
HTB - Hack The Box - Starting Point - Arch_Type Windows

by Motti Kumar 6 months ago in hackers

Part: 1 Enumeration

Required Software:

Download your virtual machine management software of choice. We recommend VirtualBox (free) or VMWare Fusion/Workstation.

You will also need to choose an operating system. We do not suggest using your main personal OS, as Hack The Box is a shared network environment. Running a hacking-specific operating system inside a virtual machine is far more secure and offers many pre-installed tools to assist with hacking.

Our recommended operating systems are Parrot Security Edition or Kali Linux. You can also build your own attacker OS from scratch, but we highly recommend using a pre-made OS if you are a beginner.

VPN Connection:

Download the connection pack and start the OpenVPN session with the command below (choose the server closest to you; for India the closest HTB server is EU):

[email protected]:~/Downloads# sudo openvpn User-startingpoint.ovpn

Enumeration:

[email protected]:/data$ ports=$(nmap -p- --min-rate=1000 -T4 10.10.10.27 | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
[email protected]:/data$ nmap -sC -sV -p$ports 10.10.10.27
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-12 07:28 CEST
Nmap scan report for 10.10.10.27
Host is up (0.031s latency).

PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows Server 2019 Standard 17763 microsoft-ds
1433/tcp  open  ms-sql-s     Microsoft SQL Server 2017 14.00.1000.00; RTM
| ms-sql-ntlm-info:
|   Target_Name: ARCHETYPE
|   NetBIOS_Domain_Name: ARCHETYPE
|   NetBIOS_Computer_Name: ARCHETYPE
|   DNS_Domain_Name: Archetype
|   DNS_Computer_Name: Archetype
|_  Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2020-06-12T03:36:15
|_Not valid after:  2050-06-12T03:36:15
|_ssl-date: 2020-06-12T05:43:40+00:00; +14m28s from scanner time.
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49668/tcp open  msrpc        Microsoft Windows RPC
49669/tcp open  msrpc        Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 1h38m28s, deviation: 3h07m52s, median: 14m27s
| ms-sql-info:
|   10.10.10.27:1433:
|     Version:
|       name: Microsoft SQL Server 2017 RTM
|       number: 14.00.1000.00
|       Product: Microsoft SQL Server 2017
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| smb-os-discovery:
|   OS: Windows Server 2019 Standard 17763 (Windows Server 2019 Standard 6.3)
|   Computer name: Archetype
|   NetBIOS computer name: ARCHETYPE\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2020-06-11T22:43:35-07:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-06-12T05:43:34
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 64.79 seconds

Ports 445 and 1433 are open, which are associated with file sharing (SMB) and SQL Server.
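As an added example (not part of the original post), here is a small Python triage script that reads scan output like the one above and turns the exposed services and the SMB signing details into hardening findings for the host owner. The sample text is a constructed excerpt of the nmap output shown, and the function names are mine.

```python
import re

# Constructed excerpt of the nmap -sC -sV output shown above; not a live scan.
SAMPLE_NMAP = """\
PORT      STATE SERVICE      VERSION
445/tcp   open  microsoft-ds Windows Server 2019 Standard 17763 microsoft-ds
1433/tcp  open  ms-sql-s     Microsoft SQL Server 2017 14.00.1000.00; RTM
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Host script results:
| smb-security-mode:
|   account_used: guest
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
"""

PORT_RE = re.compile(r"^(\d+)/(?:tcp|udp)\s+(\w+)\s+(\S+)", re.M)
# Services worth a second look when reachable from a shared network segment.
WATCHED = {445: "SMB file sharing", 1433: "MS SQL Server", 5985: "WinRM over HTTP"}

def open_ports(text):
    """Return {port: service} for every 'open' row of the PORT table."""
    return {int(p): svc for p, state, svc in PORT_RE.findall(text) if state == "open"}

def smb_signing_posture(text):
    """Read the smb-security-mode / smb2-security-mode script output."""
    posture = {"smb1_signing": None, "smb2_signing_required": None,
               "guest_session": "account_used: guest" in text}
    m = re.search(r"message_signing:\s*(\w+)", text)
    if m:
        posture["smb1_signing"] = m.group(1)
    m = re.search(r"Message signing (enabled|disabled)(?: (?:and|but) (not )?required)?", text)
    if m:  # required only when 'enabled' and the phrase lacks 'not'
        posture["smb2_signing_required"] = m.group(1) == "enabled" and m.group(2) is None
    return posture

def findings(text):
    """Turn the parsed scan into hardening findings for the host owner."""
    out = [f"port {p} open: {WATCHED[p]} ({svc})"
           for p, svc in sorted(open_ports(text).items()) if p in WATCHED]
    posture = smb_signing_posture(text)
    if posture["smb1_signing"] == "disabled":
        out.append("SMB1 signing disabled: disable SMB1 or require signing")
    if posture["smb2_signing_required"] is False:
        out.append("SMB2 signing not required: set RequireSecuritySignature=1")
    if posture["guest_session"]:
        out.append("guest session accepted: audit share permissions and disable guest")
    return out
```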

It is worth checking whether anonymous access is permitted, as file shares often store configuration files containing passwords or other sensitive information. We can use smbclient to list the available shares (use an empty password), but I used my system's password to log in:

[email protected]:/data$ smbclient -L //10.10.10.27
Enter WORKGROUP\unknown's password:

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	backups         Disk
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
SMB1 disabled -- no workgroup available

It seems there is a share called backups. Let’s attempt to access it and see what’s inside.

[email protected]:~$ smbclient //10.10.10.27/backups
Enter WORKGROUP\unknown's password:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Mon Jan 20 13:20:57 2020
  ..                                  D        0  Mon Jan 20 13:20:57 2020
  prod.dtsConfig                     AR      609  Mon Jan 20 13:23:02 2020

		10328063 blocks of size 4096. 8259098 blocks available
smb: \> get prod.dtsConfig
getting file \prod.dtsConfig of size 609 as prod.dtsConfig (4.1 KiloBytes/sec) (average 4.1 KiloBytes/sec)
smb: \> Ctrl^D

There is a dtsConfig file, which is a configuration file used with SSIS (SQL Server Integration Services).

[email protected]:~$ cat prod.dtsConfig
<DTSConfiguration>
  <DTSConfigurationHeading>
    <DTSConfigurationFileInfo GeneratedBy="..." GeneratedFromPackageName="..." GeneratedFromPackageID="..." GeneratedDate="20.1.2019 10:01:34"/>
  </DTSConfigurationHeading>
  <Configuration ConfiguredType="Property" Path="\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
    <ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue>
  </Configuration>
</DTSConfiguration>
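Added example, not from the original post: a Python audit that parses a dtsConfig file like the one above and reports connection strings that embed a credential, without echoing the secret itself. The sample input is a constructed copy of the prod.dtsConfig shown above, and the function names are my own.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the prod.dtsConfig contents shown above, used as offline sample input.
SAMPLE_DTSCONFIG = """<DTSConfiguration>
  <DTSConfigurationHeading>
    <DTSConfigurationFileInfo GeneratedBy="..." GeneratedFromPackageName="..." GeneratedFromPackageID="..." GeneratedDate="20.1.2019 10:01:34"/>
  </DTSConfigurationHeading>
  <Configuration ConfiguredType="Property" Path="\\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
    <ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue>
  </Configuration>
</DTSConfiguration>"""

# Connection-string keys that carry a credential in OLE DB / SQLNCLI strings.
SECRET_KEYS = {"password", "pwd"}

def parse_connection_string(value):
    """Split a 'Key=Value;Key=Value;' connection string into a dict with lowercase keys."""
    pairs = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            pairs[k.strip().lower()] = v.strip()
    return pairs

def audit_dtsconfig(xml_text):
    """Return one finding per Configuration element whose ConnectionString holds a plaintext credential."""
    root = ET.fromstring(xml_text)
    results = []
    for cfg in root.iter("Configuration"):
        path = cfg.get("Path", "")
        if "ConnectionString" not in path:
            continue
        kv = parse_connection_string(cfg.findtext("ConfiguredValue", default=""))
        secrets = [k for k in kv if k in SECRET_KEYS and kv[k]]
        if not secrets:
            continue
        results.append({
            "path": path,
            "user": kv.get("user id", ""),
            "keys": secrets,
            # Never echo the secret; its length is enough to show the field is populated.
            "secret_length": len(kv[secrets[0]]),
            # Persist Security Info=True keeps the password readable from the open connection object.
            "persist_security_info": kv.get("persist security info", "").lower() == "true",
        })
    return results
```

A non-empty result means the file should not sit on a share that accepts guest sessions; rotate the account and prefer Windows authentication or SSIS package protection over an embedded password.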


Hey guys, I'm Motti Kumar and it's a pleasure to be a guest blogger and hopefully inspire, give back, and keep you updated on overall cyber news or anything hot that impacts us as security enthusiasts here at Vocal Media.
