
Archetype - A Hack the Box machine

nmap -sC -sV $ip -Pn

Open ports: 135, 139, 445, 1433.

First, exploit port 445. With smbclient, you will download the file prod.dtsConfig, which contains credentials for the MSSQL database.

With those credentials you can follow the instructions for this impacket module and the instructions that follow it to exploit the database and get a reverse shell with nc64.exe.

With that, you can read user.txt on the Desktop.

For privilege escalation, see the technique Recently accessed files and executed commands. The PowerShell command history of the sql_svc user is stored in the PSReadline file below:

type C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
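The finding above is a defender-side lesson as much as an attacker-side one: PSReadline keeps every interactive command, including any password typed inline. The script below is an added example, not part of the original write-up, that scans a ConsoleHost_history.txt for commands embedding plaintext credentials so they can be located and rotated; the sample history and its passwords are constructed.

```python
import re
from pathlib import Path

# Constructed sample of a PSReadline ConsoleHost_history.txt (not taken from the box).
SAMPLE_HISTORY = """\
Get-ChildItem C:\\backups
net.exe use T: \\\\FILESERVER\\backups /user:administrator Passw0rd_example
exit
$pw = ConvertTo-SecureString 'Sup3rS3cret' -AsPlainText -Force
$pw2 = ConvertTo-SecureString $plain -AsPlainText -Force
Invoke-WebRequest http://10.0.0.5/tool.exe -OutFile C:\\tool.exe
"""

# Patterns that commonly indicate a secret typed directly into an interactive shell.
# Group 1 captures the secret so the report can mask it.
CREDENTIAL_PATTERNS = [
    ("net use with inline password",
     re.compile(r"net(?:\.exe)?\s+use\b.*?/user:\S+\s+(\S+)", re.I)),
    ("ConvertTo-SecureString -AsPlainText",
     re.compile(r"ConvertTo-SecureString\s+['\"]?([^'\"\s]+)['\"]?.*-AsPlainText", re.I)),
    ("explicit -Password argument",
     re.compile(r"-Password\s+['\"]?([^'\"\s]+)", re.I)),
]


def find_plaintext_credentials(history_text):
    """Return (line_number, description, masked_command) for each line that embeds a secret."""
    findings = []
    for lineno, line in enumerate(history_text.splitlines(), start=1):
        for description, pattern in CREDENTIAL_PATTERNS:
            match = pattern.search(line)
            if not match:
                continue
            secret = match.group(1)
            # A PowerShell variable ($name) is a reference, not a literal secret: skip it.
            if secret.startswith("$"):
                continue
            findings.append((lineno, description, line.strip().replace(secret, "***")))
            break
    return findings


def audit_history_file(path):
    """Audit an on-disk history file, tolerating stray bytes in old entries."""
    return find_plaintext_credentials(Path(path).read_text(encoding="utf-8", errors="replace"))


if __name__ == "__main__":
    for lineno, description, command in find_plaintext_credentials(SAMPLE_HISTORY):
        print(f"line {lineno}: {description}: {command}")
```

Run it against each user's AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt during a host review; any hit means the credential should be considered exposed.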

With the administrator credentials recovered from that history file, you can use impacket's psexec.py module to get an interactive shell on the Windows host with admin rights.

python3 /usr/share/doc/python3-impacket/examples/psexec.py administrator:MEGACORP_4dm1n\!\!@10.129.95.187

Last update: 2023-05-02
Created: April 23, 2023 19:52:08