[Hack The Box] [Starting Point] [Tier 2] Archetype

Task 1

Which TCP port is hosting a database server? 1433

Task 2

What is the name of the non-Administrative share available over SMB? backups

Task 3

What is the password identified in the file on the SMB share? M3g4c0rp123

The file contains a password and a user ID.

Task 4

What script from Impacket collection can be used in order to establish an authenticated connection to a Microsoft SQL Server? mssqlclient.py

Task 5

What extended stored procedure of Microsoft SQL Server can be used in order to spawn a Windows command shell? xp_cmdshell

Task 6

What script can be used in order to search possible paths to escalate privileges on Windows hosts? winpeas

Task 7

What file contains the administrator’s password? ConsoleHost_history.txt

With mssqlclient.py you can log in to the SQL service; trying xp_cmdshell returns an error saying admin privileges are required.

Trying enable_xp_cmdshell directly, surprisingly, succeeds.

Then, on Kali, download nc64, start an HTTP server, and open an nc listener.

On the target machine, download nc64 into the Downloads folder.

Then run the nc command.

The reverse shell comes back successfully.

During this reverse-shell step, I could not get the file to download successfully from either my own Kali or a Kali on a VPS; possibly the network card was not in promiscuous mode, so I could only do it from the HTB Pwnbox.

Next, download winPEASany.exe to the target and run .\winPEASany.exe

It finds these useful files:

Check the PowerShell command history. It is the counterpart of the .bash_history file on Linux; on Windows it is ConsoleHost_history.txt.
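The same history file that gives an attacker the administrator's password is something a defender can audit: PSReadLine writes every interactive command to ConsoleHost_history.txt under each user's AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine, so any password typed on a command line stays there in plaintext. The following added example (not part of this writeup or of winPEAS) scans such a file for credential-bearing commands and reports them with the secret redacted, so the entries can be cleared and the passwords rotated. The sample history content is constructed, and the command patterns it matches (net use /user:, ConvertTo-SecureString -AsPlainText, a literal after -Password or -P) are the ones assumed here, not an exhaustive list.

```python
import re
from pathlib import Path
from typing import Iterator, List, NamedTuple

# Constructed sample of a PSReadLine history file (not the box's real file).
SAMPLE_HISTORY = """\
Get-ChildItem C:\\Users
net.exe use T: \\\\fileserver\\backups /user:corp\\svc_backup Hypothetical-Pass-1
$pw = ConvertTo-SecureString "Hypothetical-Pass-2" -AsPlainText -Force
New-LocalUser -Name auditor -Password $pw
sqlcmd -S localhost -U sa -P Hypothetical-Pass-3 -Q "SELECT @@VERSION"
Get-Process
"""

# Each rule: a label and a regex whose group 2 is the secret literal to redact.
# Assumed patterns for this example; extend them for your own environment.
RULES = [
    ("net use /user: with password",
     re.compile(r"(/user:\S+\s+)(\S+)", re.IGNORECASE)),
    ("ConvertTo-SecureString -AsPlainText literal",
     re.compile(r"(ConvertTo-SecureString\s+)(\"[^\"]*\"|'[^']*'|\S+)(?=.*-AsPlainText)",
                re.IGNORECASE)),
    # A literal after -Password / -P; a $variable argument is not a finding.
    ("literal after -Password / -P",
     re.compile(r"((?:-Password|-P)\s+)(?!\$)(\S+)", re.IGNORECASE)),
]


class Finding(NamedTuple):
    line_no: int      # 1-based line in the history file
    rule: str         # which pattern matched
    redacted: str     # the command with the secret replaced


def scan_history_text(text: str) -> List[Finding]:
    """Return one Finding per (line, rule) match, in file order, secrets redacted."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for label, rx in RULES:
            m = rx.search(line)
            if m:
                redacted = line[:m.start(2)] + "<redacted>" + line[m.end(2):]
                findings.append(Finding(line_no, label, redacted))
    return findings


def scan_history_file(path: Path) -> List[Finding]:
    """Scan a ConsoleHost_history.txt on disk (PSReadLine writes it as UTF-8)."""
    return scan_history_text(path.read_text(encoding="utf-8", errors="replace"))


def default_history_paths(users_root: Path = Path(r"C:\Users")) -> Iterator[Path]:
    """Yield every user's PSReadLine history file that exists under users_root."""
    pattern = r"AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"
    for profile in users_root.glob("*"):
        candidate = profile / pattern
        if candidate.is_file():
            yield candidate


if __name__ == "__main__":
    # Offline demo on the constructed sample; on a Windows host iterate
    # default_history_paths() and call scan_history_file() instead.
    for f in scan_history_text(SAMPLE_HISTORY):
        print(f"line {f.line_no}: {f.rule}: {f.redacted}")
```

A finding means the secret has already been exposed on disk (and possibly to anything that reads the user's profile), so the fix is to rotate that credential and remove the line, not merely to delete the file; passing secrets through a PSCredential or a variable instead of a literal keeps them out of the history in the first place.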

The administrator's password is found there, and the rest is straightforward.

Then go to the administrator's and the user's desktops, where the flags can be found.

Note:

Archetype.pdf

https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation

https://vk9-sec.com/winpeas-windows-enum/

https://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet