HTB — Tier 2 Starting Point: Archetype
Task 1
Which TCP port is hosting a database server?
Now we will do a more in-depth scan against the open ports
Answer: 1433
Task 2
What is the name of the non-Administrative share available over SMB?
Answer: backups
Task 3
What is the password identified in the file on the SMB share?
Answer: M3g4c0rp123
Task 4
What script from Impacket collection can be used in order to establish an authenticated connection to a Microsoft SQL Server?
You can tab twice to get a list of impacket commands
Answer: mssqlclient.py
When running the impacket command, I received the following error: legacy sigalg disallowed or unsupported
Per the following HTB forum post, we can try changing the security of the openssl config file
I ended up purging impacket from my system and installing v0.10.0 via pipx
Unfortunately I still got the same error, so I manually built an openssl config file via a StackOverflow post
I made sure to change the security level to 0
After manually specifying this file, I received the following error
Tacking the switch -windows-auth at the end lets me in
Task 5
What extended stored procedure of Microsoft SQL Server can be used in order to spawn a Windows command shell?
Answer: xp_cmdshell
Task 6
What script can be used in order to search possible paths to escalate privileges on Windows hosts?
Answer: WinPeas
Let’s upload a netcat binary to the system
I must have uploaded an incompatible netcat binary version
This other version worked
Now we need to upload winPEAS and run it
Getting an error towards the end of winPEAS
Looks like it's a known issue
Tried the x64 version, same error
Tried the x86 version; while it still gave me an error, it proceeded to the point where I needed it
Task 7
What file contains the administrator’s password?
Answer: ConsoleHost_history.txt
Submit user flag
Answer: 3e7b102e78218e935bf3f4951fec21a3
Submit root flag
We can log in using evil-winrm to grab this flag
Answer: b91ccec3305e98240082d4474b848528