Archetype
This box was quite a lot of fun and I learnt quite a two new tools. The aim of this challenge was to to hack SMB and SQL on a box and find two flags.
First up as always we need to know what we are dealing with and using nmap to discover what kind of device we are dealing with and what ports are open.
Having just learnt about smbclient
in Tier 1 time to refresh what I can do with it.
smbclient -N -L
the -N flag supress password promt and -L lists available services.
While most of the shares required authentication the backups share did not.
With that I got my access to the box inside the backups share there is a config. Getting the fire we are able to the that there is a service account for sql with a password.
Next up is to connect to it where I learnt a new tool for solving this box called Impacket. This allowed me to connect to the MSSQL and providing the credentials to connect.
With a succesfull connection to the SQL. It was time to check to see if I had got sys admin level.
SELECT is_srvrolemember('sysadmin');
Then from the box using xp_cmdshell I was then able to install NetCat executable on the remote machine. That you can run command execution via SQL eviroment really suprised me at how how muc one can do with it. Going through the steps of setting up an http server on my machine and then using netcat to listen to 443.
I was able to create a reverse shell to my machine. I have to say getting to this point was quite a thrill. Having never setup a reverse shell before it was quite exciting and shocking at how simple it can be.
Now that we a reverse shell the next part was to use WinPEASS. This tools is quite crazy in that it tries to find all the privalage escalation paths it knows about.
By using this I was able to find the last flag for this box challenge.
If you have not tried it yet and are interested in learning Cybersecurity, Hacking I suggest to give Hack the box a try.