0x01-StartingPoint-Archetype

Archetype Walkthrough Video 😀

Personal blog address


Help Desk

Before reading through my long, long article, there are some things you should know first.

  1. I included all of my thought process, so the article is very long. But I think telling you what's going through my mind is really important, since why is more valuable than how.
  2. All the thought process will be in bold and italic.
  3. Side notes are wrapped between side note titles; ignore them if you don't want extra knowledge 😄
  4. If you are just looking for a solution, go directly to my video; it's clean, with every step demonstrated.


HTB-Archetype

An article accompanied by a video makes a perfect learning experience.

Today, I am delivering this write-up of the first-ever machine that I am going to hack.

I am what people call a noob! I don't know nothing. I am completely an empty glass. So I will be logging each and every move that I take during the whole journey, until I am really, really stuck; then I am going to check out some walkthroughs written by others.

As we go along, the hacking process will be more and more systematic. I will form my own workflow for dealing with different kinds of problems. And that's good. Things are on the go and getting better and better.

I will also record a video, but the video is a redo, which means it will not contain any of the thought process, so it’s clean and time-saving.

Let’s get started.

Set up

The victim machine is at IP address 10.10.10.27.
By the way, HTB needs you to set up a VPN to connect to its machines; refer to their tutorial, it's quite clear.

First things first - Nmap

I recall from my first lesson, everything starts with nmap, to list open ports and run some system scripts to find potential vulnerabilities.

Let’s do it.

Nmap result here:

# Nmap 7.80 scan initiated Wed Apr 15 00:56:39 2020 as: nmap -sC -sV -p135,139,445,1433,5985,14803,47001,49664,49665,49666,49667,49668,49669 -o nmap.txt 10.10.10.27
Nmap scan report for 10.10.10.27
Host is up (0.25s latency).

PORT      STATE  SERVICE      VERSION
135/tcp   open   msrpc        Microsoft Windows RPC
139/tcp   open   netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open   microsoft-ds Windows Server 2019 Standard 17763 microsoft-ds
1433/tcp  open   ms-sql-s     Microsoft SQL Server 2017 14.00.1000.00; RTM
| ms-sql-ntlm-info: 
|   Target_Name: ARCHETYPE
|   NetBIOS_Domain_Name: ARCHETYPE
|   NetBIOS_Computer_Name: ARCHETYPE
|   DNS_Domain_Name: Archetype
|   DNS_Computer_Name: Archetype
|_  Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2020-04-15T02:23:29
|_Not valid after:  2050-04-15T02:23:29
|_ssl-date: 2020-04-15T05:12:26+00:00; +13m51s from scanner time.
5985/tcp  open   http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
14803/tcp closed unknown
47001/tcp open   http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
49664/tcp open   msrpc        Microsoft Windows RPC
49665/tcp open   unknown
49666/tcp open   unknown
49667/tcp open   unknown
49668/tcp open   unknown
49669/tcp open   msrpc        Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 1h37m50s, deviation: 3h07m51s, median: 13m50s
| ms-sql-info: 
|   10.10.10.27:1433: 
|     Version: 
|       name: Microsoft SQL Server 2017 RTM
|       number: 14.00.1000.00
|       Product: Microsoft SQL Server 2017
|       Service 
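
Read from the defender's side, the port table in the scan above is an exposure inventory: it shows which management and data services on the host answer from the network. The following is an added example, not part of the original write-up. It parses nmap's normal-output port table (the sample rows are copied from the scan on this page) and lists the open services on a review list; the `REVIEW` mapping and the function names are assumptions of this example.

```python
import re

# Port-table rows copied from the scan output on this page (a subset).
SAMPLE = """\
PORT      STATE  SERVICE      VERSION
135/tcp   open   msrpc        Microsoft Windows RPC
139/tcp   open   netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open   microsoft-ds Windows Server 2019 Standard 17763 microsoft-ds
1433/tcp  open   ms-sql-s     Microsoft SQL Server 2017 14.00.1000.00; RTM
| ms-sql-ntlm-info:
|   Target_Name: ARCHETYPE
|_  Product_Version: 10.0.17763
5985/tcp  open   http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
14803/tcp closed unknown
49665/tcp open   unknown
"""

# Hypothetical review list (an assumption of this example, not from the page):
# services that normally should not be reachable from untrusted networks.
REVIEW = {
    445: "SMB file sharing",
    1433: "Microsoft SQL Server",
    5985: "WinRM over HTTP",
}

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

def parse_ports(text):
    """Return one dict per port-table row; NSE script lines ('|...') are skipped."""
    rows = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.rstrip())
        if m:
            port, proto, state, service, version = m.groups()
            rows.append({"port": int(port), "proto": proto, "state": state,
                         "service": service, "version": version or ""})
    return rows

def exposure_review(rows):
    """Open ports that are on the review list, with the reason and the banner."""
    return [(r["port"], REVIEW[r["port"]], r["version"])
            for r in rows if r["state"] == "open" and r["port"] in REVIEW]

if __name__ == "__main__":
    for port, why, version in exposure_review(parse_ports(SAMPLE)):
        print(f"{port}/tcp  {why}: {version}")
```

The version column matters as much as the port number: the SQL Server row reports an exact build string to any client that can reach the port.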