Windows-Exploitation

Found 1 related article.

  • 2024-11-28

    Archetype - SMB Credential Disclosure, MSSQL xp_cmdshell RCE, and SYSTEM Privileges via psexec

    Technical writeup detailing the compromise of the Archetype Windows machine. Initial foothold is achieved by exploiting anonymous SMB access (445/tcp) to retrieve SQL credentials from a shared backup directory (prod.dtsConfig). These credentials are used to gain access to the MSSQL service (1433/tcp), where xp_cmdshell is activated to achieve RCE and establish a reverse shell. Privilege escalation to NT AUTHORITY\SYSTEM is completed by hunting for credentials in the PowerShell history file and leveraging Impacket's psexec.py with the found administrator account.

    CTF-Writeup Windows-Exploitation Windows-Services SQL-Exploitation