# Archetype

## Initial Scan

```bash
sudo nmap -T4 -Pn -sV -sC -v 10.129.95.187 -oA Archetype
```

<figure><img src="https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2F2egqib8EBLevVbugjL6O%2Fimage.png?alt=media&#x26;token=d8c79342-4734-445a-9003-e06cf1f6ea25" alt=""><figcaption></figcaption></figure>

## Task 1

Which TCP port is hosting a database server?

Answer: 1433

## Task 2

What is the name of the non-Administrative share available over SMB?

<figure><img src="https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FU8cTv3jWsUgumWiyJJ1j%2Fimage.png?alt=media&#x26;token=d139c044-cc13-40fd-9b9b-545fe371fc8e" alt=""><figcaption></figcaption></figure>

Answer: backups

## Task 3

What is the password identified in the file on the SMB share?

<figure><img src="https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2Fp0ypZhggx4Qhk2N7z2da%2Fimage.png?alt=media&#x26;token=369a29c2-87b3-42a1-9227-1d82ad37dc48" alt=""><figcaption></figcaption></figure>

<figure><img src="https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FwjcpKV84qCtRsLKJQcY3%2Fimage.png?alt=media&#x26;token=bfd3db53-ea07-4ca1-8fab-ab7ac1d9fc8c" alt=""><figcaption></figcaption></figure>

Answer: M3g4c0rp123

## Task 4

What script from Impacket collection can be used in order to establish an authenticated connection to a Microsoft SQL Server?

<figure><img src="https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2F6phwr3QT1eRlpf9iatcG%2Fimage.png?alt=media&#x26;token=c2c3fd07-dfbf-4609-86e8-8e03990d4cda" alt=""><figcaption></figcaption></figure>

Answer: mssqlclient.py

## Task 5

What extended stored procedure of Microsoft SQL Server can be used in order to spawn a Windows command shell?

<figure><img src="https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FJRYX6CKnW7dPemTJnz1p%2Fimage.png?alt=media&#x26;token=243a7482-1144-4140-9099-b086343a044a" alt=""><figcaption></figcaption></figure>

<figure><img src="https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2F6zVyuFezClyFfxdsv4Pk%2Fimage.png?alt=media&#x26;token=0a197323-2373-4c80-afaa-142012b603d5" alt=""><figcaption></figcaption></figure>

Answer: xp\_cmdshell

## Task 6

What script can be used in order to search possible paths to escalate privileges on Windows hosts?

[PEASS GitHub](https://github.com/carlospolop/PEASS-ng)

Answer: winpeas

## Task 7

What file contains the administrator's password?

<figure><img src="https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FonUcBszD9SKQdVe0PZIW%2Fimage.png?alt=media&#x26;token=19cdd339-fce7-4091-84a7-656ebf9a6204" alt=""><figcaption></figcaption></figure>

<figure><img src="https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FsdlJ4duNs3pqjnvesOys%2Fimage.png?alt=media&#x26;token=fdd075aa-c16d-4e0c-b806-3378dab3dd96" alt=""><figcaption></figcaption></figure>

<figure><img src="https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FbgO11gayby7ukHERiTUr%2Fimage.png?alt=media&#x26;token=ec3a4e7b-76e3-4c26-a60a-5cdaeb70a2cd" alt=""><figcaption></figcaption></figure>

Answer: ConsoleHost\_History.txt

## Task 8

Submit user flag

<figure><img src="https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2Fevgsij9WTrhixEOoNV2c%2Fimage.png?alt=media&#x26;token=4da3fd2d-cecf-4b55-b016-d24119536669" alt=""><figcaption></figcaption></figure>

Answer: 3e7b102e78218e935bf3f4951fec21a3

## Task 9

Submit root flag

<figure><img src="https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2F5SBD4cDjp5OitHkVR1Se%2Fimage.png?alt=media&#x26;token=ba912bb7-69d4-4c46-8f5a-4afc5251bc28" alt=""><figcaption></figcaption></figure>

```powershell
.\winPEASx64.exe
```

<figure><img src="https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FTVTYk7VAaGsYCE2eQAqY%2Fimage.png?alt=media&#x26;token=23a6fa7b-366e-4593-9adf-4a4d974d1fad" alt=""><figcaption></figcaption></figure>

<figure><img src="https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FRMkXgINyg3olUy6hw4fT%2Fimage.png?alt=media&#x26;token=d83a10bb-b8b2-4ab5-b41c-f2a03fbd0a2d" alt=""><figcaption></figcaption></figure>

Administrator Password: `MEGACORP_4dm1n!!`

<figure><img src="https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FgXrs2pTbwPb87GawZcUV%2Fimage.png?alt=media&#x26;token=f35363eb-37d4-44c0-b773-48ee074195e4" alt=""><figcaption></figcaption></figure>

<figure><img src="https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FodNbYV3L7GCHKUJrD0S7%2Fimage.png?alt=media&#x26;token=92ace24f-b101-443b-966e-6fb50a2ab2f7" alt=""><figcaption></figcaption></figure>

Answer: b91ccec3305e98240082d4474b848528
