Archetype

This walkthrough covers the Archetype machine and a practical chain from exposed SMB data to administrator-level file access.

Recon

Initial scanning identified:

The combination of SMB + MSSQL was the key path.

Guest-style SMB access exposed a readable backups share.
Inside it, prod.dtsConfig contained a SQL connection string with credentials:

This was enough to move directly into SQL authentication.

Using Impacket:

impacket-mssqlclient ARCHETYPE/sql_svc:<password>@<target> -windows-auth

After connecting, I enabled and used xp_cmdshell:

EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
EXEC xp_cmdshell 'whoami';

That confirmed command execution as archetype\sql_svc.

From SQL command execution, I enumerated the host and reviewed PowerShell history:

C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

History contained a command with administrator credentials used for SMB mapping.

With recovered admin credentials, I authenticated to administrative SMB shares (C$) and retrieved both user.txt and root.txt.

Backup/config files frequently expose hardcoded credentials.
SQL service accounts with excessive rights make xp_cmdshell highly dangerous.
PowerShell history can leak operational secrets if not controlled.
Segregate service credentials and rotate immediately if exposed in scripts/configs.

Remove plaintext secrets from deployment/config artifacts.
Restrict SQL Server surface area (disable xp_cmdshell unless strictly required).
Monitor for suspicious SQL configuration changes and OS command execution.
Enforce credential hygiene for admin tasks (vaulting, JIT use, no shell history leaks).