Querier — HackTheBox Writeup

Querier was an awesome box with some pretty neat things that are good for Windows beginners. The box starts with SMB enumeration, which gives us credentials to log in to the database server. I’ll get the host to make an SMB connection back to me, where I can collect a Net-NTLMv2 challenge response, and crack it to get a password. With all that being said, let’s jump right in.

Preetham Bomma
InfoSec Write-ups

--

Enumeration and Recon

Nmap Scan

SMB — TCP 445

samba shares

The Reports share looks interesting. Let’s check what we’ve got there.

smbclient output

There’s a file with an “xlsm” extension. Running the file command against it says that it’s a Microsoft Excel document. I tried to open it via Google Sheets, only to get trolled. Later I ran binwalk to see what’s hidden in the file.

binwalk output

I used oletools to get the macros and found a potential username and password.

Username = reporting

Password = PcwTWTHRwryjc$c6

Database = volume
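The macro lives in vbaProject.bin inside the .xlsm zip, and the VBA module streams in that file are stored in MS-OVBA compressed form, which is why oletools (and not a plain strings run) recovers the connection string. As an added example that is not part of the original writeup, this decompresses an MS-OVBA container and then scans the recovered module for connection-string credentials; the test vectors are constructed and the `literal_container` builder exists only to produce them.

```python
# Added example (not from the writeup): MS-OVBA decompression of a VBA module
# stream, then a scan for hard-coded database credentials in the module text.
import re, struct

def decompress_ovba(container: bytes) -> bytes:
    """Decompress an MS-OVBA CompressedContainer (0x01 signature + chunks)."""
    if not container or container[0] != 0x01:
        raise ValueError("not an MS-OVBA compressed container")
    out = bytearray()
    pos = 1
    while pos < len(container):
        header = struct.unpack_from("<H", container, pos)[0]
        chunk_size = (header & 0x0FFF) + 3       # counts the 2-byte header too
        chunk_end = min(len(container), pos + chunk_size)
        pos += 2
        if not header & 0x8000:                   # flag 0: 4096 raw bytes follow
            out.extend(container[pos:pos + 4096])
            pos += 4096
            continue
        chunk_start = len(out)
        while pos < chunk_end:
            flags = container[pos]                # one flag bit per token
            pos += 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:        # literal byte
                    out.append(container[pos])
                    pos += 1
                    continue
                token = struct.unpack_from("<H", container, pos)[0]
                pos += 2
                # bit split between offset and length grows with chunk position
                bit_count, dist = 4, len(out) - chunk_start
                while (1 << bit_count) < dist:
                    bit_count += 1
                length = (token & (0xFFFF >> bit_count)) + 3
                src = len(out) - ((token >> (16 - bit_count)) + 1)
                for i in range(length):           # copies may overlap themselves
                    out.append(out[src + i])
    return bytes(out)

def literal_container(data: bytes) -> bytes:
    """Build a valid container using only literal tokens (constructed test vectors)."""
    body = b"".join(b"\x00" + data[i:i + 8] for i in range(0, len(data), 8))
    return b"\x01" + struct.pack("<H", 0xB000 | (len(body) + 2 - 3)) + body

CRED_RE = re.compile(rb"(?i)\b(uid|user id|pwd|password|database)\s*=\s*([^;\"\r\n]+)")
def find_credentials(module: bytes) -> dict:
    """Return connection-string style key/values found in decompressed VBA text."""
    return {k.lower().decode(): v.decode(errors="replace") for k, v in CRED_RE.findall(module)}
```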

MSSQL — 1433

Now that we have the credentials, let’s log in to the DB and check what we’ve got. I tried logging in with sqsh and DBeaver, but they failed for some reason. Later I used the Metasploit auxiliary module auxiliary/admin/mssql/mssql_sql to enumerate the database.

MSF Module

There we go, we get the SQL Server version. Since enumerating with this module is quite slow, I switched to Impacket’s mssqlclient to continue the enumeration.

Enabling xp_cmdshell failed, so we might have to escalate to a higher-privileged user. Let’s grab hashes using Responder.

This is a good article for getting NTLM hashes from Windows.

Run responder -I tun0 -v to start Responder.

Hashes rolling in

Let’s crack these hashes with john.

Username = mssql-svc

Password = corporate568

Time to log in to the database again. When I first did this, I logged into MSRPC (port 135) with the above credentials, but couldn’t go any further with it.

xp_cmdshell enabled.

xp_cmdshell is enabled and we can ping ourselves. Awesome. Time to get a shell.

Shell as mssql-svc

I used Nishang’s Invoke-PowerShellTcp.ps1 for the reverse shell.

PrivEsc to system

I ran PowerUp.ps1 and, right off the bat, found admin creds.

Username : Administrator

Password: MyUnclesAreMarioAndLuigi!!1!

Reading flags

net use

This just gets us access to the filesystem, but that’s all that is needed to read the flags:

Shell as nt-authority\system

Since we have admin creds, we can just use Impacket’s psexec.py to log in.

Make sure you download the latest psexec.py, as I had issues with the copy I got after cloning the repo. This shell is slow by nature, so be patient.

https://github.com/SecureAuthCorp/impacket

powershell “run as”

Use the password to create a credential that can be passed to Invoke-Command. In this case, adminShell.ps1 is another Invoke-PowerShellTcp.ps1 with the port changed to 9001:

Shell as Admin

I tried to use WinRM to get a shell as admin, but it gave me an authorization error.

Well, that’s all from me this time. Hope you had a great time reading.

Thanks and Happy Hacking,
Preetham (@cyber01)
