Tuesday, July 16, 2019

- Layout for this exercise:

The goal of this exercise is to develop a hacking process for the vulnerable machine Querier, which is a machine from the Hack The Box pentesting platform:

- The IP for Querier is

- Scanning with Nmap:

- Scanning port 1433 in more depth, we find additional information about the Microsoft SQL Server:

- Scanning port 445 in more depth, we learn that an SMB service is running there:

3.1 - Exploiting SMB

- Connecting to SMB with a null session using smbclient, we find the shared folder Reports:

- Examining the content of the shared folder Reports, we find the document Report.xlsm; the .xlsm extension indicates a macro-enabled spreadsheet created by Microsoft Excel:

3.2 - Exploiting the .xlsm document

- Downloading the .xlsm file to Kali:

- Obviously the easiest way of reading this .xlsm document would be to use Microsoft Excel; however, in this case let's assume that Microsoft Excel is not available.

- Unzipping:

- The file vbaProject.bin inside the folder xl contains the functions and/or macros:

- Applying the command strings to the file vbaProject.bin, we find credentials for the SQL Server:
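
The unzip-and-strings triage above can be scripted so that a macro-enabled document is inspected without ever opening it in Excel. The following Python is an added example, not code from the original post: it builds a constructed stand-in for Report.xlsm in memory (a zip with a fake xl/vbaProject.bin carrying a placeholder connection string, since a real vbaProject.bin is an OLE compound document), extracts printable runs the way `strings` does, and flags connection-string fields such as UID, PWD and Server. The credential values and the CRED_FIELD pattern are assumptions for the demonstration.

```python
import io
import re
import zipfile

def build_sample_xlsm(with_vba: bool = True) -> bytes:
    """Constructed stand-in for Report.xlsm: a zip laid out like an Office document.
    Real vbaProject.bin files are OLE compound documents; this fake one only needs
    to carry the kind of printable strings that `strings` would surface."""
    vba_bin = (
        b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"               # OLE compound-document magic
        + b"\x00" * 32
        + b"Driver={SQL Server};Server=QUERIER;Trusted_Connection=no;"
        + b"\x00\x00"
        + b"UID=reporting;PWD=CONSTRUCTED_PLACEHOLDER;"   # placeholder, not the real value
        + b"\x00" * 16
        + b"\x01\x02\x03ab\x04"                            # too short to count as a string
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_vba:
            zf.writestr("xl/vbaProject.bin", vba_bin)
    return buf.getvalue()

def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Same idea as `strings -n <min_len>`: runs of printable ASCII of at least min_len bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]

# Connection-string style fields worth flagging in a macro blob (assumed list).
CRED_FIELD = re.compile(r"(?i)\b(uid|user id|pwd|password|server)\s*=\s*([^;]+)")

def triage_xlsm(xlsm_bytes: bytes) -> dict:
    """Open an .xlsm as a zip, report whether it carries a VBA project, and pull
    credential-like fields out of the printable strings of xl/vbaProject.bin."""
    result = {"has_vba": False, "strings": [], "findings": {}}
    with zipfile.ZipFile(io.BytesIO(xlsm_bytes)) as zf:
        if "xl/vbaProject.bin" not in zf.namelist():
            return result
        result["has_vba"] = True
        blob = zf.read("xl/vbaProject.bin")
    result["strings"] = extract_strings(blob)
    for s in result["strings"]:
        for key, value in CRED_FIELD.findall(s):
            result["findings"][key.lower()] = value.strip()
    return result

if __name__ == "__main__":
    report = triage_xlsm(build_sample_xlsm())
    print("VBA project present:", report["has_vba"])
    for s in report["strings"]:
        print("  string:", s)
    print("credential-like fields:", report["findings"])
```

Run it as-is to see the constructed sample triaged; to inspect a real file, pass `open("Report.xlsm", "rb").read()` to `triage_xlsm`. The same check is useful on the defensive side: a spreadsheet that carries a VBA project with a hard-coded database login in it is exactly what should not be sitting on a share readable through a null session.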

- Storing the credentials:

3.3 - Exploiting the SQL server

- The Python script helps to connect to the SQL Server:

- Connecting with the option -windows-auth (default authentication) and using the credentials from the previous point 3.2:

- The command enable_xp_cmdshell (which allows running any command line) does not work because the user reporting does not have sufficient permissions:

- Indeed, at this moment we do not have sysadmin permissions:

- However, we can obtain more information by executing xp_dirtree (which lists all the files in a folder) and enabling responder to catch the leaked NetNTLMv2 hashes.

- responder answers specific NBT-NS (NetBIOS Name Service) queries based on their name suffix:

- Running xp_dirtree:

- responder captures the NetNTLMv2 hashes.

- Storing the hashes:
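
It helps to know what the stored line actually contains before handing it to John. The following Python is an added example, not part of the original post: it assembles a constructed NetNTLMv2 line in the `USER::DOMAIN:SERVER_CHALLENGE:NT_PROOF:BLOB` layout that responder saves and John/hashcat read, then parses it back, decoding the client timestamp (a Windows FILETIME) and the NetBIOS domain from the AV_PAIR list inside the blob. All challenge, proof and timestamp values are placeholders chosen for the demonstration.

```python
import re
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def to_filetime(dt: datetime) -> int:
    """Windows FILETIME: 100-ns ticks since 1601-01-01 UTC (integer math avoids float loss)."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10

def from_filetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def build_sample_line(user="mssql-svc", domain="QUERIER",
                      when=datetime(2019, 7, 16, tzinfo=timezone.utc)) -> str:
    """Constructed line in the USER::DOMAIN:SERVER_CHALLENGE:NT_PROOF:BLOB layout.
    Challenge and proof values are placeholders, not captured data."""
    server_challenge = bytes(range(0x11, 0x99, 0x11))          # 1122334455667788
    nt_proof = bytes(16)                                        # real value is an HMAC-MD5 output
    blob = (
        b"\x01\x01\x00\x00" + b"\x00" * 4                       # RespType, HiRespType, reserved
        + struct.pack("<Q", to_filetime(when))                  # client timestamp (FILETIME)
        + b"\xaa" * 8                                           # client challenge (constructed)
        + b"\x00" * 4                                           # reserved
        + struct.pack("<HH", 2, 2 * len(domain))                # AV_PAIR id 2 = NetBIOS domain name
        + domain.encode("utf-16-le")
        + struct.pack("<HH", 0, 0)                              # AV_PAIR id 0 = end of list
        + b"\x00" * 4
    )
    return f"{user}::{domain}:{server_challenge.hex()}:{nt_proof.hex()}:{blob.hex()}"

LINE_RE = re.compile(r"^([^:]+)::([^:]*):([0-9a-fA-F]{16}):([0-9a-fA-F]{32}):([0-9a-fA-F]+)$")

def av_pairs(blob: bytes, offset: int = 28) -> dict:
    """Walk the AV_PAIR list (id, length, value) that follows the fixed 28-byte blob header."""
    pairs = {}
    while offset + 4 <= len(blob):
        av_id, av_len = struct.unpack_from("<HH", blob, offset)
        offset += 4
        if av_id == 0:
            break
        pairs[av_id] = blob[offset:offset + av_len]
        offset += av_len
    return pairs

def parse_netntlmv2(line: str) -> dict:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("not a NetNTLMv2 line")
    user, domain, challenge, proof, blob_hex = m.groups()
    blob = bytes.fromhex(blob_hex)
    if len(blob) < 28 or blob[:2] != b"\x01\x01":
        raise ValueError("unexpected NTLMv2 blob header")
    (ft,) = struct.unpack_from("<Q", blob, 8)
    pairs = av_pairs(blob)
    return {
        "user": user,
        "domain": domain,
        "server_challenge": challenge.lower(),
        "nt_proof": proof.lower(),
        "client_challenge": blob[16:24].hex(),
        "timestamp": from_filetime(ft),
        "netbios_domain": pairs.get(2, b"").decode("utf-16-le"),
    }

if __name__ == "__main__":
    sample = build_sample_line()
    print(sample)
    for key, value in parse_netntlmv2(sample).items():
        print(f"  {key}: {value}")
```

The parsed fields make the nature of the capture clear: it is a challenge/response pair bound to a server challenge, not a password hash, which is why the next step is offline cracking rather than reuse. On the defensive side, the same parse shows which account leaked and when; the root cause on this box is a SQL Server service account that can be made to authenticate outbound, so restricting outbound SMB from the database host and running the service under a low-privilege account both remove the exposure.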

3.4 - Cracking the NetNTLMv2 hashes with John The Ripper

- Applying John The Ripper to the hashes, we discover the credentials mssql-svc:corporate568:

3.5 - Getting a remote shell

- Let's reconnect to the SQL Server with the new credentials mssql-svc:corporate568:

- Now enable_xp_cmdshell succeeds (xp_cmdshell is usually disabled by default) because the user mssql-svc has sufficient permissions:

- Downloading nc.exe to Kali:

- Transferring nc.exe from Kali to Querier:

- Starting a Netcat listener on port 5555:

- Launching a Netcat connection from Querier to Kali:

- The connection is successful and we get a remote shell:

- Reading user.txt:

- Access to the Administrator's folder is denied:

- However, access to Groups.xml is granted:

- Storing the cpassword:

- Decrypting the cpassword with the well-known gpp-decrypt:

- So the credentials for the Administrator are:
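
The Groups.xml finding is the kind of thing an administrator should locate before an attacker does. The following Python is an added example, not code from the original post or from gpp-decrypt: it parses a constructed Groups.xml (placeholder GUIDs and a placeholder cpassword value, not the real one) and reports every element that still carries a cpassword attribute, then generalises to a walk over a SYSVOL copy covering the other Group Policy Preference files that can store one. The file list and account-attribute names are the ones used by those preference types; the sample data is constructed.

```python
import os
import xml.etree.ElementTree as ET

# Group Policy Preference files that can carry a cpassword attribute, and the
# attribute that names the account in each of them.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")

# Constructed Groups.xml in the shape the page reads; the GUIDs and the cpassword
# value are placeholders, not real data.
SAMPLE_GROUPS_XML = """<Groups>
  <User name="Administrator" changed="2019-01-01 00:00:00" uid="{CONSTRUCTED-GUID-1}">
    <Properties action="U" newName="" fullName="" description=""
                cpassword="CONSTRUCTED_CPASSWORD_BASE64" changeLogon="0" noChange="1"
                neverExpires="1" acctDisabled="0" userName="Administrator"/>
  </User>
  <User name="svc_report" changed="2019-01-01 00:00:00" uid="{CONSTRUCTED-GUID-2}">
    <Properties action="U" cpassword="" userName="svc_report"/>
  </User>
</Groups>
"""

def find_cpasswords(xml_data, source="<memory>"):
    """One finding per element carrying a cpassword attribute. xml_data may be str or bytes."""
    findings = []
    for elem in ET.fromstring(xml_data).iter():
        if "cpassword" not in elem.attrib:
            continue
        account = next((elem.attrib[a] for a in ACCOUNT_ATTRS if a in elem.attrib), "?")
        findings.append({
            "file": source,
            "element": elem.tag,
            "account": account,
            "has_value": bool(elem.attrib["cpassword"]),  # empty cpassword = no stored secret
        })
    return findings

def audit_sysvol(root_dir):
    """Walk a SYSVOL copy (mounted share or exported directory) and audit every GPP file in it."""
    findings = []
    for dirpath, _, filenames in os.walk(root_dir):
        for name in filenames:
            if name not in GPP_FILES:
                continue
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:           # bytes: lets ET honour the file's own XML declaration
                data = fh.read()
            try:
                findings.extend(find_cpasswords(data, full))
            except ET.ParseError as exc:
                findings.append({"file": full, "element": None, "account": None,
                                 "has_value": None, "error": str(exc)})
    return findings

if __name__ == "__main__":
    for f in find_cpasswords(SAMPLE_GROUPS_XML, "Groups.xml"):
        status = "STORED PASSWORD" if f["has_value"] else "empty"
        print(f'{f["file"]}: <{f["element"]}> account={f["account"]} cpassword={status}')
```

Point `audit_sysvol` at a mounted SYSVOL share to check a real domain. Two facts make this audit worth running: SYSVOL is readable by every authenticated user, which is why the low-privileged shell on this box could read Groups.xml, and MS14-025 only stopped new cpassword entries from being created, so any entry set before that patch stays on disk until an administrator removes it.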

- is able to spawn the System shell:

- Reading root.txt: