QUERIER
- Layout for this exercise:
1 - INTRODUCTION
- The goal of this exercise is to develop a hacking process for the vulnerable machine Querier, which is a machine from the Hack The Box pentesting platform:
https://www.hackthebox.eu
2 - ENUMERATION
- The IP for Querier is 10.10.10.82:
- Scanning with Nmap:
- Scanning port 1433 in more depth, we find additional information about the Microsoft SQL Server:
- Scanning port 445 in more depth, we learn that an SMB service is running there:
3 - EXPLOITATION
3.1 - Exploiting SMB
- Connecting to SMB using a null session with smbclient, we find the shared folder Reports:
- Examining the content of the shared folder Reports, we find the document Report.xlsm; the .xlsm extension indicates a macro-enabled spreadsheet created by Microsoft Excel:
https://xlsxwriter.readthedocs.io/working_with_macros.html
3.2 - Exploiting the .xlsm document
- Downloading the .xlsm file to Kali:
- Obviously the easiest way to read this .xlsm document would be to open it in Microsoft Excel; however, in this case let's assume that Microsoft Excel is not available.
- Unzipping:
- The file vbaProject.bin inside the xl folder contains the VBA functions and/or macros:
https://xlsxwriter.readthedocs.io/working_with_macros.html
- Running the strings command over the file vbaProject.bin, we find credentials for the SQL Server:
- Storing the credentials:
3.3 - Exploiting the SQL server
- The Python script mssqlclient.py lets us connect to the SQL Server:
- Connecting with the -windows-auth option (default authentication) and using the credentials found in point 3.2:
- The command enable_xp_cmdshell (which allows running arbitrary command lines) fails because the user reporting does not have enough permissions:
- At this point we don't have sysadmin permissions:
- However, we can obtain more information by executing xp_dirtree (which lists all the files in a folder) with responder running to capture the leaked NetNTLMv2 hashes.
- responder answers specific NBT-NS (NetBIOS Name Service) queries based on their name suffix:
https://gitlab.com/kalilinux/packages/responder
- Running xp_dirtree:
- responder captures the NetNTLMv2 hashes:
- Storing the hashes:
3.4 - Cracking the NetNTLMv2 hashes with John The Ripper
- Running John The Ripper over the hashes, we recover the credentials mssql-svc:corporate568:
3.5 - Getting a remote shell
- Let's reconnect to the SQL Server with the new credentials mssql-svc:corporate568:
- Now enable_xp_cmdshell succeeds (xp_cmdshell is usually disabled by default) because the user mssql-svc has enough permissions:
- Downloading nc.exe to Kali:
- Transferring nc.exe from Kali to Querier:
- Starting a Netcat listening session on port 5555:
- Launching a Netcat connection from Querier to Kali:
- The connection is successful and we get a remote shell:
4 - CAPTURING THE 1st FLAG
- Reading user.txt:
5 - PRIVILEGE ESCALATION
- Access to the Administrator's folder is denied:
- However, access to Groups.xml is granted:
- Storing cpassword:
- Decrypting cpassword with the well-known gpp-decrypt:
https://github.com/BustedSec/gpp-decrypt
- So the credentials for the Administrator are:
- psexec.py is able to spawn a SYSTEM shell:
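- The defensive counterpart to the Groups.xml step above, added here as an example (not part of the original write-up): a small Python audit that walks a SYSVOL-like directory and flags every Group Policy Preference file that still carries a cpassword attribute, which is exactly what made Groups.xml exploitable on this machine. The sample Groups.xml is constructed and its cpassword is a placeholder, not the value found on Querier.

```python
import os
import xml.etree.ElementTree as ET

# Group Policy Preference files that can carry a cpassword attribute (MS14-025).
GPP_FILES = {"Groups.xml", "ScheduledTasks.xml", "Services.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}
ACCOUNT_ATTRS = ("userName", "username", "accountName", "runAs")  # varies per file type

# Constructed sample modelled on a GPP Groups.xml; the cpassword is a placeholder,
# not the value found on the Querier machine.
SAMPLE_GROUPS_XML = """<Groups>
  <User name="Administrator">
    <Properties action="U" cpassword="PLACEHOLDER_CPASSWORD_VALUE=="
                userName="Administrator" neverExpires="1"/>
  </User>
</Groups>
"""

def find_cpassword_entries(xml_text):
    """Return (tag, account, cpassword) for every element carrying a cpassword
    attribute. Any value, even an empty string, means the GPO stored a password."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if "cpassword" in elem.attrib:
            account = next((elem.attrib[a] for a in ACCOUNT_ATTRS if a in elem.attrib), "<unknown>")
            findings.append((elem.tag, account, elem.attrib["cpassword"]))
    return findings

def audit_files(files):
    """Return {path: findings} for the (path, xml_text) pairs that hold a cpassword;
    files that fail to parse are skipped rather than aborting the whole audit."""
    report = {}
    for path, text in files:
        try:
            hits = find_cpassword_entries(text)
        except ET.ParseError:
            continue
        if hits:
            report[path] = hits
    return report

def audit_sysvol(root_dir):
    """Walk a SYSVOL-like tree (e.g. a mounted copy of the share) and audit GPP files."""
    found = []
    for dirpath, _, names in os.walk(root_dir):
        for name in names:
            if name in GPP_FILES:
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found.append((path, fh.read()))
    return audit_files(found)
```

Any hit should be treated as a finding: the GPO must be re-created without the stored password, and the affected account's password rotated, since the AES key protecting cpassword is public.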
6 - CAPTURING THE 2nd FLAG
- Reading root.txt: