Sql xpdirtree file details
7/17/2023

Here's some quick logic that will return both the create date and the file name of the files in a designated folder. In this case I'm looking in folder C:\SQLIMPORTS. This was originally created for use in an automated ETL process. It could use a little optimization, but it works great.

```sql
-- Reconstructed from the post: the table-variable and column names were lost when the
-- page was scraped, so @files, subdirectory, depth, isfile and dir_line are assumed names.
-- The folder path is the one the post names.
declare @files table (subdirectory varchar(255), depth int, isfile int);

-- xp_dirtree lists C:\SQLIMPORTS one level deep; the third argument (1) makes it
-- include files and populate the isfile flag.
insert into @files exec master.dbo.xp_dirtree 'C:\SQLIMPORTS', 1, 1;
delete from @files where isfile = 0;   -- keep files only, drop sub-folders

if object_id('tempdb..#import_folder') is not null
    drop table #import_folder;
create table #import_folder (dir_line nvarchar(255));

-- xp_cmdshell runs a plain "dir" and captures each output line as one row
insert into #import_folder exec xp_cmdshell 'dir C:\SQLIMPORTS\*.*';
delete from #import_folder where dir_line is null;          -- blank lines
delete from #import_folder where dir_line like '%dir%';     -- "Directory of ..." header
delete from #import_folder where dir_line like '%volume%';  -- "Volume in drive ..." header
delete from #import_folder where dir_line like '%bytes%';   -- file/dir summary lines

-- what remains is one "dir" line per file: date, time, size and name
select * from #import_folder;
```

Hey everyone, today we'll be going through the 'Querier' machine from Hack the Box. This was a fun Windows machine where we discover an Excel spreadsheet in an unprotected SMB share. This Excel file contains a macro that connects back to the machine's SQL server (with hard-coded credentials for us to steal). We are then able to log in to the open MSSQL service (port 1433) with some help from Impacket's mssqlclient.py tool. Once inside, we utilize SpiderLabs' Responder tool to grab an NTLM hash, which we are able to quickly crack. Using these credentials, we can log into the machine as a low-privilege user. From here, we are able to dig up some Administrator credentials in a cached Group Policy Preferences file for an easy privesc.

GOAL: To obtain the user.txt and root.txt flags.

Per usual, we'll start with a basic Nmap scan:

Looking at our results, we see two ports of immediate interest: 445 for SMB and 1433 for MS SQL Server. We also get some useful information regarding the NetBIOS computer name, domain name, etc. We can go ahead and update our /etc/hosts file to reflect this information:

We'll first start by looking into the SMB share. We can test for anonymous access with the following smbclient command:

The -L flag tells smbclient to simply list all shares. When prompted for the password, simply press enter. Right away, we can see a non-standard share of 'Reports', so let's check if this share is open to anonymous users:

This time, we drop the -L flag so we can enter an interactive smbclient session. We find an Excel document named "Currency Volume Report.xlsm" in the share. We can grab this file with the get command as shown above.

Once the file is downloaded, let's open it up in LibreOffice and take a look. (Note: You may need to install LibreOffice first; simply type apt-get install libreoffice to do so.) Once inside, there is nothing for us to see, as the file appears to be empty. Let's check to see if there is any embedded macro though...

To do this in LibreOffice, simply navigate to Tools > Macros > Edit Macros, and you'll be met with a new window. From here, use the Object Catalog menu on the left to navigate to the 'Connect' macro as shown in the screenshot below:

If you scan through this code, you'll see it contains hard-coded credentials for what appears to be the MS SQL Server we initially saw in the Nmap scan:

Uid=reporting Pwd=PcwTWTHRwryjc$c6

Step 2: Limited MS SQL Server Access

This is where Impacket's mssqlclient.py tool comes into play. Check out the help info for this tool if you want more information on the syntax of the command:
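As an added hardening check that is not part of the original post, the T-SQL below shows whether xp_cmdshell is switched on, which principals in master hold explicit EXECUTE on the two extended procedures the xp_dirtree snippet relies on, and how to turn xp_cmdshell off again. It assumes you run it on the same instance with a sysadmin login.

```sql
-- Added audit query, not from the original post. Assumes a sysadmin connection.

-- 1. Is xp_cmdshell enabled on this instance? (value_in_use = 1 means yes)
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'show advanced options');

-- 2. Who holds explicit EXECUTE on xp_dirtree / xp_cmdshell in master?
--    A low-privilege login such as the "reporting" account in the write-up should
--    not appear here; anything beyond the expected service accounts is worth a look.
SELECT pr.name            AS principal_name,
       pr.type_desc       AS principal_type,
       o.name             AS procedure_name,
       pe.permission_name,
       pe.state_desc
FROM master.sys.database_permissions AS pe
JOIN master.sys.database_principals AS pr
  ON pr.principal_id = pe.grantee_principal_id
JOIN master.sys.all_objects AS o
  ON o.object_id = pe.major_id
WHERE pe.class_desc = 'OBJECT_OR_COLUMN'
  AND o.name IN ('xp_dirtree', 'xp_cmdshell')
ORDER BY o.name, pr.name;

-- 3. Disable xp_cmdshell when no job or ETL process legitimately depends on it.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
```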