Hack The Box Write-Up: Querier! — in an irreverent style :-)
Difficulty: Medium
Attack vectors: MSSQL, SMB, Privilege Escalation
Mood: Nostalgic, remembering my old DBA years.
Let’s have some MSSQL pentesting fun together, with the occasional privilege escalation thrown in for flavor.
Step 1: “Hello, Anybody Home?”
First things first, I hit Querier with an nmap scan. What do I find? Well, looks like there’s an MSSQL server sitting there. This looks interesting. Let’s see what else we have.
nmap -p 135,139,445,1433,5985,47001 -sCV 10.129.253.120
Oh yeah, there’s SMB …
There’s always SMB. I always get excited when SMB is open. 8/10 times, there’s something to look for. I decided to knock on the SMB door:
smbclient -N -L //10.129.253.120
Result: Nice, there’s a non-default share called “Reports”. I grab a file off the share and what do I find? An .xlsm file — an Office…