Querier

Pretty interesting little box.

For anyone fighting with this box - use basic tools (not “The Framework”) for exploitation. In the end you need only 2 tools and one script to root it (the script is an optional part).

  1. If you think it should work, maybe you are not using your tool correctly. A screwdriver can be a hammer, but you need to know which end you should use.
  2. \ != /;!|$ → !|$;
  3. Be aware of mighty Defender

K …Got root shell …
So I guess that’s Querier …

Ping me for any help…

Rooted this yesterday but just wanted to say what an awesome box :smiley: Loved that you had to get in using services other than the usual suspects! I spent a good few hours afterwards playing around with the box trying other stuff out and building my own windows cheatsheet.

My hints would be:
For user: I spent way too long trying to get tools to work purely because a password included a character that needed escaping. I realised this later. I did manage to do the majority of this first part using M********* though and it worked well.
For root: I struggled because to me there was nothing standing out on the system. Turned out I’d already dismissed what I needed because I thought it didn’t apply to this certain system setup. Going through cheatsheets and common Windows attack vectors will get you there in the end, however, “uncles” won’t help you find what you’re looking for, only help you know you’re on the right track when you meet them :wink:

Did anyone run into this error when trying to use i******* m**********?:
[-] [('SSL routines', 'ssl_do_config', 'bad value')]

I was able to get the necessary info another way, but think I may have an issue with openSSL?

EDIT: Reinstalled i******* and it works fine

Very nice box, learned a lot. Now I really need to learn to keep track of the tools that are installed. Makes things a lot easier.

Very cool box.

@Un4gi said:

Did anyone run into this error when trying to use i******* m**********?:
[-] [('SSL routines', 'ssl_do_config', 'bad value')]

I was able to get the necessary info another way, but think I may have an issue with openSSL?

What about other methods of auth that mssql has?

Got root.txt but not shell…

Whoever has got root.txt can you pm me if you got a shell and maybe give me some pointers how to get it. Thanks!

Got root.
This is my second Windows machine. Really enjoyed solving through … learnt a ton of things … Would like to know if anyone got a root shell… PM please

Can anyone assist with connecting to the sql service? All of my normal options haven’t been able to connect :confused:

Got root, PM if you need help.

Root shell!
This box was pretty fun, once I got past the sql client troubles.

@avetamine said:
Or you can simply escape it with a backslash "\", cause the “$” sign gets interpreted. :wink:
Hint for user: Ippsec’s writeup on Giddy is incredibly relevant to this box, just note that sometimes it might take a few attempts before you find what you’re looking for. You’ll know it when you see it. Also, impacket is awesome.

Hint for root: This is one of those privescs that you’ll really kick yourself over, because it’s one of those things that depending on how well you enumerate the box and which list you use, it may take a while to get to root. Just focus on what you can see.
Also, again, Impacket is awesome.

Simply a great machine. Very real life. Loved all of it! Great job mrh4sh and egre55 :slight_smile:

Rooted, finally I know what people meant when I read ‘uncles’.

Feel free to PM.

@mcruz said:

@Un4gi said:

Did anyone run into this error when trying to use i******* m**********?:
[-] [('SSL routines', 'ssl_do_config', 'bad value')]

I was able to get the necessary info another way, but think I may have an issue with openSSL?

What about other methods of auth that mssql has?

It’s not an auth issue… it’s an issue with openSSL or python. Just not sure how to fix it

EDIT: Reinstalled i******* and it works fine

Is it normal to just get a reset connection during the protocol negotiation using the giddy method?

Is it normal that with the technique with re****** and xp_di***** every time there is another hash? Am I on the right track? Maybe the wrong technique or tool? Very short hash format :confused:

any hints?

@supercop89 said:

Is it normal that with the technique with re****** and xp_di***** every time there is another hash? Am I on the right track? Maybe the wrong technique or tool? Very short hash format :confused:

any hints?

I don’t get anything so… no hints there :smiley:

Got root shell after a LOT of trouble using my own created Admin user, which I didn’t even manage to use at the end. My final solution was easier.
Still don’t understand what people call ‘uncles’, didn’t need them to elevate.

I have a stable root shell on the system. I’d be glad to share methods to get root with anyone. :smiley:

Super cool box, was looking for a Windows box to learn stuff as I am super new to Windows boxes, learnt tons of stuff about PS, and about some of the ports that were open.

Rooted at last! Awesome box :smiley:

@supercop89 said:

Is it normal that with the technique with re****** and xp_di***** every time there is another hash? Am I on the right track? Maybe the wrong technique or tool? Very short hash format :confused:

any hints?

OK, I found it … thanks :slight_smile: