HackTheBox Endgame P.O.O Writeup Part 4 – Foothold (Flag 04/05)

HackTheBox P.O.O Writeup Series:

  1. PART 1: HackTheBox Endgame P.O.O Writeup Part 1 – Recon (Flag 01/05)
  2. PART 2: HackTheBox Endgame P.O.O Writeup Part 2 – Huh?! (Flag 02/05)
  3. PART 3: HackTheBox Endgame P.O.O Writeup Part 3 – BackTrack (Flag 03/05)
  4. PART 4: HackTheBox Endgame P.O.O Writeup Part 4 – Foothold (Flag 04/05)
  5. PART 5: p00ned (Coming soon)

The 4th flag of P.O.O was a bit complicated and time-consuming because I had no idea what to do. I tried Evil-WinRM, DCSync and a lot of Impacket tools to gain a foothold, but all my efforts were in vain.

But, as always, a simple and straight-to-the-point nudge from a good HTB fellow user made me understand what I was supposed to try. I was going in the wrong direction. So here is the writeup of POO Part 5: Foothold.

HackTheBox Endgame P.O.O Writeup Part 4 – Foothold (Flag 04/05) (Credit: fineartamerica.com)

As I already had Administrator credentials from my previous flag, I tried to log in as Administrator from the SQL shell Python script. I was able to log in successfully and get a shell, but the Administrator is a public user with limited access.

I ran a couple of commands to find the users on the box, the Administrator's privileges, etc.

At this moment, I was again clueless. The Administrator account seemed useless at first. But, to my surprise, an unintended "ipconfig /all" showed me that the machine's network is configured with a preferred IPv6 address, dead:babe::1001. The DNS is pointing to "172.20.128.53". I tried to ping Google DNS 8.8.8.8, but it failed. My ping to 172.20.128.53 was successful.

Now that I knew the IPv6 address of the machine, I decided to scan it for services and open ports.

Well, well, well, I found what I was looking for: WinRM is running on port 5985. In the next step I updated my hosts file with the newly found IPv6 address and used Evil-WinRM to get a PowerShell shell.

That's all folks, thanks for reading. See you soon with the last part, "p00ned".

Navin

Hey there, I'm Navin, a passionate Info-Sec enthusiast from Bahrain. I started this blog to share my knowledge. I usually write on HackTheBox machines and challenges, cybersecurity-related articles and bug-bounty. If you are an HTB user and like my articles, please respect here: https://www.hackthebox.eu/home/users/profile/68523
