Recon

Nmap Enumeration

The initial Nmap scan of the target revealed that the MSSQL and HTTP ports were open.

00 - nmap

Website Enumeration

Visiting the website revealed the default IIS web page.

01 - website

So I did some directory fuzzing and found some directories, but they were either inaccessible or required an admin password.

02 - ffuf

.DS_Store file

So I did more fuzzing with other wordlists such as quickhits or the raft lists from SecLists. I also started Nikto to check whether any known vulnerabilities were present. Both tools found that .DS_Store was accessible.

03 - DSSTORE 2

03 - DSSTORE

So I did some research on this file and found a Medium post explaining that it can be used to extract website directories and some of the file names, much like an exposed .git directory. I used the ds_store_exp tool to extract all available web files.

04 - dsstore extractor

Then I did some more fuzzing on all the endpoints. The Dev/… endpoint revealed some suspicious endpoints.

05 - fuzzing

IIS Tilde Enumeration

Then I did even more fuzzing on all the dev/.. endpoints but could not find anything useful. Later I realised that this was an IIS server, so I could exploit the IIS tilde (8.3 short name) enumeration vulnerability. I could do it using the iis_tilde_enum script or msfconsole; I did both, as seen below.

06 - iis tilde

06 - iis tilde 2

From the 6-character short name and 3-character extension I could see it was something like poo_co…..txt, so I did even more fuzzing, this time with a specific wordlist. I created it from the SecLists directory fuzzing wordlists by grepping only the words that start with co.

07 - poo_connection txt

It showed that the endpoint was poo_connection.txt, so I visited it and got the flag and the connection information.
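As an added illustration (not code from the original post), the simplified NTFS 8.3 rule that turns poo_connection.txt into POO_CO~1.TXT, applied to a constructed webroot listing so a defender can see which files are exposed through tilde requests; the allowed character set and the ~n collision numbering are assumptions that follow the documented NTFS behaviour.

```python
import re
from collections import defaultdict

# Characters NTFS accepts in an 8.3 name. Spaces, '+', ',', ';', '=', '[', ']'
# and non-ASCII are outside this set; real NTFS substitutes '_' for some of
# them, this simplified version just drops them (assumption; it does not change
# the 6-character prefix rule the post relied on).
ALLOWED = r"A-Z0-9!#$%&'()\-@^_`{}~"
IS_83 = re.compile(rf"[{ALLOWED}]{{1,8}}(\.[{ALLOWED}]{{1,3}})?")
NOT_ALLOWED = re.compile(rf"[^{ALLOWED}]")

def short_name(long_name, counters=None):
    """Return the 8.3 alias NTFS would create for long_name, or None when the
    name is already a valid 8.3 name (no alias, so nothing to enumerate).
    `counters` tracks the ~n suffix for names sharing a prefix and extension."""
    counters = counters if counters is not None else defaultdict(int)
    upper = long_name.upper()
    if IS_83.fullmatch(upper):
        return None
    stem = upper.lstrip(".")                     # ".DS_Store" -> "DS_STORE"
    base, dot, ext = stem.rpartition(".")
    if not dot:
        base, ext = stem, ""
    prefix = NOT_ALLOWED.sub("", base.replace(".", ""))[:6]   # first 6 chars
    ext = NOT_ALLOWED.sub("", ext)[:3]                         # first 3 of ext
    counters[(prefix, ext)] += 1
    alias = f"{prefix}~{counters[(prefix, ext)]}"
    return f"{alias}.{ext}" if ext else alias

def alias_map(filenames):
    """Which files in a listing are reachable through an 8.3 alias. On a live
    server the fix is to disable 8.3 name creation on the volume
    (fsutil 8dot3name set <drive>: 1) and strip the aliases that already exist."""
    counters = defaultdict(int)
    result = {}
    for name in filenames:
        alias = short_name(name, counters)
        if alias:
            result[name] = alias
    return result
```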

08 - RECON flag

Huh?

MSSQL Enumeration

With the found credentials I connected to the MSSQL server.

00 - mssql client

The user was not a DB admin and could not do anything useful in the SQL server.

02 - no dba

So I followed the hackviser MSSQL cheatsheet and found out that there were linked servers.

03 - no dba on linked server but circular loop

The external user from POO_PUBLIC was linked to internal_user on POO_CONFIG, which was linked back to the server admin on POO_PUBLIC. The schema can be seen below.

04 - situation

PowerUpSQL

So instead of crawling the links manually, I ran the PowerUpSQL script with the Get-SQLLinkCrawl cmdlet and got code execution.
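An added example (not PowerUpSQL's own code) of the walk Get-SQLLinkCrawl performs, run over a constructed export of linked-server login mappings that mirrors the POO_PUBLIC / POO_CONFIG loop described above; the mapping values and the sysadmin set are assumptions, and the same walk over a real sys.servers / sys.linked_logins export shows a defender which link chains end in sysadmin and should be remapped to a least-privilege remote login.

```python
from collections import deque

# Constructed export of linked-server login mappings (what sys.servers joined
# to sys.linked_logins gives you on each instance). Names mirror the
# POO_PUBLIC / POO_CONFIG loop in the post; the values are made up.
# Key: (server, login you hold there) -> list of (linked server, remote login).
LINKS = {
    ("POO_PUBLIC", "external_user"): [("POO_CONFIG", "internal_user")],
    ("POO_CONFIG", "internal_user"): [("POO_PUBLIC", "sa")],
    ("POO_PUBLIC", "sa"): [("POO_CONFIG", "sa")],
}
# Assumed sysadmin logins per instance; a real audit fills this from
# IS_SRVROLEMEMBER('sysadmin') on each server.
SYSADMINS = {("POO_PUBLIC", "sa"), ("POO_CONFIG", "sa")}

def crawl_links(links, start):
    """Breadth-first walk over link mappings from (server, login).
    Returns {reachable (server, login): list of hops from start}."""
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        ctx = queue.popleft()
        for nxt in links.get(ctx, []):
            if nxt not in paths:       # each context visited once, so loops terminate
                paths[nxt] = paths[ctx] + [nxt]
                queue.append(nxt)
    return paths

def escalation_paths(links, sysadmins, start):
    """Sysadmin contexts that a non-sysadmin start can reach through links."""
    if start in sysadmins:
        return {}
    return {ctx: path for ctx, path in crawl_links(links, start).items()
            if ctx in sysadmins}

def loops_to_origin(links, start):
    """Chains that return to the starting server under a different login:
    the circular-link condition that made the POO_PUBLIC setup exploitable."""
    return sorted(ctx for ctx in crawl_links(links, start)
                  if ctx[0] == start[0] and ctx != start)

def format_path(path):
    return " -> ".join(f"{srv}({login})" for srv, login in path)

if __name__ == "__main__":
    start = ("POO_PUBLIC", "external_user")
    for ctx, path in escalation_paths(LINKS, SYSADMINS, start).items():
        print("sysadmin reachable:", format_path(path))
```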

05 - code execution

Before moving further, I checked the DB and found the flag table. I simply read the flag.

06 - flag

BackTrack

To avoid crawling the links every time, I created a backdoor user with sysadmin privileges.

00 - backdoor user

Then I connected using mssqlclient. However, there was a trigger that prevented me from enabling xp_cmdshell. So, as a sysadmin, I simply disabled the trigger and enabled it.

01 - enabled xpcmdshell disabled trigger

I could not get a reverse shell because outbound communication from the machine was disallowed. So I enumerated the webroot directory and found a web.config file and an admin directory.

02 - web

External Scripts in MSSQL

But I had no permission to read any file inside the webroot directory.

03 - no access

So while searching I found an article about external scripts from Hacking Articles. External scripts (if the feature is enabled) can be used in MSSQL to run Python scripts, and the good thing is that they run as another user, so we may have the privileges to read the file. So I simply tried it and it worked: I read the web.config file, which included the Administrator password.

04 - different user with password

Then I simply visited the admin endpoint from the website and got the flag.

05 - got the flag

Foothold

I ran netstat -ano via xp_cmdshell and found that the WinRM port was open, although we could not see it in the nmap scan.

00 - winrm is open but fw blocks it

So I thought the firewall was probably blocking it, and I ran the nmap scan again against the IPv6 address of the target and detected the WinRM port. Later, I simply added the IPv6 address to the /etc/hosts file and connected using evil-winrm.

01 - lets try ipv6

02 - ipv6 evilwinrm

And I got the flag.

03 - got flag

p00ned

Inside the machine, I first looked for the DC's IP and found it with a ping scan.

00 - dc scan

00 - internal ping scan

BloodHound

I could not run SharpHound in the evil-winrm session because the user was not a domain user. But I still had MSSQL access, which ran xp_cmdshell commands as the computer account. So I transferred SharpHound using evil-winrm and ran it through MSSQL xp_cmdshell.

01 - sharphound

02 - zip

Then I checked BloodHound but could not find much useful information. However, I found out later that the p00_adm user is a domain admin and could be kerberoastable as it has an SPN.

03 - kerberoastable

Kerberoasting

So I simply used Rubeus to kerberoast the user.

04 - rubeus

Then I cracked the hash with hashcat using a keyboard-combinations wordlist.

05 - combinations

06 - cracked

RCE on DC

Now I could simply create credentials in evil-winrm and run remote commands.

07 - rce on dc

08 - poo flag

Or I could access remote shares directly with these credentials using the net use command.

09 - 2nd way

Pwned

So the whole mini pro lab was compromised.

PWNED
