PENTEST REPORT

P.O.O Hackthebox Endgame

P.O.O Enterprise
Attn. Mohan Hacky's Ptest Company

21 park street Apple Street 47


4711 Wapple
Mumbai FN 12345 v | D.C. 69420

Example City, March 2, 2024

Report Version: 1.0

CONFIDENTIAL
Table of Contents
1 Document Control ....................................................................... 4
1.1 Team .................................................................................................................. 4
1.2 List of Changes ................................................................................................ 4

2 Executive Summary ..................................................................... 5


2.1 Overview .......................................................................................................... 5
2.2 Identified Vulnerabilities ............................................................................... 6

3 Methodology ................................................................................ 7
3.1 Objective ......................................................................................................... 7
3.2 Scope ................................................................................................................. 7

4 Findings ......................................................................................... 8
H1: Escalating privileges in MSSQL server to execute command with xp_cmdshell ............. 8
H2: Kerberoasting to Domain Admin ................................................................. 10
M1: Microsoft IIS shortname vulnerability ........................................................ 13
M2: Plaintext Storage of a Password .................................................................. 15
L1: Basic Authentication Without HTTPS ........................................................... 17

5 Disclaimer .................................................................................. 18
A Appendix ..................................................................................... 19
A.1 Static Appendix Section .............................................................................. 19
A.2 Vulnerability Assessment and Exploitation Analysis ............................... 19

CONFIDENTIAL P.O.O Hackthebox Endgame 2


1 Document Control
1.1 Team
Contact Details Role

Pentester

1.2 List of Changes


Version Description Date

2 Executive Summary
2.1 Overview

This report provides an overview of the findings from a comprehensive penetration testing exercise
conducted on the network infrastructure of the organization. The assessment aimed to identify
vulnerabilities and assess the security posture of the systems, with a focus on potential risks and
exploitation scenarios.

The assessment revealed several critical vulnerabilities across the network, including but not limited
to:

• Escalating Privileges in MSSQL Server: Exploiting vulnerabilities within the MSSQL Server
environment allows attackers to escalate privileges and execute commands, potentially leading to
further compromise or data exfiltration.
• Microsoft IIS Shortname Vulnerability: Affecting the web server, this vulnerability could
potentially allow attackers to disclose file shortnames, gaining unauthorized access to sensitive
files or directories.
• Kerberoasting to Domain Admin: Within the Active Directory environment, the vulnerability to
Kerberoasting poses a significant risk. Successful exploitation could lead to the compromise of
service accounts and the escalation of privileges to domain admin level.
• Basic Authentication Without HTTPS: The usage of basic authentication without HTTPS
encryption exposes credentials to interception by attackers, posing a risk of unauthorized access to
sensitive accounts or systems.

Additionally, the assessment identified plaintext passwords transmitted over the network, further
highlighting the need for improved security measures to prevent unauthorized access and
interception.

To mitigate these vulnerabilities and enhance the overall security posture, we recommend the
following measures:

1. Patch Management: Regularly update and patch all systems and applications to address known
vulnerabilities and security flaws.
2. Encryption and Secure Protocols: Implement HTTPS encryption for web applications and services
to protect sensitive information transmitted over the network. Additionally, enforce strong
authentication mechanisms to prevent unauthorized access.
3. Access Control and Monitoring: Implement robust access control measures and monitor network
traffic for suspicious activities. Implementing intrusion detection systems and log monitoring can
help detect and respond to security incidents in a timely manner.
4. Privilege Management: Review and restrict user privileges to minimize the impact of potential
security breaches. Implement the principle of least privilege to limit access to only necessary
resources and functionalities.

5. Security Awareness Training: Provide regular security awareness training to employees to
educate them about common security threats and best practices for safeguarding sensitive
information.

In conclusion, addressing the identified vulnerabilities and implementing proactive security measures
are essential steps towards enhancing the organization's overall security posture and mitigating the
risks of cyber threats and attacks. Regular security assessments and proactive risk management
practices are crucial in maintaining a strong defense against evolving cybersecurity threats.

2.2 Identified Vulnerabilities


# CVSS Description Page
H1 7.5 Escalating privileges in MSSQL server to execute command with xp_cmdshell 8
H2 7.5 Kerberoasting to Domain Admin 10
M1 6.5 Microsoft IIS shortname vulnerability 13
M2 5.3 Plaintext Storage of a Password 15
L1 3.7 Basic Authentication Without HTTPS 17

Vulnerability Overview
In the course of this penetration test, 2 High, 2 Medium and 1 Low severity vulnerabilities were identified:

Figure 1 - Distribution of identified vulnerabilities

3 Methodology
The methodology for this penetration test involves a systematic approach to assess the security of the
target network. Beginning with reconnaissance and enumeration, the team identifies key assets and
potential entry points. Vulnerability scanning follows, utilizing various tools to uncover weaknesses in
the system. Exploitation techniques are then employed to gain initial access, followed by post-exploitation
activities to establish persistence and gather critical information. Privilege escalation
attempts are made to gain higher-level access, and ultimately, the goal is to compromise the domain
infrastructure. Throughout the process, thorough documentation of findings is maintained, and
recommendations for remediation are provided. Finally, cleanup procedures ensure the removal of
any lingering traces of the test.

3.1 Objective
The objective of this penetration test is to comprehensively assess the security posture of the target
network infrastructure and identify potential vulnerabilities that could be exploited by malicious
actors. Through a systematic evaluation, the aim is to:

1. Identify entry points into the network and potential weaknesses in the perimeter defenses.
2. Assess the effectiveness of existing security controls in place, including firewalls, intrusion
detection systems, and access controls.
3. Discover and prioritize vulnerabilities present in the network, applications, and services,
considering their severity and potential impact on the organization.
4. Validate the exploitability of identified vulnerabilities through targeted exploitation attempts.
5. Evaluate the organization's response and detection capabilities to simulated attacks, including
incident response procedures and logging mechanisms.
6. Provide actionable recommendations for remediation and improving the overall security posture,
with a focus on mitigating identified risks and strengthening defenses against future attacks.

3.2 Scope

Entry Point: 10.13.38.11

The goal is to compromise the perimeter host, escalate privileges, and ultimately compromise the
domain. You are allowed to use/run any tools of your choice.

You are not allowed to delete any files or carry out any form of Denial of Service (DoS) attack.

4 Findings

H1: Escalating privileges in MSSQL server to execute command with xp_cmdshell

Score 7.5 (High)

Vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Target 10.13.38.11

References -

Overview
Our pentester abused linked-server functionality to add themselves to the sysadmin server role. From there
they abused xp_cmdshell to execute system-level commands from the MSSQL server.

Details
We logged in to POO_PUBLIC with the external_user credentials and then executed the following steps to
obtain remote code execution (RCE):

1. Abused the linked server to add ourselves to the POO_CONFIG database.

2. Logged in to POO_CONFIG with the newly created credentials as "sysadmin".

3. Used xp_cmdshell to execute system commands and obtain RCE.

Recommendation
Use proper monitoring/logging system to detect creation of any new account.
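To illustrate what that monitoring needs to look for, the following Python is an added example (not part of the original assessment or of any tooling used in it). It classifies statement-level records of the kind a SQL Server Audit or Extended Events session exports, matching each of the steps in the H1 chain (enabling xp_cmdshell through sp_configure, running statements through a linked server with EXECUTE ... AT, creating a login, adding a sysadmin member, and executing xp_cmdshell), and raises a single alert when one principal both creates a login and grants sysadmin in the same batch. The record shape, the principal and linked-server names and the sample statements are constructed assumptions; in production the patterns would be tuned against the real audit schema.

```python
import re
from dataclasses import dataclass


@dataclass
class SqlAuditEvent:
    """One statement-level record, in the shape a SQL Server Audit or Extended
    Events session exports it (field names constructed for this example)."""
    server_principal: str
    statement: str


# Each pattern corresponds to one step of the escalation chain described in H1.
SUSPICIOUS_PATTERNS = [
    ("xp_cmdshell enabled",
     re.compile(r"sp_configure\s+N?'+xp_cmdshell'+\s*,\s*1", re.I)),
    ("xp_cmdshell executed",
     re.compile(r"EXEC(UTE)?\s+(\[?master\]?\.(\[?dbo\]?)?\.)?\[?xp_cmdshell\b", re.I)),
    ("sysadmin membership added",
     re.compile(r"ALTER\s+SERVER\s+ROLE\s+\[?sysadmin\]?\s+ADD\s+MEMBER|sp_addsrvrolemember", re.I)),
    ("login created",
     re.compile(r"\bCREATE\s+LOGIN\b", re.I)),
    ("linked-server execution",
     re.compile(r"EXEC(UTE)?\s*\(.*\)\s+AT\s+\[?\w+|OPENQUERY\s*\(", re.I | re.S)),
]


def classify(statement: str) -> list[str]:
    """Return the labels of every suspicious pattern found in one T-SQL statement."""
    return [label for label, rx in SUSPICIOUS_PATTERNS if rx.search(statement)]


def flag_events(events: list[SqlAuditEvent]) -> list[tuple[str, list[str]]]:
    """Classify every event; benign statements get an empty label list."""
    return [(e.server_principal, classify(e.statement)) for e in events]


def has_escalation_chain(events: list[SqlAuditEvent]) -> bool:
    """True when one principal both creates a login and grants sysadmin within the
    given events: the sequence H1 describes and the recommendation asks to alert on."""
    seen: dict[str, set[str]] = {}
    for principal, labels in flag_events(events):
        seen.setdefault(principal, set()).update(labels)
    needed = {"login created", "sysadmin membership added"}
    return any(needed <= labels for labels in seen.values())


def sample_events() -> list[SqlAuditEvent]:
    """Constructed records; the login and linked-server names are placeholders."""
    return [
        SqlAuditEvent("external_user", "SELECT name FROM sys.databases"),
        SqlAuditEvent("external_user",
                      "EXECUTE ('EXEC sp_configure ''xp_cmdshell'', 1; RECONFIGURE;') AT [LINKED_SRV]"),
        SqlAuditEvent("external_user",
                      "EXECUTE ('CREATE LOGIN [audit_svc] WITH PASSWORD = ''placeholder''') AT [LINKED_SRV]"),
        SqlAuditEvent("external_user",
                      "EXECUTE ('ALTER SERVER ROLE [sysadmin] ADD MEMBER [audit_svc]') AT [LINKED_SRV]"),
        SqlAuditEvent("audit_svc", "EXEC master..xp_cmdshell 'whoami'"),
    ]


if __name__ == "__main__":
    for principal, labels in flag_events(sample_events()):
        print(f"{principal:14} {labels or 'benign'}")
    print("escalation chain:", has_escalation_chain(sample_events()))
```

The per-statement labels are useful on their own, but the chain check is what should page someone: a login created and granted sysadmin by the same principal through a linked server is the H1 sequence regardless of what the statements are called.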

H2: Kerberoasting to Domain Admin

Score 7.5 (High)

Vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Target 10.13.38.11

References https://www.tenable.com/plugins/nessus/150480

Overview
A privileged account is vulnerable to the Kerberoasting attack.

With Kerberoast, attackers exploit the internals of the Kerberos authentication protocol and generally
target privileged domain user accounts. The goal of this attack is to discover the cleartext password of
a privileged account, and thereby gain the associated rights. This attack can be performed from inside
an Active Directory environment. All an attacker needs is a simple, unprivileged user account.

Details
We used Rubeus to Kerberoast the p00_adm user.

Password hash of the p00_adm user:

$krb5tgs$23$*p00_adm$intranet.poo$cyber_audit/intranet.poo:
443*$8CC97916BF27E12EB33786656ECD3BF0$AD136CD680B346EC20C407D7DEA5D93AD26E95BF7B4B33ABC45C
924A44336DCC32A1E559CB9440D621846DAFB3762E4B34BD439EA4D05BB0B707D12B7F9FCC7A29B29787F5128D
934CD32C76C344AE1B530CA842ECA1354C5B205AFA705FDAC9E4AC6E5FC6FC37296A41569CF2D712EDD8068D6C
1B0F08135AADC36CCF9473E8248AB1FE53C464B09FCCFC5C8F268BF1894EBE24D818674B623C85F1375970B7BB
980C8805593A41A8AA37AEF4F57FD9ADF71EBDE49EF787F169D3DC1C4893A2AB312B359D62B92FC7D6CAED0DFA
ECE4EACBEF284E5FF3C1B3B6715C96D4D11E8EA78051B208DD1283F704073AC630150A0D2CB781DBFB93DE4319
C7D7AE4CDC67CB447E6347829EFF72B0F1BEDFD4254A5F1CCC85E9DC89A1DEC486A7626A7311ABCFF35CC6162C
025BFEE79B020ADD6DAF5D91ECF0825184256E91F7AA4399BB4F2423A5B4915D7CAC490B20FE233951BCE10E21
17AB1746A776D54A7260E6B8E8D845214AF3908EBC90137D6496ED27B45D13F236026C5B7D1D4646EB9EA2EF51
7BCEE93212DE6D7D9E82CF5C7F136BAAC64F12B49BF30E10C3671631D4A63C5577B0F3BFA1629E79D1B58E5575
A734342EE3F4488FF4E0B7E572792E1AA6312431FB32820F329A8C7A5EE5CAB929F68EBF7F2F95B2432D174603
0D2B9A82B1E5721DCCADB680ACFF6DC62FB9303FB749AADF27D5ECCCC7F7EA31481426398EF90246038F4CCD5F
CEB114E26730FED6B2BF315FECCEEB9B473355D6F1C883CE9C18844E1524ED22D441B2CFCD32977D66BBB807CF
F2EF2F325792ACEDEFF0CAB6AAC3F788CE591AFF8F9A31F73C6B2930D7DD72FADFF65257E4AB65FA3F3EFFFCA9
CA39AA31A5C77E3E4B3DA8A1A5185BB1466A8BF66B1FE13354BF32313C92658A593E7EDE088CB023159BB39FA1
F8E6A25DA17CE9D53E0E2881FE629831A66C5D6FB5F04357700A57B1CB28830F2FFA5ECEC723DEB00E1DCE62BA
83920C5B1E278629E09A95A62BE183A0040A84E1033C526A49C0A6638CF6D0EE7E89FD5203EDC662331C7CCAFF
2C3117D6BEFA5187D2F117EB282947246A3166F0B642A6C1D73996B0E2E114737113DD9ECAD62581CBD0E486E9
FB2CD4F31C3691F87CB0F55E91442CFC28DC431CD210658900BAC0AD3864A67869FAC0DCD09EA57D9B51313431
EE8F6555D2460B272F6C64FA88A0113858A3476E752032252E69A5ECEBFE5329B6328253796DC14F2ABCFCE72A
EF70CB1861FE7F73D303FC99A731D36EAAD6B2A7E36CD79B7DB5B6DEE2D9D5EA748C98726DD577180B16B03C53
7474ACAF978EE0694C39A38F3FC2E92EFA488A6A7EC55D5A42513A264F67E191A00DB08ACF6DAB6D9D8A26E9EE
BC6890AEC891ACDFD47FFB5703C395D7EE787E76899E0521175FB3BF0AE5970CAA6ABC88F37D5B61FF4D90FED8
8F2B946D60CE91627E6BD7470C1635405CFD475DFA7EC2BB45DD4E51AD802656321450E814

We were then able to crack the password hash using hashcat.

From here we abused the "GenericAll" permission of the "P00 Help Desk" group to obtain domain admin
(Note: p00_adm was a member of the help desk group).

Steps:

1. We added ourselves to the Domain Admins group.

2. We confirmed that we had successfully been added to the Domain Admins group.

Recommendation
In order to make sure that privileged accounts are not affected by the Kerberoast attack, different
measures can be taken:

1. Remove the Service Principal Name from the user account.
2. If a Service Principal Name associated with a user account is required for functional reasons, use an
unprivileged account instead.
3. Increase the complexity of the password.
4. Use Group Managed Service Accounts (gMSA) instead of user accounts.
5. Use Smart Cards for sensitive accounts.
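The hash shown under Details is in hashcat's $krb5tgs$23$ layout, where 23 is the Kerberos encryption type RC4-HMAC; tickets issued with the AES types (17 and 18) are far more expensive to crack offline, which is why restricting service accounts to AES is a common complement to the measures above. The Python below is an added illustration, not part of the original report: it parses that header to expose the encryption type, account and SPN, and applies the standard detection heuristic to Windows security event 4769 (TGS request) records, flagging RC4 (TicketEncryptionType 0x17) ticket requests for user service accounts and grouping them by source address. The SAMPLE_HASH is the report's hash with its ciphertext cut after the first line; the request records, their field names and the addresses (documentation range) are constructed.

```python
import re
from dataclasses import dataclass

# hashcat mode 13100 layout for an RC4 (etype 23) service ticket, the format shown in H2
KRB5TGS_RC4 = re.compile(
    r"^\$krb5tgs\$(?P<etype>\d+)\$\*(?P<user>[^$]+)\$(?P<realm>[^$]+)\$(?P<spn>[^*]+)\*"
    r"\$(?P<checksum>[0-9A-Fa-f]{32})\$(?P<edata>[0-9A-Fa-f]+)$"
)

ETYPE_NAMES = {23: "RC4-HMAC", 17: "AES128-CTS-HMAC-SHA1-96", 18: "AES256-CTS-HMAC-SHA1-96"}


@dataclass
class TgsHash:
    etype: int
    user: str
    realm: str
    spn: str
    cipher: str


def parse_krb5tgs(line: str) -> TgsHash:
    """Parse the etype-23 layout; the AES layouts order their fields differently and are rejected."""
    m = KRB5TGS_RC4.match(line.strip())
    if not m:
        raise ValueError("not a $krb5tgs$23$ hash")
    etype = int(m["etype"])
    if etype != 23:
        raise ValueError(f"etype {etype} uses a different layout")
    return TgsHash(etype, m["user"], m["realm"], m["spn"], ETYPE_NAMES[etype])


# The report's hash header and checksum, with the ciphertext truncated after its first line
SAMPLE_HASH = ("$krb5tgs$23$*p00_adm$intranet.poo$cyber_audit/intranet.poo:443*"
               "$8CC97916BF27E12EB33786656ECD3BF0$AD136CD680B346EC20C407D7DEA5D93AD26E95BF7B4B33ABC45C")


@dataclass
class TgsRequest:
    """The fields of a Windows security event 4769 that matter here (constructed record shape)."""
    account: str      # requesting user
    service: str      # TargetUserName: the account that owns the requested SPN
    etype: int        # TicketEncryptionType: 0x17 RC4, 0x11 AES128, 0x12 AES256
    client_ip: str


def is_roast_candidate(req: TgsRequest) -> bool:
    """RC4 ticket for a *user* service account. krbtgt and computer accounts (trailing $)
    are excluded: their keys are long and random, so a ticket for them is not crackable."""
    if req.etype != 0x17:
        return False
    if req.service.lower() == "krbtgt" or req.service.endswith("$"):
        return False
    return True


def roast_sources(reqs: list[TgsRequest], threshold: int = 1) -> dict[str, list[str]]:
    """Group candidate requests by client address; return sources that requested RC4 tickets
    for at least `threshold` distinct user service accounts (bulk requests are the tell)."""
    by_ip: dict[str, set[str]] = {}
    for r in reqs:
        if is_roast_candidate(r):
            by_ip.setdefault(r.client_ip, set()).add(r.service)
    return {ip: sorted(s) for ip, s in by_ip.items() if len(s) >= threshold}


def sample_requests() -> list[TgsRequest]:
    """Constructed events; 192.0.2.0/24 is the documentation range, not a real client."""
    return [
        TgsRequest("external_user", "p00_adm", 0x17, "192.0.2.10"),
        TgsRequest("external_user", "sqlsvc", 0x17, "192.0.2.10"),
        TgsRequest("external_user", "WEB01$", 0x17, "192.0.2.10"),
        TgsRequest("alice", "krbtgt", 0x12, "192.0.2.20"),
        TgsRequest("alice", "sqlsvc", 0x12, "192.0.2.20"),
    ]


if __name__ == "__main__":
    h = parse_krb5tgs(SAMPLE_HASH)
    print(f"{h.user}@{h.realm} spn={h.spn} cipher={h.cipher}")
    print(roast_sources(sample_requests(), threshold=2))
```

The same source asking for RC4 tickets for several user accounts in a short window is the signal; a single RC4 request can be a legitimate legacy client, which is why the threshold is a parameter.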

M1: Microsoft IIS shortname vulnerability

Score 6.5 (Medium)

Vector string CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

Target http://10.13.38.11/

References https://www.tenable.com/plugins/was/112442

Overview
Microsoft Internet Information Server (IIS) suffers from a vulnerability which allows the detection of
short names of files and directories which have an equivalent in the 8.3 version of the file naming
scheme.

Details
By crafting specific requests containing the tilde ('~') character, an attacker could leverage this
vulnerability to find files or directories that are normally not visible and gain access to sensitive
information. Given the underlying filesystem calls generated by the remote server, the attacker could
also attempt a denial of service on the target application.

Our pentester used the Metasploit iis_shortname_scanner module to list short names of files on the IIS server:

[*] Running module against 10.13.38.11
[*] Scanning in progress...
[+] Found 1 directories
[+] http://10.13.38.11/dev/dca66d38fd916317687e1390a420c3fc/ds_sto*~1
[*] No files were found
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/iis_shortname_scanner) > set PATH /dev/304c0c90fbc6520610abbf378e2339d1/db
PATH => /dev/304c0c90fbc6520610abbf378e2339d1/db
msf6 auxiliary(scanner/http/iis_shortname_scanner) > run
[*] Running module against 10.13.38.11
[*] Scanning in progress...
[*] No directories were found
[+] Found 1 files
[+] http://10.13.38.11/dev/304c0c90fbc6520610abbf378e2339d1/db/poo_co*~1.txt*
[*] Auxiliary module execution completed

Recommendation
As a workaround, disable 8.3 file and directory name creation, manually remove short names already
present in the filesystem and ensure that URL requests containing the tilde character (and its Unicode
equivalents) are discarded before reaching the IIS server. If possible, upgrade to the latest version of
the .NET framework and IIS server.
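The last part of that workaround, dropping tilde requests before IIS sees them, is easy to get wrong because the tilde can arrive percent-encoded, double-encoded or as a Unicode look-alike. The Python below is an added example of such a request filter (not tooling used in this test): it percent-decodes until the path is stable, NFKC-normalizes it and folds the remaining tilde look-alikes, then reports whether a request matches the ~N short-name suffix or merely contains a tilde, so the two cases can be logged differently. The first sample path is the one the scanner found above; the others are constructed.

```python
import re
import unicodedata
from typing import Optional
from urllib.parse import unquote

# Characters a filter in front of IIS should treat as a tilde. NFKC already folds the
# fullwidth form (U+FF5E) to '~'; the small tilde and tilde operator are mapped explicitly.
TILDE_LOOKALIKES = {"\u02dc": "~", "\u223c": "~", "\uff5e": "~"}
SHORTNAME = re.compile(r"~[1-9]\d*")   # the ~1, ~2 ... suffix of an 8.3 short name


def normalize_path(raw: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable (catches double encoding), then fold tilde look-alikes."""
    path = raw
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = unicodedata.normalize("NFKC", path)
    return "".join(TILDE_LOOKALIKES.get(ch, ch) for ch in path)


def check_path(raw: str) -> Optional[str]:
    """None when the request path is clean; otherwise the reason to discard it."""
    path = normalize_path(raw)
    if SHORTNAME.search(path):
        return "shortname probe"
    if "~" in path:
        return "tilde present"
    return None


def filter_requests(paths: list[str]) -> list[tuple[str, str]]:
    """Return (path, reason) for every request that should be dropped before reaching IIS."""
    dropped = []
    for p in paths:
        reason = check_path(p)
        if reason:
            dropped.append((p, reason))
    return dropped


def sample_paths() -> list[str]:
    """First entry is the directory found by the scanner; the rest are constructed."""
    return [
        "/dev/dca66d38fd916317687e1390a420c3fc/ds_sto*~1",
        "/index.aspx",
        "/a%257e1",           # double-encoded ~1
        "/foo%EF%BD%9E1",     # fullwidth tilde (U+FF5E) followed by 1
        "/docs/~notes",       # tilde but no short-name suffix
    ]


if __name__ == "__main__":
    for path, reason in filter_requests(sample_paths()):
        print(f"drop {path!r}: {reason}")
```

Note that the decoding loop is bounded: a filter that decodes until stable with no limit can be kept busy by deeply nested encodings, and three rounds already exceed what IIS itself would decode.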

M2: Plaintext Storage of a Password

Score 5.3 (Medium)

Vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

Target 10.13.38.11

References https://cwe.mitre.org/data/definitions/256.html

Overview
Storing a password in plaintext may result in a system compromise.

Password management issues occur when a password is stored in plaintext in an application's
properties, configuration file, or memory. Storing a plaintext password in a configuration file allows
anyone who can read the file access to the password-protected resource. In some contexts, even
storage of a plaintext password in memory is considered a security risk if the password is not cleared
immediately after it is used.

Details
We found two plaintext passwords belonging to two different accounts.

The first plaintext password was found on the Microsoft IIS server and was publicly accessible.

The second password was found in "C:\inetpub\wwwroot\web.config". Reading this file, however,
required authentication with a privileged MSSQL account.

SQL (super dbo@master)> EXEC sp_execute_external_script @language = N'Python', @script = N'import os;os.system("type C:\inetpub\wwwroot\web.config");';
[*] INFO(COMPATIBILITY\POO_PUBLIC): Line 0: STDOUT message(s) from external script:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <staticContent>
      <mimeMap
        fileExtension=".DS_Store"
        mimeType="application/octet-stream"
      />
    </staticContent>
    <!--
    <authentication mode="Forms">
      <forms name="login" loginUrl="/admin">
        <credentials passwordFormat = "Clear">
          <user
            name="Administrator"
            password="EverybodyWantsToWorkAtP.O.O."
          />
        </credentials>
      </forms>
    </authentication>
    -->
  </system.webServer>
</configuration>

Recommendation
1. Use a password manager to store passwords securely.
2. Avoid storing passwords in easily accessible locations.
3. Consider storing cryptographic hashes of passwords as an alternative to storing them in plaintext.

L1: Basic Authentication Without HTTPS

Score 3.7 (Low)

Vector string CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Target http://10.13.38.11/

References https://www.tenable.com/plugins/was/98615

Overview
The remote web server contains web pages that are protected by 'Basic' authentication over cleartext.

Details
An attacker eavesdropping on the traffic might obtain the logins and passwords of valid users.

Recommendation
Make sure that HTTP authentication is transmitted over HTTPS.
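The reason the recommendation is phrased that way is that the Basic scheme only base64-encodes the credentials, so anything on the path between client and server can read them back. The Python below is an added example (not from the report) of the two checks a reverse proxy or application framework can apply: reject a request that presents Basic credentials on a non-TLS connection, and, on the response side, never issue a Basic challenge over http in the first place, since a challenge is what causes clients to send credentials. The captured request is constructed and the credentials in it are a placeholder.

```python
import base64
from typing import Optional


def parse_headers(raw_request: str) -> dict[str, str]:
    """Split a raw HTTP/1.1 request into a lower-cased header map (request line dropped)."""
    lines = raw_request.split("\r\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if not line:                      # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def basic_credentials(headers: dict[str, str]) -> Optional[str]:
    """Return 'user:password' when the request carries Basic credentials: the token is
    base64, so an eavesdropper recovers it exactly like this."""
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        return base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None


def request_decision(scheme: str, headers: dict[str, str]) -> str:
    """Policy for an incoming request: Basic credentials are only acceptable over TLS."""
    if basic_credentials(headers) is None:
        return "allow"
    return "allow" if scheme == "https" else "reject: Basic credentials over cleartext"


def response_decision(scheme: str, response_headers: dict[str, str]) -> str:
    """Server side of the same rule: never challenge for Basic credentials over http."""
    challenge = response_headers.get("www-authenticate", "")
    if challenge.lower().startswith("basic") and scheme != "https":
        return "reject: Basic challenge offered over cleartext"
    return "allow"


# Constructed capture of what an eavesdropper on port 80 would see (placeholder credentials)
SAMPLE_REQUEST = (
    "GET /admin HTTP/1.1\r\n"
    "Host: 10.13.38.11\r\n"
    "Authorization: Basic dXNlcjpwYXNz\r\n"
    "\r\n"
)

if __name__ == "__main__":
    hdrs = parse_headers(SAMPLE_REQUEST)
    print("recovered:", basic_credentials(hdrs))
    print("over http:", request_decision("http", hdrs))
    print("over https:", request_decision("https", hdrs))
```

Rejecting the request is damage control only: by the time the check runs, the credentials have already crossed the network, which is why the response-side rule matters more than the request-side one.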

5 Disclaimer
This document pertains to a simulated company, and all information contained within it is provided
solely for educational purposes. The advice and recommendations provided herein should not be
construed as legal advice or formal documentation. They are intended for educational and
informational purposes only.

A Appendix
A.1 Static Appendix Section
TODO: Appendix section content

A.2 Vulnerability Assessment and Exploitation Analysis


1. Vulnerability: Microsoft IIS shortname vulnerability
   ◦ CVSS v3 Score: 6.5
   ◦ Source: Tenable Plugin
   ◦ Description: This vulnerability affects Microsoft Internet Information Services (IIS) and allows
     attackers to perform directory traversal attacks by exploiting short filenames.
   ◦ Exploitation Potential: This vulnerability could potentially allow attackers to access sensitive
     files or directories on the web server.
2. Vulnerability: Kerberoasting to domain admin
   ◦ CVSS v3 Score: 7.5
   ◦ Source: Tenable Plugin
   ◦ Description: Kerberoasting is a technique used to extract Kerberos tickets from Active Directory
     to crack the passwords of service accounts. If successful, attackers could elevate their privileges
     to domain admin.
   ◦ Exploitation Potential: If the target system is part of an Active Directory environment and
     vulnerable to Kerberoasting, attackers could potentially escalate their privileges to domain
     admin level.
3. Vulnerability: Basic Authentication Without HTTPS
   ◦ CVSS v3 Score: 3.7
   ◦ Source: Tenable Plugin
   ◦ Description: Basic Authentication without HTTPS transmits usernames and passwords in
     plaintext, making them susceptible to interception by attackers.
   ◦ Exploitation Potential: Attackers could potentially intercept credentials transmitted over the
     network if basic authentication is used without HTTPS encryption.
4. Vulnerability: Escalating privileges in MSSQL Server to execute command with xp_cmdshell
   ◦ CVSS v3 Score: 7.5
   ◦ Description: This vulnerability allows attackers to escalate privileges within MSSQL Server by
     abusing linked servers to create a new account with sysadmin privileges, enabling the execution
     of commands via xp_cmdshell.
   ◦ Exploitation Potential: Attackers could gain elevated privileges within the MSSQL Server
     environment, potentially allowing for further compromise or data exfiltration.
5. Vulnerability: Plaintext Passwords
   ◦ CVSS v3 Score: 5.3
   ◦ Source: NA
   ◦ Description: Plaintext passwords are transmitted over the network without encryption, making
     them vulnerable to interception by attackers.
   ◦ Exploitation Potential: Attackers could potentially intercept plaintext passwords transmitted
     over the network, leading to unauthorized access to sensitive accounts or systems.
6. Exploitable Services:
   ◦ HTTP (Port 80): Microsoft IIS httpd 10.0
     ▪ Potential vulnerabilities: Microsoft IIS shortname vulnerability
   ◦ MS-SQL (Port 1433): Microsoft SQL Server 2017 14.00.2027.00; RTM+
     ▪ Potential vulnerabilities: Escalating privileges in MSSQL Server, Plaintext Passwords
7. Recommendations:
   ◦ Patch the Microsoft IIS server to mitigate the shortname vulnerability.
   ◦ Implement HTTPS to secure basic authentication credentials.
   ◦ Monitor for and mitigate Kerberoasting attacks, especially if the system is part of an Active
     Directory environment.
   ◦ Regularly update and patch the Microsoft SQL Server to address any potential vulnerabilities.
   ◦ Implement encryption for passwords to prevent plaintext transmission.
   ◦ Conduct further penetration testing and vulnerability assessments to identify and remediate
     any additional security weaknesses.
