# WEB

{% embed url="<https://www.hacksmarter.org/courses/46ed15ab-0904-4cae-8a2c-2e91ac6e0274>" %}

The following post by 0xb0b is licensed under [CC BY 4.0<img src="https://mirrors.creativecommons.org/presskit/icons/cc.svg?ref=chooser-v1" alt="" data-size="line"><img src="https://mirrors.creativecommons.org/presskit/icons/by.svg?ref=chooser-v1" alt="" data-size="line">](http://creativecommons.org/licenses/by/4.0/?ref=chooser-v1)

***

## Entry Point

{% hint style="warning" %}
Start here!
{% endhint %}

## Recon

We use `rustscan -b 500 -a web.ext.darkhaven.local --top -- -sC -sV -Pn` to enumerate all TCP ports on the target machine, piping the discovered results into Nmap which runs default NSE scripts `-sC`, service and version detection `-sV`, and treats the host as online without ICMP echo `-Pn`.

A batch size of `500` trades speed for stability, the default `1500` balances both, while much larger sizes increase throughput but risk missed responses and instability.

{% code overflow="wrap" %}

```
rustscan -b 500 -a web.ext.darkhaven.local --top -- -sC -sV -Pn
```

{% endcode %}

<figure><img src="/files/FpVuVK0sHPs7cQVJr7Ou" alt=""><figcaption></figcaption></figure>

The target `web.ext.darkhaven.local` appears to be a Windows-based host.

It hosts an IIS 10.0 web server on port 80, running Microsoft HTTPAPI, with the site titled `Darkhaven Technologies – Secure Network Solutions`. SMB services `139/445` are exposed with message signing enabled but not enforced. Multiple MSRPC endpoints `2103, 2105, 2107, 49680` and MSMQ `1801` are also open. Remote access is also available via RDP `3389` and WinRM `5985`.

<figure><img src="/files/0sxvbfQha1eOjjEq1ENF" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/OIXgnU7jhmR5SRbvBBj3" alt=""><figcaption></figcaption></figure>

## WEB

First, we'll take a look at the hosted web service manually. We visit the site and find the Darkhaven Technologies page, which offers various security services.

{% code overflow="wrap" %}

```
http://web.ext.darkhaven.local/
```

{% endcode %}

<figure><img src="/files/M0t39gUiUviK5ocmFnVv" alt=""><figcaption></figcaption></figure>

We access the client portal and are redirected to a login page. In addition to entering our credentials, we can also proceed as a `guest`.

{% code overflow="wrap" %}

```
http://web.ext.darkhaven.local/login.aspx
```

{% endcode %}

<figure><img src="/files/n2a55JSVg0EFSNElWMKK" alt=""><figcaption></figcaption></figure>

### Access as guest

We are in the Guest Portal and see a Help Desk chat. The chat mentions shares such as `\\share\DarkhavenData`. We also see chat suggestions that include a domain user named `sql_svc` in the example.

{% code overflow="wrap" %}

```
http://web.ext.darkhaven.local/guest.aspx
```

{% endcode %}

<figure><img src="/files/yVoE33wxhEvNqAdifAT1" alt=""><figcaption></figcaption></figure>

### Access as sql\_svc

If we use the example query `find user sql_svc`, we're in luck in this case and get a default password for the user. We'll make a note of this; we might need it later.

{% code overflow="wrap" %}

```
find user sql_svc
```

{% endcode %}

<figure><img src="/files/2EPvHj5IXw8uvT0G8WUi" alt=""><figcaption></figcaption></figure>

We use the credentials during login and are successful.

{% code overflow="wrap" %}

```
http://web.ext.darkhaven.local/login.aspx
```

{% endcode %}

<figure><img src="/files/37wCzXEUBoYvR4AoLMG1" alt=""><figcaption></figcaption></figure>

On the dashboard, we repeatedly see the credentials for the user `sql_svc`.

<figure><img src="/files/bqTvTLbEv1e6QFrHVvL0" alt=""><figcaption></figcaption></figure>

### Access as administrator

During testing, we also noticed that we can log in by entering `*`. Some sort of injection is possible.

{% code overflow="wrap" %}

```
*
```

{% endcode %}

<figure><img src="/files/Mq5pShp7hOXKEEiOCxBq" alt=""><figcaption></figcaption></figure>

But no admin credentials here...

<figure><img src="/files/sKPf73vn18OTZdeZSHFr" alt=""><figcaption></figcaption></figure>

### Alternative Access as sql\_svc via LDAP Injection

We also tried other special characters and received an LDAP error when using `)`. This means we were previously able to log in using `*` because of a successful LDAP injection.

{% code overflow="wrap" %}

```
)
```

{% endcode %}

<figure><img src="/files/zGTrGemKpjCiIB8KkACK" alt=""><figcaption></figcaption></figure>

{% embed url="<https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/LDAP%20Injection/README.md>" %}

> LDAP Injection is an attack used to exploit web based applications that construct LDAP statements based on user input. When an application fails to properly sanitize user input, it's possible to modify LDAP statements using a local proxy.

We try one of the example payloads from PayloadsAllTheThings but fail. We can see that the LDAP query isn't resolving properly.

{% code overflow="wrap" %}

```
sql_svc)(!(&(1=0
```

{% endcode %}

<figure><img src="/files/NIm6twO46Yl5W2xSVNjN" alt=""><figcaption></figcaption></figure>

We balance the parentheses so the filter parses, try to log in as `sql_svc` without a password, and succeed.

{% code overflow="wrap" %}

```
sql_svc)(|(sAMAccountName=*)
```

{% endcode %}

<figure><img src="/files/RyXbofl6HQj94jnAlqEH" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/pP6bOYqJDJrftA9rAc7e" alt=""><figcaption></figcaption></figure>
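The section above shows three behaviours of the portal's login: `)` produces an LDAP error, the PayloadsAllTheThings payload fails, and the balanced payload logs in. The following added example (not code from the write-up or the lab, and not the real `login.aspx`, which is never shown) models why that happens and how it is fixed. It assumes a login filter built by string concatenation, `(&(sAMAccountName=USER)(userPassword=PASS))`; that template is an assumption. It reports the parenthesis depth of each resulting filter (non-zero means the server will reject it as malformed) and shows the RFC 4515 escaping that keeps every metacharacter inside the value so the filter's shape can no longer change.

```python
"""
Added example, not from the original write-up: LDAP filter construction
by concatenation versus RFC 4515 escaping. The filter template is an
ASSUMPTION about the portal's code.
"""

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Payloads quoted in the write-up, in the order they were tried.
PAYLOADS = ["*", ")", "sql_svc)(!(&(1=0", "sql_svc)(|(sAMAccountName=*)"]


def escape_filter_value(value: str) -> str:
    """Escape user input so it is treated as a literal inside an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter_vulnerable(username: str, password: str) -> str:
    """Assumed vulnerable pattern: raw concatenation of both fields."""
    return f"(&(sAMAccountName={username})(userPassword={password}))"


def build_filter_safe(username: str, password: str) -> str:
    """Same template, but every user-controlled value is escaped first."""
    return (
        f"(&(sAMAccountName={escape_filter_value(username)})"
        f"(userPassword={escape_filter_value(password)}))"
    )


def paren_depth(filter_str: str) -> int:
    """Final parenthesis depth of a filter; 0 means balanced.

    An escape sequence (backslash plus two hex digits) is skipped, so an
    escaped \\28 or \\29 does not count as structure.
    """
    depth = 0
    i = 0
    while i < len(filter_str):
        ch = filter_str[i]
        if ch == "\\":
            i += 3
            continue
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        i += 1
    return depth


def analyse(username: str, password: str = "") -> dict:
    """Build both filters for one input and report whether each is well-formed."""
    vuln = build_filter_vulnerable(username, password)
    safe = build_filter_safe(username, password)
    return {
        "vulnerable": vuln,
        "vulnerable_depth": paren_depth(vuln),
        "safe": safe,
        "safe_depth": paren_depth(safe),
    }


if __name__ == "__main__":
    for payload in PAYLOADS:
        result = analyse(payload)
        print(f"input: {payload!r}")
        print(f"  concatenated: {result['vulnerable']}  depth={result['vulnerable_depth']}")
        print(f"  escaped:      {result['safe']}  depth={result['safe_depth']}")
```

Under the assumed template, `)` and `sql_svc)(!(&(1=0` leave the filter unbalanced (depth -1 and 2), which is consistent with the LDAP error the portal returned, while `sql_svc)(|(sAMAccountName=*)` closes cleanly and adds an always-true branch. With escaping, all four inputs stay balanced and `*` becomes the literal `\2a`, so no wildcard or extra clause can be smuggled in. The fuller fix is to never compare a password inside a search filter at all: look up the user's DN with an escaped filter, then authenticate with an LDAP bind using the supplied password.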

## SMB

### Access as sql\_svc

We now attempt to authenticate via SMB using `sql_svc`. The LDAP injection already confirmed that these are Active Directory credentials. We then list the shares available to the `sql_svc` account, which shows that the `IPC$` share is readable.

{% code overflow="wrap" %}

```
nxc smb web.ext.darkhaven.local -u sql_svc -p 'REDACTED' --shares
```

{% endcode %}

<figure><img src="/files/dEbHKEtoMsCieZQCNR5s" alt=""><figcaption></figcaption></figure>

To further enumerate domain users, we perform a RID brute-force, since the `IPC$` share is readable.

{% code overflow="wrap" %}

```
nxc smb web.ext.darkhaven.local -u sql_svc -p 'REDACTED' --rid
```

{% endcode %}

<figure><img src="/files/F8B5ehEyCVp3ynglfEhQ" alt=""><figcaption></figcaption></figure>

We also request the password policy.

{% code overflow="wrap" %}

```
nxc smb dc.ext.darkhaven.local -u sql_svc -p 'REDACTED' --pass-pol
```

{% endcode %}

<figure><img src="/files/JziL7wzMefwTUetin5Z6" alt=""><figcaption></figcaption></figure>

We're stuck here for now, but since we now have an SQL service user, we'll continue with SQL Server.

{% embed url="<https://0xb0b.gitbook.io/writeups/hack-smarter-labs/2026/darkhaven-technologies/sql>" %}

***

{% hint style="warning" %}
STOP HERE AND CONTINUE AT SQL.EXT.DARKHAVEN.LOCAL. This section becomes relevant after solving SHARE.EXT.DARKHAVEN.LOCAL.
{% endhint %}

Reference:

{% embed url="<https://0xb0b.gitbook.io/writeups/hack-smarter-labs/2026/darkhaven-technologies/share#access-as-svc_webpool>" %}

## Shell as svc\_webpool

Using Inveigh, we captured the NTLMv2 hash of the `svc_webpool` account on `SHARE.EXT.DARKHAVEN.LOCAL`. After failing to crack it with `rockyou.txt`, we successfully recovered the password using the wordlist `it_security_wordlist.txt` retrieved from the share `DarkhavenData`. With the obtained credentials, we authenticated over SMB and confirmed that `svc_webpool` has local administrator privileges on the WEB machine. These credentials will be used for further access on the target system.

<figure><img src="/files/7PLfH2jCqt9zZgo1YXxl" alt=""><figcaption></figcaption></figure>

{% code overflow="wrap" %}

```
nxc rdp targets.txt -u svc_webpool -p 'REDACTED' --local-auth
```

{% endcode %}

<figure><img src="/files/lm9lu4pGPeGCgc20J7EZ" alt=""><figcaption></figcaption></figure>

We connect to the target machine with the gathered credentials using evil-winrm.

{% code overflow="wrap" %}

```
evil-winrm -i web.ext.darkhaven.local -u 'svc_webpool' -p 'REDACTED'
```

{% endcode %}

<figure><img src="/files/HicN5fWbHSy9C8qDizn8" alt=""><figcaption></figcaption></figure>

We enumerate the users' directories...

{% code overflow="wrap" %}

```
tree /f
```

{% endcode %}

<figure><img src="/files/XM35QoqBtQP597zEnucc" alt=""><figcaption></figcaption></figure>

We find a portable notepad executable and the location of the flag for `WEB.EXT.DARKHAVEN.LOCAL`.

<figure><img src="/files/6hmIEJ9XFALZausjaHRY" alt=""><figcaption></figcaption></figure>

The flag is located at `C:\Users\Administrator\Desktop\root.txt`.

<figure><img src="/files/5pGmIfHnfyhTDPS4CDfO" alt=""><figcaption></figcaption></figure>

## Post Compromise

### Access as kwarren

We found a portable version of Notepad++ in the user folder structure. In the AppData folder, we find the Notepad++ backup folder, which contains the unsaved changes made to files during the last session. Among them is a `main_config.php`.

<figure><img src="/files/CbSS21YLN4kvn77vrcbt" alt=""><figcaption></figcaption></figure>

Inside this file we are able to extract the credentials of `kwarren`.

<figure><img src="/files/Jj9FyPkkZrm1AQGVDb9u" alt=""><figcaption></figcaption></figure>

This can also be extracted remotely using NetExec.

{% embed url="<https://www.netexec.wiki/smb-protocol/obtaining-credentials/dump-notepad++>" %}

{% code overflow="wrap" %}

```
nxc smb web.ext.darkhaven.local -u svc_webpool -p 'REDACTED' --local-auth -M notepad++
```

{% endcode %}

<figure><img src="/files/0QQvlFv6kGa3lkPJpPGo" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/6WgkpFlOwYUYAC7rpODs" alt=""><figcaption></figcaption></figure>
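Notepad++ keeps a per-user copy of every unsaved buffer, so a config file that was only opened and edited, never saved, still persists on disk. The following added example (not code from the write-up and not NetExec's `notepad++` module) is a local check a defender or auditor can run against that backup folder to flag buffers that contain hard-coded credentials. The backup location under `AppData\Roaming\Notepad++\backup`, the `name@timestamp` naming of backup files and the sample `main_config.php` contents are assumptions and constructed test data; the real file's values are not reproduced here.

```python
"""
Added example, not from the original write-up: scan a Notepad++ backup
folder for unsaved buffers that contain configuration secrets. Paths,
file names and the sample config below are ASSUMED / constructed.
"""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# Assumed default per-user location of Notepad++ session backups on Windows.
NPP_BACKUP_SUBDIR = Path("AppData") / "Roaming" / "Notepad++" / "backup"

# Constructed sample standing in for the lab's main_config.php (values are placeholders).
SAMPLE_CONFIG = """<?php
// Constructed sample, not the real file from the lab
$config = array(
    'db_host' => 'localhost',
    'db_user' => 'kwarren',
    'db_password' => 'S3cretPlaceholder!',
);
define('API_TOKEN', 'tok_placeholder_123');
"""

# Heuristic: a quoted key containing a secret-ish word, a separator, and a quoted value.
# Covers PHP array entries ('key' => 'value'), define('KEY', 'value'), INI and YAML styles.
SECRET_KEY_RE = re.compile(
    r"""['"]?(?P<key>[A-Za-z_]*(?:pass(?:word)?|pwd|secret|token|api_key)[A-Za-z_]*)['"]?"""
    r"""\s*(?:=>|=|:|,)\s*['"](?P<value>[^'"\n]+)['"]""",
    re.IGNORECASE,
)


def find_credentials(text: str) -> list[tuple[str, str]]:
    """Return (key, value) pairs in a text buffer that look like hard-coded secrets."""
    return [(m.group("key"), m.group("value")) for m in SECRET_KEY_RE.finditer(text)]


def scan_backup_dir(backup_dir: Path) -> list[dict]:
    """Walk a backup folder and report every secret-looking entry with its source file."""
    findings = []
    for path in sorted(backup_dir.rglob("*")):
        if not path.is_file():
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue  # unreadable or locked file; skip rather than abort the scan
        for key, value in find_credentials(text):
            findings.append({"file": path.name, "key": key, "value": value})
    return findings


def build_demo_backup_dir() -> Path:
    """Create a throwaway directory that mimics a Notepad++ backup folder with one unsaved buffer."""
    root = Path(tempfile.mkdtemp(prefix="npp-backup-demo-"))
    backup = root / NPP_BACKUP_SUBDIR
    backup.mkdir(parents=True)
    # Notepad++ names backups "<original name>@<timestamp>" (assumed); timestamp is constructed.
    (backup / "main_config.php@2026-01-01_120000").write_text(SAMPLE_CONFIG, encoding="utf-8")
    return backup


if __name__ == "__main__":
    # Point this at a real profile, e.g. Path.home() / NPP_BACKUP_SUBDIR, to audit a workstation.
    for finding in scan_backup_dir(build_demo_backup_dir()):
        print(f"{finding['file']}: {finding['key']} = {finding['value']}")
```

The regex is deliberately loose (it accepts `,` as a separator so `define('KEY', 'value')` is caught), so expect some noise on real profiles; the point is to surface buffers that should never have existed on a shared or administrative host. The mitigation side is to clear the backup folder after editing sensitive files, or disable session backup in Notepad++ on hosts where administrators handle credentials.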

We test the credentials using NetExec and are able to authenticate as `kwarren`.

{% code overflow="wrap" %}

```
nxc smb web.ext.darkhaven.local -u kwarren -p 'REDACTED' --shares
```

{% endcode %}

<figure><img src="/files/Dda0enY0Bz73GQWwZ92N" alt=""><figcaption></figcaption></figure>

{% hint style="warning" %}
From here, we can head back to CA.EXT.DARKHAVEN.LOCAL.
{% endhint %}

{% embed url="<https://0xb0b.gitbook.io/writeups/hack-smarter-labs/2026/darkhaven-technologies/ca>" %}

