# 9 box enum iis apppool\defaultapppool

Nothing found using PowerUp.ps1.

## PEAS

```
[?] Windows vulns search powered by Watson(https://github.com/rasta-mouse/Watson)
 [*] OS Version: 1809 (17763)
 [!] CVE-2020-1013 : VULNERABLE
  [>] https://www.gosecure.net/blog/2020/09/08/wsus-attacks-part-2-cve-2020-1013-a-windows-10-local-privilege-escalation-1-day/
[*] Finished. Found 1 potential vulnerabilities.
 
Computer Name           :   WORKER
User Name               :   Administrator
User Id                 :   500
Is Enabled              :   True
User Type               :   Administrator
Comment                 :   Built-in account for administering the computer/domain
Last Logon              :   2021-09-23 19:36:37
Logons Count            :   94
Password Last Set       :   2020-04-05 21:13:02

Installed Applications --Via Program Files/Uninstall registry--
 Check if you can modify installed software https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#software
    C:\Program Files\Azure DevOps Server 2019
    C:\Program Files\common files
    C:\Program Files\desktop.ini
    C:\Program Files\Git
    C:\Program Files\internet explorer
    C:\Program Files\Microsoft SQL Server
    C:\Program Files\Microsoft Visual Studio 10.0
    C:\Program Files\Microsoft.NET
    C:\Program Files\TortoiseSVN
    C:\Program Files\Uninstall Information
    C:\Program Files\Windows Defender
    C:\Program Files\Windows Defender Advanced Threat Protection
    C:\Program Files\WindowsApps
    C:\Program Files\WindowsPowerShell
    C:\Program Files\VMware

Host File
    10.10.10.202    devops.worker.htb

# something is running on 8080?
TCP        127.0.0.1             8080          127.0.0.1             49700           Established       4               System
```

## p.ps1

```
Program Files files and directories permissions - backdoor windows binaries:
Group: Users, Permissions: CreateFiles, AppendData, Read, Synchronize on C:\Program Files\Microsoft SQL Server\140\DTS\DataDumps

# interesting files seen in different sections
Group: defaultapppool, Permissions: Write on W:\agents\agent01\.agent
Group: defaultapppool, Permissions: Write on W:\agents\agent01\.credentials
Group: defaultapppool, Permissions: Write on W:\agents\agent01\.credentials_rsaparams
Group: defaultapppool, Permissions: Write on W:\agents\agent01\.service

Possible passwords found in files on all drives are being dumped to pwds.txt.
C:\Users\Public\pwds.txt
C:\Windows\debug\PASSWD.LOG
W:\svnrepos\www\conf\passwd

List installed software:
Name                                   Property
----                                   --------
Git_is1                                Inno Setup: Setup Version                          : 5.6.1 (u)
                                       Inno Setup: App Path                               : C:\Program Files\Git
                                       DisplayName                                        : Git version 2.27.0
Microsoft SQL Server 14                DisplayName     : Microsoft SQL Server 2017 (64-bit)
                                       SystemComponent : 1
Microsoft SQL Server SQL2017           DisplayName          : Microsoft SQL Server 2017 (64-bit)
                                       DisplayIcon          : "C:\Program Files\Microsoft SQL Server\140\

Directory: C:\Program Files
Mode          LastWriteTime Length Name
----          ------------- ------ ----
d----- 2020-03-28     14:46        Azure DevOps Server 2019
d----- 2020-07-24     12:04        common files
d----- 2020-07-07     17:45        Git
d----- 2018-09-15     09:12        internet explorer
d----- 2020-03-28     15:01        Microsoft SQL Server
d----- 2020-03-28     15:00        Microsoft Visual Studio 10.0
d----- 2020-03-28     15:00        Microsoft.NET
d----- 2020-04-04     22:56        TortoiseSVN
d----- 2020-07-24     12:04        VMware
d----- 2020-04-02     20:04        Windows Defender
d----- 2020-07-14     13:59        Windows Defender Advanced Threat Protection
d----- 2018-09-15     09:12        WindowsPowerShell
```

## Seatbelt.exe

```
====== InstalledProducts ======

  DisplayName                    : Azure DevOps Server 2019 Update 1.1
  DisplayVersion                 : 17.153.29522.3
  Publisher                      : Microsoft Corporation
  InstallDate                    : 0001-01-01 00:00:00
  Architecture                   : x86

  DisplayName                    : Azure DevOps Server Express 2019 Update 1.1
  DisplayVersion                 : 17.153.29522.3
  Publisher                      : Microsoft Corporation
  InstallDate                    : 0001-01-01 00:00:00
  Architecture                   : x86

  DisplayName                    : Browser for SQL Server 2017
  DisplayVersion                 : 14.0.1000.169
  Publisher                      : Microsoft Corporation
  InstallDate                    : 0001-01-01 00:00:00
  Architecture                   : x86

  DisplayName                    : Git version 2.27.0
  DisplayVersion                 : 2.27.0
  Publisher                      : The Git Development Community
  InstallDate                    : 0001-01-01 00:00:00
  Architecture                   : x64

  DisplayName                    : TortoiseSVN 1.13.1.28686 (64 bit)
  DisplayVersion                 : 1.13.28686
  Publisher                      : TortoiseSVN
  InstallDate                    : 0001-01-01 00:00:00
  Architecture                   : x64
  
====== UdpConnections ======
  Local Address          PID    Service                 ProcessName
  0.0.0.0:1434           1800   SQLBrowser              sqlbrowser.exe
```

