Initial Nmap scan
```
sudo nmap -sV -sC -A -oA nmap/inital_nmap 10.10.10.59
```
Full Nmap scan
```
nmap -sV -p- -oA nmap/full_scan 10.10.10.59
```
While we wait for the full scan to complete, let's start our enumeration process.
Nmap initial results
```
sudo nmap -sV -sC -A -oA nmap/inital_nmap 10.10.10.59
[sudo] password for kali:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-15 04:21 EDT
Nmap scan report for 10.10.10.59
Host is up (0.036s latency).
Not shown: 992 closed tcp ports (reset)
PORT     STATE SERVICE      VERSION
21/tcp   open  ftp          Microsoft ftpd
| ftp-syst:
|_  SYST: Windows_NT
80/tcp   open  http         Microsoft IIS httpd 10.0
| http-title: Home
|_Requested resource was http://10.10.10.59/_layouts/15/start.aspx#/default.aspx
|_http-generator: Microsoft SharePoint
|_http-server-header: Microsoft-IIS/10.0
81/tcp   open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Bad Request
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
808/tcp  open  ccproxy-http?
1433/tcp open  ms-sql-s     Microsoft SQL Server 2016 13.00.1601.00; RTM
| ms-sql-info:
|   10.10.10.59:1433:
|     Version:
|       name: Microsoft SQL Server 2016 RTM
|       number: 13.00.1601.00
|       Product: Microsoft SQL Server 2016
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| ms-sql-ntlm-info:
|   10.10.10.59:1433:
|     Target_Name: TALLY
|     NetBIOS_Domain_Name: TALLY
|     NetBIOS_Computer_Name: TALLY
|     DNS_Domain_Name: TALLY
|     DNS_Computer_Name: TALLY
|_    Product_Version: 10.0.14393
|_ssl-date: 2023-08-15T08:21:41+00:00; +1s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2023-08-15T08:17:32
|_Not valid after:  2053-08-15T08:17:32
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94%E=4%D=8/15%OT=21%CT=1%CU=30638%PV=Y%DS=2%DC=T%G=Y%TM=64DB359
OS:5%P=x86_64-pc-linux-gnu)SEQ(SP=106%GCD=1%ISR=109%TI=I%CI=I%II=I%SS=S%TS=
OS:A)SEQ(SP=106%GCD=3%ISR=109%TI=I%CI=I%II=I%SS=S%TS=A)OPS(O1=M53ANW8ST11%O
OS:2=M53ANW8ST11%O3=M53ANW8NNT11%O4=M53ANW8ST11%O5=M53ANW8ST11%O6=M53AST11)
OS:WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=2000)ECN(R=Y%DF=Y%T=80%W=
OS:2000%O=M53ANW8NNS%CC=Y%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R=Y%
OS:DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T=80%W=0%S=Z%A=O%F=AR%
OS:O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=80%
OS:W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=
OS:)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=80%IPL=164%
OS:UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=80%CD=Z)
Network Distance: 2 hops
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-time:
|   date: 2023-08-15T08:21:37
|_  start_date: 2023-08-15T08:17:13

TRACEROUTE (using port 23/tcp)
HOP RTT      ADDRESS
1   50.12 ms 10.10.16.1
2   24.24 ms 10.10.10.59

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 38.82 seconds
```
Ports
- 21: FTP (anonymous login disabled)
- 80: HTTP (the main page looks to be Microsoft SharePoint)
- 81: HTTP (can't access: the server responds "Bad Request" / invalid hostname)
- 135: RPC
- 139: netbios-ssn
- 445: SMB (anonymous login disabled)
- 808: possibly HTTP
- 1433: ms-sql-s (Microsoft SQL Server 2016)
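Several of the findings in the scan above are configuration weaknesses a defender can act on directly (SMB signing not required, guest SMB access, SQL Server 2016 at RTM with no post-SP patches, a self-signed fallback TLS certificate on 1433). The following is an added example, not part of the original writeup, that triages a saved nmap text output for exactly those findings and prints a remediation for each; the excerpt it runs on is a constructed subset of the output shown above.

```python
import re

# Constructed excerpt of the nmap output above (not the full scan), used as sample input.
SAMPLE_NMAP = """\
1433/tcp open  ms-sql-s     Microsoft SQL Server 2016 13.00.1601.00; RTM
|       Service pack level: RTM
|       Post-SP patches applied: false
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| smb2-security-mode:
|_    Message signing enabled but not required
| smb-security-mode:
|   account_used: guest
|_  message_signing: disabled (dangerous, but default)
"""

# Each check: (finding title, regex applied to the whole scan text, remediation)
CHECKS = [
    ("SMB signing not enforced",
     r"Message signing enabled but not required|message_signing: disabled",
     "Require SMB signing via Group Policy: 'Microsoft network server: "
     "Digitally sign communications (always)'."),
    ("SMB guest/null session accepted",
     r"account_used: guest",
     "Disable the Guest account and restrict anonymous enumeration (RestrictAnonymous)."),
    ("SQL Server at RTM with no post-SP patches",
     r"Service pack level: RTM[\s\S]*?Post-SP patches applied: false",
     "Apply the current cumulative update for SQL Server 2016."),
    ("SQL Server using self-signed fallback TLS certificate",
     r"commonName=SSL_Self_Signed_Fallback",
     "Install a CA-issued certificate for the SQL instance and enable Force Encryption."),
]


def triage(nmap_text: str) -> list:
    """Return one dict per check whose pattern matches the scan output."""
    findings = []
    for name, pattern, fix in CHECKS:
        if re.search(pattern, nmap_text):
            findings.append({"finding": name, "remediation": fix})
    return findings


if __name__ == "__main__":
    # Read a real file with: triage(open("nmap/inital_nmap.nmap").read())
    for f in triage(SAMPLE_NMAP):
        print(f"[!] {f['finding']}\n    fix: {f['remediation']}")
```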
Port 80 HTTP
When first landing on the web server we can see that the application uses Microsoft SharePoint.
There is not much we can do on this page without credentials, but it's worth noting what appears in the URL bar.
Looking at the URL bar, take notice of the path /_layouts/15/start.aspx:
- /_layouts is a standard SharePoint directory used for system-level pages and functionality
- /15 in the path refers to the SharePoint version (SharePoint 2013)
- /start.aspx serves as the default entry point into the SharePoint site
With this knowledge, a reasonable next step is to start directory busting from http://10.10.10.59/_layouts/15 with a SharePoint-specific wordlist (SecLists).
Interestingly, if we click on Documents we can see a Word file, ftp-details, modified by tally\administrator.
Let's download it to our local host and view the contents. We can use LibreOffice to open the Word document:
```
libreoffice ftp-details.docx
```
Inside we can find a password:
```
UTDRSCH53c"$6hys
```
We don't have a username though, so let's go back to
http://10.10.10.59/_layouts/15/viewlsts.aspx
and view the site pages.
When you click on Site Pages you'll notice you are sent back to the home page. To navigate to the actual site pages we need to remove the following from the URL, so our URL should be:
http://10.10.10.59/SitePages/Forms/AllPages.aspx
The most likely reason we are redirected back to the home page is that SharePoint often employs redirection and URL rewriting to ensure consistent navigation for users; for our purposes that redirect is simply in the way.
Within the Site Pages we can see the following, and when we open /SitePages/FinanceTeam.aspx we find some interesting information.
From what we can gather we have found the following users:
- Rahul
- Sarah
- Tim
- ftp_user
From the message on that page we can safely say we have found the username for the FTP password we found earlier:
```
ftp_user: UTDRSCH53c"$6hys
```
FTP
Once we have the credentials we can log in via FTP:
```
ftp ftp_user@10.10.10.59
```
Looking within the user directories we can see a number of users:
- Administrator
- Ekta
- Jess
- Paul
- Rahul
- Sarah
- Stuart
- Tim
- Yenwi
Let's download the data from the FTP server onto our local machine using wget.
Looking through the database we find credentials for an SMB share:
```
TALLY ACCT share: Finance: Acc0unting
```
SMB
Let's view which shares are present and the privileges associated with them:
```
smbmap -u Finance -p Acc0unting -H 10.10.10.59
```
We can see we have READ access to the ACCT share. Let's mount the share and enumerate its contents:
```
sudo mount -t cifs -o user=Finance,pass=Acc0unting //10.10.10.59/ACCT /mnt
cd /mnt
```
Initially we tried to list every file on the share, which returned a lot of junk files:
```
find . -type f
```
We saw earlier in our Nmap scan that there was a Microsoft SQL Server 2016, so let's refine our search:
```
find . | grep SQL
```
We do find the following: looking in conn-info.txt we can see a set of credentials.
```
old server details
db: sa
pass: YE%TJC%&HYbe5Nw
have changed for tally
```
Nothing useful here; these are old credentials.
Let's look for txt files and see if anything comes up. Also note, if we recall Sarah's directory, that Orchard is no longer present on the system, meaning any files related to Orchard should not be relevant to our search.
```
find . -type f | grep txt | grep -v Orchard
```
Nothing too interesting. Let's look for executables:
```
find . -type f | grep exe | grep -v Orchard
```
Looking through the executables on the share, we can see the one highlighted above: tester.exe doesn't sound like an ordinary executable, so let's investigate it using strings.
```
strings tester.exe > tester_output.txt
vi tester_output.txt
```
Within the output we can see a particular line of strings.