Tally

Difficulty: HARD

Reconnaissance

Nmap

Nmap scan report for 10.10.10.59
Host is up (0.20s latency).

PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
80/tcp    open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-title: Home
|_Requested resource was http://10.10.10.59/_layouts/15/start.aspx#/default.aspx
|_http-server-header: Microsoft-IIS/10.0
|_http-generator: Microsoft SharePoint
81/tcp    open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Bad Request
|_http-server-header: Microsoft-HTTPAPI/2.0
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds  Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
808/tcp   open  ccproxy-http?
1433/tcp  open  ms-sql-s      Microsoft SQL Server 2016 13.00.1601.00; RTM
| ms-sql-info: 
|   10.10.10.59:1433: 
|     Version: 
|       name: Microsoft SQL Server 2016 RTM
|       number: 13.00.1601.00
|       Product: Microsoft SQL Server 2016
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
|_ssl-date: 2023-04-16T01:25:36+00:00; -4h58m17s from scanner time.
| ms-sql-ntlm-info: 
|   10.10.10.59:1433: 
|     Target_Name: TALLY
|     NetBIOS_Domain_Name: TALLY
|     NetBIOS_Computer_Name: TALLY
|     DNS_Domain_Name: TALLY
|     DNS_Computer_Name: TALLY
|_    Product_Version: 10.0.14393
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2023-04-15T16:06:56
|_Not valid after:  2053-04-15T16:06:56
32843/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49666/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49671/tcp open  msrpc         Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-security-mode: 
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   311: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2023-04-16T01:25:26
|_  start_date: 2023-04-15T16:06:34
|_clock-skew: mean: -4h58m17s, deviation: 0s, median: -4h58m17s

HTTP - Port 80

Starting with the HTTP enumeration we found out that this is a Microsoft IIS and is servicing a Microsoft-SharePoint.

To be stealthy and not so aggressive I will look for juicy directories using a Pentest report from internet.

Here we can see potential directories that can give us access to some features of the Microsoft SharePoint so, let's start enumerating them.

I see 2 directories with 1 item each one of them. Let's download what it's inside to analyze it.

The server is making some filters to don't let us get in, just erase the URL as showed in the image.

Inside the FinanceTeam file we can see a username to use on the ftp server.

On the other hand, we have the ftp_details.docx.

Opening the file with LibreOffice we can see that this file has the password of the previous user that we get.

FTP - Port 21

Looking if I could connect using the username anonymous without password, we find out that this service is protected with a user and password that we don't know.

Using the given credentials that we find out on those files we can log into the ftp server.

We will be using curlftpfs to mount the ftp server and enumerate all the files more easily.

Using the ftp mount that we have made, I will use tree to enumerate all the directories and files that are on each directory.

Here we can see an interesting keepass database in the showed image so let's continue to crack it using JohnTheRipper.

Here we see the password of this database, just open the database with keepasskc and use the cracked password.

Inside the database we found a user and its password we can use these credentials in the smb server, let's continue enumerating it.

SMB - Port 445

First let's check the user and password we get from keepass db.

Using the keepass credentials let's continue to make a cifs mount for the smb server and enumerate it with a tree command.

I found an interesting directory called Binaries so, looking those we can see that there is a tester.exe so, let's try to use strings first, in case we don't see anything we use another thechniques to reverse the code an see what this is.

Using strings, we can see that there are some credentials for the MS-SQL service.

Once you get this credentials let's start exploiting the MS-SQL service.

Exploitation

Once we get in, try to execute a command on the machine using the xp_cmdshell command.

We need to activate the xp_cmdshell command and reconfigure the database for changes.

MS-SQL Commands Used
sp_configure "show advaced options",1 # activate the advanced options on the database
reconfigure
sp_configure "xp_cmdshell",1 # enable the command 
reconfigure
xp_cmdshell "whoami" # execute a system comm

Now, I will use nishang powershell backdoor to gain access in the followin images will be shown.

Yay, once we get access let's continue enumerating the system, we will see very fast that we can abuse the golden privileges using juicy potato.

Privilege Escalation

To know how to exploit these privileges click in the following page link.

pageAbusing the Golden Privileges

Now we get Admin privileges : )

Persistence

Cotinuing with making a persistence let's get the SAM and the SYSTEM files so, we can get the users hashes and make pass the hash in order to obtain a shell again in the machine.

Using pwdump get the users hashes to get a shell as that user in the future.

Here we can see how we get a persistence just dumping the SAM, SYSTEM files and get the users hashes to obtain a shell.

PreviousActiveNextPortswigger

Last updated