Tally
Difficulty: HARD
Reconnaissance
Nmap
HTTP - Port 80
Starting with the HTTP enumeration, we find that this is Microsoft IIS serving Microsoft SharePoint.
To stay stealthy and avoid aggressive scanning, I will look for interesting directories using a pentest report found on the internet.
Here we can see potential directories that can give us access to some SharePoint features, so let's start enumerating them.
I see two directories with one item each. Let's download what is inside to analyze it.
The server applies some filtering to keep us out; just edit the URL as shown in the image.
Inside the FinanceTeam file we can see a username for the FTP server.
On the other hand, we have ftp_details.docx.
Opening the file with LibreOffice, we can see that it contains the password for the user we found earlier.
FTP - Port 21
Checking whether I can connect as anonymous without a password, we find that this service is protected with a username and password that we don't know.
Using the credentials we found in those files, we can log into the FTP server.
We will use curlftpfs to mount the FTP server and enumerate all the files more easily.
With the FTP mount in place, I will use tree to list all the directories and the files in each of them.
Here we can see an interesting KeePass database in the image shown, so let's crack it using John the Ripper.
Here we see the database password; just open the database with KeePassXC and use the cracked password.
Inside the database we find a user and its password; we can use these credentials on the SMB server, so let's continue enumerating it.
SMB - Port 445
First, let's check the user and password we got from the KeePass database.
Using the KeePass credentials, let's make a CIFS mount of the SMB share and enumerate it with the tree command.
I found an interesting directory called Binaries; looking inside we can see a tester.exe, so let's try strings first, and if we don't see anything we will use other techniques to reverse the code and see what it does.
Using strings, we can see credentials for the MS-SQL service.
Once we have these credentials, let's start exploiting the MS-SQL service.
Exploitation
Once we are in, try to execute a command on the machine using xp_cmdshell.
We need to enable xp_cmdshell and reconfigure the server for the change to take effect.
Now I will use the nishang PowerShell backdoor to gain access, as shown in the following images.
Once we have access, let's continue enumerating the system; we will quickly see that we can abuse the golden privileges using Juicy Potato.
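From the defender's side, the xp_cmdshell step above leaves a trace: SQL Server writes a "Configuration option 'xp_cmdshell' changed from 0 to 1" line to its ERRORLOG, usually right after 'show advanced options' is flipped by the same session. The following detection is an added example, not part of the original write-up; the log lines are constructed, and the five-minute correlation window is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in SQL Server ERRORLOG format (not taken from the box).
SAMPLE_ERRORLOG = """\
2023-11-02 14:01:07.31 spid52      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2023-11-02 14:01:09.88 spid52      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2023-11-02 14:30:00.00 spid61      Configuration option 'max server memory (MB)' changed from 2147483647 to 4096. Run the RECONFIGURE statement to install.
2023-11-03 09:12:41.02 spid55      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.
"""

# Matches the sp_configure change message that SQL Server logs for any option.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(?P<spid>spid\d+)\s+"
    r"Configuration option '(?P<option>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)\."
)


def parse_config_changes(text):
    """Return every sp_configure change event found in ERRORLOG text."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({
                "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
                "spid": m["spid"],
                "option": m["option"],
                "old": int(m["old"]),
                "new": int(m["new"]),
            })
    return events


def detect_xp_cmdshell_enablement(text, window=timedelta(minutes=5)):
    """Alert on xp_cmdshell going 0 -> 1; note whether the same session enabled
    'show advanced options' shortly before (the classic two-step pattern)."""
    events = parse_config_changes(text)
    alerts = []
    for i, ev in enumerate(events):
        if ev["option"] == "xp_cmdshell" and ev["old"] == 0 and ev["new"] == 1:
            chained = any(
                p["option"] == "show advanced options" and p["new"] == 1
                and p["spid"] == ev["spid"] and ev["ts"] - p["ts"] <= window
                for p in events[:i]
            )
            alerts.append({"ts": ev["ts"], "spid": ev["spid"],
                           "chained_with_show_advanced_options": chained})
    return alerts
```

Disabling xp_cmdshell again (the last sample line) is deliberately not alerted on, so an incident where it was toggled on and off still produces exactly one enablement alert to investigate.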
Privilege Escalation
To see how these privileges are exploited, follow the linked page: Abusing the Golden Privileges.
Now we have Admin privileges :)
Persistence
Continuing with persistence, let's get the SAM and SYSTEM files so we can extract the user hashes and pass the hash to obtain a shell on the machine again.
Using pwdump, get the user hashes so we can get a shell as that user in the future.
Here we can see how we get persistence by dumping the SAM and SYSTEM files and extracting the user hashes to obtain a shell.