Tally — HackTheBox Writeup

Source

This is a practical writeup of the retired HackTheBox machine “Tally”. Credit goes to egre55 for making this machine available to us. Although this machine is from 2017, the vulnerabilities it simulates are true to life.

Synopsis

“Tally” is marked as a Hard difficulty machine that features an IIS web server and SharePoint CMS with MSSQL running in the background. Gobuster gives us the path to FTP credentials. FTP has a directory with a KeePass credential database; we crack the master password of the DB and get access to SMB credentials. The SMB share gives us credentials to the MSSQL DB. Using MSSQL we get our initial access, and we exploit a misconfiguration to get admin access.

Skills Learned

  • Sharepoint Enumeration
  • MSSQL Exploits
  • Evading AVs

Enumeration

Nmap

Nmap reveals eight open ports/services on the target. In summary, the target is running FTP without anonymous access, HTTP with Microsoft SharePoint and MSSQL 2016, and the hostname is “tally”.

Add the hostname to /etc/hosts.

Let’s enumerate SharePoint. Using GoBuster with the SecLists SharePoint URL wordlist we can find the available links.

[Screenshot: gobuster]

The GoBuster result is huge, but if we cross-match it with popular SharePoint URLs and do some trial and error, we find that the two links highlighted above are quite useful.

[Screenshot: viewlsts page]

The first discovered link takes us to this page; it has directories with one item each. Let’s visit Documents.

[Screenshot: Documents directory]

The content of ftp-details is below.

[Screenshot: ftp-details]

We got the FTP password, but no username is mentioned in this file. That can be found in the “site pages” directory.

[Screenshot: ftp-user]

Make sure to add “tally” to /etc/hosts pointing at the target’s IP address; if you don’t, this page will not be displayed.

Now we have the username:password for FTP. Let’s log in and see what it contains.

[Screenshot: ftp login]
[Screenshot: contents]

We got a couple of directories; let’s download all the content to localhost and then dig in.

[Screenshot: download ftp]

The command above recursively downloads all the FTP content to your machine. If we look through some of the directories we find a “do to.txt”.

[Screenshot: doto.txt]

According to this message, they are using the “keepass” application to store shared folder credentials.

In the same user directory we can find the keepass password database.

[Screenshot: keepass files]
[Screenshot: keepass password DB version]

Now we need to extract the master password hash of the KeePass DB so we can crack it.

[Screenshot: keepass hash]

Now we can crack this hash using “john the ripper”.

[Screenshot: hash cracking]

We got the master password of KeePass. Now we need to install KeePass on localhost.

[Screenshot: install keepass]

After installation, open KeePass, open the database file (tim.kdbx) and enter the password.

[Screenshot: keepass]

Now we have access to all the passwords stored in KeePass. Check Shares.

[Screenshot: shares]
[Screenshot: shares password]

Username and password for the SMB share (ACCT).

[Screenshot: smb share]

In one of the directories of the SMB share you’ll find “tester.exe”. Download it to your localhost.

[Screenshot: tester]

Now run strings on that file.

[Screenshot: strings]

From the strings output you get the MSSQL credentials.

[Screenshot: mssql creds]

Username (ID) “sa” and password “GWE3V65#6KFH93@4GWTG2G”.

Access MSSQL using the sqsh application.

[Screenshot: interactive shell]
[Screenshot: error]

If we try to run “xp_cmdshell” to spawn a shell and pass it the string “whoami” to find the current user, it gives us an error: the procedure is disabled, and an admin can enable it using the sp_configure command. We are the ‘sa’ user of this DB, which is short for “system administrator”, so we can change the server’s global configuration settings using “sp_configure”.

[Screenshot: sp_configure]
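Because sp_configure settings are server-wide, an instance that has been through the sequence above stays exposed until someone turns xp_cmdshell back off. The following PowerShell script is an added example for auditing that state; it is not part of the original writeup. It assumes Windows authentication to the instance, a login that holds the ALTER SETTINGS permission sp_configure requires, and the instance name and script name (Audit-XpCmdshell.ps1) are placeholders of my own.

```powershell
# Added example (not from the original writeup): audit whether xp_cmdshell is
# enabled on a SQL Server instance and, with -Remediate, switch it back off.
# Assumptions: Windows authentication to the instance, and a login holding the
# ALTER SETTINGS server permission (sysadmin or serveradmin) that sp_configure needs.
param(
    [string]$Instance = 'localhost',   # placeholder; the instance to audit
    [switch]$Remediate                 # disable xp_cmdshell if it is found enabled
)

$connStr = "Server=$Instance;Integrated Security=True;TrustServerCertificate=True"
$conn = New-Object System.Data.SqlClient.SqlConnection $connStr
$conn.Open()
try {
    $cmd = $conn.CreateCommand()

    # sys.configurations exposes the same settings sp_configure reports:
    # 'value' is the configured value, 'value_in_use' the running value.
    $cmd.CommandText = @"
SELECT name, CAST(value AS int) AS configured, CAST(value_in_use AS int) AS running
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell');
"@
    $running = @{}
    $reader = $cmd.ExecuteReader()
    while ($reader.Read()) {
        $running[$reader['name']] = [int]$reader['running']
        '{0,-22} configured={1} running={2}' -f $reader['name'], $reader['configured'], $reader['running']
    }
    $reader.Close()

    if ($running['xp_cmdshell'] -eq 1) {
        Write-Warning "xp_cmdshell is ENABLED on $Instance: every login granted EXECUTE on it gets OS command execution as the SQL Server service account."
        if ($Remediate) {
            # The same sp_configure sequence the writeup uses to enable it, run in reverse.
            # These settings are server-wide; there is no per-login scope.
            $cmd.CommandText = @"
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;
EXEC sp_configure 'show advanced options', 0; RECONFIGURE;
"@
            [void]$cmd.ExecuteNonQuery()
            "xp_cmdshell disabled on $Instance"
        }
    } else {
        "xp_cmdshell is disabled on $Instance"
    }
}
finally {
    $conn.Close()
}
```

Run it as `.\Audit-XpCmdshell.ps1 -Instance <host> -Remediate` from a session that can authenticate to the instance. Disabling the procedure is only half the fix on a box like this one: the application binary that embeds the `sa` password is the reason an attacker reaches sp_configure at all, so the application login should be a low-privilege SQL user rather than `sa`.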

Now we can spawn a shell and pass the string using “xp_cmdshell”.

[Screenshot: whoami]

This is the “Sarah” user; let’s check the privileges of the current user.

[Screenshot: /priv]

“SeImpersonatePrivilege” is enabled for this user, so once we have initial access we can impersonate SYSTEM to get a privileged shell.

Initial Access

Now we need to get initial access using PowerShell payloads. I am going to use Nishang.

[Screenshot: nishang]

Edit the file and add a last line with your IP:port.

[Screenshot: edit ps1]

Start an HTTP server from the same location.

[Screenshot: http server]

Set up a netcat listener on localhost.

[Screenshot: netcat listener]

Use Invoke-Expression to download the PowerShell payload and run it on the target machine.

[Screenshot: invoke]

We got a hit on the HTTP server.

[Screenshot: got hit]
[Screenshot: shell]

Aight, *hacker voice* we are in. Get your first flag from the user’s Desktop.

[Screenshot: user flag]

Privilege Escalation

This target has multiple PrivEsc points.

On Sarah’s Desktop there are multiple files which help us escalate privileges to administrator.

[Screenshot: desktop files]

Two txt files help us understand what is blocked and what is enabled to protect the system. The bat file gives an idea of how to escalate privileges using the outdated Firefox browser. The XML and PS1 files are what we are going to use to get admin access.

That PS1 script is a warm-up script for the SharePoint application.

The warm-up script prefetches SharePoint’s ASPX pages and loads them into the IIS cache, which improves the user experience.

However, running this script requires elevated privileges, and it also creates a scheduled task on the machine so that it runs frequently. Read more

That XML file is the configuration of the warm-up scheduled task. TL;DR of the configuration: it runs a scheduled job every hour with the “ExecutionPolicy” and “skipadmincheck” arguments. We can modify the PS1 script and get a reverse shell on our machine when the script is next executed on the hour.
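The weakness described here is a scheduled task that runs as a privileged account, on a timer, from a script file that a low-privileged user can edit. That combination is easy to enumerate on a host, so the following PowerShell script is an added example (not part of the original writeup or the warm-up script’s project) that lists every enabled task whose script or executable is writable by an identity outside a trusted set. It assumes it is run from an elevated prompt on the host being audited; the trusted-writer list, the file-extension pattern and the helper names are my own choices.

```powershell
# Added example (not from the original writeup): find scheduled tasks whose
# script or executable can be modified by non-administrators. A task that runs
# as SYSTEM or an admin every hour from a user-writable .ps1 is exactly the
# Tally warm-up weakness. Assumes an elevated PowerShell on the audited host.

# Identities allowed to write task payloads; anything else with write access is a finding.
$trustedWriters = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')

function Get-UntrustedWriters {
    # Return the identities (other than the trusted set) holding an Allow ACE
    # that permits writing to the given file. Inherited ACEs are included.
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -match 'Write|Modify|FullControl') -and
            ($trustedWriters -notcontains $_.IdentityReference.Value)
        } |
        ForEach-Object { $_.IdentityReference.Value }
}

function Resolve-TaskScript {
    # Pull file paths out of a task action such as
    #   powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\warmup.ps1 -SkipAdminCheck
    # Limitation: quoted paths containing spaces are not reassembled.
    param([string]$Execute, [string]$Arguments)
    $candidates = @($Execute)
    if ($Arguments) {
        $candidates += @($Arguments -split '\s+' | Where-Object { $_ -match '\.(ps1|bat|cmd|vbs|exe)$' })
    }
    $candidates |
        ForEach-Object { [Environment]::ExpandEnvironmentVariables($_.Trim('"')) } |
        Where-Object { Test-Path -LiteralPath $_ -PathType Leaf }
}

Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }   # COM-handler actions have no Execute
        foreach ($script in Resolve-TaskScript $action.Execute $action.Arguments) {
            $writers = @(Get-UntrustedWriters $script)
            if ($writers.Count -gt 0) {
                [pscustomobject]@{
                    Task    = "$($task.TaskPath)$($task.TaskName)"
                    RunAs   = $task.Principal.UserId
                    Script  = $script
                    Writers = ($writers -join ', ')
                }
            }
        }
    }
} | Format-Table -AutoSize
```

Rows whose RunAs is SYSTEM or an administrator and whose Writers column names an ordinary user are the ones to fix: move the script into an administrator-only directory (and update the task), or remove the write ACE. Checking the task definition alone is not enough, because the task XML can be perfectly sane while the file it points at is still world-writable.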

We use the Nishang payload again for this. Edit the file and add a last line with your IP and port.

[Screenshot: nishang]

Start the HTTP server.

Set up a netcat listener.

[Screenshot: netcat listener]

Now edit the warm-up script.

[Screenshot: edit warm-up script]

Check the time.

[Screenshot: time]

It was 9:34 when I modified the PS1 script, so now I have to wait 24 minutes to get the reverse shell.

[Screenshot: admin access]

Now we have admin access. Get the root flag.

[Screenshot: root flag]

Note: the only hurdle with this PrivEsc route was time. You can try other PrivEsc techniques by exploiting the outdated Firefox or abusing “SeImpersonatePrivilege” with the Rotten Potato exploit.

We got all the flags required to complete this machine.

Thank you for reading this blog. While attempting this challenge I learned so many things. This was a unique target with a unique vulnerability.

Reference

https://resources.bishopfox.com/resources/tools/sharepoint-hacking-diggity/
https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-configure-transact-sql?view=sql-server-ver15
https://blog.greenbrain.de/2014/10/fire-up-those-caches.html
https://github.com/samratashok/nishang
