Synopsis
“Tally” is marked as Hard difficulty machine that features IIS web server and SharePoint CMS with MSSQL running in background. Gobuster gives us path to FTP credentials. FTP has a directory with KeePass credential database, we crack the master password of DB and get access to SMB credentials. SMB access gives us credentials to MSSQL DB. Using MSSQL we get our initial access and we exploit misconfiguration to get admin access.
Skills Learned
- Sharepoint Enumeration
- MSSQL Exploits
- Evading AVs
Enumeration
Nmap reveals eight open ports/services on target. In summary, target is running FTP without anonymous access, HTTP with Microsoft Sharepoint, 2016 MSSQL and hostname is “tally”.
Add the hostname to /etc/hosts.
Let’s enumerate sharepoint. Using GoBuster with SecLists sharepoint URLs we can find available links.
GoBuster result is huge, but if we cross match the result with popular sharepoint URLs and some trial an error then we’d find those above two links are quite useful.
The first discovered link takes us to this page, it has directories with 1 item each inside. Let’s visit Documents.
The content of ftp-details are below.
We got FTP password but they didn’t mention any username in this file. But that can be found in “site pages” directory.
Make sure to add “tally” to /etc/hosts and point its IP address. If you don’t then this page will not be displayed.
Now we have username:password of the FTP. Let’s login and find what it contains.
We got couple of directories, let’s download all the content to localhost and then we can dig in.
This above command will recursively download all the content of FTP to your machine. If we look though some of the directories then we’d find a “do to.txt”.
According to this message, they are using “keepass” application to store shared folder credentials.
In the same user directory we can find the keepass password database.
Now we need to extract master password hash of ‘keepass db’ and then we can crack it.
Now we can crack this hash using “john the ripper”.
We got the master password of KeePass. Now we need to install KeePass on localhost.
After installation, open keepass and give the keepass database file (tim.kdbx) and input the password.
Now we have access to keepass all the stored passwords. Check Shares.
Username and password for SMB share (ACCT).
In one of the directory of SMB share you’d find “tester.exe”. Download it to your localhost.
Now run strings on that file.
From strings you’d get the MSSQL credentials.
username (ID) “sa” and Password “GWE3V65#6KFH93@4GWTG2G” .
Access MSSQL using sqsh application.
If we try to run “xp_cmdshell” to spawn a shell and pass the string “whoami” to find the current user information then it gives us an error. It is disabled and admin can enable using sp_configure command. We are ‘sa’ user of this DB, it is short for “system administrator”, so we can change global configuration settings for current user using “sp_configure” command.
Now we can spawn a shell and pass the he string using “xp_cmdshell”.
This is “Sarah” user, let’s check the privileges for this current user.
Set “SeImpersonatePrivilege” is enabled for this user, so once we have initial access then we can impersonate system to get privileged shell.
Initial Access
Now we need to get a initial access using powershell payloads. I am going to use Nishang.
Edit the file and add the last line with your IP:Port
Start a http server from same location.
Setup a netcat listener on localhost.
Invoke expression to download the powershell payload and run in to on target machine.
We got the hit on http server.
Aight, *hacker voice* we are in. Get you first flag fro users Desktop.
Privilege Escalation
This target has multiple PrivEsc points
On Sarah’s Desktop there are multiple files which would help us to escalate privileges to administrator.
Two txt files helps us to understand what is blocked and what is enabled to protect the system. Bat file gives an idea to escalate privs using outdated firefox browser. XML and PS1 files which we are going to use to get admin access.
That PS1 script is a warmup script for sharepoint application.
The Warm-Up script prefetches SharePoints ASPX pages and loads them into the IIS cache. This will help to improve the user experience.
However, to run this script we need elevated privileges and also it creates a schedule task on the machine to be run frequently. Read more
That XML file is a configuration of warmup script. TL;DR of configuration is, it’s running a schedule job every hour with “ExecutionPolicy” and “skipadmincheck” arguments. We can modify the PS1 script and get a reverse shell on our machine when the next hour this script gets executed.
We use Nishang payload again for this. Edit the file and add the last line with IP and Port.
Star the http server
Setup a netcat listener.
Now edit the warmup script.
Check the time
Its 9:34 when I modified the PS1 script, now I have to wait for 24 minutes to get the reverse shell.
Now we have admin access. Get the root flag.
Note: This way of PrivEsc’s only hurdle was time. You can try other PrivEsc techniques by exploiting outdated FireFox or “SeImpersonatePrivilege” by rotten potato exploit.
We got all the flags required to complete this machine.
Thank you for reading this blog. While attempting this challenge I learned so many things. This was unique target with unique vulnerability.
Reference
https://resources.bishopfox.com/resources/tools/sharepoint-hacking-diggity/
https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-configure-transact-sql?view=sql-server-ver15
https://blog.greenbrain.de/2014/10/fire-up-those-caches.html
https://github.com/samratashok/nishang
