Tally — HackTheBox Writeup

Source

Synopsis

Skills Learned

Enumeration

Nmap

Add the hostname to /etc/hosts.

gobuster
viewlsts page
Documents Directory
ftp-details
ftp-user

Make sure to add “tally” to /etc/hosts, pointing it at the target's IP address; otherwise this page will not be displayed.

ftp login
contents
download ftp
doto.txt
keepass files
keepass password DB version
keepass hash
hash cracking
install keepass
keepass
shares
shares password
smb share
tester
strings
mssql creds
interactive shell
error
sp_configure
whoami
/priv

Initial Access

nishang
edit ps1
http server
netcat listener
invoke
got hit
shell
user flag

Privilege Escalation

This target has multiple PrivEsc points.

desktop files

The Warm-Up script prefetches SharePoint's ASPX pages and loads them into the IIS cache. This helps to improve the user experience.

nishang
netcat listener
edit warmup script
time
admin access
root flag

Note: The only hurdle for this PrivEsc path was time. Other PrivEsc techniques are also possible here: exploiting the outdated Firefox, or abusing “SeImpersonatePrivilege” with the Rotten Potato exploit.

Thank you for reading this blog. While attempting this challenge I learned so many things. This was a unique target with a unique vulnerability.

Reference

https://resources.bishopfox.com/resources/tools/sharepoint-hacking-diggity/
https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-configure-transact-sql?view=sql-server-ver15
https://blog.greenbrain.de/2014/10/fire-up-those-caches.html
https://github.com/samratashok/nishang
