Tally

Tally - 10.10.10.59

Target Enumeration:

OS: Windows
User: be72362e8dffeca2b42406d5d1c74bb1
Root: 608bb707348105911c8991108e523eda

Ports / Services / Software Versions Running

21/tcp open ftp Microsoft ftpd
80/tcp open http Microsoft IIS httpd 10.0
81/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
808/tcp open ccproxy-http?
1433/tcp open ms-sql-s Microsoft SQL Server 2016 13.00.1601.00; RTM

Vulnerability Exploited:

FTP password stored in plaintext on SharePoint
MSSQL creds stored in a KeePass file with a weak password
MSSQL service reconfigured to allow xp_cmdshell, which gives a PowerShell reverse connection

Privilege Escalation:

CVE-2017-0213: Windows COM Elevation of Privilege Vulnerability

Exploiting the host:

Nmap:
Dirb gives a few SharePoint dirs.
SharePoint exposes some credentials without authentication under:
http://10.10.10.59/Shared%20Documents/Forms/AllItems.aspx
Log in with the user ftp_user and the password above:
Looking around the file system, we see the file do to.txt and its contents in the folder
/user/tim/project/log
Looking further around the system, we find the KeePass file referenced above in /user/tim/files
We grab the hash from the file
And crack it with john
Log in using kpcli and open the file; now we have found some further creds
Log in to Tally via SMB and start enumerating the ACCT share for information.
The migration folder looks the most promising from the clue above:
Running strings on the tester.exe file gives you a sql password
Now log in to the SQL Server using sqsh
Reconfigure to run system commands
There is Windows Defender on the target, which detects most reverse shells, so use setoolkit
Move the payload to Shell2.ps1, host it with Python, and set up your Metasploit listener
Download and execute with xp_cmdshell
Now you have a shell
There is a hint that the current patches are not up to date
Looks like the machine has been locked down and has Windows Defender installed.
Download 32-bit WinRAR and encode a reverse shell with Shellter
Upload it to the target and see if it bypasses Windows Defender. Once it is successfully uploaded, open a few more shells in case ours dies off. We will also need this file for root.
Running systeminfo shows us that there are only 2 hotfixes installed, and after trying numerous exploits against the host we find the following, which works:
Download the compiled exploit from:
Migrate to explorer.exe
Upload the exploit to the target system and rename your root shell as cmd.exe
Run the file
Now you will have a system shell
System Shell:
Now capture your flag:
Dump the plaintext passwords
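
Detection note (an added example, not part of the original walkthrough): the xp_cmdshell reconfiguration step above is recorded in the SQL Server error log as a "Configuration option ... changed" message, so it can be alerted on. The Python sketch below scans such a log; the sample lines, the client address and the function name find_alerts are constructed for illustration, and pairing the change with the most recent login is only a timing heuristic.

```python
import re
from datetime import datetime

# Constructed sample in the SQL Server ERRORLOG layout (timestamp, source, message).
# The on-disk ERRORLOG is UTF-16; decode it before passing the text in.
SAMPLE_ERRORLOG = """\
2017-11-04 09:12:41.10 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 192.0.2.10]
2017-11-04 09:13:02.55 spid53      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2017-11-04 09:13:09.87 spid53      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2017-11-04 10:40:00.01 spid60      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.
2017-11-04 11:00:00.00 spid7s      Configuration option 'max degree of parallelism' changed from 0 to 4. Run the RECONFIGURE statement to install.
"""

LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d\d) (\S+)\s+(.*)$")
CONFIG = re.compile(r"Configuration option '([^']+)' changed from (\d+) to (\d+)\.")
LOGIN = re.compile(r"Login succeeded for user '([^']+)'.*\[CLIENT: ([^\]]+)\]")

def find_alerts(text):
    """Return one alert per 0 -> 1 change of xp_cmdshell, with session context."""
    alerts, last_login, advanced_by = [], None, set()
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # continuation line of a multi-line message
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
        source, msg = m.group(2), m.group(3)
        login = LOGIN.search(msg)
        if login:  # remember who logged in last (timing heuristic only)
            last_login = {"user": login.group(1), "client": login.group(2)}
            continue
        cfg = CONFIG.search(msg)
        if not cfg:
            continue
        option, old, new = cfg.group(1), int(cfg.group(2)), int(cfg.group(3))
        if option == "show advanced options" and new == 1:
            advanced_by.add(source)  # prerequisite for changing xp_cmdshell
        elif option == "xp_cmdshell" and old == 0 and new == 1:
            alerts.append({
                "time": ts, "session": source, "option": option,
                "unlocked_in_same_session": source in advanced_by,
                "last_login": last_login,
            })
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_ERRORLOG):
        print(alert)
```

Disabling xp_cmdshell again (the 1 to 0 line) and unrelated options are deliberately not reported, so the output stays limited to the change that enables OS command execution.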