HackTheBox - Tally - 10.10.10.59
Tally is a hard difficulty Windows Server 2016 machine on hackthebox.eu.
Tally can be a very challenging machine for some. It focuses on many different aspects of real Windows environments and requires users to modify and compile an exploit for escalation. Covered in this post is the use of Rotten Potato, which is an unintended alternate method for privilege escalation.
Recon and Scanning
From the ports open we can clearly see that this is a domain controller and that it is running Windows Server 2016 by the SQL Server version. You can also see that there is a share point site running on port 80
As we know there is a sharepoint site we can go and look at http://10.10.10.59/layouts/viewlsts.aspx to see all the documents hosted on the sharepoint.
Inside the documents folder there is a document called
ftp-details.docx, inside this we will find credentials for the FTP server.
Now that we have credentials we can login to the ftp server and browse around.
\User\Tim\Files we see a
.kbdx file which is a
keepassx database file, if we can crack the password we will have access to whatever credentials are inside. We can crack it using john the ripper.
Getting More Credentials
Cracking the KeePassX DB file
Firstly, we will need to download the file to our local machine and use
keepass2john to get a hash file that we can then crack with
Now crack it with john
Bingo! Now let’s open it with KeePassX and view the stored credentials
Accessing the Accounting SMB Share
We now have credentials for a share named acct, let’s mount this and view all the files
After some manual enumeration, we come a across a file called
tester.exe, running strings on the file reveals the credentials for the MSSQL Server we saw in the nmap scan.
Getting Command Execution using the MSSQL Server and ‘xp_cmdshell’
Now that we have creds for the SQL Server we can login using
sqsh, a tool built into Kali.
Now that a connection has been established we can enable the
xp_cmdshell function, so that we can execute system commands as the user who is running the database server. The following commands are used to enable the function.
Getting a Meterpreter Session using Veil
Now we have command execution on the box, we can generate a Meterpreter reverse shell payload, to do this I will use Veil to create an encrypted Meterpreter payload to bypass windows defender which I presume is running on the machine.
To install Veil on Kali, simple run:
Now that veil has been installed we can launch it with:
We want to select the evasion module, so type
This will show us all the available modules
The module we want is
Select it with
Now finally, set the LHOST and LPORT and then type,
Now that we have our
tally-msf.bat file, we can serve it to the box using
smbserver.py, firstly, we need to set up metasploit, this can be done by using the pre-built resource file,
We can now start up our Meterpreter listner with:
We can now execute our bat file over the network with
xp_cmdshell and our
Priv Esc to SYSTEM
Now that we have a shell as a user on the machine, we can use the
rottenpotato attack to impersonate the SYSTEM user, I deduced this as the box is a very early release of Server 2016 and doesn’t appear to have many hotfix’s installed. If you want a detailed explation of the attack, the article Here is very good. We also have the required privelages to run this attack, as seen here.
Impersonating SYSTEM with Incognito
Firstly, download RottenPotato from the GitHub Here and upload it to the box with Meterpreter
Now we can load Metasploit’s incognito module and then run
As you can see we have the
SYSTEM users impersonation token avaliable, so we can impersonate it with:
User and Root Flags
Now that we have a shell as SYSTEM we can grab both the User and Root flags.
Dumping the Domain Hashes
We can also dump all of the hashes in the domain using Metasploit’s Kiwi Module
If you enjoyed the write up or found it useful consider + repping my htb profile linked below: