sudo nmap -sV -sC -A -oA nmap/inital_nmap 10.10.10.59
Full Nmap scan
nmap -sV -p- -oA nmap/full_scan 10.10.10.59
While we wait for the full scan to complete, let's start the enumeration process.
Nmap initial results
sudo nmap -sV -sC -A -oA nmap/inital_nmap 10.10.10.59
[sudo] password for kali:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-15 04:21 EDT
Nmap scan report for 10.10.10.59
Host is up (0.036s latency).
Not shown: 992 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Microsoft IIS httpd 10.0
| http-title: Home
|_Requested resource was http://10.10.10.59/_layouts/15/start.aspx#/default.aspx
|_http-generator: Microsoft SharePoint
|_http-server-header: Microsoft-IIS/10.0
81/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Bad Request
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
808/tcp open ccproxy-http?
1433/tcp open ms-sql-s Microsoft SQL Server 2016 13.00.1601.00; RTM
| ms-sql-info:
| 10.10.10.59:1433:
| Version:
| name: Microsoft SQL Server 2016 RTM
| number: 13.00.1601.00
| Product: Microsoft SQL Server 2016
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
| ms-sql-ntlm-info:
| 10.10.10.59:1433:
| Target_Name: TALLY
| NetBIOS_Domain_Name: TALLY
| NetBIOS_Computer_Name: TALLY
| DNS_Domain_Name: TALLY
| DNS_Computer_Name: TALLY
|_ Product_Version: 10.0.14393
|_ssl-date: 2023-08-15T08:21:41+00:00; +1s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2023-08-15T08:17:32
|_Not valid after: 2053-08-15T08:17:32
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94%E=4%D=8/15%OT=21%CT=1%CU=30638%PV=Y%DS=2%DC=T%G=Y%TM=64DB359
OS:5%P=x86_64-pc-linux-gnu)SEQ(SP=106%GCD=1%ISR=109%TI=I%CI=I%II=I%SS=S%TS=
OS:A)SEQ(SP=106%GCD=3%ISR=109%TI=I%CI=I%II=I%SS=S%TS=A)OPS(O1=M53ANW8ST11%O
OS:2=M53ANW8ST11%O3=M53ANW8NNT11%O4=M53ANW8ST11%O5=M53ANW8ST11%O6=M53AST11)
OS:WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=2000)ECN(R=Y%DF=Y%T=80%W=
OS:2000%O=M53ANW8NNS%CC=Y%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R=Y%
OS:DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T=80%W=0%S=Z%A=O%F=AR%
OS:O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=80%
OS:W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=
OS:)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=80%IPL=164%
OS:UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=80%CD=Z)
Network Distance: 2 hops
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-time:
| date: 2023-08-15T08:21:37
|_ start_date: 2023-08-15T08:17:13
TRACEROUTE (using port 23/tcp)
HOP RTT ADDRESS
1 50.12 ms 10.10.16.1
2 24.24 ms 10.10.10.59
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 38.82 seconds
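Before moving on to the individual services, here is a small Python script that parses Nmap's normal-format output and flags the findings a defender would want ticketed from this scan: cleartext FTP, SMB signing not required, a guest SMB session accepted, and an RTM SQL Server with no post-release patches. It is an added example, not part of the original writeup; the sample text is an excerpt of the scan output above (re-aligned), and the severities assigned are my own assumption.

```python
"""Parse Nmap normal-format output and flag exposure findings a defender cares about.
Added example; SAMPLE_SCAN is an excerpt of the scan output in the writeup."""
import re

SAMPLE_SCAN = """\
Nmap scan report for 10.10.10.59
Host is up (0.036s latency).
Not shown: 992 closed tcp ports (reset)
PORT     STATE SERVICE      VERSION
21/tcp   open  ftp          Microsoft ftpd
80/tcp   open  http         Microsoft IIS httpd 10.0
|_http-generator: Microsoft SharePoint
445/tcp  open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1433/tcp open  ms-sql-s     Microsoft SQL Server 2016 13.00.1601.00; RTM
|   Service pack level: RTM
|   Post-SP patches applied: false
Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
| smb-security-mode:
|   account_used: guest
|_  message_signing: disabled (dangerous, but default)
"""

# One row of the PORT / STATE / SERVICE / VERSION table
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_ports(text):
    """Return {port: (state, service, version)} from the port table lines."""
    ports = {}
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports[int(m.group(1))] = (m.group(3), m.group(4), m.group(5).strip())
    return ports


def assess(text):
    """Map scan text to a list of (severity, finding) pairs; severities are assumptions."""
    ports = parse_ports(text)
    findings = []
    if 21 in ports and ports[21][0] == "open":
        findings.append(("medium", "FTP (21/tcp) exposed: credentials travel in cleartext"))
    # Either NSE script wording means a client can talk to SMB without signing
    if ("Message signing enabled but not required" in text
            or "message_signing: disabled" in text):
        findings.append(("high", "SMB signing not required on 445/tcp: relay risk"))
    if "account_used: guest" in text:
        findings.append(("medium", "SMB guest session accepted during scan"))
    if 1433 in ports:
        if "Post-SP patches applied: false" in text:
            findings.append(("high", "SQL Server on 1433/tcp exposed with no post-release patches"))
        else:
            findings.append(("medium", "SQL Server on 1433/tcp exposed to the network"))
    if "Microsoft SharePoint" in text:
        findings.append(("info", "SharePoint generator header disclosed on 80/tcp"))
    return findings


if __name__ == "__main__":
    for sev, msg in assess(SAMPLE_SCAN):
        print(f"[{sev:6}] {msg}")
```

Feed it the `.nmap` file written by `-oA` and it gives a first-pass list of what to fix (require SMB signing, patch or firewall SQL Server, retire FTP) rather than what to attack.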
Ports
21: FTP - anonymous login disabled
80: HTTP - the main page looks to be Microsoft SharePoint
81: HTTP - cannot access, invalid hostname
135: RPC
139: netbios-ssn
445: SMB - anonymous login disabled
808: possibly HTTP
1433: ms-sql-s, Microsoft SQL Server 2016
Port 80 HTTP
When first landing on the web server we can see that the application uses Microsoft SharePoint.
There is not much we can do on this page without credentials, but it's worth noting what appears in the URL bar.
Looking at the URL bar, take notice of /_layouts/15/start.aspx:
/_layouts : a standard SharePoint directory used for system-level pages and functionality
/15 : refers to the version of SharePoint (SharePoint 2013)
/start.aspx : the default entry point into the SharePoint site
With this knowledge, a reasonable next step is to start directory busting from http://10.10.10.59/_layouts/15 with a SharePoint-specific wordlist (SecLists).
Within the results we do find a
Very interesting: if we click on Documents we can see a Word file, ftp-details, modified by tally\administrator.
Let's download it to our local host and view the contents.
We can use LibreOffice to open the Word document.
We can see the following
We can find a password.
We don't have a username though, so let's go back to
and view the Site Pages.
When you click on Site Pages you'll notice you are sent back to the home page; to navigate to the actual Site Pages we need to remove the following from the URL
So our URL should consist of the following
The most likely reason we are redirected back to the home page is that SharePoint often employs redirection and URL rewriting to keep navigation consistent for users, but in our case that just gets in the way.
Within the Site Pages we can see the following
When we are redirected to /SitePages/FinanceTeam.aspx we can see some juicy information.
From what we can gather we have found the users
From the message we can safely say we have found the username for the FTP password we found earlier.
FTP
Once we log in via FTP
Looking within the user directories we can see a number of users.
Let's download the data from the FTP server onto our local machine using wget.
If we look within
/10.10.10.59/User/Sarah
we will find notes.txt, which contains the following
From what we can tell, Orchard CMS was replaced with SharePoint.
When we look in /10.10.10.59/Intranet/Binaries
we can see a Firefox executable.
We can use searchsploit to see if this version of Firefox is vulnerable, which indeed it is.
We will keep this in our back pocket.
If we also look at
/10.10.10.59/User/Tim/Files
we will find a tim.kdbx file, which is a KeePass database that could possibly contain passwords.
When we try to open the database we are prompted for the master password.
What we can do is use keepass2john to produce a hash of the master password and use hashcat to crack it.
Using keepass2john
Use hashcat to crack the hash
We now have the master key.
Now we can open the KeePass database.
Looking through the database we do find credentials relating to an SMB share.
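A short detour on why the crack above was feasible. How much work each master-password guess costs is set by the key-derivation parameters stored unencrypted in the KDBX outer header, which is exactly what keepass2john reads out. The Python below is an added example, not part of the original writeup, and never touches tim.kdbx: it builds two headers in memory (a KDBX 3.1 one using AES-KDF rounds and a KDBX 4 one using Argon2d), parses them, and reports whether the KDF cost meets a review threshold. The MIN_AES_ROUNDS value and the build_* helpers are my assumptions; the signatures, field IDs and VariantDictionary layout follow the KDBX format.

```python
"""Parse the outer header of a KDBX (KeePass 2.x) database and report how much
key-derivation work a master-password guess costs. Added example; the headers
parsed below are constructed in memory, not read from tim.kdbx."""
import struct
import uuid

SIG1, SIG2 = 0x9AA2D903, 0xB67B5B03          # KDBX 2.x file signatures
ARGON2D = uuid.UUID("ef636ddf-8c29-444b-91f7-a9a403e30a0c")
KDF_NAMES = {                                 # KDF UUIDs as KeePass writes them
    uuid.UUID("c9d9f39a-628a-4460-bf74-0d08c18a4fea"): "AES-KDF",
    ARGON2D: "Argon2d",
    uuid.UUID("9e298b19-56db-4773-b23d-fc3ec6f0a1e6"): "Argon2id",
}
F_END, F_TRANSFORM_ROUNDS, F_KDF_PARAMS = 0, 6, 11   # outer header field IDs
MIN_AES_ROUNDS = 1_000_000   # review threshold: an assumption, not a KeePass value


def parse_variant_dict(buf):
    """KDBX 4 VariantDictionary: u16 version, then (type, u32 len, name,
    u32 len, value) entries until a 0 type byte."""
    out, pos = {}, 2
    while buf[pos] != 0:
        vtype = buf[pos]; pos += 1
        nlen = struct.unpack_from("<I", buf, pos)[0]; pos += 4
        name = buf[pos:pos + nlen].decode(); pos += nlen
        vlen = struct.unpack_from("<I", buf, pos)[0]; pos += 4
        raw = buf[pos:pos + vlen]; pos += vlen
        if vtype == 0x04:
            out[name] = struct.unpack("<I", raw)[0]    # UInt32
        elif vtype == 0x05:
            out[name] = struct.unpack("<Q", raw)[0]    # UInt64
        else:
            out[name] = bytes(raw)                     # byte array ($UUID) or other
    return out


def parse_kdbx_header(data):
    """Return a dict describing the KDF; raises ValueError for non-KDBX input."""
    sig1, sig2, minor, major = struct.unpack_from("<IIHH", data, 0)
    if (sig1, sig2) != (SIG1, SIG2):
        raise ValueError("not a KDBX 2.x file")
    pos, info = 12, {"version": f"{major}.{minor}", "kdf": None}
    while True:
        fid = data[pos]; pos += 1
        if major >= 4:                                 # KDBX 4 uses u32 field sizes
            size = struct.unpack_from("<I", data, pos)[0]; pos += 4
        else:                                          # KDBX 3 uses u16 field sizes
            size = struct.unpack_from("<H", data, pos)[0]; pos += 2
        field = data[pos:pos + size]; pos += size
        if fid == F_END:
            return info
        if fid == F_TRANSFORM_ROUNDS:                  # KDBX 3: AES-KDF round count
            info.update(kdf="AES-KDF", rounds=struct.unpack("<Q", field)[0])
        elif fid == F_KDF_PARAMS:                      # KDBX 4: VariantDictionary
            params = parse_variant_dict(field)
            info["kdf"] = KDF_NAMES.get(uuid.UUID(bytes=params["$UUID"]), "unknown")
            if info["kdf"] == "AES-KDF":
                info["rounds"] = params["R"]
            else:
                info.update(iterations=params["I"], memory=params["M"],
                            parallelism=params["P"])


def assess_kdf(info):
    """Return (ok, reason) applying the review threshold above."""
    if info["kdf"] == "AES-KDF":
        return info["rounds"] >= MIN_AES_ROUNDS, f"AES-KDF with {info['rounds']} rounds"
    if info["kdf"] in ("Argon2d", "Argon2id"):
        return True, f"{info['kdf']} {info['memory'] // 1048576} MiB x {info['iterations']} iterations"
    return False, "unrecognised KDF"


def build_kdbx3_header(rounds):
    """Constructed KDBX 3.1 header carrying only the fields this parser needs."""
    hdr = struct.pack("<IIHH", SIG1, SIG2, 1, 3)
    hdr += struct.pack("<BH", F_TRANSFORM_ROUNDS, 8) + struct.pack("<Q", rounds)
    return hdr + struct.pack("<BH", F_END, 4) + b"\r\n\r\n"


def build_kdbx4_argon2_header(iterations, memory_bytes, parallelism):
    """Constructed KDBX 4.0 header whose KdfParameters select Argon2d."""
    entries = [(0x42, "$UUID", ARGON2D.bytes),
               (0x05, "I", struct.pack("<Q", iterations)),
               (0x05, "M", struct.pack("<Q", memory_bytes)),
               (0x04, "P", struct.pack("<I", parallelism))]
    vd = struct.pack("<H", 0x0100)
    for vtype, name, value in entries:
        vd += struct.pack("<BI", vtype, len(name)) + name.encode()
        vd += struct.pack("<I", len(value)) + value
    vd += b"\x00"
    hdr = struct.pack("<IIHH", SIG1, SIG2, 0, 4)
    hdr += struct.pack("<BI", F_KDF_PARAMS, len(vd)) + vd
    return hdr + struct.pack("<BI", F_END, 4) + b"\r\n\r\n"


if __name__ == "__main__":
    for hdr in (build_kdbx3_header(60000), build_kdbx4_argon2_header(2, 64 << 20, 2)):
        info = parse_kdbx_header(hdr)
        print(info["version"], assess_kdf(info))
```

Point it at real .kdbx files (`parse_kdbx_header(open(path, "rb").read())`) to audit which databases on a share still use a low AES-KDF round count, which is the property that makes an offline attack like the one above cheap.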
SMB
Let's view what shares are present and the privileges associated with them.
We can see we have READ access to the ACCT share; let's mount the share and enumerate its contents.
Initially I tried to find any file that may be on the share, which turned up a lot of junk files.
We saw earlier in our Nmap scan that there was a Microsoft SQL Server 2016, so let's refine our search.
We do find the following
Looking in conn-info.txt we can see a set of credentials
Nothing, old credentials.
Let's look for txt files and see if anything comes up.
Also note, if we recall the user Sarah's directory, that Orchard is no longer present on the system, meaning any files related to Orchard should not be relevant to our search.
Nothing too interesting.
Let's look for executables.
Looking through the executables on the share, we can see the one highlighted above: tester.exe doesn't sound like your ordinary executable, so let's investigate it using strings.
Within the output we can see a particular line of strings
We found a connection string for the SQL server.
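Running strings over one suspicious binary works, but on the defensive side the same idea is worth running across a whole share so that embedded credentials like this one get found and rotated first. The Python below is an added example, not from the original writeup, and never reads tester.exe: the three sample "files" are constructed in memory. It pulls out ASCII and UTF-16LE printable runs (what `strings -e s` and `strings -e l` do; .NET binaries keep their literals as UTF-16), matches connection-string shapes, and reports hits with the password redacted so the report itself is safe to file. The CONN_RE pattern and the ADO.NET/ODBC key names it looks for are my assumptions.

```python
"""Scan file contents from a share for embedded database connection strings and
report them with the secret redacted. Added example; SAMPLE_FILES is constructed."""
import re

PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{8,}")          # ASCII runs, like strings -n 8
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")     # UTF-16LE runs, like strings -e l
# A host key followed, somewhere later in the same string, by a password key
CONN_RE = re.compile(
    r"(?i)\b(?:server|data source)\s*=\s*[^;]+;.*?\b(?:password|pwd)\s*=\s*([^;\s]+)"
)


def extract_strings(blob):
    """Yield decoded printable runs from raw bytes, ASCII first, then UTF-16LE."""
    for m in PRINTABLE_RUN.finditer(blob):
        yield m.group().decode("ascii")
    for m in UTF16_RUN.finditer(blob):
        yield m.group().decode("utf-16-le")


def find_connection_strings(blob):
    """Return connection strings found in blob, each with its password replaced."""
    hits = []
    for s in extract_strings(blob):
        m = CONN_RE.search(s)
        if m:
            hits.append(s[:m.start(1)] + "<redacted>" + s[m.end(1):])
    return hits


def scan_files(files):
    """files: {name: bytes}. Return {name: [redacted strings]} for files with hits."""
    report = {}
    for name, blob in files.items():
        hits = find_connection_strings(blob)
        if hits:
            report[name] = hits
    return report


# Constructed sample share contents: a fake .NET binary with a UTF-16 connection
# string, a harmless note, and an ini-style text file with an ODBC-style string.
SAMPLE_FILES = {
    "tester.exe": (b"MZ\x90\x00" + bytes(range(0, 48))
                   + "Data Source=SQLHOST;Initial Catalog=orcharddb;User Id=sa;"
                     "Password=Example!Pass".encode("utf-16-le")
                   + b"\x00\x00more"),
    "readme.txt": b"Nothing sensitive in here, just a note about the finance team.",
    "conn-info.txt": b"server=dbsrv01;database=acct;uid=svc_acct;pwd=OldPassword1;",
}

if __name__ == "__main__":
    for name, hits in scan_files(SAMPLE_FILES).items():
        for h in hits:
            print(f"{name}: {h}")
```

To run it over a mounted share, build the `files` dict by walking the mount point and reading each file as bytes; anything it reports is a credential to rotate and a file to pull from the share, regardless of whether the application it belonged to is still in use.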
Shell as sarah via MSSQL
We can use mssqlclient.py (part of Impacket).
Typing help shows us we can run commands through xp_cmdshell,
but first we need to enable xp_cmdshell.
Running dir we can see we are in the system32 directory.
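From the blue-team side, enabling xp_cmdshell leaves a trace: sp_configure writes a "Configuration option 'xp_cmdshell' changed from 0 to 1" message to the SQL Server ERRORLOG. The Python below is an added example, not part of the original writeup; the log lines are constructed in the ERRORLOG layout (timestamp, source, message). It parses the lines, flags watched options being switched on, and groups them by spid so the "show advanced options" followed by "xp_cmdshell" sequence from a single session stands out even if the option was switched off again afterwards. The WATCHED severities are my assumptions.

```python
"""Flag SQL Server configuration changes that enable OS command execution, from
ERRORLOG-style lines. Added example; SAMPLE_LOG is constructed."""
import re
from datetime import datetime

# ERRORLOG line: "<date> <time.hh> <source>  <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2})\s+(?P<src>\S+)\s+(?P<msg>.*)$"
)
# SQL Server's own wording for an sp_configure change
CONFIG_RE = re.compile(
    r"Configuration option '(?P<opt>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)"
)
# Options whose enablement deserves an alert; severities are assumptions
WATCHED = {
    "xp_cmdshell": "high",
    "Ole Automation Procedures": "high",
    "clr enabled": "medium",
    "show advanced options": "low",
}

SAMPLE_LOG = """\
2023-08-15 04:20:01.11 spid7s      Server is listening on [ 'any' <ipv4> 1433].
2023-08-15 04:25:10.12 spid55      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2023-08-15 04:25:10.40 spid55      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2023-08-15 04:31:42.09 spid55      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.
2023-08-15 04:40:00.00 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.10.16.5]
"""


def parse_errorlog(text):
    """Split ERRORLOG text into {ts, src, msg} rows; unparseable lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
                         "src": m["src"], "msg": m["msg"]})
    return rows


def detect_config_changes(rows):
    """Return one alert per change to a watched option; turning it off is 'info'."""
    alerts = []
    for r in rows:
        m = CONFIG_RE.search(r["msg"])
        if not m or m["opt"] not in WATCHED:
            continue
        enabled = m["new"] != "0"
        alerts.append({"ts": r["ts"], "spid": r["src"], "option": m["opt"],
                       "action": "enabled" if enabled else "disabled",
                       "severity": WATCHED[m["opt"]] if enabled else "info"})
    return alerts


def summarize(alerts):
    """Per-spid list of options that were enabled, in order, so the
    'show advanced options' then 'xp_cmdshell' pattern is visible at a glance."""
    by_spid = {}
    for a in alerts:
        if a["action"] == "enabled":
            by_spid.setdefault(a["spid"], []).append(a["option"])
    return by_spid


if __name__ == "__main__":
    alerts = detect_config_changes(parse_errorlog(SAMPLE_LOG))
    for a in alerts:
        print(a["ts"], a["spid"], a["severity"], a["option"], a["action"])
    print(summarize(alerts))
```

On a live instance the current state is visible with `SELECT name, value_in_use FROM sys.configurations WHERE name = 'xp_cmdshell'`, but the log-based check matters because the option can be flipped back to 0 after use, as in the sample, and because the login that did it (here, one found in a binary on a share) should not have needed sysadmin in the first place.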