< Back to All

Hack The Box: Tally

Tally -

Target Enumeration:

OS: Windows

User: be72362e8dffeca2b42406d5d1c74bb1

Root: 608bb707348105911c8991108e523eda

Ports / Services / Software Versions Running

21/tcp   open ftp           Microsoft ftpd

80/tcp   open http          Microsoft IIS httpd 10.0

81/tcp   open http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)

135/tcp  open msrpc         Microsoft Windows RPC

139/tcp  open netbios-ssn   Microsoft Windows netbios-ssn

445/tcp  open microsoft-ds  Microsoft Windows Server 2008 R2 - 2012 microsoft-ds

808/tcp  open ccproxy-http?

1433/tcp open  ms-sql-s Microsoft SQL Server 2016 13.00.1601.00; RTM

Vulnerability Exploited:

FTP Password stored in plaintest on Sharepoint

MSSQL creds stored in keepass file with weak password

MSSQL service reconfigured to allow xp_commandshell gives a powershell reverse connection

Privilege Escalation:

CVE-2017-0213: Windows COM Elevation of Privilege Vulnerability


Exploiting the host:


Dirb gives a few sharepoint dirs.

Sharepoint gives you some unauthenticated credentials under:

Login with the user ftp_user and password above:

Looking around the file system we see do to.txt which has the contents from the folder


Looking further around the system we find the keepass file refrenced above in /user/tim/files

We grab the hash from the file

And crack it with john

Login using kpcli and open the file now we have found some further creds

Login to tally via smb and start enumerating the ACCT share for information.

The migration folder looks the most promising from the clue above:

Running strings on the tester.exe file gives you a sql password

Now login to the sqlserver using sqsh

Reconfigure to run system commands

There is windows defender on the target which detects most reverse shells so use setoolkit

Move the payload to Shell2.ps1 and host it with python, set up your metasploit listener

Download and execute with xp_cmdshell

Now you have a shell

There is  a hint that the current patches are not upto date

Looks like the machine has been locked down and has Windows Defender installed.

Download winrar 32 bit and encode a reverse shell with shellter

Upload it to the target and see if it bypasses Windows Defender, once successfully uploaded open a few more shells incase our one dies off. We will also need this file for root.

Running systeminfo shows us that there are only 2 hotfixes installed and after trying numerous exploits against the host we find the following which works:


Download the compiled exploit from:


Migrate to explorer.exe

Upload the exploit to the target system and rename your root shell as cmd.exe

Run the file

Now you will have a system shell

System Shell:

Now capture your flag:

Dump the plaintext passwords