Tally (need a little nudge)

Glasgow · November 8, 2017, 12:32am

I was able to find the FTP info (hostname, workgroup, and password) but have not had any luck in logging in. Am I on the right path or am I way off base?

wolverine · November 8, 2017, 7:31am

your on the right path, your missing some info; enum, enum, enum

Glasgow · November 11, 2017, 4:28am

I’m thinking that I’m missing the username (from sharepoint), but not having any luck.

wolverine · November 11, 2017, 8:04am

look at typical sharepoint attack URLs, there are a few resources from other testers/hackers on github.
One or two should prove fruitful.

Glasgow · November 12, 2017, 1:03am

I’ve tried sparty and spscan. I’ve found some of the urls, but haven’t been able to do anything with then (e.g. trying to post soap commands or enum users all require authentication)

wolverine · November 12, 2017, 8:00am

the url is a little mangled for some reason, try them manually

Glasgow · November 12, 2017, 4:42pm

Do you mean the urls returned by sparty/spscan, or the ones within the SOAP post requests?

wolverine · November 13, 2017, 7:16am

when you put the url in the address bar, tally mangles them via a redirect? you have to re-type them manually, then you’ll find some pages with info that are useful to further attack tally. I havnt bothered with the soap.

Yavellion · November 16, 2017, 10:28pm

Hello all,
Information on this forum are very useful, so first thanks for this. I was keeping investigating in some rabbit hole before I read your posts.
I’m stuck at the same point than glasgow…
I Tried several times to enumerate further with various lists, and also tried to adjust/changed the lists to adapt them to this particular case. Could someone lead me to some useful hint/resource please?
I’m really stuck now. Thanks for all.

Glasgow · November 18, 2017, 3:53am

I feel like such a moron. I was looking right at this before I found the FTP details. As wolverine called out, watch for places where the site redirects you (it adds something to the URL and displays the homepage). If you see that happen, try adjusting the URL manually.

ActivateD · November 18, 2017, 2:31pm

Hmm I am stuck on finding the user, I have found the ftp stuff. I have found another directory but its is not giving me much. Can someone PM me a tip?

paciock · November 26, 2017, 12:49am

after collected several credentials i tried with the exposed db service but none of em work, any hint, or if i’m in the wrong way?

ipatchcables · December 13, 2017, 8:56pm

Can anybody throw me a PM on this? I have searched high and low.

puerkito66 · December 13, 2017, 9:14pm

@ipatchcables said:
Can anybody throw me a PM on this? I have searched high and low.

Send me a message

beginner2010 · December 15, 2017, 2:18pm

Guys, who can give a hint? I’ve got access to ftp, got creds to smb and found old creds for db and creds from password-protected zip. The problem is that I can’t connect with them to DB.

peek · December 15, 2017, 2:46pm

maybe something with smb

ipatchcables · December 17, 2017, 12:23am

Tips on priv esc?

Glasgow · December 18, 2017, 4:53pm

@ipatchcables, if you’re still stuck on priv esc, send me PM with what you’ve done so and what info you’ve gathered. I don’t want to spoil it for anyone who hasn’t gotten as far as you. That would be a rotten thing to do.

Yavellion · January 8, 2018, 9:50pm

@peek ; was it a nudge for beginner2010? 'cause I’m stuck at same stage

Thanks!

peek · January 9, 2018, 1:58pm

@Yavellion said:
@peek ; was it a nudge for beginner2010? 'cause I’m stuck at same stage

Thanks!

write me a private message, i dont know which step you are ?