Search

Tally

  • Microsoft SharePoint webpage
    • dirbuster
      • Use gobuster with sharepoint word list instead
  • ftp
    • Connect anonymous?
      • not allowed
  • mssql
    • mssqlclient after credentials?
  • smb
    • find initial credentials?
      • anonymous denied. responder?
    • signing not required
      • smb relay?

gobuster found us a folder with sharepoint files. it’s docx so we can:

docx2txt ftp-details.docx ftpdetails.txt
cat ftpdetails.txt

we get:

FTP details
hostname: tally
workgroup: htb.local
password: UTDRSCH53c"$6hys
Please create your own user folder upon logging in

mistake: hostname is not username. Enum further for a username

What was stopping my page from loading:

Link had old pages with # into new pages when it should have been:

/SitePages/FinanceTeam.aspx

This gives us the ftp username and also a file that’s allowed to upload from that user, not blacklisted. Credentials:

ftp_user
UTDRSCH53c"$6hys