# HackTheBox-Mantis

## NMAP

```bash
PORT      STATE SERVICE      VERSION
53/tcp    open  domain       Microsoft DNS 6.1.7601 (1DB15CD4) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15CD4)
88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2022-01-03 16:26:51Z)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds Windows Server 2008 R2 Standard 7601 Service Pack 1 microsoft-ds (workgroup: HTB)
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
1337/tcp  open  http         Microsoft IIS httpd 7.5
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
1433/tcp  open  ms-sql-s     Microsoft SQL Server 2014 12.00.2000.00; RTM
| ms-sql-ntlm-info:
|   Target_Name: HTB
|   NetBIOS_Domain_Name: HTB
|   NetBIOS_Computer_Name: MANTIS
|   DNS_Domain_Name: htb.local
|   DNS_Computer_Name: mantis.htb.local
|_  Product_Version: 6.1.7601
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2022-01-03T16:23:47
| Not valid after:  2052-01-03T16:23:47
| MD5:   c8ce e7c1 63c6 b69c f8ad 9227 769f b67c
|_SHA-1: 6810 c8c8 1e18 458d 4fd3 60d6 90b1 ca8e 5619 e790
|_ssl-date: 2022-01-03T16:28:00+00:00; 0s from scanner time.
3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5722/tcp  open  msrpc        Microsoft Windows RPC
8080/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Tossed Salad - Blog
9389/tcp  open  mc-nmf       .NET Message Framing
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc        Microsoft Windows RPC
49164/tcp open  msrpc        Microsoft Windows RPC
49166/tcp open  msrpc        Microsoft Windows RPC
49172/tcp open  msrpc        Microsoft Windows RPC
50255/tcp open  ms-sql-s     Microsoft SQL Server 2014 12.00.2000
| ms-sql-ntlm-info:
|   Target_Name: HTB
|   NetBIOS_Domain_Name: HTB
|   NetBIOS_Computer_Name: MANTIS
|   DNS_Domain_Name: htb.local
|   DNS_Computer_Name: mantis.htb.local
|   DNS_Tree_Name: htb.local
|_  Product_Version: 6.1.7601
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
Service Info: Host: MANTIS; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 42m51s, deviation: 1h53m24s, median: 0s
| ms-sql-info:
|   10.10.10.52:1433:
|     Version:
|       name: Microsoft SQL Server 2014 RTM
|       number: 12.00.2000.00
|       Product: Microsoft SQL Server 2014
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| smb-os-discovery:
|   OS: Windows Server 2008 R2 Standard 7601 Service Pack 1 (Windows Server 2008 R2 Standard 6.1)
|   OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
|   Computer name: mantis
|   NetBIOS computer name: MANTIS\x00
|   Domain name: htb.local
|   Forest name: htb.local
|   FQDN: mantis.htb.local
|_  System time: 2022-01-03T11:27:49-05:00
| smb-security-mode:
|   account_used:
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
```

## PORT 139/445/389 (SMB/LDAP)

Running `enum4linux` to check whether null authentication works against SMB, LDAP and RPC, and to enumerate usernames if possible.

It looks like we are not successful here; running `smbclient` and `smbmap` also failed.

## PORT 1337 (HTTP)

This port gives us the IIS 7 default page.

Running `gobuster` against it, I didn't find anything interesting.

This gives us a forbidden message, so we can't access this directory.

So I just left a `gobuster` run going on this port with the wordlist `directory-list-2.3-medium.txt` and moved on.

## PORT 8080 (HTTP)

Visiting port 8080 shows a blog page.

There's an option to add a comment on a blog post, so let's try it and see if there's XSS here.

But nothing really happened; the comment wasn't even added. So on to `gobuster` to fuzz for files here.

I did find some directories.

But these are the two posts we already saw on the main page, and the admin page requires credentials. We can try defaults like `admin:admin`, but that didn't work.

Going back to the scan left running on port 1337, it found a directory `secure_notes`.

The `web.config` file returned 404, but the text file gave us some juicy information.

Scrolling further down we can also find a password for the Orchard CMS admin user, written in binary.

Logging in with this password we become admin on Orchard.

But being admin on Orchard CMS, there wasn't anything we could abuse, and there weren't any exploits available that could give us code execution either.

Notice the file name we saw in `secure_notes`: `dev_notes_NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx.txt.txt`. The text in the middle, `NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx`, looks like some sort of encoding; the Magic feature of CyberChef can identify and decode it.

Decoding it further, the base64 gives hex, and the hex decodes to plain text: the MSSQL login password. We already saw the username in the text file, which is `sa`, so with `crackmapexec` we can verify whether the credentials are correct.

But these creds failed; I tried the admin user as well, but no luck.

So I switched to the metasploit module for MSSQL login and it worked. It could be that the MSSQL version on the target is too old for `crackmapexec`, which is why this module works instead.

## PORT 1433 (MSSQL)

There's a Linux tool called `sqsh`, a command-line MSSQL client that works well with older versions of MSSQL.

```bash
sqsh -S 10.10.10.52 -U 'admin' -P 'm$$ql_S@_P@ssW0rd!'
```

After connecting to MSSQL we need to select the database we want to use and then see which tables it has.

```sql
select name from sys.databases
go
```

I tried listing the tables in `orcharddb`, but the output wasn't in a good format and was unreadable.

I also tried to see if we could get command execution here, but it failed.

To get around this I searched for a GUI MSSQL client for Linux and found `DBeaver`.

Install the Debian package for DBeaver; once it's installed, select the SQL Server connection type.

Now we can see the databases easily, so this is a really good tool for viewing databases. Moving on, we can open `orcharddb`, and selecting the table `UserPartRecord` we can see the columns username and password. This seems promising, as we may find potential usernames.

Switching to the data view, we can see the admin user and the james user.

Trying to verify the login with `crackmapexec` will fail, as cme may not support the older version of SMB.

However, using `smbmap` we can see the shares and the permissions we have on them.

Running `enum4linux` just to check if we can enumerate usernames and
groups on the machine.

Looking into `NETLOGON`, there wasn't anything there. The `SYSVOL` share had some policy files, which just showed which privileges were enabled; apart from the password policy files, nothing there was really interesting.

## BLOODHOUND

This being an AD machine, the only thing that came to mind was running BloodHound. Since there's no WinRM running we can't just use the SharpHound PowerShell script, but there's a Python implementation of SharpHound that collects the AD information and generates JSON files we can import into the BloodHound GUI.

```bash
python3 /opt/Python-Bloodhound/bloodhound.py -d htb.local -u 'James' -p 'J@m3s_P@ssW0rd!' -c all -ns 10.10.10.52
```

Running the pre-built query `Shortest path to high level targets`, we only see that this user can RDP into the machine, but there's no RDP service running (port 3389) on the machine.

## PRIVILEGE ESCALATION (MS14-068)

As this machine is quite old, judging from the MSSQL and OS versions in use, the domain controller may also be vulnerable.

A vulnerability exists in unpatched Windows AD servers, known as `MS14-068`, which escalates a normal domain user to administrator or `NT AUTHORITY\SYSTEM` on the machine. The issue was in validating signatures on the PAC (Privilege Attribute Certificate): the domain controller did not properly validate an invalid PAC signature created by a valid domain user, so an attacker could forge the group information in the PAC and have the DC grant them the highest privileges.

To abuse this there's an impacket script called `goldenPac.py`. We simply need to supply correct credentials; note that we also have to specify the computer name, or it won't work.

Without specifying the computer name it gives an error.

So add the computer name to the `/etc/hosts` file.

With the computer name the exploit works. We can dump hashes from NTDS.dit as well; to do this, add `James` to the `Administrators` group.

Also, just to get a PowerShell session
we need to enable the WinRM service as well.

To verify that we can reach that port.

Using `secretsdump.py`, which is also part of impacket, we can dump hashes from either the SAM or NTDS.dit.

## References

- https://www.rapid7.com/db/modules/auxiliary/scanner/mssql/mssql_login/
- https://noraj.gitlab.io/the-hacking-trove/Tools/sqsh/
- https://www.sqlshack.com/working-sql-server-command-line-sqlcmd/
- https://askubuntu.com/questions/788197/graphical-ms-sql-clients-for-a-ubuntu-desktop
- https://wizard32.net/blog/knock-and-pass-kerberos-exploitation.html
- https://adsecurity.org/?p=525
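Added example (not part of the original writeup, and not code from CyberChef or any tool mentioned above): a small Python script that reproduces the decoding step from the `secure_notes` section, peeling the file-name token one layer at a time (base64, then hex) until the result stops being decodable. The file name is the one from the box; the token extraction and the layer-peeling helpers are my own, and they generalize the single case in the text to any file name carrying a nested base64/hex token. From the defensive side the same routine is a cheap check for secrets smuggled into file names under a web root.

```python
import base64
import binascii
import re
import string

# The note file name from the box (taken from the writeup); everything else here is constructed.
NOTE_FILENAME = "dev_notes_NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx.txt.txt"

PRINTABLE = set(string.printable)


def extract_token(filename):
    """Return the first long run of base64/hex-looking characters in a file name, or None."""
    match = re.search(r"[A-Za-z0-9+/=]{16,}", filename)
    return match.group(0) if match else None


def looks_hex(s):
    return len(s) > 0 and len(s) % 2 == 0 and all(c in string.hexdigits for c in s)


def looks_base64(s):
    return len(s) > 0 and len(s) % 4 == 0 and re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", s) is not None


def decode_layers(token, max_depth=5):
    """Peel encodings off `token` one layer at a time.

    Hex is tried before base64 because every hex string is also syntactically valid base64.
    Decoding stops as soon as a layer does not yield printable ASCII, or after max_depth layers.
    Returns a list of (encoding, decoded_text) pairs, outermost layer first.
    """
    steps = []
    current = token
    for _ in range(max_depth):
        if looks_hex(current):
            raw, layer = bytes.fromhex(current), "hex"
        elif looks_base64(current):
            try:
                raw, layer = base64.b64decode(current, validate=True), "base64"
            except binascii.Error:
                break
        else:
            break
        try:
            text = raw.decode("ascii")
        except UnicodeDecodeError:
            break
        if not all(c in PRINTABLE for c in text):
            break
        steps.append((layer, text))
        current = text
    return steps


def decode_filename(filename):
    """Token extraction plus layered decoding; returns the innermost plaintext or None."""
    token = extract_token(filename)
    if token is None:
        return None
    steps = decode_layers(token)
    return steps[-1][1] if steps else None


if __name__ == "__main__":
    token = extract_token(NOTE_FILENAME)
    print("token:", token)
    for layer, text in decode_layers(token):
        print(f"{layer:>7} -> {text}")
```

The hex-before-base64 ordering is the one caveat: a base64 payload that happens to consist only of hex digits would be mis-decoded as hex first, which is why the loop stops the moment a layer produces non-printable output rather than trusting the guess.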
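Added example, written from the defender's side and not part of the original writeup: the post-exploitation steps above (adding `James` to `Administrators`, then running `secretsdump.py` against the domain controller, which for a remote NTDS.dit dump uses the directory-replication RPC interface by default) leave traces in the DC's Security log. The script below runs two checks over a constructed sample of such records: members being added to privileged groups (Event IDs 4728/4732/4756) and non-DC accounts requesting the replication control-access rights recorded in Event ID 4662. The event IDs and the replication-right GUIDs are the real, well-known values; the sample records, the names, the DNs and the placeholder GUID, and the alert logic itself, are constructed for this example.

```python
import re

# Groups whose membership changes should always be reviewed (as they appear in TargetUserName).
PRIVILEGED_GROUPS = {"administrators", "domain admins", "enterprise admins", "schema admins"}

# "A member was added to a security-enabled ... group": 4728 global, 4732 local, 4756 universal.
GROUP_ADD_EVENTS = {4728, 4732, 4756}

# Control-access-right GUIDs a DCSync-style replication request asks for. They appear in the
# Properties field of Event ID 4662 when directory service access auditing is enabled.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.IGNORECASE)

# Constructed sample of Security-log records. Field names follow the EventData XML names;
# every value (actors, DNs, the all-zero placeholder GUID) is made up for this example.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "james", "LogonType": 3},
    {"EventID": 4732, "SubjectUserName": "james", "TargetUserName": "Administrators",
     "MemberName": "CN=James,CN=Users,DC=htb,DC=local"},
    {"EventID": 4732, "SubjectUserName": "administrator", "TargetUserName": "Remote Desktop Users",
     "MemberName": "CN=Helpdesk,CN=Users,DC=htb,DC=local"},
    {"EventID": 4728, "SubjectUserName": "james", "TargetUserName": "Domain Admins",
     "MemberName": "CN=James,CN=Users,DC=htb,DC=local"},
    # Normal DC-to-DC replication: the actor is a domain controller's computer account.
    {"EventID": 4662, "SubjectUserName": "MANTIS$",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # A user account asking for replication rights: what a remote NTDS dump looks like on the DC.
    {"EventID": 4662, "SubjectUserName": "james",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Directory access that is not replication (placeholder GUID, not a real right).
    {"EventID": 4662, "SubjectUserName": "james",
     "Properties": "{00000000-0000-0000-0000-000000000000}"},
]


def privileged_group_additions(events):
    """Return (event_id, group, member, actor) for every addition to a privileged group."""
    hits = []
    for ev in events:
        if ev.get("EventID") not in GROUP_ADD_EVENTS:
            continue
        group = ev.get("TargetUserName", "")
        if group.lower() in PRIVILEGED_GROUPS:
            hits.append((ev["EventID"], group, ev.get("MemberName", ""), ev.get("SubjectUserName", "")))
    return hits


def replication_requests(events, dc_accounts):
    """Return (actor, [rights]) for 4662 events in which a non-DC account requests replication rights."""
    dcs = {a.upper() for a in dc_accounts}
    hits = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        actor = ev.get("SubjectUserName", "")
        if actor.upper() in dcs:
            continue  # domain controllers replicate with each other all the time
        rights = [REPLICATION_RIGHTS[g.lower()]
                  for g in GUID_RE.findall(ev.get("Properties", ""))
                  if g.lower() in REPLICATION_RIGHTS]
        if rights:
            hits.append((actor, rights))
    return hits


def triage(events, dc_accounts):
    """Run both checks over one log export and return the findings keyed by check name."""
    return {
        "privileged_group_additions": privileged_group_additions(events),
        "replication_requests": replication_requests(events, dc_accounts),
    }


if __name__ == "__main__":
    for check, findings in triage(SAMPLE_EVENTS, ["MANTIS$"]).items():
        print(check)
        for finding in findings:
            print("  ", finding)
```

Neither check produces anything unless the relevant auditing is on: 4728/4732/4756 come from the Security Group Management subcategory, and 4662 needs Directory Service Access auditing with a SACL on the domain object. The DC allow-list for the replication check must contain every domain controller's computer account, otherwise routine replication floods the results.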