HackTheBox-Mantis
NMAP
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15CD4) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15CD4)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-01-03 16:26:51Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2008 R2 Standard 7601 Service Pack 1 microsoft-ds (workgroup: HTB)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
1337/tcp open http Microsoft IIS httpd 7.5
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
1433/tcp open ms-sql-s Microsoft SQL Server 2014 12.00.2000.00; RTM
| ms-sql-ntlm-info:
| Target_Name: HTB
| NetBIOS_Domain_Name: HTB
| NetBIOS_Computer_Name: MANTIS
| DNS_Domain_Name: htb.local
| DNS_Computer_Name: mantis.htb.local
|_ Product_Version: 6.1.7601
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2022-01-03T16:23:47
| Not valid after: 2052-01-03T16:23:47
| MD5: c8ce e7c1 63c6 b69c f8ad 9227 769f b67c
|_SHA-1: 6810 c8c8 1e18 458d 4fd3 60d6 90b1 ca8e 5619 e790
|_ssl-date: 2022-01-03T16:28:00+00:00; 0s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5722/tcp open msrpc Microsoft Windows RPC
8080/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Tossed Salad - Blog
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
49164/tcp open msrpc Microsoft Windows RPC
49166/tcp open msrpc Microsoft Windows RPC
49172/tcp open msrpc Microsoft Windows RPC
50255/tcp open ms-sql-s Microsoft SQL Server 2014 12.00.2000
| ms-sql-ntlm-info:
| Target_Name: HTB
| NetBIOS_Domain_Name: HTB
| NetBIOS_Computer_Name: MANTIS
| DNS_Domain_Name: htb.local
| DNS_Computer_Name: mantis.htb.local
| DNS_Tree_Name: htb.local
|_ Product_Version: 6.1.7601
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
Service Info: Host: MANTIS; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 42m51s, deviation: 1h53m24s, median: 0s
| ms-sql-info:
| 10.10.10.52:1433:
| Version:
| name: Microsoft SQL Server 2014 RTM
| number: 12.00.2000.00
| Product: Microsoft SQL Server 2014
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
| smb-os-discovery:
| OS: Windows Server 2008 R2 Standard 7601 Service Pack 1 (Windows Server 2008 R2 Standard 6.1)
| OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
| Computer name: mantis
| NetBIOS computer name: MANTIS\x00
| Domain name: htb.local
| Forest name: htb.local
| FQDN: mantis.htb.local
|_ System time: 2022-01-03T11:27:49-05:00
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
PORT 139/445/389 (SMB/LDAP)
Running enum4linux to check whether null authentication against SMB, LDAP and RPC lets us enumerate usernames. It doesn't: the null session gets us nothing here. Running smbclient and smbmap with a null session also failed.
PORT 1337 (HTTP)
This port serves the default IIS 7 page.
Running gobuster against it didn't turn up anything interesting at first, and the one directory it did find returned a 403 Forbidden, so we can't browse it directly.
So I left gobuster running on this port with the directory-list-2.3-medium.txt wordlist and moved on.
PORT 8080 (HTTP)
Visiting port 8080 shows a blog page.
There's an option to add a comment on a blog post, so let's try it and see if there's XSS here.
Nothing happened; the comment wasn't even added. Fuzzing for files with gobuster did find some directories,
but they are just the two posts we already saw on the main page plus an admin page that requires credentials. Trying defaults such as admin:admin
didn't work.
Going back to the gobuster scan left running on port 1337, it found a directory named secure_notes.
The web.config file in it returned a 404, but the text file in the same directory contains some juicy information.
Scrolling further down we also find a password for the Orchard CMS admin user, written out in binary.
Logging in with this password makes us admin on the Orchard CMS instance.
Being admin on Orchard CMS, however, gave nothing to abuse, and there were no public exploits for it that would give code execution.
Notice the file name we saw in secure_notes: dev_notes_NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx.txt.txt
The text in the middle, "NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx", looks like some sort of encoding. The Magic feature of CyberChef can identify and decode it.
Decoding it from base64 yields a hex string, and decoding that hex yields the plaintext.
That plaintext is the MSSQL login password. The username comes from the text file: the notes describe the database user that was created, and the account to try first is sa.
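The same two-layer decode done in code, as an added example (not the author's tooling or anything from the box itself). The only input from the page is the file name; the binary sample at the bottom is constructed, because the page doesn't reproduce the binary-encoded Orchard password. The point of the extra checks is that a random-looking token can "decode" under base64 without meaning anything, so each layer is validated before the result is reported as a credential.

```python
import base64
import binascii
import re
import string

# Taken from the /secure_notes listing on port 1337 (dev_notes_<token>.txt.txt).
FILENAME = "dev_notes_NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx.txt.txt"

PRINTABLE = set(string.printable) - set("\x0b\x0c")


def extract_token(filename: str) -> str:
    """Pull the encoded token out of a dev_notes_<token>.txt... file name."""
    m = re.match(r"dev_notes_([A-Za-z0-9+/=]+)\.txt", filename)
    if not m:
        raise ValueError("file name does not match the dev_notes_<token> pattern")
    return m.group(1)


def decode_base64_hex(token: str) -> str:
    """base64 -> hex string -> ASCII, the two-layer encoding CyberChef's Magic flagged.

    Raises ValueError if either layer is malformed or the final bytes are not
    printable text, so a false positive is rejected rather than reported.
    """
    layer1 = base64.b64decode(token, validate=True)      # b'6d2424716c5f...'
    hexstr = layer1.decode("ascii")
    if len(hexstr) % 2 or not re.fullmatch(r"[0-9a-fA-F]+", hexstr):
        raise ValueError("base64 payload is not a hex string")
    plain = binascii.unhexlify(hexstr).decode("ascii")
    if not all(ch in PRINTABLE for ch in plain):
        raise ValueError("decoded bytes are not printable text")
    return plain


def decode_binary(bits: str) -> str:
    """Decode 8-bit binary groups (spaced or contiguous) to text, the form the
    notes file used for the Orchard admin password."""
    compact = "".join(bits.split())
    if len(compact) % 8 or set(compact) - {"0", "1"}:
        raise ValueError("not a sequence of 8-bit binary groups")
    return "".join(chr(int(compact[i:i + 8], 2)) for i in range(0, len(compact), 8))


if __name__ == "__main__":
    token = extract_token(FILENAME)
    print("token     :", token)
    print("hex layer :", base64.b64decode(token).decode())
    print("plaintext :", decode_base64_hex(token))
    # Constructed sample, not the value from the box.
    print("binary    :", decode_binary("01110000 01100001 01110011 01110011"))
```

Running it prints the MSSQL password that sqsh is used with later in this writeup; the constructed binary sample just decodes to "pass".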
Using crackmapexec
we can verify whether the credentials are correct.
These creds failed for sa, and trying the admin user from the notes gave no luck either.
So I switched to the Metasploit mssql_login module and it worked. Likely crackmapexec's MSSQL login doesn't handle the old SQL Server version on the target, which is why the module succeeds where it fails.
There's a Linux command-line client for SQL Server called sqsh
which works well with older MSSQL versions, so we use it to interact with the database:
sqsh -S 10.10.10.52 -U 'admin' -P 'm$$ql_S@_P@ssW0rd!'
After connecting to MSSQL we need to select the database we want to use and then see which tables are in it. Listing the databases first:
select name from sys.databases
go
I tried listing the tables in orcharddb,
but sqsh's output wasn't in a readable format.
I also tried to get command execution through the SQL connection, but it failed.
To work around this I searched for a Linux GUI client for MSSQL and found DBeaver.
After installing the Debian package for DBeaver,
create a new connection and pick the SQL Server driver.
Now the databases are easy to browse, so this is a really good tool for viewing them. Moving on, we open orcharddb
and select the table UserPartRecord.
It has UserName and Password columns, which is promising since it may give us usernames.
Switching to the Data tab, we can see the admin user and the james user.
Trying to verify James's login with crackmapexec fails, as cme may not support the older SMB version on this host.
Using smbmap, however,
we can see the shares and the permissions we have on them.
Running enum4linux again, now with credentials, to enumerate usernames and groups on the machine.
Looking into NETLOGON, there wasn't anything there. The SYSVOL share had some Group Policy files, but they only showed which privileges were enabled and the password policy; nothing else interesting.
This being an AD domain controller, the obvious next step is BloodHound. Since there's no WinRM running we can't just run the SharpHound PowerShell collector on the host, but there's a Python implementation of the collector (BloodHound.py) that gathers the AD information remotely and generates JSON files we can import into the BloodHound GUI. Note that -ns points it at the DC as name server, since we saw DNS on port 53:
python3 /opt/Python-Bloodhound/bloodhound.py -d htb.local -u 'James' -p 'J@m3s_P@ssW0rd!' -c all -ns 10.10.10.52
Running the pre-built query "Shortest Paths to High Value Targets",
we only see that this user can RDP into the machine, but there's no RDP service (port 3389) running on it according to the scan.
As this machine is quite old, judging from the MSSQL and OS versions in use, the domain controller itself may be vulnerable.
A vulnerability in unpatched Windows domain controllers known as MS14-068 (CVE-2014-6324)
lets a normal domain user escalate to Domain Admin, which on the DC means Administrator or NT AUTHORITY\SYSTEM. The issue was in validating the signatures on the PAC (Privilege Attribute Certificate) embedded in Kerberos tickets: the KDC accepted a PAC whose checksums were computed with an unkeyed algorithm such as MD5 instead of one keyed with the DC's secret, so any valid domain user could forge a PAC claiming membership in privileged groups and obtain a ticket the DC honours with those privileges.
To abuse this there's an Impacket script called goldenPac.py.
We simply need to supply valid domain credentials. Also note that the target must be given by its computer name (FQDN), not its IP, else it won't work: Kerberos needs the hostname to build the service principal for the ticket request.
Without specifying the computer name it gives an error.
So add the computer name, mantis.htb.local, to /etc/hosts
pointing at 10.10.10.52.
With the computer name the exploit works and gives us a SYSTEM shell on the DC. From there we can also dump hashes from NTDS.dit. To do this add James
to the Administrators
group, so the account can be used for the remote dump.
Also, to get a PowerShell session we need to enable the WinRM service from that shell.
Then verify from the attacking machine that we can reach the WinRM port (5985) before trying to connect.
Finally, using secretsdump.py,
also part of Impacket, we can dump the hashes; it works against either the SAM or, on a domain controller, the NTDS.dit database.
References
- https://www.rapid7.com/db/modules/auxiliary/scanner/mssql/mssql_login/
- https://noraj.gitlab.io/the-hacking-trove/Tools/sqsh/
- https://www.sqlshack.com/working-sql-server-command-line-sqlcmd/
- https://askubuntu.com/questions/788197/graphical-ms-sql-clients-for-a-ubuntu-desktop
- https://wizard32.net/blog/knock-and-pass-kerberos-exploitation.html
- https://adsecurity.org/?p=525