HackTheBox-Mantis

10 min readJan 6, 2022

Hello everyone , in this post I will be sharirng my writeup for HTB-Mantis which is a really old windows active directory machine , starting off with the machine , there was a IIS sever running on port 1337 on which fuzzing for files reveal directory where it had a text file which contained some credentials and the name of the file which actually was a password to MSSQL service , logging in on mssql as an admin user we can find password for james user and being an old AD machine this was vulnerable to ms14–068 that can escalate our privileges to NT AUTHORITY\SYSTEM on the machine which is the highes privilege you can get

NMAP

PORT      STATE SERVICE      VERSION            
53/tcp    open  domain       Microsoft DNS 6.1.7601 (1DB15CD4) (Windows Server 2008 R2 SP1)
| dns-nsid:                                                            
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15CD4)              
88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2022-01-03 16:26:51Z)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn             
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds Windows Server 2008 R2 Standard 7601 Service Pack 1 microsoft-ds (workgroup: HTB)
464/tcp   open  kpasswd5?                                              
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
1337/tcp  open  http         Microsoft IIS httpd 7.5
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
1433/tcp  open  ms-sql-s     Microsoft SQL Server 2014 12.00.2000.00; RTM
| ms-sql-ntlm-info: 
|   Target_Name: HTB
|   NetBIOS_Domain_Name: HTB
|   NetBIOS_Computer_Name: MANTIS
|   DNS_Domain_Name: htb.local
|   DNS_Computer_Name: mantis.htb.local
|_  Product_Version: 6.1.7601
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2022-01-03T16:23:47
| Not valid after:  2052-01-03T16:23:47
| MD5:   c8ce e7c1 63c6 b69c f8ad 9227 769f b67c
|_SHA-1: 6810 c8c8 1e18 458d 4fd3 60d6 90b1 ca8e 5619 e790                        
|_ssl-date: 2022-01-03T16:28:00+00:00; 0s from scanner time.
3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5722/tcp  open  msrpc        Microsoft Windows RPC
8080/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Tossed Salad - Blog
9389/tcp  open  mc-nmf       .NET Message Framing
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc        Microsoft Windows RPC
49164/tcp open  msrpc        Microsoft Windows RPC
49166/tcp open  msrpc        Microsoft Windows RPC
49172/tcp open  msrpc        Microsoft Windows RPC
50255/tcp open  ms-sql-s     Microsoft SQL Server 2014 12.00.2000
| ms-sql-ntlm-info: 
|   Target_Name: HTB
|   NetBIOS_Domain_Name: HTB
|   NetBIOS_Computer_Name: MANTIS
|   DNS_Domain_Name: htb.local
|   DNS_Computer_Name: mantis.htb.local
|   DNS_Tree_Name: htb.local
|_  Product_Version: 6.1.7601
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
Service Info: Host: MANTIS; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 42m51s, deviation: 1h53m24s, median: 0s
| ms-sql-info: 
|   10.10.10.52:1433: 
|     Version: 
|       name: Microsoft SQL Server 2014 RTM
|       number: 12.00.2000.00
|       Product: Microsoft SQL Server 2014
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| smb-os-discovery: 
|   OS: Windows Server 2008 R2 Standard 7601 Service Pack 1 (Windows Server 2008 R2 Standard 6.1)
|   OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
|   Computer name: mantis
|   NetBIOS computer name: MANTIS\x00
|   Domain name: htb.local
|   Forest name: htb.local
|   FQDN: mantis.htb.local
|_  System time: 2022-01-03T11:27:49-05:00
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required

PORT 139/445/389 (SMB/LDAP)

Running enum4linux to check null authentication on smb , ldap and rpc to enumerate usernames if possible

And looks like that we are not successful here, running smbclient and smbmap also failed

PORT 1337 (HTTP)

This port gives us a IIS version 7 default page

So running gobuster against this I didn't found anything interesting

And this gives us forbidden message that we can’t access this directory

So I just left running a gobuster on this port with the wordlist directory-list-2.3-medium.txt and moved forward

PORT 8080 (HTTP)

Visting port 8080 , this shows a blog page

There’s an option to add a comment in blog post , so let’s try and see if there’s xss here

But nothing really happened , even the comment wasn’t added , so gobuster to fuzz for files here I did found some directories

But these are two posts that we already saw on the main page, and the admin page would require us to enter credentials which we can just try the default ones like admin:admin but it didn't worked

Going back to the scan left on port 1337 it found a directory secure_notes

web.config file returned 404 but with text file we found some juicy information

Scrolling down below we can also find a password for orchid cms admin user which is in binary

Logging in with this password we can become admin on orchid user

But being admin on orchid cms , there wasn’t anything that we can abuse neither there were any exploits available that could give us code execution

Notice that the file name we saw in secure_notes dev_notes_NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx.txt.txt , the text in the middle "NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx" this looks like some sort of encoding , using the magic feature of cyber chef this can identify and decode it

Further decoding this from base64 to hex

This decoded to a plain text which is mssql login password , we already saw the username from the text file which is sa, so using crackmapexec we can verify if we have correct credentials

But these creds failed ,tried with admin user as well but no luck

So switched to using metasploit module for mssql login and it worked ,it could be that the mssql version that the target machine is using is quite old for crackmapexec so that’s why this module works

There’s a tool for linux called sqsh which works well with older version of mssql and it's a client for linux when interacting with sql

sqsh -S 10.10.10.52 -U 'admin' -P 'm$$ql_S@_P@ssW0rd!'

After connecting with mssql we need to now run commands in order to select the database we want to use and then see which tables are there

select name from sys.databases
go

I tried listing tables in orcharddb but it wasn't in a good format and was un readable

Also tried to see if we can get command execution here but it failed

To counter this , I searched for GUI client for linux in order to connect to mssql and found DBeaver

Installing the debian package for dbeaver

after it’s installed , select the connection for SQL Server

Now we can see the databases easily so this is a really good tool to view databases, moving on , we can access orcharddb and selecting the table UserPartRecord we can see the columns username and password so this seems promising as we may find potential username

Switching to data , we can see the admin user and james user

Trying to verify the login with crackmapexec it will fail as the tool may not support older version of smb

However using smbmap we can see the shares and the permissions we have on them

Running enum4linux just to check if we can enumerate usernames and groups on the machine

Looking into NETLOGON , there wasn’t anything there, SYSVOL Share had some policies files which just showed what privileges were enabled but it really wasn’t interesting other than that just password policy files were there

So being an AD machine only thing that was coming into my mind was running bloodhound and since there’s no winrm running we can’t get just use sharphound powershell script so there’s a python implementation for sharphound that collects information of AD and generates json files that we can import to bloodhound GUI

python3 /opt/Python-Bloodhound/bloodhound.py -d htb.local -u 'James' -p 'J@m3s_P@ssW0rd!' -c all -
ns 10.10.10.52

Running the pre-built query Shortest path to high level targets we only see that this user can RDP into the machine but there's no RPD service running (port 3389) on the machine

As this machine is way old , judging from the MSSQL version and OS version being used ,the domain controller may also be vulnerable

So a vulnerability exists in unpatched versions of windows AD servers which is known as MS14-068 which escalates privileges of a normal user to an administrator or a NT AUTHORITY\SYSTEM on the machine , there was a issue in validating signatures in PAC (Privilege Attribute Certificate) as Domain controller wasn't able to validate invalid signature created by a valid domain user that can cause an attacker to give him the highest privileges by forging information in PAC to grant him higher privileges

To abuse this attack there’s an impacket script called goldenPac.py , so simply we need to just supply correct credentials and also to note that we need to specify the computer name as well else it won't work