🍏Mantis
https://app.hackthebox.com/machines/98
I'll start with a quick nmap scan and then look more deeply at each open port:
We quickly enumerate SMB. Both smbmap and smbclient seem to authenticate anonymously, but return no shares:
Now let's enumerate RPC over SMB (port 445):
Now let's look for valid users:
Good, we found some stuff:
Now let's test for AS-REP Roasting with GetNPUsers.py:

for user in $(cat users); do GetNPUsers.py htb.local/${user} -no-pass -dc-ip 10.129.20.149 2>/dev/null | grep -F -e '[+]' -e '[-]'; done

for user in $(cat users): loops through each line of the file "users" and assigns it to the variable "user".
GetNPUsers.py htb.local/${user} -no-pass -dc-ip 10.129.20.149: runs GetNPUsers.py for each user, with the domain "htb.local" and 10.129.20.149 as the domain controller; -no-pass tells the script not to prompt for a password, so the AS-REQ is sent without pre-authentication data.
2>/dev/null: redirects any error messages to the null device, hiding them.
| grep -F -e '[+]' -e '[-]': filters the output down to lines containing the literal "[+]" or "[-]" markers, which show whether the script obtained an AS-REP hash for the user (Kerberos pre-authentication disabled) or not.
We look at the HTTP web page on port 8080:
Then we see:
Maybe there is something to look at on this side:
But let's continue enumeration.
Port 1337 was also open:
Bingo
I click on the first one and see some steps for setting up the server:
Beware of sneaky traps, scroll down:
We then go to
and are able to log in with those creds:
The naming of the file was a bit weird:
so I copied and pasted it into CyberChef and let the magic do its thing:
Another way of doing it is:
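As an added example (not the post's own one-liner), here is how to decode such a name in the shell without depending on xxd or CyberChef. It assumes the odd-looking filename is a plain run of hex digits. The sample string is constructed for the example: it is the hex encoding of the password that appears later on this page, not the filename from the box.

```shell
#!/bin/sh
# Added example, not the post's own command. Decodes a filename that is a
# run of hex digits back to ASCII using only the shell and printf, so it works
# where xxd is not installed. The sample below is constructed: it is the hex
# encoding of the password the post uses later, not the filename from the box.

# Accept only a non-empty, even-length string of hex digits; return 1 otherwise.
is_hex() {
    case "$1" in
        ''|*[!0-9a-fA-F]*) return 1 ;;
    esac
    [ $(( ${#1} % 2 )) -eq 0 ]
}

# Decode hex pairs to bytes. Each pair becomes an octal escape (\0ddd) that
# printf %b understands in both POSIX sh and bash.
decode_hex() {
    hex=$1
    is_hex "$hex" || return 1
    out=""
    while [ -n "$hex" ]; do
        pair=$(printf '%.2s' "$hex")
        hex=${hex#??}
        out="$out$(printf '\\0%03o' "$(( 0x$pair ))")"
    done
    printf '%b' "$out"
}

# Constructed sample: the hex encoding of "m$$ql_S@_P@ssW0rd!".
SAMPLE=6d2424716c5f53405f504073735730726421
decode_hex "$SAMPLE"; echo
```

decode_hex refuses odd-length or non-hex input instead of silently producing garbage, which is the usual failure when a name only looks encoded.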
Since the file's content identified the user admin, I'll try connecting to MSSQL (port 1433) with admin/m$$ql_S@_P@ssW0rd!:
But the CLI is not the best, so let's use a GUI, DBeaver:
Then we go through every table and look at the data:
This brings a new perspective to our enumeration:
To connect via RPC with rpcclient using credentials:
With a valid user, I can now dump the full user list and check it for AS-REP Roasting:
Nothing to be found on this side:
After striking out on more exploitation, I started to Google a bit and eventually found a blog post about MS14-068. Basically it is a critical vulnerability in Windows domain controllers: the KDC does not properly validate the signature on the PAC inside a ticket, so an ordinary domain user can forge a PAC claiming Domain Admins membership and obtain a ticket carrying those privileges (often loosely called a golden ticket). With that ticket, I am basically a domain admin.
Install the Kerberos packages:
In /etc/hosts:
In /etc/resolv.conf:
In /etc/krb5.conf (information about the domain):
Then ntpdate 10.10.10.52 to sync my host's time to Mantis, as Kerberos requires the two clocks to be in sync:
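The steps above, written out as an added example script that is not the post's own commands. Since the page never shows the file contents, the values are assumptions: the realm HTB.LOCAL is the upper-case form of the htb.local domain used earlier, the DC's short name mantis (and so the FQDN mantis.htb.local) is taken from the machine name, and DC_IP is 10.10.10.52, the address the post passes to ntpdate (the GetNPUsers step used 10.129.20.149, so set it to whatever your instance was assigned). The render functions let you inspect each generated file before apply writes it to /etc as root; clock_skew_ok encodes the 300-second default tolerance that makes the ntpdate step necessary.

```shell
#!/bin/sh
# Added example for the Kerberos client setup on the attacking box.
# Not the post's own commands. Assumed values (the page does not show them):
#   REALM   - HTB.LOCAL, upper-case form of the htb.local domain
#   DC_HOST - mantis, the DC's short name (its FQDN is never shown on the page)
#   DC_IP   - 10.10.10.52, the address the post passes to ntpdate
REALM=HTB.LOCAL
DOMAIN=htb.local
DC_HOST=mantis
DC_IP=10.10.10.52

# /etc/hosts entry: map the DC's FQDN and short name to its IP.
render_hosts_entry() {
    printf '%s %s.%s %s\n' "$DC_IP" "$DC_HOST" "$DOMAIN" "$DC_HOST"
}

# /etc/resolv.conf: use the DC as resolver so lookups inside the domain work.
render_resolv_conf() {
    printf 'search %s\nnameserver %s\n' "$DOMAIN" "$DC_IP"
}

# /etc/krb5.conf: realm, KDC and the domain-to-realm mapping.
# DNS lookups are disabled so the client talks to exactly the KDC named here.
render_krb5_conf() {
    cat <<EOF
[libdefaults]
    default_realm = $REALM
    dns_lookup_realm = false
    dns_lookup_kdc = false

[realms]
    $REALM = {
        kdc = $DC_HOST.$DOMAIN
        admin_server = $DC_HOST.$DOMAIN
    }

[domain_realm]
    .$DOMAIN = $REALM
    $DOMAIN = $REALM
EOF
}

# Kerberos rejects requests when client and KDC clocks differ by more than
# 300 seconds (the library default). Arguments are two epoch timestamps;
# returns 0 when they are close enough for Kerberos to accept.
clock_skew_ok() {
    diff=$(( $1 - $2 ))
    [ "${diff#-}" -le 300 ]
}

# Write the real files and sync the clock; needs root and a reachable DC.
# krb5-user is the Debian/Kali package that provides kinit and friends.
apply() {
    apt-get install -y krb5-user
    render_hosts_entry >> /etc/hosts
    render_resolv_conf > /etc/resolv.conf
    render_krb5_conf > /etc/krb5.conf
    ntpdate "$DC_IP"
}

if [ "${1:-}" = apply ]; then
    apply
fi
```

Run it with the argument apply to write the files; without arguments it only defines the functions, so you can call render_krb5_conf to review the output first.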
Let's try to connect to the C$ share:
But it does not work: