# Mantis

## Mantis - 10.10.10.52

### Target Enumeration:

OS: Windows

IP: 10.10.10.52

User: 8a8622e2872d13d1162fbe92ce38f54d

Root: 209dc756ee5c09a9967540fe18d15567

### Ports / Services / Software Versions Running

```
53/tcp    open  domain       Microsoft DNS 6.1.7601 (1DB15CD4) (Windows Server 2008 R2 SP1)
88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2018-04-29 20:13:37Z)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds Windows Server 2008 R2 Standard 7601 Service Pack 1 microsoft-ds (workgroup: HTB)
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
1433/tcp  open  ms-sql-s     Microsoft SQL Server 2014 12.00.2000.00; RTM
3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
8080/tcp  open  http         Microsoft IIS httpd 7.5
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc        Microsoft Windows RPC
```

### Vulnerability Exploited:

Credentials for a domain user are stored in plaintext in the SQL database; psexec with those credentials gives a SYSTEM shell.

### Exploiting the host:

Nmap:

<div align="left"><img src="https://lh6.googleusercontent.com/vXVHQzW0O68FFOPLsBKITtd1fww3HOe6053XT1aYmz4-OOPaSYtK8ouMMnj--mVLT8ui4zEMyJ2ou44EoZSYahdDzG9gtQB3qAJu8dATMJuz2UTDQPnKgtviACFbNMpAgayDHdoj" alt=""></div>

Port 1337 is hosting the default IIS 7 install page.

![](https://lh4.googleusercontent.com/LXa4RigtJysLlyCiLuIl3jgkVLLZjTXpb2IrXNSUvLjYTfat_2--eyIE5n8A2__ywbuZ0YK_lbxp1fMKWtCM4BrxdOvjtfpcVffvB0UsqI-bHZIprsTypDSdX9wXRuJezTiOm-go)

Scanning with dirsearch gives:

![](https://lh6.googleusercontent.com/iIb0HihBn47rt1BtKwdMJdeBv0ndRNjducM01fRRYj6Y3wjApX9bQaPJNW4QlLRogeiQZxLFLNUTmEHh5p8v3v2QuhPnyaH-YThI1-K1_BZNvS6c647ZYWtEnRgONgbL407Tmc-Z)

secure_notes leads to the following two files:

![](https://lh3.googleusercontent.com/E0Swbz9sMHVozHVQaw9YLCGtiuVAlCbyZpjX0q9ncYJLzz_kG0-wIBSQq0yWizPmwdLr03-0jQ-XQRINikWES91rc_hwSb5L1R17vV5Y5EdolU1E8KIZjETxqOr_pxUqdyFfi0V7)

At the bottom of the dev_notes file we see some encoded credentials.

![](https://lh5.googleusercontent.com/lk4RVgzpXljslSRFSHwGHQ06mr1dzQyarkTr2k_UQX80_q05MsI0WJD5APIfXXNG5NVF65vsWSTINUXxlQZi6MfKDNUnGdt3IY2IapT3BWd15e98FuVPDWzDKIbWpc3K5ft8lFwB)

Those decode to nothing useful, but the file name itself looks like a base64 string.

![](https://lh6.googleusercontent.com/IP7YKXOmqMu9_x2l6Nb40siwSyNQga4ulVecCBO06pRYWnL17OpK3jIcXKF8s2PXwoduThTNL42KcnUKo-UCGfQb0afGxHVFNJfMWjcfQAEL_iMQn4j1wQwBZhhYd4X-jZ6fctvT)

Decoding it gives us the MSSQL password:

`m$$ql_S@_P@ssW0rd!`

Try it with the username admin, as mentioned at the bottom of the file.
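As an added example (not part of the original writeup), a small decoder that peels nested base64 and hex layers off any base64-looking token in a file name. The sample file name below is constructed here by re-encoding the password above; the real file name is only visible in the screenshot and is not reproduced.

```python
import base64
import binascii
import re

# Constructed sample: the page's MSSQL password, hex-encoded and then
# base64-encoded, wrapped in a dev_notes-style file name.
PASSWORD = "m$$ql_S@_P@ssW0rd!"
SAMPLE_FILENAME = (
    "dev_notes_"
    + base64.b64encode(PASSWORD.encode().hex().encode()).decode()
    + ".txt.txt"
)

# A run of 16+ base64 alphabet characters with optional padding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
HEX_RE = re.compile(rb"[0-9a-fA-F]+")
B64_RE = re.compile(rb"[A-Za-z0-9+/]+={0,2}")


def unwrap(token, max_layers=4):
    """Peel hex and base64 layers off a token until the data no longer
    looks encoded. Hex is tried first because every hex string is also a
    valid base64-alphabet string, so the reverse order would mis-decode
    the inner layer. Returns (layers_peeled, final_bytes)."""
    data = token.encode()
    layers = []
    for _ in range(max_layers):
        if HEX_RE.fullmatch(data) and len(data) % 2 == 0:
            data = bytes.fromhex(data.decode())
            layers.append("hex")
        elif B64_RE.fullmatch(data) and len(data) % 4 == 0:
            try:
                data = base64.b64decode(data, validate=True)
            except binascii.Error:
                break
            layers.append("base64")
        else:
            break
    return layers, data


def recover_secrets(filename):
    """Return {token: decoded_text} for every base64-looking token in a
    file name whose fully unwrapped payload is printable ASCII."""
    found = {}
    for token in B64_TOKEN.findall(filename):
        layers, data = unwrap(token)
        if layers and all(32 <= b < 127 for b in data):
            found[token] = data.decode()
    return found
```

Running `recover_secrets(SAMPLE_FILENAME)` maps the embedded token back to the password, while a plain name such as `dev_notes.txt` yields nothing.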

Now we need to log in to the SQL server:

<https://www.adampalmer.me/iodigitalsec/2013/08/10/accessing-and-hacking-mssql-from-backtrack-linux/>

The client it describes should already be installed on Kali.

![](https://lh3.googleusercontent.com/8xmITBCXBFyUNRBGBbtJYmzxuOCNDwjck75VKcVC-DV4vWMrZHRIHU0sxOWC70XBeBqDnh9rUJdBSUP4Nd33hryGnM2gNaKjP62VsHeLRbeAHjjrRTmxSEhSZRQ8TRUEdjKRWj8i)

Enumerate the database and eventually you will find:

![](https://lh6.googleusercontent.com/z2MHTjUIAqBmB5Xl_rlzDkAIGkdEFr9sRr3qZUqTAd0MsJqRqucx_vopYP_amMFbfve96jnA1cGG2M7iaDoWZv5YI_ZJzvIEZPT-8K0k_dfe-D4L0lHFJuTsl5yKpKh9UbHJYA_L)

Now view that database, which will give you a password.

![](https://lh3.googleusercontent.com/J2GLI5JKMCzmW8U2zDHGmrHgHFNM8kBZrDZTOxdFu63OqsQV_l-ygGb7Uhnrhf4XzIM3XF4B_gR4tODhaXJTo7XveSabCRH-85Wkw1hmGsE_rMNfSvwHcn2RuNBuVkTDfNu6DP8F)

Commands used:

```
-- List all databases on the instance
SELECT * FROM master.dbo.sysdatabases
Go
-- List the tables and columns of the Orchard CMS database
SELECT * FROM orcharddb.INFORMATION_SCHEMA.TABLES
Go
SELECT * FROM orcharddb.INFORMATION_SCHEMA.COLUMNS
Go
-- Switch to it and dump the Orchard user records, which hold the password
use orcharddb
Go
SELECT * FROM blog_Orchard_Users_UserPartRecord
```

### Privilege escalation

We have a username and a password but no RDP access, so log in via SMB.

Try psexec:

![](https://lh6.googleusercontent.com/PZ_8m6Q4pmW94gPdJ7t2IAK7SSZvtPoLLiqq59KrR3ut5QsuQ50yqvG7CGMCVixHnBn5hg6z9wnlQ_dq3_YEyAdTfaICcJO3pM8hfoB4VmS4LyxePgkkfd4cPLGbJRFii2EOBoOA)

Grab the user and root flags.

![](https://lh3.googleusercontent.com/XZEOEIHRv3p8RmQ4nMRvt4bo27j_izZQQ46jCrnOHhvCyAJmvxxck_sIQ1yQPILIXMUYWPnI7cG1lTVc3MucvG65GbE2OFR1bH8K90J8MN7OqTYMn-J4HxF1TJDjZyDfAjwo_FAs)
