# Mantis

## Mantis - 10.10.10.52

### Target Enumeration:

OS: Windows

IP: 10.10.10.52

User: 8a8622e2872d13d1162fbe92ce38f54d

Root: 209dc756ee5c09a9967540fe18d15567

### Ports / Services / Software Versions Running

```
53/tcp    open  domain       Microsoft DNS 6.1.7601 (1DB15CD4) (Windows Server 2008 R2 SP1)
88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2018-04-29 20:13:37Z)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds Windows Server 2008 R2 Standard 7601 Service Pack 1 microsoft-ds (workgroup: HTB)
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
1433/tcp  open  ms-sql-s     Microsoft SQL Server 2014 12.00.2000.00; RTM
3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
8080/tcp  open  http         Microsoft IIS httpd 7.5
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc        Microsoft Windows RPC
```

### Vulnerability Exploited:

User credentials are stored in the SQL database; using them with psexec over SMB gives a SYSTEM shell.

### Exploiting the host:

Nmap scan:

![](https://lh6.googleusercontent.com/vXVHQzW0O68FFOPLsBKITtd1fww3HOe6053XT1aYmz4-OOPaSYtK8ouMMnj--mVLT8ui4zEMyJ2ou44EoZSYahdDzG9gtQB3qAJu8dATMJuz2UTDQPnKgtviACFbNMpAgayDHdoj)

Port 1337 hosts the basic IIS 7 install page.

![](https://lh4.googleusercontent.com/LXa4RigtJysLlyCiLuIl3jgkVLLZjTXpb2IrXNSUvLjYTfat_2--eyIE5n8A2__ywbuZ0YK_lbxp1fMKWtCM4BrxdOvjtfpcVffvB0UsqI-bHZIprsTypDSdX9wXRuJezTiOm-go)

Scanning with dirsearch gives:

![](https://lh6.googleusercontent.com/iIb0HihBn47rt1BtKwdMJdeBv0ndRNjducM01fRRYj6Y3wjApX9bQaPJNW4QlLRogeiQZxLFLNUTmEHh5p8v3v2QuhPnyaH-YThI1-K1_BZNvS6c647ZYWtEnRgONgbL407Tmc-Z)

`secure_notes` leads to the following two files:

![](https://lh3.googleusercontent.com/E0Swbz9sMHVozHVQaw9YLCGtiuVAlCbyZpjX0q9ncYJLzz_kG0-wIBSQq0yWizPmwdLr03-0jQ-XQRINikWES91rc_hwSb5L1R17vV5Y5EdolU1E8KIZjETxqOr_pxUqdyFfi0V7)

At the bottom of the `dev_notes` file we see some encoded credentials.

![](https://lh5.googleusercontent.com/lk4RVgzpXljslSRFSHwGHQ06mr1dzQyarkTr2k_UQX80_q05MsI0WJD5APIfXXNG5NVF65vsWSTINUXxlQZi6MfKDNUnGdt3IY2IapT3BWd15e98FuVPDWzDKIbWpc3K5ft8lFwB)

That decodes to nothing useful; the file name itself, however, looks like a base64 string.

![](https://lh6.googleusercontent.com/IP7YKXOmqMu9_x2l6Nb40siwSyNQga4ulVecCBO06pRYWnL17OpK3jIcXKF8s2PXwoduThTNL42KcnUKo-UCGfQb0afGxHVFNJfMWjcfQAEL_iMQn4j1wQwBZhhYd4X-jZ6fctvT)

This gives us the MSSQL password:

`m$$ql_S@_P@ssW0rd!`

Try the username admin, as mentioned at the bottom of the file.
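A small decoder that peels base64 and hex layers off a token until plain printable text remains. This is an added Python example, not part of the original writeup; it generalizes the single decode step above by also handling a hex layer under the base64 one, and the sample token is constructed here by re-encoding the page's own recovered password, since the real file name only appears in the screenshot.

```python
import base64
import binascii
import string

# Constructed sample: the page's recovered password, hex-encoded and then
# base64-encoded, standing in for a file name that carries an encoded secret.
SAMPLE_NAME = base64.b64encode(b"m$$ql_S@_P@ssW0rd!".hex().encode()).decode()

HEX_CHARS = set(string.hexdigits)
B64_CHARS = set(string.ascii_letters + string.digits + "+/=")


def _is_printable(data: bytes) -> bool:
    """True when every byte is printable 7-bit ASCII (the stop condition)."""
    return all(32 <= b < 127 for b in data)


def _try_hex(text: str):
    """Decode an even-length, all-hex string; None if it is not hex."""
    if text and len(text) % 2 == 0 and set(text) <= HEX_CHARS:
        try:
            return binascii.unhexlify(text)
        except binascii.Error:
            return None
    return None


def _try_base64(text: str):
    """Decode a string drawn from the base64 alphabet; None otherwise."""
    if text and len(text) % 4 == 0 and set(text) <= B64_CHARS:
        try:
            return base64.b64decode(text, validate=True)
        except binascii.Error:
            return None
    return None


def peel_layers(token: str, max_layers: int = 5):
    """Strip hex/base64 layers in turn until nothing decodes to printable text.

    Hex is tried before base64 because every hex string is also a valid
    base64 alphabet string, but not the other way round. Returns the final
    text and the list of layer names that were removed, outermost first.
    """
    layers = []
    current = token
    for _ in range(max_layers):
        for name, fn in (("hex", _try_hex), ("base64", _try_base64)):
            decoded = fn(current)
            if decoded is not None and _is_printable(decoded):
                layers.append(name)
                current = decoded.decode("ascii")
                break
        else:
            break  # neither layer applied: we have reached plain text
    return current, layers


if __name__ == "__main__":
    text, layers = peel_layers(SAMPLE_NAME)
    print(f"{SAMPLE_NAME} -> {text} (layers removed: {layers})")
```

The layer heuristics are deliberately strict (length checks plus alphabet checks), so ordinary words such as a real file name are left untouched rather than being mangled into bytes.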

Now we need to log in to the SQL server:

<https://www.adampalmer.me/iodigitalsec/2013/08/10/accessing-and-hacking-mssql-from-backtrack-linux/>

You should already have this installed on Kali.

![](https://lh3.googleusercontent.com/8xmITBCXBFyUNRBGBbtJYmzxuOCNDwjck75VKcVC-DV4vWMrZHRIHU0sxOWC70XBeBqDnh9rUJdBSUP4Nd33hryGnM2gNaKjP62VsHeLRbeAHjjrRTmxSEhSZRQ8TRUEdjKRWj8i)

Enumerate the database and eventually you will find:

![](https://lh6.googleusercontent.com/z2MHTjUIAqBmB5Xl_rlzDkAIGkdEFr9sRr3qZUqTAd0MsJqRqucx_vopYP_amMFbfve96jnA1cGG2M7iaDoWZv5YI_ZJzvIEZPT-8K0k_dfe-D4L0lHFJuTsl5yKpKh9UbHJYA_L)

Now view that database, which will give you a password:

![](https://lh3.googleusercontent.com/J2GLI5JKMCzmW8U2zDHGmrHgHFNM8kBZrDZTOxdFu63OqsQV_l-ygGb7Uhnrhf4XzIM3XF4B_gR4tODhaXJTo7XveSabCRH-85Wkw1hmGsE_rMNfSvwHcn2RuNBuVkTDfNu6DP8F)

Commands used (each batch is sent with `Go`):

```sql
-- List every database on the instance
SELECT * FROM master.dbo.sysdatabases
Go
-- Enumerate the tables and columns of the orcharddb database
SELECT * FROM orcharddb.INFORMATION_SCHEMA.TABLES
Go
SELECT * FROM orcharddb.INFORMATION_SCHEMA.COLUMNS
Go
use orcharddb
Go
-- The Orchard CMS user table holds the credentials
SELECT * FROM blog_Orchard_Users_UserPartRecord
```

### Privilege escalation:

We have a username and a password but no RDP, so log in via SMB.

Try psexec:

![](https://lh6.googleusercontent.com/PZ_8m6Q4pmW94gPdJ7t2IAK7SSZvtPoLLiqq59KrR3ut5QsuQ50yqvG7CGMCVixHnBn5hg6z9wnlQ_dq3_YEyAdTfaICcJO3pM8hfoB4VmS4LyxePgkkfd4cPLGbJRFii2EOBoOA)
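From the defender's side, the psexec step above leaves a clear trace: a new service is installed on the target and runs as LocalSystem, which is why the resulting shell is SYSTEM. The following is an added Python example, not part of the original writeup, that classifies Windows System-log event 7045 ("A service was installed in the system") records. The records are constructed here with the event's EventData field names (ServiceName, ImagePath, AccountName); the baseline allowlist and host name are assumptions for the example.

```python
import re

# Service name used by Sysinternals PsExec; other PsExec-style tools install
# a service with a random-looking name, so those are judged by binary location.
KNOWN_REMOTE_EXEC_SERVICES = {"psexesvc"}

# Constructed allowlist of service binaries that legitimately live directly in
# the Windows directory; a real deployment would build this from a baseline.
BASELINE_ROOT_BINARIES = {"svchost.exe", "spoolsv.exe"}

# Matches an .exe placed directly in the Windows root (no sub-directory),
# which is where PsExec-style tools drop the service binary via ADMIN$.
WINDOWS_ROOT_EXE = re.compile(
    r"^(?:%systemroot%|%windir%|c:\\windows)\\([^\\]+\.exe)\b", re.IGNORECASE)

# Constructed sample records shaped like event 7045 EventData (host name assumed).
SAMPLE_EVENTS = [
    {"EventID": 7045, "Host": "DC01", "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe", "AccountName": "LocalSystem"},
    {"EventID": 7045, "Host": "DC01", "ServiceName": "xKQjLwsb",
     "ImagePath": r"%systemroot%\pYdHqfRa.exe", "AccountName": "LocalSystem"},
    {"EventID": 7045, "Host": "DC01", "ServiceName": "MSSQLSERVER",
     "ImagePath": r"C:\Program Files\Microsoft SQL Server\MSSQL12.MSSQLSERVER\MSSQL\Binn\sqlservr.exe",
     "AccountName": r"NT Service\MSSQLSERVER"},
    {"EventID": 7045, "Host": "DC01", "ServiceName": "Spooler",
     "ImagePath": r"%SystemRoot%\spoolsv.exe", "AccountName": "LocalSystem"},
    {"EventID": 7036, "Host": "DC01", "ServiceName": "Spooler"},
]


def classify_service_install(event):
    """Return a reason string for a suspicious 7045 record, else None."""
    if event.get("EventID") != 7045:
        return None
    name = event.get("ServiceName", "").lower()
    image = event.get("ImagePath", "").strip('"')
    if name in KNOWN_REMOTE_EXEC_SERVICES:
        return "psexec-service-name"
    match = WINDOWS_ROOT_EXE.match(image)
    if match and match.group(1).lower() not in BASELINE_ROOT_BINARIES:
        return "service-binary-in-windows-root"
    return None


def find_suspicious(events):
    """Yield (host, service name, account, reason) for every flagged record."""
    hits = []
    for event in events:
        reason = classify_service_install(event)
        if reason:
            hits.append((event["Host"], event["ServiceName"],
                         event.get("AccountName", ""), reason))
    return hits


if __name__ == "__main__":
    for host, svc, account, reason in find_suspicious(SAMPLE_EVENTS):
        print(f"{host}: service {svc!r} running as {account}: {reason}")
```

Event 4697 in the Security log carries the same information when service-install auditing is enabled; the classifier only needs the service name and image path, so the same rules apply to either source.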

Grab the root and user flags (the hashes listed under Target Enumeration above).

![](https://lh3.googleusercontent.com/XZEOEIHRv3p8RmQ4nMRvt4bo27j_izZQQ46jCrnOHhvCyAJmvxxck_sIQ1yQPILIXMUYWPnI7cG1lTVc3MucvG65GbE2OFR1bH8K90J8MN7OqTYMn-J4HxF1TJDjZyDfAjwo_FAs)

