# HackTheBox - Mantis - 10.10.10.52

Mantis is a hard-difficulty Active Directory machine on hackthebox.eu.

## Summary

Mantis can definitely be one of the more challenging machines for some users. Successful exploitation requires a fair bit of knowledge of, or research into, Windows Server and how a domain controller works.

## Recon and Scanning

### Nmap Results

Nmap shows us an IIS web server on port 1337, SQL Server on port 1433 and the usual ports for a domain controller. I will enumerate the web page first, as I have no credentials for the SQL Server.

### GoBusting

As there is nothing on the default IIS page, I will start a gobuster scan to try to find some hidden pages.

The gobuster scan revealed a directory, secure_notes, with two files inside.

dev_notes_NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx.txt.txt

The dev notes reveal:

• There is a SQL Server with a database called orcharddb.
• There is a user called “admin”.
• The password has been set.

Something else interesting is that the string after dev_notes in the URL looks to be base64 and could be a clue to the password.

## SQL Server

The decoded base64 string turns out to be a hex string, and that hex string, when decoded, reveals the SQL Server password.

We now have credentials for the SQL Server: admin:m$$ql_S@_P@ssW0rd!
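The decode chain just described, written out as an added example that is not part of the original write-up. It runs over a constructed directory listing and generalises the idea to a small check a defender can run over a web root: any file name carrying a base64 token that decodes to a hex string, which in turn decodes to printable text, is flagged as a likely leaked secret.

```python
import base64
import binascii
import re
import string

# Constructed sample listing: the secure_notes file name from the write-up plus two decoys.
SAMPLE_LISTING = [
    "dev_notes_NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx.txt.txt",
    "web.config",
    "readme.txt",
]

PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")
# Runs of base64 alphabet characters long enough to be worth checking.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decode_token(token: str):
    """Two-stage decode: base64 -> hex -> text. Returns None if any stage fails."""
    try:
        stage1 = base64.b64decode(token, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # The intermediate value must be an even-length hex string.
    if len(stage1) % 2 or not re.fullmatch(r"[0-9a-fA-F]+", stage1):
        return None
    try:
        stage2 = bytes.fromhex(stage1).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    # Only report results that look like text, not binary noise.
    if not stage2 or not set(stage2) <= PRINTABLE:
        return None
    return stage2


def find_encoded_secrets(filenames):
    """Map each file name that embeds a decodable token to the recovered text."""
    hits = {}
    for name in filenames:
        for token in TOKEN_RE.findall(name):
            decoded = decode_token(token)
            if decoded is not None:
                hits[name] = decoded
    return hits


if __name__ == "__main__":
    for name, secret in find_encoded_secrets(SAMPLE_LISTING).items():
        print(f"{name}: {secret}")
```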

### Connecting to the database with DBeaver

To connect to the SQL Server I will use DBeaver, which can be installed with `sudo apt install dbeaver`.

Launch DBeaver from the Kali menu.

Select Microsoft SQL Server.

Type in all the relevant information and download any drivers it asks for. Once you have tested the connection, press the Finish button.

### Exploring the Database

Now that we are in the database, let’s have a look at the users table and see whether it holds any local Windows credentials.

Bingo, we have credentials, james:[email protected][email protected]!

## James to Administrator - PyKek

To root this machine we need the impacket script goldenPac.py and the Python Kerberos Exploitation Kit’s ms14-068.py script. ms14-068.py builds a PAC (Privilege Attribute Certificate) structure for the specified target user while holding only ordinary authenticated user credentials. This means we are able to get a shell as SYSTEM with a normal user’s credentials and a user-generated Kerberos ticket. This exploit is explained here, MS14-068.

Firstly, make sure you have impacket installed with:

### Getting James’s SID

First, we need the SID of the user james, which this script uses to generate a Kerberos ticket for james; the ticket will be stored in /tmp/krb5cc_0. To get the SID we will use rpcclient and its lookupnames command.

### Generating a Kerberos Ticket

Now that we have the SID, we need to generate a Kerberos ticket using pykek’s ms14-068.py, found here. To download all the necessary files use this command:

Now that we have pykek downloaded, the command syntax is as follows:

Next, we need to move the ticket file named, [email protected] to /tmp/krb5cc_0

Now that we have the Kerberos TGT, we can use the goldenPac.py script. The syntax is as follows:

## User and Root Flags

We can also now get the root and user flags.

## Beyond Root

Now that we have a SYSTEM shell, I will fire up Covenant C2 and load a grunt onto the box so that we can dump the SAM hashes.

If it is your first time launching Covenant with Docker, run:

If you have run Covenant before then type:

Firstly, create a new grunt and host it on a listener.

Now download it to an AppLocker bypass directory such as C:\Windows\System32\spool\drivers\color and execute it.

Bingo, we got a grunt.

### Dumping the SAM hashes with Covenant

To dump the SAM hashes, head over to the Interact tab and enter the following command:

### Clearing Up

Now that we have dumped all the hashes and completed the box, exit the grunt and reset the box.

## Respect

If you enjoyed my write-up or found it useful, consider +repping my HTB profile linked below:
