# Mantis - بالعربي

‌

![](/files/-M_zIBiywPwkmCcFoW5-)

## Recon

### nmap

```
nmap -sV -sC -p- -Pn 10.10.10.52
```

```
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-18 02:28 EDT
Nmap scan report for 10.10.10.52
Host is up (0.49s latency).
Not shown: 65508 closed ports
PORT      STATE SERVICE      VERSION
53/tcp    open  domain       Microsoft DNS 6.1.7601 (1DB15CD4) (Windows Server 2008 R2 SP1)
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15CD4)
88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2021-05-18 07:07:04Z)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds Windows Server 2008 R2 Standard 7601 Service Pack 1 microsoft-ds (workgroup: HTB)
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
1337/tcp  open  http         Microsoft IIS httpd 7.5
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
1433/tcp  open  ms-sql-s     Microsoft SQL Server 2014 12.00.2000.00; RTM
| ms-sql-ntlm-info: 
|   Target_Name: HTB
|   NetBIOS_Domain_Name: HTB
|   NetBIOS_Computer_Name: MANTIS
|   DNS_Domain_Name: htb.local
|   DNS_Computer_Name: mantis.htb.local
|_  Product_Version: 6.1.7601
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2021-05-18T06:43:19
|_Not valid after:  2051-05-18T06:43:19
|_ssl-date: 2021-05-18T07:08:23+00:00; +15m17s from scanner time.
3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5722/tcp  open  msrpc        Microsoft Windows RPC
8080/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Tossed Salad - Blog
9389/tcp  open  mc-nmf       .NET Message Framing
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc        Microsoft Windows RPC
49164/tcp open  msrpc        Microsoft Windows RPC
49166/tcp open  msrpc        Microsoft Windows RPC
49168/tcp open  msrpc        Microsoft Windows RPC
50255/tcp open  ms-sql-s     Microsoft SQL Server 2014 12.00.2000
| ms-sql-ntlm-info: 
|   Target_Name: HTB
|   NetBIOS_Domain_Name: HTB
|   NetBIOS_Computer_Name: MANTIS
|   DNS_Domain_Name: htb.local
|   DNS_Computer_Name: mantis.htb.local
|_  Product_Version: 6.1.7601
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2021-05-18T06:43:19
|_Not valid after:  2051-05-18T06:43:19
|_ssl-date: 2021-05-18T07:08:23+00:00; +15m17s from scanner time.
Service Info: Host: MANTIS; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 49m34s, deviation: 1h30m44s, median: 15m16s
| ms-sql-info: 
|   10.10.10.52:1433: 
|     Version: 
|       name: Microsoft SQL Server 2014 RTM
|       number: 12.00.2000.00
|       Product: Microsoft SQL Server 2014
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| smb-os-discovery: 
|   OS: Windows Server 2008 R2 Standard 7601 Service Pack 1 (Windows Server 2008 R2 Standard 6.1)
|   OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
|   Computer name: mantis
|   NetBIOS computer name: MANTIS\x00
|   Domain name: htb.local
|   Forest name: htb.local
|   FQDN: mantis.htb.local
|_  System time: 2021-05-18T03:08:10-04:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2021-05-18T07:08:06
|_  start_date: 2021-05-18T06:42:52

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1493.14 seconds

```

### SMB

![](/files/-Ma-X-5PrOBfqBfvyE78)

بما انو مافي شي لفت انتباهي الويب 

### Web :8080

![](/files/-Ma0FOtKk-Jv6FieUZnL)

بعد لف و دوران تكتشف ان مافي شي نرجع مرة تانية لل nmap نشوف ان في منفذ 1337 كمان عليه ويب سيرفر Microsoft IIS :)

### Web :1337

![](/files/-Ma0Fh3x059LbiMdz804)

على طول يا معلم اكبس و directory enum شغل dirb, dribuster, gobuster الي بدك 

```
gobuster dir -u http://mantis.htb.local:1337/ -w /usr/share/wordlists/dirb/common.txt
```

استخدمت ال wordlist الي هي common.txt من ال wordlists تبعيت اداة dirb و ما طلعلي شي 

ف غيرت ل directory-list-2.3-medium.txt من dirbuster و بعد انتظار وصلت ل هدول

```
/aspnet_client
/secure_notes
```

![](/files/-Ma0YA_R8Ad58cWBzZA6)

![](/files/-Ma0YxBB4NHDJtNYV0W6)

![](/files/-Ma0Z1YeA7tf0eFIOjGS)

![](/files/-Ma0Z9dNqqYpEo8j86AV)

هاد الملف فتح و في معلومات لطيفة بس في شي لفت نظري و ماتوقعت ان يكون الي ببالي 

![](/files/-Ma0_yiYkvJn1RSBEjFV)

هاد شكلو base64 انا الصراحة بالاول قلت ما معقول ان يكون في هيك شي بمسار ملف و ما فكرت فيها 

```
sqsh -U admin -S 10.10.10.52:1433 -D orcharddb
```

```
sqsh-2.5.16.1 Copyright (C) 1995-2001 Scott C. Gray
Portions Copyright (C) 2004-2014 Michael Peppler and Martin Wesdorp
This is free software with ABSOLUTELY NO WARRANTY
For more information type '\warranty'
Password:
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://mhzcyber.gitbook.io/vulnerability-research-ar/hackthebox-ar/mantis-balarby.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.