Offensive Security
  • Who Am I ?!
  • HackTheBox - بالعربي
    • Blunder - بالعربي
    • Lame - بالعربي
    • Legacy - بالعربي
    • Ariekei - بالعربي
    • Forest - بالعربي
    • Sauna - بالعربي
    • Active - بالعربي
    • Reel - بالعربي
    • Mantis - بالعربي
    • Sizzle - بالعربي
  • Bug Hunting
  • Red Team
Powered by GitBook
On this page
  • Recon
  • nmap
  • SMB
  • Web :8080
  • Web :1337

Was this helpful?

  1. HackTheBox - بالعربي

Mantis - بالعربي

حل Mantis بالعربي

PreviousReel - بالعربيNextSizzle - بالعربي

Last updated 3 years ago

Was this helpful?

‌

Recon

nmap

nmap -sV -sC -p- -Pn 10.10.10.52
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-18 02:28 EDT
Nmap scan report for 10.10.10.52
Host is up (0.49s latency).
Not shown: 65508 closed ports
PORT      STATE SERVICE      VERSION
53/tcp    open  domain       Microsoft DNS 6.1.7601 (1DB15CD4) (Windows Server 2008 R2 SP1)
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15CD4)
88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2021-05-18 07:07:04Z)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds Windows Server 2008 R2 Standard 7601 Service Pack 1 microsoft-ds (workgroup: HTB)
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
1337/tcp  open  http         Microsoft IIS httpd 7.5
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
1433/tcp  open  ms-sql-s     Microsoft SQL Server 2014 12.00.2000.00; RTM
| ms-sql-ntlm-info: 
|   Target_Name: HTB
|   NetBIOS_Domain_Name: HTB
|   NetBIOS_Computer_Name: MANTIS
|   DNS_Domain_Name: htb.local
|   DNS_Computer_Name: mantis.htb.local
|_  Product_Version: 6.1.7601
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2021-05-18T06:43:19
|_Not valid after:  2051-05-18T06:43:19
|_ssl-date: 2021-05-18T07:08:23+00:00; +15m17s from scanner time.
3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5722/tcp  open  msrpc        Microsoft Windows RPC
8080/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Tossed Salad - Blog
9389/tcp  open  mc-nmf       .NET Message Framing
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc        Microsoft Windows RPC
49164/tcp open  msrpc        Microsoft Windows RPC
49166/tcp open  msrpc        Microsoft Windows RPC
49168/tcp open  msrpc        Microsoft Windows RPC
50255/tcp open  ms-sql-s     Microsoft SQL Server 2014 12.00.2000
| ms-sql-ntlm-info: 
|   Target_Name: HTB
|   NetBIOS_Domain_Name: HTB
|   NetBIOS_Computer_Name: MANTIS
|   DNS_Domain_Name: htb.local
|   DNS_Computer_Name: mantis.htb.local
|_  Product_Version: 6.1.7601
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2021-05-18T06:43:19
|_Not valid after:  2051-05-18T06:43:19
|_ssl-date: 2021-05-18T07:08:23+00:00; +15m17s from scanner time.
Service Info: Host: MANTIS; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 49m34s, deviation: 1h30m44s, median: 15m16s
| ms-sql-info: 
|   10.10.10.52:1433: 
|     Version: 
|       name: Microsoft SQL Server 2014 RTM
|       number: 12.00.2000.00
|       Product: Microsoft SQL Server 2014
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| smb-os-discovery: 
|   OS: Windows Server 2008 R2 Standard 7601 Service Pack 1 (Windows Server 2008 R2 Standard 6.1)
|   OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
|   Computer name: mantis
|   NetBIOS computer name: MANTIS\x00
|   Domain name: htb.local
|   Forest name: htb.local
|   FQDN: mantis.htb.local
|_  System time: 2021-05-18T03:08:10-04:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2021-05-18T07:08:06
|_  start_date: 2021-05-18T06:42:52

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1493.14 seconds

SMB

بما انو مافي شي لفت انتباهي الويب

Web :8080

بعد لف و دوران تكتشف ان مافي شي نرجع مرة تانية لل nmap نشوف ان في منفذ 1337 كمان عليه ويب سيرفر Microsoft IIS :)

Web :1337

على طول يا معلم اكبس و directory enum شغل dirb, dribuster, gobuster الي بدك 

gobuster dir -u http://mantis.htb.local:1337/ -w /usr/share/wordlists/dirb/common.txt

استخدمت ال wordlist الي هي common.txt من ال wordlists تبعيت اداة dirb و ما طلعلي شي

ف غيرت ل directory-list-2.3-medium.txt من dirbuster و بعد انتظار وصلت ل هدول

/aspnet_client
/secure_notes

هاد الملف فتح و في معلومات لطيفة بس في شي لفت نظري و ماتوقعت ان يكون الي ببالي

هاد شكلو base64 انا الصراحة بالاول قلت ما معقول ان يكون في هيك شي بمسار ملف و ما فكرت فيها 

sqsh -U admin -S 10.10.10.52:1433 -D orcharddb
sqsh-2.5.16.1 Copyright (C) 1995-2001 Scott C. Gray
Portions Copyright (C) 2004-2014 Michael Peppler and Martin Wesdorp
This is free software with ABSOLUTELY NO WARRANTY
For more information type '\warranty'
Password: