Manager
Recon
nmap_scan.log
Open 10.129.251.108:53
Open 10.129.251.108:80
Open 10.129.251.108:88
Open 10.129.251.108:135
Open 10.129.251.108:139
Open 10.129.251.108:389
Open 10.129.251.108:445
Open 10.129.251.108:464
Open 10.129.251.108:593
Open 10.129.251.108:636
Open 10.129.251.108:1433
Open 10.129.251.108:3268
Open 10.129.251.108:3269
Open 10.129.251.108:5985
Open 10.129.251.108:9389
Open 10.129.251.108:49667
Open 10.129.251.108:49728
Open 10.129.251.108:49695
Open 10.129.251.108:49694
Open 10.129.251.108:49693
Open 10.129.251.108:49770
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} {{ip}} -vvv -sV -sC -Pn" on ip 10.129.251.108
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack Simple DNS Plus
80/tcp open http syn-ack Microsoft IIS httpd 10.0
|_http-title: Manager
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
88/tcp open kerberos-sec syn-ack Microsoft Windows Kerberos (server time: 2024-12-07 15:32:29Z)
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.manager.htb
| Issuer: commonName=manager-DC01-CA/domainComponent=manager
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-30T17:08:51
| Not valid after: 2122-07-27T10:31:04
|_ssl-date: 2024-12-07T15:34:01+00:00; +6h59m58s from scanner time.
445/tcp open microsoft-ds? syn-ack
464/tcp open kpasswd5? syn-ack
593/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.manager.htb
| Issuer: commonName=manager-DC01-CA/domainComponent=manager
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-30T17:08:51
| Not valid after: 2122-07-27T10:31:04
|_ssl-date: 2024-12-07T15:34:00+00:00; +6h59m58s from scanner time.
1433/tcp open ms-sql-s syn-ack Microsoft SQL Server 2019 15.00.2000.00; RTM
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-12-07T15:29:50
| Not valid after: 2054-12-07T15:29:50
|_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug)
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
|_ssl-date: 2024-12-07T15:34:01+00:00; +6h59m58s from scanner time.
3268/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.manager.htb
| Issuer: commonName=manager-DC01-CA/domainComponent=manager
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-30T17:08:51
| Not valid after: 2122-07-27T10:31:04
|_ssl-date: 2024-12-07T15:34:01+00:00; +6h59m58s from scanner time.
3269/tcp open ssl/ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-12-07T15:34:00+00:00; +6h59m58s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.manager.htb
| Issuer: commonName=manager-DC01-CA/domainComponent=manager
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-30T17:08:51
| Not valid after: 2122-07-27T10:31:04
5985/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf syn-ack .NET Message Framing
49667/tcp open msrpc syn-ack Microsoft Windows RPC
49693/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
49694/tcp open msrpc syn-ack Microsoft Windows RPC
49695/tcp open msrpc syn-ack Microsoft Windows RPC
49728/tcp open msrpc syn-ack Microsoft Windows RPC
49770/tcp open msrpc syn-ack Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 6h59m57s, deviation: 0s, median: 6h59m57s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 43832/tcp): CLEAN (Timeout)
| Check 2 (port 10631/tcp): CLEAN (Timeout)
| Check 3 (port 23630/udp): CLEAN (Timeout)
| Check 4 (port 52374/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-time:
| date: 2024-12-07T15:33:21
|_ start_date: N/A
DNS (53)
└─$ dig ANY manager.htb @10.129.251.108 +tcp | grep -vE ';|^$'
manager.htb. 600 IN A 10.129.251.108
manager.htb. 600 IN A 10.10.11.236
manager.htb. 3600 IN NS dc01.manager.htb.
manager.htb. 3600 IN SOA dc01.manager.htb. hostmaster.manager.htb. 247 900 600 86400 3600
dc01.manager.htb. 3600 IN A 10.129.251.108
HTTP (80)

The site serves static HTML; no subdomain was found with ffuf.
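The recon output above already carries the findings a defender would pull out of it: TRACE enabled on IIS, LDAP certificates valid until 2122, a self-signed fallback certificate on MSSQL, and a clock skew of almost seven hours, which matters because Kerberos rejects authenticators outside its default five-minute tolerance. The following Python is an added example (not part of the writeup) that parses nmap -sV -sC output in the flattened form shown on this page and turns those observations into review findings. The scan excerpt is constructed from the lines above; the three-year certificate-lifetime bar is a review policy assumption, not an nmap value.

```python
import re
from datetime import datetime, timedelta

# Constructed excerpt modelled on the nmap -sV -sC output above. The page
# extraction dropped the indentation of NSE script lines, so this keeps the
# flattened "|" / "|_" form.
SCAN_EXCERPT = """\
80/tcp open http syn-ack Microsoft IIS httpd 10.0
|_http-title: Manager
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
88/tcp open kerberos-sec syn-ack Microsoft Windows Kerberos (server time: 2024-12-07 15:32:29Z)
389/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.manager.htb
| Issuer: commonName=manager-DC01-CA/domainComponent=manager
| Not valid before: 2024-08-30T17:08:51
| Not valid after: 2122-07-27T10:31:04
|_ssl-date: 2024-12-07T15:34:01+00:00; +6h59m58s from scanner time.
1433/tcp open ms-sql-s syn-ack Microsoft SQL Server 2019 15.00.2000.00; RTM
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-12-07T15:29:50
| Not valid after: 2054-12-07T15:29:50
5985/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Host script results:
|_clock-skew: mean: 6h59m57s, deviation: 0s, median: 6h59m57s
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s+\S+\s*(.*)$")
SKEW_RE = re.compile(r"clock-skew: mean: (-?)(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?")

# Default Kerberos "Maximum tolerance for computer clock synchronization".
KERBEROS_MAX_SKEW = timedelta(minutes=5)
# Review threshold for certificate lifetime (policy assumption for this example).
MAX_CERT_LIFETIME = timedelta(days=3 * 365)


def parse_scan(text):
    """Split nmap output into per-port records plus host-level script lines."""
    services, host = {}, {"script": []}
    current = None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = services[int(m.group(1))] = {
                "proto": m.group(2), "state": m.group(3),
                "service": m.group(4), "version": m.group(5).strip(),
                "script": [],
            }
        elif line.startswith("Host script results"):
            current = host
        elif line.startswith("|") and current is not None:
            # NSE lines begin with "| " or "|_"; keep only the payload.
            current["script"].append(line.lstrip("|_").strip())
    return services, host


def _field(details, prefix):
    """Value of the first script line starting with prefix, else None."""
    for d in details:
        if d.startswith(prefix):
            return d[len(prefix):].strip()
    return None


def parse_skew(host):
    """Clock skew reported by the clock-skew host script, as a timedelta."""
    for d in host["script"]:
        m = SKEW_RE.match(d)
        if m:
            sign, h, mi, s = m.groups()
            skew = timedelta(hours=int(h or 0), minutes=int(mi or 0), seconds=int(s or 0))
            return -skew if sign else skew
    return None


def review(services, host):
    """Exposure review: returns (port or None for host-level, message) findings."""
    findings = []
    for port, svc in sorted(services.items()):
        d = svc["script"]
        risky = _field(d, "Potentially risky methods:")
        if risky:
            findings.append((port, f"risky HTTP methods enabled: {risky}"))
        subject, issuer = _field(d, "ssl-cert: Subject:"), _field(d, "Issuer:")
        if subject and subject == issuer:
            findings.append((port, f"self-signed certificate ({subject})"))
        before, after = _field(d, "Not valid before:"), _field(d, "Not valid after:")
        if before and after:
            lifetime = datetime.fromisoformat(after) - datetime.fromisoformat(before)
            if lifetime > MAX_CERT_LIFETIME:
                findings.append((port, f"certificate valid for {lifetime.days} days"))
    skew = parse_skew(host)
    if skew is not None and abs(skew) > KERBEROS_MAX_SKEW:
        findings.append((None, f"clock skew {skew} exceeds Kerberos tolerance {KERBEROS_MAX_SKEW}"))
    return findings


if __name__ == "__main__":
    svcs, host_info = parse_scan(SCAN_EXCERPT)
    for port, msg in review(svcs, host_info):
        print(f"{port or 'host'}: {msg}")
```

Run against the excerpt it reports TRACE on 80, the century-long LDAP certificate on 389, the self-signed fallback certificate on 1433 and the host-level skew; the same parser accepts a full nmap run, since port lines and NSE lines keep the shape regardless of how many services are listed.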
SMB
Brute-force the passwords with the usernames
Enumerate DC

Raven can WinRM into the machine, so that account is the desired target.
MSSQL
BloodHound didn't show any outbound permissions, but we have access to MSSQL.
Command execution is disabled.
The hash caught by Responder is not crackable.
We became sysadmin via netexec, but still have no permission to enable xp_cmdshell.
Enumerate with xp_dirtree.
We can download the backup file available on the web server.

Creds:
raven:R4v3nBe5tD3veloP3r!123
WinRM
User.txt
Privilege Escalation
Still nothing from BloodHound.

Enumerate certificates on DC
https://github.com/ly4k/Certipy?tab=readme-ov-file#esc7
https://www.thehacker.recipes/ad/movement/adcs/access-controls#certificate-authority-esc7
Get the NTLM hash for the user and fix the clock skew.
Root.txt