The target host has multiple open ports indicating a Windows environment, including services such as DNS, web hosting with Microsoft IIS, Active Directory LDAP, Microsoft SQL Server 2019, RPC services, and others, suggesting potential avenues for further exploration and exploitation. We are dealing with a domain controller and received the domain and computer name from the Nmap scan:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-16 08:38 EDT
Nmap scan report for manager.htb (10.129.120.237)
Host is up (0.029s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Manager
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-03-16 19:38:37Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-03-16T19:40:06+00:00; +6h59m50s from scanner time.
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after: 2024-07-29T13:51:28
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-03-16T19:40:06+00:00; +6h59m50s from scanner time.
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after: 2024-07-29T13:51:28
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-info:
| 10.129.120.237:1433:
| Version:
| name: Microsoft SQL Server 2019 RTM
| number: 15.00.2000.00
| Product: Microsoft SQL Server 2019
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
| ms-sql-ntlm-info:
| 10.129.120.237:1433:
| Target_Name: MANAGER
| NetBIOS_Domain_Name: MANAGER
| NetBIOS_Computer_Name: DC01
| DNS_Domain_Name: manager.htb
| DNS_Computer_Name: dc01.manager.htb
| DNS_Tree_Name: manager.htb
|_ Product_Version: 10.0.17763
|_ssl-date: 2024-03-16T19:40:06+00:00; +6h59m50s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-03-16T19:30:16
|_Not valid after: 2054-03-16T19:30:16
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after: 2024-07-29T13:51:28
|_ssl-date: 2024-03-16T19:40:06+00:00; +6h59m50s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-03-16T19:40:06+00:00; +6h59m50s from scanner time.
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after: 2024-07-29T13:51:28
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49693/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49694/tcp open msrpc Microsoft Windows RPC
49695/tcp open msrpc Microsoft Windows RPC
49730/tcp open msrpc Microsoft Windows RPC
52872/tcp open msrpc Microsoft Windows RPC
52918/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 6h59m50s, deviation: 0s, median: 6h59m49s
| smb2-time:
| date: 2024-03-16T19:39:30
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 95.94 second
When enumerating the website, nothing could be detected apart from static web pages.
We are probably dealing with an active directory challenge. We can enumerate some users using Kerbrute. For this, we use the xato-net-10-million-usernames.txt from SecLists.
┌──(0xb0b㉿kali)-[~/Documents/htb-app/manager]
└─$ sed -n 's/.*:\s*\([^@]\+\)@manager\.htb.*/\1/p' kerbrute-results.txt > usernames.txt
usernames.txt
ryan
guest
cheng
raven
administrator
Ryan
Raven
operator
Guest
Administrator
Cheng
jinwoo
RYAN
RAVEN
GUEST
Operator
Next, we try a password spray on the SMB port. We do this with the help of NetExec. We will also use the usernames as the password list. Maybe a user has used his username as a password. We issue the parameter --no-brute only to insert the password as the username. We have a hit for the user operator.
We see that raven has dangerous permissions that allow the ESC7 attack.
A detailed explanation of the attack can be found here:
To issue the attack we place the commands in a simple script, since they have to be issued very quickly in succession. You have to set the password, and if already requests were made the request_id has to be adjusted.
By executing the script we get the Administrator certificate
With that, we can retrieve the admin hash. The next commands have to be queued in quick succession and might fail. We have to synchronize our time with the DC.
