Manager

Enumeration

Nmap

nmap -A -p- -v -sC manager.htb
Nmap scan report for manager.htb (10.10.11.236)
Host is up (0.051s latency).
Not shown: 65513 filtered tcp ports (no-response)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-title: Manager
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-01-27 23:10:29Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Issuer: commonName=manager-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-07-30T13:51:28
| Not valid after:  2024-07-29T13:51:28
| MD5:   8f4d:67bc:2117:e4d5:43e9:76bd:1212:b562
|_SHA-1: 6779:9506:0167:b030:ce92:6a31:f81c:0800:1c0e:29fb
|_ssl-date: 2024-01-27T23:12:04+00:00; +6h59m58s from scanner time.
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-01-27T23:12:04+00:00; +6h59m58s from scanner time.
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Issuer: commonName=manager-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-07-30T13:51:28
| Not valid after:  2024-07-29T13:51:28
| MD5:   8f4d:67bc:2117:e4d5:43e9:76bd:1212:b562
|_SHA-1: 6779:9506:0167:b030:ce92:6a31:f81c:0800:1c0e:29fb
1433/tcp  open  ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00; RTM
|_ssl-date: 2024-01-27T23:12:04+00:00; +6h59m58s from scanner time.
| ms-sql-ntlm-info: 
|   10.10.11.236:1433: 
|     Target_Name: MANAGER
|     NetBIOS_Domain_Name: MANAGER
|     NetBIOS_Computer_Name: DC01
|     DNS_Domain_Name: manager.htb
|     DNS_Computer_Name: dc01.manager.htb
|     DNS_Tree_Name: manager.htb
|_    Product_Version: 10.0.17763
| ms-sql-info: 
|   10.10.11.236:1433: 
|     Version: 
|       name: Microsoft SQL Server 2019 RTM
|       number: 15.00.2000.00
|       Product: Microsoft SQL Server 2019
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-01-27T17:32:53
| Not valid after:  2054-01-27T17:32:53
| MD5:   a3fc:e7f8:048c:fabf:6eb7:212c:d24f:5c29
|_SHA-1: c7b4:13dd:ac31:034c:087b:cd34:49c9:79da:cb9a:d41b
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-01-27T23:12:04+00:00; +6h59m58s from scanner time.
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Issuer: commonName=manager-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-07-30T13:51:28
| Not valid after:  2024-07-29T13:51:28
| MD5:   8f4d:67bc:2117:e4d5:43e9:76bd:1212:b562
|_SHA-1: 6779:9506:0167:b030:ce92:6a31:f81c:0800:1c0e:29fb
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Issuer: commonName=manager-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-07-30T13:51:28
| Not valid after:  2024-07-29T13:51:28
| MD5:   8f4d:67bc:2117:e4d5:43e9:76bd:1212:b562
|_SHA-1: 6779:9506:0167:b030:ce92:6a31:f81c:0800:1c0e:29fb
|_ssl-date: 2024-01-27T23:12:04+00:00; +6h59m58s from scanner time.
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc         Microsoft Windows RPC
49675/tcp open  msrpc         Microsoft Windows RPC
49705/tcp open  msrpc         Microsoft Windows RPC
49735/tcp open  msrpc         Microsoft Windows RPC
52758/tcp open  msrpc         Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019 (89%)
Aggressive OS guesses: Microsoft Windows Server 2019 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2024-01-27T23:11:25
|_  start_date: N/A
|_clock-skew: mean: 6h59m57s, deviation: 0s, median: 6h59m57s

TRACEROUTE (using port 139/tcp)
HOP RTT      ADDRESS
1   51.41 ms 10.10.14.1
2   51.70 ms manager.htb (10.10.11.236)

NSE: Script Post-scanning.
Initiating NSE at 11:12
Completed NSE at 11:12, 0.00s elapsed
Initiating NSE at 11:12
Completed NSE at 11:12, 0.00s elapsed
Initiating NSE at 11:12
Completed NSE at 11:12, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 232.23 seconds
           Raw packets sent: 131228 (5.778MB) | Rcvd: 1240 (279.462KB)

Port 53

Port 80

Port 88

Try to enumerate possible usernames against the Kerberos service:

Save the usernames to a file, users.txt.

Port 445

Confirm the version of the SMB service:

Try anonymous access with crackmapexec:

Try to access the SMB shares using the usernames enumerated before (the same username file can be used as the password list):

operator:operator is a valid username and password for signing in to the SMB share:

Enumerate the folders and files we can access with these credentials:

Traverse the SYSVOL directory and go inside the manager.htb directory:

Access the SYSVOL share:

But there is nothing of interest:

Port 1433

Microsoft SQL Server 2019 15.00.2000.00;

Service pack level: RTM

Try to log in with the operator:operator credentials using plain SQL Server authentication:

Using Windows integrated authentication instead, it works:

Windows Authentication in MSSQL is a method of authentication where users are authenticated using their Windows credentials. This means that users can access MSSQL databases using the same username and password they use to log in to their Windows accounts. It provides a seamless and secure way to authenticate users without requiring separate database credentials.

We can try to spawn a shell using an MSSQL Server stored procedure.

In this case we don't have permission to execute xp_cmdshell:

You can check who (apart from sysadmins) has permission to run those MSSQL procedures with:

We can list the files and directories on Domain Controller:

The web.config file is not viewable; instead we can download the zip file, and after extracting it we find a valuable XML file with possible credentials:

Info

AD domain:

  • dc01.manager.htb

  • NetBIOS_Domain_Name: MANAGER

  • Microsoft Windows Server 2019

Port 80:

  • IIS 10.0

  • Potentially risky methods: TRACE

Port 88/445:

  • operator:operator

  • raven:R4v3nBe5tD3veloP3r!123

Privilege Escalation

Trying to connect with psexec.py or wmiexec.py does not work.

Using evil-winrm through port 5985 works, and the user flag can be grabbed from the Desktop:

Enumeration

Using WinPEAS.exe we do not obtain any relevant results.

Using Certify.exe we can find some vulnerabilities in AD CS, for example misconfigured templates:

If we try to use the WebServer template just because it has the ENROLLEE_SUPPLIES_SUBJECT flag enabled, we obtain the following error:

PKINIT (Public Key Cryptography for Initial Authentication) is a protocol used in Kerberos authentication, allowing clients to authenticate to the Key Distribution Center (KDC) using X.509 certificates. For PKINIT client authentication to work, the client's certificate must have the appropriate Key Usage and Extended Key Usage extensions set. To resolve the issue we need to:

  1. Check Certificate Key Usage: Ensure that the client certificate has the "Digital Signature" and "Key Encipherment" key usage extensions set. These extensions are typically required for certificates used in PKINIT authentication.

  2. Check Extended Key Usage (EKU): Verify that the "Client Authentication" EKU (OID 1.3.6.1.5.5.7.3.2) is included in the certificate's Extended Key Usage extension. This EKU indicates that the certificate is intended for client authentication purposes.
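The two checks above can be run against an issued certificate file from an administrator's workstation. This is an added example, not code from the original writeup; the certificate path is a placeholder and the script uses only the .NET X509 classes available in Windows PowerShell 5 and later.

```powershell
# Added example (not from the original writeup): report whether a certificate carries
# the Key Usage and EKU values that Kerberos PKINIT client authentication requires.
using namespace System.Security.Cryptography.X509Certificates
param([string]$CertPath = '.\issued.cer')   # placeholder: path to the issued certificate

$cert = [X509Certificate2]::new($CertPath)

$ku  = $cert.Extensions | Where-Object { $_ -is [X509KeyUsageExtension] }
$eku = $cert.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }

# Step 1: Key Usage bits. Digital Signature is what the KDC checks the AS-REQ signature against.
$digitalSignature = [bool]($ku -and $ku.KeyUsages.HasFlag([X509KeyUsageFlags]::DigitalSignature))
$keyEncipherment  = [bool]($ku -and $ku.KeyUsages.HasFlag([X509KeyUsageFlags]::KeyEncipherment))

# Step 2: EKU. A certificate with NO EKU extension at all (as issued from the SubCA
# template, whose EKU is <null>) is unrestricted, which is why it is accepted as well.
$authOids = @(
    '1.3.6.1.5.5.7.3.2',       # Client Authentication
    '1.3.6.1.5.2.3.4',         # PKINIT Client Authentication
    '1.3.6.1.4.1.311.20.2.2',  # Smart Card Logon
    '2.5.29.37.0'              # Any Purpose
)
$ekuValues = if ($eku) { @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) } else { @() }
$ekuOk = (-not $eku) -or (@($ekuValues | Where-Object { $authOids -contains $_ }).Count -gt 0)

[pscustomobject]@{
    Subject             = $cert.Subject
    DigitalSignature    = $digitalSignature
    KeyEncipherment     = $keyEncipherment
    EKU                 = if ($ekuValues.Count) { $ekuValues -join ', ' } else { '<null>' }
    PkinitClientCapable = $digitalSignature -and $ekuOk
}
```

A certificate from the WebServer template reports only 1.3.6.1.5.5.7.3.1 (Server Authentication) in the EKU column and PkinitClientCapable as False, matching the error shown above.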

Find enabled certificate templates where ENROLLEE_SUPPLIES_SUBJECT is enabled:

Only the SubCA certificate template (shown in blue) is capable of Client Authentication, because its EKU is NOT specified (<null>); the WebServer template instead has Server Authentication, so it is not usable for privilege escalation in this case.
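The same condition can be audited from the defender's side by reading the template objects in the configuration partition, rather than with Certify. This is an added example, not from the writeup; it assumes the RSAT ActiveDirectory module and read access to the configuration naming context, and reports the combination found here (enrollee supplies the subject, EKU permits client authentication or is empty, template published on a CA).

```powershell
# Added example (not from the original writeup): audit published AD CS templates for
# ENROLLEE_SUPPLIES_SUBJECT combined with an EKU usable for client authentication.
Import-Module ActiveDirectory

$pkiBase = "CN=Public Key Services,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"

# CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT bit of msPKI-Certificate-Name-Flag
$EnrolleeSuppliesSubject = 0x00000001

# EKU OIDs that let a certificate authenticate a principal to the KDC
$AuthEkus = @(
    '1.3.6.1.5.5.7.3.2',       # Client Authentication
    '1.3.6.1.5.2.3.4',         # PKINIT Client Authentication
    '1.3.6.1.4.1.311.20.2.2',  # Smart Card Logon
    '2.5.29.37.0'              # Any Purpose
)

# A template is "enabled" only when an enrollment service (CA) publishes it
$published = Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" `
    -Filter 'objectClass -eq "pKIEnrollmentService"' -Properties certificateTemplates |
    ForEach-Object { $_.certificateTemplates }

Get-ADObject -SearchBase "CN=Certificate Templates,$pkiBase" `
    -Filter 'objectClass -eq "pKICertificateTemplate"' `
    -Properties 'msPKI-Certificate-Name-Flag', pKIExtendedKeyUsage |
ForEach-Object {
    $ekus        = @($_.pKIExtendedKeyUsage | Where-Object { $_ })
    $supplies    = ([int64]$_.'msPKI-Certificate-Name-Flag' -band $EnrolleeSuppliesSubject) -ne 0
    # An empty EKU list (SubCA) is unrestricted, so it counts as auth-capable
    $authCapable = ($ekus.Count -eq 0) -or
                   (@($ekus | Where-Object { $AuthEkus -contains $_ }).Count -gt 0)
    [pscustomobject]@{
        Template                = $_.Name
        Published               = $published -contains $_.Name
        EnrolleeSuppliesSubject = $supplies
        EKU                     = if ($ekus.Count) { $ekus -join ', ' } else { '<null>' }
        AtRisk                  = $supplies -and $authCapable -and ($published -contains $_.Name)
    }
} | Where-Object { $_.AtRisk } | Format-Table -AutoSize
```

On this domain the WebServer template is not reported because its EKU is Server Authentication only, while SubCA is, which is the same distinction the writeup draws from the Certify output.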

Following our earlier find, we also came across a weakness in the SubCA template. To take advantage of this vulnerability, we utilized a tool called ‘certipy-ad.’

Creating an Officer Account

An "Officer Account" in ADCS refers to a user or service account used to manage and administer the ADCS service in an Active Directory infrastructure. ADCS is a feature of Windows Server that allows for the creation, management, and deployment of digital certificates within an organization.

An Officer Account would typically have specific administrative privileges for managing certificates within the organization. These privileges might include the ability to:

  • issue certificates,

  • revoke certificates,

  • manage certificate requests,

  • and other activities related to managing certificate-based security infrastructures.

I started by creating an ‘officer’ account with ‘certipy-ad.’ This was essential because it granted me the authority to manage certificates and related operations within the Active Directory. Without this ‘officer’ account, I wouldn’t have the necessary permissions to request and issue certificates or perform any certificate-related task.

Enabling a Certificate Template and Requesting a Certificate

Next, I enabled a specific certificate template and requested a certificate with elevated privileges. By doing this, I essentially secured a certificate that would grant me additional access rights, a critical step in the privilege escalation process.

Issuing the Requested Certificate

Once the certificate request was submitted, I needed it to be approved and issued.

Retrieved the Issued Certificate

After the certificate was issued, I retrieved it. This allowed ‘raven’ to have the certificate locally and use it for authentication.

Authenticated with the obtained certificate

However, during this process, I encountered an error related to clock skew. This error, known as KRB_AP_ERR_SKEW (Clock skew too great), occurs when there is a significant time difference between the local system and the remote server. In this case, the time skew was too substantial for the Kerberos authentication system to handle, resulting in the error. If you get this type of error, that means you need to sync your time.

To synchronize the system time with the ‘manager.htb’ server use the following command:

If it doesn’t work, use:

The server resets its settings automatically within a minute, so it’s important to have all the commands ready for quick execution. You can prepare a script or a set of commands that you can quickly copy and paste as needed:

Obtaining Administrator Hash

After successfully obtaining the Administrator hash, I used it to log in with elevated privileges. I utilized the hash as a password to connect to the system using evil-winrm. This allowed me to access the system as the administrator, granting me root-level privileges. As a result, I was able to easily retrieve the root flag:
