HTB Manager: Walkthrough

This machine begins with a password spray against the domain-joined host, which gives us a domain user with MSSQL access. We use that MSSQL access to find a backup.zip file within the webroot of the web server; it contains an old XML file with credentials for another domain user. With those credentials we exploit a misconfigured AD CS template and gain Administrator access to the machine.

0) Machine Overview

  1. Scans
  2. RPC Enumeration
  3. MSSQL
  4. Privilege Escalation

1) Scans

53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP
445/tcp   open  microsoft-ds?
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
1433/tcp  open  ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-ntlm-info: 
|   10.10.11.236:1433: 
|     Target_Name: MANAGER
|     NetBIOS_Domain_Name: MANAGER
|     NetBIOS_Computer_Name: DC01
|     DNS_Domain_Name: manager.htb
|     DNS_Computer_Name: dc01.manager.htb
|     DNS_Tree_Name: manager.htb
|_    Product_Version: 10.0.17763

Enum4Linux:


2) RPC Enumeration

Couldn't do much with the SMB shares.

Let's mess with msrpc and see what we can do.

First, connecting with a random user returns ACCESS_DENIED.

However, connecting with a blank user succeeds.

This is where things get interesting when we check what user we currently are.

This actually opens a lot of doors for us. One is to try this username with quite a few impacket scripts and see what kind of information we can pull from the domain. (You could also try querydispinfo or enumdomusers within rpcclient, but in this case we are denied.)

I started doing some research on what scripts would be of use in situations like this, and one that instantly caught my eye was lookupsid.py, which brute-forces SIDs. (We could also have used kerbrute with a username list if we wanted to find users.)

Now we have a list of users that exist within the domain. There’s lots we can try now.

I tried seeing if any of the users were AS-REP Roastable, but they weren't. So let's try password spraying with CME.

One thing you can always do before a more proper password spray is to use the usernames themselves as the password list. In this case it hits: the operator account uses operator as its password.

Perfect. Let's see what access this gives us now.
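A defender's view of that spray, as an added example that is not part of the original post: a small detector over constructed 4625/4624-style logon events that flags one source failing against many accounts a couple of times each, and names the account whose logon then succeeded. The line layout and every username other than raven and operator are constructed.

```python
"""Spotting a username-as-password spray in Windows logon events 4625/4624.
Added example, not from the original post. A spray touches many accounts once
or twice each from one source in a short burst, unlike a brute force against a
single account. The lines below are constructed, not a real capture.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2024-01-10T19:30:01 4625 TargetUserName=jdoe IpAddress=10.10.14.5 LogonType=3
2024-01-10T19:30:01 4625 TargetUserName=asmith IpAddress=10.10.14.5 LogonType=3
2024-01-10T19:30:02 4625 TargetUserName=bwong IpAddress=10.10.14.5 LogonType=3
2024-01-10T19:30:02 4625 TargetUserName=raven IpAddress=10.10.14.5 LogonType=3
2024-01-10T19:30:03 4625 TargetUserName=clee IpAddress=10.10.14.5 LogonType=3
2024-01-10T19:30:03 4625 TargetUserName=dkim IpAddress=10.10.14.5 LogonType=3
2024-01-10T19:30:04 4624 TargetUserName=operator IpAddress=10.10.14.5 LogonType=3
2024-01-10T19:45:00 4625 TargetUserName=raven IpAddress=10.10.11.50 LogonType=2
2024-01-10T19:45:30 4625 TargetUserName=raven IpAddress=10.10.11.50 LogonType=2
"""


def parse(line):
    # One constructed line -> dict with ts, id and the key=value fields.
    ts, event_id, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec.update(ts=datetime.fromisoformat(ts), id=int(event_id))
    return rec


def detect_spray(log, window=timedelta(minutes=5), min_users=5, max_per_user=2):
    """One alert per source that failed against >= min_users accounts inside
    `window` with no account tried more than max_per_user times; a 4624 from
    the same source in or just after the burst names the account that fell."""
    by_src = defaultdict(list)
    for line in filter(str.strip, log.splitlines()):
        rec = parse(line)
        by_src[rec["IpAddress"]].append(rec)
    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["id"] == 4625]
        for i, first in enumerate(fails):
            burst = [e for e in fails[i:] if e["ts"] - first["ts"] <= window]
            per_user = Counter(e["TargetUserName"] for e in burst)
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                end = burst[-1]["ts"] + window
                hits = sorted({e["TargetUserName"] for e in evs
                               if e["id"] == 4624 and first["ts"] <= e["ts"] <= end})
                alerts.append({"source": src, "users_tried": len(per_user), "successful": hits})
                break  # one alert per source is enough
    return alerts
```

The second source (two failures for one account) is deliberately left alone: that is a user mistyping a password, not a spray.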

Firstly, we can now run most commands through rpcclient.

SMB doesn't give us much.

Let's try dumping the LDAP server:

sudo ldapdomaindump 10.10.11.236 -u 'manager.htb\operator' -p 'operator' --no-json --no-grep -o ldap-dump

Not much there either.

3) MSSQL

Let's try the creds on the MSSQL server. (Be sure to add -windows-auth, or else it will not work.)

We can't execute xp_cmdshell commands just yet, so we'll have to enumerate a bit.

As this article shows, you can list files and directories with the xp_dirtree procedure.

Let's check out the web server's files, usually stored in C:\inetpub\wwwroot:

EXEC master.sys.xp_dirtree 'C:\inetpub\wwwroot',0,1;

(The trailing 1 makes it display files as well; otherwise it would only have listed folders.)

Very interestingly, there's a backup.zip file within the webroot.

Which means that, if we request that file through a URL, we can download it.

Once we unzip the archive and run ls -la, something instantly stands out.

Credentials: raven:R4v3nBe5tD3veloP3r!123

Let's try them on WinRM.

4) Privilege Escalation

Let's run BloodHound first:

bloodhound-python -c all -u raven -p 'R4v3nBe5tD3veloP3r!123' --zip -d manager.htb -ns 10.10.11.236

It didn't find anything noteworthy. Let's see what AD CS has in store for us.

The article I'm following in this scenario is again HackTricks. It shows that we can run tools like Certipy or Certify, and that there are a ton of potential misconfigurations we can leverage for privilege escalation, persistence, and so on.

For this machine, I'm going to try Certipy, as it can also generate output for BloodHound.

You could import it into BloodHound, but it isn't working for me in this case, so I'll resort to manual enumeration alongside HackTricks.

It seems we have dangerous permissions on the CA, the vulnerability being ESC7:

Attack 1 (which has certain limitations listed in the article, like having to restart the CA service)

OR

Attack 2

I'll be trying Attack 2. Certipy's README.md shows how to exploit each ESC.

NOTE: the server seems to reset its settings automatically quite quickly, so we have to be relatively fast and issue the commands in quick succession.

Adding raven as an officer to be able to manage certificates.

Enabling the SubCA template.

Requesting a certificate based on the SubCA template, then saving the private key and noting down the request ID. (manager.htb would have worked as well for the -target.)

Issuing the certificate ourselves.

Retrieving the issued certificate.

Finally, authenticating.

If you get this error from Linux: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great), it's because of your local time; you need to synchronize the host with the DC. There are a few options:

  • ntpdate <IP of DC> - deprecated as of Ubuntu 16.04
  • rdate -n <IP of DC>

Then, if we want to re-enable NTP, just run timedatectl set-ntp on.

Finally, let's pass the hash with the Administrator's hash.

Pwned.
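The ESC7 chain above, seen from the CA's side, as an added example that is not part of the original post: a detector over constructed AD CS audit events that flags a certificate request the CA refused and that was then issued by the requester themselves, or by an actor whose CA permissions had just been changed. The event IDs are the standard Certificate Services audit events (4882 permissions changed, 4886 received, 4888 denied, 4889 pending, 4887 issued); the key=value layout, the field names Actor/Requester and the names other than raven are assumptions.

```python
"""Spotting the ESC7 chain above in AD CS audit events (added example, not from the post).

A user is made a certificate officer, submits a SubCA request the CA refuses, then issues
that same request ID themselves. Lines below are constructed to mimic the CA's audit events
(4882 permissions changed, 4886 received, 4888 denied, 4889 pending, 4887 issued); the
key=value layout is an assumption, not a real export.
"""
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2024-01-10T09:00:00 4886 Requester=bob RequestId=22 Template=SubCA
2024-01-10T09:00:00 4889 Requester=bob RequestId=22 Template=SubCA
2024-01-10T10:30:00 4887 Actor=ca-admin Requester=bob RequestId=22 Template=SubCA
2024-01-10T20:01:00 4882 Actor=raven
2024-01-10T20:01:20 4886 Requester=raven RequestId=21 Template=SubCA
2024-01-10T20:01:20 4888 Requester=raven RequestId=21 Template=SubCA
2024-01-10T20:01:45 4887 Actor=raven Requester=raven RequestId=21 Template=SubCA
"""

def parse(line):
    # One constructed line -> dict with ts, id and the key=value fields.
    ts, event_id, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec.update(ts=datetime.fromisoformat(ts), id=int(event_id))
    return rec

def detect_esc7(log, lookback=timedelta(hours=24)):
    """Flag a 4887 issuing a request the CA had denied (4888) or parked (4889) when
    the actor is also the requester, or had their own CA permissions changed (4882)
    inside `lookback`. ca-admin approving bob's pending request trips neither test."""
    events = sorted(map(parse, filter(str.strip, log.splitlines())), key=lambda e: e["ts"])
    perm_changes = [e for e in events if e["id"] == 4882]
    refused = {}  # RequestId -> the 4888/4889 that stopped the request
    alerts = []
    for e in events:
        if e["id"] in (4888, 4889):
            refused[e["RequestId"]] = e
        elif e["id"] == 4887 and e["RequestId"] in refused:
            reasons = []
            if e["Actor"] == e["Requester"]:
                reasons.append("actor issued their own refused request")
            if any(p["Actor"] == e["Actor"] and timedelta(0) <= e["ts"] - p["ts"] <= lookback
                   for p in perm_changes):
                reasons.append("actor gained CA permissions within lookback")
            if reasons:
                alerts.append({"request": e["RequestId"], "template": e["Template"],
                               "actor": e["Actor"], "reasons": reasons})
    return alerts
```

Either reason alone is worth a look; both together on a SubCA template is the exact shape of the chain walked through above.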


This post is licensed under CC BY 4.0 by the author.