In this post, I would like to share a walkthrough of the Manager machine from Hack The Box.
This machine is rated medium on Hack The Box.
- What will you gain from the Manager machine?
- Information Gathering on Manager Machine
- Trying to enumerate on mssql and smb port
- Accessing the mssqlclient with the credential
- Analyze the source code from the website backup file
- Escalate to Root Privileges Access on the Manager machine
- Extra Information
What will you gain from the Manager machine?
For the user flag, you need to enumerate the domain accounts through RID (Relative Identifier) cycling, then run a password spray that tries each user's username as that user's password. Once the operator account is compromised, access to the MSSQL database instance lets you use the xp_dirtree functionality to walk the file system. That walk turns up a backup archive of the web server, which contains an outdated configuration file holding credentials for a specific user.
As for the root flag, you need to gain entry to the Active Directory Certificate Services (ADCS) instance and leverage the ESC7 misconfiguration to obtain administrative privileges.
For those who want to learn or improve their cybersecurity skills, especially Red Teaming and Blue Teaming, you can use the link https://affiliate.hackthebox.com/gnfp67dzy7p0 to support me.
The Academy link can be found at https://affiliate.hackthebox.com/wanmohdariffwanmohdrosdi6259vvv
Information Gathering on Manager Machine
Once we have started the VPN connection, which requires a download from Hack The Box, we can start information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN
┌─[darknite@parrot]─[~/Documents/htb/manager]
└──╼ $ nmap -sC -sV 10.10.11.236
Starting Nmap 7.93 ( https://nmap.org ) at 2023-10-27 06:13 EDT
Nmap scan report for manager.htb (10.10.11.236)
Host is up (0.021s latency).
Not shown: 987 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: Manager
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-10-27 17:13:40Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-10-27T17:15:01+00:00; +7h00m01s from scanner time.
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after: 2024-07-29T13:51:28
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-10-27T17:15:00+00:00; +7h00m00s from scanner time.
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after: 2024-07-29T13:51:28
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
|_ssl-date: 2023-10-27T17:15:00+00:00; +7h00m00s from scanner time.
|_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug)
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2023-10-27T12:36:25
|_Not valid after: 2053-10-27T12:36:25
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-10-27T17:15:00+00:00; +7h00m00s from scanner time.
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after: 2024-07-29T13:51:28
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-10-27T17:15:00+00:00; +7h00m00s from scanner time.
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc01.manager.htb
| Not valid before: 2023-07-30T13:51:28
|_Not valid after: 2024-07-29T13:51:28
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 7h00m00s, deviation: 0s, median: 6h59m59s
| smb2-security-mode:
| 311:
|_ Message signing enabled and required
| smb2-time:
| date: 2023-10-27T17:14:24
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 93.62 seconds
┌─[darknite@parrot]─[~/Documents/htb/manager]
└──╼ $
Let’s access the website interface.
However, I didn’t see anything useful or exploitable on the website interface. When I re-analyzed the Nmap result, I noticed that there’s an SMB port open to the public.
Trying to enumerate on mssql and smb port
First, let’s enumerate the MSSQL database using the NetExec tool, but sadly, all login attempts failed.
Another port exposed to the public is the SMB port.
After a while, I was provided with a lot of potential usernames and passwords.
We can try to match each username with the passwords we found earlier. Sadly, that leads to a dead end for now.
Let’s try to retrieve the potential credentials for the MSSQL database using the NetExec tool. At last, we managed to retrieve the credentials operator:operator.
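The spray described above (every username tried as its own password) leaves a distinctive trace on the domain controller: one source address, one or two failed logons per account, many accounts in a few seconds. The following is an added example, not code from the original walkthrough, that flags that pattern. It reads constructed sample lines modelled on Security Event ID 4625 (failed logon) and 4624 (successful logon) in a simplified "timestamp event_id account source_ip" form; the account names and addresses are placeholders, and the thresholds are assumptions you would tune to your own environment.

```python
"""Flag password-spray activity in Windows logon events.

Added example, not part of the original walkthrough. A source that fails
against many distinct accounts inside a short window is reported, together
with whether a successful logon from the same source followed the spray.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625
SUCCESSFUL_LOGON = 4624

# Constructed sample events; names and addresses are placeholders, not real data.
SAMPLE_EVENTS = """\
2023-10-27T17:10:01Z 4625 alice 10.10.14.5
2023-10-27T17:10:02Z 4625 bob 10.10.14.5
2023-10-27T17:10:02Z 4625 carol 10.10.14.5
2023-10-27T17:10:03Z 4625 dave 10.10.14.5
2023-10-27T17:10:03Z 4625 erin 10.10.14.5
2023-10-27T17:10:04Z 4624 operator 10.10.14.5
2023-10-27T17:12:30Z 4625 alice 10.10.14.9
2023-10-27T17:40:00Z 4625 alice 10.10.14.9
"""


def parse_events(text):
    """Parse the sample format into sorted (timestamp, event_id, account, source) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, source = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       int(event_id), account.lower(), source))
    return sorted(events)


def find_spray_sources(events, min_accounts=5, window=timedelta(minutes=5)):
    """Return {source: {"accounts": [...], "followed_by_success": bool}} for every
    source whose failed logons touch at least `min_accounts` distinct accounts
    within any interval of length `window` (thresholds are assumed defaults)."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for ts, eid, acct, src in events:
        if eid == FAILED_LOGON:
            failures[src].append((ts, acct))
        elif eid == SUCCESSFUL_LOGON:
            successes[src].append((ts, acct))

    flagged = {}
    for src, items in failures.items():
        start = 0
        for end in range(len(items)):
            # Advance the window start until the span fits inside `window`.
            while items[end][0] - items[start][0] > window:
                start += 1
            accounts = {acct for _, acct in items[start:end + 1]}
            if len(accounts) >= min_accounts:
                first_fail = items[start][0]
                later_success = any(ts >= first_fail for ts, _ in successes[src])
                flagged[src] = {"accounts": sorted(accounts),
                                "followed_by_success": later_success}
                break
    return flagged


if __name__ == "__main__":
    for src, info in find_spray_sources(parse_events(SAMPLE_EVENTS)).items():
        print(f"{src}: {len(info['accounts'])} accounts, "
              f"success afterwards: {info['followed_by_success']}")
```

The sliding window keeps the check linear in the number of events per source, and the "followed_by_success" flag is what turns a noisy alert into a high-priority one: a spray that ends in a 4624 from the same source is the case that produced the operator credentials above.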
Accessing the mssqlclient with the credential
As a result, we can try to access the database with mssqlclient from Impacket, which looks like a success to me.
Since this machine is running Windows, let’s list the directory C:\
Let’s analyze the inetpub directory, which makes me a little curious about what is stored inside.
I managed to find a zip file, which we can try to download to our attacker machine.
I was thinking about how to download the zip file to our attacker machine, and I found a way to download it from the website interface.
Analyze the source code from the website backup file
Once we successfully download the zip file, we can extract it and investigate further.
The files stored inside the zip file look like what is shown above.
Sadly, nothing looks interesting to me at all.
After looking into all the hidden files stored inside the zip file, I noticed one XML file, .old-conf.xml, which we can investigate further.
At last, we managed to retrieve a potential username and password that we can use to access the machine.
Finally, we have successfully retrieved the credentials: Raven as the username and R4v3nBe5tD3v as Raven’s password.
As a result, we managed to access the machine via evil-winrm using the credentials we found earlier.
We can read the user flag by typing the “type user.txt” command.
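The credentials above survived only because a hidden .old-conf.xml was left inside a backup archive that ended up under the web root. As an added example (not code from the original walkthrough), the script below is the check a defender would run over such an archive before it is ever placed on a server: it builds a small constructed zip in memory (the file names, host and placeholder password are made up and are not the real machine's), then walks every member, including dotfiles that a casual listing skips, and reports where credential-looking values sit without printing the values themselves.

```python
"""Audit a web-server backup archive for leftover credential files.

Added example, not part of the original walkthrough. The sample archive is
constructed in memory; every name and value in it is a placeholder.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Element/attribute/key names that usually carry a secret.
CRED_NAME = re.compile(r"pass(word|wd)?|pwd|secret|token|api[_-]?key|connectionstring", re.I)
CONFIG_SUFFIXES = (".xml", ".config", ".conf", ".ini", ".json", ".yml", ".yaml", ".env")


def build_sample_backup():
    """Constructed sample archive; nothing here comes from the real machine."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("website-backup/index.html", "<html><body>Manager</body></html>")
        zf.writestr("website-backup/css/site.css", "body { margin: 0; }")
        zf.writestr("website-backup/web.config",
                    '<?xml version="1.0"?><configuration><system.webServer/></configuration>')
        zf.writestr("website-backup/.old-conf.xml",
                    '<?xml version="1.0"?><conf><server><host>dc.example.test</host>'
                    '<user>svc_web</user><password>PLACEHOLDER_PASSWORD</password>'
                    '</server></conf>')
    return buf.getvalue()


def credential_locations(data):
    """Yield element/attribute names that look like secrets and carry a value.
    Files that are not well-formed XML fall back to a key=value / key: value scan."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        text = data.decode("utf-8", "replace")
        for lineno, line in enumerate(text.splitlines(), 1):
            key = line.split("=", 1)[0].split(":", 1)[0]
            if ("=" in line or ":" in line) and CRED_NAME.search(key):
                yield f"line {lineno}"
        return
    for elem in root.iter():
        tag = elem.tag.rsplit("}", 1)[-1]          # drop any XML namespace prefix
        if CRED_NAME.search(tag) and (elem.text or "").strip():
            yield f"<{tag}>"
        for attr, value in elem.attrib.items():
            if CRED_NAME.search(attr) and value.strip():
                yield f"<{tag} {attr}=...>"


def audit_backup(zip_bytes):
    """Return one finding per credential-looking value, never the value itself."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            basename = info.filename.rsplit("/", 1)[-1]
            hidden = basename.startswith(".")
            # Dotfiles are always inspected; other members only if they look like config.
            if not (hidden or basename.lower().endswith(CONFIG_SUFFIXES)):
                continue
            for where in credential_locations(zf.read(info.filename)):
                findings.append({"member": info.filename, "hidden": hidden, "location": where})
    return findings


if __name__ == "__main__":
    for f in audit_backup(build_sample_backup()):
        flag = " (hidden file)" if f["hidden"] else ""
        print(f"{f['member']}{flag}: credential-looking value at {f['location']}")
```

The point of inspecting every dotfile regardless of suffix is exactly the miss described above: a listing that filters on extension or skips hidden names never shows .old-conf.xml, while a backup that is about to be published to inetpub should be treated as public the moment it lands there.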
Escalate to Root Privileges Access on the Manager machine
We should upload the certify.exe file to the victim’s machine, found here.
We should be able to find whether the Windows machine is vulnerable to anything by entering the command above.
However, I found something that looked suspicious: the CA access rights allow ManageCA.
After doing some research on the ManageCA vulnerability, I found a few sources we can use to escalate further.
The only source that looked useful to me was HackTricks.
We can use the same command that we found on the HackTricks website earlier.
However, we cannot request the TGT due to an error saying “KRB_AP_ERR_SKEW(Clock skew too great)”.
To fix the issue above, we need to update the time on our attacker machine by running the command above.
Boom! We managed to retrieve the NT hash after solving the issue above.
Therefore, let’s access the machine as Administrator with the hash we found earlier.
We can read the root flag by typing the “type root.txt” command.
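The KRB_AP_ERR_SKEW error above was predictable from the very first scan: every ssl-date line reports the target about seven hours ahead of the scanner, and Kerberos tolerates only five minutes of skew by default. As an added example (not code from the original walkthrough), the script below pulls those skew observations out of nmap output and says whether Kerberos would reject a request at that offset; the sample text is copied from the scan earlier on this page, and the five-minute limit is the default Kerberos tolerance, not a value taken from the page.

```python
"""Check nmap clock-skew observations against the Kerberos tolerance.

Added example, not part of the original walkthrough. Parses nmap's duration
notation ("+7h00m01s", "7h00m00s", "-30s") from ssl-date and clock-skew lines.
"""
import re
from datetime import timedelta

# Default maximum clock skew accepted by Kerberos clients and KDCs (assumed default).
KERBEROS_MAX_SKEW = timedelta(minutes=5)

# Lines copied from the nmap output earlier on this page.
SAMPLE_SCAN = """\
|_ssl-date: 2023-10-27T17:15:01+00:00; +7h00m01s from scanner time.
|_ssl-date: 2023-10-27T17:15:00+00:00; +7h00m00s from scanner time.
|_clock-skew: mean: 7h00m00s, deviation: 0s, median: 6h59m59s
"""

DURATION = r"[+-]?(?:\d+h)?(?:\d+m)?\d+s"
SSL_DATE_RE = re.compile(rf"ssl-date:.*?;\s*({DURATION}) from scanner time")
CLOCK_SKEW_RE = re.compile(rf"clock-skew:\s*mean:\s*({DURATION})")
PARTS_RE = re.compile(r"([+-]?)(?:(\d+)h)?(?:(\d+)m)?(\d+)s")


def to_timedelta(token):
    """Convert nmap's duration notation to a signed timedelta."""
    m = PARTS_RE.fullmatch(token)
    if not m:
        raise ValueError(f"not an nmap duration: {token!r}")
    sign, hours, minutes, seconds = m.groups()
    delta = timedelta(hours=int(hours or 0), minutes=int(minutes or 0), seconds=int(seconds))
    return -delta if sign == "-" else delta


def collect_skews(scan_text):
    """Return every skew reported in the scan text, in order of appearance."""
    skews = []
    for line in scan_text.splitlines():
        m = SSL_DATE_RE.search(line) or CLOCK_SKEW_RE.search(line)
        if m:
            skews.append(to_timedelta(m.group(1)))
    return skews


def kerberos_rejects(skew):
    """True when a ticket request at this offset would fail with KRB_AP_ERR_SKEW."""
    return abs(skew) > KERBEROS_MAX_SKEW


def worst_skew(scan_text):
    """Largest absolute skew seen in the scan (zero if none was reported)."""
    skews = collect_skews(scan_text)
    return max(skews, key=abs) if skews else timedelta(0)


if __name__ == "__main__":
    skew = worst_skew(SAMPLE_SCAN)
    print(f"largest observed skew: {skew} -> Kerberos rejects: {kerberos_rejects(skew)}")
```

On the defensive side the same number is a monitoring signal: a domain controller that drifts hours from its peers breaks Kerberos for legitimate clients long before anyone notices, so alerting on skew beyond the tolerance is cheap and useful.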
Extra Information
We managed to find all the hashes by running the secretsdump command above.
By using the command above, we can also obtain root-privilege access to the machine.