HTB AD Medium: Manager

Manager is a Medium-rated Active Directory (AD) machine on Hack The Box (HTB).

Nmap

Initial Foothold

Password spraying

We can perform an RID brute-force (RID cycling) to enumerate valid users in the domain.

Save the discovered usernames to a file.

Try each username as its own password (e.g. operator:operator, raven:raven).
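The two steps above (enumerate every account, then try one guess per account) leave a distinctive trace on the domain controller: one source failing logons against many accounts, at most once or twice each, rather than hammering a single account. The following detector is an added example written for this post, not code from the original writeup; it runs over a constructed, simplified export of Windows Security failed-logon (4625) and successful-logon (4624) events whose field layout, source addresses and most usernames are assumptions made here.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export of logon events (Windows Security 4625 = failed,
# 4624 = success), one event per line. The field layout is an assumption made
# for this example; addresses and most usernames are made up.
SAMPLE_LOG = """\
2024-07-14T19:40:01Z 4625 src=10.10.14.5 user=Administrator
2024-07-14T19:40:02Z 4625 src=10.10.14.5 user=alice
2024-07-14T19:40:02Z 4625 src=10.10.14.5 user=bob
2024-07-14T19:40:03Z 4625 src=10.10.14.5 user=carol
2024-07-14T19:40:03Z 4625 src=10.10.14.5 user=raven
2024-07-14T19:40:04Z 4625 src=10.10.14.5 user=dave
2024-07-14T19:40:04Z 4625 src=10.10.14.5 user=erin
2024-07-14T19:40:05Z 4624 src=10.10.14.5 user=operator
2024-07-14T19:41:00Z 4625 src=10.10.20.9 user=raven
2024-07-14T19:41:30Z 4625 src=10.10.20.9 user=raven
2024-07-14T19:42:00Z 4625 src=10.10.20.9 user=raven
2024-07-14T19:42:30Z 4625 src=10.10.20.9 user=raven
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>4624|4625) src=(?P<src>\S+) user=(?P<user>\S+)$"
)


def parse_events(text):
    """Parse the simplified export into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({
                "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                "event": int(m["event"]),
                "src": m["src"],
                "user": m["user"].lower(),
            })
    return events


def detect_spray(events, window=timedelta(minutes=5), min_users=5, max_per_user=2):
    """Flag sources whose failed logons hit at least `min_users` distinct accounts
    inside `window`, with no account tried more than `max_per_user` times: the
    low-and-wide shape of a spray, as opposed to a brute force of one account
    (which the second source in SAMPLE_LOG shows and which is not flagged here).
    Successful logons from the same source inside the window are reported too,
    because a spray that succeeds is the case worth paging on."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)
    hits = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until evs[start..end] fits in `window`
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            failures = defaultdict(int)
            successes = set()
            for e in evs[start:end + 1]:
                if e["event"] == 4625:
                    failures[e["user"]] += 1
                else:
                    successes.add(e["user"])
            if len(failures) >= min_users and max(failures.values()) <= max_per_user:
                best = hits.get(src)
                # later windows of equal width win, so a trailing success is kept
                if best is None or len(failures) >= len(best["sprayed"]):
                    hits[src] = {"sprayed": sorted(failures), "succeeded": sorted(successes)}
    return hits


if __name__ == "__main__":
    for src, info in detect_spray(parse_events(SAMPLE_LOG)).items():
        print(f"{src}: sprayed {len(info['sprayed'])} accounts; "
              f"successes: {info['succeeded'] or 'none'}")
```

The thresholds are deliberately parameters: a helpdesk subnet that legitimately fails logons for many users will need a higher `min_users` or an allowlist, and the `max_per_user` cap is what keeps a single-account brute force from showing up as a spray.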

Now that we know the credentials authenticate over SMB, we can try them against MSSQL.

Log into the MSSQL server using the operator credentials.

We can use the xp_dirtree stored procedure to list files on the server.

We can download backup.zip from the website.

After unzipping the backup we find credentials in the old config file: raven:R4v3nBe5tD3veloP3r!123.
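The foothold here comes from a backup archive sitting in the web root with an old config file that still holds a live credential. The check below is an added example, not code from the original writeup: it walks a web root, opens every zip it finds in memory, and reports credential-looking assignments in config-like members, recording the key, member and line but never the value. The fixture web root, the archive layout and the placeholder connection string are all constructed for this example.

```python
import io
import re
import tempfile
import zipfile
from pathlib import Path

ARCHIVE_EXT = {".zip"}
CONFIG_EXT = {".config", ".xml", ".ini", ".env", ".json", ".yml", ".yaml", ".txt"}
# key=value or key: value pairs whose key looks like a credential
SECRET_RE = re.compile(
    r'(?i)\b(password|passwd|pwd|secret|apikey|api_key|token)\b\s*[=:]\s*["\']?([^"\'\s;<]+)'
)


def scan_archive(data, archive_name):
    """Open a zip held in memory and report credential-looking assignments in any
    config-like member. Only the key, member and line number are recorded, never
    the value, so the report does not become a second copy of the secret."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or Path(info.filename).suffix.lower() not in CONFIG_EXT:
                continue
            text = zf.read(info).decode("utf-8", errors="replace")
            for lineno, line in enumerate(text.splitlines(), 1):
                for m in SECRET_RE.finditer(line):
                    findings.append({
                        "archive": archive_name,
                        "member": info.filename,
                        "line": lineno,
                        "key": m.group(1).lower(),
                    })
    return findings


def scan_webroot(root):
    """Walk a web root and scan every archive found under it."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_EXT:
            findings.extend(scan_archive(path.read_bytes(), str(path.relative_to(root))))
    return findings


def build_sample_webroot():
    """Constructed fixture: a temporary web root holding backup.zip, which contains
    an old config with a database connection string. The password is a placeholder."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    old_config = (
        '<connectionStrings>\n'
        '  <add name="db" connectionString="Server=.;User Id=svc_web;Password=EXAMPLE_NOT_REAL" />\n'
        '</connectionStrings>\n'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("site/old.config", old_config)
        zf.writestr("site/index.html", "<html></html>\n")
    (root / "backup.zip").write_bytes(buf.getvalue())
    return root


if __name__ == "__main__":
    for f in scan_webroot(build_sample_webroot()):
        print(f"{f['archive']}:{f['member']}:{f['line']} credential key '{f['key']}'")
```

Run as a scheduled job against the real web root (pass its path to `scan_webroot`), any hit is a file that should not be served at all; the fix is to move backups out of the document root and rotate whatever the old config contained.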

We can use these credentials to get a shell with evil-winrm.

Priv Esc

Upload Certify.exe to abuse AD CS.

Request the administrator's certificate with the commands documented on HackTricks.

Now that we have the administrator's certificate, we can request the administrator hash (sync the clock with the DC first, since Kerberos rejects requests with too much clock skew).

We can gain a shell using the administrator hash.
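What makes the escalation above visible on the CA is that a low-privileged account obtained a certificate whose subject names a different, privileged principal. The detector below is an added example, not code from the original writeup or from Certify: it parses a constructed export modelled loosely on Windows event 4887 (Certificate Services issued a certificate) and flags every certificate whose subject does not match the requesting account, rating it high when the subject is a privileged name. The field layout, the CORP domain, the request ids and the template names are assumptions made for this example.

```python
import re
from collections import namedtuple

Issued = namedtuple("Issued", "ts request_id requester subject template")

# Constructed sample export modelled loosely on Windows event 4887. The layout,
# the CORP domain, request ids and template names are assumptions for this example.
SAMPLE_4887 = """\
2024-07-14T19:43:10Z 4887 reqid=101 requester=CORP\\raven subject=CN=raven template=ExampleUser
2024-07-14T19:43:55Z 4887 reqid=102 requester=CORP\\raven subject=CN=Administrator template=ExampleUser
2024-07-14T19:44:02Z 4887 reqid=103 requester=CORP\\operator subject=CN=operator,OU=Staff,DC=corp template=ExampleUser
2024-07-14T19:44:40Z 4887 reqid=104 requester=CORP\\WEB01$ subject=CN=web01.corp.example template=ExampleMachine
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) 4887 reqid=(?P<rid>\d+) requester=(?P<req>\S+) "
    r"subject=(?P<subj>.+?) template=(?P<tpl>\S+)$"
)


def parse_4887(text):
    """Parse the simplified export into Issued records; non-matching lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(Issued(m["ts"], int(m["rid"]), m["req"], m["subj"], m["tpl"]))
    return records


def requester_identity(requester):
    """DOMAIN\\name -> name, lower-cased. Machine accounts drop the trailing '$'
    so they can be compared with the host name in the certificate subject."""
    name = requester.split("\\")[-1].lower()
    return name[:-1] if name.endswith("$") else name


def subject_identity(subject):
    """First CN of the subject DN, lower-cased; an FQDN reduces to its host label."""
    m = re.search(r"(?i)CN=([^,]+)", subject)
    if not m:
        return ""
    return m.group(1).strip().lower().split(".")[0]


def find_mismatches(records, privileged=("administrator",)):
    """Report certificates whose subject names a different principal than the
    account that requested them. A privileged subject is rated high; any other
    mismatch is medium, since it still means one account can now authenticate
    as another."""
    alerts = []
    for rec in records:
        req, subj = requester_identity(rec.requester), subject_identity(rec.subject)
        if subj and subj != req:
            alerts.append({
                "request_id": rec.request_id,
                "requester": rec.requester,
                "subject": rec.subject,
                "template": rec.template,
                "severity": "high" if subj in privileged else "medium",
            })
    return alerts


if __name__ == "__main__":
    for a in find_mismatches(parse_4887(SAMPLE_4887)):
        print(f"[{a['severity']}] request {a['request_id']}: {a['requester']} "
              f"was issued a certificate for {a['subject']} ({a['template']})")
```

Two caveats for a production version: the real 4887 event also carries the request attributes, where an alternate subject name may be supplied, so compare against the SAN as well as the subject CN; and the matching request (4886) and the later certificate-based Kerberos logon by the same account complete the chain from enrolment to use, which is what the "sync time with the DC" step in the writeup leads to.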

User.txt

Root.txt

You have PWNED!!!

Sources

This post is licensed under CC BY 4.0 by the author.