Manager - Hack The Box
Enumeration
Nmap
The initial Nmap scan revealed HTTP, SMB, LDAP, Kerberos, MSSQL and WinRM ports.
RID Brute Forcing
I tried an anonymous ldapsearch and an SMB null session, which did not reveal anything. Then I did vhost and directory enumeration for the HTTP site, and that also revealed nothing.
After some searching, I found that it is possible to brute force RIDs if the SMB null session has read access to IPC$. So I did that and created a user list.
Exploitation
Brute Force
Then, using the user list, I created a password list that includes the usernames themselves and the usernames reversed.
Using these credentials I ran a brute-force attack against SMB. (At first I tried it with kerbrute, which did not reveal anything useful.)
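The SMB brute force above is a password spray: few candidate passwords tried against many accounts from one source. The following is an added detection example, not part of the original write-up; the log format, source addresses and account names are constructed for illustration, and a real deployment would feed it from Windows 4625 or SMB logon-failure events. It flags sources that fail against many distinct accounts inside a short window, then lists the accounts that source subsequently logged on to successfully.

```python
"""Password-spray detection over constructed authentication-failure records.

Added example (not part of the original write-up). The log format, source
addresses and account names below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: timestamp,source,target_account,outcome (one event per line).
# 10.10.14.5 fails against five different accounts in seconds, then succeeds
# against a sixth; 10.10.14.9 is a single user mistyping their own password.
SAMPLE_LOG = """\
2024-01-01T10:00:01,10.10.14.5,user01,FAILURE
2024-01-01T10:00:02,10.10.14.5,user02,FAILURE
2024-01-01T10:00:03,10.10.14.5,user03,FAILURE
2024-01-01T10:00:04,10.10.14.5,user04,FAILURE
2024-01-01T10:00:05,10.10.14.5,user05,FAILURE
2024-01-01T10:00:06,10.10.14.5,user06,SUCCESS
2024-01-01T10:30:00,10.10.14.9,user07,FAILURE
2024-01-01T10:45:00,10.10.14.9,user07,FAILURE
"""


def parse_log(text):
    """Turn the CSV-style sample into a list of event dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, account, outcome = line.split(",")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "src": src,
            "account": account,
            "outcome": outcome,
        })
    return events


def detect_spray(events, window=timedelta(minutes=5), min_accounts=5):
    """Return {source: set(accounts)} for every source whose failures hit at
    least `min_accounts` distinct accounts inside any `window`-long interval.

    A spray is 'few passwords, many users', so the signal is distinct target
    accounts per source, not failures per account (which lockout policy
    already covers)."""
    by_source = defaultdict(list)
    for ev in events:
        if ev["outcome"] == "FAILURE":
            by_source[ev["src"]].append((ev["ts"], ev["account"]))

    alerts = {}
    for src, fails in by_source.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # advance the window start until the oldest failure fits the window
            while fails[end][0] - fails[start][0] > window:
                start += 1
            accounts = {acct for _, acct in fails[start:end + 1]}
            if len(accounts) >= min_accounts:
                alerts[src] = accounts
                break
    return alerts


def successes_after_spray(events, alerts):
    """(source, account) pairs where a spraying source later logged on
    successfully: the accounts to treat as compromised first."""
    first_fail = {}
    for ev in events:
        if ev["src"] in alerts and ev["outcome"] == "FAILURE":
            first_fail.setdefault(ev["src"], ev["ts"])
    hits = set()
    for ev in events:
        src = ev["src"]
        if src in alerts and ev["outcome"] == "SUCCESS" and ev["ts"] >= first_fail[src]:
            hits.add((src, ev["account"]))
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    found = detect_spray(evs)
    for src, accts in found.items():
        print(f"spray from {src}: {len(accts)} accounts targeted")
    for src, acct in sorted(successes_after_spray(evs, found)):
        print(f"successful logon after spray: {acct} from {src}")
```

The second source in the sample (one account, two failures fifteen minutes apart) never trips the rule, which is the point: per-account failure counts are what lockout policy handles, while a spray stays under the per-account threshold and only shows up when you pivot on distinct accounts per source.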
MSSQL Client
After finding the valid password I checked the SMB shares, but none of them were useful. So I then tried to log in to MSSQL with ‘mssqlclient.py’ using the windows-auth option and got inside.
I then tried xp_cmdshell, which was blocked. I used xp_dirtree to capture a hash with Responder, but it belonged to a machine account, so I could not do anything useful with it.
Then, again using xp_dirtree, I simply enumerated the files. I got access to the inetpub folder and, enumerating it, found a website backup zip file.
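Both MSSQL steps above leave a clear trace in a statement capture: a blocked xp_cmdshell attempt, an xp_dirtree call with a UNC path (which makes the SQL Server service account authenticate outbound to that host, which is how the hash was captured), and xp_dirtree calls with local paths used purely for file enumeration. The following is an added detection example, not part of the original write-up; the statement log format, logins and paths are constructed, and a real source would be an Extended Events or SQL Audit capture of executed batches.

```python
"""Flag risky extended stored procedure calls in captured T-SQL statements.

Added example (not part of the original write-up). The statement log format,
logins and paths below are constructed for illustration.
"""
import re

# Constructed sample: "<timestamp> <login> <statement>" per line.
SAMPLE_STATEMENTS = r"""
2024-01-01T11:00:00 CORP\svc_sql EXEC master..xp_cmdshell 'whoami'
2024-01-01T11:00:05 CORP\svc_sql EXEC master..xp_dirtree '\\10.10.14.5\share', 1, 1
2024-01-01T11:01:00 CORP\svc_sql EXEC master..xp_dirtree 'C:\inetpub\wwwroot', 1, 1
2024-01-01T11:02:00 CORP\app_user SELECT name FROM sys.databases
"""

# Extended procedures that take a path and make the SQL Server service account
# touch the file system (and authenticate outbound when the path is a UNC).
PROC_RE = re.compile(
    r"\b(xp_cmdshell|xp_dirtree|xp_fileexist|xp_subdirs)\s*'([^']*)'",
    re.IGNORECASE,
)
# \\host\share... -> capture the host
UNC_RE = re.compile(r"^\\\\([^\\]+)\\")


def classify(proc, arg):
    """Map a procedure name and its first string argument to (category, target_host)."""
    proc = proc.lower()
    if proc == "xp_cmdshell":
        return "command_execution", None
    m = UNC_RE.match(arg)
    if m:
        # A UNC target forces the service account to authenticate to that host.
        return "outbound_auth", m.group(1)
    return "filesystem_enumeration", None


def scan_statements(text):
    """Return one finding dict per statement that calls a watched procedure."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, login, statement = line.split(" ", 2)
        m = PROC_RE.search(statement)
        if not m:
            continue
        category, host = classify(m.group(1), m.group(2))
        findings.append({
            "ts": ts,
            "login": login,
            "proc": m.group(1).lower(),
            "arg": m.group(2),
            "category": category,
            "target_host": host,
        })
    return findings


if __name__ == "__main__":
    for f in scan_statements(SAMPLE_STATEMENTS):
        extra = f" -> {f['target_host']}" if f["target_host"] else ""
        print(f"{f['ts']} {f['login']} {f['proc']} [{f['category']}]{extra}")
```

The outbound_auth category is the one worth paging on: a SQL service account authenticating to an arbitrary host is rarely legitimate. Keeping xp_cmdshell disabled with sp_configure, restricting EXECUTE on the file-system extended procedures to the roles that need them, and blocking SMB egress from the database host all remove the paths this write-up relied on.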
Got The User
So I simply downloaded it and checked all the files, including hidden ones. One of them revealed the password for the user raven.
And using evil-winrm I got the user flag.
Privilege Escalation
I then used BloodHound and winPEAS but could not find anything useful. The only useful piece of information was the network-listening service certsrv.
So I thought the machine might be about Active Directory Certificate Services, and I ran certipy.
The machine was vulnerable to ESC7 (abusable ManageCA / ManageCertificates rights on the certificate authority).
By following the official wiki I was able to get the administrator hash, and I logged in using psexec.py.
Pwned
The machine was pwned.