{"id":646,"date":"2026-05-06T01:04:16","date_gmt":"2026-05-06T01:04:16","guid":{"rendered":"https:\/\/thecyberstaff.com\/?p=646"},"modified":"2026-05-06T01:08:28","modified_gmt":"2026-05-06T01:08:28","slug":"manager-hackthebox","status":"publish","type":"post","link":"https:\/\/thecyberstaff.com\/?p=646","title":{"rendered":"Manager- Hackthebox"},"content":{"rendered":"\n

I started with a full port scan using my Nmap automation script. https:\/\/github.com\/HutchSec\/portScan<\/a><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

The scan revealed several interesting services including SMB, MSSQL, WinRM, and HTTP.
<\/p>\n\n\n\n

SMB Enumeration \u2014 RID Cycling<\/strong><\/p>\n\n\n\n

Anonymous SMB access was enabled, which allowed RID cycling attacks using Impacket\u2019s lookupsid.py<\/code>. This exposed valid domain usernames.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

<\/p>\n\n\n\n

Password Spraying \u2014 User-as-Password<\/strong><\/p>\n\n\n\n

With a list of usernames, I performed a simple password spray using the classic username:username<\/code> approach.<\/p>\n\n\n\n

This successfully identified valid credentials for the operator<\/code> account.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

MSSQL Access<\/strong><\/p>\n\n\n\n

Using the discovered credentials, I authenticated to MSSQL with Impacket. While enumerating the server, I found a website backup archive containing application files.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Configuration File Loot<\/strong><\/p>\n\n\n\n

Inside the backup, I discovered plaintext credentials stored in a configuration file.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

WinRM Access<\/strong><\/p>\n\n\n\n

The recovered credentials provided remote access over WinRM.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Privilege Escalation \u2014 AD CS ESC7<\/strong><\/p>\n\n\n\n

Enumeration revealed a vulnerable Active Directory Certificate Services configuration vulnerable to ESC7 abuse.<\/p>\n\n\n\n

I added the raven account as a Certificate Authority officer.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Next, I approved the pending certificate request and retrieved a certificate for the Administrator account.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

Kerberos Time Synchronization<\/strong><\/p>\n\n\n\n

When attempting certificate authentication, Kerberos rejected the request due to clock skew.<\/p>\n\n\n\n

I synchronized my attack VM\u2019s time with the domain controller. After syncing time, I authenticated with the generated Administrator certificate and extracted the NTLM hash.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Root Access<\/strong><\/p>\n\n\n\n

Using the recovered Administrator hash, I obtained full administrative access to the target and completed the box.<\/p>\n\n\n\n

\"\"<\/figure>\n","protected":false},"excerpt":{"rendered":"

I started with a full port scan using my Nmap automation script. https:\/\/github.com\/HutchSec\/portScan The scan revealed several interesting services including SMB, MSSQL, WinRM, and HTTP. SMB Enumeration \u2014 RID Cycling Anonymous SMB access was enabled, which allowed RID cycling attacks using Impacket\u2019s lookupsid.py. This exposed valid domain usernames. Password Spraying […]<\/p>\n","protected":false},"author":1,"featured_media":664,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,4],"tags":[],"class_list":["post-646","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","category-pentesting"],"brizy_media":[],"_links":{"self":[{"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/posts\/646","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=646"}],"version-history":[{"count":1,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/posts\/646\/revisions"}],"predecessor-version":[{"id":663,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/posts\/646\/revisions\/663"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/media\/664"}],"wp:attachment":[{"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=646"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=646"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=646"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}