Manager starts with a RID cycle or Kerberos brute force to find users on the domain, and then a password spray using each user’s username as their password. When the operator account hits, I’ll get access to the MSSQL database instance, and use the xp_dirtree feature to explore the file system. I’ll find a backup archive of the webserver, including an old config file with creds for a user. As that user, I’ll get access to the ADCS instance and exploit the ESC7 misconfiguration to get access as administrator.

0xdf hacks stuff

The post describes the enumeration process and exploitation steps for the HTB: Manager challenge. It covers the identification of open ports, domain information, and accessible shares. The post also explores the LDAP, SMB, and MSSQL services. Finally, it highlights the exploitation of the ESC7 vulnerability and the privilege escalation process.