Machine Synopsis
Cerberus is a Hard Difficulty Windows machine that initially presents a scant range of open services. The primary point of entry is through exploiting a pre-authentication vulnerability in an outdated `Icinga` web application, which then leads to Remote Code Execution (RCE) and subsequently a reverse shell within a Linux container. Here, a `Firejail` `SUID` binary is discovered, which can be manipulated for privilege escalation inside the container using `CVE-2022-31214`. Further investigation reveals that the machine utilizes `Kerberos` authentication with `sssd`, harboring a cached credential hash. Once cracked, this credential is reused on the host machine, although this necessitates forwarding the `WinRM` port for access. Various local ports, some specific to `ADSelfService Plus`, are found active on the host machine, authenticated through `SAML`, and linked to a known CVE (`CVE-2022-47966`) with an available Metasploit module. The final hurdle involves careful enumeration of the filesystem to locate a `ManageEngine` backup, which provides the necessary data for exploiting `ADSS SAML` authentication.