HTB Retired Machine: Escape (Windows — Medium)
We will start off with an nmap port scan
Now we will run a service/version scan against the open ports
Let’s check for any open SMB shares
With the credentials from the share, we can log into the MSSQL instance
I knew that enabling xp_cmdshell would fail, but it is always worth trying anyway
Let’s check the version we are running
Let’s list the tables
Let’s select * from logmarkhistory
With no data in any of the tables, let's spin up Responder and see if we can capture a Net-NTLMv2 hash for the SQL service account
We will use xp_dirtree with a UNC path pointing at our machine, which makes the SQL service account authenticate to our SMB listener
Now we will use hashcat (mode 5600, NetNTLMv2) to crack it
sql_svc password: REGGIE1234ronnie
Since WinRM is running on the machine, let’s login via evil-winrm
We’ll check out the users on the machine
We’ll have to get a shell as Ryan
If we go into our user folder, we find an error log
Near the bottom we find what likely is Ryan’s password
Password: NuclearMosquito3
User.txt
Answer: 8523430a9ca2eff1dccf59125df410a5
Let’s add the following host names to our hosts file: dc.sequel.htb, sequel.htb, dc
Now we will run crackmapexec
We can grab Certify from the following repo
Let’s look for vulnerable templates
Per the Certify docs, we can execute scenario 3 to gain admin rights
First we create our certificate file
Now we will copy the entire contents of cert.pem (and name it as such) to our local machine
At the bottom of its output, Certify prints the openssl command to convert the PEM into a PFX (do not copy that command into cert.pem, only the key and certificate)
We will not enter a password when prompted, just press enter
Next step is to upload both the cert.pfx file and Rubeus
Now we will use Rubeus with our template name and the pfx file
Looking through the Rubeus docs, this is what we need. We also add the /nowrap and /show flags
NTLM hash: A52F78E4C751E5F5E17E1E9F3E58F4EE
Root.txt
Answer: bb5e9bcfe951ad4bee2daa1c477c6a97
Certipy can do the whole certificate step from our own machine, with no need to upload tools to the target
Let’s use the find command to look for the vulnerable template
certipy-ad find -u ryan.cooper -p NuclearMosquito3 -target sequel.htb -text -stdout -vulnerable
Now we will use the request flag to request the ticket
certipy req -u ryan.cooper -p NuclearMosquito3 -target sequel.htb -upn administrator@sequel.htb -ca sequel-dc-ca -template UserAuthentication
Now we will auth with the pfx cert
Certipy's auth step uses Kerberos, which rejects requests when our clock is more than a few minutes off from the DC's, so we need to sync our clock with the domain (might need to install ntpdate)
The sync will kill the VPN, so make sure to reconnect
It doesn't seem to sync correctly
I had to install rdate and run it together with the auth command on a single command line a few times, due to the short time sync window
With the NTLM hash, we can pass the hash with impacket's psexec.py
There’s also an exploit using a Silver Ticket method