๐Ÿƒโ€โ™‚๏ธEscape

Escape is a Medium difficulty Windows Active Directory machine

Enumeration

This is a Windows machine with MSSQL installed

Enumerating shares we find a Public directory

Inside we find a PDF with MSSQL credentials

The credentials work

Unfortunately we cannot enable xp_cmdshell

We can try to steal an NTLMv2 hash by running Responder and forcing the MSSQL server to authenticate to us

And we can crack it

ADCS Privilege escalation

We can see in the Nmap scan that this is also an ADCS server

We can try to enumerate vulnerable certificate templates

But we don't find anything useful

We log in with WinRM, check the MSSQL directory and find a log file containing a mistyped password from the user Ryan.Cooper
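The log-file finding above is a classic credential-hygiene failure: a user types their password into the login-name field, SQL Server faithfully records "Logon failed for user '<password>'", and anyone who can read the ERRORLOG now has the secret. Below is an added example (not from the original writeup, and not a tool the author used) of a small defensive scanner for this pattern. The log lines, the domain `corp.example`, the client addresses and the bogus "user" value are all constructed; the line format follows the standard SQL Server ERRORLOG layout. The scanner deliberately reports only the line number, client and the likely owning account, never the suspected secret itself, so the report can be filed without re-leaking the password.

```python
import re

# Constructed sample of SQL Server ERRORLOG lines (not taken from the original page).
# Line 2 shows the pattern described in the writeup: a password typed into the
# login-name field is logged as a "user" that does not exist.
SAMPLE_ERRORLOG = """\
2023-02-01 18:43:20.91 Logon       Logon failed for user 'corp.example\\Ryan.Cooper'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2023-02-01 18:43:24.12 Logon       Logon failed for user 'Wint3r-Sn0w!2023'. Reason: Could not find a login matching the name provided. [CLIENT: 10.0.0.5]
2023-02-01 18:43:30.40 Logon       Login succeeded for user 'corp.example\\Ryan.Cooper'. Connection made using Windows authentication. [CLIENT: 10.0.0.5]
2023-02-01 19:02:11.03 Logon       Logon failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.9]
2023-02-01 19:05:00.00 Logon       Logon failed for user 'svc_backup'. Reason: Could not find a login matching the name provided. [CLIENT: 10.0.0.9]
"""

# Matches only failed-logon lines; successful logons and other messages are skipped.
FAILED_LOGON_RE = re.compile(
    r"^(?P<ts>\S+ \S+) Logon\s+Logon failed for user '(?P<user>[^']*)'\. "
    r"Reason: (?P<reason>[^.]+)\. \[CLIENT: (?P<client>[^\]]+)\]$"
)
# What a login name may look like: optional DOMAIN\ prefix, then letters, digits,
# dot, underscore, hyphen or $ (machine accounts). Anything else is not an account name.
LOGIN_NAME_RE = re.compile(r"^(?:[A-Za-z0-9][A-Za-z0-9.-]*\\)?[A-Za-z0-9][A-Za-z0-9._$-]*$")
UNKNOWN_LOGIN = "Could not find a login matching the name provided"


def scan_errorlog(text):
    """Return one finding per failed logon whose 'user' is not a plausible login name.

    A finding carries the line number, the client address, the most recent real
    account that failed from the same client (the probable owner of the secret)
    and the length of the suspect value, but never the value itself.
    """
    last_real_user_by_client = {}
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = FAILED_LOGON_RE.match(line)
        if not m:
            continue
        user, reason, client = m["user"], m["reason"], m["client"]
        if reason == UNKNOWN_LOGIN and not LOGIN_NAME_RE.match(user):
            findings.append({
                "line_no": line_no,
                "client": client,
                "likely_account": last_real_user_by_client.get(client),
                "secret_length": len(user),  # enough to triage without echoing the secret
            })
        else:
            # A plausible account name, even if unknown to SQL Server, is a normal failure.
            last_real_user_by_client[client] = user
    return findings


if __name__ == "__main__":
    for f in scan_errorlog(SAMPLE_ERRORLOG):
        print(f"line {f['line_no']}: possible password logged as login name from "
              f"{f['client']} (likely account {f['likely_account']}, "
              f"{f['secret_length']} chars)")
```

The heuristic is intentionally narrow (an unknown login whose name contains characters no account name would) so it produces few false positives; a matching line should trigger a password reset for the likely account and a purge or restricted ACL on the ERRORLOG, which by default is readable by more principals than the passwords it can contain deserve.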

The credentials are correct

With the new credentials we find a vulnerable certificate template

We can request a certificate for any user in the domain without approval
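A template that lets the requester pick the subject, needs no approval and carries a logon-capable EKU is the misconfiguration class usually labelled ESC1. The check below is an added example of how a defender would audit for it from exported template attributes; it is not code from the writeup and not the output of any specific tool. The template records and their names (`CorpUserAuth`, `WebServer-Legacy`, `VPN-Approved`, `AdminUserAuth`) are constructed; the field names are simplified stand-ins for the msPKI attributes a real export would carry, and the EKU OIDs are the standard ones.

```python
# Extended key usages that allow a certificate to be used to log on as its subject.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}
# Principals that in practice mean "everyone in the domain".
LOW_PRIV_PRINCIPALS = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}

# Constructed template records (simplified view of msPKI-* attributes; not from the page).
SAMPLE_TEMPLATES = [
    {   # CA builds the subject from AD, so the requester cannot name someone else: fine
        "name": "User", "enrollee_supplies_subject": False, "manager_approval": False,
        "authorized_signatures": 0, "ekus": ["1.3.6.1.5.5.7.3.2"],
        "enroll_principals": ["Domain Users"],
    },
    {   # Requester picks the subject but the EKU cannot be used for logon: fine
        "name": "WebServer-Legacy", "enrollee_supplies_subject": True, "manager_approval": False,
        "authorized_signatures": 0, "ekus": ["1.3.6.1.5.5.7.3.1"],
        "enroll_principals": ["Domain Computers"],
    },
    {   # All conditions hold: any domain user can obtain a logon cert for any subject
        "name": "CorpUserAuth", "enrollee_supplies_subject": True, "manager_approval": False,
        "authorized_signatures": 0, "ekus": ["1.3.6.1.5.5.7.3.2"],
        "enroll_principals": ["Domain Users"],
    },
    {   # Same template shape but a CA manager must approve each request: fine
        "name": "VPN-Approved", "enrollee_supplies_subject": True, "manager_approval": True,
        "authorized_signatures": 0, "ekus": ["1.3.6.1.5.5.7.3.2"],
        "enroll_principals": ["Domain Users"],
    },
    {   # Only Domain Admins may enroll, so there is no privilege gained: not flagged here
        "name": "AdminUserAuth", "enrollee_supplies_subject": True, "manager_approval": False,
        "authorized_signatures": 0, "ekus": ["1.3.6.1.5.5.7.3.2"],
        "enroll_principals": ["Domain Admins"],
    },
]


def permits_logon(ekus):
    # An empty EKU list means the certificate is unrestricted, which includes logon.
    return not ekus or bool(AUTH_EKUS & set(ekus))


def audit_template(t):
    """Return the list of conditions that together make `t` abusable for impersonation,
    or an empty list when any one of them is absent (no single condition is enough)."""
    conditions = [
        (t["enrollee_supplies_subject"], "requester chooses the subject / SAN"),
        (not t["manager_approval"], "no CA manager approval"),
        (t["authorized_signatures"] == 0, "no enrollment-agent signature required"),
        (permits_logon(t["ekus"]), "EKU permits client logon"),
        (bool(LOW_PRIV_PRINCIPALS & set(t["enroll_principals"])),
         "enrollable by low-privileged principals"),
    ]
    return [why for _, why in conditions] if all(ok for ok, _ in conditions) else []


def audit_templates(templates):
    return [{"template": t["name"], "reasons": r}
            for t in templates if (r := audit_template(t))]


if __name__ == "__main__":
    for f in audit_templates(SAMPLE_TEMPLATES):
        print(f["template"] + ": " + "; ".join(f["reasons"]))
```

Because every condition must hold, breaking any one of them closes the hole: the least disruptive fixes are to enable CA manager approval on the template or to stop letting the enrollee supply the subject so the CA fills the SAN from the requesting account. The audit ignores templates that are only enrollable by already-privileged groups, which is the right call for prioritisation but still worth a second look in a real review.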

We cannot directly request the Administrator's NT hash

We need to use PassTheCert

Now we can authenticate with WinRM using the new password
