Thanks to visit codestin.com
Credit goes to www.scribd.com

Scribd
Upload
12K views8 pages

EscapeTwo HTB Writeup

The EscapeTwo HTB writeup details the process of exploiting a Windows machine starting with provided credentials for the user 'rose'. It covers various techniques including SMB enumeration, MSSQL access, and exploiting DACLs to gain higher privileges and ultimately access the root flag. The writeup emphasizes the use of tools like bloodyAD and certipy-ad for privilege escalation and authentication.

Uploaded by

https://apedesigns.fun/
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
12K views8 pages

EscapeTwo HTB Writeup

The EscapeTwo HTB writeup details the process of exploiting a Windows machine starting with provided credentials for the user 'rose'. It covers various techniques including SMB enumeration, MSSQL access, and exploiting DACLs to gain higher privileges and ultimately access the root flag. The writeup emphasizes the use of tools like bloodyAD and certipy-ad for privilege escalation and authentication.

Uploaded by

https://apedesigns.fun/
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 8

EscapeTwo HTB Writeup

HTB machine link:

https://app.hackthebox.com/machines/EscapeTwo

Recon Link to heading

From the description of the machine, we have already been given a basic account to start with: “As is common in real life Windows pentests, you will
start this box with credentials for the following account: rose / KxEPkKe6R8su”

rose
KxEPkKe6R8su

Let’s scan open ports, here we have everything standard for windows machine

Let’s start by checking the credential given to us for validity and add the resulting domain name sequel.htb to /etc/hosts/

echo "10.10.11.51 sequel.htb" | sudo tee -a /etc/hosts

User flag Link to heading


Let’s try a basic smb enumeration

You can log in via smbclient

Looking through the catalogues, we find the Accounting Department we are interested in. We need to download it using the get command and then
unpack it.
smbclient //10.10.11.51/Accounting\ Department -U rose --option='client min protocol=SMB2'

Inside will be user credentials that we can use later.


The sa account is the default admin account for connecting and managing the MSSQL database. Checking showed that the account is valid, let’s try to
use mssqlclient from impacket to log in.

Great, now we are sa!) By default, the xp_cmdshell stored procedure is disabled in MSSQL, but we can enable it and enjoy all its benefits.

Be sure to scour the host for anything useful. For example, it has notable files for MSSQL deployment.
Save SQLSVCPASSWORD, we will need it later.

The most useful thing we can do is to catch the reverse shell on our listener. The example below uses PowerShell load encoded in base64.
At the moment we are the sql_svc user. He has certain privileges, e.g. he can run winPEAS and quickly gather key information about the system.

One of the interesting points is the information that only three users have ever been authorised in the system - sql_svc, Administrator and ryan (sorry,
not Gosling). It’s not hard to guess that getting this user authorised will be our next vector.

By trial and error it was determined that to authenticate under the user ryan it is enough just to find a password for him from the list of all passwords
previously collected in the system.

This way we can authenticate to the server under the user ryan. On the user’s desktop we take the user flag.
Root flag Link to heading

Next, consider the exploitation of Discretionary Access Control Lists (DACLs) using the WriteOwner permission. Abuse of the WriteOwner
permission can lead to a change of the object’s owner to a user controlled by an attacker (in this case, ryan) and capture the object.

Bloodhound report contributed to finding the vector.

In the diagram we can clearly see that due to WriteOwner rights of user ryan it is possible to boot the ca_svc account.

The following are the commands that will help us take control of ca_svc

Use bloodyAD to change the owner of the ca_svc object to the user ryan:
bloodyAD --host {host name} -d {domain name} -u {user} -p {password} set owner ca_svc ryan

Next, set FullControl permissions for ryan. Now we will be able to control the object from this user, including the ability to modify and delete it.
dacledit.py -action 'write' -rights 'FullControl' -principal '{user}' -target 'ca_svc' '{domain name}'/'{user}':'{password}'

The following certipy-ad command to automatically abuse the shadow account ca_svc. We connect to the domain controller by IP address (-dc-ip) and
use the specified credentials for authentication.
certipy-ad shadow auto -u {user}@{domain} -p '{pass}' -dc-ip {ip} -ns {ip} -target {ip} -account ca_svc
Next, we look for vulnerabilities in the target host using Kerberos authentication.

KRB5CCNAME=$PWD/ca_svc.ccache certipy-ad find -scheme ldap -k -debug -target {host name} -dc-ip {ip} -vulnerable -stdout

The command below creates a certificate request using the DunderMifflinAuthentication template.
KRB5CCNAME=$PWD/ca_svc.ccache certipy-ad template -k -template DunderMifflinAuthentication -target {host name} -dc-ip {ip}

This command creates a certificate request for the ca_svc account using the specified hashes and template:
certipy-ad req -u ca_svc -hashes :hashes -ca sequel-DC01-CA -target {host} -dc-ip {ip} -template DunderMifflinAuthentication
Now it’s just a matter of authenticating the user using the PFX file that was obtained the step before:
certipy-ad auth -pfx {some.pfx} -dc-ip {ip}

In return, we get a hash.

All that remains is to use evil-winrm and a fresh administrator hash. The root flag will be waiting for us on the desktop.

You might also like