- author: IppSec
"IPSec's HackTheBox Walkthrough: Escape"
In this walkthrough, we'll be exploring the "Escape" machine on HackTheBox. This is a short but sweet Windows box that involves exploiting an open SMB share to gain access to a PDF file containing credentials. From there, we'll utilize MS SQL Server and its vulnerabilities to escalate our privileges and gain administrative access.
As always, we start off with an nmap scan with the following flags:
-sC for default scripts,
-sV to enumerate versions,
-oA to output all formats, and by specifying the output directory as "escape". The target IP address is 10.10.11.202.
The nmap scan shows that 12 ports are open. Notably, we see DNS on Port 53, which identifies as "simple DNS plus," and Kerberos on Port 88, indicating a Microsoft Windows Active Directory server. We also see Microsoft SQL on Port 1433. Additionally, the domain name "sql.htb" is leaked on Port 389, allowing us to add it to our host file.
Since this is an active directory, we could start poking at SMB, but before we do that, we perform some additional reconnaissance. We try to connect to Port 3269 using HTTPS, which lets us view the certificate. The certificate's common name is "SQL dc.ca" which suggests that a domain controller certificate authority exists. This ties in with our previous discovery of a Microsoft Windows Active Directory server.
We proceed to use CrackMapExec to connect to the SMB share, and we see a DC's name and the domain name. SMB client also shows the same public SMB directory. Going into the public share, we find a PDF file that contains potential usernames and credentials. We attempt to use these credentials to authenticate, but we're unsuccessful.
Exploiting MS SQL Server
Using the valid credentials we discovered in the PDF, we try to connect to the MS SQL Server. We initially get a "login failed" error, but then we use the
--local-auth flag, and we're authenticated. We now have the ability to read files on the SQL server.
We can use Responder to steal the net NTLMv2 hash from the MS SQL server user's authentication response, crack it, and gain further privileges. Alternatively, we can use the Silver Ticket feature of Kerberos to achieve the same purpose.
Additionally, we find a vulnerable certificate template on the box, which enables us to utilize the Escalation of Privilege (EOP) technique called "Certified Pre-Owned." By exploiting the certificate template, we gain administrative access to the box.
Exploring Microsoft SQL Server Authentication Types and Privileges
When it comes to working with Microsoft SQL Server, there are different types of authentication that one can use. In this article, we'll delve into the local authentication approach and how it can help us to log in successfully.
Local Authentication for Microsoft SQL Server
Our authentication attempts to the Microsoft SQL Server initially resulted in a login failure for the user. However, with the help of the
--local-auth option, we were able to login successfully.
After successfully logging in, we used the
ms-sql-priv module to check the privileges we had on the server. Unfortunately, the module failed to provide any useful information, and we had to resort to another method.
crackmapexec to Access Microsoft SQL Server
crackmapexec tool can also be used to gain access to a Microsoft SQL Server. With it, we tried to log in as the
public user with the password
guest user, which was successful. We then used the
XP_CMD command to show who we were, but were denied permission.
Attempting to Enable XP_CMD Shell
To enable the
XP_CMD shell, we tried using the command to execute it, but we didn't have the necessary privileges. Instead, we tried to use
XP_Dirtree to access the server and manage files. We specified the IP address of the server, including a fake share. We had to ensure we specified both the directory and the file share to avoid an error message.
Responder and Password Cracking
Responder to try and get the SQL service credential from the server, so we could crack it. Although we managed to crack the password, we couldn't log in using the username and password we derived. We then tried to use tools like
Evil Winrm to gain access to the server, but these attempts did not initially work, as we found we had not installed the necessary packages.
Previewing Error Logs
We explored the error logs to see which users had failed to log in, and we noticed that users, such as
nuclear mosquito 3 and
SQL Ryan Cooper, had encountered login problems. Since we had managed to gain access to the system as an SQL service user, we decided to explore its
SQL Server directory and check the logs.
Exploiting Certificate Abuse for Privilege Escalation
On February 7th, 2023, an attack was carried out using certificate abuse to escalate privileges. The attacker began by looking at the error log and backup file and discovered that the Library XB star dll was attempting to load into memory, which was an unknown file. Above that, the login field for the user SQL Ryan Cooper was seen, where he had incorrectly typed his password. The attacker attempted to log in with Ryan's credentials, and upon succeeding, they were able to use the ticket to authenticate as administrator.
The attack proceeded in the following steps:
- The attacker used Crack Map Exec to test the validity of Ryan Cooper's credentials.
- Crack Map Exec authenticated the user, allowing the attacker control of their credentials.
- The attacker checked if Ryan Cooper could use WinRM and then attempted to switch to the user using the Run As Yes executable.
- Although the WinRM was not open, the attacker was still able to log in as SQL SVC.
- Next, the attacker ran the Certify tool again.
- The tool discovered a certificate vulnerability and vulnerable certificate templates. The user authentication template was found to be vulnerable because the enrollment rights were set to domain users.
- Since Ryan Cooper and SQL SVC were domain users, they were able to enroll in the third template and request a certificate for the user.
- The attacker used Certify to give themselves a valid certificate with administrator permission.
- With the certificate, the attacker used Evil WinRM to establish a remote connection with SQL HTB.
- However, Evil WinRM was unable to establish SSL on SQL HTB, so Rubius was used instead.
- Rubius was used to ask TGT for the administrator account using the certificate.
- The NTLN HASH of the user was obtained.
- With the NTLN HASH, the attacker was successfully able to log in as the Administrator user.
The attack chain could also be carried out entirely from Linux using the Certa Pi Command. This command would allow the attacker to upload the Certify tool to the target system and then run it from there, enabling them to escalate privileges. This method offers an alternative option compared to using the certificate abuse attack chain from Windows.
Using Kerberos for Golden Ticket Attacks
In this section, we will explore how to use Kerberos to execute golden ticket attacks. Golden ticket attacks are effective at compromising a domain and gaining access to all systems connected to that domain.
To begin the attack, we first need to understand the Kerberos authentication process, which occurs between the client and the domain controller. The process is outlined below:
- The client requests a TGT from the domain controller.
- The domain controller responds with a TGT signed by the domain controller.
- The client uses the TGT to request a TGS ticket from the domain controller.
- The domain controller sends the TGS ticket, encrypted with the password hash of the system the client wants to access.
- The client presents the TGS ticket to the target system, which implicitly trusts it because it is signed by the domain controller.
The golden ticket attack consists of two main parts: obtaining the password hash and the domain SID. The password hash can be obtained using Python to generate an NTLM hash, as shown below:
The domain SID can be obtained using PowerShell with the
Get-ADDomain command, as shown below:
Once we have this information, we can use the
ticketer.py script to execute the golden ticket attack. The script takes the NTLM hash, domain SID, and SPN as input, and generates a TGS ticket that can be used to access any system on the domain.
Overall, it is essential to understand how Kerberos works to effectively execute golden ticket attacks. These attacks can be very damaging to an organization, so proper ethical considerations should be taken before attempting to execute them.
Using Kerberos to Obtain Administrator Access
Kerberos authentication can be exploited to get access to domain controllers and escalate privileges. Attackers can impersonate non-existent users to authenticate with a Ticket-Granting Ticket (TGT), manipulate the logs and perform unauthorized activities. In this article, we will explore how to use Kerberos to get administrator access on a target system.
TGT Ticket Creation
To create a fake TGT ticket, attackers can sign a ticket from the domain controller with a non-existent user. This will allow them to authenticate as that user and manipulate logs. For example, in a golden ticket attack:
- Use a "totes legit" Service Principal Name (SPN) on the attacker's machine.
- Create a TGT ticket with the DC SQL.hdb and the administrator user.
- Acquire a Ticket-Granting Service (TGS) ticket for the SQL Server.
- Use the TGS ticket to authenticate as the SQL administrator.
At this point, the attacker has access to the SQL Server as an administrator.
Enabling XP CMD Shell
Next, the attacker can enable XP CMD shell to navigate the system.
- Use the administrator permission to enable XP CMD shell.
- Check the identity of the SQL Service using the XP CMD shell.
The attacker can write files to escalate privileges. However, they may face some issues with writing files due to incorrect syntax or lack of proper credentials. Here is how they can overcome these issues:
- Search for Elevation of Privilege (EOP) files and find their usage on the Windows Privilege Escalation page.
- Prove that the attacker can write files using power up SQL and the "bulk insert right file" command.
- Create a table to use for writing.
- Switch to SQL sh for better session management.
- Write the file by changing its target location and pasting the commands on a single line.
If successful, the attacker will have an elevated file to use for privilege escalation.
In this article, we've looked at how to enumerate and exploit a windows box on hackthebox. the process involved using various reconnaissance techniques, such as nmap scanning and smb enumeration, to gather information. we also explored the vulnerabilities present in ms sql server and found a way to exploit a certificate template to gain administrative access to the box. overall, this walkthrough provided an excellent demonstration of how to escalate privileges in a windows environment and shows the critical importance of proper reconnaissance and vulnerability identification in penetration testing.
This so far has been an overview of the different authentication types and privileges one can have when working with microsoft sql server, as well as some of the tools that can be used to gain access. the next part of the article will delve further into microsoft sql server privileges and the importance of studying error logs.
Certificate abuse could be an easy method for attackers to escalate their privileges during an attack. the attack chain described above highlights the need for organizations to implement more robust security measures to protect against such attacks. by having proper security practices and protocols in place, organizations can minimize the risks posed by attackers and ensure the security of their systems and data.
Kerberos authentication can be a powerful tool for attackers to gain access to systems and escalate privileges. As always, it is imperative to stay up-to-date on the latest exploits and protect systems with proper security measures.