HackTheBox : Escape

12 min readFeb 9, 2025

--

Escape is an interesting Windows machine with an SMB share accessible by guest users. This share exposes a sensitive PDF file containing MSSQL credentials. Using these credentials, we can force the MSSQL service to authenticate to their machine and capture the service account Net-NTLMv2 hash. After cracking the credentials, we can obtain command execution on the machine via WinRM.

Further enumeration uncovers a log file with credentials for Ryan.Cooper. Additionally, a Certificate Authority is present, and a misconfigured certificate template is vulnerable to the ESC1 attack. This allows eligible users to request certificates for any domain user, including Domain Administrators. By exploiting this flaw, an attacker can obtain a valid certificate for the Administrator account and retrieve the administrator's hash, achieving full domain control.

Reconnaissance

Nmap

DNS — TCP/UDP/53

The query above returns various type of DNS records including A, AAAA, NS, etc. These information can be used to expand our attack surface.

Let’s see if the DNS server is vulnerable to zone transfer :

SMB — TCP/445

The following section will cover SMB enumeration.

To start, let’s check null session authentication. One tool that I generally use to quickly enumerate SMB and RPC is enum4linux-ng :

Here is a quick breakdown of the command used above :

-A is used to perform all simple enumeration such as users, groups, shares, password policy, OS information, printer information, etc.

-C is used to enumerate running services on the target machine using RPC.

From the output above, we can confirm that the server allows null session.

Let’s perform further enumeration with netexec :

We have read permission over the Public share. Let’s take a quick look at its content. To do that, we can use nxc’s Spider_plus module :

There is a PDF file in the Public share. Let’s mount the share on our attacker machine then access its content :

Well, we can now take a look at the PDF file content using the open command :

Interesting ! The file contains usernames (ryan, tom, brandon) and a pair of credentials that are assigned for new hired employees.

Initial Access

Let’s check if we can authenticate with these credentials :

As you can notice, the authentication seems to work but nxc returned (Guest) rather than (Pwn3d!) which is quite uncommon. I then tried to enumerate users and groups and got an access denied as you can see it :

That said, I also tried to authenticate to other open ports :

Checking authentication against other open ports

The authentication succeeded only for Ldap. From here, we can try to collect the domain information and look for potential attack paths that could help us move laterally or escalate our privileges. However, as you may notice, though the MSSQL authentication failed, nxc recommended to us to try again with the --local-auth option. Let’s give it a try :

Mssql local authentication succeeded

Awesome ! It was worth giving a try ! Let’s try to quickly take a look at the mssql database. Shall we ?

As you can see, we only have the default databases. Well, we could say that there is probably nothing interesting here. Nevertheless, there is a stored procedure called xp_dirtree that we can leverage to grab the database user’s Net-NTLMv2 hash. The intercepted hash can then be used to perform an SMB Relay attack where we replay the hash to log into other systems where the account has local admin privileges or cracking this hash on our local system. Successful cracking would allow us to see and use the password in cleartext. A successful SMB Relay attack would grant us admin rights on another host in the network, but not necessarily the host where the hash originated because Microsoft patched an older flaw that allowed an SMB Relay back to the originating host. Nevertheless, we can gain local admin to another host and then steal credentials that could be re-used to gain local admin access to the original system where the Net-NTLMv2 hash originated from.

That said, let’s get our hands dirty :

Here is the syntax to use xp_dirtree : xp_dirtree "<PATH_TO_DIRECTORY>"

Note : xp_dirtree is a function used to view the contents of a specific folder locally or remotely.

Knowing that xp_dirtree allows us to access folders remotely, we can try to run a tool such as responder to grab the Net-NTLMv2 hash :

Once responder launched, let’s execute xp_dirtree as follows :

Executing xp_dirtree with a remote share

Fantastic ! We intercepted the Net-NTLMv2 hash of the user sql_svc .

Note : It’s not possible to perform a pass-the-hash attack with a Net-NTLMv2 hash. Therefore, we will try to crack it using hashcat.

By default, responder saves the hashes in /usr/share/responder/logs directory.

First of all, let’s try to find the type of hash being used :

Great ! The password was successfully cracked. Let’s check where we can authenticate using that password :

Wonderful ! We got a shell via WinRM. Let’s try to authenticate to the sql_svc’s account using that access :

After authenticating to a target system, I generally look for a couple of things such as the user’s privileges, group memberships, folders and files.

If that led me nowhere as it was the case here, I dig a bit deeper in my enumeration until I found something interesting.

While taking a look at the C:\ folder, I noticed an uncommon folder : SQLServer.

After taking a look at this folder, I came across a log file ERRORLOG.BAK :

To be honest, the file contained lots of text and I did not want to read all that. Therefore, I sent it to my attacker machine and used a regex to look for login and password patterns :

Downloading ERRORBAK.LOG on my attacker machine

Once done, I tried to look for sensitive information using the pattern below but it seems that grep did not work :

Tried the same with sed but got similar results :(

Finally, I opened the file and went through it manually. You got it, I had lots of fun doing that !

After some time, I came across Ryan’s password :

Moral lesson : It’s always worth it to take a look at the logs and configuration files as they may contain sensitive information such as passwords.

Well, as usual, let’s try to check if we can use this password to authenticate to Ryan’s account :

Let’s check other authentication methods :

Wonderful ! Here again, we have a WinRM authentication.

Let’s get a shell :

Let’s retrieve the flag :

user.txt flag

Privilege Escalation

In this section, we are going to enumerate the domain deeper till we find an attack path that will allow us to escalate our privileges.

Let’s start with enumerating Ryan.Cooper’s read and write shares :

This returned two new shares : SYSVOL and NETLOGON.

However, after taking a look at their content, I found nothing really meaningful that could help us escalate our privileges.

That said, I kept on my enumeration with trying attacks such as kerberoasting and asreproasting :

As you can see, they were unsuccessful.

Finally, I decided to collect the domain information and look for attack paths that could help me escalate my privileges. To achieve that, I used netexec’s bloodhound ingestor :

Collecting domain information using nxc’s bloodhound ingestor

Then we can upload the domain information in Bloodhound.

Note : You can upload the zip file directly in Bloodhound without decompressing it.

As you can see, there is nothing really interesting here. I also tried to run some pre-built queries but landed nowhere.

Nevertheless, when taking a look at Ryan.Cooper’s groups, I noticed that it was part of the Builtin\Certificate Service DCOM Access as displayed below :

This made me think of Active Directory Certificate Service (AD CS) which is directory service used by the Domain Controller to serve digital certificates, signatures, and public key cryptography.

To enumerate the certificates, I used certipy :

Guest what ? The UserAuthentication template is vulnerable to ESC1.

ESC1 is when a certificate template permits Client Authentication and allows the enrollee to supply an arbitrary Subject Alternative Name (SAN).

Let’s leverage that to escalate our privileges. Shall we ?

Here is a beautiful diagram that summarizes how we will proceed.

ESC1 exploitation from Windows and Linux

Well, let’s get our hands dirty :

Requesting a certificate for the Administrator user

Once the certificate requested, we will need to generate a TGT ticket for the domain Administrator. To achieve that, we can use certipy as follows :

Got a KRB_AP_ERR_SKEW(Clock skew too great) error

The error above is due to time synchronization issue. Indeed, the DC and our attacker machine are not using the same time. To solve that, we can use the following command :

Unfortunately, ntpdate did not solve the issue.

Another way of fixing the issue consists of using the following commands :

1/ timedatectl set-ntp off : This prevents the Network Time Protocol from auto-updating

2/ rdate -n <DC_IP> : This matches your computer’s date and time with the date and time of the Domain Controller.

As you can see, the error was solved and certipy provided us with the NT hash in addition of the TGT ticket. Just amazing :)

Last but not least, you could also use another great tool called faketime to solve the time synchronization error. To use it, you simply need to prepend your command with faketime :

Solving the KRB_AP_ERR_SKEW(Clock skew too great) error using faketime

That being said, let’s perform a pass-the-hash against the Administrator account using the NT hash returned by certipy above :

Hoorah \0/ ! We successfully pwned the administrator account.

To confirm that, we can try to dump the krbtgt’s NT hash :

As you can see it works !

Well, let’s retrieve now the root flag and end with the challenge :

Key Techniques Used

Here are the following techniques we used to solve this box :

Enumerating read/write shares to see if we can find sensitive information
Exploiting mssql xp_dirtree to grab and a Net-NTLMv2 hash then crack it offline with hashcat
Performing internal reconnaissance on target system
Enumerating AD DS with certipy
Exploiting a certificate template vulnerable to ESC1 using certipy
Fixing the KRB_AP_ERR_SKEW (Clockskew too great) error using various techniques.

Lessons Learned

1/ To get an initial foothold, we firstly found credentials in a public share that we used to authenticate as user PublicUser. With that access, we got a winRM session that allowed us to find Ryan.Cooper’s password in the SQL server’s logs. We recommend to avoid storing plaintext credentials in shares that can be accessible as guest user. Furthermore, we recommend to disable null session.

2/ To escalate our privileges to Domain Admins, we exploited a v certificate template that was vulnerable to ESC1. To fix that issue, we recommend the following measures :

Apply the Least Privilege Principle: Remove unnecessary privileges, ensuring that only authorized groups have Enroll rights.
Template Security Hardening: Ensure that templates requiring elevated privileges, such as client authentication certificates, are protected with stricter permissions.
Audit and Monitor: Regularly review certificate template configurations and maintain an audit trail of access requests.

Wrap Up

That’s it guys. Congrats on having made it so far 👏

I hope you enjoyed the writeup.

If so, do not forget to click on the little clap icon below and subscribe to my newsletter to keep up with my latest articles !

Resources

https://www.thehacker.recipes/ad/movement/adcs/certificate-templates#template-allows-san-esc1
https://www.thehacker.recipes/ad/movement/kerberos/pass-the-certificate
https://mayfly277.github.io/posts/GOADv2-pwning-part6/#adcs---esc1
https://github.com/ly4k/Certipy?tab=readme-ov-file#esc1
https://medium.com/@danieldantebarnes/fixing-the-kerberos-sessionerror-krb-ap-err-skew-clock-skew-too-great-issue-while-kerberoasting-b60b0fe20069

Contact

GitHub : https://github.com/0liverFlow