EscapeTwo - Hack The Box
Enumeration
Nmap and DNS
The initial nmap scan showed the usual Domain Controller ports and the MSSQL port open. DNS enumeration also revealed the Domain Controller's FQDN.
SMB Enumeration
Credentials for one user were given to me. Using them I enumerated the SMB shares; two of the shares were unusual.
The Accounting Department share contained two Excel files.
I opened them using an online XLSX viewer website. Inside were credentials for the MSSQL service account and the user oscar.
Exploitation
MSSQL
I logged in to MSSQL using the credentials I had found.
Then I launched a reverse shell via xp_cmdshell.
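From the defender's side, the step above leaves a clear trail: xp_cmdshell is disabled by default, so enabling it with sp_configure and then executing it are both worth alerting on. The following is an added example (not part of the original writeup) that runs simple detection rules over constructed sample log lines. The line layout "<timestamp> <login> <statement>" and the login names are assumptions for illustration, not real SQL Server audit output.

```python
import re
from collections import Counter

# Constructed sample log lines in a simplified "<timestamp> <login> <statement>"
# layout; they illustrate the pattern and are not real SQL Server audit output.
SAMPLE_LINES = [
    "2025-01-10T09:12:01 sa EXEC sp_configure 'show advanced options', 1; RECONFIGURE;",
    "2025-01-10T09:12:02 sa EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;",
    "2025-01-10T09:12:05 sa EXEC xp_cmdshell 'whoami';",
    "2025-01-10T09:12:30 sa EXEC master..xp_cmdshell 'dir C:\\Users';",
    "2025-01-10T09:15:00 reportsvc SELECT TOP 10 * FROM dbo.Invoices;",
    "2025-01-10T09:20:00 dba EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;",
]

# Each rule: (name, severity, compiled regex). Turning xp_cmdshell OFF is
# deliberately not matched, so a DBA hardening the server does not trigger an alert.
RULES = [
    ("advanced_options_enabled", "medium",
     re.compile(r"sp_configure\s+'show advanced options'\s*,\s*1", re.I)),
    ("xp_cmdshell_enabled", "high",
     re.compile(r"sp_configure\s+'xp_cmdshell'\s*,\s*1", re.I)),
    ("xp_cmdshell_executed", "high",
     re.compile(r"\bxp_cmdshell\s+'", re.I)),
]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<login>\S+)\s+(?P<stmt>.*)$")


def scan_sql_lines(lines):
    """Return one finding per (line, rule) match, in input order."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that does not fit the expected layout
        for name, severity, pattern in RULES:
            if pattern.search(m["stmt"]):
                findings.append({"ts": m["ts"], "login": m["login"],
                                 "rule": name, "severity": severity})
    return findings


def logins_by_high_findings(findings):
    """Count high-severity findings per login; a burst from one login is the alert condition."""
    return Counter(f["login"] for f in findings if f["severity"] == "high")


if __name__ == "__main__":
    found = scan_sql_lines(SAMPLE_LINES)
    for f in found:
        print(f"{f['ts']} {f['login']:<10} {f['severity']:<6} {f['rule']}")
    print(dict(logins_by_high_findings(found)))
```

On the sample input the three high-severity hits all come from the sa login within a minute, which is the shape of activity this writeup describes; the disabling statement at the end produces no finding.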
Then I tried some privilege escalation methods, but none of them worked. Later, while browsing through directories, I found an SQL config file that contained the service account “sql_svc” and its password.
Checking the credentials, I found that it was a valid password.
Then I tried many things and nothing worked.
I could have brute-forced all users with all the valid passwords I had found. Before doing that, I checked the Users directory and found only ryan, sql_svc and Administrator directories there. So I thought that maybe the user “ryan” had set up the service account, so its password might be the same as ryan's own password. I tried it and it worked.
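The password reuse guessed at above is something a defender can find proactively: identical NT hashes in an authorised directory export mean identical passwords, and a service account sharing one with a human account is exactly the weakness this step exploited. The following is an added example (not part of the original writeup) that groups accounts by NT hash from constructed pwdump-style lines. The account names, RIDs and hash values are made up for illustration; the "_svc" naming hint used to recognise service accounts is an assumption.

```python
from collections import defaultdict

# Constructed pwdump-style lines "user:rid:lmhash:nthash:::" from a hypothetical
# authorised directory export. The NT hashes are placeholder values, not real ones;
# the LM field is the well-known empty-LM constant.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
ryan:1105:aad3b435b51404eeaad3b435b51404ee:22222222222222222222222222222222:::
sql_svc:1106:aad3b435b51404eeaad3b435b51404ee:22222222222222222222222222222222:::
oscar:1107:aad3b435b51404eeaad3b435b51404ee:33333333333333333333333333333333:::
ca_svc:1108:aad3b435b51404eeaad3b435b51404ee:44444444444444444444444444444444:::
this line is malformed and must be skipped
"""

# Assumed naming convention for service accounts (hypothetical, adjust per environment).
SERVICE_ACCOUNT_HINTS = ("_svc", "svc_")


def parse_dump(text):
    """Yield (user, nthash) pairs; malformed lines are skipped instead of aborting the audit."""
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or len(parts[3]) != 32:
            continue
        yield parts[0], parts[3].lower()


def group_by_hash(pairs):
    """Map each NT hash shared by more than one account to the sorted list of those accounts."""
    groups = defaultdict(list)
    for user, nthash in pairs:
        groups[nthash].append(user)
    return {h: sorted(users) for h, users in groups.items() if len(users) > 1}


def is_service_account(name):
    return any(hint in name.lower() for hint in SERVICE_ACCOUNT_HINTS)


def service_account_reuse(shared_groups):
    """Return groups in which a service account shares its password with a non-service account."""
    return [users for users in shared_groups.values()
            if any(is_service_account(u) for u in users)
            and not all(is_service_account(u) for u in users)]


if __name__ == "__main__":
    shared = group_by_hash(parse_dump(SAMPLE_DUMP))
    for users in service_account_reuse(shared):
        print("service account shares a password with a user:", ", ".join(users))
```

The audit never needs the plaintext: two accounts with the same NT hash have the same password, so the report can be produced from hashes alone and the remedy is a unique, managed password for the service account.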
Using evil-winrm I logged in and got the user flag.
Privilege Escalation
At first, I ran BloodHound and found that ryan had WriteOwner over CA_SVC, which is probably a service account that can request certificates.
So I applied the steps from the Hacking Articles blog and changed the password of the target user.
Then I ran certipy and found that a certificate template was vulnerable to ESC4.
Following the steps from the official certipy wiki, I obtained the Administrator hash. Then I logged in with that hash and got the root flag.
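Both findings in this section are access-control problems: a WriteOwner right over the CA_SVC account, and (ESC4) write rights over a certificate template held by a principal that should not have them. A defender can find both from the same ACL data. The following is an added example (not part of the original writeup, and not BloodHound or certipy output) that audits a constructed list of ACEs for dangerous rights held by non-privileged principals and then follows the resulting edges from a starting principal. The object names, the template name, the right held by ca_svc over the template and the privileged-group list are assumptions made for illustration.

```python
# Rights that let the holder rewrite an object's owner, DACL or attributes.
DANGEROUS_RIGHTS = {"GenericAll", "GenericWrite", "WriteOwner", "WriteDacl", "WriteProperty"}
# Principals expected to hold such rights; anyone else holding them is a finding.
PRIVILEGED_PRINCIPALS = {"Domain Admins", "Enterprise Admins", "Administrators", "SYSTEM"}

# Constructed ACE list: (object, object class, principal, right). Names and rights
# are illustrative; "SampleTemplate" and the ca_svc edge are assumptions, not page data.
SAMPLE_ACES = [
    ("CA_SVC", "user", "Domain Admins", "GenericAll"),
    ("CA_SVC", "user", "ryan", "WriteOwner"),
    ("SampleTemplate", "pKICertificateTemplate", "Domain Users", "Enroll"),
    ("SampleTemplate", "pKICertificateTemplate", "ca_svc", "GenericWrite"),
    ("SampleTemplate", "pKICertificateTemplate", "Enterprise Admins", "GenericAll"),
]


def audit_aces(aces, privileged=PRIVILEGED_PRINCIPALS):
    """Flag every dangerous right held by a principal outside the privileged set."""
    findings = []
    for obj, cls, principal, right in aces:
        if right not in DANGEROUS_RIGHTS or principal in privileged:
            continue
        if cls == "pKICertificateTemplate":
            issue = "ESC4: template modifiable by a non-privileged principal"
        else:
            issue = "object takeover: non-privileged principal can alter the object"
        findings.append({"object": obj, "principal": principal, "right": right, "issue": issue})
    return findings


def reachable_objects(findings, start):
    """Follow findings outward from a principal: each object it can alter becomes a new principal.

    The returned set is what a defender must assume is exposed once `start` is compromised."""
    reached, frontier = set(), {start.lower()}
    while frontier:
        principal = frontier.pop()
        for f in findings:
            target = f["object"]
            if f["principal"].lower() == principal and target not in reached:
                reached.add(target)
                frontier.add(target.lower())
    return reached


if __name__ == "__main__":
    found = audit_aces(SAMPLE_ACES)
    for f in found:
        print(f"{f['principal']} -> {f['object']} ({f['right']}): {f['issue']}")
    print("exposed from ryan:", sorted(reachable_objects(found, "ryan")))
```

On the sample data the audit reports two findings and the walk from ryan reaches both CA_SVC and the template, which is the chain the writeup followed; the fix is to remove the stray rights from both objects rather than only from one of them.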
Pwned
The machine was pwned.