{"id":210,"date":"2025-07-05T18:49:00","date_gmt":"2025-07-05T18:49:00","guid":{"rendered":"https:\/\/thecyberstaff.com\/?p=210"},"modified":"2025-12-28T19:42:57","modified_gmt":"2025-12-28T19:42:57","slug":"escape-hackthebox-lab","status":"publish","type":"post","link":"https:\/\/thecyberstaff.com\/?p=210","title":{"rendered":"Escape- Hackthebox lab"},"content":{"rendered":"\n

To start the assessment, I start with my nmap scans to check for open TCP and UDP ports.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

Looks like a domain controller with a SQL service. I use the tool smbclient to check for any smb share that look interesting.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

The share “Public” looks good so I connect to the share. There is a file called Procedures.pdf so I pull that down to my local attack box.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

The file contains employee instructions for connecting to the SQL server and it also has a cleartext password for the “PublicUser” account.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

I connect to the SQL server with the discovered account. It looks like the databases are all default with nothing interesting. <\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

I decided to use the xp_dirtree function to read a fake share on my attack box. With this functionality, I can run Responder to see if I can capture a password hash. I successfully collect a NTLMv2 hash for the sql_svc user.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

I take the password hash offline and crack it with the Hashcat tool reveling the plaintext password.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

I am then able to log into the target machine with WinRM.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

I found an interesting file in the C:\\SQLServer\\Logs directory and download it to my local attack box.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

The file hash a plaintext password for the user “ryan.cooper”, it looks like they entered the password in the username field on accident.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

While enumerating Active Directory, I found an Active Directory Certificate Services vulnerability ESC1 on the certificate template “UserAuthentication”.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

I use the tool certipy-ad to request a certificate and obtain a .pfx file to use to authenticate to the certificate server with.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

I ran into an issue where the clock on my local attack box was too far off from the clock on the target machine.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

I used the “ntpdate” tool to resolve this.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Then I was able to authenticate and grab the password hash for the “Administrator” account.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

I passed the hash with WinRM and was able to log in as “Administrator” fully compromising the box.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

This box shows the importance of keeping passwords protected and making sure services like Active Directory Certificate Services are properly implemented and hardened to protect against cyber threats.<\/p>\n","protected":false},"excerpt":{"rendered":"

To start the assessment, I start with my nmap scans to check for open TCP and UDP ports. Looks like a domain controller with a SQL service. I use the tool smbclient to check for any smb share that look interesting. The share “Public” looks good so I connect to […]<\/p>\n","protected":false},"author":1,"featured_media":212,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,4],"tags":[],"class_list":["post-210","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","category-pentesting"],"brizy_media":[],"_links":{"self":[{"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/posts\/210","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=210"}],"version-history":[{"count":2,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/posts\/210\/revisions"}],"predecessor-version":[{"id":475,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/posts\/210\/revisions\/475"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/media\/212"}],"wp:attachment":[{"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=210"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=210"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=210"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}