Introduction to EscapeTwo

This write-up will explore the “EscapeTwo” machine from Hack The Box, categorised as an easy difficulty challenge. This walkthrough will cover the reconnaissance, exploitation, and privilege escalation steps required to capture the flag.

Objective:

The goal of this walkthrough is to complete the “EscapeTwo” machine from Hack The Box by achieving the following objectives:

User Flag:

The attacker explored the target machine’s network services and exploited weak access controls. Initial scans identified open ports, including SMB, enabling access to shared folders. By reviewing these files, the attacker discovered a password and identified a user account (Ryan) with elevated permissions. Using these permissions, the attacker connected remotely to the system and retrieved the user flag with a simple command.

Root Flag:

First, the attacker escalated privileges by exploiting an Active Directory misconfiguration. Next, using the Ryan account, they employed tools to identify and modify permissions, thereby gaining control over a privileged account. With this control in hand, the attacker then acquired a special certificate, subsequently authenticated as an administrator, and finally retrieved the root flag with a command.

Enumerating the EscapeTWO Machine

Reconnaissance:

Nmap Scan:

Begin with a network scan to identify open ports and running services on the target machine.

nmap -sC -sV -oN nmap_initial.txt 10.10.11.51

Nmap Output:

┌─[dark@parrot]─[~/Documents/htb/escapetwo]
└──╼ $nmap -sC -sV -oA initial -Pn 10.10.11.51
Nmap scan report for 10.10.11.51
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-05-16 14:15:14Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-05-16T14:16:37+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2025-05-16T11:51:14
|_Not valid after:  2026-05-16T11:51:14
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2025-05-16T11:51:14
|_Not valid after:  2026-05-16T11:51:14
|_ssl-date: 2025-05-16T14:16:37+00:00; 0s from scanner time.

1433/tcp open  ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-info: 
|   10.10.11.51:1433: 
|     Version: 
|       name: Microsoft SQL Server 2019 RTM
|       number: 15.00.2000.00
|       Product: Microsoft SQL Server 2019
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2025-05-16T04:02:09
|_Not valid after:  2055-05-16T04:02:09
|_ssl-date: 2025-05-16T14:16:37+00:00; 0s from scanner time.
| ms-sql-ntlm-info: 
|   10.10.11.51:1433: 
|     Target_Name: SEQUEL
|     NetBIOS_Domain_Name: SEQUEL
|     NetBIOS_Computer_Name: DC01
|     DNS_Domain_Name: sequel.htb
|     DNS_Computer_Name: DC01.sequel.htb
|     DNS_Tree_Name: sequel.htb
|_    Product_Version: 10.0.17763
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-05-16T14:16:37+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2025-05-16T11:51:14
|_Not valid after:  2026-05-16T11:51:14
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2025-05-16T11:51:14
|_Not valid after:  2026-05-16T11:51:14
|_ssl-date: 2025-05-16T14:16:37+00:00; 0s from scanner time.

Analysis:

• 53/tcp (domain): Simple DNS Plus server running, likely handling DNS requests.
• 88/tcp (kerberos-sec): Kerberos authentication service active, indicates Active Directory environment.
• 135/tcp (msrpc): Microsoft RPC service, used for remote procedure calls on Windows.
• 139/tcp (netbios-ssn): NetBIOS session service, Windows file and printer sharing over SMBv1.
• 389/tcp (ldap): LDAP service for Active Directory directory services (non-SSL).
• 445/tcp (microsoft-ds): SMB service used for Windows file sharing and Active Directory.
• 464/tcp (kpasswd5): Kerberos password change service.
• 593/tcp (ncacn_http): Microsoft RPC over HTTP, potentially used for remote management.
• 636/tcp (ssl/ldap): Secure LDAP (LDAPS) for encrypted directory access.
• 1433/tcp (ms-sql-s): Microsoft SQL Server 2019 instance accessible, possibly exploitable.
• 3268/tcp (ldap): Global Catalog LDAP for Active Directory, supports forest-wide queries.
• 3269/tcp (ssl/ldap): Secure Global Catalog LDAP over SSL.
  

Exploitation

Samba Exploration:

If successful, it then attempts to find other user accounts by brute-forcing their ID numbers, thereby helping to identify valid users for further testing.

The output is then filtered using grep SidTypeUser Only the entries that correspond to actual user accounts will be displayed, excluding groups or system accounts. This helps the tester quickly identify valid user accounts on the target machine for further analysis or access attempts.v

It connects to the target machine at the IP address 10.10.11.51 with the smbclient tool, a command-line utility similar to an FTP client but designed for accessing SMB shares.

This list shows shared folders on a computer that others on the network can access, like shared drawers in an office.

• Accounting Department: Likely holds financial or work files for the accounting team.
• ADMIN$ and C$: Hidden folders for IT admins to manage the system remotely.
• IPC$: A system tool for communication between devices, not a regular folder.
• NETLOGON and SYSVOL: Support user login and access control in the network.
• Users: Contains personal folders for different computer users.

The folder contains two Excel files: accounting_2024.xlsx and accounts.xlsx.

Transferring both files to our computer

We discovered a password stored within an XML file.

It looks much cleaner when using the Python command.

SQL enumeration on EscapeTwo machine

Since the Nmap results indicated that the MSSQL service is open, and the default MSSQL user (sa) Typically has the highest level of administrative privileges, so it’s worth attempting to use it. In this case, we try to enable and use the xp_cmdshell feature for further exploitation.

Let’s proceed with executing MSSQL commands.

Let’s initiate our listener.

The operation was successful, so we proceeded to enable xp_cmdshell and execute the shell command through it to confirm execution.

We established a reverse shell connection.

The SQL Server 2019 installation was found.

Begin by enumerating the local files, where you will find a configuration file located at C:\SQL2019\ExpressAdv_ENU.

Another password was found in the configuration file named sql-Configuration.INI.

Discovered several potential usernames.

SMB access was obtained as the user Ryan, which can be used for enumeration with BloodHound.

Bloodhound enumeration on escapetwo machine

We will gather additional information using BloodHound.

Once the collection was complete, I imported them into BloodHound. That’s when I found the ryan with CA_SVC account — one I could change the owner of.

Let’s examine Oscar’s connection.

We can see that Ryan has the WriteOwner permission on the CA_SVC account.

Using NXC, we were able to discover credentials that work with WinRM

We can read the user flag by typing “type user.txt’ command

Escalate to Root Privileges Access

Privilege Escalation:

We attempted to use the owneredit.py Script to change the object ownership, but the operation failed due to an unspecified issue.

The script executed successfully after setting PYTHONPATH=… For instance, assigning ownership of an administrator account to a user like Ryan would mean he could modify settings or permissions that are normally reserved for administrators. Moreover, this change could increase Ryan’s control over the system. Therefore, it is important to carefully manage account ownership to prevent unauthorized access.

This command is used in dacledit.py to grant the user Ryan full control (FullControl) permissions over the ca_svc account. It authenticates to the domain sequel.htb using Ryan’s credentials. The -action 'write' flag specifies that a permission change is being made.

This command allows the user Ryan to quietly gain access as another account, ca_svc, by taking advantage of a weakness in how the network handles certificates.

It uses a special code (hash) instead of a password to access the account and looks for any vulnerable settings, then shows the results on the screen.

This command uses Certipy to request a special security certificate from the network’s main server (dc01.sequel.htb) using a template named DunderMifflinAuthentication.

This command requests a certificate from the sequel-DC01-CA on the domain controller DC01.sequel.htb. It uses the ca_svc account’s NT hash for authentication and asks for a certificate based on the DunderMifflinAuthentication template.

This command uses Certipy to authenticate to the domain controller at IP 10.10.11.51 using the certificate file administrator.pfx.

We read the root flag by typing the “type root.txt” command

The post Hack The Box: EscapeTwo Machine Walkthrough – Easy Difficulty appeared first on Threatninja.net.

Orange Business Services Security Operations Center solution is designed to protect a company's business from the risk that information, applications, databases, servers and workstations, data and systems are modified, copied or destroyed. The service is responsible for identifying, investigating, prioritizing, escalating and resolving issues, which most of the time, are generated intentionally or accidentally by the human resource.

The post SOC-as-a-Service from Orange Business Services appeared first on DefCamp 2022.

Flexible Engine, the Orange Business Services public cloud platform, enables you to create pay-as-you-go virtual machines, including storage and computing resources, host your databases and critical applications and innovate directly in the cloud using containers, Big Data, Machine Learning and Artificial Intelligence.

The post Flexible Engine from Orange Business Services appeared first on DefCamp 2022.

CrowdStrike Introduces Sandbox Scryer: A Free Threat-Hunting Tool for Generating MITRE ATT&CK and Navigator Data.

The post Sandbox Scryer from CrowdStrike appeared first on DefCamp 2022.

Business Internet Security from Orange protects the information delivered over the internet and the companies’ data against cyber-attacks. The data traffic is scanned for viruses, malware, spam, intrusion attempts and it is cleaned in the cloud, before is reaches the companies’ servers. With a simple management interface, permanent updates and upgrades, embedded professional services and security consultancy and seamless scalability and upgradability, Business Internet Security eliminates the need for expensive, on-premise equipment.

The post Business Internet Security Threat Map from Orange Romania appeared first on DefCamp 2022.

Cloud-based Taegis™ XDR: prevent, detect and respond to advanced threats with automation, machine learning-driven analytics and comprehensive threat intelligence while Taegis VDR automates vulnerability management by intelligently prioritizing remediation efforts based on actionable recommendations that reflect the context of your environment.

The post Taegis™ XDR & VDR from Secureworks appeared first on DefCamp 2022.

ExpressVPN introduces Aircove, the industry’s first Wi-Fi router with built-in VPN.

The post Aircove from ExpressVPN appeared first on DefCamp 2022.

Improve security effectiveness and resiliency and elevate SecOps efficiency!

The post BloxOne Threat Defense from Infoblox appeared first on DefCamp 2022.

Introducing: CVE Monitor, a free early warning service that informs organisations worldwide of upcoming threats and trends in cyber security.

The post CVE Monitor from Bit Sentinel appeared first on DefCamp 2022.

Introducing: Sniper Automatic Exploiter, helping security teams confirm the real impact of a CVE with remote code execution or arbitrary file read risks and quickly identify which of their systems are truly vulnerable, so they can effectively prioritize remediation.

The post Sniper – Automatic Exploiter from Pentest-Tools.com (“Best Emerging Technology” finalist at SC Europe Awards 2022) appeared first on DefCamp 2022.

The post Detectify year in review 2019 appeared first on Detectify Blog.