Official EscapeTwo Discussion

Changing passwords should not be done unless there is no other way. It is not good practice, practically speaking. In the real world, it might cause unintended loss of privileges.

If you look at bloodhound, you will find another means of owning the target account.

Privesc was not as intuitive as I thought by looking at bloodhound, but thanks to some hints I got it to work. Foothold was pretty straightforward. DM if you need a nudge

Still stuck on the user flag. I have two kerberoastable but cannot crack it. I also have access to the db and I am able to execute commands with xp_cmdshell but I can’t find anything interesting.

hehe yes that can happen

Any hints to move on after getting stuck in mssql? Unable to execute command with no xp_cmdshell privilege

Can anybody give me a hand with “- CERTSRV_E_SUBJECT_DNS_REQUIRED”? I’ve tried setting the DNS and alternate DNS but can’t get past it.

A cleanup script is running every 3 minutes and sets the pw back!!!

-dns worked for me

1 Like

maybe -ns IP and key-size 4096 will help

Pwned! Thanks for all the help!

3 Likes

I’m still stuck, can I DM someone for a nudge? I found the s**_*** passwd but don’t know what to do from there

Same error, any hints?

I found 2 hashes for the two service users sql_* and ca_*, but don’t know what to do next. Any hints?

I have found the accounts’ creds but I don’t know what to do next. Any hint will be good for me.

I’m having issues, not sure if it’s a bug, but when trying to log in with sql creds I get: “Switching to TLS
Unable to login because its an untrusted domain” any ideas? my nmap scan outputted a few rsa certs… wondering if it had something to do with that?

nvm solved it

Wow, I completely missed that… Thank you so much :joy:
I feel like HTB should have written that part in like font size 60 flashing red text

4 Likes

This was a fun box and very frustrating at times, but here are a few hints to help people:

User:

  • Remember to check the machine description for the default credentials
  • Enumerate everything. If you’re struggling to open a certain file, try unzipping it and reading the contents of these files; it may reveal what you’re looking for
  • Accessing a certain service might not work with one method, but another method may prove useful
  • Configuration files are your friend
  • You can never go wrong with password spraying

Root:

  • As this is an AD environment, there is a particular user who we want to own once initial access has been established who may issue certificates. Make sure to run Bloodhound against the target, identify this user and abuse the recommended commands
  • Certipy is your friend
  • You may require the -dns [Target IP] and -dc-ip [Target IP] on your flags for one of the final commands

Feel free to drop me a message if you would like any further pointers :slight_smile: Make sure to include what you’ve found out already!

14 Likes

Same problem, I tried the -dns param, but useless

Try using both -dns and -dc-ip flags!