1433
Now trying mssql with discovery creds from [[445]]
nxc mssql hokkaido-aerospace.com -u discovery -p 'Start123!'
Now we can log in to mssql:
Now we have a database called hrappdb which we can't access
Now checking for impersonation:

Now we are hrappdb-reader 
Now checking databases:
Checking all tables:


Now verifying credentials:
It is valid.
Now running the bloodhound ingestor:
Now in bloodhound checking outbound transitive object control for hrapp-service:
We have genericWrite over hazel. Now to get hashes:
We got hashes for maintenance, hazel and discover
Trying to crack them, we got creds only for hazel:

RERUN BLOODHOUND AS HAZEL:
Now in bloodhound we can check hazel outbound transitive object control:
We can see that Hazel is a member of TIER2-ADMINS and IT.
Checking member of IT:
We have 3 members:
Molly.Smith: 
Alexandra.Little: 
We can see Molly has more rights.
Now checking Shortest path to domain admin: 
Now resetting Molly's password:
Now we can use rdp: 
Connect using xfreerdp:
We are molly.smith now
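From the defender's side, the reset-then-RDP step above leaves a recognizable pair of Security-log events: 4724 (password reset by another account) followed shortly by 4624 with LogonType 10 for the same target. The sketch below is an added example, not part of the original notes; the events are constructed, and the 30-minute window and the `helpdesk`, `bob` and `alice` accounts are assumptions.

```python
from datetime import datetime, timedelta

# Constructed Security-log events (not from the original page), already parsed
# into dicts keyed by the native field names of events 4724 and 4624.
EVENTS = [
    {"time": "2024-05-01T10:02:11", "id": 4724,
     "SubjectUserName": "hazel", "TargetUserName": "Molly.Smith"},
    {"time": "2024-05-01T10:04:40", "id": 4624, "LogonType": 10,
     "TargetUserName": "molly.smith", "IpAddress": "192.0.2.50"},
    # Reset followed by a console logon (type 2): not flagged.
    {"time": "2024-05-01T11:00:00", "id": 4724,
     "SubjectUserName": "helpdesk", "TargetUserName": "bob"},
    {"time": "2024-05-01T11:05:00", "id": 4624, "LogonType": 2,
     "TargetUserName": "bob", "IpAddress": "-"},
    # RDP logon with no preceding reset: not flagged.
    {"time": "2024-05-01T12:00:00", "id": 4624, "LogonType": 10,
     "TargetUserName": "alice", "IpAddress": "192.0.2.77"},
]

WINDOW = timedelta(minutes=30)  # assumed correlation window, tune per environment
RDP_LOGON = 10                  # LogonType 10 = RemoteInteractive


def find_reset_then_rdp(events, window=WINDOW):
    """Flag accounts whose password was reset by someone else (4724) and
    that then logged on over RDP (4624, type 10) inside the window."""
    pending = {}   # lower-cased target account -> (reset time, resetting account)
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        target = ev["TargetUserName"].lower()
        if ev["id"] == 4724:
            pending[target] = (ts, ev["SubjectUserName"])
        elif ev["id"] == 4624 and ev.get("LogonType") == RDP_LOGON:
            reset = pending.pop(target, None)
            if reset and ts - reset[0] <= window:
                alerts.append({"target": target, "reset_by": reset[1],
                               "source": ev["IpAddress"],
                               "delay_s": int((ts - reset[0]).total_seconds())})
    return alerts


if __name__ == "__main__":
    for alert in find_reset_then_rdp(EVENTS):
        print(alert)
```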
Now running command prompt as administrator with molly's creds: 
Now we can use our SeBackupPrivilege to Privesc:
Now we have sam and system in Temp directory.
Now start a python upload server on kali:
Now upload sam and system by visiting the upload server in Edge on the Windows target.
Now use secretsdump.py:
Now we have hashes for administrator: 
Now we have pwned it: 
Now we can log in with evil-winrm:
