AS svc_sql
Running Sharp Hound form Sliver
Execute it from the directory where the user has write access.
sharp-hound-4 -i -- "-c all"
download 20240210091635_BloodHound.zip
Hunting with Blood Hound
There are 5 IT admin group users who are in Administrator user.
- LOUISE.HILBERT@M3C.LOCAL
- JOHN.CLARK@M3C.LOCAL
- TERESSA.GOMEZ@M3C.LOCAL
- KENNETH.KEA@M3C.LOCAL
- NORMA.BRANHAM@M3C.LOCAL
Most probably this users will in be in allow not to be delegate group so be careful if you are trying to impersonate this users.
To get to the domain controller I either have louise.hilbert account or svc_apache.
Shortest path to reach svc_apache is from IT admins?
Let’s see first what can we do with svc_sql account.
SVC_SQL account has constrained Delegation to time/m3webaw.
So we can impersonate any user to this machine to obtain tgs and use altservice to get to m3webaw.
Let’s explore m3webaw now.
if we select the query shortes path to m3webaw we find few paths.
- one through IT admins the 5 users abov
- the server admin group can PSRemote to thies machine as well.
What we can do now is use the constrained delegation of svc_sql to impersonate users from server_admins and do ps remote to m3webaw.
We can try to impersonate the administrator user and other it admin users but this will most probably not work as they might me in protected group.
Find kerberostable users
sliver (CASUAL_PLATFORM) > rubeus kerberoast /simple /nowrap
Not able to crack them.