Scrambled - HTB [Discussion]
(June 12, 2022, 11:43 AM)jon01 Wrote:
(June 12, 2022, 07:45 AM)yemacaw863 Wrote:
(June 12, 2022, 04:32 AM)thomasratkos Wrote:
(June 12, 2022, 04:16 AM)skyweasel Wrote: Cheers for this post/nudge.

I keep getting "[-] exceptions must derive from BaseException"  from GetUserSPNs.py

annoying.

Care to paste the full TGS?



It's a problem with the tool, not you. Do some Google searching; you might find the creator of the box on GitHub trying to get this issue fixed :D


I hit a wall after this, so if anyone has a nudge after this, lmk please 😎


Thanks for the nudges!

Subsequently,
1. Found a "Network Security Changes.pdf" file by "IT Support" using smbclient.py under the Public share. The following is the summary content:
"(Affects All) When you log on or access network resources you will now be using Kerberos authentication..."
"(Affects HR department) The attacker was able to retrieve credentials from an SQL database used by our HR software so we have removed all access to the SQL service for everyone apart from network administrators"

2. Able to run reg.py using both users to query the Windows registry (different results).

And now.. I'm stuck again :(


@qwerty173 / @jon01 any nudge? :D

impacket-ticketer -nthash b999a16500b87d17ec7f2e2a68778f05 -domain-sid S-1-5-21-2743207045-1827831105-2542523200 -domain scrm.local -spn MSSQLSVC/scrm.local -user-id 500 Administrator

// maybe this can help :P
impacket-mssqlclient
enable_xp_cmdshell
and get a shell:


Wow, thanks a lot @jon01!
I understand how you get the nthash, but how about the domain SID? :huh:
Reply
@jon01 have you rooted this machine?
Reply
(June 12, 2022, 04:33 PM)yemacaw863 Wrote: @jon01 have you rooted this machine?
If yes, am I on the correct path if I'm looking at "ScrambleClient.exe"?


Can you please show how you managed to get user?
Reply
(June 12, 2022, 04:37 PM)HolesInSec Wrote:
(June 12, 2022, 04:33 PM)yemacaw863 Wrote: @jon01 have you rooted this machine?
If yes, am I on the correct path if I'm looking at "ScrambleClient.exe"?


Can you please show how you managed to get user?


1. Enumerate SQL.
2. Execute a command as another user using PowerShell.
Reply
(June 12, 2022, 02:03 PM)Photographer Wrote: Any nudge on how to get the domain SID and the nthash?


I would like to know as well. I know you can get the domain SID with rpcclient's lsaquery command, but how do you get the nthash??
Reply
(June 12, 2022, 06:52 PM)thomasratkos Wrote:
(June 12, 2022, 02:03 PM)Photographer Wrote: Any nudge on how to get the domain SID and the nthash?



I would like to know as well. I know you can get the domain SID with rpcclient's lsaquery command, but how do you get the nthash??

Hey, how did you use rpcclient? I'm getting some LOGON errors when using rpcclient with the -k option with both users.
Reply
(June 12, 2022, 06:52 PM)thomasratkos Wrote:
(June 12, 2022, 02:03 PM)Photographer Wrote: Any nudge on how to get the domain SID and the nthash?



I would like to know as well. I know you can get the domain SID with rpcclient's lsaquery command, but how do you get the nthash??


https://codebeautify.org/ntlm-hash-generator


Pegasus60 --> b999a16500b87d17ec7f2e2a68778f05
Reply
(June 12, 2022, 08:12 PM)hacker1111 Wrote:
(June 12, 2022, 06:52 PM)thomasratkos Wrote:
(June 12, 2022, 02:03 PM)Photographer Wrote: Any nudge on how to get the domain SID and the nthash?



I would like to know as well. I know you can get the domain SID with rpcclient's lsaquery command, but how do you get the nthash??


https://codebeautify.org/ntlm-hash-generator


Pegasus60 --> b999a16500b87d17ec7f2e2a68778f05


And how about the domain SID? I'm not able to figure out how I should get it, since I'm not able to use rpcclient or reg.py. The box is giving me some RPC errors when I try to use any of those tools.
Reply
Collating both error fixes here:

First error, when using GetUserSPNs.py: [-] exceptions must derive from BaseException

Edit GetUserSPNs.py around line 240, dependent on version:

search for

target = self.getMachineName()


replace it with

        if self.__doKerberos:
            #target = self.getMachineName()   #<--- Old
            target = self.__kdcHost           #<-- New


Second error, for those getting

[-] [('SSL routines', '', 'internal error')]


search for tds.py and ldap.py

Edit each file, and replace

  ctx = SSL.Context(SSL.TLSv1_METHOD) #!<--- Old

  ctx = SSL.Context(SSL.TLSv1_2_METHOD) #!<--- New
Reply
Can't seem to get impacket-mssqlclient to work. I'm getting either:
Kerberos SessionError: KDC_ERR_WRONG_REALM(Reserved for future use) or
Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)

Any ideas how to fix this?
Reply