Scrambled - HTB [Discussion]
(June 12, 2022, 11:38 PM)Toto Wrote: Can't seem to get impacket-mssqlclient to work, I'm either getting :
Kerberos SessionError: KDC_ERR_WRONG_REALM(Reserved for future use) or
Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)

Any ideas how to fix this ?


make sure you're using the latest version
Reply
So, I have a foothold on the server. I was able to pivot locally from SQLSVC to MISCSVC and get the user.txt flag. I thought I had admin esc with SQLSVC because it has set to Enabled, but none of the usual suspects (potato, PrintSpoofer, etc) seem to work (maybe I'm just doing them wrong, it's possible). Ran winPEAS and found that the ScrambleServer is autorun is unquoted, but I don't seem to have permissions to manipulate the tasks on either svc account. A nudge in the right direction would be greatly appreciated. ;)
Reply
(June 12, 2022, 11:42 PM)AndreyGolara Wrote:
make sure you're using the latest version


Okay thanks, worked. I'm now in a SQL-shell-like thing. I'm trying to get a proper shell but xp_cmdshell is whimsical.
Reply
(June 13, 2022, 12:00 AM)Toto Wrote:
Okay thanks, worked. I'm now in a SQL-shell-like thing. I'm trying to get a proper shell but xp_cmdshell is whimsical.


Care to post up your syntax, I'm getting weird output back, using impact 10.1
Reply
(June 13, 2022, 12:02 AM)skyweasel Wrote:
Care to post up your syntax, I'm getting weird output back, using impact 10.1


I used the same command as someone posted earlier, impacket_mssqlclient -k scrm.local


Whoops, seems like I messed up, still don't have a shell, it just started a shell of my own machine, back to square one.
Reply
(June 13, 2022, 12:04 AM)Toto Wrote:
I used the same command as someone posted earlier, impacket_mssqlclient -k scrm.local


Whoops, seems like I messed up, still don't have a shell, it just started a shell of my own machine, back to square one.


Hmm weird, I get: [-] ERROR(DC1): Line 1: Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication.
Using just -k & scrm.local

EDIT - wait.. had wrong KRB5 - needed the Admin one. working now by the looks.. but it still bombs out "double free or corruption (out)"

man, impacket is finicky!
Reply
Is it normal for me not to be able to download SharpHound to the sqlsvc shell ? Is it not required to use Bloodhound to get user ?
Reply
(June 12, 2022, 06:42 PM)jon01 Wrote:
(June 12, 2022, 04:33 PM)yemacaw863 Wrote: @jon01 have u rooted this machine?


yes via unintended way :P


I was looking at "ScrambleClient.exe" (aka port 4411) and found a way to login.
Then I saw two users and there's upload String function.

Initially I thought it's serialization to execute reverse shell.. However:
ERROR_GENERAL;Error deserializing sales order: Unable to cast object of type '<gadget-type>' to type 'ScrambleLib.SalesOrder'.

Wondering am I looking on the correct path or rabbit hole..

@jon01, nudge again?  :blush:
Reply
(June 13, 2022, 01:43 AM)yemacaw863 Wrote: I was looking at "ScrambleClient.exe" (aka port 4411) and found a way to login.
Then I saw two users and there's upload String function.

Initially I thought it's serialization to execute reverse shell.. However:
ERROR_GENERAL;Error deserializing sales order: Unable to cast object of type '<gadget-type>' to type 'ScrambleLib.SalesOrder'.

Wondering am I looking on the correct path or rabbit hole..

@jon01, nudge again?  :blush:


dont need a nudge ur right at the finish line ;)
Reply
is the impacket mssqlclient the intended path? Getting nothing but drama.

Get TGT for ksimpson.
Use this to get SPN for sqlsvc and crack password

SQL server is hanging out there on 1433 along with 4411, so SQL seems the logical path but mssqlclient.py crashes on both my Kali & win HTB boxes - just wanting to check before I overhaul the vms.
Reply

