sqlsvc Session


The presence of an MSSQL instance was initially identified during the Recon phase. However, without valid domain credentials there was little that could be done with this discovery at that point. The sqlsvc account was identified as the service account running the MSSQL instance and is compromised via Kerberoasting at a later stage.

┌──(kali㉿kali)-[~/archive/htb/labs/scrambled]
└─$ KRB5CCNAME=sqlsvc@dc1.scrm.local.ccache impacket-mssqlclient scrm.local/sqlsvc@dc1.scrm.local -no-pass -k -dc-ip $IP       
Impacket v0.11.0 - Copyright 2023 Fortra
 
[*] Encryption required, switching to TLS
[-] error(dc1): Line 1: Login failed for user 'SCRM\sqlsvc'.

But I am unable to access the MSSQL instance using the TGT of the sqlsvc account. This presents an unusual situation, given that the credential is valid and is also the one used to run the MSSQL instance itself.

“network administrators”


However, there is an explanation for this strange occurrence.

Looking back at the PDF file found in one of the SMB shares, it explicitly states that all access to the SQL service has been REVOKED except for “network administrators”. This is most likely the reason why I am unable to access the MSSQL instance even with the account that runs the service.
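The behaviour above follows from how SQL Server authorizes connections: the Windows account that runs the service (the SPN owner that Kerberos authenticates) is just another server principal, and it only gets in if it has a login with CONNECT SQL that has not been denied or dropped. The T-SQL below is an added example, not something from the writeup or the lab, showing how a DBA would implement the "revoked except for network administrators" policy and how to audit who can still connect. The group name SCRM\Network Administrators is an assumed placeholder; SCRM\sqlsvc is the account from the page.

```sql
-- Added example (not from the writeup): restricting instance access to one Windows
-- group and auditing the result. Group name below is a constructed placeholder.

-- 1. Audit: which logins can actually connect to this instance?
--    The account running the SQL Server service is NOT automatically a login;
--    it only connects if it is listed here with CONNECT SQL granted (and not denied).
SELECT  p.name,
        p.type_desc,                 -- WINDOWS_LOGIN, WINDOWS_GROUP, SQL_LOGIN ...
        p.is_disabled,
        perm.state_desc,             -- GRANT or DENY
        perm.permission_name
FROM    sys.server_principals AS p
LEFT JOIN sys.server_permissions AS perm
       ON perm.grantee_principal_id = p.principal_id
      AND perm.permission_name = 'CONNECT SQL'
WHERE   p.type IN ('U', 'G', 'S')    -- Windows login, Windows group, SQL login
ORDER BY p.name;

-- 2. Restrict: keep only the designated administrators group.
--    [SCRM\Network Administrators] is an assumed name used for illustration.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'SCRM\Network Administrators')
    CREATE LOGIN [SCRM\Network Administrators] FROM WINDOWS;
GRANT CONNECT SQL TO [SCRM\Network Administrators];

-- Explicitly deny the service account. DENY overrides any GRANT the account
-- would otherwise inherit through group membership, so a Kerberos-authenticated
-- session as SCRM\sqlsvc is rejected with "Login failed for user".
IF EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'SCRM\sqlsvc')
    DENY CONNECT SQL TO [SCRM\sqlsvc];

-- 3. Re-run the audit from step 1; SCRM\sqlsvc should now show state_desc = DENY
--    (or be absent entirely if the login was dropped instead of denied).
```

Run the audit query as a sysadmin; it is the quickest way to confirm whether a failed Kerberos login is a ticket problem or simply a principal with no usable login. On the server side each rejected attempt is recorded as error 18456 in the SQL Server error log, and its state code tells the DBA whether the login was missing, disabled, or denied, which is the detail the client-side "Login failed" message deliberately omits.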

While the scope of the designated “network administrators” comes into question, it’s crucial to note that the compromised sqlsvc account remains a legitimate service account for the MSSQL instance. That being said, compromised service accounts in an Active Directory domain are often leveraged further for TGS forgery, i.e. the [[Scrambled_Silver_Ticket_Attack#[Silver Ticket Attack](https //en.hackndo.com/kerberos-silver-golden-tickets/) (Forging TGS)|Silver Ticket Attack]]