Official Freelancer Discussion

Check your file size. If it’s different from that on the target machine then probably a broken transfer.

Runas is not strong enough to do what you need done.

Look into "RunasCs.exe". The normal RunAs is stripped of power and basically sandboxed in Windows. You need a more powerful Runas tool :) You're on the right track.

Yes, I tried that but it says:

[-] RunasCsException: LogonUser failed with error code: The user name or password is incorrect

I don’t know if I have the right creds.
Should I search the entire SQLEXPR-2019_x64_ENU directory,
or is there any specific dir where I have to search?

What command to download a file from the Windows target machine to the host?

Mika’s password is IL0********ager

The config file is def. the way.

What command did you use to download it?

Yes, I can runas mika now,
but I am not able to find the memory file or something y'all are talking about.

Should be on the desktop of Mika. You'll need to exfiltrate it off the machine.

HackTricks has many exfil methods you can try.

Please, I need help with investigating the memory dump.

If you have a Windows VM, download memprocfs and make sure you’ve got Python installed in Windows. Install the Python packages with this cmd => pip install pypykatz aiowinreg . And then run memprocfs like this => memprocfs.exe -device memory.dmp -forensic 1 => you’ll find secrets in the py folder.

Thanks a lot

A little lost on lateral movement. I have a reverse shell as the service account and valid credentials for the m***************** account, but not really sure how to proceed from here since I can’t supply a password when prompted in my reverse shell and there’s no legitimate remote access service I can connect to with this account. Any hints here or via DM would be appreciated.

You should be able to spawn another RevShell from the SQL prompt just like you did for the foothold.

I would need it to run the command as mikasa though, right? Otherwise the new rev shell would still be as sql_svc. I was looking into the runasCs tool that was mentioned in the thread but since I can’t figure out file transfer I’m a little lost as to how I’m supposed to get it to the machine to use it.

EDIT: Finally found a method that works for file transfer onto the box.

Correct. Sorry, I misspoke.

You need to get RunasCs.exe on the box. You can abuse the SQL prompt and a python server for this.

Does this have something to do with the deleted ADObject? I have restored it but I feel I am missing something in order to do the lateral movement there

I personally feel like the Deleted Objects is a part of the intended path but I didn't go that route. I have no proof that’s the correct way though I haven’t seen anyone complete it that way personally.

Anytime you have an Active Directory box your goal should be to see if running BloodHound is possible. BloodHound will get you a lot of details and help you narrow down your focus onto an attack vector. It will also tell you vulnerabilities.

Is there a problem with spawn port 80? I can't find a VPN server where it works.

There is a problem with the web server port. Multiple people have reported the issue.

Change your vpn to Europe or another country and try again.

I use VIP+ and pwnbox and haven't had any issues. I think it was mostly the OpenVPN and seasonal VPNs having issues.

After a couple of shells cutting off, finally it remained stable.
Did you guys elevate to user from a memory dump or manual enumeration?

Via scripts it gets picked up by AV and I haven’t got any privileges.
Running out of ideas.