Module completed. If you need help, message me, or simply ask in a forum.
I found the users je and al, with their passwords. Both are DC users but not local. I have read this post several times and I don’t know how to get j*s’s password. I used ldap and smb enumeration for kerberos and asreproast.
Any hint to continue with the module?
I found the users Jue and Atl, with their passwords. Both are DC users but not local. I have read this post several times and I don’t know how to get j*s’s password. I used ldap and smb enumeration for kerberos and asreproast.
Any hint to continue with the module?
Did you get the flag from SQL01?
After that you get usernames with their passwords from the databases
j *s’s password comes after…
You have to enumerate the database in order to proceed.
Thanks for your help. I checked each of the databases and I got the following information:
Databases enumerated: master / tempdb / model / msdb / interns
It just shows tables for databases: msdb / master. When I checked the tables one by one, I didn’t find a table with usernames.
The users J----e and At–l were not local users on 172.15.15.15.
You are getting hot…
Try this SELECT * FROM [interns].[dbo].details
I can’t see the tables of the interns database…
sudo proxychains4 -q crackmapexec mssql 172.16.15.15 -u J****** -p ****** -q "SELECT table_name from interns.INFORMATION_SCHEMA.TABLES"
MSSQL 172.16.15.15 1433 SQL01 Windows 10 / Server 2019 Build 17763 (name:SQL01) (domain:INLANEFREIGHT.LOCAL)
MSSQL 172.16.15.15 1433 SQL01 [+] INLANEFREIGHT.LOCAL\J******:P********
your command
sudo proxychains4 -q crackmapexec mssql 172.16.15.15 -u J****** -p ******** -q "SELECT * FROM [interns].[dbo].details"
MSSQL 172.16.15.15 1433 SQL01 [] Windows 10 / Server 2019 Build 17763 (name:SQL01) (domain:INLANEFREIGHT.LOCAL)
MSSQL 172.16.15.15 1433 SQL01 [+] INLANEFREIGHT.LOCAL\J*****:********
you need mysql creds to enumerate the sql database
Delete the post, don’t show passwords like that.
Try 172.16.15.3 a**** --spider DEV --pattern txt
Then use get-file to get whatever you found in the DEV share.
This will get you to SQL01.
Then try SELECT * FROM [interns].[dbo].details
But there is also the flag on that machine; you will have to priv then impersonate and more c:\Users\Public\flag.txt
So 2 things you will get so you can continue.
Thanks for your support. Excellent explanation. It was funny when I got the creds files, but the username has 2 symbols. I said ■■■.
But I can continue with your support. Thanks, my friend.
Those 2 symbols are encoding errors, they mean nothing, just ignore them.
Now you are on the right track.
Hello friend.
This weekend I was trying to answer question 3 (DEV01), the server only responds to me with the smb protocol (domain users). I checked the shared folders as you indicated in question 2 and there is no interesting information.
What should I do? I have checked all the sections several times.
Hi, friend.
I have a question. I executed an ntlmrelay attack and I got an attempt of connection from user james SUCCEED.
results
[] SMBD-Thread-4 (process_request_thread): Connection from INLANEFREIGHT/JAMES@10.129.204.182 controlled, attacking target smb://172.16.15.20
[-] DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[] Authenticating against smb://172.16.15.20 as INLANEFREIGHT/JAMES SUCCEED
What should I do to get the hash?
Hi, Halfluke.
I’m stuck at question 3. I have checked all the sections for this module.
I have a question about question 3. I executed an ntlmrelay attack and I got an attempt of connection from user james SUCCEED.
results
[] SMBD-Thread-4 (process_request_thread): Connection from INLANEFREIGHT/JAMES@10.129.204.182 controlled, attacking target smb://172.16.15.20
[-] DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[] Authenticating against smb://172.16.15.20 as INLANEFREIGHT/JAMES SUCCEED
What should I do to get the hash? Any suggestions?
Sorry, I am currently on vacation with no access to my notes. Sorry about that.
Hi reyjem,
I have completed this module, and I did not use ntlmrelayx for that. I recommend you use Responder instead. You should receive ***** hash within a minute or so. Obviously, this approach will only work if you have dropped a malicious file somewhere…
Hi, @emer1ca. Yesterday I checked everything and I found the hash.
I got the answer for question 3.
This morning I got the answer for question 4.
Any hint for question 5?
Hi, @anichols9.
I’m on the last question, but I checked your post and I saw you got the password for user svc_inlaneadm. I don’t have it.
Should I have it to solve the last question?
I’m stuck at question 5.
Any hint?