🦑Privileged Access
Remote Desktop
Typically, if we have control of a local admin user on a given machine, we will be able to access it via RDP. Sometimes, we will obtain a foothold with a user that does not have local admin rights anywhere, but does have the rights to RDP into one or more machines.
Using PowerView, we could use the Get-NetLocalGroupMember function to begin enumerating members of the Remote Desktop Users group on the host. All Domain Users (meaning all users in the domain) can RDP to this host.
Checking the Domain Users Group's Local Admin & Execution Rights using BloodHound
Once we control a user, we can check what remote access rights they have, either directly or inherited via group membership, under Execution Rights on the Node Info tab.
WinRM
We can again use the PowerView function Get-NetLocalGroupMember to enumerate members of the Remote Management Users group.
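The two group checks above (Remote Desktop Users for RDP, Remote Management Users for WinRM) are also the first thing to audit on the defending side. The following is an added example, not code from the original notes or from PowerView: it uses the built-in LocalAccounts cmdlets to list the members of the local groups that grant remote access on a host and flags overly broad principals such as Domain Users. It assumes it runs elevated on the host being audited on Windows 10 / Server 2016 or later; the group and principal lists are editorial choices, not anything the notes specify.

```powershell
# Added audit example (not from the original notes): list who can reach this host over RDP
# and WinRM, and flag overly broad principals. Assumes it runs elevated on the audited host
# with the built-in LocalAccounts module (Windows 10 / Server 2016 and later).

# Local groups that grant remote interactive or remote management access.
$GroupsToAudit = @('Remote Desktop Users', 'Remote Management Users', 'Administrators')

# Principals that should rarely, if ever, appear in those groups.
$BroadPrincipals = @('Domain Users', 'Authenticated Users', 'Everyone', 'Users', 'Domain Computers')

function Get-RemoteAccessGroupAudit {
    param(
        [string[]]$Groups = $GroupsToAudit,
        [string[]]$Broad  = $BroadPrincipals
    )
    foreach ($group in $Groups) {
        # Orphaned SIDs make Get-LocalGroupMember throw on some builds; keep going.
        $members = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue
        foreach ($m in $members) {
            # Name is 'DOMAIN\Account' for domain principals; compare the bare account name.
            $bareName = ($m.Name -split '\\')[-1]
            [pscustomobject]@{
                Group           = $group
                Member          = $m.Name
                ObjectClass     = $m.ObjectClass      # User or Group
                PrincipalSource = $m.PrincipalSource  # Local, ActiveDirectory, ...
                Finding         = if ($Broad -contains $bareName) { 'OVERLY BROAD - review' } else { 'ok' }
            }
        }
    }
}

# Run it and show the findings first.
Get-RemoteAccessGroupAudit | Sort-Object Finding -Descending | Format-Table -AutoSize
```

To cover a fleet, wrap the call in Invoke-Command -ComputerName against a list of hosts and collect the objects. The check is deliberately shallow: a domain group nested inside Remote Desktop Users is reported by name only, and its own members (which may again include Domain Users) are not expanded, so a clean result here is not proof; the inherited view in BloodHound's Node Info tab, described above, is what resolves that nesting.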
We can also utilize this custom Cypher query in BloodHound to hunt for users with this type of access. This can be done by pasting the query into the Raw Query box at the bottom of the screen and hitting enter.
Adding the Cypher Query as a Custom Query in BloodHound
Establishing WinRM Session from Windows
We can use the Enter-PSSession cmdlet using PowerShell from a Windows host.
On a Linux host we can use evil-winrm.
Install evil-winrm ->
And to connect to the host with a set of valid credentials ->
SQL Server Admin
One way you may find SQL Server credentials, other than via Kerberoasting (common) or other techniques such as LLMNR/NBT-NS response spoofing or password spraying, is to use the tool Snaffler to find web.config or other types of configuration files that contain SQL Server connection strings.
Here is a query for BloodHound to find SQL Admin Rights, which also appear in the Node Info tab for a given user.
We can use our ACL rights to authenticate with the wley user, change the password for the damundsen user, and then authenticate with the target using a tool such as PowerUpSQL, which has a handy command cheat sheet. Let's assume we changed the account password to SQL1234! using our ACL rights. We can now authenticate and run operating system commands.
Enumerating MSSQL Instances with PowerUpSQL
We could then authenticate against the remote SQL server host and run custom queries or operating system commands.
We can also authenticate from our Linux attack host using mssqlclient.py
Then we can look at the commands we can launch on the SQL server, like enable_xp_cmdshell, which enables the xp_cmdshell stored procedure; this allows one to execute operating system commands via the database if the account in question has the proper access rights.
Now we can run commands in the format xp_cmdshell <command>.
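From the defending side, the condition the steps above depend on is an instance where xp_cmdshell is (or can be) enabled by an account that holds sysadmin. The following is an added example, not code from the original notes, PowerUpSQL or Impacket: it connects to an instance with Windows authentication, reports whether xp_cmdshell and Ole Automation Procedures are enabled and who is a member of the sysadmin role, and can optionally switch xp_cmdshell back off. It assumes the calling Windows account can connect and read sys.configurations (sysadmin is needed for the remediation path); the instance name is a placeholder.

```powershell
# Added defensive check (not from the original notes): report whether xp_cmdshell is enabled
# on an instance and who holds sysadmin, with an optional switch to turn xp_cmdshell back off.
# Assumes the calling Windows account can connect to the instance and read sys.configurations
# (sysadmin is required for the -Remediate path). The instance name is a placeholder.

function Get-SqlCmdShellExposure {
    param(
        [string]$Instance = 'SQLHOST01\MSSQLSERVER',   # placeholder, replace with the instance to audit
        [switch]$Remediate
    )
    $conn = New-Object System.Data.SqlClient.SqlConnection "Server=$Instance;Integrated Security=True"
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()

        # 1. Server-level options that expose OS execution from inside the database.
        $cmd.CommandText = @"
SELECT name, CAST(value_in_use AS int) AS value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures', 'show advanced options')
"@
        $config = @{}
        $rdr = $cmd.ExecuteReader()
        while ($rdr.Read()) { $config[[string]$rdr['name']] = [int]$rdr['value_in_use'] }
        $rdr.Close()

        # 2. Logins that can flip those options (and run xp_cmdshell) at will.
        $cmd.CommandText = @"
SELECT m.name AS member
FROM sys.server_role_members rm
JOIN sys.server_principals r ON rm.role_principal_id   = r.principal_id
JOIN sys.server_principals m ON rm.member_principal_id = m.principal_id
WHERE r.name = 'sysadmin'
"@
        $sysadmins = @()
        $rdr = $cmd.ExecuteReader()
        while ($rdr.Read()) { $sysadmins += [string]$rdr['member'] }
        $rdr.Close()

        # 3. Optional hardening: disable xp_cmdshell if it was found enabled.
        #    'show advanced options' must be on before an advanced option can be changed.
        if ($Remediate -and $config['xp_cmdshell'] -eq 1) {
            $cmd.CommandText = "EXEC sp_configure 'show advanced options', 1; RECONFIGURE; " +
                               "EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;"
            [void]$cmd.ExecuteNonQuery()
            $config['xp_cmdshell'] = 0
        }

        [pscustomobject]@{
            Instance             = $Instance
            XpCmdShellEnabled    = ($config['xp_cmdshell'] -eq 1)
            OleAutomationEnabled = ($config['Ole Automation Procedures'] -eq 1)
            SysadminMembers      = $sysadmins
        }
    }
    finally { $conn.Close() }
}

Get-SqlCmdShellExposure | Format-List
```

Disabling xp_cmdshell alone is not a fix when the sysadmin list is wide, because any sysadmin can re-enable it with the same sp_configure call; the real control is keeping low-privilege domain accounts out of that role. For detection, each sp_configure change is written to the SQL Server error log as a "Configuration option 'xp_cmdshell' changed from 0 to 1" line, which is a cheap thing to forward and alert on.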
What other user in the domain has CanPSRemote rights to a host?
So I start by launching SharpHound on my Windows machine, then downloading it to my attack box via an evil-winrm session, then I launch BloodHound and upload all the data ->
I enter this raw query ->
What host can this user access via WinRM? (just the computer name)
Leverage SQLAdmin rights to authenticate to the ACADEMY-EA-DB01 host (172.16.5.150). Submit the contents of the flag at C:\Users\damundsen\Desktop\flag.txt.
We find the SQL admin rights ->
Via an evil-winrm session I upload mssqlclient.exe to the RDP session and launch the attack.