# Privileged Access [![ko-fi](https://ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/Y8Y41FQ2GA) {% hint style="info" %} To get all data in Bloodhound, use SharpHond.exe - Exegol compatible version Bloodhound.py don't get all data, probably because of DNS resolution {% endhint %} ## Remote Desktop Users Group ```powershell-session PS C:\htb> Get-NetLocalGroupMember -ComputerName ACADEMY-EA-MS01 -GroupName "Remote Desktop Users" ComputerName : ACADEMY-EA-MS01 GroupName : Remote Desktop Users MemberName : INLANEFREIGHT\Domain Users SID : S-1-5-21-3842939050-3880317879-2865463114-513 IsGroup : True IsDomain : UNKNOWN ``` ### Bloodhound Query ```cypher MATCH p=(g:Group {name:"DOMAIN USERS@INLANEFREIGHT.LOCAL"})-[:CanRDP]->(c:Computer) WHERE c.operatingsystem CONTAINS "Server" return p ``` ## WinRM ```powershell-session PS C:\htb> Get-NetLocalGroupMember -ComputerName ACADEMY-EA-MS01 -GroupName "Remote Management Users" ComputerName : ACADEMY-EA-MS01 GroupName : Remote Management Users MemberName : INLANEFREIGHT\forend SID : S-1-5-21-3842939050-3880317879-2865463114-5614 IsGroup : False IsDomain : UNKNOWN ``` ### Bloodhound Query ```cypher MATCH p1=shortestPath((u1:User)-[r1:MemberOf*1..]->(g1:Group)) MATCH p2=(u1)-[:CanPSRemote*1..]->(c:Computer) RETURN p2 ``` ### EnterPSSession ```powershell-session PS C:\htb> $password = ConvertTo-SecureString "Klmcargo2" -AsPlainText -Force PS C:\htb> $cred = new-object System.Management.Automation.PSCredential ("INLANEFREIGHT\forend", $password) PS C:\htb> Enter-PSSession -ComputerName ACADEMY-EA-DB01 -Credential $cred [ACADEMY-EA-DB01]: PS C:\Users\forend\Documents> hostname ACADEMY-EA-DB01 [ACADEMY-EA-DB01]: PS C:\Users\forend\Documents> Exit-PSSession PS C:\htb> ``` Double Hop Problem: {% content-ref url="/pages/e45UlE0kurvBtLaNSVXV" %} [Kerberos Double Hop Problem](/0xss0rz/pentest/internal-pentest/kerberos-double-hop-problem.md) {% endcontent-ref %} ### Evil-WinRM {% content-ref url="/pages/5zE4duLRkawZtstWjbb7" %} [Evil-WinRM](/0xss0rz/pentest/tools/evil-winrm.md) {% endcontent-ref %} ## MSSQL ### Bloodhound Query ```cypher MATCH p1=shortestPath((u1:User)-[r1:MemberOf*1..]->(g1:Group)) MATCH p2=(u1)-[:SQLAdmin*1..]->(c:Computer) RETURN p2 ``` ### PowerUpSQL ```powershell-session PS C:\htb> cd .\PowerUpSQL\ PS C:\htb> Import-Module .\PowerUpSQL.ps1 PS C:\htb> Get-SQLInstanceDomain ComputerName : ACADEMY-EA-DB01.INLANEFREIGHT.LOCAL Instance : ACADEMY-EA-DB01.INLANEFREIGHT.LOCAL,1433 DomainAccountSid : 1500000521000170152142291832437223174127203170152400 DomainAccount : damundsen DomainAccountCn : Dana Amundsen Service : MSSQLSvc Spn : MSSQLSvc/ACADEMY-EA-DB01.INLANEFREIGHT.LOCAL:1433 LastLogon : 4/6/2022 11:59 AM ``` ```powershell-session PS C:\htb> Get-SQLQuery -Verbose -Instance "172.16.5.150,1433" -username "inlanefreight\damundsen" -password "SQL1234!" -query 'Select @@version' VERBOSE: 172.16.5.150,1433 : Connection Success. Column1 ------- Microsoft SQL Server 2017 (RTM) - 14.0.1000.169 (X64) ... ``` ### mssqlclient.py {% content-ref url="/pages/zKnHoEmkwvLtoFrs0oE5" %} [MSSQL (1433)](/0xss0rz/pentest/protocols/mssql-1433.md) {% endcontent-ref %} --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://0xss0rz.gitbook.io/0xss0rz/pentest/internal-pentest/privileged-access.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.